Question re saslauthd with exim4 #72

Open
scbates930 opened this issue Nov 1, 2024 · 1 comment
Labels
code: coding Coding level: some coding knowledge needed content: edit/update Edit/Update existing content For: Server ToDo A case the server team needs to work on

Comments

@scbates930

Please describe the question or issue you're facing with "Install and configure Exim4 - Ubuntu Server documentation".
I followed the instructions, and find that I'm getting authentication problems/failures.

It appears to me that if you follow these instructions, saslauthd is using /etc/passwd for authentication, not /etc/exim4/passwd.
I was able to get the authentication to work with a dummy user created via useradd, but not using the documented script:
sudo /usr/share/doc/exim4-base/examples/exim-adduser

So the question is how to get saslauthd to use the /etc/exim4/passwd file and not the /etc/passwd file?


Reported from: https://documentation.ubuntu.com/server/how-to/mail-services/install-exim4/

@cpaelzer
Contributor

Thanks for the report @scbates930!
I'm really not a mail person, but I've run the example top to bottom and ended up with a system that had the user ubuntu:ubuntu only in /etc/passwd and testuser:testpassword only in /etc/exim4/passwd.

With that setup I was then testing whether TLS and SASL would be present. I know you only asked about SASL, but I wanted to check the whole document while I was at it.

First I checked with telnet the capabilities announced in reply to an EHLO, and they included 250-STARTTLS.
Next I checked with openssl s_client -connect localhost:25 -starttls smtp, which connected fine (New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384) and still responded.

FTR

root@n-exim4:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 n-exim4.lxd ESMTP Exim 4.97 Ubuntu Thu, 19 Dec 2024 12:07:44 +0000
EHLO
501 Syntactically invalid EHLO argument(s)
EHLO localhost
250-n-exim4.lxd Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
root@n-exim4:~# openssl s_client -connect localhost:25 -starttls smtp
...
SSL handshake has read 1482 bytes and written 406 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
250 HELP
EHLO localhost
250-n-exim4.lxd Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250-PRDR
250 HELP
DONE

As expected, we see that the capabilities differ: AUTH is offered only with TLS.
Still, we might use the above as hints on how to self-test in the document itself?
Not sure, would that help to avoid searching around too much, as I had to?

Then for authentication, which you actually asked about: I think I can confirm your report.

If I use the user/password from /etc/exim4/passwd, I am indeed denied:

root@n-exim4:~# swaks --to [email protected] --from [email protected] --server localhost --port 25 --tls --auth LOGIN --auth-user testuser --auth-password testpassword
=== Trying localhost:25...
=== Connected to localhost.
<-  220 n-exim4.lxd ESMTP Exim 4.97 Ubuntu Thu, 19 Dec 2024 12:10:34 +0000
 -> EHLO n-exim4.lxd
<-  250-n-exim4.lxd Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-PIPECONNECT
<-  250-CHUNKING
<-  250-STARTTLS
<-  250-PRDR
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS client certificate not requested and not sent
=== TLS no client certificate set
=== TLS peer[0]   subject=[/C=US]
===               commonName=[], subjectAltName=[] notAfter=[2027-12-19T11:49:45Z]
=== TLS peer certificate failed CA verification (self-signed certificate), failed host verification (using host localhost to verify)
 ~> EHLO n-exim4.lxd
<~  250-n-exim4.lxd Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250-PIPECONNECT
<~  250-AUTH PLAIN LOGIN
<~  250-CHUNKING
<~  250-PRDR
<~  250 HELP
 ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
 ~> dGVzdHVzZXI=
<~  334 UGFzc3dvcmQ6
 ~> dGVzdHBhc3N3b3Jk
<~* 535 Incorrect authentication data
*** No authentication type succeeded
 ~> QUIT
<~  221 n-exim4.lxd closing connection
=== Connection closed with remote host.

If instead I use the /etc/passwd user, it works:

root@n-exim4:~# swaks --to [email protected] --from [email protected] --server localhost --port 25 --tls --auth LOGIN --auth-user ubuntu --auth-password ubuntu
=== Trying localhost:25...
=== Connected to localhost.
<-  220 n-exim4.lxd ESMTP Exim 4.97 Ubuntu Thu, 19 Dec 2024 12:10:49 +0000
 -> EHLO n-exim4.lxd
<-  250-n-exim4.lxd Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-PIPECONNECT
<-  250-CHUNKING
<-  250-STARTTLS
<-  250-PRDR
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS client certificate not requested and not sent
=== TLS no client certificate set
=== TLS peer[0]   subject=[/C=US]
===               commonName=[], subjectAltName=[] notAfter=[2027-12-19T11:49:45Z]
=== TLS peer certificate failed CA verification (self-signed certificate), failed host verification (using host localhost to verify)
 ~> EHLO n-exim4.lxd
<~  250-n-exim4.lxd Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250-PIPECONNECT
<~  250-AUTH PLAIN LOGIN
<~  250-CHUNKING
<~  250-PRDR
<~  250 HELP
 ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
 ~> dWJ1bnR1
<~  334 UGFzc3dvcmQ6
 ~> dWJ1bnR1
<~  235 Authentication succeeded
 ~> MAIL FROM:<[email protected]>
<~  250 OK
 ~> RCPT TO:<[email protected]>
<~  250 Accepted
 ~> DATA
<~  354 Enter message, ending with "." on a line by itself
 ~> Date: Thu, 19 Dec 2024 12:10:49 +0000
 ~> To: [email protected]
 ~> From: [email protected]
 ~> Subject: test Thu, 19 Dec 2024 12:10:49 +0000
 ~> Message-Id: <[email protected]>
 ~> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 ~> 
 ~> This is a test mailing
 ~> 
 ~> 
 ~> .
<~  250 OK id=1tOFMf-000000006Wn-1X9T
 ~> QUIT
<~  221 n-exim4.lxd closing connection
=== Connection closed with remote host.

Now, looking at the config, that is not surprising.
/etc/default/saslauthd has the following by default:

...
MECHANISMS="pam"
...

Which to me means: use local PAM, which would be /etc/passwd.
I experimented a bit with saslpasswd2 and MECHANISMS="sasldb", but that didn't get me far.

As far as I've analyzed in this short time, the user created with exim-adduser is for when you'd use the less advanced internal authentication (= not saslauthd); or we use the better saslauthd, but then need to configure it further, as I started above.

For now let me conclude that I agree that the example setup is testing the login against PAM, and due to that it isn't entirely clear what we'd need exim-adduser for in the example.

I think saslauthd against PAM is better, but we should describe it as such then.
And maybe mention how to set up SASL to use a different sasldb IF the user wants that (as a step following the base setup with PAM).

Furthermore, it might be just me, but I'd like to use the examples above to allow users to self-check the setup.

Let me raise this with the people who deal with the package a bit more often and who have had some earlier contact with this documentation page.

@cpaelzer cpaelzer added code: coding Coding level: some coding knowledge needed content: edit/update Edit/Update existing content For: Server ToDo A case the server team needs to work on and removed server: needs triage labels Dec 19, 2024
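The two swaks sessions quoted in the thread show the behaviour the commenter asks to turn into a self-check: AUTH is advertised only in the EHLO reply sent after STARTTLS, and the AUTH LOGIN exchange itself carries the username and password as bare base64, which is why Exim hides the authenticators until the connection is encrypted. The script below is an added example, not code from the issue, from Exim or from the Ubuntu documentation. It parses a swaks transcript in the format shown above (`->`/`<-` for cleartext lines, `~>`/`<~` for lines sent under TLS, `<~*` for an error reply), reports which capabilities were offered in each phase, decodes the AUTH LOGIN challenge/response pairs, and flags a server that offers AUTH before STARTTLS. The sample transcript is constructed from the failing session in the thread, condensed to the lines that matter; the function names are this example's own.

```python
"""Check a swaks SMTP transcript: AUTH only after STARTTLS, and what AUTH LOGIN exposes."""
import base64
import re

# Constructed sample: the failing session quoted in the thread, condensed.
SAMPLE_TRANSCRIPT = """\
<-  220 n-exim4.lxd ESMTP Exim 4.97 Ubuntu Thu, 19 Dec 2024 12:10:34 +0000
 -> EHLO n-exim4.lxd
<-  250-n-exim4.lxd Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
 ~> EHLO n-exim4.lxd
<~  250-n-exim4.lxd Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-AUTH PLAIN LOGIN
<~  250 HELP
 ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
 ~> dGVzdHVzZXI=
<~  334 UGFzc3dvcmQ6
 ~> dGVzdHBhc3N3b3Jk
<~* 535 Incorrect authentication data
 ~> QUIT
"""

# swaks line prefixes: "<-"/"->" are cleartext, "<~"/"~>" are under TLS,
# and "<~*" marks an error reply. "===" status lines carry no protocol data.
LINE_RE = re.compile(r"^\s*(<-|->|<~\*?|~>)\s*(.*)$")


def parse_transcript(text):
    """Yield (direction, over_tls, payload) for every protocol line of a swaks transcript."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        marker, payload = m.groups()
        direction = "client" if marker.endswith(">") else "server"
        yield direction, "~" in marker, payload.rstrip()


def analyze(text):
    """Summarise EHLO capabilities per phase, decode the AUTH LOGIN exchange, record the outcome."""
    caps = {False: [], True: []}   # EHLO capability keywords keyed by over_tls
    login = {}                     # decoded server prompt -> decoded client answer
    pending_prompt = None
    in_auth = False
    result_code = None
    for direction, over_tls, payload in parse_transcript(text):
        if direction == "server":
            code, rest = payload[:3], payload[4:]
            if code == "250" and "Hello" not in rest:
                # "250-AUTH PLAIN LOGIN" -> "AUTH"; the "Hello" greeting line is skipped
                caps[over_tls].append(rest.split()[0])
            elif code == "334" and in_auth:
                pending_prompt = base64.b64decode(rest).decode()
            elif code in ("235", "535") and in_auth:
                result_code = int(code)
                in_auth = False
        elif payload.upper() == "AUTH LOGIN":
            in_auth = True
        elif in_auth and pending_prompt is not None:
            # The client answer is base64 only: readable by anyone who sees the bytes.
            login[pending_prompt] = base64.b64decode(payload).decode()
            pending_prompt = None
    return {
        "caps_cleartext": caps[False],
        "caps_tls": caps[True],
        "auth_offered_cleartext": "AUTH" in caps[False],
        "auth_offered_tls": "AUTH" in caps[True],
        "login_exchange": login,
        "auth_result": result_code,
    }


def check_policy(report):
    """Return the findings a documentation self-check should flag (empty list means all good)."""
    findings = []
    if report["auth_offered_cleartext"]:
        findings.append("AUTH advertised before STARTTLS: credentials could be sent in the clear")
    if "STARTTLS" not in report["caps_cleartext"]:
        findings.append("STARTTLS not advertised: TLS setup from the document is not active")
    if not report["auth_offered_tls"]:
        findings.append("AUTH not advertised after STARTTLS: SASL/saslauthd setup is not active")
    return findings


if __name__ == "__main__":
    rep = analyze(SAMPLE_TRANSCRIPT)
    print(rep)
    print(check_policy(rep) or "setup matches the expected policy")
```

Running it on the sample prints `auth_result` 535, the decoded prompts `Username:` / `Password:` with `testuser` / `testpassword`, and no policy findings: the server in the thread behaves as it should, and the failure is purely the backend mismatch (saslauthd checking PAM rather than /etc/exim4/passwd). To self-check a real install, capture `swaks --tls --auth LOGIN ...` output to a file and feed it to `analyze()` in place of the constructed sample.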