!!! Careful about editing the configuration

Since [Exim] rereads its configuration on every delivery attempt, it is inadvisable to edit a live configuration file.

!!! Removing all frozen messages in an [Exim] queue

Lots of bounce messages to fake [Email] addresses from spam?

<verbatim>
mailq | awk '/frozen/ { print $3 }' | xargs exim -Mrm
</verbatim>

!!! Setting up [Exim] as a mail filter for another machine that does mail delivery (eg MicrosoftExchange)

See EximMailFilter.

!!! Setting up [Exim] to use [LDAP] aliasing and to deliver via [Cyrus] [IMAP]

If you're running [Exim] 3, make sure to read the notes at the bottom of this entry.

First, in the <tt>router</tt> section of <tt>exim.conf</tt>, add a router for [Cyrus] (at the top) as follows:

<verbatim>
local_user_cyrus:
  driver = accept
  check_local_user
  local_part_suffix = +*
  transport = local_delivery_cyrus
</verbatim>

Note that the <tt>local_part_suffix</tt> part allows you to specify <tt>user+mailfolder@domain</tt>... and the command in the <tt>local_delivery_cyrus</tt> section takes care of delivering to the correct subfolder of inbox.

Next, in the <tt>transport</tt> section, add a transport to allow delivery via [Cyrus]:

<verbatim>
local_delivery_cyrus:
  driver = pipe
  command = /usr/libexec/cyrus/deliver -m ${substr_1:$local_part_suffix} -- $local_part
  user = cyrus
  group = mail
  return_output
  log_output
  message_prefix =
  message_suffix =
</verbatim>

Finally, you will need to modify your alias resolution to use [LDAP]. This is based on my [LDAP] configuration, which consists of an Organisational Unit (OU) of Aliases, each entry in it having an attribute <tt>rfc822MailMember</tt> containing the real mailbox. An example:

<verbatim>
dn: cn=greg,ou=Aliases,dc=compel,dc=co,dc=nz
rfc822MailMember: greig
objectClass: nisMailAlias
objectClass: top
cn: greg
</verbatim>

This works around the fact that no one can cope with GreigMcGill having an "i" in his name! ;)

So... back to <tt>exim.conf</tt>... the alias router looks like the following:

<verbatim>
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup ldap {ldap://10.0.0.1/cn=$local_part,\
          ou=Aliases,dc=compel,dc=co,dc=nz?rfc822MailMember?base}}
  file_transport = address_file
  pipe_transport = address_pipe
</verbatim>

Now, this assumes that your system is like mine, where each user is a real account, and <tt>getpwnam()</tt> and the like will return usernames out of [LDAP] via [PAM]. If this is the case, the above configuration should be all you need. If you are running a "black box" MailServer, then some other kind soul may like to add the required configuration below.

If you have a different [LDAP] [Schema] to the one mentioned above, either because your system installed a different set of [Schema] for the equivalent entries, or you are running a custom [Schema] that handles multiple virtual domain hosting without unix accounts, then just modify your [LDAP] lookups appropriately. As a hint:

<verbatim>
data = ${lookup ldap {ldap://127.0.0.1/cn=$local_part,\
        ou=Aliases,o=$domain,dc=wlug,dc=org,dc=nz?mailAlias?base}}
</verbatim>

If my system receives mail to, say, <tt>daniel@wlug.org.nz</tt>, it will look for the DN given as:

<verbatim>
cn=daniel,ou=Aliases,o=wlug.org.nz,dc=wlug,dc=org,dc=nz
</verbatim>

and return the <tt>mailAlias</tt> attribute.

Between [Exim], SendMail, [Postfix] and Courier, [Exim] has been the easiest to set up with a custom [LDAP] [Schema] by far. SendMail supposedly supports it, but in practice doesn't. [Postfix] is SendMail with a pretty configuration file, and has worse support for custom [LDAP] [Schema]s [IMO]. [Exim] > *.

!! [Exim] 3

The above system will work with previous versions of [Exim], however the format might be slightly different (I have not confirmed this; I just base this on what I've done with [Exim] 3.3.5). The main difference is in the query line in the Aliases director example above:

<verbatim>
data = ${lookup ldap {ldap://10.0.0.1/cn=$local_part,\
        ou=Aliases,dc=compel,dc=co,dc=nz?rfc822MailMember?base}}
</verbatim>

I always used something that looked like:

<verbatim>
query = "ldap://127.0.0.1/ou=Aliases,o=$domain,ou=Domains,BASEDN?mailAlias?sub?cn=$local_part"
</verbatim>

but there are probably other ways of doing this too :)

!!! Delivering to [Cyrus]21 from [Exim] 3.3 ([Woody])

The mighty Cuchulain's config:

Transport: __NOTE:__ this __must__ be placed somewhere sensible in the transports list, ie, before any transports for procmail(1), <tt>userforward</tt>, or <tt>local_user</tt> delivery.

<verbatim>
local_delivery_cyrus:
  driver = pipe
  command = "/usr/sbin/cyrdeliver -m ${substr_1:${local_part_suffix}} -- ${local_part}"
  user = cyrus
  group = mail
  envelope_to_add = true
  return_output
  log_output
  prefix =
  suffix =
</verbatim>

Director:

<verbatim>
local_user_cyrus:
  driver = localuser
  transport = local_delivery_cyrus
</verbatim>

!!! Delivering to [Cyrus] from [Exim] 4.x

Exim 4.x has native [LMTP] support, so you don't need to pipe the mail to cyrus's deliver program. Instead, you can do the following. Note that the same rules about placing local_user_cyrus in a sensible place apply here as well!

Router:

<verbatim>
local_user_cyrus:
  debug_print = "R: local_user_cyrus for $local_part@$domain"
  driver = accept
  local_part_suffix = +*
  local_part_suffix_optional
  transport = cyrus_ltcp
</verbatim>

Transport:

<verbatim>
cyrus_ltcp:
  debug_print = "T: cyrus_ltcp for $local_part@$domain"
  driver = smtp
  protocol = lmtp
  hosts = carbon.meta.net.nz
  allow_localhost
</verbatim>

!!! Using MailDir format instead of [MBox]

This is for version 3.35 (the version with [Debian] [Woody]).
The default is to deliver local mail to <tt>/var/spool/mail/$USERNAME</tt> in [MBox] format. In the <tt>local_delivery</tt> section of <tt>exim.conf</tt>, remove the line that says

<verbatim>
file = /var/spool/mail/${local_part}
</verbatim>

and add lines that say

<verbatim>
create_directory = true
directory = /home/${local_part}/Maildir/
directory_mode = 770
maildir_format
</verbatim>

Easy peasy. :) But see the comment below about possible gotchas, as this is just the basic bit.

!!! [Exim] can deliver to Inbox but can't deliver to forwarded mailboxes (subfolders etc)

I have [Exim filtering|EximFilter] set up in a <tt>.forward</tt> file to drop all my [Email] into the right place. However, I was getting lots of messages like this in my logs:

<verbatim>
2003-04-21 19:38:04 196iGy-00005j-01 == /home/user/Maildir/.Mailing Lists.WLUG/ <user@localhost> D=userforward defer (-31): directory_transport unset in userforward driver
</verbatim>

The problem? <tt>exim.conf</tt> was set up for MailDir support, but for some reason the config for the directory delivery agent wasn't linked to the forwarding section. Ensure <tt>address_directory</tt> has <tt>Maildir</tt> uncommented, and then find the <tt>userforward</tt> section. Under <tt>file_transport = address_file</tt>, set

<verbatim>
directory_transport = address_directory
</verbatim>

and rerun the queue, forcing redelivery if necessary, with <tt>exim -qff</tt>.

!!! [Exim] 3 generates some message about unable to deliver due to a child process failure

This, when used in conjunction with [Cyrus] [IMAP], can be caused by trying to deliver to a mailbox which has reached its maximum quota limit. The exim_mainlog entry looks similar to the following:

<verbatim>
2004-01-08 11:08:12 1AeLqW-0007k0-00 == gerwin@north.pub.tla T=local_delivery_cyrus defer (0): Child process of local_delivery_cyrus transport returned 75 (could mean temporary error) from command: /usr/lib/cyrus-imapd/deliver
</verbatim>

!!! Configuring Exim4 with a virtual domain table/users in text files

(If you have multiple domains on the same machine, and users' account names don't correspond to their [Email] addresses.)

In the top section of your <tt>exim.conf</tt>

<verbatim>
domainlist local_domains = @ : \
                           @[] : \
                           localhost : \
                           partial-lsearch;/etc/exim/virtual.domains
</verbatim>

and underneath the part where it says something like

<verbatim>
real_local:
  driver = accept
  check_local_user
  local_part_prefix = real-
  transport = local_delivery
</verbatim>

add a section

<verbatim>
virtual:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part@$domain}lsearch*@{/etc/exim/virtual.users}}
  domains = partial-lsearch;/etc/exim/virtual.domains
  retry_use_local_part
</verbatim>

Now you will need a file called <tt>virtual.domains</tt> that is simply a list of all the domains for which you accept mail, and a <tt>virtual.users</tt> file with a table of users in the format:

<tt>virtual.domains</tt>::

<verbatim>
example.com
example.net
</verbatim>

<tt>virtual.users</tt>::

<verbatim>
#example.com
regularuser@example.com : localuser
forwardinguser@example.com : someuser@example.org
*@example.com : catchalluser

#example.net
regularuser@example.net : localuser2
forwardinguser@example.net : someuser2@example.org
*@example.net : catchall2
</verbatim>

--BlairHarrison

!!! Connections to [Exim] take a long time to work (Exim is slow to show the [SMTP] banner)

Check that your [DNS] and hosts(5) settings are correct, and that you can correctly resolve hosts on the server. If this all works as desired but connections are still slow, it could be an [IDENT] timeout. Try either setting:

<verbatim>
rfc1413_hosts = *
rfc1413_query_timeout = 0s
</verbatim>

or installing an [IDENT] server on the [Exim] machine.

!!! Testing a new transport on a live system

<tt>prefix = test-</tt> is your friend

!!! See also

* EximSmtpAuth
* EximFilter
* [INBOX Autocreate Cyrus Patch | http://email.uoa.gr/projects/cyrus/autocreate/]
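Returning to the virtual domain table above: the following is an added example, not code from this page, that emulates the <tt>lsearch*@</tt> search order the <tt>virtual</tt> router uses on <tt>virtual.users</tt> and lints the two tables against each other, so a table can be checked before it goes live. The domain check models only an exact match in <tt>virtual.domains</tt>, not partial-lsearch suffix matching; that simplification is an assumption of the example.

```python
# Added example, not from the wiki page: emulates the lsearch*@ lookup that the
# "virtual" redirect router performs on virtual.users, and lints the tables.
import re

# Constructed copies of the page's two table files.
VIRTUAL_DOMAINS = "example.com\nexample.net\n"
VIRTUAL_USERS = """\
#example.com
regularuser@example.com : localuser
forwardinguser@example.com : someuser@example.org
*@example.com : catchalluser

#example.net
regularuser@example.net : localuser2
forwardinguser@example.net : someuser2@example.org
*@example.net : catchall2
"""

def parse_lsearch(text):
    """lsearch file: the key ends at a colon or whitespace; '#' lines and blank
    lines are ignored; the first line with a given key wins, as in Exim."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^\s:#]+)\s*:?\s*(.*?)\s*$", line)
        if m and m.group(1) not in table:
            table[m.group(1)] = m.group(2)
    return table

def lsearch_star_at(table, key):
    """Exim's lsearch*@ order: the key itself, then *@domain, then a bare *."""
    candidates = [key]
    if "@" in key:
        candidates.append("*@" + key.rsplit("@", 1)[1])
    candidates.append("*")
    return next((table[c] for c in candidates if c in table), None)

USERS = parse_lsearch(VIRTUAL_USERS)
DOMAINS = parse_lsearch(VIRTUAL_DOMAINS)

def route_virtual(address):
    """Data the 'virtual' router would redirect to, or None when it declines."""
    domain = address.rsplit("@", 1)[1]
    if domain not in DOMAINS:   # the router's domains= condition (exact match only;
        return None             # partial-lsearch suffix matching is not modelled)
    return lsearch_star_at(USERS, address)

def lint_tables(users_text, domains_text):
    """Keys whose domain is missing from virtual.domains: such mail is never local."""
    domains = parse_lsearch(domains_text)
    return sorted(k for k in parse_lsearch(users_text)
                  if "@" in k and k.rsplit("@", 1)[1] not in domains)
```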
!!! Alternative Method

Another method of Exim and Cyrus-IMAP integration is described at [Exim and LMTP callouts to Cyrus | http://anfi.homeunix.net/exim/rtvcyrus.html]. It allows the existence of the cyrus mailbox to be checked *before* replying to "RCPT TO:" or "MAIL FROM:", so Exim does not have to send back bounces in reply to "dictionary recipient" spam. It is best suited for integration with [Cyrus-IMAP virtual domains | http://asg.web.cmu.edu/cyrus/download/imapd/install-virtdomains.html]. The method is also described in the [Cyrus Imap page of Exim Wiki | http://www.exim.org/eximwiki/CyrusImap].

!!! Implementing [SPF] in [Exim] 4 using [exiscan-acl | http://duncanthrax.net/exiscan-acl/]

Section 8 of the [exiscan-acl patch documentation | http://duncanthrax.net/exiscan-acl/exiscan-acl-spec.txt] explains how to do it if you've compiled [SPF] into [Exim]. Otherwise, you can do so via the [Mail::SPF::Query | http://search.cpan.org/dist/Mail-SPF-Query/] [Perl] module. [Appendix A.7 | http://slett.net/spam-filtering-for-mx/exim-spf.html] of [Spam Filtering for Mail Exchangers | http://slett.net/spam-filtering-for-mx/] shows both approaches.

http://www.meini.org/spf/ contains [Debian] [Package]s for the [Mail::SPF::Query | http://search.cpan.org/dist/Mail-SPF-Query/] and [Net::CIDR::Lite | http://search.cpan.org/dist/Net-CIDR-Lite/] modules and for [libspf | http://www.libspf.org/]. The packaged libspf version is pretty old though; you might consider installing from SourceCode. You'll also need [Net::DNS | http://search.cpan.org/dist/Net-DNS/], for which a [Debian] package can be found at [http://www.proesdorf.de/debian/]. Alternatively you could take [Evan's deb packages|http://evanjones.ca/software/libspf-alt-debian.html], substitute the newer code of [libspf2|http://libspf2.org/download.html], and build some new libspf2 packages.

!!! Useful Exim4 Mail Proxy tweaks.
If you have Exim4 configured as a mail proxy in front of, say, MS Exchange, or another Active Directory based email server, you may find the following useful to either limit spam, or transition from a "catchall" domain setup. Note that these two configurations are mutually exclusive.

This first config fragment provides the ability to reject nonexistent email addresses at SMTP time. This first stanza belongs in the main configuration, and simply defines the LDAP lookup macro. You will need to create the "MTA Auth" user in AD: copy Guest and enable it. Don't forget to set the IP address of the AD server correctly. Note that port 3268 is used. AD geeks will recognise this as the Global Catalog port, and it means you are asking the AD Forest, rather than just a particular server. If you don't want this, or your server isn't a GC server, just use port 389.

<verbatim>
ITP_LDAP_AD_MAIL_RCPT = \
  user="CN=MTA\ Auth,CN=Users,DC=site,DC=example,DC=co,DC=nz" \
  pass=gand4lf \
  ldap://10.7.31.10:3268/DC=site,DC=example,DC=co,DC=nz\
  ?mail?sub?\
  (&\
    (objectClass=*)\
    (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
  )
</verbatim>

This belongs as the first router in the routers section. Change the domains to match ALL domains we accept mail for.

<verbatim>
adsi_itp_check:
  driver = redirect
  domains = *example.co.nz
  allow_fail
  allow_defer
  forbid_file
  forbid_pipe
  redirect_router = spam_redirect
  data = ${lookup ldap {ITP_LDAP_AD_MAIL_RCPT}\
           {${local_part}@${domain}}{:fail: User unknown}}
</verbatim>

The second fragment provides a "catchall" function for a domain. If an email address is not defined within a site, mail will be accepted and routed to the provided address (catchall@example.co.nz in this case). Please do not use this except as a transitory measure, as catchalls are inherently bad IMHO.
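The reject router's decision above, and the empty lookup result that the catchall behaviour relies on, as an added example that is not part of the page: it builds the filter from the ITP_LDAP_AD_MAIL_RCPT macro with the escaping that <tt>${quote_ldap:...}</tt> provides, and runs both decisions against a constructed in-memory directory standing in for AD. The directory entries, the addresses and the case-insensitive comparison are assumptions of the example, and Exim's additional URL-encoding of the quoted value is not reproduced.

```python
# Added example, not from the wiki page: the recipient filter the macro sends to
# AD, with quote_ldap-style escaping, and the two routers' decisions emulated
# against a constructed directory instead of a live Global Catalog query.
import re

def escape_filter(value):
    """RFC 4515 escaping of an assertion value, which is what quote_ldap does: a
    local part containing '*', '(', ')' or '\\' cannot change the filter's
    structure.  (Exim also URL-encodes the result because the filter sits inside
    an ldap:// URL; that step is left out here.)"""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def rcpt_filter(local_part, domain):
    """The filter from the macro: any object whose proxyAddresses holds the recipient."""
    return ("(&(objectClass=*)(proxyAddresses=SMTP:%s))"
            % escape_filter("%s@%s" % (local_part, domain)))

# Constructed directory: each entry's proxyAddresses and mail attribute.
DIRECTORY = [
    {"proxyAddresses": ["SMTP:alice@site.example.co.nz", "smtp:al@site.example.co.nz"],
     "mail": "alice@site.example.co.nz"},
    {"proxyAddresses": ["SMTP:sales@site.example.co.nz"],
     "mail": "sales@site.example.co.nz"},
]

def lookup_mail(local_part, domain):
    """Emulates the macro's ?mail?sub? lookup: the mail attribute of the first entry
    whose proxyAddresses contains SMTP:<recipient>, compared case-insensitively
    (AD matches this attribute that way), or '' when nothing matches."""
    wanted = ("SMTP:%s@%s" % (local_part, domain)).lower()
    for entry in DIRECTORY:
        if wanted in (a.lower() for a in entry["proxyAddresses"]):
            return entry["mail"]
    return ""

def adsi_itp_check(local_part, domain):
    """Reject router: the recipient itself when known, else the :fail: string."""
    if lookup_mail(local_part, domain):
        return "%s@%s" % (local_part, domain)
    return ":fail: User unknown"

def adsi_itp_catchall(local_part, domain):
    """Catchall router: its condition is true only when the lookup returns nothing."""
    if lookup_mail(local_part, domain) == "":
        return "catchall@example.co.nz"
    return None
```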
First, the lookup macro, as before.

<verbatim>
ITP_LDAP_AD_MAIL_RCPT = \
  user="CN=MTA\ Auth,CN=Users,DC=site,DC=example,DC=co,DC=nz" \
  pass=gand4lf \
  ldap://10.7.31.10:3268/DC=site,DC=example,DC=co,DC=nz\
  ?mail?sub?\
  (&\
    (objectClass=*)\
    (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
  )
</verbatim>

Now the catchall router:

<verbatim>
adsi_itp_catchall:
  driver = redirect
  domains = *example.co.nz
  redirect_router = spam_redirect
  condition = ${if eq{${lookup ldap {ITP_LDAP_AD_MAIL_RCPT}{${local_part}@${domain}}}}{} {yes}{no}}
  data = catchall@example.co.nz
</verbatim>

As nice as this solution is, it doesn't (in the above example) cater for Public Folders which are mail enabled. Greig informs me that you can modify the LDAP bind to do this, however. One way to do this is below:

<verbatim>
ldap_default_servers = <; server.test.lan:3268

LDAP_AD_MAIL_RCPT = \
  user="CN=ldap_user,OU=Users,DC=test,DC=lan" \
  pass=ilovegreig \
  ldap:///DC=test,DC=lan\
  ?mail?sub?\
  (&\
    (|\
      (objectClass=user)\
      (objectClass=publicFolder)\
      (objectClass=group)\
    )\
    (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
  )
</verbatim>

One issue I found was that I wasn't able to query the whole forest using port 389. I needed to use port 3268 (GC). More information can be found at http://www.exim.org/eximwiki/MsExchangeAddressVerification.

----
Part of CategoryMailNotes