Differences between revisions 1 and 42 (spanning 41 versions)
Revision 1 as of 2012-02-05 11:45:06
Size: 3922
Comment: Initial page
Revision 42 as of 2019-03-16 22:18:37
Size: 16816
Editor: ?Nico de Groot
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
||<tablestyle="width: 100%;" style="border: 0px hidden">~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[it/PostgreSql|Italiano]] - [[ru/Pan|Русский]] -~||<style="text-align: right;border: 0px hidden"> (!) [[Pan/Discussion|Discussion]]|| ~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[it/Exim|Italiano]] -~
Line 6: Line 6:
== Exim Overview == = Exim Overview =
Line 10: Line 10:
== Installation == = Installation =
Line 17: Line 17:

== Configuration ==

This configuration is tested in a could server and suitable for internal use:
= Configuration =

The README.Debian.gz file included in the exim4 packages details Debian style configuration exhaustively.
{{{
#zless /usr/share/doc/exim4-config/README.Debian.gz
}}}

Generally, the Debian Exim 4 packages are configured through debconf.
The install prompts for questions during package installation, and your
initial Exim configuration is created from your answers. You can
repeat the configuration process at any time by invoking:
{{{
 dpkg-reconfigure exim4-config
}}}

Despite the default configuration being extended somewhat from the
original upstream, chances are that you'll need to manually change the
Exim configuration with an editor if you intend to do something that is
not covered by the debconf-driven configuration. It has never been the
packages' intention to offer all possible configuration methods through
debconf.

There are three ways you can configure exim4. The first is a single monolithic file, the second is split file, and the third is your own file.

The configuration file is generated from these config files using the command (yes it has .conf in the name)

{{{
update-exim4.conf
}}}

After which you should restart exim4 with something like

{{{
service exim4 restart
}}}

== Single Exim4 configuration file ==

If you select this option in debconf, configuration will be generated from the
''/etc/exim4/exim4.conf.template'' file.

The default file is rich with features which can be enabled and controlled merely by setting the values of various macros.

Incidentally, the ''/etc/exim4/exim4.conf.localmacros'' file will be read in first, which makes it the ideal place to put any macros you may want to set. Using this file you can control various features (DKIM for example) and still gain the benefits of not touching the debian provided files, so hopefully having more seamless upgrades.

== Split file ==

In this scenarios the configuration is split across lots of smaller files stored in ''/etc/exim4/conf.d/'' which are then assembled in to one file for you by the update-exim4.conf command. Each section of the configuration file has its own subdirectory and the files therein are concatenated in alphabetical order. As such its probably a good idea that your custom files be named something like ''00_exim4-my-config'' so they are included first.

This mode of operation allows for your own sections of configuration to be inserted at any location in the final config file, without touching any of the package provided files. The idea being that upgrades become very reliable.

== Your own file ==

Simply install your own file in ''/etc/exim/exim4.conf'' and exim will use that file verbatim.

To have something to start with, you can either take
''/etc/exim4/exim4.conf.template'', run ''update-exim4.conf --keepcomments --output /etc/exim4/exim4.conf'', or use upstream's default configuration
file that is installed as ''/usr/share/doc/exim4-base/examples/example.conf.gz''.

You are going to lose all magic you get from packaging though, so you need to be familiar with Exim to build an actually working config.

Note that ''/etc/exim4/exim4.conf'' is read directly by exim4 every time exim forks. So if you edit it in place, each smtp connection will actually read a different configuration file!

== Location of the auto-generated config ==

For reference, the file generated by update-exim4.conf is ''/var/lib/exim4/config.autogenerated''

Avoid editing this file in place!

== Example stand-alone example ==

This configuration has been tested on a server and ought to be suitable for internal use:
Line 37: Line 105:
This is write the configuration in your - ''/etc/exim4/update-exim4.conf.conf''



=== TLS and Authentication ===
This writes the configuration to ''/etc/exim4/update-exim4.conf.conf''.

= Things you might want to configure =

== TLS and authentication ==

=== generating a local certificate ===
Line 50: Line 120:
You may simply copy certificates if you have bought it earlier.


Edit ''/etc/exim4/exim4.conf.template''

add the following line before ''.ifdef MAIN_TLS_ENABLE''
Instead of generating a certificate, you may simply copy certificates that you have purchased or generated previously.

Edit ''/etc/exim4/exim4.conf.localmacros''

add the following line:
Line 60: Line 129:
=== Install diagnostic tools === As with any change to the configuration, run update-exim4.conf then restart exim (service exim4 restart).

=== communicating with a smarthost ===

If, like most home users, you are not actually running an Internet server but instead are using e-mail accounts from an ISP or other company (e.g. gmail, hotmail, yahoo mail, etc.), you will need to communicate with their smtp server to send mail.

Every company seems to configure their server differently and puts different restrictions on how you can send mail. This makes configuring Exim4 difficult to describe as a general case. Adding tls makes things even more complicated. However you should always use tls (if available) so that your login is sent encrypted.

I'm going to describe a setup that should work in most cases when you are sending mail using a single account to a single smarthost.

 1. select one of the smarthost options when running dpkg-reconfigure exim4-config. When specifying the smarthost, include both the smarthost server name and the port it wants you to use (e.g. example.com::465). Note the double colons.
 2. edit /etc/exim4/passwd.client to use the following line:
      *:<username>:<user password> (e.g. *:mymail@example.com:abdc1243)
    This will send all exim4 e-mail using those credentials.
 3. Add the following lines to /etc/exim4/exim4.conf.localmacros:
      MAIN_TLS_ENABLE = 1
     REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
      TLS_ON_CONNECT_PORTS = 465
     REQUIRE_PROTOCOL = smtps
 4. Add the following to /etc/exim4/exim4.conf.template after .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif
      .ifdef REQUIRE_PROTOCOL
        protocol = REQUIRE_PROTOCOL
      .endif
 5. Add the following after .ifdef MAIN_TLS_ENABLE
      .ifdef TLS_ON_CONNECT_PORTS
        tls_on_connect_ports = TLS_ON_CONNECT_PORTS
      .endif
 6. run update-exim4.conf followed by service exim4 restart

== SPF filtering ==

This is provided via the macro ''CHECK_RCPT_SPF'', set it to ''true''.

Exim uses a helper tool, which you will need to install...

{{{
# apt-get install spf-tools-perl
}}}

You should then run ''update-exim4.conf'' and restart exim.

== DNS Blacklists ==

You can configure exim to use DNS Blacklists with the macro CHECK_RCPT_IP_DNSBLS :
{{{
CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org
}}}

The default behaviour is not to block the hosts found in the lists, but just add a warning header. In order to truly blacklist the spammers, just change 'warn' by 'deny' in the following block:
{{{
  .ifdef CHECK_RCPT_IP_DNSBLS
  warn # <--- deny
    dnslists = CHECK_RCPT_IP_DNSBLS
    add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  .endif
}}}

Then restart exim.

== Email sub-addressing (plus-signs as in Gmail) ==

These can easily be achieved by adding something similar to the following in one of more of your router definitions
{{{
local_part_suffix = +* : -* : _*
local_part_suffix_optional
}}}

The above example would deliver ''`user+example@domain.com`'', ''`user-example@domain.com`'' and ''`user_example@domain.com`'' to ''`user@domain.com`''.

Similarly, you could use a prefix instead with these similarly named options

{{{
local_part_prefix = *+ : *- : *_
local_part_prefix_optional
}}}

The above example would deliver ''`example+user@domain.com`'', ''`example-user@domain.com`'' and ''`example_user@domain.com`'' to ''`user@domain.com`''.

In either case, you could then use sieve filtering, config tricks or your email client to apply delivery rules.

== Install diagnostic tools ==
Line 90: Line 240:
We are sending an empty pass while testing ''swaks''.


=== Authentication ===
Now, we will add authentication schema.
For the shell users we are using ''SASL'', which uses PAM for password authentication.
Note that above we are sending an empty password while testing with the ''swaks'' tool.

Some ISPs may block connecting to port 25, and also some broken clients insist TLS on Port 465.

To support these, change ''/etc/default/exim4'' as:
{{{
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
}}}

Also edit ''/etc/exim4/exim4.conf.template'':
{{{
#####################################################
### main/03_exim4-config_tlsoptions
#####################################################
tls_on_connect_ports=465
### main/03_exim4-config_tlsoptions
#################################
}}}

Check [[http://pkg-exim4.alioth.debian.org/README/README.Debian.html#TLS| pkg-exim4.alioth.debian.org README]] for details.

== User authentication ==
Adding user authentication is possible using tools like [[Dovecot]] or sasl2-bin. For shell users who would like to use ''SASL'' and PAM for password authentication, that can setup this way:
Line 100: Line 267:
edit /etc/default/saslauthd to enable saslauth Edit ''/etc/default/saslauthd'' to enable saslauth:
Line 105: Line 272:
start the deamon: Start the deamon:
Line 111: Line 278:
edit ''/etc/exim4/exim4.conf'' and '''uncomment''' the following line authentication via saslauthd: In ''/etc/exim4/exim4.conf.template'', uncomment the following lines to enable authentication via saslauthd:
Line 125: Line 292:
Add exim to sasl group Add exim to the sasl group:
Line 141: Line 308:
Enable IMAP access by installing [[Courier-Imap]] or similar MTA
Enable IMAP access by installing [[Courier-Imap]] or a similar MTA.


== Spam scanning ==
There are several ways to detect spam.

Exim has default configuration for spamassassin (''exim4-daemon-heavy'' required).
{{{
#apt-get install spamassassin
}}}

If you are using Debian Jessie or later (with systemd enabled by default), enable and start the service using systemctl;

{{{
#systemctl enable spamassassin.service
}}}

On earlier Debian releases, edit ''/etc/default/spamassassin'' ...
{{{
ENABLED=1
}}}

...and then start the daemon.
{{{
#/etc/init.d/spamassassin start
}}}


On all systems, edit ''/etc/exim4/exim4.conf.template'' as required for your system.

First, if necessary, set the ''spamd_address'':

{{{
# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.

spamd_address = 127.0.0.1 783

}}}


Next, edit the ''acl_check_data'' section to add suitable spam headers:

{{{
### acl/40_exim4-config_check_data
#################################

# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam scanners.

acl_check_data:
...
...
...
# See the exim docs and the exim wiki for more suitable examples.
#
# warn
# spam = Debian-exim:true
# add_header = X-Spam_score: $spam_score\n\
# X-Spam_score_int: $spam_score_int\n\
# X-Spam_bar: $spam_bar\n\
# X-Spam_report: $spam_report

# put headers in all messages (no matter if spam or not)
 warn spam = debian-spamd:true
     add_header = X-Spam-Score: $spam_score ($spam_bar)
     add_header = X-Spam-Report: $spam_report

# add second subject line with *SPAM* marker when message
# is over threshold
  warn spam = debian-spamd
      add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:
}}}
Note that the above configuration also adds an ''X-Spam-Report'' header in outgoing emails, thereby violating RFC2822. Some mail servers, in particular the Debian mailing-list server, simply drop such non-conformant emails. See also Debian bug DebianBug:774553.

For more information about configuring spam filters, see the [[http://www.exim.org/exim-html-current/doc/html/spec_html/ch44.html|exim wiki]].


To test your ''spamassassin'' setup follow spamassassin [[https://wiki.apache.org/spamassassin/TestingInstallation]] and [[https://spamassassin.apache.org/gtube/|gtube]].


== Exim access control lists (ACLs) ==
Exim provides flexible way to set access control list. For detailed information, see the ACL documentation on the [[http://www.exim.org/exim-html-current/doc/html/spec_html/ch43.html|exim wiki]].


For example, if we are trying to deny all mail from three free email service providers (domain1.com, domain2.com, domain3.com) based on ''Received'' headers from the servers, we can use the following lines:
{{{
deny
     condition = ${if match{$h_Received:}{\N\.(domain1|domain2|domain3)\.com\N}{yes}{no}}
     message = This mailbox does not support free e-mail services.
}}}

== Smarthost with Authentication ==

Start by reconfiguring exim4:

{{{
sudo dpkg-reconfigure exim4-config
}}}

Select '''mail sent by smarthost, no local mail''' (unless you are configuring local mail, which most folks at home do not need).

Then edit the file:

{{{
sudo vim /etc/exim4/passwd.client
}}}

And add the line:

{{{
*:login:password
}}}

Substituting the correct email account login name for ''login'' and corresponding ''password''. Comments in the ''passwd.client'' file will provide additional information about configuration options.

Most ISPs offer multiple email accounts so it may make sense security wise to create an account just for utility use such as this. If your Linux host is ever compromised you will be glad you had a separate utility email account.

NOTE: you should also see the section https://wiki.debian.org/Exim#TLS_and_authentication (above) about configuring tls. You should never communicate with a smarthost without an encrypted connection.


= Debian Exim4 User FAQ =
There is a Wiki page with [[PkgExim4UserFAQ|Debian Exim4 User FAQ]].
Line 146: Line 437:
See:
= See also =
 * [[PkgExim4]]
Line 152: Line 443:
 * [[http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html| Exim Access control lists]]
 * [[http://www.exim.org/exim-html-current/doc/html/spec_html/ch41.html| Exim Content scanning at ACL time]]
 * [[http://spamassassin.apache.org/]]
 * [[http://pr0d.planetlarg.com/mediawiki/index.php?title=Install_spamassassin&redirect=no|pr0d.planetlarg.com]]
 * [[http://pkg-exim4.alioth.debian.org/README/README.Debian.html#TLS| pkg-exim4.alioth.debian.org README]]

Translation(s): English - Italiano


Exim Overview

Exim is a message transfer agent (MTA).

Installation

Exim generally comes with default Debian installation. If you need to use ACL and other features you may need to install exim4-daemon-heavy

#apt-get install exim4-daemon-heavy

Configuration

The README.Debian.gz file included in the exim4 packages details Debian style configuration exhaustively.

#zless /usr/share/doc/exim4-config/README.Debian.gz

Generally, the Debian Exim 4 packages are configured through debconf. The install prompts for questions during package installation, and your initial Exim configuration is created from your answers. You can repeat the configuration process at any time by invoking:

 dpkg-reconfigure exim4-config

Despite the default configuration being extended somewhat from the original upstream, chances are that you'll need to manually change the Exim configuration with an editor if you intend to do something that is not covered by the debconf-driven configuration. It has never been the packages' intention to offer all possible configuration methods through debconf.

There are three ways you can configure exim4. The first is a single monolithic file, the second is split file, and the third is your own file.

The configuration file is generated from these config files using the command (yes it has .conf in the name)

update-exim4.conf

After which you should restart exim4 with something like

service exim4 restart

Single Exim4 configuration file

If you select this option in debconf, configuration will be generated from the /etc/exim4/exim4.conf.template file.

The default file is rich with features which can be enabled and controlled merely by setting the values of various macros.

Incidentally, the /etc/exim4/exim4.conf.localmacros file will be read in first, which makes it the ideal place to put any macros you may want to set. Using this file you can control various features (DKIM for example) and still gain the benefits of not touching the debian provided files, so hopefully having more seamless upgrades.

Split file

In this scenarios the configuration is split across lots of smaller files stored in /etc/exim4/conf.d/ which are then assembled in to one file for you by the update-exim4.conf command. Each section of the configuration file has its own subdirectory and the files therein are concatenated in alphabetical order. As such its probably a good idea that your custom files be named something like 00_exim4-my-config so they are included first.

This mode of operation allows for your own sections of configuration to be inserted at any location in the final config file, without touching any of the package provided files. The idea being that upgrades become very reliable.

Your own file

Simply install your own file in /etc/exim/exim4.conf and exim will use that file verbatim.

To have something to start with, you can either take /etc/exim4/exim4.conf.template, run update-exim4.conf --keepcomments --output /etc/exim4/exim4.conf, or use upstream's default configuration file that is installed as /usr/share/doc/exim4-base/examples/example.conf.gz.

You are going to lose all magic you get from packaging though, so you need to be familiar with Exim to build an actually working config.

Note that /etc/exim4/exim4.conf is read directly by exim4 every time exim forks. So if you edit it in place, each smtp connection will actually read a different configuration file!

Location of the auto-generated config

For reference, the file generated by update-exim4.conf is /var/lib/exim4/config.autogenerated

Avoid editing this file in place!

Example stand-alone example

This configuration has been tested on a server and ought to be suitable for internal use:

#dpkg-reconfigure exim4-config

General type of mail configuration:  internet site; mail is sent and received directly using SMTP.
System mail name: yourdomain.com
IP-addresses to listen on for incomming SMTP connections: // leave blank
Other destinations for which mail is accepted: yourdomain.com
Domains to relay mail for: // leave blank
Machines to relay mail for: // leave blank
Keep number of DNS-queries minimal (Dial-on-Demand) ?: No
Delivery method for local mail: Maildir format in home directory
Split configuration into small files ? : No

This writes the configuration to /etc/exim4/update-exim4.conf.conf.

Things you might want to configure

TLS and authentication

generating a local certificate

Generate a certificate using:

#bash /usr/share/doc/exim4-base/examples/exim-gencert

It will generate exim.crt and exim.key in /etc/exim4/

Instead of generating a certificate, you may simply copy certificates that you have purchased or generated previously.

Edit /etc/exim4/exim4.conf.localmacros

add the following line:

MAIN_TLS_ENABLE = yes

As with any change to the configuration, run update-exim4.conf then restart exim (service exim4 restart).

communicating with a smarthost

If, like most home users, you are not actually running an Internet server but instead are using e-mail accounts from an ISP or other company (e.g. gmail, hotmail, yahoo mail, etc.), you will need to communicate with their smtp server to send mail.

Every company seems to configure their server differently and puts different restrictions on how you can send mail. This makes configuring Exim4 difficult to describe as a general case. Adding tls makes things even more complicated. However you should always use tls (if available) so that your login is sent encrypted.

I'm going to describe a setup that should work in most cases when you are sending mail using a single account to a single smarthost.

  1. select one of the smarthost options when running dpkg-reconfigure exim4-config. When specifying the smarthost, include both the smarthost server name and the port it wants you to use (e.g. example.com::465). Note the double colons.
  2. edit /etc/exim4/passwd.client to use the following line:
    • This will send all exim4 e-mail using those credentials.
  3. Add the following lines to /etc/exim4/exim4.conf.localmacros:
    • MAIN_TLS_ENABLE = 1
    • REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
      • TLS_ON_CONNECT_PORTS = 465
      REQUIRE_PROTOCOL = smtps
  4. Add the following to /etc/exim4/exim4.conf.template after .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ... .endif
    • ifdef REQUIRE_PROTOCOL
      • protocol = REQUIRE_PROTOCOL
    • endif
  5. Add the following after .ifdef MAIN_TLS_ENABLE
    • ifdef TLS_ON_CONNECT_PORTS
      • tls_on_connect_ports = TLS_ON_CONNECT_PORTS
    • endif
  6. run update-exim4.conf followed by service exim4 restart

SPF filtering

This is provided via the macro CHECK_RCPT_SPF, set it to true.

Exim uses a helper tool, which you will need to install...

# apt-get install spf-tools-perl

You should then run update-exim4.conf and restart exim.

DNS Blacklists

You can configure exim to use DNS Blacklists with the macro CHECK_RCPT_IP_DNSBLS :

CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org

The default behaviour is not to block the hosts found in the lists, but just add a warning header. In order to truly blacklist the spammers, just change 'warn' by 'deny' in the following block:

  .ifdef CHECK_RCPT_IP_DNSBLS
  warn # <--- deny
    dnslists = CHECK_RCPT_IP_DNSBLS
    add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  .endif

Then restart exim.

Email sub-addressing (plus-signs as in Gmail)

These can easily be achieved by adding something similar to the following in one of more of your router definitions

local_part_suffix = +* : -* : _*
local_part_suffix_optional

The above example would deliver user+example@domain.com, user-example@domain.com and user_example@domain.com to user@domain.com.

Similarly, you could use a prefix instead with these similarly named options

local_part_prefix = *+ : *- : *_
local_part_prefix_optional

The above example would deliver example+user@domain.com, example-user@domain.com and example_user@domain.com to user@domain.com.

In either case, you could then use sieve filtering, config tricks or your email client to apply delivery rules.

Install diagnostic tools

#apt-get install swaks libnet-ssleay-perl

Test the connection:

$swaks -a -tls -q HELO -s localhost -au your_user -ap '<>'
 === Trying localhost:25...
 === Connected to localhost.
 <-  220 debianwb ESMTP Exim 4.76 Thu, 04 Aug 2011 14:22:02 +0600
  -> EHLO debianwb
 <-  250-debianwb Hello localhost [127.0.0.1]
 <-  250-SIZE 52428800
 <-  250-PIPELINING
 <-  250-STARTTLS
 <-  250 HELP
  -> STARTTLS
 <-  220 TLS go ahead
 === TLS started w/ cipher DHE-RSA-AES256-SHA
  ~> EHLO debianwb
 <~  250-debianwb Hello localhost [127.0.0.1]
 <~  250-SIZE 52428800
 <~  250-PIPELINING
 <~  250 HELP
  ~> QUIT
 <~  221 evie closing connection

Note that above we are sending an empty password while testing with the swaks tool.

Some ISPs may block connecting to port 25, and also some broken clients insist TLS on Port 465.

To support these, change /etc/default/exim4 as:

SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

Also edit /etc/exim4/exim4.conf.template:

#####################################################
### main/03_exim4-config_tlsoptions
#####################################################
tls_on_connect_ports=465
### main/03_exim4-config_tlsoptions
#################################

Check pkg-exim4.alioth.debian.org README for details.

User authentication

Adding user authentication is possible using tools like Dovecot or sasl2-bin. For shell users who would like to use SASL and PAM for password authentication, that can setup this way:

#apt-get install sasl2-bin

Edit /etc/default/saslauthd to enable saslauth:

START=yes

Start the deamon:

#/etc/init.d/saslauthd start

In /etc/exim4/exim4.conf.template, uncomment the following lines to enable authentication via saslauthd:

 plain_saslauthd_server:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
    server_set_id = $auth2
    server_prompts = :
    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
    server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
    .endif

Add exim to the sasl group:

#adduser Debian-exim sasl

Restart exim:

#/etc/init.d/exim4 restart

Test the connection using your username:

#swaks -a -tls -q AUTH -s localhost -au your_user
Password:

Enable IMAP access by installing Courier-Imap or a similar MTA.

Spam scanning

There are several ways to detect spam.

Exim has default configuration for spamassassin (exim4-daemon-heavy required).

#apt-get install spamassassin

If you are using Debian Jessie or later (with systemd enabled by default), enable and start the service using systemctl;

#systemctl enable spamassassin.service

On earlier Debian releases, edit /etc/default/spamassassin ...

ENABLED=1

...and then start the daemon.

#/etc/init.d/spamassassin start

On all systems, edit /etc/exim4/exim4.conf.template as required for your system.

First, if necessary, set the spamd_address:

# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.

spamd_address = 127.0.0.1 783

Next, edit the acl_check_data section to add suitable spam headers:

### acl/40_exim4-config_check_data
#################################

# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam scanners.

acl_check_data:
...
...
...
# See the exim docs and the exim wiki for more suitable examples.
#
# warn
#   spam = Debian-exim:true
#   add_header = X-Spam_score: $spam_score\n\
#             X-Spam_score_int: $spam_score_int\n\
#             X-Spam_bar: $spam_bar\n\
#             X-Spam_report: $spam_report

# put headers in all messages (no matter if spam or not)
 warn  spam = debian-spamd:true
     add_header = X-Spam-Score: $spam_score ($spam_bar)
     add_header = X-Spam-Report: $spam_report

# add second subject line with *SPAM* marker when message
# is over threshold
  warn  spam = debian-spamd
      add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:

Note that the above configuration also adds an X-Spam-Report header in outgoing emails, thereby violating RFC2822. Some mail servers, in particular the Debian mailing-list server, simply drop such non-conformant emails. See also Debian bug 774553.

For more information about configuring spam filters, see the exim wiki.

To test your spamassassin setup follow spamassassin https://wiki.apache.org/spamassassin/TestingInstallation and gtube.

Exim access control lists (ACLs)

Exim provides flexible way to set access control list. For detailed information, see the ACL documentation on the exim wiki.

For example, if we are trying to deny all mail from three free email service providers (domain1.com, domain2.com, domain3.com) based on Received headers from the servers, we can use the following lines:

deny
     condition = ${if match{$h_Received:}{\N\.(domain1|domain2|domain3)\.com\N}{yes}{no}}
     message = This mailbox does not support free e-mail services.

Smarthost with Authentication

Start by reconfiguring exim4:

sudo dpkg-reconfigure exim4-config

Select mail sent by smarthost, no local mail (unless you are configuring local mail, which most folks at home do not need).

Then edit the file:

sudo vim /etc/exim4/passwd.client

And add the line:

*:login:password

Substituting the correct email account login name for login and corresponding password. Comments in the passwd.client file will provide additional information about configuration options.

Most ISPs offer multiple email accounts so it may make sense security wise to create an account just for utility use such as this. If your Linux host is ever compromised you will be glad you had a separate utility email account.

NOTE: you should also see the section https://wiki.debian.org/Exim#TLS_and_authentication (above) about configuring tls. You should never communicate with a smarthost without an encrypted connection.

Debian Exim4 User FAQ

There is a Wiki page with Debian Exim4 User FAQ.


See also