Part Three: Configuring Exim to accept and deliver mail, and for secure outbound SMTP mail, including OSX connectivity

This is the third part of the tutorial on installing a mail server; refer to the overview, or hit the tutorials menu at the top and look at the mail server tutorial category.

In this section I explain how to install Exim on the vanilla virtual machine.  Exim accepts mail from the outside world and delivers it to your mailbox on the local server, and accepts SMTP mail from you and sends it to the outside world.  The acceptance of SMTP mail from you needs to be secured, as unsecured SMTP servers can be used by spammers to send spam.

There are a handful of decisions that need to be made, and settings that need to be configured, in the setup of Exim:

  • How you’ll authenticate users.  I’m choosing to require each user to have a Linux logon to the server, which makes the authentication reasonably easy to set up, but does require that each user has an account on this machine.  This works fine for a small home server; for something larger you’d probably want to look at LDAP.  On my personal install I actually use NIS+ to synchronise users across my machines; I’m not going through the setup for that here.
  • Where mail will be stored.  In general the options are /var/mail or /home/<user>.  Since I’m requiring each user to have their own account on this machine anyway, I may as well use /home/<user>.  If you were using LDAP for your users you might make a different choice.
  • What format mail should be stored in.  The original Unix format was mbox, in which each folder is a single file.  Whilst it has indexes and the like for performance, it just feels to me like a single file for your mailbox is going to lead to trouble.  The newer format is Maildir, where each folder is a directory and each message a file in that directory.  This seems better to me, so I’ve used it.  Note there are other, less standard, formats available.  Since the format we use needs to be valid for both Exim and Dovecot, I’m sticking to the standard formats.

So, let’s get on to the install.

Firstly, you need a freshly installed virtual server that has a base Debian install with the only extra service being ssh.  If you haven’t done this yet, refer to part two of this tutorial here.

SSH into the new server; for all the instructions I’m assuming you’re logged on as root.  If you’re a more diligent system administrator than I (or on Ubuntu) you may need to prefix most of these commands with ‘sudo’.

Then install some base software that I think we should have – ntp to provide an accurate time source, and sudo to allow super user access.

  aptitude install ntp sudo

Next, install exim and some packages to permit testing and verification:

  aptitude install exim4 sasl2-bin swaks libnet-ssleay-perl

Configure the base Exim settings:

  dpkg-reconfigure exim4-config

For the settings, we want:

  • internet site
  • For system mail name, I normally use my root domain.  So if my server is mail.example.com, the system mail name would be just example.com
  • Set the IP addresses to listen on to blank
  • Set other destinations for which mail is accepted to your domain name, such as example.com (I think blank would also work)
  • Leave domains to relay mail blank
  • Unconditionally relay mail (smarthost).  I use my mail server as a smarthost for all my local machines, so I enter 192.168.1.0/24, which accepts any machine on my local network.  Your local network may not be addressed in the 192.168.1.x range, so configure as appropriate for your network
  • Dial-on-demand = no
  • Maildir format in home directory
  • Split configuration = no

Although we haven’t finished our configuration yet, we’re now far enough through that we can test that exim is listening for outbound SMTP mail, which verifies that we’ve done our configuration correctly up to this stage:

 telnet 192.168.1.xx 25  # can't use the machine name - mail - as that resolves to 127.0.0.1
 ehlo xxx                # looking for 250-STARTTLS in the response - won't be there yet
 quit

Next, we want to configure things so that all connections from the outside world that try to send mail must use TLS and a username/password.  We’re using saslauthd to provide the authentication service; we enable it by editing /etc/default/saslauthd, changing:

 START=yes

and then executing

 /etc/init.d/saslauthd start

Next, we set up TLS for the SMTP service.  The base instructions I started with are at http://wiki.debian.org/Exim.

Generate a self-signed certificate that we can use to identify this server (note that all your mail clients will complain about this being self-signed, so you’ll need to accept a security exception in each mail client; you could instead spend money on a commercial certificate…):

  /usr/share/doc/exim4-base/examples/exim-gencert

When generating the certificate, set the domain name to just the externally visible part – so set to example.com, not mail.example.com.

Edit /etc/exim4/exim4.conf.template, and uncomment the following block:

  login_saslauthd_server:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    # don't send system passwords over unencrypted connections
    server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
    server_set_id = $auth1
    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
    server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
    .endif

Create (or edit if it exists) /etc/exim4/exim4.conf.localmacros, and add the line

 MAIN_TLS_ENABLE = true

Add the exim user to the sasl group, so that Exim is allowed to talk to the saslauthd socket:

  adduser Debian-exim sasl

Once done:

 update-exim4.conf
 /etc/init.d/exim4 restart

Check again using telnet; this time you should see 250-STARTTLS in the response:

 telnet 192.168.1.xx 25  # can't use the machine name - mail - as that resolves to 127.0.0.1
 ehlo xxx                # looking for 250-STARTTLS in the response - should now be there
 quit
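As an added example (not from the original post), here is a small shell script that does the same EHLO check as the two telnet sessions above, but mechanically: it reads an EHLO reply and reports whether STARTTLS is offered, and whether AUTH is being advertised before the session is encrypted, which is the property the server_advertise_condition line in the authenticator exists to guarantee.  The three sample replies are constructed, and probe_ehlo assumes netcat (nc) is installed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an SMTP EHLO reply
# for the two properties this configuration is meant to produce.

# Constructed EHLO replies, modelled on the two telnet checks in the text:
# before MAIN_TLS_ENABLE is set, and after it.
EHLO_BEFORE_TLS='250-mail.example.com Hello xxx [192.168.1.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250 HELP'

EHLO_AFTER_TLS='250-mail.example.com Hello xxx [192.168.1.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP'

# Constructed reply showing what AUTH_SERVER_ALLOW_NOTLS_PASSWORDS would do:
# the LOGIN authenticator offered on a plaintext session.
EHLO_AUTH_IN_CLEAR='250-mail.example.com Hello xxx [192.168.1.10]
250-SIZE 52428800
250-STARTTLS
250-AUTH LOGIN
250 HELP'

# audit_ehlo: read an EHLO reply on stdin and report what it advertises.
# Exit status: 0 = STARTTLS offered and no AUTH in the clear (what we want)
#              1 = STARTTLS not offered (TLS not enabled yet)
#              2 = AUTH offered before TLS (passwords would cross the wire unencrypted)
audit_ehlo() {
    reply=$(cat)
    has_starttls=0
    has_auth=0
    # Each line of a multi-line reply is "250-KEYWORD ..." or, for the last, "250 KEYWORD".
    for kw in $(printf '%s\n' "$reply" | sed -n 's/^250[- ]\([A-Z0-9]*\).*/\1/p'); do
        case "$kw" in
            STARTTLS) has_starttls=1 ;;
            AUTH)     has_auth=1 ;;
        esac
    done
    if [ "$has_auth" -eq 1 ]; then
        echo "AUTH advertised on a plaintext session - check AUTH_SERVER_ALLOW_NOTLS_PASSWORDS"
        return 2
    fi
    if [ "$has_starttls" -eq 0 ]; then
        echo "STARTTLS not advertised - MAIN_TLS_ENABLE is not in effect yet"
        return 1
    fi
    echo "OK: STARTTLS advertised, AUTH withheld until the session is encrypted"
    return 0
}

# probe_ehlo HOST [PORT]: send EHLO to a live server and audit the reply.
# Assumes netcat (nc) is installed; the tutorial does this by hand with telnet.
probe_ehlo() {
    host=$1
    port=${2:-25}
    printf 'EHLO xxx\r\nQUIT\r\n' | nc -w 5 "$host" "$port" | audit_ehlo
}
```

Run `probe_ehlo 192.168.1.xx` before and after the MAIN_TLS_ENABLE step: the first run should exit 1, the second 0.  An exit status of 2 at any point means the LOGIN authenticator is reachable without encryption.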

Next, we try to actually sign on to the server using swaks:

  swaks -a -tls -q AUTH -s 192.168.1.xx -au

This should give you a response that includes near the end:

  <~  235 Authentication succeeded

If you get errors, consult /var/log/exim4/mainlog; typically there will be some useful information in there.

Update your external firewall to forward SMTP connections to your new mail server – that is, redirect port 25 to this IP address.

Your server now accepts mail; next it needs to forward that mail on to the outside world.  To do this, you set up /etc/exim4/passwd.client with lines like:

  smtp.<isp>:<user>@<domain>:<password>
  smtp.isp.com.au:paul@example.com:password

Add a row for each user that can send mail, although it’s not clear to me whether we need separate users for each outbound mailbox, or whether we just need a logon to our ISP.
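Added example, not part of the original tutorial: since passwd.client holds your ISP credentials in plain text, it is worth checking both that every line has the three-field host:login:password shape shown above and that the file is not world-readable (on Debian it is expected to be owned root:Debian-exim with mode 640).  The sample contents below are constructed with placeholder credentials, and the check assumes passwords contain no ':' characters.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check an Exim
# passwd.client file before relying on it.
# Assumption: the three-field host:login:password format shown in the
# tutorial; a password containing ':' would be flagged by this simple check.

# Constructed sample contents (placeholder credentials, not real ones).
SAMPLE_GOOD='# smarthost credentials
smtp.isp.example:paul@example.com:CHANGEME-password
*:paul@example.com:CHANGEME-password'
SAMPLE_BAD='smtp.isp.example:paul@example.com
smtp.isp.example::CHANGEME-password'

# check_passwd_client_format FILE: print each malformed line; return 1 if any.
check_passwd_client_format() {
    f=$1
    bad=0
    while IFS= read -r line; do
        # skip blank lines and comments
        case "$line" in ''|'#'*) continue ;; esac
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nf" -ne 3 ]; then
            echo "malformed (expected host:login:password): $line"
            bad=1
            continue
        fi
        host=${line%%:*}
        rest=${line#*:}
        login=${rest%%:*}
        pw=${rest#*:}
        if [ -z "$host" ] || [ -z "$login" ] || [ -z "$pw" ]; then
            echo "empty field in: $line"
            bad=1
        fi
    done < "$f"
    return $bad
}

# check_passwd_client_perms FILE: return 1 if "other" can read the file.
check_passwd_client_perms() {
    f=$1
    if [ -n "$(find "$f" -perm -o+r)" ]; then
        echo "$f is world-readable; on Debian it should be root:Debian-exim, mode 640"
        return 1
    fi
    return 0
}

# check_passwd_client [FILE]: run both checks, defaulting to the real file.
check_passwd_client() {
    f=${1:-/etc/exim4/passwd.client}
    check_passwd_client_format "$f" && check_passwd_client_perms "$f"
}
```

Run `check_passwd_client` on the server after editing the file; a non-zero exit means at least one line or the file mode needs fixing before Exim will use the credentials as intended.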

If you have a Mac OS X client that you want to connect to this, you still have a bit more setup to do.  The mail client on Mac OS X is rather ill-behaved, and gave me an enormous amount of grief.  My current settings, which appear to have been stable for a few weeks, were to add the following lines to /etc/exim4/exim4.conf.localmacros:

  gnutls_compat_mode=true
  gnutls_require_protocols = TLS1.0:SSL3

At this point, you should have a mail server that accepts mail from your local machines and delivers it to your mailbox(es), and that accepts outbound SMTP connections and delivers mail to your ISP for on-forwarding.
