Penguin
Recent Changes
Annotated edit history of EximNotes version 69 showing authors affecting page license. View with all changes included.
Rev Author # Line
66 CraigBox 1 !!! Be careful about editing the configuration
60 MichaelBordignon 2
66 CraigBox 3 Since [Exim] (version 3) rereads its configuration on every delivery attempt, it is unadvisable to edit a live configuration file. If you're using [Debian] and 4.x, the config it uses isn't the one you edit (it gets generated on init-script-reload), so you're OK.
60 MichaelBordignon 4
5 !!! Removing all frozen messages in an [Exim] queue
6
7 Lots of bounce messages to fake [Email] addresses from spam?
8
9 <verbatim>
10 mailq | awk '/frozen/ { print $3 }' | xargs exim -Mrm
11 </verbatim>
12
13 !!! Setting up [Exim] as a mail filter for another machine that does mail delivery (eg MicrosoftExchange)
14
15 See EximMailFilter.
16
17 !!! Setting up [Exim] to use [LDAP] aliasing and to deliver via [Cyrus] [IMAP]
18
19 If you're running [Exim] 3, make sure to read the notes at the bottom of this entry.
20
21 First, in the <tt>router</tt> section of <tt>exim.conf</tt>, add a router for [Cyrus] (at the top) as follows:
22
23 <verbatim>
24 local_user_cyrus:
25 driver = accept
26 check_local_user
27 local_part_suffix = +*
28 transport = local_delivery_cyrus
29 </verbatim>
30
31 Note that the <tt>local_part_suffix</tt> part allows you to specify <tt>user+mailfolder@domain</tt>... and the command in the <tt>local_delivery_cyrus</tt> section takes care of delivering to the correct subfolder of inbox.
32
33 Next, in the <tt>transport</tt> section, add a transport to allow delivery via [Cyrus]:
34
35 <verbatim>
36 local_delivery_cyrus:
37 driver = pipe
38 command = /usr/libexec/cyrus/deliver -m ${substr_1:$local_part_suffix} -- $local_part
39 user = cyrus
40 group = mail
41 return_output
42 log_output
43 message_prefix =
44 message_suffix =
45 </verbatim>
46
47 Finally, you will need to modify your alias resolution to use [LDAP]. This is based on my [LDAP] configuration, which consists of an Organisational Unit (OU) of Aliases, each container having an attribute <tt>rfc822MailMember</tt>, containing the real mailbox. An example:
48
49 <verbatim>
50 dn: cn=greg,ou=Aliases,dc=compel,dc=co,dc=nz
51 rfc822MailMember: greig
52 objectClass: nisMailAlias
53 objectClass: top
54 cn: greg
55 </verbatim>
56
57 This fixes the fact that no one can deal with the fact that GreigMcGill has an "i" in his name! ;)
58
59 So... back to <tt>exim.conf</tt>... the alias router looks like the following:
60
61 <verbatim>
62 system_aliases:
63 driver = redirect
64 allow_fail
65 allow_defer
66 data = ${lookup ldap {ldap://10.0.0.1/cn=$local_part,\
67 ou=Aliases,dc=compel,dc=co,dc=nz?rfc822MailMember?base}}
68 file_transport = address_file
69 pipe_transport = address_pipe
70 </verbatim>
71
72 Now, this assumes that your system is like mine, where each user is a real account, and <tt>getpwnam()</tt> and the like will return usernames out of [LDAP] via [PAM]. If this is the case, the above configuration should be all you need. If you are running a "black box" MailServer, then some other kind soul may like to add the required configuration below.
73
74 If you have a different [LDAP] [Schema] to the one mentioned above, either because your system installed a different set of [Schema] for the equivalent entries, or you are running a custom [Schema] that handles multiple virtual domain hosting without unix accounts, then just modify your [LDAP] lookups appropriately. As a hint:
75
76 <verbatim>
77 data = ${lookup ldap {ldap://127.0.0.1/cn=$local_part,\
78 ou=Aliases,o=$domain,dc=wlug,dc=org,dc=nz?mailAlias?base}}
79 </verbatim>
80
81 If my system recieves mail to say <tt>daniel@wlug.org.nz</tt>, it will for the dn given as:
82
83 <verbatim>
84 cn=daniel,ou=Aliases,o=wlug.org.nz,dc=wlug,dc=org,dc=nz
85 </verbatim>
86
87 and return the <tt>mailAlias</tt> attribute.
88
89 Between [Exim], SendMail, [Postfix] and Courier, [Exim] has been the easiest to set up with a custom [LDAP] [Schema] by far. SendMail supposedly supports it, but in practice doesn't. [Postfix] is SendMail with a pretty configuration file, and has worse support for custom [LDAP] [Schema]s [IMO]. [Exim] > *.
90
91 !! [Exim] 3
92
93 The above system will work with previous version of [Exim], however the format might be slightly different (not confirmed this, I just base this off what I've done with [Exim] 3.3.5)
94
95 The main difference is in the query line in the Aliases director example above:
96
97 <verbatim>
98 data = ${lookup ldap {ldap://10.0.0.1/cn=$local_part,\
99 ou=Aliases,dc=compel,dc=co,dc=nz?rfc822MailMember?base}}
100 </verbatim>
101
102 I always used something that looked like:
103
104 <verbatim>
105 query = "ldap://127.0.0.1/ou=Aliases,o=$domain,ou=Domains,BASEDN?mailAlias?sub?cn=$local_part"
106 </verbatim>
107
108 but there are probably other ways of doing this too :)
109
110 !!! Delivering to [Cyrus]21 from [Exim] 3.3 ([Woody])
111
112 The mighty Cuchulain's config:
113
114 Transport:
115
116 __NOTE:__ this __must__ be placed somewhere sensible in the transports list. ie, before any transports for procmail(1), <tt>userforward</tt>, or <tt>local_user</tt> delivery.)
117 <verbatim>
118 local_delivery_cyrus:
119 driver = pipe
120 command = "/usr/sbin/cyrdeliver -m ${substr_1:${local_part_suffix}} -- ${local_part}"
121 user = cyrus
122 group = mail
123 envelope_to_add = true
124 return_output
125 log_output
126 prefix =
127 suffix =
128 </verbatim>
129
130
131 Director:
132
133 <verbatim>
134 local_user_cyrus:
135 driver = localuser
136 transport = local_delivery_cyrus
137 </verbatim>
138
139 !!! Delivering to [Cyrus] from [Exim] 4.x
140
141 Exim 4.x has native [LMTP] support, so you don't need to pipe the mail to cyrus's deliver program. Instead, you can do the following:
142
143 Note that the same rules about placing local_user_cyrus in a sensible place apply here as well!
144
145 Router:
146
147 <verbatim>
148 local_user_cyrus:
149 debug_print = "R: local_user_cyrus for $local_part@$domain"
150 driver = accept
151 local_part_suffix = +*
152 local_part_suffix_optional
153 transport = cyrus_ltcp
154 </verbatim>
155
156 Transport:
157
158 <verbatim>
159 cyrus_ltcp:
160 debug_print = "T: cyrus_ltcp for $local_part@$domain"
161 driver = smtp
162 protocol = lmtp
66 CraigBox 163 hosts = localhost
60 MichaelBordignon 164 allow_localhost
165 </verbatim>
166
66 CraigBox 167 !!! LMTP callbacks
168
169 Another thing you can do with Exim and Cyrus-IMAP integration is described at [Cyrus Imap page of Exim Wiki | http://www.exim.org/eximwiki/CyrusImap]. It allows Cyrus to check the existence of mailboxes *before* replying to "RCPT TO:" or "MAIL FROM:". Exim does not have to send back bounces in reply to
170 "dictionary recipient" spam.
171
172 It is best suited for integration with [Cyrus-IMAP virtual domains | http://asg.web.cmu.edu/cyrus/download/imapd/install-virtdomains.html].
173
174 See also [LMTPNotes].
60 MichaelBordignon 175
176 !!! Using MailDir format instead of [MBox]
177
178 This is for version 3.35 (the version with [Debian] [Woody]).
179
180 The default is to deliver local mail to <tt>/var/spool/mail/$USERNAME</tt> in [MBox] format. In the <tt>local_delivery</tt> section of <tt>exim.conf</tt>, remove the line that says
181
182 <verbatim>
183 file = /var/spool/mail/${local_part}
184 </verbatim>
185
186 and add lines that say
187
188 <verbatim>
189 create_directory = true
190 directory = /home/${local_part}/Maildir/
191 directory_mode = 770
192 maildir_format
193 </verbatim>
194
195 Easy peasy. :) But see the comment below about possible gotchas, as this is just the basic bit.
196
197 !!! [Exim] can deliver to Inbox but can't deliver to forwarded mailboxes (subfolders etc)
198
199 I have [Exim filtering|EximFilter] set up in a <tt>.forward</tt> file to drop all my [Email] into the right place.
200
201 However, I was getting lots of messages like this in my logs:
202
203 <verbatim>
204 2003-04-21 19:38:04 196iGy-00005j-01 ==
205 /home/user/Maildir/.Mailing Lists.WLUG/ <user@localhost> D=userforward
206 defer (-31): directory_transport unset in userforward driver
207 </verbatim>
208
209 The problem? <tt>exim.conf</tt> was set up for MailDir support, but for some reason the config for the directory delivery agent wasn't linked to the forwarding section.
210
211 Ensure <tt>address_directory</tt> has <tt>Maildir</tt> uncommented, and then find the <tt>userforward</tt> section. Under <tt>file_transport = address_file</tt>, set
212
213 <verbatim>
214 directory_transport = address_directory
215 </verbatim>
216
217 and rerun the queue, forcing redelivery if necessary, with <tt>exim -qff</tt>.
218
219 !!! [Exim] 3 generates some message about unable to deliver due to a child process failure
220
221 This when used in conjunction with [Cyrus] [IMAP] can be caused by trying to deliver to a mailbox which has reached it's maximum quota limit. The exim_mainlog entry looks similar to the following:
222
223 <verbatim>
224 2004-01-08 11:08:12 1AeLqW-0007k0-00 == gerwin@north.pub.tla T=local_delivery_cyrus defer (0): Child
225 process of local_delivery_cyrus transport returned 75 (could mean temporary error) from
226 command: /usr/lib/cyrus-imapd/deliver
227 </verbatim>
228
229 !!! Configuring Exim4 with a virtual domain table/users in text files
230
231 (If you have multiple domains on the same machine, and users account names don't correspond to their [Email] addresses.)
232
233 In the top section of your <tt>exim.conf</tt>
234
235 <verbatim>
236 domainlist local_domains = @ : \
237 @[] : \
238 localhost : \
239 partial-lsearch;/etc/exim/virtual.domains
240 </verbatim>
241
242 and underneath the part where it says something like
243
244 <verbatim>
245 real_local:
246 driver = accept
247 check_local_user
248 local_part_prefix = real-
249 transport = local_delivery
250 </verbatim>
251
252 add a section
253
254 <verbatim>
255 virtual:
256 driver = redirect
257 allow_defer
258 allow_fail
259 data = ${lookup{$local_part@$domain}lsearch*@{/etc/exim/virtual.users}}
260 domains = partial-lsearch;/etc/exim/virtual.domains
261 retry_use_local_part
262 </verbatim>
263
264 now you will need file called <tt>virtual.domains</tt> that is simply a list of all the domains for which you accept mail, and a <tt>virtual.users</tt> file with a table of users in the format:
265
266 <tt>virtual.domains</tt>::
267
268 <verbatim>
269 example.com
270 example.net
271 </verbatim>
272
273 <tt>virtual.users</tt>::
274
275 <verbatim>
276 #example.com
277 regularuser@example.com : localuser
278 forwardinguser@example.com : someuser@example.org
279 *@example.com : catchalluser
280
281 #example.net
282 regularuser@example.net : localuser2
283 forwardinguser@example.net : someuser2@example.org
284 *@example.net : catchall2
285 </verbatim>
286
287 --BlairHarrison
288
289 !!! Connections to [Exim] take a long time to work (Exim is slow to show the [SMTP] banner)
290
291 Check that your [DNS] and hosts(5) settings are correct, and that you can correctly resolve hosts on the server.
292
293 If this all works as desired but connections are still slow, it could be an [IDENT] timeout. Try either setting:
294
295 <verbatim>
296 rfc1413_hosts = *
297 rfc1413_query_timeout = 0s
298 </verbatim>
299
300 or installing an [IDENT] server on the [Exim] machine.
301
302 !!! Testing a new transport on a live system
303
304 <tt>prefix = test-</tt> is your friend
305
306 !!! Implementing [SPF] in [Exim] 4 using [exiscan-acl | http://duncanthrax.net/exiscan-acl/]
307
308 Section 8 of the [exiscan-acl patch documentation | http://duncanthrax.net/exiscan-acl/exiscan-acl-spec.txt] explains how to do it if you've compiled [SPF] into [Exim]. Otherwise, you can do so so via the [Mail::SPF::Query | http://search.cpan.org/dist/Mail-SPF-Query/] [Perl] module. [Appending A.7 | http://slett.net/spam-filtering-for-mx/exim-spf.html] of [Spam Filtering for Mail Exchangers | http://slett.net/spam-filtering-for-mx/] shows both approaches.
309
310 http://www.meini.org/spf/ contains [Debian] [Package]s for the [Mail::SPF::Query | http://search.cpan.org/dist/Mail-SPF-Query/] and [Net::CIDR::Lite | http://search.cpan.org/dist/Net-CIDR-Lite/] modules and for [libspf | http://www.libspf.org/]. The packaged libspf version is pretty old though, you might consider installing from SourceCode. You'll also need [Net::DNS | http://search.cpan.org/dist/Net-DNS/], for which a [Debian] package can be found at [http://www.proesdorf.de/debian/].
311
312 Alternatively you could use [Evan's deb packages|http://evanjones.ca/software/libspf-alt-debian.html] but the newer code of [libspf2|http://libspf2.org/download.html] and build some new libspf2 packages.
313
314 !!! Useful Exim4 Mail Proxy tweaks.
315
316 If you have Exim4 configured as a mail proxy in front of, say, MS Exchange, or another Active Directory based email server, you may find the following useful to either limit spam, or transition from a "catchall" domain setup. Note that these two configurations are mutually exclusive.
317
318 This first config fragment provides the ability to reject nonexistent email addresses at SMTP time.
319
320 This first stanza belongs in the main configuration, and simply defines the LDAP lookup macro.
321 You will need to create the "MTA Auth" user in AD. Copy Guest and enable it.
322 Don't forget to set the IP address of the AD server correctly.
323
324 Note that port 3268 is used. AD geeks will recognise this as the Global Catalog port, and means you are asking the AD Forest, rather than just a particular server. If you don't want this, or your server isn't a GC server, just use port 389.
325
326 <verbatim>
327
328 ITP_LDAP_AD_MAIL_RCPT = \
329 user="CN=MTA\ Auth,CN=Users,DC=site,DC=example,DC=co,DC=nz" \
330 pass=gand4lf \
331 ldap://10.7.31.10:3268/DC=site,DC=example,DC=co,DC=nz\
332 ?mail?sub?\
333 (&\
334 (objectClass=*)\
335 (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
336 )
337 </verbatim>
338
339 This belongs as the first router in the routers section.
340 Change the domains to match ALL domains we accept mail for.
341
342 <verbatim>
343
344 adsi_itp_check:
345 driver = redirect
346 domains = *example.co.nz
347 allow_fail
348 allow_defer
349 forbid_file
350 forbid_pipe
351 redirect_router = spam_redirect
352 data = ${lookup ldap {ITP_LDAP_AD_MAIL_RCPT}\
353 {${local_part}@${domain}}{:fail: User unknown}}
354 </verbatim>
355
356 The second fragment provides a "catchall" function for a domain. If an email address is not defined within a site, mail will be accepted and routed to the provided address (catchall@example.co.nz in this case). Please do not use this except as a transitory measure, as catchalls are inherently bad IMHO.
357
358 First, the lookup macro, as before.
359
360 <verbatim>
361
362 ITP_LDAP_AD_MAIL_RCPT = \
363 user="CN=MTA\ Auth,CN=Users,DC=site,DC=example,DC=co,DC=nz" \
364 pass=gand4lf \
365 ldap://10.7.31.10:3268/DC=site,DC=example,DC=co,DC=nz\
366 ?mail?sub?\
367 (&\
368 (objectClass=*)\
369 (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
370 )
371 </verbatim>
372
373 Now the catchall router:
374
375 <verbatim>
376
377 adsi_itp_catchall:
378 driver = redirect
379 domains = *example.co.nz
380 redirect_router = spam_redirect
381 condition = ${if eq{${lookup ldap {ITP_LDAP_AD_MAIL_RCPT}{${local_part}@${domain}}}}{} {yes}{no}}
382 data = catchall@example.co.nz
383 </verbatim>
384
385 As nice as this solution is, it doesn't (in the above example) cater for Public Folders which are mail enabled. Greig informs me that you can modify the LDAP bind to do this, however. One way to do this is below:
386
387 <verbatim>
388
389 ldap_default_servers = <; server.test.lan:3268
390 LDAP_AD_MAIL_RCPT = \
391 user="CN=ldap_user,OU=Users,DC=test,DC=lan" \
392 pass=ilovegreig \
393 ldap:///DC=test,DC=lan\
394 ?mail?sub?\
395 (&\
396 (|\
397 (objectClass=user)\
398 (objectClass=publicFolder)\
399 (objectClass=group)\
400 )\
401 (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
402 )
403 </verbatim>
404
405 One issue I found was that I wasn't able to query the whole forest using port 389. I needed to use port 3268 (GC). If you're having problems, there's a high chance you haven't got the DN correct. Use adsiedit to check (found in the Windows Support Tools). More information can be found at http://www.exim.org/eximwiki/MsExchangeAddressVerification.
62 CraigBox 406
407 !!! /dev/null or other file alias doesn't work (Exim 4.5)
408
409 <verbatim>
410 root@firewall.tla:/etc # exim4 -bv -v junk@firewall.tla
411 R: spam_redirect for firewall.tla
412 R: system_aliases for junk@firewall.tla
413 junk@firewall.tla -> /dev/null
414 *** Error in setting up pipe, file, or autoreply:
415 file_transport unset in system_aliases router
416 </verbatim>
417
65 CraigBox 418 There is a macro defined for the file_transport router, but its unset by default. To allow this behaivour, add this macro to either your /etc/exim4/conf.d/main/02_exim4-config_options.rul, or a local macros filw, such as /etc/exim4/conf.d/main/000_local_macros:
62 CraigBox 419 <verbatim>
420 # allow writing to files in system aliases (potentially bad!)
421 SYSTEM_ALIASES_FILE_TRANSPORT = address_file
422 </verbatim>
423
63 CraigBox 424 A better answer is changing the destination using the [redirect router alias|http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch22.html#SECTspecitredli] <tt>:blackhole:</tt>.
65 CraigBox 425
426 !!! Allow connections to the submission port (587) and the smtps port (465)
427
428 SMTPS is easy, since 4.43:
429
430 <pre>
431 # wlug: listen on 25 (smtp), 465 (ssmtp for Outlook)
432 daemon_smtp_port = 25:465
433 tls_on_connect_ports = 465
434 </pre>
435
436 in your <tt>main</tt> section. Between 4.03 and 4.43, you can use [the -tls-on-connect command line parameter|http://exim.netmirror.org/exim-html-4.40/doc/html/FAQ_17.html#TOC322].
437
438 587 is harder, because the rules are "either SMTP AUTH or SSL". [An Exim SSL/TLS recipe|http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20030210/msg00257.html] was posted to the list, which suggests (updated, and with client certs removed - you really want to only use SMTP AUTH):
439
440 <pre>
441 # wlug: listen on 25 (smtp), 465 (ssmtp for Outlook) and 587 (submission)
442 daemon_smtp_port = 25:465:587
443
444 # uncomment to only allow auth if you're on by SSL
445 # auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}
446
447 tls_advertise_hosts = *
448 tls_certificate = /etc/exim4/server-cert.pem
449 tls_privatekey = /etc/exim4/server-key.pem
450 </pre>
451
452 ..and in your RCPT ACL (near the top):
453
454 <pre>
455 accept authenticated = *
456 encrypted = *
457
458 accept condition = ${if eq{$interface_port}{587}{1}{0}}
459 endpass
460 message = SMTP AUTH required for port 587
461 authenticated = *
462 </pre>
69 AlastairPorter 463
464 !!! Redirecting all mail to a single mailbox
465
466 I wanted to set up an SMTP server for testing that would accept all mail and send it to a single mailbox so that we didn't accidentally send mail to anyone.
467
468 This example uses Debian's split config.<br>
469 Add a new router in <tt>/etc/exim4/conf.d/router</tt>. Because these files are processed in alphabetical order, add it at the top. <tt>09_exim4-config-redirect_all</tt> is a good choice.
470 <pre>
471 redirect_all:
472 debug_print = "R: redirecting all mail"
473 driver = redirect
474 data = "user_to_send_to"
475 </pre>
476
477 Test using the method listed below.
65 CraigBox 478
68 MattBrown 479 !!! Testing a new config file before putting it live.
480
481 JohnMcPherson pointed out the following useful tips:
482
483 If you're using Debian's split configuration setup, you can generate a new configuration file to a temporary location with:
484 <pre>
485 $ update-exim4.conf -o ~~/exim4.test.config
486 </pre>
487
488 Then you can test the routing of that config without touching your running server using
489 <pre>
490 $ exim -C ~~/exim4.test.config -bt user@host.com
491 </pre>
492
493 If it's not working how you intended, then ramp up the debugging and get all the details
494 <pre>
495 $ exim -d+all -C ~~/exim4.test.config -bt user@host.com < /dev/null
496 </pre>
66 CraigBox 497
498 !!! See also
499
500 * EximSmtpAuth
501 * EximFilter
502 * [INBOX Autocreate Cyrus Patch | http://email.uoa.gr/projects/cyrus/autocreate/]
68 MattBrown 503
60 MichaelBordignon 504
505 ----
506 Part of CategoryMailNotes

PHP Warning

lib/blame.php:177: Warning: Invalid argument supplied for foreach() (...repeated 7 times)