sendmail -> exim4

Have been running sendmail for a long time on woody. However - with the upgrade to sarge I've been taking a look at exim's configuration - since the sendmail config is a nightmare :)

Status so far

Installation

apt-get install exim4-daemon-heavy

This got exim4 down and removed sendmail. No debconf prompts came up at all. Some searching in debian-user gave me

dpkg-reconfigure exim4-config

Good start - got it listening on more than 127.0.0.1 and got the list of local names installed.

Spamassassin

I was using a sendmail milter to run spamassassin - for exim an apt-cache search gave me a hint

apt-get install sa-exim

The /usr/share/doc/sa-exim/README.Debian is a good file to read.

ClamAV

Here's another useful link (good for the clamav stuff):

http://koivi.com/exim4-config/

From this I took the following:

apt-get install clamav-daemon spamassassin spamc

An addition that I discovered - you need to edit /etc/default/spamassassin and set ENABLED=1 or it won't even start.

Add the following to your /etc/exim4/conf.d/main/01exim4-configlistmacrosdefs file:

# This tells what virus scanner to user
av_scanner = clamd:/var/run/clamav/clamd.ctl
# Slowing spammers down by holding their connection a bit
TEERGRUBE = 60s</code>

Edit /etc/exim4/conf.d/acl/40exim4-configcheck_data to inlude the following before the "# accept otherwise" line:

# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
deny message = Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
.ifdef TEERGRUBE
    delay = TEERGRUBE
.endif
# Reject file extensions used by worms.
# Note that the extension list may be incomplete.
deny message = This domain has a policy of not accepting certain types of attachments \
               in mail as they may contain a virus.  This mail has a file with a .$found_extension \
               attachment and is not accepted.  If you have a legitimate need to send \
               this particular attachment, send it in a compressed archive, and it will \
               then be forwarded to the recipient.
demime = exe:com:vbs:bat:pif:scr
.ifdef TEERGRUBE
    delay = TEERGRUBE
.endif
# Reject messages containing malware.
deny message = This message contains a virus ($malware_name) and has been rejected
malware = *
.ifdef TEERGRUBE
    delay = TEERGRUBE
.endif

Then, you also need to set access for ClamAV. The best way to handle this is to add the clamav user to the Debian-exim group and be sure that /etc/clamav/clamd.conf contains the following lines (on a fresh sarge install the clamd.conf part was already in place):

User clamav
AllowSupplementaryGroups

If you had to add these lines, a restart of ClamAV is necessary for the changes to take effect.

Virtual domains

This section is taken mostly verbatim from Debian Administration. This site is highly recommended for all debian administrators.

  • mkdir /etc/exim4/virtual

  • For each domain - create a file named after that domain - for example - for this domain I created a file called chrissearle.org

  • In each file - for each local user to be recognised - add user : user@localhost

  • In each file - for each remote user to be recognised (mail forwarding) - add user : user@remote.host.tld

  • At the end of each file - add a catchall address - * : catchalluser@localhost

  • In /etc/exim4/conf.d/main/01exim4-configlistmacrosdef change the line starting domainlist listdomains with domainlist localdomains = @:localhost:dsearch;/etc/exim4/virtual

  • Add /etc/exim4/conf.d/router/350exim4-configvdom_aliases containing

    vdom_aliases:
    driver = redirect
    allow_defer
    allow_fail
    domains = dsearch;/etc/exim4/virtual
    data = ${expand:${lookup{$local_part}lsearch*@{/etc/exim4/virtual/$domain}}}
    retry_use_local_part
    pipe_transport   = address_pipe
    file_transport   = address_file
    no_more

Here I have assumed that either exim will go through a given virtual file - and send mail to the first matching address - so that the catchall address at the end gets everything that isn't already sent somehwhere else or that the * match is special and will only trigger if the mail isn't already handled (regardless of line order in the file). Whichever of these is correct - I find the files more readable with the catchall at the end. Time/the documentation will show if this assumption is correct. It's similar to the virtual user handling in sendmail.

I have also assumed that all mailman addresses will be in their respective virtual file and in /etc/aliases (where you add the pipe to the mailman programs). Maybe the mailman stuff should be in these files - I'll update this when I find out.

SMTP AUTH

One of the main users is on a BT Yahoo broadband. I never managed to get any kind of SMTP AUTH or POP-before-SMTP or anything working with sendmail. So I cheated and opened for relaying from BT. We got away with it for slightly over a year but last weekend the server was found and began to send so much spam that it died. So - that route is out.

Now - at the same time we're setting up a sarge box with exim - so - let's get SMTP AUTH working.

I'm going to start with PLAIN and LOGIN - we can look at other ones and SSL later. One step at a time.

First - I installed the following:

apt-get install courier-authdaemon courier-imap courier-pop

For SSL when I get that far we'll add

apt-get install courier-imap-ssl courier-pop-ssl

courier-authdaemon is by default set up to use pam - that'll do for now.

In /etc/exim4/conf.d/auth/30exim4-configexamples comment out the active plain: and login: sections

Add to a new file /etc/exim4/conf.d/auth/15_exim4-config

Update - it seems that the conf.d files are read in alphabetical order across the conf.d subdirectories - not within - it may be that this file would be better named 30_exim4-config or similar. You could always edit these sections into the examples file - but - I felt that examples were examples :)

# Unix clients
plain:  
    driver = plaintext
    public_name = PLAIN
    server_condition = \
            ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
            {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n} {no}{yes}}
    server_set_id = $2
# Windows clients
login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = Username:: : Password::
    server_condition = ${if eq {${readsocket{/var/run/courier/authdaemon/socket} \
             {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n} {no}{yes}}
    server_set_id = $1

This code snippet I found on the net - but I've lost the URL - so - if it's yours please let me know so I can credit.

Now - /var/run/courier/authdaemon is not readable by anything other than daemon user and daemon group. The socket is rwx for everyone. I've chosen to add Debian-exim4 user to the daemon group rather than edit the permissions on the authdaemon directory - I'm not sure if this is the best. It is necessary that exim can read/write to that socket.

Restart exim and try the following (you will need to type the telnet, EHLO and QUIT lines):

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server.domain.tld ESMTP Exim 4.50 Thu, 19 May 2005 20:15:15 +0200
EHLO foo
250-server.domain.tld Hello chris at localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
QUIT

So - AUTH is supported - plain and login - good.

Now - for testing - it was easy to add to change the /etc/default/exim4 file so that COMMONOPTIONS was set to -d-all+auth

Restarting exim4 with this in place will give debug output for auth related things. It won't background as a daemon - but that doesn't matter for testing.

In Outlook outgoing mail was set to require login and to use the same username/password as incoming (POP3 or IMAP). Sent a mail and presto - it went thru using the LOGIN auth (as could be seen in the debug log).

So - I've removed the debug options and restarted - later we'll be trying to add SSL and maybe some other options (although I'm not sure what Outlook supports other than login).

RBL blacklists

You'll need to edit /etc/exim4/conf.d/acl/30exim4-configcheck_rcpt

Find the section with the text

#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. You can find examples of
# how to use dnslists in /usr/share/doc/exim4-config/examples/acl
#############################################################################

And look in the example file in the directory listed for examples. Simple :) However - this is just warnings. My old server is stricter - and rejects. This can be done by adding acl rules of the form

deny dnslists = dnsbl.njabl.org

Recommended Reading

Loads of stuff on http://www.debian-administration.org - simply run a search for exim.

As I get the system more up and running I'll add to this article. Things on the wishlist

  • mailman (as in the config at http://www.exim.org/howto/mailman21.html rather than the simple adding of aliases to /etc/aliases)
  • SSL
  • LDAP instead of PAM auth
  • Mail2News gateway
  • Getting my home machine to use this box as a smarthost (or whatever is most appropriate) so that my mail isn't rejected as coming from an ISP block.