Exim
From wiki
Install
# apt install exim4-daemon-light
Configure
TLS Certificates
- Edit file
/etc/nginx/sites-enabled/noweb
an add aserver_name
line forsmtp.example.org
- Activate your new domain in Nginx
# service nginx reload
- Edit file
/usr/local/sbin/renew_certificates
and add the following to the config list{ 'domains': ['smtp.example.org'], 'reload': [['service', 'exim4', 'reload']] }
- Get Your certificate
$ sudo /usr/local/sbin/certmanage Renewing certificate for smtp.example.org that will expire on 0001-01-01 Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: http-01 challenge for smtp.example.org Using the webroot path /var/www/acme-challenge for all unmatched domains. Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/smtp.example.org/fullchain.pem. Your cert will expire on 2025-02-20. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le Restarting services: service exim4 reload
Authentication
Create file /etc/exim4/conf.d/auth/15_dovecot
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
Smart catch
This is my #1 spam fighting technique. It allows me to have an infinite number of email addresses while still preventing spammers to generate them.
You can check the installation instructions.
Dovecot Delivery
Create file /etc/exim4/conf.d/router/899_dovecot
## router/899_dovecot
#################################
dovecot:
debug_print = "R: dovecot for $local_part@$domain"
driver = accept
domains = +local_domains
transport = dovecot_virtual_delivery
cannot_route_message = Unknown user
Then create /etc/exim4/conf.d/transport/99_dovecot_virtual_delivery
dovecot_virtual_delivery:
driver = pipe
command = /usr/lib/dovecot/dovecot-lda -d $local_part -a $original_local_part@$original_domain -f $sender_address -e
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = vmail
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
Firewall
Assuming that you configured nftables as described, you can edit file /etc/nftables/main_config.conf
and add
# Exim
add element inet main tcp_port_in { 25, 587 }
and activate it using
$ sudo /etc/nftables/reload_main.conf
Fail2Ban
The filter for Exim is already included in Debian, we just need to activate it. It will filter people trying to log on your server, trying to make it relay spam, and sending nonsense command.
Create file /etc/fail2ban/jail.d/exim.conf
[exim]
enabled = true
port = 25,587
logpath = %(exim_main_log)s