pam_exim

Translations and other documentation about pam_exim

There is a howto for setting up pam_exim on Debian, in Italian and Spanish, available from max@maximumdebian.org.

There is also a Polish version of this page.
You can find it here. Thanks to taniell@codeminion.com for the translation.

What is it?

pam_exim is a patched version of the pam_unix module that comes with the Linux-Pam package (http://kernel.org/pub/linux/libs/pam/).

It is designed to authenticate a user/password pair not only for root, but also for one special user/group, which in my configuration is the user running the EXIM MTA.

For security reasons it checks the calling user/group, and it checks that the UID of the user being authenticated is greater than MINUID.
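The two checks described above, written out as an added example (this is not the pam_exim source). It assumes the caller must be root or match both EXIMUID and EXIMGID; the function names are hypothetical, and the constants carry the same names and default values as the defines in modules/pam_exim/unix_chkpwd.c.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same names as the defines in unix_chkpwd.c; values are the defaults shown on this page. */
#define MINUID  500
#define EXIMUID 8
#define EXIMGID 12

/* Assumed policy: the caller is root, or runs with both the Exim UID and GID. */
static int caller_allowed(uid_t uid, gid_t gid)
{
    return uid == 0 || (uid == EXIMUID && gid == EXIMGID);
}

/* The account being authenticated must have a UID strictly above MINUID,
 * so root and system accounts can never be checked through this path. */
static int target_allowed(uid_t target_uid)
{
    return target_uid > MINUID;
}

/* Hypothetical gate: 1 only if both checks pass; unknown users are refused. */
int may_check_password(uid_t caller_uid, gid_t caller_gid, const char *user)
{
    struct passwd *pw;

    if (user == NULL || !caller_allowed(caller_uid, caller_gid))
        return 0;
    pw = getpwnam(user);
    if (pw == NULL)
        return 0;
    return target_allowed(pw->pw_uid);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    int ok = may_check_password(getuid(), getgid(), user);

    printf("caller uid=%d gid=%d, target %s: %s\n",
           (int)getuid(), (int)getgid(), user, ok ? "allowed" : "refused");
    return ok ? 0 : 1;
}
```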

In my configuration I use the module to let exim authenticate system-users for relay-control with smtp-auth.

This should only be done when you use TLS to encrypt your SMTP sessions, because otherwise your username and password cross the internet only base64-encoded, which is an encoding and not encryption.

It is tested on RedHat Linux 6.x/7.x with the source of linux-pam-0.75 but should run on all Linux distributions that support PAM.

Requirements for use with the EXIM-MTA:

- Linux with PAM
- Exim-MTA with PAM-support compiled in
- TLS-support for exim (optional, but recommended)


In theory there are lots of other things you could do with this patched pam_unix,
but I intended it to work with exim and its default configuration is for use with EXIM.

Installation:

Download the Linux-Pam-modules from http://kernel.org/pub/linux/libs/pam/ and the pam_exim-package here.

First unpack the Linux-Pam-modules, then unpack pam_exim from within their source-directory. This adds a directory called pam_exim under modules.

Edit the file modules/pam_exim/unix_chkpwd.c and set the lines

#define MINUID 500
#define EXIMUID 8
#define EXIMGID 12

to the appropriate values for your installation.

Run configure for the pam-modules and then make. Run make install and you're ready to run.

If you just want to add the pam_exim module and leave the rest of PAM untouched, just run configure, change directory to modules/pam_exim and do a make. Do a make install and you're ready to run.

Configuration

Add a file named exim to /etc/pam.d/ with the following content:

#%PAM-1.0
auth required /lib/security/pam_exim.so
account required /lib/security/pam_permit.so

Or, if you have one single PAM configuration file, pam.conf, add this to pam.conf:

exim auth required /lib/security/pam_exim.so
exim account required /lib/security/pam_permit.so

After that you should be able to use exim with pam-authentication for smtp-auth of any system-user with UID > MINUID.

The configuration for smtp-auth with Exim and PAM is published on the exim.org-site here.

I personally use this configuration in the authentication-part of the exim configuration-file.

IMPORTANT FOR RH 9 AND kernel 2.6.X-USERS

Greg Owen contacted me to tell me that pam_exim does not work with Red Hat 9. He assumed it would be caused by changed signal handling.

The logfile would show errors like these:
Jul 7 10:30:14 mail exim(pam_exim)[17379]: args to give gowen
Jul 7 10:30:14 mail kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Jul 7 10:30:14 mail exim_chkpwd[17379]: pass okay - returnig UNIX_PASSED
Jul 7 10:30:14 mail exim(pam_exim)[17378]: authentication failure; logname= uid=95 euid=95 tty= ruser= rhost= user=gowen

He sent me a patch which fixes the problem.

I did not check the patch, but Greg said it would work.

Contact

If you have any problems, contact the author.

Disclaimer

This software is left as-is without guarantee or any kind of support. I do not claim any copyrights. I just added a few lines to the pam_unix-module and deleted some out of it.