exim

Note: These tips might be outdated (~2015) or not the best solution.

Increase timeout for delay warning messages

If exim cannot deliver a mail, it informs the sender by sending a warning message. To send those messages only after a mail has been undeliverable for 15 days, add the line

delay_warning = 15d

somewhere close to

timeout_frozen_after = ... 

in Exim's configuration file. The latter already exists, at least on Debian systems. On Debian systems there is no exim4.conf file; you have to edit exim4.conf.template instead and run update-exim4.conf afterwards.

Expunge undeliverable mails

exim4 -Mg <Message-Id>

Virtual domains with exim4 on Debian

Place virtual host alias files (like /etc/aliases) in /etc/exim4/virtual/, each named after its domain. For example, for the domain example.com it would be the file /etc/exim4/virtual/example.com.

Create the file /etc/exim4/conf.d/router/350_local_virtual:

virtual:
      driver = redirect
      allow_defer
      allow_fail
      domains = dsearch;/etc/exim4/virtual
      data = ${expand:${lookup{$local_part}lsearch*@{/etc/exim4/virtual/$domain}}}
      retry_use_local_part
      pipe_transport   = address_pipe
      file_transport   = address_file
      no_more

Then run

update-exim4.conf.template -r
/etc/init.d/exim4 restart

You must not use the “system mail name” (as configured with dpkg-reconfigure exim4-config) as a virtual domain name, as this will screw up delivery to local addresses.

Use a Debian server with exim4 as an incoming(!) smart host for dialup systems

  • Put your routing in /etc/exim4/hubbed_hosts (it will be used by the standard Debian exim configuration automatically):

mydomain.com        mail.mydomain.intern

(provided that mail.mydomain.intern resolves to an IP address via /etc/hosts or an internal DNS)

  • Create a new file /etc/exim4/conf.d/retry/35_local for your domain-specific retry schedule:

# Address or Domain    Error       Retries
# -----------------    -----       -------

*.mydomain.com         *           F,1h,5m;F,2d,1h;F,999d,1d
*.mydomain.intern      *           F,1h,5m;F,2d,1h;F,999d,1d

  • Increase the time until the server sends warning messages, as the dialup computer may be offline for several days, by creating a new file /etc/exim4/conf.d/main/02_local_options:

delay_warning = 15d

  • Run

update-exim4.conf.template -r
/etc/init.d/exim4 restart

Creating local accounts to authenticate against for use as an outgoing smart host on Debian

exim-adduser

Use /usr/share/doc/exim4/examples/exim-adduser to create users and set permissions of /etc/exim4/passwd right afterwards.

shadow

There seem to be other solutions using /etc/shadow which require the exim user to be in the group shadow

mkpasswd

The file's format is one user per line:

<uid>:<hashed password>:<cleartext password>:

The hashed password can be generated by mkpasswd -H md5 <cleartext password>. The cleartext password is only needed when using CRAM-MD5 authentication. On Debian systems, mkpasswd is available in the whois package.
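
As an added example (not part of the original page and not code from Exim or Debian), the following Python script audits a passwd file in the format above: it flags a file mode that lets other users access the file, md5crypt hashes, and stored cleartext passwords. The sample entries and the names audit_passwd and demo are constructed for illustration.

```python
import os
import stat
import tempfile

# crypt(3) scheme prefixes; "$1$" is what `mkpasswd -H md5` produces.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2b$": "bcrypt", "$y$": "yescrypt"}

def audit_passwd(path):
    """Return (line_no, user, finding) tuples for a uid:hash:cleartext: file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append((0, "-", f"file mode {mode:04o} is accessible to others"))
    with open(path, encoding="utf-8") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) < 3:
                findings.append((no, fields[0], "malformed, expected uid:hash:cleartext:"))
                continue
            user, hashed, clear = fields[:3]
            scheme = next((n for p, n in SCHEMES.items() if hashed.startswith(p)), None)
            if scheme is None:
                findings.append((no, user, "hash field empty or unrecognised scheme"))
            elif scheme == "md5crypt":
                findings.append((no, user, "md5crypt hash, weak against offline guessing"))
            if clear:
                findings.append((no, user, "cleartext password stored (only CRAM-MD5 needs it)"))
    return findings

def demo():
    # Constructed sample entries; the hashes are placeholders, not real crypt output.
    sample = ("# uid:hash:cleartext:\n"
              "alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH::\n"
              "bob:$1$CONSTRUCTED$CONSTRUCTEDHASH:hunter2:\n"
              "carol\n")
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "passwd")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # deliberately too open, to trigger the mode finding
        return audit_passwd(path)

if __name__ == "__main__":
    for no, user, finding in demo():
        print(f"line {no}: {user}: {finding}")
```

To check a real file, call audit_passwd("/etc/exim4/passwd") as a user that is allowed to read it.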

TLS with exim < 4.80 using GnuTLS on Debian

vi /etc/exim4/conf.d/main/00_local_macros
cp -vip /etc/ssl/private/myhostname.key /etc/exim4/
chgrp Debian-exim /etc/exim4/myhostname.key
chmod o-rwx,g=r /etc/exim4/myhostname.key
update-exim4.conf.template -r
/etc/init.d/exim4 stop
/etc/init.d/exim4 start # this will call update-exim4.conf

Lines added to 00_local_macros:

MAIN_TLS_ENABLE = 1
tls_require_ciphers = AES_256 : AES_128 : 3DES
gnutls_require_protocols = TLS1 

MAIN_TLS_CERTIFICATE = /etc/ssl/certs/myhostname.crt
MAIN_TLS_PRIVATEKEY = CONFDIR/myhostname.key

The key is copied from /etc/ssl/private/ 1) to /etc/exim4/ in order to set permissions so that Exim (and only Exim) can read it.

Enabling smtps/submissions on port 465 on Debian Buster

Enabling fail2ban for exim4 on Debian Buster

apt install fail2ban
fail2ban-client add exim-spam
fail2ban-client start exim
fail2ban-client start exim-spam

Don't try to configure it with fail2ban-client; instead, create a section in /etc/fail2ban/jail.d/local.conf.

1) which is root-readable only
2) Exim documentation says, 0.0.0.0.25 ; 0.0.0.0.465 but I didn't check whether that works as well
docs/tips_n_tricks/exim.html.txt · Last modified: 07.07.2024 15:15 CEST by peter
