Note: This page deals with an older version of Exim and just enough to run it with LRP/LEAF. It may be that this page of mine may be more helpful to you for Exim 4.x help.
I finally got an SMTP program with Realtime Blackhole List, RBL, support working on a LEAF (LRP derivative) firewall. Now all incoming email is accepted by the firewall, RBL lookups are done, and then they are passed to the internal server. Note: I am not yet using this to relay outgoing email, because I want to make sure only the internal server can pass messages through. Since I had to stumble around a few places, I thought I would document what is working for me here.
Setup: LEAF - Oxygen flavor, kernel 2.2.18, Openwall, VPN; with SeaWall.
Goal: To better protect an Exchange 5.5 server (yes, I know... I know) and eliminate spam without a high dollar program.
Tried using SMTPD, using the SMTPD-1.lrp you can find floating around. Never got it to run.
Exim site is here: http://www.exim.org/
Exim.lrp, by Koon Wong, is available here:
http://master-beta.linuxrouter.org:8080/addons/packages/kwong/exim.html
or a net search will turn it up. You will probably also need libdb.lrp. A net search will turn it up too.
Load them up per your LRP's instructions and edit the /etc/exim/configure file. Once done, backup the exim package and reboot.
Note: Make sure your firewall rules allow the box to lookup DNS and use identd. Also that it allows incoming connections to SMTP and outgoing connections to your internal SMTP server. I'm running SeaWall, so in seawall.conf it was:
# SMTP Server (optional) -- set this if you need to access SMTP servers # from your firewall smtpservers="internal.server.ip"
Example: smtpservers="192.168.1.1"
In apps it was:
#PROT SOURCE PORT(s) SOURCE ADDR(s) DEST PORT DEST ADDR tcp 53 udp 53 tcp 113
And in servers it was:
# PROTOCOL PORT CLIENTS(S) SERVER SERVER PORT EXTERNAL tcp 25 0.0.0.0/0
The basic config I used is below (etc/exim/configure). More detail is included in the default config file. I've also included items I rem'd out in the default config. Remember to replace any occurrence of dom.ain with your vaild domain name. Example: mycompany.com.
# Runtime configuration file for Exim # # This is a default configuration file which will operate correctly in # ...(see default config file for full text)... # ... Blank lines, and lines starting with # are ignored. # MAIN CONFIGURATION SETTINGS # # Specify your host's canonical name here. This should normally be the fully # qualified "official" name of your host. If this option is not set, the # uname() function is called to obtain the name. primary_hostname = name.dom.ain # Specify the domain you want to be added to all unqualified addresses qualify_domain = dom.ain # If this option is not set, the qualify_domain value is used. # qualify_recipient = # Specify your local domains as a colon-separated list here. If this option # is not set (i.e. not mentioned in the configuration file), the # qualify_recipient value is used as the only local domain. If you do not want # to do any local deliveries, uncomment the following line, but do not supply # any data for it. This sets local_domains to an empty string, which is not # the same as not mentioning it at all. An empty string specifies that there # are no local domains; not setting it at all causes the default value (the # setting of qualify_recipient) to be used. local_domains = # If you want to accept mail addressed to your host's literal IP address, for # local_domains_include_host_literals # No local deliveries will ever be run under the uids of these users never_users = root # The setting below causes Exim to do a reverse DNS lookup on all incoming IP call host_lookup_nets = 0.0.0.0/0 # Exim contains support for the Realtime Blocking List (RBL) # Note: The ones listed in the default config file are obsolete. # Note: This version, v2.1, does not support the reject/warn option. rbl_domains = "bl.spamcop.net : \ list.dsbl.org : \ sbl.spamhaus.org : \ spamblock.outblaze.com : \ relays.ordb.org : \ relays.osirusoft.com : \ relays.visi.com : \ opm.blitzed.org" # These were giving positives on some of our real email. Included here in case you want to use them: # multihop.dsbl.org:unconfirmed.dsbl.org # Note: MAPs is now charging. Included here in case you want them: # blackholes.mail-abuse.org/reject:dialups.mail-abuse.org/reject:relays.mail-abuse.org/warn # Who to allow anything to get through to recipients_reject_except = postmaster@dom.ain # Collect more data in the logs rbl_log_headers = true #log headers rbl_log_rcpt_count = true #log recipient info # This is set so only a warning header is added # Set rbl_reject_recipients to true when you are ready to reject rbl_reject_recipients = false rbl_warn_header = true # The setting below locks out the use of your host as a mail relay by any # other host. If you want to permit relaying through your host from... sender_host_reject_relay = * # From the documentation: # When at least one of the sender_{host|net}_{accept|reject}_relay # options is set, other than except, the address is only accepted # if sender_{host|net}_accept_relay are both null or if the host # matches one of their patterns and if the host does not match any pattern # in sender_{host|net}_reject_relay, unless it also matches _except. relay_domains = dom.ain # If you want Exim to support the "percent hack" for all your local domains percent_hack_domains = * # My additions, see documentation queue_only_load = 5 trusted_users = nobody auto_thaw = 60s forbid_domain_literals ignore_errmsg_errors # Remove <<x@y.com>> to <x@y.com> strip_excess_angle_brackets = true smtp_banner = "name.dom.ain ESMTP" # Verify sender address sender_verify = true sender_verify_reject = true sender_verify_fixup = true end # TRANSPORTS CONFIGURATION # # ORDER DOES NOT MATTER # # Only one appropriate transport is called for each delivery. # # A transport is used only when referenced from a director or a router that # successfully handles an address. # This transport is used for delivering messages over SMTP connections. remote_smtp: driver = smtp # This transport is used for local delivery to user mailboxes. # local_delivery: # driver = appendfile # file = /var/spool/mail/${local_part} # delivery_date_add # envelope_to_add # return_path_add # group = mail # mode = 0660 # This transport is used for handling pipe addresses generated by alias # or .forward files. address_pipe: driver = pipe return_output # This transport is used for handling file addresses generated by alias # or .forward files. address_file: driver = appendfile delivery_date_add envelope_to_add return_path_add # This transport is used for handling file addresses generated by alias # or .forward files if the path ends in "/" # address_directory: # driver = appendfile # delivery_date_add # envelope_to_add # return_path_add # no_from_hack # prefix = "" # suffix = "" # maildir_format # This transport is used for handling autoreplies generated by the filtering # address_reply: # driver = autoreply end # DIRECTORS CONFIGURATION # # Specifies how local addresses are handled # # ORDER DOES MATTER # # A local address is passed to each in turn until it is accepted. # # Local addresses are those with a domain that matches some item in the # "local_domains" setting above, or those which are passed back from the # routers because of a "self=local" setting (not used in this configuration). # This director handles aliasing using a traditional /etc/aliases file. system_aliases: driver = aliasfile file = /etc/aliases search_type = lsearch # user = exim # This director handles forwarding using traditional .forward files. # userforward: # driver = forwardfile # file = .forward # no_verify # no_expn # check_ancestor # filter # This director matches local user mailboxes. # localuser: # driver = localuser # transport = local_delivery end # ROUTERS CONFIGURATION # # Specifies how remote addresses are handled # # ORDER DOES MATTER # # A remote address is passed to each in turn until it is accepted. # # Remote addresses are those with a domain that does not match any item # in the "local_domains" setting above. # Forward to internal server # In route_list, dom.ain is your domain and name.or.ip is # the name or IP of the server to forward the email to. send_to_gateway: driver = domainlist transport = remote_smtp route_list = "dom.ain name.or.ip byname" # This router routes to remote hosts over SMTP using a DNS lookup with # default options. lookuphost: driver = lookuphost transport = remote_smtp # This router routes to remote hosts over SMTP by explicit IP address, # literal: # driver = ipliteral # transport = remote_smtp end # There is a little bit more in the configuration file, but we wont # cover it here. # End of Exim configuration file
Since exim generates log files and I wanted to keep an eye on what was being rejected, here is a simple albeit not elegant script that emails me the logs daily as an attachment. Remember to replace all name@dom.ain with the valid email of whom you want it to go to.
#!/bin/sh # Script to email and remove exim logs. # No it is not pretty, but it gets the job done. # Writen By: S. Yoder Date: 08/21/2002 # This is the tail end of the email and it is common to all echo " --DMW.Boundary.605592468-- . quit" > /tmp/endmail # This starts a new exim_mainlog file mv /var/log/exim/exim_mainlog /var/log/exim/exim_mainlog.old touch /var/log/exim/exim_mainlog # This is the header for exim_mainlog.old echo "Mail From:<name@dom.ain> Rcpt To:<name@dom.ain> DATA To:<name@dom.ain> Subject:Exim Mainlog Mime-Version: 1.0 Content-type: multipart/mixed; boundary=\"DMW.Boundary.605592468\" This is a Mime message. >--DMW.Boundary.605592468 Content-Type: application/octet-stream; name=\"exim_mainlog.txt\" Content-Disposition: attachment; filename=\"exim_mainlog.txt\" Content-Transfer-Encoding: 7bit " > /tmp/beginmail # This emails the log and removes it cat /tmp/beginmail /var/log/exim/exim_mainlog.old /tmp/endmail >/tmp/tmplog cat /tmp/tmplog | exim -bs rm -f /var/log/exim/exim_mainlog.old # This starts a new exim_rejectlog file mv /var/log/exim/exim_rejectlog /var/log/exim/exim_rejectlog.old touch /var/log/exim/exim_rejectlog # This is the header for exim_rejectlog.old echo "Mail From:<name@dom.ain> Rcpt To:<name@dom.ain> DATA To:<name@dom.ain> Subject:Exim Rejectlog Mime-Version: 1.0 Content-type: multipart/mixed; boundary=\"DMW.Boundary.605592468\" This is a Mime message. --DMW.Boundary.6055.92468 Content-Type: application/octet-stream; name=\"exim_rejectlog.txt\" Content-Disposition: attachment; filename=\"exim_rejectlog.txt\" Content-Transfer-Encoding: 7bit " > /tmp/beginmail # This emails the log and removes it cat /tmp/beginmail /var/log/exim/exim_rejectlog.old /tmp/endmail >/tmp/tmplog cat /tmp/tmplog | exim -bs rm -f /var/log/exim/exim_rejectlog.old # End of script
I saved it as /etc/mailogs.daily, but you can call it what you like. Remember to add it to cron and chomod it so cron can run it (755 if I recall correctly - rwxr-xr-x).
