Integrating Exim with Exchange

- Advanced routing and security for vulnerable hosts -

J.Meers - Mediavest
Prepared for the First International Exim Conference and Tutorial – Feb 2005
Version 1.2 – Updated Dec 2006
 - Contents -

Abstract

Objective and Scope

Assumptions and Reasoning

Problem Scenario

Security Considerations

Routing Considerations

Possible Solutions

Selected Solution

Debian and Ubuntu users

Tutorial: Exim, Exchange and MessageLabs integration

Common mistakes and how to avoid them

Monitoring queues with EximState

Monitoring messages with Exilog

Future versions of this paper

My Book

Further reading & references

Thanks

Copyright

Licence

Liability
 - Abstract -
Exim

Exim is a message transfer agent (MTA) developed at the University of

Cambridge for use on Unix systems connected to the Internet. It is freely
available under the terms of the GNU General Public Licence. In style it is
similar to Smail 3, but its facilities are more general. There is a great deal of
flexibility in the way mail can be routed, and there are extensive facilities for
checking incoming mail. Exim can be installed in place of Sendmail, although
the configuration of Exim is quite different to that of Sendmail.

Microsoft Exchange

Exchange is Microsoft's flagship messaging product with over 100 million

licences sold worldwide. Securing this product is a challenge for any
administrator. To properly secure Exchange attention must also be paid to
Operating System security, Active Directory security, NT/2000/2003 file and
folder security, LDAP security, RPC security as well as the notorious IIS
webserver.

For many administrators having so many vulnerable services to contend with is

difficult enough without the added security concerns that come from
connecting a server holding private data directly to the Internet.

MessageLabs - Third-party mail scanning service

“MessageLabs” is a mail scanning service similar to the ones offered by

“Postini” and “IronPort”. A customers e-mail is first delivered a the third-party
scanning service who will scan each message and any attachments for viruses
and spam. If the message is clean it is passed on to the company e-mail server
for final delivery to the end user.

This third-party scanning could equally be any other mail scanning service or a
dedicated mail scanning appliance such as a “SurfControl RiskFilter” held on
the organizations own premises.
 - Objective and Scope -
This paper attempts to addresses issues for administrators who must use
Exchange in a corporate environment, but have concerns over its ability to
protect the valuable resources it holds, or its ability to provide advanced
routing and filtering of messages before delivery.

This paper shows a real-life example of Exim in use as an SMTP gateway to an

internal Exchange server, providing a level of separation from Internet based
enumeration and exploit.

The tutorial provides a mechanism for:

● Proving temporary redirection by domain.

● Providing permanent redirection by email address.

● Restricting the domains allowed for relay and delivery.

● Restricting IP addresses allowed for relay and delivery.

● Sending and receiving mail via a dedicated appliance or third party

Virus/Spam/Porn scanning service such as MessageLabs.

The paper discusses a method for removing many of the risks associated with
presenting Microsoft Exchange directly to the Internet.

NOTE:
This paper does not attempt to provide detailed information on securing
Microsoft Windows, Microsoft Exchange, Active Directory and IIS.
 - Assumptions and Reasoning -
It is assumed that the reader does not need convincing that protecting
or hiding the following information or services from attackers is
sensible:

● Services that run with administrative privileges.

● Services that can be used to disclose information (Active Directory, LDAP).

● Services which advertise version information that can be used to establish

which security updates have, and have not not been applied.

● Local administrative accounts and domain administrative accounts.

● Internal usernames and passwords.

● Default accounts or guest accounts with known, empty or weak passwords.

● Internal e-mail addresses, groups and distribution lists.

● Confidential information and correspondence.

It is also assumed that the reader does not need convincing that
restricting internet access to the following services is more reliable
and more secure than allowing connections from any host and relying
the services themselves to fend off security flaws and brute force
attacks:

● SMTP

● Outlook Web Access (OWA)

● IMAP

● POP3

● RPC, LDAP and SMB connections

NOTE:
Any service that can be used remotely to validate credentials is a
potential liability, and given enough time or a big enough dictionary of
words, an attacker can establish a username and password to begin
trying to escalate their privileges on the target system.

Most security specialists would agree: No server holding

confidential data should ever be connected directly to the
Internet.
If the reader needs any further evidence to support the statements made
above, or simply wishes to find out more information about securing Exchange
the following documents provide further independent analysis.

Incidentally, all of the documents below re-enforce the recommendations made

in this paper, they also recommend that the main Exchange server(s) should be
moved back at least one level from any public facing Internet connections.

Paper
Securing Exchange 2000, Part One
Chris Weber, Security Engineer, Foundstone
http://securityfocus.com/infocus/1572
Securing Exchange 2000, Part Two
Chris Weber, Security Engineer, Foundstone
http://securityfocus.com/infocus/1578
Securing your Exchange Server
Installation
Monty Hall
http://securityfocus.com/infocus/1305
Exchange 2000 in the Enterprise: Tricks
and Tips Part One
Tim Mullen, Chief Software Architect for
AnchorIS.Com
http://securityfocus.com/infocus/1654
Exchange 2000 in the Enterprise: Tricks
and Tips Part Two
Tim Mullen, Chief Software Architect for
AnchorIS.Com
http://securityfocus.com/infocus/1658
Content
Covers vulnerable ports and services.
Output from port scans, Server enumeration,
LDAP enumeration and pilfering shares with
poor default security
Covers exploiting SMTP relay even when SMTP
relay is disabled.
Front end/Back end configuration, restricting
privileges, using SSL, TLS and IPSEC to encrypt
communications.
Provides advice for securing:
The Operating System, Exchange itself, IIS
webserver and Outlook Web Access , service
accounts, domain security and server
placement.
Covers the use of an SMTP Relay in the DMZ
between Exchange and the Internet.
This paper covers the same topology we will
use in this paper but specifically uses Microsoft
ISA server and Trend Micro's SMTP Relay.
Part two of this paper covers various methods
of encryption .
The paper has an excellent section on securing
Outlook Web Access with the IIS lock-down tool
and some of the caveats introduced such as the
double dot encoded URL.

NOTE:
The “further reading and references” section towards the end of this
paper provide additional material on securing Exchange. Much of this is
at a very technical level and may be too complicated for some users, but
well worth a look should you need guidance on further hardening your
infrastructure with more finely grained access control and encryption.
 - Problem Scenario -
“FictionalCompany.com” require Microsoft Outlook and Microsoft
Exchange to enable the use of Blackberry and Windows based PDA
devices for staff who frequently work out of the office, or on the road.
---

The solution should provide a mechanism for redirecting emails to another

mailbox to handle situations where staff leave, get married or are out of the
office long periods of time due to maternity or illness.

The solution should provide a mechanism for temporary redirection of all email
destined for a particular domain to handle situations where servers, networks,
routers and internet connections fail unexpectedly.

The solution should restrict access for unknown domains and IP addresses to
prevent the system being used as a relay for junk mail.

The solution should provide a mechanism for incorporating some form of mail
content scanning to identify virus, spam and pornographic material before
delivery to users mailboxes. Ideally this should be done before the mail actually
reaches the SMTP relay.

The solution should make configuration as easy a possible to understand and

modify, reducing the chances of making configuration errors.

The IT department have been asked to provide all of this functionality in a

secure manner. No budget has been set, but the final solution should provide
good value for money compared to the other possible alternatives.

The current Exchange installation

The current installation consists of a single Exchange server installed on a

Domain Controller on the LAN. The Domain controller also runs DNS and WINS
for the internal network. The server can communicate over NetBIOS, NetBEUI
and TCP/IP.

The server has been made public using Network Address Translation (NAT).
One of the public IP addresses has been mapped directly to the server on the
LAN by using one-to-one NAT on the firewall.

The firewall has an opening on port 25, allowing any host on the internet to
connect to the SMTP service. POP3, SMTP, IMAP4 and Outlook Web Access are
all enabled on the server, but these are only available to users on the LAN.

This is a typical installation that you might find at any number of Small to
Medium sized Enterprises (SME's).
 - Security Considerations -
● The SMTP service should be the only service accessible from the internet, as
this is the bare minimum required to send and receive e-mail with other
individuals or organisations.

● All other services (POP3, IMAP, Outlook Web Access, RPC, LDAP and SMB
connections) should be unreachable from the internet without first passing
some form of strong authentication such as an IPSEC VPN, or a dial-in service
secured by a secondary mechanism such as RADIUS or RSA SecureID.

NOTE:
This paper does not deal with the various strong authentication methods
available for securing access to the internal corporate network, but
focuses on securing the SMTP service. The SMTP service is one of the
most frequent starting points for attackers as almost every company has
it open.
 - Routing Considerations -
If we employ a single mail hub with an ability to process mail for multiple
domains and servers we will receive the following benefits:

● Reduction of the number of ports and sockets to secure.

● Reduction of management overhead (Less servers to manage).

● Reduction of hardware requirements (Less servers required).

● Flexibility for companies that have multiple business units that share
resources internally but operate as different organisations externally.

● The flexibility to redirect or reject mail at delivery time.

● The ability to extend the system at a later date to content scan messages for
viruses, porn and spam before delivery.

For more information about scanning messages for spam and viruses see the
following article:

http://www.exim-new-users.co.uk/content/view/99/39/
 - Possible Solutions -
Microsoft Exchange as a standalone SMTP relay
Using another Exchange server in its own workgroup avoids the problems
associated with giving away domain administration privileges and domain
passwords, but still suffers from the problems associated with using Exchange
on a public facing internet connection.

Dedicated SMTP relay in the DMZ*

Such as Exim, Trend Micro-Interscan, SurfControl RiskFilter, Clearswift
MimeSweeper etc...

3rd Party Service

Such as MessageLabs, Postini, IronPort etc...

NOTE:
* If a DMZ is not available on your firewall it is still possible to use Exim
using one-to-one NAT and/or port forwarding, but a dedicated DMZ would
always be preferred.
 - Selected Solution -
Our solution will incorporate Exchange with Exim and the
MessageLabs virus scanning service.

Exim provides all the functionality we need with the flexibility to add more
advanced content scanning and filtering at a later date.

The MessageLabs service provides multiple scanning technologies that we can

not hope to better internally without massive investment in extra equipment
and staff.

Using an external content scanning service in conjunction with our Exim relay
also provides cost and efficiency benefits by rejecting virus, spam and porn
before it has consumed bandwidth getting to our SMTP relay.

Requirements:

Firewall A hardware firewall would be preferred, but any firewall with

stateful packet inspection (SPI) and a DMZ (or NAT and port
forwarding).

WAN Any internet connection with at least 1 free, fixed IP address for use
in the DMZ (Unless NAT or port forwarding is used)

DMZ 1 server capable of running Exim

(We will be using a Dell PowerEdge 350 or better - Pentium III
700Mhz with 256Mb RAM on Red Hat Enterprise Linux 4, CentOS 4
or Fedora Core)

LAN Exchange 2000 (SP3) running on Windows 2000 Server (SP4)

Content
Scanning We will be using MessageLabs mail scanning service. For the
purpose of this paper we have been assigned the following hosts,
mail19.messagelabs.com and mail20.messagelabs.com as
the primary and backup hosts to use for sending and receiving
e-mails to be scanned by the service.

NOTE:
The chosen solution does not require a massive investment in hardware,
nor does it require much administration, making it ideal starting point for
the average Small to Medium-sized Enterprise (SME).
 - Debian and Ubuntu users -
By default Debian and Ubuntu offer a different configuration system than other
distributions.
Some users run into problems with this alternate configuration method because
they fail to locate and read the relevant documentation.
The biggest difference as far as this paper is concerned is that the config file
for Debian or a Debian-based distribution like Ubuntu is called:

/etc/exim/exim4.conf

Instead of the usual:

/etc/exim/exim.conf

By default Debian has its own configuration system and configuration files that
will be used unless it can find a configuration file called:

/etc/exim/exim4.conf

More information can be found here:

http://pkg-exim4.alioth.debian.org/README/README.Debian.html

or here:

http://www.exim-new-users.co.uk/content/view/100/39/
- Tutorial -
To make the tutorial easier to following we will use the following 3
fictional domains, each having its own dedicated Exchange server:

domain1.com with an exchange server called exch1

domain2.com with an exchange server called exch2

domain3.com with an exchange server called exch3

...and we will use the following in place of actual IP Addresses:

exch1 = exch1.exch1.exch1.exch1

exch2 = exch2.exch2.exch2.exch2

exch3 = exch3.exch3.exch3.exch3

exim = exim.exim.exim.exim

mail19.messagelabs.com = av1.av1.av1.av1

mail20.messagelabs.com = av2.av2.av2.av2

The final network layout will look like this:

NOTE:
If you don't have multiple domain names or exchange servers just ignore
any lines referring to “domain2.com”, “domain3.com”,
“exch2.exch2.exch2.exch2” and “exch3.exch3.exch3.exch3”. They are
provided for the benefit of larger or more complex installations.
 - Overview of sending an email on the existing system -

When an e-mail is sent from an individual the following process occurs from top
to bottom until the message is delivered to the destination mail server.

The sender types the message in an e-mail client

e.g Message created in Outlook

The sender types in the e-mail address of the recipient in the To: field.
e.g e-mail addressed to user1@fictionalcompany.com

The sender clicks “send” and the message is delivered to the users mail server
e.g Message sent from Outlook to Exchange

The mail server then reads the e-mail address and separates the domain part
of the address from the user part of the address.
e.g fictionalcompany.com

The mail server then contacts a DNS server and requests a list of MX (Mail
eXchange) records for the domain fictionalcompany.com.
e.g pri=5 mail1.fictionalcompany.com
pri=10 mail2.fictionalcompany.com

The mail server then selects the mail server with the highest priority and
connects over SMTP to deliver the mail.
e.g Exchange connects to port 25 on mail1.fictionalcompany.com to
deliver the mail over SMTP.

(The highest priority mail server always has the lowest number in the MX field,
the opposite of what most people expect. The MX record is a special DNS
record used for Mail eXchange between domains)

How this will change:

Once the e-mail arrives on the mail server instead of trying to send the email
directly the email is forwarded to the Exim server where address rewriting and
address redirection may be performed before passing the e-mail onto the
MessageLabs service for virus, porn and spam scanning before final delivery.
 - Overview of receiving an email on the existing system -

When an e-mail is received from an individual the following process occurs from
top to bottom until the message lands in the recipients mailbox.

Based on the MX records for the domain, inbound mail arrives directly
at the Exchange server on Port 25

Exchange decides if it should accept the message

If the message is accepted Exchange delivers the message to the

users mailbox

The user views the message in Outlook

How this will change:

We will later point our MX records at MessageLabs who will receive the e-mail
on our behalf before content scanning. The message will then be delivered to
our new Exim server in the DMZ. Our Exim server then performs its checks on
any aliases and domains that may need re-writing or re-directing before final
delivery to Exchange.
 - Steps Involved -
The tutorial will be done in stages, starting with the default installation.

We will only move onto the next step after the successful testing of the
previous step. This not only makes the tutorial easier to follow but gives us an
idea where we went wrong should we make a mistake.

Build the Server

Network Settings
Internet Connectivity
Updates
Backups
E-mail Transport
Queue Frequency
Exim Monitor

Our First Test E-Mail with the default Exim config.

Test SMTP connectivity between Exchange and Exim

Test SMTP relay between Exchange and Exim

Break Down the Configuration

Create our new config

Option 1: Straight delivery via MX records
Option 2: Third party scanning service or appliance

Going Live

Troubleshooting
 - Building the server -

For our Exim server we are using a Pentium III 700Mhz with 256Mb RAM and a
10/100Mb network card (or better).

Suggested specification for INITIAL TESTING

For testing purposes all of the initial work was done on “Fedora Core*”,
installed on a single 10GB IDE hard drive with one big root “/” partition and a
512Mb swap partition. We disabled the firewall and ran the full gnome desktop
with Remote Desktop (a modified version of VNC), to help us get things
working quickly and iron out any problems.

Once we are familiar with the new Exim server and have got a working
configuration we save all the config files to a floppy or USB memory stick and
start again, this time paying more attention to resilience and security.

Suggested specification for FINAL IMPLEMENTATION

We install a RAID controller in the server and Mirror two drives.

A 3ware Escalade RAID controller** and 2 IDE hard disks provide excellent
value for money and are very well supported by most Linux kernels and the
SMART disk monitoring daemon.

We keep the 512Mb swap partition but split the remaining disk space between
a root “/” and “/var” partition and installed the 3ware monitoring software.

We install Red Hat Enterprise Linux 4*** on the server with a subscription to
Red Hat Network****. We opt for a basic subscription as we are only concerned
about getting security updates. The firewall is enabled, SMTP and SSH are the
only services allowed through the firewall.

If the Gnome or KDE desktop is installed we would also need to open port
5900:tcp to use the remote desktop feature.

The remote desktop feature***** is useful for watching the messages come in
and out vial the Exim monitor “eximon” but does introduce and extra set of
services and ports to secure.

* Fedora Core http://www.fedoraproject.org

** 3ware RAID Storage Solutions http://www.3ware.com
*** RedHat http://www.redhat.com
**** RedHat Network http://rhn.redhat.com
***** System > Preferences > Remote Desktop
 - Network Settings -

The Exim server should have a hostname, IP address, subnet mask and default
gateway set at installation. These should be established before the installation
begins instead of installing the server with a DHCP address then changing
these via the applet later. The server should at least be able to resolve its own
hostname and Fully qualified hostname (FQDN) via the hosts file (/etc/hosts).

Systems Settings > Network

- Internet Connectivity -

Check for a working Internet connection and setup a time server for the
machine to use as a reference. Accurate time is essential for making sense of
mail headers and log files.

Systems Settings > Date & Time

- Updates -

The system should be updated by the Red Hat Network on a regular basis. On
the test systems we automate updates using a script in /etc/cron.hourly. On
the live system we automate this via the Red Hat Network. Should you decide
to use a script you may want to consider if kernel updates should be done
automatically or by hand.

If you wish to script the updates with up2date on RHEL:

To update everything (except skipped packages) up2date -u

To update everything (including skipped packages) up2date -uf
To download updates but not install them up2date -ud
To change up2date settings up2date –-configure

(you can use “pup”, “yum” or the “yum” service on Fedora Core 5 onwards)

To use pup System Tools > Package Updater

To use yum yum -y update

chkconfig yum on

- Backups -

Consider using a USB memory stick to make backups of configuration files.

These can be scheduled by using scripts in /etc/cron.daily, /etc/cron.weekly

and /etc/cron.monthly to backup into separate folders on the USB device.
This is much more secure than enabling NFS, SAMBA or FTP on the box.
 - E-Mail transport -

To begin setting up our Exim SMTP Gateway we now switch the default mail
transport from Sendmail to Exim. On most distributions the package required
to do this is called system-switch-mail or system-switch-mail-gnome.

Preferences > More Preferences > Mail Transport Agent Switcher

Select Exim then click Ok.

- Queue Frequency -

For testing we will set the default queue frequency to 1minuite for making it
easy to see how Exim handles large or difficult messages.

To do this we need to change the default QUEUE setting from 1hour to 1min.

Open up gedit and edit /etc/sysconfig/exim to read as follows:

# /etc/sysconfig/exim

DAEMON=yes
QUEUE=1m

(try /etc/sysconfig/sendmail if /etc/sysconfig/exim doesn't work as expected)

Note - Editing Files:

Gedit can be launched from

Applications > Accessories > Text Editor

or from a the command line e.g

gedit <enter>
gedit /etc/sysconfig/exim <enter>

Once your Exim relay is up and running you may need to change
configuration remotely. To do this you may want to use SSH and the VI
text editor from a Unix/Linux box, or WinSCP from a Windows PC.

This type of remote management requires that port 22 be open, and the
SSH (Secure Shell) service running.

For security reasons, SSH would normally be blocked at the firewall to all
*external* connections. This is highly recommended on most systems.
 - Exim Monitor -
It would be useful to see if Exim is running correctly during our testing.

To do this we use launch the Exim Monitor “eximon” at startup.

Applications > Preferences > More Preferences > Sessions

Select the Startup Programs tab, click Add, type eximon, click OK, click
Close.

Now reboot and look out for any Sendmail or Exim error messages on start-up.
Once you have logged in the Exim Monitor should start up automatically.
 - A Test Email Using the Default Config -
Now Exim is running we can send ourselves a test e-mail from the command
line.

First open up a Terminal (The Linux equivalent of a DOS Prompt) then type:

mail yourname@yourdomain.com <enter>

type your subject <enter>
type your message <enter>
<a deliberate blank line here> <enter>
CTRL-D <hold CTRL and press D>
<ignore the “CC:” prompt> <enter>

NOTE:
DONT FORGET A BLANK LINE BEFORE THE CTRL-D

On the Monitor screen you should now see your message being processed.

If you would prefer to use a program rather than the command line to send
messages during testing, or couldn't figure out how to do it via the command
line, you can always use one of the following programs configured for a local
mailbox to send email using the “root” account.

Evolution or the excellent Mozilla Thunderbird can be used by using:

Applications > Internet > Email for Evolution or

Applications > Internet > Thunderbird Email for Thunderbird
 - Test SMTP connectivity from Exim to Exchange -
From the Exim box, open up a terminal and type:

telnet exch1.exch1.exch1.exch1 25 <enter>

to telnet to your exchange server on port 25 (SMTP)

NOTE:
Replace “exch1.exch1.exch1.exch1” with the IP Address or the
hostname of your exchange server

You should get a response similar to the following:

Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com
Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at
Thu, 10 Feb 2005 11:18:41 +0000

If it worked type:

quit <enter> to close the connection, then continue onto the next section.

If it didn't work:

Make sure both machines can see each other and are not being blocked by a
hardware or software firewall on either box.

If the firewall is running on the Exchange server, make sure the Mail (SMTP)
service on port 25 is open, and accessible to the Exim box.

NOTE:
If you are running a firewall that prevents Exim seeing the Exchange
servers you may need a firewall rule such as:

Allow:
exim.exim.exim.exim > exch1.exch1.exch1.exch1 : port 25 (SMTP)
 - Test SMTP connectivity from Exchange to Exim -
From the Exchange server, open up a DOS Prompt and type:

telnet exim.exim.exim.exim 25 <enter>

to telnet to your exim box on port 25 (SMTP)

NOTE:
Replace “exim.exim.exim.exim” with the IP Address or the
hostname of your Exim box

You should get a response similar to the following:

Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000

If it worked type:

quit <enter> to close the connection, then continue onto the next section.

If it didn't work:

Make sure both machines can see each other and are not being blocked by a
hardware or software firewall on either box.

If the firewall is running on the Exim box, make sure the Mail (SMTP) service on
port 25 is open.

Systems Settings > Security Level

NOTE:
For troubleshooting purposes only, typing the following in a terminal
will stop the IP Tables firewall if it is running.

service iptables stop <enter>

 - Test SMTP Relay from Exim to Exchange -
We will now create a message from the Exim server on the Exchange server
using exactly the same commands that an actual MTA such as Exim (Mail
Transfer Agent) would use. (Yes, helo is meant to be spelt with one “l” )

The commands we type are shown in yellow, and the server responses are
shown in blue.

telnet exch1.exch1.exch1.exch1 25 <enter>

Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com
Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at
Thu, 10 Feb 2005 11:18:41 +0000

helo senderdomain.com <enter>

250 senderdomain.com Hello [your ip address]

mail from: sendername@senderdomain.com <enter>

250 sendername@senderdomain.com....Sender Ok

rcpt to: recipientname@recipientdomain.com <enter>

250 recipientname@recipientdomain.com
 data <enter>

type your message <enter>

type a blank line <enter>

<type a single dot on its own line> < enter>

250 [Message-ID] Queued mail for delivery

quit <enter>

Hopefully your message will be accepted for relay and will arrive shortly.

COMMON ERRORS:

error 510
The domain name you specified as the senders domain does not exist.

error 503
The recipient was specified before the sender

error 550
Relay Denied

A “Relay Denied” message indicates that Exim is able to reach the SMTP
service running on Exchange, but is not allowed to relay messages. To correct
this change the relay permissions in Exchange:

Exchange System Manager > Administrative Groups > Servers >

Exchange Server > Protocols > SMTP > Default SMTP Virtual Server >
Right Click > Properties > Access.

Check your settings for each of the following then restart the SMTP service:

Authentication (anonymous connections may need to be enabled)

Connection (Exim's IP Address may need added or removed )
Relay (Exim's IP Address may need added or removed )
 - Test SMTP Relay from Exchange to Exim -
We will now create a message from the Exchange server on the Exim box using
exactly the same commands that an actual MTA such as Exim (Mail Transfer
Agent) would use. (helo is meant to be spelt with one “l” )

The commands we type are in yellow, the server responses are in blue.

telnet exim.exim.exim.exim 25 <enter>

Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000

helo senderdomain.com <enter>

220 exim-hostname ESMTP Exim 4.xx

250 exim-hostname Hello your-hostname [your ip address]

mail from: sendername@senderdomain.com <enter>

250 Ok

rcpt to: recipientname@recipientdomain.com <enter>

250 Accepted
 data <enter>

type your message <enter>

type a blank line <enter>

<type a single dot on its own line> < enter>

250 OK [Message-ID]

quit <enter>

221 exim-hostname closing connection

Hopefully your message will be accepted for relay and will arrive shortly.

COMMON ERRORS:

error 510
The domain name you specified as the senders domain does not exist.

error 503
The recipient was specified before the sender

error 550
Relay Denied

A “Relay Denied” message indicates that Exchange is able to reach the SMTP
service running on Exim, but is not allowed to relay messages. This means that
your default Exim config will not allow relay. We will replace this config in the
next section anyway.

Note:
Repeating this test on the Exim server, from the Exim server using
127.0.0.1 as the IP Address (the loop-back address), will prove that the
server is working, but relay permissions are denying remote connections.
 If you got this far, Congratulations!
If everything has worked so far, we have proved we have an ability to send
messages backwards and forwards between the two servers, allowing Exim to
act as a relay between the Internet and Exchange.

Depending on your previous experience, you may now know significantly more
about sending messages over SMTP than you did before.

You have probably also figured out how easy it is for “spammers” to automate
the generation of millions of messages Spam messages sent every day on
poorly configured hosts. Exim can be extended provide the basis of an
excellent Spam filtering solution when combined with SpamAssassin.

Most people will find the section we just completed on Network, Firewall, DMZ
and LAN configuration more difficult than any of the other tasks in this paper. It
should get easier from here.

Now the foundations are in place we will begin generating our own custom
configuration.
 - Breakdown of the new Exim configuration -
The new Exim config will consist of the following files, all located in /etc/exim

exim.conf The master config file

exim-local-settings.txt
exim-accept-from-this-list-of-ip-addresses.txt
exim-accept-for-this-list-of-domains.txt
exim-redirect-mail-for-this-list-of-users.txt
exim-deliver-mail-to-this-list-of-servers.txt
Custom settings for this host
Allowed IP's/Networks/Hosts
Allowed domains for relay
Accounts to be redirected
IP's of destination mail servers

This may seem very elaborate for most installations, but the aim of this tutorial
is to break everything down everything into small, bite-sized chunks that are as
self explanatory as possible.

- The Files -

/etc/exim/exim.conf
This will become our standard or “stock” config file that should never need
changing once the initial settings have been made. Get this file right and you
can drop it in every installation you make here on.

/etc/exim/exim-local-settings.txt
This file will contain any settings we want to make specific to this host. Later
this file can be used to add some of the more advanced configuration options

/etc/exim/exim-accept-from-this-list-of-ip-addresses.txt
This file is used in addition to firewall rules to determine which hosts or
networks are allowed to use the Exim Relay.

/etc/exim/exim-accept-for-this-list-of-domains.txt
This file is used to determine which domains are allowed to use the Exim Relay.

/etc/exim/exim-redirect-mail-for-this-list-of-users.txt
This file contains a list of email addresses to redirect, along with the e-mail
address to redirect to. Useful for example when an employee is unexpectedly
taken ill, or out of the office for a long period of time e.g. maternity leave.

/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt
This file contains the actual list of servers to deliver messages to for each
domain we relay for

We will start with the simple config files first then move on to an explanation of
the main exim.conf later.

NOTE:
IN EACH OF THE FOLLOWING EXAMPLES SUBSTITUTE THE
FICTIONALCOMPANY.COM INFORMATON WITH YOU OWN NAMES,
ADDRESSES AND DOMAINS.
 - exim-local-settings.txt -

NOTE:
In this example we will make the following local settings.

Messages sent without a domain name will be appended with:

fictionalcompany.com

We are also going to change the default SMTP banner to hide specific
version information from the casual observer. This is not foolproof but
makes us a less likely target from automated attacks.

We are also going to restrict this size of E-mails we will accept.

The 15Mb limit will most likely give us a “real-life” attachment size of
9-10Mb (as the MIME encoding used to send the E-mail adds a significant
increase in size to the original message).

The maximum number of SMTP connections has been reduced to 100 to

stop the server running out of memory should someone try and kill it by
making lots of incomplete connection attempts, draining resources.

# /etc/exim/exim-local-settings.txt

# avoid using the setting if possible

# exim will use machines hostname as default
# primary_hostname = exim.fictionalcompany.com

# if a message to be sent or received has no domain name after the

# “@” sign then use this domainname for the sender or recipient
qualify_domain = fictionalcompany.com
qualify_recipient = fictionalcompany.com

# Maximum message size AFTER encoding

message_size_limit = 15M

# Maximum number of incoming connections

smtp_accept_max = 100

# set smtp banner & hide version/type of mta from crackers

smtp_banner = fictionalcompany.com secure smtp server
 - exim-accept-from-this-list-of-ip-addresses.txt -
This file contains a list of IP Addresses and/or networks that Exim will accept
mail for (Fully qualified domain names can also be used in this file too).

NOTE:
lines beginning with a # (hash sign) are comments and are ignored.
Place your config on lines under comments, using tabs may improve
the readability of the file.

If you choose to edit these files using a Windows PC and find problems
with carriage returns at the end of each line, try using WinVI* or the
Edit facility in WinSCP** instead of using Windows notepad.

Putty*** is also worth a mention for Windows administrators.

# /etc/exim/exim-accept-from-this-list-of-ip-addresses.txt

# the local address of our server

127.0.0.1
exim.exim.exim.exim
# our internal network(s)
192.168.0.0/16
10.0.0.0/8
# our external network(s)
202.158.21.22/24
# our local firewall
fwall.fwall.fwall.fwall
# our local router
routr.routr.routr.routr
# exchange servers
exch1.exch1.exch1.exch1
exch2.exch2.exch2.exch2
# messagelabs servers
av1.av1.av1.av1
av2.av2.av2.av2
# a fully qualified hostname
mail.anothercompany.com

CIDR notation may be used in this file. For more info on CIDR notation see:
http://www.webopedia.com/TERM/C/CIDR.html

* WinVi http://www.winvi.de/en/
** WinSCP http://winscp.sourceforge.net
*** Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/
 - exim-accept-for-this-list-of-domains.txt -
List each domain we are going to relay for in this file.

# /etc/exim/exim-accept-for-this-list-of-domains.txt

domain1.com
domain2.com
domain3.com

Simple as that.
 - exim-redirect-mail-for-this-list-of-users.txt -
List the e-mail address we want to be redirected, and the e-mail address we
want to redirect it to.

# /etc/exim/exim-redirect-mail-for-this-list-of-users.txt

postmaster@domain1.com: it-manager@domain1.com

previous.employee@domain1.com: new.employee@domain1.com

vacancies@domain2.com: humanresources@domain1.com

maiden-name@domain3.com: married-name@domain3.com

joe-bloggs@uk-office.co.uk: joe-bloggs@us-office.com

no-spam-112233@domain1.co.uk: real-account@domain1.co.uk

Each entry is separated with a colon (:) and at least one space, followed by the
new address.

Using tabs will make this file more readable.

As a general rule:

● Use the Exim server to manage redirections to different mailboxes

● Use your Exchange server to manage multiple aliases of the same mailbox
 - exim-deliver-mail-to-this-list-of-servers.txt -
List the domains we want to deliver to, followed by the hostname or IP Address
of the server we want it delivered to.

# /etc/exim/exim-deliver-mail-to-this-list-of-servers.txt

# example by hostname
fictionalcompany.com: exchange.fictionalcompany.com

# example by ip address
domain1.com: exch1.exch1.exch1.exch1
domain2.com: exch2.exch2.exch2.exch2
domain3.com: exch3.exch3.exch3.exch3

# example of fallback servers for

# domain4.com where # 10.1.1.1 is
# the main server and 10.2.2.2 is
# the fallback server

domain4.com: 10.1.1.1:10.2.2.2

Each entry is separated with a colon (:) and at least one space.

Using tabs will make this file more readable.

As a general rule:

● Use IP Addresses instead of hostnames wherever possible

● Only list domains you wish to route internally here, if a match is found it is
acted on literally and delivered directly.
 - exim.conf -
This is the main configuration file used by Exim.

This is a basic version with no local or 3rd party Mail Scanning.

# /etc/exim/exim.conf

############# INITIAL SETTINGS ######################

# set some defaults values and read in config files #
#####################################################

.include /etc/exim/exim-local-settings.txt

domainlist relay_to_domains = /etc/exim/exim-accept-for-this-

list-of-domains.txt

hostlist relay_from_hosts = /etc/exim/exim-accept-from-this-

list-of-ip-addresses.txt

domainlist local_domains =
acl_smtp_rcpt = acl_check_rcpt

never_users = root

############# ACCEPT SETTINGS #######################

# set rules for accepting messages here #
#####################################################
begin acl

acl_check_rcpt:

accept hosts = :
deny local_parts = ^.*[@%!/|] : ^\\.

accept local_parts = postmaster

domains = +local_domains

accept domains = +relay_to_domains

endpass
message = relay not permitted at this server
verify = recipient

accept hosts = +relay_from_hosts

deny message = relay not permitted at this server

############# ROUTER SETTINGS #######################
# set rules for selecting a transport #
#####################################################
begin routers

redirect:
driver = redirect
data = ${lookup{$local_part@$domain}
lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users.txt}}

internal:
driver = manualroute
domains = +relay_to_domains
transport = remote_smtp
route_data = ${lookup{$domain}partial-lsearch
{/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt}}

external:
driver = dnslookup
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

############# TRANSPORT SETTINGS ####################

# set rules for delivery transports #
#####################################################
begin transports

remote_smtp:
driver = smtp

We will break the file down into more manageable sections over the next few
pages:
 Section #1 of exim.conf – Initial Settings

# /etc/exim/exim.conf

############# INITIAL SETTINGS ######################

# set some defaults values and read in config files #
#####################################################

.include /etc/exim/exim-local-settings.txt

domainlist relay_to_domains = /etc/exim/exim-accept-for-this-

list-of-domains.txt

hostlist relay_from_hosts = /etc/exim/exim-accept-from-this-

list-of-ip-addresses.txt

domainlist local_domains =

acl_smtp_rcpt = acl_check_rcpt

never_users = root

Section #1 is used to:

Read in the configuration stored in

/etc/exim/exim-local-settings.txt

Read in the list of allowed domains in

/etc/exim/exim-accept-for-this-list-of-domains.txt

Read in the list of allowed hosts in

/etc/exim/exim-accept-from-this-list-of-ip-addresses.txt

We don't have any local domains so this is set but left empty
(local meaning a mailbox actually held and stored on the Exim server)
domainlist local_domains =

The default name for the access control list is “acl_check_rcpt”

acl_smtp_rcpt = acl_check_rcpt

For security exim must never run as the “root” user.

never_users = root
 Section #2 of exim.conf – Accept Settings
############# ACCEPT SETTINGS #######################
# set rules for accepting messages here #
#####################################################
begin acl

acl_check_rcpt:

accept hosts = :

deny local_parts = ^.*[@%!/|] : ^\\.

accept local_parts = postmaster

domains = +local_domains

accept domains = +relay_to_domains

endpass
message = relay not permitted at this server
verify = recipient

accept hosts = +relay_from_hosts

deny message = relay not permitted at this server

Accept mail E-mails created locally (empty sender).

accept hosts = :

Do not accept mail with *possibly* dangerous characters.

deny local_parts = ^.*[@%!/|] : ^\\.

Accept anything for the postmaster at local domains.

accept local_parts = postmaster
domains = +local_domains

Accept messages addressed to domains we are a relay for, or reply with an

error 550 “relay not permitted at this server” message.
accept domains = +relay_to_domains
endpass
message = relay not permitted at this server
verify = recipient

Accept messages from allowed IP Addresses.

accept hosts = +relay_from_hosts

Otherwise reply with an error 550 “relay not permitted at this server”
message. If not explicitly accepted by any other section, deny for relay.
deny message = relay not permitted at this server
 Section #3 of exim.conf – Router Settings

############# ROUTER SETTINGS #######################

# set rules for selecting a transport #
#####################################################
begin routers

redirect:
driver = redirect
data = ${lookup{$local_part@$domain}
lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users.txt}}

internal:
driver = manualroute
domains = +relay_to_domains
transport = remote_smtp
route_data = ${lookup{$domain}partial-lsearch
{/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt}}

external:
driver = dnslookup
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

The REDIRECT mail router

Process all of our user redirections, as listed in the file:

/etc/exim/exim-redirect-mail-for-this-list-of-users.txt
redirect:
driver = redirect
data = ${lookup{$local_part@$domain}
lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users.txt}}

The INTERNAL mail router

Process all of our internal deliveries , as listed in the file:

/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt
internal:
driver = manualroute
transport = remote_smtp
route_data = ${lookup{$domain}partial-lsearch
{/etc/exim/exim-deliver-mail-to-this-list-of-servers.txt}}
The EXTERNAL mail router
Process all of our external deliveries.

Two possible external routers are shown.

The first via normal, straight delivery via MX records, and the second via a
third party scanning service or appliance such as MessageLabs or
SurfControl RiskFilter.

NOTE:
You may only use one of the EXTERNAL routers shown below.

Option 1: straight delivery via MX records

external:
driver = dnslookup
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

Option 2: third party scanning service

external:
driver = manualroute
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
route_list = * mail19.messagelabs.com
no_more
 Section #4 of exim.conf – Transport Settings

############# TRANSPORT SETTINGS ####################

# set rules for delivery transports #
#####################################################
begin transports

remote_smtp:
driver = smtp

We only have one transport defined here, remote smtp.

remote_smtp:
driver = smtp
 - Create our new config -
Now you understand how the contents of our Exim configuration we can start
to build our own.

Using the previous pages as an example, create your new config by editing or
creating all of the following files, replacing the FictionalCompany.com details
with your own.

You may want to get the following details ready before creating the
new config:

Exim Server IP Address : . . .

Exchange Server IP Address : . . .

Firewall IP Address : . . .

Router IP Address : . . .

Our local network(s) : . . . /

: . . . /
: . . . /
: . . . /
: . . . /
: . . . /

Our external network(s) : . . . /

: . . . /
: . . . /
: . . . /
: . . . /
: . . . /

Scanning Appliances (optional) : . . .

: . . .
: . . .

Scanning Services (optional) : . . . /

: . . . /
: . . . /
 - Option 1: Straight delivery via MX records -
NOTE:
Be sure to include the correct section for your “external” router in
/etc/exim/exim.conf.

Your new Exim config will consist of the following files, all located in /etc/exim

exim.conf The master config file

exim-local-settings.txt
exim-accept-from-this-list-of-ip-addresses.txt
exim-accept-for-this-list-of-domains.txt
exim-redirect-mail-for-this-list-of-users.txt
exim-deliver-mail-to-this-list-of-servers.txt
Custom settings for this host
Allowed IP's/Networks/Hosts
Allowed domains for relay
Accounts to be redirected
IP's of destination mail servers

Once you have created your new config, reboot and we will test it.

---

We repeat the tests we performed earlier before committing our changes.

● Test SMTP relay from Exim to Exchange

● Test SMTP relay from Exchange to Exim

If everything works correctly we can make Exim the default “smarthost” for all
outbound mail sent from Outlook and Exchange.

NOTE:
From this point we move from testing to going live, some users may be
more comfortable performing the next steps out of hours or during
weekends.

The “smarthost” facility in Exchange can be set from:

Exchange System Manager > Administrative Groups > Servers >

Exchange Server > Protocols > SMTP > Default SMTP Virtual Server >
Right Click > Properties > Delivery > Advanced > Smart Host.

The Smarthost would normally be entered as an IP address rather than as a

hostname.

Exchange requires you to put square brackets around the IP address if you
intend to use the IP literally e.g [192.168.1.1]

The Default SMTP Virtual Server will need to be restarted for this to take effect.
If everything works correctly after the SMTP Virtual Server restart we will have
proved that Outbound mail is being processed correctly by Exim.

The only thing left to do is to make Exim the default server for Inbound mail by
making changes on your firewall, or by asking your ISP to add or modify your
DNS records to set your new Exim SMTP as the lowest priority server for
inbound e-mail.
(Lowest priority has the highest preference on MX records).

Now when mail is delivered to your domain the MX record should point at Exim
not Exchange, hence Exim will receive the mail not Exchange.

In practice you could either:

● Change your one-to-one NAT settings to point at Exim instead of Exchange

(Requires changes to your NAT settings on the main firewall).

● Put Exim on it's own IP Address in the DMZ and change your MX records.
(Requires changes to the DNS records held by your ISP)

● Replace Exchange by putting Exim on Exchanges old IP Address in the DMZ

and use a new IP Address for Exchange on your LAN.
(Requires changing your Exchange servers IP Address and updating your
users mail client and the IP Address that the name of the Exchange server
resolves to)

Some of these changes may require you to modify settings on your main
firewall.

Some of these changes may require you to modify the DNS settings for your
domain.

DNS changes can take between 24-48 hours to propagate and may be best
done over a weekend.
 - Option 2: Third party scanning -
NOTE:
Be sure to include the correct section for your “external” router in
/etc/exim/exim.conf.

The following line should be adjusted to reflect your scanning service or

appliance.

e.g
route_list = * mail19.messagelabs.com

would become
route_list = * av1.av1.av1.av1

(Remember to replace “av1.av1.av1.av1.av1” with the actual IP Address

of your mail scanning service or appliance)

Your new Exim config will consist of the following files, all located in /etc/exim

exim.conf The master config file

exim-local-settings
exim-accept-from-this-list-of-ip-addresses
exim-accept-for-this-list-of-domains
exim-redirect-mail-for-this-list-of-users
exim-deliver-mail-to-this-list-of-servers
Custom settings for this host
Allowed IP's/Networks/Hosts
Allowed domains for relay
Accounts to be redirected
IP's of destination mail servers

Once you have created your new config, reboot and we will test it.

---

We repeat the tests we performed earlier before committing our changes.

● Test SMTP relay from Exim to Exchange

● Test SMTP relay from Exchange to Exim

Additionally in this config we need to:

● Test SMTP relay from Exim to your Scanning Service or Appliance

● Test SMTP relay from your Scanning Service or Appliance to Exim
If everything works correctly we can make Exim the default “smarthost” for all
outbound mail sent from Outlook and Exchange.

NOTE:
From this point we move from testing to going live, some users may be
more comfortable performing the next steps out of hours or during
weekends.

The “smarthost” facility in Exchange can be set from:

Exchange System Manager > Administrative Groups > Servers >

Exchange Server > Protocols > SMTP > Default SMTP Virtual Server >
Right Click > Properties > Delivery > Advanced > Smart Host.

The Smarthost would normally be entered as an IP address rather than as a

hostname.

Exchange requires you to put square brackets around the IP address if you
intend to use the IP literally e.g [192.168.1.1]

The Default SMTP Virtual Server will need to be restarted for this to take effect.

If everything works correctly after the SMTP Virtual Server restart we will have
proved that Outbound mail is being processed correctly by Exim.

The only thing left to do is to make Exim (or you mail scanning service or
appliance) the default server for Inbound mail by making changes on your
firewall, or by asking your ISP to add or modify your MX records to set your
lowest priority server for inbound e-mail.
(Lowest priority has the highest preference on MX records).

Now when mail is delivered to your domain the MX record should point at Exim
(or your mail scanning service or appliance) not Exchange, hence Exim will
receive the mail before Exchange.

In practice you could either:

● Change your one-to-one NAT settings to point at Exim instead of Exchange

(Requires changes to your NAT settings on the main firewall).

● Put Exim on it's own IP Address in the DMZ and change your MX records.
(Requires changes to the DNS records held by your ISP)

● Replace Exchange by putting Exim on Exchanges old IP Address in the DMZ

and use a new IP Address for Exchange on your LAN.
(Requires changing your Exchange servers IP Address and updating your
users mail client and the IP Address that the name of the Exchange server
resolves to)
Some of these changes may require you to modify settings on your main
firewall.

Some of these changes may require you to modify the DNS settings for your
domain.

DNS changes can take between 24-48 hours to propagate and may be best
done over a weekend.
 - Going live -
Eximon can be used to view all inbound and outbound mail on the queue.

---

The following commands are also useful for monitoring the queue and can be
used remotely over SSH (or putty on a Windows PC).

exim -bp <enter>

exim -bp | exiqsumm <enter>

Additionally you can test how Exim will handle individual addresses by using
the -bt option.

For example to see how Exim would handle a message to

username@fictionalcompany.com you would type:

exim -bt username@fictionalcompany.com <enter>

Giving a reply such as:

username@fictionalcompany.com
router = external, transport = remote_smtp
host mail19.messagelabs.com [193.109.254.3]
host mail19.messagelabs.com [212.125.75.19]

NOTE:

Once Exim has replaced Exchange as the SMTP gateway for your
network, Exchange can be pulled back onto the LAN (if it wasn't
already) where it can benefit from the same security as your
other private servers.
 - Troubleshooting -
If you have any problems once your Exim SMTP Relay is in place check the
following:

● DNS & Host records held by your ISP

● DNS settings and Host files on the local server

● Access rules on your main network firewall.

● Access rules on your operating system.

● Access control and relay settings on your mail servers

● Exim Config files

Then check the Exim FAQ located at:

www.exim.org

Then check the Exim mailing lists at:

www.exim.org

For general questions about this tutorial (not specific errors, they belong on the
mailing list), feel free to contact me with as much info as possible on:

jason@exim-new-users.co.uk

I will answer as many questions as time allows, but please be patient as my

day-to-day job takes priority over any Exim related questions.

For further information please visit my website at:

www.exim-new-users.co.uk

To date this paper has been downloaded over 10,000 times however I have
only ever received 15-20 emails about it. If you find the paper useful please
send me an email to tell me where you are using your new server.
(It really does make all of the long nights and weekends working on papers like
this worthwhile and I genuinely want to hear your feedback about the paper,
good or bad)

Thanks, Jason
 - Common Mistakes and How to Avoid Them -
Sendmail and Exim

On many systems Exim *pretends* to be Sendmail hence:

/etc/sysconfig/exim should be /etc/sysconfig/sendmail

service exim restart should be service sendmail restart

Sendmail Updates overwrite Exim

Sometimes a Sendmail update will overwrite and Exim binary *pretending* to

be Sendmail. I had to use the following script each time we ran RedHat Update
on RHEL 2&3, to ensure Exim always replaced any updated Sendmail binaries.

up2date -uf

mv /usr/sbin/sendmail /usr/sbin/sendmail.old
chmod 0600 /usr/sbin/sendmail.old
ln -s /usr/exim/bin/exim /usr/sbin/sendmail

File Locations

In our examples Exim is always installed in:

/usr/sbin for the executable binary files and

/etc/exim for the configuration

However you may also find the following directories used:

/usr/exim/bin (binaries when complied from source)

/user/exim (config when complied from source)
/etc/exim4 (config under debian based distros e.g. ubuntu)

Config files

● Upper case and lower case are important

● Check the presence of colons (:) in the config files

● Get dots and @ signs the correct way round.

(I wasted a full day wondering what was wrong with my config)

e.g
exim@fictionalcompany.com should have been
exim.fictionalcompany.com if it represents a hostname
 - Monitoring queues with Eximstate -

Eximstate is a fantastic tool that we use to report back to one central console.

An example is shown below:

We use this along with Apache to monitor every site from a single webpage.

For more information visit:

http://www.olliecook.net/projects/eximstate/
 - Monitoring messages with Exilog -

Exilog is another great tool for viewing or searching all messages that pass
through your server.

An example is shown below.

For more information visit:

http://duncanthrax.net/exilog/
 - Future versions of this paper -
This paper was originally written between 2004 and 2005 for the
First International Exim Conference and Tutorial held between the 23 &
24 February 2005.

http://www.uit.co.uk/exim-conference/

The paper has been used extensively as a reference guide for creating Exim
“mail-hubs” or “smarthosts” for Exchange servers, however I have been
pleasantly surprised by the number of people who have adapted the paper for
other types of situations that don't involve Exchange at all.

All current versions of this paper will be keep with their original filenames:

http://www.exim-new-
users.co.uk/Integrating_Exim_with_Exchange_Tutorial_v.1.0.pdf

http://www.exim-new-
users.co.uk/Integrating_Exim_with_Exchange_Tutorial_v.1.1.pdf

http://www.exim-new-
users.co.uk/Integrating_Exim_with_Exchange_Tutorial_v.1.2.pdf

http://www.uit.co.uk/exim-conference/full-papers/jason-meers.pdf

All future versions will be hosted at my website:

http://www.exim-new-users.co.uk

I intend to keep the Exchange versions of this paper updated as and when
when required, however I would also like to create new, more generic papers
based on this one that are non-exchange specific and have more user-friendly
and search-friendly titles such as:

HOWTO-build-a-small-exim-mail-server
HOWTO-build-an-exim-mail-hub

Future versions may also be included with the actual configuration files in RPM
format to make things even easier. Please contact me if you would be
interested in testing and trying these updated version prior to release.
 - My Book -
I am currently writing a beginners guide to Exim which is due to be published
by UIT Cambridge in 2007. Please check back on their site in mid 2007 if you
would be interested in purchasing a copy of my book:

http://www.uit.co.uk/bookshop.htm

- Further reading & references -

Suggested further reading for extending the functionality of Exim with LDAP,
Virus and Spam Filtering Capabilities.

Books

The Exim SMTP Mail Server

Official Guide for Release 4
UIT Cambridge
Philip Hazel

Practical TCP/IP
UIT Cambridge
Niall Mansfield

LDAP System Administration

O'Reilly
Gerald Carter

SpamAssasin
O'Reilly
Alan Schwartz

Websites

Exim www.exim.org

Exim-new-users www.exim-new-users.co.uk

MailScanner www.mailscanner.info

Clam-AV www.clamav.net

SpamAssassin http://spamassassin.apache.org
References

The official Exim reference has been used extensively.

Many other useful pieces of information were also gleaned from:

securityfocus.net

and the SANS institute, in particular the following documents:

Security Issues For Exchange 2000 Outlook Web Access

Implementation
http://www.sans.org/rr/whitepapers/windows/975.php

Securing Web Based Corporate E-Mail Using Microsoft Exchange

Outlook Web Access
http://www.sans.org/rr/whitepapers/email/575.php

Exchange 2000 Security an Overview

http://www.sans.org/rr/whitepapers/email/1360.php

Securing Web Based Corporate E-Mail Using Microsoft Exchange

Outlook Web Access
http://www.sans.org/rr/whitepapers/email/575.php
 - Thanks -
Thanks firstly to Philip Hazel and the University of Cambridge for giving Exim to
the Open Source Community.

- Copyright -
All trademarks used in this document are the property of their respective
owners.

- Licence -
This document is released under the CreativeCommons Attribution-
ShareAlike 2.0 licence.

Attribution-ShareAlike 2.0
You are free:
● to copy, distribute, display, and perform the work
● to make derivative works
● to make commercial use of the work

Under the following conditions:

Attribution. You must give the original author

credit.

Share Alike. If you alter, transform, or build upon

this work, you may distribute the resulting work
only under a license identical to this one.
● For any reuse or distribution, you must make clear to others the license
terms of this work.
● Any of these conditions can be waived if you get permission from the
copyright holder.

Your fair use and other rights are in no way affected by the above.
This is a human-readable summary of the Legal Code (the full license).
Disclaimer
 - Liability -
The author accepts no liability for any damage or loss caused by the use of
information contained in this document. While every effort has been made in
the creation of this document, the author does not guarantee the accuracy of
any of the information contained in this document. It is the readers
responsibility to decide for themselves if the information contained is accurate
when deciding to follow the tutorial.

A test system that does not contain any important information or

correspondence is recommended for following this tutorial.

The author also recommends that anyone wishing to follow the tutorial should
purchase a new, separate domain name for the purpose of testing to ensure no
business critical systems are affected.