For others who may be interested. (Note: this is what I did on a Solaris 10 machine.) I also already had EXIM configured with SpamAssassin to put [SPAM] in the subject if the message was "spam". This also assumes that the IMAP mailbox directory is the mail directory in the user's home directory.

Here is what you need to do:

1. Install procmail (I get it from Blastwave, as I did exim, spamassassin, and clamav):

su - root
cd /opt/csw/bin
./pkg-get -i procmail

2. Configure exim to handle procmail pipes.
a. Make a backup copy of /opt/csw/etc/exim/exim.conf.
b. In the "routers" section of the exim.conf, right above the localuser: line, add the following:

procmail:
 debug_print = "R: procmail for $local_part@$domain"
 driver = accept
 domains = +local_domains
 check_local_user
 transport = procmail_pipe
 # continuation lines end in a single backslash; the router only runs when the
 # user, an rc file (/etc/procmailrc or ~/.procmailrc) and the procmail binary exist
 require_files = ${local_part}: \
               ${if exists{/etc/procmailrc}\
                 {/etc/procmailrc}{${home}/.procmailrc}}:\
               +/opt/csw/bin/procmail
 no_verify
 no_expn

Add it exactly as shown above.

c. In the transports section right below the 2 lines that say:

remote_smtp:
driver = smtp

add this:

procmail_pipe:
 debug_print = "T: procmail_pipe for $local_part@$domain"
 driver = pipe
 path = "/opt/csw/bin:/bin:/usr/bin"
 command = "/opt/csw/bin/procmail"
 return_path_add
 delivery_date_add
 envelope_to_add

d. Now restart exim:

/etc/init.d/cswexim stop; /etc/init.d/cswexim start

3. Set up a .procmailrc in the user's home directory and make sure it is owned by the user. This is what I had in my test user's .procmailrc file:

VERBOSE=no
MAILDIR=/home/testuser/mail

#:0: #Delete spam messages
#* ^Subject: \[SPAM]
#/dev/null
:0: #File spam messages in the Spam folder
* ^Subject: \[SPAM]
Spam

The first recipe simply deletes messages whose Subject line begins with [SPAM]; it is commented out. The second recipe puts those messages in the Spam folder. You can replace Spam with Junk if you want. Make sure the mail directory exists in the home directory and is owned by the user. The Junk/Spam folder will be created automatically the first time a spam message comes in, if it does not already exist.
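The ownership requirements above are easy to get wrong, so here is a pre-flight check for the procmail delivery path (an added example, not part of the original post); the home directory and user name are passed as arguments, and the MAILDIR path mirrors the rc file shown above.

```sh
#!/bin/sh
# Constructed example, not from the original post: pre-flight checks for the
# procmail delivery path described above. Paths are arguments so any user can run it.

# Owner of a file as printed by ls (portable across Solaris and Linux).
file_owner() { ls -ld "$1" | awk '{ print $3 }'; }

# Returns 0 if the file is not writable by group or others (procmail treats an
# rc file that is as suspicious and ignores it; a shared MAILDIR exposes mail).
not_writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 1 ;;   # group "w" (col 6) or other "w" (col 9)
        *) return 0 ;;
    esac
}

# One file the post says must exist and be owned by the user.
# $1 = path, $2 = expected owner; prints a reason and returns 1 on failure.
check_owned_by() {
    [ -e "$1" ] || { echo "MISSING: $1"; return 1; }
    [ "$(file_owner "$1")" = "$2" ] || { echo "WRONG OWNER: $1 is not owned by $2"; return 1; }
    not_writable_by_others "$1" || { echo "TOO OPEN: $1 is writable by group/others"; return 1; }
}

# All checks for one mailbox: $1 = home directory, $2 = user name. The router
# above requires ~/.procmailrc (or /etc/procmailrc) to exist, and the pipe
# transport runs procmail as that user, so the rc file and MAILDIR must be theirs.
procmail_preflight() {
    rc=0
    check_owned_by "$1/.procmailrc" "$2" || rc=1
    check_owned_by "$1/mail" "$2" || rc=1          # MAILDIR from the rc file
    [ -d "$1/mail" ] || { echo "NOT A DIR: $1/mail"; rc=1; }
    grep -q '^MAILDIR=' "$1/.procmailrc" 2>/dev/null \
        || { echo "NOTE: no MAILDIR= line in $1/.procmailrc"; rc=1; }
    return $rc
}
```

Run it as `procmail_preflight /home/testuser testuser` before sending the first test message; any line printed is a reason procmail delivery will fail or be unsafe.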

Should be it.

Posted by unixwiz, filed under Solaris, Spam Fighting, exim. Date: July 26, 2006, 10:59 pm

Not long ago I decided to set up an authenticated email server so people off campus could send email through campus servers. The old way would have been an open relay, which is very bad. So I decided to start looking at TLS authentication. Well, the default Sendmail that comes with Solaris 10 does not have TLS authentication, so I decided to disable sendmail and install exim.

To disable sendmail on Solaris 10:

svcadm disable sendmail

Then I installed Exim from the Blastwave Software library which is really as easy as :

/opt/csw/bin/pkg-get -i exim

(Of course this assumes that you have the pkg-get package installed; if not, download and install it. The wonder of pkg-get is that it will download all the dependencies as well.)

The changes I made are as follows:

Under the Main Configuration block, I added:

tls_on_connect_ports = 465
daemon_smtp_ports = 25:465

This makes exim listen on both port 25 and port 465, with port 465 speaking TLS from the moment the connection opens (SMTPS) rather than via STARTTLS.

I then changed the

rfc1413_query_timeout = 30s

to

rfc1413_query_timeout = 0s

which disables ident lookups (we don't allow them).

The last change to the main config section is :

#SSL stuff
tls_certificate = /opt/csw/etc/exim/exim.cert
tls_privatekey = /opt/csw/etc/exim/exim.key
tls_advertise_hosts = *
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

This defines the SSL cert/key, advertises STARTTLS to every host, and advertises AUTH only once the session is encrypted ($tls_cipher is empty on a plaintext connection, so the expansion yields nothing in that case and * otherwise).

Next up is the ACL configuration. I added this under "begin acl":

acl_check_auth:
accept encrypted = *
# same test as the line above, written as a valid Exim condition
accept condition = ${if def:tls_cipher {yes}{no}}
deny message = TLS encryption ONLY

This makes it so only encrypted, authenticated connections will work.
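To check that a configuration actually has the properties described above (AUTH only over TLS, the SMTPS port really listened on, ident off, and the ACL wired in), here is a small audit script; it is an added example, not part of the original post, and the two sample configurations it writes are constructed, with the `acl_smtp_auth` line added because Exim only runs an ACL that the main section selects.

```sh
#!/bin/sh
# Constructed example, not from the original post: audit exim.conf settings discussed above.
exim_opt() {   # $1 = file, $2 = option name; prints the first value found
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
# Prints one line per finding and returns 1 if there were any.
audit_exim_conf() {   # $1 = path to exim.conf
    rc=0
    case "$(exim_opt "$1" auth_advertise_hosts)" in
        '*') echo "WEAK: AUTH offered on plaintext sessions (auth_advertise_hosts = *)"; rc=1 ;;
        *tls_cipher*) ;;                       # offered only once TLS is up
    esac
    tls=$(exim_opt "$1" tls_on_connect_ports); ports=$(exim_opt "$1" daemon_smtp_ports)
    if [ -n "$tls" ]; then
        case ":$ports:" in                     # the SMTPS port must also be listened on
            *":$tls:"*) ;;
            *) echo "MISCONFIG: port $tls is tls_on_connect but not in daemon_smtp_ports"; rc=1 ;;
        esac
    fi
    [ "$(exim_opt "$1" rfc1413_query_timeout)" = "0s" ] \
        || { echo "NOTE: ident (RFC 1413) lookups still enabled"; rc=1; }
    # An ACL only runs if the main section selects it via acl_smtp_auth.
    if grep -q '^acl_check_auth:' "$1" && [ "$(exim_opt "$1" acl_smtp_auth)" != acl_check_auth ]
    then echo "MISCONFIG: acl_check_auth is defined but acl_smtp_auth does not select it"; rc=1
    fi
    return $rc
}
# Constructed configs: the post's settings (plus acl_smtp_auth) and a weakened variant.
GOOD_CONF=$(mktemp); WEAK_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$WEAK_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
tls_on_connect_ports = 465
daemon_smtp_ports = 25:465
rfc1413_query_timeout = 0s
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
acl_smtp_auth = acl_check_auth
begin acl
acl_check_auth:
accept encrypted = *
EOF
cat > "$WEAK_CONF" <<'EOF'
tls_on_connect_ports = 465
daemon_smtp_ports = 25
rfc1413_query_timeout = 30s
auth_advertise_hosts = *
begin acl
acl_check_auth:
accept encrypted = *
EOF
```

`audit_exim_conf "$WEAK_CONF"` prints four findings and returns 1, while the good configuration passes silently.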

The next change was in the routers section. I wanted the exim server to pass all mail to our spam/virus scanner and not to talk to any other mail server, so I added this:

send_to_gateway:
driver = manualroute
transport = remote_smtp
route_list = * SMTP.somehost.edu

Next, I commented out the following:

#local_delivery:
#driver = appendfile
#file = /var/mail/$local_part
#delivery_date_add
#envelope_to_add
#return_path_add
# group = mail
# mode = 0660

#address_pipe:
#driver = pipe
#return_output

#address_file:
#driver = appendfile
#delivery_date_add
#envelope_to_add
#return_path_add

#address_reply:
#driver = autoreply

The final change I made was to use LDAP authentication. So I added this to the Authentication Configuration section:

begin authenticators

BASEDN=ou=people,dc=someplace,dc=edu

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${lookup ldap{user=uid=$1,BASEDN pass=$2 ldap://ldap.server.edu/BASEDN?uid?sub?(uid=$1)}{yes}fail}"
server_set_id = $1

One important note: make sure you leave Username:: : Password:: exactly as it is and do not change it. It seems that Microsoft has hardcoded those values as the prompts for username and password in Microsoft Outlook and Outlook Express. So if you make them anything other than Username: and Password:, those two clients will NOT work, and you will get some weird base64 error codes back. It took me a couple of hours to figure out why Thunderbird worked and Outbreak didn't. That was it.

What you have now is an SMTP server that only accepts mail from authenticated clients and forwards all mail to a central hub. Hope this helps other people; it took me a while to get it set up.

Another side note: if you use Symantec Antivirus on MS Windows (probably on OSX as well) and have Email Auto-Protect enabled, you will never be able to send mail out on port 25 if it is encrypted (in this case it is), as Symantec blocks all encrypted mail because it can't "scan" it.
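The prompt problem above comes from how Exim parses server_prompts and how the LOGIN mechanism encodes what it sends, so here is an added example (not from the original post) that decodes that list the way Exim does and prints the resulting SMTP AUTH LOGIN dialogue; the user name and password it uses are constructed values.

```sh
#!/bin/sh
# Constructed example, not from the original post: what the LOGIN authenticator
# above actually puts on the wire. server_prompts is an Exim colon-separated
# list in which "::" is a literal colon, so "Username:: : Password::" becomes
# the two prompts "Username:" and "Password:", each sent base64-encoded.
SERVER_PROMPTS='Username:: : Password::'   # value from the post's config

# Split an Exim colon-separated list, unescaping "::" and trimming whitespace.
exim_list_items() {
    printf '%s\n' "$1" | awk '{
        item = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == ":" && substr($0, i + 1, 1) == ":") { item = item ":"; i++ }
            else if (c == ":") { print item; item = "" }
            else item = item c
        }
        print item
    }' | sed 's/^ *//; s/ *$//'
}

# base64(1) from GNU coreutils; on Solaris use "openssl base64" instead.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# The dialogue after the client sends "AUTH LOGIN": each prompt goes out as
# "334 <base64>" and the client answers base64-encoded. Decoded, the answers
# are the $1 (uid) and $2 (password) the post's LDAP lookup binds with.
login_dialogue() {   # $1 = user name, $2 = password (constructed values)
    n=0
    exim_list_items "$SERVER_PROMPTS" | while IFS= read -r prompt; do
        n=$((n + 1))
        echo "S: 334 $(b64 "$prompt")"
        if [ "$n" -eq 1 ]; then echo "C: $(b64 "$1")"; else echo "C: $(b64 "$2")"; fi
    done
}

# A client that expects fixed prompts, as the post describes for Outlook, only
# works when the server's decoded prompts are exactly these two strings.
prompts_match_outlook() {   # $1 = a server_prompts value
    [ "$(exim_list_items "$1" | tr '\n' '|')" = "Username:|Password:|" ]
}
```

`login_dialogue jdoe secret` prints `S: 334 VXNlcm5hbWU6` and `S: 334 UGFzc3dvcmQ6` as the two server lines, which are the base64 forms of Username: and Password: that a client hardcoding those prompts expects to see.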

One final note: to provide some "HA" to this setup, I have two identical Exim setups in 2 different buildings on 2 different networks. They both use the same SSL cert/key and are set up in a DNS round-robin record so they answer to the same hostname.


Posted by unixwiz, filed under Solaris, exim. Date: November 29, 2005, 11:32 pm