exim4:config

Differences

This shows you the differences between two versions of the page.

exim4:config [2016/11/23 09:57] peter
exim4:config [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Exim4 - Config ====== ====== Exim4 - Config ======
  
 +
 +http://networkgeekstuff.com/networking/tutorial-email-server-for-a-small-company-including-imap-for-mobiles-spf-and-dkim/
 TODO TODO
  
-===== Objectives ===== +Our mail server supports virtual accounts using the MySQL databaseSMTP-authentication and secure connection TLS SSL.
- +
-  * Check the sending host +
-    * greeting syntax session, +
-    * a domain name that matches the name and address, etc.  +
- +
-    * If an obvious error is found (invalid characters, trying to pass themselves off as other hosts, etc.) the email is not passed, otherwise the email is checked for a spam score; +
- +
-  * If the host or the sender is unknown or not included in the whitelist, triggered a delay, then greylist.  +
-    * The delay is calculated by the formula 15c + (the number dialed parrots 10),  +
-    * Greylisting add it to the grey list and sends the error "temporary problem" +
- +
-    * If the host is a normal relay, they will usually send the email again and get to the white list (Normal hosts are willing to wait and will retry after the delay.  Spammers on the otherhand usually won't wait as they want to send out as many emails as possible). +
- +
-  * The email is then checked.  +
-    * If it has prohibited file extensions in the attachments or contains a virus, it is dropped. +
-    * The email is then sent to Spamassassin, where the number of points scored there is multiplied by 2 and added to the total; +
- +
-  * Then the email is sent to the routers, which decides what to do with it:  +
-    * Send by SMTP,  +
-    * Put in a drawer, etc.  +
-    * and assign the appropriate email transport. <code> +
-The router with the groups - all interesting thing:  +
- +
-The group - it is something like an alias, but as long as it is not a private, only group members can write in it; +
-</code> +
- +
-  * Transports then carry out what they want from the routers; +
- +
-  * Separately, the system filter works; +
- +
-  * The total spam points adjusts the rules subject line to something like **SPAM [104 points]** or remove it entirely, depending on the settings each individual mailbox; +
  
  
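Review bot: the replacement sentence at the top of the hunk (`Our mail server supports virtual accounts using the MySQL databaseSMTP-authentication and secure connection TLS SSL.`) has lost the separator after `database`; it should read `Our mail server supports virtual accounts using a MySQL database, SMTP authentication and TLS/SSL encrypted connections.` More importantly, the deleted Objectives list was the only description in this diff of the mail flow that the later ACL and router hunks implement (HELO syntax checks, a delay plus greylisting for unknown or non-whitelisted hosts, dropping mail with prohibited attachment extensions or a virus, SpamAssassin points doubled into the total, routers choosing the transport, per-mailbox subject tagging such as `SPAM [104 points]`). Replacing it with a single external link leaves the configuration undocumented, so keep a cleaned-up version of that list next to the link (the delay formula `15c + (the number dialed parrots 10)` is unreadable as written and needs the intended formula restated, and `otherhand` should be `other hand`), and resolve or remove the standing `TODO`.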
Line 42: Line 13:
  
 <WRAP info> <WRAP info>
-You could always use a different user as the owner instead of using the **mail** user, and if so simply ensure that you adjust for all subsequent instructions in this setup.+**NOTE**: different user could be used as the owner instead of using the **mail** user account, and if so simply ensure that you adjust for all subsequent instructions in this setup.
  
 For example, you could create a different user account named exim: For example, you could create a different user account named exim:
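Review bot: the rewritten note at the top of the hunk drops the article and is inconsistent with the sentence that follows; read `**NOTE**: A different user could be used as the owner instead of the **mail** user account; if so, adjust all subsequent instructions in this setup accordingly.`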
Line 70: Line 41:
  
 <WRAP info> <WRAP info>
-Ubuntu usually has the **mail** user having:+**NOTE**:  Ubuntu usually has the **mail** user having:
  
   * a UID value of 8.     * a UID value of 8.  
Line 80: Line 51:
  
 ===== Create a certificate ===== ===== Create a certificate =====
 +
 +To use TLS / SSL create a certificate. 
 +
 +Create a certificate manually.  Within the /etc/exim4 directory run:
  
 <code bash> <code bash>
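Review bot: the added instruction `Within the /etc/exim4 directory run:` creates the certificate in /etc/exim4, but the main configuration hunk further down expects it at `/etc/ssl/certs/mail.pem` (`tls_certificate` and `tls_privatekey`); either run the command in that directory or add a step that moves the file there and sets its ownership and mode so that the embedded private key is readable only by the user Exim runs as. Also `TLS / SSL` is written with spaces around the slash here and as `TLS SSL` in the first hunk; pick one spelling.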
Line 87: Line 62:
 </code> </code>
  
-and fill in the fields.  Pay special attention to the field **Common Name (eg, YOUR name) []**, which should contain the DNS-name of the mail server.+<WRAP todo> 
 +Should this be 
 + 
 +openssl req -x509 **-sha256** -newkey rsa:4096 -keyout mail.pem -out mail.pem -days 9999 -nodes 
 +</WRAP> 
 + 
 +<WRAP alert> 
 +**ALERT**:  There are less than **9999** days left before the Unix / Linux 32-bit date wrap-around occurs.   
 + 
 +This can result in the days being calculated as a negative date.  It would be safer to use a more meaningful number of days. 
 +</WRAP> 
 + 
 +Fill in the following fields with any data you like (as this is purely a self-signed certificate) except for the **Common Name (eg, YOUR name) []** field where you need to enter the name of the server
 + 
 + 
 +Shows
  
 <code> <code>
-Country Name (2 letter code) [CA]: UA +Generating a 4096 bit RSA private key 
-State or Province Name (full name) [Quebec]: Kiev +............................................++ 
-Locality Name (eg, city) [Montreal]: Kiev +.............................................................................................................................++ 
-Organization Name (eg, company) [Open Network Architecture]: Internet Provider +writing new private key to 'exim.key' 
-Organizational Unit Name (eg, section) [Internet Department]: Network Operation Center +----- 
-Common Name (eg, YOUR name) []: jared.kiev.ua +You are about to be asked to enter information that will be incorporated 
-Email Address []: noc@jared.kiev.ua+into your certificate request. 
 +What you are about to enter is what is called a Distinguished Name or a DN. 
 +There are quite a few fields but you can leave some blank 
 +For some fields there will be a default value, 
 +If you enter '.', the field will be left blank. 
 +----- 
 +Country Name (2 letter code) [AU]:UK 
 +State or Province Name (full name) [Some-State]:Jersey 
 +Locality Name (eg, city) []:St. Helier  
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz 
 +Organizational Unit Name (eg, section) []:Tech 
 +Common Name (e.g. server FQDN or YOUR name) []:mail.sharewiz.net 
 +Email Address []:admin@sharewiz.net
 </code> </code>
  
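Review bot: the pasted terminal output in this hunk (`Generating a 4096 bit RSA private key`, `writing new private key to 'exim.key'`) was not produced by the command proposed in the todo (`-keyout mail.pem -out mail.pem`), so a reader following the page ends up with a different file than the one shown; regenerate the output from the final command or say which command produced it. On the open todo, passing `-sha256` explicitly is harmless and removes the dependency on whatever digest the installed OpenSSL defaults to, so resolve the todo by adding it. The alert about `-days 9999` is right that such an expiry lands after the 32-bit date wrap-around; pair it with a concrete recommendation (for example a 365 or 730 day lifetime, re-running the command at renewal) instead of only `a more meaningful number of days`. Finally, with `-keyout` and `-out` naming the same file the private key and certificate share one PEM, which matches the config but means `mail.pem` must not be world-readable.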
Line 138: Line 140:
 openssl ecparam -list_curves openssl ecparam -list_curves
  
-openssl rsa req -passin Pa551923w0rd -in 1_sharewiz.net.csr -noout -text+openssl rsa req -passin password -in 1_sharewiz.net.csr -noout -text
  
  
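Review bot: `openssl rsa req -passin password -in 1_sharewiz.net.csr -noout -text` is not a valid invocation: `rsa` and `req` are separate OpenSSL subcommands, and `-passin` expects a source such as `pass:<value>`, `env:<var>` or `file:<path>`, not a bare value. To print a CSR use `openssl req -in 1_sharewiz.net.csr -noout -text`; a CSR is not normally encrypted, so no `-passin` is needed at all. The change also shows that the previous revision published what looks like a literal credential (`Pa551923w0rd`) on a public wiki; if it was ever used anywhere it should be treated as exposed and rotated.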
Line 176: Line 178:
 ==== configure ==== ==== configure ====
  
-<code+<file bash configure
-configure:+######################################################################  
 +# Runtime configuration file for Exim #  
 +###################################################################### 
  
-  ################################################## ####################  +Include main settings. 
-  # Runtime configuration file for Exim #  +include /usr/local/etc/exim/100.main.conf
-  ################################################## #################### +
  
-  Inklyudim main settings +Include settings Greylisting. 
- .include /usr/local/etc/exim/100.main.conf+.include /usr/local/etc/exim/110.greylist.conf
  
- Inklyudim settings Greylisting +### ACL configuration for incoming mail. 
- .include /usr/local/etc/exim/110.greylist.conf+begin acl
  
- ### ACL configuration for incoming mail +Start ACL - "working" for the ACL Greylisting 
- begin acl+.ifdef USE_GREYLIST 
 +greylist_acl: 
 +.include /usr/local/etc/exim/200.acl-greylist.conf 
 +.endif
  
- Start ACL - "workingfor the ACL Greylisting +Verify the HELO. 
- .ifdef USE_GREYLIST+acl_check_helo: 
 +  accept hosts = +relay_from_hosts 
 +  drop condition = ${if match{$sender_helo_name}{MY_IP}{yes}{no} } 
 +  message   "Dropped spammer pretending to be us
 +  drop condition = ${if match{$sender_helo_name}{^[0-9]\.[0-9]\.[0-9]\.[0-9]}{yes}{no} } 
 +  message   = "Dropped IP-only or IP-starting helo" 
 +accept
  
- greylist_acl: 
- .include /usr/local/etc/exim/200.acl-greylist.conf 
  
- .endif+# These rules are triggered for each email. 
 +acl_check_rcpt: 
 +  warn set acl_c_lp = $local_part@$domain
  
- Verifying the HELO +  Acl_check_rcpt - checking the syntax is correct 
- acl_check_helo: +  .include /usr/local/etc/exim/400.acl-check-rcpt-syntax.conf
-  accept hosts = +relay_from_hosts +
-  drop condition = ${if match {$sender_helo_name} {MY_IP} {yes} {no}} +
-  message = "Dropped spammer pretending to be us" +
-  drop condition = ${if match {$sender_helo_name} {^ [0-9] \[0-9] \[0-9] \. [0-9]} {yes} {no}} +
-  message = "Dropped IP-only or IP-starting helo" +
- accept+
  
- These rules are triggered for each letter +  Acl_check_rcpt - anti-spam - Host and others. 
- acl_check_rcpt:+  .include /usr/local/etc/exim/410.acl-check-rcpt-spam.conf
  
- warn set acl_c_lp = $local_part @ $ domain+  # Acl_check_rcpt - black-lists, delays, etc. 
 +  .include /usr/local/etc/exim/420.acl-check-rcpt-end.conf
  
- # Acl_check_rcpt - checking the syntax is correct 
- .include /usr/local/etc/exim/400.acl-check-rcpt-syntax.conf 
  
- Acl_check_rcpt - anti-spam - Host and others+Check the message body
- .include /usr/local/etc/exim/410.acl-check-rcpt-spam.conf+acl_check_content:
  
- Acl_check_rcpt - black-lists, delays, etc. +  Include configuration message body check 
- .include /usr/local/etc/exim/420.acl-check-rcpt-end.conf+  .include /usr/local/etc/exim/500.acl-check-data.conf
  
- # Check the message body  
-  acl_check_content: 
  
- Inklyudim configuration message body check +What do we do with the mail. 
- .include /usr/local/etc/exim/500.acl-check-data.conf+begin routers
  
- What do we do with the mail +  Include router configuration 
- begin routers +  .include /usr/local/etc/exim/600.routers.conf
- # Inklyudim configuration routrerov +
- .include /usr/local/etc/exim/600.routers.conf+
  
- # Start transports - both deliver mail 
- begin transports 
- # Inklyudim transports 
- .include /usr/local/etc/exim/700.transports.conf 
  
- Configuration of repetition and rewriting +Start transports - Delivers the mail. 
- .include /usr/local/etc/exim/800.retry.conf+begin transports
  
- #begin rewrite+  Include transports. 
 +  .include /usr/local/etc/exim/700.transports.conf
  
- # Authentication section when sending emails. + 
- begin authenticators +# Configuration of repetition and rewriting. 
- # Authenticate users. +.include /usr/local/etc/exim/800.retry.conf 
- .include /usr/local/etc/exim/900.authenticators.conf  + 
-</code>+ 
 +#begin rewrite 
 + 
 + 
 +# Authentication section when sending emails. 
 +begin authenticators 
 +  # Authenticate users. 
 +  .include /usr/local/etc/exim/900.authenticators.conf  
 +</file>
  
  
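Review bot: converting this block to `<file bash configure>` stripped the comment markers and one include prefix, so the file as shown will not load: `Include main settings.`, `Start ACL - "working" for the ACL Greylisting`, `Verify the HELO.`, `Acl_check_rcpt - checking the syntax is correct`, `Acl_check_rcpt - anti-spam - Host and others.`, `Check the message body`, `Include configuration message body check`, `What do we do with the mail.`, `Include router configuration`, `Start transports - Delivers the mail.` and `Include transports.` all need a leading `#`, and `include /usr/local/etc/exim/100.main.conf` must be `.include /usr/local/etc/exim/100.main.conf` like the other includes. Inside `acl_check_helo` the first `message` modifier has neither `=` nor a closing quote (`message   "Dropped spammer pretending to be us`); write `message = "Dropped spammer pretending to be us"`. The HELO pattern `^[0-9]\.[0-9]\.[0-9]\.[0-9]` only matches single-digit octets, so most IP-literal HELOs slip past a check whose message says `Dropped IP-only or IP-starting helo`; `^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+`, wrapped in `\N...\N` so the expansion leaves the backslashes alone, expresses the stated intent. The old `Inklyudim` transliterations were correctly turned into `Include`, but `Acl_check_rcpt` keeps a capital A that does not match the ACL name `acl_check_rcpt`.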
Line 256: Line 262:
  
 <code> <code>
-  # Set the variables +# Set the variables. 
- MY_IP = 123.123.123.123 +MY_IP = 123.123.123.123 
- INTERNAL_IP = 192.168.1.2+INTERNAL_IP = 192.168.1.2 
 + 
 +# Settings Vexim. 
 +USE_SPF = true 
 +USE_AV = true 
 +USE_SPAMD = true 
 +USE_GREYLIST = true 
 +TLS = true 
 + 
 +# Whitelisting. 
 +hostlist whitelist_hosts = net-iplsearch; /usr/local/etc/exim/whitelist-hosts 
 +addresslist whitelist_sender = wildlsearch; /usr/local/etc/exim/whitelist-sender 
 + 
 +# In IPv6 we do not work. 
 +disable_ipv6 = true
  
- Settings Vexim +User and group from which will run the entire bundle. 
- USE_SPF true +exim_user exim 
- USE_AV true +exim_group mail
- USE_SPAMD = true +
- USE_GREYLIST = true +
- TLS = true+
  
- Whitelisting +There were mailings settings, do not use - no setup. 
- hostlist whitelist_hosts net-iplsearch; /usr/local/etc/exim/whitelist-hosts +MAILMAN_HOME = /usr/local/mailman 
- addresslist whitelist_sender wildlsearch; /usr/local/etc/exim/whitelist-sender+MAILMAN_WRAP = MAILMAN_HOME/mail/mailman 
 +MAILMAN_USER = exim 
 +MAILMAN_GROUP = mail
  
- In IPv6 we do not work +Enter the credentials to connect to the MySQL server.  
- disable_ipv6 true+# Word `hide`, first, means that when  
 +# Check config command call  
 +# Exim -bV config_file these data will not be displayed.  
 +# If without it - it will be shown ... Recording format:  
 +# Host / dbname / user / password 
 +hide mysql_servers localhost::(/tmp/mysql.sock)/mail/exim/8975f9i7vioyuhg
  
- User and group from which will run the entire bundle +Interfaces to listen. 
- exim_user exim +local_interfaces MY_IP
- exim_group = mail+
  
- # There were mailings settingsdo not use - no setup +# Host Name.  Used EHLO.  
- MAILMAN_HOME = / usr / local / mailman +Listed on the other pointsif they are not specified, the type qualify_domain and other ..  
- MAILMAN_WRAP = MAILMAN_HOME / mail / mailman +# If there are not found anything (comment out the line), then used that returns the uname () function. 
- MAILMAN_USER = exim +primary_hostname sharewiz.net
- MAILMAN_GROUP mail+
  
- Enter the credentials to connect to the MySQL server.  +Request for sampling Domain Information
-  # Word `hide`, first, means that when  +VIRTUAL_DOMAINS = SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1' AND domain = '${quote_mysql:$domain}' 
-  # Check config command call  +RELAY_DOMAINS = SELECT DISTINCT domain FROM domains WHERE type = 'relay'  AND domain = '${quote_mysql:$domain}' 
-  # Exim -bV config_file these data will not be displayed.  +ALIAS_DOMAINS SELECT DISTINCT alias FROM domainalias WHERE alias = '${quote_mysql:$domain}'
-  # If without it - it will be shown ... Recording format:  +
-  # Host / dbname / user / password +
- hide mysql_servers localhost :: (/tmp/mysql.sock) /mail/exim/8975f9i7vioyuhg+
  
- # Interfaces to listen +# Make a list of local domains.  Next, the list will appear in the form of + local_domains. 
- local_interfaces MY_IP+In this case, the domains are selected from the database MySQL.  Also, you can simply scroll through the colon. 
 +domainlist local_domains = @ : ${lookup mysql{VIRTUAL_DOMAINS}} : ${lookup mysql{ALIAS_DOMAINS}} 
 +domainlist relay_to_domains ${lookup mysql{RELAY_DOMAINS}}
  
- Host Name.  Used EHLO.  +List of trusted networks from which mail will go without a number of checks
-  # Listed on the other points, if they are not specified, the type qualify_domain and other ..  +hostlist   relay_from_hosts = localhost : MY_IP : 192.168.100.0/20 : 192.168.80.0/24
-  # If there are not found anything (comment out the line), then used that returns the uname () function +
- primary_hostname = sharewiz.net+
  
- Request for sampling Domain Information +Enter the name acl for checking mail. 
- VIRTUAL_DOMAINS SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1' AND domain = '${quote_mysql: $domain}' +acl_smtp_rcpt acl_check_rcpt 
- RELAY_DOMAINS SELECT DISTINCT domain FROM domains WHERE type = 'relay' AND domain = '${quote_mysql: $domain}' +acl_smtp_data acl_check_content 
- ALIAS_DOMAINS = SELECT DISTINCT alias FROM domainalias WHERE alias '${quote_mysql: $domain}'+acl_smtp_helo acl_check_helo
  
- Make a list of local domains Next, the list will appear in the form of + local_domains  +If the setting is said to check mail for viruses - connect
-  # In this case, the domains are selected from the database MySQL.  Also, you can simply scroll through the colon+.ifdef USE_AV 
- domainlist local_domains @${lookup mysql {VIRTUAL_DOMAINS}}: ${lookup mysql {ALIAS_DOMAINS}} +av_scanner clamd:/var/run/clamav/clamd.sock 
- domainlist relay_to_domains = ${lookup mysql {RELAY_DOMAINS}}+.endif
  
- # List of trusted networks from which mail will go without a number of checks 
- hostlist relay_from_hosts = localhost: MY_IP: 192.168.100.0/20: 192.168.80.0/24  
  
- Enter the name acl`ov for checking mail. +If the setting is said to check mail for spam - connect
- acl_smtp_rcpt = acl_check_rcpt +.ifdef USE_SPAMD 
- acl_smtp_data acl_check_content +spamd_address /var/run/spamd.sock 
- acl_smtp_helo = acl_check_helo+.endif
  
- # If the setting is said to check mail for viruses - connect 
- .ifdef USE_AV 
- av_scanner = clamd: /var/run/clamav/clamd.sock 
- .endif 
  
- # If the setting is said to check mail for spam - connect +# If the setting is said to work with support for SSL - connect. 
- .ifdef USE_SPAMD +.ifdef TLS 
- spamd_address = /var/run/spamd.sock + # SSL/TLS cert and key 
- .endif+ tls_certificate = /etc/ssl/certs/mail.pem 
 + tls_privatekey = /etc/ssl/certs/mail.pem 
 + # Advertise TLS to anyone 
 + tls_advertise_hosts = * 
 + tls_on_connect_ports=465 
 +.endif
  
- # If the setting is said to work with support for SSL - connect 
- .ifdef TLS 
-  # SSL / TLS cert and key 
-  tls_certificate = /etc/ssl/certs/mail.pem 
-  tls_privatekey = /etc/ssl/certs/mail.pem 
-  # Advertise TLS to anyone 
-  tls_advertise_hosts = * 
-  tls_on_connect_ports = 465 
- .endif 
  
- # Domain name is added to the local senders (real  +# Domain name is added to the local senders (real users of the system) that mail is sent from the root, will be from  
-  # Of users of the system) that  mail is sent from the root, will be from  +root@sharewiz.net.  If this item is not specified, then the hostname of `primary_hostname` is used
-  Root domen_ukazannyy_zdes.  If the item is not specified, it is used  +qualify_domain = sharewiz.net
-  # Hostname of `primary_hostname`. +
- qualify_domain = sharewiz.net+
  
- # Host Name for the situation, return to the previous one - is the domain name to be added to the e-mail  +# Host Name for the situation, return to the previous one - is the domain name to be added to the e-mail  
-  # Of system users, well and in general for the post, which came on the address type `root` etc ... +# Of system users, well and in general for the post, which came on the address type `root` etc ... 
   Eton # If the item is not specified then the value obtained from the preceding paragraph - `qualify_domain`   Eton # If the item is not specified then the value obtained from the preceding paragraph - `qualify_domain`
  qualify_recipient = sharewiz.net  qualify_recipient = sharewiz.net
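Review bot: `hide mysql_servers localhost::(/tmp/mysql.sock)/mail/exim/8975f9i7vioyuhg` publishes the MySQL credential for the `exim` database user on a public wiki page; as the surrounding comment itself explains, `hide` only keeps the value out of `exim -bV` output, it does nothing for the file on disk or for this page, so replace the value with a placeholder here and rotate the password if it is a live one. Separately, as rendered this hunk also lost the `#` on its comment lines (`User and group from which will run the entire bundle.`, `There were mailings settings, do not use - no setup.`, `Enter the credentials to connect to the MySQL server.`, `Interfaces to listen.`, `Listed on the other points, if they are not specified ...`, `Request for sampling Domain Information`, `In this case, the domains are selected from the database MySQL ...`, `List of trusted networks ...`, `Enter the name acl for checking mail.`, `If the setting is said to check mail for viruses - connect`, `If the setting is said to check mail for spam - connect`) and the `=` on a number of options (`exim_user exim`, `exim_group mail`, `hide mysql_servers ...`, `local_interfaces MY_IP`, `primary_hostname sharewiz.net`, `ALIAS_DOMAINS SELECT ...`, `domainlist relay_to_domains ...`, `acl_smtp_rcpt acl_check_rcpt`, `acl_smtp_data acl_check_content`, `acl_smtp_helo acl_check_helo`, `av_scanner clamd:...`, `spamd_address /var/run/spamd.sock`), none of which Exim will accept. Since `tls_privatekey` points at the same `mail.pem` as `tls_certificate` under `/etc/ssl/certs/`, a directory that is normally world-readable, state the required ownership and mode for that file next to the TLS block. The untranslated `Eton #` fragment on the `qualify_recipient` comment line is unchanged context here and should be cleaned up in a follow-up edit.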
Line 474: Line 481:
  system_filter_group = mail     system_filter_group = mail   
 </code> </code>
- 
  
 ==== 110.greylist.conf ==== ==== 110.greylist.conf ====
exim4/config.1479895070.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
