Mail Server based on Exim and Courier-imap
Exim Installation
First we have to unmerge ssmtp as it blocks exim from being installed.
emerge -C ssmtp
Now we install exim with the following USE flags:
echo 'mail-mta/exim ssl sasl exiscan-acl ldap' >> /etc/portage/package.use
emerge exim
N.B. To have both packages ssmtp and exim installed, you need to recompile ssmtp with the "mailwrapper" USE flag set. After that exim and ssmtp won't block each other.
We will use the template configuration that uses the exiscan patch:
cp /etc/exim/exim.conf.exiscan-acl /etc/exim/exim.conf
Exim basic configuration
The configuration of exim in the file /etc/exim/exim.conf needs to be modified. You have to adjust the following settings for your Gentoo box:
File: /etc/exim/exim.conf
domainlist local_domains = @ : mydomain.com
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1
qualify_domain = mydomain.com
edit:: I tried this and got relaying denied messages when the clients tried to send mail through the server. 127.0.0.1 says "only allow this server to send mail, nothing else". I replaced it with 172.16.0.0/24 (the range in the network the server was on), but you can also replace it with @[] which is "any IP range on any Ethernet Interface" - !!!NEVER DO THIS!!! @[] will create an open relay from your mail server (stevewalsh) You can also set both, localhost and your subnet, separated by a comma (PChaos)
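To reason about the relaying-denied behaviour described above before touching the live server, here is an added example (not code from the wiki page or from Exim) that models, in simplified form, the order of checks in Exim's default acl_check_rcpt: local or relay_to domains are accepted, then hosts in relay_from_hosts, and everything else gets 550. The domain list, the 172.16.0.0/24 network and the hostname standing in for "@" are constructed values.

```python
import ipaddress

def host_in_list(client_ip, host_list):
    """True if client_ip matches an entry of a host list (single IP, CIDR, or '*').
    Assumption: hostname entries, which real Exim host lists allow, are not modelled."""
    ip = ipaddress.ip_address(client_ip)
    for entry in host_list:
        if entry == "*":
            return True
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def rcpt_decision(client_ip, recipient, local_domains, relay_to_domains, relay_from_hosts):
    """Simplified model of Exim's default acl_check_rcpt (recipient verification
    and local-part checks are left out, only the relay policy is modelled):
      1. accept mail addressed to a local domain or to a relay_to_domains entry
      2. accept anything from a host listed in relay_from_hosts
      3. otherwise reply 550 'relay not permitted'
    Returns (smtp_code, reason)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for d in local_domains}:
        return 250, "accepted: local domain"
    if domain in {d.lower() for d in relay_to_domains}:
        return 250, "accepted: relay_to_domains"
    if host_in_list(client_ip, relay_from_hosts):
        return 250, "accepted: client in relay_from_hosts"
    return 550, "relay not permitted"

def open_relay_entries(relay_from_hosts):
    """Entries that let the whole Internet relay through you (an open relay)."""
    return [e for e in relay_from_hosts
            if e == "*" or ipaddress.ip_network(e, strict=False).prefixlen == 0]

# Constructed configuration mirroring the wiki's example. '@' in local_domains is
# the server's own hostname; 'mail.mydomain.com' stands in for it here.
LOCAL_DOMAINS = ["mail.mydomain.com", "mydomain.com"]
RELAY_TO_DOMAINS = []
ONLY_LOCALHOST = ["127.0.0.1"]               # the wiki's first setting
WITH_LAN = ["127.0.0.1", "172.16.0.0/24"]    # the fix described in the edit note

if __name__ == "__main__":
    for hosts in (ONLY_LOCALHOST, WITH_LAN):
        print(hosts, rcpt_decision("172.16.0.100", "friend@example.org",
                                   LOCAL_DOMAINS, RELAY_TO_DOMAINS, hosts))
    print("open relay entries:", open_relay_entries(["127.0.0.1", "0.0.0.0/0"]))
```

With ONLY_LOCALHOST a LAN client sending to an outside domain gets 550, which is exactly the "relaying denied" symptom; with WITH_LAN it is accepted, while mail for mydomain.com is accepted from any client in both cases.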
You don't have to worry about the rest, as we'll change some more things later on. What we've changed so far is actually enough to run an SMTP server. You can check if it works by running the server now:
/etc/init.d/exim start
You can test exim at this point with the exim -bh option, which simulates an incoming SMTP session from the given IP address. Use the IP address of a machine on the network to test name resolution via the hosts file:
exim -bh 172.16.0.100
When prompted, enter a valid from address:
mail from: user@mydomain.com
and then a user on the server:
rcpt to: otheruser@mydomain.com
Exim will then provide you with information regarding the mail delivery attempt.
Installing courier-imap
# for IDLE support
euse --enable fam
emerge gamin
# install courier-imap
emerge courier-imap
If you haven't installed exim, you also have to emerge cyrus-sasl. euse is part of gentoolkit.
Configuring courier-imap
/etc/courier-imap/imapd
MAXPERIP=10
IMAP_CHECK_ALL_FOLDERS=1
IMAP_ENHANCEDIDLE=1
IMAP_MOVE_EXPUNGE_TO_TRASH=1
/etc/courier-imap/pop3d
POP3AUTH="LOGIN"
Some Courier troubleshooting
I installed according to the above but missed the POP3AUTH="LOGIN" and consequently ran into the problem that I could not do a POP3 login. Courier replied (approximately): Login failed, temporary problem please try again later. Restarting courier-pop3d after correcting my mistake had no effect. Finally, I could solve the problem by restarting courier-authlib.
/etc/init.d/courier-authlib restart
As an extra info, the command above restarts both courier-authlib and courier-pop3d.
SSL for imap
If you have your own CA, then consider using that to sign your certificates, instead of the technique described below. For help on doing that, refer to your CA's own help pages.
You need to fill out the appropriate section ([ req_dn ]) in the following files for imap and pop3, respectively:
/etc/courier-imap/imapd.cnf
/etc/courier-imap/pop3d.cnf
Once you've made the above changes, run one (or both) of these commands:
mkimapdcert
mkpop3dcert
Starting the services
In case you are going to use the SSL version:
/etc/init.d/courier-imapd-ssl start
/etc/init.d/courier-pop3d-ssl start
If you want to be able to use the non-SSL version (as well or instead), use these:
/etc/init.d/courier-imapd start
/etc/init.d/courier-pop3d start
And finally add the appropriate services to your default run-level so they start at boot:
rc-update add courier-imapd-ssl default
rc-update add courier-pop3d-ssl default
Or
rc-update add courier-imapd default
rc-update add courier-pop3d default
Authentication
/etc/conf.d/saslauthd
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a shadow"
/etc/init.d/saslauthd restart
rc-update add saslauthd default
/etc/exim/auth_conf.sub
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_set_id = $2
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
  server_set_id = $1
/etc/courier/authlib
edit:: I found authmodulelist in /etc/courier/authlib/authdaemonrc (RDWest) edit:: (RDWest) This is the symbolically linked file for what was mentioned above (Zor)
authmodulelist="authshadow"
Mail filtering
Extend the userforward router (in /etc/exim/exim.conf, search for userforward) with a directory transport:
directory_transport = address_directory
Add the new transport:
address_directory:
  driver = appendfile
  maildir_format
Add $home/.forward file
# Exim filter
if $h_subject: contains "test" then
  save .maildir/.testFolder.testSubfolder/
elif $h_from: is "not@wanted.com" then
  save .maildir/.SPAM/
endif
Spam filtering and virus scanning
We will use clamav for virus protection and spamassassin for spam filtering. The latter can seriously impact the performance of your server; there seem to be some serious memory leaks there, or maybe I misconfigured something (TODO).
emerge spamassassin clamav
Ensure that clamav gets loaded on reboot by editing the file /etc/conf.d/clamd:
EDIT: With USE="crypt", clamav-0.90 automatically sets this to yes on build. bob921, 3 Apr 2007
START_CLAMD=yes
Now run it:
/etc/init.d/clamd start
rc-update add clamd default
And the same for spamassassin:
/etc/init.d/spamd start
rc-update add spamd default
Exim will communicate with clamav through a socket in /tmp/clamd. Back in the exim configuration file, activate the new ACLs (these two are only available when using the exiscan patch):
acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_content
av_scanner = clamd:/tmp/clamd
If you get 451 errors from the clients you will need to change the above to the clamAV socket in /var/run/clamav/clamd.sock:
av_scanner = clamd:/var/run/clamav/clamd.sock
If you still get errors on the clients about "server could not accept request at this time", make sure you have entries in /etc/hosts for the client machines. If this still fails, you can try the clamAV TCP port, 3310:
av_scanner = clamd:127.0.0.1 3310
acl_check_mime:
  # Decode MIME parts to disk. This will support virus scanners later.
  warn decode = default

  # File extension filtering (the dot before vbs is escaped, otherwise
  # the pattern would match any character followed by "vbs").
  deny message = Blacklisted file extension detected
       condition = ${if match \
                      {${lc:$mime_filename}} \
                      {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs)$\N} \
                      {1}{0}}

  # Finally accept all other messages that have
  # made it to this point
  accept

acl_check_content:
  # Reject messages that have serious MIME errors.
  # This calls the demime condition again, but it
  # will return cached results.
  deny message = Serious MIME defect detected ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Reject virus infected messages.
  deny message = This message contains malware ($malware_name)
       malware = *

  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
  # (user "nobody"), no matter if over threshold or not.
  warn message = X-Spam-Score: $spam_score ($spam_bar)
       spam = nobody:true
  warn message = X-Spam-Report: $spam_report
       spam = nobody:true

  # Tag the Subject if the spam score is over the system-wide threshold
  warn message = Subject: [*SPAM*] $h_Subject
       spam = nobody

  # Reject spam messages with a score over 10 points, using an extra condition
  # ($spam_score_int is the score multiplied by ten).
  deny message = This message scored $spam_score points. Congratulations!
       spam = nobody:true
       condition = ${if >{$spam_score_int}{100}{1}{0}}

  # finally accept all the rest
  accept
Error messages & solutions
If you see this error message:
ClamAV returned /var/spool/exim/scan/1Eh5VJ-0000h2-2s: Access denied.
Try this:
Make sure that exim's spool files are group-readable. This is the default, so you're probably OK.
Make sure the clamd user is also in exim's group in your /etc/group file. And make sure you set:
AllowSupplementaryGroups
in /etc/clamd.conf. This isn't the default and has to be there for clamd to pick up that it is in exim's group. After this, clamd should have access to exim's spool files and the daemon interface should work.
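To check the two conditions above mechanically, here is an added example (not code from the wiki page, Exim or ClamAV) that inspects the contents of /etc/group and /etc/clamd.conf and reports which fix is still missing. The user name "clamav" and group name "exim" are assumptions; the sample file contents are constructed.

```python
import re

def clam_user_in_exim_group(group_text, clam_user="clamav", exim_group="exim"):
    """True if clam_user is a supplementary member of exim_group in /etc/group text.
    (A primary group set in /etc/passwd is not considered here.)"""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == exim_group:
            members = [m.strip() for m in fields[3].split(",") if m.strip()]
            return clam_user in members
    return False

# Older clamd.conf uses the bare keyword, newer ones take "yes"; comments do not count.
_ALLOW_RE = re.compile(r"^\s*AllowSupplementaryGroups(\s+(yes|true|1))?\s*$", re.IGNORECASE)

def supplementary_groups_enabled(clamd_conf_text):
    """True if clamd.conf has an active AllowSupplementaryGroups line."""
    return any(_ALLOW_RE.match(line) for line in clamd_conf_text.splitlines())

def diagnose_access_denied(group_text, clamd_conf_text, clam_user="clamav", exim_group="exim"):
    """Return the list of fixes still needed for 'ClamAV returned ...: Access denied'."""
    problems = []
    if not clam_user_in_exim_group(group_text, clam_user, exim_group):
        problems.append(f"{clam_user} is not in group {exim_group} "
                        f"(gpasswd -a {clam_user} {exim_group})")
    if not supplementary_groups_enabled(clamd_conf_text):
        problems.append("AllowSupplementaryGroups is not set in clamd.conf")
    return problems

# Constructed samples: a correct /etc/group and clamd.conf pair.
SAMPLE_GROUP = "root:x:0:\nexim:x:101:clamav\nclamav:x:102:\n"
SAMPLE_CLAMD_CONF = "# constructed clamd.conf\nLogFile /var/log/clamd.log\nAllowSupplementaryGroups yes\n"

if __name__ == "__main__":
    # On a real box read /etc/group and /etc/clamd.conf instead of the samples.
    print(diagnose_access_denied(SAMPLE_GROUP, SAMPLE_CLAMD_CONF) or ["no problems found"])
```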