Table of Contents
Exim4 - Install Exim4
Install Exim4
There are various Exim4 packages available. If you need to use ACL and other features you may need to install exim4-daemon-heavy.
apt-get install exim4-daemon-heavy
Configuration
The README.Debian.gz file included in the exim4 packages details Debian style configuration exhaustively.
zless /usr/share/doc/exim4-config/README.Debian.gz
Generally, the Debian Exim 4 packages are configured through debconf. The install prompts for questions during package installation, and your initial Exim configuration is created from your answers. You can repeat the configuration process at any time by invoking:
dpkg-reconfigure exim4-config
Despite the default configuration being extended somewhat from the original upstream, chances are that you'll need to manually change the Exim configuration with an editor if you intend to do something that is not covered by the debconf-driven configuration. It has never been the packages' intention to offer all possible configuration methods through debconf.
There are three ways you can configure exim4. The first is a single monolithic file, the second is split file, and the third is your own file.
The configuration file is generated from these config files using the command (yes it has .conf in the name)
update-exim4.conf
After which you should restart exim4 with something like
service exim4 restart
Single Exim4 configuration file
If you select this option in debconf, configuration will be generated from the /etc/exim4/exim4.conf.template file.
The default file is rich with features which can be enabled and controlled merely by setting the values of various macros.
Incidentally, the /etc/exim4/exim4.conf.localmacros file will be read in first, which makes it the ideal place to put any macros you may want to set. Using this file you can control various features (DKIM for example) and still gain the benefits of not touching the debian provided files, so hopefully having more seamless upgrades.
Split file
In this scenarios the configuration is split across lots of smaller files stored in /etc/exim4/conf.d/ which are then assembled in to one file for you by the update-exim4.conf command. Each section of the configuration file has its own subdirectory and the files therein are concatenated in alphabetical order. As such its probably a good idea that your custom files be named something like 00_exim4-my-config so they are included first.
This mode of operation allows for your own sections of configuration to be inserted at any location in the final config file, without touching any of the package provided files. The idea being that upgrades become very reliable.
Your own file
Simply install your own file in /etc/exim/exim4.conf and exim will use that file verbatim.
To have something to start with, you can either take /etc/exim4/exim4.conf.template, run update-exim4.conf –keepcomments –output /etc/exim4/exim4.conf, or use upstream's default configuration file that is installed as /usr/share/doc/exim4-base/examples/example.conf.gz.
You are going to lose all magic you get from packaging though, so you need to be familiar with Exim to build an actually working config.
Note that /etc/exim4/exim4.conf is read directly by exim4 every time exim forks. So if you edit it in place, each smtp connection will actually read a different configuration file!
Location of the auto-generated config
For reference, the file generated by update-exim4.conf is /var/lib/exim4/config.autogenerated
IMPORTANT: Avoid editing this file in place!
Example stand-alone example
This configuration has been tested on a server and ought to be suitable for internal use:
dpkg-reconfigure exim4-config
Shows
General type of mail configuration: internet site; mail is sent and received directly using SMTP. System mail name: yourdomain.com IP-addresses to listen on for incomming SMTP connections: // leave blank Other destinations for which mail is accepted: yourdomain.com Domains to relay mail for: // leave blank Machines to relay mail for: // leave blank Keep number of DNS-queries minimal (Dial-on-Demand) ?: No Delivery method for local mail: Maildir format in home directory Split configuration into small files ? : No
This writes the configuration to /etc/exim4/update-exim4.conf.conf.
Things you might want to configure
TLS and authentication
Generate a certificate using:
bash /usr/share/doc/exim4-base/examples/exim-gencert
It will generate exim.crt and exim.key in /etc/exim4/
Instead of generating a certificate, you may simply copy certificates that you have purchased or generated previously.
Edit /etc/exim4/exim4.conf.template
add the following line before .ifdef MAIN_TLS_ENABLE
- /etc/exim4/exim4.conf.template
MAIN_TLS_ENABLE = yes
Now restart exim.
SPF filtering
This is provided via the macro CHECK_RCPT_SPF, set it to true.
Exim uses a helper tool, which you will need to install…
apt-get install spf-tools-perl
You should then run update-exim4.conf and restart exim.
Email sub-addressing (plus-signs as in Gmail)
These can easily be achieved by adding something similar to the following in one of more of your router definitions
- /etc/exim4/exim4.conf.template
local_part_suffix = +* : -* : _* local_part_suffix_optional
The above example would deliver user+example@domain.com, user-example@domain.com and user_example@domain.com to user@domain.com.
Similarly, you could use a prefix instead with these similarly named options
- /etc/exim4/exim4.conf.template
local_part_prefix = *+ : *- : *_ local_part_prefix_optional
The above example would deliver example+user@domain.com, example-user@domain.com and example_user@domain.com to user@domain.com.
In either case, you could then use sieve filtering, config tricks or your email client to apply delivery rules.
Install diagnostic tools
apt-get install swaks libnet-ssleay-perl
Test the connection:
swaks -a -tls -q HELO -s localhost -au your_user -ap '<>'
Result
=== Trying localhost:25... === Connected to localhost. <- 220 debianwb ESMTP Exim 4.76 Thu, 04 Aug 2011 14:22:02 +0600 -> EHLO debianwb <- 250-debianwb Hello localhost [127.0.0.1] <- 250-SIZE 52428800 <- 250-PIPELINING <- 250-STARTTLS <- 250 HELP -> STARTTLS <- 220 TLS go ahead === TLS started w/ cipher DHE-RSA-AES256-SHA ~> EHLO debianwb <~ 250-debianwb Hello localhost [127.0.0.1] <~ 250-SIZE 52428800 <~ 250-PIPELINING <~ 250 HELP ~> QUIT <~ 221 evie closing connection
Note that above we are sending an empty password while testing with the swaks tool.
Some ISPs may block connecting to port 25, and also some broken clients insist TLS on Port 465.
To support these, change /etc/default/exim4 as:
- /etc/default/exim4
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
Also edit /etc/exim4/exim4.conf.template:
- /etc/exim4/exim4.conf.template
##################################################### ### main/03_exim4-config_tlsoptions ##################################################### tls_on_connect_ports=465 ### main/03_exim4-config_tlsoptions #################################
Check pkg-exim4.alioth.debian.org README for details.
User authentication
Adding user authentication is possible using tools like Dovecot or sasl2-bin. For shell users who would like to use SASL and PAM for password authentication, that can setup this way:
apt-get install sasl2-bin
Edit /etc/default/saslauthd to enable saslauth:
- /etc/default/saslauthd
START=yes
Start the deamon:
/etc/init.d/saslauthd start
In /etc/exim4/exim4.conf.template, uncomment the following lines to enable authentication via saslauthd:
- /etc/exim4/exim4.conf.template
plain_saslauthd_server: driver = plaintext public_name = PLAIN server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} server_set_id = $auth2 server_prompts = : .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} .endif
Add exim to the sasl group:
adduser Debian-exim sasl
Restart exim:
/etc/init.d/exim4 restart
Test the connection using your username:
swaks -a -tls -q AUTH -s localhost -au your_user Password:
Enable IMAP access by installing Courier-Imap or a similar MTA.
Spam scanning
There are several ways to detect spam.
Exim has default configuration for spamassassin (exim4-daemon-heavy required).
apt-get install spamassassin
If you are using Debian Jessie or later (with systemd enabled by default), enable and start the service using systemctl;
systemctl enable spamassassin.service
On earlier Debian releases, edit /etc/default/spamassassin …
- /etc/default/spamassassin
ENABLED=1
…and then start the daemon.
/etc/init.d/spamassassin start
On all systems, edit /etc/exim4/exim4.conf.template as required for your system.
First, if necessary, set the spamd_address:
- /etc/exim4/exim4.conf.template
# For spam scanning, there is a similar option that defines the interface to # SpamAssassin. You do not need to set this if you are using the default, which # is shown in this commented example. As for virus scanning, you must also # modify the acl_check_data access control list to enable spam scanning. # spamd_address = 127.0.0.1 783
Next, edit the acl_check_data section to add suitable spam headers:
- /etc/exim4/exim4.conf.template
### acl/40_exim4-config_check_data ################################# # This ACL is used after the contents of a message have been received. This # is the ACL in which you can test a message's headers or body, and in # particular, this is where you can invoke external virus or spam scanners. acl_check_data: ... ... ... # See the exim docs and the exim wiki for more suitable examples. # # warn # spam = Debian-exim:true # add_header = X-Spam_score: $spam_score\n\ # X-Spam_score_int: $spam_score_int\n\ # X-Spam_bar: $spam_bar\n\ # X-Spam_report: $spam_report # put headers in all messages (no matter if spam or not) warn spam = nobody:true add_header = X-Spam-Score: $spam_score ($spam_bar) add_header = X-Spam-Report: $spam_report # add second subject line with *SPAM* marker when message # is over threshold warn spam = nobody add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
For more information about configuring spam filters, see the exim wiki.
To test your spamassassin setup follow spamassassin test and gtube.
Exim access control lists (ACLs)
Exim provides flexible way to set access control list. For detailed information, see the ACL documentation on the exim wiki.
For example, if we are trying to deny all mail from three free email service providers (domain1.com, domain2.com, domain3.com) based on Received headers from the servers, we can use the following lines:
- /etc/exim4/exim4.conf.template
deny condition = ${if match{$h_Received:}{\N\.(domain1|domain2|domain3)\.com\N}{yes}{no}} message = This mailbox does not support free e-mail services.