Exim4 + Courier + SSL on Debian etch mini-HOWTO

Not everyone needs a complete virtual-hosting email system: you may only want a simple email system on your personal server so that you can check your system logs remotely. For this, you will want your email system to provide:

  1. SMTP and SSMTP (SMTP over SSL) with authentication
  2. POP3, POP3S, IMAP2 and IMAPS

And that's all! This simple HOWTO will guide you through the detailed steps.

Install required packages

apt-get update
apt-get install exim4-daemon-heavy courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl swaks libnet-ssleay-perl ssl-cert

Prepare your user account

First of all, we need a full picture of how a user is authenticated:

  1. The remote client sends an SMTP authentication request to Exim4.
  2. Exim4 makes an internal request for the authentication information to Courier (courier-authdaemon).
  3. courier-authdaemon uses its authentication backend to query the user information, e.g. PAM under a normal Debian Courier setup; for a multi-hosting server we would use MySQL as the backend instead.
  4. PAM looks up the user information in /etc/passwd, /etc/group and /etc/shadow, i.e. the host's local user accounts.

So let's work it out. Create a Maildir under /etc/skel/, so that every new user gets a valid Maildir in their home directory:

maildirmake /etc/skel/Maildir

If you have an existing user account without a Maildir in its home directory, run the following command as that user (so that ~ expands to their home directory):
maildirmake ~/Maildir

If you want to create a new user account, simply create it the Debian way:
adduser demouser

Configure Courier

Actually you don't need to do anything for Courier: the Debian default setup configures it to use PAM as the authentication backend. Check /etc/courier/authdaemonrc and you will find:

##NAME: authmodulelist:2
#
# The authentication modules that are linked into authdaemond.  The
# default list is installed.  You may selectively disable modules simply
# by removing them from the following list.  The available modules you
# can use are: authuserdb authpam authpgsql authldap authmysql authcustom authpipe

authmodulelist="authpam"

##NAME: authmodulelistorig:3
#
# This setting is used by Courier's webadmin module, and should be left
# alone

authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"

We will need to regenerate pop3d.pem and imapd.pem. Here I will use Debian etch's make-ssl-cert:
rm -rf /etc/courier/*.pem
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/imapd.pem
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/courier/pop3d.pem

(Optional: only needed if the default PAM authentication backend is not working.) Check the permissions of the Courier authdaemon socket and its directory. By default the directory is mode 700, so other users cannot reach the socket inside it:

ls -lad /var/run/courier/authdaemon /var/run/courier/authdaemon/socket

You should see something similar:
drwx------ 2 daemon daemon 4096 2009-01-23 11:33 /var/run/courier/authdaemon
srwxrwxrwx 1 root   root      0 2009-01-23 11:33 /var/run/courier/authdaemon/socket

Run the following command to change it to 755, then double-check its status. Note that this makes the socket reachable by every local user, not only by Exim:
chmod 755 /var/run/courier/authdaemon

Check the ports for the services with netstat -utal | egrep -e 'pop|imap'. You should see something similar:

tcp6       0      0 [::]:imaps              [::]:*                  LISTEN
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN

NOTE!! Remember to configure your firewall, or you may not be able to access your services over the Internet.

Then test IMAP with telnet localhost imap2; the session should look like this:

Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for distribution information.
AB LOGIN "root" "CHANGE"
AB OK LOGIN Ok.
BC SELECT "Inbox"
* FLAGS ($MDNSent NonJunk $Forwarded $label1 $label2 \Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS ($MDNSent NonJunk $Forwarded $label1 $label2 \* \Draft \Answered \Flagged \Deleted \Seen)] Limited
* 190 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1205133440] Ok
* OK [MYRIGHTS "acdilrsw"] ACL
BC OK [READ-WRITE] Ok
ZZZZ LOGOUT
* BYE Courier-IMAP server shutting down
ZZZZ OK LOGOUT completed
Connection closed by foreign host.

Configure Exim4

First of all, generate the X.509 certificate for Exim4:

bash /usr/share/doc/exim4-base/examples/exim-gencert

As mentioned in sections "2.1.3. Using Exim Macros to control the configuration" and "2.2.2. Enabling TLS support for Exim as server" of /usr/share/doc/exim4-base/README.Debian.gz, you should create a file named /etc/exim4/conf.d/main/000_localmacros (split configuration) or /etc/exim4/exim4.conf.localmacros (non-split configuration) and insert the following lines:

MAIN_TLS_ENABLE = true
tls_on_connect_ports = 465

Also edit /etc/default/exim4 as following, so Exim4 will listen on both port 25 and 465:

# options for daemon listening on port 25
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

(Optional: only needed if the default PAM authentication backend is not working.) You will also need to uncomment the following lines in /etc/exim4/exim4.conf.template (around line 1811) to activate the Courier authentication backend:

# This is now the (working!) example from
# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
#
# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
plain_courier_authdaemon:
  driver = plaintext
  public_name = PLAIN
  server_condition = \
    ${extract {ADDRESS} \
              {${readsocket{/var/run/courier/authdaemon/socket} \
              {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
              {yes} \
              fail}
  server_set_id = $auth2
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif

login_courier_authdaemon:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = \
    ${extract {ADDRESS} \
              {${readsocket{/var/run/courier/authdaemon/socket} \
              {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
              {yes} \
              fail}
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
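Both authenticators above hand the credentials to courier-authdaemon over its Unix socket as a length-prefixed AUTH request and succeed only when the reply carries an ADDRESS= line. As an added example (not from the HOWTO, Exim or Courier), here is that exchange in Python: the request framing, the reply parsing, and a helper that talks to the socket path used above; the sample reply values in the comments are constructed.

```python
import socket

AUTHDAEMON_SOCKET = "/var/run/courier/authdaemon/socket"  # path used in the HOWTO


def build_auth_request(user, password, service="exim", authtype="login"):
    """Frame a request exactly as the Exim ${readsocket...} string above does:
    AUTH <len>\\n<service>\\n<authtype>\\n<user>\\n<password>\\n
    where <len> is the byte length of everything after the first line."""
    for field in (service, authtype, user, password):
        # The body is newline-delimited, so a newline or NUL in a credential
        # cannot be framed unambiguously; refuse it instead of sending it.
        if "\n" in field or "\0" in field:
            raise ValueError("control character in authentication field")
    body = f"{service}\n{authtype}\n{user}\n{password}\n".encode()
    return b"AUTH " + str(len(body)).encode() + b"\n" + body


def parse_auth_reply(reply):
    """Return the NAME=VALUE pairs authdaemon sends on success (terminated by a
    lone "."), or None on "FAIL" or when no ADDRESS= line is present.  This is
    the same success test Exim applies with ${extract {ADDRESS} ...}.
    Constructed success reply: b"ADDRESS=demouser\\nUID=1001\\n.\\n"."""
    lines = [ln for ln in reply.decode(errors="replace").split("\n") if ln]
    if not lines or lines[0].startswith("FAIL"):
        return None
    fields = {}
    for ln in lines:
        if ln == ".":
            break
        name, sep, value = ln.partition("=")
        if sep:
            fields[name] = value
    return fields if "ADDRESS" in fields else None


def check_login(user, password, path=AUTHDAEMON_SOCKET):
    """Verify a login against the running authdaemon (the calling process needs
    access to the socket, which is what the chmod 755 step above is about)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_auth_request(user, password))
        reply = b""
        while not (reply.endswith(b"\n.\n") or reply.startswith(b"FAIL")):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_auth_reply(reply)
```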

Finally, reconfigure Exim4:

dpkg-reconfigure exim4-config

Here is my sample configuration:

  1. Split configuration into small files?: No
  2. General type of mail configuration: internet site; mail is sent and received directly using SMTP
  3. System mail name: your FQDN, the same one you used when generating the X.509 certificate
  4. IP-addresses to listen on for incoming SMTP connections: leave it blank
  5. Other destinations for which mail is accepted: leave it blank, or your FQDN, or the domain of your server
  6. Domains to relay mail for: leave it blank
  7. Machines to relay mail for: leave it blank, or enter your local network range (e.g. 192.168.0.0/16)
  8. Keep number of DNS-queries minimal (Dial-on-Demand)? No
  9. Delivery method for local mail: Maildir format in home directory

Check the ports for the services with netstat -utal | egrep -e 'smtp|ssmtp'. You should see something similar:

tcp        0      0 *:ssmtp                 *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 [::]:ssmtp              [::]:*                  LISTEN
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN

NOTE!! Remember to configure your firewall, or you may not be able to access your services over the Internet.

Try to send a mail to yourself with echo "my test" | mail -s "test message" root, then check /var/log/exim4/mainlog; you should see something similar:

2008-04-28 12:39:52 1JqL9c-0006VR-TM <= root@example.com U=root P=local S=358
2008-04-28 12:39:52 1JqL9c-0006VR-TM => user <root@example.com> R=local_user T=maildir_home
2008-04-28 12:39:52 1JqL9c-0006VR-TM Completed

Also send a mail to someone else on the public Internet with echo "my test" | mail -s "test message" someone@elsewhere.com, then check /var/log/exim4/mainlog; you should see something similar:
2008-04-28 12:41:50 1JqLBW-0006Vg-Aq <= root@example.com U=root P=local S=356
2008-04-28 12:41:53 1JqLBW-0006Vg-Aq => someone@elsewhere.com R=dnslookup T=remote_smtp H=smtp.elsewhere.com [209.85.201.27]
2008-04-28 12:41:53 1JqLBW-0006Vg-Aq Completed

Check whether TLS is active with swaks -a -tls -q HELO -s localhost -au root -ap '<>'; you should see something similar:
=== Trying localhost:25...
=== Connected to localhost.
<-  220 smtp.example.com ESMTP Exim 4.69 Mon, 28 Apr 2008 12:43:38 +0800
-> EHLO smtp.example.com
<-  250-smtp.example.com Hello root at localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
-> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
~> EHLO smtp.example.com
<~  250-smtp.example.com Hello root at localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-PIPELINING
<~  250-AUTH PLAIN LOGIN
<~  250 HELP
~> QUIT
<~  221 smtp.example.com closing connection
=== Connection closed with remote host.

Check whether password authentication works over TLS with swaks -a -tls -q AUTH -s localhost -au root, enter the password when prompted, and you should see something similar:
=== Trying localhost:25...
=== Connected to localhost.
<-  220 smtp.example.com ESMTP Exim 4.69 Mon, 28 Apr 2008 12:46:00 +0800
-> EHLO smtp.example.com
<-  250-smtp.example.com Hello root at localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
-> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
~> EHLO smtp.example.com
<~  250-smtp.example.com Hello root at localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-PIPELINING
<~  250-AUTH PLAIN LOGIN
<~  250 HELP
~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
~> cm9vdA==
<~  334 UGFzc3dvcmQ6
~> MXFhc3cyM2Vk
<~  235 Authentication succeeded
~> QUIT
<~  221 smtp.example.com closing connection
=== Connection closed with remote host.
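The server_advertise_condition on $tls_cipher in the authenticators is what makes AUTH appear only in the second EHLO response above, after STARTTLS. As an added check (not part of the HOWTO), this Python snippet reads a saved swaks transcript and confirms that no AUTH mechanism is offered on the cleartext connection; swaks marks cleartext server lines with "<-" and TLS-protected ones with "<~". The sample transcript is constructed from the session shown above, abridged.

```python
# Constructed from the swaks session above (abridged to the relevant lines).
SAMPLE_TRANSCRIPT = """\
<-  220 smtp.example.com ESMTP Exim 4.69
 -> EHLO smtp.example.com
<-  250-smtp.example.com Hello root at localhost [127.0.0.1]
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA
~> EHLO smtp.example.com
<~  250-smtp.example.com Hello root at localhost [127.0.0.1]
<~  250-AUTH PLAIN LOGIN
<~  250 HELP
"""


def ehlo_auth_mechanisms(transcript):
    """Return (cleartext_mechs, tls_mechs): the AUTH mechanisms the server
    advertised before and after STARTTLS, keyed on the swaks line prefixes."""
    clear, tls = set(), set()
    for line in transcript.splitlines():
        if line.startswith("<-"):
            bucket = clear
        elif line.startswith("<~"):
            bucket = tls
        else:
            continue  # client lines and "===" status lines carry no capabilities
        reply = line[2:].strip()
        # EHLO keywords look like "250-AUTH ..." (more follow) or "250 AUTH ..." (last)
        if reply[:3] == "250" and reply[4:8].upper() == "AUTH":
            bucket.update(reply[9:].split())
    return clear, tls


def auth_gated_by_tls(transcript):
    """True when nothing is offered on the cleartext channel but AUTH is
    offered once TLS is up; False means passwords could travel unencrypted."""
    clear, tls = ehlo_auth_mechanisms(transcript)
    return not clear and bool(tls)
```

Run swaks with its output redirected to a file and pass the file contents to auth_gated_by_tls to repeat the check after any Exim reconfiguration.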

Check your email service with external email client

By now you should have set up your email service correctly and checked it from localhost. Next comes what you will actually do every day: use your email service from an external email client. Here is a very simple guide for setting up Thunderbird 2.x:

  1. Go to Tool > Account Settings
  2. Add Account
  3. Email Account > Your personal information > set it up as POP or IMAP, and fill in the SMTP information if this is your first email account.
  4. Back to the Account Settings page, go to your email account > Server Settings, configure Security Settings as SSL (port 993 for IMAPS and 995 for POP3S).
  5. Back to the Account Settings page, go to your email account > Outgoing Server (SMTP), edit your target SMTP setting, and also set it to SSL (port 465 for SSMTP).

That's all! Enjoy your new email server :)


Nice howto! :-) I'm having

Posted by Anonymous

Nice howto! :-) I'm having some issues with it though as SMTP is not accepting incoming transmissions. Where can I get help or who can help? Thanks

Please detail your

Posted by hswong3i

Please detail your problem.

First of all, you can check the /var/log/exim4/mainlog and find out the problem. Without an effective error log and message, there is nothing I can do for you :S

Next, if no error log exists, there may be some problem with your firewall. Double check if ports 25/465 are open for public access.

Moreover, be careful about the configuration of Exim4. During dpkg-reconfigure exim4-config, it will ask which network interface you are going to bind to. If you carelessly bind to your localhost (127.0.0.1) ONLY, you will surely not be able to receive incoming messages from the public internet.

Some interesting points, too: are you sure that your server is able to be accessed by others? E.g. is your DNS set up correctly? Is the MX record defined? And so on :-)

----------------------------------------
Edison Wong

SMTP external connections

Posted by Anonymous

Had the same problem. In

/etc/exim4/update-exim4.conf.conf

check that the following entry exists:

dc_local_interfaces=''

that solved that (particular :)) issue for me!

Anyway: THANKS A LOT TO THE AUTHOR!!! Without your howto I wouldn't be using my server's mail service today.

ch

nicee

Posted by rafucho

Very good how-to, keep it up bro
