Exim

Introduction
This article describes how to build an Exim based mail server suitable for almost any use, from home to business.

Initial Modifications
If you are planning to use DKIM you will need to modify the Exim ebuild, as well as download a beta libdkim-exim ebuild.

Please see:
 * - Exim Ebuild
 * - DKIM Library for Exim

Exim Setup
Exim has a large number of USE flags and optional items, so we run through them here. The USE line below is from the modified Exim ebuild (see the Exim Ebuild link above):

A breakdown of the various parts:
 * - Allows email content scanning in the ACLs
 * - Enable IPV6 for Exim
 * - LMTP is designed as an alternative to normal SMTP for situations where the receiving side does not have a mail queue, such as a mail storage server acting as a Mail Delivery Agent.
 * - Allows Exim to use MySQL for virtual users
 * - Allows authenticated SMTP over SSL using PAM
 * - Enables you to use Perl with Exim
 * - Allows Exim to use SQLite for virtual users
 * - SSL support for encrypted email connection handling
 * - Allows the use of TCP Wrappers
 * - Allows use of Exim Monitor ( Not used by this How To )
 * - DomainKeys Identified Mail
 * - Using the DNS as a general database facility
 * - Predecessor of DKIM
 * - Authenticated SMTP using Dovecot SASL
 * - Email content scanner ( see exiscan-acl )
 * - TLS support for encrypted email connection handling
 * - Allows the use of LDAP
 * - Designed to replace /usr/sbin/sendmail and to invoke an appropriate MTA instead of sendmail
 * - Removed; see
 * - Mail Box format
 * - Ability to do Network Information Service lookups
 * - Use Postgres for virtual users
 * - Provides RADIUS based SMTP authentication
 * - Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols
 * - Allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.
 * - A mechanism for rewriting e-mail sender addresses into a format compliant with Sender Policy Framework, a mechanism that identifies and rejects e-mail sent from forged addresses
 * - Use syslog for logging

Issues
Sender Policy Framework (and SRS):

While it sounds good in theory, there are a lot of potential issues. See:

 * http://david.woodhou.se/why-not-spf.html
 * http://www.infradead.org/rpr.html

So we will use DKIM, with DomainKeys as a fallback. The possibility of using RPR (Reverse-Path Rewriting) will be shown as well.

Another option is to check SPF but accept the email regardless, and record the result by adding a header (or editing the Subject) so that a later filter can act on it.

Base Preparations
Note: to install libdkim for Exim, you will need to add the ebuild to your Portage overlay.

The base configuration is taken from the exiscan-acl patch:

We will now work on configuring the individual parts.

Exim Configuration
Exim's configuration file is divided into sections: the main settings come first, followed by "begin acl", "begin routers", "begin transports", "begin retry", "begin rewrite" and "begin authenticators", which makes it easy to follow. Here we break down the parts this setup uses and show some basic configurations. It all belongs in /etc/exim/exim.conf.

Debian's exim4 package splits the configuration into /etc/exim4/conf.d/ instead, but if you create a single /etc/exim4/exim4.conf it will use that and ignore the split files.

Main Configuration Settings
This section defines your specific setup: domain names, relaying hosts and the like fit here. Three kinds of entry appear in it:
 * Macro definitions: lines starting with an upper case letter
 * Named list definitions: lines starting with "domainlist", "hostlist", "addresslist" or "localpartlist"
 * Main configuration settings, including the acl_* options that name the ACL to run at each stage of the SMTP dialogue (for example acl_smtp_mailauth sets the ACL for the AUTH parameter on the MAIL command)

The base setup we will be using:

ACL Configuration
With ACLs we can do a lot of checking at SMTP time, rather than after the message is in the queue.

Pros:
 * We do not accept the email into the queue
 * A lot of real time checks we can do

Cons:
 * Speed – we can hang onto an SMTP conversation for a while
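As an added example, not taken from the original page, here is how the SMTP-time checks discussed above and the "check SPF but accept anyway, then add a header" idea from the Issues section fit together in one recipient ACL. The list names, the domain example.com and the network 192.0.2.0/24 are placeholders; the spf condition needs Exim built with the spf USE flag, and add_header in a warn verb attaches the header to the message if it is later accepted.

```exim
# Added example, not the page's own configuration.
# Main section: named lists (placeholders) and the ACL hook for RCPT TO.
domainlist local_domains    = @ : example.com
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1 : ::1 : 192.0.2.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Locally submitted (non-SMTP) and authenticated mail is accepted outright.
  accept  hosts         = :
  accept  authenticated = *

  # Refuse local parts that could escape into the filesystem or a shell.
  # This also protects routers that embed $local_part in a path, such as
  # the dovecot_router shown later on this page.
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  # Hosts on our own network may relay anywhere.
  accept  hosts         = +relay_from_hosts

  # Everyone else must present a verifiable envelope sender ...
  require message       = Sender verification failed
          verify        = sender

  # ... and gets an SPF check whose result is recorded but never enforced.
  # Listing every possible result makes the warn always match, and
  # $spf_received expands to a complete Received-SPF: header.
  warn    spf           = pass : fail : softfail : neutral : none : err_temp : err_perm
          add_header    = $spf_received

  # Recipients in our domains must exist; relayed domains must be routeable.
  accept  domains       = +local_domains
          endpass
          message       = Unknown user
          verify        = recipient

  accept  domains       = +relay_to_domains
          endpass
          message       = Unrouteable address
          verify        = recipient

  # Anything left is an attempt to use us as an open relay.
  deny    message       = Relay not permitted
```

The order matters: trusted sources are accepted before any remote check runs, sender verification and the SPF warn run only for untrusted hosts, and the final deny is what stops relaying, so none of the accept verbs above it may be left unconditional.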

Routers Configuration
This section of the configuration works out how to route an email to its final destination. It is powerful and allows lookups against almost anything. It is very important to get the order right, as Exim works through the routers sequentially and the first one that accepts an address handles it.

I strongly recommend against enabling domain_literal; as the configuration file itself warns, routing by domain literal (addresses of the form user@[192.0.2.1]) bypasses the domain-based checks used elsewhere and can be exploited. Generally you will not need to edit much here, as the default routers run in this order:

 * 1) DNS lookup for non-local domains: normally for outbound mail, or any domains you are relaying for
 * 2) System aliases: checks the default /etc/mail/aliases, just like sendmail
 * 3) User forwards: handles traditional .forward files. To allow Exim filtering, add 'allow_filter'
 * 4) Local user: the last router checks whether an actual local user exists on the machine (check_local_user)

Enabling routing to Dovecot - non-SQL Virtual Users [1]
File:

    # Router to send any mail for who a dovecot user exists to the appropriate maildir box
    # Routers are evaluated in order of configuration.
    # You will want to place this after the remote router and before the
    # localuser router in the default configuration.
    # If you want to allow + addressing (ie having an address extension)
    # then uncomment the suffix stanzas
    dovecot_router:
      driver = accept
      #local_part_suffix = +*
      #local_part_suffix_optional
      require_files = +/home/dovecot/users/${local_part}/
      transport = dovecot_transport

Using LDAP Alias routing
This example looks up richard@company.com in LDAP and uses the homeMDB attribute as the alias target. File: richard.ldif

    dn: cn=richard,ou=engineering,dc=company,dc=com
    homeMDB: rgwilliam
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Richard Gwilliam

File:

    system_aliases:
      driver = redirect
      allow_fail
      allow_defer
      # quote_ldap_dn escapes the local part before it is embedded in the DN,
      # so a crafted recipient address cannot alter the LDAP query.
      data = ${lookup ldap {ldap://10.0.10.1/cn=${quote_ldap_dn:$local_part},\
             ou=engineering,dc=company,dc=com?homeMDB?base}}
      file_transport = address_file
      pipe_transport = address_pipe

Transport Configuration
Transports are used by routers; they define how a delivery is carried out.

If you look at the routers, you will normally see an entry like:

    file_transport = address_file
    pipe_transport = address_pipe

These name the transports a redirect router uses when an alias or forward expands to a file or a pipe. The default transports can generally be left alone; however, we need to add a transport for Dovecot. File: Dovecot Non-SQL Virtual Transport

    # Transport to send any mail for who a dovecot user exists to the appropriate maildir box
    dovecot_transport:
      driver = appendfile
      user = dovecot
      group = dovecot
      mode = 0600
      directory = /home/dovecot/users/${lc:$local_part}/
      maildir_format = true
      mode_fail_narrower = false
      envelope_to_add = true
      return_path_add = true
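Added example, not from the page or the Exim project: a taint-safe version of the dovecot_router and dovecot_transport above. On Exim 4.94 and later $local_part is tainted and may not be used in a file name, so the original require_files and directory settings fail with a tainted-filename error. A dsearch lookup in local_parts (the dsearch lookup must be compiled in) checks for the user's directory and leaves the matched name in the untainted $local_part_data, which is also available to the transport. It assumes the same /home/dovecot/users/<localpart>/ layout as the page and works on older Exim versions as well.

```exim
# Added example: taint-safe router/transport pair for Dovecot virtual users.
# Place the router after the remote router and before localuser, exactly
# as the page says for the original dovecot_router.

begin routers

dovecot_router:
  driver = accept
  # dsearch succeeds only if an entry named after the local part exists in
  # /home/dovecot/users. The lookup result is stored in $local_part_data,
  # which is untainted; dsearch itself rejects keys containing "/".
  local_parts = dsearch;/home/dovecot/users
  transport = dovecot_transport

begin transports

dovecot_transport:
  driver = appendfile
  user = dovecot
  group = dovecot
  mode = 0600
  # Build the path from the de-tainted value, never from $local_part.
  directory = /home/dovecot/users/$local_part_data/
  maildir_format = true
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true
```

Routers lowercase the local part before matching unless caseful_local_part is set, so the directory names must be lower case, the same constraint the page's ${lc:$local_part} transport imposes.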

SMTP SSL Authentication via PAM

1. Create a certificate (cacert.org issues them free of charge).

2. Set up the certificate with the following lines. If the private key is not in the same file, also point tls_privatekey at it:

    tls_advertise_hosts = *
    tls_certificate = /usr/lib/courier-imap/share/imapd.pem

3. Enable the SSL port for authentication:

    daemon_smtp_ports = 25 : 465 : 587
    tls_on_connect_ports = 465

4. Go to the section begin authenticators and create the following block. The server_advertise_condition lines only offer PLAIN and LOGIN once TLS is established, so credentials are never accepted over a cleartext connection:

    PLAIN:
      driver                     = plaintext
      server_set_id              = $auth2
      server_prompts             = :
      server_condition           = "${if pam{$auth2:$auth3}{true}{false}}"
      server_advertise_condition = ${if def:tls_cipher }

    LOGIN:
      driver                     = plaintext
      server_set_id              = $auth1
      server_prompts             = Username:: : Password::
      server_condition           = "${if pam{$auth1:$auth2}{true}{false}}"
      server_advertise_condition = ${if def:tls_cipher }

5. Check that the mail user has read access to the following files: /etc/shadow, /usr/lib/courier-imap/share/imapd.pem, /etc/pam.d/exim. Bear in mind that read access to /etc/shadow hands the MTA every account's password hash; the Dovecot SASL authenticator (dovecot-sasl USE flag) avoids this.

The original information is on the Exim wiki page.
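The PAM approach above requires the Exim user to read /etc/shadow. As an added example, not from the page or the Exim wiki, here are the same two mechanisms delegated to Dovecot's authentication socket through Exim's dovecot authenticator (dovecot-sasl USE flag). The socket path /var/run/dovecot/auth-client is Dovecot's conventional one and is an assumption: it must match the client listener configured in dovecot.conf, and the socket must be readable by the Exim user.

```exim
# Added example: SMTP AUTH via Dovecot's auth socket instead of PAM.
# Exim never sees a password database; Dovecot checks the credentials
# against whatever passdb it is configured with.
begin authenticators

dovecot_plain:
  driver                     = dovecot
  public_name                = PLAIN
  server_socket              = /var/run/dovecot/auth-client
  # $auth1 holds the username Dovecot reports back on success.
  server_set_id              = $auth1
  # Offer the mechanism only once the connection is encrypted, as in the
  # PAM configuration above, so credentials never cross the wire in clear.
  server_advertise_condition = ${if def:tls_cipher }

dovecot_login:
  driver                     = dovecot
  public_name                = LOGIN
  server_socket              = /var/run/dovecot/auth-client
  server_set_id              = $auth1
  server_advertise_condition = ${if def:tls_cipher }
```

With this in place step 5 of the procedure shrinks to checking that the Exim user can read the certificate file and connect to the Dovecot socket; /etc/shadow and /etc/pam.d/exim are no longer involved.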

DKIM Configuration - Outbound
Signing example, added to the transport that delivers outbound mail:

    external_smtp:
      driver = smtp
      dkim_selector = whizbang-dkim
      dkim_domain = DKIM_DOMAIN
      dkim_private_key = DKIM_PRIVATE_KEY
      dkim_strict = 0
      dkim_canon = relaxed

where the macros are defined in the main section as:

    DKIM_DOMAIN = ${lc:${domain:$h_from:}}
    DKIM_FILE = /etc/exim/dkim/${lc:${domain:$h_from:}}.priv
    DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

The signing domain is taken from the From: header, and a domain without a key file under /etc/exim/dkim/ goes out unsigned because a dkim_private_key of 0 disables signing; dkim_strict = 0 likewise makes a signing failure non-fatal rather than deferring the message. Keep the .priv files readable only by the Exim user, and publish the matching public key as a TXT record at whizbang-dkim._domainkey.<domain>.

Dovecot Configuration
To let Dovecot use non-SQL virtual users, we need to define where the users are stored and which password file to use.

 * – where the users are stored
 * – the htpasswd file Dovecot will use

Permission problem creating the lock file hitching post
If you see this in the log:

then set group = mail and mode = 0660 in your transport.

Exim

 * http://www.exim-new-users.co.uk/
 * http://wiki.exim.org/

SPF

 * http://www.openspf.org/
 * http://www.libspf2.org/

DKIM

 * http://wiki.exim.org/DKIM
 * http://www.dkim.org

Sources for Further Reading

 * 1) http://wiki.dovecot.org/HowTo/VirtualhostingWithExim