Tag: exim

Posts related to the Exim4 SMTP server

  • Adding sa-exim to Exim

    Until now I have been running SpamAssassin through the spam content-scanning support built into Exim. This gives me detailed control over what happens to messages. However, I decided I wanted to review the messages that are rejected. Looking at my options, sa-exim appeared to be a simple solution, and I found it was as simple as I hoped. This article covers how I implemented it on Ubuntu; it should be directly applicable to other Debian-based distributions.


    The eximstats utility includes code to analyze the messages generated by sa-exim. This provides statistics on ham and spam.

    As sa-exim is somewhat obsoleted by Exim's ability to call SpamAssassin (and Rspamd) directly, I have replicated the functionality as an inclusion to the Data ACL. It is covered in another post.

    Installation

    As I already had SpamAssassin installed, adding sa-exim was simple: I merely needed to run sudo apt-get install sa-exim. This installed the package and added it into the split configuration of Exim. If you are modifying your configuration, it is much simpler to use the split configuration. Besides the installed changes, you are likely going to want to add the ACLs specified here. These are outlined as additions to the split configuration but could be added to the unsplit configuration. (Comments on adapting these changes to the unsplit configuration are given at the end.) This configuration should work with the default exim-daemon-light package.

    Defining Options and Macros

    The file /etc/exim4/exim4.conf.localmacros contains options and macros for the unsplit configuration file. When using the split configuration these are loaded from the /etc/exim4/conf.d/main directory. By creating a 00_localmacros symlink pointing to /etc/exim4/exim4.conf.localmacros the same configuration can be used for both the split and unsplit configurations.

    # Define macros to use local check-rcpt and check-data rules
    CHECK_RCPT_LOCAL_ACL_FILE = CONFDIR/acls/30_local-config_check-rcpt
    CHECK_DATA_LOCAL_ACL_FILE = CONFDIR/acls/40_local-config_check-data
    
    # Specify recipients not to be rejected - default postmaster
    CHECK_RCPT_POSTMASTER = postmaster : spamtrap
    
    # Specify spamd location and allow retry
    spamd_address = 127.0.0.1 783 retry=10s
    

    Enabling sa-exim

    As shipped sa-exim is disabled. The sa-exim.conf file has a default setting indicating that no messages are to be scanned. This file needs to be edited to evaluate conditions enabling scanning and rejection of messages.

    I found three methods that could be used.

    • Creating an if statement to evaluate the remote address to determine if the message should be scanned;
    • Setting the variable acl_m0 to “do_not_scan”, “canreject”, or a third value to cover all conditions; or
    • Adding headers indicating whether scanning or rejection is desired. (This has the advantage of making the settings visible in the headers of the delivered message.)

    I chose to use the named variable format and set variables if scanning is desired or message rejection is permitted. The variables I chose are acl_m_scan and acl_m_canreject. Exim expands an ACL variable that was never set to the empty string, which bool_lax treats as false, so the conditions below need no guard for an unset variable. Older Exim versions without named ACL variables must use the numbered ones such as acl_m0 and acl_m1 instead.

    The simplest way to configure sa-exim is to append the desired configuration items to the end of the installed sa-exim.conf file. This makes local settings easy to locate. Commented settings below are set to the default values.

    # Scanning and rejection conditions noted above
    # bool_lax works better than bool
    SAEximRunCond: ${if bool_lax{$acl_m_scan}}
    SAEximRejCond: ${if bool_lax{$acl_m_canreject}}
    
    # Generic conditions
    SAEximDebug: 0
    SAspamcUser: mail
    #SAmaxbody: 256000
    SAmaxrcptlistlength: 8000
    
    # Thresholds - SAdevnull is commented in the default settings
    #SAdevnull: 25.0
    #SApermreject: 12.0
    
    # Conditions controlling saving a copy of the message
    # Disable these if you are not going to examine the results
    #SAtimeoutSavCond: 1
    #SAerrorSavCond: 1
    #SAdevnullSavCond: 1
    #SApermrejectSavCond: 1

    Extending ACLs

    The default Ubuntu/Debian configuration allows for local additions to the Recipient and Data ACLs by file inclusion. These files survive updates to the default configuration.

    If your configuration does not have the inclusion capability, the inclusions below should be added just before the final accept clauses in the relevant ACL. Alternatively, you can add code to include the additions in the same location. The code used to include the recipient addition is:

      .ifdef CHECK_RCPT_LOCAL_ACL_FILE
      .include CHECK_RCPT_LOCAL_ACL_FILE
      .endif

    I use the directory /etc/exim4/acls to contain the inclusion files. Using file inclusion adds a slight overhead when new Exim processes are started. This is trivial compared to the total overhead of processing a message.

    Extending the Recipient ACL

    This ACL enables rejection of messages with high spam scores. Mail sent only to the postmaster or similar accounts will be flagged and delivered. If the postmaster is one of several recipients (which should not be the case), the message may still be rejected, because the variable is set while the other recipients are processed. The macro CHECK_RCPT_LOCAL_ACL_FILE points to this file.

    ### /etc/exim4/acls/30_local-config_check-rcpt
    #####################################
    
    #### NOTE: If we get here the sender is remote and unauthenticated
    
      # Not postmaster or local sender so enable spam rejection
      warn
        set acl_m_canreject = yes
    

    Extending the Data ACL

    The Data ACL processes all SMTP messages after the message data has been received. This is the last ACL called before the sa-exim code (Exim's local_scan hook) is executed. If desired, the Data ACL can also be configured as the non-SMTP ACL.

    The Data ACL inclusion marks messages for sa-exim to scan. Unless this variable is set, no scanning will be done.

    ### /etc/exim4/acls/40_local-config_check-data
    #####################################
    
      # Scan message if unauthenticated and remote
      warn
        !authenticated = *
        !hosts = : +relay_from_hosts
        set acl_m_scan = yes

    The Data ACL does not run for non-SMTP (locally submitted) messages in the default configuration; the acl_not_smtp option selects the ACL, if any, used for those.
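    The three pieces above (the macros, the sa-exim.conf conditions, and the two ACL include files) only work together if the variable an ACL sets is exactly the variable a sa-exim condition reads; a one-character drift in the name silently leaves scanning or rejection disabled, because an unset variable expands to an empty string. The Python script below is an added example written for this page, not code from sa-exim, Exim or the Debian packaging. It parses the appended sa-exim.conf settings (assuming the last value for a repeated key wins, which is what appending local settings relies on), extracts the $acl_m_* names read by SAEximRunCond and SAEximRejCond, and reports any that no set modifier in the ACL files assigns, as well as conditions still at the shipped 0 value. The configuration text embedded in it is constructed to mirror the fragments above, with the rejection variable deliberately misspelled so the check has something to report.

```python
"""Consistency check for the sa-exim / Exim ACL variable hand-off.

sa-exim only scans (SAEximRunCond) and only rejects (SAEximRejCond) when the
Exim string expansion in sa-exim.conf is true, and those expansions read
$acl_m_* variables that the local ACL include files are supposed to set.
If the names drift apart, scanning or rejection silently switches off.

Added example for this page; not part of sa-exim, Exim or Debian.
"""
import re
from typing import Dict, Iterable, Set

# Constructed sample: the shipped sa-exim.conf with local settings appended.
SA_EXIM_CONF = """
# settings shipped with the package (abbreviated)
SAEximRunCond: 0
SAEximRejCond: 0
# local settings appended at the end of the file
SAEximRunCond: ${if bool_lax{$acl_m_scan}}
SAEximRejCond: ${if bool_lax{$acl_m_can_reject}}
SAEximDebug: 0
"""

# Constructed sample: the Recipient ACL include file.
ACL_CHECK_RCPT = """
  # Not postmaster or local sender so enable spam rejection
  warn
    set acl_m_canreject = yes
"""

# Constructed sample: the Data ACL include file.
ACL_CHECK_DATA = """
  # Scan message if unauthenticated and remote
  warn
    !authenticated = *
    !hosts = : +relay_from_hosts
    set acl_m_scan = yes
"""

# Named (acl_m_foo / acl_c_foo) or numbered (acl_m0 / acl_c0) ACL variables.
ACL_VAR = r"acl_[mc]_\w+|acl_[mc]\d+"


def parse_sa_exim_conf(text: str) -> Dict[str, str]:
    """Parse 'Key: value' lines, ignoring blank lines and '#' comments.

    A later line overrides an earlier one (assumption: sa-exim keeps the
    last value it reads for a repeated key, which appending relies on).
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def acl_vars_referenced(expansion: str) -> Set[str]:
    """ACL variables read by an Exim expansion string ($acl_m_x or ${acl_m_x})."""
    return set(re.findall(r"\$\{?(" + ACL_VAR + r")", expansion))


def acl_vars_set(acl_text: str) -> Set[str]:
    """ACL variables assigned by 'set acl_m_x = ...' modifiers in an ACL file."""
    return set(re.findall(r"^\s*set\s+(" + ACL_VAR + r")\s*=", acl_text, re.MULTILINE))


def check_conditions(conf_text: str, acl_texts: Iterable[str]) -> Dict[str, Set[str]]:
    """Return, per sa-exim condition, the variables it reads that no ACL sets.

    A condition whose final value is empty or '0' is reported with an empty
    set: sa-exim treats that as false, so scanning/rejection stays disabled.
    """
    conf = parse_sa_exim_conf(conf_text)
    defined: Set[str] = set()
    for text in acl_texts:
        defined |= acl_vars_set(text)
    problems: Dict[str, Set[str]] = {}
    for key in ("SAEximRunCond", "SAEximRejCond"):
        value = conf.get(key, "")
        if value in ("", "0"):
            problems[key] = set()  # still at the shipped "never" value
            continue
        missing = acl_vars_referenced(value) - defined
        if missing:
            problems[key] = missing
    return problems


if __name__ == "__main__":
    report = check_conditions(SA_EXIM_CONF, [ACL_CHECK_RCPT, ACL_CHECK_DATA])
    for key, missing in report.items():
        if missing:
            print(f"{key}: reads {sorted(missing)} but no ACL sets them")
        else:
            print(f"{key}: still 0/empty, so sa-exim will never act on it")
    if not report:
        print("sa-exim conditions and ACL variables are consistent")
```

    On the embedded sample this reports that SAEximRejCond reads acl_m_can_reject while the Recipient ACL sets acl_m_canreject. To run it against a real system, replace the embedded samples with the contents of /etc/exim4/sa-exim.conf and the files under /etc/exim4/acls. Exim's own expansion tester is a useful companion check: exim4 -be '${if bool_lax{$acl_m_scan}}' prints an empty line, which is how a false condition (here, an unset variable) expands.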

  • Securing Submission on Exim

    I noticed a significant increase in the number of hosts attempting to authenticate to my Exim submission ports (465 and 587). As a result, I have implemented a number of security measures. These measures have effectively blocked the attempts. This post outlines the main measures that I have implemented. This includes ACLs and fail2ban blacklisting.

  • Securing TLS

    A StackExchange question on using HAProxy’s capture feature to pass data from TCP mode to HTTP mode prompted me to update my SSL configuration. This was intended to get an A+ rating from SSL Labs by sending non-SNI capable clients to a server with weaker ciphers. This was to enable clients on WinXP/IE8, Java 6, and an old Android version to connect. I found a solution without needing two sets of ciphers or handling traffic in both TCP mode and HTTP mode. I then optimized my settings to a minimal list of cipher specifications.

  • MX on a Dynamic IP Address

    I often see posts asking about running a mail server on a dynamic IP address. Twenty years ago I started running my server on a dynamic IP address. However, times have changed, and it is more difficult to do so. Still, there are mail server roles that work reasonably well on a dynamic IP address.

  • Disabling SSLv3 to block Poodle

    The new Poodle vulnerability led me to disable SSLv3 on my Ubuntu server. I have TLS/SSL enabled on three services: apache2, exim4, and dovecot2. Each service required a different method to disable SSLv3. While SSLv3 is mostly history, the techniques I used can be applied to other TLS versions.

    Ubuntu uses configuration files split into small pieces. The method should apply to other distributions, although the configuration files may be arranged differently.

  • Hostnames for eximstats Rejections

    I use eximstats to report my daily email traffic. I have a fairly high rate of rejections and wanted hostnames listed in the rejection reports. To resolve this I developed a patch to capture the hostname related to the IP address, and add this data to the rejection reports.

    The enhanced list saves me the effort of looking up IP addresses that appear repeatedly. Occasionally, these are from legitimate servers that have been misconfigured; DNS problems are often the cause.

  • Email Logins for Dovecot and Exim

    While I was cleaning up my Ubuntu email server configuration, I consolidated my login security. My SMTP server is Exim and my IMAP server is Dovecot. Mail User Agents (MUAs) use authentication over TLS-encrypted connections to access IMAP and SMTP. Both programs had their own password configuration.

    Exim includes Dovecot in its supported authentication mechanisms. This enables one authentication mechanism to be used for both SMTP and IMAP (or POP3). This post also includes configuration details for forced authentication over the Submission port.

  • Implementing IPv6 Part 2

    We are quickly running out of IPv4 addresses. Are you ready for World IPv6 Day on June 8th, 2011? I have prepared my configuration on OpenWRT and Ubuntu. This includes configuring DNS using bind, email using Exim, and a Squid web proxy.

    Having verified that I could establish IPv6 connectivity, I chose to improve it. This started with getting a tunnel from Hurricane Electric and updating my configuration. I then updated my bind server and Exim mail server to support IPv6 addresses. This posting updates and continues from my post on Implementing IPv6 6to4 on OpenWRT. Review it for information on creating a tunnel and running radvd on OpenWRT.

  • Blocking Spam with Exim

    Recent reports indicate that spam is increasing again. I have been using Exim to filter spam for several years. Some recent tuning I have done has decreased the percent of spam that reaches my spam filters. This article provides a discussion of the techniques used and provides implementation examples. Spambots tend to be simple programs that don’t handle slow servers very well. Using a greylist is an effective method of blocking them as they usually don’t retry. My latest changes use delays to cause many spambots to abandon their attempt. Greylisting is used only for poorly configured servers that make it to the Recipient command.

  • Implementing DKIM with Exim

    This article was updated in February 2014 to reflect changes in policy and reporting options. The earlier ADSP (Author Domain Signing Practices) information has been removed.

    DomainKeys Identified Mail (DKIM) provides a method to confirm the origin of an e-mail. DKIM also provides some protection against tampering. Unlike SPF, this validation applies to the contents of the message when it is signed. Like SPF, the information required for validation is added to DNS.
