exim4

Exim4 shouldn't give up just because clamav died

I was having the issue that if clamav died (usually due to a freshclam update taking too long), exim4 would start temporarily rejecting ALL mail.

Here's a suggestion from Mike Cardwell on the exim users mailing list. It checks whether the clamd socket file exists and, if it does not, adds a header instead of rejecting.


warn !condition = ${if exists{/var/run/clamav/clamd.ctl}}
     add_header = X-Virus-Checked: False
deny condition  = ${if exists{/var/run/clamav/clamd.ctl}}
     malware    = *

Clamav not starting (exim can't find clamav.ctl)

My exim4 process is configured based on this post and other points noted here.

Today it started failing - clamav failed to read its db (locked) possibly due to freshclam runs.

Debian bug [debbug:454587] gave the hint - the packages in volatile have this fixed (a non-security update that fixes this issue in stable).

So - added to my apt-config:

Testing expansion in exim4

General expansion testing (needed this for testing Setting outgoing IP):

exim4 -be '${lookup{string_to_get_value_from}lsearch{file_to_look_in}}'

or

exim4 -be '${lookup{string_to_get_value_from}lsearch{file_to_look_in}{$value}{default_if_not_found}}'

etc etc.

Setting outgoing IP address for domain in exim4

Thanks to Dave Evans on the exim4 users list for this.

I need to set different IP addresses for different outgoing domains.

Since I only have a few - we took a simple approach

/etc/exim4/interfaces

has lines of the form

domain: ip
domain: ip
domain: ip

Then - in /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp (or wherever your definition of remote_smtp transport is) add the following to the remote_smtp transport:

Generating new SSL certificate for exim4

Cargo culted direct from the exim site.

openssl req -x509 -newkey rsa:1024 -keyout /etc/exim4/exim.key -out /etc/exim4/exim.crt -days 9999 -nodes

The really important bit is that the common name (CN) field must be the server name (at least so it seems to be for me).

Don't forget - if your pop3 and imap certificates also expire at the same time, renew them too.
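
The points above (CN must be the server name, and certificates expire) can be checked on an existing certificate. The function below is an added example, not part of the original post or of the exim documentation: cert_report is a hypothetical helper name, and its thresholds (2048-bit minimum key, 30 days of remaining validity) are assumptions of this example; the command above requests rsa:1024.

```shell
# cert_report CERT_FILE EXPECTED_HOST [MIN_BITS] [MIN_DAYS]
# Prints the findings separated by spaces, or "ok" when nothing is flagged.
# Defaults (2048 bits, 30 days) are assumptions of this example.
cert_report() (
    cert=$1; host=$2; min_bits=${3:-2048}; min_days=${4:-30}
    findings=""

    # Key size, taken from the "Public-Key: (N bit)" line of the text dump.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$min_bits" ] ||
        findings="$findings weak-key:${bits:-unknown}"

    # Common name, which the post says must be the server name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] || findings="$findings cn-mismatch:$cn"

    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        findings="$findings expires-within-${min_days}d"

    echo "${findings:-ok}" | sed 's/^ //'
)

# Typical use against the files generated above (paths from the post):
#   cert_report /etc/exim4/exim.crt "$(hostname -f)"
```

Run it against the pop3 and imap certificates as well, so that all of them are renewed before the earliest expiry.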

Upgrading debian from sarge to etch : sa-exim

After upgrading sarge to etch - spamassassin was installed - but sa-exim wasn't running (the headers in mail showed it to be to do with the setting of SAEximRunCond stating that it should not run).

After a lot of looking at the default line in /etc/exim4/sa-exim.conf I found lower down the line:

SAEximRunCond: 0

Comment this out if you want sa-exim to run spamassassin on the mail!

Using self generated SSL (exim4 TLS/courier IMAPS) with Mail.app

Mail.app wouldn't stop asking about the certificates.

So:

  1. Remove any instances of them from Keychain Access
  2. Try to get mail - when told about the certificate choose View certificate and drag the icon to the desktop
  3. Don't add the cert to your login keychain - drag it to the X509Anchors chain instead.
  4. Mark it as always trusted (after all - you trust yourself don't you?)
  5. Repeat 2. - 4. for sending mail.

Bingo! Well - works4me at least.

Handling mail for non-system users with Exim4

An article popped up on debian-administration.org. I'm going to have to take a closer look at one of the comments:

http://www.debian-administration.org/articles/302#comment_6

If this can work well with courier (which I guess it should) then this will solve an issue I've had for a while (and I don't want to go the route of a database for this).

Edit: Various things that have come up under discussion

courier assumes $HOME - to change this you need to change the authenticator so that it changes the value of $HOME (at least according to various google searches)

Monitoring Exim4 mailstats with munin (greylisting)

The script for monitoring exim4 mailstats does not take into account the greylist temporary reject - it shows as a true reject.

The affected file is symlinked in at /etc/munin/plugins/exim_mailstats

To not show these as true rejects - in the parseEximfile function change

elsif ($line=~/rejected/)
{
    $rejected++;
}

to

elsif ($line=~/rejected/)
{
    if ($line!~/greylisted/) {
        $rejected++;
    }
}

exim4 - dnslookup - ignore_target_hosts

The dnslookup section of the exim4 config contains

# ignore private rfc1918 and APIPA addresses
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16

To allow one specific subnet through, change it to:
# ignore private rfc1918 and APIPA addresses
ignore_target_hosts = !192.168.3.0/24 : 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16

Here it allows the 192.168.3.x network.
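
Exim evaluates a host list from left to right and the first matching item decides, which is why the !192.168.3.0/24 exception sits in front of 192.168.0.0/16. The sketch below is an added example, not part of the original post or of exim: a simplified shell model of that matching (IPv4 address and CIDR items only; the function names and the MISORDERED list are constructed for illustration) showing what changes when the exception is placed last.

```shell
# Simplified model of exim host-list matching, IPv4 address and CIDR items only.
ip_to_int() (
    IFS=.; set -- $1                      # split a.b.c.d into four octets
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

in_cidr() (
    # in_cidr IP NET[/BITS]: succeed when IP lies inside the network
    net=${2%/*}; bits=32
    case $2 in */*) bits=${2#*/} ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
)

host_list_match() (
    # host_list_match IP LIST: print "yes" when the list matches IP, else "no"
    ip=$1; last_negated=0
    list=$(printf '%s' "$2" | tr -d ' \t\n\\')   # drop spacing and "\" continuations
    set -f; IFS=:; set -- $list; IFS=' '
    for item in "$@"; do
        [ -n "$item" ] || continue
        case $item in
            '!'*) negated=1; item=${item#?} ;;
            *)    negated=0 ;;
        esac
        last_negated=$negated
        if in_cidr "$ip" "$item"; then          # first matching item decides
            [ "$negated" -eq 1 ] && echo no || echo yes
            exit 0
        fi
    done
    # No item matched: the result is "yes" only when the last item was negated.
    [ "$last_negated" -eq 1 ] && echo yes || echo no
)

# The list from the page, and a constructed variant with the exception moved last.
PAGE_LIST='!192.168.3.0/24 : 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16'
MISORDERED='0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 : !192.168.3.0/24'

for ip in 192.168.3.7 192.168.4.7 203.0.113.5; do
    echo "$ip page=$(host_list_match "$ip" "$PAGE_LIST") misordered=$(host_list_match "$ip" "$MISORDERED")"
done
```

Here "yes" means the address is in ignore_target_hosts and is therefore skipped. With the exception last, 192.168.3.7 is still ignored, and because a list ending in a negated item matches everything that reached the end, the public address 203.0.113.5 becomes ignored as well.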

sendmail -> exim4

Have been running sendmail for a long time on woody. However - with the upgrade to sarge I've been taking a look at exim's configuration - since the sendmail config is a nightmare :)

Status so far

Installation

apt-get install exim4-daemon-heavy

This got exim4 down and removed sendmail. No debconf prompts came up at all. Some searching in debian-user gave me

dpkg-reconfigure exim4-config

Good start - got it listening on more than 127.0.0.1 and got the list of local names installed.

Spamassassin

I was using a sendmail milter to run spamassassin - for exim an apt-cache search gave me a hint
