Exim
Exim is a versatile mail transfer agent. This article builds upon Mail server. While the Exim wiki provides some helpful how-tos on certain specific use cases, a detailed description of all configuration options is available as well.
Basic configuration
Exim comes with a bulky default configuration file which is located in /etc/mail/exim.conf. Many options in there are not necessary in a regular use case. By default configuration is done in a single file containing several chapters. Below is a very basic configuration, which provides: local delivers to system users (Maildir format) and authorized relaying to MX hosts. The description is based on a domain "mydomain.tld" served on a host "hostname.mydomain.tld". It is highly recommended to consult the official documentation before using the given documentation below.
Main parameters
Main parameters contain some basic options. Using solely those options would open ports for connections but still no mail would be accepted nor relayed anywhere.
# be the responsible mail host for hostname.mydomain.tld (@) & mydomain.tld domainlist local_domains = @ : mydomain.tld # we don't relay. Not for foreign domains nor for a single host domainlist relay_to_domains = hostlist relay_from_hosts = # serve the on all used ports daemon_smtp_ports = 25 : 465 : 587 # do a reverse name lookup for all incoming connections host_lookup = * # Logging: log all events, add syslog to logging path & avoid double entries log_selector = +all log_file_path = : syslog syslog_duplication = false # undeliverables: discard bounce messages after 2d and all others after 7 d ignore_bounce_errors_after = 2d timeout_frozen_after = 7d
TLS, security & authentication
To obtain a certificate, see OpenSSL#Usage.
The first part of the following options are still part of the first configuration section in Exim. Starting with "begin authenticators" the first special section in Exim configuration begins. There will be more such sections later. Below some very basic security related options are defined, TLS is set up & a plain text authenticator using a user password lookup is introduced.
Routing, transport & retry
For each recipient of a message routing is performed as follows: routers are tested in their order given in the routing section. For each router, conditions may apply (e.g. ). Only if all conditions apply, the message will be handed over to the defined transport (e.g. ). If transport fails or not all conditions of a router are fulfilled, the next router is tested.
begin routers # that's the relay router dnslookup: # the router type driver = dnslookup # the domains served on this router: not the local domain domains = ! +local_domains # the transport to be used (see transport section below) transport = remote_delivery # localhost is to be ignored if dns gives such result ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 # a router list is processed until matched and successful transported. # if transport fails, we don't want the next router to be used no_more # local delivery localuser: # the transport type - we accept the mail locally driver = accept # this router serves only our domains domains = +local_domains # use transport named local_delivery transport = local_delivery # in case local delivery fails cannot_route_message = Unknown local user begin transports remote_delivery: driver = smtp local_delivery: #deliver to a local mailbox driver = appendfile file = /var/mail/$local_part # if routing or transport fails, try again after this (default) ruleset begin retry # Address or Domain Error Retries # ----------------- ----- ------- * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
Use manualroute
If you want to use manualroute instead, comment out the dnslookup block and add the smarthost block.
#dnslookup:
# the router type
# driver = dnslookup
# the domains served on this router: not the local domain
# domains = ! +local_domains
# the transport to be used (see transport section below)
# transport = remote_delivery
# localhost is to be ignored if dns gives such result
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
# a router list is processed until matched and successful transported.
# if transport fails, we don't want the next router to be used
# no_more
smarthost:
driver = manualroute
domains = !+local_domains
transport = remote_delivery
route_list = * smtp.myisp.com # change to the desired smtp server
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
ACL: Access Control Lists
Access Control Lists are at the heart of Exim. They are required for basic checks and may be used for sophisticated message processing. In general the overall message processing in Exim is:
connection > (authentication >) ACL > routing > transport
With this it is important to note that messages coming from authenticated clients are treated (by default) by the same ACL as messages coming from other mail servers. Exim know a full set of different ACL. Good knowledge of the SMTP protocol is required to choose the correct set of ACL.
acl_smtp_connect > acl_smtp_helo > ... > acl_smtp_rcpt > ... > acl_smtp_data > ...
For a basic setup two ACL are mandatory: acl_smtp_rcpt and acl_smtp_data. These are default to deny while all other default to accept. The example below just prevents being an open relay. This setup has multiple security flaws (e.g. all authenticated users may use any mail address). If added to an existing configuration, it must be added before any other special section (i.e. before any existing "begin").
Hide machine name
If you have a laptop, or a machine in a smarthost configuration, where you do not want the name of the machine to appear in the outgoing email then you must enable exim's rewriting facilities.
In the Rewriting section you should have something like:
*@machine.mydomain $1@mydomain
where is the hostname of your laptop or PC and is the domain name of the machine and the outgoing mail. To rewrite only sender domain, add special flag (F) in the line end. See upstream document for detail
Startup
Start/enable the .
Dovecot LMTP delivery & SASL authentication
In this section the integration of Dovecot is described. It is assumed that Dovecot & Exim are already setup and configured. Dovecot will serve as SASL authenticator and local transport mechanism. For this purpose the Dovecot services will be setup as follows.
To use the Dovecot SASL in a TLS protected environment, add the following authenticator to Exim.
The existing router for local delivery can be reused. You may want to consider add a to the router definition. If DSN is used, Exim will assume final delivery of the message at this point. In the transport section the transport for local delivery must be replaced by the following transport definition.
/etc/mail/exim.conf - transports section
local_delivery: driver = lmtp socket = /var/run/dovecot/exim-lmtp batch_max = 200
verify = recipient/callout=no_cache will not work as expected, i.e. non-existent user accounts will not throw a failure. To accomplish a receipient check against Dovecot you must replace the driver above by a
driver = smtp protocol = lmtp port = 2525
The host is specified in the router, not the transport. Thus, the router must look like:
lmtp_router: driver = manualroute domains = +local_domains transport = local_delivery route_list = * 127.0.0.1 bynameFurthermore your Dovecot lmtp service must be adjusted accordingly. For example: here is a Git commit that fixes this exact issue.
Since Dovecot is configured to provide a unix socket for the exim user, you may harden your security by adding the following line to the main configuration section.
Using Gmail as smarthost
In the beginning of the exim conf file, you must enable TLS using
tls_advertise_hosts = +local_network : *.gmail.com
or to advertise tls to all hosts
tls_advertise_hosts = *
More information about TLS can be found in the exim documentation.
Add a router before or instead of the dnslookup router:
Add a transport:
Because of host verification, your exim log might contain
But this has no effect on mail-delivery and can be ignored. Add an authenticator (replacing myaccount@gmail.com and mypassword with your own account details):
is used for and hosts_require_tls instead of smtp.gmail.com to avoid occasional 530 5.5.1 Authentication Required errors. These are caused by the changing IP addresses in DNS queries for smtp.gmail.com. will expand to the particular IP address that was resolved by the router.
For added security, use a per-application password. This works with Google Apps accounts as well.
Hardening
Rate limits
Security breaches happen. In case you do not have any service that submits local mail (receiving mail from localhost on a port is not considered local submission), completely disable local submission. Do so by adding to the main section and add the following simple ACL to the acl section.
If local submission is required, consider imposing a rate limit to it. Do so by adding to the main section and adding the following ACL to the acl section. It imposes 2 rate limits: 20 mails in a single minute and 30 mails in 10 minutes. With this a burst of local submitted alerts are possible while
/etc/mail/exim.conf - acl section
acl_local: # apply a limit of 30 mails to the administrator for alerts submitted # by local services deny ratelimit = 30 / 1m / strict recipients = admin@mydomain.tld : root@hostname.mydomain.tld log_message = AL01: Sender rate limit for local submission \ exceeded: $sender_rate / $sender_rate_period. # apply a burst limit of 3 mails per minute to everyone else deny ratelimit = 3 / 1m / strict !recipients = admin@mydomain.tld : root@hostname.mydomain.tld log_message = AL02: Sender rate limit for local submission \ exceeded: $sender_rate / $sender_rate_period. # apply a regular limit of 10 mails per 30 minutes to everyone else deny ratelimit = 10 / 30m / strict !recipients = admin@mydomain.tld : root@hostname.mydomain.tld log_message = AL03: Sender rate limit for local submission \ exceeded: $sender_rate / $sender_rate_period. accept
Troubleshooting
451 Temporary local problem
If you are getting a "451 Temporary Local Problem" when testing SMTP, you are probably sending as root. By default Exim will not allow you to send as root.