Learn Linux Series (#5) - e-mail server (Exim)

in utopian-io •  7 years ago  (edited)




What Will I Learn?

  • What is Exim
  • How to install Exim
  • How to configure Exim
  • Mailboxes and using Maildir
  • SMTP authorization
  • SSL encryption
  • Automatic answer
  • Supporting multiple domains in Exim

Requirements

  • Linux system installed
  • Basic knowledge of terminal operation
  • Average knowledge of Linux commands
  • Motivation when something goes wrong

Difficulty

  • Intermediate







An MTA (message transfer agent) is the service responsible, among other things, for transferring e-mail between servers. The most popular representatives of this kind of software are Sendmail, Postfix and Exim, which is described here. These are the advantages that speak for choosing Exim as our MTA:

  • SMTP authentication is supported out of the box
  • Clam AntiVirus, a free antivirus program, works very well with Exim
  • it supports an anti-spam scanner (SpamAssassin) and MIME error detection
  • it has a lot of useful functions


Exim's configuration options allow you to build a fairly extensive server that supports both local accounts and accounts stored in a MySQL database.


Exim installation


We run the package manager poldek and execute the command:
poldek -i exim

Of course, before following the post-install suggestion to start the daemon, we should configure it first.


Configuration


Before we start configuring the SMTP daemon, we must add an MX record to every DNS zone our server is to handle. Local domains are those that Exim treats as "its own" domains: mail addressed to @utopian.local.domain that reaches Exim will be delivered locally. Such domains are defined with the domainlist local_domains directive. By default, only mail for the domain equal to the server's hostname is treated as local:

domainlist local_domains = @

The @ sign stands for "my own name", i.e. the server's hostname. To add further domains, simply append them to this list, separated by colons:

domainlist local_domains = @ : utopian.io : steemit.com : \
    /etc/mail/local_domains

Besides utopian.io and steemit.com, Exim will now also accept the domains listed in the file /etc/mail/local_domains, one per line. Conveniently, after adding the file path you only need to restart Exim once: later changes to /etc/mail/local_domains are picked up without a restart. So the most convenient entry in the configuration file is:

domainlist local_domains = @ : /etc/mail/local_domains

and then simply list all domains in /etc/mail/local_domains.



At this point we can check that the server works: reload the daemon and send a message to an existing user account. With this configuration the mail ends up in mbox mailboxes.



Mailboxes and using Maildir


Exim can deliver mail both to mbox mailboxes (text files in /var/mail/) and to the increasingly popular Maildir mailboxes (files stored in a directory inside the user's home directory).
In the transports section of the configuration, find the "local_delivery" transport, comment out the "file =" option and add the following lines:

  maildir_format = true
  directory=${home}/Mail/Maildir

As you can easily guess, the second option indicates where the mailboxes are stored. After the modification the section may look as follows:

local_delivery:
  driver = appendfile
#  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
  maildir_format = true
  directory=${home}/Mail/Maildir




SMTP authorization


If our users send mail through our SMTP server from outside the local network, we will need SMTP authentication. In Exim this is a bit more involved: Exim drops its root privileges too early to verify passwords against the system password database itself. The cyrus-sasl package, and more specifically its saslauthd password-checking daemon (in PLD: cyrus-sasl-saslauthd), will help. In the AUTHENTICATORS section, enter the following lines (or remove the # comment marks in front of them):

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  # PLAIN sends "authzid NUL authcid NUL password", which Exim exposes as $1, $2, $3;
  # the login name is $2 ($1, the authorization id, is usually empty), the password is $3
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
  # the above entry works with saslauthd -a shadow; if we run
  # saslauthd -a pam (e.g. PLD), use instead:
  # server_condition = ${if saslauthd{{$2}{$3}{smtp}}{1}{0}}
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # LOGIN sends the username and the password as two separate responses: $1 and $2
  server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
  # the above entry works with saslauthd -a shadow; if we run
  # saslauthd -a pam (e.g. PLD), use instead:
  # server_condition = ${if saslauthd{{$1}{$2}{smtp}}{1}{0}}
  server_set_id = $1
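The two authenticators above hand different positional variables to saslauthd because the mechanisms encode the credentials differently. This added example (not part of the article) decodes both client exchanges offline and shows which pair of fields each server_condition must pass on; the user name and password are constructed test values.

```python
import base64

def decode_auth_plain(token_b64):
    """Split one AUTH PLAIN token (RFC 4616: [authzid] NUL authcid NUL passwd)
    into (authzid, authcid, password).  Exim exposes the three fields as
    $1/$2/$3, so for PLAIN the login name is $2 and the password is $3."""
    raw = base64.b64decode(token_b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("AUTH PLAIN token must be authzid NUL authcid NUL password")
    return tuple(p.decode("utf-8") for p in parts)

def encode_auth_plain(authcid, password, authzid=""):
    """Build the token a client sends; most clients leave authzid empty,
    which is why $1 is normally empty on the server side."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def decode_auth_login(user_b64, pass_b64):
    """AUTH LOGIN sends username and password as two separate base64 lines
    (answers to the two server_prompts), which Exim exposes as $1 and $2."""
    return (base64.b64decode(user_b64, validate=True).decode("utf-8"),
            base64.b64decode(pass_b64, validate=True).decode("utf-8"))

def saslauthd_arguments(mechanism, *client_lines):
    """Return the (username, password) pair that the server_condition in the
    article should hand to saslauthd for the given mechanism."""
    if mechanism == "PLAIN":
        _authzid, authcid, password = decode_auth_plain(client_lines[0])
        return authcid, password                   # {$2}{$3}
    if mechanism == "LOGIN":
        return decode_auth_login(*client_lines)    # {$1}{$2}
    raise ValueError(f"unsupported mechanism {mechanism}")
```

Both mechanisms transmit the password in clear (only base64-encoded), so they must only be advertised on sessions already protected by STARTTLS, as set up in the SSL section below.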

The last thing needed for saslauthd (when it is run with the -a pam option) is the PAM service file /etc/pam.d/smtp; create it, or check that it already exists:

#%PAM-1.0
#
# example PAM file for saslauthd - place it as /etc/pam.d/
# (e.g. /etc/pam.d/smtp if you want to use saslauthd for SMTP
# AUTH)
#
auth    required    /lib/security/pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
auth    required    /lib/security/pam_unix.so
auth    required    /lib/security/pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth    required    /lib/security/pam_nologin.so
account required    /lib/security/pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root
account required    /lib/security/pam_unix.so
session required    /lib/security/pam_unix.so

Before testing authentication, the SASL password check must also be pointed at saslauthd, and saslauthd itself must be running:

# echo 'pwcheck_method:saslauthd' > /etc/sasl/smtpd.conf




SSL encryption


Exim handles connections encrypted with SSL/TLS very well (it supports the STARTTLS method). All you need to do is generate the key and the certificate. The session below creates a 1024-bit key as the article did; nowadays a key of at least 2048 bits should be used, and a self-signed certificate like this one will only be accepted by clients that have it installed as trusted:

$ openssl genrsa -out /etc/mail/exim.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
..............................++++++
e is 65537 (0x10001)
$ openssl req -new -x509 -days 365 -key /etc/mail/exim.key -out \
    /etc/mail/exim.crt
Using configuration from /var/lib/openssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EN
State or Province Name (full name) [Some-State]:NYC
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Utopian Ltd.
Organizational Unit Name (eg, section) []:Utopian's Mail Server
Common Name (eg, YOUR name) []:utopian.io
Email Address []:[email protected]

Once the key and certificate exist, add the following to the main section of the Exim configuration:

tls_certificate = /etc/mail/exim.crt
tls_privatekey = /etc/mail/exim.key
tls_advertise_hosts = *

After a restart, Exim should be able to communicate over SSL/TLS without any problems, which can be seen in the logs (the X= field records the protocol, the cipher and the key length):

U=exim P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=2909
id=ebb601c374e2$80dace00$cab00a12@fv
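The X= field is worth watching, because the protocol and cipher it records in the article's own sample (TLSv1 with DES-CBC3-SHA) are ones a server should no longer negotiate. This added example (not from the article) parses constructed message-arrival lines in Exim's main-log format and flags legacy protocols, weak ciphers and messages accepted without TLS at all; the log lines and addresses are made up.

```python
import re

# Constructed sample lines in Exim main-log format (not from the article's server).
SAMPLE_LOG = """\
2018-03-01 10:15:02 1esAbc-0001xY-Qz <= alice@utopian.io H=client.example.net [192.0.2.10] P=esmtps X=TLSv1:DES-CBC3-SHA:168 S=2909 id=constructed-1@example.net
2018-03-01 10:16:40 1esAbd-0001xZ-R0 <= bob@steemit.com H=mx.example.org [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=4120 id=constructed-2@example.org
2018-03-01 10:17:05 1esAbe-0001y0-S1 <= carol@example.com H=old.example.com [203.0.113.5] P=esmtp S=1034 id=constructed-3@example.com
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<msgid>\S+) <= (?P<sender>\S+)")
X_FIELD = re.compile(r"\bX=(?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)")

# Protocol names as older (TLSv1) and newer (TLS1.x) Exim builds write them.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLS1", "TLS1.0", "TLSv1.1", "TLS1.1"}
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP", "MD5")

def assess_arrival(line):
    """Return (msgid, proto, cipher, bits, issues) for a message-arrival line,
    or None for any other kind of log line."""
    arrival = ARRIVAL.match(line)
    if not arrival:
        return None
    issues = []
    x = X_FIELD.search(line)
    if not x:
        # No X= field: the message was accepted on an unencrypted session.
        return arrival["msgid"], None, None, 0, ["no TLS (STARTTLS not used)"]
    proto, cipher, bits = x["proto"], x["cipher"], int(x["bits"])
    if proto in LEGACY_PROTOCOLS:
        issues.append(f"legacy protocol {proto}")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        # DES-CBC3-SHA logs 168 bits, but 3DES offers only about 112 bits of security.
        issues.append(f"weak cipher {cipher}")
    if bits < 128:
        issues.append(f"only {bits} key bits")
    return arrival["msgid"], proto, cipher, bits, issues

def audit(log_text):
    """Assess every arrival line in the log and return only entries with issues."""
    results = [assess_arrival(line) for line in log_text.splitlines()]
    return [r for r in results if r is not None and r[4]]
```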

Formerly, Exim could listen on port 465 (SMTPS, i.e. TLS from the first byte of the connection) only via inetd; in newer versions the appropriate options can be set directly:

daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465




Automatic answer


It's a good idea to set up an automatic reply for people who write to you while you are away, and Exim's autoreply transport comes in handy here.
First we edit the file /etc/mail/exim.conf and, in the routers section, before the localuser router, add the following lines:

user_vacation:
     driver = accept
     check_local_user
     # do not answer list/bulk mail (Precedence header) or bounces (empty sender)
     condition = "${if or {{match {$h_precedence:} {(?i)junk|bulk|list}} {eq {$sender_address} {}}} {no} {yes}}"
     no_expn
     # the autoreply is active only while this file exists; example text for it:
     # utopian-io is on vacation. We will try to write back as soon as possible.
     require_files = /var/mail/vacation/${local_part}/vacation.msg
     # never answer robot and list addresses; every pattern ends with ":" as the separator
     senders = " ! ^.*-request@.*:\
                 ! ^.*@list*.*:\
                 ! ^owner-.*@.*:\
                 ! ^postmaster@.*:\
                 ! ^listmaster@.*:\
                 ! ^mailer-daemon@.*:\
                 ! ^root@.*"
     transport = vacation_reply
     # unseen: the message still goes on to the routers that follow for normal delivery
     unseen
     user = ${local_part}
     no_verify
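The router's condition, the negated senders list and the transport's once_repeat together decide whether an incoming message gets an answer; getting this wrong turns an autoresponder into a mail-loop and backscatter source. This added example (not from the article) reimplements that decision offline with the same patterns, using day numbers instead of timestamps and a dictionary in place of the once= database; the addresses are constructed.

```python
import re

# Same rules as the user_vacation router: no reply to bulk/list mail, to bounces
# (empty envelope sender) or to robot addresses.  Exim's address-list regexes are
# taken over verbatim; they are matched case-insensitively here.
PRECEDENCE_BULK = re.compile(r"junk|bulk|list", re.IGNORECASE)
EXCLUDED_SENDERS = [re.compile(p, re.IGNORECASE) for p in (
    r"^.*-request@.*", r"^.*@list*.*", r"^owner-.*@.*", r"^postmaster@.*",
    r"^listmaster@.*", r"^mailer-daemon@.*", r"^root@.*")]
ONCE_REPEAT_DAYS = 7            # once_repeat = 7d in the vacation_reply transport

def should_autoreply(sender, precedence, replied_day, now_day, vacation_msg_exists=True):
    """Return (reply?, reason).  replied_day is the day on which this sender was
    last answered (what the once= database remembers), or None.  Days are plain
    numbers so the logic stays independent of any clock."""
    if not vacation_msg_exists:
        return False, "require_files: vacation.msg absent"
    if sender == "":
        return False, "bounce: empty envelope sender"
    if precedence and PRECEDENCE_BULK.search(precedence):
        return False, f"Precedence: {precedence}"
    for pattern in EXCLUDED_SENDERS:
        if pattern.match(sender):
            return False, f"sender matches {pattern.pattern}"
    if replied_day is not None and now_day - replied_day < ONCE_REPEAT_DAYS:
        return False, "already answered within once_repeat"
    return True, "reply"

class VacationState:
    """Minimal stand-in for the once= database: sender -> day of the last reply."""
    def __init__(self):
        self.replied = {}

    def handle(self, sender, precedence, now_day):
        ok, reason = should_autoreply(sender, precedence, self.replied.get(sender), now_day)
        if ok:
            self.replied[sender] = now_day
        return ok, reason
```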

Next, we create the directory /var/mail/vacation with one subdirectory per username; inside it, the file vacation.msg holds the reason for the user's absence, i.e. /var/mail/vacation/USER_NAME/vacation.msg. Because of require_files, the autoreply is active only while that file exists. With that in place, we add the following lines to the transports section:

vacation_reply:
     driver = autoreply
     file = /var/mail/vacation/$local_part/vacation.msg
     file_expand
     from = System Automatycznej Odpowiedzi <$original_local_part@$original_domain>
     log = /var/mail/vacation/$local_part/vacation.log
     once = /var/mail/vacation/$local_part/vacation.db
     once_repeat = 7d
     subject = ${if def:h_Subject: {Re: ${quote:${escape:${length_50:$h_Subject:}}} (autoreply)} {Information} }
     text = "\
     Hi $h_from\n\n\
     **your content**\n\
     **your content2**:\n\
     ====================================================\n\n\
     "
     to = "$sender_address"

That's all; now we have to restart Exim:

# /etc/rc.d/init.d/exim restart




Supporting multiple domains in Exim


Below is the relevant fragment of /etc/mail/exim.conf:

virtusertable_alias:
   driver = redirect
   allow_fail
   allow_defer
   data = ${lookup{$local_part@$domain}lsearch{/etc/mail/virtusertable}}
   file_transport = address_file
   pipe_transport = address_pipe
virtusertable_defaultalias:
   driver = redirect
   allow_fail
   allow_defer
   data = ${lookup{@$domain}lsearch{/etc/mail/virtusertable}}
   file_transport = address_file
   pipe_transport = address_pipe

Place the example above at the beginning of the routers section (for the record: every section starts with the keyword begin, here begin routers). Below is a listing from the file /etc/mail/virtusertable:

[email protected]     user
[email protected]   user2
@domain.eu      user3

The third line is a catch-all: user3 receives all mail addressed to the domain "domain.eu" that has no more specific entry. After these steps, Exim should be ready to handle multiple domains. Remember to restart it after modifying its configuration file.

# /etc/rc.d/init.d/exim restart
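The two routers above are tried in order: the exact $local_part@$domain entry first, then the @$domain default. This added example (not from the article) emulates that lookup chain over a constructed virtusertable in the lsearch format, so you can check how an address will be routed before restarting the server; the entries are made up.

```python
import re

# Constructed virtusertable in the lsearch format the article uses
# (key, whitespace or colon, value); comments and blank lines are ignored.
VIRTUSERTABLE = """\
# exact aliases first, then the per-domain catch-all
alice@utopian.io     alice
sales@domain.eu      user2
@domain.eu           user3
"""

def parse_lsearch(text):
    """Return (key, value) pairs in file order; lsearch is a linear search,
    so the first matching key wins."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.split(r"[:\s]\s*", line, maxsplit=1)
        entries.append((key, value.strip()))
    return entries

def lsearch(entries, key):
    for k, v in entries:
        if k == key:
            return v
    return None

def route(address, entries):
    """Emulate the two redirect routers: the exact entry (virtusertable_alias),
    then the @domain default (virtusertable_defaultalias).  Local part and domain
    are lower-cased as Exim does by default (caseful_local_part not set).
    None means neither router accepted the address, so the routers that follow
    in the configuration get it."""
    local_part, _, domain = address.rpartition("@")
    local_part, domain = local_part.lower(), domain.lower()
    hit = lsearch(entries, f"{local_part}@{domain}")
    if hit is not None:
        return "virtusertable_alias", hit
    hit = lsearch(entries, f"@{domain}")
    if hit is not None:
        return "virtusertable_defaultalias", hit
    return None
```

Note that a catch-all entry such as @domain.eu also accepts every dictionary-attack probe for that domain, so the mailbox behind it will receive all of that traffic.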




Posted on Utopian.io - Rewarding Open Source Contributors


Thank you for the contribution. It has been approved.

You can contact us on Discord.
[utopian-moderator]

Thanks. Have a nice day!
