
### auth/30_exim4-config_examples
#################################

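# The examples below are for server side authentication; they allow two
# styles of plain-text authentication against a CONFDIR/passwd file
# which should have user names in the first column and crypted passwords
# in the second. The columns need to be separated by ':'. For CRAM-MD5
# exim needs access to the UNENCRYPTED password - the example below assumes
# it is available in the third column of CONFDIR/passwd.
#
# PLAIN and LOGIN transmit the password itself. The plain_server and
# login_server examples below carry no server_advertise_condition, so they
# would be offered on unencrypted connections as well; the saslauthd examples
# further down show a condition that advertises them only when TLS is in use.
# A passwd file that holds unencrypted passwords should be readable only by
# root and the user exim runs as.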

# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $2
#   server_prompts = :
#
# login_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
#   server_set_id = $1
#
# cram_md5_server:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}}
#   server_set_id = $1

# Here is an example of CRAM-MD5 authentication against PostgreSQL:
#
# psqldb_auth:
#   driver = cram_md5
#   public_name = CRAM-MD5
#   server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail}
#   server_set_id = $1

# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
# plain_saslauthd:
#   driver = plaintext
#   public_name = PLAIN
#   # don't send system passwords over unencrypted connections
#   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
#   server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
#   server_set_id = $2
#   server_prompts = :
#
# login_saslauthd:
#   driver = plaintext
#   public_name = LOGIN
#   # don't send system passwords over unencrypted connections
#   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
#   server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
#   server_set_id = $1

##############
# See /usr/share/doc/exim4-base/README.SMTP-AUTH
##############

# The examples below are the equivalent for client side authentication.
# They get the passwords from CONFDIR/passwd.client. This file should have
# three columns separated by colons: the first contains the name of the
# mailserver to authenticate against, the second the username and the third
# the password. The passwords are stored unencrypted, so the file should be
# readable only by root and the user exim runs as.

### # example for CONFDIR/passwd.client
### mail.server:blah:secret
### # default entry:
### *:bar:foo

# Client-side CRAM-MD5 authenticator. The user name and the password both
# come from the CONFDIR/passwd.client line whose key matches $host: field 1
# of that line's data is the user name, field 2 the password.
#
# "lsearch*" retries the lookup with the key "*" when $host has no line of
# its own, so a "*" default line is offered to every server that advertises
# CRAM-MD5. Leave the "*" line out of passwd.client if the credentials should
# only ever go to explicitly named servers.
#
# CRAM-MD5 answers a server challenge with a keyed MD5 digest instead of
# sending the password, which is why this block has no $tls_cipher test.
# A recorded exchange can still be used to guess a weak password offline, so
# TLS remains preferable.
cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  # The trailing "fail" forces an expansion failure when no line matches.
  # NOTE(review): the Exim specification describes a forced failure here as
  # "do not use this authenticator" - confirm for the installed version.
  client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}
  client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}

# Because AUTH PLAIN sends the password in clear, by default we only allow it
# over encrypted connections. If you want to change this, comment out the
# existing client_send entry and enable the one below, which lacks the
# "if !eq{$tls_cipher}{}" test, by removing the hash-mark (#) at the beginning
# of its line.
# Client-side AUTH PLAIN authenticator, used only when TLS is in use.
plain:
  driver = plaintext
  public_name = PLAIN
  # Sends "^user^password", with user and password taken from fields 1 and 2
  # of the CONFDIR/passwd.client line for $host ("lsearch*" falls back to the
  # "*" default line, which then goes to any server offering PLAIN).
  # Exim turns each "^" into a NUL byte. Colons are doubled ("{::}") because
  # client_send is itself a colon-separated list.
  # The outer "if" forces a failure when $tls_cipher is empty, i.e. when the
  # connection is not encrypted, so the password is never sent in clear.
  # A non-empty $tls_cipher only shows that encryption was negotiated; it does
  # not show that the server certificate was verified. Certificate
  # verification has to be configured on the smtp transport.
  # NOTE(review): newer Exim releases document $tls_out_cipher for outbound
  # connections and keep $tls_cipher as the older name - confirm for the
  # installed version.
  client_send = "${if !eq{$tls_cipher}{}{\
                     ^${extract{1}{::}\
		       {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
		     ^${extract{2}{::}\
		       {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\
		   }fail}"
# Alternative without the TLS test: the password is then sent in clear over
# unencrypted connections as well. Leave this disabled unless the path to the
# server is protected by other means.
#  client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"

# Because AUTH LOGIN sends the password in clear, by default we only allow it
# over encrypted connections. If you want to change this, comment out the
# existing client_send entry and enable the one below, which lacks the
# "if !eq{$tls_cipher}{}" test, by removing the hash-mark (#) at the beginning
# of its line.
# Client-side AUTH LOGIN authenticator, used only when TLS is in use.
login:
  driver = plaintext
  public_name = LOGIN
  # client_send is a colon-separated list of three strings:
  #   1. the TLS test: it expands to an empty string when $tls_cipher is set
  #      (so no data accompanies the AUTH command) and forces a failure when
  #      the connection is not encrypted;
  #   2. the user name, field 1 of the CONFDIR/passwd.client line for $host;
  #   3. the password, field 2 of the same line.
  # "lsearch*" falls back to the "*" default line, which then goes to any
  # server offering LOGIN. Colons inside the items are doubled ("{::}")
  # because a single colon separates the list items.
  # A non-empty $tls_cipher only shows that encryption was negotiated; it does
  # not show that the server certificate was verified.
  client_send = "${if !eq{$tls_cipher}{}{}fail}\
                 : ${extract{1}{::}\
		        {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \
		 : ${extract{2}{::}\
		     {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"
# Alternative without the TLS test: the password is then sent in clear over
# unencrypted connections as well. Leave this disabled unless the path to the
# server is protected by other means.
#  client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}"



