Commit | Line | Data |
---|---|---|
de45f55a AM |
1 | <?xml version="1.0" encoding="utf-8"?> |
2 | <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" | |
3 | "http://www.docbook.org/xml/4.4/docbookx.dtd"> | |
4 | <article> <title>Exim 4 for Debian</title> | |
5 | <section> <title>Introduction</title> | |
6 | <para> | |
7 | If you're reading this, you have found the README.Debian | |
8 | file. This is good, thanks! Please continue reading this file in | |
9 | its entirety. It is full of important information and has been | |
10 | written with the questions in mind that keep popping up on the | |
11 | mailing lists. | |
12 | </para> | |
13 | <section> <title>How to find your way around the Documentation</title> | |
14 | <para> | |
15 | Exim comes with very extensive documentation. Here is how to | |
16 | find it. | |
17 | <orderedlist> | |
18 | <listitem> | |
19 | <simpara> | |
20 | A lot of information about Debian's Exim 4 | |
21 | packaging can be found in this document. | |
22 | </simpara> | |
23 | </listitem> | |
24 | <listitem> | |
25 | <simpara> | |
26 | The packages contain a lot of Debian-specific man pages. | |
27 | Use the <command>apropos exim</command> command to get a list. | |
28 | </simpara> | |
29 | </listitem> | |
30 | <listitem> | |
31 | <simpara> | |
32 | Most files that control the default configuration are | |
33 | documented in the exim4-config_files(5) man page, which | |
34 | is symlinked to the file names. man <filename> should | |
35 | lead you to the page. | |
36 | </simpara> | |
37 | </listitem> | |
38 | <listitem> | |
39 | <simpara> | |
40 | The Debian Exim 4 packages have their own | |
41 | <ulink url="http://pkg-exim4.alioth.debian.org"> | |
42 | Home Page | |
43 | </ulink> which also links to a User FAQ. | |
44 | </simpara> | |
45 | </listitem> | |
46 | <listitem> | |
47 | <para> | |
48 | The very extensive Upstream documentation is shipped | |
49 | <orderedlist> | |
50 | <listitem> | |
51 | <simpara> | |
52 | in text form | |
53 | (<filename>/usr/share/doc/exim4-base/spec.txt.gz</filename>) | |
54 | with the binary packages. | |
55 | </simpara> | |
56 | </listitem> | |
57 | <listitem> | |
58 | <simpara> | |
59 | in HTML in the package | |
60 | <filename>exim4-doc-html</filename> | |
61 | </simpara> | |
62 | </listitem> | |
63 | <listitem> | |
64 | <simpara> | |
65 | as a Texinfo file in the package | |
66 | <filename>exim4-doc-info</filename> | |
67 | </simpara> | |
68 | </listitem> | |
69 | </orderedlist> | |
70 | </para> | |
71 | </listitem> | |
72 | </orderedlist> | |
73 | </para> | |
74 | <para> | |
75 | Please note that documentation found on the web or in other | |
76 | parts of the Debian system (such as the Debian Reference) | |
77 | might be outdated and thus give wrong advice. In doubt, the | |
78 | documentation listed above should take precedence. | |
79 | </para> | |
80 | </section> | |
81 | <section> <title>Getting Support</title> | |
82 | <para> | |
83 | For your questions and comments, there is a <ulink | |
84 | url="http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users"> | |
85 | Debian-specific mailing list</ulink>. Please ask Debian-specific | |
86 | questions there, and only write to the upstream exim-users mailing | |
87 | list if | |
88 | you are sure that your question is not Debian-specific. | |
89 | Debian-specific questions are more likely to find answers on | |
90 | our pkg-exim4-users mailing list, while complex custom | |
91 | configuration issues might be more easily solved on the | |
92 | upstream exim-users mailing list because of the broader and | |
93 | more experienced audience there. You can subscribe to | |
94 | pkg-exim4-users <ulink | |
95 | url="http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users"> | |
96 | via the subscription web page;</ulink> you need to be | |
97 | subscribed to post. | |
98 | </para> | |
99 | <para> | |
100 | If you think that your question might be more easily answered | |
101 | if one knows a bit about your configuration, you might want to | |
102 | execute <command>reportbug --subject="none" --offline --quiet | |
103 | --severity=wishlist --body="none" --output=exim4.reportbug | |
104 | exim4-config</command> on the system in question, answer yes | |
105 | to both "include [extended] configuration" questions and include | |
106 | the contents of the exim4.reportbug file generated by this | |
107 | command with your question. Please check whether the file | |
108 | contains any confidential information before sending. | |
109 | </para> | |
110 | </section> | |
111 | <section> <title>Packaging</title> | |
112 | <para> | |
113 | Similar to the Apache2 package, Exim 4 is an entirely | |
114 | different package that does not currently offer a smooth | |
115 | upgrade path from Debian's Exim 3 packages. | |
116 | </para> | |
117 | <para> | |
118 | It is the first Exim package in Debian that can be configured | |
119 | using debconf. However, the entire configuration framework is | |
120 | extremely flexible, allowing you to get exactly the amount of | |
121 | control you need for the job at hand. | |
122 | </para> | |
123 | <para> | |
124 | The <ulink url="http://pkg-exim4.alioth.debian.org" | |
125 | type="http">development web page</ulink> contains a lot of | |
126 | useful links and other information. The subversion repository | |
127 | of the Debian package is available for public read-only access | |
128 | and is linked from the development web page. | |
129 | </para> | |
130 | <section> <title>Feature Sets in the daemon packages</title> | |
131 | <para> | |
132 | To use Exim 4, you need at least the following packages: | |
133 | <variablelist> | |
134 | <varlistentry> | |
135 | <term>exim4-base</term> | |
136 | <listitem> | |
137 | <simpara>support files for all Exim MTA (v4) packages</simpara> | |
138 | </listitem> | |
139 | </varlistentry> | |
140 | <varlistentry> | |
141 | <term>exim4-config</term> | |
142 | <listitem> | |
143 | <simpara>configuration for the Exim MTA (v4)</simpara> | |
144 | </listitem> | |
145 | </varlistentry> | |
146 | <varlistentry> | |
147 | <term>exim4-daemon-light</term> | |
148 | <listitem> | |
149 | <simpara>lightweight exim MTA (v4) daemon</simpara> | |
150 | </listitem> | |
151 | </varlistentry> | |
152 | </variablelist> | |
153 | </para> | |
154 | <para> | |
155 | Just apting the metapackage <command>exim4</command> will pull | |
156 | in the other packages per dependency. You'll get an exim daemon | |
157 | with minimal feature set (no external lookups). | |
158 | </para> | |
159 | <para> | |
160 | If you need more advanced features like LDAP, sqlite, PostgreSQL | |
161 | and MySQL data lookups, SASL and SPA SMTP authentication, embedded | |
162 | Perl interpreter, and exiscan-acl for integration of | |
163 | virus-scanners and SpamAssassin, you can replace | |
164 | <command>exim4-daemon-heavy</command> instead of | |
165 | <command>exim4-daemon-light</command>. Additionally, the source | |
166 | package offers infrastructure to build your own custom-tailored | |
167 | exim4-daemon-custom which exactly fits your special local needs. | |
168 | The infrastructure to do so is already in place, see | |
169 | debian/rules for instructions. | |
170 | </para> | |
171 | </section> | |
172 | <section> <title>How to build a custom daemon</title> | |
173 | <para> | |
174 | The process of building a custom daemon is partially | |
175 | documented in the <filename>debian/rules</filename> file | |
176 | in the source package. Patches for more documentation are welcome. | |
177 | </para> | |
178 | </section> | |
179 | </section> | |
180 | </section> | |
181 | <section> <title>Configuration of Exim 4 in the Debian packages</title> | |
182 | <para> | |
183 | Generally, the Debian Exim 4 packages are configured through | |
184 | debconf. You have been asked some questions on package installation, | |
185 | and your initial Exim configuration has been created from your | |
186 | answers. You can repeat the configuration process any time by invoking | |
187 | <command>dpkg-reconfigure exim4-config</command>. If you are an | |
188 | experienced Exim administrator and prefer to have your own, | |
189 | hand-crafted, non-automatic Exim configuration, you will find | |
190 | information about how to do so in | |
191 | <xref linkend="completely-different-configuration"/>. | |
192 | </para> | |
193 | <para> | |
194 | The debconf-driven configuration is mainly geared for a | |
195 | one-domain shell account machine/workstation with local delivery | |
196 | as suggested by the original upstream default configuration. | |
197 | If you configure the packages to handle more than one local | |
198 | domain, all local domains are treated identically. The domain | |
199 | part is not used for routing and filtering decisions. | |
200 | </para> | |
201 | <para> | |
202 | Despite the default configuration being extended somewhat from | |
203 | the original upstream, chances are that you'll need to | |
204 | manually change the Exim configuration with an editor if you intend to | |
205 | do something that is not covered by the debconf-driven configuration. | |
206 | It has never been the packages' intention to offer all possible | |
207 | configuration methods through debconf. The configuration files are | |
208 | there to be changed, feel free to do so if you see fit. The Debian | |
209 | Exim 4 maintainers have tried to make the configuration as flexible as | |
210 | possible so that manual intervention can be minimized. | |
211 | </para> | |
212 | <para> | |
213 | If you need to make manual changes to the Exim configuration, | |
214 | please be familiar with how Exim works. At minimum, have read this | |
215 | README file and the manpages delivered with the Debian Exim 4 | |
216 | packages, and <filename>/usr/share/doc/exim4-base/spec.txt.gz</filename> | |
217 | chapters 3 and 6. <filename>spec.txt.gz</filename> is an excellent | |
218 | reference. | |
219 | </para> | |
220 | <para> | |
221 | Please note that while most free-form fields in the | |
222 | debconf-driven configuration have the entered string end up | |
223 | verbatim in Exim's configuration file (and thus using more | |
224 | advanced features like host, address and domain lists is possible | |
225 | and will probably work), this is not officially supported. | |
226 | Only plain lists are supported in the debconf dialogs. You may | |
227 | use more advanced features, but they may stop working any time | |
228 | during upgrades. | |
229 | </para> | |
230 | <section> <title>The Configuration System</title> | |
231 | <section id="debconf-questions"> <title>The Debconf questions</title> | |
232 | <para> | |
233 | In this section, we try to document and explain the debconf | |
234 | questions, which are themselves limited to a small screen of | |
235 | information and might leave questions unanswered. Since you | |
236 | can usually read this file only after having answered the | |
237 | questions, the process can always be repeated by invoking | |
238 | <command>dpkg-reconfigure exim4-config.</command> | |
239 | <filename>/etc/exim4/update-exim4.conf.conf</filename>, | |
240 | documented in the <command>update-exim4.conf</command> | |
241 | manual page, is | |
242 | a simple shell-script snippet used to store the answers | |
243 | that you passed to debconf when initially configuring Exim. | |
244 | You may also modify this file with an editor of your choice. | |
245 | The package maintainer scripts can handle this and will | |
246 | preserve your changes. | |
247 | </para> | |
248 | <section> <title>General type of mail configuration</title> | |
249 | <para> | |
250 | This is the main configuration question which will | |
251 | control which of the remaining questions are | |
252 | presented to you. It also controls things like daemon | |
253 | invocation and delivery of outgoing mail. | |
254 | </para> | |
255 | <section> <title> internet site; mail is sent and | |
256 | received directly using SMTP</title> | |
257 | <para> | |
258 | This option is suitable for a standalone system | |
259 | with full internet connectivity. | |
260 | </para> | |
261 | <itemizedlist> | |
262 | <listitem> | |
263 | <para> | |
264 | The Exim SMTP daemon will accept messages | |
265 | to local domains, and deliver them locally. | |
266 | </para> | |
267 | </listitem> | |
268 | <listitem> | |
269 | <para> | |
270 | Outgoing mail will be delivered directly | |
271 | to the mail exchange servers of the | |
272 | recipient domain | |
273 | </para> | |
274 | </listitem> | |
275 | </itemizedlist> | |
276 | </section> | |
277 | <section> <title> mail sent by smarthost; received via | |
278 | SMTP or fetchmail</title> | |
279 | <para> | |
280 | This option is suitable for a standalone client system | |
281 | which has restricted internet connectivity, for | |
282 | example on a residential connection where an SMTP | |
283 | smarthost is used. Some ISPs block outgoing SMTP | |
284 | connections to combat the spam problem, thus | |
285 | requiring the use of their smarthosts. It is | |
286 | generally a good idea to use the ISPs smart host | |
287 | if one is connected with a dynamic IP address | |
288 | since quite a few sites do not accept mail | |
289 | directly delivered from a dial-in pool. | |
290 | </para> | |
291 | <para> | |
292 | fetchmail can be used to retrieve incoming mail | |
293 | from the ISP's POP3 or IMAP mail server and | |
294 | deliver it to Exim via SMTP. | |
295 | </para> | |
296 | <itemizedlist> | |
297 | <listitem> | |
298 | <para> | |
299 | The Exim SMTP daemon will accept messages | |
300 | to local domains, and deliver them locally. | |
301 | </para> | |
302 | </listitem> | |
303 | <listitem> | |
304 | <para> | |
305 | Outgoing mail will always be delivered to | |
306 | the smarthost configured in exim4. | |
307 | </para> | |
308 | </listitem> | |
309 | </itemizedlist> | |
310 | </section> | |
311 | <section> <title>mail sent by smarthost; no local mail</title> | |
312 | <para> | |
313 | This option is suitable for a client system in a | |
314 | computer pool which is not responsible for a local | |
315 | e-mail domain. All locally generated e-mail is | |
316 | sent to the smarthost without any local domains. | |
317 | </para> | |
318 | </section> | |
319 | <section> <title>local delivery only; not on a network</title> | |
320 | <para> | |
321 | This option is suitable for a standalone system | |
322 | with no networking at all. Only messages for configured | |
323 | local domains are accepted and delivered locally; | |
324 | messages for all other domains are rejected: | |
325 | ``Mailing to remote domains not supported''. | |
326 | </para> | |
327 | </section> | |
328 | <section> <title>no configuration at this time</title> | |
329 | <para> | |
330 | This option disables most of Debian's automatisms | |
331 | and leaves exim in an unconfigured state. | |
332 | update-exim4.conf will still copy | |
333 | <filename>/etc/exim4/exim4.conf.template</filename> | |
334 | or concatenate the files from | |
335 | <filename>/etc/exim4/conf.d,</filename> and will | |
336 | not generate any configuration control macros. | |
337 | Unless you manually edit the configuration source, | |
338 | this will leave Exim with a syntactically invalid | |
339 | configuration file, thus in a state where the | |
340 | daemon won't even start. | |
341 | </para> | |
342 | <para> | |
343 | Only choose this option if you know what you're | |
344 | doing and are prepared to create your own Exim | |
345 | configuration. | |
346 | </para> | |
347 | <para> | |
348 | dpkg-conffile handling is still in place, and you | |
349 | will be offered updates for configuration | |
350 | snippets, as soon as they become available. | |
351 | </para> | |
352 | </section> | |
353 | </section> | |
354 | <section> <title>System mail name</title> | |
355 | <para> | |
356 | The "mail name" is the domain name used to "qualify" | |
357 | mail addresses without a domain name. | |
358 | </para> | |
359 | <para> | |
360 | This name will also be used by other programs. It | |
361 | should be the single, full domain name (FQDN). | |
362 | </para> | |
363 | <para> | |
364 | For example, if a mail address on the local host is | |
365 | foo@example.org, then the correct value for this | |
366 | option would be example.org. | |
367 | </para> | |
368 | <para> | |
369 | Exim, as a rule, handles only fully qualified mail | |
370 | addresses, that is, addresses with a local part, an @ | |
371 | sign and a domain. If confronted with an unqualified | |
372 | address, that is, one without @ sign and without | |
373 | domain, first thing exim does is qualify the address | |
374 | by adding the @ sign and a domain. | |
375 | </para> | |
376 | <para> | |
377 | This qualification happens for all addresses exim | |
378 | encounters, be it sender, recipient or else. | |
379 | </para> | |
380 | <para> | |
381 | The domain name used to qualify unqualified mail addresses | |
382 | is called ``mail name'' on Debian systems and entered | |
383 | in this debconf dialog. What you enter here will end | |
384 | up in <filename>/etc/mailname,</filename> which is a | |
385 | file that might be used by other programs as well. | |
386 | </para> | |
387 | <para> | |
388 | In some configuration types, the package configuration | |
389 | will offer you, at a later step, to hide this name | |
390 | from outgoing messages by rewriting the headers. | |
391 | </para> | |
392 | </section> | |
393 | <section> <title>IP addresses to listen on for incoming SMTP | |
394 | connections</title> | |
395 | <para> | |
396 | Please enter a semicolon-separated list of IP addresses. | |
397 | The Exim SMTP listener daemon will listen on all IP | |
398 | addresses listed here. | |
399 | </para> | |
400 | <para> | |
401 | An empty value will cause Exim to listen for connections | |
402 | on all available network interfaces. | |
403 | </para> | |
404 | <para> | |
405 | If this system does only receive e-mail directly from | |
406 | local services (and not from other hosts), | |
407 | it is suggested to prohibit external connections to the | |
408 | local Exim daemon. Such services include e-mail | |
409 | programs (MUSs) which talk to localhost only as well as | |
410 | fetchmail. External connections are impossible when | |
411 | 127.0.0.1 is entered here, as this will disable listening | |
412 | on public network interfaces. | |
413 | </para> | |
414 | <para> | |
415 | Do not change this unless you know what you are doing. | |
416 | Altering this value could post a security risk to your | |
417 | system. For most users, the default value is sufficient. | |
418 | </para> | |
419 | </section> | |
420 | <section> <title>Other destinations for which mail is accepted</title> | |
421 | <para> | |
422 | Please enter a semicolon-separated list of recipient | |
423 | domains for which this machine should consider itself | |
424 | the final destination. These domains are commonly | |
425 | called 'local domains'. The local hostname and 'localhost' | |
426 | are always added to the list given here. | |
427 | </para> | |
428 | <para> | |
429 | By default all local domains will be treated | |
430 | identically. If both a.example and b.example are | |
431 | local domains, acc@a.example and acc@b.example will | |
432 | be delivered to the same final destination. If | |
433 | different domain names should be treated differently, | |
434 | it is necessary to edit the config files afterwards. | |
435 | </para> | |
436 | <para> | |
437 | The answer to this question ends up in the list of | |
438 | domains that Exim will consider local domains. Mail | |
439 | for recipients in one of these domains will be | |
440 | subject to local alias expansion and then delivered | |
441 | locally in the appropriate configuration types. | |
442 | </para> | |
443 | </section> | |
444 | <section> <title>Domains to relay mail for</title> | |
445 | <para> | |
446 | Please enter a semicolon-separated list of recipient | |
447 | domains for which this system will relay mail, for | |
448 | example as a fallback MX or mail gateway. This means | |
449 | that this system will accept mail for these domains | |
450 | from anywhere on the Internet and deliver them | |
451 | according to local delivery rules. | |
452 | </para> | |
453 | <para> | |
454 | Do not mention local domains here. Wildcards may be used. | |
455 | </para> | |
456 | <para> | |
457 | The answer to this question is a list of the domains | |
458 | for which Exim will relay messages coming in from anywhere | |
459 | on the Internet. | |
460 | </para> | |
461 | </section> | |
462 | <section> <title>Machines to relay mail for</title> | |
463 | <para> | |
464 | Please enter a semicolon-separated list of IP address | |
465 | ranges for which this system will unconditionally relay | |
466 | mail, functioning as a smarthost. | |
467 | </para> | |
468 | <para> | |
469 | You should use the standard address/prefix format | |
470 | (e.g. 194.222.242.0/24 or 5f03:1200:836f::/48). | |
471 | </para> | |
472 | <para> | |
473 | If this system should not be a smarthost for any | |
474 | other host, leave this list blank. | |
475 | </para> | |
476 | <para> | |
477 | Please note that systems not listed here can still use | |
478 | SMTP AUTH to relay through this system. If this system | |
479 | only has clients on dynamic IP addresses that use SMTP | |
480 | AUTH, leave this list blank as well. Do | |
481 | <emphasis>NOT</emphasis> list 0.0.0.0/0! | |
482 | </para> | |
483 | <para> | |
484 | Warning: While it is possible to use | |
485 | host<emphasis>names</emphasis> instead of IP addresses in this | |
486 | list extra care needs to be taken in this case. | |
487 | <emphasis>Unresolvable names in the host list will break | |
488 | relaying.</emphasis> See | |
489 | <ulink url="http://www.exim.org/exim-html-current/doc/html/spec_html/ch-domain_host_address_and_local_part_lists.html"> | |
490 | Exim specification - chapter Domain, host, address, and | |
491 | local part lists | |
492 | </ulink> and the exim4-config_files man page. | |
493 | </para> | |
494 | </section> | |
495 | <section> <title>IP address or host name of the outgoing | |
496 | smarthost</title> | |
497 | <para> | |
498 | Please enter the IP address or the host name of a mail | |
499 | server that this system should use as outgoing | |
500 | smarthost. If the smarthost only accepts your mail on | |
501 | a port different from TCP/25, append two colons and | |
502 | the port number (for example smarthost.example::587 or | |
503 | 192.168.254.254::2525). Colons in IPv6 addresses need | |
504 | to be doubled. | |
505 | </para> | |
506 | <para> | |
507 | If the smarthost requires authentication, please refer | |
508 | to <xref linkend="smtp-auth"/> for notes about setting | |
509 | up SMTP authentication. | |
510 | </para> | |
511 | <para> | |
512 | Multiple smarthost entries are permitted, semicolon | |
513 | separated. Each of the hosts is tried, in the order | |
514 | specified (See Exim specification, chapter 20.5). | |
515 | </para> | |
516 | </section> | |
517 | <section> <title>Hide local mail name in outgoing mail</title> | |
518 | <para> | |
519 | The headers of outgoing mail can be rewritten to make | |
520 | it appear to have been generated on a different | |
521 | system, replacing the local host name in From, | |
522 | Reply-To, Sender and Return-Path. | |
523 | </para> | |
524 | </section> | |
525 | <section> <title>Visible domain name for local users</title> | |
526 | <para> | |
527 | If you ask Exim to hide the local mail name in | |
528 | outgoing mail, it will next ask you for the domain | |
529 | name that should be visible for your local users. | |
530 | These information is then used to establish the | |
531 | appropriate rewriting rules. | |
532 | </para> | |
533 | </section> | |
534 | <section> <title>Keep number of DNS queries minimal | |
535 | (Dial-on-Demand)</title> | |
536 | <para> | |
537 | In normal mode of operation Exim does DNS lookups at | |
538 | startup, and when receiving or delivering messages. | |
539 | This is for logging purposes and allows keeping down | |
540 | the number of hard-coded values in the configuration. | |
541 | </para> | |
542 | <para> | |
543 | If this system does not have a DNS full service | |
544 | resolver available at all times (for example if its | |
545 | Internet access is a dial-up line using | |
546 | dial-on-demand), this might have unwanted | |
547 | consequences. For example, starting up Exim or | |
548 | running the queue (even with no messages waiting) | |
549 | might trigger a costly dial-up-event. | |
550 | </para> | |
551 | <para> | |
552 | This option should be selected if this system is | |
553 | using Dial-on-Demand. If it has always-on Internet | |
554 | access, this option should be disabled. | |
555 | </para> | |
556 | </section> | |
557 | <section><title>Delivery method for local mail</title> | |
558 | <para> | |
559 | Exim is able to store locally delivered mail in | |
560 | different formats. The most commonly used ones are | |
561 | mbox and Maildir. mbox uses a single file for the | |
562 | complete mail folder stored in /var/mail/. With | |
563 | Maildir format every single message is stored in a | |
564 | separate file in ~/Maildir/. | |
565 | </para> | |
566 | <para> | |
567 | Please note that most mail tools in Debian expect the | |
568 | local delivery method to be mbox in their default. | |
569 | </para> | |
570 | </section> | |
571 | <section> <title>Split configuration into small files</title> | |
572 | <para> | |
573 | Our packages offer two (actually three, see | |
574 | <xref linkend="completely-different-configuration"/>) | |
575 | possibilities: | |
576 | </para> | |
577 | <orderedlist> | |
578 | <listitem> | |
579 | <simpara> | |
580 | Generate Exim's configuration from | |
581 | <filename>/etc/exim4/exim4.conf.template,</filename> | |
582 | which is basically a normal Exim run-time | |
583 | configuration file which will be supplemented | |
584 | with some macros generated from Debconf in a | |
585 | post-processing step before it is passed to exim. | |
586 | </simpara> | |
587 | </listitem> | |
588 | <listitem> | |
589 | <simpara> | |
590 | Generate Exim's configuration from the | |
591 | multiple files in | |
592 | <filename>/etc/exim4/conf.d/</filename>. The | |
593 | directories in | |
594 | <filename>/etc/exim4/conf.d/</filename> | |
595 | correspond to the sections of the Exim | |
596 | run-time configuration file, so you should | |
597 | easily find your way around there. | |
598 | </simpara> | |
599 | </listitem> | |
600 | </orderedlist> | |
601 | <para> | |
602 | Splitting the configuration across multiple files | |
603 | means that you have the actual configuration file | |
604 | automatically generated from the files below | |
605 | <filename>/etc/exim4/conf.d/</filename> by invoking | |
606 | <command>update-exim4.conf</command>. Each section | |
607 | of Exim's configuration has its own subdirectory and | |
608 | the files in there are supposed to be read in | |
609 | alphanumeric order. | |
610 | <filename>router/00_exim4-config_header</filename> | |
611 | is followed by | |
612 | <filename>router/100_exim4-config_domain_literal</filename>, | |
613 | ... | |
614 | </para> | |
615 | <para> | |
616 | If you chose unsplit configuration, | |
617 | <command>update-exim4.conf</command> builds the | |
618 | configuration from | |
619 | <filename>/etc/exim4/exim4.conf.template</filename>, | |
620 | which is basically the files from | |
621 | <filename>/etc/exim4/conf.d/</filename> concatenated | |
622 | together at package build time, and thus guarantees | |
623 | consistency on the target system. | |
624 | </para> | |
625 | <para> | |
626 | In both cases, <command>update-exim4.conf</command> | |
627 | generates exim configuration macros from the debconf | |
628 | configuration values and puts them into | |
629 | the actual configuration file, which is then used by | |
630 | the Exim daemon. See the | |
631 | <command>update-exim4.conf</command> manual | |
632 | page for more in-depth information about this | |
633 | mechanism. | |
634 | </para> | |
635 | <para> | |
636 | Benefits of the split configuration approach: | |
637 | <itemizedlist> | |
638 | <listitem> | |
639 | <simpara> | |
640 | it means less work for you when upgrading. | |
641 | If we shipped one big file and modified | |
642 | for example the Maildir transport in a new | |
643 | version you won't have to do manual | |
644 | conffile merging unless you had changed | |
645 | exactly <emphasis>this</emphasis> | |
646 | transport. | |
647 | </simpara> | |
648 | </listitem> | |
649 | <listitem> | |
650 | <simpara> | |
651 | It allows other packages (e.g. sa-exim) to | |
652 | modify Exim's configuration by dropping | |
653 | files into | |
654 | <filename>/etc/exim4/conf.d</filename>. | |
655 | This needs, however quite exact syncing | |
656 | between the exim4 packages and the other, | |
657 | cooperating package. | |
658 | </simpara> | |
659 | </listitem> | |
660 | </itemizedlist> | |
661 | </para> | |
662 | <para> | |
663 | Drawbacks of the split configuration approach: | |
664 | <itemizedlist> | |
665 | <listitem> | |
666 | <simpara> | |
667 | It is more fragile. If files from | |
668 | different sources (package, manually | |
669 | changed, or other package) get out of | |
670 | sync, it is possible for Exim to break | |
671 | until you manually correct this. This can | |
672 | for example happen if we decide to add a | |
673 | new option to the Debian setup of a later | |
674 | version, and you have already set this | |
675 | option in a local file. | |
676 | </simpara> | |
677 | </listitem> | |
678 | </itemizedlist> | |
679 | </para> | |
680 | <para> | |
681 | Benefits of the unsplit configuration approach: | |
682 | <itemizedlist> | |
683 | <listitem> | |
684 | <simpara> | |
685 | People familiar with configuring Exim may | |
686 | find this approach easier to understand as | |
687 | <filename>exim4.conf.template</filename> | |
688 | basically is a complete Exim configuration | |
689 | file which will only undergo some basic | |
690 | string replacement before is it passed to | |
691 | exim. | |
692 | </simpara> | |
693 | </listitem> | |
694 | <listitem> | |
695 | <simpara> | |
696 | Split-config's fragility mentioned | |
697 | above does not occur. | |
698 | </simpara> | |
699 | </listitem> | |
700 | </itemizedlist> | |
701 | </para> | |
702 | <para> | |
703 | Drawbacks of the unsplit configuration approach: | |
704 | <itemizedlist> | |
705 | <listitem> | |
706 | <simpara> | |
707 | Will require manual intervention in case of an | |
708 | upgrade. | |
709 | </simpara> | |
710 | </listitem> | |
711 | </itemizedlist> | |
712 | </para> | |
713 | <para> | |
714 | If in doubt go for the unsplit config, because it is | |
715 | easier to roll back to Debian's default configuration | |
716 | in one step. If you intend to do many changes to the | |
717 | Debian setup, you might want to use the split config | |
718 | at the price of having to more closely examine the | |
719 | config file after an update. | |
720 | </para> | |
721 | <para> | |
722 | We'd appreciate a patch that uses ucf and the | |
723 | 3-way-merge mechanism offered by that package. It | |
724 | might be the best way to handle the big configuration | |
725 | file. | |
726 | </para> | |
727 | <para> | |
728 | If you are using unsplit configuration, have local | |
729 | changes to <filename>/etc/exim4/conf.d/</filename> | |
730 | (either made by yourself or by other packages dropping | |
731 | their own routers or transports in) and want to | |
732 | re-generate | |
733 | <filename>/etc/exim4/exim4.conf.template</filename> to | |
734 | activate these changes, you can do so by using | |
735 | <command>update-exim4.conf.template</command>. | |
736 | </para> | |
737 | </section> | |
738 | </section> | |
739 | <section> <title>Access Control in the default configuration</title> | |
740 | <para> | |
741 | The Debian exim 4 packages come with a default configuration | |
742 | that allows flexible access control and blacklisting of | |
743 | sites and hosts. The acls involved can be found in | |
744 | /etc/exim4/conf.d/acl, or in /etc/exim4/exim4.conf.template, | |
745 | depending on which configuration scheme you use. Most | |
746 | rejections of messages due to this mechanism happen at RCPT | |
747 | time. Local configuration of the mechanisms happens through | |
748 | data files in /etc/exim4 or via Exim macros that you can set | |
749 | in /etc/exim4/conf.d/main, so there is normally no need to | |
750 | change the files in the acl subdirectory in a split-config | |
751 | setup. If you use the non-split config, you need to edit | |
752 | /etc/exim4/exim4.conf.template, which, as a big | |
753 | dpkg-conffile, won't give you any advantage of the .ifdef | |
754 | scheme. | |
755 | </para> | |
756 | <para> | |
757 | The data files are documented in the exim4-config_files man | |
758 | page. | |
759 | </para> | |
760 | <para> | |
761 | The access lists delivered with the exim4 packages also | |
762 | contain quite a few configuration options that are too | |
763 | restrictive to be active by default on a real-life site. | |
764 | These are masked by .ifdef statements, can be activated by | |
765 | setting the appropriate macros, and are documented in the | |
766 | ACL files itself. | |
767 | </para> | |
768 | </section> | |
769 | <section id='macros'> <title>Using Exim Macros to control the | |
770 | configuration</title> | |
771 | <para> | |
772 | Our configuration can be controlled in a limited way by | |
773 | setting macros. That way, you can switch on and off certain | |
774 | parts of the default configuration and/or override values set | |
775 | in Debconf without having to touch the dpkg-conffiles. While | |
776 | touching dpkg-conffiles itself is explitly allowed and wanted, | |
777 | it can be quite a nuisance to be asked on package upgrade | |
778 | whether one wants to use the locally changed file or the | |
779 | file changed by the package maintainer. | |
780 | </para> | |
781 | <para> | |
782 | Whenever you see an <command>.ifdef</command> or | |
783 | <command>.ifndef</command> clause in the configuration file, | |
784 | you can control the appropriate clause by setting the macro in | |
785 | a local configuration file. For split configuration, you can | |
786 | drop the local configuration file anywhere in | |
787 | <filename>/etc/exim4/conf.d/main</filename>. Just make sure it | |
788 | gets read before the macro is first used. | |
789 | <filename>000_localmacros</filename> is a possible name, | |
790 | guaranteeing first order. For a non-split configuration, | |
791 | <filename>/etc/exim4/exim4.conf.localmacros</filename> gets | |
792 | read before | |
793 | <filename>/etc/exim4/exim4.conf.template</filename>. To | |
794 | actually set the macro <varname>EXIM4_EXAMPLE</varname> to the | |
795 | value "this is a sample", write the following line | |
796 | </para> | |
797 | <para> | |
798 | EXIM4_EXAMPLE = this is a sample | |
799 | </para> | |
800 | <para> | |
801 | into the appropriate file. For more detailed discussion of the | |
802 | general macro mechanism, see the Exim specification, chapter | |
803 | 6.4, for details how macro expansion works. | |
804 | </para> | |
805 | </section> | |
806 | <section> <title>How does this work?</title> | |
807 | <para> | |
808 | The script <command>update-exim4.conf</command> parses the | |
809 | <filename>/etc/exim4/update-exim4.conf.conf</filename> file | |
810 | and provides the configuration for the exim daemon. | |
811 | </para> | |
812 | <para> | |
813 | Depending on the value of | |
814 | <varname>dc_use_split_config</varname>, it either | |
815 | <itemizedlist> | |
816 | <listitem> | |
817 | <simpara> | |
818 | takes all the files below | |
819 | <filename>/etc/exim4/conf.d/</filename> and | |
820 | concatenates them together or | |
821 | </simpara> | |
822 | </listitem> | |
823 | <listitem> | |
824 | <simpara> | |
825 | uses <filename>exim4.conf.template</filename> as | |
826 | input. | |
827 | </simpara> | |
828 | </listitem> | |
829 | </itemizedlist> | |
830 | The debconf-managed information from | |
831 | <filename>/etc/exim4/update-exim4.conf.conf</filename> is | |
832 | merged into the generated configuration file by generating a | |
833 | number of Exim configuration macros. | |
834 | </para> | |
835 | <para> | |
836 | <varname>DCsmarthost</varname>, for example, is set to the | |
837 | value of <varname>$dc_smarthost</varname> | |
838 | in <filename>/etc/exim4/update-exim4.conf.conf</filename> | |
839 | which holds the answer to "Which machine will act as the | |
840 | smarthost and handle outgoing mail?" | |
841 | </para> | |
842 | <para> | |
843 | The result of these operations is saved as | |
844 | <filename>/var/lib/exim4/config.autogenerated</filename>, | |
845 | which is <emphasis>not</emphasis> a dpkg-conffile! Manual | |
846 | changes to this file will be overwritten by | |
847 | <command>update-exim4.conf</command>. | |
848 | </para> | |
849 | <para> | |
850 | Please consult <command>update-exim4.conf</command> manpage | |
851 | for more detailed information. | |
852 | </para> | |
853 | <para> | |
854 | <command>update-exim4.conf</command> is invoked by the init | |
855 | script prior to any operation that may invoke an exim process, | |
856 | and gives an error message if the generated config file is | |
857 | syntactically invalid. If you want to activate your changes to | |
858 | files in conf.d/ just execute <command>invoke-rc.d exim4 restart</command>. | |
859 | </para> | |
860 | </section> | |
861 | <section id="howto-change-config"><title>How do I do minor tweaks to the configuration?</title> | |
862 | <para> | |
863 | Some times, you want to do minor adjustments to the Exim | |
864 | configuration to make Exim behave exactly like you want it | |
865 | to behave. There are the following possibilities to modify | |
866 | Exim's behavior. | |
867 | </para> | |
868 | <section><title>Adjustments supported by the debconf configuration</title> | |
869 | <para> | |
870 | If you want to modify parameters that are supported by the | |
871 | debconf configuration, things are easy. Just invoke | |
872 | <command>dpkg-reconfigure exim4-config</command> or hand-edit | |
873 | <filename>/etc/exim4/update-exim4.conf.conf</filename> to your | |
874 | liking and restart Exim. | |
875 | </para> | |
876 | <para> | |
877 | You can find explanation of the debconf questions in <xref | |
878 | linkend="debconf-questions"/>. | |
879 | Additionally, | |
880 | <filename>/etc/exim4/update-exim4.conf.conf</filename> | |
881 | is documented in the <command>update-exim4.conf</command> | |
882 | man page. | |
883 | </para> | |
884 | </section> | |
885 | <section><title>Adjustments controlled by macros in the Debian Exim configuration</title> | |
886 | <para> | |
887 | Some aspects of the Debian Exim configuration can be | |
888 | controlled by Exim macros. To find out about these, you | |
889 | need basic understanding of Exim configuration. Just look | |
890 | in our Exim configuration and see which macro needs to be | |
891 | set to a different value to alter Exim's behavior. | |
892 | </para> | |
893 | <para> | |
894 | <xref linkend="macros"/> gives a closer explanation about | |
895 | how to do this. | |
896 | </para> | |
897 | </section> | |
898 | <section><title>Making direct changes to the Debian Exim configuration</title> | |
899 | <para> | |
900 | You can, of course, make direct change to the | |
901 | configuration. All configuration files in /etc/exim4 are | |
902 | dpkg-conffiles, and you can thus edit them any time. Your | |
903 | changes will be preserved through updates. You need to | |
904 | know about how to configure Exim to be successful. | |
905 | </para> | |
906 | <para> | |
907 | If you use unsplit configuration, edit | |
908 | <filename>/etc/exim4/exim4.conf.template</filename>. If you use | |
909 | split configuration, edit the Exim configuration snippets in | |
910 | <filename>/etc/exim4/conf.d</filename>. | |
911 | </para> | |
912 | <para> | |
913 | More information about how the Exim configuration is built | |
914 | can be found in this document and in the | |
915 | <command>update-exim4.conf</command> manual page. | |
916 | </para> | |
917 | </section> | |
918 | </section> | |
919 | <section id="completely-different-configuration"> <title>Using a completely different configuration scheme</title> | |
920 | <para> | |
921 | If you are an experienced Exim administrator, you might feel | |
922 | working with our pre-fabricated configuration | |
923 | cumbersome and complex. You might feel right if you need to | |
924 | make more complex changes and do not need to receive updates | |
925 | from us. This section is going to tell about how to use | |
926 | your own configuration. | |
927 | </para> | |
928 | <para> | |
929 | But, you might profit from keeping the Debian magic. Most | |
930 | files that come with Debian exim4 are conffiles. Debian is | |
931 | going to care about your changes and keeps them around. | |
932 | Additionally, a lot of configuration options can be | |
933 | overridden with a macro, which does not require you to | |
934 | actually change our configuration file. A lot of people are | |
935 | using our configuration scheme, and maybe it is going to | |
936 | save you a lot of time if you decide to spend some time | |
937 | familiarizing yourself with our scheme. | |
938 | </para> | |
939 | <section> <title>Override exim4-config configuration magic</title> | |
940 | <para> | |
941 | If you are only running a small number of systems and | |
942 | want to completely disable Debian's magic, just take | |
943 | your monolithic configuration file and install it as | |
944 | <filename>/etc/exim4/exim4.conf</filename>. Exim will | |
945 | use that file verbatim. To have something to start, | |
946 | you can either take | |
947 | <filename>/etc/exim4/exim4.conf.template</filename>, | |
948 | run <command>update-exim4.conf --keepcomments --output | |
949 | /etc/exim4/exim4.conf</command>, or use upstream's | |
950 | default configuration file that is installed as | |
951 | <filename>/usr/share/doc/exim4-base/examples/example.conf.gz</filename>. | |
952 | You are going to lose all magic you get from packaging | |
953 | though, so you need to be familiar with Exim to build | |
954 | an actually working config. | |
955 | </para> | |
956 | <para> | |
957 | <filename>/var/lib/exim4/config.autogenerated</filename>, | |
958 | the file generated by | |
959 | <command>update-exim4.conf</command>, is ignored as soon | |
960 | as <filename>/etc/exim4/exim4.conf</filename> is found. | |
961 | You should not edit | |
962 | <filename>/etc/exim4/exim4.conf</filename> directly when | |
963 | Exim is running, because the forked processes Exim starts | |
964 | for SMTP receiving or queue running would use the new | |
965 | configuration file, while the original main exim-daemon | |
966 | would still use the old configuration file. | |
967 | </para> | |
968 | <para> | |
969 | Some third-party HOWTOs that reference Debian and | |
970 | claim to make things easy suggest dumping a | |
971 | pre-fabricated, static config file to | |
972 | <filename>/etc/exim4/exim4.conf</filename>. This is | |
973 | considered bad advice by the Debian maintainers since | |
974 | you are going to disable all updates and service magic | |
975 | that Debian might deliver in the future this way. If | |
976 | you do not know exactly what you're doing here, this | |
977 | is a bad choice. We try to comment on external HOWTOs | |
978 | found on the web in the <ulink | |
979 | url="http://wiki.debian.org/PkgExim4UserFAQ">Debian | |
980 | Exim4 User FAQ</ulink> to help you find out which | |
981 | advice to follow. | |
982 | </para> | |
983 | </section> | |
984 | <section> <title>Replacing exim4-config with your own exim4 configuration package.</title> | |
985 | <para> | |
986 | We split off Exim's configuration system (debconf, | |
987 | <command>update-exim4.conf</command>, and the files in | |
988 | <filename>/etc/exim4/conf.d)</filename> to a separate | |
989 | package, exim4-config. If you want to, you can replace | |
990 | exim4-config by something entirely different. The other | |
991 | packages don't care. Your package needs to: | |
992 | <itemizedlist> | |
993 | <listitem> | |
994 | <simpara> | |
995 | Provides: exim4-config-2, Conflicts: | |
996 | exim4-config-2,exim4-config | |
997 | </simpara> | |
998 | </listitem> | |
999 | <listitem> | |
1000 | <simpara> | |
1001 | drop the Exim 4 configuration either into | |
1002 | <filename>/var/lib/exim4/config.autogenerated</filename> | |
1003 | or into <filename>/etc/exim4/exim4.conf</filename>. | |
1004 | </simpara> | |
1005 | </listitem> | |
1006 | </itemizedlist> | |
1007 | Your package must provide an executable <command>update-exim4.conf</command> | |
1008 | that must be in root's path (<filename>/usr/sbin</filename> recommended). The init | |
1009 | script will invoke that executable prior to invoking the | |
1010 | actual exim daemon. If you do not need that script, have it exit 0. | |
1011 | </para> | |
1012 | <para> | |
1013 | If you want to create your own configuration packages, there is a | |
1014 | number of helpers available. | |
1015 | <itemizedlist> | |
1016 | <listitem> | |
1017 | <simpara> | |
1018 | The Exim 4 Debian svn repository holds sources for a | |
1019 | exim4-config-simple package which contains a simple, not | |
1020 | debconf-driven configuration scheme as an example which can | |
1021 | be used as a template for a classical, exim4.conf based | |
1022 | configuration scheme. | |
1023 | </simpara> | |
1024 | </listitem> | |
1025 | <listitem> | |
1026 | <simpara> | |
1027 | The Exim 4 Debian svn repository holds sources for a | |
1028 | exim4-config-medium package which contains the conf.d | |
1029 | driven configuration of the main package with the | |
1030 | debconf interaction removed. This can be used to create | |
1031 | your own non-debconf configuration package that uses the | |
1032 | conf.d mechanism. | |
1033 | </simpara> | |
1034 | </listitem> | |
1035 | <listitem> | |
1036 | <simpara> | |
1037 | Finally, you can invoke the script | |
1038 | <filename>debian/config-custom/create-custom-config-package</filename> | |
1039 | which will create a new source package | |
1040 | "exim4-config-custom" with the debconf-driven config | |
1041 | scheme of exim4-config for your local modification. | |
1042 | </simpara> | |
1043 | </listitem> | |
1044 | </itemizedlist> | |
1045 | Please note that exim4-config-simple and | |
1046 | exim4-config-medium are only targeted to be used as a | |
1047 | template. The configurations contained are not | |
1048 | suitable for productive use. Of course, the Debian | |
1049 | maintainers appreciate any patches you might find | |
1050 | suitable. The scripts in exim4-config-simple and | |
1051 | exim4-config-medium may not work at all in your | |
1052 | environment. Unfortunately, they have not been | |
1053 | updated in a long time as well. We are willing to | |
1054 | accept patches. | |
1055 | </para> | |
1056 | <para> | |
1057 | See the development web page for links to the subversion | |
1058 | repository. | |
1059 | </para> | |
1060 | <para> | |
1061 | Exchanging the entire exim4-config package with | |
1062 | something custom comes particularly handy for sites | |
1063 | that have more than a few machines that are | |
1064 | similarly configured, but do not want to use the | |
1065 | original exim4-config package. Build your own | |
1066 | exim4-config-custom or exim4-config-foo, and simply | |
1067 | apt that package to the machines that need to have | |
1068 | that configuration. Future updates can then be | |
1069 | handled via the dpkg-conffile mechanism, properly | |
1070 | detecting local modifications. | |
1071 | </para> | |
1072 | <para> | |
1073 | In the future, it might be possible that Debian will | |
1074 | contain multiple flavours of Exim4 configuration. | |
1075 | However, these packages would have to be maintained | |
1076 | by someone else because the exim4 package | |
1077 | maintainers think that the scheme delivered with | |
1078 | exim4-config is the least of all evils and would | |
1079 | rather not spend the time to maintain multiple configuration | |
1080 | schemes while only actually using one. It would be | |
1081 | nice to have a configuration scheme using a | |
1082 | monolithic config file, managed by ucf in | |
1083 | three-way-merge mode. If anybody feels ready to | |
1084 | maintain it, please go ahead. | |
1085 | </para> | |
1086 | </section> | |
1087 | </section> | |
1088 | </section> | |
1089 | <section id="TLS"> <title>Using TLS</title> | |
1090 | <section> <title>Exim 4 as TLS/SSL client</title> | |
1091 | <para> | |
1092 | Both exim4-daemon-heavy and exim4-daemon-light support TLS/SSL | |
1093 | using the GnuTLS library and STARTTLS. Exim will use TLS | |
1094 | via STARTTLS <emphasis>automatically</emphasis> as client if | |
1095 | the server Exim connects to offers it. | |
1096 | </para> | |
1097 | <para> | |
1098 | This means that you will not need any special configuration if | |
1099 | you want to use TLS for outgoing mail. However, if your | |
1100 | server setup mandates the use of client certificates, you | |
1101 | need to amend your remote_smtp and/or remote_smtp_smarthost | |
1102 | transports with a tls_certificate option. This is not | |
1103 | commonly needed. | |
1104 | </para> | |
1105 | <para> | |
1106 | The certificate | |
1107 | presented by the remote host is not checked unless you | |
1108 | specify a tls_verify_certificate option on the transport. | |
1109 | </para> | |
1110 | <para id="tls_client_certicate"> | |
1111 | To make exim send a TLS certificate to the remote host set | |
1112 | REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY or for | |
1113 | the remote_smtp_smarthost transport | |
1114 | REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE/REMOTE_SMTP_SMARTHOST_PRIVATEKEY | |
1115 | respectively. | |
1116 | </para> | |
1117 | <para> | |
1118 | TLS on connect is not natively supported. | |
1119 | </para> | |
1120 | </section> | |
1121 | <section> <title>Enabling TLS support for Exim as server</title> | |
1122 | <para> | |
1123 | You should have created certificates in | |
1124 | <filename>/etc/exim4/</filename> either by hand or by usage of | |
1125 | the exim-gencert (which requires openssl). exim-gencert is | |
1126 | shipped in | |
1127 | <filename>/usr/share/doc/exim4-base/examples/</filename> and | |
1128 | takes care of proper access privileges on the private key | |
1129 | file. | |
1130 | </para> | |
1131 | <para> | |
1132 | Now, enable TLS by setting the macro MAIN_TLS_ENABLE in a | |
1133 | local configuration file as described in <xref linkend="macros"/>. | |
1134 | </para> | |
1135 | <para> | |
1136 | After this configuration, Exim will advertise STARTTLS when | |
1137 | connected to on the normal SMTP ports. Some broken clients | |
1138 | (most prominent example being nearly all versions of Microsoft | |
1139 | Outlook and Outlook Express, and Incredimail) insist on doing | |
1140 | TLS on connect on Port 465. If you need to support these, set | |
1141 | SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid' | |
1142 | in <filename>/etc/default/exim4</filename> and | |
1143 | "tls_on_connect_ports=465" in the main configuration section. | |
1144 | </para> | |
1145 | <para> | |
1146 | The -oP is needed because Exim does not write an implicit pid | |
1147 | file if -oX is given. Without pid file, init script and cron | |
1148 | job will malfunction. | |
1149 | </para> | |
1150 | <para> | |
1151 | It might be appropriate to add "+tls_cipher +tls_peerdn" to | |
1152 | any log_selector statement you might already have, or to add a | |
1153 | log_selector statement setting these two options in a local | |
1154 | configuration file. These options have Exim log what cipher | |
1155 | your Exim and the peer's mailer have negotiated to use to | |
1156 | encrypt the transaction, and they have Exim log the | |
1157 | Distinguished Name of the peer's certificate. | |
1158 | </para> | |
1159 | <para> | |
1160 | Exim can be configured to ask a client for a certificate and to | |
1161 | try to verify it. Debian's exim configuration used to enable | |
1162 | this by default, but stopped doing so since it caused TLS errors | |
1163 | with a couple of popular clients (Outlook, Incredimail, etc.). | |
1164 | To enable this again set the macro MAIN_TLS_TRY_VERIFY_HOSTS to | |
1165 | the lists hosts whose certificates you want to check. (Use * to | |
1166 | try checking all hosts. The value of the macro is used to | |
1167 | populate exim's main option tls_try_verify_hosts.) You should | |
1168 | also point MAIN_TLS_VERIFY_CERTIFICATES to a file containing the | |
1169 | accepted certificates, since its default setting | |
1170 | (/etc/ssl/certs/ca-certificates.crt) can contain a large list of | |
1171 | certificates which causes the interoperabilty problems with | |
1172 | Outlook et.al. noted above. | |
1173 | </para> | |
1174 | <para> | |
1175 | The server certificate is only used for incoming connections, | |
1176 | please consult <xref linkend="tls_client_certicate"/> for the | |
1177 | corresponding outgoing conncection options. | |
1178 | </para> | |
1179 | </section> | |
1180 | <section> <title>Troubleshooting</title> | |
1181 | <para> | |
1182 | If Exim complains in an SMTP session that TLS is unavailable, | |
1183 | the Exim mainlog or paniclog frequently has exact information | |
1184 | about what might be wrong. Fo example, you might see | |
1185 | </para> | |
1186 | <para> | |
1187 | 2003-01-27 19:06:45 TLS error on connection from localhost [127.0.0.1] | |
1188 | (cert/key setup): Error while reading file) | |
1189 | </para> | |
1190 | <para> | |
1191 | showing that there has been an error while accessing the | |
1192 | certificate or the private key file. | |
1193 | </para> | |
1194 | <para> | |
1195 | Insuffient entropy available is a frequent cause of TLS | |
1196 | failures in Exim context. If Exim logs "not enough random bytes | |
1197 | available", or simply hangs silently when an encrypted | |
1198 | connection should be established, then Exim was | |
1199 | unable to read enough random data from | |
1200 | <filename>/dev/random</filename> to do whatever cryptographic | |
1201 | operation is requested. Please check that your | |
1202 | <filename>/dev/random</filename> device is setup properly. | |
1203 | </para> | |
1204 | <para> | |
1205 | You might also find "TLS error on connection to [...] | |
1206 | (gnutls_handshake): The Diffie-Hellman prime sent by the server is | |
1207 | not acceptable (not long enough)." given as reason. Exim by default | |
1208 | requires a DH prime length of 1024 bits. This requirement can be | |
1209 | downgraded by setting the tls_dh_min_bits option on the SMTP | |
1210 | transport. The setting is accessible in the Debian configuration by | |
1211 | setting the macro TLS_DH_MIN_BITS. (e.g. "TLS_DH_MIN_BITS = 768"). | |
1212 | </para> | |
1213 | </section> | |
1214 | </section> | |
1215 | <section id="smtp-auth"> <title>SMTP-AUTH</title> | |
1216 | <para> | |
1217 | Exim can do SMTP AUTH both as a client and as a server. | |
1218 | </para> | |
1219 | <para> | |
1220 | AUTH PLAIN and AUTH LOGIN are disabled for connections which are | |
1221 | not protected by SSL/TLS per default. These authentication | |
1222 | methods use cleartext passwords, and allowing the | |
1223 | transmission of cleartext passwords on unencrypted connections | |
1224 | is a security risk. Therefore, the default configuration configures | |
1225 | Exim not to use and/or allow AUTH PLAIN and AUTH LOGIN over | |
1226 | unencrypted connections. | |
1227 | </para> | |
1228 | <para> | |
1229 | It is thus recommended to set up Exim to use TLS to encrypt | |
1230 | the connections. Please refer to <xref linkend="TLS"/> for | |
1231 | documentation about this. Note that most Microsoft clients | |
1232 | need special handling for TLS. | |
1233 | </para> | |
1234 | <section> <title>Using Exim as SMTP-AUTH client</title> | |
1235 | <para> | |
1236 | If you want to set up Exim as SMTP AUTH client for delivery | |
1237 | to your internet access provider's smarthost put the name of | |
1238 | the server, your login and password in | |
1239 | <filename>/etc/exim4/passwd.client</filename>. See the man | |
1240 | page for exim4-config_files(5) for more information about the | |
1241 | required format. | |
1242 | </para> | |
1243 | <para> | |
1244 | If you need to enable AUTH PLAIN or AUTH LOGIN for unencrypted | |
1245 | connections because your service provider does support neither | |
1246 | TLS encryption nor the CRAM MD5 authentication method, you can | |
1247 | do so by setting the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro. | |
1248 | Please refer to <xref linkend="macros"/> for an explanation of | |
1249 | how best to do this. | |
1250 | </para> | |
1251 | <para> | |
1252 | <filename>/etc/exim4/passwd.client</filename> needs to be | |
1253 | readable for the exim user (user Debian-exim, group | |
1254 | Debian-exim). It is suggested that you keep the default | |
1255 | permissions root:Debian-exim 0640. | |
1256 | </para> | |
1257 | </section> | |
1258 | <section> <title>Using Exim as SMTP-AUTH server</title> | |
1259 | <para> | |
1260 | The configuration files include many, verbosely commented, | |
1261 | examples for server-side smtp-authentication which just need | |
1262 | to be uncommented. | |
1263 | </para> | |
1264 | <para> | |
1265 | If you need to enable AUTH PLAIN or AUTH LOGIN for unencrypted | |
1266 | connections because your clients neither support TLS encryption | |
1267 | nor the CRAM MD5 authentication method, you can do so by setting | |
1268 | the AUTH_SERVER_ALLOW_NOTLS_PASSWORDS macro. Please refer to | |
1269 | <xref linkend="macros"/> for an explanation of how best to | |
1270 | do this. | |
1271 | </para> | |
1272 | <para> | |
1273 | If you want to authenticate against system passwords (e.g. | |
1274 | <filename>/etc/shadow</filename>) the easiest way is to use | |
1275 | saslauthd in the Debian package sasl2-bin. You have to add the | |
1276 | exim-user (currently Debian-exim) to the sasl group, to give | |
1277 | exim permission to use the saslauthd service. | |
1278 | </para> | |
1279 | <para> | |
1280 | The Debian exim4 maintainers consider using system login | |
1281 | passwords a bad idea for the following reasons: | |
1282 | <itemizedlist> | |
1283 | <listitem> | |
1284 | <simpara> | |
1285 | A compromised password will give access to a system account. | |
1286 | </simpara> | |
1287 | </listitem> | |
1288 | <listitem> | |
1289 | <simpara> | |
1290 | E-Mail passwords could accidentally be transmitted unencrypted. | |
1291 | </simpara> | |
1292 | </listitem> | |
1293 | <listitem> | |
1294 | <simpara> | |
1295 | E-Mail passwords are likely to be stored with the | |
1296 | client software, which greatly increases the chance of a | |
1297 | compromise. | |
1298 | </simpara> | |
1299 | </listitem> | |
1300 | </itemizedlist> | |
1301 | </para> | |
1302 | </section> | |
1303 | </section> | |
1304 | ||
1305 | <section> <title>How the Exim daemon is started</title> | |
1306 | <para> | |
1307 | The Debian Exim 4 packages' init script is located in | |
1308 | <filename>/etc/init.d/exim4</filename>. Apart from the | |
1309 | functions that are required by Debian policy and the LSB, it | |
1310 | supports the commands <command>what</command>, which executes | |
1311 | <command>exiwhat</command> to show what your Exim processes | |
1312 | are doing, and <command>force_stop</command> which | |
1313 | unconditionally kills all Exim processes. | |
1314 | </para> | |
1315 | <para> | |
1316 | The init script can be configured to start listening and/or | |
1317 | queue running daemons. This configuration can be found in | |
1318 | <filename>/etc/default/exim4</filename>. This file is | |
1319 | extensively documented. | |
1320 | </para> | |
1321 | </section> | |
1322 | ||
1323 | <section> <title>Miscellaneous packaging issues</title> | |
1324 | <section> <title>The daily cron job</title> | |
1325 | <para> | |
1326 | Exim4's daily cron job | |
1327 | (<filename>/etc/cron.daily/exim4-base</filename>) | |
1328 | does basic housekeeping tasks: | |
1329 | <itemizedlist> | |
1330 | <listitem> | |
1331 | <simpara> | |
1332 | It reads <filename>/etc/default/exim4</filename>, so you | |
1333 | can use this file to change any of the variables used in | |
1334 | the cron job. | |
1335 | </simpara> | |
1336 | </listitem> | |
1337 | <listitem> | |
1338 | <simpara> | |
1339 | It is a no-op if no Exim4 binary is found. | |
1340 | </simpara> | |
1341 | </listitem> | |
1342 | <listitem> | |
1343 | <simpara> | |
1344 | If <command>$E4BCD_DAILY_REPORT_TO</command> is set | |
1345 | to a non-empty string, the output of eximstats is | |
1346 | mailed to the address given in that variable. The | |
1347 | default is empty, so no reports are sent. Options | |
1348 | for eximstats can be given in | |
1349 | <command>$E4BCD_DAILY_REPORT_OPTIONS</command>. | |
1350 | </simpara> | |
1351 | </listitem> | |
1352 | <listitem> | |
1353 | <simpara> | |
1354 | A non-empty paniclog is a nearly sure sign of bad | |
1355 | things going on. Thus, the cron job will send out | |
1356 | warning messages to the syslog and root if it finds | |
1357 | the panic log non-empty. | |
1358 | Please note that the paniclog is not rotated daily, | |
1359 | so existing issues will be reported daily until | |
1360 | either the paniclog is rotated due to its sheer | |
1361 | size, or you manually move it away, for example by | |
1362 | calling <command>logrotate -f | |
1363 | /etc/logrotate.d/exim4-paniclog</command> from a shell. | |
1364 | </simpara> | |
1365 | <simpara> | |
1366 | Just in case your system logs transient error | |
1367 | situations to the panic log as well (see, for | |
1368 | example, | |
1369 | <ulink url="http://www.exim.org/bugzilla/show_bug.cgi?id=92">Exim Bug 92</ulink>), | |
1370 | you can configure | |
1371 | <command>$E4BCD_PANICLOG_NOISE</command> to a | |
1372 | regular expression. If the paniclog contains only | |
1373 | lines that match that regular expression, no warning | |
1374 | messages are generated. | |
1375 | </simpara> | |
1376 | <simpara> | |
1377 | If you want to disable paniclog monitoring | |
1378 | completely, set <command>$E4BCD_WATCH_PANICLOG</command> | |
1379 | to no. <command>E4BCD_WATCH_PANICLOG=once</command> will | |
1380 | rotate a non-empty paniclog automatically after sending out | |
1381 | the warning e-mail. | |
1382 | </simpara> | |
1383 | </listitem> | |
1384 | <listitem> | |
1385 | <simpara> | |
1386 | It tidies up the retry and hints databases. | |
1387 | </simpara> | |
1388 | </listitem> | |
1389 | </itemizedlist> | |
1390 | </para> | |
1391 | </section> | |
1392 | </section> | |
1393 | ||
1394 | <section> <title>Using Exim with inetd/xinetd</title> | |
1395 | <para> | |
1396 | Exim4 is run as a separate daemon instead of inetd/xinetd for | |
1397 | two reasons: | |
1398 | <variablelist> | |
1399 | <varlistentry> | |
1400 | <term>Ease of maintenance:</term> | |
1401 | <listitem> | |
1402 | <simpara> | |
1403 | update-inetd is difficult to impossible to handle | |
1404 | correctly (Just check the archived bug reports of Exim.) | |
1405 | and update-inetd seems to be unmaintained for a long | |
1406 | time, nobody dares to touch it. To quote Mark Baker, the | |
1407 | maintainer of Exim (v3): "I really wish I had never used | |
1408 | inetd in the first place, but simply set up exim to run | |
1409 | as a daemon, but it's too late to change that now." | |
1410 | </simpara> | |
1411 | </listitem> | |
1412 | </varlistentry> | |
1413 | <varlistentry> | |
1414 | <term>Extended features</term> | |
1415 | <listitem> | |
1416 | <simpara> | |
1417 | Running from <command>inetd</command> interferes with | |
1418 | Exim's resource controls (e.g it disables | |
1419 | smtp_accept_max_per_host and smtp_accept_max). | |
1420 | </simpara> | |
1421 | </listitem> | |
1422 | </varlistentry> | |
1423 | </variablelist> | |
1424 | </para> | |
1425 | <para> | |
1426 | If you introduce bugs on your systems by running from (x)inetd | |
1427 | you are on your own! If you want to run exim from | |
1428 | <command>xinetd</command>, follow these steps: | |
1429 | <orderedlist> | |
1430 | <listitem> | |
1431 | <simpara> | |
1432 | Disable Exim 4's listening daemon by executing | |
1433 | <command>update-exim4defaults --queuerunner | |
1434 | queueonly</command> | |
1435 | </simpara> | |
1436 | </listitem> | |
1437 | <listitem> | |
1438 | <para> | |
1439 | Create <filename>/etc/xinetd.d/exim4</filename> | |
1440 | <programlisting> | |
1441 | service smtp | |
1442 | { | |
1443 | disable = no | |
1444 | flags = NAMEINARGS | |
1445 | socket_type = stream | |
1446 | protocol = tcp | |
1447 | wait = no | |
1448 | user = Debian-exim | |
1449 | group = Debian-exim | |
1450 | server = /usr/sbin/exim4 | |
1451 | server_args = exim4 -bs | |
1452 | } | |
1453 | </programlisting> | |
1454 | </para> | |
1455 | </listitem> | |
1456 | <listitem> | |
1457 | <simpara>Run <command>invoke-rc.d exim4 restart; invoke-rc.d | |
1458 | (x)inetd restart</command></simpara> | |
1459 | </listitem> | |
1460 | </orderedlist> | |
1461 | </para> | |
1462 | <para>If you want to use plain inetd, insert following line into | |
1463 | <filename>/etc/inetd.conf</filename>:<programlisting> | |
1464 | smtp stream tcp nowait Debian-exim /usr/sbin/exim4 exim4 -bs | |
1465 | </programlisting> | |
1466 | </para> | |
1467 | </section> | |
1468 | ||
1469 | <section> <title>Handling incoming mail for local accounts with low UID</title> | |
1470 | <para> | |
1471 | Since system accounts (mail, uucp, lp etc) are usually aliased | |
1472 | to root, and root's mailbox is usually read by a human, these | |
1473 | account names have started to be a common target for spammers. | |
1474 | The Debian Exim 4 packages have a mechanism to deal with this | |
1475 | situation. However, since this derives rather far from normal | |
1476 | behavior, it is disabled by default. | |
1477 | </para> | |
1478 | <para> | |
1479 | To enable it, set the macro FIRST_USER_ACCOUNT_UID to a numeric, | |
1480 | non-zero value. Incoming mail for local users that have a UID | |
1481 | lower than FIRST_USER_ACCOUNT_UID is rejected with the message "no | |
1482 | mail to system accounts". Incoming mail for local users that | |
1483 | have a UID greater or equal FIRST_USER_ACCOUNT_UID are processed as | |
1484 | usual. Therefore, the default value of 0 ensures that the | |
1485 | mechanism is disabled. On Debian systems, setting | |
1486 | FIRST_USER_ACCOUNT_UID to 500 or 1000 (depending on your local policy) | |
1487 | will disable incoming mail for system accounts. | |
1488 | </para> | |
1489 | <para> | |
1490 | Just in case that you need exceptions to the rule, | |
1491 | <filename>/etc/exim4/lowuid_aliases</filename> is an alias | |
1492 | file that is only honored for local accounts with UID lower | |
1493 | than FIRST_USER_ACCOUNT_UID. If you define an alias for such an | |
1494 | account here, incoming mail is processed according to the | |
1495 | alias. If you alias the account to itself, messages are | |
1496 | delivered to the account itself, which is an exception to the | |
1497 | rule that messages for low-UID accounts are rejected. The | |
1498 | format of <filename>/etc/exim4/lowuid_aliases</filename> is | |
1499 | just another alias file. | |
1500 | </para> | |
1501 | </section> | |
1502 | <section> <title>How to bypass local routing specialities</title> | |
1503 | <para> | |
1504 | Sometimes, it might be desireable to be able to bypass local | |
1505 | routing specialities like the alias file or a user-forward | |
1506 | file. This is possible in the Debian Exim4 packages by | |
1507 | prefixing the account name with "real-". For a local account | |
1508 | name "foo", "real-foo@hostname.example" will result in direct | |
1509 | delivery to foo's local Mailbox. | |
1510 | </para> | |
1511 | <para> | |
1512 | This feature is by default only available for locally | |
1513 | generated messages. If you want it to be accessible for | |
1514 | messages delivered from remote as well, set the Exim macro | |
1515 | COND_LOCAL_SUBMITTER to true. If you do not want this at all, | |
1516 | set the macro to false. Please note that the userforward | |
1517 | router uses this feature to get error messages delivered, i.e. | |
1518 | notifying the user of a syntax error in her | |
1519 | <filename>.forward</filename> file. | |
1520 | </para> | |
1521 | </section> | |
1522 | <section> <title>Using more complex deliveries from alias files</title> | |
1523 | <para> | |
1524 | Delivery to arbitrary files, directory or to pipes in the | |
1525 | <filename>/etc/aliases</filename> file is disabled by default | |
1526 | in the Debian Exim 4 packages. The delivery process including the | |
1527 | program being piped to would run as the exim admin-user | |
1528 | Debian-exim, which might open up security holes. | |
1529 | </para> | |
1530 | <para> | |
1531 | Invoking pipes from <filename>/etc/aliases</filename> file is | |
1532 | widely considered obsolete and deprecated. The Debian Exim | |
1533 | package maintainers would like to suggest using a dedicated | |
1534 | router/transport pair to invoke local processes for mail | |
1535 | processing. For example, the Debian mailman package contains a | |
1536 | <filename>/usr/share/doc/mailman/README.Exim4.Debian</filename> file | |
1537 | that gives a good example how to implement this. Using a | |
1538 | dedicated router/transport pair have the following advantages: | |
1539 | <itemizedlist> | |
1540 | <listitem> | |
1541 | <para> | |
1542 | The router/transport pair can be put in place by another | |
1543 | package, giving a well-defined transaction point between | |
1544 | Exim 4 and $PACKAGE. | |
1545 | </para> | |
1546 | </listitem> | |
1547 | <listitem> | |
1548 | <para> | |
1549 | Not allowing pipe deliveries from alias files makes it | |
1550 | harder to accidentally run programs with wrong | |
1551 | privileges. | |
1552 | </para> | |
1553 | </listitem> | |
1554 | <listitem> | |
1555 | <para> | |
1556 | It is possible to run different pipe processes under | |
1557 | different accounts. | |
1558 | </para> | |
1559 | </listitem> | |
1560 | <listitem> | |
1561 | <para> | |
1562 | Even if only invoking a single local program, it is easier | |
1563 | to do with your dedicated router/transport since you won't | |
1564 | need to change this file, making automatic updates of this | |
1565 | file possible for future versions of the Exim 4 packages. If | |
1566 | you do local changes here, dpkg conffile handling will | |
1567 | bother you on future updates. | |
1568 | </para> | |
1569 | </listitem> | |
1570 | </itemizedlist> | |
1571 | If you insist on using <filename>/etc/aliases</filename> in | |
1572 | the traditional way, you will need to activate the | |
1573 | respective functions by setting the transport options on the | |
1574 | system_aliases router appropriately. Macros are defined to make | |
1575 | this easier. See | |
1576 | ||
1577 | <filename>/etc/exim4/conf.d/router/400_exim4-config_system_aliases</filename> | |
1578 | for information about which macros are available. You might | |
1579 | find the address_file, address_pipe and/or address_directory | |
1580 | transports that are used for the userforward router helpful in | |
1581 | writing your own transports for use in the system_aliases router. | |
1582 | </para> | |
1583 | <para> | |
1584 | If any of your aliases expand to pipes or files or directories | |
1585 | you should set up a user and a group for these deliveries to run | |
1586 | under. You can do this by setting the "user" and - if necessary | |
1587 | - a "group" option and adding a "group" option if necessary. | |
1588 | Alternatively, you can specify "user" and/or "group" on the | |
1589 | transports that are used. | |
1590 | </para> | |
1591 | </section> | |
1592 | ||
1593 | <section> <title>Putting Exim 4 and UUCP together</title> | |
1594 | <para> | |
1595 | UUCP is a traditional way to execute remote jobs (e.g. spool | |
1596 | mails), and as a lot of old things there are much more than one | |
1597 | way to do it. However, today, the ways to handle it have boiled | |
1598 | down to more or less two different ways. | |
1599 | </para> | |
1600 | <para> | |
1601 | Our recommendation is to use bsmtp/rsmtp wherever possible, | |
1602 | because it supports all kinds of mail addresses (also the empty | |
1603 | ones in bounces), and is also better from the security point of | |
1604 | view. | |
1605 | </para> | |
1606 | <section> <title>Sending mail via UUCP</title> | |
1607 | <section> <title>rmail with full addresses</title> | |
1608 | <para> | |
1609 | rmail is the oldest way to transfer mail to a remote system. | |
1610 | However, today it is normally required to use addresses with | |
1611 | full domains for that (Well, they look like any normal address | |
1612 | for you, and we do not tell about the other way to not confuse | |
1613 | you ;). If you want this, you can use this transport: | |
1614 | </para> | |
1615 | <programlisting> | |
1616 | rmail: | |
1617 | debug_print = "T: rmail for $pipe_addresses" | |
1618 | driver=pipe | |
1619 | command = uux - -r -a$sender_address -gC $domain_data!rmail $pipe_addresses | |
1620 | return_fail_output | |
1621 | user=uucp | |
1622 | batch_max = 20 | |
1623 | </programlisting> | |
1624 | <para> | |
1625 | However, all recipients are handled via the command line, so | |
1626 | you are discouraged to use it. | |
1627 | </para> | |
1628 | </section> | |
1629 | <section> <title>bsmtp/rsmtp</title> | |
1630 | <para> | |
1631 | This is a more efficient way to transfer mails. It works | |
1632 | like sending SMTP via a pipe, but instead of waiting for an | |
1633 | answer, the SMTP is just batched; from this is also the name | |
1634 | batched SMTP or short bsmtp. | |
1635 | </para> | |
1636 | <para> | |
1637 | Furthermore, this way won't fail on addresses like " | |
1638 | "@do.main. If you want this, please use this, if the remote | |
1639 | site uses rsmtp (e.g. is Exim 4): | |
1640 | </para> | |
1641 | <programlisting> | |
1642 | rsmtp: | |
1643 | debug_print = "T: rsmtp for $pipe_addresses" | |
1644 | driver=pipe | |
1645 | command = /usr/bin/uux - -r -a$sender_address -gC $domain_data!rsmtp | |
1646 | use_bsmtp | |
1647 | return_fail_output | |
1648 | user=uucp | |
1649 | batch_max = 100 | |
1650 | </programlisting> | |
1651 | <para> | |
1652 | and this if it wants bsmtp as the command: | |
1653 | </para> | |
1654 | <programlisting> | |
1655 | bsmtp: | |
1656 | debug_print = "T: bsmtp for $pipe_addresses" | |
1657 | driver=pipe | |
1658 | command = /usr/bin/uux - -r -a$sender_address -gC $domain_data!bsmtp | |
1659 | use_bsmtp | |
1660 | return_fail_output | |
1661 | user=uucp | |
1662 | batch_max = 100 | |
1663 | </programlisting> | |
1664 | <para> | |
1665 | Of course, these examples can be extended for e.g. | |
1666 | compression (but you can also use ssh for compression, if | |
1667 | you want). | |
1668 | </para> | |
1669 | </section> | |
1670 | <section> <title>The router</title> | |
1671 | <para> | |
1672 | You need a router to tell Exim 4 which mails to forward to | |
1673 | UUCP. You can use this one; please adopt the last line. Of | |
1674 | course, it is also possible to send mail via more than one way. | |
1675 | </para> | |
1676 | <programlisting> | |
1677 | uucp_router: | |
1678 | debug_print = "R: uucp_router for $local_part@$domain" | |
1679 | driver=accept | |
1680 | require_files = +/usr/bin/uux | |
1681 | domains = wildlsearch;/etc/exim4/uucp | |
1682 | transport = rsmtp | |
1683 | </programlisting> | |
1684 | <para> | |
1685 | The file <filename>/etc/exim4/uucp</filename> looks like: | |
1686 | </para> | |
1687 | <programlisting> | |
1688 | *.do.main uucp.name.of.remote.side | |
1689 | </programlisting> | |
1690 | </section> | |
1691 | <section> <title>Speaking UUCP with the smarthost</title> | |
1692 | <para> | |
1693 | If you have a leaf system (i.e. all your mail not for your | |
1694 | local system goes to a single remote system), you can just | |
1695 | forward all non-local mail to the remote UUCP system. In | |
1696 | this case, you can replace "domains = ..." with "domains = ! | |
1697 | +local_domains", but then you need also to replace | |
1698 | $domain_data in the transport by the UUCP-name of your | |
1699 | smarthost. The file <filename>/etc/exim4/uucp</filename> is | |
1700 | not needed in this case. | |
1701 | </para> | |
1702 | </section> | |
1703 | </section> | |
1704 | <section> <title>Receiving mail via UUCP</title> | |
1705 | <section> <title>Allow UUCP to use any envelope address</title> | |
1706 | <para> | |
1707 | Depending how much you trust your local users, you might use | |
1708 | trusted_users and add uucp to it or use | |
1709 | local_sender_retain=true and local_from_check=false. | |
1710 | </para> | |
1711 | </section> | |
1712 | <section> <title>If you get batched smtp</title> | |
1713 | <para> | |
1714 | Allow uucp to execute rsmtp via | |
1715 | <programlisting> | |
1716 | commands rmail rnews rsmtp | |
1717 | </programlisting> | |
1718 | in your <filename>/etc/uucp/sys</filename>, and ask the | |
1719 | sending site to use rsmtp (and not bsmtp) as the batched | |
1720 | command. | |
1721 | </para> | |
1722 | </section> | |
1723 | </section> | |
1724 | </section> | |
1725 | </section> | |
1726 | ||
1727 | <section> <title>Updating from Exim 3</title> | |
1728 | <para> | |
1729 | If you use <command>exim4-config</command> from Debian, you will | |
1730 | get the debconf based configuration scheme that is intended to | |
1731 | cover the majority of cases. | |
1732 | </para> | |
1733 | <para> | |
1734 | If <command>exim4-config</command> is installed while an Exim 3 | |
1735 | package is present on the system, | |
1736 | <command>exim4-config</command> tries to parse the Exim 3 config | |
1737 | file to determine the answers that were given to | |
1738 | <command>eximconfig</command> on Exim 3 installation. These | |
1739 | answers are then taken as default values for the debconf based | |
1740 | configuration process. Be warned! <command>eximconfig</command> | |
1741 | from the Exim 3 packages does not record the explicit answers | |
1742 | given on Exim 3 configuration. So we have to guess the answers | |
1743 | from the Exim 3 configuration file | |
1744 | <filename>/etc/exim/exim.conf</filename>, which is bound to fail | |
1745 | if the config file has been modified after using | |
1746 | <command>eximconfig</command>. | |
1747 | </para> | |
1748 | <para> | |
1749 | This is the reason why we refrained from doing a "silent update", but | |
1750 | only use the guessed answers to get reasonable defaults for our | |
1751 | debconf based configuration process. | |
1752 | </para> | |
1753 | <para> | |
1754 | Please note that we do not use the | |
1755 | <command>exim_convert4r4</command> script, but try to configure | |
1756 | the Exim 4 package in the same way Exim 3 was. This will | |
1757 | hopefully aid future updates. | |
1758 | </para> | |
1759 | <para> | |
1760 | If you have used a customized Exim 3 configuration, you can of | |
1761 | course use <command>exim_convert4r4</command>, and install the | |
1762 | resulting file as <filename>/etc/exim4/exim4.conf</filename> | |
1763 | after careful inspection. Exim 4 will then use that file and | |
1764 | ignore the file that it generated from the debconf | |
1765 | configuration. To aid future updates, we do, however, encourage | |
1766 | you not to use the | |
1767 | <filename>exim_convert4r4-generated</filename> file verbatim but | |
1768 | instead drop appropriate configuration snippets in their | |
1769 | appropriate place in <filename>/etc/exim4/conf.d</filename>. | |
1770 | </para> | |
1771 | </section> | |
1772 | <section> <title>Misc Notes</title> | |
1773 | <section> <title>PAM</title> | |
1774 | <para> | |
1775 | PAM: On Debian systems the PAM modules run as the same user | |
1776 | as the calling program, so they cannot do anything you | |
1777 | could not do yourself, and in particular cannot access | |
1778 | <filename>/etc/shadow</filename> unless the user is in group | |
1779 | shadow. - If you want to use | |
1780 | <filename>/etc/shadow</filename> for Exim's SMTP AUTH you | |
1781 | will need to run exim as group shadow. Only | |
1782 | exim4-daemon-heavy is linked against libpam. We suggest using | |
1783 | saslauthd instead. | |
1784 | </para> | |
1785 | </section> | |
1786 | <section> <title>Account name restrictions</title> | |
1787 | <para> | |
1788 | In the default configuration, Exim cannot locally deliver | |
1789 | mail to accounts which have capitals in their name. This is | |
1790 | caused by the fact that Exim converts the local part of incoming | |
1791 | mail to lower case before the comparision done by the | |
1792 | check_local_user directive in routers is done. | |
1793 | </para> | |
1794 | <para> | |
1795 | The router option caseful_local_part can be used to control | |
1796 | this, and we decided not to set this option in the Debian | |
1797 | configuration since it would be a rather big change to Exim's | |
1798 | default behavior. | |
1799 | </para> | |
1800 | </section> | |
1801 | <section> <title>No deliveries to root!</title> | |
1802 | <para> | |
1803 | No Exim 4 version released with any Debian OS can run | |
1804 | deliveries as root. If you don't redirect mail for root via | |
1805 | <filename>/etc/aliases</filename> to a nonprivileged | |
1806 | account, the mail will be delivered to | |
1807 | <filename>/var/mail/mail</filename> with permissions 0600 and | |
1808 | owner mail:mail. | |
1809 | </para> | |
1810 | <para> | |
1811 | This redirection is done by the mail4root router which | |
1812 | is last in the list and will thus catch mail for root that has not | |
1813 | been taken care of earlier. | |
1814 | </para> | |
1815 | </section> | |
1816 | <section> <title>Debugging maintainer and init scripts</title> | |
1817 | <para> | |
1818 | Most of the scripts that come with this Debian package do a | |
1819 | <command>set -x</command> if invoked with the environment | |
1820 | variable EX4DEBUG defined and non-zero. This is particularly | |
1821 | handy if you need to debug the maintainer scripts that are | |
1822 | invoked during package installation. Since dpkg redirects | |
1823 | stdout of maintainer scripts, calling dpkg with EX4DEBUG | |
1824 | set might yield interesting results. If in doubt, invoke | |
1825 | the maintainer scripts with EX4DEBUG set manually directly | |
1826 | from the command line. | |
1827 | </para> | |
1828 | </section> | |
1829 | <section> <title>SELinux</title> | |
1830 | <para> | |
1831 | There is no SELinux policy for Exim4 available so far. | |
1832 | Until this is resolved, users should use postfix or | |
1833 | sendmail if they intend to run SELinux. | |
1834 | </para> | |
1835 | <para> | |
1836 | The Debian Exim4 maintainers would appreciate if | |
1837 | somebody could write an SELinux policy. We will gladly | |
1838 | use them in the Debian packages as long as there is | |
1839 | somebody available to test, debug and support. | |
1840 | </para> | |
1841 | </section> | |
1842 | <section> <title>misc</title> | |
1843 | <itemizedlist> | |
1844 | <listitem> | |
1845 | <simpara> | |
1846 | <command>convert4r4</command> is installed as | |
1847 | <filename>/usr/sbin/exim_convert4r4.</filename> | |
1848 | </simpara> | |
1849 | </listitem> | |
1850 | <listitem> | |
1851 | <simpara> | |
1852 | The charset for $header_foo expansions defaults to | |
1853 | UTF-8 instead of ISO-8859-1. | |
1854 | </simpara> | |
1855 | </listitem> | |
1856 | <listitem> | |
1857 | <simpara> | |
1858 | <ulink url="http://marc.merlins.org/linux/exim/"> | |
1859 | Marc Merlin's Exim 4 Page</ulink> has a lot of ACL | |
1860 | examples. | |
1861 | </simpara> | |
1862 | </listitem> | |
1863 | <listitem> | |
1864 | <simpara> | |
1865 | For an example of Exim usage in a | |
1866 | <emphasis>large</emphasis> installation, see | |
1867 | Tony Finch's | |
1868 | <ulink | |
1869 | url="http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/talks/2005-02-eximconf/"> | |
1870 | paper</ulink> | |
1871 | about the Exim installation at University of Cambridge: | |
1872 | </simpara> | |
1873 | </listitem> | |
1874 | </itemizedlist> | |
1875 | </section> | |
1876 | </section> | |
1877 | <section> <title>Debian modifications to the Exim source</title> | |
1878 | <variablelist> | |
1879 | <varlistentry> | |
1880 | <term> | |
1881 | <ulink url="http://www.arise.demon.co.uk/exim-patches/"> | |
1882 | Patches</ulink> by Steve Haslam: | |
1883 | </term> | |
1884 | <listitem> | |
1885 | <simpara> | |
1886 | boolean_redefine_protect | |
1887 | [src/mytypes.h] | |
1888 | Surround the definition of TRUE and FALSE macros with #ifndef | |
1889 | /#endif, in case some other header defines them (from mixing No | |
1890 | Perl and Exim, istr) | |
1891 | </simpara> | |
1892 | </listitem> | |
1893 | </varlistentry> | |
1894 | <varlistentry> | |
1895 | <term> | |
1896 | Other stuff | |
1897 | </term> | |
1898 | <listitem> | |
1899 | <itemizedlist> | |
1900 | <listitem> | |
1901 | <simpara> | |
1902 | link exim dynamically against pcre. | |
1903 | </simpara> | |
1904 | </listitem> | |
1905 | <listitem> | |
1906 | <para> | |
1907 | The main binary is /usr/sbin/exim4: | |
1908 | <itemizedlist> | |
1909 | <listitem> | |
1910 | <simpara> | |
1911 | src/globals.c was changed to use 'US | |
1912 | BIN_DIRECTORY "/exim4"' as default for | |
1913 | exim_path. | |
1914 | </simpara> | |
1915 | </listitem> | |
1916 | <listitem> | |
1917 | <simpara> | |
1918 | changed default for $exim_path (modulo | |
1919 | lower/upper case) from BIN_DIRECTORY/exim to | |
1920 | BIN_DIRECTORY/exim4 in exicyclog.src, | |
1921 | exim_checkaccess.src, eximon.src, exinext.src, | |
1922 | exiqgrep.src, exiwhat.src. | |
1923 | </simpara> | |
1924 | </listitem> | |
1925 | <listitem> | |
1926 | <simpara> | |
1927 | OS/Makefile-Linux:EXIWHAT_MULTIKILL_ARG=exim4 | |
1928 | </simpara> | |
1929 | </listitem> | |
1930 | </itemizedlist> | |
1931 | </para> | |
1932 | </listitem> | |
1933 | <listitem> | |
1934 | <simpara> | |
1935 | <ulink | |
1936 | url="http://marc.merlins.org/linux/exim/files/sa-exim-current/">localscan_dlopen | |
1937 | .patch</ulink>: | |
1938 | Allow to use and switch between different local_scan | |
1939 | functions without recompiling Exim. Use | |
1940 | local_scan_path = /path/to/sharedobject to utilize | |
1941 | local_scan() in <filename>/path/to/sharedobject</filename>. | |
1942 | </simpara> | |
1943 | </listitem> | |
1944 | <listitem> | |
1945 | <simpara> | |
1946 | changes to the documentation to have the <ulink | |
1947 | url="mailto:pkg-exim4-users@lists.alioth.debian.org"> | |
1948 | Debian-specific mailing list</ulink> mentioned where | |
1949 | the <ulink url="mailto:exim-users@exim.org">official | |
1950 | exim-users list</ulink> is mentioned | |
1951 | </simpara> | |
1952 | </listitem> | |
1953 | </itemizedlist> | |
1954 | </listitem> | |
1955 | </varlistentry> | |
1956 | </variablelist> | |
1957 | </section> | |
1958 | ||
1959 | <section> <title>Credits</title> | |
1960 | <para><variablelist> | |
1961 | <varlistentry> | |
1962 | <term><ulink url="mailto:aba@not.so.argh.org">Andreas | |
1963 | Barth</ulink></term> | |
1964 | <listitem> | |
1965 | <simpara>UUCP documentation</simpara> | |
1966 | </listitem> | |
1967 | </varlistentry> | |
1968 | <varlistentry> | |
1969 | <term>Dan Weber, Ryen Underwood</term> | |
1970 | <listitem> | |
1971 | <simpara>inetd/xinetd documentation</simpara> | |
1972 | </listitem> | |
1973 | </varlistentry> | |
1974 | </variablelist> | |
1975 | </para> | |
1976 | </section> | |
1977 | ||
1978 | </article> |