diff options
| author | Jason Gunthorpe <jgg@mellanox.com> | 2020-05-28 10:13:37 -0300 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@mellanox.com> | 2020-05-28 11:41:47 -0300 |
| commit | 192d633a13adf2d552f4257f4975b066204b9da9 (patch) | |
| tree | 544fd2e7ec777e2bbf123369fd3de064958425c6 /doc/example-exim4.conf | |
| parent | 72b3e5ff5d68d9f70257f9556068cc1e5de23e1c (diff) | |
| download | cloud_mdir_sync-192d633a13adf2d552f4257f4975b066204b9da9.tar.gz cloud_mdir_sync-192d633a13adf2d552f4257f4975b066204b9da9.tar.bz2 cloud_mdir_sync-192d633a13adf2d552f4257f4975b066204b9da9.zip | |
Add OAUTH Credential server
The OAUTH credential server allows CMS to ack as an OAUTH broker and
supply bearer tokens to other applications in the system. Currently this
only support SMTP tokens for outbound mail delivery.
A UNIX domain socket is used to communicate between the SMTP agent and CMS.
A simple one line protocol is used to specify the account requested and
CMS returns the plain XAOUTH2 response string. The agent is responsible to
base64 encode it.
This works for GMail and O365 mailboxes.
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'doc/example-exim4.conf')
| -rw-r--r-- | doc/example-exim4.conf | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/doc/example-exim4.conf b/doc/example-exim4.conf new file mode 100644 index 0000000..2f2c906 --- /dev/null +++ b/doc/example-exim4.conf @@ -0,0 +1,134 @@ +# Specify local domains HERE, these are names that might appear in email +domainlist local_domains = +domainlist relay_to_domains = +hostlist relay_from_hosts = localhost +# Create this file HERE +# It has single lines in the format: +# domain.com: host=smtp.office365.com::587 helo=cms user=user@domain.com oauth=/home/XX/mail/.cms/exim/unix +# oauth= may also be replaced with password= to do basic authentication. The +# file is searched based on the Envelope From when invoking sendmail +SMARTFN = /etc/exim4/exim-smart-hosts + +# We don't have IPv6, do not even try. +disable_ipv6=true + +# It is also a good idea to edit /etc/default/exim4 and switch to 'queueonly' mode (Debian) +local_interfaces = <; [127.0.0.1]:25 + +acl_smtp_rcpt = acl_check_rcpt +acl_smtp_data = acl_check_data + +tls_advertise_hosts = + +# Trusted users are allowed to override the sender envelope +trusted_users = # Add your user name HERE + +never_users = root + +host_lookup = * + +prdr_enable = true + +log_selector = +smtp_protocol_error +smtp_syntax_error \ + +tls_certificate_verified + +ignore_bounce_errors_after = 2d +timeout_frozen_after = 7d + +keep_environment = +add_environment = <; PATH=/bin:/usr/bin + +begin acl +acl_check_rcpt: + + # Standard input + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + + accept local_parts = postmaster + domains = +local_domains + + + require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + +begin routers + +# The router is sensitive to the sender address and will use the correct outgoing server. +# Use something like: +# exim -f 'user@domain.com' -bt user@otherdomain.com +# To quick test +smarthost: + debug_print = "R: smarthost for $local_part@$domain" + driver = manualroute + domains = ! +local_domains + transport = remote_smtp_smarthost + route_data = ${extract{host}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}} + no_more + +begin transports + +remote_smtp_smarthost: + debug_print = "T: remote_smtp_smarthost for $local_part@$domain" + driver = smtp + helo_data = ${extract{helo}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{$value}{wakko.ziepe.ca}} + hosts_require_auth = ${extract{user}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{*}{}} + hosts_require_tls = * + tls_tempfail_tryclear = false + tls_verify_certificates = system + +begin retry + +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + +begin rewrite + +# Replace user and domain HERE +root@+local_domains user@domain.com Ffrs +user@+local_domains user@domain.com Ffrs + +begin authenticators + +xoauth2_smart: + driver = plaintext + client_condition = ${if and {{!eq{$tls_out_cipher}{}} {eq{${extract{oauth}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{}fail}}{}}} } + public_name = XOAUTH2 + client_ignore_invalid_base64 = true + client_send = : ${readsocket{${extract{oauth}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{$value}fail}}{SMTP ${extract{user}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{$value}fail}}} + +# Plain has fewer round trips, so prefer to use it +plain_smart: + driver = plaintext + client_condition = ${if and {{!eq{$tls_out_cipher}{}} {eq{${extract{password}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{}fail}}{}}} } + public_name = PLAIN + client_send = ^${extract{user}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{$value}fail}^${extract{password}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}} + +login_smart: + driver = plaintext + client_condition = ${if and {{!eq{$tls_out_cipher}{}} {eq{${extract{password}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{}fail}}{}}} } + public_name = LOGIN + client_send = : ${extract{user}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}{$value}fail} : ${extract{password}{${lookup{$sender_address_domain}lsearch{SMARTFN}}}} |