Difference between revisions of "User:Ente/Exim draft"

From ArchWiki
(Page moved to main namespace.)
 
(56 intermediate revisions by one other user not shown)
[[:Category:Mail server]]
#REDIRECT [[Exim]]
[[ja:Exim]]
 
{{Related articles start}}
 
{{Related|Postfix}}
 
{{Related|Courier MTA}}
 
{{Related|OpenSMTPD}}
 
{{Related|Fail2ban}}
 
{{Related|Dovecot}}
 
{{Related|Virtual user mail system}}
 
{{Related articles end}}
 
This article gives a quick overview of the configuration of an Exim mail server.
 
 
 
[http://exim.org/ Exim] is a versatile [[Wikipedia:SMTP|SMTP]] server for Linux/UNIX-like systems. While the [https://github.com/Exim/exim/wiki/ exim wiki] provides some helpful how-tos for specific use cases, a [https://exim.org/exim-html-current/doc/html/spec_html/index.html detailed description] of all configuration options is available as well.
 
 
 
==Installation==
 
 
 
[[Install]] the {{Pkg|exim}} package.
 
 
 
==Basic Configuration==
 
It is nevertheless highly recommended to consult the official documentation before using the configuration given below.
 
 
 
Exim comes with a bulky default configuration file. Many of the options in it are not needed in a regular use case. By default, configuration is done in a single file consisting of several sections. Although not recommended for heavy-load environments, it is possible to split that file into several configuration files.
 
 
 
Below is a very basic configuration which provides local delivery to system users (Maildir format) and authorized relaying to MX hosts. The description is based on a domain "mydomain.tld" served on a host "hostname.mydomain.tld".
 
===Main Parameters===
 
The main parameters contain some basic options. Using only these options would open ports for connections, but no mail would be accepted or relayed anywhere yet.
 
{{bc|1=
# be the responsible mail host for hostname.mydomain.tld (@) & mydomain.tld
domainlist local_domains = @ : mydomain.tld

# we don't relay. Not for foreign domains nor for a single host
domainlist relay_to_domains =
hostlist  relay_from_hosts =

# serve the 2 ports 25 and 587; don't use 465 - it's not an official port
daemon_smtp_ports = 25 : 587

# do a reverse name lookup for all incoming connections
host_lookup = *

# Logging: log all events, add syslog to logging path & avoid double entries
log_selector = +all
log_file_path = : syslog
syslog_duplication = false

# undeliverables: discard bounce messages after 2d and all others after 7d
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
}}
 
===TLS & Security===
 
The following options are also part of the main configuration section of Exim, but they are grouped here because they concern security, of which TLS is a major part.
 
{{bc|1=
# actually not required, it's hard coded anyway: no mail delivery to root
never_users = root

# don't show the exim version to everyone. Actually don't even show the name.
smtp_banner = $smtp_active_hostname ESMTP $tod_full

# STARTTLS is offered to everyone
tls_advertise_hosts = *
tls_certificate = /path/to/exim/only/fullchain.pem
tls_privatekey = /path/to/exim/only/privkey.pem

# use all ciphers on port 25, use only good ciphers on port 587
tls_require_ciphers = ${if =={$received_port}{25} \
                      {DEFAULT}\
                      {HIGH:!MD5:!SHA1:!SHA2<nowiki>}}</nowiki>

# we don't use port 465, so we don't activate TLS on it
#tls_on_connect_ports = 465
}}
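As an added check that is neither part of this article nor of Exim, the following Python script parses a main-section fragment written in the format used in the two sections above (comments, list keywords, backslash continuation lines) and flags the settings they discuss: the relay lists, the banner, STARTTLS advertisement and the certificate pair. The sample configuration embedded in it is constructed for the example and deliberately weakened.

```python
import re
# Constructed sample main section, deliberately weakened in several places.
SAMPLE_CONF = r"""
domainlist local_domains = @ : mydomain.tld
domainlist relay_to_domains = *
hostlist  relay_from_hosts = 0.0.0.0/0
daemon_smtp_ports = 25 : 587
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
tls_advertise_hosts =
tls_require_ciphers = ${if =={$received_port}{25} \
                      {DEFAULT}\
                      {HIGH:!MD5:!SHA1:!SHA2}}
"""
# "name = value", optionally preceded by the list-type keyword Exim uses.
OPTION_RE = re.compile(r"(?:domainlist|hostlist|addresslist|localpartlist)?\s*(\w+)\s*=(.*)$")

def parse_main_section(text):
    """Map option name -> value, joining '\\' continuation lines and
    skipping comments and blank lines (the forms used in the article)."""
    options, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # option continues on the next line
            pending += line[:-1]
            continue
        m = OPTION_RE.match(pending + line)
        pending = ""
        if m:
            options[m.group(1)] = m.group(2).strip()
    return options

def lint(options):
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    if options.get("relay_to_domains", ""):
        findings.append(("RELAY_DOMAINS", "relay_to_domains is not empty; the article keeps it blank"))
    hosts = [h.strip() for h in options.get("relay_from_hosts", "").split(":") if h.strip()]
    if any(h in ("*", "0.0.0.0/0") for h in hosts):
        findings.append(("OPEN_RELAY", "relay_from_hosts lets any host relay through this server"))
    # Exim's built-in default banner names the software and its version
    banner = options.get("smtp_banner", "$smtp_active_hostname ESMTP Exim $version_number $tod_full")
    if "$version_number" in banner or "Exim" in banner:
        findings.append(("BANNER", "smtp_banner reveals the software name and/or version"))
    tls_hosts = options.get("tls_advertise_hosts", "")
    if tls_hosts != "*":
        findings.append(("NO_STARTTLS", "tls_advertise_hosts is not '*': STARTTLS is not offered to every client"))
    if tls_hosts and not (options.get("tls_certificate") and options.get("tls_privatekey")):
        findings.append(("TLS_NO_CERT", "TLS is advertised but tls_certificate/tls_privatekey are not set"))
    return findings
```

Running `lint(parse_main_section(SAMPLE_CONF))` reports four findings for the weakened sample, while the article's own values from the two sections above produce none.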
 
===Routing & transport===
 
{{bc|1=
begin routers

# the relay router: deliver to remote domains found via DNS (MX) lookup
dnslookup:
  # the router driver
  driver = dnslookup
  # the domains handled by this router: everything that is not local
  domains = ! +local_domains
  # the transport to be used (see transport section below)
  transport = remote_smtp
  # ignore these addresses if DNS returns them for a remote domain
  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
  # the router list is processed until a router accepts the address;
  # if this router declines, don't try the following routers
  no_more

localuser:
  # the router driver: accept the address for local delivery
  driver = accept
  # this host is the last hop for delivery status notifications (DSN)
  dsn_lasthop
  # this router serves only our domains
  domains = +local_domains
  # only accept local parts that are existing system users
  check_local_user
  # the local delivery transport (see transport section below)
  transport = local_delivery
  # bounce text when a local address cannot be routed
  cannot_route_message = Unknown local user

begin transports

remote_smtp:
  driver = smtp
  # refuse to relay messages that contain lines longer than 998 characters
  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  # group = mail
  # mode = 0660

# if routing or transport fails, try again according to this (default) ruleset
begin retry

# Address or Domain    Error      Retries
# -----------------    -----      -------
*                      *          F,2h,15m; G,16h,1h,1.5; F,4d,6h
}}
 
===ACL: Access Control Lists===
 
 
 
==Extended configuration==
 
 
 
===Local delivery: Dovecot LMTP & SASL authentication===
 
 
 
===SpamAssassin===
 
 
 
===DKIM & DNSSEC===
 
 
 
==Hardening==
 
 
 
===fail2ban===
 
 
 
The default configuration is located in {{ic|/etc/mail/exim.conf}}. For the purpose of this description, this single configuration file will be split up into multiple files.
 
 
 
=== Basic configuration: exim.conf ===
 
 
 
*host name & domain definitions
 
**{{ic|#primary_hostname}} overrides the host name obtained from uname(). By default there is no need to set it.
**The following three options are colon-separated lists which will be reused later. "@" stands for the local host name.
***{{ic|<nowiki>domainlist local_domains = mydomain.tld</nowiki>}} the domains for which the server considers itself the final destination (i.e. no further relaying required)
 
***{{ic|<nowiki>domainlist relay_to_domains = </nowiki>}} usually none. Leave blank unless you read the doc.
 
***{{ic|<nowiki>hostlist relay_from_hosts = </nowiki>}} usually none. Leave blank unless you read the doc.
 
 
 
*TLS
 
**{{ic|<nowiki>tls_advertise_hosts = *</nowiki>}} which clients are offered TLS. Should be set to * by default.
**{{ic|<nowiki>tls_certificate = /path/to/cert.pem</nowiki>}} & {{ic|<nowiki>tls_privatekey = /path/to/very/secret/key.pem</nowiki>}}: locations of the TLS certificate and private key
**{{ic|<nowiki>#tls_on_connect_ports = </nowiki>}} ports on which TLS is required from the start of the connection (STARTTLS is offered on the others; 465 might be a valid* answer here)
**{{ic|<nowiki>tls_require_ciphers = ${if =={$received_port}{25}{DEFAULT}{HIGH:!MD5:!SHA1:!SHA2}}</nowiki>}} specifies the ciphers offered. The given example statement does not limit ciphers on port 25; on the other ports it requires OpenSSL to offer only ciphers of category HIGH, excluding a few specific ones.
::{{Note| Exim loads certificate files during mail processing as the low-privilege user exim. While it is good to run an internet-facing process as such a user, it is somewhat strange to give such a user access to a private key. If your server serves multiple purposes (e.g. http, imap, smtp) with multiple DNS aliases (CNAME or several names pointing to a single IP) it may be wise to request multiple certificates. If the exim certificate gets lost, damage is limited to SMTP.}}
 
*ports
 
**{{ic|<nowiki>daemon_smtp_ports = 25 : 587 </nowiki>}} which ports to listen to
 
**{{ic|<nowiki>#tls_on_connect_ports = 465</nowiki>}} which ports to require TLS on (STARTTLS is offered on all other ports too)
 
*{{ic|<nowiki>never_users = root</nowiki>}} which users not to deliver mail to
:{{Note|Delivering to root would require Exim to raise the privilege of the delivery process to root, which should be avoided. Ideally all system users would be listed here, although that is not as easy as in Postfix. Delivery to root is already disabled in Exim's code (hard-coded).}}
 
*Logging
 
**{{ic|<nowiki>log_file_path = :syslog</nowiki>}} where to write the log file to. The given example adds "syslog" to the default.
 
**{{ic|<nowiki>log_selector = +all</nowiki>}} for testing. Later to be adjusted to your needs. Defaults are quite limited.
 
*address qualification
 
**{{ic|<nowiki>qualify_domain = $primary_hostname</nowiki>}} locally injected mail from "root" will be turned into root@hostname.mydomain.tld
 
**{{ic|<nowiki># qualify_recipient =</nowiki>}} snail mail doesn't deliver if you don't provide a fully qualified address. Why should we?
 
*{{ic|/path/to/some_include.conf}} exim allows including external files.
 
 
 
=== ACL - access control lists ===
 
 
 
Exim uses ACLs to determine whether a message should be processed, deferred or rejected. Each ACL (there may be many) starts with the result (e.g. accept, defer, reject) and then lists checks that must ALL succeed.
 
 

Latest revision as of 13:41, 16 August 2017
