The main parts involved in delivering electronic mail over the internet are described below.
Exim is the default message transfer agent (MTA) of Debian. It is installed by default and configured to do local mail delivery only. This tutorial explains how to configure Exim 4 on Debian 10 (buster) to send and receive mail for your own domain over the internet.
In the following examples, the domain is called example.net. The IPv4 address of the server running the MTA is 192.0.2.1 and the IPv6 address is 2001:db8:10::1.
Relevant parts in the zone of the domain are specified as follows:
@ IN MX 10 mail.example.net. ; The MX record specifies the mail server
mail IN A 192.0.2.1 ; IPv4 address for mail.example.net
mail IN AAAA 2001:db8:10::1 ; IPv6 address for mail.example.net
@ IN TXT "v=spf1 ip4:192.0.2.1 ip6:2001:db8:10::1 ~all"
The Sender Policy Framework (SPF) allows other MTAs to check whether they should accept or reject an incoming mail. MTAs analyze the SPF information of the domain in the sender's mail address (e.g. @example.net). The SPF information is stored in a TXT record of the domain. This record specifies the IP addresses that are allowed to transfer mail where the sender's mail address ends with @example.net. ~all is a soft fail: other MTAs should treat a mail with a sender's mail address @example.net from any other IP address as spam.
When communicating with other MTAs, it is common that the IP address of the connecting MTA is checked by doing a reverse DNS lookup. If mail.example.net resolves to 192.0.2.1, it is expected that a reverse DNS lookup of 192.0.2.1 gives mail.example.net. The same applies to the IPv6 address.
The MX record of a domain can be checked using online tools such as https://mxtoolbox.com/MXLookup.aspx
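As an added example that is not part of this tutorial, the Python script below performs the checks described above offline against a constructed snapshot of the zone: every MX host must have an A/AAAA record, every address must have a PTR record naming the MX host, and every address must be listed in the SPF record. The lookup interface and the GOOD/BAD snapshots are assumptions; in production the snapshot would be filled from real DNS answers (e.g. dig output).

```python
import ipaddress

def spf_networks(txt):
    """ip4:/ip6: mechanisms of an SPF record as ip_network objects; the a/mx/include
    mechanisms, which this tutorial's record does not use, are ignored."""
    return [ipaddress.ip_network(t[4:], strict=False)
            for t in txt.split() if t.startswith(("ip4:", "ip6:"))]

def check_mail_dns(domain, lookup):
    """Return a list of problems in the mail-related records of domain.
    lookup(name, rtype) returns the record strings for name, or [] if none."""
    problems = []
    mx_hosts = [rr.split()[1].rstrip(".") for rr in lookup(domain, "MX")]
    if not mx_hosts:
        return [f"{domain}: no MX record"]
    spf = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not spf:
        problems.append(f"{domain}: no SPF record")
    nets = spf_networks(spf[0]) if spf else []
    for host in mx_hosts:
        addrs = lookup(host, "A") + lookup(host, "AAAA")
        if not addrs:
            problems.append(f"{host}: no A/AAAA record")
        for a in addrs:
            ip = ipaddress.ip_address(a)
            # Forward/reverse consistency: the PTR of the address must name the MX host.
            ptr = [p.rstrip(".") for p in lookup(ip.reverse_pointer, "PTR")]
            if host not in ptr:
                problems.append(f"{a}: PTR is {ptr or 'missing'}, expected {host}")
            if spf and not any(ip in n for n in nets):
                problems.append(f"{a}: not listed in the SPF record of {domain}")
    return problems

def make_lookup(records):
    """Offline lookup over a dict {(name, rtype): [records]} (constructed data)."""
    return lambda name, rtype: records.get((name.rstrip("."), rtype), [])

# Constructed snapshot of this tutorial's zone plus the matching reverse zones.
V4, V6 = ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("2001:db8:10::1")
GOOD = {
    ("example.net", "MX"): ["10 mail.example.net."],
    ("mail.example.net", "A"): [str(V4)],
    ("mail.example.net", "AAAA"): [str(V6)],
    ("example.net", "TXT"): ["v=spf1 ip4:192.0.2.1 ip6:2001:db8:10::1 ~all"],
    (V4.reverse_pointer, "PTR"): ["mail.example.net."],
    (V6.reverse_pointer, "PTR"): ["mail.example.net."],
}
# The same zone without the IPv6 PTR, as other MTAs see it before the reverse zone exists.
BAD = {k: v for k, v in GOOD.items() if k != (V6.reverse_pointer, "PTR")}
```

check_mail_dns returns an empty list for GOOD and one PTR complaint for BAD.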
Execute the following command to reconfigure the installed Exim package:
dpkg-reconfigure exim4-config
The following questions will be asked; answer them as follows:
internet site; mail is sent and received directly using SMTP
example.net
127.0.0.1 ; ::1 ; 192.0.2.1 ; 2001:db8:10::1
example.net ; local-hostname
No
Maildir format in home directory
Yes
Answering these questions edits the following file:
/etc/exim4/update-exim4.conf.conf
#...
# This is a Debian specific file
dc_eximconfig_configtype='internet'
dc_other_hostnames='example.net ; local-hostname'
dc_local_interfaces='127.0.0.1 ; ::1 ; 192.0.2.1 ; 2001:db8:10::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
Afterwards, update-exim4.conf is called to update the configuration files.
When another MTA connects, the hostname in the SMTP greeting is expected to
match the DNS record.
This can be achieved by setting the hostname of the system or by specifying
the hostname in a configuration file:
/etc/exim4/conf.d/main/00_exim4-config_localmacros
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.example.net
In the following example, mail for root is forwarded to johndoe:
/etc/aliases
root: johndoe
To reload the aliases:
newaliases
Send a mail to johndoe on the local system to check that delivery of mail works:
echo "This is a simple test." | mail johndoe@example.net -s "Test"
The mail is expected to be delivered into the directory /home/johndoe/Maildir/new/.
Connect to the MTA from a remote host:
telnet mail.example.net 25
The SMTP greeting is expected to be shown.
The SSL/TLS certificate used has to include mail.example.net.
To enable STARTTLS on port 25 and SSL/TLS on port 465, add the following lines:
/etc/exim4/conf.d/main/00_exim4-config_localmacros
MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/example.net/fullchain.pem
MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/example.net/privkey.pem
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465
Further information can be found in /usr/share/doc/exim4-base/README.Debian.gz.
certbot installs TLS/SSL certificates from Let's Encrypt in a way that only root can read them.
If Exim cannot read the certificate, there is a message in the log file
that looks like this:
/var/log/exim4/mainlog
2020-01-02 12:12:12 TLS error on connection from mail.other-mta.net [212.212.212.212]
(cert/key setup: cert=/etc/letsencrypt/live/example.net/fullchain.pem key=/etc/letsencrypt/live/example.net/privkey.pem):
Error while reading file.
Exim runs as user Debian-exim. Add this user to the group ssl-cert:
usermod -a -G ssl-cert Debian-exim
Allow users in the group ssl-cert to access the certificates:
chgrp ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive
chgrp -R ssl-cert /etc/letsencrypt/archive
chmod -R g+r /etc/letsencrypt/archive
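As an added example that is not part of this tutorial, the Python script below reproduces the permission problem on a constructed copy of certbot's directory layout and shows that the chmod commands alone are not enough: the Debian-exim user also has to be in the group. It models Debian-exim with a made-up uid/gid (11111) and stands in for membership in ssl-cert by passing the files' current group id, because chgrp needs root; it checks plain mode bits only (no ACLs, no os.access) and assumes the directories above the top directory are searchable.

```python
import os, tempfile

def unreadable_reason(path, top, uid, gid, groups):
    """Why a user with (uid, gid, groups) cannot read path, or None if the mode bits
    allow it; checks mode bits rather than os.access, so it is valid even as root."""
    def ok(p, bit):  # bit is the 'other' permission bit, shifted for owner/group
        st = os.stat(p)
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in {gid, *groups} else 0
        return st.st_mode & (bit << shift)
    path, dirs = os.path.normpath(path), []
    d = os.path.dirname(path)
    while d.startswith(top) and d not in dirs:  # collect top, ..., dirname(path)
        dirs.insert(0, d); d = os.path.dirname(d)
    for d in dirs:
        if not ok(d, 0o001):
            return f"no search (x) permission on directory {d}"
    if os.path.islink(path):  # live/.../fullchain.pem is a symlink into archive/
        target = os.path.join(os.path.dirname(path), os.readlink(path))
        return unreadable_reason(target, top, uid, gid, groups)
    return None if ok(path, 0o004) else f"no read permission on {path}"

def build_demo_tree(top):
    """Constructed replica of certbot's layout: live/ and archive/ are mode 0700."""
    live, arch = (os.path.join(top, d, "example.net") for d in ("live", "archive"))
    for d in (top, live, arch):
        os.makedirs(d, exist_ok=True); os.chmod(d, 0o755)
    for d in ("live", "archive"):
        os.chmod(os.path.join(top, d), 0o700)
    with open(os.path.join(arch, "fullchain1.pem"), "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n")
    os.chmod(os.path.join(arch, "fullchain1.pem"), 0o644)
    os.symlink("../../archive/example.net/fullchain1.pem", os.path.join(live, "fullchain.pem"))
    return os.path.join(live, "fullchain.pem")

def apply_tutorial_chmods(top):
    """chmod g+rx live archive; chmod -R g+r archive (the chgrp steps need root)."""
    for d in ("live", "archive"):
        p = os.path.join(top, d); os.chmod(p, os.stat(p).st_mode & 0o7777 | 0o050)
    for root, ds, fs in os.walk(os.path.join(top, "archive")):
        for p in (os.path.join(root, n) for n in ds + fs):
            os.chmod(p, os.stat(p).st_mode & 0o7777 | 0o040)

def demo():
    top, exim = tempfile.mkdtemp(), (11111, 11111)  # constructed uid/gid for Debian-exim
    cert = build_demo_tree(top)
    before = unreadable_reason(cert, top, *exim, ())
    apply_tutorial_chmods(top)
    chmod_only = unreadable_reason(cert, top, *exim, ())
    chmod_and_group = unreadable_reason(cert, top, *exim, (os.stat(cert).st_gid,))
    return before, chmod_only, chmod_and_group
```

demo() reports the live directory as unsearchable before the fix and after the chmods alone, and None once group membership is added.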
Let's Encrypt certificates are valid for 90 days. certbot renews certificates automatically before they expire.
Exim needs to reload the configuration after the certificate has been renewed.
This is done automatically by placing an executable script as renewal hook:
/etc/letsencrypt/renewal-hooks/deploy/reload_exim4.sh
#!/bin/sh
systemctl reload exim4.service
If SSL/TLS encryption works on port 465, the SMTP greeting should be shown
when executing the following command:
openssl s_client -connect mail.example.net:465
Without authentication, the MTA does not accept mail for a destination that is not specified in the configuration files. A mail client needs to be authenticated so that the MTA accepts and relays mail to any destination.
A configuration for PLAIN authentication is found in a comment in /etc/exim4/conf.d/auth/30_exim4-config_examples.
This configuration is written into a new file:
/etc/exim4/conf.d/auth/30_exim4-config_plain
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
Usernames and passwords for Exim are specified with the following syntax:
/etc/exim4/passwd
username:crypted-password:(clear-password)
To crypt a password, use the command line tool mkpasswd. It is part of the whois package.
Ensure that only Exim can read the accounts:
chown root:Debian-exim /etc/exim4/passwd
chmod 640 /etc/exim4/passwd
Further information can be found in the corresponding manual page:
man exim4_passwd
DomainKeys Identified Mail (DKIM) allows the domain of a mail to be verified. The MTA signs outgoing mails using a private key dedicated to DKIM. The public key is published in a TXT record of the domain. If the key pair is replaced, the old public key should remain available on DNS servers so that older mails can still be verified. The selector in the signature determines which key is used. For DKIM, 1024-bit RSA keys are common.
The following commands generate a 1024-bit RSA key and allow Exim to access
the private key:
mkdir -p /etc/exim4/dkim/example.net
cd /etc/exim4/dkim/example.net
openssl genrsa -out privkey.pem 1024
chgrp Debian-exim privkey.pem
chmod g+r privkey.pem
In the following example, the date when the key was created (20200423) is used as selector. To enable DKIM, add the following lines:
00_exim4-config_localmacros
DKIM_DOMAIN = example.net
DKIM_SELECTOR = 20200423
DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.net/privkey.pem
The following command shows the public key:
openssl rsa -in /etc/exim4/dkim/example.net/privkey.pem -pubout
This public key is published in a TXT record of the domain. Ensure that the selector 20200423 matches the selector in the config:
20200423._domainkey IN TXT "k=rsa; p=MIGfMA0G...QQIDAQAB"