Learn Linux Series (#5) - e-mail server (Exim)
vitusc (49) w utopian-io • 3 miesiące temu
Learn Linux Series (#5) - e-mail server (Exim)
What Will I Learn?
What is Exim
How to install Exim
How to configure Exim
Mailboxes and using Maildir
SMTP authorization
SSL encryption
Automatic answer
Supporting multiple domains in Exim
Requirements
Linux system installed
Basic knowledge of terminal operation
Average knowledge of linux commands
Motivation when something goes wrong
Difficulty
Intermediate
Learn Linux Series (#5) - e-mail server (Exim)
The MTA service (message transfer agent) is responsible for the transfer of, among others, e-mail between servers. The most popular representatives of this type of services are: Sendmail, Postfix or Exim described by us. Here are the advantages that speak for choosing Exim as our MTA:
*Authorization in Exim is implemented by default
*Clam AntiVirus - a free antivirus program that works great with Exim
*it supports anti-spam scanner (SpamAssasin), and MIME error detection
*has a lot of useful functions
Exim configuration options allow you to build a fairly extensive server that supports local accounts and accounts stored in the MySQL database
Exim installation
We run the program: poldek and execute the command:
poldek -i exim
Of course, before we execute the recommendation to start the daemon, we should make the configuration.
Configuration
Before we start configuring the SMTP daemon, we must necessarily add an MX record to each DNS zone supported by our server. Local domains are those that Exim treats as 'your' domains. Mail addressed @ utopian.local.domain which will reach Exim will be delivered locally. Such domains are defined in the domainlist local_domains directive. By default, mail is sent to the same domain as the hostname of the server:
domainlist local_domains = @
The @ sign means 'my name'. To add additional domains, simply add them to this list separated by colons:
domainlist local_domains = @ : utopian.io : steemit.com :
/etc/mail/local_domains
Besides utopian.io,steemit.com, Exim will now also accept domains listed in the /etc/mail/local_domains file. Domains should be entered in separate lines. Exim works so well that after adding a file path, you just need to reboot it once. Any combinations in /etc/mail/local_domains will not require a reboot. So it will be the most convenient to add to the configuration file:
domainlist local_domains = @ : /etc/mail/local_domains
And simply sign all domains to /etc/mail/local_domains
At this point, we can check the server's operation. All we need is to reload the daemon and send an email to the existing user account. With this configuration, the mail will reach the mbox mailboxes.
Mailboxes and using Maildir
Exim can place mail in both mbox mailboxes (text files in /var/mail/) and increasingly popular Maildir mailboxes (files stored in a directory located in the user's home directory).
In the transporters configuration section, we find the "local_delivery" option, put a comment mark in front of the "file =" option and add the following lines:
maildir_format = true
directory=${home}/Mail/Maildir
As you can easily guess, the second option indicates where the boxes are stored. After modification, the section discussed may look as follows:
local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0660
maildir_format = true
directory=${home}/Mail/Maildir
SMTP authorization
If our users use SMTP from outside the local network, we will need authorization. The Exim case is quite complex. Well, Exim is dropping root privileges too early. The package cyrus-sasl, and more specifically pwcheck daemon (in PLD cyrus-sasl-saslauthd) will help. In the AUTHENTICATORS section, enter the following lines (or delete comments #):
plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = ${if saslauthd{{$1}{$3}}{1}{0}}
the above entry will work at saslauthd -a shadow, if
we run saslauthd -a pam (eg. PLD) enter then:
server_condition = ${if saslauthd{{$1}{$3}{smtp}}{1}{0}}
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
the above entry will work at saslauthd -a shadow, if
we run saslauthd -a pam (eg. PLD) enter then:
server_condition = ${if saslauthd{{$1}{$3}{smtp}}{1}{0}}
server_set_id = $1
The last thing to do with saslauthd (run with the -a pam option) you need to create (or check if it is) is /etc/pam.d/smtp:
#%PAM-1.0
example PAM file for saslauthd - place it as /etc/pam.d/
(e.g. /etc/pam.d/smtp if you want to use saslauthd for SMTP
AUTH)
auth required /lib/security/pam_listfile.so
item=user sense=deny file=/etc/security/blacklist
onerr=succeed
auth required /lib/security/pam_unix.so
auth required /lib/security/pam_tally.so
file=/var/log/faillog onerr=succeed no_magic_root
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_tally.so deny=0
file=/var/log/faillog onerr=succeed no_magic_root
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so
you must also run pwcheck saslauthd before checking the authorization
echo 'pwcheck_method:saslauthd' > /etc/sasl/smtpd.conf
SSL encryption
Exim deals very well with connections encrypted using SSL (supports the STARTTLS method). All you need to do is generate the appropriate certificates:
$ openssl genrsa -out /etc/mail/exim.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
..............................++++++
e is 65537 (0x10001)
$ openssl req -new -x509 -days 365 -key /etc/mail/exim.key -out
/etc/mail/exim.crt
Using configuration from /var/lib/openssl/openssl.cnf
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:EN
State or Province Name (full name) [Some-State]:NYC
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Utopian Ltd.
Organizational Unit Name (eg, section) []:Utopian's Mail Server
Common Name (eg, YOUR name) []:utopian.io
Email Address []:[email protected]
After such treatment, the following should be added to the Exim main section:
tls_certificate = /etc/mail/exim.crt
tls_privatekey = /etc/mail/exim.key
tls_advertise_hosts = *
after restart, Exim should be able to communicate with SSL without any problems, which can be seen in the logs:
U=exim P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=2909
id=ebb601c374e2$80dace00$cab00a12@fv
Formerly, Exim could listen on port 465 only using inetd, in newer versions we will be able to set the appropriate options:
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465
Automatic answer
It's a good idea to set up an automatic response for people who write to you. Here, the Exim option comes in handy.
At the beginning we edit the file /etc/mail/exim.conf and in the routers section in front of the localuser router we add the following lines:
user_vacation:
driver = accept
check_local_user
# utopian-io is on vacation. We will try to write back as soon as possible.
condition = "${if or {{match {$h_precedence:} {(?i)junk|bulk|list}} {eq {$sender_address} {}}} {no} {yes}}"
no_expn
require_files = /var/mail/vacation/${local_part}/vacation.msg
# utopian-io is on vacation. We will try to write back as soon as possible.
senders = " ! ^.-request@.:
! ^.@list.:\
! ^owner-.@.:
! ^postmaster@.:
! ^listmaster@.:
! ^mailer-daemon@.
! ^root@.*"
transport = vacation_reply
unseen
user = ${local_part}
no_verify
Next, we create a directory /var/mail/vacation, in which there will be directories containing the username and files with information about the reason for his absence. We write this reason to the vacation.msg file located in /var/mail/vacation/USER_NAME/. Once we have these settings behind us in the transport section, we add the following lines:
vacation_reply:
driver = autoreply
file = /var/mail/vacation/$local_part/vacation.msg
file_expand
from = System Automatycznej Odpowiedzi <$original_local_part@$original_domain>
log = /var/mail/vacation/$local_part/vacation.log
once = /var/mail/vacation/$local_part/vacation.db
once_repeat = 7d
subject = ${if def:h_Subject: {Re: ${quote:${escape:${length_50:$h_Subject:}}} (autoreply)} {Information} }
text = "
Hi $h_from\n\n
your content\n
your content2:\n
====================================================\n\n
"
to = "$sender_address"
That's all, now we have to restart Exim:
/etc/rc.d/init.d/exim restart
Supporting multiple domains in Exim
Below is the listing from /etc/mail/exim.conf
virtusertable_alias:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part@$domain}lsearch{/etc/mail/virtusertable}}
file_transport = address_file
pipe_transport = address_pipe
virtusertable_defaultalias:
driver = redirect
allow_fail
allow_defer
data = ${lookup{@$domain}lsearch{/etc/mail/virtusertable}}
file_transport = address_file
pipe_transport = address_pipe
Place the example above at the beginning of the routers section. For the record, let me add that the beginning of the section is marked with the word begin.
Below is a listing from the file /etc/mail/virtusertable
[email protected] user
[email protected] user2
@domain.eu user3
User3 will receive all mail from the domain "domain.eu". After these procedures, exim should already be prepared to support multiple domains. You must remember to restart it after modifying its configuration file.
/etc/rc.d/init.d/exim restart
Curriculum
Part 1 - TCP/IP Computer Adaptation
Part 2 - Proftpd management and configuration
Part 3 - Introduction to programming
Part 4 - e-mail server (Postfix)
Posted on Utopian.io - Rewarding Open Source Contributors
Source
Plagiarism is the copying & pasting of others work without giving credit to the original author or artist. Plagiarized posts are considered spam.
Spam is discouraged by the community, and may result in action from the cheetah bot.
More information and tips on sharing content.
If you believe this comment is in error, please contact us in #disputes on Discord