Configuring MTAs

Exim4 is the MTA we will use on the MX, the relay server and the mailstores.

The Relay server

First we add the volatile repository in the file /etc/apt/source.list.d/volatile.list:

deb http://volatile.debian.org/debian-volatile lenny/volatile main

... and update the apt database:

sudo apt-get update

Then we install exim4 (most people want to proceed with 'internet site' type installation, and let exim listen on 0.0.0.0). Answer YES when prompted for splitted configuration files:

sudo apt-get install exim4-daemon-heavy clamav-daemon clamav-freshclam openssl

In order to use TLS over the SMTP sessions we need to have a certificate. It can be either a certificates delivered by a certification authority, or a self-signed cert. Here we generate a self-signed cert, but be aware that such certificate will produce warnings on the client side.

RSA key:

openssl genrsa 2048

chmod 640 exim.key

Certificate request:

openssl req -new -key exim.key -out exim.csr

Certificate:

openssl x509 -req -signkey exim.key -in exim.csr -days 9999 -out exim.c

File copy:

chown Debian-exim exim.key

sudo cp exim.key exim.crt /etc/exim4

Activate TLS in /etc/exim4/update-exim4.conf.conf:

...
MAIN_TLS_ENABLE='true'
...

Create the main macro definition file /etc/exim4/conf.d/main/04_mailMEOmacrodefs:

ldap_default_servers = ldap.middle.earth
.ifndef MAILMEO_DOMAINROOT
MAILMEO_DOMAINROOT = ou=domains,dc=middle,dc=earth
.endif

MAILMEO_DOMAINROOT defines the LDAP root dn where we store domains and users info.

As a modern relay server our server will authenticate users before relaying their mail: this is SMTP-AUTH.

In order to do this we will create the new config file /etc/exim4/conf.d/auth/50_mailMEO_authsmtp:

plain_server: 
   driver = plaintext 
   public_name = PLAIN 
   server_condition = ${if ldapauth \ 
        {user="uid=${quote_ldap_dn:${extract{1}{@}{$2}{$value} fail}},\ 
        dc=${quote_ldap_dn:${extract{2}{@}{$2}{$value} fail}},\ 
        MAILMEO_DOMAINROOT" \ 
    pass=${quote:$3} \ 
    ldap:///}{yes}{no}} 
   server_set_id = $auth2 
   server_prompts = : 
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS 
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} 
   .endif

login_server: 
   driver = plaintext 
   public_name = LOGIN
   server_condition = ${if ldapauth \ 
        {user="uid=${quote_ldap_dn:${extract{1}{@}{$1}{$value} fail}},\ 
        dc=${quote_ldap_dn:${extract{2}{@}{$1}{$value} fail}},\ 
        MAILMEO_DOMAINROOT" \ 
    pass=${quote:$2} \ 
    ldap:///}{yes}{no}} 
   server_set_id = $auth1
   server_prompts = "Username:: : Password::"
   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS 
   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} 
   .endif

As we store password in a encrypted form we have to use a clear-text password mechanism for authentication: either PLAIN or LOGIN (or both). It is then recommended to advertise AUTH only for crypted SMTP sessions. To make AUTH available even for clears sessions, define AUTH_SERVER_ALLOW_NOTLS_PASSWORDS (eg = true) in the /etc/exim4/conf.d/main/04_mailMEOmacrodefs file.

Additionally we will ask exim to bind on the submission port (587), which *should* be preferred by MUA to submit mails, and to advertise TLS. In /etc/exim4/update-exim4.conf.conf change dc_local_interfaces:

dc_local_interfaces='0.0.0.0:0.0.0.0.587'

Antivirus scanning is done by clamav, and is tightly integrated in exim4. All is needed is activating an option in /etc/exim4/conf.d/main/02_exim4-config_options:

av_scanner = clamd:/var/run/clamav/clamd.ctl

Uncomment 3 lines in /etc/exim4/conf.d/acl/40_exim4-config_check_data:

deny
   malware = *
   message = This message was detected as possible malware ($malware_name).

Add user clamav to the Debian-exim group:

sudo adduser clamav Debian-exim

We restart clamav and exim4 and we're done with the relay server.

sudo /etc/init.d/clamav-daemon restart

sudo /etc/init.d/exim4 restart

The Mailstore server (denetor)

This server hosts the mailboxes on its filesystem. Spam checking is done here too. You may find it strange to scan for spam on the mail store but, to me it's the best way to do it... Let me explain why.

Spam scanning is really a resource hog, so it make sense to do it lately after every other filter (DNSBL or so)have done their jobs. Spam scanning is prone to false positives (at least when you have a lot of mailboxes with different profiles like for an ISP) so it 's very risky to reject mails based such scanning. At last doing spam scanning at smtp time prohibit users specific setting (at least its not coherent as soon as you have multiples recipients for a mail). So deferring spam scanning on mailstore allows to store spam in a junk folder based on scanning that really suits each users because it's done at delivery time.

 Enough talking, let's start with packages installation (install just like previously).

To benefit from the best features of dovecot we need to use the 1.2.x version. Unfortunately, Debian chips an old 1.0 version which lacks important features like quotawarning. So we're going to add the backports repository (which are now official Debian repositories). Add the following file: /etc/apt/sources.list.d/backports.list

deb http://backports.debian.org/debian-backports lenny-backports main

and run

sudo apt-get update

sudo apt-get install spamassassin exim4-daemon-heavy

sudo apt-get -t lenny-backports install dovecot-imapd dovecot-pop3d

Definition of exim's macros in /etc/exim4/conf.d/main/04_mailMEOmacrodefs:

ldap_default_servers = ldap.middle.earth
 # mailMEO macros definitions 
.ifndef MAILMEO_DOMAINROOT
MAILMEO_DOMAINROOT = ou=domains,dc=middle,dc=earth 
.endif 

.ifndef MAILMEO_MAINDOMAIN
MAILMEO_MAINDOMAIN = ${lookup ldap {USER=userid=exim,dc=middle,dc=earth PASS=eximmta ldap:///MAILMEO_DOMAINROOT?dc?one?(associatedDomain=$domain)}} 
.endif 
domainlist mailMEO_domains = <\n ${sg{${lookup ldapm {\ 
    USER=userid=exim,dc=middle,dc=earth PASS=eximmta \ 
    ldap:///MAILMEO_DOMAINROOT?associatedDomain?one?\ 
    (&(objectClass=inetLocalMailRecipient)(objectClass=dNSDomain)(mailHost=${loo
kup dnsdb{a=$primary_hostname}{$value}fail}))}}}{,}{\\n}}

mailMEO_domains returns the list of domains handled in LDAP. To enable management of a domain in LDAP, just create an LDAP entry using the following template (change it to suit your needs):

dn: dc=%MYDOMAIN.TLD%,ou=domains,dc=middle,dc=earth
dc: middle.earth
objectClass: dNSDomain
objectClass: top
objectClass: inetLocalMailRecipient
objectClass: domainRelatedObject
mailHost: %IPADDR_OF_MAILSTORE%
associatedDomain: %MYDOMAIN%

We have to specify exim to accept thoose domains this is done by adding the domainlist to the rcpt acl file /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt: change

require
  message = relay not permitted
  domains = +local_domains : +relay_to_domains

to

require
  message = relay not permitted
  domains = +local_domains : +relay_to_domains : +mailMEO_domains

 The MAILMEO_MAINDOMAIN introduces a feature I would call "domain aliasing". It makes it possible for all addresses living in a domain to also exist in another domain. In the sample data lotr.middle.earth is a domain alias of middle.earth so frodo's mailbox can be reached using address frodo@middle.earth or frodo@lotr.middle.earth. middle.earth is the "main" domain, and is some what privileged. For example authentication (POP/IMAP/SMTP) is only possible using "main domain" credentials. To add a domain alias to am existing domain, just add another "associatedDomain" attribute to the domain object.

Now let's add one router for each type of address. Those routers will defines which message has to be handled by which transport.