Configure Exim

Introduction

To run Exim with MailScanner you need two configuration files: one for the daemon that listens on port 25 and accepts incoming mail, and another for the Exim process that delivers the clean mail after MailScanner has scanned it. You also need two queues: one for incoming mail and one for the clean, scanned mail.

I will not dwell on all the configuration options that Exim provides; I expect that you can find detailed information elsewhere on how to configure a normally running Exim system, so I will focus only on the areas that are specific to this setup.

  • To begin, back up your Exim configuration, then create the second configuration file for the outbound process.
 #> cp /etc/exim/exim.conf /etc/exim/exim.conf.orig
 #> cp /etc/exim/exim.conf /etc/exim/exim_out.conf

Inbound Exim

This is the configuration for the Exim daemon that listens on port 25, accepts messages and queues them for MailScanner to process. The configuration file is /etc/exim/exim.conf.

Anti-virus / Sanesecurity Checks

  • Configure the incoming Exim daemon (/etc/exim/exim.conf) to use ClamAV to scan incoming mail and reject virus-infected email, and image and PDF spam (Sanesecurity signatures), at SMTP time. The av_scanner option only tells Exim where clamd is listening; the rejection itself is done with a malware condition in the DATA ACL.
av_scanner = clamd:/var/run/clamav/clamd.sock

Mail routing

  • Configure the domains you accept mail for; we will list these in the file /etc/exim/relay_domains
# example /etc/exim/relay_domains
example.com
  • Specify this in the exim configuration
domainlist relay_to_domains = lsearch;/etc/exim/relay_domains
  • Configure the routing of the domains you are filtering mail for in the file /etc/exim/mail-routes. Each line is the domain, a colon, and the host list; multiple hosts are separated by colons. Keep comments on their own lines, because lsearch only ignores whole lines that start with #, and a trailing comment would be read by manualroute as part of the route data.
# example /etc/exim/mail-routes
# example.com is on a CGP cluster of 2 front end nodes
example.com: xxx.xxx.xxx.xxx:xxx.xxx.xxx.xxx
# somedomain.com delivers to one CGP machine
somedomain.com: xxx.xxx.xxx.xxx
  • Configure a router to accept mail for the relay domains. Add this after the check_backend: router (see Address verification below)
deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}

MailScanner integration

  • Configure the inbound Exim to only queue messages, without delivering them, so that MailScanner can process them.
spool_directory = /var/spool/exim.in
process_log_path = /var/spool/exim/exim-process.info
queue_only = true
queue_only_override = false
  • Create the inbound spool directory and set the correct ownership
 # mkdir /var/spool/exim.in
 # chown exim:exim /var/spool/exim.in

RBLs

  • Configure the RBLs under acl_check_rcpt:
drop    message       = REJECTED because $sender_host_address is in a black list spamhaus.org
           dnslists      = zen.spamhaus.org

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = bl.spamcop.net

drop    message       = REJECTED because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
           dnslists      = dnsbl.sorbs.net

Anti Spam

  • If you want to reject messages from servers with no reverse DNS, add this under acl_check_rcpt:. It has an exception list (/etc/exim/checks_exempt_hosts) of recipient domains for which the ACL is not applied, and it also does a sender callout (an SMTP check against the sender's mail server) to verify that the sending address is valid; a message is only dropped when both the reverse lookup and the callout fail.
drop  message   = REJECTED - We don't accept messages from hosts without reverse DNS
        log_message = No reverse DNS
        domains = ! lsearch;/etc/exim/checks_exempt_hosts
        !verify = reverse_host_lookup
        !verify = sender/callout=2m,defer_ok
        !condition =  ${if eq{$sender_verify_failure}{}}
  • To reject messages from clients that don't send a HELO/EHLO greeting, add this to acl_check_rcpt:
drop  message  = REFUSED - no HELO/EHLO greeting
        log_message = remote host did not present greeting
        condition = ${if def:sender_helo_name {false}{true}}
  • You can also rate limit the connections to your server; add this to acl_check_connect: to do so (read the Exim docs on the ratelimit parameters if you want to fine tune it for your site)
deny ratelimit = 250 / 15m / strict
       message = You can only send $sender_rate per $sender_rate_period
       log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)

accept
  • Limit non-mail and unknown SMTP commands per connection to stop rogue spam bots from tying up your machine
smtp_accept_max_nonmail = 30
smtp_max_unknown_commands = 1
  • Advertise pipelining only to localhost, so that you can later use mailfeeder to release mail
pipelining_advertise_hosts = 127.0.0.1

Address verification

This uses the check_backend router to query your CommuniGate Pro system via LDAP, to ensure that an address exists before accepting mail for it.

  • Add your default LDAP servers to the Exim configuration
ldap_default_servers = xxx.xxx.xxx.xxx
  • Configure the domains that have a catchall account (for these, no check is made that the address exists before accepting mail)
# example /etc/exim/catchall_domains
somedomain.com
  • Specify this in the exim configuration
domainlist domains_with_catchall = lsearch;/etc/exim/catchall_domains
  • Create the file /etc/exim/ldap-domains and add the LDAP-enabled CGP domains to it. The first column is the domain or domain alias and the second is the actual domain as it exists in LDAP, because syncing CGP domains to LDAP does not copy the domain aliases.
#example  /etc/exim/ldap-domains
example.com: example.com
example.co.za: example.com
  • Create the check_backend router; this should be the first router in your configuration. A router may only have one data option, so keep the data line that matches your version and leave the other commented out.
check_backend:
 driver = redirect
 domains = ! +domains_with_catchall : +relay_to_domains
 allow_fail
 allow_defer
 forbid_file
 forbid_pipe
 data = ${lookup ldap{ldap:///uid=${local_part},cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?mail}{$value}{:fail: Unknown user}}
 # version 5.x: use this data line instead of the one above
 #data = ${lookup ldap{ldap:///cn=${lookup{$domain}lsearch{/etc/exim/ldap-domains}}?uid?sub?(uid=$local_part)}{$local_part@$domain}{:fail: User Unknown}}
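As an added example (not from the original wiki page, nor from the Exim or MailScanner projects), here is a POSIX shell check that the lookup files used by the deliver_clean router (relay_domains, mail-routes) and the check_backend router (catchall_domains, ldap-domains) agree with each other: every relay domain needs a route, and every relay domain that is not a catchall needs an ldap-domains entry, otherwise the lsearch lookups above expand to empty. The sample files and the 192.0.2.x hosts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: consistency check for the
# lookup files the deliver_clean and check_backend routers depend on.  Assumes
# the layouts shown above: relay_domains and catchall_domains one domain per
# line; mail-routes "domain: host[:host]"; ldap-domains "alias: ldap-domain".
# Sample files are constructed in a temp dir; run "check_routes /etc/exim" for real.

# Print the lsearch keys of a file: drop comment and blank lines, keep the text
# before the first colon and strip trailing whitespace.
lsearch_keys() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e 's/:.*//' \
        -e 's/[[:space:]]*$//' "$1"
}

# check_routes DIR: returns 0 when every relay domain has a mail-route and
# every relay domain without a catchall has an ldap-domains entry.
check_routes() {
    dir=$1
    status=0
    for d in $(lsearch_keys "$dir/relay_domains"); do
        if ! lsearch_keys "$dir/mail-routes" | grep -qxF -- "$d"; then
            echo "$d: no entry in mail-routes, deliver_clean cannot route it"
            status=1
        fi
        # catchall domains are excluded from check_backend, no LDAP mapping needed
        if lsearch_keys "$dir/catchall_domains" | grep -qxF -- "$d"; then
            continue
        fi
        if ! lsearch_keys "$dir/ldap-domains" | grep -qxF -- "$d"; then
            echo "$d: no entry in ldap-domains, check_backend would look up an empty cn="
            status=1
        fi
    done
    return $status
}

# Constructed sample data (192.0.2.0/24 is the documentation address range):
# example.com is complete, somedomain.com is a catchall, broken.example has a
# route but no LDAP mapping and must be reported.
make_sample() {
    dir=$(mktemp -d)
    printf 'example.com\nsomedomain.com\nbroken.example\n' > "$dir/relay_domains"
    printf '# catchall domains\nsomedomain.com\n' > "$dir/catchall_domains"
    printf 'example.com: 192.0.2.10:192.0.2.11\nsomedomain.com: 192.0.2.20\n' > "$dir/mail-routes"
    printf 'broken.example: 192.0.2.30\n' >> "$dir/mail-routes"
    printf 'example.com: example.com\nexample.co.za: example.com\n' > "$dir/ldap-domains"
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then check_routes "$(make_sample)"; fi
```

Run it with the argument demo to see the constructed broken.example reported; a clean set of files produces no output and exit status 0.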

Clean delivery Exim

This is the configuration that is used to deliver the clean mail that MailScanner has already scanned. The configuration file is /etc/exim/exim_out.conf. For this you can use the default configuration with all the checks and ACLs taken out.

You need to add this router to deliver the cleaned mail to the actual CGP servers. If you are running a cluster, this router spreads deliveries across the servers you configured in /etc/exim/mail-routes (hosts_randomize = true) and moves on to the next host in the list if one fails, so delivery is fully redundant.

deliver_clean:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  hosts_randomize = true
  route_data = ${lookup{$domain}lsearch{/etc/exim/mail-routes}}

Sample configuration files

configure_exim.txt · Last modified: 2008/12/18 04:45 by topdog