Difference between revisions of "User:Ente/Exim draft"

From ArchWiki
Revision as of 10:27, 25 March 2017


This article gives a quick overview of the configuration of an exim mail server.

Exim is a versatile SMTP server for Linux/UNIX-like systems. While the exim wiki provides some helpful how-tos for specific use cases, a detailed description of all configuration options is available as well.

Installation

Install the exim package.

Configuration

It is highly recommended to consult the official documentation before using the configuration given below.

By default, exim is configured in a single file consisting of several sections. Although not recommended for heavy-load environments, it is possible to split that file up into several configuration files.

Basic Configuration

Exim comes with a bulky default configuration file. Many options in it are not necessary in a regular use case. Below is a very basic configuration which provides local delivery to system users (Maildir format) and authorized relaying to MX hosts. The description is based on a domain "mydomain.tld" served on a host "hostname.mydomain.tld".

Main Parameters

Main parameters contain some basic options. Using solely those options would open ports for connections, but no mail would be accepted or relayed anywhere yet.

# be the responsible mail host for hostname.mydomain.tld (@) & mydomain.tld
domainlist local_domains	= @ : mydomain.tld

# we don't relay. Not for foreign domains nor for a single host
domainlist relay_to_domains	=
hostlist   relay_from_hosts	= 

# serve the 2 ports 25 and 587; don't use 465 - it's not an official port
daemon_smtp_ports 		= 25 : 587

# do a reverse name lookup for all incoming connections
host_lookup 			= *

# Logging: log all events, add syslog to logging path & avoid double entries
log_selector 			= +all
log_file_path 			= : syslog
syslog_duplication		= false

# undeliverables: discard bounce messages after 2d and all others after 7 d
ignore_bounce_errors_after 	= 2d
timeout_frozen_after 		= 7d

TLS & Security

The following options still belong to the first (main) configuration section of exim, but they concern security, which comes first, and TLS is a major part of it.

# actually not required: it's hard coded - anyway: no mail delivery to root
never_users 			= root

# don't show the exim version to everyone. Actually don't even show the name.
smtp_banner = $smtp_active_hostname ESMTP $tod_full

# STARTTLS is offered to everyone
tls_advertise_hosts		= *
tls_certificate			= /path/to/exim/only/fullchain.pem
tls_privatekey			= /path/to/exim/only/privkey.pem

# use all ciphers on port 25, use only good ciphers on port 587
tls_require_ciphers 		= ${if =={$received_port}{25} \
					{DEFAULT}\
					{HIGH:!MD5:!SHA1:!SHA2}}

# we don't use port 465, so we don't activate TLS on it
#tls_on_connect_ports = 465

ACL, routing & transport

Local delivery: Dovecot LMTP & SASL authentication

extended configuration

SPAMassassin

DKIM & DNSSEC

Hardening

fail2ban

The default configuration is located in /etc/mail/exim.conf. For the purpose of this description this single configuration file will be split up into multiple files.

basic configuration: exim.conf

  • host name & domain definitions
    • #primary_hostname may override uname(). By default there is no need to touch it.
    • The following three options are colon-separated lists which will be reused later. "@" denotes the local host.
      • domainlist local_domains = mydomain.tld: the domains for which the server considers itself the final destination (i.e. no further relaying required)
      • domainlist relay_to_domains = usually none. Leave blank unless you have read the documentation.
      • hostlist relay_from_hosts = usually none. Leave blank unless you have read the documentation.
  • TLS
    • tls_advertise_hosts = *: which clients will be offered TLS? Should be set to * by default.
    • tls_certificate = /path/to/cert.pem & tls_privatekey = /path/to/very/secret/key.pem: location of the TLS certificate files
    • #tls_on_connect_ports = which ports to offer TLS-on-connect at (STARTTLS is offered on the others; 465 might be a valid answer here)
    • tls_require_ciphers = ${if =={$received_port}{25}{DEFAULT}{HIGH:!MD5:!SHA1:!SHA2}}: specify the ciphers offered. The given example statement does not limit ciphers on port 25; on the other ports it requires OpenSSL to offer ciphers of category HIGH, excluding a few specific ones.
Note: Exim loads certificate files during mail processing as the low-privilege user exim. While it is good to run an internet-facing process as such a user, it is somewhat strange to give that user access to a private key. If your server serves multiple purposes (e.g. http, imap, smtp) under multiple DNS aliases (a CNAME or several names pointing to a single IP) it may be wise to request multiple certificates. If the exim certificate gets lost, damage is limited to SMTP.
  • ports
    • daemon_smtp_ports = 25 : 587: which ports to listen on
    • #tls_on_connect_ports = 465: which ports to require TLS on (STARTTLS is offered on all other ports too)
  • never_users = root: which users not to deliver mail to
Exim would have to raise the privilege of the delivery process to root, which should be avoided. Actually all system users should be added here, although that is not as easy as in postfix. Refusing delivery to root is hard-coded into exim anyway.
  • Logging
    • log_file_path = :syslog: where to write the log file to. The given example adds "syslog" to the default.
    • log_selector = +all for testing. Later to be adjusted to your needs. Defaults are quite limited.
  • address qualification
    • qualify_domain = $primary_hostname: locally injected mail from "root" will be turned into root@hostname.mydomain.tld
    • # qualify_recipient = snail mail doesn't deliver if you don't provide a fully qualified address. Why should we?
  • /path/to/some_include.conf: exim allows including external files.

ACL - access control lists

Exim uses ACLs to determine whether a message should be processed, deferred or rejected. Each ACL (there may be plenty) starts with the result (e.g. accept, defer, reject) and then lists checks that must ALL succeed.
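As an added illustration (not part of the draft), a minimal RCPT ACL that matches the main-section lists above: it assumes the lists local_domains and relay_from_hosts from the main parameters, that authenticators are configured (see the SASL section), and that the main section selects it with acl_smtp_rcpt = acl_check_rcpt.

```exim
# Added example, not the draft's own configuration.
# Assumes in the main section: acl_smtp_rcpt = acl_check_rcpt
begin acl

acl_check_rcpt:
  # Mail injected locally (not over TCP/IP) is always accepted.
  accept  hosts = :

  # Hosts listed in relay_from_hosts (empty in the main section above)
  # may relay anywhere.
  accept  hosts = +relay_from_hosts

  # Authenticated clients may relay, but only on the submission port.
  # Assumes an authenticator is configured; see the SASL section.
  accept  authenticated = *
          condition     = ${if =={$received_port}{587}}

  # For our own domains, accept only recipients that actually exist.
  # endpass turns a failed verify into a rejection instead of a fall-through.
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  # Anything else would be third-party relaying: reject it.
  deny    message = relay not permitted
```

Every statement is evaluated top to bottom; the first one whose conditions all succeed decides, so the final deny only fires for recipients that no earlier accept claimed.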