Exim und Dovecot mit gemeinsamer Passwortdatei

$ aptitude install exim4-daemon-heavy dovecot-pop3d 

# /etc/exim4/exim4.conf

CONFDIR = /etc/exim4

primary_hostname = mail.domain.tld

local_interfaces     = 0.0.0.0
daemon_smtp_ports    = 25 : 465
tls_on_connect_ports = 465

domainlist local_domains    = @:localhost:domain.tld
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1
hostlist unroutable = 0.0.0.0/8 : 127.0.0.0/8 : \
                      10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
                      169.254.0.0/16 : 192.0.2.0/24 : \
                      224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5 
domainlist whitelist     = nice-domain.tld

host_lookup = *

acl_smtp_connect = acl_connect
acl_smtp_helo    = acl_check_helo
acl_smtp_mail    = acl_check_mail
acl_smtp_rcpt    = acl_check_rcpt
acl_smtp_predata = acl_check_predata
acl_smtp_data    = acl_check_data
acl_smtp_mime    = acl_check_mime

never_users = root

tls_advertise_hosts = *
tls_certificate     = /etc/ssl/CAcert/mail-server.crt
tls_privatekey      = /etc/ssl/CAcert/mail-server.key

pipelining_advertise_hosts = :

accept_8bitmime = true

rfc1413_hosts = *
rfc1413_query_timeout = 0s

ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

message_size_limit = 20M


begin acl

acl_connect:
   defer message = Sorry, too busy. Try again later.
           ratelimit = 10 / 1s / $primary_hostname
   #require        acl     = aux_delay
   accept

acl_check_helo:
   accept  hosts = : 127.0.0.1 : 89.110.146.50
   drop    message = RFCs mandate HELO/EHLO before mail can be sent.
           condition = ${if eq {$sender_helo_name}{}}
   drop    message = "Bad HELO - IP address not allowed [$sender_helo_name]"
           condition = ${if isip{$sender_helo_name}}
   drop    message = You are using my ip address
           condition = ${if eq{$sender_helo_name}{[$interface_address]}{true}{false}}
   drop    message = You're a liar
           condition = ${if match{$sender_helo_name}{$primary_hostname}{yes}{no}}
   drop    message = You're a liar
           condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
   drop    message = Bad HELO: non-FQDN hostname ($sender_helo_name)
           condition = ${if and { { !match{$sender_helo_name}{\N^\[.+\]$\N} } \
            { !match{$sender_helo_name}{\N^(?i)((?=[^-])[a-z0-9-]*[a-z0-9]\.)+[a-z]{2,6}$\N} } }}
   #require        acl     = aux_delay
   accept

acl_check_mail:
   warn    set acl_m0      = 1
   accept

acl_check_rcpt:

   accept  hosts = : 

   deny    message       = Restricted characters in address
           local_parts   = ^[.] : ^.*[@%!/|]

   deny    message       = Restricted characters in address
           local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

   accept  local_parts   = postmaster
           domains       = +local_domains

   deny    message         = too many invalid recipients
           condition       = ${if > {$acl_m0}{3}}

   deny    message = not receiving mail
           recipients = lsearch;CONFDIR/deny_recipients

   deny    message = user not sending mail
           senders = /etc/exim4/deny_senders

   deny    message = MYBL - $sender_host_address is blacklisted
           hosts = /etc/exim4/deny_hosts

   deny    message = RBL - ${sender_host_address} is blacklisted at $dnslist_domain ($dnslist_value); ${dnslist_text}
           dnslists = sbl-xbl.spamhaus.org/<;$sender_host_address;$sender_address_domain

   deny    message = RBL - ${sender_host_address} is blacklisted at ${dnslist_domain}; ${dnslist_text}
           dnslists = bl.spamcop.net : cbl.abuseat.org : list.dsbl.org

   warn    dnslists = dnsbl.sorbs.net 
           add_header = X-blacklisted-at: RBL - $dnslist_domain ($dnslist_text)

   warn    dnslists = spam.dnsbl.sorbs.net 
           add_header = X-blacklisted-at: RBL - $dnslist_domain ($dnslist_text)

   warn    dnslists = rhsbl.sorbs.net
           add_header = X-blacklisted-at: RBL - $dnslist_domain ($dnslist_text)

   require acl             = aux_verify_sender

   accept  domains       = +local_domains
            verify        = recipient

   deny    domains         = +local_domains
           message         = unknown user
           set acl_m0      = ${eval:$acl_m0+1}

   accept  domains       = +relay_to_domains
            verify        = recipient

   accept  hosts         = +relay_from_hosts

   accept  authenticated = *

   deny    message       = relay not permitted

aux_verify_sender:
   accept sender_domains = +whitelist
          logwrite = verifing sender address
   accept dnslists = dsn.rfc-ignorant.org/$sender_address_domain
          logwrite = doing sender callout verification
   require verify = sender/callout=30s,defer_ok
   accept

acl_check_predata:
   deny condition = ${if > {$acl_m0}{3}}
        message = too many invalid recipients
   #require acl = aux_delay
   accept

acl_check_data:
  warn condition = ${if !def:header_Date: {1}}
       hosts = :
       message = Date: $tod_full
  #deny message = REJECTED - No Subject or Body
  #     !condition = ${if def:h_Subject:}
  #     condition = ${if <{$body_linecount}{1}{true}{false}}
  accept

aux_delay:
   accept  hosts = *
           condition = ${if eq {$interface_port}{25}{1}{0}}
           delay = 30s
   accept

acl_check_mime:
   #deny message = Attached '$mime_filename' file has disallowed extension!
   #     condition = ${if match {${lc:$mime_filename}} {[.] *(gif|exe|scr)\$}}
   deny message = Bad attachment filename ($mime_filename): $acl_m1
        set acl_m1 = ${lookup {$mime_filename} nwildlsearch{CONFDIR/deny_mime} }
        condition = ${if def:acl_m1 }
   accept


begin routers

dnslookup:
   pass_on_timeout = true
   driver                  = dnslookup
   domains                 = ! +local_domains
   transport               = remote_smtp
   ignore_target_hosts = +unroutable
   no_more
   cannot_route_message = Remote domain not found in DNS

system_aliases:
   driver          = redirect
   domains          = +local_domains
   allow_fail
   allow_defer
   data             = ${lookup{$local_part}lsearch{/etc/aliases}}

set_address_data_uid:
   debug_print      = "R: set_address_data for $local_part@$domain"
   driver           = redirect
   check_local_user
   domains          = +local_domains
   address_data     = "$local_user_uid"
   data             =

local_user_low_uid:
   debug_print      = "R: local_user_low_uid for $local_part@$domain (uid $address_data)"
   driver           = redirect
   check_local_user
   domains          = +local_domains
   condition        = "${if <{$address_data}{1000}{1}}"
   data             = hostmaster

localuser:
   driver           = accept
   check_local_user
   domains          = +local_domains
   transport        = local_delivery


begin transports

remote_smtp:
   driver     = smtp

local_delivery:
   driver    = appendfile
   directory = $home/Maildir
   create_directory
   delivery_date_add
   envelope_to_add
   return_path_add
   maildir_format


begin retry

* * F,2h,15m; G,16h,1h,1.5; F,4d,6h


begin rewrite


begin authenticators

plain_server:
   driver = plaintext
   public_name = PLAIN
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   server_prompts = :
   server_condition = "${if and { {!eq{$auth2}{}} {!eq{$auth3}{}} \ 
         {crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}\
         search{CONFDIR/passwd}{$value}{*:*}}}}}} }{1}{0}}"
   server_set_id = $auth2

login_server:
   driver = plaintext
   public_name = LOGIN
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
   server_prompts = "Username:: : Password::"
   server_condition = "${if and { {!eq{$auth1}{}} {!eq{$auth2}{}} \
         {crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}\
         lsearch{CONFDIR/passwd}{$value}{*:*}}}}}} }{1}{0}}"
   server_set_id = $auth1

Die passwd Datei für exim und dovecot. Die einzige Methode, die ich gefunden habe, md5-Passwörter zu erzeugen, die mit exim und dovecot funktionieren, ist die kommentierte Perlzeile.
# exim4 / dovecot passwd file
#
# perl -MDigest::MD5=md5_hex -e 'print md5_hex($ARGV[0]),"\n"' password
# (mkpasswd -H md5, dovecotpw - don't work for exim4)
# crypt should also work for both
#

user:{md5}md5_hashed_password

Folgende Dateiberechtigungen sind völlig ausreichend. Besonders die Passwortdatei sollte diese Berechtigungen aufweisen.
$ chmod 0640 /etc/exim4/*
$ chgrp Debian-exim /etc/exim4/*

Eine dazu passende Konfiguration für dovecot, bei der die Passwörter in einer Datei stehen. dovecot-auth wird als Debian-exim gestartet, so dass der Zugriff auf /etc/exim4/passwd möglich ist.
# /etc/dovecot/dovecot.conf

protocols = pop3s

log_timestamp = "%Y-%m-%d %H:%M:%S "

ssl_disable = no
ssl_cert_file = /etc/ssl/CAcert/mail-server.crt
ssl_key_file = /etc/ssl/CAcert/mail-server.key

mail_location = maildir:~/Maildir
mail_extra_groups = mail

protocol imap {
}

protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}

auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/exim4/passwd
  }
  userdb passwd {
  }
  user = Debian-exim
}

dict {
}

plugin {
}

 
© 2001 - 2017 Frank Remetter