EximConfig v2.6  -  J.P.Boggis 23/05/2003  (Last updated:  28/10/2024)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ***  Fight back against spam with EximConfig and SA-Exim!  ***

                  http://www.jcdigita.com/eximconfig
                        eximconfig@jcdigita.com


EximConfig is an extensive set of configuration and ACL files for the
Exim 4.2x and above MTAs (See http://www.exim.org), preferably used in
conjunction with SpamAssassin (See http://www.spamassassin.org) and the
SA-Exim patch (See http://marc.merlins.org/linux/exim/sa.html).


WARNING:  This project is no-longer actively developed or maintained.
          *****  USE AT YOUR OWN RISK  *****


License:
~~~~~~~~
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

For further information, see:  http://www.gnu.org/licenses/gpl.html


Sections:
~~~~~~~~~
 1:  Features
 2:  Requirements
 3:  New installation
 4:  Upgrading from a previous version
     ***  IMPORTANT UPGRADE NOTES  ***
 5:  Basic configuration
 6:  Updated ACL's and customisation
 7:  Stopping spam with SMTP-time SpamAssassin
 8:  Stopping forgeries with SPF (Sender Policy Framework)
 9:  Stopping viruses and prohibited attachments with Exiscan
10:  Embedded Perl for handling escaped and Base64 encoded messages
11:  Flood protection using MySQL database
12:  Greylisting using MySQL database
13:  Permanent reject by-pass (Auto-whitelist) using MySQL database
14:  TLS (Secure SMTP)
15:  Windows executables and viruses
16:  Using EximConfig with Fetchmail
17:  Recipient tags (Force direct/smart sending and changing the outbound
     sender domain 'on the fly')
18:  EximConfig Directories
19:  Utilities
20:  Log Files
21:  Custom Log Rotation
22:  Acknowledgements


Features (1):
~~~~~~~~~~~~~

*  Support for multiple languages for reject and log messages.  This allows
   reject messages to be shown in the language of the sending user if
   translated message files for the appropriate language(s) are created
   or installed.

*  Can handle both local mail on the host Exim server as well as act as an
   Internet SMTP relay gateway for less configurable/secure/spam-proof mail
   systems, such as Microsoft Exchange, Novell GroupWise, Lotus Notes, etc.

   This enables you to keep the GroupWare functions of these corporate mail
   systems (Calendar, tasks, sharing, etc.) but enjoy the security, spam
   protection and many other benefits of the Exim mailer.

   It can also of course act as a gateway for other internal Exim servers! :)

*  Most rejection is performed at SMTP-time, off-loading the task of handling
   undeliverable messages to the remote sending mail server/software as well
   as helping to remove E-mail addresses from spam lists.  This creates more
   work for spam mailers too, slowing down their sending software!  :)
   
*  Extensive ACL's (Access Control Lists)  -  Blocking can be performed on
   sending host, domain, IP address, HELO/EHLO, recipient, subject, message
   body, offensive language (Swear words), attachments, etc.  Reject by-pass
   phrase allows legitimate senders to get through spam blocks, etc.

*  Greylisting feature using MySQL database.  This is an effective feature
   against spammers and viruses that can be applied to all messages or
   just those that originate from potential dynamic hosts (Where most
   spam/viruses generally originate from.)  See Greylisting section
   for further details.

*  Detection and rejection of viruses using Exiscan patch and suitable 3rd
   party anti-virus software, such as ClamAV.  Exiscan support can also
   detect bad MIME encoding and check for prohibited attachments within
   encoded multipart MIME messages.

   NOTE:  If you are unable to use the Exiscan support, EximConfig itself can
          still reject executable attachments used by viruses.

*  Flood protection using MySQL database to prevent flooding by host and
   sender.  Also detects sending of duplicate messages and repeat failed
   deliveries, helping prevent spam that is not picked up by other ACL's
   or SpamAssassin (MySQL server and Exim compiled with MySQL support
   required, such as GNU/Debian Linux's exim4-daemon-heavy.)

*  Tarpitting of messages with a large number of recipients (Each further
   recipient is delayed) and optional rejection after recipients reach
   a given maximum number.

*  Can match against escaped or Base64 encoded message body text using
   embedded Perl (Exim compiled with support for this required, such as
   GNU/Debian Linux's exim4-daemon-heavy.)

*  Detailed and explanative rejection messages, which can be optionally
   customised.
   
*  SMTP-time SpamAssassin thanks to http://sourceforge.net/projects/sa-exim

   Simply set the threshold and messages reaching this score will be
   rejected at SMTP-time.  A lower threshold can also be set in the normal
   SpamAssassin config files so that messages with lower scores simply get
   marked as possible spam.  'Teergrube' can also be performed on messages
   with high scores to penalise the spammer and their spam sending software
   by purposely holding the connection open for a given amount of time.
   
*  Sender callback verification that can be optionally performed for all
   senders or just those who match specific domain names (Safer in
   corporate environments) such as major ISP's like HotMail, MSN, AOL,
   etc. whose addresses are often forged by spammers.

   NOTE:  Please see:  http://www.backscatterer.org/?target=sendercallouts

*  Optional forced sender callback verification on hosts with no reverse
   DNS lookup (PTR) record and/or hostnames that indicate potential dynamic
   dial-up/dsl/cable connections (Helps block spammers using these hosts
   but still allows legitimate senders through.)  Sender callback can also
   be optionally enabled for all senders (Not recommended in a corporate
   environment.)

*  Support for SPF (Sender Policy Framework, see http://spf.pobox.com) to
   verify that sender is sending from a host that has been authorised by
   the owners of the domain (Prevents forgery of domains where SPF records
   have been published.)

*  Detects and blocks remote hosts attempting to use a forged local
   host/domain name as their sender address or HELO/EHLO (A common trick
   used by spammers.)

*  RBLs (Realtime BlackLists) can be utilised to force additional checking
   such as sender callback and greylisting on blacklisted hosts/domains.

*  The smart domains feature allows you to selectively route outgoing E-mail
   for specific domain names via your ISP's official mail servers, helping
   avoid relay blacklists (RBLs) and spam restrictions that some ISP's and
   companies are now putting in place for mail sent directly from DSL, cable
   or broadband connections.  Mail for domains not listed is sent directly.
   
   Direct sending for smart domains can also be forced by adding direct- to
   the beginning of the recipient address(es) of an outbound message.

   Smart sending can be forced too by adding smart- to the beginning of the
   recipient address (ISP mail servers must be setup to handle the domain
   though.)

*  Support for TLS for encrypted E-mail transfers.

*  Support for both client and server SMTP authentication.  Client is used
   to authenticate with an upstream ISP mail server that you are using as
   a smarthost.  Server is used to allow remote users to login to your
   server and send messages as though they were a local or relay user,
   avoiding ACL's normally applied to remote senders.

*  'mcp' (Multiple Copy) script to make distribution of ACL's, etc. to
   multiple Exim servers that use EximConfig easier.

*  Detailed accumulative statistics using the 'eximconfigstats' script.

*  Upgrade script to assist with upgrading from previous versions of
   EximConfig.


Requirements (2):
~~~~~~~~~~~~~~~~~
*  Exim 4.2x or later MTA (See http://www.exim.org) preferably with TLS
   support and either the dl_local_scan patch applied or compiled with
   SA-Exim replacement local_scan.c
   
   Embedded Perl support is also recommended for unescaping and Base64
   decoding message body text, along with MySQL database support if you
   wish to use the flood protection feature.

   The exim4-daemon-heavy package distributed with GNU/Debian Linux meets
   the above requirements.

*  (Optional)  SpamAssassin for spam scanning of messages (See
   http://www.spamassassin.org) 
   
*  (Optional)  SA-Exim for SMTP-time spam scanning and rejection using
   SpamAssassin (See:  http://sourceforge.net/projects/sa-exim)

*  (Optional)  Exim compiled with Exiscan patch for virus scanning (Such as
   Debian's exim4-daemon-heavy), plus suitable 3rd party anti-virus software,
   such as ClamAV.

   Exiscan:  http://duncanthrax.net/exiscan-acl
    ClamAV:  http://www.clamav.net

*  (Optional)  SPF daemon (spfd) running via socket /tmp/spfd for SPF support.
   This is available in Debian's spf-tools-perl and libmail-spf-perl
   packages.

*  Ideally one or more registered domain names with MX record(s) pointing
   directly at your Exim host server(s) to allow SMTP-time rejection to
   work effectively.
   
   EximConfig can also work with indirectly received mail (E.g:  Collected
   using Fetchmail), but will only act as a filter - The spammers will never
   see the rejections :( )



New Installation (3):
~~~~~~~~~~~~~~~~~~~~~
Simply uncompress the .tar.gz file and then move the eximconfig directory into
your Exim configuration directory (This is currently /etc/exim4 under
GNU/Debian Linux and usually /etc/exim under other distributions.)

If your Exim installation is not located in /etc/exim4, rather than editing
the path in the config files and scripts, you can simply create a symlink
(Easier), e.g:

   ln -s /etc/exim /etc/exim4

(If your Exim installation is located in /etc/exim)


You can then run the bin/makelinks script to create the symlinks for
exim4.conf and sa-exim.conf

   tar xzf eximconfig.tar.gz
   mv eximconfig /etc/exim4
   cd /etc/exim4/eximconfig
   bin/makelinks /etc/exim4

Once you have done this, simply customise the config files to suit your
system and preferences (See basic configuration section below as a starting
point.)  Each configuration file is relatively self-explanatory  -  Simply
edit/view it to see usage information.

Finally, once you're happy with the configuration, simply restart Exim for
the new config to take effect.

NOTE:  Please keep hold of the eximconfig.tar.gz that you used to install
       with.  When used with the upgrade script (See below), this will make
       the upgrading process easier by identifying which files you have
       customised.


Upgrading from a previous version (4):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
USAGE:  bin/upgrade <SOURCE ARCHIVE> [<PREVIOUS ARCHIVE>]

EximConfig is updated and improved regularly, so at some point you may wish
to install a more up-to-date version.  The bin/upgrade script will help make
this process easier, especially if it is used with the original
eximconfig.tar.gz that you installed from.  This will enable it to
identify which files you have customised.

To upgrade, simply download the latest eximconfig.tar.gz distribution from
http://www.jcdigita.com/eximconfig

Now change to the directory where EximConfig is installed (E.g:
cd /etc/exim4/eximconfig) and run the upgrade script, preferably
specifying the path to your original installation archive, e.g:

bin/upgrade /usr/src/eximconfig.tar.gz /usr/src/orig-eximconfig.tar.gz

NOTE:  If you don't have the original installation archive anymore, you can
       still run the upgrade.  However, it will only be able to upgrade
       files that are rarely modified (Such as config/exim4.conf) and
       create new files that do not currently exist.  Files that are
       replaced will automatically be backed up to the 'old' directory.

NOTE:  If you have already previously upgraded using the upgrade script,
       simply omit the 2nd parameter to use the archive that was copied
       at the end of your previous upgrade for future comparison (Assuming
       that you answered Y to this), e.g:

       bin/upgrade /usr/src/eximconfig.tar.gz


You will be asked if you wish to back up your existing configuration.  Choose
Y and this will be backed up to old/backup-eximconfig.tar.gz

During the upgrade process, if a file has been modified from the original
installation archive, you will be asked by the script what you would like
to do.  You will have the option to view the changes that you have made as
well as the changes in the new version, and then decide whether to replace
the file or not.

If you choose Y, the file will be backed up and then replaced with
the upgraded file.  Choosing O will overwrite without backing up (Only
do this if you are happy losing any customisations you have made.)

Choosing N will leave your customised file untouched.

At the end of the upgrade process, results will be displayed.  Read through
these carefully to check for any errors ('less' is used as the viewer by
default) and then press Q when finished.

If any errors occurred, you will need to rectify them and then simply run the
upgrade script again.

Otherwise, you will be asked if you wish to make a copy of the
eximconfig.tar.gz archive that you used to upgrade with, so that it can be
used for comparison in your next upgrade.  Choose Y (It will be kept in the
'old' directory, alongside any files that were replaced/upgraded.)  When
you next upgrade, simply omit the previous archive (2nd parameter) and
the previous archive in the 'old' directory will be automatically used.


***  IMPORTANT UPGRADE NOTES  ***
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
30/06/2004  Because the flood protect repeat failed delivery feature is now
	    based on both host and sender, you may wish to add an index to
            the Host field to improve efficiency (This should not really
            be necessary for small sites.)

	    To add the index, log into your MySQL EximConfig database(s) and
	    run the following MySQL command:

	    alter table FloodProtectRepeatFail add index(Host);
	    
28/06/2004  New to EximConfig v1.9 flood protection is detection of repeat
	    delivery failures.  This feature rejects repeat failures for
	    EximConfig DATA ACL's.  The settings for this can be
	    adjusted in config/flood_protect
	    
	    (NOTE:  Messages rejected by SMTP-time SpamAssassin cannot be
	            detected by this due to the fact that they are rejected
		    by local_scan() after Exim ACL's have been processed.)

	    If you are already using flood protection, you will need to
	    create the additional FloodProtectRepeatFail table in your
	    EximConfig MySQL database, otherwise you will get MySQL errors.
	    Please see the flood protect section (11) for the appropriate
	    MySQL CREATE TABLE statement.

	    If you don't wish to use the new repeat failure feature,
	    simply change FLOOD_PROTECT_REPEAT_FAIL_ENABLED to No.
	    
	    (NOTE:  You don't need to do this if you are not using
	            flood protection, i.e:  FLOOD_PROTECT_ENABLED
		    is set to No.)

            EximConfigStats has also been considerably improved  -  For
	    full usage instructions, run:  bin/eximconfigstats help

10/09/2004  ClamAV in Debian testing (sarge)/unstable (sid) now runs as an
	    unprivileged user and needs to be added to the Debian-exim group
	    to be able to scan mail for viruses.  Please see Exiscan section
	    for further details.

10/09/2004  MySQL update privilege is required for the EximConfig MySQL
	    user for greylisting feature.  If you have previously
	    created this user, please grant the update privilege
	    to them, eg:
	    
            mysql -p
	    mysql> use mysql
	    mysql> update user set Update_priv='Y' where User='eximconfig';
	    mysql> flush privileges;

13/09/2004  New to EximConfig 2.0 is the greylisting feature (Requires MySQL
            support and database.)  This is an effective new feature against
	    spammers and viruses that can be applied to all messages or just
	    those that originate from potential dynamic hosts (Where most
	    spam/viruses generally originate from.)  See Greylisting section
	    for further details.
	    
13/09/2004  The regularly updated ACL's for sender address/domain, host,
	    subject and message body can now be optionally disabled,
	    allowing you to use your .custom versions of these only.
	    See:  config/custom_acls

31/05/2006  Unique ID added to reject bypass phrase.  To ensure that this
            is unique for your system, please edit REJECTBYPASS_CODE and
	    REJECTBYPASS_MULTIPLIER in config/bypass

	    This feature helps prevent spammers from abusing the reject
	    bypass phrase.

04/07/2006  New Greylisting options added to config/greylist:

	    GREYLIST_VERIFY_POOL = Yes

	       Some large ISP's may use a pool of servers to handle delivery
	       and retrying of messages, which depending on how many servers
	       the ISP has, may result in considerably increased time for the
	       sender to pass.  This option ignores the last number in the IP
	       address when performing verification.
	    
	    GREYLIST_PASS_HOST = Yes

	       Once a sender+recipient+host triplet has passed greylisting,
	       this option will prevent greylisting for all further senders
	       from the same host while the passed triplet(s) remain in effect
	       (The expiry time will be reset on all triplets for the host for
	       each new message that is received.)
	       
	       This setting helps prevent unnecessary greylisting and delaying
	       of messages from hosts that are likely to pass (E.g:  Major ISP
	       mail servers.)

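The two options above change which stored triplets a new delivery attempt can match.  The following model is added here as an illustration and is not EximConfig's own code (which keeps its triplets in MySQL); it runs constructed traffic through the three configurations.  The delay and expiry values and the 198.51.100.x addresses are assumptions.

```python
from dataclasses import dataclass, field

# Assumed timings (EximConfig's real values are set in config/greylist).
MIN_DELAY = 300             # seconds a new triplet must wait before a retry is accepted
PENDING_EXPIRY = 4 * 3600   # a triplet never retried within this time is forgotten
PASSED_EXPIRY = 7 * 86400   # how long a passed triplet stays valid


@dataclass
class Greylist:
    verify_pool: bool = False   # GREYLIST_VERIFY_POOL: ignore the last number of the IP
    pass_host: bool = False     # GREYLIST_PASS_HOST: one passed triplet clears the host
    # (sender, recipient, host key) -> {"first_seen", "passed", "expires"}
    triplets: dict = field(default_factory=dict)

    def host_key(self, ip: str) -> str:
        """Host part of the triplet; with verify_pool, 198.51.100.5 and
        198.51.100.7 (two servers of one ISP delivery pool) share a key."""
        if self.verify_pool and ip.count(".") == 3:
            return ip.rsplit(".", 1)[0] + ".*"
        return ip

    def _expire(self, now: int) -> None:
        for key in [k for k, v in self.triplets.items() if v["expires"] <= now]:
            del self.triplets[key]

    def _host_entries(self, hk: str) -> list:
        return [v for k, v in self.triplets.items() if k[2] == hk]

    def _refresh_host(self, hk: str, now: int) -> None:
        # GREYLIST_PASS_HOST: expiry is reset on all passed triplets for the host
        for v in self._host_entries(hk):
            if v["passed"]:
                v["expires"] = now + PASSED_EXPIRY

    def check(self, sender: str, recipient: str, ip: str, now: int) -> str:
        """Decide one delivery attempt: 'defer' (temporary 4xx) or 'pass'."""
        self._expire(now)
        hk = self.host_key(ip)
        key = (sender.lower(), recipient.lower(), hk)
        entry = self.triplets.get(key)
        if entry is None:
            if self.pass_host and any(v["passed"] for v in self._host_entries(hk)):
                # the host has already proved that it retries properly
                self.triplets[key] = {"first_seen": now, "passed": True,
                                      "expires": now + PASSED_EXPIRY}
                self._refresh_host(hk, now)
                return "pass"
            # first sight of this triplet: ask the sender to try again later
            self.triplets[key] = {"first_seen": now, "passed": False,
                                  "expires": now + PENDING_EXPIRY}
            return "defer"
        if not entry["passed"] and now - entry["first_seen"] < MIN_DELAY:
            # retried too soon, typical of spam software hammering the server
            return "defer"
        entry["passed"] = True
        entry["expires"] = now + PASSED_EXPIRY
        if self.pass_host:
            self._refresh_host(hk, now)
        return "pass"


def demo() -> dict:
    """Constructed traffic run through the three configurations; returns the
    decision at each step so the effect of each option can be compared."""
    s, r = "alice@example.org", "bob@example.com"
    configs = {"plain": Greylist(), "pool": Greylist(verify_pool=True),
               "passhost": Greylist(pass_host=True)}
    out = {}
    for name, g in configs.items():
        g.check(s, r, "198.51.100.5", 0)                      # first attempt
        out[name + "_early"] = g.check(s, r, "198.51.100.5", 60)
        # the ISP retries from another server of the same pool after 10 minutes
        out[name + "_other_server"] = g.check(s, r, "198.51.100.7", 600)
        # ...and from the original server a little later
        out[name + "_retry"] = g.check(s, r, "198.51.100.5", 650)
        # a different sender on the original host, e.g. a second ISP customer
        out[name + "_new_sender"] = g.check("carol@example.org", r, "198.51.100.5", 700)
    return out
```

Only the "pool" configuration passes the retry that arrives from the second pool server, and only "passhost" passes the new sender without a fresh delay.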

Basic Configuration (5):
~~~~~~~~~~~~~~~~~~~~~~~~

config/system_filter    If your Exim 4.x is not using /etc/exim4 for its
                        configuration and /var/log/exim4 for its log files,
                        please edit these to the correct locations, for
                        example (If editing with vi/vim):

                        :%s/\/etc\/exim4/\/etc\/exim/g
                        :%s/\/var\/log\/exim4/\/var\/log\/exim/g

			Also, check the scripts in the bin directory - Some
			of these will need their Exim, EximConfig and Exim
			log file paths updated.

config/hostname		Set this to the external hostname of your mail server.
			This should be a valid Internet host+domain name, e.g:
			
			mail.company.com

config/domainname	Set this to your primary domain name, e.g:

			company.com

config/bypass		Edit REJECTBYPASS_CODE and REJECTBYPASS_MULTIPLIER to
			ensure that these are unique for your system (They are
			used to generate unique ID numbers for the reject
			bypass phrase.)

config/contact_address	Set this to your general contact address (Also, see 
			localparts/contact, accept/contact and reject/contact),
			e.g:

			email@company.com

localparts/contact	Common localparts (Username before @ in E-mail address)
			that are often targeted by spammers.  Please check this
			list to ensure that any contact addresses that you
			actually do use within your organisation are not
			listed as REJECT.

config/postmaster	Set this to your postmaster address, e.g:

			postmaster@company.com

config/postmaster_forward   Set this to the address you want messages sent to
			    postmaster to be forwarded/redirected to (Set this
			    the same as config/postmaster if you do not require
			    this.)

hosts/local             Set this to the local host IP address(es) of your
                        Exim host server, excluding 127.0.0.1 and ::1
                        which are assumed local by default, e.g:

			192.168.0.1

domains/local		This is a list of domain names that will be associated
			with the local host Exim server (In addition to the
			hostname specified in config/hostname)  Mail sent to
			these domains will be routed to local users on this
			host Exim server, e.g:

			webmail.company.com
			company.co.uk
			company.info

hosts/relay		Set this to the IP address(es) of hosts that you
			wish to allow to relay through your Exim host server,
			such as internal mail servers that will be using it
			as a gateway to the outside world, e.g:

			192.168.0.2
			192.168.1.1

domains/relay		This is a list of recipient domain names that will
			be relayed to other mail servers (Usually internal
			Groupware systems such as Microsoft Exchange, 
			Novell GroupWise, Lotus Notes, etc.)  E.g:

			relaycompany.com

route/relay		In conjunction with the above, this is a list of
			recipient domain names and the mail servers that
			they will be routed to, e.g:

			*		192.168.0.2 : 192.168.1.1

			This will route all mail for the relayed domain
			names to the internal mail servers 192.168.0.2
			and alternatively 192.168.1.1

			You can also specify alternative routing for
			specific domain names by including these above
			the default line, e.g:

			company.com	192.168.0.3 : 192.168.1.2
			
hosts/smart		Set this to a : separated list of your ISP's mail
			servers (smart hosts) used for delivering messages
			via SMTP.  SMTP servers will be used in the order
			specified (If 1st fails, 2nd will be used, etc.),
			e.g:

			smtp.isp.com : smtp2.isp.com

			IMPORTANT:  Please make sure that you make arrangements
				    with your ISP to accept your domain names
				    on their mail servers before using this
				    feature, otherwise all your outgoing
				    messages will be blocked as 3rd party
				    relaying attempts!

			NOTE:  You can force direct SMTP sending for a domain
			       handled by a smart host by adding direct- to
			       the beginning of the recipient address for an
			       outbound message, e.g:  direct-user@host.com

			       Smart sending can also be forced by adding
			       smart- to the beginning of the recipient
			       address.
				    
			Use of an ISP smart host is particularly important
			if you are using a DSL, cable or broadband connection
			for sending your outgoing messages.  Some ISP's (Such
			as SupaNet and AOL) will block direct SMTP from these
			connections due to the spam problem.

hosts/auth		If you are using an ISP smart host that requires
			authentication before messages can be sent through
			it, simply add its hostname to this file and set
			your correct username and password in the files
			config/hosts_auth_user and config/hosts_auth_password

accept/auth_logins	If you wish to allow remote users to log into your
                        server via SMTP authentication and send messages as
			though they were a local/relay user, simply add a
			suitable login and password for them to this file.
			
			For further information, please see notes in
			accept/auth_logins

route/smart		In conjunction with the above, this is a list of
			your sender domain names that will be routed via
			your ISP's mail servers.  All other domain names
			not listed in this file will be sent directly over
			SMTP.

route/recipient_direct  Recipient domain names listed in this file will
			always be sent directly via SMTP.
			
route/recipient_smart   Recipient domain names listed in this file will
			be sent via ISP 'smarthost(s)' (NOTE:  This will
			fail if the ISP mail server is not configured to
			accept the sender domain name.)

localparts/relay	If you are using the above relay domain routing
			feature, you should set this to the user naming
			format used on the mail server(s) the messages
			will be relayed to, e.g:

			firstname.lastname@${domain}

			...Or...
			
			user@${domain}

hosts/remote		This is a list of remote hosts that will be allowed
			to send inbound messages using a local or relay
			domain name (See domains/local and domains/relay)
			without being rejected as a forged sender.  For
			most people, this list will not contain any hosts.

localparts/contact	Local parts (User name before @ in E-mail address)
			that are considered contact names that will either
			be re-written to the correct contact address for
			the specified domain names or rejected with the
			user informed of the correct contact address.

			Where multiple companies are hosted within the same
			E-mail system, this allows sales@domain, info@domain,
			etc. to be used with messages sent to these addresses
			automatically re-written to the correct, unique
			contact address for each particular company.

			The reject feature is also useful to avoid spam that
			is commonly sent to contact addresses, regardless of
			whether they exist or not.  For example you can reject
			sales@ if you're not a commercial company.

accept/contact		List of domain names and their correct contact address.
			Depending on localparts/contact, a contact name will
			either be seamlessly re-written and delivered to the
			correct contact address or rejected with the sending
			user informed of the correct contact address.
			
reject/contact		Domain names that contact names will always be
			rejected for.  Useful for domains that you rarely
			use that constantly receive spam sent to contact
			names such as sales@, info@, contact@, etc.

config/postmaster_rewrite_local     These files control whether postmaster@,
config/postmaster_rewrite_relay     webmaster@ and abuse@ for local and/or
				    relay domain names are re-written to
				    the above postmaster_forward address.

config/rewrite		  Custom address re-writing rules.
config/rewrite_sender	  Custom sender address re-writing rules.
config/rewrite_recipient  Custom recipient address re-writing rules.

config/callback         This file contains options to enable sender callback
		        verification.  This verifies that a sender exists by
			checking that they are deliverable on the mail
			server(s) that handle mail for the domain they
			are using.
				    
		        This can either be enabled for all senders (Not
			recommended) or optionally for senders from specific
			domains, hosts with no reverse DNS, potentially
			dynamic host IP addresses and hosts that have
			been blacklisted by RBLs (Realtime BlackLists.)

			IMPORTANT:  You should not use sender callback
				    verification if your mail server utilises
                                    a connection with a dynamic IP address.
				    If you do, your callback probes may get
				    rejected by blacklists (RBLs) in use by
				    some ISP's and companies.

                        Use of sender callback can also be seen as abusive
                        by some server administrators - Please see:

                        http://www.backscatterer.org/?target=sendercallouts

		        If you relay mail on behalf of other mail servers,
			recipient callback verification can also be optionally
			enabled to ensure that undeliverable messages are
			rejected at SMTP-time, rather than bounced when they
			reach the relay hosts (This will only work if the
			relay hosts reject undeliverable recipients at
			SMTP-time.)

domains/callback	Sender callback verification can be forced for
			individual selected domains (Such as those of major
			ISP's that are commonly forged by spammers (aol.com,
			msn.com, yahoo.com, etc.)) by placing them in this file.

			Greylisting will also be applied to these domains if
			the GREYLIST_DYNAMIC option is enabled in
			config/greylist (See section on greylisting for
			further details.)

config/rbls	        Sender callback and greylisting can optionally be
			forced for hosts/domains  that are blacklisted by
			RBLs (Realtime BlackLists)

config/greylist		Greylisting options.  See section on greylisting
			for further information.

config/tarpit		Tarpitting options.

config/settings		Add your own custom main configuration settings to
			this file.
			
config/acl_rcpt		Add your own custom RCPT and DATA ACL's to these
config/acl_data		files, if required.

config/routers		Add your own custom routers and transports to these
config/transports	files, if required.  These will be included before
			the pre-defined routers and transports used by
			EximConfig.

config/ip_domain_literals	    Comment out 'allow_domain_literals' in
				    this file if you do not want to allow
				    routing over SMTP by explicit IP address,
				    given as a "domain literal" in the form
				    [nnn.nnn.nnn.nnn]

				    The RFC's require this facility but you
				    may wish to disable it.

config/check_language		    Set this to Yes to block messages with
				    offensive language (Swear words) in their
				    subject or message body text.  Recommended
				    in a corporate environment to prevent
				    misuse/abuse of E-mail.  Also helps
				    block pornographic spam.

				    Offensive language that will be blocked
				    can be customised in reject/language

config/check_attachment_filename    Set this to Yes to block known malicious
				    attachment filenames, such as the recent
				    Win32.Sobig.E virus (your_details.zip,
				    etc.)

				    Attachment filenames that are blocked can
				    be customised in reject/attachment_filename

config/check_attachment_executable   Set this to Yes to block Windows executable
				     attachments used by viruses (Highly
				     recommended.)

				     Inbound and outbound attachment types to
				     block can be customised in
				     reject/attachment_executable_inbound and
				     reject/attachment_executable_outbound

config/check_attachment_prohibited   Set this to Yes to block other
				     non-executable attachments, such as
				     resource wasting video and audio files.
				     (Useful in a corporate environment.)

				     Prohibited attachment types can be
				     customised in reject/attachment_prohibited

config/check_virus_hoax     Set this to Yes to block known hoax viruses, such
                            as JDBGMGR.EXE and SULFNBK.EXE (Important because
                            these instruct users to delete legitimate files
                            from their Windows PCs.)  Recommended in a
                            corporate environment.
			    
config/check_virus_warning  Set this to Yes to block potential virus warning
			    messages (Based on subject), which are usually
			    hoaxes and waste time of IT departments due to
			    queries from users.  Even worse, some of these
			    may instruct users to delete files from their
			    computer, which you don't want happening.
			    (Recommended in a corporate environment.)

config/language		    Sets the default language for log messages and
			    automatic lookup for sender hosts and domains.

messages/en		    Translations of reject and log messages can be
			    created or installed in this directory to allow
			    these to be shown in languages other than English.

domains/language	    Sets the language to use for specific sender
			    domains.

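The route/relay table described in this section is matched top to bottom, which is why specific domains must sit above the '*' default.  Here is an added example (not part of EximConfig) that resolves a recipient domain against such a table and flags lines that an earlier line shadows.  The sample table is constructed; the '*.company.com' subdomain form is an assumption borrowed from Exim's manualroute route_list syntax, which this file mirrors, and goes beyond the two line forms shown above.

```python
# Constructed sample shaped like the route/relay entries shown above.
ROUTE_RELAY = """\
# specific domains first, the '*' default last
company.com      192.168.0.3 : 192.168.1.2
*.company.com    192.168.0.4
*                192.168.0.2 : 192.168.1.1
"""


def parse_route_table(text: str) -> list:
    """Return [(pattern, [host, ...]), ...] in file order.

    A line is '<domain pattern> <host> [: <host> ...]' and '#' starts a
    comment.  The ':' separator suits the README's IPv4 examples; IPv6
    literals would need a different separator."""
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed route line: %r" % raw)
        pattern, hosts = parts
        host_list = [h.strip() for h in hosts.split(":") if h.strip()]
        if not host_list:
            raise ValueError("no hosts for pattern %r" % pattern)
        table.append((pattern.lower(), host_list))
    return table


def pattern_matches(pattern: str, domain: str) -> bool:
    """'*' matches everything, '*.x' any subdomain of x (not x itself),
    anything else must match exactly (case-insensitive)."""
    domain = domain.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])
    return domain == pattern


def route_for(domain: str, table: list):
    """Hosts to try, in order, for a recipient domain (first matching line
    wins) or None when no line matches."""
    for pattern, hosts in table:
        if pattern_matches(pattern, domain):
            return list(hosts)
    return None


def shadowed_patterns(table: list) -> list:
    """Patterns that can never be reached because an earlier line already
    matches every domain they would match (e.g. a '*' default placed first).
    This is the ordering mistake the README warns about."""
    shadowed = []
    for i, (pattern, _) in enumerate(table):
        if pattern == "*":
            sample = None                      # only another '*' fully shadows it
        elif pattern.startswith("*."):
            sample = "_probe" + pattern[1:]    # a representative subdomain
        else:
            sample = pattern                   # exact patterns match one domain
        for earlier, _ in table[:i]:
            if earlier == "*" or (sample is not None
                                  and pattern_matches(earlier, sample)):
                shadowed.append(pattern)
                break
    return shadowed
```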

Updated ACL's and customisation (6):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ACL's:	reject/sender_address   	Rejected full sender E-mail addresses.
	reject/sender_domain		Rejected sender domain names.
	reject/sender_name		Rejected sender From: names.
	reject/host			Rejected sender hosts.
	reject/subject			Rejected subject text.
	reject/body			Rejected message body text.

	reject/attachment_filename	Prohibited attachment filenames.
	messages/reasons		Pre-defined rejection reasons.


Download updates from:  http://www.jcdigita.com/eximconfig


NOTE:  The above ACL's used to be updated on a regular basis, but due to
       the amount of time involved versus effectiveness, these are now
       only updated occasionally outside of updates to the main EximConfig
       distribution.

       More effective measures such as greylisting and SURBL support in
       SpamAssassin along with spammers constantly registering different
       'throw-away' domains make lists in reject/sender_address and
       reject/body less effective and difficult/time consuming to maintain.

You can download the latest copies of these files from the URL above and
copy them directly into the reject directory (Exim does not need to be
restarted for these new updated ACL's to take effect.)

Because you will probably want to use the updated ACL's, this makes
customising these ACL's with your own entries more difficult, because you
must keep track of what you have added and copy it across to the new updated
ACL's.

So that you don't need to do this, simply add your own entries to the .custom
versions of these files which are provided for this purpose.  For example,
add your own custom rejected sender domain names to reject/sender_domain.custom
instead of reject/sender_domain.

You can also optionally disable the above regularly updated ACL's so that
only your .custom versions are used.  This can be done using the options in
config/custom_acls.

NOTE:  .custom ACL's are only currently available for the above reject ACL
       files (Except reject/attachment_filename and messages/reasons.)


Stopping spam with SMTP-time SpamAssassin (7):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
One of the most effective counter measures against spam that can be used with
Exim is SpamAssassin at SMTP-time, thanks to SA-Exim.

Most anti-spam solutions (Including SpamAssassin in most installations) are
applied after a message has been received, either bouncing it back to the
sender (Usually forged, so pointless) or sending it to a 'black hole' if
it is detected as spam.

This isn't very effective because to the spammer, it appears that you are
receiving their E-mails and your address is valid.  By rejecting spam at
SMTP-time (While the spammer still has an active connection to your mail
server), your address will appear undeliverable to them and this will
quickly help get you off spam lists.

NOTE:  SMTP-time spam rejection is only effective in this way for mail that's
       received directly by Exim, i.e:  Mail received via a registered domain
       name with MX (Mail eXchanger) record(s) pointing directly at your
       Exim mail server(s).
       
       It can of course still be used with indirect mail too (E.g:  Collected
       via Fetchmail), to prevent it from ending up in your inbox, but the
       spammer will never see the rejection.

SMTP-time SpamAssassin is implemented using SpamAssassin, which can be
obtained from http://www.spamassassin.org or as a ready-configured package
for your operating system.  Once installed, make sure you enable and start
it (By default, it's disabled in GNU/Debian Linux after installation.)

SA-Exim, which enables the SMTP-time integration of SpamAssassin into Exim,
can be obtained from:  http://sourceforge.net/projects/sa-exim

If you are running GNU/Debian Linux, you can simply install the sa-exim
package.  You should also ensure that you are using exim4-daemon-heavy
rather than exim4-daemon-light.  This will allow you to use all features
of EximConfig, including flood protection and greylisting.

If you are compiling sa-exim yourself, this can either be patched into the
source of Exim, or if your Exim has the local_scan() patch applied (Such as
GNU/Debian Linux's exim4-daemon-heavy package), it can be compiled as a
separate module that can be loaded dynamically without needing to recompile
Exim.

If you need to compile SA-Exim, obtain it from the URL above.  If you are
compiling it as a module for use with local_scan_path, simply follow through
the README and compile it separately from Exim.  Once compiled, copy the
resulting sa-exim-N.N.so to bin/sa-exim.so in your EximConfig installation. 

If your Exim does not have the local_scan() patch applied, you will need to
recompile the Exim from source code.  The SA-Exim INSTALL file explains how
to patch SA-Exim into the Exim source code directly.

Once installed, you will need to enable SA-Exim support in EximConfig.
Simply edit config/check_spam and set this to:  Yes

If you are using a patched version of Exim (Such as Debian's
exim4-daemon-heavy) that supports use of local_scan_path, edit
config/local_scan_path and uncomment the appropriate local_scan_path line.

Ensure that the sa-exim.conf symlink exists in your Exim installation
directory (/etc/exim4 under GNU/Debian Linux, usually /etc/exim under
other distributions.)  If not, run:  bin/makelinks /etc/exim4  (Or
/etc/exim appropriately.)

Finally take a look at config/sa-exim.conf, which is the configuration file
for SA-Exim.  In particular, you may want to change the permanent reject
(SApermreject) and 'teergrubing' (SAteergrube) thresholds.

By setting these to a higher value than the threshold in your
system SpamAssassin local.cf (Usually found in /etc, e.g:
/etc/spamassassin/local.cf), you can have low scoring messages
(E.g:  >= 5.5) simply marked as spam and higher scoring messages
rejected or even 'teergrubed' if the score is high enough.

NOTE:  The spam thresholds in sa-exim.conf cannot be set lower than the
       required_hits setting in SpamAssassin's config file
       (/etc/spamassassin/local.cf under GNU/Debian Linux.)
       
       If you wish to use a lower threshold than the SpamAssassin default
       of 5.5, you will need to change this in SpamAssassin's config file.

Now simply restart Exim and check the headers of an incoming E-mail from
a remote user.  This should have X-Spam headers present to indicate that
SpamAssassin has been applied.

Messages marked as spam or rejected by SpamAssassin will be logged to Exim's
rejectlog.  The utility 'bin/logview' is supplied to view this in a format
that is easier to read.  See the section near the end of this file for more
information about this.


Stopping forgeries with SPF (Sender Policy Framework) (8):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SPF information:  http://spf.pobox.com

SPF is a DNS-based mechanism through which a sending host can be checked to
determine whether it is authorised to send mail for a particular domain.
Full details of SPF and how it works can be found at the web site above.

In particular, it can help prevent forgeries by spammers and viruses for
domains who implement and publish SPF records.  Although not widely
implemented at present, this will change as more ISP's and companies
implement MTA's capable of checking SPF records and more domain owners
set their SPF records up to prevent forgery of their domains.

To use SPF with EximConfig, you will need the SPF Daemon (spfd.)  This is
now included with Debian's spf-tools-perl and libmail-spf-perl packages.

A bin/spfd script is also included that can be used with Debian (And
possibly other distributions) to automatically start spfd.

Under Debian, simply 'ln -s bin/spfd /etc/init.d' (From your EximConfig
installation directory, e.g:  /etc/exim4/eximconfig) and then run
'insserv spfd' to enable it.  Start it by using:  /etc/init.d/spfd start

Once spfd is up and running, you should have a spfd socket in /tmp (This must
be owned by the same user that Exim runs under, otherwise access will be
denied due to Exim security constraints.)

Edit config/check_spf and set this to Yes.  Then simply restart Exim to enable
SPF.

Keep an eye on your Exim mainlog - If messages get temporarily rejected with
the error 'Cannot connect to spfd', spfd either isn't running or the socket
/tmp/spfd does not have the correct ownership (See above.)


Stopping forgeries with DKIM (DomainKeys Identified Mail) (8a)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In addition to SPF, signing outbound E-mail with DKIM helps prevent forgeries
by allowing the receiving server to check that the E-mail is genuine and has
not been tampered with.

Setting up DKIM:

1. Create the DKIM folder using the below command:

   mkdir /etc/exim4/dkim

2. Change the permissions of the DKIM folder:

   chown -R Debian-exim:Debian-exim /etc/exim4/dkim/

3. Create a private key for each domain:

   cd /etc/exim4/dkim
   openssl genrsa -out domain.com-private.pem 2048

4. Generate a public key for each domain: 

   openssl rsa -in domain.com-private.pem -out domain.com-public.pem -pubout -outform PEM

5. Repeat the above steps 3-4 for each domain that you wish to DKIM sign

6. Change the permissions of the certificate files in the DKIM folder:

   chmod 640 /etc/exim4/dkim/*

7. Edit DKIM_SELECTOR in config/dkim with the current date in YYYYMMDD format

8. Log into your domain registrar and add the following records for each
   domain to be DKIM signed:

   Type:   TXT
   Name:   YYYYMMDD._domainkey
   Value:  v=DKIM1; k=rsa; p=PUBLIC_KEY

   Where YYYYMMDD is the value for DKIM_SELECTOR and PUBLIC_KEY is the
   public key for the domain from the dkim folder (the string of random letters
   and numbers only, without the BEGIN/END PUBLIC KEY headers.)
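Building the TXT record from the openssl-generated public key file, as an added example (not part of EximConfig). It assumes a PEM public key as written by 'openssl rsa -pubout' and a YYYYMMDD selector as used for DKIM_SELECTOR in config/dkim; the sample key below is a constructed DER-shaped blob, not a real key.

```python
"""Build and check the DKIM TXT record from step 8 (added example, not part
of EximConfig). Assumes a PEM public key as written by 'openssl rsa -pubout'
and a YYYYMMDD selector as used for DKIM_SELECTOR in config/dkim."""
import base64
import re

MAX_TXT_STRING = 255  # DNS stores a TXT record as <character-string>s of at most 255 bytes

# Constructed sample: a DER-shaped blob (SEQUENCE header plus filler), NOT a
# real key, wrapped at 64 columns like the file from 'openssl rsa ... -pubout'.
_SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(290)
_SAMPLE_B64 = base64.b64encode(_SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(_SAMPLE_B64[i:i + 64] for i in range(0, len(_SAMPLE_B64), 64))
              + "\n-----END PUBLIC KEY-----\n")


def pem_public_key_body(pem_text):
    """Return the base64 between the BEGIN/END PUBLIC KEY lines, joined into
    one string (what the p= tag needs). Rejects anything that is not a PEM
    public key or whose body does not decode to a DER SEQUENCE (0x30)."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("not a PEM public key (expected BEGIN/END PUBLIC KEY lines)")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE; wrong file?")
    return body


def dkim_txt_record(domain, selector, pem_text):
    """Return (owner name, TXT value) for the record in step 8. The owner name
    is given fully qualified; most registrars want only 'SELECTOR._domainkey'."""
    if not re.fullmatch(r"\d{8}", selector):
        raise ValueError("selector must be a date in YYYYMMDD form")
    value = "v=DKIM1; k=rsa; p=" + pem_public_key_body(pem_text)
    return "%s._domainkey.%s" % (selector, domain), value


def split_txt_strings(value):
    """Split a value into the <=255-byte strings a TXT record is made of; a
    2048-bit key gives a p= of about 392 characters, so it needs two."""
    return [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]


def parse_dkim_record(value):
    """Parse tag=value pairs back out of a published record and check that the
    tags the text calls for (v=DKIM1, k=rsa, p=<base64>) are all present."""
    tags = {}
    for part in value.split(";"):
        tag, sep, val = part.strip().partition("=")
        if sep:
            tags[tag.strip()] = val.strip()
    if tags.get("v") != "DKIM1" or tags.get("k") != "rsa" or not tags.get("p"):
        raise ValueError("record is missing v=DKIM1, k=rsa or p=")
    base64.b64decode(tags["p"], validate=True)  # p= must be well-formed base64
    return tags
```

If the registrar's form refuses a value longer than 255 characters, enter the pieces from split_txt_strings as consecutive quoted strings of the same record; resolvers concatenate them.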



Stopping forgeries with DMARC policy (8b)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DMARC (Domain-based Messaging Authentication, Reporting and Conformance) sets
the policy for when SPF and/or DKIM records do not match.

DMARC is a mandatory requirement for PCI DSS 4.0.


1. Log into your domain registrar and add the following records for each
   domain to add a DMARC policy:

   Type:   TXT
   Name:   _dmarc
   Value:  v=DMARC1; p=reject; pct=100; rua=mailto:postmaster@yourdomain.com;

   NOTE:  Use p=quarantine instead of p=reject to test first


Stopping viruses and prohibited attachments with Exiscan (9):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exiscan:  http://duncanthrax.net/exiscan-acl
 ClamAV:  http://www.clamav.net

If your Exim has been compiled with the Exiscan patch (Such as
exim4-daemon-heavy in GNU/Debian Linux), you can enable realtime virus
scanning with the help of a 3rd party virus scanning solution such as ClamAV.

Exiscan also offers detection of badly encoded MIME in messages, as well as
better detection of attachments within multipart MIME encoded messages.

To enable Exiscan support, simply do the following:

*  Edit config/exiscan_include and uncomment the .include line.

*  If you wish to use the anti-virus feature, please edit config/exiscan_av
   and set it correctly for the anti-virus solution you are using (See
   http://duncanthrax.net/exiscan-acl/exiscan-acl-spec.txt for further
   details.)

*  If you wish to reject Windows executable files (Highly recommended!),
   please ensure that config/check_attachment_executable is set to Yes.

*  Restart Exim for your changes to take effect.

NOTE:  If you are using ClamAV under GNU/Debian Linux, please ensure that
       ClamAV has permission to read files in the /var/spool/exim4/scan
       directory.  With recent updates, ClamAV runs as an unprivileged
       user (clamav) and will not have access to these by default.
       
       Simply run 'dpkg-reconfigure clamav-base', go through the various
       config dialogue screens (Leaving options unchanged) until you reach
       the 'Please enter any extra groups for clamd' screen.  Enter
       Debian-exim in the 'Groups for clamav-daemon' box.
       
       Once you have finished reconfiguring ClamAV, simply restart ClamAV
       and Exim for the changes to take effect:

       /etc/init.d/clamav-daemon restart
       /etc/init.d/exim4 stop
       skill exim4                         (Kills any 'hung' processes.)
       /etc/init.d/exim4 start


Embedded Perl for handling escaped and Base64 encoded messages (10):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Due to limitations of Exim expansion items, the ACL's in EximConfig, such as
reject/body can only match plain text and simple obfuscation, such as 1 for
i (E.g:  V1agra.)  Messages that would otherwise match rules in reject/body
will 'slip' through if they have been escaped or Base64 encoded.

However, if your Exim supports embedded Perl (${perl} expansion item), such
as exim4-daemon-heavy in GNU/Debian Linux, the ACL's will be able to match
against text that has been escaped (E.g: =2e for .), hidden using HTML
entities (&#...;) or Base64 encoded (These are common tricks used by
spammers to avoid filters.)

To enable Perl support for decoding escaped/encoded message text, edit
config/embedded_perl and uncomment the perl_startup line.  Then edit
config/check_perl and set this to Yes.

NOTE:  The following Perl libraries are required:

       MIME::Base64          (Debian package:  libs/libmime-base64-perl)
       HTML::Entities.pm     (Debian package:  libhtml-parser-perl)
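What the embedded Perl decoding has to do before reject/body patterns can match, shown as an added Python example (not EximConfig's Perl): strip quoted-printable escapes, HTML entities and Base64, repeatedly for stacked encodings, then match. The patterns and sample bodies are constructed for the example.

```python
"""Undo the encodings the embedded Perl support exists for, then match
reject/body-style patterns against the decoded text. Added example in Python,
not EximConfig's Perl; the patterns and sample bodies are constructed."""
import base64
import binascii
import html
import quopri
import re

# Constructed stand-ins for reject/body entries; "[1i]" is the kind of simple
# obfuscation the plain Exim ACLs can already handle.
REJECT_BODY_PATTERNS = [r"v[1i]agra", r"free\s+money"]

# Constructed sample bodies, each hiding the same phrase a different way.
SAMPLE_BODIES = {
    "plain":   "Buy V1agra now",
    "qp":      "Buy V=69agra now",           # quoted-printable: =69 is 'i'
    "html":    "Buy &#86;iagra now",         # HTML numeric entity: &#86; is 'V'
    "base64":  "QnV5IFZpYWdyYSBub3c=",       # base64 of "Buy Viagra now"
    "stacked": "QnV5IFY9NjlhZ3JhIG5vdw==",   # base64 of the quoted-printable variant
    "clean":   "Meeting moved to 3pm, see agenda attached",
}


def try_base64(text):
    """Return the decoded text if 'text' is a Base64 blob, else None.

    Heuristic: only the Base64 alphabet, a length that is a multiple of 4,
    and a decode that is printable ASCII (so ordinary words such as
    'ThisIsPlainTextX' are not mangled)."""
    compact = "".join(text.split())
    if len(compact) < 16 or len(compact) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not all(32 <= b < 127 or b in b"\r\n\t" for b in raw):
        return None
    return raw.decode("ascii")


def decode_layers(text, max_rounds=3):
    """Peel Base64, quoted-printable and HTML entities off repeatedly until
    the text stops changing (max_rounds bounds stacked encodings)."""
    current = text
    for _ in range(max_rounds):
        decoded = try_base64(current)
        if decoded is None:
            decoded = current
        # quoted-printable: =2E for '.', =69 for 'i', soft line breaks
        decoded = quopri.decodestring(decoded.encode("utf-8", "replace")).decode("utf-8", "replace")
        # HTML entities: &#86; for 'V', &amp; and friends
        decoded = html.unescape(decoded)
        if decoded == current:
            break
        current = decoded
    return current


def matches_reject_body(body, patterns=REJECT_BODY_PATTERNS):
    """Return the first pattern that matches the decoded body, or None."""
    text = decode_layers(body)
    for pattern in patterns:
        if re.search(pattern, text, re.IGNORECASE):
            return pattern
    return None
```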


Flood protection using MySQL database (11):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If your Exim supports MySQL lookups (${lookup mysql}), such as
exim4-daemon-heavy in GNU/Debian Linux, you can enable flood protection
to help safe-guard your Exim MTA from flood sending/mail bombs and DoS
(Denial of Service) attacks.

Host flood protection will drop connections from hosts if the number of
connections within given periods of time (1, 5, 15, 30 and 60 minutes)
exceeds the limits specified.

Sender flood protection will reject messages from senders if the total
number of messages they have sent within given periods of time exceeds
the limits specified (NOTE:  A single message sent to multiple recipients
in one go counts as 1 message from the sender.)

Duplicate message protection will reject repeat sendings of the same message
(Based on initial subject and body content) to an individual user and multiple
users, based on the limits that have been specified.  This can be useful for
combating spams sent to multiple users or sent over and over again.

Repeat delivery failure protection will reject senders who repeatedly send
messages from the same host that result in rejection by EximConfig's DATA
ACL's.

This is particularly useful for combating poorly designed or configured mail
servers that incorrectly treat messages permanently rejected after DATA as a
temporary rather than permanent failure and keep on retrying up to their
configured temporary failure timeout, resulting in lots of logfile spam and
wasted bandwidth/server resources (NOTE:  This cannot take into account
messages rejected by SMTP-time SpamAssassin because this is carried out
by local_scan() after Exim's ACL's have been processed.)

In order to use flood protection, you will need to create a MySQL database
and several tables for it to use (EximConfig cannot do this automatically.)


Creating a MySQL user for EximConfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You will also need a suitable MySQL user and password for EximConfig to
use to access this database (IMPORTANT:  Don't use MySQL's root user!)


mysql -uroot -p
[Press RETURN and enter your MySQL root password here]

mysql> use mysql

mysql> INSERT INTO user (Host,User,Password,Select_priv,Update_priv,Insert_priv,Delete_priv) VALUES('localhost','eximconfig',PASSWORD('ex1mc0nfig'),'Y','Y','Y','Y');

(NOTE:  Use something different from the above example password ex1mc0nfig and
        keep a note of it  -  You will need it later.)

mysql> flush privileges;


Creating the database and tables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now you will need to create the database and tables:

mysql> CREATE DATABASE EximConfig;

mysql> use EximConfig

mysql> CREATE TABLE FloodProtectHost(ID INT NOT NULL auto_increment,Host VARCHAR(40) NOT NULL,Received TIMESTAMP,primary key(ID),index(Host));

mysql> CREATE TABLE FloodProtectSender(ID INT NOT NULL auto_increment,User VARCHAR(128) NOT NULL,Domain VARCHAR(128) NOT NULL,Received TIMESTAMP,primary key(ID),index UserDomain (User,Domain));

mysql> CREATE TABLE FloodProtectSenderRcpt(ID INT NOT NULL auto_increment,FromUser VARCHAR(128) NOT NULL,FromDomain VARCHAR(128) NOT NULL,ToUser VARCHAR(128) NOT NULL,ToDomain VARCHAR(128) NOT NULL,Received TIMESTAMP,primary key(ID),index FromUserDomain (FromUser,FromDomain),index ToUserDomain (ToUser,ToDomain));

mysql> CREATE TABLE FloodProtectRepeat(ID INT NOT NULL auto_increment,Body VARCHAR(32),Recipient VARCHAR(128) NOT NULL,Received TIMESTAMP,primary key(ID),index BodyRecipient (Body,Recipient));

mysql> CREATE TABLE FloodProtectRepeatFail(ID INT NOT NULL auto_increment,FromUser VARCHAR(128) NOT NULL,FromDomain VARCHAR(128) NOT NULL,ToUser VARCHAR(128) NOT NULL,ToDomain VARCHAR(128) NOT NULL,Host VARCHAR(40) NOT NULL,Received TIMESTAMP,primary key(ID),index FromUserDomain (FromUser,FromDomain),index ToUserDomain (ToUser,ToDomain),index(Host));

mysql> CREATE TABLE GreylistVerify(ID INT NOT NULL auto_increment,FromUser VARCHAR(128) NOT NULL,FromDomain VARCHAR(128) NOT NULL,ToUser VARCHAR(128) NOT NULL,ToDomain VARCHAR(128) NOT NULL,Host VARCHAR(40) NOT NULL,Received TIMESTAMP,primary key(ID),index FromUserDomain (FromUser,FromDomain),index ToUserDomain (ToUser,ToDomain),index(Host),index(Received));

mysql> CREATE TABLE GreylistVerified(ID INT NOT NULL auto_increment,FromUser VARCHAR(128) NOT NULL,FromDomain VARCHAR(128) NOT NULL,ToUser VARCHAR(128) NOT NULL,ToDomain VARCHAR(128) NOT NULL,Host VARCHAR(40) NOT NULL,LastMsg TIMESTAMP,primary key(ID),index FromUserDomain (FromUser,FromDomain),index ToUserDomain (ToUser,ToDomain),index(Host));

mysql> quit
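How the host flood check over the 1/5/15/30/60-minute windows works against the FloodProtectHost table, as an added example (not EximConfig's own ACL logic, which uses ${lookup mysql} inside Exim). It uses sqlite3 so it runs offline, with the FloodProtectHost definition above rewritten in SQLite syntax; the limits and the connection log are constructed values (the real limits are set in config/flood_protect).

```python
"""Host flood check over the 1/5/15/30/60-minute windows described above.
Added example, not EximConfig's own ACL logic (which uses ${lookup mysql});
it uses sqlite3 so it runs offline, with the FloodProtectHost table above
rewritten in SQLite syntax. The limits and the connection log are constructed."""
import sqlite3
from datetime import datetime, timedelta

# Max connections allowed per window (minutes -> count). Constructed values;
# the real ones are set in config/flood_protect.
HOST_LIMITS = {1: 5, 5: 15, 15: 30, 30: 50, 60: 80}
RETENTION_MINUTES = max(HOST_LIMITS)  # nothing older than the longest window matters

DDL = """
CREATE TABLE FloodProtectHost (
    ID       INTEGER PRIMARY KEY AUTOINCREMENT,
    Host     VARCHAR(40) NOT NULL,
    Received TIMESTAMP NOT NULL
);
CREATE INDEX FloodProtectHost_Host ON FloodProtectHost (Host);
"""

# Constructed connection log: host A bursts six times in a minute, host B
# connects once, A returns two minutes later and again after 70 minutes.
_T0 = datetime(2024, 10, 28, 9, 0, 0)
SAMPLE_EVENTS = (
    [("198.51.100.7", _T0 + timedelta(seconds=10 * i)) for i in range(6)]
    + [("203.0.113.9", _T0 + timedelta(seconds=90))]
    + [("198.51.100.7", _T0 + timedelta(minutes=2))]
    + [("198.51.100.7", _T0 + timedelta(minutes=70))]
)


def _ts(when):
    # One fixed text format so that string comparison in SQL orders by time.
    return when.isoformat(sep=" ")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    return conn


def record_connection(conn, host, when):
    conn.execute("INSERT INTO FloodProtectHost (Host, Received) VALUES (?, ?)",
                 (host, _ts(when)))


def purge_old(conn, now):
    """Drop rows older than the longest window so the table stays small."""
    conn.execute("DELETE FROM FloodProtectHost WHERE Received < ?",
                 (_ts(now - timedelta(minutes=RETENTION_MINUTES)),))


def connections_in_window(conn, host, now, minutes):
    since = _ts(now - timedelta(minutes=minutes))
    return conn.execute(
        "SELECT COUNT(*) FROM FloodProtectHost WHERE Host = ? AND Received >= ?",
        (host, since)).fetchone()[0]


def host_flood_check(conn, host, now, limits=HOST_LIMITS):
    """Return None to accept the connection, or (window_minutes, count, limit)
    for the shortest window whose limit is exceeded (Exim would then drop the
    connection). The current connection must already be recorded."""
    for minutes in sorted(limits):
        count = connections_in_window(conn, host, now, minutes)
        if count > limits[minutes]:
            return (minutes, count, limits[minutes])
    return None


def simulate(events=SAMPLE_EVENTS):
    """Replay (host, time) events in order; return the decisions and how many
    rows are left after the last purge."""
    conn = open_db()
    decisions = []
    for host, when in events:
        purge_old(conn, when)
        record_connection(conn, host, when)
        decisions.append((host, host_flood_check(conn, host, when)))
    remaining = conn.execute("SELECT COUNT(*) FROM FloodProtectHost").fetchone()[0]
    conn.close()
    return decisions, remaining
```

With the constructed limits, the sixth connection inside one minute is the one that gets dropped, and the same host is accepted again once the one-minute window has moved on.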


Configure EximConfig to use flood protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Edit config/flood_protect and set FLOOD_PROTECT_ENABLED to Yes

NOTE:  You may also wish to tweak the settings in this file to suit
       your requirements.

Edit config/mysql_database and uncomment the hide mysql_servers line.

You will need to edit this so that it contains the correct MySQL server
hostname, database, username and password.  In general, unless your MySQL
server is running somewhere other than localhost, the only parts you will need
to change are the username and password, e.g:

hide mysql_servers = localhost/EximConfig/eximconfig/ex1mc0nfig

Also, ensure that this file is not readable by everyone on your system,
otherwise they will be able to view this file and log into MySQL using
the username and password!  I.e:  chmod o-rwx config/mysql_database


Enabling flood protection
~~~~~~~~~~~~~~~~~~~~~~~~~
Simply restart Exim and flood protection should be up and running.

You should now see X-Flood-Protect in the headers of inbound messages
from remote hosts.

NOTE:  Flood protection is not applied to messages sent by hosts listed
       in hosts/local, hosts/relay, hosts/remote and accept/hosts.
       
       It will also not be applied to senders and sender domains listed
       in accept/sender_address and accept/sender_domain.


Optimising flood protection MySQL tables used by EximConfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE:  Please ignore this section if you have just created the EximConfig
       flood protection tables using the above MySQL CREATE TABLE statements.
       ***  THIS IS FOR OLDER EXIMCONFIG INSTALLATIONS ONLY.  ***

Earlier instructions for creating the MySQL tables used by EximConfig flood
protection did not include definitions for indexes to speed up searching
performed on the database by Exim.

The following MySQL commands will add these indexes to speed up the performance
of searches.  The 'Body' field of FloodProtectRepeat will also be changed to
VARCHAR(32) due to the fact that it now uses an MD5 checksum of the message
for duplicate checking instead of the actual message text as in early
versions.

mysql EximConfig -uroot -p

mysql> alter table FloodProtectHost add index(Host);
mysql> create index UserDomain on FloodProtectSender (User,Domain);
mysql> create index FromUserDomain on FloodProtectSenderRcpt (FromUser,FromDomain);
mysql> create index ToUserDomain on FloodProtectSenderRcpt (ToUser,ToDomain);
mysql> alter table FloodProtectRepeat change Body Body VARCHAR(32);
mysql> create index BodyRecipient on FloodProtectRepeat (Body,Recipient);

mysql> quit


Greylisting using MySQL database (12):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greylisting takes advantage of the fact that most legitimate mailers will
automatically retry at increasing intervals when a message is temporarily
rejected.

Most spam sending software and viruses with built-in SMTP engines are
incapable of doing this (Or retry immediately several times and then
give up.)  It's also impractical for spammers to retry failed deliveries
with the vast quantities of messages they need to send out to make the
spam effective.

Greylisting is enabled and customised in the config file config/greylist

For each unique sender (Sender address, recipient address and host), the
greylisting feature will initially temporarily reject the message.  All
further attempts will be rejected until the minimum delay period 
(GREYLIST_VERIFY_MIN_DELAY) has passed.

NOTE:  Temporary rejection should not result in the sending MTA informing
       the sender of delivery failure, unless a poorly designed/implemented
       MTA is being used (Which for legitimate senders/ISP's is rare.)

Once the minimum delay period has passed, the sender will pass greylist
verification and further messages sent from the same host will not be
delayed.  This will remain in effect providing users from the host send
messages on a regular basis (The verification will timeout after
GREYLIST_PASS_TIMEOUT days.)  Greylisting can also be performed
per individual sender+recipient+host if GREYLIST_PASS_HOST is set to No.

If a sender fails to resend within the maximum delay period
(GREYLIST_VERIFY_MAX_DELAY), all further messages from them will be rejected.
This will time out after a set period of days (GREYLIST_VERIFY_TIMEOUT.)

By default, greylisting is applied to potential dynamic hosts (I.e:
DSL/cable/dial-up connections) and hosts with no reverse DNS lookup (PTR)
record set only.  This helps prevent mail from most legitimate senders
sent via legitimate ISP mail servers from being delayed.  You can optionally
apply greylisting to all hosts if you wish by setting GREYLIST_ALL to Yes.

NOTE:  Greylisting does not affect other EximConfig ACL's.  These will
       still be applied regardless of whether the user has passed
       greylisting or not (Recipient ACL's are applied before the
       greylist ACL's.  DATA ACL's are applied afterwards.)

Greylisting is disabled by default.  If you wish to use the greylisting
feature, you will need to setup the required MySQL database and tables first.
Greylisting can then be enabled by editing config/greylist and setting
GREYLIST_ENABLED to Yes.

For instructions on how to setup the MySQL database and tables, please see the
above Flood Protection section (The same EximConfig database is utilised.)

If you have already previously created this database, please skip the CREATE
DATABASE instruction and CREATE TABLE instructions for all tables except
for GreylistVerify and GreylistVerified.  Also, please see the 10/09/2004 note
in the IMPORTANT UPGRADE NOTES section regarding the update privilege for the
EximConfig MySQL user.
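The greylist states described above (pending verification, passed, failed, timed out) as an added in-memory model, not EximConfig's own ACL/MySQL implementation. It reuses the parameter names from config/greylist, but the values assigned to them here are constructed for the example, as are the sender and host addresses.

```python
"""Greylist decision logic as described above: an added in-memory model, not
EximConfig's own ACL/MySQL implementation. It reuses the parameter names from
config/greylist, but the values given here are constructed for the example."""
from datetime import datetime, timedelta

GREYLIST_VERIFY_MIN_DELAY = timedelta(minutes=5)  # constructed value
GREYLIST_VERIFY_MAX_DELAY = timedelta(hours=4)    # constructed value
GREYLIST_VERIFY_TIMEOUT = timedelta(days=2)       # constructed value (days)
GREYLIST_PASS_TIMEOUT = timedelta(days=30)        # constructed value (days)
GREYLIST_PASS_HOST = True                         # Yes: a pass covers the whole host


class Greylist:
    """Holds what the GreylistVerify (pending) and GreylistVerified (passed)
    tables hold, keyed the same way."""

    def __init__(self, pass_host=GREYLIST_PASS_HOST):
        self.pass_host = pass_host
        self.verify = {}    # (sender, recipient, host) -> time of first attempt
        self.verified = {}  # host, or (sender, recipient, host) -> time of last message

    def _pass_key(self, sender, recipient, host):
        return host if self.pass_host else (sender, recipient, host)

    def check(self, sender, recipient, host, now):
        """Return 'accept', 'defer' (temporary reject) or 'reject'."""
        pkey = self._pass_key(sender, recipient, host)
        last = self.verified.get(pkey)
        if last is not None:
            if now - last <= GREYLIST_PASS_TIMEOUT:
                self.verified[pkey] = now  # regular mail keeps the pass alive
                return "accept"
            del self.verified[pkey]        # pass timed out: verify again

        vkey = (sender, recipient, host)
        first = self.verify.get(vkey)
        if first is not None and now - first > GREYLIST_VERIFY_TIMEOUT:
            del self.verify[vkey]          # failed verification timed out
            first = None
        if first is None:
            self.verify[vkey] = now        # first contact: temporary reject
            return "defer"
        elapsed = now - first
        if elapsed < GREYLIST_VERIFY_MIN_DELAY:
            return "defer"                 # retried too soon
        if elapsed > GREYLIST_VERIFY_MAX_DELAY:
            return "reject"                # did not retry within the maximum delay
        del self.verify[vkey]
        self.verified[pkey] = now          # passed verification
        return "accept"


def greylist_applies(has_ptr, looks_dynamic, greylist_all=False):
    """Default scope: dynamic-looking hosts and hosts without a PTR record;
    GREYLIST_ALL = Yes extends it to every host."""
    return greylist_all or looks_dynamic or not has_ptr


def scenario():
    """Walk two sending hosts through the states; returns the decisions."""
    g = Greylist()
    t0 = datetime(2024, 10, 28, 9, 0, 0)
    s, r, h = "alice@example.net", "fred.bloggs@domain.tld", "198.51.100.7"
    out = [
        g.check(s, r, h, t0),                                   # defer: first contact
        g.check(s, r, h, t0 + timedelta(minutes=1)),            # defer: before min delay
        g.check(s, r, h, t0 + timedelta(minutes=6)),            # accept: verified
        g.check("carol@example.net", r, h, t0 + timedelta(minutes=7)),  # accept: same host
    ]
    h2 = "203.0.113.9"   # a host that retries only after the maximum delay
    out += [
        g.check(s, r, h2, t0),                                  # defer
        g.check(s, r, h2, t0 + timedelta(hours=5)),             # reject: past max delay
        g.check(s, r, h2, t0 + timedelta(days=3)),              # defer: record timed out
        g.check(s, r, h, t0 + timedelta(days=31)),              # defer: pass timed out
    ]
    return out
```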


Permanent reject by-pass (Auto-whitelist) using MySQL database (13):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EximConfig features a reject by-pass phrase that can be added to the recipient
name to by-pass message rejection in most cases.  By default, this simply
involves the user adding 'verified-' or 'verify-' followed by a unique
verification ID to the address of each recipient, e.g:
verified-17263-fred.bloggs@domain.tld

Without fixing the reason for their messages being rejected, the sender would
need to add verified- to the recipient of every message they send (Unless you
whitelist them using accept/sender_address, accept/sender_domain,
domains/nocallback, etc.)  -  This can be particularly frustrating
if they need to send a message to multiple recipients.

Ideally, the user needs to get the problem fixed, which is usually down to
poor mail server configuration or ACL restrictions at their end (E.g:  Host
block, null sender <> not accepted, IP-based RBL, etc.)  However, some users
may not understand how to do this, or may be reliant on a 3rd party (E.g:
ISP) that is either unwilling or slow to do this.

To get around this, you can enable the use of the auto-whitelisting feature,
which uses a MySQL database to remember users who have properly followed the
instructions in their reject bounce messages and have used the verification
phrase to get their message through.

Passed verification is keyed on either of the following:

*  IP address of sender, plus their full sender address.
*  Full sender address and recipient.

So, if they send from the same IP in future or to the same verified recipient,
the message will automatically be whitelisted (Equivalent of adding verified-)

Addresses of whitelisted senders will automatically be removed from the
database if no messages are received within a period of 30 days.


Creating the auto-whitelist database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please first follow the above flood protection instructions for creating the
EximConfig database (If you do not wish to use flood protection, you can omit
creation of its tables (create table statements) and ignore the section on
enabling flood protection.)

You will now need to create the whitelisting database tables:

mysql EximConfig -uroot -p

mysql> CREATE TABLE VerifiedSenders (ID INT NOT NULL auto_increment,Host VARCHAR(40) NOT NULL,FromUser VARCHAR(115) NOT NULL,FromDomain VARCHAR(115) NOT NULL,ToUser VARCHAR(115) NOT NULL,ToDomain VARCHAR(115) NOT NULL,Received TIMESTAMP,primary key(ID),unique UniqueSender (FromUser,FromDomain,ToUser,ToDomain,Host),index HostSender (Host,FromUser,FromDomain));

mysql> quit


Enabling auto-whitelisting
~~~~~~~~~~~~~~~~~~~~~~~~~~
Simply edit config/auto-whitelist and set AUTO_WHITELIST to Yes.

Now restart Exim.

You will see X-Auto-Whitelisted-Sender: Yes in the headers of messages from
auto-whitelisted senders.


TLS (Secure SMTP) (14):
~~~~~~~~~~~~~~~~~~~~~~~
If Exim4 has been compiled with TLS (Secure SMTP) support, you can enable it
by installing certificates or creating a self-signed certificate.  This enables
secure E-mail transfer to take place between two servers that support TLS.

config/tls_certificate_public.pem	Public certificate.
config/tls_certificate_private.pem	Private key part of certificate.
config/tls_dhparam.pem			DH parameters file (openssl only.)

reject/tls				Hosts that TLS will be disallowed
					for (E.g:  Those with broken TLS.)


To generate a self-signed certificate with openssl (Follow on-screen prompts):

openssl req -x509 -newkey rsa:1024 -keyout config/tls_certificate_private.pem \
-out config/tls_certificate_public.pem -days 9999 -nodes

openssl dhparam -out config/tls_dhparam.pem 1024

(Above assumes that you are currently in the eximconfig directory.)

NOTE:  The installation and use of strong encryption may be illegal in some
       countries.  Initially generating the keys may take some time on older
       computer systems.


Windows executables and viruses (15):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE:  If you are using Exiscan, please ignore this section.

EximConfig has ACL's that will reject executable Windows files, which are
usually viruses or 'Trojan Horses' containing SpyWare, SpamWare or other
malicious code.  In most cases, there are very few legitimate reasons
to receive Windows executables (Even if you are running Windows!), and
legitimate executables can always be archived (E.g:  .zip) so that they
can be sent/received without being blocked.

If you're not running Windows, this ACL is still useful to stop you from
receiving all the virus-generated spam from infected Windows users!

To enable this ACL, simply edit config/check_attachment_executable and set
this to Yes.  Then restart Exim for this change to take effect.

While this ACL will reject the majority of executables and is being improved
all the time, there is a very small possibility that a file may slip through
due to encoding of the message that cannot be handled within Exim ACL's.

To help safe-guard against this, simply add the following to your
SpamAssassin local.cf (Usually in /etc/mail/spamassassin/local.cf  -
See the SA docs for other possible locations):


score MICROSOFT_EXECUTABLE     N.N


(Where N.N is the threshold that you use for SApermreject in
config/sa-exim.conf)

This will ensure that any Microsoft executable files that manage to slip
through will be blocked at SMTP-time by SpamAssassin, which is able to
fully decode such messages.

IMPORTANT:  If you have any Windows machines, these should be running
            up-to-date anti-virus software with the latest signatures
            installed.   E-mail isn't the only way to catch viruses!

You may also want to assign a score for BASE64_ENC_TEXT, which is sometimes
used by spammers to hide their spam text from filters.  SpamAssassin can
decode this, but the ACL's in EximConfig can't (There's no function in
Exim to do this.)  A suggested setting is half of your SA reject threshold
(SApermreject) in config/sa-exim.conf - You don't want to reject these
messages out-right because legitimate messages may sometimes be sent
to you in this format.


Using EximConfig with Fetchmail (16):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The EximConfig ACL's are intended for blocking directly received spam at
SMTP-time, penalising the spammer and their spam sending software.  Because
mail collected via POP3 or IMAP using fetchmail has already been received
on your behalf by your ISP, it's too late to penalise the spammer (You only
end up penalising your ISP's POP3/IMAP server and your local fetchmail
process instead!)

However, it can still be worth using EximConfig in conjunction with fetchmail
to help filter out unwanted junk collected via fetchmail.  The downside is the
spammer will never know that you didn't receive their message (With the
exception that you never view their tracking images embedded in the message
or click on their links.)

If you have a broadband/cable connection, you should consider purchasing your
own registered domain name, so that you can point the MX (Mail eXchanger) of
it directly at your Exim host so that spam gets rejected at SMTP-time.  If
you have a dynamic IP that changes, you can use services such as DynDNS (See
www.dyndns.org) and clients like ddclient to automatically keep the IP address
your domain points to up-to-date.  A registered domain also has the advantage
of staying the same no matter what ISP you move to in the future.


Aliased network interface
~~~~~~~~~~~~~~~~~~~~~~~~~
To make it work, you will first need to setup an aliased interface for
delivering your fetchmail collected E-mail.  By default, fetchmail delivers
via localhost, which will avoid most of the ACL's in EximConfig as well as
scanning by SpamAssassin.

Simply add an aliased interface that will then be used for delivering fetchmail
collected messages using the smtphost option in your .fetchmailrc or the global
/etc/fetchmailrc

In GNU/Debian Linux, you would do this via /etc/network/interfaces, e.g:


# Aliased local interface for fetchmail delivery via Exim
auto eth0:0
iface eth0:0 inet static
   address 192.168.0.111
   netmask 255.255.255.0
   network 192.168.0.0
   broadcast 192.168.0.255


The above assumes you are using the private 192.168.0.0/255.255.255.0 network
for your computers on your LAN.  If you are using one of the other private
ranges (E.g:  172.16.0.0/255.255.0.0) you should assign an appropriate IP
address in that range for fetchmail, e.g:  172.16.0.111


Local DNS lookup
~~~~~~~~~~~~~~~~
You will need to be able to refer to this address by name, so if you are
running a local DNS server, you should add an appropriate local name for
this IP address.  I use spamcheck.lan

If you do not have a local DNS server, or don't know how to set one up,
simply add the following to /etc/hosts (Change 192.168.0.111 appropriately
if you have used a different IP address to this):


192.168.0.111	spamcheck.lan spamcheck


Check that the above is all working OK by pinging spamcheck.lan (Or whatever
you have decided to call it):


linux:/# ping -c 4 spamcheck.lan
PING spamcheck.lan (192.168.0.111): 56 data bytes
64 bytes from 192.168.0.111: icmp_seq=0 ttl=0 time=0.0 ms
64 bytes from 192.168.0.111: icmp_seq=1 ttl=0 time=0.0 ms
64 bytes from 192.168.0.111: icmp_seq=2 ttl=0 time=0.0 ms
64 bytes from 192.168.0.111: icmp_seq=3 ttl=0 time=0.0 ms

--- spamcheck.lan ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


EximConfig local domains
~~~~~~~~~~~~~~~~~~~~~~~~
To prevent messages delivered via spamcheck.lan from being rejected, you will
need to add spamcheck.lan to domains/local, otherwise they will be rejected as
third-party relaying attempts!

NOTE:  DO NOT add spamcheck.lan or its IP address to hosts/local, hosts/relay,
       etc. otherwise the ACL's and SpamAssassin will not be applied.


EximConfig remote hosts
~~~~~~~~~~~~~~~~~~~~~~~
Fetchmail by default uses FETCHMAIL-DAEMON@localhost when sending bounces,
etc.  This unfortunately can't be changed in its config at present, so will
result in the message being rejected as a forgery.  To prevent this, simply
add the IP address of your spamcheck.lan interface to hosts/remote, e.g:

192.168.0.111


Fetchmail config
~~~~~~~~~~~~~~~~
You will need to add the following options to your fetchmailrc:

*  Make sure bounces to the sender are disabled with 'set no bouncemail'
   (fetchmail then reports delivery failures to the local postmaster
   instead) - You don't want to be bouncing rejected spam, which is usually
   from forged addresses.

*  In the defaults: section, you need the following options:

   antispam 550
   smtphost spamcheck.lan

   The first option will allow fetchmail to recognise messages that have been
   rejected as spam or for some other ACL reason, such as non-existent sender
   domain, etc.  Messages rejected by this code will not be bounced and will
   be deleted from the POP3/IMAP server by fetchmail.

   The second option tells fetchmail to deliver collected messages via
   spamcheck.lan instead of localhost, allowing the EximConfig ACL's and
   SpamAssassin to be applied.


Disable SA-Exim teergrube for fetchmail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Finally, you will need to disable teergrube for fetchmail:  You don't want to
teergrube your own fetchmail process!  Edit hosts/noteergrube and add the
following to it:


192.168.0.111			AVOID


Reject forgeries
~~~~~~~~~~~~~~~~
A common trick used by spammers when hiding their identity is to simply use
your E-mail address as the sender address!  EximConfig will reject these
forgeries for your domain names, but you can also reject forged messages
collected via fetchmail by simply adding your full POP3/IMAP E-mail
addresses to reject/sender_address_forged


Check that it works!
~~~~~~~~~~~~~~~~~~~~
Before trying the above for the first time, please use stand-alone POP3/IMAP
collection software to collect your messages so that you don't lose anything
important by accident (Or try it out with a test POP3/IMAP account you
don't normally use, or one that you receive nothing but spam on!  :)

Restart fetchmail and Exim to be sure all of the above changes have taken
effect.  Then try sending both a normal message and a test spam message.
A subject such as 'Buy Viagra now!' on its own will rarely score above the
threshold, so for a reliable test put the SpamAssassin GTUBE test string
(XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X) in
the body of the message; SpamAssassin scores this far above any sensible
SApermreject threshold, so SA-Exim should reject it at SMTP-time.

Check your logs (Exim rejectlog, mainlog, etc.) to make sure messages are
being accepted/rejected and delivered correctly.  Check the headers of
received messages to make sure that they have passed through SpamAssassin
(Presence of X-Spam headers will indicate this.)  Keep an eye on rejectlog
to ensure that spam with a high score collected through fetchmail is not
being teergrubed.
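The header check described above, as an added example that is not part of
EximConfig or of this README: it parses a delivered message and reports
whether the last hop into Exim was the spamcheck.lan interface (rather than
localhost) and whether SpamAssassin headers are present.  The sample
messages are constructed, the host name, IP and Exim Received: wording are
assumptions, and the X-Spam-Status formats matched ("hits=" for SpamAssassin
2.x, "score=" for 3.x) are the only ones handled.

```python
import re
from email import message_from_string

# Constructed sample messages (not real captures).  The first is what a
# message looks like after fetchmail hands it to Exim via spamcheck.lan and
# SA-Exim/SpamAssassin have scanned it; the second is the failure mode where
# fetchmail still delivered via localhost and no scanning took place.
SCANNED = """Received: from spamcheck.lan ([192.168.0.111])
        by mail.example.lan with esmtp (Exim 4.x)
        for user@example.lan; Mon, 02 Jun 2003 10:00:00 +0100
X-Spam-Status: No, hits=1.2 required=5.0
X-Spam-Level: *
From: friend@example.org
To: user@example.lan
Subject: Lunch?

See you at one.
"""

UNSCANNED = """Received: from localhost ([127.0.0.1])
        by mail.example.lan with esmtp (Exim 4.x)
        for user@example.lan; Mon, 02 Jun 2003 10:05:00 +0100
From: spammer@example.net
To: user@example.lan
Subject: Buy now

Cheap meds.
"""

# SpamAssassin 2.x writes "hits=", SpamAssassin 3.x writes "score=".
STATUS_RE = re.compile(r"(?:hits|score)=(-?[0-9.]+)\s+required=([0-9.]+)")


def check_delivery(raw, host="spamcheck.lan", ip="192.168.0.111"):
    """Check that a collected message arrived via the spamcheck interface
    and carries SpamAssassin headers.  Returns a dict with the last hop,
    the parsed score/threshold (None if absent) and the problems found."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Exim prepends its own Received: header, so received[0] is the hop
    # into our server, i.e. the fetchmail -> Exim delivery.
    last_hop = " ".join(received[0].split()) if received else ""
    spam_headers = {k: v for k, v in msg.items()
                    if k.lower().startswith("x-spam-")}
    problems = []
    if not received:
        problems.append("no Received: header, message did not pass through Exim")
    elif host not in last_hop and ip not in last_hop:
        problems.append("last hop was not %s: %s" % (host, last_hop))
    if not spam_headers:
        problems.append("no X-Spam-* headers, SpamAssassin did not scan this message")
    score = required = None
    m = STATUS_RE.search(msg.get("X-Spam-Status", ""))
    if m:
        score, required = float(m.group(1)), float(m.group(2))
    return {"last_hop": last_hop, "spam_headers": spam_headers,
            "score": score, "required": required, "problems": problems}


if __name__ == "__main__":
    for name, raw in (("scanned", SCANNED), ("unscanned", UNSCANNED)):
        result = check_delivery(raw)
        print(name, "OK" if not result["problems"] else result["problems"])
```

Feed it a message saved from your mailbox (a file with the full headers) to
confirm the fetchmail path is the one you configured; a "from localhost"
last hop with no X-Spam-* headers means the smtphost option is not in
effect.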


Recipient tags (17):
~~~~~~~~~~~~~~~~~~~~
In addition to the reject by-pass phrase (See section 13), a number of special
tags can be used in front of a recipient address for outbound messages from
local or relay hosts:

smart-recipient@domain.tld

   Forces the message to be routed via ISP smarthosts, providing that the
   sender's domain is not listed in route/direct.  The smart- part is
   removed automatically from the recipient address.

   NOTE:  Please ensure that the sender domain is authorised to relay
          through the ISP's smarthosts before using this option,
          otherwise your message may be rejected.

direct-recipient@domain.tld

   Forces the message to be routed directly over SMTP, by-passing any ISP
   smarthost normally used to handle mail for the sender's domain.  The
   direct- part is removed automatically from the recipient address.

local_domain.tld%recipient@domain.tld

   Changes the sender's domain to that specified 'on the fly'.  This is
   useful for one-off E-mails where the sender wishes to use another
   local or relay domain name without having to change this in the
   settings of their E-mail software.  The local_domain.tld% part
   is removed automatically from the recipient address.

   NOTE:  Since this rewrites the sender domain to any local or relay
          domain, it is (like the other tags) only honoured for messages
          from local or relay hosts, so keep hosts/local and hosts/relay
          restricted to machines you trust.
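An added illustration of how the three tags are interpreted, written for
this README and not taken from EximConfig's own routers or ACL's: a single
function that strips one tag, applies the routing or sender-domain change it
asks for, and refuses to act unless the sending host is a local/relay host.
The domain and host lists are stand-ins for domains/local, domains/relay,
route/direct and hosts/local plus hosts/relay; the behaviour when a smart-
tag meets a sender domain in route/direct (fall back to direct routing) and
the rejection of a sender domain that is neither local nor relay are
assumptions made for the example.

```python
# Stand-ins for the EximConfig lists; assumed contents for this example.
LOCAL_DOMAINS = {"example.lan", "alt.example"}      # domains/local
RELAY_DOMAINS = {"relay.example"}                   # domains/relay
DIRECT_DOMAINS = {"alt.example"}                    # route/direct
TRUSTED_HOSTS = {"192.168.0.10", "192.168.0.11"}    # hosts/local + hosts/relay


def apply_recipient_tag(sender, recipient, client_ip):
    """Honour one recipient tag and return (sender, recipient, route).

    route is "default" (whatever the sender's domain normally uses),
    "smarthost" or "direct".  Tags are only honoured for mail from a
    local or relay host; from anywhere else the addresses are returned
    untouched, so a remote host cannot rewrite its sender domain.
    """
    route = "default"
    if client_ip not in TRUSTED_HOSTS:
        return sender, recipient, route
    local, _, domain = recipient.rpartition("@")
    sender_local, _, sender_domain = sender.rpartition("@")

    if "%" in local:
        # local_domain.tld%recipient@domain.tld: rewrite the sender domain,
        # but only to a domain this server is responsible for.
        new_domain, _, local = local.partition("%")
        if new_domain not in LOCAL_DOMAINS | RELAY_DOMAINS:
            raise ValueError("%s is not a local or relay domain" % new_domain)
        sender = "%s@%s" % (sender_local, new_domain)
    elif local.startswith("smart-"):
        # smart-recipient: via the ISP smarthost, unless route/direct says
        # this sender domain is always routed directly (assumed fallback).
        local = local[len("smart-"):]
        route = "direct" if sender_domain in DIRECT_DOMAINS else "smarthost"
    elif local.startswith("direct-"):
        # direct-recipient: straight out over SMTP, bypassing any smarthost.
        local = local[len("direct-"):]
        route = "direct"

    return sender, "%s@%s" % (local, domain), route


if __name__ == "__main__":
    for args in (("me@example.lan", "smart-bob@remote.example", "192.168.0.10"),
                 ("me@example.lan", "direct-bob@remote.example", "192.168.0.10"),
                 ("me@example.lan", "alt.example%bob@remote.example", "192.168.0.10"),
                 ("me@example.lan", "direct-bob@remote.example", "203.0.113.5")):
        print(args, "->", apply_recipient_tag(*args))
```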


EximConfig Directories (18):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
accept		Whitelist ACL's.
bin		Various scripts and utilities, such as makelinks, mcp,
		eximconfigstats, logview, loggrep, etc.
config		Main configuration files.
domains		Local, relay and callback domain names.
hosts		Relay and smart hosts, plus hosts/exim distribution file.
localparts	Local part (Bit before @ in address) related configuration. 
messages	Error messages.
reject		Blacklist ACL's.
route		Routing for relay and smart domains.


Utilities (19):
~~~~~~~~~~~~~~~
bin/loggrep	Simple but very useful shell script that allows you to grep
		the specified log files in the correct order (I.e:
		/var/log/exim4/mainlog or /var/log/exim4/rejectlog)

		USAGE:  bin/loggrep <PATTERN> [<LOGFILE> [<NEGPATTERN>]]

		The 3rd parameter is optional and excludes <NEGPATTERN>
		from the results of the grep for <PATTERN> in <LOGFILE>.

		NOTE:  /var/log/exim4/mainlog is assumed if <LOGFILE>
		       is omitted.


bin/logview	Another useful shell script that views the specified
		log file (Using 'less' by default), but uses 'sed' to
		format the output in a way that is easier to read.

		This is primarily intended for easier browsing of the
		Exim reject log (/var/log/exim4/rejectlog)

		USAGE:  bin/logview [<LOGFILE>]

		You can also use logview in a similar format to loggrep
		to restrict the entries shown.  The format for this is:

		USAGE:  bin/logview <PATTERN> [<LOGFILE> [<NEGPATTERN>]]
		
		NOTE:  /var/log/exim4/rejectlog is assumed if <LOGFILE>
		       is omitted.


bin/eximconfigstats   Generates detailed ACL statistics (Rejected messages,
		      SpamAssassin, etc.) for Exim servers running EximConfig.

		      For full usage instructions, please run:

		      bin/eximconfigstats help


bin/mcp		Useful script for distributing ACL's to multiple Exim
		servers that use EximConfig.  Simply edit hosts/mcp so
		that it contains a list of your hosts, and then use
		mcp (Multiple Copy) in the following format:

		USAGE:  bin/mcp <SOURCE> [<SOURCE>] [...] [<HOST>:][@][<PATH>]

		<SOURCE> is a list of source files or directories you wish to
		copy.  This is either followed by a single <HOST>:<PATH> for
		copying to a single host (scp/rcp format is used), or more
		usefully, @ followed by an optional path to copy to the list
		of hosts in the hosts/mcp file.  For example:

		bin/mcp domains/callback @domains

		This will copy the domains/callback file to each Exim server
		listed in hosts/mcp to the domains directory in the default
		path (/etc/exim4/eximconfig)

		bin/mcp reject accept @

		This will copy the reject and accept DIRECTORIES and all the
		ACL files contained within them to the list of Exim servers
		in hosts/mcp.  This is very useful for distributing updated
		ACL's easily.
		
		IMPORTANT:  The above command-line copies the reject and accept
			    DIRECTORIES across to the default path on the
			    remote hosts.  If you incorrectly use reject/*
			    accept/*, you will copy the FILES in these
			    directories to the default path on the remote
			    host, rather than the reject and accept directories
			    on these hosts!

bin/upgrade	This script is used to assist with upgrading to a newer version
		of EximConfig.  See the upgrading section near the beginning of
		this README for details of how to use this.
		
bin/spfd	init.d script for starting and stopping spfd (See section on
		SPF (Sender Policy Framework) for more information.)


Log Files (20):
~~~~~~~~~~~~~~~
In addition to the standard log files maintained by Exim, a number of custom
log files are used by EximConfig (These are found in the Exim log files
directory (/var/log/exim4 under GNU/Debian Linux)):

maillog   Brief log of messages passing through the Exim mail server.  Useful
          for analysis or generating statistics.  Fields are separated by |,
	  so the file can, for example, be imported into a spreadsheet.
	  
	  The fields are (In order):  Date (YYYY-MM-DD) + Time (HH:MM:SS),
	  Size (Bytes), Sender, Recipient(s) and Subject.


spamlog   Brief log of spam messages passing through the Exim server that
	  have NOT been rejected at SMTP-time by SA-Exim.  This can be used
	  to tweak the threshold used by SpamAssassin to mark messages as
	  spam, and the (Usually higher) SApermreject threshold used by
	  SA-Exim to reject high scoring spam at SMTP-time.  By sorting
	  this file by spam score, you can determine suitable thresholds
	  that will not block legitimate messages.

	  The fields are (In order):  Date (YYYY-MM-DD) + Time (HH:MM:SS),
	  Action ('Marked' as spam or 'Rejected'), Spam Score, Sender,
	  Recipient(s) and Subject.

	  NOTE:  Messages rejected at SMTP-time by SA-Exim will not appear
	         in this log file (See above.)

	  NOTE:  You can have low scoring spam ignored and dropped when sent
	         to specific users by listing them in reject/spam (See this
		 file for more details.)
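The threshold analysis described above for spamlog, as an added example
rather than one of EximConfig's own bin/ utilities: it parses lines in the
documented field order, sorts them by score, and shows which messages that
were only marked would have been rejected at SMTP-time under a candidate
SApermreject value.  The log lines are constructed (the exact whitespace
around the | separators in the real file is an assumption, hence the
strip()), and note that because the Subject is the last field and may itself
contain |, the line is split on at most five separators.

```python
# Constructed spamlog lines in the documented field order
# (Date+Time|Action|Score|Sender|Recipient(s)|Subject); not a real log.
# The second subject deliberately contains a '|' of its own.
SAMPLE_SPAMLOG = """\
2003-06-02 10:15:22|Marked|7.8|spammer@example.net|user@example.lan|Cheap meds
2003-06-02 10:31:05|Marked|14.3|bulk@example.org|user@example.lan, other@example.lan|Buy now | limited offer
2003-06-02 11:02:44|Rejected|9.1|junk@example.net|spamtrap@example.lan|Lottery winner
2003-06-02 11:40:19|Marked|5.4|news@example.com|user@example.lan|Weekly digest
garbage line that does not parse
"""

FIELDS = ("time", "action", "score", "sender", "recipients", "subject")


def parse_spamlog(text):
    """Parse spamlog lines into dicts, highest score first.  The subject is
    the last field and may contain '|', so split on at most five separators
    rather than on every one."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", len(FIELDS) - 1)]
        if len(parts) != len(FIELDS):
            continue                      # skip malformed/truncated lines
        rec = dict(zip(FIELDS, parts))
        try:
            rec["score"] = float(rec["score"])
        except ValueError:
            continue                      # score field is not a number
        records.append(rec)
    return sorted(records, key=lambda r: r["score"], reverse=True)


def would_reject(records, permreject):
    """Messages that were only marked (i.e. delivered) but would have been
    rejected at SMTP-time had SApermreject been set to `permreject`.
    Review these by hand: any legitimate message here means the candidate
    threshold is too low."""
    return [r for r in records
            if r["action"] == "Marked" and r["score"] >= permreject]


if __name__ == "__main__":
    records = parse_spamlog(SAMPLE_SPAMLOG)
    for r in records:
        print("%5.1f  %-8s  %s" % (r["score"], r["action"], r["subject"]))
    for candidate in (15.0, 12.0, 10.0, 7.0):
        hit = would_reject(records, candidate)
        print("SApermreject=%.1f would additionally reject %d message(s): %s"
              % (candidate, len(hit), [r["subject"] for r in hit]))
```

Run it against the real file with
parse_spamlog(open("/var/log/exim4/spamlog").read()) and lower the candidate
until legitimate subjects start to appear in the would_reject list; the
value just above that is the highest SApermreject you can safely use.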


Custom Log Rotation (21):
~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using logrotate to automatically rotate system log files (E.g:
Under GNU/Debian Linux), you should add the following to /etc/logrotate.conf
so that the above two custom log files are automatically rotated (Change path
to Exim4 logs if applicable):


# EximConfig custom logs
/var/log/exim4/maillog {
    missingok
    monthly
    create 0640 mail adm
    rotate 12
    delaycompress
    compress
}

/var/log/exim4/spamlog {
    missingok
    monthly
    create 0640 mail adm
    rotate 3
    delaycompress
    compress
}


Acknowledgements (22):
~~~~~~~~~~~~~~~~~~~~~~

*  The developers of the Exim MTA.

   See:  http://www.exim.org

*  Marc Merlin for SA-Exim (SMTP-time SpamAssassin), plus Exim 4.x config
   and ACL's from which some of EximConfig was created.

   See:  http://marc.merlins.org/linux/exim/sa.html

   Download SA-Exim from:  http://sourceforge.net/projects/sa-exim

*  Tom Kistner for the Exiscan patch.

   See:  http://duncanthrax.net/exiscan-acl

*  Greg Ward for 8-bit sender/subject ACL's for blocking Asian spammers.

   See:  http://dman.ddts.net/~dman/software/exim

*  Nigel Metheringham for Exim system filter rules for attachment blocking,
   which I have adapted to SMTP-time ACL's.

*  Configuring DKIM for Exim:  https://bobcares.com/blog/configuring-dkim-for-exim

*  Various other sources on the web that I can't remember that ideas were
   obtained from.  :)

