Gernot Walzl

Navigation

The main parts to deliver electronic mail over the internet are as follows:

• Message Transfer Agent (MTA)
• Mail Delivery Agent (MDA)
• Mail User Agnet (MUA) or e-mail client

Exim is the default message transfer agent (MTA) of Debian.
It is installed by default and configured to do local mail delivery only.

This tutorial explains how to configure Exim 4 on Debian 10 (buster)
to send and receive mails for your own domain over the internet.

Contents

• Domain
  • Zone
  • SPF
  • rDNS
  • Check MX Record
• Basic Configuration
  • dpkg-reconfigure
  • Hostname
  • Aliases
  • Test Local Delivery
  • Test Remote Connectivity
• SSL/TLS Encryption
  • Configuration
  • Let's Encrypt
  • Test Encryption
• Authentication
  • Configuration
  • Accounts
• DKIM
  • Generate Key
  • Configuration
  • Publish Public Key
• External Links for further Information

Domain

In the following examples, the domain is called example.net.
The IPv4 address of the server running the MTA is 192.0.2.1
and the IPv6 address is 2001:db8:10::1 in the examples.

Zone

Relevant parts in the zone of the domain are specified as follows:

@     IN  MX    10 mail.example.net.  ; The MX record specifies the mail server
mail  IN  A     192.0.2.1             ; IPv4 address for mail.example.net
mail  IN  AAAA  2001:db8:10::1        ; IPv6 address for mail.example.net
@     IN  TXT   "v=spf1 ip4:192.0.2.1 ip6:2001:db8:10::1 ~all"

SPF

The Sender Policy Framework (SPF) allows other MTAs to check
if they should accept or reject an incoming mail.

MTAs analyze the SPF information of the domain in the sender's
mail address (e.g. @example.net).
The SPF information is stored in a TXT record of the domain.
This record specifies the IP addresses that are allowed to transfer mail
where the sender's mail address ends with @example.net.
~all means that other MTAs should treat a mail with a sender's
mail address @example.net from all other IP addresses as spam.

rDNS

When communicating with other MTAs, it is common that the IP address of
the connecting MTA is checked by doing a reverse DNS lookup.
If mail.example.net resolves to 192.0.2.1, it is expected that
a reverse DNS lookup of 192.0.2.1 gives mail.example.net.
Same applies for the IPv6 address.

Check MX Record

The MX record of a domain can be checked using online tools:
https://mxtoolbox.com/MXLookup.aspx

Basic Configuration

dpkg-reconfigure

Execute the following command to reconfigure the installed Exim package:

dpkg-reconfigure exim4-config

The following questions will be asked:

1. General type of mail configuration:
   internet site; mail is sent and received directly using SMTP
2. System mail name:
   example.net
3. IP-addresses to listen on for incoming SMTP connections:
   127.0.0.1 ; ::1 ; 192.0.2.1 ; 2001:db8:10::1
4. Other destinations for which mail is accepted:
   example.net ; local-hostname
5. Domains to relay mail for:
   (leave empty)
6. Machines to relay mail for:
   (leave empty)
7. Keep number of DNS-queries minimal (Dial-on-Demand)?
   No
8. Delivery method for local mail:
   Maildir format in home directory
9. Split configuration into small files?
   Yes

Answering these questions edits the following file:

/etc/exim4/update-exim4.conf.conf

#...
# This is a Debian specific file

dc_eximconfig_configtype='internet'
dc_other_hostnames='example.net ; local-hostname'
dc_local_interfaces='127.0.0.1 ; ::1 ; 192.0.2.1 ; 2001:db8:10::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'

Afterwards, update-exim4.conf is called to update the configuration files.

Hostname

When another MTA connects, the hostname in the SMTP greeting is expected to
match the DNS record.
This can be achieved by setting the hostname of the system or by specifying
the hostname in a configuration file:

/etc/exim4/conf.d/main/00_exim4-config_localmacros

MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.example.net

Aliases

In the following example, mail for root is forwarded to johndoe:

/etc/aliases

root: johndoe

To reload the aliases:

newaliases

Test Local Delivery

Send a mail to johndoe on the local system to see if the delivery
of mails work:

echo "This is a simple test." | mail johndoe@example.net -s "Test"

The mail is expected to be delivered into the directory /home/johndoe/Maildir/new/.

Test Remote Connectivity

Connect to the MTA from a remote host:

telnet mail.example.net 25

The SMTP greeting is expected to be shown.

SSL/TLS Encryption

The used SSL/TLS certificate has to include mail.example.net.

Configuration

To enable STARTTLS on port 25 and SSL/TLS on port 465, add the following lines:

/etc/exim4/conf.d/main/00_exim4-config_localmacros

MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/example.net/fullchain.pem
MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/example.net/privkey.pem

daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465

Further information can be found in /usr/share/doc/exim4-base/README.Debian.gz.

Let's Encrypt

certbot installs TLS/SSL certificates from Let's Encrypt an a way
that only root can read them.

If Exim cannot read the certificate, there is a message in the log file
that looks like this:

/var/log/exim4/mainlog

2020-01-02 12:12:12 TLS error on connection from mail.other-mta.net [212.212.212.212]
  (cert/key setup: cert=/etc/letsencrypt/live/example.net/fullchain.pem key=/etc/letsencrypt/live/example.net/privkey.pem):
  Error while reading file.

Exim runs as user Debian-exim. Add this user to the group ssl-cert:

usermod -a -G ssl-cert Debian-exim

Allow users in the group ssl-cert to access the certificates:

chgrp ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive
chgrp -R ssl-cert /etc/letsencrypt/archive
chmod -R g+r /etc/letsencrypt/archive

Let's Encrypt certificates are valid for 90 days.
certbot renews expired certificates automatically.
Exim needs to reload the configuration after the certificate has been renewed.
This is done automatically by placing an executable script as renewal hook:

/etc/letsencrypt/renewal-hooks/deploy/reload_exim4.sh

#!/bin/sh
systemctl reload exim4.service

Test Encryption

If SSL/TLS encryption works on port 465, the SMTP greeting should be shown
when executing the following command:

openssl s_client -connect mail.example.net:465

Authentication

Without authentication, the MTA does not accept mail for a destination
that is not specified in the configuration files.
A mail client needs to be authenticated so that the MTA accepts and
relays mail to any destination.

Configuration

A configuration for PLAIN authentication is found in a comment in
/etc/exim4/conf.d/auth/30_exim4-config_examples.

This configuration is written into a new file:

/etc/exim4/conf.d/auth/30_exim4-config_plain

plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  .endif

Accounts

Usernames and passwords for Exim are specified with the following syntax:

/etc/exim4/passwd

username:crypted-password:(clear-password)

To crypt a password use the command line tool mkpassd.
It is part of the whois package.

Ensure that only Exim can read the accounts:

chown root:Debian-exim /etc/exim4/passwd
chmod 640 /etc/exim4/passwd

Further information can be found in the corresponding manual page:

man exim4_passwd

DKIM

DomainKeys Identified Mail (DKIM) means that the domain of a mail can be
verified. The MTA signs outgoing mails using a private key specific for DKIM.
The public key is published in a TXT record of the domain.

If the key pair is updated, the old public key should still be available
on DNS servers to verify old mails. The selector determines the used key.

Generate Key

For DKIM, 1024-bit RSA keys are common.
The following commands generate a 1024-bit RSA key and allow Exim to access
the private key:

mkdir -p /etc/exim4/dkim/example.net
cd /etc/exim4/dkim/example.net
openssl genrsa -out privkey.pem 1024
chgrp Debian-exim privkey.pem
chmod g+r privkey.pem

Configuration

In the following example, the date when the key was created (20200423) is used
as selector. To enable DKIM, add the following lines:

00_exim4-config_localmacros

DKIM_DOMAIN = example.net
DKIM_SELECTOR = 20200423
DKIM_PRIVATE_KEY = /etc/exim4/dkim/example.net/privkey.pem

Publish Public Key

The following command shows the public key:

openssl rsa -in /etc/exim4/dkim/example.net/privkey.pem -pubout

This public key is published in a TXT record of the domain.
Ensure that the selector 20200423 matches the selector in the config.

20200423._domainkey  IN  TXT  "k=rsa; p=MIGfMA0G...QQIDAQAB"

External Links for further Information

• https://www.exim.org/
• https://tools.ietf.org/html/rfc7208
• https://tools.ietf.org/html/rfc6376
• https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
• https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

CONTENT.html

source

2022-05-22

14 KB