Set up Exim4 on Debian Etch with a single conf file 24/10/06
Prerequisites
Exim: http://www.exim.org/mailman/listinfo/exim-users
SA-Exim: http://lists.merlins.org/lists/listinfo/sa-exim
SpamAssassin: http://spamassassin.org/lists.html
Clam Antivirus: http://www.clamav.net/ml.html
The exim4-daemon-heavy package has exiscan built in.
(exim4 – 4.63-7, exim4-base – 4.63.7, exim4-config – 4.63-7, exim4-daemon-heavy – 4.63-7, spamassassin – 3.1.4-1, sa-exim – 4.2.1-2, clamav – 0.88.4-2, clamav-base 0.88.4-2, clamav-daemon 0.88.4.-2, clamav-freshclam – 0.88.4-2, libclamav1 – 0.88.4-2, libnet-dns-perl – 0.59-1, libnet-ip-perl – 1.25-1, libnet-daemon-perl – 0.38-1.1, libtimedate-perl 1.1600-5, libmime-perl – 5.420-0.1)
=============================
Testing with sample files from example directory.
spamassassin -t < sample-nonspam.txt > nonspam.out
spamassassin -t < sample-spam.txt > spam.out
check the files nonspam.out and spam.out
==============================
Use the "local_scan_path" option in the Exim config file to tell the dlopen patch which local_scan module to load. For example:
local_scan_path = /usr/libexec/exim/sa-exim.so
===============================
SpamAssassin
Edit /etc/spamassassin/local.cf and give group rwx on /var/spool/spamassassin
bayes_path /var/spool/spamassassin/bayes
bayes_file_mode 0666
bayes_auto_learn 1
rewrite_header Subject *****SPAM*****
report_safe 1
required_hits 5.0
lock_method flock
allow_user_rules 1
Edit /etc/exim4/sa-exim.conf
# Remove or comment out the following line and set it to 1 to enable sa-exim
SAEximRunCond: 1
================================
For exim4 create /etc/exim4/exim4.conf.localmacros
MESSAGE_SIZE_LIMIT = 10M
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/exim4.check_data_localacl
MAIN_TLS_ENABLE = yes
MAIN_TLS_ADVERTISE_HOSTS = *
MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
=====================================
Create /etc/exim4/exim4.check_data_localacl
#File attachment blocking settings
#deny message = Blacklisted file extension detected
# condition = ${if match \
# {${lc:$mime_filename}} \
# {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \
# {1}{0}}
# Unpack MIME containers and reject file extensions
# used by worms. Note that the extension list may be
# incomplete.
deny message = $found_extension files are not accepted here
demime = com:vbs:bat:pif:scr:bhx:hqx:exe
#for clam av
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
#for exiscan MIME checking settings
deny message = This message contains malformed MIME ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
=======================================
Virus scanning settings in /etc/exim4/exim4.conf.template
av_scanner = clamd:/var/run/clamav/clamd.ctl
=======================================
Restart exim4:
invoke-rc.d exim4 restart
=======================================
Installing Clam
An unprivileged user 'clamav' will be created; this is the user that ClamAV will be set up to run as. Add 'clamav' as an additional user in the 'Debian-exim' group so that clamd can read the messages in Exim's spool.
edit /etc/clamav/clamd.conf
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User clamav
AllowSupplementaryGroups
ScanMail
ScanArchive
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamav.log
LogTime
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
ScanOLE2
ScanPEDetectBrokenExecutables
ScanHTML
ArchiveBlockMax
=======================================
Testing
telnet your.server 25
[Wait for connection and the server banner, e.g. 220 your.server.name ESMTP Exim 4.30 ...]
HELO test
[Server should respond: 250...]
MAIL FROM: <you@your.address>
[Server should respond: 250...]
RCPT TO: <you@your.address>
[Server should respond: 250...]
DATA
[Server should respond: 354...]
From: you@your.address
To: you@your.address
Subject: a test mail
test
.
check the headers
X-Spam-Status: No, hits=1.1 required=5.0
tests=NO_REAL_NAME, MSGID_FROM_MTA_SHORT
autolearn=no version=2.60
X-Spam-Level: *
same test with this in body
From: test@test
Subject: MAKE MONEY FAST!!! $$$ 34fs4
viagra
This time the headers
X-Spam-Status: Yes, hits=6.0 required=5.0
tests=CASHCASHCASH,MISSING_HEADERS,NO_REAL_NAME,PLING_PLING,
SUBJ_HAS_SPACES,SUBJ_HAS_UNIQ_ID
autolearn=no version=2.60
X-Spam-Level: *********
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on your.server.example
X-Spam-Report: ---- Start SpamAssassin results
6.00 points, 5 required;
* 0.8 -- From: does not include a real name
* 1.7 -- Subject contains lots of white space
* 1.3 -- Subject contains a unique ID
* 0.5 -- Missing To: header
* 0.0 -- Contains at least 3 dollar signs in a row
* 1.7 -- Subject has lots of exclamation marks
---- End of SpamAssassin results
X-Spam-Flag: YES
the following should be rejected.
From: test@test
Subject: MAKE MONEY FAST!!! $$$ 34fs4
MiME-Version: 1.0
VIAGRA!!!!
AS SEEN ON NATIONAL TV, WORK FROM HOME!!!
GUARANTEED 100% THIS IS NOT SPAM!!!
GTUBE test for spam (put in the mail)
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
Eicar Virus test (put in the mail) for clamav testing
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
==========================================
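Install sasl2-bin, libauthen-sasl, libsasl2, libsasl2-modules
edit /etc/default/saslauthd
START=yes
MECHANISMS="pam shadow sasldb"
On the mail server, install sasl2-bin, edit /etc/default/saslauthd and uncomment START.
adduser Debian-exim sasl
invoke-rc.d saslauthd start
For SMTP auth, add AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to /etc/exim4/exim4.conf.localmacros, so that the file reads as follows. With this macro defined, the .ifndef blocks in the auth section below are skipped, so PLAIN and LOGIN are advertised on unencrypted connections as well and the system password then crosses the network only base64-encoded; leave the macro out to have them offered only after STARTTLS.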
MESSAGE_SIZE_LIMIT = 10M
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/exim4.check_data_localacl
MAIN_TLS_ENABLE = yes
MAIN_TLS_ADVERTISE_HOSTS = *
MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = true
==========================================
uncomment from auth section of /etc/exim4/exim4.conf.template
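cram_md5_server:
driver = cram_md5
public_name = CRAM-MD5
# CRAM-MD5 can only be verified against a cleartext secret, and /etc/passwd holds none:
# whatever this expression extracts from a passwd line is public account data.
# Keep the secrets in a separate file readable only by Debian-exim and point the lsearch at it.
server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{/etc/passwd}{$value}fail}}}
server_set_id = $auth1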
# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.Debian.gz
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
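A check for the effect of the .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS blocks above, as an added example that is not part of the original notes: it reports whether PLAIN or LOGIN is offered before STARTTLS. PAGE_REPLY is the EHLO reply from this page's telnet test; CONSTRUCTED_REPLY and the function names are assumptions made for the example.

```python
import smtplib

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is only base64-encoded on the wire

# EHLO reply from this page's telnet test (highlight arrows removed).
PAGE_REPLY = """250-proxy1.hsmum1.com Hello root at localhost [127.0.0.1]
250-SIZE 3145728
250-PIPELINING
250-AUTH LOGIN CRAM-MD5
250-STARTTLS
250 HELP"""

# Constructed reply: pre-TLS answer when the macro is not defined.
CONSTRUCTED_REPLY = """250-mail.example.test Hello client [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250-AUTH CRAM-MD5
250-STARTTLS
250 HELP"""

def auth_mechs(ehlo_reply):
    """Mechanisms on the AUTH line of a raw multi-line EHLO reply."""
    for line in ehlo_reply.splitlines():
        words = line.strip()[4:].replace("=", " ").split()  # drop "250-" / "250 "
        if words and words[0].upper() == "AUTH":
            return {w.upper() for w in words[1:]}
    return set()

def cleartext_exposed(reply_before_tls):
    """PLAIN/LOGIN offered on a session that has not negotiated TLS."""
    return sorted(auth_mechs(reply_before_tls) & CLEARTEXT_MECHS)

def audit(host, port=25):
    """Live version: (exposed before STARTTLS, offered after STARTTLS)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = set(s.esmtp_features.get("auth", "").upper().split())
        s.starttls()  # raises SMTPNotSupportedError if STARTTLS is not offered
        s.ehlo()
        after = set(s.esmtp_features.get("auth", "").upper().split())
    return sorted(before & CLEARTEXT_MECHS), sorted(after)

if __name__ == "__main__":
    print(cleartext_exposed(PAGE_REPLY))
    print(cleartext_exposed(CONSTRUCTED_REPLY))
```

Run audit() against your own server after each change to exim4.conf.localmacros; an empty first element means passwords are only accepted inside TLS.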
===============================================
Make the cert and the key files.
openssl req -x509 -newkey rsa:2048 -keyout /etc/exim4/exim.key -out /etc/exim4/exim.crt -days 365 -nodes
or
bash /usr/share/doc/exim4-base/examples/exim-gencert
Testing: on another PC, install swaks and libnet-ssleay-perl.
$ swaks -a -tls -q HELO -s localhost -au jasonb -ap '<>'
=== Trying localhost:25...
=== Connected to localhost.
<- 220 evie ESMTP Exim 4.50 Tue, 02 May 2006 17:56:25 -0400
 -> EHLO evie
<- 250-evie Hello localhost [127.0.0.1]
<- 250-SIZE 52428800
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
 -> STARTTLS
<- 220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
 ~> EHLO evie
<~ 250-evie Hello localhost [127.0.0.1]
<~ 250-SIZE 52428800
<~ 250-PIPELINING
<~ 250 HELP
 ~> QUIT
<~ 221 evie closing connection
==================================================
for routing mail of unknown local users to another server add the following at the end of the router section.
### router/mail for unknown users
#################################
unknown:
driver = manualroute
transport = remote_smtp
route_list = * mail.domain.com
#no_verify
Add the following line to /etc/exim4/update-exim4.conf.conf
dc_localdelivery=maildir_home
after making any changes to exim4.conf.template or update-exim4.conf.conf
run update-exim4.conf
and restart exim4
test
telnet smtpserver 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 proxy1.hsmum1.com ESMTP Exim 4.44 Fri, 11 Mar 2005 16:23:52 +0530
EHLO test
250-proxy1.hsmum1.com Hello root at localhost [127.0.0.1]
250-SIZE 3145728
250-PIPELINING
250-AUTH LOGIN CRAM-MD5 <<<<<<<<
250-STARTTLS
250 HELP
AUTH LOGIN <<<<<<<<
334 VXNlcm5hbWU6
or
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 proxy1.hsmum1.com ESMTP Exim 4.44 Fri, 11 Mar 2005 16:24:56 +0530
EHLO test
250-proxy1.hsmum1.com Hello root at localhost [127.0.0.1]
250-SIZE 3145728
250-PIPELINING
250-AUTH LOGIN CRAM-MD5 <<<<<<<<
250-STARTTLS
250 HELP
AUTH CRAM-MD5 <<<<<<<<<<<<<<
334 PDE2NDc5LjExMTA1Mzg1MDhAcHJveHkxLmhzbXVtMS5jb20+
Configure outlook to authenticate with smtp.
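What the two 334 lines in the telnet sessions above carry, as an added example that is not part of the original notes: it decodes the prompts and works through the LOGIN and CRAM-MD5 (RFC 2195) exchanges from both sides. The function names and the account alice / example-secret are constructed for illustration.

```python
import base64
import hashlib
import hmac

def b64d(text):
    return base64.b64decode(text).decode("ascii")

def b64e(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")

def decode_334(line):
    """Decode the base64 payload of a '334 ...' server prompt."""
    return b64d(line.split(None, 1)[1])

def login_client_lines(user, password):
    """AUTH LOGIN: both client answers are plain base64, readable by anyone on the path."""
    return [b64e(user), b64e(password)]

def hmac_hex(secret, challenge_line):
    challenge = decode_334(challenge_line).encode("ascii")
    return hmac.new(secret.encode("ascii"), challenge, hashlib.md5).hexdigest()

def cram_md5_response(user, secret, challenge_line):
    """AUTH CRAM-MD5: base64 of 'user ' + hex HMAC-MD5(secret, challenge)."""
    return b64e(user + " " + hmac_hex(secret, challenge_line))

def server_accepts(secret, challenge_line, response):
    """Server side: recompute the digest from the stored cleartext secret and compare."""
    _user, digest = b64d(response).rsplit(" ", 1)
    return hmac.compare_digest(digest, hmac_hex(secret, challenge_line))

if __name__ == "__main__":
    # The two prompts from this page's telnet sessions.
    print(decode_334("334 VXNlcm5hbWU6"))
    challenge = "334 PDE2NDc5LjExMTA1Mzg1MDhAcHJveHkxLmhzbXVtMS5jb20+"
    print(decode_334(challenge))
    # Constructed account, not from the page.
    print(login_client_lines("alice", "example-secret"))
    reply = cram_md5_response("alice", "example-secret", challenge)
    print(reply, server_accepts("example-secret", challenge, reply))
```

The LOGIN answers decode straight back to the password, which is why the template only advertises LOGIN and PLAIN under TLS by default; the CRAM-MD5 reply never contains the secret, but the server must store that secret in cleartext to verify it.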
======================================
Integrating openwebmail
install the openwebmail .deb package
edit /etc/apache2/apache2.conf
and add to end.
Include "/etc/openwebmail/apache.conf"
edit /etc/openwebmail/openwebmail_path.conf and add
/usr/lib/cgi-bin/openwebmail
you can fine tune /etc/openwebmail/openwebmail.conf
======================================
Adding a footer/disclaimer.
Install the altermime package
edit /etc/exim4/exim4.conf.template
dnslookup:
debug_print = "R: dnslookup for $local_part@$domain"
driver = dnslookup
domains = ! +local_domains
# transport = ${if eq {$sender_address_domain}{your.domain}\
# {remote_smtp_filter}{remote_smtp}}
# transport = remote_smtp
transport = remote_smtp_filter
same_domain_copy_routing = yes
# ignore private rfc1918 and APIPA addresses
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16
no_more
Under the transport section add
##############################################
### for transport/footer
##############################################
remote_smtp_filter:
driver = smtp
transport_filter = /etc/exim4/footer.sh
##############################################
### end transport/footer
##############################################
edit the /etc/exim4/footer.sh
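#!/bin/sh
# Transport filter: the message arrives on stdin, the modified message goes to stdout.
# mktemp creates the work file with an unpredictable name and mode 0600; a name built
# from the date in /tmp can be guessed and pre-created by another local user.
TEMP=`/bin/mktemp /tmp/altermime.XXXXXXXXXX` || exit 1
trap '/bin/rm -f "$TEMP"' EXIT
/bin/cat >"$TEMP"
# altermime edits the file in place
/usr/bin/altermime --input="$TEMP" --disclaimer=/etc/exim4/footer.txt --disclaimer-html=/etc/exim4/footer.html --log-syslog
/bin/cat "$TEMP"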
Create an appropriate footer.txt and footer.html
===================================
For internal-only addresses, add the following to exim4.conf.localmacros
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
edit /etc/exim4/rcpt_local_acl
# the verb opens the ACL statement; its conditions follow and are tested in order
deny message = user unknown
!authenticated = *
!acl = acl_whitelist_local_deny
recipients = lsearch;/etc/exim4/internalemailsonly
sender_domains = ! +local_domains
edit /etc/exim4/internalemailsonly and list the internal-only addresses, one per line
===================================
Adding a filter to catch some email ids
edit the exim4.conf.template and add the following under main configuration settings
exim_path = /usr/sbin/exim4
system_filter = /etc/exim4/exim4.filter
system_filter_user = Debian-exim
system_filter_group = Debian-exim
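create /etc/exim4/exim4.filter
# Exim filter
# (the line above has to be the first line of the file, or Exim does not treat it as a filter)
if first_delivery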
and ("$h_to:, $h_cc:" contains "xxx@hotmail.com")
or ("$h_from:" contains "xxx@hotmail.com")
then
unseen deliver "forreview@domain.com"
endif
if first_delivery
and ("$h_from:" contains "www@gmail.com")
then
deliver "forreview@domain.com"
endif
======================================================