EximConfig
installation
just install exim4, exim4-daemon-heavy (content scanning needs the heavy daemon), clamav, clamav-daemon, spamassassin and spamc.
when dpkg-reconfigure exim4-config asks whether to use Maildir format, answer yes; also select the split (multiple file) configuration layout.
virus scanning with clamav
we'll follow Exim4 Configuration on Debian: SpamAssassin, ClamAV, Virtual Domain Alias Files and Messages Size Limits.
add the following to your /etc/exim4/conf.d/main/00_local-macros:
# enable clamav for scanning mails
av_scanner = clamd:/var/run/clamav/clamd.ctl
# local ACLs for virus scanning (not only)
CHECK_DATA_LOCAL_ACL_FILE=/etc/exim4/local_acl_data
add the following to your /etc/exim4/local_acl_data:
# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
deny
  message = Serious MIME defect detected ($demime_reason)
  demime = *
  condition = ${if >{$demime_errorlevel}{2}{1}{0}}

# Reject file extensions used by worms.
# Note that the extension list may be incomplete.
deny
  message = This domain has a policy of not accepting certain types of attachments \
            in mail as they may contain a virus. This mail has a file with a .$found_extension \
            attachment and is not accepted. If you have a legitimate need to send \
            this particular attachment, send it in a compressed archive, and it will \
            then be forwarded to the recipient.
  demime = exe:com:vbs:bat:pif:scr

# Reject messages containing malware.
deny
  message = This message contains a virus ($malware_name) and has been rejected
  malware = *
for the rejected file extensions also have a look at Threat Watch for Lancaster University; the list used there:
# as of 2008-11-08
demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:emf:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
before restarting clamav, we need to be sure that all of the access rights are in place so that the scans actually happen. the best way to handle this is to add the clamav user to the Debian-exim group. either manually edit /etc/group, or simply run:
adduser clamav Debian-exim
be sure that /etc/clamav/clamd.conf contains a line that reads:
AllowSupplementaryGroups true
a restart of clamav is necessary for the changes to take effect:
/etc/init.d/clamav-daemon restart
for testing, install clamav-testfiles; the test files are then found in /usr/share/clamav-testfiles.
spam-tagging w/ spamassassin
we'll follow Adding SpamAssassin and ExiscanExamples on the Exim Wiki.
Exiscan-ACL's "spam" condition passes the message through SpamAssassin, and triggers if SpamAssassin indicates that the message is junk. By default, it connects to a SpamAssassin daemon (spamd) running on localhost. The host address and port can be changed by adding a spamd_address setting in the main section of the Exim configuration file.
# enable spamassassin
spamd_address = 127.0.0.1 783
In our implementation, we are going to reject messages classified as spam. However, we would like to keep a copy of such messages in a separate mail folder, at least for the time being. This is so that the user can periodically scan for False Positives.
Exim offers controls that can be applied to a message that is accepted, such as freeze. The Exiscan-ACL patch adds one more of these controls, namely fakereject. This causes the following SMTP response:
550-FAKEREJECT id=message-id
550-Your message has been rejected but is being kept for evaluation.
550 If it was a legit message, it may still be delivered to the target recipient(s).
the headers we'd like to have look like the following (standard spamassassin headers):
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bogdan.kmp.or.at
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.5 required=5.0 tests=BAYES_99,HTML_MESSAGE,
	MIME_HTML_ONLY autolearn=no version=3.2.5
We can incorporate this feature into our implementation by inserting the following snippet in /etc/exim4/local_acl_data.
# Reject messages that are spam.
# Invoke SpamAssassin to obtain $spam_score and $spam_report.
# Depending on the classification, $acl_m9 is set to "ham" or "spam".
#
# If the message is classified as spam, pretend to reject it.
#
warn
  condition = ${if <{$message_size}{256k}{1}{0}}
  set acl_m9 = ham
  spam = mail/defer_ok
  set acl_m9 = spam
  control = fakereject
  logwrite = Rejected spam: $spam_report
  message = X-Spam-Flag: YES

# Add an appropriate X-Spam-Status: header to the message.
#
warn
  condition = ${if <{$message_size}{256k}{1}{0}}
  message = X-Spam-Level: $spam_bar\n\
            X-Spam-Status: ${if eq {$acl_m9}{spam}{Yes}{No}}, $spam_report

# Add an appropriate X-Spam-Scanned: header if message is too big.
#
warn
  condition = ${if >={$message_size}{256k}{1}{0}}
  message = X-Spam-Scanned: No, Message bigger than 256KiB
In this example, $acl_m9 is initially set to "ham". Then SpamAssassin is invoked as the user mail. If the message is classified as spam, then $acl_m9 is set to "spam", and the FAKEREJECT response above is issued. Finally, some X-Spam-*: headers are added to the message. The idea is that the Mail Delivery Agent or the recipient's Mail User Agent can use this header to filter junk mail into a separate folder.
for testing spamassassin just have a look at SpamAssassin: The GTUBE.
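As an added illustration (not part of this page or the Exim Wiki recipe), here is a small Python model of what the three warn statements above do to a single message: which SMTP reply it gets, which headers are added and what is logged. The sizes, scores, report text and message ids are constructed, and no spamd is contacted.

```python
SIZE_LIMIT = 256 * 1024  # the ACL's "256k" cut-off

def spam_bar(score):
    """Exim's $spam_bar: one '+' (or '-' when negative) per integer point of the score."""
    return ("+" if score >= 0 else "-") * int(abs(score))

def run_data_acl(size, message_id, spamd=None):
    """Return (smtp_response, added_headers, log_lines) for one message.
    spamd is (score, required, report) from the daemon, or None when it is
    unreachable: with 'spam = mail/defer_ok' that counts as 'not spam'."""
    headers, log = [], []
    acl_m9, report, score, fakereject = "ham", "", 0.0, False
    if size < SIZE_LIMIT:
        # first warn: score small messages; everything after the spam condition
        # only happens when SpamAssassin says the message is junk
        if spamd is not None:
            score, required, report = spamd
            if score >= required:
                acl_m9 = "spam"
                fakereject = True                       # control = fakereject
                log.append(f"Rejected spam: {report}")  # logwrite
                headers.append("X-Spam-Flag: YES")      # message (in a warn: adds a header)
        # second warn: always label small messages
        headers.append(f"X-Spam-Level: {spam_bar(score)}")
        headers.append(f"X-Spam-Status: {'Yes' if acl_m9 == 'spam' else 'No'}, {report}")
    else:
        # third warn: too big to be scanned at all
        headers.append("X-Spam-Scanned: No, Message bigger than 256KiB")
    if fakereject:
        # the message is still accepted and delivered; only the SMTP reply claims otherwise
        response = (f"550-FAKEREJECT id={message_id}\r\n"
                    "550-Your message has been rejected but is being kept for evaluation.\r\n"
                    "550 If it was a legit message, it may still be delivered to the target recipient(s).")
    else:
        response = f"250 OK id={message_id}"
    return response, headers, log
```

Note the defer_ok case: when spamd is down, small messages pass with "X-Spam-Status: No" and an empty report, so a dead daemon looks like a quiet day rather than an outage.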
Multiple Domain Alias Files
we'll follow Exim4 Configuration on Debian: SpamAssassin, ClamAV, Virtual Domain Alias Files and Messages Size Limits.
The steps below are used to enable support for having multiple virtual domains each with its own alias file.
Exim will need to have the alias files for each domain.
Create the /etc/exim4/virtual-domains.d directory.
For each virtual domain, create a file that contains the aliases to be used named as the domain.
For example, if example.com was one of my domains, I'd do the following:
Create the /etc/exim4/virtual-domains.d/example.com file.
If my system users were sys1, sys2, and sys3, and their email addresses were to be joe, john, jason, I'd put the following into the domain alias file:
joe: sys1@localhost
john: sys2@localhost
jason: sys3@localhost
If john was also to get all mail addressed to info@example.com, you would add this entry:
info: sys2@localhost
If you wanted all mail to user1@example.com to go to another email account outside of this domain, you would enter:
user1: a.user@some.domain
If you wanted all mail directed at any address other than what is defined in the alias file to go to joe, you'd enter:
*: sys1@localhost
In the above examples, the "@localhost" suffix on the user names forces delivery to a system user. I found that if you do not include it in the alias files and your machine's host name lies within one of the domains handled by exim, every system user needs an entry in the alias file of the machine's domain in order to be delivered correctly. For instance, if your host name was mail.example1.com and example1.com was handled by this server, the example1.com alias file would need an entry for every system user to allow delivery to all the system user names at example1.com. The reason is simple, and I will try to illustrate it here:
- exim receives a message addressed to joe.blow@example3.com
- The alias file for this domain has joe.blow: jblow in it.
- This would translate to jblow@domain-of-the-system
- The process would be repeated using jblow@domain-of-the-system
- If there was no entry in the domain-of-the-system alias file for jblow, the message would be undeliverable (or non-routable)
You could even have special redirects like the following:
script: "| /path/to/some/script"
prev: :fail: $local_part left!
kill: :blackhole:
or you can even have regular expressions:
^klaus[-.](m|maria)\.pfei[f]{1,2}er$ klaus
^(kmp|klaus)[+-.][a-zA-Z0-9+-.]*$ klaus
^(kmp|klaus)$ klaus
Edit /etc/exim4/conf.d/main/00_local-macros by adding the following lines:
# List of domains considered local for exim. Domains not listed here
# need to be deliverable remotely.
MAIN_LOCAL_DOMAINS = @:localhost:dsearch;/etc/exim4/virtual-domains.d
Create /etc/exim4/conf.d/router/470_local-config_virtual_domains_aliases with the following content:
virtual_domain_aliases:
  driver = redirect
  allow_defer
  allow_fail
  domains = dsearch;/etc/exim4/virtual-domains.d
  data = ${lookup{$local_part}nwildlsearch{/etc/exim4/virtual-domains.d/$domain}}
  retry_use_local_part
  pipe_transport = address_pipe
  file_transport = address_file
  no_more
Now, regenerate your exim4 config:
update-exim4.conf
If there were no errors, restart exim4:
/etc/init.d/exim4 restart
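To make the nwildlsearch lookup and the "@localhost" point above concrete, here is an added Python model (not this page's or Exim's code) of the virtual_domain_aliases router over constructed virtual-domains.d files. It assumes the host is mail.example1.com, so example1.com is the domain unqualified results get, and it leaves out quoted keys, which Exim also accepts.

```python
import re
QUALIFY_DOMAIN = "example1.com"  # assumed: this host is mail.example1.com
# constructed contents of /etc/exim4/virtual-domains.d/<domain>, keyed by file name
VIRTUAL_DOMAINS = {
    "example.com": r"""
joe: sys1@localhost
info: sys2@localhost
user1: a.user@some.domain
^klaus[-.](m|maria)\.pfei[f]{1,2}er$ klaus
*: sys1@localhost
""",
    "example3.com": "joe.blow: jblow\n",
    "example1.com": "postmaster: root@localhost\n",
}

def parse_alias_file(text):
    """(key, data) pairs; like lsearch, the key ends at the first colon or whitespace."""
    for line in text.splitlines():
        m = re.match(r"\s*([^\s:#][^\s:]*)(?::|\s|$)\s*(.*)$", line)
        if m:
            yield m.group(1), m.group(2).strip()

def key_matches(key, local_part):
    """nwildlsearch key forms: ^regex, *suffix (a bare * matches anything), literal."""
    if key.startswith("^"):
        return re.search(key, local_part, re.IGNORECASE) is not None
    if key.startswith("*"):
        return local_part.lower().endswith(key[1:].lower())
    return local_part.lower() == key.lower()

def lookup(local_part, domain):
    """Linear scan of the domain's alias file: the first matching key wins."""
    for key, data in parse_alias_file(VIRTUAL_DOMAINS[domain]):
        if key_matches(key, local_part):
            return data
    return None

def route(address, hops=5):
    """Redirect as described above: a result without a domain is qualified and routed again."""
    local_part, _, domain = address.partition("@")
    if domain == "localhost":
        return ("local_user", local_part)
    if domain not in VIRTUAL_DOMAINS:  # domains = dsearch;... does not match
        return ("remote", address)
    data = lookup(local_part, domain)
    if data is None:
        return ("unrouteable", address)
    if "@" not in data:
        data += "@" + QUALIFY_DOMAIN
    return route(data, hops - 1) if hops else ("loop", data)
```

route("joe.blow@example3.com") ends up unrouteable at jblow@example1.com, exactly the chain walked through in the list above; with joe.blow: jblow@localhost it would reach the system user.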
increasing logging
just add to your /etc/exim4/conf.d/main/00_local-macros:
# always log all
MAIN_LOG_SELECTOR = +all -pid
no rewrite on /etc/email-addresses
just imagine you have two distinct users with the following addresses:
john@example1.com
john@example2.com
the first john has login john, the second john has login millerj on your machine. so your /etc/email-addresses looks like:
john: john@example1.com
millerj: john@example2.com
due to a rewriting rule in /etc/exim4/conf.d/rewrite/31_exim4-config_rewriting all emails from john@example2.com will appear as from john@example1.com.
just disable this by adding the following to your /etc/exim4/conf.d/main/00_local-macros:
# don't rewrite from on base of /etc/email-addresses
NO_EAA_REWRITE_REWRITE=1
enabling TLS
do it as described in section 2.2.2, Enabling TLS support for Exim as server, of /usr/share/doc/exim4-base/README.Debian.gz.
you need only two steps to go with TLS. first, generate your self-signed certificate:
/usr/share/doc/exim4-base/examples/exim-gencert
second, add the following to your /etc/exim4/conf.d/main/00_local-macros:
# enable TLS
MAIN_TLS_ENABLE=1
if you'd like to or have to enable smtps/ssmtp, just add the following to your /etc/exim4/conf.d/main/00_local-macros:
# listen on 25 (smtp), 465 (smtps/ssmtp)
daemon_smtp_port = 25:465
tls_on_connect_ports = 465
enable submission ... /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
# hook in my own RCPT ACLs
CHECK_RCPT_LOCAL_ACL_FILE=/etc/exim4/local_acl_rcpt
/etc/exim4/local_acl_rcpt
# submission on port 587 only authenticated
# reject non-authenticated senders on port 587
accept
  condition = ${if eq{$interface_port}{587}{1}{0}}
  endpass
  message = SMTP AUTH required for submission on port 587
  authenticated = *
authentication
needs to be documented ...
disabling IDENT
just add in your /etc/exim4/conf.d/main/00_local-macros:
# disable IDENT
rfc1413_hosts = *
rfc1413_query_timeout = 0s
later
Allow connections to the submission port (587) and the smtps port (465)
from Exim Notes - Waikato Linux Users Group
SMTPS is easy, since 4.43:
# wlug: listen on 25 (smtp), 465 (ssmtp for Outlook)
daemon_smtp_port = 25:465
tls_on_connect_ports = 465
in your main section. Between 4.03 and 4.43, you can use the -tls-on-connect command line parameter.
587 is harder, because the rules are "either SMTP AUTH or SSL". An Exim SSL/TLS recipe was posted to the list, which suggests (updated, and with client certs removed - you really want to only use SMTP AUTH):
# wlug: listen on 25 (smtp), 465 (ssmtp for Outlook) and 587 (submission)
daemon_smtp_port = 25:465:587
# uncomment to only allow auth if you're on by SSL
# auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}
tls_advertise_hosts = *
tls_certificate = /etc/exim4/server-cert.pem
tls_privatekey = /etc/exim4/server-key.pem
... and in your RCPT ACL (near the top):
accept
  authenticated = *
  encrypted = *
accept
  condition = ${if eq{$interface_port}{587}{1}{0}}
  endpass
  message = SMTP AUTH required for port 587
  authenticated = *