Exim Configuration for Workstations

From Nearline Storage

This configuration is for a Linux (Fedora 24) workstation that has no public internet address and sends its mail through the SMTP gateway on my mail.daveking.com mail server. To do this, the workstation must masquerade as a host in an existing domain on the internet.

The SMTP gateway checks sending e-mail addresses to ensure that they are valid, so the sending addresses used on the workstation must be defined as real mail addresses within the sending domain, i.e. (in my case) they must be defined in the "forwardings" table in the mail database on the server.

To configure exim on the workstation:

  1. Install the exim and system-switch-mail packages.
  2. Patch /etc/exim/exim.conf with the patch below. Note that the SMTP mail server userid and password are set in the last block of the patch and must be edited before applying it. Also note that my domain (daveking.com) and hostname (localhost.localdomain) are used in the patch and need to be changed to match your own.
  3. Start the exim service and set it to start at boot.
  4. Run “system-switch-mail” as root to set exim as the MTA.
  5. Modify the /etc/aliases file to define an alias for the root user and run the “newaliases” command as root.

--- exim.conf.orig	2018-03-14 04:26:24.000000000 -0400
+++ exim.conf	2019-11-08 08:03:50.544107149 -0500
@@ -40,7 +40,6 @@
 ######################################################################
 #                    MAIN CONFIGURATION SETTINGS                     #
 ######################################################################
-#
 
 # Specify your host's canonical name here. This should normally be the fully
 # qualified "official" name of your host. If this option is not set, the
@@ -123,7 +122,7 @@
 # of what to set for other virus scanners. The second modification is in the
 # acl_check_data access control list (see below).
 
-av_scanner = clamd:/var/run/clamd.exim/clamd.sock
+#av_scanner = clamd:/var/run/clamd.exim/clamd.sock
 
 
 # For spam scanning, there is a similar option that defines the interface to
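Review bot: with av_scanner commented out, any `malware =` condition still active in acl_check_data will error rather than silently skip scanning, because Exim refuses a malware condition when no scanner is configured; confirm the ACL has no active malware or spam conditions, or disable them in the same change.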
@@ -155,9 +154,6 @@
 tls_certificate = /etc/pki/tls/certs/exim.pem
 tls_privatekey = /etc/pki/tls/private/exim.pem
 
-# For OpenSSL, prefer EC- over RSA-authenticated ciphers
-# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
-
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
 # case these users need to send email from a network that blocks port 25.
@@ -180,7 +176,7 @@
 # unqualified addresses from remote sources. If this option is not set, the
 # primary_hostname value is used for qualification.
 
-# qualify_domain =
+qualify_domain = daveking.com
 
 
 # If you want unqualified recipient addresses to be qualified with a different
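Review bot: `qualify_domain = daveking.com` means every unqualified local sender (root, cron jobs, any local account) reaches the gateway as user@daveking.com, and the page says the gateway rejects senders that are not in the forwardings table. Make sure each such account has a forwarding entry or an /etc/aliases mapping to one, otherwise local notifications will be rejected rather than delivered.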
@@ -216,7 +212,7 @@
 # as if it were a normal user. This isn't usually a problem, as most sites have
 # an alias for root that redirects such mail to a human administrator.
 
-never_users = root
+# never_users = root
 
 
 # The setting below causes Exim to do a reverse DNS lookup on all incoming
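Review bot: commenting out `never_users = root` removes the guard that stops Exim from running a delivery process as root; it has nothing to do with whether root may send mail, which the root alias in step 5 takes care of. No router or transport in this patch needs to deliver as root, so keep `never_users = root`. The compile-time FIXED_NEVER_USERS setting may still block it on Fedora, but the config should not rely on that.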
@@ -232,7 +228,7 @@
 # Kerberos rather than only local users, then you possibly also want
 # to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
 # too. Once a user is authenticated, the acl_check_rcpt ACL then
-# allows them to relay through the system.
+# allows them to relay through the system. 
 #
 # auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
 #
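Review bot: the only change in this hunk is trailing whitespace added to a comment line; drop it from the patch.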
@@ -245,26 +241,18 @@
 #
 auth_advertise_hosts =
 
-# The settings below cause Exim to make RFC 1413 (ident) callbacks
-# for all incoming SMTP calls. You can limit the hosts to which these
-# calls are made, and/or change the timeout that is used. If you set
-# the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
-# are cheap and can provide useful information for tracing problem
-# messages, but some hosts and firewalls have problems with them.
-# This can result in a timeout instead of an immediate refused
-# connection, leading to delays on starting up SMTP sessions.
-# (The default was reduced from 30s to 5s for release 4.61. and to
-# disabled for release 4.86)
-#
-#rfc1413_hosts = *
-#rfc1413_query_timeout = 5s
-
-
-# Enable an efficiency feature.  We advertise the feature; clients
-# may request to use it.  For multi-recipient mails we then can
-# reject or accept per-user after the message is received.
-#
-prdr_enable = true
+# The settings below, which are actually the same as the defaults in the
+# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
+# calls. You can limit the hosts to which these calls are made, and/or change
+# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
+# are disabled. RFC 1413 calls are cheap and can provide useful information
+# for tracing problem messages, but some hosts and firewalls have problems
+# with them. This can result in a timeout instead of an immediate refused
+# connection, leading to delays on starting up SMTP sessions. (The default was
+# reduced from 30s to 5s for release 4.61.)
+
+rfc1413_hosts = *
+rfc1413_query_timeout = 5s
 
 
 # By default, Exim expects all envelope addresses to be fully qualified, that
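Review bot: enabling ident callbacks to every peer (`rfc1413_hosts = *` with a 5s timeout) and dropping `prdr_enable = true` is a step backwards for a workstation that only submits mail to a smarthost: RFC 1413 lookups provide nothing here and each inbound connection can stall up to 5s on a firewalled peer. The replacement comment is also the older text that omits the note that ident was disabled by default in 4.86. Suggest leaving the original lines as they were.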
@@ -280,13 +268,6 @@
 # and/or qualify_recipient (see above).
 
 
-# Unless you run a high-volume site you probably want more logging
-# detail than the default.  Adjust to suit.
-
-log_selector = +smtp_protocol_error +smtp_syntax_error \
-	+tls_certificate_verified
-
-
 # If you want Exim to support the "percent hack" for certain domains,
 # uncomment the following line and provide a list of domains. The "percent
 # hack" is the feature by which mail addressed to x%y@z (where z is one of
@@ -352,19 +333,16 @@
 
 # accept_8bitmime = false
 
-
 # Exim does not make use of environment variables itself. However,
 # libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
 # There are two lists: keep_environment for the variables we trust, and
 # add_environment for variables we want to set to a specific value.
-# Note that TZ is handled separately by the timezone runtime option
+# Note that TZ is handled separateley by the timezone runtime option
 # and TIMEZONE_DEFAULT buildtime option.
 
 keep_environment = ^LDAP
 add_environment = PATH=/usr/bin::/bin
 
-
-
 ######################################################################
 #                       ACL CONFIGURATION                            #
 #         Specifies access control lists for incoming SMTP mail      #
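Review bot: the only substantive change in this hunk introduces a typo, `separateley` for `separately`, in a comment; drop that line pair from the patch.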
@@ -496,11 +474,6 @@
           control       = submission
           control       = dkim_disable_verify
 
-  # Insist that a HELO/EHLO was accepted.
-
-  require message	= nice hosts say HELO first
-          condition	= ${if def:sender_helo_name}
-
   # Insist that any other recipient address that we accept is either in one of
   # our local domains, or is in a domain for which we explicitly allow
   # relaying. Any other domain is rejected as being unacceptable for relaying.
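Review bot: the `require ... condition = ${if def:sender_helo_name}` check is removed without a stated reason. On a workstation that should not accept inbound SMTP from other hosts it has little effect, but it is still a relaxation of acl_check_rcpt; if a local client fails to send HELO, say so in a comment, otherwise keep the check.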
@@ -566,13 +539,6 @@
 
 acl_check_data:
 
-  # Deny if the message contains an overlong line.  Per the standards
-  # we should never receive one such via SMTP.
-  #
-  deny    message    = maximum allowed line length is 998 octets, \
-                       got $max_received_linelength
-          condition  = ${if > {$max_received_linelength}{998}}
-
   # Put simple tests first. A good one is to check for the presence of a
   # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
   # or misconfigured mailer software occasionally omits this from genuine
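Review bot: dropping the 998-octet line-length deny in acl_check_data is unexplained; lines longer than 998 octets violate RFC 5322 and the gateway or a downstream host may reject them anyway, so the check only moves the failure earlier and makes it visible locally. Note the reason in a comment or keep the check, and keep it consistent with the related remote_smtp change further down.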
@@ -697,14 +663,14 @@
 # If the DNS lookup fails, no further routers are tried because of the no_more
 # setting, and consequently the address is unrouteable.
 
-dnslookup:
-  driver = dnslookup
-  domains = ! +local_domains
-  transport = remote_smtp
-  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+#dnslookup:
+#  driver = dnslookup
+#  domains = ! +local_domains
+#  transport = remote_smtp
+#  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
 # if ipv6-enabled then instead use:
 # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-  no_more
+#  no_more
 
 
 # This alternative router can be used when you want to send all mail to a
@@ -713,13 +679,14 @@
 # should comment out "dnslookup" above.  Setting a real hostname in route_data
 # wouldn't hurt either.
 
-# smarthost:
-#   driver = manualroute
-#   domains = ! +local_domains
-#   transport = remote_smtp
-#   route_data = MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
-#   ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-#   no_more
+smarthost:
+  driver = manualroute
+  domains = ! +local_domains
+  transport = remote_msa
+#  route_data = smtp.comcast.net
+  route_data = mail.daveking.com
+#  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+  no_more
 
 
 # The remaining routers handle addresses in the local domain(s), that is those
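Review bot: `ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1` should stay active on the smarthost router; it guards against a DNS answer that resolves mail.daveking.com to a loopback or unspecified address, which would otherwise make Exim deliver the mail back to itself. The leftover `#  route_data = smtp.comcast.net` line is dead config and should be removed. Also confirm that the `remote_msa` transport this router names is defined (the RFC4409 submission transport below) and that it requires TLS and authentication to the smarthost, since the PLAIN credentials are sent through it.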
@@ -835,13 +802,9 @@
 
 
 # This transport is used for delivering messages over SMTP connections.
-# Refuse to send any message with over-long lines, which could have
-# been received other than via SMTP. The use of message_size_limit to
-# enforce this is a red herring.
 
 remote_smtp:
   driver = smtp
-  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 
 # This transport is used for delivering messages over SMTP using the
 # "message submission" port (RFC4409).
@@ -910,7 +873,7 @@
   driver = autoreply
 
 
-# This transport is used to deliver local mail to cyrus IMAP server via UNIX
+# This transport is used to deliver local mail to cyrus IMAP server via UNIX 
 # socket. You'll need to configure the 'localuser' router above to use it.
 #
 #lmtp_delivery:
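Review bot: the only change in this hunk is trailing whitespace added to a comment line; drop it from the patch.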
@@ -950,11 +913,10 @@
 #                      REWRITE CONFIGURATION                         #
 ######################################################################
 
-# There are no rewriting specifications in this default configuration file.
-
 begin rewrite
 
-
+#  This host masquerades as daveking.com
+*@localhost.localdomain	$1@daveking.com
 
 ######################################################################
 #                   AUTHENTICATION CONFIGURATION                     #
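Review bot: the rewrite rule has no flags, so it applies to envelope recipients and To:/Cc: headers as well as senders; mail addressed to user@localhost.localdomain is rewritten to user@daveking.com and handed to the smarthost instead of being delivered locally. If the intent is only to masquerade the sender, add sender flags, e.g. `*@localhost.localdomain  $1@daveking.com  Ffrs` (envelope from, From:, Reply-To:, Sender:). Since qualify_domain already appends daveking.com to unqualified addresses, this rule only matters for addresses explicitly written with the localhost.localdomain domain.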
@@ -1006,6 +968,13 @@
 #  server_prompts             = :
 #  server_condition           = ${if saslauthd{{$2}{$3}{smtp}} {1}}
 #  server_advertise_condition = ${if def:tls_in_cipher }
+PLAIN:
+  driver = plaintext
+  public_name = PLAIN
+  client_send = ^userid^password
 
 # LOGIN authentication has traditional prompts and responses. There is no
 # authorization ID in this mechanism, so unlike PLAIN the username and
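Review bot: the PLAIN authenticator sends userid and password in the clear unless the transport forces TLS first; add `client_condition = ${if !eq{$tls_out_cipher}{}}` so the credentials are never offered on an unencrypted session, and keep the literal password out of the main config (a `${lookup{...}lsearch{...}}` from a root-only file, or at least restrict exim.conf so only root and the exim user can read it). The hunk header claims seven added lines but only four `+` lines are shown, so this copy of the patch may be truncated; there is also no blank line separating the new block from the commented-out block above it.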
@@ -1019,7 +988,6 @@
 #  server_condition           = ${if saslauthd{{$1}{$2}{smtp}} {1}}
 #  server_advertise_condition = ${if def:tls_in_cipher }
 
-
 ######################################################################
 #                   CONFIGURATION FOR local_scan()                   #
 ######################################################################
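A post-install check, added here as an example and not part of the original page: a small shell audit of an exim.conf of the kind the patch above produces, flagging the settings a reviewer would question on a submit-only workstation (never_users disabled, ident callbacks to every peer, a PLAIN authenticator with no TLS condition and an inline password, a world-readable config file). The sample config it writes is constructed for the example; point it at /etc/exim/exim.conf to check a real one.

```shell
#!/bin/sh
# Added example, not from the original page: audit an exim.conf for settings
# a reviewer flags on a submit-only workstation. Usage: sh audit.sh /etc/exim/exim.conf
# The sample config written below is constructed for this example.

# Writes a minimal constructed exim.conf fragment with the weak settings to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# never_users = root
rfc1413_hosts = *
qualify_domain = daveking.com
begin authenticators
PLAIN:
  driver = plaintext
  public_name = PLAIN
  client_send = ^userid^password
EOF
}

# Prints one line per finding on $1; returns the number of findings (0 = clean).
audit_exim_conf() {
    conf="$1"; n=0
    # Without never_users, a delivery process can run as root.
    if ! grep -Eq '^[[:space:]]*never_users[[:space:]]*=.*root' "$conf"; then
        echo "never_users = root is not set"; n=$((n+1))
    fi
    # Ident callbacks to every peer only add delays on a workstation.
    if grep -Eq '^[[:space:]]*rfc1413_hosts[[:space:]]*=[[:space:]]*\*' "$conf"; then
        echo "rfc1413_hosts = * enables ident callbacks to all hosts"; n=$((n+1))
    fi
    # A plaintext client authenticator should refuse to run without TLS.
    if grep -Eq '^[[:space:]]*driver[[:space:]]*=[[:space:]]*plaintext' "$conf" &&
       ! grep -Eq '^[[:space:]]*client_condition[[:space:]]*=.*tls_out_cipher' "$conf"; then
        echo "plaintext authenticator has no TLS client_condition"; n=$((n+1))
    fi
    # A literal secret after the NUL marker (^) is exposed to every reader of the file.
    if grep -Eq '^[[:space:]]*client_send[[:space:]]*=[[:space:]]*\^[^$]' "$conf"; then
        echo "client_send holds a literal password; use a lookup from a root-only file"; n=$((n+1))
    fi
    # A config that carries credentials must not be world-readable (8th char of ls -l mode).
    if [ "$(ls -ld "$conf" | cut -c8)" = "r" ]; then
        echo "$conf is world-readable"; n=$((n+1))
    fi
    return $n
}

if [ -n "$1" ]; then
    audit_exim_conf "$1"
fi
```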