Exim4

Exim4-LDAP 0.0.7 released

Exim4-LDAP 0.0.7 is a development release which fixes a lot of hidden bugs, clones the Qmail-LDAP individual account features more comprehensively, improves the documentation and coding style, and more. I am confident that the code is stable enough for wider testing by the community; download it now.

Spotlight changes include:

  • Add support for the Qmail-LDAP accountStatus attribute.
  • Add support for the Qmail-LDAP deliveryProgramPath attribute.
  • Activate home_directory in the transport, with relative path support.
  • Add LDAP_MAILROOT support for the case where homeDirectory is not absolute.
  • Debug the program pipe transport.
  • Add a sample LDIF for the demo user demo@example.com.
  • Document installation guidelines in INSTALL.

Please refer to /usr/share/doc/exim4-ldap/changelog.gz for the complete changelog. Changes since 0.0.5:


Exim4-LDAP 0.0.5 initial release

Exim4-LDAP is my latest development project. It is a Debian package that depends on exim4-daemon-heavy and slapd, and uses the Qmail-LDAP schema as its backend database schema for seamless migration. Unlike Qmail-LDAP, which requires manual source patching and compilation, Exim4-LDAP just defines additional authenticator/router/transport rules within configuration files. The ultimate goal of this research project is to integrate with Samba-LDAP-PAM (for both Windows/Linux single sign-on), RADIUS (for SSO to other services) and even other services such as webmail. The project is now hosted on SourceForge.net with a .deb available; download it now.

Here I will draft some simple installation guidelines which are not yet included in the source package documentation. I am now testing this on a newly installed Debian Lenny sandbox.


Temporary Exim4 SASL AUTH solution with LDAP-Samba-PAM/NSS + Courier authpam module

Recalling my previous Exim4 + Courier + SSL on Debian etch mini-HOWTO, Exim4 authentication should work fine without enabling the plain_courier_authdaemon and login_courier_authdaemon support. But the case becomes a bit more complicated with an LDAP-Samba-PAM/NSS setup: LDAP users can no longer be authenticated. Why, and what is going on?

Why does it not work?

By default, Debian's Exim4 already comes with AUTH PLAIN and AUTH LOGIN set up with a direct query on /etc/passwd or /etc/shadow, as follows (Beware! This is not at all the same as authenticating with PAM!):

plain:
  driver = plaintext
  public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  client_send = "<; ${if !eq{$tls_cipher}{}\
                    {^${extract{1}{:}{PASSWDLINE}}\
                     ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
                   }fail}"
.else
  client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
                    ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.endif

login:
  driver = plaintext
  public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  # Return empty string if not non-TLS AND looking up $host in passwd-file
  # yields a non-empty string; fail otherwise.
  client_send = "<; ${if and{\
                          {!eq{$tls_cipher}{}}\
                          {!eq{PASSWDLINE}{}}\
                         }\
                      {}fail}\
                 ; ${extract{1}{::}{PASSWDLINE}}\
                 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.else
  # Return empty string if looking up $host in passwd-file yields a
  # non-empty string; fail otherwise.
  client_send = "<; ${if !eq{PASSWDLINE}{}\
                      {}fail}\
                 ; ${extract{1}{::}{PASSWDLINE}}\
                 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
.endif

As LDAP users' information is now NOT stored within /etc/passwd and /etc/shadow, the above setup will certainly not work (because PASSWDLINE does not contain that information).

Possible solutions


Some possible solutions:

  1. Authenticate directly against the LDAP backend (reference: http://www.wlug.org.nz/EximSmtpAuth)
  2. Manually set up Exim4 with PAM authentication, since LDAP + PAM/NSS function correctly (reference: http://www.wlug.org.nz/EximSmtpAuth)
  3. Enable Exim4's plain_courier_authdaemon and login_courier_authdaemon support, since Courier's authpam module functions correctly (which also means LDAP + PAM/NSS function correctly)

Each setup comes with different PROS/CONS:

  1. Direct LDAP authentication: we can store even more information within LDAP, e.g. quota, vacation message, redirect, alias and so on, and therefore enrich Exim4's functionality; this method is the most ideal but the most complicated to set up.
  2. Manual PAM authentication: a bit simpler than the above, but only able to query authentication information and nothing else. There is no default Debian reference setup for it either.
  3. Authenticating through Courier: the simplest, as Debian already provides most of the reference setup; all we need to do is enable it.

Quick-and-dirty solution

Well... Long story short, as a quick and dirty solution, just enable Exim4's Courier authentication section as below:

# Authenticate against courier authdaemon
#
# This is now the (working!) example from
# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
#
# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
plain_courier_authdaemon:
  driver = plaintext
  public_name = PLAIN
  server_condition = \
    ${extract {ADDRESS} \
              {${readsocket{/var/run/courier/authdaemon/socket} \
              {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
              {yes} \
              fail}
  server_set_id = $auth2
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

login_courier_authdaemon:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = \
    ${extract {ADDRESS} \
              {${readsocket{/var/run/courier/authdaemon/socket} \
              {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
              {yes} \
              fail}
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

Then ensure Courier now authenticates with authpam:

authmodulelist="authpam"

Finally, give Exim4 access to query the Courier authdaemon socket:

chmod 755 /var/run/courier/authdaemon

That's all :D
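To check that the authdaemon socket is reachable and that authpam accepts a login before wiring it into Exim, here is an added Python helper of mine (not part of the Debian configuration, Exim or Courier) that sends the same request Exim's readsocket expansion builds above and judges the reply the same way the config's extraction of ADDRESS does. The socket path comes from the config above; the service name "exim", the 5-second timeout and the sample credentials in the docstrings are my assumptions.

```python
import socket

# Socket path taken from the Exim configuration above.
AUTHDAEMON_SOCKET = "/var/run/courier/authdaemon/socket"

def build_auth_request(user, password, service="exim"):
    """What Exim's readsocket sends: "AUTH <len>\\n" then the payload
    "<service>\\nlogin\\n<user>\\n<password>\\n", <len> = payload byte length
    (the config computes it with ${strlen:...})."""
    if "\n" in user or "\n" in password:
        raise ValueError("newline in credentials")  # would inject fields
    payload = f"{service}\nlogin\n{user}\n{password}\n".encode()
    return b"AUTH " + str(len(payload)).encode() + b"\n" + payload

def parse_auth_reply(reply):
    """authdaemon answers "FAIL\\n" on rejection, otherwise KEY=VALUE lines
    (ADDRESS, HOME, UID, GID, ...) closed by a line holding a single ".".
    Returns the fields, or None on rejection or a malformed reply; like the
    Exim config, a reply without ADDRESS counts as failure."""
    text = reply.decode("utf-8", errors="replace")
    if text.startswith("FAIL"):
        return None
    fields, terminated = {}, False
    for line in text.split("\n"):
        if line == ".":
            terminated = True
            break
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields if terminated and "ADDRESS" in fields else None

def probe_authdaemon(user, password, path=AUTHDAEMON_SOCKET):
    """Talk to the live socket the way Exim does and return the parsed reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        sock.connect(path)  # PermissionError here points at the chmod step
        sock.sendall(build_auth_request(user, password))
        reply = b""
        while not (reply.startswith(b"FAIL") or reply.endswith(b"\n.\n")):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_auth_reply(reply)

if __name__ == "__main__":
    import getpass
    print(probe_authdaemon(input("user: "), getpass.getpass()))
```

Run it as the system user Exim runs under, so the directory permission from the chmod step is exercised as well, not just the socket protocol.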


Exim4 SMTP relay through smarthost without TLS support on Debian Lenny

Similar to my previous approach with the GMail SMTP smarthost relay, I now try to use my own ISP's SMTP server as the relay. As HGC Broadband's SMTP server only allows port 25 with plain text authentication, with the default Debian setup I get the following error message:

2009-04-02 13:39:56 1LpFee-00055Y-1N ** someotherelse@gmail.com R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:<someone@example.com> SIZE=45837: host mail02.hgcbroadband.com [210.0.255.175]: 530 Authentication required

This happens even when everything is set up correctly with dpkg-reconfigure exim4-config and /etc/exim4/passwd.client. An important note from the Debian configuration file /etc/exim4/conf.d/auth/30_exim4-config_examples:

# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
# only allow these mechanisms over encrypted connections by default.
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.

So edit /etc/exim4/conf.d/main/03_exim4-config_tlsoptions and add this line at the top of the file:

AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true

Run dpkg-reconfigure exim4-config again and try to send email through HGC Broadband's SMTP server; all done :D
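To triage failure lines like the one quoted above from /var/log/exim4/mainlog, here is an added Python helper of mine (not from this post or from Exim) that splits a mainlog delivery line into its fields, pulls out the remote host and SMTP reply code, and attaches the remedy this post gives for a 530 and a 550. The sample log is constructed: its 530 line copies the one shown above, the other lines are made up.

```python
import re

# Constructed sample in Exim mainlog format: the 530 line mirrors the one
# quoted in the post; the other lines are made up for illustration.
SAMPLE_LOG = """\
2009-04-02 13:39:50 1LpFee-00055Y-1N <= someone@example.com U=someone P=local S=45837
2009-04-02 13:39:56 1LpFee-00055Y-1N ** someotherelse@gmail.com R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:<someone@example.com> SIZE=45837: host mail02.hgcbroadband.com [210.0.255.175]: 530 Authentication required
2009-04-02 13:40:03 1LpFef-00055Z-2P ** other@gmail.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [209.85.143.114]: 550-5.7.1 The IP you're using to send mail is not authorized
2009-04-02 13:41:10 1LpFeg-00055a-3Q => bob@example.com R=smarthost T=remote_smtp_smarthost H=smtp.example.net [192.0.2.10]
"""

# A mainlog line is: timestamp, message id, a flag (<= received, => delivered,
# ** delivery failed, == deferred), the address, then free-form detail.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\w+-\w+-\w+) "
    r"(?P<flag><=|=>|->|\*\*|==) (?P<addr>\S+)(?P<rest>.*)$")
HOST_RE = re.compile(r"\bhost (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<code>\d{3})")

# What the troubleshooting in this post says each reply code means.
HINTS = {
    "530": "smarthost demands AUTH: check /etc/exim4/passwd.client and, for a "
           "port-25 plain-text relay, AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS",
    "550": "remote server rejects direct delivery from this IP: relay through "
           "the ISP or Gmail smarthost instead",
}

def parse_line(line):
    """Split one mainlog line into fields; None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    rest = row.pop("rest")
    for key, pat in (("router", r"\bR=([^\s:]+)"), ("transport", r"\bT=([^\s:]+)")):
        found = re.search(pat, rest)
        row[key] = found.group(1) if found else None
    host = HOST_RE.search(rest)
    row.update(host.groupdict() if host else {"host": None, "ip": None, "code": None})
    row["hint"] = HINTS.get(row["code"], "")
    return row

def failed_deliveries(log_text):
    """Return the parsed '**' (delivery failed) lines, oldest first."""
    rows = (parse_line(line) for line in log_text.splitlines())
    return [r for r in rows if r and r["flag"] == "**"]

if __name__ == "__main__":
    for r in failed_deliveries(SAMPLE_LOG):
        print(r["id"], r["addr"], r["host"], r["code"], "->", r["hint"])
```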


Using Exim4 to send Messages through GMail on Debian Lenny

NOTE: For complete and latest version please refer to http://wiki.debian.org/GmailAndExim4

Background

My email server seems a bit crazy these days: both GMail and Yahoo! Mail block direct sends from my server for the following reason:

  hswong3i@gmail.com
    SMTP error from remote mail server after end of data:
    host gmail-smtp-in.l.google.com [209.85.143.114]:
    550-5.7.1 [x.x.x.x] The IP you're using to send mail is not authorized to
    550-5.7.1 send email directly to our servers. Please use the SMTP relay at your
    550-5.7.1 service provider instead. Learn more at http://mail.google
    550 5.7.1 .com/support/bin/answer.py?answer=10336 d4si2957764tib.28

When I check http://mail.google.com/support/bin/answer.py?answer=10336 it gives me the following reason:

In order to prevent spam, Gmail refuses mail when the sending IP address does not match the sending domain. To send mail from your server to Gmail, we suggest using the SMTP relay provided by your ISP. Please note that we are unable to whitelist IP addresses or otherwise make exceptions at this time.

First of all, I guess this is due to the use of a dynamic IP, with only forward DNS records (A/MX/CNAME) but no reverse record (PTR). Even if I update my own DNS server with a reverse record, no one else is able to discover it through the internet. So I have no way to prove my IP is under my control, and so cannot prove that I am not a spammer.

Secondly, I tried to use the SMTP relay from my own ISP. But as I am using HGC broadband, my username and password are required for the connection. OK, this is another issue and not my cup of tea :S

Finally, I tried to configure my Exim4 to send email through my own Gmail account. This should be the simplest, because it no longer depends on my internet connection, so I can change my ISP whenever I want. Here is the procedure for Debian Lenny.

Procedure for Debian Lenny

Run dpkg-reconfigure exim4-config with the following options:

  1. General type of mail configuration: mail sent by smarthost; received via SMTP or fetchmail
  2. System mail name: your SMTP FQDN, e.g. smtp.example.com
  3. IP-addresses to listen on for incoming SMTP connections: leave empty
  4. Other destinations for which mail is accepted: some FQDNs in your domain, e.g. example.com, *.example.com
  5. Domains to relay mail for: other servers in your domain, e.g. *.example.com
  6. Machines to relay mail for: your local subnet, e.g. 192.168.0.0/24
  7. IP address or host name of the outgoing smarthost: smtp.gmail.com::587
  8. Hide local mail name in outgoing mail? No
  9. Keep number of DNS-queries minimal (Dial-on-Demand)? No
  10. Delivery method for local mail: Maildir format in home directory
  11. Split configuration into small files? Yes

Next, edit /etc/exim4/passwd.client and add the following lines (Note: change the information accordingly):

gmail-smtp.l.google.com:yourAccountName@gmail.com:y0uRpaSsw0RD
*.google.com:yourAccountName@gmail.com:y0uRpaSsw0RD
smtp.gmail.com:yourAccountName@gmail.com:y0uRpaSsw0RD

Finally, run update-exim4.conf and everything should work fine (you may also run dpkg-reconfigure exim4-config again and double-check every setting). Try sending an email somewhere else and check your log in /var/log/exim4/mainlog.

Restriction

Well... the GMail SMTP server rewrites my mail sender (e.g. someone@example.com) into my GMail account (e.g. someotherelse@gmail.com)... This is not what I am really asking for... Well... So I will fall back to the ISP SMTP relay solution... Most likely they work on the same idea :D

Some other tips

Remember that Gmail uses port 587 + TLS for SMTP relay. Always check whether TLS support is enabled if you face any error.


Forward a message but still leave a copy on the server?

I am using Debian etch in production, plus Exim4 with per-user ~/Maildir support. Since I want to forward each user's messages to their own public email address for backup, the Procmail FAQ gives a useful example.

First of all, check whether your Exim4 supports ~/.procmailrc, which is usually already the case. Find the following code snippet in /etc/exim4/exim4.conf.template:

#####################################################
### router/700_exim4-config_procmail
#####################################################

procmail:
  debug_print = "R: procmail for $local_part@$domain"
  driver = accept
  domains = +local_domains
  check_local_user
  transport = procmail_pipe
  # emulate OR with "if exists"-expansion
  require_files = ${local_part}:\
                  ${if exists{/etc/procmailrc}\
                    {/etc/procmailrc}{${home}/.procmailrc}}:\
                  +/usr/bin/procmail
  no_verify
  no_expn

#####################################################
### end router/700_exim4-config_procmail
#####################################################

Working from Debian's procmail example (/usr/share/doc/procmail/examples/), just create a ~/.procmailrc as below:

# Please check if all the paths in PATH are reachable, remove the ones that
# are not. (The trailing "." puts the current directory on PATH; drop it if
# you do not need it.)

PATH=$HOME/bin:/usr/bin:/usr/ucb:/bin:/usr/local/bin:.
MAILDIR=$HOME/Maildir/
DEFAULT=$MAILDIR
LOGFILE=$MAILDIR/from
LOCKFILE=$HOME/.lockmail

# The "c" flag makes procmail work on a copy: the copy is forwarded ("!") to
# the address below, and the original still lands in DEFAULT.
:0c
! someone@example.com

Send an email to this user, check the mail log with tail -f -n 50 /var/log/exim4/mainlog and you will find that the message has already been forwarded to your target public email address, with a local copy saved :-)


Exim4 + Maildir + Procmail on Debian etch mini-HOWTO

What is Procmail? From Wikipedia (http://en.wikipedia.org/wiki/Procmail):

Procmail is a mail delivery agent (MDA) or mail filter, a program to process incoming emails on a computer, widely used on Unix systems. It is typically invoked from an MTA like Sendmail; this makes the mail processing event-driven. The companion-tool formail allows procmail to be used in batch-processing on mail that already is in your mailbox.

Common operations carried out with procmail include filtering and sorting of emails into different folders according to keywords in from, to, subject, text of the mail, or sending autoreplies, but more sophisticated operations are also possible.

A common practice is to let procmail call an external spam filter program, such as SpamAssassin. This method can allow for spam to be filtered or even deleted.

We can combine Procmail with Exim4 to filter mail with some extra rules and deliver incoming mail to other locations. Getting this working on Debian etch is not too difficult.

First of all, we need the Procmail package (you usually have it already):

apt-get install procmail

Then we need /etc/procmailrc, which defines the rules that will be applied. We can use the example as a reference:

cat /usr/share/doc/procmail/examples/3procmailrc > /etc/procmailrc

NOTICE!! This sample targets the mailbox format, so we need to make the following changes for Maildir support:

MAILDIR =       $HOME/Maildir/  # You'd better make sure it exists
DEFAULT =       $MAILDIR
#LOGFILE =      $MAILDIR/from
LOCKFILE=       $HOME/.lockmail

By default, Exim4 routes incoming mail to procmail if /etc/procmailrc exists, and transports it through procmail_pipe. You don't need any extra handling for this ;-)


Exim4 + Maildir + Mutt on Debian etch mini-HOWTO

It is not too difficult to get Maildir support under Exim4 on Debian etch; simply run:

dpkg-reconfigure exim4-config

and answer "Maildir format in home directory" when asked for "Delivery method for local mail".

The main point is this line in /etc/exim4/update-exim4.conf.conf:

dc_localdelivery='maildir_home'

On the other hand, while testing your Exim4 configuration, e.g.:

echo "my test" | mail -s "test message" root

you may also want to check whether the mail is actually delivered to your new Maildir.

Next is Mutt. The default Mutt settings only support the mailbox format, with a lossy layout. Users can customize their Mutt behaviour by editing ~/.muttrc. Thanks to Debian, we have a good example in /usr/share/doc/mutt/. Just run:

zcat /usr/share/doc/mutt/examples/sample.muttrc.gz > ~/.muttrc

and you will get a good template.

Also create your ~/.muttrc-local with the following lines to override the default settings with Maildir support:

set mbox_type=Maildir
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"

That's all! It's time to enjoy Mutt with your Maildir :)


Exim4 + Courier + SSL on Debian etch mini-HOWTO

Not everyone needs a complete virtual hosting email system: you may only want a simple email system on your personal server that lets you check your system log remotely. For this, you may want your email system to come with:

  1. Support both SMTP, SSMTP with authentication
  2. Support both POP3, POP3S, IMAP2, IMAPS

And that's all! This simple HOWTO will guide you through the detailed steps.


Exim4 + ClamAV + SpamAssassin + Greylistd on Debian etch mini-HOWTO

What if you want ClamAV and SpamAssassin with your Debian Exim4, but don't really want a complete virtual hosting email system with vexim? You may follow this simple guideline and set them up within 15 minutes :)

