docs:tips_n_tricks:exim.html

Differences

This shows you the differences between two versions of the page.

docs:tips_n_tricks:exim.html [30.07.2016 14:03 CEST] – [Creating local accounts to authenticate against for as outgoing smart host on debian] peterdocs:tips_n_tricks:exim.html [18.11.2019 00:08 CET] (current) – [Enabling fail2ban for exim4 on Debian buster] peter
Line 68: Line 68:
 ===== Creating local accounts to authenticate against for as outgoing smart host on debian ===== ===== Creating local accounts to authenticate against for as outgoing smart host on debian =====
  
 +==== exim-adduser ====
 Use ''/usr/share/doc/exim4/examples/exim-adduser'' to create users and set permissions of ''/etc/exim4/passwd'' right afterwords  Use ''/usr/share/doc/exim4/examples/exim-adduser'' to create users and set permissions of ''/etc/exim4/passwd'' right afterwords 
 +==== shadow ====
 There seem to be other solutions using ''/etc/shadow'' which require the //exim// user to be in the group //shadow// There seem to be other solutions using ''/etc/shadow'' which require the //exim// user to be in the group //shadow//
 +==== mkpasswd ====
 +The files format is one user per line:
 +
 +  <uid>:<hashed password>:<cleartext password>:
 +
 +The //hashed password// can be generated by ''mkpasswd -H md5 //<cleartext password>//''. The //cleartext password// is only needed when using CRAM-MD5 authentication.
 +//mkpasswd// for debian systems is available in the //whois// package.
  
 References: References:
   * [[https://www.debian-administration.org/article/280/HowTo_Setup_Basic_SMTP_AUTH_in_Exim4|HowTo Setup Basic SMTP AUTH in Exim4]]   * [[https://www.debian-administration.org/article/280/HowTo_Setup_Basic_SMTP_AUTH_in_Exim4|HowTo Setup Basic SMTP AUTH in Exim4]]
   * [[http://vk6hgr.echidna.id.au/blog/?p=184|Exim on Debian and frustrating authentication errors]]   * [[http://vk6hgr.echidna.id.au/blog/?p=184|Exim on Debian and frustrating authentication errors]]
-=====  =====+  * ''/usr/share/doc/exim4-config/README.Debian.gz'' on your local debian installation 
 +===== TLS with exim < 4.80 using GnuTLS on debian ===== 
 + 
 +  vi /etc/exim4/conf.d/main/00_local_macros 
 +  cp -vip /etc/ssl/private/myhostname.key /etc/exim4/ 
 +  chgrp Debian-exim /etc/exim4/myhostname.key 
 +  chmod o-rwx,g=r /etc/exim4/myhostname.key 
 +  update-exim4.conf.template -r 
 +  /etc/init.d/exim4 stop 
 +  /etc/init.d/exim4 start # this will call update-exim4.conf 
 + 
 +__added lines to ''00_local_macros''__: 
 + 
 +  MAIN_TLS_ENABLE = 1 
 +  tls_require_ciphers = AES_256 : AES_128 : 3DES 
 +  gnutls_require_protocols = TLS1  
 +   
 +  MAIN_TLS_CERTIFICATE = /etc/ssl/certs/myhostname.crt 
 +  MAIN_TLS_PRIVATEKEY = CONFDIR/myhostname.key 
 + 
 +The key is copied from ''/etc/ssl/private/''((which is root-readable only)) to ''/etc/exim4/'' in order to set permissions, so //Exim// (and only //Exim//) can reed it. 
 + 
 +Credits: 
 + 
 +  * www.schneiderp.de had an [[http://www.schneiderp.de/documentation/www.exim.org/exim-html-current/doc/html/spec_html/ch39.html#SECTreqciphgnu|old exim documentation]] available 
 +  * Tests done with [[https://de.ssl-tools.net/|SSL-Tools]] 
 +{{tag>ssl gnutls}} 
 +{{entry>ssl}} 
 +{{entry>gnutls}} 
 + 
 +===== Enableing smtps/submissons on port 465 on debian Buster ===== 
 +  * Enable TLS as described above 
 +  * <code text  /etc/exim4/conf.d/main/03_custom-config_tlsoptions>  
 +tls_on_connect_ports = 465 
 +</code> 
 +  * run ''dpkg-reconfigure exim4-config'' and enter for the //local interfaces// the value\\ ''[0.0.0.0]:25;[0.0.0.0]:465''((Exim documentation says, ''0.0.0.0.25 ; 0.0.0.0.465'' but I didn't check whether that works as well)) 
 +  * restart //exim4//: ''systemctl restart exim4'' 
 + 
 +===== Enabling fail2ban for exim4 on Debian buster ===== 
 + 
 +  apt install fail2ban 
 +  fail2ban-client add exim-spam 
 +  fail2ban-client start exim 
 +  fail2ban-client start exim-spam 
 + 
 +<note tip>Don't try to configure it by ''fail2ban-client'' but create a section in ''/etc/fail2ban/jail.d/local.conf''</note> 
 +{{tag>fail2ban}} 
 +{{entry>fail2ban}} 
 +   
 + 
 +======   ======
 {{tag>debian email exim}} {{tag>debian email exim}}
 {{entry>debian}} {{entry>debian}}
 {{entry>email}} {{entry>email}}
 {{entry>exim}} {{entry>exim}}
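Review bot: the added mkpasswd section documents ''mkpasswd -H md5 <cleartext password>'', which puts the password on the command line, where it ends up in shell history and is visible in the process list while the command runs; suggest documenting the form without the password argument so that mkpasswd prompts for it. The same section introduces a third field holding the cleartext password for CRAM-MD5, so it should repeat next to the format line that ''/etc/exim4/passwd'' must be readable by Exim only, and say that the field can stay empty when CRAM-MD5 is not used. Two further points: the Buster smtps section says "Enable TLS as described above", but that section is headed "exim < 4.80" and sets ''gnutls_require_protocols = TLS1'' and a cipher list that includes ''3DES'', so please state which of those lines are meant to be carried over to Buster. In the fail2ban section the command list uses ''fail2ban-client add exim-spam'' while the tip directly below says not to configure via ''fail2ban-client''; show the ''/etc/fail2ban/jail.d/local.conf'' section the tip refers to, or drop the ''add'' line.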
docs/tips_n_tricks/exim.html.1469880221.txt.gz · Last modified: 30.07.2016 14:03 CEST by peter
