===== Configuration =====

exim uses a single configuration file by default, ''/etc/exim/exim.conf''. The config file is well documented internally and will work without modification in many cases; however, we need to force all outbound mail via a Smart Host relay and also allow local delivery via a pipe to local accounts (for the junkmail user). To accomplish this we need to alter the order of one mail router and add another.

Exim handles its mail with a combination of Access Control Lists (ACLs), Routers and Transports. The drawing below outlines this:

{{:rb:exim-routertransport.gif |}}

An incoming mail is subjected to ACL checks to test whether the MTA can handle the mail. For an internet mail server, incoming mail will be checked to see if forward and reverse DNS agree, i.e. whether the sending server name matches its PTR record, and checks can also be done to see if the sending server is blacklisted in some way. If so, mail is declined at that point. As no mail has been accepted, there is no problem with undeliverable mail left on the system or backscatter.

<code>
begin routers

localuser:
  driver = accept
  local_parts = junkmail
# check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user

smarthost:
  driver = manualroute
  domains = *
  transport = remote_smtp
  route_data = mailhost.prod.wagerware.net
</code>

Local deliveries (that is, to users who have an account on the system) don't need a full email address, just a user name is enough, but as I want astringer@wagerworks to get to me, I don't want a local delivery even though I have a local account, so we add the line ''local_parts = junkmail''. This only tries to do a local delivery for the user "junkmail". junkmail's messages are accepted, but all others are declined and so get tested by the next router. junkmail's messages are passed by the localuser router to a transport which appends to the user's mail file in /var/spool/mail/.
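The following Python script is an added example (it is not part of this page and not Exim code) that models, in a deliberately simplified way, how the two routers above are tried in config-file order: a router whose ''local_parts'' or ''domains'' precondition does not match declines the address and the next router is tried, and the first router that matches wins. The ''Router'' class, the ''route()'' function and the "last ''cannot_route_message'' seen" bounce rule are assumptions of this model, not Exim's exact semantics.

```python
"""Simplified model of how Exim tries routers in order.

Added example, not Exim code: it models only the two preconditions the
page's routers use (local_parts and domains) and the rule that the first
router whose preconditions match accepts the address.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Router:
    name: str
    driver: str
    transport: str
    local_parts: Optional[Set[str]] = None  # None: no local_parts precondition
    domains: Optional[Set[str]] = None      # None: no domains precondition; "*" matches all
    route_data: Optional[str] = None        # manualroute target host
    cannot_route_message: Optional[str] = None

    def matches(self, local_part: str, domain: str) -> bool:
        """Every precondition that is configured must match, as on the page."""
        if self.local_parts is not None and local_part not in self.local_parts:
            return False
        if self.domains is not None and "*" not in self.domains and domain not in self.domains:
            return False
        return True


# The two routers from the page's "begin routers" section, in config-file order.
ROUTERS: List[Router] = [
    Router("localuser", "accept", "local_delivery",
           local_parts={"junkmail"}, cannot_route_message="Unknown user"),
    Router("smarthost", "manualroute", "remote_smtp",
           domains={"*"}, route_data="mailhost.prod.wagerware.net"),
]


def route(address: str, routers: List[Router] = ROUTERS) -> dict:
    """Return the router, transport and host that would handle ``address``.

    Routers are tried strictly in list order; one whose preconditions do not
    match declines and the next is tried.  If none accepts, the last
    cannot_route_message seen is used as the bounce reason (a simplification
    of Exim's real rule, assumed here for illustration).
    """
    local_part, _, domain = address.partition("@")   # bare "junkmail" has domain ""
    reason = "Unrouteable address"
    for router in routers:
        if router.cannot_route_message:
            reason = router.cannot_route_message
        if router.matches(local_part, domain):
            return {"router": router.name, "transport": router.transport,
                    "host": router.route_data}
    raise ValueError(f"{address}: {reason}")


if __name__ == "__main__":
    for addr in ("junkmail", "junkmail@gy-asp-web01", "astringer@wagerworks"):
        print(addr, "->", route(addr))
    # Reversing the order makes smarthost win for everything, junkmail included,
    # which is why localuser must be listed first.
    print("reversed:", route("junkmail", list(reversed(ROUTERS))))
```

Running it shows ''junkmail'' landing on ''local_delivery'' and every other address on ''remote_smtp'' towards the relay; with the list reversed, ''junkmail'' would leave the box via the smarthost too, which is the ordering mistake the text warns about.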
To use a mail relay (inet01) we need to add another Router. As routers are run in the order they are listed in the config file, the localuser router has to be the first router run, followed by the mail relay router. Since gy-asp-inet01 (or more accurately qmail's config) doesn't handle TLS very well, all TLS config is commented out:

<code>
#tls_advertise_hosts = *
#tls_certificate = /etc/pki/tls/certs/exim.pem
#tls_privatekey = /etc/pki/tls/private/exim.pem
</code>

===== TLS Configuration =====

In order to pass email securely, TLS is used to encrypt SMTP mail between servers (and between clients and servers, although this is not used here). As with https, a certificate is used to control the encryption process. For TLS use, a self-signed certificate seems adequate; the process below will generate one:

<code>
[root@gy-asp-web01 exim]# pwd
/etc/exim
[root@gy-asp-web01 exim]# openssl req -x509 -newkey rsa:1024 -keyout exim.key -out exim.crt -days 9999 -nodes
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:Guernsey
Locality Name (eg, city) [Newbury]:St Peter Port
Organization Name (eg, company) [My Company Ltd]:IGT Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gy-asp-web01
Email Address []:
[root@gy-asp-web01 exim]# ls -l
total 68
-rw-r--r-- 1 root mail 28471 Mar 16 12:26 exim.conf
-rw-r--r-- 1 root root  1090 Mar 16 12:43 exim.crt
-rw-r--r-- 1 root root   887 Mar 16 12:43 exim.key
-rw-r--r-- 1 root root 15575 Aug 25  2005 sa-exim.conf
-rw-r--r-- 1 root root  2777 Aug 25  2005 sa-exim_short.conf
</code>

Note that ''exim.key'' has been written with mode 0644, so any local account on the box can read the private key; tighten the permissions so that only root and the user Exim runs as can read it.

After generating the certificate, you can check the contents with:

<code>
[root@gy-asp-web01 exim]# openssl x509 -text -in exim.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Guernsey, L=St Peter Port, O=IGT Ltd, CN=gy-asp-web01
        Validity
            Not Before: Mar 16 12:43:27 2011 GMT
            Not After : Jul 31 12:43:27 2038 GMT
        Subject: C=GB, ST=Guernsey, L=St Peter Port, O=IGT Ltd, CN=gy-asp-web01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:b4:ad:f7:56:4a:35:b1:ba:11:1d:6e:5c:44:
                    ----edited----
                    ee:ed:d2:49:68:41:03:1b:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7E:8F:10:1D:1F:71:9A:E7:DD:EC:A7:DC:0B:51:1C:41:D5:7D:B8:7E
            X509v3 Authority Key Identifier:
                keyid:7E:8F:10:1D:1F:71:9A:E7:DD:EC:A7:DC:0B:51:1C:41:D5:7D:B8:7E
                DirName:/C=GB/ST=Guernsey/L=St Peter Port/O=IGT Ltd/CN=gy-asp-web01
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        24:21:85:fb:ad:e0:4e:42:c3:c6:89:66:f9:cc:ed:90:39:78:
        ----edited----
        43:73
-----BEGIN CERTIFICATE-----
MIIC9zCCAmCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBhMQswCQYDVQQGEwJHQjER
----Edited----
j+rGe++KPhr5JrsHtKy8otyKtD5iFPzgGA8ZaGimkc3uR1O4GEHcphdDcw==
-----END CERTIFICATE-----
[root@gy-asp-web01 exim]#
</code>

You can examine the key contents with:

<code>
[root@gy-asp-web01 exim]# openssl rsa -text -in exim.key
Private-Key: (1024 bit)
modulus:
    00:cf:b4:ad:f7:56:4a:35:b1:ba:11:1d:6e:5c:44:
    ----edited----
</code>

To enable TLS on your server, add the following lines to the ''/etc/exim/exim.conf'' file. A good place is just before the ACL section. The ''tls_advertise_hosts = *'' line tells exim to advertise TLS to all hosts; it is possible to control the use of TLS on a per-host basis, for instance if one host advertises TLS but its config is in fact broken, so it will never work. The last two lines specify the location of the certificate and key files to be used.

<code>
#Set up TLS info
tls_advertise_hosts = *
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key
</code>

===== Testing =====

exim writes its logs to ''/var/log/exim/main.log'' by default; a sample log sequence for one message is:

<code>
2011-01-28 08:40:23 1PijsV-00028F-RK <= root@gy-asp-db03.prod.wagerware.net U=root P=local S=695
2011-01-28 08:40:25 1PijsV-00028F-RK TLS error on connection to 172.27.200.50 [172.27.200.50] (SSL_connect): error:00000000:lib(0):func(0):reason(0)
2011-01-28 08:40:25 1PijsV-00028F-RK TLS session failure: delivering unencrypted to 172.27.200.50 [172.27.200.50] (not in hosts_require_tls)
2011-01-28 08:40:25 1PijsV-00028F-RK => ww-noc@igt.com R=smarthost T=remote_smtp H=172.27.200.50 [172.27.200.50]
2011-01-28 08:40:25 1PijsV-00028F-RK Completed
</code>

  * 1PijsV-00028F-RK is the message id
  * The 1st line shows the message is incoming (<=) from a local user (root)
  * TLS is being attempted because the remote end requests it, but we have TLS turned off
  * The 4th line shows the outbound status: it is a remote delivery and is being processed by the smarthost router, which uses smtp to deliver it to the remote host (H).
  * The last line is the important one; ''Completed'' signifies that the mail has been delivered successfully.
The ''exigrep'' utility can be used to search for a particular message:

<code>
[root@gy-asp-db03 mail]# exigrep 1PijsV-00028F-RK /var/log/exim/main.log
2011-01-28 08:40:23 1PijsV-00028F-RK <= root@gy-asp-db03.prod.wagerware.net U=root P=local S=695
2011-01-28 08:40:25 1PijsV-00028F-RK TLS error on connection to 172.27.200.50 [172.27.200.50] (SSL_connect): error:00000000:lib(0):func(0):reason(0)
2011-01-28 08:40:25 1PijsV-00028F-RK TLS session failure: delivering unencrypted to 172.27.200.50 [172.27.200.50] (not in hosts_require_tls)
2011-01-28 08:40:25 1PijsV-00028F-RK => ww-noc@igt.com R=smarthost T=remote_smtp H=172.27.200.50 [172.27.200.50]
2011-01-28 08:40:25 1PijsV-00028F-RK Completed
</code>

After enabling TLS, some different information is given:

<code>
2011-03-16 12:47:18 1Pzq8E-0000yV-AH <= root@gy-asp-web01.prod.wagerware.net U=root P=local S=378
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS error on connection to mailhost.prod.wagerware.net [172.27.200.50] (SSL_connect): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS session failure: delivering unencrypted to mailhost.prod.wagerware.net [172.27.200.50] (not in hosts_require_tls)
2011-03-16 12:47:18 1Pzq8E-0000yV-AH => andrew.stringer@igt.com R=smarthost T=remote_smtp H=mailhost.prod.wagerware.net [172.27.200.50]
2011-03-16 12:47:18 1Pzq8E-0000yV-AH Completed
</code>
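Both log extracts above end in ''Completed'', yet in both the message went to the relay in the clear after the TLS handshake failed, because the relay is "not in hosts_require_tls". The Python below is an added example (not this page's code, and not the real ''exigrep'' or exim) that does the two things a defender wants from ''main.log'': pull out one message's history by id the way ''exigrep'' does, and report every message that was ''Completed'' only after a "delivering unencrypted" fallback, together with the TLS error that caused it. ''SAMPLE_LOG'' is constructed from the log lines quoted on this page; the function names and the regular expressions are this example's own.

```python
"""Parse Exim main.log lines and flag deliveries that fell back to plaintext.

Added example, not exim or exigrep code.  SAMPLE_LOG is constructed from the
two message histories quoted on the page.
"""
import re
from collections import defaultdict

# "<date> <time> <message id> <rest>"; lines without a message id give no match.
LOG_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) (.*)$")
TLS_ERROR = re.compile(r"^TLS error on connection to \S+ \[[^\]]+\] \(\S+\): (.*)$")
TLS_FALLBACK = re.compile(
    r"^TLS session failure: delivering unencrypted to (\S+) \[([^\]]+)\] \((.*)\)$")
DELIVERY = re.compile(r"^=> (\S+) R=(\S+) T=(\S+) H=(\S+) \[([^\]]+)\]")

SAMPLE_LOG = """\
2011-01-28 08:40:23 1PijsV-00028F-RK <= root@gy-asp-db03.prod.wagerware.net U=root P=local S=695
2011-01-28 08:40:25 1PijsV-00028F-RK TLS error on connection to 172.27.200.50 [172.27.200.50] (SSL_connect): error:00000000:lib(0):func(0):reason(0)
2011-01-28 08:40:25 1PijsV-00028F-RK TLS session failure: delivering unencrypted to 172.27.200.50 [172.27.200.50] (not in hosts_require_tls)
2011-01-28 08:40:25 1PijsV-00028F-RK => ww-noc@igt.com R=smarthost T=remote_smtp H=172.27.200.50 [172.27.200.50]
2011-01-28 08:40:25 1PijsV-00028F-RK Completed
2011-03-16 12:47:18 1Pzq8E-0000yV-AH <= root@gy-asp-web01.prod.wagerware.net U=root P=local S=378
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS error on connection to mailhost.prod.wagerware.net [172.27.200.50] (SSL_connect): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS session failure: delivering unencrypted to mailhost.prod.wagerware.net [172.27.200.50] (not in hosts_require_tls)
2011-03-16 12:47:18 1Pzq8E-0000yV-AH => andrew.stringer@igt.com R=smarthost T=remote_smtp H=mailhost.prod.wagerware.net [172.27.200.50]
2011-03-16 12:47:18 1Pzq8E-0000yV-AH Completed
""".splitlines()


def parse_line(line):
    """Split a main.log line into (timestamp, message id, rest); None if no id."""
    m = LOG_LINE.match(line)
    return m.groups() if m else None


def exigrep(message_id, lines):
    """Same idea as the exigrep utility: every line belonging to one message."""
    out = []
    for ln in lines:
        parsed = parse_line(ln)
        if parsed and parsed[1] == message_id:
            out.append(ln)
    return out


def unencrypted_deliveries(lines):
    """Messages that were Completed after a 'delivering unencrypted' fallback.

    Each value records the TLS error, the host it fell back to, and the
    recipient/router/transport of the delivery, so the event can be alerted on.
    """
    msgs = defaultdict(dict)
    for ln in lines:
        parsed = parse_line(ln)
        if not parsed:
            continue
        ts, mid, text = parsed
        rec = msgs[mid]
        m = TLS_ERROR.match(text)
        if m:
            rec["tls_error"] = m.group(1)
            continue
        m = TLS_FALLBACK.match(text)
        if m:
            rec["fallback_host"], rec["fallback_ip"], rec["reason"] = m.groups()
            rec["fallback_at"] = ts
            continue
        m = DELIVERY.match(text)
        if m:
            rec["recipient"], rec["router"], rec["transport"], rec["host"], rec["ip"] = m.groups()
            continue
        if text == "Completed":
            rec["completed"] = True
    return {mid: rec for mid, rec in msgs.items()
            if "fallback_host" in rec and rec.get("completed")}


if __name__ == "__main__":
    for mid, rec in unencrypted_deliveries(SAMPLE_LOG).items():
        print(f"{mid}: {rec['recipient']} via {rec['fallback_host']} in clear "
              f"({rec['reason']}); TLS error: {rec['tls_error']}")
```

Run against the page's two extracts it flags both message ids, which is the point: ''Completed'' only tells you the relay took the message, not that it travelled encrypted. If clear-text delivery to the relay is not acceptable, the fix is on the Exim side rather than in the log parser: list the relay in the ''remote_smtp'' transport's ''hosts_require_tls'', and Exim will defer the message instead of falling back when the handshake fails.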