commit:     e03b214b3e492f786189508a627e834bbca8cf2e
Author:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 19 07:58:02 2025 +0000
Commit:     Fabian Groffen <grobian <AT> gentoo <DOT> org>
CommitDate: Sun Oct 19 08:02:50 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e03b214b

mail-mta/exim: update/append instructions for authenticators

Previous iteration for PAM replacement with gsasl was based on a
misunderstanding.  Document the Cyrus SASL route using saslauthd, as the
Dovecot implementation is trivial (copy/paste from their docs).
Hopefully this allows people to get their instances up and running
within reasonable time.

Closes: https://bugs.gentoo.org/964558
Signed-off-by: Fabian Groffen <grobian <AT> gentoo.org>

 mail-mta/exim/files/auth_conf.sub | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/mail-mta/exim/files/auth_conf.sub 
b/mail-mta/exim/files/auth_conf.sub
index f843314d6e67..ff8c03dd5dec 100644
--- a/mail-mta/exim/files/auth_conf.sub
+++ b/mail-mta/exim/files/auth_conf.sub
@@ -1,25 +1,39 @@
 ######################################################################
 #                   AUTHENTICATION CONFIGURATION                     #
 ######################################################################
-# Using PAM with Exim on Gentoo is non-ideal from security perspective, see:
+# Using PAM directly from Exim on Gentoo is non-ideal from security
+# perspective, see:
 #   https://bugs.gentoo.org/964377
 # Suggestion is to use Dovecot's SASL
 #   https://doc.dovecot.org/2.4.1/howto/sasl/exim.html#exim-and-dovecot-sasl
-# or GNU SASL
-#   
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_gsasl_authenticator.html
+# or Cyrus SASL's saslauthd
+#   
https://exim-users.exim.narkive.com/joAt25zW/authentication-using-saslauthd-cyrus-sasl
 
+# You will want to setup at least 2 directives for AUTH support that are
+# only announced on secure connections (e.g. after STARTTLS) so the
+# client never attempts to send the plain password over an unencrypted
+# connection.
 # The "plain" directive works for nearly everything except windows MUA's.
 # The "login" directive will allow you to authenticate your Outlook 2000 and
 # outlook express clients.
 
-
-# below an example of how to use GNU SASL
+# below an example of how to use Cyrus SASL in Exim's authenticators.
 #plain:
-#  driver = gsasl
+#  driver = cyrus_sasl
 #  public_name = PLAIN
 #  server_set_id = $auth1
+#  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
 #
 #login:
-#  driver = gsasl
+#  driver = cyrus_sasl
 #  public_name = LOGIN
 #  server_set_id = $auth1
+#  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
+#
+# to tell cyrus_sasl to connect to the saslauth deamon, you need a file
+# /etc/sasl2/exim.conf containing:
+#pwcheck_method: saslauthd
+#
+# and make sure you configure /etc/conf.d/saslauthd properly, e.g. use
+# "-a shadow" for the simplest support, or when using pam that the
+# appropriate /etc/pam.d/saslauthd is setup.
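Review bot: the `server_advertise_condition` lines in this hunk test `$tls_cipher`, which Exim keeps only as a deprecated alias of `$tls_in_cipher`; since this is a template people will copy, prefer the current variable and the idiomatic definedness test, e.g. `#  server_advertise_condition = ${if def:tls_in_cipher}`, which is equivalent to the empty-string comparison (the variable is unset on a cleartext session, so PLAIN/LOGIN are not announced before STARTTLS). Two typos in the trailing comment: "saslauth deamon" should read "saslauthd daemon", and "setup" as a verb should be "set up". Since the whole point of the change is to keep the password off the wire, it may be worth one more comment line reminding that both authenticators stay commented out until TLS is actually configured, otherwise `$tls_in_cipher` is never set and AUTH is never advertised at all.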
