Difference between revisions of "Exim"

From wiki
Line 5: Line 5:
  
 
== Configure ==
 
== Configure ==
{{TODO}}
+
 
 +
=== TLS Certificates ===
 +
# Edit file <code>/etc/nginx/sites-enabled/noweb</code> an add a <code>server_name</code> line for <code>smtp.example.org</code>
 +
# Activate your new domain in Nginx<syntaxhighlight lang="console">
 +
# service nginx reload
 +
</syntaxhighlight>
 +
# Edit file <code>/usr/local/sbin/renew_certificates</code> and add the following to the config list<syntaxhighlight lang="python">
 +
{
 +
    'domains': ['smtp.example.org'],
 +
    'reload': [['service', 'exim4', 'reload']]
 +
}
 +
</syntaxhighlight>
 +
# Get Your certificate{{Let’s Encrypt/New Cert Command|domain = smtp.example.org|command = service exim4 reload}}
 +
 
 +
=== Authentication ===
 +
Create file <code>/etc/exim4/conf.d/auth/15_dovecot</code><syntaxhighlight lang="properties">
 +
dovecot_login:
 +
  driver = dovecot
 +
  public_name = LOGIN
 +
  server_socket = /run/dovecot/auth-client
 +
  server_set_id = $auth1
 +
 
 +
dovecot_plain:
 +
  driver = dovecot
 +
  public_name = PLAIN
 +
  server_socket = /run/dovecot/auth-client
 +
  server_set_id = $auth1
 +
</syntaxhighlight>
 +
 
 +
=== Smart catch ===
 +
This is my #1 spam fighting technique. It allows me to have an infinite number of email addresses while still preventing spammers to generate them.
 +
 
 +
You can check the [[Exim/SmartCatch|installation instructions]].
 +
 
 +
=== Dovecot Delivery ===
 +
Create file <code>/etc/exim4/conf.d/router/899_dovecot</code><syntaxhighlight lang="properties">
 +
## router/899_dovecot
 +
#################################
 +
 
 +
dovecot:
 +
  debug_print = "R: dovecot for $local_part@$domain"
 +
  driver = accept
 +
  domains = +local_domains
 +
  transport = dovecot_virtual_delivery
 +
  cannot_route_message = Unknown user
 +
</syntaxhighlight>Then create <code>/etc/exim4/conf.d/transport/99_dovecot_virtual_delivery</code><syntaxhighlight lang="properties">
 +
dovecot_virtual_delivery:
 +
  driver = pipe
 +
  command = /usr/lib/dovecot/dovecot-lda -d $local_part -a $original_local_part@$original_domain  -f $sender_address -e
 +
  message_prefix =
 +
  message_suffix =
 +
  delivery_date_add
 +
  envelope_to_add
 +
  return_path_add
 +
  log_output
 +
  user = vmail
 +
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
 +
</syntaxhighlight>
 +
 
 +
== Firewall ==
 +
{{nftables/config|category = Exim|tcp_port_in = 25, 587|udp_port_in = |tcp_port_out = |udp_port_out = |user_out = }}
  
 
== Fail2Ban ==
 
== Fail2Ban ==

Revision as of 20:09, 4 June 2016

Install

# apt install exim4-daemon-light

Configure

TLS Certificates

  1. Edit file /etc/nginx/sites-enabled/noweb an add a server_name line for smtp.example.org
  2. Activate your new domain in Nginx
    # service nginx reload
  3. Edit file /usr/local/sbin/renew_certificates and add the following to the config list
    {
    'domains': ['smtp.example.org'],
    'reload': [['service', 'exim4', 'reload']]
}
  4. Get Your certificate
    $ sudo /usr/local/sbin/certmanage
Renewing certificate for smtp.example.org that will expire on 0001-01-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for smtp.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/smtp.example.org/fullchain.pem. Your cert
   will expire on 2025-02-19. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restarting services:
service exim4 reload

Authentication

Create file /etc/exim4/conf.d/auth/15_dovecot

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /run/dovecot/auth-client
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /run/dovecot/auth-client
  server_set_id = $auth1

Smart catch

This is my #1 spam fighting technique. It allows me to have an infinite number of email addresses while still preventing spammers to generate them.

You can check the installation instructions.

Dovecot Delivery

Create file /etc/exim4/conf.d/router/899_dovecot

## router/899_dovecot
#################################

dovecot:
  debug_print = "R: dovecot for $local_part@$domain"
  driver = accept
  domains = +local_domains
  transport = dovecot_virtual_delivery
  cannot_route_message = Unknown user

Then create /etc/exim4/conf.d/transport/99_dovecot_virtual_delivery

dovecot_virtual_delivery:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -d $local_part -a $original_local_part@$original_domain  -f $sender_address -e
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = vmail
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

Firewall

Assuming that you configured nftables as described, you can edit file /etc/nftables/main_config.conf and add 

# Exim
add element  inet main  tcp_port_in { 25, 587 }

and activate it using 

$ sudo /etc/nftables/reload_main.conf

Fail2Ban

The filter for Exim is already included in Debian, we just need to activate it. It will filter people trying to log on your server, trying to make it relay spam, and sending nonsense command.

Create file /etc/fail2ban/jail.d/exim.conf 

[exim]
enabled  = true
port     = 25,587
logpath  = %(exim_main_log)s
Retrieved from ‘https://wiki.meurisse.org/index.php?title=Exim&oldid=375