Walkthrough: How to install an email-server (e.g. on a vserver) with debian 6.0
  -> snd/rcv mails by exim4
  -> virtual users by dovecot (imap server)

Goal (FIXME): Use vserver as tunnel endpoint and deploy arm-email-server at
home (DSL) behind NAT

Author: chf, your-name-here

--------------------------------------------------------------------------
READ
--------------------------------------------------------------------------

http://wiki.dovecot.org/HowTo/EximAndDovecotSASL
http://wiki.dovecot.org/HowTo/VirtualhostingWithExim
http://wiki.dovecot.org/AuthDatabase/PasswdFile

--------------------------------------------------------------------------
vserver setup
--------------------------------------------------------------------------

config DNS, reverse DNS, ... (FIXME)

--------------------------------------------------------------------------
install exim4
--------------------------------------------------------------------------

aptitude install exim4-daemon-heavy
dpkg-reconfigure exim4-config

  internet site; mail is sent and received directly using SMTP
  System mail name:
  IP-addresses to listen on for incoming SMTP connections:
  Other destinations for which mail is accepted: example-domain.org
  Domains to relay mail for:
  Machines to relay mail for:
  Keep number of DNS-queries minimal (Dial-on-Demand)?: N
  Split configuration into small files?: Y

so that /etc/exim4/update-exim4.conf.conf will be generated with these values:

  dc_eximconfig_configtype='internet'
  dc_other_hostnames=''
  dc_local_interfaces=''
  dc_readhost=''
  dc_relay_domains=''
  dc_minimaldns='false'
  dc_relay_nets=''
  dc_smarthost=''
  CFILEMODE='644'
  dc_use_split_config='true'
  dc_hide_mailname=''
  dc_mailname_in_oh='true'
  dc_localdelivery='mail_spool'

-----------------------
enable TLS
-----------------------

modify /usr/share/doc/exim4-base/examples/exim-gencert for a 4096 bit long
cert and execute it. It'll copy the self-signed cert/key accordingly.
create /etc/exim4/conf.d/main/000_localmacros and add:

  MAIN_TLS_ENABLE = 1

--------------------------------------------------------------------------
install dovecot
--------------------------------------------------------------------------

aptitude install dovecot-imapd

- add user and group vmail as no-login-able without a shell
- create dir /var/mail/vmail and set rights to vmail for this dir; this will
  hold all virtual users' imap-maildirs
- create a 4096 bit long cert with a modified version of
  /usr/share/doc/exim4-base/examples/exim-gencert and copy the generated
  server.crt and server.key to /etc/ssl/certs/dovecot.pem and
  /etc/ssl/private/dovecot.pem

--------------------------------------------------------------------------
create: /etc/dovecot/dovecot.conf
--------------------------------------------------------------------------

protocols = imap imaps managesieve
disable_plaintext_auth = yes
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl = required
mail_location = maildir:/var/mail/vmail/%u
mail_uid = vmail
mail_gid = vmail
mail_privileged_group = mail

protocol imap {
}

protocol managesieve {
}

protocol lda {
  #set file-rights for log accordingly
  #log_path = /var/log/dovecot-deliver-errors.log
  postmaster_address = root@example-domain.org
  hostname = example-domain.org
  mail_plugins = sieve
}

auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot/passwd
  }
  userdb passwd-file {
    args = /etc/dovecot/passwd
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = vmail
    }
    client {
      group = Debian-exim
      path = /var/run/dovecot/auth-client
      mode = 0660
    }
  }
}

plugin {
  sieve=/var/mail/vmail/%u/.dovecot.sieve
  sieve_dir=/var/mail/vmail/%u/sieve
}

--------------------------------------------------------------------------
create: /etc/exim4/conf.d/auth/35_exim4-config_dovecot
--------------------------------------------------------------------------

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  # setting server_set_id might break several headers in mails sent by
  # authenticated smtp. So be careful.
  server_set_id = $auth1

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

--------------------------------------------------------------------------
create: /etc/dovecot/passwd
--------------------------------------------------------------------------

testuser:{plain}add_super_secret_PASSWORD_here::::::
ant_hilde:{plain}add_super_secret_PASSWORD_here::::::
grandpa_john:{plain}add_super_secret_PASSWORD_here::::::

--------------------------------------------------------------------------
create: /etc/exim4/conf.d/router/860_exim4-config_dovecot
--------------------------------------------------------------------------

# Routers are evaluated in order of configuration.
# You will want to place this after the remote router and before the
# localuser router in the default configuration.
# If you want to allow + addressing (ie having an address extension)
# then uncomment the suffix stanzas
dovecot_router:
  driver = accept
  #local_part_suffix = +*
  #local_part_suffix_optional
  require_files = +/var/mail/vmail/${local_part}/
  #transport = dovecot_transport
  transport = dovecot_virtual_delivery

--------------------------------------------------------------------------
create: /etc/exim4/conf.d/transport/30_exim4-config_dovecot
--------------------------------------------------------------------------

# Transport to deliver any mail for which a dovecot user exists to the
# appropriate maildir box.
# Transport definitions are not order dependent - you just call a named
# transport.
dovecot_transport:
  driver = appendfile
  user = vmail
  group = vmail
  mode = 0600
  directory=/var/mail/vmail/${lc:$local_part}/
  maildir_format = true
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true

dovecot_virtual_delivery:
  driver = pipe
  #command = /usr/lib/dovecot/deliver -d $local_part@$domain -f $sender_address -c /etc/dovecot/dovecot.conf
  # v1.1+: command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address -a $original_local_part@$original_domain
  command = /usr/lib/dovecot/deliver -d $local_part -f $sender_address -a $original_local_part@$original_domain
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = vmail
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78

-----------------------
enable SPAMASSASSIN
-----------------------

aptitude install sa-exim spamassassin

edit /etc/exim4/sa-exim.conf and comment out SAEximRunCond to enable sa-exim
checks

-----------------------
CONFIGURE CLIENT
-----------------------

Receiving Email:
  IMAP Server: example-domain.org
  Username: testuser
  SSL-Encryption
  Authentication Type: Password

Sending EMail:
  SMTP Server: example-domain.org
  Username: testuser
  TLS-Encryption
  Authentication: PLAIN

Sieve:
  Port: 2000
  use strict rfc

example sieve script:

require ["fileinto"];
## Move spam to spam folder
if header :contains "X-Spam-Flag" ["YES"] {
  fileinto "spam";
  stop;
}
if header :contains "Subject" "Linux" {
  fileinto "s2";
}

you could maybe set up: http://wiki.dovecot.org/HowTo/RefilterMail

--------------------------------------------------------------------------
DOVECOT ANTISPAM --- DOES NOT WORK because we have virtual users FIXME
--------------------------------------------------------------------------

aptitude install dovecot-antispam   -- will be installed from backports
man dovecot-antispam

add mail_plugins = antispam to protocol imap {}, like this in
/etc/dovecot/dovecot.conf:

protocol imap {
  mail_plugins = antispam
}

Now we want to use "sa-learn" to mark mails as spam or ham. So we need the
folders SPAM and HAM for every user.
In the "plugin {}" section of /etc/dovecot/dovecot.conf we add the following
lines:

# antispam_debug_target = syslog
# antispam_debug_target = stderr
# antispam_verbose_debug = 1
antispam_backend = pipe
antispam_spam = SPAM
antispam_pipe_program = /usr/bin/sa-learn
antispam_pipe_program_spam_arg = --spam
antispam_pipe_program_notspam_arg = --ham
antispam_pipe_tmpdir = /tmp

--------------------------------------------------------------------------
KEEP IN MIND --- SUPPORTING OUTLOOK and THUNDERBIRD
--------------------------------------------------------------------------

from: /usr/share/doc/exim4-daemon-heavy/README.Debian.gz

  2.2.2. Enabling TLS support for Exim as server

  After this configuration, Exim will advertise STARTTLS when connected to
  on the normal SMTP ports. Some broken clients (most prominent example
  being nearly all versions of Microsoft Outlook and Outlook Express, and
  Incredimail) insist on doing TLS on connect on Port 465. If you need to
  support these, set

    SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

  in /etc/default/exim4 and "tls_on_connect_ports=465" in the main
  configuration section.
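A small auditing helper for the /etc/dovecot/passwd file created above, added here as an example and not part of the walkthrough: it parses the passwd-file layout the walkthrough uses (eight colon-separated fields, password carrying a {scheme} prefix), lists the entries stored with {plain}, and shows how to write the same entries with Dovecot's salted {SSHA} scheme instead. The sample file contents, user names beyond those on the page, and the fixed salt are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
# Dovecot passwd-file fields; the walkthrough leaves all but the first two empty.
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell", "extra")

def parse_passwd_file(text):
    """Parse passwd-file text into dicts, rejecting lines with a bad field count."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected %d fields, got %d" % (lineno, len(FIELDS), len(parts)))
        entry = dict(zip(FIELDS, parts))
        pw = entry["password"]  # "{SCHEME}value"; without a prefix default_pass_scheme applies
        entry["scheme"] = pw[1:pw.index("}")].upper() if pw.startswith("{") and "}" in pw else None
        entries.append(entry)
    return entries

def find_plaintext_entries(entries):
    """Users whose password is stored in clear text, as the walkthrough's sample file does."""
    return [e["user"] for e in entries if e["scheme"] in ("PLAIN", "CLEARTEXT")]

def ssha_hash(password, salt=None):
    """{SSHA} value as Dovecot reads it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Recompute the salted digest; the salt is whatever follows the 20-byte SHA-1."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    expected = hashlib.sha1(password.encode("utf-8") + blob[20:]).digest()
    return hmac.compare_digest(expected, blob[:20])

def make_entry(user, password, salt=None):
    """One passwd-file line: hashed password plus the six empty trailing fields."""
    return "%s:%s::::::" % (user, ssha_hash(password, salt))

# Constructed sample mirroring the walkthrough's file: a clear-text entry next to a hashed one
SAMPLE_PASSWD = "\n".join([
    "testuser:{plain}add_super_secret_PASSWORD_here::::::",
    make_entry("ant_hilde", "correct horse", salt=b"12345678"),  # fixed salt, not a real credential
])
```

Run find_plaintext_entries(parse_passwd_file(open("/etc/dovecot/passwd").read())) against the real file to see which users still have a {plain} entry; make_entry writes the replacement lines.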
--------------------------------------------------------------------------
EXTRA CHECKS
--------------------------------------------------------------------------

add CHECK_DATA_VERIFY_HEADER_SENDER = 1 to /etc/exim4/conf.d/main/000_localmacros

http://lists.alioth.debian.org/pipermail/pkg-exim4-users/2011-September/001970.html

On Mon, Sep 12, 2011 at 08:27:19AM +0200, Johann Spies wrote:
> Hallo Hans,
>
> On Sat, Sep 10, 2011 at 01:08:41PM +0200, Hans Ekbrand wrote:
> > Dear exim users,
> >
> > I want to reject mail when Reverse DNS lookup fails, currently I only
> > get a warning - like this:
> >
> > X-Host-Lookup-Failed: Reverse DNS lookup failed for 203.211.146.24 (failed)
> >
> > I have
> >
> > CHECK_RCPT_REVERSE_DNS = yes
> > CHECK_RCPT_SPF = yes
> >
> > in /etc/exim4/conf.d/main/00_local_options
> >
> > How do I configure exim to reject instead of warn?
>
> I did this to find the answer:
>
> % sudo rgrep CHECK_RCPT_REVERSE_DNS /etc/exim4
> /etc/exim4/exim4.conf.template: .ifdef CHECK_RCPT_REVERSE_DNS
> /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt: .ifdef CHECK_RCPT_REVERSE_DNS
> % vim /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
>
> You can change the 'warn' in the section where CHECK_RCPT_REVERSE_DNS is
> used to 'deny'

Thanks, Johann and Akihiro!