Monday, 13 January 2014

Outlook 2013 vs Exim 4

I had problems getting Outlook 2013 to play TLS with my exim servers. The solution seemed to be to set Outlook's encryption to 'Auto' and use port 587 (a NON TLS port).  I have both PLAIN and LOGIN auth but Outlook uses the latter. If you are still using a flat auth file that uses the CRYPT hash then there is an example line for you, but I mostly authenticate against a database,
(so that changes don't have to be rolled out in batches.)

exim config snippit:

tls_advertise_hosts = *
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465 : 6465
# some ISPs filter 25 and 465 to their own SMTP servers for 'simplicity' hence I have  6465 for customers with that affliction.

MYSQL_AUTHPLAIN=SELECT  im_server FROM imap,domains WHERE imap.im_doid = domains.do_id and concat(imap.im_userid,'@',domains.do_name) = '$2' ) AND ( im_auth='${hmac{md5}{$3}{$3}}' || im_auth=encrypt('$3',im_auth) || im_auth='${sha1:$3}' )
# transitioning from encrypt to sha1 and merging in an hmac_md5 config

MYSQL_AUTHLOGIN=SELECT  im_server FROM imap,domains WHERE imap.im_doid = domains.do_id and concat(imap.im_userid,'@',domains.do_name) = '$1' AND (  im_auth=encrypt('$2',im_auth) || im_auth='${sha1:$2}' )

begin authenticators
# $1 is the old string for $auth1; $2 = $auth2; $auth3 = $3

  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup mysql{MYSQL_AUTHPLAIN}{1}fail}
  server_advertise_condition = ${if def:tls_cipher }
  server_set_id = $2
 driver = plaintext
 public_name = LOGIN
 server_prompts = "Username:: : Password::"
 #  server_condition = ${lookup mysql{MYSQL_AUTHLOGIN}{1}fail}
 server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
 server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
 server_set_id = $1


Example mysql schema, with domains in one table and imap, (and smtp authentication in im_auth) in another:

CREATE TABLE `domains` (
  `do_id` int(255) NOT NULL AUTO_INCREMENT,
  `do_name` varchar(255) NOT NULL,
  `do_status` enum('disabled','suspended','enabled','migrating out','migrating in','registering','desired','disputed','remote') NOT NULL DEFAULT 'remote',
  `do_added` datetime NOT NULL,
  `do_acid` int(255) NOT NULL COMMENT "account id - other table",
  `do_group` int(255) DEFAULT NULL,
  `do_peid` int(255) DEFAULT '0' COMMENT "people ID",
  `do_location` varchar(255) DEFAULT NULL,
  `do_masters` varchar(255) DEFAULT NULL COMMENT 'a ; delimited list of ip addresses',
  PRIMARY KEY (`do_id`)

  `im_id` int(255) NOT NULL AUTO_INCREMENT,
  `im_userid` varchar(128) NOT NULL COMMENT 'the bit before the at sign',
  `im_doid` int(255) NOT NULL COMMENT 'link to domains.do_id',
  `im_passwd` varchar(74) DEFAULT NULL COMMENT '{HASH}string e.g. {SHA1}shy75adsgf=',
  `im_home` varchar(255) NOT NULL COMMENT 'explicit path on im_server',
  `im_uid` int(11) NOT NULL COMMENT 'probably 8 (mail) though for shell users set it to their uid',
  `im_gid` int(11) NOT NULL COMMENT 'probably 12 (mail) or 8 on some systems',
  `im_server` varchar(128) DEFAULT NULL COMMENT 'mostly this will be the localhost or hostname',
  `im_quota` int(255) DEFAULT NULL COMMENT 'In Megs: 2 petabyte limit',
  `im_peid` int(255) DEFAULT NULL COMMENT 'links to people table',
  `im_auth` varchar(255) DEFAULT NULL COMMENT 'exim authenticates from this if it does not understand im_passwd - useful for migrating from MD5 to SHA256',
  `im_mode` char(4) DEFAULT '0640' COMMENT 'smallint seems wrong',
  `im_dir_mode` char(4) DEFAULT NULL COMMENT 'exim file and dir modes',
  `im_last_seen` datetime DEFAULT '0000-00-00 00:00:00' COMMENT 'the last SMTP,IMAP',
  PRIMARY KEY (`im_id`),
  UNIQUE KEY `im_row` (`im_userid`,`im_doid`)

# I've never had to add a NULL imap row to enable SMTP, but that is perfectly possible.

No comments:

Post a Comment

About this blog

Sort of a test blog... until it isn't