Configure Exim

Configure Exim

Introduction

To run exim with mailscanner you need 2 configuration files one for the daemon that will listen on port 25 and accept incoming mail and another for the exim process that will deliver the clean mail that has been scanned by mailscanner. You also require 2 queues one for incoming and the other for clean mail that has been scanned.

I will not dwell on all the configuration options that exim provides i expect that you will be able to get detailed info else where on how to configure an normal running exim system so i will only focus on those areas that are specific to this setup.

So to begin backup your exim configuration then create the second configuration file out the outbound process.

#> cp /etc/exim/exim.conf /etc/exim/exim.conf.orig

 #> cp /etc/exim/exim.conf /etc/exim/exim_out.conf

Inbound Exim

This is the configuration for the exim daemon that listens on port 25 and accepts the messages and queues them for mailscanner to process. The configuration file is /etc/exim/exim.conf

Anti-virus / Sanesecurity Checks

Configure the incoming exim daemon (/etc/exim/exim.conf) to use clamav to scan incoming mail and reject virus infected email and image and pdf spam at smtp time.

av_scanner = clamd:/var/run/clamav/clamd.sock

Mail routing

Configure the domains you accept mail for, we will add these to a file /etc/exim/relay_domains

# example /etc/exim/relay_domains
example.com

Specify this in the exim configuration

domainlist relay_to_domains = lsearch;/etc/exim/relay_domains

Configure the routing of the domains you are filtering mail for in the file /etc/exim/mail-routes

#example /etc/exim/mail-routes
example.com: xxx.xxx.xxx.xxx:xxx.xxx.xxx.xxx #this domain is on a CGP cluster of 2 front end nodes
somedomain.com: xxx.xxx.xxx.xxx # this delivers to one CGP machine

Configure a router to accept mail for the relay domains. You need to add this under the check_backend: router (see address verification below)

deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}

Mailscanner intergration

Configure the inbound exim just to queue the messages and not deliver to enable mailscanner to process them.

spool_directory = /var/spool/exim.in
process_log_path = /var/spool/exim/exim-process.info
queue_only = true
queue_only_override = false

Create the inbound spool directory and set correct ownership

 # mkdir /var/spool/exim.in
 # chown exim.exim /var/spool/exim.in

RBL's

Configure the RBL's under acl_check_rcpt:

drop    message       = REJECTED because $sender_host_address is in a black list spamhaus.org
           dnslists      = zen.spamhaus.org

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = bl.spamcop.net

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = dnsbl.sorbs.net

Anti Spam

If you want to reject messages from servers with no reverse dns add this under acl_check_rcpt:, it does have a exception list to which you can add domains where the acl should not be applied and trys to deliver a test message to sending address to verify if the sender is valid.

drop  message   = REJECTED - We don't accept messages from hosts without reverse DNS
        log_message = No reverse DNS
        domains = ! lsearch;/etc/exim/checks_exempt_hosts
        !verify = reverse_host_lookup
        !verify = sender/callout=2m,defer_ok
        !condition =  ${if eq{$sender_verify_failure}{}}

To reject messages from clients that dont provide a HELO/EHLO add this to acl_check_rcpt:

drop  message  = REFUSED - no HELO/EHLO greeting
        log_message = remote host did not present greeting
        condition = ${if def:sender_helo_name {false}{true}}

You can rate limit the connections to your server as well add this to acl_check_connect: to do so (read the exim docs on the parameters if you want to fine tune it for your site)

deny ratelimit = 250 / 15m / strict
       message = You can only send $sender_rate per $sender_rate_period
       log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)

accept

Stop rogue spam bots from trashing your machine

smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1

Allow pipelining only from the localhost to allow you to later use mailfeeder to release mail

pipelining_advertise_hosts = 127.0.0.1

Address verification

This users the router check_backend to communicate with your communigate pro system via ldap to ensure that an address exists before accepting mail for that address.

Add your default ldap servers to the exim configuration

ldap_default_servers = xxx.xxx.xxx.xxx

Configure domains that have a catchall account (no verification if address exists before accepting mail)

# example /etc/exim/catchall_domains
somedomain.com

Specify this in the exim configuration

domainlist domains_with_catchall = lsearch;/etc/exim/catchall_domains

Create and add the ldap enabled CGP domains to the file /etc/exim/ldap-domains. The first column is the domain alias or domain and the second is the actual domain as it exists in ldap as when you sync CGP domains to ldap it does not copy the domain aliases as well.

#example  /etc/exim/ldap-domains
example.com: example.com
example.co.za: example.com

Create the check_backend router, this should be the first router in your configuration

check_backend:
 driver = redirect
 domains = ! +domains_with_catchall : +relay_to_domains
 allow_fail
 allow_defer
 forbid_file
 forbid_pipe
 data = ${lookup ldap{ldap:///uid=${local_part},cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?mail}{$value}{:fail: Unknown user}}
 #version 5.x use this instead
 data = ${lookup ldap{ldap:///cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?uid?sub?(uid=$local_part)}{$local_part@$domain}{:fail: User Unknown}}

Clean delivery Exim

This is the configuration that is used to deliver the clean mail that mailscanner has already scanned. The configuration file is /etc/exim/exim_out.conf. For this you can use the default configuration with all the checks and acls taken out.

You need to add this router to deliver the cleaned mail to the actual CGP servers. If you are running a cluster, this router is capable of spreading the deliveries across the servers that you have configured in /etc/exim/mail-routes making it fully redundant.

deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  hosts_randomize = true
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}