J.Meers - Mediavest
Prepared for the First International Exim Conference and Tutorial – Feb 2005
Version 1.2 – Updated Dec 2006
- Contents -
Abstract
Problem Scenario
Security Considerations
Routing Considerations
Possible Solutions
Selected Solution
My Book
Thanks
Copyright
Licence
Liability
- Abstract -
Exim
Microsoft Exchange
This third-party scanning could equally be any other mail scanning service or a
dedicated mail scanning appliance such as a “SurfControl RiskFilter” held on
the organization's own premises.
- Objective and Scope -
This paper attempts to address issues for administrators who must use
Exchange in a corporate environment, but have concerns over its ability to
protect the valuable resources it holds, or its ability to provide advanced
routing and filtering of messages before delivery.
The paper discusses a method for removing many of the risks associated with
presenting Microsoft Exchange directly to the Internet.
NOTE:
This paper does not attempt to provide detailed information on securing
Microsoft Windows, Microsoft Exchange, Active Directory and IIS.
- Assumptions and Reasoning -
It is assumed that the reader does not need convincing that protecting
or hiding the following information or services from attackers is
sensible:
It is also assumed that the reader does not need convincing that
restricting internet access to the following services is more reliable
and more secure than allowing connections from any host and relying on
the services themselves to fend off security flaws and brute force
attacks:
● SMTP
● IMAP
● POP3
NOTE:
Any service that can be used remotely to validate credentials is a
potential liability, and given enough time or a big enough dictionary of
words, an attacker can establish a username and password to begin
trying to escalate their privileges on the target system.
Related papers and what each one covers:

Securing Exchange 2000, Part One
Chris Weber, Security Engineer, Foundstone
http://securityfocus.com/infocus/1572
Covers vulnerable ports and services: output from port scans, server
enumeration, LDAP enumeration and pilfering shares with poor default security.

Securing Exchange 2000, Part Two
Chris Weber, Security Engineer, Foundstone
http://securityfocus.com/infocus/1578
Covers exploiting SMTP relay even when SMTP relay is disabled; front end/back
end configuration, restricting privileges, and using SSL, TLS and IPSEC to
encrypt communications.

Securing your Exchange Server Installation
Monty Hall
http://securityfocus.com/infocus/1305
Provides advice for securing the operating system, Exchange itself, the IIS
webserver and Outlook Web Access, service accounts, domain security and
server placement.

Exchange 2000 in the Enterprise: Tricks and Tips Part One
Tim Mullen, Chief Software Architect for AnchorIS.Com
http://securityfocus.com/infocus/1654
Covers the use of an SMTP Relay in the DMZ between Exchange and the Internet.
This paper covers the same topology we will use in this paper but specifically
uses Microsoft ISA server and Trend Micro's SMTP Relay.

Exchange 2000 in the Enterprise: Tricks and Tips Part Two
Tim Mullen, Chief Software Architect for AnchorIS.Com
http://securityfocus.com/infocus/1658
Part two of this paper covers various methods of encryption. The paper has an
excellent section on securing Outlook Web Access with the IIS lock-down tool
and some of the caveats introduced such as the double dot encoded URL.
NOTE:
The “further reading and references” section towards the end of this
paper provides additional material on securing Exchange. Much of this is
at a very technical level and may be too complicated for some users, but
it is well worth a look should you need guidance on further hardening your
infrastructure with more finely grained access control and encryption.
- Problem Scenario -
“FictionalCompany.com” require Microsoft Outlook and Microsoft
Exchange to enable the use of Blackberry and Windows based PDA
devices for staff who frequently work out of the office, or on the road.
The solution should provide a mechanism for temporary redirection of all email
destined for a particular domain to handle situations where servers, networks,
routers and internet connections fail unexpectedly.
The solution should restrict access for unknown domains and IP addresses to
prevent the system being used as a relay for junk mail.
The solution should provide a mechanism for incorporating some form of mail
content scanning to identify virus, spam and pornographic material before
delivery to users' mailboxes. Ideally this should be done before the mail
actually reaches the SMTP relay.
The server has been made public using Network Address Translation (NAT).
One of the public IP addresses has been mapped directly to the server on the
LAN by using one-to-one NAT on the firewall.
The firewall has an opening on port 25, allowing any host on the internet to
connect to the SMTP service. POP3, SMTP, IMAP4 and Outlook Web Access are
all enabled on the server, but these are only available to users on the LAN.
This is a typical installation that you might find at any number of Small to
Medium sized Enterprises (SMEs).
- Security Considerations -
● The SMTP service should be the only service accessible from the internet, as
this is the bare minimum required to send and receive e-mail with other
individuals or organisations.
● All other services (POP3, IMAP, Outlook Web Access, RPC, LDAP and SMB
connections) should be unreachable from the internet without first passing
some form of strong authentication such as an IPSEC VPN, or a dial-in service
secured by a secondary mechanism such as RADIUS or RSA SecurID.
NOTE:
This paper does not deal with the various strong authentication methods
available for securing access to the internal corporate network, but
focuses on securing the SMTP service. The SMTP service is one of the
most frequent starting points for attackers as almost every company has
it open.
- Routing Considerations -
If we employ a single mail hub with an ability to process mail for multiple
domains and servers we will receive the following benefits:
● Flexibility for companies that have multiple business units that share
resources internally but operate as different organisations externally.
● The ability to extend the system at a later date to content scan messages for
viruses, porn and spam before delivery.
For more information about scanning messages for spam and viruses see the
following article:
http://www.exim-new-users.co.uk/content/view/99/39/
- Possible Solutions -
Microsoft Exchange as a standalone SMTP relay
Using another Exchange server in its own workgroup avoids the problems
associated with giving away domain administration privileges and domain
passwords, but still suffers from the problems associated with using Exchange
on a public facing internet connection.
NOTE:
* If a DMZ is not available on your firewall it is still possible to use Exim
using one-to-one NAT and/or port forwarding, but a dedicated DMZ would
always be preferred.
- Selected Solution -
Our solution will incorporate Exchange with Exim and the
MessageLabs virus scanning service.
Exim provides all the functionality we need with the flexibility to add more
advanced content scanning and filtering at a later date.
Using an external content scanning service in conjunction with our Exim relay
also provides cost and efficiency benefits by rejecting virus, spam and porn
before it has consumed bandwidth getting to our SMTP relay.
Requirements:
WAN: Any internet connection with at least 1 free, fixed IP address for use
in the DMZ (unless NAT or port forwarding is used).
Content Scanning: We will be using the MessageLabs mail scanning service. For
the purpose of this paper we have been assigned the following hosts,
mail19.messagelabs.com and mail20.messagelabs.com, as the primary and backup
hosts to use for sending and receiving e-mails to be scanned by the service.
NOTE:
The chosen solution does not require a massive investment in hardware,
nor does it require much administration, making it an ideal starting point for
the average Small to Medium-sized Enterprise (SME).
- Debian and Ubuntu users -
By default Debian and Ubuntu offer a different configuration system than other
distributions.
Some users run into problems with this alternate configuration method because
they fail to locate and read the relevant documentation.
The biggest difference as far as this paper is concerned is that the config file
for Debian or a Debian-based distribution like Ubuntu lives under /etc/exim4
rather than /etc/exim, so it is called:
/etc/exim4/exim4.conf
in place of:
/etc/exim/exim.conf
By default Debian has its own configuration system (update-exim4.conf, built
from the files under /etc/exim4) and its generated configuration will be used
unless Exim can find a single configuration file called:
/etc/exim4/exim4.conf
The details are in the Debian package's README:
http://pkg-exim4.alioth.debian.org/README/README.Debian.html
or here:
http://www.exim-new-users.co.uk/content/view/100/39/
- Tutorial -
To make the tutorial easier to follow we will use the following 3
fictional domains, each having its own dedicated Exchange server:
exch1 = exch1.exch1.exch1.exch1
exch2 = exch2.exch2.exch2.exch2
exch3 = exch3.exch3.exch3.exch3
exim = exim.exim.exim.exim
mail19.messagelabs.com = av1.av1.av1.av1
mail20.messagelabs.com = av2.av2.av2.av2
NOTE:
If you don't have multiple domain names or Exchange servers just ignore
any lines referring to “domain2.com”, “domain3.com”,
“exch2.exch2.exch2.exch2” and “exch3.exch3.exch3.exch3”. They are
provided for the benefit of larger or more complex installations.
- Overview of sending an email on the existing system -
When an e-mail is sent from an individual the following process occurs from top
to bottom until the message is delivered to the destination mail server.
The sender types in the e-mail address of the recipient in the To: field.
e.g e-mail addressed to user1@fictionalcompany.com
The sender clicks “send” and the message is delivered to the users mail server
e.g Message sent from Outlook to Exchange
The mail server then reads the e-mail address and separates the domain part
of the address from the user part of the address.
e.g fictionalcompany.com
The mail server then contacts a DNS server and requests a list of MX (Mail
eXchange) records for the domain fictionalcompany.com.
e.g pri=5 mail1.fictionalcompany.com
pri=10 mail2.fictionalcompany.com
The mail server then selects the mail server with the highest priority and
connects over SMTP to deliver the mail.
e.g Exchange connects to port 25 on mail1.fictionalcompany.com to
deliver the mail over SMTP.
(The highest priority mail server always has the lowest number in the MX field,
the opposite of what most people expect. The MX record is a special DNS
record used for Mail eXchange between domains)
Once the e-mail arrives on the mail server, instead of trying to send it
directly, the mail server forwards it to the Exim server, where address
rewriting and address redirection may be performed before the e-mail is passed
on to the MessageLabs service for virus, porn and spam scanning and then final
delivery.
- Overview of receiving an email on the existing system -
When an e-mail is received from an individual the following process occurs from
top to bottom until the message lands in the recipients mailbox.
Based on the MX records for the domain, inbound mail arrives directly
at the Exchange server on Port 25
We will later point our MX records at MessageLabs who will receive the e-mail
on our behalf before content scanning. The message will then be delivered to
our new Exim server in the DMZ. Our Exim server then performs its checks on
any aliases and domains that may need re-writing or re-directing before final
delivery to Exchange.
- Steps Involved -
The tutorial will be done in stages, starting with the default installation.
We will only move onto the next step after the successful testing of the
previous step. This not only makes the tutorial easier to follow but gives us an
idea where we went wrong should we make a mistake.
Going Live
Troubleshooting
- Building the server -
For our Exim server we are using a Pentium III 700Mhz with 256Mb RAM and a
10/100Mb network card (or better).
For testing purposes all of the initial work was done on “Fedora Core*”,
installed on a single 10GB IDE hard drive with one big root “/” partition and a
512Mb swap partition. We disabled the firewall and ran the full gnome desktop
with Remote Desktop (a modified version of VNC), to help us get things
working quickly and iron out any problems.
Once we are familiar with the new Exim server and have got a working
configuration we save all the config files to a floppy or USB memory stick and
start again, this time paying more attention to resilience and security.
A 3ware Escalade RAID controller** and 2 IDE hard disks provide excellent
value for money and are very well supported by most Linux kernels and the
SMART disk monitoring daemon.
We keep the 512Mb swap partition but split the remaining disk space between
a root “/” and “/var” partition and installed the 3ware monitoring software.
We install Red Hat Enterprise Linux 4*** on the server with a subscription to
Red Hat Network****. We opt for a basic subscription as we are only concerned
about getting security updates. The firewall is enabled, SMTP and SSH are the
only services allowed through the firewall.
If the Gnome or KDE desktop is installed we would also need to open port
5900:tcp to use the remote desktop feature.
The remote desktop feature***** is useful for watching the messages come in
and out via the Exim monitor “eximon” but does introduce an extra set of
services and ports to secure.
The Exim server should have a hostname, IP address, subnet mask and default
gateway set at installation. These should be established before the installation
begins instead of installing the server with a DHCP address then changing
these via the applet later. The server should at least be able to resolve its own
hostname and Fully qualified hostname (FQDN) via the hosts file (/etc/hosts).
- Internet Connectivity -
Check for a working Internet connection and setup a time server for the
machine to use as a reference. Accurate time is essential for making sense of
mail headers and log files.
- Updates -
The system should be updated by the Red Hat Network on a regular basis. On
the test systems we automate updates using a script in /etc/cron.hourly. On
the live system we automate this via the Red Hat Network. Should you decide
to use a script you may want to consider if kernel updates should be done
automatically or by hand.
(you can use “pup”, “yum” or the “yum” service on Fedora Core 5 onwards)
- Backups -
To begin setting up our Exim SMTP Gateway we now switch the default mail
transport from Sendmail to Exim. On most distributions the package required
to do this is called system-switch-mail or system-switch-mail-gnome.
- Queue Frequency -
For testing we will set the default queue run interval to 1 minute, making it
easy to see how Exim handles large or difficult messages.
To do this we need to change the default QUEUE setting from 1 hour (1h) to
1 minute (1m). Remember to put it back before going live; a one-minute queue
run is only useful while watching the queue during testing.
# /etc/sysconfig/exim
DAEMON=yes
QUEUE=1m
To edit the file type:
gedit /etc/sysconfig/exim <enter>
Once your Exim relay is up and running you may need to change
configuration remotely. To do this you may want to use SSH and the VI
text editor from a Unix/Linux box, or WinSCP from a Windows PC.
This type of remote management requires that port 22 be open, and the
SSH (Secure Shell) service running.
For security reasons, SSH would normally be blocked at the firewall to all
*external* connections. This is highly recommended on most systems.
- Exim Monitor -
It would be useful to see if Exim is running correctly during our testing.
Select the Startup Programs tab, click Add, type eximon, click OK, click
Close.
Now reboot and look out for any Sendmail or Exim error messages on start-up.
Once you have logged in the Exim Monitor should start up automatically.
- A Test Email Using the Default Config -
Now Exim is running we can send ourselves a test e-mail from the command
line.
First open up a Terminal (The Linux equivalent of a DOS Prompt) then type:
NOTE:
DON'T FORGET A BLANK LINE BEFORE THE CTRL-D
On the Monitor screen you should now see your message being processed.
If you would prefer to use a program rather than the command line to send
messages during testing, or couldn't figure out how to do it via the command
line, you can always use one of the following programs configured for a local
mailbox to send email using the “root” account.
- Test SMTP connectivity from Exim to Exchange -
From the Exim server, open a Terminal and type:
NOTE:
Replace “exch1.exch1.exch1.exch1” with the IP Address or the
hostname of your Exchange server
telnet exch1.exch1.exch1.exch1 25 <enter>
Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at Thu, 10 Feb 2005 11:18:41 +0000
If it worked type:
quit <enter> to close the connection, then continue onto the next section.
If it didn't work:
Make sure both machines can see each other and are not being blocked by a
hardware or software firewall on either box.
If the firewall is running on the Exchange server, make sure the Mail (SMTP)
service on port 25 is open, and accessible to the Exim box.
NOTE:
If you are running a firewall that prevents Exim seeing the Exchange
servers you may need a firewall rule such as:
Allow:
exim.exim.exim.exim > exch1.exch1.exch1.exch1 : port 25 (SMTP)
- Test SMTP connectivity from Exchange to Exim -
From the Exchange server, open up a DOS Prompt and type:
NOTE:
Replace “exim.exim.exim.exim” with the IP Address or the
hostname of your Exim box
telnet exim.exim.exim.exim 25 <enter>
Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000
If it worked type:
quit <enter> to close the connection, then continue onto the next section.
If it didn't work:
Make sure both machines can see each other and are not being blocked by a
hardware or software firewall on either box.
If the firewall is running on the Exim box, make sure the Mail (SMTP) service on
port 25 is open.
NOTE:
For troubleshooting purposes only, typing the following in a terminal
will stop the IP Tables firewall if it is running (use “service iptables
start” to put it back afterwards):
service iptables stop <enter>
The commands we type are the lines marked <enter>; the other lines are the
server's responses. First we send a message from Exim to Exchange:
telnet exch1.exch1.exch1.exch1 25 <enter>
Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at Thu, 10 Feb 2005 11:18:41 +0000
helo exim.exim.exim.exim <enter>
250 my-exchange.my-domain.fictionalcompany.com Hello [exim.exim.exim.exim]
mail from: sendername@senderdomain.com <enter>
250 sendername@senderdomain.com....Sender Ok
rcpt to: recipientname@recipientdomain.com <enter>
250 recipientname@recipientdomain.com
data <enter>
354 Start mail input; end with <CRLF>.<CRLF>
(type a short message, then a line containing only a full stop)
. <enter>
quit <enter>
Hopefully your message will be accepted for relay and will arrive shortly.
COMMON ERRORS:
error 510
The domain name you specified as the senders domain does not exist.
error 503
The recipient was specified before the sender
error 550
Relay Denied
A “Relay Denied” message indicates that Exim is able to reach the SMTP
service running on Exchange, but is not allowed to relay messages. To correct
this change the relay permissions in Exchange:
Check your settings for each of the following then restart the SMTP service:
The commands we type are the lines marked <enter>; the other lines are the
server's responses. Now we send a message from Exchange to Exim:
telnet exim.exim.exim.exim 25 <enter>
Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000
helo exch1.exch1.exch1.exch1 <enter>
250 your-hostname Hello exch1.exch1.exch1.exch1 [exch1.exch1.exch1.exch1]
mail from: sendername@senderdomain.com <enter>
250 Ok
rcpt to: recipientname@recipientdomain.com <enter>
250 Accepted
data <enter>
354 Enter message, ending with "." on a line by itself
(type a short message, then a line containing only a full stop)
. <enter>
250 OK [Message-ID]
quit <enter>
221 your-hostname closing connection
Hopefully your message will be accepted for relay and will arrive shortly.
COMMON ERRORS:
error 510
The domain name you specified as the senders domain does not exist.
error 503
The recipient was specified before the sender
error 550
Relay Denied
A “Relay Denied” message indicates that Exchange is able to reach the SMTP
service running on Exim, but is not allowed to relay messages. This means that
your default Exim config will not allow relay. We will replace this config in the
next section anyway.
Note:
Repeating this test on the Exim server, from the Exim server using
127.0.0.1 as the IP Address (the loop-back address), will prove that the
server is working, but relay permissions are denying remote connections.
If you got this far, Congratulations!
If everything has worked so far, we have proved we have an ability to send
messages backwards and forwards between the two servers, allowing Exim to
act as a relay between the Internet and Exchange.
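The two telnet sessions above can be scripted so the same check can be repeated after every configuration change. The following is an added example (my own code, not part of the original paper and not Exim or Exchange code): relay_check() performs the MAIL FROM / RCPT TO exchange against any host and reads the verdict from the RCPT TO reply, a 2xx meaning the host will take the message and a 5xx being the “Relay Denied” case above. So that it can be run offline, the module also contains a constructed fake MTA that only imitates those replies; the host names, addresses, the “fake-mta” banner and the domain list it relays for are all made up. Point relay_check() at a real host on port 25 to test Exim or Exchange for real.

```python
"""Scripted version of the relay test done by hand with telnet above.

Added example (not from the paper, and not Exim or Exchange code).
relay_check() talks real SMTP to any host; FakeMTAHandler is a constructed
stand-in that answers like the servers in the transcripts so the module can
run offline, e.g. via demo().
"""
import smtplib
import socketserver
import threading


class FakeMTAHandler(socketserver.StreamRequestHandler):
    """Constructed SMTP responder: accepts RCPT TO only for its own domains
    and answers 550 for anything else, the "Relay Denied" case above."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 fake-mta ESMTP ready")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 fake-mta Hello")
            elif verb == "MAIL":
                self.reply("250 OK")
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if domain in self.server.relay_domains:
                    self.reply("250 Accepted")
                else:
                    self.reply("550 relay not permitted at this server")
            elif verb == "QUIT":
                self.reply("221 fake-mta closing connection")
                return
            else:
                self.reply("502 Command not implemented")


def start_fake_mta(relay_domains):
    """Start the constructed responder on a free loopback port; return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMTAHandler)
    server.daemon_threads = True
    server.relay_domains = {d.lower() for d in relay_domains}
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def relay_check(host, port, sender, recipient, timeout=10):
    """Return True if host accepts RCPT TO:<recipient>, False if it answers 5xx.

    Anything else (connection failure, rejected sender, 4xx) raises, so a
    broken network path is never mistaken for a "relay denied" answer.
    """
    # local_hostname avoids a reverse DNS lookup for our own name
    with smtplib.SMTP(host, port, local_hostname="relay-test.invalid",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            raise smtplib.SMTPSenderRefused(code, msg, sender)
        code, msg = smtp.rcpt(recipient)
        if 200 <= code < 300:
            return True
        if 500 <= code < 600:
            return False
        raise smtplib.SMTPRecipientsRefused({recipient: (code, msg)})


def demo():
    """Offline run of the two checks the paper does by hand (constructed data)."""
    server, port = start_fake_mta({"fictionalcompany.com"})
    try:
        return {
            # inbound mail for our own domain must be accepted ...
            "accepts_own_domain": relay_check(
                "127.0.0.1", port, "user@example.net", "user1@fictionalcompany.com"),
            # ... but mail for a stranger's domain must not be relayed
            "relays_for_strangers": relay_check(
                "127.0.0.1", port, "user@example.net", "victim@example.org"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

When run against a real relay, the useful result is the second one: a host that returns True for a recipient in a domain it does not handle, from a source address it does not trust, is an open relay regardless of what its GUI settings claim.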
Depending on your previous experience, you may now know significantly more
about sending messages over SMTP than you did before.
You have probably also figured out how easy it is for “spammers” to automate
the generation of the millions of spam messages sent every day through
poorly configured hosts. Exim can be extended to provide the basis of an
excellent spam filtering solution when combined with SpamAssassin.
Most people will find the section we just completed on Network, Firewall, DMZ
and LAN configuration more difficult than any of the other tasks in this paper. It
should get easier from here.
Now the foundations are in place we will begin generating our own custom
configuration.
- Breakdown of the new Exim configuration -
The new Exim config will consist of the following files, all located in /etc/exim.
This may seem very elaborate for most installations, but the aim of this tutorial
is to break everything down into small, bite-sized chunks that are as
self-explanatory as possible.
- The Files -
/etc/exim/exim.conf
This will become our standard or “stock” config file that should never need
changing once the initial settings have been made. Get this file right and you
can drop it in every installation you make here on.
/etc/exim/exim-local-settings.txt
This file will contain any settings we want to make specific to this host. Later
this file can be used to add some of the more advanced configuration options.
/etc/exim/exim-accept-from-this-list-of-ip-addresses.txt
This file is used in addition to firewall rules to determine which hosts or
networks are allowed to use the Exim Relay.
/etc/exim/exim-accept-for-this-list-of-domains.txt
This file is used to determine which domains are allowed to use the Exim Relay.
/etc/exim/exim-redirect-mail-for-this-list-of-users.txt
This file contains a list of email addresses to redirect, along with the e-mail
address to redirect to. Useful for example when an employee is unexpectedly
taken ill, or out of the office for a long period of time e.g. maternity leave.
/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt
This file contains the actual list of servers to deliver messages to for each
domain we relay for
We will start with the simple config files first then move on to an explanation of
the main exim.conf later.
NOTE:
IN EACH OF THE FOLLOWING EXAMPLES SUBSTITUTE THE
FICTIONALCOMPANY.COM INFORMATION WITH YOUR OWN NAMES,
ADDRESSES AND DOMAINS.
- exim-local-settings.txt -
NOTE:
In this example we will make the following local settings.
We are also going to change the default SMTP banner to hide specific
version information from the casual observer. This is not foolproof but
makes us a less likely target for automated attacks.
# /etc/exim/exim-local-settings.txt
# the name this server announces itself with (example value, use your own)
primary_hostname = exim.fictionalcompany.com
# replace the default banner, which reveals the Exim version, with a plain one
smtp_banner = $primary_hostname ESMTP
NOTE:
lines beginning with a # (hash sign) are comments and are ignored.
Place your config on lines under comments, using tabs may improve
the readability of the file.
If you choose to edit these files using a Windows PC and find problems
with carriage returns at the end of each line, try using WinVI* or the
Edit facility in WinSCP** instead of using Windows notepad.
# /etc/exim/exim-accept-from-this-list-of-ip-addresses.txt
# hosts and networks allowed to relay mail to any destination through this server
127.0.0.1
exch1.exch1.exch1.exch1
exch2.exch2.exch2.exch2
exch3.exch3.exch3.exch3
Only list hosts that must be able to send mail to any destination through the
relay, i.e. the relay itself and your Exchange servers. Do not list your
scanning service's hosts: inbound mail from them is for your own domains and
is accepted by the domain list instead, so listing them would allow mail
arriving from the service for any domain, not just yours, to be relayed onwards.
CIDR notation may be used in this file. For more info on CIDR notation see:
http://www.webopedia.com/TERM/C/CIDR.html
* WinVi http://www.winvi.de/en/
** WinSCP http://winscp.sourceforge.net
*** Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/
- exim-accept-for-this-list-of-domains.txt -
List each domain we are going to relay for in this file.
# /etc/exim/exim-accept-for-this-list-of-domains.txt
domain1.com
domain2.com
domain3.com
Simple as that.
- exim-redirect-mail-for-this-list-of-users.txt -
List the e-mail address we want to be redirected, and the e-mail address we
want to redirect it to.
# /etc/exim/exim-redirect-mail-for-this-list-of-users.txt
postmaster@domain1.com: it-manager@domain1.com
previous.employee@domain1.com: new.employee@domain1.com
vacancies@domain2.com: humanresources@domain1.com
maiden-name@domain3.com: married-name@domain3.com
joe-bloggs@uk-office.co.uk: joe-bloggs@us-office.com
no-spam-112233@domain1.co.uk: real-account@domain1.co.uk
Each entry is separated with a colon (:) and at least one space, followed by the
new address.
As a general rule:
# /etc/exim/exim-deliver-mail-to-this-list-of-servers.txt
# example by hostname
fictionalcompany.com: exchange.fictionalcompany.com
# example by ip address
domain1.com: exch1.exch1.exch1.exch1
domain2.com: exch2.exch2.exch2.exch2
domain3.com: exch3.exch3.exch3.exch3
domain4.com: 10.1.1.1:10.2.2.2
Each entry is separated with a colon (:) and at least one space. More than one
server may be listed for a domain, separated by colons, and Exim tries them in
the order given, so a backup server can follow the primary.
As a general rule:
# /etc/exim/exim.conf
.include /etc/exim/exim-local-settings.txt

# Named lists read from the small files described above. A list item that
# begins with a slash is a file name; Exim reads one entry per line.
domainlist local_domains =
domainlist relay_to_domains = /etc/exim/exim-accept-for-this-list-of-domains.txt
hostlist relay_from_hosts = /etc/exim/exim-accept-from-this-list-of-ip-addresses.txt

acl_smtp_rcpt = acl_check_rcpt
never_users = root

begin acl

acl_check_rcpt:
  accept hosts = :
  # the leading-dot test is written as ^[.] so no backslash quoting is needed
  deny local_parts = ^.*[@%!/|] : ^[.]
  accept hosts = +relay_from_hosts
  accept domains = +relay_to_domains
  deny message = relay not permitted at this server

begin routers

redirect:
  driver = redirect
  data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users.txt}}

internal:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt}}

external:
  driver = dnslookup
  domains = ! +relay_to_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

begin transports

remote_smtp:
  driver = smtp
We will break the file down into more manageable sections over the next few
pages:
Section #1 of exim.conf – Initial Settings
# /etc/exim/exim.conf
.include /etc/exim/exim-local-settings.txt
domainlist local_domains =
acl_smtp_rcpt = acl_check_rcpt
never_users = root
We don't have any local domains so this is set but left empty
(local meaning a mailbox actually held and stored on the Exim server)
domainlist local_domains =
Section #2 of exim.conf – Access Control (ACL) Settings
acl_check_rcpt:
  accept hosts = :
  deny local_parts = ^.*[@%!/|] : ^[.]
  accept hosts = +relay_from_hosts
  accept domains = +relay_to_domains
  deny message = relay not permitted at this server
Each RCPT TO command is checked against these statements in order. Mail
submitted locally on the Exim box (the empty item in “hosts = :”) is always
accepted. Recipients whose local part contains @ % ! / or | or begins with a
dot are refused; these are the old source-routing characters that have been
used to relay through hosts that thought they were delivering locally. Hosts
listed in /etc/exim/exim-accept-from-this-list-of-ip-addresses.txt (the
relay_from_hosts list) may send to any domain, and any host may send to the
domains listed in /etc/exim/exim-accept-for-this-list-of-domains.txt (the
relay_to_domains list).
Otherwise reply with an error 550 “relay not permitted at this server”
message. If not explicitly accepted by any other section, deny for relay.
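To see which statement fires for a given connection before loading the real configuration, here is an added example (my own Python, not Exim and not from the original paper) that applies the checks above in the same order over the two list files. The list files are embedded as constructed samples in the paper's format; the addresses and networks in them are made up, and relay_from_hosts is the standard Exim name I use for the address-list file, which the paper's own config fragment does not name.

```python
"""Python model of acl_check_rcpt, run over the two list files.

Added example (not from the paper and not Exim): it applies the same checks
in the same order as the ACL above, so you can see which statement accepts or
refuses a given (connecting host, recipient) pair. Sample list files are
constructed here in the paper's format: one entry per line, "#" comments,
CIDR allowed in the address list.
"""
import ipaddress
import re

# constructed stand-in for /etc/exim/exim-accept-from-this-list-of-ip-addresses.txt
SAMPLE_HOST_LIST = """\
# Exim itself and the Exchange servers that may relay through us
127.0.0.1
10.1.1.0/24
192.0.2.25
"""

# constructed stand-in for /etc/exim/exim-accept-for-this-list-of-domains.txt
SAMPLE_DOMAIN_LIST = """\
domain1.com
domain2.com
domain3.com
"""

# same two patterns as the ACL line  deny local_parts = ^.*[@%!/|] : ^[.]
# (@ % ! / | are the old source-routing characters; a leading dot is refused too)
BAD_LOCAL_PART = re.compile(r"^.*[@%!/|]|^\.")

RELAY_DENIED = "550 relay not permitted at this server"


def parse_list(text):
    """Return the entries of a list file, skipping blanks and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def load_hosts(text):
    """Host entries as ip_network objects (a bare address becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in parse_list(text)]


def load_domains(text):
    return {d.lower() for d in parse_list(text)}


def acl_check_rcpt(sender_host, recipient, relay_from_hosts, relay_to_domains):
    """Return ("accept" | "deny", reason) for one RCPT TO.

    sender_host is the connecting IP as a string, or None for mail submitted
    locally on the Exim box (the empty item in Exim's "accept hosts = :").
    """
    local_part, _, domain = recipient.rpartition("@")

    # accept hosts = :
    if sender_host is None:
        return "accept", "local submission"

    # deny local_parts = ^.*[@%!/|] : ^[.]
    if BAD_LOCAL_PART.search(local_part):
        return "deny", "restricted characters in local part"

    # accept hosts = +relay_from_hosts   (our own servers may send anywhere)
    addr = ipaddress.ip_address(sender_host)
    if any(addr in net for net in relay_from_hosts):
        return "accept", "host is in relay_from_hosts"

    # accept domains = +relay_to_domains   (anyone may send to our domains)
    if domain.lower() in relay_to_domains:
        return "accept", "domain is in relay_to_domains"

    # deny message = relay not permitted at this server
    return "deny", RELAY_DENIED


def demo():
    """Run a few constructed cases and return {case: verdict}."""
    hosts = load_hosts(SAMPLE_HOST_LIST)
    domains = load_domains(SAMPLE_DOMAIN_LIST)
    cases = {
        "local, any domain": (None, "anyone@example.org"),
        "LAN Exchange, outbound": ("10.1.1.7", "anyone@example.org"),
        "internet, inbound for us": ("198.51.100.9", "user1@domain2.com"),
        "internet, open-relay attempt": ("198.51.100.9", "victim@example.org"),
        "internet, percent-hack attempt": ("198.51.100.9", "victim%example.org@domain1.com"),
    }
    return {name: acl_check_rcpt(h, r, hosts, domains) for name, (h, r) in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:32} {verdict:6} {reason}")
```

The last case is the one the reference “exploiting SMTP relay even when SMTP relay is disabled” is about: the recipient domain is ours, so a domain-only check would accept it, but the % in the local part would make the next hop deliver it elsewhere. The deny on local parts sits before the host and domain accepts so that a listed Exchange server cannot be used that way either.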
Section #3 of exim.conf – Router Settings
redirect:
driver = redirect
data = ${lookup{$local_part@$domain}
lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users.txt}}
internal:
driver = manualroute
domains = +relay_to_domains
transport = remote_smtp
route_data = ${lookup{$domain}partial-lsearch
{/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt}}
external:
driver = dnslookup
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
The REDIRECT router looks up each recipient address in
/etc/exim/exim-redirect-mail-for-this-list-of-users.txt and, if it finds a
match, replaces the address with the one on the right-hand side; addresses that
are not listed pass through unchanged to the next router.
redirect:
  driver = redirect
  data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users.txt}}
The INTERNAL router handles the domains we relay for. It looks up the
recipient's domain in /etc/exim/exim-deliver-mail-to-this-list-of-servers.txt
to find the Exchange server(s) to hand the message to.
internal:
  driver = manualroute
  domains = +relay_to_domains
  transport = remote_smtp
  route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt}}
The EXTERNAL mail router
Process all of our external deliveries.
The first via normal, straight delivery via MX records, and the second via a
third party scanning service or appliance such as MessageLabs or
SurfControl RiskFilter.
NOTE:
You may only use one of the EXTERNAL routers shown below.
# Option 1: deliver directly using the MX records of the recipient's domain
external:
  driver = dnslookup
  domains = ! +relay_to_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
# Option 2: hand every external message to the scanning service; the primary
# and backup hosts are tried in the order listed
external:
  driver = manualroute
  domains = ! +relay_to_domains
  transport = remote_smtp
  route_list = * mail19.messagelabs.com:mail20.messagelabs.com
  no_more
Both options use the same transport:
remote_smtp:
  driver = smtp
- Create our new config -
Now that you understand the contents of our Exim configuration we can start
to build our own.
Using the previous pages as an example, create your new config by editing or
creating all of the following files, replacing the FictionalCompany.com details
with your own.
You may want to get the following details ready before creating the
new config:
Firewall IP Address : . . .
Router IP Address : . . .
Your new Exim config will consist of the following files, all located in /etc/exim
Once you have created your new config, reboot and we will test it.
If everything works correctly we can make Exim the default “smarthost” for all
outbound mail sent from Outlook and Exchange.
NOTE:
From this point we move from testing to going live, some users may be
more comfortable performing the next steps out of hours or during
weekends.
Exchange requires you to put square brackets around the IP address if you
intend to use the IP literally e.g [192.168.1.1]
The Default SMTP Virtual Server will need to be restarted for this to take effect.
If everything works correctly after the SMTP Virtual Server restart we will have
proved that Outbound mail is being processed correctly by Exim.
The only thing left to do is to make Exim the default server for Inbound mail by
making changes on your firewall, or by asking your ISP to add or modify your
DNS records so that your new Exim SMTP relay is the MX record with the lowest
preference number for inbound e-mail.
(The MX record with the lowest preference number is the one other mail servers
try first.)
Now when mail is delivered to your domain the MX record should point at Exim
not Exchange, hence Exim will receive the mail not Exchange.
● Put Exim on its own IP Address in the DMZ and change your MX records.
(Requires changes to the DNS records held by your ISP)
Some of these changes may require you to modify settings on your main
firewall.
Some of these changes may require you to modify the DNS settings for your
domain.
DNS changes can take between 24-48 hours to propagate and may be best
done over a weekend.
- Option 2: Third party scanning -
NOTE:
Be sure to include the correct section for your “external” router in
/etc/exim/exim.conf.
e.g
route_list = * mail19.messagelabs.com
would become
route_list = * av1.av1.av1.av1
Your new Exim config will consist of the following files, all located in /etc/exim
Once you have created your new config, reboot and we will test it.
NOTE:
From this point we move from testing to going live, some users may be
more comfortable performing the next steps out of hours or during
weekends.
Exchange requires you to put square brackets around the IP address if you
intend to use the IP literally e.g [192.168.1.1]
The Default SMTP Virtual Server will need to be restarted for this to take effect.
If everything works correctly after the SMTP Virtual Server restart we will have
proved that Outbound mail is being processed correctly by Exim.
The only thing left to do is to make Exim (or your mail scanning service or
appliance) the default server for Inbound mail by making changes on your
firewall, or by asking your ISP to add or modify your MX records so that it is
the MX record with the lowest preference number for inbound e-mail.
(The MX record with the lowest preference number is the one other mail servers
try first.)
Now when mail is delivered to your domain the MX record should point at Exim
(or your mail scanning service or appliance) not Exchange, hence Exim will
receive the mail before Exchange.
● Put Exim on its own IP Address in the DMZ and change your MX records.
(Requires changes to the DNS records held by your ISP)
Some of these changes may require you to modify the DNS settings for your
domain.
DNS changes can take between 24-48 hours to propagate and may be best
done over a weekend.
- Going live -
Eximon can be used to view all inbound and outbound mail on the queue.
The following commands are also useful for monitoring the queue and can be
used remotely over SSH (or putty on a Windows PC).
Additionally you can test how Exim will route an individual address, without
sending anything, by using the -bt option:
exim -bt username@fictionalcompany.com <enter>
username@fictionalcompany.com
  router = external, transport = remote_smtp
  host mail19.messagelabs.com [193.109.254.3]
  host mail19.messagelabs.com [212.125.75.19]
NOTE:
Once Exim has replaced Exchange as the SMTP gateway for your
network, Exchange can be pulled back onto the LAN (if it wasn't
already) where it can benefit from the same security as your
other private servers.
- Troubleshooting -
If you have any problems once your Exim SMTP Relay is in place check the
following:
www.exim.org
For general questions about this tutorial (not specific errors, they belong on the
mailing list), feel free to contact me with as much info as possible on:
jason@exim-new-users.co.uk
www.exim-new-users.co.uk
To date this paper has been downloaded over 10,000 times, however I have
only ever received 15-20 emails about it. If you find the paper useful please
send me an email to tell me where you are using your new server.
(It really does make all of the long nights and weekends working on papers like
this worthwhile and I genuinely want to hear your feedback about the paper,
good or bad)
Thanks, Jason
- Common Mistakes and How to Avoid Them -
Sendmail and Exim
up2date -uf
mv /usr/sbin/sendmail /usr/sbin/sendmail.old
chmod 0600 /usr/sbin/sendmail.old
ln -s /usr/exim/bin/exim /usr/sbin/sendmail
File Locations
Config files
e.g.
exim@fictionalcompany.com should have been
exim.fictionalcompany.com if it represents a hostname
- Monitoring queues with Eximstate -
Eximstate is a fantastic tool that we use to report back to one central console.
We use this along with Apache to monitor every site from a single webpage.
http://www.olliecook.net/projects/eximstate/
- Monitoring messages with Exilog -
Exilog is another great tool for viewing or searching all messages that pass
through your server.
http://duncanthrax.net/exilog/
- Future versions of this paper -
This paper was originally written between 2004 and 2005 for the
First International Exim Conference and Tutorial held on 23 and
24 February 2005.
http://www.uit.co.uk/exim-conference/
The paper has been used extensively as a reference guide for creating Exim
“mail-hubs” or “smarthosts” for Exchange servers; however, I have been
pleasantly surprised by the number of people who have adapted the paper for
other types of situations that don't involve Exchange at all.
All current versions of this paper will be kept with their original filenames:
http://www.exim-new-users.co.uk/Integrating_Exim_with_Exchange_Tutorial_v.1.0.pdf
http://www.exim-new-users.co.uk/Integrating_Exim_with_Exchange_Tutorial_v.1.1.pdf
http://www.exim-new-users.co.uk/Integrating_Exim_with_Exchange_Tutorial_v.1.2.pdf
http://www.uit.co.uk/exim-conference/full-papers/jason-meers.pdf
http://www.exim-new-users.co.uk
I intend to keep the Exchange versions of this paper updated as and when
required, however I would also like to create new, more generic papers
based on this one that are not Exchange-specific and have more user-friendly
and search-friendly titles such as:
HOWTO-build-a-small-exim-mail-server
HOWTO-build-an-exim-mail-hub
Future versions may also be supplied with the actual configuration files in RPM
format to make things even easier. Please contact me if you would be
interested in testing and trying these updated versions prior to release.
- My Book -
I am currently writing a beginner's guide to Exim which is due to be published
by UIT Cambridge in 2007. Please check back on their site in mid 2007 if you
would be interested in purchasing a copy of my book:
http://www.uit.co.uk/bookshop.htm
Suggested further reading for extending the functionality of Exim with LDAP,
virus and spam filtering capabilities.
Books
Practical TCP/IP, Niall Mansfield (UIT Cambridge)
SpamAssassin, Alan Schwartz (O'Reilly)
Websites
Exim www.exim.org
Exim-new-users www.exim-new-users.co.uk
MailScanner www.mailscanner.info
Clam-AV www.clamav.net
SpamAssassin http://spamassassin.apache.org
- Copyright -
All trademarks used in this document are the property of their respective
owners.
- Licence -
This document is released under the Creative Commons Attribution-ShareAlike 2.0 licence.
Attribution-ShareAlike 2.0
You are free:
● to copy, distribute, display, and perform the work
● to make derivative works
● to make commercial use of the work
Your fair use and other rights are in no way affected by the above.
This is a human-readable summary of the Legal Code (the full license).
- Liability -
The author accepts no liability for any damage or loss caused by the use of
information contained in this document. While every effort has been made in
the creation of this document, the author does not guarantee the accuracy of
any of the information contained in this document. It is the reader's
responsibility to decide for themselves if the information contained is accurate
when deciding to follow the tutorial.
The author also recommends that anyone wishing to follow the tutorial should
purchase a new, separate domain name for the purpose of testing to ensure no
business critical systems are affected.