Tag: email

Posts related to email services

  • Adding sa-exim to Exim

    Until now I have been using SpamAssassin through the spam content scanning built into Exim. This gives me detailed control over what happens to messages. However, I decided I wanted to review the messages that are rejected. Looking at my options, sa-exim appeared to be a simple solution, and I found it was as simple as I hoped. This article covers how I implemented it on Ubuntu; it should be directly applicable to other Debian-based distributions.


    The eximstats utility includes code to analyze the messages generated by sa-exim. This provides statistics on ham and spam.

    As sa-exim has been largely superseded by Exim's ability to call SpamAssassin (or Rspamd) directly, I have since replicated this functionality as an inclusion to the Data ACL. That is covered in another post.

    Installation

    As I already had SpamAssassin installed, adding sa-exim was simple: I merely needed to run sudo apt-get install sa-exim. This installed the package and added it to the split configuration of Exim. If you are modifying your configuration, it is much simpler to use the split configuration. Besides the installed changes, you will probably want to add the ACLs specified here. These are outlined as additions to the split configuration but could be added to the unsplit configuration (comments on adapting these changes to the unsplit configuration are given at the end). This configuration should work with the default exim4-daemon-light package.

    Defining Options and Macros

    The file /etc/exim4/exim4.conf.localmacros contains options and macros for the unsplit configuration file. When using the split configuration, the files in the /etc/exim4/conf.d/main directory are loaded instead. By creating a 00_localmacros symlink in that directory pointing to /etc/exim4/exim4.conf.localmacros, the same settings can be used for both the split and unsplit configurations.

    # Define macros to use local check-rcpt and check-data rules
    CHECK_RCPT_LOCAL_ACL_FILE = CONFDIR/acls/30_local-config_check-rcpt
    CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/acls/40_local-config_check-data
    
    # Specify recipients not to be rejected - default is postmaster
    CHECK_RCPT_POSTMASTER = postmaster : spamtrap
    
    # Specify spamd location and allow retry
    spamd_address = 127.0.0.1 783 retry=10s
    

    Enabling sa-exim

    As shipped, sa-exim is disabled: the sa-exim.conf file has a default setting indicating that no messages are to be scanned. This file needs to be edited to add the conditions that enable scanning and rejection of messages.

    I found three methods that could be used.

    • Creating an if statement to evaluate the remote address to determine if the message should be scanned;
    • Setting the variable acl_m0 to “do_not_scan”, “canreject”, or a third value to cover all conditions; or
    • Adding headers indicating whether scanning or rejection is desired. (This has the advantage of making the settings visible in the headers of the delivered message.)

    I chose to use the named (extended) ACL variable format and set variables when scanning is desired or message rejection is permitted. The configuration treats an unset variable as false. The variables I chose are acl_m_scan and acl_m_canreject. Because the variables may be unset, the conditions below may need to be modified if your configuration requires a referenced variable to exist. On Exim versions that predate named ACL variables, the numbered variables acl_m0 and acl_m1 can be used instead.

    The simplest way to configure sa-exim is to append the desired configuration items to the end of the installed sa-exim.conf file. This makes local settings easy to locate. Commented settings below are set to the default values.

    # Scanning and rejection conditions noted above; the ACL additions
    # below set acl_m_scan and acl_m_canreject
    # bool_lax works better than bool
    SAEximRunCond: ${if bool_lax{$acl_m_scan}}
    SAEximRejCond: ${if bool_lax{$acl_m_canreject}}
    
    # Generic conditions
    SAEximDebug: 0
    SAspamcUser: mail
    #SAmaxbody: 256000
    SAmaxrcptlistlength: 8000
    
    # Thresholds - SAdevnull is commented in the default settings
    #SAdevnull: 25.0
    #SApermreject: 12.0
    
    # Conditions controlling saving a copy of the message
    # Disable these if you are not going to examine the results
    #SAtimeoutSavCond: 1
    #SAerrorSavCond: 1
    #SAdevnullSavCond: 1
    #SApermrejectSavCond: 1

    Extending ACLs

    The default Ubuntu/Debian configuration allows for local additions to the Recipient and Data ACLs by file inclusion. These files survive updates to the default configuration.

    If your configuration does not have the inclusion capability, the additions below should be placed just before the final accept clauses in the relevant ACL. Alternatively, you can add the include directives yourself at that location. The directive used to include the recipient addition is:

      .ifdef CHECK_RCPT_LOCAL_ACL_FILE
      .include CHECK_RCPT_LOCAL_ACL_FILE
      .endif

    I use the directory /etc/exim4/acls to contain the inclusion files. Using file inclusion adds a slight overhead when new Exim processes are started. This is trivial compared to the total overhead of processing a message.

    Extending the Recipient ACL

    This ACL enables rejection of messages with high spam scores. Mail sent only to the postmaster or similar accounts will be flagged and delivered, because the default Debian Recipient ACL accepts those recipients before this file is included. If the postmaster is one of several recipients (which should not be the case), the message may still be rejected, since the variable is set while processing the other recipients. The macro CHECK_RCPT_LOCAL_ACL_FILE points to this file.

    ### /etc/exim4/acls/30_local-config_check-rcpt
    #####################################
    
    #### NOTE: If we get here the sender is remote and unauthenticated
    
      # Not postmaster or local sender so enable spam rejection
      warn
        set acl_m_canreject = yes
    

    Extending the Data ACL

    The Data ACL processes all SMTP messages after the message data has been received. It is the last ACL run before sa-exim's local_scan code is executed. If desired, the same ACL can also be configured as the non-SMTP ACL (acl_not_smtp).

    The Data ACL inclusion marks messages for sa-exim to scan. Unless this variable is set, no scanning will be done.

    ### /etc/exim4/acls/40_local-config_check-data
    #####################################
    
      # Scan message if unauthenticated and remote
      warn
        !authenticated = *
        !hosts = : +relay_from_hosts
        set acl_m_scan = yes

    Note that the Data ACL does not process non-SMTP (locally submitted) messages in the default configuration.
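    The following is an added example, not the author's configuration. It rewrites the two inclusion files so that the postmaster exemption does not depend on the Debian check_rcpt ACL having already accepted postmaster, relay hosts and authenticated senders before the include is reached, and so that a message addressed to postmaster together with other recipients is flagged and delivered rather than rejected. It uses the macros and the acl_m_scan and acl_m_canreject variables from this post; the variable acl_m_postmaster and the +local_domains and +relay_from_hosts lists (present in the Debian default configuration) are assumptions.

```exim
### /etc/exim4/acls/30_local-config_check-rcpt  (added example)
#####################################

  # Record that at least one recipient is postmaster (or spamtrap, per the
  # CHECK_RCPT_POSTMASTER macro) in one of our domains.  acl_m_ variables
  # persist for the whole message, so this survives later RCPT commands.
  # acl_m_postmaster is an assumed name, not one used elsewhere in this post.
  warn
    local_parts = CHECK_RCPT_POSTMASTER
    domains     = +local_domains
    set acl_m_postmaster = yes

  # Permit rejection only for remote, unauthenticated senders and only for
  # ordinary recipients.  The explicit conditions mean this fragment does
  # not rely on earlier accept verbs in the Debian check_rcpt ACL.
  warn
    !authenticated = *
    !hosts         = : +relay_from_hosts
    !local_parts   = CHECK_RCPT_POSTMASTER
    set acl_m_canreject = yes

### /etc/exim4/acls/40_local-config_check-data  (added example)
#####################################

  # Scan everything that arrived from a remote, unauthenticated host.
  warn
    !authenticated = *
    !hosts         = : +relay_from_hosts
    set acl_m_scan = yes

  # If postmaster was among the recipients, clear the rejection flag so that
  # sa-exim (SAEximRejCond) flags and delivers instead of rejecting.  This
  # runs at DATA, after every RCPT, so recipient order does not matter.
  warn
    condition = ${if bool_lax{$acl_m_postmaster}}
    set acl_m_canreject = no
```

    The `set` modifier only executes when the conditions listed before it in the same verb are true, which is what makes the final `warn` act as a conditional reset. Setting the variable to `no` rather than emptying it keeps the sa-exim condition `${if bool_lax{$acl_m_canreject}}` unambiguously false.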

  • DNS for Email Servers

    This article provides a quick overview of the DNS records required for an email server and presents a minimal sample configuration. The example assumes that you are running servers for both email and the web. Comments indicating the changes if you are using a third-party provider are provided.

  • MX on a Dynamic IP Address

    I often see posts asking about running a mail server on a dynamic IP address. Twenty years ago I started running my server on a dynamic IP address. However, times have changed, and it is more difficult to do so now. Still, there are mail server roles that work reasonably well on a dynamic IP address.

  • Hostnames for eximstats Rejections

    I use eximstats to report my daily email traffic. I have a fairly high rate of rejections and wanted hostnames listed in the rejection reports. To do this I developed a patch that looks up the hostname for the rejected IP address and adds it to the rejection reports.

    The enhanced list saves me the effort of looking up IP addresses that appear repeatedly. Occasionally these belong to legitimate servers that have been misconfigured; DNS problems are often the cause.

  • Faking IMAP for Exchange Email

    For years I have had problems getting IMAP access to Exchange servers. Many organizations do not enable IMAP on their Exchange servers, and others do not configure it correctly. I recently came across a solution that works with the Microsoft WebMail interface to provide IMAP and/or POP3 access to the mail servers. This allows the use of IMAP mail clients such as Thunderbird or Microsoft Live Mail.

    This article describes the solution as I have implemented it. It uses the open-source DavMail Gateway, written in Java, which accesses a WebMail server and provides access via standard protocols such as IMAP, SMTP, and CalDAV. The program can be configured for personal use on a desktop or for group use on a server. When configuring a server, it is recommended that you provide an SSL/TLS certificate and key so that the encrypted variants of these protocols can be used.

  • Detecting Email Server Forgery

    Most of the spam I receive has been sent by servers forging or otherwise obscuring their server identity. RFC 2505 notes that both the server identity and the sender address are easily forged. Of the two, server forgery is the easier to identify. Very little, if any, personal email has a forged server identity. Unfortunately, legitimate bulk and automated email often shows signs of server identity forgery. If you deliver either of these types of email, this article provides information on fixing the situation.

    The rules here apply only to email originating from the Internet. Mail User Agents submitting email are expected to violate these rules; MUAs should instead use an authenticated, encrypted connection to the Submission port (587). Relay servers should not apply these rules to connections originating from the local network.

  • Securing your Email Reputation with SPF

    SPF (Sender Policy Framework) is a simple means of limiting the ability of others to forge your identity in email. I first implemented it after a forged identity under my domain was used to send spam. Once SPF was configured, the bounce messages quickly dropped off.

    Although not as frequently implemented as sender address checks, SPF can also be used to prevent forgery of the HELO identity. My mail server uses SPF to check the identity of the sending server. This is easier to configure and more reliable than checking the domain in the MAIL FROM address. Even though I treat Neutral and Softfail results as Fail, I have not detected any false negatives. I verify both the hostname returned by the PTR record for the connecting address and the hostname given in the HELO command, primarily because the PTR record is more likely to have a valid domain.

  • Email Logins for Dovecot and Exim

    While I was cleaning up my Ubuntu email server configuration, I consolidated my login security. My SMTP server is Exim and my IMAP server is Dovecot. Mail User Agents (MUAs) use authentication over TLS-encrypted connections to access IMAP and SMTP. Previously, each program had its own password configuration.

    Exim includes Dovecot among its supported authenticators, so one authentication mechanism can be used for both SMTP and IMAP (or POP3). This post also includes configuration details for requiring authentication on the Submission port.

  • Blocking Spam with Exim

    Recent reports indicate that spam is increasing again. I have been using Exim to filter spam for several years, and some recent tuning has decreased the percentage of spam that reaches my spam filters. This article discusses the techniques used and provides implementation examples. Spambots tend to be simple programs that do not handle slow servers well. Using a greylist is an effective method of blocking them, as they usually do not retry. My latest changes use delays to cause many spambots to abandon their attempt; greylisting is used only for poorly configured servers that make it to the RCPT command.

  • Email Policy

    SysteMajik.com actively discourages spam and email sent from incorrectly configured servers. Legitimate email from correctly configured servers should have little problem being delivered. We believe we are relatively compliant with RFC 2505 (Anti-Spam Recommendations for SMTP MTAs) and the other RFCs mentioned at the end of this document.

    This article covers our policy implementation for incoming and outgoing email. These policies apply to all email destined to or originating from systemajik.com, toucantango.com, and other domains for which we may handle email.
