Debian 7: Setting up production Exim MTA as an e-mail service provider
My knowledge about Exim exclusevily comes from the excellent Official Guide to Exim by Exim’s author, Philip Hazel. Email servers are very complex.
How to install Exim
apt-get install exim4
By default, this installs the package exim4-daemon-light, which does not have advanced capabilities compiled in. Since we want to do spam filtering, we need to install exim4-daemon-heavy:
apt-get install exim4-daemon-heavy
This will remove exim4-daemon-light automatically.
We have to enable Exim for internet communications, since the default is only localhost communications. In /etc/exim4/update-exim4.conf.conf change the line dc_eximconfig_configtype='local' to dc_eximconfig_configtype='internet'
Enter the domains you want to receive emails for:
dc_other_hostnames='mydomain.com'
Make Exim listen on all interfaces by emptying the following config line:
dc_local_interfaces=''
Enable TLS for Exim by running the script
/usr/share/doc/exim4-base/examples/exim-gencert
… and add the following line somewhere at the top of Exim’s configuration template file /etc/exim4/exim4.conf.template.
MAIN_TLS_ENABLE=yes
Every time you modify /etc/exim4/exim4.conf.template, you have to run update-exim4.conf and do service exim4 restart.
Next, we will install and configure Spamassassin for Exim. Luckily, it is a Debian package.
Spam Assassin
Installation
You can find instructions in this Debian Wiki https://wiki.debian.org/Exim, but you will find all commands here for convenience.
apt-get install spamassassin
This starts a daemon called spamd automatically. However, it is disabled by default. Enable it by changing the following line in /etc/default/spamassassin:
ENABLED=1
Debian-specific modification: In the same file, change this line
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
to this:
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -u debian-spamd"
This instructs the spamd daemon to run as the user debian-spamd which is created when you install spamassassin. Its home directory is /var/lib/spamassassin. I had to do this because the following error messages was regularly logged into /var/log/syslog:
config: cannot create user preferences file /nonexistent/.spamassassin/user_prefs: No such file or directory
spamd: failed to create readable default_prefs: /nonexistent/.spamassassin/user_prefs
spamd: failed to create readable default_prefs: /var/spool/exim4/.spamassassin/user_prefs
Also, enable the cronjob to automatically update spamassassin’s rules:
CRON=1
The conjob file in question is /etc/cron.daily/spamassassin which in turn calls sa-update.
Next, you can configure the behavior of spamassassin in the config file /etc/spamassassin/local.cf. Especially the entries rewrite_header and required_score are interesting, but later we will configure Exim to do these jobs for us directly.
Restart the daemon to make the changes effective:
service spamassassin restart
Integration into Exim
All of following modifications have to take place in /etc/exim4/exim4.conf.template.
Now we have to enable spamd in Exim’s configuration file. Search for the line containing spamd_address and uncomment it like this:
spamd_address = 127.0.0.1 783
It is a good idea to add special headers to each processed email which specify the spam score. The configuration is already there, we just have to uncomment it (see also official documentation of this here):
warn
spam = debian-spamd:true
add_header = X-Spam_score: $spam_score\\n\\
X-Spam_score_int: $spam_score_int\\n\\
X-Spam_bar: $spam_bar\\n\\
X-Spam_report: $spam_report
Note that I have replaced spam = Debian-exim:true with spam = debian-spamd:true to match the user of the spamd daemon. If you want to know what the :true part means, study this section of the official Exim documentation.
At this point, emails which are definitely spam will still be delivered. This is not good, since when a mail client of one of your customers should be compromised, it could send thousands of spam emails per day, which still would cause your server and IP to be blacklisted. If you want to bounce emails that are over a certain spam point threshold, add the following lines directly below. In this case, the threshold is 12.0 (but you have to enter it without the comma):
deny
message = This message scored $spam_score spam points.
spam = debian-spamd
condition = ${if >{$spam_score_int}{120}{1}{0}}
Generate the real Exim4 configuration from /etc/exim4/exim4.conf.template that we’ve just edited by running
update-exim4.conf
service exim4 restart
Test
Now, let’s test if our spamassassin setup was successful. Send an email to your Exim server that contains the following line. This code is taken from Spamassassin’s GTUBE (the Generic Test for Unsolicited Bulk Email):
XJS\*C4JDBQADN1.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C.34X
The email should bounce back immediately and contain the message that we’ve entered above:
SMTP error from remote server after transfer of mail text:
host: mail.myserver.com
This message scored 1000.0 spam points.
Now, send yourself a normal email. After you have received it, in your mail client (I’m using Icedove) inspect the mail source by pressing Ctrl + U. It should contain the following special header lines:
X-Spam_score: 2.7
X-Spam_score_int: 27
X-Spam_bar: ++
X-Spam_report: snip
So far, so good.
Greylisting
Next, let’s set up Greylisting, another spam defense measure. The tool of my choice was greylistd because Debian has its own package greylistd.
Installation
apt-get install greylistd
You will be shown a configuration notice, instructing you how to enable greylistd in the Exim configuration. The following will show you what to do.
Integration into Exim
greylistd-setup-exim4 add
As far as I could determine, this automatically adds some lines in the already existing Exim configuration templates exim4.conf.template and inside of the directory /etc/exim4/conf.d. It adds it right after acl_check_rcpt:.
At this point, greylistd is already running. In case you want to restart the service, run
service greylist restart
Of course, we have to restart Exim again so that our new configuration becomes active:
update-exim4.conf
service exim4 restart
Test
Observe the contents of the Exim log file
tail -f /var/log/exim4/mainlog
and send yourself a regular email. You will see a line in the logfile similar to this:
F=<from@email.com> temporarily rejected RCPT <to@email.com>: greylisted.
When it says “temporarily rejected RCPT” and “greylisted” it means that greylistd is working.
Anti-Malware and Anti-Virus
As an email provider you certainly want to have some anti-malware and anti-virus measures in place. My choice was ClamAV, since it’s part of Debian and rather easy to integrate with Exim. The following instructions are loosely based on the Ubuntu Wiki EximClamAV, but it contains one step too much which seems to be no longer necessary (the part about creating a new file). In any case, here are my working steps.
Installation
First, install the daemon:
apt-get install clamav-daemon
It will output the following failures, but don’t worry, they are harmless:
[FAIL] Clamav signatures not found in /var/lib/clamav ... failed!
[FAIL] Please retrieve them using freshclam ... failed!
[FAIL] Then run '/etc/init.d/clamav-daemon start' ... failed!
To get rid of the messages, you have to run
freshclam
This command updates your virus databases from the internet. You should create a cron job to run it regularly. Now you are able to restart the daemon without failure messages:
service clamav-daemon restart
Next, add the clamav daemon user to the Debian-exim group, so that it can access the spool files:
usermod -a -G Debian-exim clamav
Integration into Exim
Locate the line in /etc/exim4/exim4.conf.template which contains av_scanner, un-comment it, and change it to the following (as the Ubuntu Wiki correctly says, the default value does not work):
av_scanner = clamd:/var/run/clamav/clamd.ctl
Next, un-comment the following lines in /etc/exim4/exim4.conf.template (this is where the Ubuntu Wiki says that you should create a new file, but it’s already there):
deny
malware = \*
message = This message was detected as possible malware ($malware_name).
As we have done before, we have to restart Exim so that our new configuration becomes active:
update-exim4.conf
service exim4 restart
Test
There is a special string that you can use to test Anti-Malware programs. It is taken from the eicar website. At the bottom of the linked page you will find it:
X5O!P%@AP\[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H\*
Send an email to Exim which contains this string in a separate line. It should bounce immediately. The bounced message will contain:
SMTP error from remote server after transfer of mail text:
host: mail.myserver.com
This message was detected as possible malware (Eicar-Test-Signature).
When you get this, ClamAV is working correctly.
Setting up Exim with DKIM (DomainKeys Identified Mail)
Google Mail suggests using DKIM for ISP providers. When you are signing outgoing messages with DKIM, you are reducing the chance that Google thinks you are a spammer. See also Google’s Bulk Senders Guideline as to how Google judges the Anti-Spam qualities of your mails. DKIM is not a strong Anti-Spam indicator, it only ensures (due to private/public key encryption) that an email was actually sent from the server it claims it was sent. Anyhow, here is how to do it (based on the articles here and here):
Generate a private key with openssl:
cd /etc/exim4
openssl genrsa -out dkim.private.key 1024
Extract the public key:
openssl rsa -in dkim.private.key -out dkim.public.key -pubout -outform PEM
Change permissions and ownership to make it readable for Exim and for security reasons:
chmod 640 dkim.p*
chown root:Debian-exim dkim.p*
Next add the following to exim4.conf.template (or to your split-configuration files if you use that method), right before the line remote_smtp:
DKIM_DOMAIN = yourdomain.com
DKIM_SELECTOR = exim
DKIM_PRIVATE_KEY = CONFDIR/dkim.private.key
DKIM_CANON = relaxed
DKIM_STRICT = true
More information about these parameters see this section of the official Exim documentation.
Update the configuration and restart Exim:
update-exim4.conf
service exim4 restart
Now send a test email to some address (e.g. free mail provider) which is not handled by your email server and inspect the sources of the received email. It should contain a line DKIM-Signature . To avoid confusion: If you are sending an email to yourself, which is received by the same server which you are configuring, no DKIM Signature is added (since not necessary).
Next, you have to add the DKIM public key as a TXT “selector record” to the DNS zone of yourdomain.com. For DKIM_DOMAIN and DKIM_SELECTOR you have specified above, you have to add the following entry:
TXT | exim._domainkey | v=DKIM1; k=rsa; p=MIGfMA...;
where p= gives the public key from /etc/exim4/dkim.public.key without headers and without line breaks.
You also should add a “DKIM policy record” for the subdomain _domainkey to state that all emails must be signed with DKIM. Otherwise, DKIM could simply be omitted by a spoofer without consequences. Again, this is a simple TXT entry in the DNS:
TXT | _domainkey | o=~;
You can use this tester to check the policy record: http://domainkeys.sourceforge.net/policycheck.html
However, this “o” policy record does not seem to be documented in any RFC (I found it on various blog posts), and it is superseded by RFC5617 (DKIM ADSP Author Domain Signing Practices). For ADSP you would have to add:
TXT | _adsp._domainkey | dkim=all
Similar in function to ADSP seems to be DMARC. I’ll write about this in a future blog post.
For details on DKIM see: RFC specification
Test
Now check if your zone records have been saved and are effective:
dig TXT exim._domainkey.yourdomain.com
It should output the contents of the TXT zone entry which you’ve made above. If you can see them, send an email to the excellent SMTP tester email check-auth@verifier.port25.com
If it responds with
DKIM check: pass
Then the DKIM set-up was successful.
Additional Anti-Spam measures
A characteristic behavior of malicious Spam senders is that they send a Spam Flood (as many messages as possible in the least time possible). If possible, they will send many messages in just one SMTP connection (i.e. several MAIL commands in one session). If that happens, you will be blacklisted very soon, and with tens of thousands of sent spam emails, it will be very difficult to re-gain a good reputation in the eyes of email providers like Google or Yahoo. Legitimate human senders however will only send a few single messages, one message per SMTP connection, and it will take them at least 10 seconds to write a short email. So, we can rate-limit the submission of messages, having a big impact on spammers, but little impact on legitimate human senders. Exim has a rate-limiting feature, but I decided for an easier, more robust, low-level approach using the iptables firewall.
First, we will configure Exim to just allow one MAIL command per SMTP session. From the Exim Main Configuration Documentation, we can write somewhere in /etc/exim4/exim4.conf.template
smtp_accept_max_per_connection = 1
Next, we are going to limit the number of parallel SMTP connections per sending host to 1:
smtp_accept_max_per_host = 1
And we will limit the maximum SMTP connections which Exim will allow. You can set this to the approximate number of clients you have, plus a margin:
smtp_accept_max = 100
Now that we know that there only can be 1 message per SMTP connection, we limit the SMTP connection frequency in our firewall:
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 -j DROP
This will limit incoming SMTP connections to 6 in 1 minute, which is one connection per 10 seconds in average - enough for private or business emails, not enough for spammers.
SMTP banner delay
(inspiration from here and here) Exim drops the connection if a SMTP client attempts to send something before the SMTP banner is displayed. This is a spam protection built directly into Exim:
SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection
To further slow down spam, we simply delay this banner. Somewhere at the beginning of the Exim config file, write:
acl_smtp_connect = acl_check_connect
In layman’s terms, this tells Exim which ACL to execute when a connection is initiated. Then, after begin acl add this:
acl_check_connect:
accept
delay = 10s
You can test this by telneting to your server. The banner should appear only after 10 seconds.
More Anti Spam measures
https://github.com/Exim/exim/wiki/BlockCracking (not tested)
Conclusion
If you have succeeded so far, test your new Exim installation with the great tool at:
http://www.allaboutspam.com/email-server-test/
Exim is a very complex program (the most complex one I’ve encountered so far) and you can go very, very deep studying it. The complexity seems to stem from the complexity of the email delivery process itself. Despite that fact, this tutorial enables you to set up Exim with Anti-Malware and Anti-Spam measures in less than 1 hour. It is by no means exhaustive, but it at least bounces Spam emails above a certain threshold which is the most important thing when you don’t want your server and IP address to be blacklisted all over the internet. It also adds value to your customers when you are operating Exim as a business.
But: Anyone who would like to operate Exim for customers - would like to be a professional email hosting company - should think twice if it’s really worth it. Things do go wrong all the time, and if you don’t have a deep knowledge about what exactly to do in case of an technical or security-relevant incident - immediately, right there and then - you could upset all your customers pretty quickly. So, my advice would be: “hands-off” unless you know what you are doing.
Follow up:
Exim and Spamassassin: Rewriting Subject lines, adding SPAM and Score