Differences between revisions 38 and 39
Revision 38 as of 2006-10-14 16:35:19
Size: 22193
Editor: ZugSchlus
Comment: add pseudorandom HOWTO
Revision 39 as of 2006-10-20 10:34:44
Size: 22670
Editor: ZugSchlus

1. Debian Exim4 User FAQ

This is work in progress, so it is probably not yet very helpful.



1.1. Meta

1.1.1. Where can I find more information about Debian exim4

http://pkg-exim4.alioth.debian.org/ has a truckload of links to documentation


1.1.2. I have a question

Do not edit this page to ask your question. Ask it on the Debian exim4 user mailing list where it is less likely to be missed. It might be possible that an answer appears here quickly.


1.1.3. I want to contribute

It is vital that this web page does not contain false information. It is appreciated if you could announce your changes on the Debian exim4 user mailing list to have them reviewed.

Of course, if your change is trivial, you don't need to do that.


1.2. Debian Configuration

1.2.1. How do I re-execute the debconf-driven configuration?

Debian's configuration is factored out into a dedicated package. Thus, dpkg-reconfiguring exim4, exim4-base or one of the daemon packages is not going to work. Please use dpkg-reconfigure exim4-config or edit /etc/exim4/update-exim4.conf.conf directly.

More information can be found in the manual page for update-exim4.conf.


1.2.2. I get the error "Mailing to remote domains not supported".

This is exim's post-installation default. If you want to participate in global e-mail, reconfigure your exim and choose a different "General type of mail configuration".


1.2.3. How does exim find out its host name to use in HELO/EHLO?

Some paranoid third parties check the HELO/EHLO name of a host delivering mail to them. If the HELO/EHLO name does not match the reverse DNS of the originating IP, the message is rejected or scored appropriately.

The name used by Exim in EHLO/HELO is pulled from configuration option primary_hostname. Debian's exim4 default configuration does not set primary_hostname. Exim then defaults to uname() to find the host name. If that call only returns one component, gethostbyname() or getipnodebyname() is used to obtain the fully qualified host name.

If your Exim HELOs as localhost.localdomain, you most probably have a misconfigured /etc/hosts, created by some versions of the Debian installer. In this case, please fix your /etc/hosts.

Please refrain from setting primary_hostname unless you cannot avoid it. It adds complexity to your configuration and leads to errors that are hell to debug.
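The following is an added example, not part of this FAQ or of the exim4 packages. It reproduces the lookup chain described above for the common case where the resolver answers from /etc/hosts: a one-component uname() name is looked up, and the first name on the matching line is what Exim ends up announcing. The two hosts-file contents are constructed; the "broken" one has the shape that produces a localhost.localdomain HELO, the "fixed" one puts the FQDN first on the host's own line.

```python
"""Reproduce how a one-component uname() host name becomes the EHLO/HELO
name when the name lookup is answered by /etc/hosts.

Added example, not part of the Debian exim4 FAQ or the exim4 packages.
Real systems resolve via nsswitch and may consult DNS as well; only the
/etc/hosts part of the lookup is modelled here.
"""

from typing import Optional


def canonical_name_from_hosts(short_name: str, hosts_text: str) -> Optional[str]:
    """Mimic the /etc/hosts part of gethostbyname(): the first line whose
    name list contains short_name wins, and the first name on that line is
    the canonical (fully qualified) one that Exim will announce."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        names = line.split()[1:]              # field 0 is the address
        if short_name in names:
            return names[0]
    return None


def helo_name(uname_nodename: str, hosts_text: str) -> str:
    """Exim uses the uname() name directly when it already has more than one
    component; otherwise it asks the resolver for the fully qualified form."""
    if "." in uname_nodename:
        return uname_nodename
    fqdn = canonical_name_from_hosts(uname_nodename, hosts_text)
    return fqdn if fqdn is not None else uname_nodename


def helo_problem(name: str) -> Optional[str]:
    """Return a diagnosis when the name is one that strict receivers will
    reject or score, None when it looks like a usable FQDN."""
    if name in ("localhost.localdomain", "localhost") or "." not in name:
        return f"{name!r} is not a public fully qualified name; fix /etc/hosts"
    return None


# Constructed: the shape some installer versions wrote.
BROKEN_HOSTS = """\
127.0.0.1 localhost.localdomain localhost mailbox
::1 ip6-localhost ip6-loopback
"""

# Constructed: the FQDN comes first on the line for the host's own address.
FIXED_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 mailbox.example.org mailbox
::1 ip6-localhost ip6-loopback
"""

if __name__ == "__main__":
    for label, hosts in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        name = helo_name("mailbox", hosts)
        print(label, "->", name, "|", helo_problem(name) or "ok")
```

On a real machine, compare the result of hostname -f with what you see in the EHLO line of an outgoing session (see the debugging hints in 1.3.2) before touching primary_hostname.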


1.2.4. How can I integrate third-party tools with Exim?

On first look, Debian's exim configuration is radically different from what Upstream and the larger part of the rest of the world use. On second look, we're not _that_ different.

Most probably the documentation of the third-party tool is going to help you create a working integration in Debian's exim configuration. You might not be able to use their point-and-drool step-by-step instructions, but a moderate amount of reading and abstraction is going to deliver a working configuration. The documentation delivered with Debian's exim4 packages might help.


1.2.5. What do the "DEBCONFfooDEBCONF" macros in the Debian configuration do?

When the Exim daemon is started, the dpkg-conffiles in /etc/exim4 are post-processed to the result /var/lib/exim4/config.autogenerated, which is the configuration file that Exim reads. In this post-processing step, done by update-exim4.conf, the DEBCONFfooDEBCONF strings are replaced with values pulled from /etc/exim4/update-exim4.conf.conf and system configuration.

Please note that the string DEBCONF is kind of a misnomer since the strings are _not_ directly pulled from the Debconf database, but from user-editable conffiles instead. This is a common misunderstanding.

For more information, read the update-exim4.conf man page.


1.3. Common issues

1.3.1. When I try to deliver a message via SMTP to my Exim, I get "550 relay not permitted"

Exim does not relay by default for any host. If you want to use your exim as a smart host, please enter the IP ranges your exim should relay for into dc_relay_nets in /etc/exim4/update-exim4.conf.conf or reconfigure exim using debconf.

Please note that you cannot use this mechanism if your client is on a dynamic IP, as your client's IP address changes. In this case, use SMTP AUTH to have your client authenticate before relaying.

If this does not help, verify that you're actually talking to your exim. Some ISPs block incoming SMTP connections (port tcp/25 blocking) or redirect these connections to their own server.


1.3.2. How can I debug SMTP AUTH and/or other SMTP aspects

Exim's logs are usually quite helpful. Use them!

A possible strategy is to first find out which side of the communication is causing the trouble, so it is a good idea to test the other side of the conversation in isolation.

You can use telnet or netcat to directly connect to the other side and manually run the SMTP transaction. If TLS is used, both openssl and gnutls-cli can act as a telnet replacement which can use TLS on the network side of the connection.

An extremely useful tool for this kind of debugging is [http://packages.debian.org/swaks swaks].

Please note that it might be necessary to know about SMTP and have some experience for the debugging session to succeed.


1.3.3. Exim stops delivery after ten messages are received

In the default configuration, exim delivers the first ten messages received over a single SMTP connection immediately, and places the following messages on the queue. This is a feature geared to avoid load spikes in cases where many messages are delivered at once, and it is also exim's default (see Exim specification chapter 14.10 and 44.3).

By default, the Exim daemon starts a queue runner every 30 minutes, and the queued messages will be delivered then, in a serialized way.

This situation is most frequently experienced by sites running fetchmail, where it can be annoying to have messages delayed by up to 30 minutes. One possible fix is to increase the smtp_accept_queue_per_connection configuration value. This option is not in the default configuration, hence the default of 10 is used by exim.

It is, however, a better fix for the fetchmail case to have fetchmail execute exim -q after finishing the retrieving process. This decreases the load spike which would otherwise be experienced if one had simply increased smtp_accept_queue_per_connection.

You can specify a command to execute in fetchmailrc using the postcommand user option, e.g. postcommand "/usr/sbin/exim4 -q", in the appropriate "poll" line in your fetchmailrc. This, of course, assumes that the user running fetchmail has the appropriate privileges to cause an exim queue run.


1.3.4. I don't have a FQDN on this machine and just want it to send notifications by email (to outside domains) via various scripts. Can exim do this? How?

Most scripts deliver e-mail either to /usr/lib/sendmail or via SMTP to localhost. Debian exim4 always accepts messages delivered via /usr/lib/sendmail. If you want to deliver via SMTP to localhost, make sure to set dc_local_interfaces to 127.0.0.1 or answer the question "IP-addresses to listen on for incoming SMTP connections" during configuration appropriately. Debian exim always relays messages delivered via SMTP from localhost.

If your host name is not configured in the world wide DNS, you need to set the "System mail name" to an existing domain name, or your messages will be rejected by most systems on the Internet due to sender verification.

If you have a smart host available, use it by choosing "mail sent by smarthost; no local mail" (dc_eximconfig_configtype='satellite'). Have the smarthost either accept messages from your host by virtue of its IP address relay list or use SMTP authentication.

If you are in a situation where you must use direct SMTP delivery to the target MX, choose "internet site; mail is sent and received directly using SMTP" (dc_eximconfig_configtype='internet'). This is not a 100 % fit for your needs: your system will also do local deliveries, so make sure your scripts do not send to addresses that exist locally, as such messages will be delivered locally, which might be undesired.

A lot of scripts generate syntactically bad headers which might cause a legitimate message sent out by your system to be classified as spam. If your system is sending out status messages to you, it is a good idea to have your sender IP address whitelisted on the receiving end. That way it is ensured that your status messages are actually received. If you send out messages to third parties, such whitelisting is not possible and you'll have to bite the bullet and generate "clean" messages with correct headers and non-spammy contents. This includes a valid sender in both message Envelope and headers.

If the target of the message does sender callout verification, make sure that the sender address your scripts use actually exists.


1.4. Networking and ISP issues

1.4.1. My exim cannot connect to the outside

It might be possible that your ISP blocks outgoing connections to port TCP/25 of external hosts. This prevents computers on the ISP network from directly sending out e-mail. Many ISPs do this as a security precaution because compromised computers (called "Zombies") are frequently used to send out Spam.

On these networks, you cannot deliver e-mail directly. You need to use a smart host for outgoing mail. If your ISP offers a smart host for outgoing mail, it is probably a good idea to use it.

If your ISP does not offer a smart host or you want to deliver via a trusted third party, you need to have your exim deliver the messages to the smart host on a different port, for example tcp/587.


1.4.2. My exim cannot be connected to from the outside

It might be possible that your ISP blocks incoming connections to port TCP/25 of their customer's machines. This prevents computers on the ISP network from directly receiving e-mail. Many ISPs do this as a security precaution because misconfigured SMTP servers can be an open relay and thus be abused to send out Spam.

If you want to run an MX server on such a connection, you're out of luck. It is not possible to use a different port for MX servers since the Internet Standards don't offer a way to tell delivering hosts to try delivery on a different port.

If you want to run a smarthost on such a connection, it might be a solution to configure exim to listen on port tcp/587 additionally. Please note that the Internet standards demand that you only accept e-mail after authentication if the connection is made to TCP/587. Otherwise, you might open yourself to receiving and sending Spam.


1.4.3. How do I configure exim to use a different port to receive mail

Set SMTPLISTENEROPTIONS to the appropriate value in /etc/default/exim4. For example, use -oX 25:587 -oP /var/run/exim4/exim.pid to have exim listen on tcp/25 and tcp/587. The -oP parameter is necessary in this case since exim does not create a pid file automatically if -oX is given on the command line. If you omit the -oP parameter, the init script will malfunction.


1.4.4. How do I configure exim to use a different port to send mail

This only makes sense when delivering to a smarthost. Starting with exim4 4.63-5, you can enter smarthost.example::portnumber as a smarthost to have exim deliver to a different port.

With earlier exim versions, you need to modify the smarthost and hub_user_smarthost routers manually.


1.5. Routing

1.5.1. I am trying to have exim forward mail to some internal hosts, but all I am getting is "all relevant MX records point to non-existent hosts"

A probable cause for this is that all MX records for the offending domain point to site local or link local IP addresses, which are ignored by the dnslookup router to protect from misconfigured external domains. The default configuration has relaxed checking for domains that the local system is configured to allow relaying to, so adding the offending domain to dc_relay_domains will most probably help. Please note that this entry might be necessary anyway to bypass relay control for the domains in question.

Please note that no domain on the public Internet should have MX records pointing to site local or link local IP addresses, so you might check your externally visible MX records.

If this doesn't help, try analyzing the output of exim -d -bt some.local.part@the.offending.domain.example

[http://www.exim.org/eximwiki/FAQ/Routing_to_remote_hosts/Q0302 Upstream Exim FAQ Q0302] might help as well.
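An added example (not from this FAQ, and not Exim's router code) that models why the error appears and why adding the domain to dc_relay_domains helps. The address ranges treated as "ignored" are a constructed approximation of what the FAQ describes (site local and link local addresses plus loopback and unspecified); the relaxed list used for relay domains is an assumption about the Debian router, and the MX data is constructed rather than looked up in DNS. The exact ranges are in the router files under /etc/exim4/conf.d/router.

```python
"""Model the dnslookup router's target filtering: for an arbitrary domain,
MX targets on private/loopback/link-local addresses are ignored, and when
nothing is left the router reports that all MX records point to
non-existent hosts.  Added example, not Exim code; the ignore lists are a
constructed approximation of the Debian configuration."""

import ipaddress
from typing import Dict, List, Tuple, Union

# Assumption: ranges ignored for domains the system does not relay for.
STRICT_IGNORED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10")]

# Assumption: "relaxed checking" for dc_relay_domains modelled as ignoring
# only unspecified and loopback addresses, so internal MX hosts are kept.
RELAXED_IGNORED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "::1/128")]

NO_HOSTS = "all relevant MX records point to non-existent hosts"

MxList = List[Tuple[int, str]]          # (priority, host)
AddrMap = Dict[str, List[str]]          # host -> resolved addresses
Target = Tuple[int, str, str]           # (priority, host, address)


def is_ignored(addr: str, ignored_nets) -> bool:
    """True when the address falls into one of the ignored networks.
    Membership tests across IP versions are simply False."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ignored_nets)


def usable_targets(mx: MxList, addresses: AddrMap, relaxed: bool) -> List[Target]:
    """Targets the router would actually try, lowest priority value first."""
    nets = RELAXED_IGNORED if relaxed else STRICT_IGNORED
    usable: List[Target] = []
    for prio, host in sorted(mx):
        for addr in addresses.get(host, []):
            if not is_ignored(addr, nets):
                usable.append((prio, host, addr))
    return usable


def route(domain: str, mx: MxList, addresses: AddrMap,
          relay_domains) -> Union[List[Target], str]:
    """Return the target list, or the router's error text when none is usable."""
    targets = usable_targets(mx, addresses, domain in relay_domains)
    return targets if targets else NO_HOSTS


# Constructed data: an internal domain whose MX hosts only have RFC 1918
# addresses, as in the situation the FAQ entry describes.
MX = [(10, "mx1.internal.example"), (20, "mx2.internal.example")]
ADDRS = {"mx1.internal.example": ["10.0.0.25"],
         "mx2.internal.example": ["192.168.5.25"]}

if __name__ == "__main__":
    print("not a relay domain:", route("internal.example", MX, ADDRS, set()))
    print("in dc_relay_domains:", route("internal.example", MX, ADDRS,
                                        {"internal.example"}))
```

Run it and the first call yields the error text from the question while the second yields the two internal targets, which is the effect of adding the domain to dc_relay_domains.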


1.5.2. What do "lowest numbered MX record points to local host" or "remote host address is the local host" mean?

This is covered in [http://www.exim.org/eximwiki/FAQ/Routing_to_remote_hosts/Q0301 Upstream Exim FAQ Q0301.] The Debian default configuration has the hubbed_hosts router mentioned there already defined. Its configuration file is /etc/exim4/hubbed_hosts, and some documentation can be found in /etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts.


1.5.3. How do I configure a catch-all?

A catch-all is most easily implemented by modifying the system_aliases router. It causes all local parts that have no explicit alias entry to be aliased to one single target, unconditionally.

To enable this:

  1. add a * to the lsearch statement in the system_aliases router, giving lsearch*
  2. add a line *: your.catchall.target.example to /etc/aliases

If you want mail for some other targets to be processed as before, you need to alias them to themselves (other-target: other-target) to prevent them from being caught by the catch-all.

It is no longer necessary to alias the catch-all target to itself as it was with previous versions of Exim.
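As an added illustration (not Exim code, and not part of the Debian configuration), the following models the difference between lsearch and lsearch* on an /etc/aliases-style file: with the * form, a local part without an explicit entry falls through to the * line, and an entry that aliases a local part to itself keeps that address out of the catch-all. The aliases file is constructed. Exim's real lsearch* also tries *.suffix keys for domain-style lookups and has its own case rules; neither is modelled here.

```python
"""Model Exim's lsearch vs lsearch* lookups on an aliases file to show why
the catch-all recipe works and why 'other-target: other-target' is needed.
Added example; not Exim code and not part of the exim4 packages."""

from typing import Dict, Optional


def parse_aliases(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; comments and blank lines are skipped.
    A key of '*' is the default entry that lsearch* falls back to."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        table[key.strip()] = value.strip()
    return table


def lookup(table: Dict[str, str], local_part: str, wildcard: bool) -> Optional[str]:
    """lsearch: exact key only.  lsearch*: exact key, else the '*' entry.
    Exact string comparison is used here (a simplification)."""
    if local_part in table:
        return table[local_part]
    if wildcard and "*" in table:
        return table["*"]
    return None


def route_local_part(table: Dict[str, str], local_part: str,
                     wildcard: bool) -> Optional[str]:
    """Where system_aliases would send the local part.  None means the
    router declines and later routers decide (for an unknown local part,
    that ends in a bounce).  An entry aliasing the local part to itself
    hands the unchanged address on to the routers after system_aliases,
    i.e. normal local delivery."""
    target = lookup(table, local_part, wildcard)
    if target is None:
        return None
    return local_part if target == local_part else target


# Constructed /etc/aliases with a catch-all and one protected mailbox.
ALIASES = """\
postmaster: admin@example.org
support: support      # keep this real mailbox out of the catch-all
*: catchall@example.org
"""

if __name__ == "__main__":
    table = parse_aliases(ALIASES)
    for lp in ("postmaster", "support", "nosuchuser"):
        print(f"{lp:12} lsearch: {route_local_part(table, lp, False)!s:22}"
              f" lsearch*: {route_local_part(table, lp, True)}")
```

Without the * in the router, nosuchuser is not aliased at all; with it, nosuchuser goes to the catch-all target while support still reaches its own mailbox because of the self-alias.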

Please note that it is a really bad idea to use a catch-all these days since incredible amounts of spam are received on such accounts. It is far superior to tell Exim which local parts exist so that spam to non-existing addresses can be rejected before it is actually accepted.


1.5.4. How can I create a blacklist to deny specific hosts / ip addresses?

The access lists that come with Debian's exim4 configuration have some infrastructure for that and are extensively documented. Their function can be controlled with files placed in /etc/exim4. See also the manual page for exim4_files (available from exim4 4.62-2 on and linked to by PkgExim4) for explanation of these files.

There is also macro-driven infrastructure to use DNS-based block lists. See the ACL files and the Debian exim4 documentation for more information.

Please note that this needs basic familiarity with Exim ACLs and lookups.


1.6. TLS

1.6.1. I am experiencing timeout issues with TLS connections

Exim4 in Debian uses GnuTLS for licensing reasons. Unfortunately, there still are a few rough edges in the GnuTLS stuff.

For example, GnuTLS uses a lot of entropy. On some systems, it uses more entropy than the system is generating. This has become a problem since the kernel developers decided to drop the network card as an entropy source in early 2.6.x due to the possibility of it being manipulated externally.

You can find out how much entropy your system has available by looking into /proc/sys/kernel/random/entropy_avail. If that number stays under 100 for more than a few seconds, you have a problem. Possible solutions are using a hardware random number generator your system might be equipped with, or using a special solution that allows using a microphone connected to your system's audio in as an entropy source.

While replacing /dev/random with /dev/urandom is commonly handled as a possible solution, we advise against doing so since this will decrease the security of _all_ cryptographic functions of your system.

Starting exim 4.60-3, the package can be locally rebuilt against OpenSSL by setting an environment variable during build. This might result in a GPL violation, so be sure to check this with your legal department before actually doing so.

A constant source of entropy starvation is the generation of a file containing an RSA key and the parameters needed for the Diffie-Hellman key exchange algorithm. That file is deleted in the daily cron job as recommended by the upstream Exim docs, and normally, the next exim process starting up a TLS session generates a new set of parameters. This, however, uses _lots_ of entropy, and exim blocks if not enough entropy is available, leading to session timeouts. More information about this can be found in the Exim specification chapter 38.3.

Since exim4 4.52-2, if the package gnutls-bin is installed, the daily cron job does not simply remove the file but tries to generate a new parameter file. Only if this succeeds is the old parameter file replaced by the new one, so in theory, exim should always find a recent parameter file to use, avoiding the blocking situation.

In exim 4.63-4, that process was touched again and it can now use an installed openssl package as well as gnutls-bin to generate the new file.
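The following is an added example of the replace-only-on-success pattern the daily job is described as using; it is not the exim4 package's cron job. The generator is passed in as a callable so the pattern can be exercised without gnutls-bin or openssl installed (on a real system it would invoke one of those tools, which is an assumption about the exact command); the file name and contents are constructed. The point it shows is that a failed or interrupted generation leaves the old parameter file untouched, so a running Exim never hits the "no parameter file, generate one now" path that starves on entropy.

```python
"""Regenerate a TLS parameter file without ever leaving the live file
missing: write to a temporary file in the same directory first and rename
it over the old one only when generation succeeded.

Added example, not the exim4 package's cron job; the generator is injected
so the pattern runs stand-alone."""

import os
import tempfile
from typing import Callable, List, Tuple


def replace_on_success(path: str, generate: Callable[[str], bool]) -> bool:
    """Run generate(tmp_path).  On success rename tmp over path (atomic on
    POSIX); on failure or exception remove tmp and keep the old file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".dhparams.", dir=directory)
    os.close(fd)
    try:
        if generate(tmp) and os.path.getsize(tmp) > 0:
            os.chmod(tmp, 0o640)         # keep the parameters private
            os.replace(tmp, path)
            return True
        return False
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def _read(path: str) -> str:
    with open(path) as f:
        return f.read()


def run_demo(workdir: str) -> Tuple[bool, str, bool, str, List[str]]:
    """One successful and one failed regeneration against a constructed
    parameter file; returns what happened at each step."""
    path = os.path.join(workdir, "gnutls-params")   # constructed name
    with open(path, "w") as f:
        f.write("OLD PARAMS\n")

    def good(tmp: str) -> bool:   # stands in for a generator that worked
        with open(tmp, "w") as f:
            f.write("NEW PARAMS\n")
        return True

    def bad(tmp: str) -> bool:    # stands in for a generator that failed
        return False

    first = replace_on_success(path, good)
    after_good = _read(path)
    second = replace_on_success(path, bad)
    after_bad = _read(path)
    leftovers = [n for n in os.listdir(workdir) if n.startswith(".dhparams.")]
    return first, after_good, second, after_bad, leftovers


def demo() -> Tuple[bool, str, bool, str, List[str]]:
    """Run the demo in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return run_demo(d)


if __name__ == "__main__":
    print(demo())
```

The temporary file lives in the same directory as the target so the final rename stays on one filesystem and is atomic; a reader of the live file sees either the complete old parameters or the complete new ones, never a partially written file.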

Please note that both Debian and upstream are currently in dire need of people knowledgeable with GnuTLS and exim to debug these issues. If you can do this, please get in touch with the maintainers.


1.7. Content Filtering

1.7.1. Exim's built-in filter or sa-exim?

Exim can do content filtering (spam and malware) itself via ACLs. This is documented in spec.txt chapter 40. A lot of newbies use sa-exim because this turns out to be the first hit on Google for "exim spamassassin". This is not necessary for most environments since exim has its own spamassassin interface.

It would be good to have a comparison of sa-exim and exim here. Volunteers?


1.8. Questions needing answers


1.9. Recommendable and not-so-recommendable third-party documentation

1.9.1. I have configured exim with help of a non-Debian HOWTO. It doesn't work.

Unfortunately, a lot of third-party documentation has been written by people who do not fully understand how things work. They might have been successful in solving the issue at their hands, but challenges are so different that it is extremely improbable that the solution will hold in other situations.

It is thus advisable to treat third-party HOWTOs with extreme caution and use them only as input for a local solution. Taking a third-party configuration snippet verbatim is asking for extreme trouble.

In this FAQ entry, we'll link to third-party HOWTO documents and comment about what we think about their contents.

  • [http://www.lexspoon.org/linux/smtp-relay.html SMTP Relaying Via a Smarthost.] This document shows basic understanding of the concepts in an abstract way, but gives questionable advice in detail.

    • The document gives a truckload of Debian-specific advice and does not say that it is Debian-specific. This suggests that the author does not have too much E-Mail admin experience, and nearly none outside a Debian environment.
    • Why does the document recommend changing our local configuration to use a hardcoded user name instead of the file lookup that we provide?
    • Why does the document recommend having Exim listen on Port 26 instead of using the standardized submission port 587?
    • The author has never heard of swaks and advocates manual debugging
    • The author rants about Debian's exim4 configuration scheme and calls it "confusing". In the same paragraph, he says that he didn't find out how to use a single, hand-crafted exim4.conf file. Considering that it is prominently documented in the README that /etc/exim4/exim4.conf takes absolute preference over all other configurations, it looks to me that the author of this HOWTO did not bother to read our documentation.
  • [http://koivi.com/exim4-config/ Installing and configuring Exim 4 on Debian.] This document gives advice how to configure spamassassin, clamav and some implementation of "virtual domains". Please note that "virtual" is a very overused term and you might think of "virtual domains" as something different than the document's author might think. Additionally, the documentation uses exim's built-in content scanning interface to link to clamav, but uses sa-exim for spamassassin integration. This is double work since exim's built-in content scanning can link to spamassassin as well.

  • [http://www.lug-untermain.de/howto/exim.php Gemischtes Doppel.] This German-language document isn't so bad, but it switches off all Debian automatisms and leaves the user out in the dark without updates.

  • [http://www.dbmail.org/dokuwiki/doku.php?id=debian:exim4 debian:exim4 [dbmail]] is a HOWTO about how to use exim4 with dbmail. I have to advise against using this howto for the following reasons:

    • The author himself claims to be not an expert on spamassassin, pam, clamav or exim4. Yet, he publishes his (wrong and misleading) findings.
    • He managed to get neither saslauthd nor MySQL to work. Both are trivial to do once one has familiarized oneself with exim to the degree that is necessary to run a mail server on the Internet.
    • It advises to use sa-exim "For Spamassassin auto-blocking". I don't know what auto-blocking is, but exim can use spamassassin at SMTP time natively and can also block depending on the spamassassin results. I have not yet seen a setup where sa-exim was actually needed.
    • At least the HOWTO uses our configuration and allows people to receive updates in the future.
  • [http://www.pseudorandom.co.uk/2006/mailserver/ Mailserver configuration with Debian, Exim, ClamAV & dspam] is a document worth reading. It was written by somebody with understanding of the way the Debian packages of Exim4 work, and the document shows how to enable the suggested features while still making use of our Defaults. That's the way a HOWTO should be.

