Difference between revisions of "User:Ente/Exim draft"

From ArchWiki

Revision as of 15:48, 25 March 2017

Category:Mail server

This article gives a quick overview of the configuration of an exim mail server.

Exim is a versatile SMTP server for Linux/UNIX-like systems. While the exim wiki provides some helpful how-tos for specific use cases, a detailed description of all configuration options is available as well.


Install the exim package.

Basic Configuration

It is highly recommended to consult the official documentation before relying on the description given below.

Exim comes with a bulky default configuration file. Many options in there aren't necessary in a regular use case. By default the configuration is done in a single file containing several sections. Although not recommended for heavy-load environments, it is possible to split that file up into several configuration files.

Below is a very basic configuration, which provides: local delivery to system users (Maildir format) and authorized relaying to MX hosts. The description is based on a domain "mydomain.tld" served on a host "hostname.mydomain.tld".

Main Parameters

Main parameters contain some basic options. With solely those options set, exim would open its ports for connections, but still no mail would be accepted or relayed anywhere.

# be the responsible mail host for hostname.mydomain.tld (@) & mydomain.tld
domainlist local_domains	= @ : mydomain.tld

# we don't relay. Not for foreign domains nor for a single host
domainlist relay_to_domains	=
hostlist   relay_from_hosts	= 

# serve the 2 ports 25 and 587; don't use 465 - it's not an official port
daemon_smtp_ports 		= 25 : 587

# do a reverse name lookup for all incoming connections
host_lookup 			= *

# Logging: log all events, add syslog to logging path & avoid double entries
log_selector 			= +all
log_file_path 			= : syslog
syslog_duplication		= false

# undeliverables: discard bounce messages after 2d and all others after 7 d
ignore_bounce_errors_after 	= 2d
timeout_frozen_after 		= 7d

TLS & Security

The following options still belong to the main configuration section of exim. Security comes first, and TLS is a major part of it.

# actually not required: it's hard coded - anyway: no mail delivery to root
never_users 			= root

# don't show the exim version to everyone. Actually don't even show the name.
smtp_banner = $smtp_active_hostname ESMTP $tod_full

# STARTTLS is offered to everyone
tls_advertise_hosts		= *
tls_certificate			= /path/to/exim/only/fullchain.pem
tls_privatekey			= /path/to/exim/only/privkey.pem

# use all ciphers on port 25, use only good ciphers on port 587
tls_require_ciphers 		= ${if =={$received_port}{25} \
				  {DEFAULT}{HIGH:!MD5:!SHA1:!SHA2}}

# we don't use port 465, so we don't activate TLS on it
#tls_on_connect_ports = 465

routing & transport

begin routers

# that's the relay router; the name before the colon is an arbitrary label
dnslookup:
	# the router type: look up the MX records of the recipient's domain
	driver = dnslookup
	# the domains served on this router
	domains = ! +local_domains
	# the transport to be used (see transport section below)
	transport = remote_smtp
	# loopback addresses are ignored if dns returns them
	# (0.0.0.0 and 127.0.0.0/8 follow the exim default; the draft only shows ::1)
	ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
	# a router list is processed until one matches and transport succeeds.
	# if transport fails, we don't want the next router to be used
	no_more

# the local delivery router (arbitrary name as well)
localuser:
	# the router type - we accept the mail locally
	driver = accept
	# this router serves only our domains
	domains = +local_domains
	# only route to existing system users; this also sets the uid/gid and $home
	# for the transport (assumed here; without it every local part is accepted)
	check_local_user
	# to dovecot
	transport = local_delivery
	# in case no router accepts the address
	cannot_route_message = Unknown local user

begin transports

# delivery to other MX hosts (referenced as "transport = remote_smtp" above)
remote_smtp:
	driver = smtp
	# refuse to send messages with a line longer than 998 bytes (RFC 5322 limit)
	message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}

# local delivery into the system mailbox (referenced as "transport = local_delivery" above)
local_delivery:
	driver = appendfile
	# on exim 4.94 and later $local_part is tainted and refused in file names;
	# use $local_part_data there, which check_local_user on the router provides
	file = /var/mail/$local_part
	# group = mail
	# mode = 0660
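The introduction promises Maildir delivery, while the local_delivery transport above appends to an mbox file. The following appendfile transport, added here as an example and not part of the draft, delivers into each user's ~/Maildir instead. The transport name local_delivery_maildir is arbitrary, and $home is only available because the local router sets check_local_user.

```exim
# goes into the transports section; Maildir variant of the local delivery
# transport (name chosen for this example; the draft only defines local_delivery)
local_delivery_maildir:
	driver = appendfile
	# one file per message below the user's home; $home requires check_local_user
	directory = $home/Maildir
	maildir_format
	create_directory
	# the mailbox stays private to its owner: appendfile runs with the uid/gid
	# that check_local_user set on the router, so no group = mail is needed
	directory_mode = 0700
	mode = 0600
	# record when, to whom and from which envelope sender the message was delivered
	delivery_date_add
	envelope_to_add
	return_path_add
```

Point the local router at it with transport = local_delivery_maildir. Dovecot can serve such a Maildir directly (mail_location = maildir:~/Maildir), which avoids the LMTP hand-off for the simple case.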

# if routing or transport fails, try again after this (default) ruleset:
# F = fixed interval, G = geometric (the interval grows by the given factor);
# the time after the rule letter is how long after the first failure the rule applies.
# Here: every 15m for 2h, then from 1h growing by 1.5 until 16h,
# then every 6h until 4d; after that the address is bounced.
begin retry

	# Address or Domain    Error       Retries
	# -----------------    -----       -------
	*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

ACL: Access Control Lists

Local delivery: Dovecot LMTP & SASL authentication

The default configuration is located in /etc/mail/exim.conf. For the purpose of this description this single configuration file will be split up into multiple files.

basic configuration: exim.conf

  • host name & domain definitions
    • #primary_hostname may overrule uname(). By default there is no need to touch it.
    • The following three options are colon-separated lists which will be reused later. "@" stands for the local host.
      • domainlist local_domains = mydomain.tld: the domains for which the server considers itself the final destination (i.e. no further relaying required)
      • domainlist relay_to_domains = usually none. Leave blank unless you have read the documentation.
      • hostlist relay_from_hosts = usually none. Leave blank unless you have read the documentation.
  • TLS
    • tls_advertise_hosts = *: which clients will be offered TLS? Should be set to * by default.
    • tls_certificate = /path/to/cert.pem & tls_privatekey = /path/to/very/secret/key.pem: location of the TLS certificate files
    • #tls_on_connect_ports = which ports use TLS from the first byte (STARTTLS is offered on the others; 465 might be a valid answer here)
    • tls_require_ciphers = ${if =={$received_port}{25}{DEFAULT}{HIGH:!MD5:!SHA1:!SHA2}}: specify the ciphers offered. The given example statement doesn't limit anything on port 25; on the other ports it requires OpenSSL to offer ciphers of category HIGH, excluding a few specific ones only.
Note: Exim loads certificate files during mail processing as the low-privilege user exim. While it is good to run an internet-facing process as such a user, it is somewhat strange to give that user access to a private key. If your server serves multiple purposes (e.g. http, imap, smtp) under multiple DNS aliases (a CNAME or several names pointing to a single IP) it may be wise to request separate certificates. If the exim certificate gets lost, the damage is limited to smtp.
  • ports
    • daemon_smtp_ports = 25 : 587: which ports to listen on
    • #tls_on_connect_ports = 465: which ports require TLS from the start (STARTTLS is offered on all other ports too)
  • never_users = root: which users must never receive local deliveries
Delivering to root would require the delivery process to raise its privilege to root, which must be avoided. Ideally all system users would be listed here, although that is not as easy as in postfix. Delivery to root is refused by a compiled-in default anyway.
  • Logging
    • log_file_path = :syslog: where to write the log to. The given example adds "syslog" to the default.
    • log_selector = +all for testing. Later to be adjusted to your needs. The defaults are quite limited.
  • address qualification
    • qualify_domain = $primary_hostname: locally injected mail from "root" will be turned into root@hostname.mydomain.tld
    • # qualify_recipient = snail mail doesn't deliver if you don't provide a fully qualified address. Why should we?
  • .include /path/to/some_include.conf: exim allows including external files.

ACL - access control lists

exim uses ACLs to determine whether a message should be accepted, deferred or rejected. Each ACL (there may be many) consists of statements that start with a verb naming the result (e.g. accept, defer, or deny to reject), followed by conditions that must ALL be true for the verb to apply.
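To show that structure (verb first, then conditions that must all hold), here is a RCPT-time ACL that enforces the empty relay lists from the main parameters above. It is added here as an example and is not part of the draft: acl_check_rcpt is an arbitrary name, verify = recipient relies on the routers section, and the authenticated = * statement only ever matches once an authenticator exists in the (still empty) SASL section. Without acl_smtp_rcpt set, exim rejects every recipient with "Administrative prohibition", which is why the main parameters alone accept no mail.

```exim
# main section (before the first "begin"): run this ACL for every RCPT TO
acl_smtp_rcpt = acl_check_rcpt

begin acl

# each statement: verb first, then conditions; the verb applies only if
# ALL conditions are true, otherwise exim goes on to the next statement
acl_check_rcpt:

	# mail injected locally (no sending host, i.e. not over TCP) is always fine
	accept	hosts = :

	# local parts that could escape into the file system or smuggle routing
	# characters are refused before any router ever sees them
	deny	message     = Restricted characters in address
		domains     = +local_domains
		local_parts = ^[.] : ^.*[@%!/|]

	# our own domains: accept, but only if a router can actually deliver the
	# address (endpass turns a failed verify into a deny instead of a fall-through),
	# so unknown users are refused at RCPT time rather than bounced later
	accept	domains = +local_domains
		endpass
		verify = recipient

	# relaying: only for the lists from the main section (both empty in this
	# draft) and for clients that authenticated (needs an authenticator)
	accept	domains = +relay_to_domains
		endpass
		verify = recipient
	accept	hosts = +relay_from_hosts
	accept	authenticated = *
		control = submission

	# everything else would make this an open relay
	deny	message = relay not permitted
```

The order matters: the local-domain statement with endpass makes exim answer "Unknown local user" at RCPT time for addresses the localuser router declines, instead of accepting the message and generating a bounce later.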