What is exim in linux

Exim is a versatile mail transfer agent. This article builds upon Mail server. While the Exim wiki provides some helpful how-tos on certain specific use cases, a detailed description of all configuration options is available as well.

Installation

Basic configuration

Exim comes with a bulky default configuration file located at /etc/mail/exim.conf. Many of the options in it are not needed in a regular use case. By default, configuration is done in a single file made up of several sections. Below is a very basic configuration that provides local delivery to system users (Maildir format) and authorized relaying to MX hosts. The description is based on a domain «mydomain.tld» served by a host «hostname.mydomain.tld». It is highly recommended to consult the official documentation before using the configuration given below.

Main parameters

Main parameters contain some basic options. Using solely these options would open ports for connections, but no mail would be accepted or relayed anywhere yet.

TLS, security & authentication

This article or section needs expansion.

To obtain a certificate, see OpenSSL#Usage.

The first part of the following options is still part of the first (main) configuration section of Exim. The line «begin authenticators» starts the first special section of the Exim configuration; there will be more such sections later. Below, some very basic security-related options are defined, TLS is set up, and a plain text authenticator using a user/password lookup is introduced.
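A main section of this shape, as an added example that is not part of the original article: it sets the host and domain names used throughout, opens the SMTP ports, offers STARTTLS and defines a PLAIN authenticator that checks a user against a password file. The paths under /etc/mail/, the password file format (one «user: crypt(3) hash» line per user) and the ACL names are assumptions.

```exim
# Main section for hostname.mydomain.tld serving mydomain.tld (added example).
primary_hostname = hostname.mydomain.tld

domainlist local_domains    = @ : mydomain.tld
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1 : ::1

daemon_smtp_ports = 25 : 587

# Named ACLs; they are defined later in the "begin acl" section.
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

# Offer STARTTLS to everyone. Certificate paths are assumptions.
tls_advertise_hosts = *
tls_certificate = /etc/mail/tls/hostname.mydomain.tld.crt
tls_privatekey  = /etc/mail/tls/hostname.mydomain.tld.key

begin authenticators

# PLAIN over TLS only: the mechanism is not even advertised on a cleartext
# session, so a password can never be sent unencrypted.
# Assumed password file /etc/mail/passwd: "user: <crypt(3) hash>" per line.
plain_login:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if crypteq{$auth3}{${lookup{$auth2}lsearch{/etc/mail/passwd}{$value}fail}}}
  server_set_id = $auth2
  server_advertise_condition = ${if def:tls_in_cipher}
```

The lookup ends in fail, so an unknown user makes the whole condition fail instead of comparing against an empty string; server_set_id records the authenticated user in the log line of every message the client submits.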

Routing, transport & retry

For each recipient of a message, routing is performed as follows: the routers are tested in the order given in the routers section. Each router may have conditions (e.g. domains = ! +local_domains). Only if all conditions are met is the message handed over to the defined transport (e.g. transport = smtp). If the transport fails or not all conditions of a router are fulfilled, the next router is tested.

Use manualroute

If you want to use manualroute instead, comment out the dnslookup block and add the smarthost block.
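The routers, transports and retry rule described in the two sections above, as an added example (not the article's own configuration): a dnslookup router for remote domains, the manualroute alternative ready to be swapped in, and Maildir delivery for system users. The relay host name relay.mydomain.tld is an assumption.

```exim
begin routers

# Remote domains: resolve MX records and deliver directly. Comment this
# router out and uncomment "smarthost" below to send everything via a relay.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  # Never deliver to addresses a poisoned or sloppy DNS answer points at us.
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

# Alternative: hand every non-local domain to a single relay (assumed name).
#smarthost:
#  driver = manualroute
#  domains = ! +local_domains
#  transport = remote_smtp
#  route_list = * relay.mydomain.tld
#  no_more

# Local domains: the local part must be a login name, otherwise the message
# is bounced with the given text instead of being tried by further routers.
localuser:
  driver = accept
  check_local_user
  transport = local_maildir
  cannot_route_message = Unknown user

begin transports

remote_smtp:
  driver = smtp

local_maildir:
  driver = appendfile
  maildir_format
  directory = $home/Maildir
  delivery_date_add
  envelope_to_add
  return_path_add

begin retry

# Retry every 15 minutes for 2 hours, then with growing intervals up to 4 days.
*  *  F,2h,15m; G,16h,1h,1.5; F,4d,6h
```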

ACL: Access Control Lists

Access Control Lists are at the heart of Exim. They are required for basic checks and may be used for sophisticated message processing. In general the overall message processing in Exim is:

With this it is important to note that messages coming from authenticated clients are (by default) treated by the same ACL as messages coming from other mail servers. Exim knows a full set of different ACLs. Good knowledge of the SMTP protocol is required to choose the correct set of ACLs.

For a basic setup two ACLs are mandatory: acl_smtp_rcpt and acl_smtp_data. These default to deny, while all others default to accept. The example below just prevents being an open relay. This setup has multiple security flaws (e.g. all authenticated users may use any mail address). If added to an existing configuration, it must be added before any other special section (i.e. before any existing «begin»).
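An ACL section of the kind just described, as an added example that is not the article's own: it accepts mail for local and relay domains only after verifying the recipient, lets trusted networks and authenticated clients relay, and denies everything else. The list names match the main-section example above and are assumptions.

```exim
begin acl

# RCPT-time checks. The one guarantee here is "not an open relay"; sender
# address checks for authenticated users, DNSBLs etc. would be added too.
acl_check_rcpt:
  # Mail submitted on this machine without SMTP has no remote host: accept.
  accept  hosts = :

  # Refuse local parts that start with a dot or contain shell-ish characters.
  deny    message = Restricted characters in address
          domains = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  # Our own domains: accept only if the recipient can actually be routed.
  accept  domains = +local_domains
          endpass
          message = Unknown user
          verify = recipient

  # Domains we act as (secondary) MX for.
  accept  domains = +relay_to_domains
          endpass
          message = Unrouteable address
          verify = recipient

  # Trusted networks and authenticated clients may relay anywhere.
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # Anyone else asking us to deliver elsewhere is trying to relay: refuse.
  deny    message = Relay not permitted

# DATA-time checks: nothing in this minimal setup; content scanning goes here.
acl_check_data:
  accept
```

endpass turns a failed verify into a rejection with the given message rather than letting the statement fall through to the final deny, so a mistyped local address gets "Unknown user" instead of the misleading "Relay not permitted".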

Hide machine name

If you have a laptop, or a machine in a smarthost configuration, where you do not want the name of the machine to appear in the outgoing email then you must enable exim’s rewriting facilities.

In the Rewriting section you should have something like:

where machine is the hostname of your laptop or PC and mydomain is the domain name of the machine and of the outgoing mail. To rewrite only the sender domain, add the special flag (F) at the end of the line. See the upstream documentation for details.
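A rewrite section for that case, as an added example rather than the article's own lines; machine.mydomain.tld and mydomain.tld are the placeholder names used in the text.

```exim
begin rewrite

# Every address at the laptop's own name becomes an address at the domain.
# "$1" is whatever the "*" matched. With no flags the rule applies to all
# envelope addresses and address headers (From:, To:, Cc:, ...).
*@machine.mydomain.tld   $1@mydomain.tld

# Variant with the F flag: only the envelope sender (return path) is
# rewritten and header addresses are left alone.
#*@machine.mydomain.tld   $1@mydomain.tld   F
```

Rewriting happens when the message enters Exim, so the machine name is also absent from the Received: line's envelope data; the HELO name sent to the smarthost is still $primary_hostname and is a separate setting.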

Startup

Dovecot LMTP delivery & SASL authentication

This article or section needs expansion.

In this section the integration of Dovecot is described. It is assumed that Dovecot and Exim are already set up and configured. Dovecot will serve as SASL authenticator and local transport mechanism. For this purpose the Dovecot services will be set up as follows.

To use the Dovecot SASL in a TLS protected environment, add the following authenticator to Exim.

The existing router for local delivery can be reused. You may want to consider adding dsn_lasthop to the router definition. If DSN is used, Exim will then assume final delivery of the message at this point. In the transport section the transport for local delivery must be replaced by the following transport definition.

The host is specified in the router, not the transport. Thus, the router must look like:

Furthermore, your Dovecot lmtp service must be adjusted accordingly. For example, here is a Git commit that fixes this exact issue.

Since Dovecot is configured to provide a unix socket for the exim user, you may harden your security by adding the following line to the main configuration section.
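The authenticator, router and transport described in this section, as an added example that is not the article's own configuration. It assumes Dovecot exposes its auth-client and lmtp unix sockets under /run/dovecot/ with the exim user allowed to connect; check the service auth and service lmtp blocks of your dovecot.conf for the real paths.

```exim
begin authenticators

# Exim hands the PLAIN credentials to Dovecot and trusts its verdict.
# Only offered on an encrypted session.
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /run/dovecot/auth-client
  server_set_id = $auth1
  server_advertise_condition = ${if def:tls_in_cipher}

begin routers

# Replaces the system-user router: everything for a local domain goes to
# Dovecot. dsn_lasthop makes Exim treat this hop as the final delivery for
# DSN purposes, so a "delivered" DSN is generated here.
dovecot_delivery:
  driver = accept
  domains = +local_domains
  transport = dovecot_lmtp
  dsn_lasthop

begin transports

# LMTP over the unix socket; up to 200 recipients share one session.
dovecot_lmtp:
  driver = lmtp
  socket = /run/dovecot/lmtp
  batch_max = 200
```

Because recipient existence is now decided by Dovecot at LMTP time rather than by check_local_user, keep verify = recipient in the RCPT ACL only if Dovecot's LMTP service rejects unknown users at RCPT, otherwise unknown addresses are accepted and bounced later.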

Using Gmail as smarthost

In the beginning of the exim conf file, you must enable TLS using

or, to advertise TLS to all hosts:

More information about TLS can be found in the exim documentation.

Add a router before or instead of the dnslookup router:

Add a transport:

Because of host verification, your exim log might contain

But this has no effect on mail delivery and can be ignored. Add an authenticator (replacing myaccount@gmail.com and mypassword with your own account details):

$host_address is used for hosts_require_auth and hosts_require_tls instead of smtp.gmail.com to avoid occasional 530 5.5.1 Authentication Required errors. These are caused by the changing IP addresses in DNS queries for smtp.gmail.com. $host_address will expand to the particular IP address that was resolved by the gmail_route router.

For added security, use a per-application password. This works with Google Apps accounts as well.
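The router, transport and authenticator of this section put together, as an added example and not the article's own snippets. myaccount@gmail.com and mypassword are placeholders; the account value should be an app password, never the account's real password.

```exim
# Main section: offer TLS ourselves as well (needed for STARTTLS on the
# client side to be usable too).
tls_advertise_hosts = *

begin routers

# All non-local mail goes to Gmail's submission service.
gmail_route:
  driver = manualroute
  domains = ! +local_domains
  transport = gmail_relay
  route_list = * smtp.gmail.com

begin transports

gmail_relay:
  driver = smtp
  port = 587
  # $host_address is the IP gmail_route resolved, so the requirement keeps
  # matching even when smtp.gmail.com rotates between addresses. Requiring
  # both TLS and auth means a downgrade attempt fails instead of leaking
  # the credentials in the clear.
  hosts_require_auth = $host_address
  hosts_require_tls  = $host_address

begin authenticators

# LOGIN sends an empty initial response, then user name, then password.
gmail_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : myaccount@gmail.com : mypassword
```

Since the password sits in exim.conf, keep the file readable only by root and the exim user; anyone who can read it can send mail as the account.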

Hardening

Rate limits

Security breaches happen. If you do not have any service that submits local mail (receiving mail from localhost on a port is not considered local submission), completely disable local submission. Do so by adding acl_not_smtp = acl_local to the main section and adding the following simple ACL to the acl section.

If local submission is required, consider imposing a rate limit on it. Do so by adding acl_not_smtp = acl_local to the main section and adding the following ACL to the acl section. It imposes two rate limits: 20 mails in a single minute and 30 mails in 10 minutes. With this a burst of locally submitted alerts is possible while
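Both variants of acl_local described above, as an added example that is not the article's own ACL: the first disables local submission outright, the second caps it at 20 messages per minute and 30 per 10 minutes. The ratelimit keys are names I chose; all local senders share one counter per window.

```exim
# Main section: run locally submitted (non-SMTP) messages through acl_local.
acl_not_smtp = acl_local

begin acl

# Variant 1: nothing on this host is supposed to submit mail locally.
#acl_local:
#  deny    message = Local mail submission is disabled on this host

# Variant 2: allow local submission but rate-limit it. "strict" keeps
# counting messages that were rejected, so a runaway or hijacked process
# stays blocked while it keeps trying instead of getting a fresh window.
acl_local:
  deny    message   = Too many locally submitted messages in the last minute
          ratelimit = 20 / 1m / strict / local-burst
  deny    message   = Too many locally submitted messages in the last 10 minutes
          ratelimit = 30 / 10m / strict / local-sustained
  accept
```

Rejected local submissions show up in mainlog with the deny message, which is exactly the signal to alert on: a host that normally sends a handful of cron mails per day hitting this limit is worth a look.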

Troubleshooting

451 Temporary local problem

If you are getting a «451 Temporary Local Problem» when testing SMTP, you are probably sending as root. By default Exim will not allow you to send as root.

Exim Overview

Exim is a message transfer agent (MTA).

Installation

Exim generally comes with a default Debian installation. If you need to use ACLs and other features, you may need to install exim4-daemon-heavy.

Configuration

The README.Debian.gz file included in the exim4 packages details Debian style configuration exhaustively.

Generally, the Debian Exim 4 packages are configured through debconf. The install prompts for questions during package installation, and your initial Exim configuration is created from your answers. You can repeat the configuration process at any time by invoking:

Despite the default configuration being extended somewhat from the original upstream, chances are that you’ll need to manually change the Exim configuration with an editor if you intend to do something that is not covered by the debconf-driven configuration. It has never been the packages’ intention to offer all possible configuration methods through debconf.

There are three ways you can configure exim4: a single monolithic file, split files, or your own file.

The configuration file is generated from these config files using the following command (yes, it has .conf in the name):

After which you should restart exim4 with something like

Single Exim4 configuration file

If you select this option in debconf, configuration will be generated from the /etc/exim4/exim4.conf.template file.

The default file is rich with features which can be enabled and controlled merely by setting the values of various macros.

Incidentally, the /etc/exim4/exim4.conf.localmacros file will be read in first, which makes it the ideal place to put any macros you may want to set. Using this file you can control various features (DKIM for example) and still gain the benefits of not touching the debian provided files, so hopefully having more seamless upgrades.

Split file

In this scenario the configuration is split across many smaller files stored in /etc/exim4/conf.d/, which are then assembled into one file for you by the update-exim4.conf command. Each section of the configuration file has its own subdirectory, and the files therein are concatenated in alphabetical order. It is therefore a good idea to name your custom files something like 00_exim4-my-config so they are included first.

This mode of operation allows for your own sections of configuration to be inserted at any location in the final config file, without touching any of the package provided files. The idea being that upgrades become very reliable.

Your own file

Simply install your own file as /etc/exim4/exim4.conf and exim will use that file verbatim.

To have something to start with, you can either take /etc/exim4/exim4.conf.template, run update-exim4.conf --keepcomments --output /etc/exim4/exim4.conf, or use upstream's default configuration file that is installed as /usr/share/doc/exim4-base/examples/example.conf.gz.

You are going to lose all the magic you get from packaging though, so you need to be familiar with Exim to build an actually working config.

Note that /etc/exim4/exim4.conf is read directly by exim4 every time exim forks. So if you edit it in place, each smtp connection will actually read a different configuration file!

Location of the auto-generated config

For reference, the file generated by update-exim4.conf is /var/lib/exim4/config.autogenerated.

Avoid editing this file in place!

Stand-alone example

This configuration has been tested on a server and ought to be suitable for internal use:

This writes the configuration to /etc/exim4/update-exim4.conf.conf.

Things you might want to configure

TLS and authentication

Generating a local certificate

Generate a certificate using:

It will generate exim.crt and exim.key in /etc/exim4/

Instead of generating a certificate, you may simply copy certificates that you have purchased or generated previously.

Edit /etc/exim4/exim4.conf.localmacros and add the following line:

This, of course, may be already enabled in the main configuration template «exim4.conf.template»

As with any change to the configuration, run update-exim4.conf, then restart exim (service exim4 restart) or, if you are using systemd, systemctl restart exim4.service.

Dual stack RSA/ECDSA configuration

If you wish to support both ECDSA and RSA algorithms, you can provide more than one certificate:

Exim will select a certificate to present to the client based on the selected cipher. The priority order for ciphers will affect which certificate is used.
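The localmacros file for the two subsections above, as an added example that is not the wiki's own: it enables TLS and provides an RSA and an ECDSA certificate. The MAIN_TLS_CERTIFICATE and MAIN_TLS_PRIVATEKEY macro names are the ones the Debian template reads as far as I know; confirm them against your exim4.conf.template, and the file names under /etc/exim4/ are assumptions.

```exim
# /etc/exim4/exim4.conf.localmacros (added example)
MAIN_TLS_ENABLE = yes

# Dual stack: tls_certificate and tls_privatekey accept colon-separated
# lists. The n-th key must belong to the n-th certificate; Exim presents the
# pair whose key type matches the cipher negotiated with the client.
MAIN_TLS_CERTIFICATE = /etc/exim4/exim.rsa.crt : /etc/exim4/exim.ecdsa.crt
MAIN_TLS_PRIVATEKEY  = /etc/exim4/exim.rsa.key : /etc/exim4/exim.ecdsa.key
```

After update-exim4.conf and a restart, exim4 -bP tls_certificate shows the expanded list, and a test connection with openssl s_client -starttls smtp against port 25 shows which certificate was picked for the cipher it negotiated. Key files must stay readable by the Debian-exim user and nobody else.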

Communicating with a smarthost

If, like most home users, you are not actually running an Internet server but instead are using e-mail accounts from an ISP or other company (e.g. gmail, hotmail, yahoo mail, etc.), you will need to communicate with their smtp server to send mail.

Every company seems to configure their server differently and puts different restrictions on how you can send mail. This makes configuring Exim4 difficult to describe as a general case. Adding TLS makes things even more complicated. However, you should always use TLS (if available) so that your login is sent encrypted.

I’m going to describe a setup that should work in most cases when you are sending mail using a single account to a single smarthost.

  1. Select one of the smarthost options when running dpkg-reconfigure exim4-config. When specifying the smarthost, include both the smarthost server name and the port it wants you to use (e.g. example.com::465). Note the double colons.
  2. Add authentication credentials for a specific server to /etc/exim4/passwd.client, one entry per line in the form server:login:password (e.g. server.example.com:mymail@example.com:abdc1243), or specify credentials for every server with a wildcard, *:login:password (e.g. *:mymail@example.com:abdc1243).
  3. Add the following lines to /etc/exim4/exim4.conf.localmacros (you may need to create it if it does not exist):
  4. Add the following to /etc/exim4/exim4.conf.template after the .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif block:
  5. Add the following after .ifdef MAIN_TLS_ENABLE:
  6. The SMTP server may reject mail without a proper From: address. Add a line to /etc/email-addresses to link each Linux user to an email address, e.g.:
  7. Run update-exim4.conf followed by service exim4 restart.
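The files touched by the steps above (and by the passwd.client step of the «Smarthost with Authentication» section further down), as an added example that is not the wiki's own: credentials for one smarthost on port 465, macros that force TLS and implicit TLS (smtps) towards it, and the sender mapping. REQUIRE_PROTOCOL is a macro name I made up for this example; REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS is the one the Debian template already tests. Host and account details are placeholders.

```exim
# --- /etc/exim4/passwd.client: host:login:password, one smarthost per line.
# The file holds a secret: keep it readable by root and the Debian-exim
# group only (the package default).
smtp.example.com:mymail@example.com:abdc1243

# --- /etc/exim4/exim4.conf.localmacros
MAIN_TLS_ENABLE = yes
# Never talk to any smarthost without TLS; if TLS cannot be negotiated the
# message is deferred rather than sent (and authenticated) in the clear.
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
# example.com::465 in debconf means TLS from the first byte, not STARTTLS.
REQUIRE_PROTOCOL = smtps

# --- /etc/exim4/exim4.conf.template, inside the remote_smtp_smarthost
# transport, directly after the REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS block:
.ifdef REQUIRE_PROTOCOL
  protocol = REQUIRE_PROTOCOL
.endif

# --- /etc/email-addresses: local user -> address the smarthost accepts.
root: mymail@example.com
alice: mymail@example.com
```

The template's hosts_try_auth already picks credentials from passwd.client for the matching host, so no authenticator needs to be written by hand. Drop the REQUIRE_PROTOCOL lines and use port 587 when the provider offers STARTTLS there; both are encrypted, the difference is only who starts TLS.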

SPF filtering

This is provided via the macro CHECK_RCPT_SPF; set it to true.

Exim uses a helper tool, which you will need to install.

You should then run update-exim4.conf and restart exim.

DNS Blacklists

You can configure exim to use DNS Blacklists with the macro CHECK_RCPT_IP_DNSBLS :

The default behaviour is not to block the hosts found in the lists, but just to add a warning header. In order to truly blacklist the spammers, change 'warn' to 'deny' in the following block:

Then restart exim.
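The SPF and DNSBL settings of the two sections above side by side, as an added example that is not the wiki's own: the localmacros lines, and the deny form of the DNSBL statement. The two list names are real public DNSBLs chosen for illustration; pick the ones your policy allows. Exempting your own networks and authenticated users is my addition, so a customer on a listed dynamic IP range can still submit mail.

```exim
# --- /etc/exim4/exim4.conf.localmacros
# Evaluate SPF at RCPT time (the helper package must be installed).
CHECK_RCPT_SPF = true
# DNS blacklists to query for the connecting IP.
CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org : bl.spamcop.net

# --- conf.d/acl/30_exim4-config_check_rcpt (or exim4.conf.template):
# the package default "warn" only tags the message; this is the "deny"
# form, which rejects listed hosts before they can send any content.
.ifdef CHECK_RCPT_IP_DNSBLS
  deny
    !hosts = +relay_from_hosts
    !authenticated = *
    message = $sender_host_address is listed at $dnslist_domain ($dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_text)
    dnslists = CHECK_RCPT_IP_DNSBLS
.endif
```

A DNSBL answer is a DNS lookup against a third party on every connection: a resolver outage or a list that starts returning errors shows up in the log as listed-host lines disappearing, not as mail loss, so keep an eye on the rejection rate after enabling deny.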

Email sub-addressing (plus-signs as in Gmail)

These can easily be achieved by adding something similar to the following in one or more of your router definitions:

The above example would deliver user+example@domain.com, user-example@domain.com and user_example@domain.com to user@domain.com.

Similarly, you could use a prefix instead with these similarly named options

The above example would deliver example+user@domain.com, example-user@domain.com and example_user@domain.com to user@domain.com.

In either case, you could then use sieve filtering, config tricks or your email client to apply delivery rules.
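Both forms in a Debian-style local user router, as an added example that is not the wiki's own lines. The transport name mail_spool is the one the Debian template uses for system users as far as I know; check your conf.d/transport/ directory.

```exim
# Suffix form: user+tag@, user-tag@ and user_tag@ are all delivered to
# "user". The stripped part is available as $local_part_suffix for sieve
# or the delivery transport to act on.
local_user:
  driver = accept
  check_local_user
  local_part_suffix = +* : -* : _*
  local_part_suffix_optional
  transport = mail_spool
  cannot_route_message = Unknown user

# Prefix form: tag+user@, tag-user@ and tag_user@ are delivered to "user".
#local_user:
#  driver = accept
#  check_local_user
#  local_part_prefix = *+ : *- : *_
#  local_part_prefix_optional
#  transport = mail_spool
#  cannot_route_message = Unknown user
```

If any login names on the system contain a hyphen or underscore, leave those two patterns out: a matching pattern is stripped before check_local_user runs, so mail for such an account would be looked up under the truncated name.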

Install diagnostic tools

Test the connection:

Note that above we are sending an empty password while testing with the swaks tool.

Some ISPs may block connections to port 25, and some broken clients insist on TLS on port 465.

To support these, change /etc/default/exim4 as:

Also edit /etc/exim4/exim4.conf.template:

User authentication

Adding user authentication is possible using tools like Dovecot or sasl2-bin. For shell users who would like to use SASL and PAM for password authentication, that can be set up this way:

Edit /etc/default/saslauthd to enable saslauth:

Start the daemon:

In /etc/exim4/exim4.conf.template, uncomment the following lines to enable authentication via saslauthd:

Add exim to the sasl group:

Test the connection using your username:

Enable IMAP access by installing Courier-IMAP or similar.
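The listener ports from the «Install diagnostic tools» section and the saslauthd authenticator from this one, as an added example that is not the wiki's own: exim listens on 25, 465 and 587, port 465 is TLS-on-connect, and PLAIN logins are checked against PAM via saslauthd but only on an encrypted session. The pid file path is an assumption.

```exim
# --- /etc/default/exim4 (a shell variable, shown here for completeness):
# SMTPLISTENEROPTIONS='-oX 25:465:587 -oP /var/run/exim4/exim.pid'

# --- exim4.conf.template, main section, after .ifdef MAIN_TLS_ENABLE:
# 465 speaks TLS from the first byte ("smtps"); 25 and 587 use STARTTLS.
tls_on_connect_ports = 465

# --- exim4.conf.template, authenticator section:
# $auth2 is the user name and $auth3 the password of a PLAIN exchange;
# saslauthd asks PAM and returns true or false. Not advertised without TLS,
# so a client cannot be talked into sending a system password in the clear.
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_set_id = $auth2
  server_advertise_condition = ${if def:tls_in_cipher}
```

Because this checks system passwords, failed AUTH attempts in mainlog are failed logins against real accounts; they are worth feeding to whatever brute-force monitoring already watches sshd.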

Spam scanning

There are several ways to detect spam.

Exim has default configuration for spamassassin (exim4-daemon-heavy required).

If you are using Debian Jessie or later (with systemd enabled by default), enable and start the service using systemctl:

On earlier Debian releases, edit /etc/default/spamassassin and then start the daemon.

On all systems, edit /etc/exim4/exim4.conf.template as required for your system.

First, if necessary, set the spamd_address:

Next, edit the acl_check_data section to add suitable spam headers:

Note that the above configuration also adds an X-Spam-Report header to outgoing emails, thereby violating RFC 2822. Some mail servers, in particular the Debian mailing-list server, simply drop such non-conformant emails. See also Debian bug 774553.

For more information about configuring spam filters, see the exim documentation.

Exim access control lists (ACLs)

Exim provides a flexible way to set up access control lists. For detailed information, see the ACL documentation on the exim wiki.

For example, if we are trying to deny all mail from three free email service providers (domain1.com, domain2.com, domain3.com) based on Received headers from the servers, we can use the following lines:
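A DATA-time statement that does this, as an added example that is not the wiki's own lines. domain1.com, domain2.com and domain3.com are the placeholder names from the text; on Debian this goes into data_local_acl so it runs inside acl_check_data.

```exim
# $h_received: holds every Received: header of the message, newest first.
# The regex is wrapped in \N...\N so Exim does not interpret the backslashes
# during string expansion. \b keeps "notdomain1.com" from matching.
  deny
    message = Mail that passed through domain1.com, domain2.com or domain3.com is not accepted here
    log_message = blocked provider found in Received: headers
    condition = ${if match{$h_received:}{\N\b(domain1|domain2|domain3)\.com\b\N}}
```

Two caveats a practitioner should keep in mind: Received: headers are written by each hop and the older ones can be forged by the sender, so this blocks honest relays more reliably than spammers; and a deny at DATA time rejects the message for all its recipients, unlike a RCPT-time check.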

Smarthost with Authentication

Start by reconfiguring exim4:

Select «mail sent by smarthost; no local mail» (unless you are configuring local mail, which most folks at home do not need).

Then edit the file:

And add the line:

Substitute the correct email account login name for login and the corresponding password. Comments in the passwd.client file provide additional information about configuration options.

Most ISPs offer multiple email accounts so it may make sense security wise to create an account just for utility use such as this. If your Linux host is ever compromised you will be glad you had a separate utility email account.

NOTE: you should also see the section https://wiki.debian.org/Exim#TLS_and_authentication (above) about configuring tls. You should never communicate with a smarthost without an encrypted connection.

DMARC Support

Note: in the Trisquel 8 backports repository, exim4-daemon-heavy has DMARC support built in, and is based on the version from Ubuntu 18.04.

You will need to compile a modified version of exim, editing any of the EDITME configuration files in a patch like the one below. In your configuration, you will need to use the spf builtin to exim instead of the external one that Debian’s default config ships with. Documentation of these features is in https://github.com/Exim/exim/blob/master/doc/doc-txt/experimental-spec.txt

Exim will also have new dependencies, libopendmarc2 and libspf2-2, and their dev versions for building.

For running a mailing list and ensuring all sent mail is DMARC compliant

Mailman lists can easily be misconfigured to send out DMARC-failing messages. If configured properly, Mailman will not modify DKIM signatures and will send DMARC-compliant mail without «munge from» set. However, sometimes people misconfigure exim by using the default DKIM headers, which include the list-* headers; this sets Mailman up to send DMARC-failing messages because it needs to modify them. Exim can do from-munging in this case. This also allows Mailman lists to have content filtering turned on and rely on exim to munge the From: when it happens, since Mailman is not smart enough to munge only in that case. Related pages: https://wiki.list.org/DOC/What%20can%20I%20do%20about%20members%20being%20unsubscribed%20by%20bounces%20of%20Yahoo%20user%27s%20posts%20for%20DMARC%20policy%20reasons%3F https://wiki.list.org/DEV/DMARC

Requires DMARC support (see above section of this wiki).

Edit exim-conf.d/acl/30_exim4-config_check_rcpt and comment out a line:

Add to your rcpt_local_acl

Add to your data_local_acl.
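DMARC evaluation with the built-in checks, as an added example that is not the wiki's own configuration and does not include the from-munging step: the built-in SPF check runs at RCPT time (DMARC needs its result), and the DATA-time statements log and enforce the sender domain's published policy. The public suffix list path is an assumption; mail from your own authenticated users is exempted because they are the ones DMARC alignment would otherwise punish when a list rewrites their headers.

```exim
# Main section: OpenDMARC needs the public suffix list to find the
# organisational domain (path assumed; adjust to where your copy lives).
dmarc_tld_file = /usr/share/publicsuffix/public_suffix_list.dat

# rcpt_local_acl: run the built-in SPF check and record its result. Listing
# every outcome makes the statement always true, so the header is always
# added; the point is that the check has run before DATA.
  warn
    !authenticated = *
    spf = pass : fail : softfail : none : neutral : permerror : temperror
    add_header = $spf_received

# data_local_acl: act on the domain's policy (p=reject / p=quarantine).
  warn
    !authenticated = *
    dmarc_status = reject : quarantine
    log_message = DMARC $dmarc_status for $dmarc_used_domain
  deny
    !authenticated = *
    dmarc_status = reject
    message = Message failed the DMARC policy of $dmarc_used_domain
```

Run it with the deny commented out first and watch the log_message lines for a while: legitimate forwarders and lists that break alignment show up there before any mail is refused.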

Debian Exim4 User FAQ

There is a Wiki page with Debian Exim4 User FAQ.
