Up one level
Email in Debian Linux using Exim4 and Courier IMAP
Spencer Stirling

Setting up email in Linux can be a daunting and confusing task - that's for sure. Although there seems to be plenty of down-and-dirty documentation for each little tool, it can be VERY difficult to get the big picture and see how everything fits together. I must say that this is not really the fault of Linux, but rather the fault of "email" in general. It's a jungle out there.

In this document I'll *try* to give a survey of the main types of emailing setups. For the uninitiated and pseudo-initiated alike, it pays to just read the whole document through (without skipping sections). Many of the vocab words that we'll need I'll introduce in the first section. A quick warning: whenever I mention a tcp or udp port number, you should be thinking to yourself FIREWALL!!! Configure your FIREWALL to allow these ports!!!

Type 1: NOT HOSTING YOUR OWN DOMAIN
There are two main classifications of email systems. The first is very likely what you have: you don't have your own domain, or maybe you have your own domain but you are paying somebody ELSE to host it. In this case somebody ELSE gave you an email address, and you are just trying to "check your email". This type of system can be as easy or as hard as you like, depending upon your preference.

First, a little theory about how email works. Let's suppose your friend has an email address jack@hisdomain.com and you have an email address at jill@yourdomain.com. Then, whenever he writes an email to you, the mail server that is "in charge" of hisdomain.com contacts the email server that is "in charge" of yourdomain.com and sends the message on over. More precisely, there are complicated programs on each server called Mail Transport Agents (MTA) that talk to each other using a language called Simple Mail Transport Protocol (SMTP) - and it's always over the standard port 25.

Mail Transport Agent (MTA)
The MTA is really the HEART of the email "system". In fact, I wouldn't consider anything WITHOUT an MTA to be dubbed an "email system". It's the job of the MTA to receive email on port 25, process, and deliver locally to the appropriate user account - perhaps sending the mail through spam and/or virus filters first (there can be a whole BUNCH of little programs mixed up into this mess). It's also the job of the MTA to SEND emails out on port 25 to an MTA on a remote machine.

Some examples of MTAs are packages like Exim4, Sendmail (the original, but a bit outdated if you ask me), Qmail, Postfix, and Courier. By "deliver locally" I mean that the MTA puts the email into the correct user's "INBOX". Now this INBOX can come in two formats:

Mbox format. The older format is called the "mbox" format - this essentially collects EVERY email to a local user in ONE GIANT FILE. For example, Exim4 defaults to using the "mbox" format. When Exim4 receives email on port 25, it first gathers everything up into the /var/spool/exim4 directory. This directory is not your concern right now! Consider it a temporary playground for Exim4.

Once Exim4 is finished messing around with the email, it appends the email message (and attachments, too) to the file

/var/spool/mail/jill

This is your INBOX (in mbox format)! It is important to remember that the other email folders with which you are probably familiar (like SENT folder, or DRAFTS, or TRASH, etc) have NOTHING to do with your MTA or your INBOX. Those other folders are completely invented for convenience by your particular email *client* (the Mail User Agent - MUA - more on that later), and they are usually stored elsewhere.

Maildir format. Other MTAs, like Qmail or Courier, use a more modern INBOX format called "maildir" (Exim4 can also use the maildir format if configured appropriately - and we WILL). The differences between "mbox" and "maildir" are two-fold:

1) the huge monolithic INBOX file is now split into a lot of different files, and

2) the INBOX is now usually stored in the user's home directory. So, for example, the INBOX for user jill might be located in the directory

/home/jill/Maildir

So in this case the MTA delivers mail straight into the user's home directory!!!

Remote Access
The software that YOU see is called a Mail User Agent (MUA) or "mail client". It's job is to provide access to your local INBOX, and it usually provides other convenient folders like "SENT" or "DRAFTS". The details of these *other* folders depend HEAVILY on the MUA that you choose. Sometimes, if you mix and match them, then you can get strange consequences. The MUA also allows you to write and SEND emails. To do this, the MUA contacts the local MTA using the "sendmail" command and hands over the email for delivery. You don't need to know about the "sendmail" command - this is pretty much internal - and historical because the original MTA was (is) called "Sendmail".

We'll learn more about the "ins and outs" of MUA's later. The problem for you now is that YOU MIGHT NOT BE LOGGED IN LOCALLY. In other words, while your email is sitting safely on the server hosting "yourdomain.com", you aren't logged into it! Maybe you're at home, or whatever. You'll never access your INBOX that way! Now it is possible to log into the server and use the MUA provided there. For example, you could:

1) SSH in and check your mail with one of those text-based MUA's (such as "Mutt) that I haven't discussed yet, or

2) hopefully your server provides access via the Web (so-called "Webmail").

The beauty of both of these methods CANNOT be underestimated: both are secure!!! SSH kicks ass in general for security, and Webmail conversations take place over SSL (Secure Socket Layer) or TLS (OpenSource and more flexible than SSL). Hence, your passwords DON'T get left out in the open - in so-called cleartext - and neither are your emails themselves (although your emails were probably transmitted in "cleartext" from hisdomain.com to yourdomain.com IN THE BEGINNING, so that's not so important). The VERY important thing here is that your username and password info isn't broadcast where people can easily eavesdrop.

The other nice thing is that these methods require ZERO setup - and they're very reliable. In FACT, I ONLY use Webmail. It never changes, it never screws up, and I never lose emails.

In contrast, many/most people (i.e. your clients) don't want this. Instead they want an MUA (now installed on their home computer) to automatically connect to the server and somehow automatically download the INBOX. Then they can work offline, etc etc etc.

Here's the rub: this "somehow" method is OFTEN COMPLETELY INSECURE, and can cause serious data loss if care is not taken to do the "right" thing and somebody's hard drive crashes.

Nevertheless, here's how to do it. This is where the Mail User Agent (MUA) makes an appearance AGAIN, except now it operates in a different mode. Previously the MUA was installed on the server itself and was directly accessing your INBOX. Now the MUA will be installed on your home computer, and it will access your INBOX via logging into your server using a special set of protocols called POP/IMAP (incoming emails) and Smarthost (outgoing emails). Most MUAs like Mozilla Thunderbird easily work in this mode.

POP and IMAP
The POP and IMAP protocols are two different methods by which a client can download the INBOX (POP is older). The actual behavior using these protocols seems to vary WIDELY depending upon the mail CLIENT. For example, the standard Mozilla Thunderbird client behaves differently depending upon POP or IMAP, whereas with the "fetchmail" client (as we'll see later) POP and IMAP behave rather similarly.

For example, suppose that you are using Mozilla Thunderbird to access your mail via POP (to a POP server like "pop.sbcglobal.yahoo.com"). The standard Thunderbird+POP behavior is to *download* INBOX messages locally to the home computer and then DELETE them from the server! That's not good - what if you want to check your email from a different computer?!?!?! What if your harddrive CRASHES?!?!?!

I cannot think of a single instance where such behavior would be desired - unfortunately this is a Thunderbird default (most clients using POP act this way by default, in fact). This is why I usually direct people to use IMAP instead - POP is too easy to screw up (and once you screw up the first time, all of those emails are GONE from the server).

If you want POP to leave the messages on the server then go into "Edit->Account Settings->[your account]->Server Settings". You should click "Leave messages on server" and then click "Until I delete them or move them from Inbox". DO NOT check the "Delete after ?? days" option unless you know what this does. (These settings must be done BEFORE you check your mail *the first time*.) Note that, on the server, your mail will be changed from "unread" to "read", but at least a copy will stay on the server UNTIL you delete it or move it out of your INBOX.

If your ISP is complaining that your email account it taking up too much diskspace on their server then you should MANUALLY move some messages from your INBOX to some Local Folder - this will take them off of the server and keep them ONLY on your home computer. This solves the problem in a systematic fashion (so at least you know what is only locally copied, and what is still on the server).

One advantage of using POP (over IMAP) is that even IF mail is deleted from the server (perhaps your ISP screws up, whatever) then your INBOX at home is unaffected (because you downloaded a local copy). This can be very useful if you have one of those ISPs that changes their email system every two weeks and constantly purges people's INBOXes (grrrrrr). IMAP, on the other hand, does not have this advantage (emails gone from the server are gone from home, too).

So far so good. Standard POP connections occur on port 110, and are TOTALLY INSECURE! Your username and password are cast into the open with no encryption at all!!! However, people do it everyday... hey, it's only your bank account, right? I wish that I could show you here how easy it is to sniff your information, but there's no room here. Needless to say, a goldmine can easily be found in airports, coffee shops, and conferences where large numbers of people are logging into their emails constantly. There's nothing to stop a creep from just spending a few hours collecting data and then going to town on everybody.

Fortunately, there IS a way to clean this up. IF your server provides it, there's POP over SSL (aka POPS), which takes place over the standard port 995. What this does is it opens up an SSL encrypted tunnel to the server, then the standard POP session continues over this encrypted port 995. In Mozilla Thunderbird at the same panel you can click "Use secure connection (SSL)". Unfortunately not every ISP has moved passed the 1950s when everybody was talking about lollipops and ponies, so this might not be provided to you! You should complain - really.

Now there's one other possibility. The usual POP authentication (log in) takes place using the so-called AUTH LOGIN (worst) or AUTH PLAIN (still bad) protocols. This isn't an issue really if the channel is encrypted using SSL as above. Sometimes it's not, but instead your server MIGHT provide "secure POP authentication" using instead the CRAM-MD5 or Kerberos authentication procedures. This means that your username/password information is encrypted, but your emails themselves will be sent in clear text. That's usually fine, too, since your emails will probably be heading out in clear text eventually anyway. I *think* this "secure authentication" for POP is called APOP. You'll need to figure out for yourself if your server expects this (most don't). Since mine doesn't, in Thunderbird I left the "Use secure authentication" option UNCHECKED.

Obviously some good ISPs might combine both SSL and secure authentication for added security. Mix and match... mix and match.

IMAP: IMAP offers the better choice for *most* users because messages are never DELETED automatically from the server (except when using "fetchmail" - see below). Instead, if you set up a connection via IMAP then messages are left on the server until you explicitly DELETE them or MOVE THEM TO A LOCAL FOLDER! That's the behavior that I expect. The only disadvantage is the following: you won't get a local copy of your email - if your ISP server crashes then your emails are gone (there is an option in Thunderbird to make IMAP email available while offline, which pretty much gives you a local copy, but as soon as you log in the next time Thunderbird will see that all of your emails have been deleted from the server and will then update itself by deleting all of its LOCAL COPIES!!! OUCH!).

Usually it's either POP or IMAP, but sometimes both... so you're stuck with what you get. You'll usually be able to tell by the name of the server, e.g. "imap.sbcglobal.yahoo.com".

Now IMAP comes with the same security flaws that plague POP. Standard IMAP traffic goes over port 143 in CLEAR TEXT! Like POP the fix is IMAP over SSL (aka IMAPS) over port 993, if offered by your ISP.

Also like POP there is an "secure authenticated IMAP" to use CRAM-MD5 or Kerberos encrypted authentication, and obviously this can be teamed up with SSL for double protection. My ISP doesn't offer this, so in Thunderbird I left "Use secure authentication" UNCHECKED.

Smarthost
Now comes the part where you need to SEND emails. This is a little different. If you think about it, when your friend SENDS YOU an email from hisdomain.com to yourdomain.com, there's really no way to do it other than what I just described. The problem is that hisdomain.com has no idea where your home computer is, but it CAN find yourdomain.com by doing a DNS "MX record" lookup to find the server.

Conversely, if you SEND email FROM your home computer no such limitation exists in principle. When you send an email TO your friend jack@hisdomain.com then your home computer could just look up the MX record for hisdomain.com and your mail client (MUA) could just pretend to be an MTA and send the email on through (or you could set up your own little MTA and have it negotiate the connection). In practice this doesn't work very well because most respectable domains won't accept an SMTP connection from your crappy IP address. It knows, using blacklists, that your IP address is just some DSL or cable modem - not a permanent static domain - and it won't accept your traffic. We'll run into this issue again later EVEN IF WE HOST OUR OWN DOMAIN (unless we're willing to fork out the cash for a good static connection).

If you think about it, this is probably for the better. If anybody could send email to any server then the spam/virus problem would probably grow exponentially. In fact, many DSL and cable modem ISPs actually BLOCK your outgoing port 25 so that you can't even TRY! This is a REAL pain in the butt.

The solution is called Smarthost. Basically this is like POP/IMAP in reverse. This time you will SEND your email to YOUR server. The idea is that then your ISP will relay the message to the appropriate domain. Other domains WILL accept email from your ISP's mailserver since it has a "respectable name" - i.e. a static IP address. For some reason these "relays" are always called "SMTP" servers, but really they should be called "does SMTP for you" servers. An example is "smtp.sbcglobal.yahoo.com".

The question arises: how does the Smarthost server know to relay messages for YOU? Obviously they can't trust just anybody. There are two answers:

1) Sometimes the Smarthost is configured to accept all email from a certain range of IP addresses (after all, your ISP knows its customers).

2) More often your Smarthost will use "SMTP authentication" - i.e. logging IN!

Unfortunately, any time "authentication" is necessary then you are setting yourself up for username/password theft. like POP and IMAP, regular vanilla Smarthost traffic is NOT SECURE (but it happens every day)! The regular traffic occurs over port 25. There are 3 fixes:

1) Tunnel Smarthost traffic over SSL (port 465)

2) Tunnel Smarthost traffic over TLS - big brother to SSL (port 25 reused)

3) Use some form of SECURE authentication like CRAM-MD5 or Kerberos.

Obviously (3) can be combined with either (1) or (2)

Application: An INSANE SETUP with your OWN MTA
Let's apply these basic concepts, except let's make a REAL email system with your own MTA (you don't have to do this). It IS possible to have a FULL EMAIL SYSTEM on your computer but still use POP/IMAP and Smarthost to actually receive/transmit the mail. Why would anybody want to bother setting up a complicated MTA when it's pretty trivial to set up Thunderbird or something like it? Pure insanity, REALLY!

Actually, it's fun to set your own little mail server - good practice for later on if you buy your own domain and set up a server for real. The better answer is that many people like to bring to bear the full power of spam killing, antivirus, and filtering capabilities provided by mail servers.

Installing Exim4
The standard MTA that comes with Debian is called Exim4. It's rather good, and I must say that I had it set up in a couple of hours (although the more advanced stuff took several days). I should mention that I worked on Courier for two days and never did get the Smarthost client to login to my ISPs Smarthost server, so I ditched it and went for Exim4.

BEFORE WE BEGIN If you already have a version of exim installed then you may want to consider nuking the config files in /etc/exim4 - otherwise you may be missing some of the more recent advances like ready-made configurations for antivirus and antispam plugins. This guide covers Exim4 4.60-4.

Installation is easy, almost trivial. In Debian I installed the package "exim4-daemon-heavy". I could've just installed the package "exim4", but this would have installed a cut-down "light" version of the daemon with less capabilities. I want it all, so there you go. After that I went ahead and installed the package "exim4" as well.

The configuration is VERY friendly (uses DEBCONF). This configuration can always be re-run by using

dpkg-reconfigure exim4-config

Question 1 concerns whether you want to use the newer "split file" scheme or the old monolithic config file scheme. I chose the older one because I couldn't figure out where anything was with all of those files spread everywhere. Actually, I dislike the Exim4 config file system - it's not the usual "edit the config file and restart the daemon" routine. Instead, if you edit the configuration then you'll need to run

update-exim4.conf

This generates the REAL configuration file (located in /var/lib/exim4). Then you'll need to restart the daemon with "/etc/init.d/exim4 restart".

Back to business, Question 2 asks about your general setup. Unless you have a full domain WITH a static IP address AND good enough "reputation" to send emails then you should choose

mail sent by Smarthost; received via SMTP or fetchmail

We already talked about sending via Smarthost. You'll need Smarthost if you don't have your own domain, or if you have your own domain but you are hosting it from your DSL/cable modem. RECEIVING via SMTP is much less strict - you merely need a server of your own. This also means that the "MX record" for yourdomain.com must point to the IP address of YOUR COMPUTER! You don't really need a good reputation for servers to send TO YOUR DOMAIN, so you can RECEIVE as a full-fledged domain if you have one, even if you can't SEND by yourself!

On the other hand, if you DON'T host your own domain then you'll need to use POP or IMAP to download emails from the server that hosts your email account. You can still select the "receive via SMTP", but nothing will be sent to you. This is where the "fetchmail" program comes in. Fetchmail acts like a POP or IMAP client, downloads the relevant emails from your remote account, and then gives them over to your local MTA for local delivery. More about that later.

Question 3 asks about the "mailname.com" for your server. Any message sent from the user "jill" will be REALLY sent as "jill@mailname.com" (this can be overridden on a per-user basis by editing /etc/email-addresses, and users can override this themselves). You can use localhost.localdomain if you want, or you can make anything up that you like (BUT DON'T). There is no rule that says that the email domain needs to be valid. In fact, in the old days you could put in any bogus name that you want. You can even send emails in SOMEBODY else's name!

HOWEVER IN PRACTICE nowadays no mailserver will accept an email from "jill@localhost.localdomain", and most mailservers will drop an email from "jill@mailname.com" if "mailname.com" is not an ACTUAL domain. That doesn't stop you from using somebody else's domain, except that it's not a good thing to do (for a variety of reasons, including local delivery problems). Here's my advice: if you own your own domain then use that, if you don't then leave it as "localhost.localdomain" and we'll mask it later for each user separately.

Question 4 asks on what interfaces Exim4 should listen for incoming SMTP connections. If you are going to use Fetchmail to get your mails from a remote server then you should only use 127.0.0.1 (just listen to loopback - Fetchmail downloads the emails and sends them to your MTA using SMTP at 127.0.0.1). If you are actually going to receive emails AS your own domain then leave it blank (listen on all devices).

Question 5 asks for a list of domain names for which your computer will consider itself the "final destination". Only emails addressed to users at these domains will be accepted (however see below about setting up "virtual domains"). Everything else will be bounced. So if you're expecting people to receive emails to

user@yourdomain.com

then you should put "yourdomain.com" here (again, unless you are using virtual domains!). You should at least have the mailname (your answer to question 3) listed here.

Question 6 asks about those networks for which YOU will agree to relay email (without authentication). This just means that you might want your computer to act as a Smarthost *server* for OTHER computers (this has nothing to do with the fact that your computer will be a Smarthost CLIENT logging into the Smarthost server provided by your ISP - see the difference?). You probably don't want this unless you're setting up a whole network and domain of "trusted" computers. Don't just relay for anybody - that's VERY bad. In my case I am a Smarthost server, but I'm going to force my users to login using Smarthost/SMTP authentication, so I left this entry blank. (p.s. maybe I've used the "Smarthost" terminology poorly here? Maybe "relay" is more proper since "Smarthost" probably MEANS "relay+authentication". Who cares?

Question 7 asks for the name of the Smarthost server that you want to use. In my case I'm an SBC DSL customer so I'm forced to use "smtp.sbcglobal.yahoo.com". This worked for me, but you should NOTE that this name is actually an alias for "smtp-sbc.mail.yahoo.com", which in turn is an alias for the REAL mail server "smtp.sbc.mail.yahoo4.akadns.net". Sometimes you MUST use the real name. You can find this by using the command

host smtp.sbcglobal.yahoo.com

Question 8 asks about "Hiding" your OUTGOING mailname. I answer NO since this option will override any mailname that you have specified elsewhere (aliases, user-defined settings, etc).

Question 9 involves minimizing DNS queries - that's up to you.

Manual configuration of Exim4
You're NOT DONE YET!!! Now it's time to tweak some settings in Exim4. First, I'm using the "Maildir" format for my mailboxes, so to enable this you need to add the line

dc_localdelivery=maildir_home

to the file "/etc/exim4/update-exim4.conf.conf". Next, if you're logging into the remote Smarthost (you probably are) then you should put the Smarthost name, your username, and password in "/etc/exim4/passwd.client" - the format in there is obvious. Don't forget to change the permissions of that file to 640! There's sensitive password info in there that shouldn't be available to your users (a note - this file should be owned by user: root,group: Debian-exim).

As already mentioned, there are many Smarthost setups out there. The following describes how to set up your Smarthost *client* in 3 different situations (none of these uses "secure authentication" like CRAM-MD5 or Kerberos):

1) Smarthost over TLS on port 25
2) Smarthost in CLEAR TEXT
3) Smarthost over SSL on port 465

Smarthost client over TLS
IF your ISP's Smarthost server provides TLS then *I THINK* that you are done. Exim4 seems to default to using TLS, but I haven't actually tested this yet (I will someday soon... believe me).

Smarthost client in CLEAR TEXT, aka riding bareback

Now, unfortunately in my case my Smarthost "smtp.sbcglobal.yahoo.com" requires SMTP authentication (logging in), but it doesn't even use SSL/TLS. Furthermore, it doesn't use any of the "somewhat ok" encrypted username/password formats like CRAM-MD5, but instead it uses "PLAIN" which isn't really any better than the worst: "LOGIN". So my username/password is being broadcast out in the open (don't worry, I don't actually use this system. I just set this up for fun, then decommissioned it). If you are in this situation then don't tell anyone. If you still want to be silly then you can do it, but Exim4 tries to protect you from doing this accidentally. You need to explicitly tell Exim4 to allow you to broadcast your info in the clear.

Go into "/etc/exim4/exim4.conf.template" and look for the stanza (near the end) that starts like:

plain:
  driver = plaintext
  public_name = PLAIN
  ...

Right before that you should add the line

AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true

That will allow your SMTP authentication to go out in PLAIN or LOGIN text, even when not over an encrypted TLS channel!

Smarthost client over SSL on port 465
The STRANGE thing here is that Exim4 doesn't seem to support SSL natively. Apparently it's TLS or nothing for Exim4. I NEED my Smarthost client over SSL, so we'll be forced to trick Exim4 into using an SSL tunnel. I found a good guide at http://www.technovelty.org/linux/tips, but I'm going to CHANGE SEVERAL THINGS!!!. First, I'm going to use the package "stunnel4" rather than "stunnel", so install the package "stunnel4".

The idea is that we're going to use "stunnel4" to set up some SSL tunnel(s). A warning: I'm setting up two tunnels here - one for my Smarthost *client* to connect to a remote host, and one IN ANTICIPATION of a Smarthost SERVER that you may want to set up later. I'll leave you to figure out what does what. Here's the strategy for now: Stunnel4 will listen on the *local* port 464 (that's right... I said 464, NOT 465 - I'm trying to avoid conflicts here) and be configured to login to the ACTUAL remote Smarthost whenever it receives traffic. That will be taken care of with this script "/etc/init.d/ssmtp-tunnel":

#! /bin/sh -e

case "$1" in
  start)
    echo -n "Starting ssmtp tunnels "
    /usr/bin/stunnel4 /etc/exim4/stunnelin.conf
    /usr/bin/stunnel4 /etc/exim4/stunnelout.conf
    echo "stunnel."
    ;;
  stop)
    echo -n "Stopping ssmtp tunnel "
    killall -9 stunnel4
    echo "stunnel."
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/ssmtp-tunnel {start|stop|restart|reload|force-reload}"
    exit 1
esac

exit 0

You can load this into your startup scripts by running "update-rc.d ssmtp-tunnel defaults". Obviously you're going to need the configuration files "/etc/exim4/stunnelin.conf" and "/etc/exim4/stunnelout.conf", so here they are

# /etc/exim4/stunnelin.conf
client=no
cert=/etc/courier/imapd.pem

[smtp]
accept=465
connect=localhost:25

Note the certificate mentioned there. We'll set one of those up later (Courier IMAP section). Obviously "stunnelin.conf" is meant to handle incoming connections (i.e. a Smarthost server), so if you don't care about having a Smarthost SERVER then you can just ditch the "stunnelin.conf" stuff altogether. Here's the important file for now:
# /etc/exim4/stunnelout.conf
client=yes

[smtp]
accept=localhost:464
connect=remotesmarthost.com:465

Obviously your should change "remotesmarthost.com" to be the Smarthost that you want to use.

Now the other necessary changes are easy... in "/etc/exim4/update-exim4.conf.conf" you should change your Smarthost to "localhost" like so

dc_smarthost='localhost'

and in "/etc/exim4/exim4.conf.template" you'll need to force Exim4 to allow you to send passwords in the clear like we did in the previous subsection (although secretly this is all going over an SSL tunnel - Exim4 just doesn't know it). So add the line

AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true

like we did before, and tell Exim4 to go through port 464 by adding these entries in the "remote_smtp_smarthost:" stanza

hosts_avoid_tls = localhost
hosts_require_auth = localhost
port = 464

In the "smarthost:" stanza add the entry

self = send

Finally enable these changes by issuing

update-exim4.conf
/etc/init.d/exim4 restart
/etc/init.d/ssmtp-tunnel start
and you're DONE!

Important note Remember your "/etc/exim4/passwd.client" file! As far as Exim4 is concerned, the Smarthost server is localhost. You MUST use "*" as your server NAME in there!!!

Your first MUA - using Mutt
I'm not a Mutt expert. I think that it's a good email client - text based and fast, but the setup is a little ridiculous. I'm not going to spend a week trying to figure out all of the ins and outs of it, so here goes. It's important to have SOMETHING to send email, so install the package "mutt".

Now, as a user you cannot just charge ahead and use Mutt without a little setup. First, you will actually need to manually create your Maildir INBOX before you can send/receive anything. So install the package "courier-base". This actually installs part of the Courier MTA, but that's OK. All that we want for now is the command "maildirmake".

Login as the relevant user and run

maildirmake ~/Maildir

This creates an INBOX in that user's Maildir directory. Now you're almost ready to get somewhere (note: many sysadmins put a Maildir directory in /etc/skel so that they don't have to do this for EVERY user).

The only piece left is a custom .muttrc in your home directory. This is necessary because Mutt expects to use the mbox-type INBOX and we want to use maildirs instead (for good reason - we'll see later). The following is a VERY barebones ~/.muttrc to do what you want

# Where is your INBOX?
set spoolfile=~/Maildir
set folder=~/Maildir
set mbox_type=Maildir

# We are going to set up a Sent, Drafts, and Trash folder.
# We might as well just store them as subdirectories
# ~/Maildir/.Drafts
# ~/Maildir/.Sent
# ~/Maildir/.Trash
# These folders will each have their own little "maildirs" format.
# This is a STANDARD place for the IMAP server to put its folders, too
# I'm looking for compatibility with IMAP so that if I use Webmail
# or login remotely using IMAP then the folders are preserved
#
# This mask is necessary so that when you press "c" to bring
# up your folder list these folders won't be hidden.  It's not pretty,
# but it works.
set mask="."

# Send folder
set record=~/Maildir/.Sent
set copy=yes

# Keep INBOX messages in INBOX - why move them unless you want to?
set move=no

# Drafts folder
set postponed=~/Maildir/.Drafts
set postpone=yes

# There is no built-in Trash command in Mutt
# This maps "d" to Trash and creates the trash folder
macro index d "=.Trash\n"
macro pager d "=.Trash\n"

# Set your "From" information
set from="user@yourdomain.com"
set use_from=yes
set use_envelope_from=yes

That's it! Start by trying to send an email to yourself or other users on the local machine (just use their usernames - the domain will be filled in automatically). Then try to send an honest email out to the world. The debugging log is in /var/log/exim4/mainlog. You can see which emails are still in the outgoing queue with the "mailq" command.

Fetchmail
Now it's time to figure out how to DOWNLOAD emails from a remote IMAP or POP server and inject them into your local mail system as though they were received the usual SMTP way. Fetchmail is your tool here. Now forget everything that I said above about how POP and IMAP differ. Fetchmail, for most things, treats them very much the same. By default, Fetchmail downloads messages and then deletes then off of the server. If you want to change that behavior, then you can use the "keep" keyword (see below) which will download messages but merely mark them as "read" on the server.

To start just install the package "fetchmail". Create a ~/.fetchmailrc file in the relevant user's home directory (the emails have to go to SOMEBODY, right!). In there you can put commands such as

defaults
set no bouncemail
set no spambounce
poll pop.sbcglobal.yahoo.com protocol pop3 username \
  "asdf@hotmail.com" password "YOURPASSWORD" keep

Obviously "asdf@hotmail.com" is the email account that you are downloading, and the "keep" command just says to not delete the files off the server. This is for POP... an IMAP script would be similar. The variations on this theme are endless. Just run the command "fetchmail" and watch those emails come on down (the "Envelope-to" address will be changed to whichever user invokes Fetchmail so the Exim4 knows where to deliver the mail)! Note that the POP default is to not download messages that have been marked as "read" on the server. You can change this with a "fetchall" keyword after "keep" above. To automate this you can put a "fetchmail" line in your crontab to be run every 10 minutes or so.

If your IMAP/POP server is expecting an SSL connection then you can use a script like the following (here I'll use IMAP on port 993 to demonstrate):

defaults
set no bouncemail
set no spambounce
poll imap.sbcglobal.yahoo.com protocol imap port 993 username \
  "asdf@hotmail.com" password "YOURPASSWORD" ssl keep

Note the "keep" keyword there, even for IMAP.

Where do you go now?
At this point you should have a functioning email system. Now what to do next? You'll want spam and virus filters. You may even want to set your machine up as a POP/IMAP/Smarthost server in its OWN RIGHT! A webmail interface would be nice, too. I'll show you how to do all of that in the next section.

Type #2: HOSTING YOUR OWN DOMAIN
If you host your own domain on your own server then the setup should be very similar to the "insane" setup above, except you won't need fetchmail to grab those emails off of another server because now YOU are hosting the domain (your server will RECEIVE emails directly via SMTP). Make sure that port 25 is open into your server! Make sure that your domain "MX record" points to YOUR SERVER!!! You'll need to go to your internet registry to do that (I'm using ZoneEdit and Dynamic DNS so I went there to do it). In question 4 above leave it blank (listen on all interfaces).

SENDING email from your own server is still a bit tricky. For example, although I'm hosting my own domain (on a computer in the middle of the forest, which explains the slow connection!), I only have a dynamic IP address (see my Dynamic DNS article for hints about how to set something like that up). This means that I shouldn't directly SEND emails to other email servers - instead I still am forced to use my ISP's Smarthost as discussed above (otherwise half of my outgoing email will be bounced back as untrusted). If you have a static IP address then you won't need to use your ISP's Smarthost/SMTP server as a relay... you can just send directly (make sure that the outgoing port 25 is open in your firewall! Also many ISP's block outgoing port 25, so you might have to make a special request for them to open it).

Setting up Courier IMAP and Squirrelmail
Now for some more fun. Maybe you want to set your machine up as an IMAP and Smarthost *server* (now YOU'RE the host, and so your users will expect these services). You'll probably want to set up a Webmail interface as well.

IMAP (over SSL) server using Courier
Fortunately, this is the really FUN part. You'll get a lot for your minimal efforts. Here I'm going to use the IMAP (over SSL) server provided as part of the Courier MTA. Yes, it's true - this system is half Exim4, half Courier. That doesn't matter. In fact, it started as a complete Courier system, but I couldn't get the Smarthost client to authenticate, so Exim4 it was. Now it's a big Frankenstein, but this is (I think) probably the most common configuration out there. Actually, there are A LOT of tools that make Courier a VERY good MTA. The IMAPS/POPS servers, the Courier authentication daemon - it's all REALLY good stuff.

To install Courier IMAP is almost trivial. Again, no need to reinvent the wheel. There's a good howto at http://edseek.com/~jasonb/articles/exim4_courier/courierimap.html.

After you've followed the instructions on that page, you should have an IMAPS server listening on port 993.

One quick note - under the hood all of this stuff uses the Courier authentication module "courier-authdaemon" to do the actual password checking. We'll use it again, even with Exim4! If you run into login problems then you can use the "courierauthtest" utility to test your authdaemon. I've noticed that most problems come from permissions issues. You should set the permissions as follows

chmod 775 /var/run/courier/authdaemon
chmod 777 /var/run/courier/authdaemon/socket

At this point we could really implement some security. You might want to have a look at the "secure authentication" modules for Courier IMAP (like CRAM-MD5), but to be honest I'm not freaked out about clear-text as long as the channel is encrypted (I know, I'm probably letting a lot hang out here).

Squirrelmail
Now that you have IMAP set up you can install the Squirrelmail webmail client. Personally, I'm a big fan of Squirrelmail. It is very easy to install, and I like the interface. Note that Courier supplies its own webmail client called "sqwebmail" - you won't even need Courier IMAP installed for that to work - just install the package "sqwebmail" and you'll have a fully-functioning webmail CLIENT! Cool, huh!

However, to be honest, I like the user interface to Squirrelmail a bit better, and since I already have the IMAP server installed for other reasons, I'm going to use it.

Start by making sure that you have PHP support included with your Apache server. In my case I'm still running Apache 1.3 so I installed the package "libapache-mod-php5". Now you're ready to rock: install the package "squirrelmail". After installing you will receive the instructions to run "squirrelmail-configure". I ran it, but I didn't actually change anything in there. Note that the "folders" are listed as INBOX.Sent, INBOX.Drafts, and INBOX.Trash - these will ACTUALLY be located in ~/Maildir/.Sent, ~/Maildir/.Drafts, and ~/Maildir/.Trash (think of INBOX as an alias for ~/Maildir), so you won't need to change the default.

Save the settings and exit.

Squirrelmail is set up, but Apache doesn't know about it. There's a handy little file called "/etc/squirrelmail/apache.conf" that gives some good ideas. This is the time when your interface with Apache might get a little sketchy. You see, you MUST have your Squirrelmail going over HTTPS on port 443 instead of regular HTTP on port 80, so you'd better make sure that the appropriate stanzas in your "/etc/apache/httpd.conf" are configured to use SSL. Don't just use the regular - that would leave passwords out in the clear!

In my case, I never could get Apache with the "libapache-mod-ssl" SSL module to work, so instead I use TWO different Apache webservers, BOTH RUNNING SIMULTANEOUSLY. One regular and one with SSL statically linked in! For my regular Apache webserver I am using the package "apache-perl" (which has perl statically linked in, too)... the configuration file there is in

/etc/apache-perl/httpd.conf

For SSL-enabled Apache I use the Debian package "apache-ssl". The relevant configuration file is located in

/etc/apache-ssl/httpd.conf

So, to set up the SSL-enabled server to use Squirrelmail I added the following to "/etc/apache-ssl/httpd.conf" (in addition to the usual settings for any httpd.conf file):

#SQUIRRELMAIL STUFF

Alias /squirrelmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>

  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files;>
</Directory>

Notice what's going on here. Whenever a user directs their browser to "https://www.spencerstirling.com/squirrelmail" they should get the Squirrelmail login. Restart the Apache SSL webserver so the changes take effect.

Now, in the regular Apache webserver I like to have a "redirection" so that if somebody puts in http:// then the get redirected to https://. The following does the trick:

#SQUIRRELMAIL REDIRECTION STUFF

Alias /squirrelmail /usr/share/squirrelmail
<IfModule mod_rewrite.c>
    <Location /squirrelmail>
      RewriteEngine on
      RewriteCond %{HTTPS} !^on$ [NC]
      RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
    </Location>
</IfModule>

Restart your regular Apache webserver and you're done.

Smarthost server setup in Exim4
Now it's time to set your machine up as a Smarthost SERVER (so others can relay mail through you). I'm not going to fight the path of least resistance - here I'll describe 3 setups (none of which use "secure authentication" modules like CRAM-MD5).

1) Smarthost in CLEAR TEXT over port 25
2) Smarthost over TLS on port 25
3) Smarthost over SSL on port 465

Smarthost server in CLEAR TEXT over port 25
Here a way to allow insecure connections:

First, you must tell Exim4 to allow people to login to your server on a clear channel. So add the line

AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = true

in "/etc/exim4/exim4.conf.template" BEFORE it's referred to by other stanzas. You'll see where.

Now you'll need to tell Exim4 to use the Courier authentication daemon to do the password checking. After the place where you put the previous entry you'll see many stanzas with several different authentication methods available. Uncomment the following stanzas

plain_courier_authdaemon:
  ...
  
login_courier_authdaemon:
  ...

The only thing left to do is to change the permissions of the Courier authdaemon to allow Exim4 access:

chmod 775 /var/run/courier/authdaemon
chmod 777 /var/run/courier/authdaemon/socket

Now you can test your connection with a telnet to port 25 (remember to update-exim4.conf and restart exim daemon first) - consult http://qmail.jms1.net/test-auth.shtml for good information about that! You can test courier-authdaemon with the "courierauthtest" command if you are having problems authenticating.

Smarthost server over TLS on port 25
For a secure TLS connection first follow the steps in the previous subsection. Next, you'll need to start the TLS server by adding the entry

MAIN_TLS_ENABLE = true

BEFORE it's referred to by other stanzas.

Now you'll need to generate your TLS certificates. Use the following commands

cd /etc/exim4
/usr/share/doc/exim4-base/examples/exim-gencert

That's IT! Yes - I know. You ALREADY generated certificates for Courier IMAPS. These are for Exim4 Smarthost server. That's the price that we pay for using two packages. It's amazing that they coexist so well!

If you want to FORCE your users to use TLS then you should take out the "AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = true" line that you added in the previous subsection.

Smarthost server over SSL on port 465
Now you MIGHT want to set up a Smarthost server over SSL on port 465. Why? In my case, it's because my ISP is filtering my traffic on port 25. For some reason regular SMTP traffic gets through, but TLS traffic is being filtered (*shrug*). Using an "stunnel4" hack I can just enable Smarthost over SSL and be done with it. By the way, if you want to know how to perform a port scan to see what is happening with YOUR firewall, try the command (from a remote machine)

nmap -sV yourdomain.com

First, set up Exim4 as a Smarthost server as described in the last two subsections - just make sure that Smarthost over CLEAR TEXT is enabled (you can also use TLS, giving you all three worlds AT ONCE! Cool, huh?).

Of course Exim4 doesn't handle SSL, so we'll be forced to use the same scheme already described when we were talking about setting up a Smarthost CLIENT over SSL. In fact, all of the relevant STunnel configuration was already done there - so there's nothing left to say!!! Stunnel should be listening on port 465 and directing traffic to port 25 locally (where Exim4 is listening).

Hosting MULTIPLE DOMAINS
Hosting multiple domains is possible. The only issue is that you need both incoming and outgoing aliases to a) determine how to route incoming emails to local users, and b) to determine the default OUTGOING email addresses for each user.

If you have a relatively simple setup (not 1000 different domains) then you can handle both of these rather easily.

Virtual Domains for INCOMING mail
Start by editing the file "/etc/exim4/domains.virtual" and add any domains that you want to "virtually" host, like so

hotmail.com
sbcglobal.net
Now, you can add the specific user aliases by editing the file "/etc/exim4/aliases.virtual", for example
@hotmail.com: user1
asdf@hotmail.com: user2
poiu@hotmail.com: user3

jimmy@sbcglobal.net: user1
This specifies which local users should receive mail. The first line specifies where to dump nonexistent "@hotmail.com" addresses. If not specified then the mail will be bounced back to sender (as in the second stanza).

You can actually forward any email ANYWHERE! Cool, huh?

Of course, you'll need to update "/etc/exim4/exim4.conf.template" as well. Look for the line "domainlist local_domains" and tack onto the end the entry ":lsearch;/etc/exim4/domains.virtual", for example:

domainlist local_domains = MAIN_LOCAL_DOMAINS:lsearch;/etc/exim4/domains.virtual
Now look for the "router" section. After the "system_aliases" stanza you should add the following stanzas:
domains_virtual:
driver = redirect
data = ${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases.virtual}}

domains_virtual_others:
driver = redirect
data = ${lookup{@$domain}lsearch{/etc/exim4/aliases.virtual}}

Update Exim4 and restart the daemon. Go outside and do a raindance... hopefully this works.

/etc/email-addresses for OUTGOING mail
Assigning a default email address on OUTGOING email is just as easy. If you don't set anything up then the email will originate from "user@mailname" (what you answered in question 3 during the Exim setup), although the users can always configure this themselves in their mail client.

Often neither of these options is going to be acceptable. Your users will SEAMLESSLY want their emails to come from THEIR domain - they don't want to even know about it. In this case you can manually set the default email address (on a per-user basis) by editing the file "/etc/email-addresses". The format in there is obvious.

Clamav Antivirus and Spamassassin
This is getting long, but let's press ahead! You'll want software that checks for viruses in those emails, and you'll want to kill spam! Clamav is your virus killer. It's free, it's good, and it updates ITSELF (using the "clamav-freshclam" package). Much of the following was shamelessly stolen from http://koivi.com/exim4-config/ (with whatever changes I needed).

Start by installing the following packages:

clamav
clamav-base
clamav-daemon
clamav-freshclam
clamav-testfiles
arj
unzoo
lha
unrar
spamassassin
spamc
sa-exim

I don't know why, but I needed to rerun "dpkg-reconfigure clamav-base" to get the socket to take effect - I think that the default is

/var/run/clamav/clamd.ctl

You'll need to add the "clamav" user to the "Debian-exim" group so that Exim4 can access this socket!!! Furthermore, you'll need to change ownership of the clamav directory:

chown Debian-exim:Debian-exim /var/run/clamav

In fact, to avoid problems I also run the clamav daemon as user "Debian-exim". Just edit "/etc/clamav/clamd.conf" and set

User Debian-exim

Now comes the easiest part of ALL!!! You need to edit "/etc/exim4/exim4.conf.template". First look for the antivirus and spam section. You should add/change the appropriate line to

av_scanner = clamd:/var/run/clamav/clamd.ctl

Note the correct socket. You should also uncomment the line

spamd_address = 127.0.0.1 783

Apparently Spamassassin runs as a daemon listening to port 783. The comments there instruct you to the "acl_check_data" stanza. Go there and uncomment the lines

   deny
     malware = *
     message = This message was detected as possible malware ($malware_name).
and the lines

   warn
     spam = nobody
     message = X-Spam_score: $spam_score\n\
               X-Spam_score_int: $spam_score_int\n\
               X-Spam_bar: $spam_bar\n\
               X-Spam_report: $spam_report


MORE AGGRESSIVE TECHNIQUE If you trust Spamassassin enough, you can just outright reject such messages. Instead of the "warn" stanza above, try this
  deny
    spam = nobody
    message = 550 Unrouteable address : User unknown\n\
              Write "postmaster" for questions
Note that I didn't send a message back saying "this is spam" - I just told them that the user doesn't exist! A little spammer psychology is in order here: I'm guessing that the spammers spend a lot of time cleaning and pruning their databases. They MUST! If you send back "user unknown" then perhaps their spam program will remove you from their list. If you send them back "this is spam" then they know that they have you! MOVING ON...

Now I don't know why, by Spamassassin is configured by default to NOT RUN! If you are in Debian, then edit
/etc/default/spamassassin
You need to set
ENABLED=1
In the "OPTIONS" tag you should remove "--create-prefs" and replace it with "-x". The first option allows users to have their own preferences, but this opens up a whole can of worms. You're on your own there.

Now edit "/etc/spamassassin/local.cf" and add the following lines

trusted_networks 127.0.0.1
dns_available yes
skip_rbl_checks 1
You'll be performing these RBL checks separately (see below). I disable it here because this makes sending mail in Squirrelmail PAINFULLY slow (like 10 seconds, which is unacceptable). Restart Spamassassin. In fact, restart Spamassassin AND Clamav. Restart them twice. Reboot the machine and go for a walk. These are finicky programs.

Give yourself a little "update-exim4.conf" and "/etc/init.d/exim4 restart" and you'll be ON YOUR WAY! Note: I think this was once MUCH more difficult - it's pretty slick NOW!

Testing Clamav and Spamassassin
First, let's test Clamav. I had you install the "clamav-testfiles" package for a reason - in "/usr/share/clamav-testfiles" you'll see several "clam" files with various extensions. These are virus *signatures* - not VIRUSES!!! They'll trip the alarm, but cause no problem. You should email these to yourself from a different DOMAIN - Clamav doesn't check emails that originate internally.

If all goes well then you'll never get them. Check your /var/log/exim4/mainlog log - you should receive several warnings of "Malware" and rejected email. That's GOOD!

Now for Spamassassin. There are two files located in "/usr/share/doc/spamassassin/examples", namely

sample-spam.txt
sample-nonspam.txt

Transfer these files to an account in a different domain and then mail yourself back with

mail jill@yourdomain < sample-spam.txt
mail jill@yourdomain < sample-nonspam.txt

You'll receive both messages, but if all goes well you'll see a lot of spam warning messages in the header of the second email. These are directives flagging the email for further processing.

What further processing should we use? The simplest is to put a .forward file in the home directory of each user with the following entries:

# Exim filter
if  $h_X-Spam_report: CONTAINS "possible spam"
then
  save $home/Maildir/.Spam/
  finish
endif

It's pretty obvious what this does. You'll need to make each user a Spam folder with the command

maildirmake ~/Maildir/.Spam

From a sysadmin point-of-view, I always put all of the following items into "/etc/skel" so that when I create new users they automatically have these settings in place

/etc/skel/Maildir
/etc/skel/Maildir/.Spam
/etc/skel/.forward
/etc/skel/.muttrc
This directs incoming spam into the Spam folder. But we can do more with this. The users can see their Spam folder by "subscribing" to it from within Squirrelmail (Folders->Subscribe). This can be a valuable tool for training Spamassassin - I just tell my users to MOVE any spam that "slipped through the cracks" from INBOX to the Spam folder (as opposed to just deleting them). Then I have a cron job that runs the following command (on a regular basis)
sa-learn --spam /home/fred/Maildir/.Spam/cur/*
for each user on the system. Over time this teaches Spamassassin, and eventually almost everything ends up in the .Spam folder by default. Be sure that your users (or YOU) clean out those spam folders once per month - they get pretty full.

This is pretty weak, I know, but I don't care! I won't claim to be a Spamassassin expert. Clamav seems to take care of itself, like owning a cat. The proper care and feeding of Spamassassin is more like a dog - always begging for attention and constantly having to take a piss.

BLACKLISTS
Aren't we done yet? Not quite. You'll want to use so-called DNSBLS blacklists (e.g. spamhaus.org), just like everybody else. This will reduce your spam A LOT! In Exim4 this is almost trivial. Go into "/etc/exim4/exim4.conf.template" and look for the stanza

  .ifdef CHECK_RCPT_IP_DNSBLS
  warn
    message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    dnslists = CHECK_RCPT_IP_DNSBLS
  .endif
This will put a warning message on any emails that come in which match a record found in your DNSBLS service(s). Personally I change the "warn" to "deny". I don't want to see their junk at all. In FACT, I also change the "message" tag above to
    message = 550 Unrouteable address : User unknown\n\
              Write "postmaster" for questions
Seriously... why TELL the spammer that they're blacklisted? Just tell them that the user doesn't exist - maybe you'll be removed from their list...

To actually specify your DNSBLS services, you'll need to add a line like this

CHECK_RCPT_IP_DNSBLS = sbl-xbl.spamhaus.org:dnsbl.sorbs.net:combined.njabl.org:bl.spamcop.net:psbl.surriel.com
somewhere in your "/etc/exim4/exim4.conf.template" file. Personally I put it just BEFORE the "begin acl" statement since exim4 will complain if you put it INSIDE of the ACL checking stanzas.

You should search for different DNSBLS services out there. In particular, it's important to block any dynamic IP addresses. Hell, you had to use smarthost, right?!?! Why should you accept mail (usually spam) from some other idiot on their DSL? Make them use Smarthost, too... at least their ISP can be held accountable then. It's an ongoing battle, for sure.

Note that you can start a "fake" SMTP session to see if a certain IP address will be rejected by issuing the following command

exim4 -bh [IP address]
where [IP address] is the IP address that you can pull from one of those spam messages that you have been receiving. This will start a test SMTP session. Now type the following commands
ehlo assholespammer.com
MAIL FROM:somejerk@assholespammer.com
RCPT TO:jill@yourdomain.com
Hopefully you'll get rejected. Try looking around for other DNSBLS servers (by using blacklisting I have an account that went from about 50 spam per day to just 1!). This, coupled with Spamassassin, should give you some good results.

LOCAL BLACKLISTS (a Honeypot)
Honeypots are really cool. The strategy is this: make up an email address on your server that doesn't exist (and probably won't in the future), say "sosweet@example.com" (where "example.com" is your domain). Now purposefully PLACE this email address in HIDDEN places on your websites (I mean hidden from human viewers). I have a hidden link on every page! Yes, let it be harvested. The following link works for me:

<a href="mailto:sosweet@example.com"><font color="white">haha</font></a>
Obviously "white" is my background color, so this is invisible (it might be better to put a 1-pixel picture in). Any email coming to this account will be spam (for sure), so you can use this information to locally blacklist certain hosts.

First you'll need to configure "/etc/exim4/exim4.conf.template" to set up a local filter. I stole these ideas directly from Mark Knox's page http://www.hardline.org/SpamHoneypot. Somewhere in that file (I put mine at the top of the "main/config-options" section you should put the following stanza:

# setup HONEYPOT filters (fake email addresses used as bait)
system_filter = "/etc/exim4/system.filter"
system_filter_user = Debian-exim
system_filter_group = Debian-exim
system_filter_pipe_transport = address_pipe
Fortunately for me, local blacklist functionality was already set up out-of-the-box, so there's not much more to do. Whatever sender IP address ends up in "/etc/exim4/local_host_blacklist" is denied. However, in the stanza
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}\
                 {}}

I like to change the "message" to
    message = 550 Unrouteable address : User unknown\n\
              Write "postmaster" for questions
Again, maybe if you send a "user unknown" then you'll be removed from their list.

Now you'll need to set up the filter itself. Create a file called "/etc/exim4/system.filter" and place the following lines in there (with the appropriate changes):

if $recipients contains "sosweet@example.com"
then
  pipe "/etc/exim4/blacklist-me $sender_host_address"
endif
Obviously this refers to a shell script called "/etc/exim4/blacklist-me", so create it with the following lines:
#!/bin/sh
BLACKLIST=/etc/exim4/local_host_blacklist
BLACKLISTDATES=/etc/exim4/local_host_blacklist_dates

echo $* >> $BLACKLIST
echo $* `date +"%Y-%m-%d %H:%M:%S"` >> $BLACKLISTDATES
Make this file executable ("chmod +x /etc/exim4/blacklist-me"). Now, in the "/etc/exim4" directory you need to touch two files:
touch /etc/exim4/local_host_blacklist
touch /etc/exim4/local_host_blacklist_date
Change the ownership of both of these files to "Debian-exim"
chown Debian-exim:Debian-exim /etc/exim4/local_host_blacklist
chown Debian-exim:Debian-exim /etc/exim4/local_host_blacklist_date
Now for the final step: add an alias (see above) for our fake user "sosweet@example.com". In "/etc/exim4/aliases.virtual" add the line
sosweet@example.com: :blackhole:
That's IT! Now just sit and trap evil spammers with your flypaper trap! Yes, I DID shamelessly steal this information from the link above.

This page has been visited   times since March 15, 2006