
Hello all, in the last article we talked about ASSP and how it can help protect our network from unwanted mail (spam); in this second part we'll see how to prepare our system and how to configure Exim as our MTA.

As you know, the default MTA on Red Hat Linux and CentOS is Sendmail, so we'll start by installing Exim, the Exim monitor (to watch message flow) and the mail switcher, which lets us tell the system to use Exim instead of Sendmail as its default MTA. To do so simply issue the following command as root from a shell prompt:

yum install system-switch-mail system-switch-mail-gnome exim exim-mon

Once the installation is done we can move on to configuring Exim to handle mail traffic for our organization. Exim stores its configuration in a file named, you guessed it, exim.conf, usually found in the /etc/exim/ directory. Editing that file directly is complicated and error prone, so to make life easier we'll keep the site-specific values in a set of small text files that exim.conf reads to populate its lists and parameters.

Create the following files in the /etc/exim/ directory using the touch command :

exim-accept-for-this-list-of-domains.txt

This file defines the domain, or list of domains, our MTA accepts mail for; each entry goes on its own line. We're going to accept mail for ccielogs.com and example.com, so our file looks like this:

ccielogs.com
example.com

exim-accept-from-this-list-of-ip-addresses.txt

This file defines the hosts that are allowed to relay through Exim, that is, the internal mail servers that use Exim as their smart host. Entries can be IP addresses, CIDR blocks or host names, one per line, and anything after a # is a comment. The format looks like this:

# /etc/exim/exim-accept-from-this-list-of-ip-addresses.txt
# the local address of our server
127.0.0.1
10.10.10.10
# our internal network(s)
# our external network(s)
# our local firewall
#fwall.fwall.fwall.fwall
# our local router
#routr.routr.routr.routr
# mail servers hostname
mailhost
mailhost1.example.com
# messagelabs servers
#av1.av1.av1.av1
#av2.av2.av2.av2
# a fully qualified hostname
#mail.anothercompany.com

As you can see I've left a few entries commented out, as we're not going to use them in this example; they should still give you a good idea of which values you can use. Prefer IP addresses or CIDR blocks (10.10.10.0/24) over host names in this file: a host-name entry forces Exim to do a reverse and a forward DNS lookup for every incoming connection, and the right to relay through your server then depends on whatever DNS answers.

exim-deliver-mail-to-this-list-of-servers.txt

This file maps each domain listed in exim-accept-for-this-list-of-domains.txt to the server, given by host name or IP address, that Exim should forward incoming mail for that domain to. One domain per line, followed by a colon (or just whitespace) and the destination; a colon-separated list of hosts is tried in order, so the second host is a fallback. The format looks like this:

# /etc/exim/exim-deliver-mail-to-this-list-of-servers.txt
# example by hostname
ccielogs.com:   mailhost.ccielogs.com
# example by ip address
example.com:    10.10.10.10
# domain1.com:  exch1.exch1.exch1.exch1
# domain2.com:  exch2.exch2.exch2.exch2
# domain3.com:  exch3.exch3.exch3.exch3
# fallback server for domain4.com: 10.1.1.1 is the main
# server and 10.2.2.2 is tried only when the main one fails
# domain4.com:  10.1.1.1:10.2.2.2

exim-local-settings.txt

This file holds Exim server settings such as the SMTP banner (the text sent in the initial greeting), the maximum number of concurrent SMTP connections and so on; the format looks like this:

# /etc/exim/exim-local-settings.txt
# avoid using this setting if possible:
# exim uses the machine's hostname by default
# primary_hostname = exim.fictionalcompany.com
# if a message to be sent or received has no domain name after the
# @ sign then use this domain for the sender or recipient
qualify_domain = ccielogs.com
qualify_recipient = ccielogs.com
# maximum message size AFTER encoding
message_size_limit = 15M
# maximum number of simultaneous incoming SMTP connections
smtp_accept_max = 100
# replaces the default banner, which advertises the Exim version
smtp_banner = ccielogs.com super secure SMTP server *** Every access is logged. Any abuse will be punished ***

One caveat on the banner: SMTP expects the 220 greeting to begin with the server's name, so a custom banner should still start with the host name (Exim exposes it as $smtp_active_hostname); the part worth dropping is the version string, not the name. Once you've tailored the configuration files to your needs you're good to go. There is actually one more configuration file that we're not going to use, but I'll briefly describe it here for completeness:

exim-redirect-mail-for-this-list-of-users.txt

This file lists users, as full user@domain addresses, whose mail should be redirected to another address, or delivered to a local mailbox if you have configured mailboxes on this system; exim.conf looks every recipient up in it before trying to route the message.

Ok, we're almost done; finally we can edit the master exim.conf. As I've already said, we use split configuration files to keep the setup easy to maintain, and, as you can see below, all the master file needs to carry are the names of those files and a few other parameters:

# /etc/exim/exim.conf
############# INITIAL SETTINGS ######################
# set some default values and read in config files  #
#####################################################
.include /etc/exim/exim-local-settings.txt
# ASSP owns port 25 on this box, so Exim listens elsewhere
daemon_smtp_port = 255
domainlist relay_to_domains = /etc/exim/exim-accept-for-this-list-of-domains.txt
hostlist   relay_from_hosts = /etc/exim/exim-accept-from-this-list-of-ip-addresses.txt
domainlist local_domains    =
acl_smtp_rcpt = acl_check_rcpt
never_users   = root

############# ACCEPT SETTINGS #######################
# set rules for accepting messages here             #
#####################################################
begin acl

acl_check_rcpt:
  # mail submitted locally (no TCP connection) is always accepted
  accept  hosts = :

  # reject local parts usable for source routing (the % hack and friends)
  deny    local_parts = ^.*[@%!/|] : ^\.

  accept  local_parts = postmaster
          domains     = +local_domains

  # mail for our domains is accepted only if the recipient can be routed;
  # after endpass a failed verify denies with the message below
  accept  domains = +relay_to_domains
          endpass
          message = relay not permitted at this server
          verify  = recipient

  # our own mail servers may relay to anywhere
  accept  hosts = +relay_from_hosts

  deny    message = relay not permitted at this server

############# ROUTER SETTINGS #######################
# set rules for selecting a transport               #
#####################################################
begin routers

redirect:
  driver = redirect
  data   = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users.txt}}

# forward mail for our domains to the server listed for each of them
internal:
  driver     = manualroute
  domains    = +relay_to_domains
  route_data = ${lookup{$domain}lsearch{/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt}}
  transport  = remote_smtp

As you can see we changed only a few lines, the ones that point Exim at the split files plus the port setting; everything else, including the remote_smtp transport and the retry rules, stays as shipped in the stock exim.conf. One thing to keep in mind: a domain listed in exim-accept-for-this-list-of-domains.txt but missing from exim-deliver-mail-to-this-list-of-servers.txt cannot be routed, so recipient verification fails and Exim rejects every RCPT TO for that domain.
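As an added example (not part of the original article, and not Exim's own code), the Python script below reads the three list files with the comment and key rules Exim applies to domain/host list files and to lsearch files, checks that every accepted domain has a route, flags host-name entries in the relay list, and models the acl_check_rcpt decisions statement by statement. The file bodies are constructed samples that mirror the ones above, with one deliberate slip (exampl.com) so the route check has something to find; the peer addresses are documentation ranges and all function names are mine.

```python
"""Offline checks for the split Exim list files and a model of the page's
acl_check_rcpt.  Added example, not the article's own tooling; the three
file bodies are constructed samples."""
import ipaddress
import re

# Constructed samples.  ROUTE_DATA carries a deliberate typo ("exampl.com"),
# so example.com is accepted but has no route.
ACCEPT_DOMAINS = """\
ccielogs.com
example.com
"""
RELAY_HOSTS = """\
# the local address of our server
127.0.0.1
10.10.10.10          # trailing comments are allowed in host lists
# mail servers hostname
mailhost1.example.com
"""
ROUTE_DATA = """\
# example by hostname
ccielogs.com:   mailhost.ccielogs.com
# example by ip address (misspelled on purpose)
exampl.com      10.10.10.10
# primary and fallback host
domain4.com:    10.1.1.1:10.2.2.2
"""


def exim_list_items(text):
    """Domain/host list file: '#' starts a comment anywhere on the line,
    blank lines are skipped, surrounding whitespace is ignored."""
    items = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            items.append(line)
    return items


def lsearch_table(text):
    """lsearch file (route_data): the key ends at ':' or whitespace, the rest
    of the line is the data, '#' and blank lines are skipped, keys are
    case-insensitive and the first match wins."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^([^:\s]+)\s*:?\s*(.*?)\s*$", line)
        if m:
            table.setdefault(m.group(1).lower(), m.group(2))
    return table


def route_hosts(route_data):
    """manualroute data: the first field is a colon-separated host list that
    Exim tries in order, so the second entry is the fallback (IPv4/names)."""
    return route_data.split()[0].split(":") if route_data.strip() else []


def is_address(item):
    try:
        ipaddress.ip_network(item, strict=False)   # "10.0.0.1" or "10.0.0.0/24"
        return True
    except ValueError:
        return False


def missing_routes(domains, routes):
    """Accepted domains with no route: verify=recipient fails for them."""
    return [d for d in domains if d.lower() not in routes]


def hostlist_warnings(items):
    """Name entries in relay_from_hosts cost a reverse+forward DNS lookup per
    connection and tie relay rights to DNS answers; prefer addresses."""
    return [i for i in items if not is_address(i)]


def host_in_list(addr, items):
    """Address-only matching; name items would need the DNS checks Exim does
    at run time, so this offline model treats them as not matching."""
    ip = ipaddress.ip_address(addr)
    return any(is_address(i) and ip in ipaddress.ip_network(i, strict=False)
               for i in items)


BAD_LOCAL_PART = re.compile(r"^.*[@%!/|]|^\.")   # the page's deny local_parts


def acl_check_rcpt(sender_host, recipient, relay_from, relay_to, routes):
    """Decision for one RCPT TO, in the page's ACL statement order.
    sender_host is the peer address, '' for a locally submitted message."""
    local_part, _, domain = recipient.rpartition("@")
    domain = domain.lower()
    if sender_host == "":                       # accept hosts = :
        return "accept"
    if BAD_LOCAL_PART.search(local_part):       # deny local_parts = ...
        return "deny: bad local part"
    # accept local_parts = postmaster / domains = +local_domains: the page's
    # local_domains list is empty, so that statement never matches.
    if domain in relay_to:                      # accept domains = +relay_to_domains
        if domain in routes:                    # endpass: verify = recipient
            return "accept"
        return "deny: relay not permitted at this server (recipient does not verify)"
    if host_in_list(sender_host, relay_from):   # accept hosts = +relay_from_hosts
        return "accept"
    return "deny: relay not permitted at this server"


if __name__ == "__main__":
    domains = exim_list_items(ACCEPT_DOMAINS)
    hosts = exim_list_items(RELAY_HOSTS)
    routes = lsearch_table(ROUTE_DATA)
    print("domains without a route:", missing_routes(domains, routes))
    print("non-address relay hosts:", hostlist_warnings(hosts))
    for peer, rcpt in [("203.0.113.5", "bob@ccielogs.com"),
                       ("203.0.113.5", "bob@elsewhere.net"),
                       ("10.10.10.10", "bob@elsewhere.net")]:
        print(peer, rcpt, "->", acl_check_rcpt(peer, rcpt, hosts, domains, routes))
```

Run it as a script to get the report: with the misspelled route the script lists example.com as unroutable (which on the real server shows up as every RCPT TO for that domain being refused with the "relay not permitted" text), flags mailhost1.example.com as a name entry in the relay list, and a percent-hack address such as bob%evil.net@ccielogs.com is refused before any relay decision is made.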

A special note on daemon_smtp_port = 255: this is needed if, like me, you're running Exim and ASSP on a single machine. ASSP listens on the standard SMTP port, 25, and hands the mail it accepts to Exim, so Exim has to listen on a different port, 255 in this example, and ASSP must be configured to forward to that port. Make sure the port is reachable only by ASSP (bind Exim to the loopback address with local_interfaces = 127.0.0.1, or restrict the port on the firewall to the hosts that really need it); otherwise anyone who can connect to port 255 talks to Exim directly and skips ASSP's filtering entirely.

If you have made it this far, congratulations: your Exim-based mail server is finally ready! All that is left is to test the message flow between the Exim box (the smart host) and the Exchange server (or whatever MTA you use) in both directions. I won't cover that here, as if you're reading this you already know how to test it; Exim's own -bt option (show how an address would be routed) and -bh option (simulate an SMTP session from a given IP address without delivering anything) are handy for checking the routing and the relay ACL before the box goes into production :)

The last step, finally, is telling the system to use Exim instead of Sendmail as its MTA. For this we use the mail switcher we installed in the first part of the article, found under System –> Mail Transport Switcher (the same change can be made from a terminal with alternatives --config mta).

[Screenshots: launching the mail switcher; the Mail Transport Switcher dialog]

Ok, now you're really done; all that is left is to stop and disable (or uninstall) Sendmail, as we won't be using it anymore :)

Wow, it has been a long run, but I think it was well worth the effort: we've covered how to install Exim, how to configure it to handle incoming mail and to work as a smart host for our internal MTAs, and finally how to make Exim the default system MTA.

In the next article we’ll see how to install ClamAV and how to configure it to protect our network.

Stay tuned!

Lethe.
