Translation(s): English - Italiano


Exim Overview

Exim is a message transfer agent (MTA).

Installation

Exim generally comes with default Debian installation. If you need to use ACL and other features you may need to install exim4-daemon-heavy

#apt-get install exim4-daemon-heavy

Configuration

This configuration has been tested on a server and ought to be suitable for internal use:

#dpkg-reconfigure exim4-config

General type of mail configuration:  internet site; mail is sent and received directly using SMTP.
System mail name: yourdomain.com
IP-addresses to listen on for incomming SMTP connections: // leave blank
Other destinations for which mail is accepted: yourdomain.com
Domains to relay mail for: // leave blank
Machines to relay mail for: // leave blank
Keep number of DNS-queries minimal (Dial-on-Demand) ?: No
Delivery method for local mail: Maildir format in home directory
Split configuration into small files ? : No

This writes the configuration in your - /etc/exim4/update-exim4.conf.conf

TLS and Authentication

Generate a certificate using:

#bash /usr/share/doc/exim4-base/examples/exim-gencert

It will generate exim.crt and exim.key in /etc/exim4/

Instead of generating a certificate, you may simply copy certificates that you have purchased or generated previously.

Edit /etc/exim4/exim4.conf.template

add the following line before .ifdef MAIN_TLS_ENABLE

MAIN_TLS_ENABLE = yes

Install diagnostic tools

#apt-get install swaks libnet-ssleay-perl

Test the connection:

$swaks -a -tls -q HELO -s localhost -au your_user -ap '<>'
 === Trying localhost:25...
 === Connected to localhost.
 <-  220 debianwb ESMTP Exim 4.76 Thu, 04 Aug 2011 14:22:02 +0600
  -> EHLO debianwb
 <-  250-debianwb Hello localhost [127.0.0.1]
 <-  250-SIZE 52428800
 <-  250-PIPELINING
 <-  250-STARTTLS
 <-  250 HELP
  -> STARTTLS
 <-  220 TLS go ahead
 === TLS started w/ cipher DHE-RSA-AES256-SHA
  ~> EHLO debianwb
 <~  250-debianwb Hello localhost [127.0.0.1]
 <~  250-SIZE 52428800
 <~  250-PIPELINING
 <~  250 HELP
  ~> QUIT
 <~  221 evie closing connection

Note that above we are sending an empty password while testing with the swaks tool.

Some ISPs may block connecting to port 25, and also some broken clients insist TLS on Port 465.

To support these, change /etc/default/exim4 as:

SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

Also edit /etc/exim4/exim4.conf.template:

#####################################################
### main/03_exim4-config_tlsoptions
#####################################################
tls_on_connect_ports=465
### main/03_exim4-config_tlsoptions
#################################

Check pkg-exim4.alioth.debian.org README for details.

User Authentication

Now, we will add authentication schema. For the shell users we are using SASL, which uses PAM for password authentication.

#apt-get install sasl2-bin

edit /etc/default/saslauthd to enable saslauth

START=yes

start the deamon:

#/etc/init.d/saslauthd start

edit /etc/exim4/exim4.conf.template and uncomment the following lines for the authentication via saslauthd:

 plain_saslauthd_server:
    driver = plaintext
    public_name = PLAIN
    server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
    server_set_id = $auth2
    server_prompts = :
    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
    server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
    .endif

Add exim to sasl group

#adduser Debian-exim sasl

Restart exim:

#/etc/init.d/exim4 restart

Test the connection using your username:

#swaks -a -tls -q AUTH -s localhost -au your_user
Password:

Enable IMAP access by installing ?Courier-Imap or similar MTA

Spam scanning

There are several ways to detect spam.

Exim has default configuration for spamassassin (exim4-daemon-heavy required).

#apt-get install spamassassin

edit /etc/default/spamassassin

ENABLED=1

start the deamon:

/etc/init.d/spamassassin start

edit /etc/exim4/exim4.conf.template uncomment or change according to your configuration:

# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.

 spamd_address = 127.0.0.1 783

edit /etc/exim4/exim4.conf.template add spam header in the acl_check_data section:

### acl/40_exim4-config_check_data
#################################

# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam scanners.

acl_check_data:
...
...
...
# See the exim docs and the exim wiki for more suitable examples.
#
# warn
#   spam = Debian-exim:true
#   add_header = X-Spam_score: $spam_score\n\
#             X-Spam_score_int: $spam_score_int\n\
#             X-Spam_bar: $spam_bar\n\
#             X-Spam_report: $spam_report

# put headers in all messages (no matter if spam or not)
 warn  spam = nobody:true
     add_header = X-Spam-Score: $spam_score ($spam_bar)
     add_header = X-Spam-Report: $spam_report

# add second subject line with *SPAM* marker when message
# is over threshold
  warn  spam = nobody
      add_header = Subject: ***SPAM (score:$spam_score)*** $h_Subject:

Check exim wiki, pr0d.planetlarg.com for details information.

To test you spamassassin setup follow spamassassin test and gtube.

Exim Access control lists (ACL)

Exim provides flexible way to set access control list. Exim ACL documentation can be found here.

For example, if we are trying to deny all the mails from 3 free e-mail service provider (domain1.com, domain2.com, domain3.com) based on the mail's received header from their server, we can use the following lines:

deny
     condition = ${if match{$h_Received:}{\N\.(domain1|domain2|domain3)\.com\N}{yes}{no}}
     message = This mailbox does not support free e-mail services.

Debian Exim4 User FAQ

There is a Wiki page with Debian Exim4 User FAQ.


See also