Difference between revisions of "Exim"
(Rename certs folder)
(Update certmanage command)
(8 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
+ | == Prerequisite == | ||
+ | This article is part of the [[Emails/Complete|emails]] series. It is assumed that you already covered [[Dovecot]]. | ||
+ | |||
+ | This guide also uses the following software: | ||
+ | * [[Let’s Encrypt]] or another way to get certificates | ||
+ | * [[nftables]] as a firewall | ||
+ | * [[Fail2Ban]]. Optional but recommended for security. | ||
+ | |||
== Install == | == Install == | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
− | + | $ sudo apt install exim4-daemon-heavy | |
</syntaxhighlight>Note: The heavy version is needed to use Dovecot as an authentication mechanism. | </syntaxhighlight>Note: The heavy version is needed to use Dovecot as an authentication mechanism. | ||
Line 15: | Line 23: | ||
==== Create folder ==== | ==== Create folder ==== | ||
Unlike other programs, Exim doesn't read it's certificate as the root user. So it will be unable to read them from the standard let’sencrypt folder. We will create a folder readable by Exim where we can safely drop certificates later<syntaxhighlight lang="console"> | Unlike other programs, Exim doesn't read it's certificate as the root user. So it will be unable to read them from the standard let’sencrypt folder. We will create a folder readable by Exim where we can safely drop certificates later<syntaxhighlight lang="console"> | ||
− | + | $ sudo mkdir -m 710 /etc/exim4/private | |
− | + | $ sudo chgrp Debian-exim /etc/exim4/private | |
</syntaxhighlight> | </syntaxhighlight> | ||
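Review bot: the Create folder paragraph has "doesn't read it's certificate", which should read "does not read its certificates", and the sentence runs straight into the syntaxhighlight tag without a full stop; end it with a period before the tag. It would also help to say here that the 710 directory only gives group Debian-exim traverse rights, so the files dropped into it later must themselves be group readable.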
Line 22: | Line 30: | ||
# Edit file <code>/etc/nginx/sites-enabled/noweb</code> an add a <code>server_name</code> line for <code>smtp.example.org</code> | # Edit file <code>/etc/nginx/sites-enabled/noweb</code> an add a <code>server_name</code> line for <code>smtp.example.org</code> | ||
# Activate your new domain in Nginx<syntaxhighlight lang="console"> | # Activate your new domain in Nginx<syntaxhighlight lang="console"> | ||
− | + | $ sudo systemctl reload nginx.service | |
</syntaxhighlight> | </syntaxhighlight> | ||
− | # Edit file <code>/usr/local/sbin/renew_certificates</code> and add the following to the config list<syntaxhighlight lang=" | + | # Edit file <code>/usr/local/sbin/renew_certificates</code> and add the following to the config list<syntaxhighlight lang="json"> |
{ | { | ||
− | + | "domains": ["smtp.example.org"], | |
− | + | "reload": [["cp", "--preserve=all", "/etc/letsencrypt/live/smtp.example.org/fullchain.pem", "/etc/letsencrypt/live/smtp.example.org/privkey.pem", "/etc/exim4/private/"], ["/bin/systemctl", "reload", "exim4.service"]] | |
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
# Get Your certificate{{Let’s Encrypt/New Cert Command|domain = smtp.example.org|command = cp --preserve=all /etc/letsencrypt/live/smtp.example.org/{fullchain,privkey}.pem /etc/exim4/private/ | # Get Your certificate{{Let’s Encrypt/New Cert Command|domain = smtp.example.org|command = cp --preserve=all /etc/letsencrypt/live/smtp.example.org/{fullchain,privkey}.pem /etc/exim4/private/ | ||
− | service | + | /bin/systemctl reload exim4.service}} |
==== Use Certificate ==== | ==== Use Certificate ==== | ||
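Review bot: the reload list copies privkey.pem with cp --preserve=all, which keeps the source file's owner and mode, and /etc/exim4/private (created 710, group Debian-exim in the previous hunk) only grants traverse rights, so Exim can read the copied key only if the certbot source file already happens to be readable by it. Follow the copy with an explicit chgrp Debian-exim and chmod 640 on privkey.pem (644 on fullchain.pem) before the systemctl reload; otherwise any certbot update that tightens key permissions silently breaks TLS on the next renewal, and the paniclog is the first place you will hear about it.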
Line 38: | Line 46: | ||
MAIN_TLS_CERTIFICATE = /etc/exim4/private/fullchain.pem | MAIN_TLS_CERTIFICATE = /etc/exim4/private/fullchain.pem | ||
MAIN_TLS_PRIVATEKEY = /etc/exim4/private/privkey.pem | MAIN_TLS_PRIVATEKEY = /etc/exim4/private/privkey.pem | ||
− | tls_require_ciphers = PFS: | + | # GNUTLS ciphers: https://www.gnutls.org/manual/html_node/Priority-Strings.html |
+ | # test using: gnutls-cli -l --priority PFS:+RSA:... | ||
+ | tls_require_ciphers = PFS:+RSA:-ARCFOUR-128:-3DES-CBC:-MD5:-SIGN-RSA-MD5:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-CURVE-SECP192R1:%SERVER_PRECEDENCE | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Authentication === | === Authentication === | ||
+ | We will use dovecot to verify user login and password. It lets us have only one database of users and share it between the different email infrastructure parts (smtp, imap...) | ||
+ | |||
+ | ==== Dovecot ==== | ||
+ | First modify the file <code>/etc/dovecot/conf.d/10-master.conf</code>. Find the section <code>service auth</code> and add the following lines<syntaxhighlight lang="properties"> | ||
+ | service auth { | ||
+ | ... | ||
+ | # Authentication socket used by Exim | ||
+ | unix_listener auth-client { | ||
+ | mode = 0600 | ||
+ | user = Debian-exim | ||
+ | } | ||
+ | ... | ||
+ | } | ||
+ | </syntaxhighlight>And apply config with<syntaxhighlight lang="console"> | ||
+ | $ sudo systemctl restart dovecot.service | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ==== Exim ==== | ||
Create file <code>/etc/exim4/conf.d/auth/15_dovecot</code><syntaxhighlight lang="properties"> | Create file <code>/etc/exim4/conf.d/auth/15_dovecot</code><syntaxhighlight lang="properties"> | ||
dovecot_login: | dovecot_login: | ||
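Review bot: in the new tls_require_ciphers line, +RSA after PFS adds static RSA key exchange back in, which has no forward secrecy, so the string no longer delivers what the PFS keyword at its start promises; if it is there for compatibility with old sending servers, say so in the comment above it, otherwise drop +RSA. The new Dovecot authenticators (15_dovecot) offer PLAIN and LOGIN, which send the password in the clear; add a server_advertise_condition on each so they are only advertised once TLS is up, since the file as shown has no such condition.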
Line 86: | Line 114: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | == Firewall == | + | === Firewall === |
{{nftables/config|category = Exim|tcp_port_in = 25, 587|udp_port_in = |tcp_port_out =25 |udp_port_out = |user_out = }} | {{nftables/config|category = Exim|tcp_port_in = 25, 587|udp_port_in = |tcp_port_out =25 |udp_port_out = |user_out = }} | ||
+ | |||
+ | === DKIM === | ||
+ | [[Exim/DKIM]] | ||
+ | |||
+ | === Paniclog === | ||
+ | In case Exim encounter a grave problem (cannot start, lost email…) it will write a log to <code>/var/log/exim4/paniclog</code>. There is a cron job that monitor this file and will send you a daily mail if it is not empty. | ||
+ | |||
+ | It is important to not miss these emails and act on them quickly. I use a [[Dovecot|Sieve]] script to mark them as important:<syntaxhighlight lang="c"> | ||
+ | if header :matches "Subject" "exim paniclog on * has non-zero size" { | ||
+ | addflag "\\Flagged"; | ||
+ | } | ||
+ | </syntaxhighlight>Also note that this log file is never rotated. So you will get the same email over and over until you do it manually. It can be done with:<syntaxhighlight lang="console"> | ||
+ | $ sudo logrotate -f /etc/logrotate.d/exim4-paniclog | ||
+ | </syntaxhighlight>To have this rotation done automatically (and thus receive the email only once), edit <code>/etc/default/exim4</code><syntaxhighlight lang="shell"> | ||
+ | # Rotate /var/log/exim4/paniclog after email is sent to admin | ||
+ | E4BCD_WATCH_PANICLOG='once' | ||
+ | </syntaxhighlight> | ||
== Fail2Ban == | == Fail2Ban == |
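Review bot: the Sieve snippet under Paniclog uses addflag without a require ["imap4flags"] line; pasted into a fresh script it fails to compile, so either add the require or say that it goes into an existing script that already declares the extension. The block is also tagged lang="c", which is not Sieve.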
Latest revision as of 11:29, 3 May 2018
Prerequisite
This article is part of the emails series. It is assumed that you already covered Dovecot.
This guide also uses the following software:
- Let’s Encrypt or another way to get certificates
- nftables as a firewall
- Fail2Ban. Optional but recommended for security.
Install
$ sudo apt install exim4-daemon-heavy
Note: The heavy version is needed to use Dovecot as an authentication mechanism.
Configure
Base
Create file /etc/exim4/conf.d/main/00_local_settings
daemon_smtp_ports = smtp : 587
TLS Certificates
Create folder
Unlike other programs, Exim does not read its certificates as the root user, so it cannot read them from the standard Let’s Encrypt folder. We will create a folder readable by Exim where we can safely drop certificates later.
$ sudo mkdir -m 710 /etc/exim4/private
$ sudo chgrp Debian-exim /etc/exim4/private
Get certificate
- Edit file /etc/nginx/sites-enabled/noweb and add a server_name line for smtp.example.org
- Activate your new domain in Nginx
$ sudo systemctl reload nginx.service
- Edit file /usr/local/sbin/renew_certificates and add the following to the config list
{
    "domains": ["smtp.example.org"],
    "reload": [
        ["cp", "--preserve=all", "/etc/letsencrypt/live/smtp.example.org/fullchain.pem", "/etc/letsencrypt/live/smtp.example.org/privkey.pem", "/etc/exim4/private/"],
        ["/bin/systemctl", "reload", "exim4.service"]
    ]
}
- Get your certificate
$ sudo /usr/local/sbin/certmanage
Renewing certificate for smtp.example.org that will expire on 0001-01-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for smtp.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/smtp.example.org/fullchain.pem. Your cert will
   expire on 2025-02-19. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restarting services: cp --preserve=all /etc/letsencrypt/live/smtp.example.org/{fullchain,privkey}.pem /etc/exim4/private/
/bin/systemctl reload exim4.service
Use Certificate
Edit /etc/exim4/conf.d/main/00_local_settings and add the following lines
MAIN_TLS_ENABLE = true
MAIN_TLS_CERTIFICATE = /etc/exim4/private/fullchain.pem
MAIN_TLS_PRIVATEKEY = /etc/exim4/private/privkey.pem
# GNUTLS ciphers: https://www.gnutls.org/manual/html_node/Priority-Strings.html
# test using: gnutls-cli -l --priority PFS:+RSA:...
tls_require_ciphers = PFS:+RSA:-ARCFOUR-128:-3DES-CBC:-MD5:-SIGN-RSA-MD5:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-CURVE-SECP192R1:%SERVER_PRECEDENCE
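As an added example (not part of the original article), the copy step above written as a small POSIX shell function: it copies the two files out of certbot's live directory, gives them explicit ownership and modes that the Exim user can read, refuses to leave a key that does not match the chain, and reloads Exim only when something actually changed. The function name, its arguments and the reload command passed as a parameter are my own assumptions, not an Exim or certbot interface; on the setup described here you would call it as root with /etc/letsencrypt/live/smtp.example.org /etc/exim4/private Debian-exim "systemctl reload exim4.service".

```shell
#!/bin/sh
# Added example, not from the original article: deploy certbot's files into the
# Exim-readable folder with explicit ownership and modes instead of `cp --preserve=all`.
# deploy_exim_certs and its arguments are assumed names, not an Exim or certbot interface.
set -eu

# deploy_exim_certs SRC_DIR DST_DIR GROUP RELOAD_CMD
#   SRC_DIR    certbot live directory, e.g. /etc/letsencrypt/live/smtp.example.org
#   DST_DIR    folder Exim reads from, e.g. /etc/exim4/private (mode 710, group GROUP)
#   GROUP      group Exim runs as, Debian-exim on Debian
#   RELOAD_CMD command run only when a file actually changed
# Prints "reloaded" or "unchanged"; returns 1 if key and certificate do not match.
deploy_exim_certs() {
    src=$1; dst=$2; grp=$3; reload=$4
    changed=0
    for name in fullchain.pem privkey.pem; do
        if [ -f "$dst/$name" ] && cmp -s "$src/$name" "$dst/$name"; then
            continue                          # already deployed, nothing to do
        fi
        cp -L "$src/$name" "$dst/$name.tmp"   # -L follows the live/ -> archive/ symlink
        chgrp "$grp" "$dst/$name.tmp"
        if [ "$name" = privkey.pem ]; then
            chmod 640 "$dst/$name.tmp"        # key: owner and Exim's group only
        else
            chmod 644 "$dst/$name.tmp"        # the chain is public anyway
        fi
        mv -f "$dst/$name.tmp" "$dst/$name"   # atomic replace, Exim never sees a partial file
        changed=1
    done
    # Refuse to leave a mismatched pair behind (check skipped where openssl is absent).
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -noout -pubkey -in "$dst/fullchain.pem" 2>/dev/null || true)
        key_pub=$(openssl pkey -pubout -in "$dst/privkey.pem" 2>/dev/null || true)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "key does not match certificate in $dst" >&2
            return 1
        fi
    fi
    if [ "$changed" -eq 1 ]; then
        $reload
        echo reloaded
    else
        echo unchanged
    fi
}
```

Because the function is idempotent, it can replace the cp entry in the renew_certificates reload list and be run after every renewal without causing needless Exim reloads.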
Authentication
We will use Dovecot to verify user logins and passwords. This way there is only one user database, shared between the different parts of the email infrastructure (SMTP, IMAP, ...).
Dovecot
First modify the file /etc/dovecot/conf.d/10-master.conf. Find the section service auth and add the following lines
service auth {
...
# Authentication socket used by Exim
unix_listener auth-client {
mode = 0600
user = Debian-exim
}
...
}
And apply config with
$ sudo systemctl restart dovecot.service
Exim
Create file /etc/exim4/conf.d/auth/15_dovecot
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
Smart catch
This is my #1 spam fighting technique. It allows me to have an infinite number of email addresses while still preventing spammers from generating them.
You can check the installation instructions.
Dovecot Delivery
Create file /etc/exim4/conf.d/router/899_dovecot
## router/899_dovecot
#################################
dovecot:
debug_print = "R: dovecot for $local_part@$domain"
driver = accept
domains = +local_domains
transport = dovecot_virtual_delivery
cannot_route_message = Unknown user
Then create /etc/exim4/conf.d/transport/99_dovecot_virtual_delivery
dovecot_virtual_delivery:
driver = pipe
command = /usr/lib/dovecot/dovecot-lda -d $local_part -a $original_local_part@$original_domain -f $sender_address -e
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = vmail
temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
Firewall
Assuming that you configured nftables as described, you can edit file /etc/nftables/main_config.conf and add
# Exim
add element inet main tcp_port_in { 25, 587 }
add element inet main tcp_port_out { 25 }
and activate it using
$ sudo /etc/nftables/reload_main.conf
DKIM
Paniclog
If Exim encounters a grave problem (cannot start, lost email…) it writes a log to /var/log/exim4/paniclog. A cron job monitors this file and will send you a daily mail if it is not empty.
It is important to not miss these emails and act on them quickly. I use a Sieve script to mark them as important:
require ["imap4flags"];
if header :matches "Subject" "exim paniclog on * has non-zero size" {
    addflag "\\Flagged";
}
Also note that this log file is never rotated. So you will get the same email over and over until you do it manually. It can be done with:
$ sudo logrotate -f /etc/logrotate.d/exim4-paniclog
To have this rotation done automatically (and thus receive the email only once), edit /etc/default/exim4
# Rotate /var/log/exim4/paniclog after email is sent to admin
E4BCD_WATCH_PANICLOG='once'
Fail2Ban
The filter for Exim is already included in Debian; we just need to activate it. It catches people trying to log on to your server, trying to make it relay spam, and sending nonsense commands.
Create file /etc/fail2ban/jail.d/exim.conf
[exim]
enabled = true
port = 25,587
logpath = %(exim_main_log)s
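As an added example (not part of the original article or of Fail2Ban), the first of the three signals the jail acts on, failed SMTP AUTH attempts, counted per client address straight from the mainlog. The log lines are constructed to match the dovecot_login and dovecot_plain authenticators defined above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: count failed SMTP AUTH attempts per
# client address in Exim's mainlog, the evidence the Fail2Ban exim jail bans on.
# Function names are assumed; the log excerpt is constructed.
set -eu

# Constructed excerpt of /var/log/exim4/mainlog (one legitimate delivery among the failures)
SAMPLE_LOG='2018-05-03 11:20:01 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2018-05-03 11:20:02 dovecot_plain authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice)
2018-05-03 11:20:05 1fEt0Z-0001Xf-4J <= bob@example.org H=mail.example.net [203.0.113.9] P=esmtps S=1234
2018-05-03 11:20:09 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2018-05-03 11:21:00 dovecot_plain authenticator failed for ([192.0.2.55]) [192.0.2.55]: 535 Incorrect authentication data (set_id=postmaster)'

# auth_failures_over LIMIT : reads mainlog lines on stdin and prints "count ip",
# most failures first, for every client address with more than LIMIT failures.
auth_failures_over() {
    awk -v limit="$1" '
        / authenticator failed for / {
            # the client address is the bracketed host directly before ": 535"
            if (match($0, /\[[0-9a-fA-F.:]+\]: /)) {
                ip = substr($0, RSTART + 1, RLENGTH - 4)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# offenders LIMIT : the same count over the constructed sample above
offenders() { printf '%s\n' "$SAMPLE_LOG" | auth_failures_over "$1"; }
```

On a live system run auth_failures_over 5 < /var/log/exim4/mainlog to see which addresses the jail's maxretry would catch before enabling it.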