Basic Exim Configuration


As the mail server that's the default for Debian GNU/Linux and its derivatives, Exim is moderately popular in the Linux world. You can also use Exim with other distributions, and in fact it ships with the PowerTools extensions for Red Hat, so it's fairly easy to install on Red Hat and related distributions. Like sendmail, Exim is a monolithic program, but the Exim configuration file format is relatively simple. Exim is capable of doing many of the same things as is sendmail, and this section describes some of these things, such as address masquerading, accepting mail addressed to multiple domains, and setting various relay options.

NOTE


Because Exim is the default MTA only for Debian among those distributions discussed in this book, this section uses Exim as shipped with Debian as a reference. Other Exim installations may be configured differently by default.


Exim's Configuration Files

The main Exim configuration file is called exim.conf, and it's usually located in /etc. This file consists of lines of the form:

  option  =  value  

The file may also contain comments, which are lines that begin with a pound sign (#). In fact, a standard Debian Exim installation uses an exim.conf file that's mostly comments documenting what the configuration lines do. This fact can help greatly when you want to modify an Exim installation, because you can often figure out what needs to be changed by reading the comments in the configuration file.

TIP


When Debian installs Exim, the installer runs a script called eximconfig that generates the exim.conf file. You can run this script after the fact to reconfigure Exim without directly editing the exim.conf file. For small changes it's usually easier to edit the file yourself, because eximconfig requires you to respond to all its questions again. Nonetheless, eximconfig can be a useful tool if you're unfamiliar with Exim configuration, because it generates a configuration file with options that are appropriate for your system.


In addition to the main exim.conf file, Exim may use other files as sources of supplemental information. In particular, a default Debian Exim configuration uses these files:

  • /etc/aliases: This file serves the same function in Exim as in sendmail: It associates two accounts so that mail addressed to one user is delivered to another. For instance, the line root: amelia causes mail addressed to root to be delivered to amelia instead. You can also specify a nonlocal account; for instance, root: amelia@pangaea.edu causes local mail for root to be sent to amelia@pangaea.edu. Unlike the sendmail file of this name, the Exim file doesn't need to be compiled into a binary format to be used.

  • /etc/email-addresses: This file causes From: addresses in outgoing mail to be rewritten. For instance, ben: bfranklin@pangaea.edu causes mail from ben on the local system to appear to come from bfranklin@pangaea.edu.

The eximconfig script creates an /etc/aliases file that directs mail addressed to postmaster to root, and in turn directs root's mail to a user you specify. You can add, delete, or modify entries in this file as you see fit. The standard Debian /etc/email-addresses file is empty except for some comments.

Exim Address Masquerading

As described earlier, in "Address Masquerading," you may want Exim to use a particular hostname or domain name instead of the one that's returned by the hostname command. The most basic level of address masquerading is accomplished through the qualify_domain option. This sets the domain that's used for locally generated mail if the mail program does not set an address itself. For instance, suppose your exim.conf file includes the following line:

 qualify_domain = threeroomco.com 

If ben sends mail from a program that doesn't specify a From: domain, Exim will add the threeroomco.com domain to the address or replace an address that doesn't match this domain name, so that From: headers and the like will read ben@threeroomco.com.

Another option you might want to use is primary_hostname. You set this much like you do qualify_domain, and in fact the value of primary_hostname is used as the default for qualify_domain. The primary_hostname value is used in initial handshakes between Exim and the remote mail server, and the name also appears in Received: e-mail headers.

A more sophisticated address masquerading option is provided by the /etc/email-addresses file, described earlier. More precisely, this file is referenced by a line near the end of the exim.conf file. This line resembles the following:

 *@threeroomco.com  ${lookup{$1}lsearch{/etc/email-addresses}\
                    {$value}fail} bcfrF

This is one of exim.conf's least transparent configuration lines, and you shouldn't need to adjust it, except perhaps to alter the domain at the beginning of the line. This line matches any address that falls in the threeroomco.com domain, and causes Exim to check /etc/email-addresses for a more precise match. If the first field (before the colon) of a line in email-addresses matches that in an e-mail address, the second field (after the colon) is substituted. This tool allows you to perform address masquerading on a user-by-user basis; you need only edit the email-addresses file, as described earlier. If your mail server processes mail from multiple domains, you could duplicate the exim.conf entry for each domain, specifying a different substitution file for each domain or even using one file for all of them.

These descriptions cover only a fraction of the address masquerading features available in Exim. For more information, consult the "Address Rewriting" chapter of the Exim documentation at http://www.exim.org/exim-html-3.30/doc/html/spec_34.html.

Configuring Exim to Accept Mail

Exim provides several exim.conf options that determine whether it should treat an address as local, and deliver it as such. These include:

  • local_domains: You can set this option to a colon-delimited list of hostnames that Exim will treat as local. For instance, local_domains = localhost:threeroomco.com causes Exim to accept mail addressed to users at localhost or threeroomco.com as local, and deliver that mail to local users. This value defaults to the value of the qualify_recipient option, which sets the hostname on incoming mail that lacks a hostname.

  • local_domains_include_host: If this option is set to true, Exim accepts mail addressed to the computer's current hostname. You can achieve a similar effect by adding the hostname to the local_domains list.

  • local_domains_include_host_literals: If this option is set to true, Exim accepts mail that's addressed to the system by IP address rather than by name. For instance, if Exim is running on a computer with the 172.24.98.2 IP address, and if the user ben exists, Exim will accept mail addressed to ben@[172.24.98.2]. If you don't want to accept such mail, set this value to false.

The eximconfig script sets some of these options based upon your responses to questions about domains for which you should accept mail, so if you've run this script and answered the questions appropriately, you should find reasonable default values already set.

Exim Relay Configuration

Like sendmail, Exim has several relay options, relating to both relaying mail from other systems and relaying outgoing mail through another SMTP system. The eximconfig script asks questions about relays, and so should configure Exim properly in many situations. You can change or fine-tune this configuration by directly editing exim.conf.

Configuring Exim to Relay Mail

The most important exim.conf options relating to mail relaying are as follows:

  • host_accept_relay: To have Exim relay mail for specific computers, you should list them using this option (separating the names by colons). Most systems use at least host_accept_relay = localhost, which lets Exim relay mail that originates locally. Expanding this list by specifying all the hostnames, IP addresses, or wildcards that match the desired hosts expands Exim's relaying options. For instance, host_accept_relay = localhost:192.168.99.0/24:*.pangaea.edu allows localhost, all computers in the 192.168.99.0/24 network, and all computers in the pangaea.edu domain to relay mail. Using this feature to specify the IP addresses of your local domain is probably the safest way to permit relaying for most installations.

  • relay_domains: You can list one or more domains with this option (separated by colons). Exim will relay mail from any system in the specified domains. This option is most useful if your mail server should relay mail for several different domains, or even just one very large domain. You can accomplish much the same goal by using an asterisk (*) wildcard as the machine name in a hostname with the host_accept_relay option.

  • relay_domains_include_local_mx: If you want to have Exim automatically adjust its relaying policy to allow new domains, you can use this option. If you set it to yes, it permits computers whose DNS servers have an MX record that points to your system to relay mail. This can be convenient, because it eliminates the need to adjust Exim if you routinely change domain configurations. It's potentially risky, though, because a spammer could set up a domain with an MX entry that points to your Exim server and use your system as an effectively open relay.

  • sender_address_relay: You can provide a colon-delimited list of e-mail addresses that are allowed to relay with this option. Ordinarily, if you use this option, a mail must match both this and a host-based option, such as host_accept_relay. (You can change this behavior to use either by specifying relay_match_host_or_sender = yes, but this configuration is potentially very dangerous because e-mail addresses are trivial to forge.) You can use this feature to limit who from a given system may relay mail through Exim.

These options permit you to configure Exim to relay mail for only some systems, such as those on your local network or any remote domains for which Exim should be a relay. These options are sufficient for many purposes. For more exotic needs, Exim supports some additional options, such as host_auth_accept_relay (which requires that remote systems authenticate themselves before relaying) and tls_host_accept_relay (which requires that remote systems use an authentication and encryption system known as TLS).
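The relay options above can be checked mechanically before a configuration goes live. The following is an added example, not part of the original text or of Exim itself: a small Python audit that flags the risky relay settings this section warns about. The function names, the sample configuration, and the extra check for a bare * or 0.0.0.0/0 entry in host_accept_relay are assumptions made for illustration.

```python
import re

# Constructed sample in the Exim 3 "option = value" syntax this section
# describes; it is not taken from a real server.
SAMPLE_CONF = """\
# relay settings
host_accept_relay = localhost:192.168.99.0/24:*
relay_domains_include_local_mx = yes
relay_match_host_or_sender = yes
sender_address_relay = ben@threeroomco.com
"""

def parse_options(text):
    """Return {option: value} for the main section of an exim.conf."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "end":      # the first "end" closes the main section
            break
        m = re.match(r"(\w+)\s*(?:=\s*(.*))?$", line)
        if m:
            # A bare boolean option name means "true" in Exim.
            value = m.group(2) if m.group(2) is not None else "true"
            opts[m.group(1)] = value.strip().strip('"')
    return opts

def enabled(opts, name):
    return opts.get(name, "").lower() in ("yes", "true")

def audit_relay(opts):
    """Return (option, reason) pairs for the risky relay settings named above."""
    findings = []
    # Colon-delimited list; IPv6 items (which contain colons) are out of scope.
    hosts = [h.strip() for h in opts.get("host_accept_relay", "").split(":")]
    if "*" in hosts or "0.0.0.0/0" in hosts:
        findings.append(("host_accept_relay", "matches every host: open relay"))
    if enabled(opts, "relay_domains_include_local_mx"):
        findings.append(("relay_domains_include_local_mx",
                         "any domain whose MX points here may be relayed"))
    # The host-or-sender switch only matters once a sender list exists.
    if enabled(opts, "relay_match_host_or_sender") and opts.get("sender_address_relay"):
        findings.append(("relay_match_host_or_sender",
                         "a forged sender address alone permits relaying"))
    return findings

if __name__ == "__main__":
    for option, reason in audit_relay(parse_options(SAMPLE_CONF)):
        print(f"{option}: {reason}")
```

To audit a real file, pass its contents to parse_options() in place of SAMPLE_CONF.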

Configuring Exim to Send Through a Relay

If your system must use an outgoing relay, you need to configure Exim to direct all outgoing mail through that system. Unfortunately, there is no single Exim configuration option to handle this situation. The eximconfig utility, though, can generate a series of configuration lines that have the desired effect. These lines resemble the following:

 smarthost:
   driver = domainlist
   transport = remote_smtp
   route_list = "* franklin.threeroomco.com bydns_a"
 end

These lines tell Exim to send all external mail via franklin.threeroomco.com. You can change this system's name if your mail relay system ever changes.

Exim Anti-Spam Configuration

One of Exim's strengths is its extensive set of filtering rules. You can use these to specify hosts for which you'll refuse delivery, specify users from whom you'll refuse delivery, or perform more sophisticated checks on a per-user basis. The major filtering options are as follows:

  • host_reject: This exim.conf option takes a colon-delimited list of hostnames, domain names, or IP addresses as its argument, and blocks all mail that originates from these systems. For instance, host_reject = *.badspammer.net:10.16.8.0/24 blocks all mail from the badspammer.net domain, and from the 10.16.8.0/24 network block. This rejection occurs as soon as the remote system attempts to make a connection. This sometimes causes repeated attempts to connect to your server, thus consuming small amounts of network resources over an extended period of time.

  • host_reject_recipients: This option works much like host_reject, except that messages are rejected after the remote system begins the transaction, and more precisely, after it's sent the RCPT TO: command. The result is more likely to be an immediate cessation of attempts to send the messages.

  • sender_reject: This option rejects mail that originates from certain senders. A sender may be either an entire domain or an individual user at a domain. For instance, sender_reject = spammer@abigisp.com:badspammer.net blocks mail from the badspammer.net domain and from the user spammer@abigisp.com. Exim refuses to receive mail as soon as it learns the sender's identity. This quick rejection causes some sending systems to try repeatedly to send the same message.

  • sender_reject_recipients: This option works much like sender_reject, but it waits to reject the mail until the sender has entered a recipient address with the RCPT TO: command. This approach is more effective than sender_reject's approach at getting the sending MTA to stop attempting to send the messages.

  • User-specific filters: Exim supports filters that individual users can design. These reside in the .forward files in users' own home directories. This facility is extremely powerful and flexible. It's similar in many ways to Procmail filters, which are described shortly in the section "Using a Procmail Filter." It's described in some detail in the filter.txt.gz documentation file that comes with Exim, in the /usr/doc/exim directory in Debian GNU/Linux (you'll need to uncompress this file with gunzip to read it).

If you want to create a large list of senders or sender hostnames you want to reject, you can place them in a separate file, and reference that filename with the appropriate rejection options. In addition to custom filters, Exim includes several options related to support for blackhole lists. These are controlled through several exim.conf options:

  • rbl_domains: Provide a colon-delimited list of blackhole list server addresses, such as those shown in Table 19.1, to have Exim use those lists. You can append these entries with /warn or /reject to specify that Exim add a warning header (which might be used by a subsequent Procmail filter, for instance) or reject the mail outright, respectively. Two additional options are /accept (to use a blackhole-like mechanism to provide a limited "white list") and /skiprelay (which bypasses the blackhole list check if the sender's domain is listed in the host_accept_relay option).

  • rbl_hosts: The default for this option is *, which causes Exim to check all hosts against the blackhole lists specified by rbl_domains. You might want to exempt certain senders from these checks, though, and to do so, you add their names, preceded by exclamation marks, prior to the asterisk in a colon-delimited list. For instance, rbl_hosts = !ok.pangaea.edu:* exempts ok.pangaea.edu from the blackhole list checks.

  • rbl_reject_recipients: You can use the /warn or /reject features of the rbl_domains option to specify whether to add a warning or reject a suspected spam, as noted earlier. When you've not specified explicitly what to do, Exim defaults to rejecting the affected mail. You can change this behavior to merely add a warning header by setting rbl_reject_recipients = no.

  • recipients_reject_except: This option lets you specify blackhole list exceptions in terms of recipients. For instance, recipients_reject_except = postmaster@your.domain causes Exim to accept mail addressed to postmaster@your.domain, even from sites included on a blackhole list.

There are a few additional blackhole list options in Exim; consult the package's documentation for details. In addition to pattern matching and blackhole lists, Exim provides a few additional options that may be used to help cut down on spam. These include the following:

  • headers_check_syntax: Exim can check message headers for bogus syntax, such as a message addressed to user@, and reject messages that fail these checks. This is normally a sanity check on the veracity of the data, but some spam uses poorly constructed mail headers that will fail such checks. To use this option, set it to true.

  • helo_verify: During initial connections, a calling SMTP server identifies itself with a HELO or EHLO command. Normally, Exim doesn't require this, but you can set it to be more strict by providing a list of hosts that must use this handshake. (You can set helo_verify = * to require all senders to pass this test.) In addition to requiring use of HELO or EHLO, helo_verify requires that the IP address and DNS entries on the host match one another. Spammers often use misconfigured systems for which this isn't true, but unfortunately, many legitimate mail server systems are also misconfigured in such a way that they'll fail this test.

  • message_size_limit: This option is another that's not strictly a spam-fighting tool, but that might catch some spam. It defaults to , which translates into no size limit. If you set this option to a positive value, that's the maximum message size that Exim will accept. This might be useful in limiting the impact of inconsiderate or accidental delivery of overly large messages to your system.

In all, Exim's spam filtering features are extremely capable, particularly if you're willing to delve into the creation of user-specific filter files.



Advanced Linux Networking
ISBN: 0201774232
EAN: 2147483647
Year: 2002
Pages: 203
