# How To setup exim + exiscan-acl + SpamAssassin + clamav +...

## Cataclysm

How To setup exim + exiscan-acl + SpamAssassin + clamav + courier-imapd

This HowTo describes how to setup exim 4.22 with the exiscan-acl patch, SpamAssassin and clamav for content-scanning and courier-imapd for reading mail with an imap-ready mailclient. The whole set of programs is intended for being used as a mailserver on a routerbox, but configs can easily be modified to work in any other environment you need.

Let's start by editing /etc/make.conf to add/update some USE-Flags:

- If you have "mbox" in your USE, remove it!

- Add "exiscan-acl" and "maildir" to USE

- You may want to add "ldap", "berkdb", "mysql", "pam" and "nls" for support of there features in courier-imapd

- You may want to add "tcpd", "ssl", "mysql", "ldap", "pam", "lmtp" and "ipv6" for support of these features in exim

- Replace "mysql" with "postgres", or just add it, if you need postgres-support

I, personaly, have all of the USE-Flags shown above, except "postgres", in my USE  :Smile: 

Now emerge all the needed programs:

# emerge exim

# emerge clamav

# emerge Mail-SpamAssassin

# emerge courier-imap

This might trigger a long list of packages to emerge, depending on your current system-config. Note that you have to re-emerge exim if you added or removed any USE-flag! If emerge complains about another MTA blocking exim, you have to unmerge it (using emerge --unmerge <mta>) before emerging exim.

Don't start anything yet, these is much to configure beforce doing so.

Let's go on to the configuration  :Smile: 

EXIM:

"/etc/exim/exim.conf":

```
######################################################################

#                  Runtime configuration file for Exim               #

######################################################################

# This is a default configuration file which will operate correctly in

# uncomplicated installations. Please see the manual for a complete list

# of all the runtime configuration options that can be included in a

# configuration file. There are many more than are mentioned here. The

# manual is in the file doc/spec.txt in the Exim distribution as a plain

# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available

# from the Exim ftp sites. The manual is also online at the Exim web sites.

# This file is divided into several parts, all but the first of which are

# headed by a line starting with the word "begin". Only those parts that

# are required need to be present. Blank lines, and lines starting with #

# are ignored.

########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########

#                                                                          #

# Whenever you change Exim's configuration file, you *must* remember to    #

# HUP the Exim daemon, because it will not pick up the new configuration   #

# until you do. However, any other Exim processes that are started, for    #

# example, a process started by an MUA in order to send a message, will    #

# see the new configuration as soon as it is in place.                     #

#                                                                          #

# You do not need to HUP the daemon for changes in auxiliary files that    #

# are referenced from this file. They are read every time they are used.   #

#                                                                          #

# It is usually a good idea to test a new configuration for syntactic      #

# correctness before installing it (for example, by running the command    #

# "exim -C /config/file.new -bV").                                         #

#                                                                          #

########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########

######################################################################

#                    MAIN CONFIGURATION SETTINGS                     #

######################################################################

# Specify your host's canonical name here. This should normally be the fully

# qualified "official" name of your host. If this option is not set, the

# uname() function is called to obtain the name. In many cases this does

# the right thing and you need not set anything explicitly.

# primary_hostname =

# The next three settings create two lists of domains and one list of hosts.

# These lists are referred to later in this configuration using the syntax

# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They

# are all colon-separated lists:

# YOU HAVE TO EDIT THIS BLOCK TO SUIT YOUR NEED!!

domainlist local_domains = @ : firestarter.shnet.org : finalfrontier.d2g.com : final-frontier.ath.cx : final-frontier.homelinux.net : final-frontier.homelinux.com : final-frontier.homelinux.org : final-frontier.homeunix.org : localhost

domainlist relay_to_domains =

hostlist   relay_from_hosts = 127.0.0.1 : 192.168.25.0/24

# Most straightforward access control requirements can be obtained by

# appropriate settings of the above options. In more complicated situations, you

# may need to modify the Access Control List (ACL) which appears later in this

# file.

# The first setting specifies your local domains, for example:

#

#   domainlist local_domains = my.first.domain : my.second.domain

#

# You can use "@" to mean "the name of the local host", as in the default

# setting above. This is the name that is specified by primary_hostname,

# as specified above (or defaulted). If you do not want to do any local

# deliveries, remove the "@" from the setting above. If you want to accept mail

# addressed to your host's literal IP address, for example, mail addressed to

# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains

# list. You also need to uncomment "allow_domain_literals" below. This is not

# recommended for today's Internet.

# The second setting specifies domains for which your host is an incoming relay.

# If you are not doing any relaying, you should leave the list empty. However,

# if your host is an MX backup or gateway of some kind for some domains, you

# must set relay_to_domains to match those domains. For example:

#

# domainlist relay_to_domains = *.myco.com : my.friend.org

#

# This will allow any host to relay through your host to those domains.

# See the section of the manual entitled "Control of relaying" for more

# information.

# The third setting specifies hosts that can use your host as an outgoing relay

# to any other host on the Internet. Such a setting commonly refers to a

# complete local network as well as the localhost. For example:

#

# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16

#

# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you

# have to include 127.0.0.1 if you want to allow processes on your host to send

# SMTP mail by using the loopback address. A number of MUAs use this method of

# sending mail.

# All three of these lists may contain many different kinds of item, including

# wildcarded names, regular expressions, and file lookups. See the reference

# manual for details. The lists above are used in the access control list for

# incoming messages. The name of this ACL is defined here:

acl_smtp_rcpt = acl_check_rcpt

# You should not change that setting until you understand how ACLs work.

# The following ACL entry is used if you want to do content scanning with the

# exiscan-acl patch. When you uncomment this line, you must also review the

# acl_check_content entry in the ACL section further below.

acl_smtp_data = acl_check_content

# This configuration variable defines the virus scanner that is used with

# the 'malware' ACL condition of the exiscan acl-patch. If you do not use

# virus scanning, leave it commented. Please read doc/exiscan-acl-readme.txt

# for a list of supported scanners.

# av_scanner = sophie:/var/run/sophie

# av_scanner = cmdline:/usr/bin/antivir -v -z -allfiles -noboot -s -tmp %s:ALERT:\[(.+)\]

av_scanner = clamd:/tmp/clamd

# The following setting is only needed if you use the 'spam' ACL condition

# of the exiscan-acl patch. It specifies on which host and port the SpamAssassin

# "spamd" daemon is listening. If you do not use this condition, or you use

# the default of "127.0.0.1 783", you can omit this option.

spamd_address = 127.0.0.1 783

# Specify the domain you want to be added to all unqualified addresses

# here. An unqualified address is one that does not contain an "@" character

# followed by a domain. For example, "caesar@rome.example" is a fully qualified

# address, but the string "caesar" (i.e. just a login name) is an unqualified

# email address. Unqualified addresses are accepted only from local callers by

# default. See the recipient_unqualified_hosts option if you want to permit

# unqualified addresses from remote sources. If this option is not set, the

# primary_hostname value is used for qualification.

# qualify_domain =

# If you want unqualified recipient addresses to be qualified with a different

# domain to unqualified sender addresses, specify the recipient domain here.

# If this option is not set, the qualify_domain value is used.

# qualify_recipient =

# The following line must be uncommented if you want Exim to recognize

# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"

# (an IP address) instead of a named domain. The RFCs still require this form,

# but it makes little sense to permit mail to be sent to specific hosts by

# their IP address in the modern Internet. This ancient format has been used

# by those seeking to abuse hosts by using them for unwanted relaying. If you

# really do want to support domain literals, uncomment the following line, and

# see also the "domain_literal" router below.

# allow_domain_literals

# No deliveries will ever be run under the uids of these users (a colon-

# separated list). An attempt to do so causes a panic error to be logged, and

# the delivery to be deferred. This is a paranoic safety catch. Note that the

# default setting means you cannot deliver mail addressed to root as if it

# were a normal user. This isn't usually a problem, as most sites have an alias

# for root that redirects such mail to a human administrator.

never_users = root

# The setting below causes Exim to do a reverse DNS lookup on all incoming

# IP calls, in order to get the true host name. If you feel this is too

# expensive, you can specify the networks for which a lookup is done, or

# remove the setting entirely.

host_lookup = *

# The settings below, which are actually the same as the defaults in the

# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP

# calls. You can limit the hosts to which these calls are made, and/or change

# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls

# are disabled. RFC 1413 calls are cheap and can provide useful information

# for tracing problem messages, but some hosts and firewalls have problems

# with them. This can result in a timeout instead of an immediate refused

# connection, leading to delays on starting up an SMTP session.

rfc1413_hosts = *

rfc1413_query_timeout = 30s

# By default, Exim expects all envelope addresses to be fully qualified, that

# is, they must contain both a local part and a domain. If you want to accept

# unqualified addresses (just a local part) from certain hosts, you can specify

# these hosts by setting one or both of

#

# sender_unqualified_hosts =

# recipient_unqualified_hosts =

#

# to control sender and recipient addresses, respectively. When this is done,

# unqualified addresses are qualified using the settings of qualify_domain

# and/or qualify_recipient (see above).

# If you want Exim to support the "percent hack" for certain domains,

# uncomment the following line and provide a list of domains. The "percent

# hack" is the feature by which mail addressed to x%y@z (where z is one of

# the domains listed) is locally rerouted to x@y and sent on. If z is not one

# of the "percent hack" domains, x%y is treated as an ordinary local part. This

# hack is rarely needed nowadays; you should not enable it unless you are sure

# that you really need it.

#

# percent_hack_domains =

#

# As well as setting this option you will also need to remove the test

# for local parts containing % in the ACL definition below.

# When Exim can neither deliver a message nor return it to sender, it "freezes"

# the delivery error message (aka "bounce message"). There are also other

# circumstances in which messages get frozen. They will stay on the queue for

# ever unless one of the following options is set.

# This option unfreezes frozen bounce messages after two days, tries

# once more to deliver them, and ignores any delivery failures.

ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a week.

timeout_frozen_after = 7d

smtp_accept_queue_per_connection = 1000

smtp_accept_max_per_connection = 10000

extract_addresses_remove_arguments = false

tls_certificate = /etc/exim/rsa.cert

tls_privatekey = /etc/exim/rsa.key

tls_dhparam = /etc/exim/dh.key

tls_advertise_hosts=*

# Add verbose received-header:

received_header_text = Received: \

          ${if def:sender_fullhost {from ${sender_fullhost}\

          ${if def:sender_ident {(${sender_ident})}}}\

          {${if def:sender_ident {from ${sender_ident} }}}}\

          by ${primary_hostname}\

          ${if def:received_protocol {with ${received_protocol}}}\

          ${if def:tls_cipher {(tls_cipher ${tls_cipher})}}\

          ${if def:tls_peerdn {(tls_peerdn ${tls_peerdn})}}\

          (Exim ${version_number} #${compile_number} (Gentoo Linux 1.4))\

          id ${message_id}

######################################################################

#                       ACL CONFIGURATION                            #

#         Specifies access control lists for incoming SMTP mail      #

######################################################################

begin acl

# This access control list is used for every RCPT command in an incoming

# SMTP message. The tests are run in order until the address is either

# accepted or denied.

acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by

  # testing for an empty sending host field.

  accept  hosts = :

  # Deny if the local part contains @ or % or / or | or !. These are rarely

  # found in genuine local parts, but are often tried by people looking to

  # circumvent relaying restrictions.

  # Also deny if the local part starts with a dot. Empty components aren't

  # strictly legal in RFC 2822, but Exim allows them because this is common.

  # However, actually starting with a dot may cause trouble if the local part

  # is used as a file name (e.g. for a mailing list).

  deny    local_parts   = ^.*[@%!/|] : ^\\.

  # Accept mail to postmaster in any local domain, regardless of the source,

  # and without verifying the sender.

  accept  local_parts   = postmaster

          domains       = +local_domains

  # Deny unless the sender address can be verified.

  require verify        = sender

  #############################################################################

  # There are no checks on DNS "black" lists because the domains that contain

  # these lists are changing all the time. However, here are two examples of

  # how you could get Exim to perform a DNS black list lookup at this point.

  # The first one denies, while the second just warns.

  #

  # deny    message       = rejected because $sender_host_address is in a black list at 

$dnslist_domain\n$dnslist_text

  #         dnslists      = black.list.example

  #

  # warn    message       = X-Warning: $sender_host_address is in a black list at $dnslist_domain

  #         log_message   = found in $dnslist_domain

  #         dnslists      = black.list.example

  #############################################################################

  # Accept if the address is in a local domain, but only if the recipient can

  # be verified. Otherwise deny. The "endpass" line is the border between

  # passing on to the next ACL statement (if tests above it fail) or denying

  # access (if tests below it fail).

  accept  domains       = +local_domains

          endpass

          message       = unknown user

          verify        = recipient

  # Accept if the address is in a domain for which we are relaying, but again,

  # only if the recipient can be verified.

  accept  domains       = +relay_to_domains

          endpass

          message       = unrouteable address

          verify        = recipient

  # If control reaches this point, the domain is neither in +local_domains

  # nor in +relay_to_domains.

  # Accept if the message comes from one of the hosts for which we are an

  # outgoing relay. Recipient verification is omitted here, because in many

  # cases the clients are dumb MUAs that don't cope well with SMTP error

  # responses. If you are actually relaying out from MTAs, you should probably

  # add recipient verification here.

  accept  hosts         = +relay_from_hosts

  # Accept if the message arrived over an authenticated connection, from

  # any host. Again, these messages are usually from MUAs, so recipient

  # verification is omitted.

  accept  authenticated = *

  # Reaching the end of the ACL causes a "deny", but we might as well give

  # an explicit message.

  deny    message       = relay not permitted

# This access control list is used for content scanning with the exiscan-acl

# patch. You must also uncomment the entry for acl_smtp_data (scroll up),

# otherwise the ACL will not be used. IMPORTANT: the default entries here

# should be treated as EXAMPLES. You MUST read the file doc/exiscan-acl-spec.txt

# to fully understand what you are doing ...

acl_check_content:

  # First unpack MIME containers and reject serious errors.

  deny  message = This message contains a MIME error ($demime_reason)

        demime = *

        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

        

  # Reject typically wormish file extensions. There is almost no

  # sense in sending such files by email.

  deny  message = This message contains an unwanted file extension ($found_extension)

        demime = scr:vbs:bat:lnk:pif

  

  # Reject virus infested messages.

  deny  message = This message contains malware ($malware_name)

        demime = *

        malware = *

  # Add X-Scanned Header

  warn message = X-Antivirus-Scanned: Clean

  # Reject messages containing "viagra" in all kinds of whitespace/case combinations

  # WARNING: this is an example !

  deny  message = This message matches a blacklisted regular expression ($regex_match_string)

        regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]

  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings

  # (user "nobody"), no matter if over threshold or not.

  warn  message = X-Spam-Score: $spam_score ($spam_bar)

        spam = nobody:true

  warn  message = X-Spam-Report: $spam_report

        spam = nobody:true

  # Add X-Spam-Flag if spam is over system-wide threshold

  warn message = X-Spam-Flag: YES

       spam = nobody

  # Reject spam messages with score over 10, using an extra condition.

  deny  message = This message scored $spam_score points. Congratulations!

        spam = nobody:true

        condition = ${if >{$spam_score_int}{100}{1}{0}}

  # finally accept all the rest

  accept

  

######################################################################

#                      ROUTERS CONFIGURATION                         #

#               Specifies how addresses are handled                  #

######################################################################

#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #

# An address is passed to each router in turn until it is accepted.  #

######################################################################

begin routers

# This router routes to remote hosts over SMTP by explicit IP address,

# when an email address is given in "domain literal" form, for example,

# <user@[192.168.35.64]>. The RFCs require this facility. However, it is

# little-known these days, and has been exploited by evil people seeking

# to abuse SMTP relays. Consequently it is commented out in the default

# configuration. If you uncomment this router, you also need to uncomment

# allow_domain_literals above, so that Exim can recognize the syntax of

# domain literal addresses.

# domain_literal:

#   driver = ipliteral

#   domains = ! +local_domains

#   transport = remote_smtp

# This router routes addresses that are not in local domains by doing a DNS

# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a

# loopback interface address (127.0.0.0/8) is treated as if it had no DNS

# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated

# as the local host inside the network stack. It is not 0.0.0.0/0, the default

# route. If the DNS lookup fails, no further routers are tried because of

# the no_more setting, and consequently the address is unrouteable.

#dnslookup:

#  driver = dnslookup

#  domains = ! +local_domains

#  transport = remote_smtp

#  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8

#  no_more

# Router to send all outgoing mail to a smart-host using smtp-auth

send_to_relay:

  driver = manualroute

  domains = ! +local_domains

  transport = remote_smtp

  route_list = * your.smart.host.some.where

# The remaining routers handle addresses in the local domain(s).

# This router handles aliasing using a linearly searched alias file with the

# name /etc/mail/aliases. When this configuration is installed automatically,

# the name gets inserted into this file from whatever is set in Exim's

# build-time configuration. The default path is the traditional /etc/aliases.

# If you install this configuration by hand, you need to specify the correct

# path in the "data" setting below.

#

##### NB  You must ensure that the alias file exists. It used to be the case

##### NB  that every Unix had that file, because it was the Sendmail default.

##### NB  These days, there are systems that don't have it. Your aliases

##### NB  file should at least contain an alias for "postmaster".

#

# If any of your aliases expand to pipes or files, you will need to set

# up a user and a group for these deliveries to run under. You can do

# this by uncommenting the "user" option below (changing the user name

# as appropriate) and adding a "group" option if necessary. Alternatively, you

# can specify "user" on the transports that are used. Note that the transports

# listed below are the same as are used for .forward files; you might want

# to set up different ones for pipe and file deliveries from aliases.

system_aliases:

  driver = redirect

  allow_fail

  allow_defer

  data = ${lookup{$local_part}lsearch{/etc/mail/aliases}}

# user = exim

  file_transport = address_file

  pipe_transport = address_pipe

# This router handles forwarding using traditional .forward files in users'

# home directories. If you want it also to allow mail filtering when a forward

# file starts with the string "# Exim filter", uncomment the "allow_filter"

# option.

# The no_verify setting means that this router is skipped when Exim is

# verifying addresses. Similarly, no_expn means that this router is skipped if

# Exim is processing an EXPN command.

# The check_ancestor option means that if the forward file generates an

# address that is an ancestor of the current one, the current one gets

# passed on instead. This covers the case where A is aliased to B and B

# has a .forward file pointing to A.

# The three transports specified at the end are those that are used when

# forwarding generates a direct delivery to a file, or to a pipe, or sets

# up an auto-reply, respectively.

userforward:

  driver = redirect

  check_local_user

  file = $home/.forward

  no_verify

  no_expn

  check_ancestor

  allow_filter

  directory_transport = address_directory

  file_transport = address_file

  pipe_transport = address_pipe

  reply_transport = address_reply

# This router matches local user mailboxes. If the router fails, the error

# message is "Unknown user".

localuser:

  driver = accept

  check_local_user

  transport = local_delivery

  cannot_route_message = Unknown user

######################################################################

#                      TRANSPORTS CONFIGURATION                      #

######################################################################

#                       ORDER DOES NOT MATTER                        #

#     Only one appropriate transport is called for each delivery.    #

######################################################################

# A transport is used only when referenced from a router that successfully

# handles an address.

begin transports

# This transport is used for delivering messages over SMTP connections.

remote_smtp:

  driver = smtp

  hosts_require_auth=*

# Transport for outgoing smtp-auth

remote_tlssmtp:

  driver = smtp

  hosts_require_tls=*

  hosts_require_auth=*

#  auth_over_tls_hosts = *

# Modified standard local_delivery, now using maildir instead of mailbox format.

local_delivery:

  driver = appendfile

#  file = /var/mail/$local_part

  directory = /home/$local_part/.maildir

  maildir_format

  delivery_date_add

  envelope_to_add

  return_path_add

# group = mail

# mode = 0660

# This transport is used for handling pipe deliveries generated by alias or

# .forward files. If the pipe generates any standard output, it is returned

# to the sender of the message as a delivery error. Set return_fail_output

# instead of return_output if you want this to happen only when the pipe fails

# to complete normally. You can set different transports for aliases and

# forwards if you want to - see the references to address_pipe in the routers

# section above.

address_pipe:

  driver = pipe

  return_output

# This transport is used for handling deliveries directly to files that are

# generated by aliasing or forwarding.

address_file:

  driver = appendfile

  delivery_date_add

  envelope_to_add

  return_path_add

# This transport is user for handling deliveries directly to directories that are

# generated by aliasing or forwarding.

address_directory:

  driver = appendfile

  delivery_date_add

  envelope_to_add

  return_path_add

  maildir_format

# This transport is used for handling autoreplies generated by the filtering

# option of the userforward router.

address_reply:

  driver = autoreply

######################################################################

#                      RETRY CONFIGURATION                           #

######################################################################

begin retry

# This single retry rule applies to all domains and all errors. It specifies

# retries every 15 minutes for 2 hours, then increasing retry intervals,

# starting at 1 hour and increasing each time by a factor of 1.5, up to 16

# hours, then retries every 6 hours until 4 days have passed since the first

# failed delivery.

# Domain               Error       Retries

# ------               -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

######################################################################

#                      REWRITE CONFIGURATION                         #

######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite

# Rewrite outgoing email to Cataclysm@final-frontier.org

cat@*firestarter.shnet.org        somebody@foo-bar.org          Fq

# Comment: changed the above line so that nobody will use my email-address by accident :)

# Rewrite all incoming mails on all domains to one single user: cat

*@final-frontier.org                    cat                     TQ

*@final-frontier.ath.cx                 cat                     TQ

*@final-frontier.homelinux.net          cat                     TQ

*@final-frontier.homelinux.org          cat                     TQ

*@final-frontier.homelinux.com          cat                     TQ

*@final-frontier.homeunix.org           cat                     TQ

######################################################################

#                   AUTHENTICATION CONFIGURATION                     #

######################################################################

# There are no authenticator specifications in this default configuration file.

begin authenticators

# Plaintext-authenticator for basic relay security

# Replace myuser with your username on your smart-host, and mypassword with your password.

fixed_plain:

  driver = plaintext

  public_name = PLAIN

  client_send = ^myuser^mypassword

######################################################################

#                   CONFIGURATION FOR local_scan()                   #

######################################################################

# If you have built Exim to include a local_scan() function that contains

# tables for private options, you can define those options here. Remember to

# uncomment the "begin" line. It is commented by default because it provokes

# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS

# set in the Local/Makefile.

# begin local_scan

# End of Exim configuration file
```

I think the config file is fairly well commented. Now you have to generate a hostkey to use tls with exim.

# cd /etc/exim/

# openssl req -new -x509 -days 365 -nodes -out rsa.cert -keyout rsa.key

# openssl dhparam -out dh.key 1024

These filenames are already configured in the above exim.conf .

CLAMAV:

"/etc/clamav.conf":

```
##

## Example config file for the Clam AV daemon

## Please read the clamav.conf(5) manual before editing this file.

##

 

# Comment or remove the line below.

#Example

# Uncomment this option to enable logging.

# LogFile must be writable for the user running the daemon.

# Full path is required.

LogFile /var/log/clamd.log

# By default the log file is locked for writing - the lock protects against

# running clamd multiple times (if want to run another clamd, please

# copy the configuration file, change the LogFile variable, and run

# the daemon with --config-file option). That's why you shouldn't uncomment

# this option.

#LogFileUnlock

# Maximal size of the log file. Default is 1 Mb.

# Value of 0 disables the limit.

# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

# in bytes just don't use modifiers.

#LogFileMaxSize 2M

# Log time with an each message.

LogTime

# Use system logger (can work together with LogFile).

#LogSyslog

# Enable verbose logging.

LogVerbose

# This option allows you to save the process identifier of the listening

# daemon (main thread).

PidFile /var/run/clamd.pid

# Path to a directory containing .db files.

# Default is the hardcoded directory (mostly /usr/local/share/clamav,

# it depends on installation options).

#DataDirectory /var/lib/clamav

 

# The daemon works in local or network mode. Currently the local mode is

# recommended for security reasons.

# Path to the local socket. The daemon doesn't change the mode of the

# created file (portability reasons). You may want to create it in a directory

# which is only accessible for a user running daemon.

LocalSocket /tmp/clamd

# TCP port address.

#TCPSocket 3310

#TCPSocket 784

# Maximum length the queue of pending connections may grow to.

# Default is 15.

#MaxConnectionQueueLength 30

# When activated, input stream (see STREAM command) will be saved to disk before

# scanning - this allows scanning within archives.

StreamSaveToDisk

# Close the connection if this limit is exceeded.

#StreamMaxLength 10M

# Maximal number of a threads running at the same time.

# Default is 5, and it should be sufficient for a typical workstation.

# You may need to increase threads number for a server machine.

#MaxThreads 10

# Thread (scanner - single task) will be stopped after this time (seconds).

# Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the

# timeout instead of disabling it.

#ThreadTimeout 500

# Maximal depth the directories are scanned at.

MaxDirectoryRecursion 15

# Follow a directory symlinks.

# SECURITY HINT: You should have enabled directory recursion limit to

# avoid potential problems.

#FollowDirectorySymlinks

# Follow regular file symlinks.

#FollowFileSymlinks

# Do internal checks (eg. check the integrity of the database structures)

# By default clamd checks itself every 3600 seconds (1 hour).

#SelfCheck 600

# Run as selected user (clamd must be started by root).

# By default it doesn't drop privileges.

#User clamav

# Initialize the supplementary group access (for all groups in /etc/group

# user is added in. clamd must be started by root).

#AllowSupplementaryGroups

# Don't fork into background. Useful in debugging.

#Foreground

##

## Mail support

##

# Uncomment this option if you are planning to scan mail files.

ScanMail

##

## Archive support

##

# Comment this line to disable scanning of the archives.

ScanArchive

# Options below protect your system against Denial of Service attacks

# with archive bombs.

# Files in archives larger than this limit won't be scanned.

# Value of 0 disables the limit.

# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR

#          archives are decompressed to the memory. That's why never disable

#          this limit (but you may increase it of course!)

ArchiveMaxFileSize 10M

# Archives are scanned recursively - e.g. if Zip archive contains RAR file,

# the RAR file will be decompressed, too (but only if recursion limit is set

# at least to 1). With this option you may set the recursion level.

# Value of 0 disables the limit.

ArchiveMaxRecursion 5

# Number of files to be scanned within archive.

# Value of 0 disables the limit.

ArchiveMaxFiles 1000

# Use slower decompression algorithm which uses less memory. This option 

# affects bzip2 decompressor only.

#ArchiveLimitMemoryUsage

##

## Clamuko settings

## WARNING: This is experimental software. It is very likely it will hang

##          up your system !!!

##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

#ClamukoScanOnLine

# Set access mask for Clamuko.

ClamukoScanOnOpen

ClamukoScanOnClose

ClamukoScanOnExec

# Set the include paths (all files in them will be scanned). You can have

# multiple ClamukoIncludePath options, but each directory must be added

# in a seperate option. All subdirectories are scanned, too.

ClamukoIncludePath /home

#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.

#ClamukoExcludePath /home/guru

# Limit the file size to be scanned (probably you don't want to scan your movie

# files ;))

# Value of 0 disables the limit. 1 Mb should be fine.

ClamukoMaxFileSize 1M

# Enable archive support. It uses the limits from clamd section.

# (This option doesn't depend on ScanArchive, you can have archive support

# in clamd disabled).

ClamukoScanArchive
```

I don't think that you have to modify this file. Just replace your default-config with it.

SPAMASSASSIN:

"/etc/mail/spamassassin/local.cf":

```
# This is the right place to customize your installation of SpamAssassin.

#

# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be

# tweaked.

#

###########################################################################

#

# rewrite_subject 0

# report_safe 1

# trusted_networks 212.17.35.

# SpamAssassin config file for version 2.5x

# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)

# How many hits before a message is considered spam.

required_hits           5.0

# Whether to change the subject of suspected spam

rewrite_subject         0

# Text to prepend to subject if rewrite_subject is used

subject_tag             *****SPAM*****

# Encapsulate spam in an attachment

report_safe             1

# Use terse version of the spam report

use_terse_report        0

# Enable the Bayes system

use_bayes               1

# Enable Bayes auto-learning

auto_learn              1

# Enable or disable network checks

skip_rbl_checks         0

use_razor2              1

use_dcc                 1

use_pyzor               1

# Mail using languages used in these country codes will not be marked

# as being possibly spam in a foreign language.

ok_languages            all

# Mail using locales used in these country codes will not be marked

# as being possibly spam in a foreign language.

ok_locales              all
```

This file was generated by the config-tool at http://www.yrex.com/spam/spamconfig.php

COURIER-IMAP:

I did not change ANY configuration for courier-imapd - I just fired it up and it was working  :Smile: 

Note that there is some problem with current portage, blocking courier-imapd from being successfully emerged. I had to do it manualy with "ebuild /usr/portage/net-mail/courier-imap/courier-imap-2.1.1.ebuild merge", because just emerging it stopped for me with a sandbox access violation (Bug #28532). Maybe this is fixed in portage the time you read this  :Smile: 

Starting all programs:

Execute these commands in the following order:

# /etc/init.d/clamd start

# /etc/init.d/spamd start

# /etc/init.d/exim start

# /etc/init.d/courier-imapd start

Look out for any errors that might appear. If no errors show up, you're done! Congratulations. Test your installation by sending yourself a mail. Look at the headers of the received mail if there is a spam-report, and if it looks reasonable.

Now you can add all services to the default runlevel:

# rc-update add clamd default

# rc-update add spamd default

# rc-update add exim default

# rc-update add courier-imapd default

That's it!

Setting up .forward to filter incoming email:

Edit the file called ".forward" in your user's homedir. Here is my .forward as an example:

"/home/cat/.forward":

```
# Exim filter

if $header_from: matches MailingList@exhedra.com or

   $sender_address matches MailingList@planet-source-code.com

then

    save .maildir/.Newsletter.PlanetSourceCode/

endif

if $header_to: contains "linux-kernel@vger.kernel.org" or

   $header_cc: contains "linux-kernel@vger.kernel.org" or

   $header_to: contains "linux-kernel@vger.redhat.com" or

   $header_cc: contains "linux-kernel@vger.redhat.com"

then

   save .maildir/.MailingLists.Linux-Kernel/

endif

if $header_to: contains "bugtraq@securityfocus.com" or

   $header_cc: contains "bugtraq@securityfocus.com"

then

   save .maildir/.MailingLists.Bugtraq/

endif

if $header_to: matches members@gmx.net or

   $header_from: matches delphiforums@email-publisher.com or

   $header_from: matches webmaster@surf4euros.info or

   $header_from: matches webmaster@surf4ads.com or

   $header_from: matches nl1@adrom.net or

   $header_from: matches gratis2000@netnewsabo.de or

   $header_from: matches 4riyveuxou@aol.com or

   $header_from: matches jocelynespinoza_ha@online.nsk.su or

   $header_from: matches jxxwr85u@yahoo.com or

   $header_from: matches 02dkbgx64@yahoo.com or

   $header_from: matches w53gwkst@excite.com or

   $header_from: matches office@all-for-free.com

then

    seen finish

endif
```

You see, many mails are "save"d elsewhere than the normal inbox. In Courier's IMAP hierarchy, directories beneath the root are dot directories. In addition, all subdirectories are denoted by periods, not additional forward slashes. So, lists/Debian/User/ is actually .Lists.Debian.User/ on disk and should be referred to in Exim filters as "save .maildir/.Lists.Debian.User/" for things to be saved the way you expect. The trailing forward slash is IMPORTANT for maildir to work! The last block with "seen finish" simply sends the mail to /dev/null  :Smile: 

Please refer to the exim_filter docs for more detailed information about .forward filtering.

Okay, I think that's all. Hope that this is of some help for anybody  :Smile: 

Feel free to email me at cat@final-frontier.ath.cx if you have any questions about this HowTo.

Greets, Dennis.

P.S.: Excuse me for my bad english, I'm from germany - but I tried my best  :Wink: 

----------

## Lovechild

The subject title is a bit confusing - why do I need this ? 

Content filtering email proxy as a user, or is this meant for industry deployment - I'm not quite sure.

----------

## Cataclysm

My examples are from a small mailserver for private use, but you can modify it for use on bigger mailservers easily.

It's just a way to show how this bunch of programs CAN be setup, because it's not that easy if you have to do it from scratch.

----------

## smouge

Thanks for your post.

I'm considering switching from qmail to exim, I think your info will help me.

----------

## Cataclysm

Please let me know, if there are any errors in the guide, or any improvement you may find  :Smile: 

----------

## Giorgio

I don't know what I did wrong.. but using imap all goes well, if I use imapd-ssl (port 993) login is alway failed.   :Sad: 

ps. good tutorial anyway   :Cool: 

----------

## Cataclysm

You need to generate an imap-ssl-hostkey and then you have to fire up the courier-imapd-ssl.

# nano /etc/courier-imap/imapd.cnf

Change settings according to your system.

# mkimapdcert

Makes the required hostkeys.

# /etc/init.d/courier-imapd-ssl

Fires up the server. Now try if it works, if yes:

# rc-update add courier-imapd-ssl default

That's it!  :Smile:  Have fun.

After that you will have to import your selft-generated ssl-certificate into windows (if you use windows-clients), to let them not complain about your unknown key, but that's another chapter  :Smile: 

----------

## Giorgio

Now it works.   :Very Happy: 

Thanks again.   :Smile: 

----------

## timmy

I have almost the same setup, the only difference being that I'm using f-prot rather than clamav.

How do you go about updating the virus definition files in clamav? f-prot comes with an update script you can put in your crontab. I'm not sure how effective f-prot is, as I've not received a virus since I've been using it.

I'm also considering changing my imap server; I can't seem to get it to accept STARTTLS on port 143 (993 works fine), and my P800 smartphone needs the STARTTLS thing.

I'm very happy with exim, exiscan-acl and spamassassin   :Smile: 

Tim

----------

## Cataclysm

 *timmy wrote:*   

> How do you go about updating the virus definition files in clamav?

 

clamav comes with an auto-updater, running in the background, checking each 12 hours for new patterns  :Smile:  I'm quite happy with clamav.

----------

## timmy

I'm happy to report that f-prot picked up and blocked all the copies of W32/Swen.A@mm sent to me today, so I guess I'll be sticking with it...

On a different note, I wonder whether you shoud add the following to your /etc/mail/spamassassin/local.cf file?:

```
score RCVD_IN_OSIRUSOFT_COM 0

score X_OSIRU_DUL 0

score X_OSIRU_DUL_FH 0

score X_OSIRU_OPEN_RELAY 0

score X_OSIRU_SPAMWARE_SITE 0

score X_OSIRU_SPAM_SRC 0
```

I'm not sure what the current situation with osirusoft is...

----------

## Ladius

Just a pointing out the obvious update for the clamd section.

Might want to put in a note to edit the /etc/conf.d/clamd file:

```

# Config file for /etc/init.d/clamd

                                                                                

START_CLAMD=no

CLAMD_OPTS=""

CLAMD_LOG=""

                                                                                

START_FRESHCLAM=yes

FRESHCLAM_OPTS="-d -c 2"

FRESHCLAM_LOG="/var/log/clam-update.log"

```

should be changed to

```

# Config file for /etc/init.d/clamd

                                                                                

START_CLAMD=yes

CLAMD_OPTS=""

CLAMD_LOG=""

                                                                                

START_FRESHCLAM=yes

FRESHCLAM_OPTS="-d -c 2"

FRESHCLAM_LOG="/var/log/clam-update.log"

```

Without the changing "START_CLAMD=" from "no" to "yes" clamd won't start and any attempts to receive mail on the system will be given a temporary errror of 451 (which most good mail servers understand to be try me later joe maybe the admin has fixed me).

----------

## Cataclysm

Thank you, Ladius, I must have missed that out.

----------

## d33d0

Hi,

I would like to setup a mail proxy, to filter spam and protect the "real" mailserver against the "bad internet"..  The server should take new mails, filter for spam and forward all mails to a backend mailserver.

Is exim + spammassassin the first choice?

----------

## Cataclysm

d33d0, I don't know if exim is the first choice - but I know, that it is possible.

Some scratch ideas on that:

In /etc/exim/exim.conf:

```
domainlist relay_to_domains = your.domain
```

This ensures that mail to your inner MTA are allowed from everywhere.

Make sure that the proxy-MTA does NOT have your mail-domain in local_domains! Put the following in the routers-config of exim BEFORE dnslookup or your mail-relay:

```
send_to_my_real_mailserver:

  driver = manualroute

  domains = +relay_to_domains

  transport = remote_smtp

  route_list = * your.inner.mail.server
```

Hope that helps a bit...

----------

## Cataclysm

Thanks and regards for the following go to Vinay Malkani, he send it to me by email.

 *Quote:*   

> Smtp-auth (based on actual user logins) for inbound connections was extremely simple. I thought you might want to add it to your guide.
> 
> First create /etc/pam.d/exim (probably created for you when you emerged exim)
> 
> This file should read as follows:
> ...

 

----------

## kannX

Thanks for that great HowTo

if you use fetchmail to grab mails from external pop/imap accounts don't forget to start fetchmail with the 

```
-Z 550
```

 option or you'll get a mail bounce that will blow your machine up   :Wink: 

----------

## paul_zm

Thanx for the great howto. It helped me a lot.

The only thing I don't get to work is the subject rewriting. 

First I tried to change the local.cf from spamassassin but that didn't show any results. (Probably exim won't look at it.)

Then I tried to look for an exim rule to change the subject but I probably don't use the correct syntax.  Does anyone have a rule or filter I can use for that ?

----------

## Cataclysm

Yes I have.  :Smile: 

You probably got something like this in your exim.conf:

```
warn  message = X-Spam-Score: $spam_score ($spam_bar)

  spam = nobody:true

  condition = ${if >{$spam_score_int}{50}{1}{0}}

warn  message = X-Spam-Report: $spam_report

  spam = nobody:true

  condition = ${if >{$spam_score_int}{50}{1}{0}}
```

Just add the following before "accept" and beneath that to exim.conf:

```
warn message = Subject: *** SPAM *** $h_subject

  spam = nobody

  condition = ${if >{$spam_score_int}{100}{1}{0}}
```

$h_subject gets replaced by the original subject. Please adjust the spam-score (100 - stands for 10.0 and above) to your needs. If you want to use the systemwide settings for that score just delete the condition-line.

Have fun!  :Smile: 

----------

## paul_zm

I already tried that one but the "Subject"-rule has already been written when it arrives at the anti-spam section.  The result is two subject rules where the first one has priority over the second one (where the second one is the rule with the word SPAM in it).

I think I need a filter of some sort to rewrite the subject rule.

----------

## Cataclysm

After a long time of googl'ing I think I found a solution for you. The following comes from an archived message on the exim-users mailinglist:

 *Quote:*   

> For the subject tag, we prepare a new subject header in the
> 
> ACL, then swap it with the original Subject in the system
> 
> filter.
> ...

 

The system filter is located at /etc/exim/system_filter.exim. I hope that one works, maybe you could drop in a short report  :Smile: 

----------

## paul_zm

He Cataclysm, thank you very very much. It works perfect.

The only extra thing I had to do was adding the following line to the top in my exim.conf to activate the filter:

 *Quote:*   

> system_filter = /etc/exim/system_filter.exim

 

It must be possible to do something similar in a .forward file. But I don't use that.

----------

## matze81

Hi there, 

i just followed the How-To but after doing all the stuff mentioned there i'm only able to send/receive emails to/from local users. It's also possible to receive emails from "world". 

Now my Problem: 

When try to send an email to a "world" address i find the following error in the exim_main log and the mail will not arrive: 

```

... R=send_to_relay T=remote_smtp defer (-42): authentication required but server did not advertise AUTH support 
```

Did someone have a solution for this problem?

with regards 

matze

----------

## Cataclysm

You tried to use SMTP-Auth were it is not supported. Configure your smarthost without it.

In /etc/exim/exim.conf:

Change

```
remote_smtp: 

  driver = smtp 

  hosts_require_auth=*
```

to:

```
remote_smtp: 

  driver = smtp
```

That's it.

----------

## matze81

Hi Cataclysm,

many thanks for your reply.

I tried your suggestions and it works, but only with these settings:

```

dnslookup: 

  driver = dnslookup 

  domains = ! +local_domains 

  transport = remote_smtp 

  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 

  no_more 

# Router to send all outgoing mail to a smart-host using smtp-auth 

#send_to_relay: 

# driver = manualroute 

#  domains = ! +local_domains 

# transport = remote_smtp 

#  route_list = * my.dyndns.adress

```

and also not to all host, some reply the following:

```
SMTP error from remote mailer after end of data: host <hostname> [ip]: 550 rejected: cannot route to sender <matze@localhost>
```

thats not the only problem, how you see the address is not rewritten, i don't realy know how to configure this. I think that's why some hosts reject me.

Could please give me some more hints and explain a little bit which these setting, shown above, mean. Perhaps i give you some extra information:

I want to send email from my server, so it should not be routed to another mailserver (sís this the so called smarthost?) which delivers it. i use a dyndns address for my server. The server is connected by a hardware router to the internet and i forwarded the smp, imap, pop and the dns port to the server. are there more ports which i should forward ?!

greetz

matze

----------

## matze81

Here i am again ....   :Very Happy: 

adding the following line in the rewrite section of my config, let me send mails to all hosts, but still the reciever get the mail from matze@localhost

and not matz@my.dyndns.address.

```
matze@localhost   matze@my.dyndns.address    Fq
```

do i have to write the line for each user ?!

readya

matze

----------

## Cataclysm

Sending mails directly from a DUH (dialup host) is a *very* bad idea - all big hosters like t-online, aol, msn and alike simply block smtp-traffic from DUH's. That's the reason why you should always use a smarthost in case of DUH's.

I don't really understand why you forward so many ports to your server... mail comes in on only one port: 25 (SMTP). If you want to use pop3 oder imap from outside your lan, forward these ports too, but don't do it with all and everything that comes to mind (poses a security-thread if your server is not good configured, especially imap is known to have several flaws).

To your rewrite-rules: Try something like this:

*@localhost     $1@my.dyndns.address   Fq

Rewrites every user on your system to your dyndns-address.

Edit: Or you could change your dnsdomainname to your dyndns-address.

----------

## matze81

hello,

so now i'm a little bit confused, hope i understand you right.

Wenn i send mails by using a smarthost, all mails will get the address of the smart host?! When this is true then thats not the way i want to do this. I want to send emails with the dyndns aderess. And it worked yesterday, so i think my isp don't block the smtp-traffic. The only problem is that the mails don't have the dyndns name in it. I'm sure i set the dyndns address in /etc/dnsdomainname, but i will check it after work. I also will try your rewrite rule.

Now something about the ports.

i forwarded the smtp port in order to recieve mails. pop and imap are forwarded for clients outside my lan to use the services. i have to forward the dns port because when sending a mail the recieve host makes an reverse dns lookup and when this port is blocked my mail is rejected.

matze

----------

## Cataclysm

 *matze81 wrote:*   

> Wenn i send mails by using a smarthost, all mails will get the address of the smart host?!

 

No. They will be send with the address you choose. But they no longer come from a DUH. Think of a smarthost as a relay between you and the receiver.

 *Quote:*   

> I want to send emails with the dyndns aderess. And it worked yesterday, so i think my isp don't block the smtp-traffic.

 

Not your ISP blocks the mail, the receivers mailserver blocks it. Try to send a mail to any @aol.com address... In addition your mails will get a tremendious score in anti-spam software.

 *Quote:*   

> The only problem is that the mails don't have the dyndns name in it. I'm sure i set the dyndns address in /etc/dnsdomainname, but i will check it after work. I also will try your rewrite rule.

 

Did you do "rc-update add domainname boot" ?

 *Quote:*   

> i forwarded the smtp port in order to recieve mails. pop and imap are forwarded for clients outside my lan to use the services. i have to forward the dns port because when sending a mail the recieve host makes an reverse dns lookup and when this port is blocked my mail is rejected.

 

Huh? What does a mailserver want from _your_ hosts dns ? Your dns-information is hosted by dyndns.org, so the mailservers should never have to query you for any information. I also never noticed that behaviour. For security-reasons the dns-port is rejected in my firewall, and that's the way you should go. I also use dyndns.org.

Edit: That's nonsense up there from me. Didn't look close enough  :Smile:  The reverse dns-information should be provided by your ISP though.

----------

## matze81

hello,

 *Quote:*   

> Not your ISP blocks the mail, the receivers mailserver blocks it. Try to send a mail to any @aol.com address... In addition your mails will get a tremendious score in anti-spam software. 

 

i tried to send emails to my web.de account and it works. But only with the forwarded dns port. Otherwise there will be a reverse dns lookup error.

 *Quote:*   

> Did you do "rc-update add domainname boot" ?

 

```
/etc/init.d/damainname status
```

says started. it was added in default runlevel, putting it into boot didn't

change something. mail arrives at web.de with matze@localhost.

/etc/dnsdomainname shows my dyndns address.

 *Quote:*   

> No. They will be send with the address you choose. But they no longer come from a DUH. Think of a smarthost as a relay between you and the receiver. 

 

ok then because of this fact and because of my problem i would give this method a try. but i don't know what a "smarthost" is. Do i have to set up another server, could i use some server in the www for this ?!

----------

## Cataclysm

 *matze81 wrote:*   

>  *Quote:*   Did you do "rc-update add domainname boot" ? 
> 
> ```
> /etc/init.d/damainname status
> ```
> ...

 

What does "hostname -d" say?

 *Quote:*   

> ok then because of this fact and because of my problem i would give this method a try. but i don't know what a "smarthost" is. Do i have to set up another server, could i use some server in the www for this ?!

 

A smarthost is a server with a static ip, running any kind of MTA (mail transport agent, eg. exim, sendmail, postfix, qmail....). This host accepts your mail (preferably after an appropriate authentication) and relays it to the receiver-mailserver. The receiver-host sees, that the mail comes from a static ip and voilá! it accepts it  :Smile: 

You cannot use any server you like for this, because nobody wants to relay mails without authentication - this has been abused a lot by spamers in the past. Maybe you should look at the webpages of your ISP - the german Telekom offers a smarthost to their customers (was free of charge, but since a year or so it costs a monthly fee  :Sad:  ).

Edit: "static ip" means: An ip outside the DUH-ip-ranges. You could have a static ip, but it will still be blocked, because it's marked as a dialup-ip.

----------

## matze81

ok i understand the "smarthost" method.

domainname -d shows my dyndns name.

ok i will search for an relay server, but i also would try to fix

the problem with the mail names. do you have more suggestions for me to solve the problem. i set the primary_hostname in the exim config too. no change!

----------

## Cataclysm

What's the first domainname (after "@ :") in "domainlist local_domains" in /etc/exim/exim.conf ? Which MUA do you use ?

----------

## matze81

this option is set to

```
domainlist local_domains = @ : dyndns-adress : localhost
```

tried this too

```
domainlist local_domains = @ : dyndns-adress
```

i'm using squirrelmail for testing. now i tried it from a windows client using outlook express. mails arrive at my web.de address and other addresses with @localhost!   :Crying or Very sad: 

----------

## matze81

mmh changing

```
domainlist local_domains = @ : dyndns-adress : localhost
```

to

```
domainlist local_domains = @ : localhost : dyndns-adress 
```

fixed the problem for outlook express but not for squirrelmail.

----------

## matze81

mmh, setting some options in the user specific setup from squirrelmail also fixed that problem. now the right email adress is shown.

but i think that means everybody could change his from adress, is this normal?

----------

## Cataclysm

I don't know squirrelmail too much, but it sounds normal. Take a look at the headers of the mails which have somebody@localhost as FROM: and look which envelope-address it has (Return-Path:) - with F in the rewriting-rules you rewrite that address, not the FROM-Header, which is left untouched.

I have my domainlist local_domains sorted in this order:

```
domainlist local_domains = @ : dyndns1-add : dyndns2-add : dyndns3-add : many-many-more-addresses : localhost
```

I thought you might have localhost as the first domain and that exim takes that as the primary domainname. But I think we have nailed your problem: You have to setup your mailclient to send mails out with a correct FROM-Header. Or you have to rewrite that header in your rewrite-rules too (for specifics read the spec-doc of exim).

----------

## matze81

yep, i think we got it too.

i'm going to study the exim manual about the rewrite rules, and some resources about security.

yeah, it works, i'm very happy.    :Very Happy: 

thank you very much.

----------

## Lews_Therin

I'm trying to send mail out to the big world, but from what I can tell there's an entry in exim.conf I need to edit. Unfortunately, I don't know what to edit it TO.

```

send_to_relay:

  driver = manualroute

  domains = ! +local_domains

  transport = remote_smtp

  route_list = * your.smart.host.some.where
```

Whenever I try to send a mail to my aol account (pity me   :Razz:  ), I get this in my logs:

```
2003-01-14 17:51:42 18YciU-00012A-P7 <= xxxxxx@lews.gotdns.org U=xxxxxx P=local S=444 id=20030115014315.GA3956@lews.gotdns.org

2003-01-14 17:51:44 18YciU-00012A-P7 no IP address found for host your.smart.host.some.where

2003-01-14 17:51:44 18YciU-00012A-P7 == xxxxxx@aol.com R=send_to_relay defer (-1): lookup of host "your.smart.host.some.where" failed in send_to_relay router

2003-01-14 17:51:44 18YciU-00012A-P7 Frozen
```

From higher up in this thread, it seems I need a "smart host", but I have a static IP for my computer. How do I fix this so that I can use this computer for my main e-mail?

----------

## Cataclysm

Comment out the smarthost block, and the dnslookup delivery will be used (which is bad for you too, because you also have a dialup-ip (no matter if it's static or not static)), or get a smarthost, as explained earlier in this thread.

----------

## Lews_Therin

Well, I commented out the block...and you were right. AOL rejected me...but I DID manage to connect to them, which is good. Gonna try the smart host thing now.

EDIT: Seems that my isp doesn't provide a smart host, or at least not one that I can find. Since it's fair to assume other isps won't accept mail from an open relay any more than they will from me, looks like I'm stuck with aol   :Confused: 

----------

## der-pima

Hi Guys.

I will post my config-files, because i think my system_filter and spamassassin arent working.

maybe you find a mistake.

EXIM

######

 *Quote:*   

> 
> 
> system_filter = /etc/exim/system_filter.exim
> 
> message_body_visible = 5000
> ...

 

EXIM_SYSTEM_FILTER

 *Quote:*   

> 
> 
> # Exim filter
> 
> ## Version: 0.13
> ...

 

ClamAV

 *Quote:*   

> 
> 
> ## 
> 
> ## Example config file for the Clam AV daemon 
> ...

 

SPAMASSASSIN

 *Quote:*   

> 
> 
> # SpamAssassin config file for version 2.5x
> 
> # generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)
> ...

 

Thank you very much

----------

## matspi

Hi,

Is there a way to specify a timeout for the actions taken in the ACL section.

My router seems to be too slow for exim.

Thx

matspi

----------

## paul_zm

I want the following section in exim.conf to catch more spam by adding diacritical characters.

```
  # Reject messages containing "viagra" in all kinds of whitespace/case combinations 

  # WARNING: this is an example ! 

  deny  message = This message matches a blacklisted regular expression ($regex_match_string) 

        regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa] 
```

I have now the following regex:

```
 regex = [Vv] *[IiìíîïÌÍÎÏ1¡] *[Aaàáâã@ÀÁÂÃÄÅª] *[Gg] *[Rr] *[Aaàáâã@ÀÁÂÃÄÅª]

```

Somehow it doesn't seem to work. I think has something to do with the character sets or with the regular expression syntax. Can somebody tell me what I'm doing wrong here?

----------

## NightSpirit

Personally I don't use the exim config for catching spam (that's what spamassassin is for  :Smile: ) but looking at your code I would guess that it's not working because some characters you list are reserved/special characters. It is late and so I might miss some, but try:

```
regex = [Vv] *[IiìíîïÌÍÎÏ1\¡] *[Aaàáâã\@ÀÁÂÃÄÅª] *[Gg] *[Rr] *[Aaàáâã\@ÀÁÂÃÄÅª]
```

I know for certain that the @ symbol needs to be escaped by preceding with a \ and presuming that the semi-colon does too. As for the others I really don't know, but try the above and see if that helps.

Edit: as an additional, you may want to add "\!" to the "i" part of the above too, have seen that used before.

----------

## spline

Hi,

i set up my machine like describes in this thread.

My problem is the following:

I send myself an email with the subject "Viagra" to test my configurtaion.

This message was send using a completly different machine. 

The mail was routed to the account where i get my mails using fetchmail (web.de).

Fetchmail tries to get the mail, exim/spamassassin scans the mail (while SMTP connection still open) and then rejects the mail because of the subject. As i started fetchmail manually i see the message: 

 *Quote:*   

> 
> 
> reading message xxx@pop3.web.de:1 of 1 (1113 octets) .fetchmail: SMTP error: 550 *[Gg] *[Rr] *[Aa])
> 
> fetchmail: mail from FETCHMAIL-DAEMON@yyy.homelinux.org bounced to aaa@bbb.cc
> ...

 

exim_main.log

 *Quote:*   

> 
> 
> 2004-02-25 15:07:30 1Aw0dG-0008MN-Hn H=xxx.homelinux.org (localhost) [127.0.0.1] F=<aaa.bbb.cc> rejected after DATA: This message matches a blacklisted regular expression ([Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa])
> 
> 2004-02-25 15:07:30 1Aw0dG-0008MP-Kx H=xxx.homelinux.org (localhost) [127.0.0.1] F=<FETCHMAIL-DAEMON@xxx.homelinux.org> rejected after DATA: This message matches a blacklisted regular expression ([Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa])
> ...

 

But neither me as sender nor me as recipient get an message, that the mail was bounced. 

My understandig is, that this mail will stay on the server forever or until y hava a look in this mailbox manually. But is this the way it should be. This could exceed ma mail qouta on the server.

Is there a solution for this?

Regards

----------

## altere

would anyone be running this setup using mysql and virtual domains with exim and imap?

----------

## haven

 *Quote:*   

> But neither me as sender nor me as recipient get an message, that the mail was bounced.
> 
> My understandig is, that this mail will stay on the server forever or until y hava a look in this mailbox manually. But is this the way it should be. This could exceed ma mail qouta on the server.
> 
> Is there a solution for this?
> ...

 

My solution which was partially successful is to use the following commands to drop mail in fetchmail once they have been read:

flush

no keep

no fetchall

You can look up their full meaning in the fetchmail manual but that should put you on track. This is successful for 5xx errors as they are dropped. Temporary errors however still get stuck as there is no way (that I know of) to make fetchmail drop those once they have been read once.

Hopefully that helps a little.

Right my own question that I can on here to ask involves exiscan - I have an X-header setup, using the exiscan ACL's in exim, to show the spam score. The score shows fine i.e:

 *Quote:*   

> not spam (whitelisted),	SpamAssassin (score=0, required 5.5)

 

But in my /etc/mail/spamassassin/local.cf I have set the required hits to 5.0 and not 5.5 ... somehow its not picking it up.

Thinking I may be going insane I changed the /etc/conf.d/spamd file to specifically include this config as its primary i.e:

 *Quote:*   

>  --siteconfigpath=/etc/mail/spamassassin/local.cfg

 

Yet it still insists on thinking the required hits are 5.5 and not 5 - this makes me think that my local.cf file is being ignored which is definately not good.

Can anyone offer any ideas or is there something blindingly obvious that I have missed. 

Thanks in advance for your time.

----------

## ryker

Since this is a thread about installing Exim, I was wondering if anyone could tell me why you would use Exim over QMail or Postfix or some other mta.  Maybe someone here has past experience with several mta's and might comment.

----------

## codemonk

Hi,

i left out the part with rewriting all mails to cat, but now i get 550 (User not Local) if i send an email to my server, any idear?

----------

## baraka

Hi guys, i try to make exim works first without spam and anti-virus system, till now i was not able to send outside the world email neither receive (i have a mx record set to my mail server). The real annoying problem is pehaps i have log_file_path=syslog i was have notice no /var/log/exim/ files.

What can be happening? i need full logs to know what happening :/

----------

## baraka

 *Cataclysm wrote:*   

> Thanks and regards for the following go to Vinay Malkani, he send it to me by email.
> 
>  *Quote:*   Smtp-auth (based on actual user logins) for inbound connections was extremely simple. I thought you might want to add it to your guide.
> 
> First create /etc/pam.d/exim (probably created for you when you emerged exim)
> ...

 

I am using that code for authenticaton but maybe cause of the setting of never used:

 *Quote:*   

> 
> 
> never_users = root
> 
> 

 

i got a message from Mailer-Daemon like these:

 *Quote:*   

> 
> 
> ...
> 
> The addresses to which the message has not yet been delivered are:
> ...

 

and this messages repeats until it give-up delivering.

I read something about this error messages and try to put the following:

 *Quote:*   

> 
> 
> system_filter_user = mail
> 
> 

 

but no luck too. Any help for this ?

----------

## Zebbeman

I'm not sure if this is correct, but I think you cannot comment out never_users anymore. If it still works, you have to comment out # never_users if you are running Exim as root. I had a similar problem running exim as root after an update, so I changed from pam to sasl.

Pam needs Exim to be runned as root, sasl dont.

----------

## catman__

hi i want to bounce incomming mail with exim that are not used. With other words how can i bounce emails except the email adresses that i use.

tnx

catman

----------

## BakaO

Hello,

first, i would like to thanks you all for making gentoo the best distro !

Thanks Cataclysm !

I have a question, what should the spam become once it is detected has spam ?

Is it deleted ? so why we can change the title with ***** SPAM ***** ?

Or maybe it is delivered but marked as deleted ?

One more : for my house, i configure fetchmail -> exim -> spammasssin / clamv -> maildir -> courier-imap

OK but when i look at the log, when a spam is find, exim tell me that it can't find the 'FETCHMAIL-DEAMON' user   :Shocked:   is it normal ?

Thanks for all.

----------

## rex123

I'm running a very similar set-up to the one in this how-to, on a server with about 10 mail users. I found that spamassassin works miles better (and it's really amazingly good) if you enable bayesian rules. I have one bayesian database for the whole server. The way to set this up is to create a user, with a home directory, and use sa-learn as that user. I have a user called spamd.

Then change the spamd part of exim.conf to something like this:

```

warn  message = X-Spam-Score: $spam_score ($spam_bar) 

        spam = spamd:true/defer_ok 

  warn  message = X-Spam-Report: $spam_report 

        spam = spamd:true/defer_ok

  # Add X-Spam-Flag if spam is over system-wide threshold 

  warn message = X-Spam-Flag: YES 

       spam = spamd/defer_ok

...

```

The /defer_ok tells exim not to defer the message if spamd is down for some reason - it just skips the spamassassin routine. Requires exiscan 4.33.

Train spamassassin using sa-learn, and you're away. It needs 200 ham and 200 spam to get going, then it just gets better. I have my filters set to reject at 5.0, and I treat anything scoring over 1.0 as suspect. This produces almost no false positives, and catches almost everything (but I've been training it for a while, and I get a lot of spam).[/b]

----------

## McB4ne

 *Zebbeman wrote:*   

> I'm not sure if this is correct, but I think you cannot comment out never_users anymore. If it still works, you have to comment out # never_users if you are running Exim as root. I had a similar problem running exim as root after an update, so I changed from pam to sasl.
> 
> Pam needs Exim to be runned as root, sasl dont.

 

I tried commending out the whole line

#never_users = root

It gives the error of:

2004-08-30 19:57:07 1C1wxJ-0005Ss-Ty == mcbane@gmail.com R=dnslookup T=remote_smtp defer (-29): User 0 set for remote_smtp transport is on the fixed_never_users list

 :Laughing:  seroiusly I dont want to install cyrus-sasl cause it completely screwed my exim last time, and pam is so simple but how can I get this to work either with exim happy as root or pam happy as not root?

----------

## batzee

Could anyone who has successfully setup exim for smtp auth + relaying for authenticated clients only + no problems with never_users and exim_users please post how this can be done? If sasl really is the only way, could someone explain how to configure this?

thanks!

----------

## rex123

 *Quote:*   

> Could anyone who has successfully setup exim for smtp auth + relaying for authenticated clients only + no problems with never_users and exim_users please post how this can be done? If sasl really is the only way, could someone explain how to configure this? 
> 
> thanks!
> 
> 

 

This might help (I'm only including the relevant bits):

```

# allow relaying from localhost

hostlist   relay_from_hosts = 127.0.0.1

# I use tls. This means I can use pam, and shell accounts are still safe

tls_advertise_hosts = *

# You need to get hold of a certificate for this.

# See http://www.exim.org/exim-html-4.40/doc/html/spec_37.html#CHAP37

# for more info.

tls_certificate = /etc/exim/eximcert.pem

# define auth acl

acl_smtp_auth = acl_check_auth

# define rcpt acl

acl_smtp_rcpt = acl_check_rcpt

# other definitions here...

begin acl

acl_check_auth:

  # Only care about authentication if it's encrypted (this is optional, clearly)

  accept  encrypted = *

  deny    message       = Rejected authentication: Encryption required

acl_check_rcpt:

# Accept rcpt if the sender is authenticated

  accept  authenticated = *

# spam checks, HELO checks, sender verification checks etc here

# Check for local domain here...

# if we've reached here, then it's a relay attempt, by someone 

# who is not authenticated, so deny

  deny    message       = Rejected recipient: relay not permitted without encrypted authentication

# other acls here...

begin routers

# routers here

begin transports

#transports here

begin retry

# I have nothing here

begin rewrite

# Nor here

begin authenticators

# you need to have both of these if anyone uses Outlook.

# As you can see, I'm using pam with tls. It works well, but the

# client setup is slightly more effort than normal.

plain:

  driver = plaintext

  public_name = PLAIN

  server_advertise_condition = "${if eq{$tls_cipher}{}{no}{yes}}"

  server_condition = "${if pam{$2:$3}{1}{0}}"

  server_set_id = $2

login:

  driver = plaintext

  public_name = LOGIN

  server_advertise_condition = "${if eq{$tls_cipher}{}{no}{yes}}"

  server_prompts = "Username:: : Password::"

  server_condition = "${if pam{$1:$2}{1}{0}}"

  server_set_id = $1

```

Sorry if I've missed out anything crucial. Someone will probably notice it anyway.

----------

## batzee

Thanks for your help - now one more question: I am subscribed to some more or less high-volume mailinglists, each of them is filtered to a dedicated folder. Now what I would like to have is some tool which deletes old messages from these mailinglists folders automatically, maybe in a logrotate-like fashion (put old messages in an archive and zip it, delete the oldest of these archives each time).

Does anyone know if such a thing exists?

----------

## BakaO

Hello,

I have a big question : here is how my server is configured :

1 computer (my server) is installed with courier-imap + fetchmail + exim + spamassasin

Fetchmail gather for me 6 mail box et for my sister 2 mail box.

Everything is ok : exim accept mail from fetchmail in local, and let me send mail (smtp) with a computer in the local network.

But (here is my problem) : i want to enable auth smtp for let me use my server everywhere inthe world, but it this time, fetchmail is blocked (it don't use auth).

So : is there a thing do change in my exim conf file to let smtp in local without auth, or everything else ?

thanks.

----------

## Golbez

hey batzee, did that setup work, cause I know the exact problems you are having and feel your pain  :Smile: 

----------

## Zebbeman

 *McB4ne wrote:*   

> 
> 
>  seroiusly I dont want to install cyrus-sasl cause it completely screwed my exim last time, and pam is so simple but how can I get this to work either with exim happy as root or pam happy as not root?

 

Pam is simple, but I think it needs Exim to be runned as root. This is a security issue, so I changed to sasl.

I think I only changed "if pam" to "if saslauthd" in exim.conf and set "SASL_AUTHMECH=shadow" in saslauthd.

Since I used pam with Exim as root, the log files had root permissions, so I had to change them too.

----------

## marcelser

Hi Everyone,

I setup exim, clamav,spamassasin and courier-imap as described in this guide. Now I saw that there's a mailfilter called clamassassin. What do I have to change in exim.conf tu use clamassasin filter instead of clamav? As I'm a totally Exim newbie it would take me days to figure out how to include clamassasin.

Thanks for any help on this subject.

----------

## Golbez

 *Zebbeman wrote:*   

>  *McB4ne wrote:*   
> 
>  seroiusly I dont want to install cyrus-sasl cause it completely screwed my exim last time, and pam is so simple but how can I get this to work either with exim happy as root or pam happy as not root? 
> 
> Pam is simple, but I think it needs Exim to be runned as root. This is a security issue, so I changed to sasl.
> ...

 

I just tried this and it didnt work  :Sad: 

do you put SASL_AUTHMECH=shadow in /etc/conf.d/saslauthd?  

It just keeps prompting me for my password over and over like it wont authenticate

I get this in my exim_main.log:

```
2004-11-01 10:38:28 login authenticator failed for c-67-166-219-252.client.comcast.net ([127.0.0.1]) [67.166.219.252]: 435 Unable to authenticate at present (set_id=cgee): too few arguments or bracketing error for saslauthd
```

----------

## marcelser

 *Golbez wrote:*   

> I just tried this and it didnt work 
> 
> do you put SASL_AUTHMECH=shadow in /etc/conf.d/saslauthd?

 

I'm using 

```
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"                                                                                                         
```

 in /etc/conf.d/saslauthd as authentication method, so you still use pam but you don't have to run it with root privileges.

 *Golbez wrote:*   

> It just keeps prompting me for my password over and over like it wont authenticate
> 
> I get this in my exim_main.log:
> 
> ```
> ...

 

I had exactly the same problem and I had to change the exim.conf to the following lines:

```
plain:                                                                                                                                           

  driver = plaintext                                                                                                                             

  public_name = PLAIN                                                                                                                            

  server_condition = "${if saslauthd{{$2}{$3}{exim}}{yes}{no}}"                                                                                  

  server_set_id = $2                                                                                                                             

                                                                                                                                                 

login:                                                                                                                                           

  driver = plaintext                                                                                                                             

  public_name = LOGIN                                                                                                                            

  server_prompts = "Username:: : Password::"                                                                                                     

  server_condition = "${if saslauthd{{$1}{$2}{exim}}{yes}{no}}"                                                                                  

  server_set_id = $1
```

What I had to add is the {exim} part in the conf file, I think this can be anything, you could also use {smtp} or something else. This is the sasl's realm, and it seems that it needs something in there.  Hope this helps.

But I have another question. I also used exim with pam before I changed to sasl and instead of running it as root, I ran it as user "mail" and group "exim" (which I created). Then I changed the group of the "shadow" and "shadow-" file to "exim". Can someone tell me what the original  permissions and groups for "shadow" and "shadow-" should because I want to remove this hack. I think the group should be root but I'm not sure about the permissions.

Thanks.

----------

## Golbez

 *marcelser wrote:*   

>  *Golbez wrote:*   I just tried this and it didnt work 
> 
> do you put SASL_AUTHMECH=shadow in /etc/conf.d/saslauthd? 
> 
> I'm using 
> ...

 

Tried that, didnt work, same error  :Sad: 

----------

## marcelser

Do you use the newest versions of Exim and SASL? I found out that different versions may require different configurations. The example I gave below should work with the newest version, at least it does for me. This is what my exim_main.log shows when sending a mail:

```
2004-11-01 11:00:21 1COYys-0005H2-Vk <= marc@shadowsrealm.ch H=fw.20minuten.ch ([127.0.0.1]) [62.12.146.130] P=esmtpa A=plain:marc S=1171 id=4186

091E.7000205@shadowsrealm.ch

2004-11-01 11:00:23 1COYys-0005H2-Vk => marc.elser@20minuten.ch R=dnslookup T=remote_smtp H=smtp.20minuten.ch [62.12.146.134]

2004-11-01 11:00:23 1COYys-0005H2-Vk Completed

20
```

----------

## Zebbeman

Golbez:

This is how I set it up:

#/etc/exim/exim.conf:

begin authenticators

plain:

driver = plaintext

public_name = PLAIN

server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}

login:

driver = plaintext

public_name = LOGIN

server_prompts = "Username:: : Password::"

server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}

#/etc/conf.d/saslauthd:

SASLAUTHD_OPTS="${SASLAUTH_MECH} -a shadow"

----------

## Reepicheep

Hey I thought I would through this into the mix..  To get auth to use the local users I use courier authdaemond socket without running exim as root.

I just set my server_condition to :

PLAIN :

```
 

server_condition = ${if eq {${readsocket{/var/lib/courier-imap/authdaemon/socket} \

    {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n}}}{FAIL\n} {no}{yes}}

```

LOGIN : 

```

server_condition = ${if eq {${readsocket{/var/lib/courier-imap/authdaemon/socket} \

    {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n}}}{FAIL\n} {no}{yes}}

```

I use courier-imap anyway but it probably would work with just starting the authdaemond, then you can use what ever imap daemond you want.

----------

## dUSk

 *Reepicheep wrote:*   

> Hey I thought I would through this into the mix..  To get auth to use the local users I use courier authdaemond socket without running exim as root.
> 
> I just set my server_condition to :
> 
> PLAIN :
> ...

 

I had to change the courier-auth socket path from /var/lib/courier-imap/authdaemon/socket to /var/lib/courier/authdaemon/socket and it works!  :Wink:  thx

----------

## sleepingsun

I instal and follow instruction but when i wont to start exim i get this error ! 

```
# /etc/init.d/exim start

 * Starting exim ...

2006-10-13 13:32:40 Exim configuration error in line 306 of /etc/exim/exim.conf:

  error in ACL: unknown ACL condition/modifier in "$dnslist_domain\n$dnslist_text"                                            [ !! ]
```

----------

## doublehp

For

 *Quote:*   

> T=remote_smtp defer (-42): authentication required but server did not advertise AUTH support

 

I explain a fix here: https://forums.gentoo.org/viewtopic-p-3794054.html#3794054

In short, comment (or cleverly tweak) the line:

 *Quote:*   

> hosts_require_auth=*

 

----------

