lead you to the page.
</simpara>
</listitem>
- <listitem>
- <simpara>
- The Debian Exim 4 packages have their own
- <ulink url="http://pkg-exim4.alioth.debian.org">
- Home Page
- </ulink> which also links to a User FAQ.
- </simpara>
- </listitem>
<listitem>
<para>
The very extensive Upstream documentation is shipped
extremely flexible, allowing you to get exactly the amount of
control you need for the job at hand.
</para>
- <para>
- The <ulink url="http://pkg-exim4.alioth.debian.org"
- type="http">development web page</ulink> contains a lot of
- useful links and other information. The subversion repository
- of the Debian package is available for public read-only access
- and is linked from the development web page.
- </para>
<section> <title>Feature Sets in the daemon packages</title>
<para>
To use Exim 4, you need at least the following packages:
please be familiar with how Exim works. At minimum, have read this
README file and the manpages delivered with the Debian Exim 4
packages, and <filename>/usr/share/doc/exim4-base/spec.txt.gz</filename>
- chapters 3 and 6. <filename>spec.txt.gz</filename> is an excellent
- reference.
+ chapters <phrase>"How Exim receives and delivers mail"</phrase> and
+ <phrase>"The Exim run time configuration file"</phrase>.
+ <filename>spec.txt.gz</filename> is an excellent reference.
</para>
<para>
Please note that while most free-form fields in the
list extra care needs to be taken in this case.
<emphasis>Unresolvable names in the host list will break
relaying.</emphasis> See
- <ulink url="http://www.exim.org/exim-html-current/doc/html/spec_html/ch-domain_host_address_and_local_part_lists.html">
- Exim specification - chapter Domain, host, address, and
- local part lists
- </ulink> and the exim4-config_files man page.
+ Exim specification chapter <phrase>"Domain, host, address, and
+ local part lists"</phrase>
+ and the exim4-config_files man page.
</para>
</section>
<section> <title>IP address or host name of the outgoing
<para>
Multiple smarthost entries are permitted, semicolon
separated. Each of the hosts is tried, in the order
- specified (See Exim specification, chapter 20.5).
+ specified (See Exim specification, chapter
+ <phrase>"The manualroute router"</phrase>, section
+ <phrase>"How the list of hosts is used"</phrase>.)
</para>
</section>
<section> <title>Hide local mail name in outgoing mail</title>
setting macros. That way, you can switch on and off certain
parts of the default configuration and/or override values set
in Debconf without having to touch the dpkg-conffiles. While
- touching dpkg-conffiles itself is explitly allowed and wanted,
+ touching dpkg-conffiles itself is explicitly allowed and wanted,
it can be quite a nuisance to be asked on package upgrade
whether one wants to use the locally changed file or the
file changed by the package maintainer.
<para>
into the appropriate file. For more detailed discussion of the
general macro mechanism, see the Exim specification, chapter
- 6.4, for details how macro expansion works.
+ <phrase>"The Exim run time configuration file"</phrase>, for
+ details how macro expansion works.
</para>
</section>
<section> <title>How does this work?</title>
</para>
<para>
This means that you will not need any special configuration if
- you want to use TLS for outgoing mail. However, if your
+ you want to use TLS for outgoing mail. However, to enforce
+ TLS and successful certificate verification, a few things
+ need to be configured.
+ </para>
+ <para>
+ To enforce TLS and prevent fallback to unencrypted
+ connections, ensure that hosts_require_tls = * is in effect on
+ the respective transport. For the remote_smtp_smarthost
+ transport, this setting can be controlled via the
+ REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS macro.
+ </para>
+ <para>
+ The certificate presented by the remote host is checked
+ against the system CA certificate store
+ (<filename>/etc/ssl/certs/</filename>) and the verification
+ result is logged (CV=...). However successful certificate
+ verification is <emphasis>not enforced</emphasis> by default.
+ This can be changed by setting tls_verify_hosts = * on the
+ respective transport.
+ </para>
+ <para>
+ Another possibility would be to use DANE for certificate
+ verification. This requires support on the server side and
+ a resolver with DNSSEC support on the client side.
+ </para>
+ <para>
+ If your
server setup mandates the use of client certificates, you
need to amend your remote_smtp and/or remote_smtp_smarthost
transports with a tls_certificate option. This is not
commonly needed.
</para>
- <para>
- The certificate
- presented by the remote host is not checked unless you
- specify a tls_verify_certificate option on the transport.
- </para>
<para id="tls_client_certicate">
To make exim send a TLS certificate to the remote host set
REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY or for
(most prominent example being nearly all versions of Microsoft
Outlook and Outlook Express, and Incredimail) insist on doing
TLS on connect on Port 465. If you need to support these, set
- SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
+ SMTPLISTENEROPTIONS='-oX 465:25 -oP /run/exim4/exim.pid'
in <filename>/etc/default/exim4</filename> and
"tls_on_connect_ports=465" in the main configuration section.
</para>
job will malfunction.
</para>
<para>
- It might be appropriate to add "+tls_cipher +tls_peerdn" to
+ It might be appropriate to add "+tls_cipher" to
any log_selector statement you might already have, or to add a
log_selector statement setting these two options in a local
- configuration file. These options have Exim log what cipher
+ configuration file. (For Debian's configuration simply define
+ the MAIN_LOG_SELECTOR macro.)
+ This option makes Exim log what cipher
your Exim and the peer's mailer have negotiated to use to
- encrypt the transaction, and they have Exim log the
- Distinguished Name of the peer's certificate.
+ encrypt the transaction.
</para>
<para>
Exim can be configured to ask a client for a certificate and to
to no. <command>E4BCD_WATCH_PANICLOG=once</command> will
rotate a non-empty paniclog automatically after sending out
the warning e-mail.
+ </simpara>
+ <simpara>
+ The <command>E4BCD_PANICLOG_LINES</command> setting can be
+ used to limit the number of lines of paniclog quoted in
+ warning email. It is set to 10 by default.
</simpara>
</listitem>
<listitem>
</para>
<para>
Just in case that you need exceptions to the rule,
- <filename>/etc/exim4/lowuid_aliases</filename> is an alias
+ <filename>/etc/exim4/lowuid-aliases</filename> is an alias
file that is only honored for local accounts with UID lower
than FIRST_USER_ACCOUNT_UID. If you define an alias for such an
account here, incoming mail is processed according to the
alias. If you alias the account to itself, messages are
delivered to the account itself, which is an exception to the
rule that messages for low-UID accounts are rejected. The
- format of <filename>/etc/exim4/lowuid_aliases</filename> is
+ format of <filename>/etc/exim4/lowuid-aliases</filename> is
just another alias file.
</para>
</section>
<section> <title>How to bypass local routing specialities</title>
<para>
- Sometimes, it might be desireable to be able to bypass local
+ Sometimes, it might be desirable to be able to bypass local
routing specialities like the alias file or a user-forward
file. This is possible in the Debian Exim4 packages by
prefixing the account name with "real-". For a local account
</section>
</section>
</section>
+ <section> <title>Notes on running SpamAssassin at SMTP time</title>
+ <para>
+ Exim can run
+ <ulink url="https://spamassassin.apache.org/">
+ SpamAssassin</ulink> while receiving a message by SMTP which
+ allows one to avoid acceptance of spam messages. The Debian
+ configuration contains some example code for running SpamAssassin,
+ but like all filtering this needs to be handled carefully.
+ </para>
+ <para>
+ SpamAssassin's default report should not be used in a add_header
+ statement since it contains empty lines. (This triggers e.g.
+ Amavis' warning "BAD HEADER SECTION, Improper folded header field
+ made up entirely of whitespace".) This is a safe, terse alternative:
+ <programlisting>
+ clear_report_template
+ report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN_
+ </programlisting>
+ </para>
+ <para>
+ Rejecting spam messages: Do not reject spam-messages received on
+ (non-spam) mailing lists, this can/will cause auto-unsubscription.
+ This also applies to messages received via forwarding services
+ (e.g. @debian.org addresses). If theses messages are rejected the
+ forwarding services will need to send a bounce address to the
+ spammer and will probably disable the forwarding if it happens all
+ the time. You will need to have some kind of whitelist to exclude
+ these hosts.
+ </para>
+ <para>
+ Security considerations: By default <command>spamd</command>
+ runs as root and changes uid/gid to the requested user to run
+ SpamAssassin. The example uses SpamAssassin default non-privileged
+ user (nobody) which prevents use of Bayesian filtering since this
+ requires persistent storage. You might want to setup a dedicated
+ user for exim spam scanning and use that one, either for a separate
+ SpamAssassin user profile or to run SpamAssassin as non-privileged
+ user.
+ </para>
+ </section>
</section>
<section> <title>Updating from Exim 3</title>
<section> <title>Misc Notes</title>
<section> <title>PAM</title>
<para>
- PAM: On Debian systems the PAM modules run as the same user
+ On Debian systems the PAM modules run as the same user
as the calling program, so they cannot do anything you
could not do yourself, and in particular cannot access
<filename>/etc/shadow</filename> unless the user is in group
In the default configuration, Exim cannot locally deliver
mail to accounts which have capitals in their name. This is
caused by the fact that Exim converts the local part of incoming
- mail to lower case before the comparision done by the
+ mail to lower case before the comparison done by the
check_local_user directive in routers is done.
</para>
<para>
</section>
</section>
<section> <title>Debian modifications to the Exim source</title>
- <variablelist>
- <varlistentry>
- <term>
- <ulink url="http://www.arise.demon.co.uk/exim-patches/">
- Patches</ulink> by Steve Haslam:
- </term>
- <listitem>
- <simpara>
- boolean_redefine_protect
- [src/mytypes.h]
- Surround the definition of TRUE and FALSE macros with #ifndef
- /#endif, in case some other header defines them (from mixing No
- Perl and Exim, istr)
- </simpara>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- Other stuff
- </term>
- <listitem>
- <itemizedlist>
- <listitem>
- <simpara>
- link exim dynamically against pcre.
- </simpara>
- </listitem>
- <listitem>
- <para>
- The main binary is /usr/sbin/exim4:
- <itemizedlist>
- <listitem>
- <simpara>
- src/globals.c was changed to use 'US
- BIN_DIRECTORY "/exim4"' as default for
- exim_path.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- changed default for $exim_path (modulo
- lower/upper case) from BIN_DIRECTORY/exim to
- BIN_DIRECTORY/exim4 in exicyclog.src,
- exim_checkaccess.src, eximon.src, exinext.src,
- exiqgrep.src, exiwhat.src.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- OS/Makefile-Linux:EXIWHAT_MULTIKILL_ARG=exim4
- </simpara>
- </listitem>
- </itemizedlist>
- </para>
- </listitem>
- <listitem>
- <simpara>
- <ulink
-url="http://marc.merlins.org/linux/exim/files/sa-exim-current/">localscan_dlopen
-.patch</ulink>:
- Allow to use and switch between different local_scan
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ Install the exim binary as /usr/sbin/exim4 instead of
+ /usr/sbin/exim-<version> with a symlink /usr/sbin/exim. Also
+ adapt the documentation.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Make the build reproducible. Pull date/time from debian/changelog
+ and use it as build time instead of using __DATE__.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Documentation updates
+ </simpara>
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ Mention how to install the Debian packaged perl-modules needed
+ for eximstats' graphs.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Add a warning about convert4r4.
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Point to the <ulink
+ url="mailto:pkg-exim4-users@lists.alioth.debian.org">
+ Debian-specific mailing list</ulink> instead of
+ the <ulink url="mailto:exim-users@exim.org">official
+ exim-users list</ulink>.
+ </simpara>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ <listitem>
+ <simpara>
+ <ulink
+ url="http://marc.merlins.org/linux/exim/files/sa-exim-current/">localscan_dlopen.patch</ulink>:
+ This patch makes it possible to use and switch between
+ different local_scan
functions without recompiling Exim. Use
local_scan_path = /path/to/sharedobject to utilize
local_scan() in <filename>/path/to/sharedobject</filename>.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- changes to the documentation to have the <ulink
- url="mailto:pkg-exim4-users@lists.alioth.debian.org">
- Debian-specific mailing list</ulink> mentioned where
- the <ulink url="mailto:exim-users@exim.org">official
- exim-users list</ulink> is mentioned
- </simpara>
- </listitem>
- </itemizedlist>
- </listitem>
- </varlistentry>
- </variablelist>
+ </simpara>
+ </listitem>
+ </itemizedlist>
</section>
<section> <title>Credits</title>
HCoop / hcoop / debian / exim4.git / blobdiff