Cyrus22, Virtual Domains and Spam and Virus Free exim4 debian config
I love exim4, and I cannot get on with either postfix or sendmail.
The level of sophistication that is required these days to set up a
trouble-free email server is, I believe, matched only by exim4's
sophistication and ease of setup. postfix is great, and secure, and
lovely, but if you need a rocket wizard to configure it, then it's not
much good to anybody. And sendmail is just... my hat off to anyone who
can configure sendmail, because it's just... just... absolutely fine for
anyone who has an IQ above 160. So, having finally got a
setup that I am happy with, one that can cope with several domains,
I thought it was time to let people know about it.
This setup is very fussy, and all of its checking is done at MTA time.
As a result, it is particularly important that your backup MX hosts
do the same level of sophisticated checking. (I had one client
for whom I did a similar setup, and they used some idiots for their backup
MX, whose server accepted the email immediately, then tried to
deliver it 60 times per hour, and then gave up.)
I've spent about four years tracking down issues to get this
configuration right. Finally I have solved the one thing that has been
bugging me: messages from spammers, sent from the <> "bounce" (null sender)
address to random addresses on my cyrus server, causing me grief.
The issue is, I believe, that there is a bug in exim4 (which the
developers will not acknowledge, as I pissed them off. As usually happens
when people don't know me very well, I went from trying to learn what to
do, asking for help and demonstrating both my ignorance and my willingness
to learn and help, to swearing at them in under 48 hours. So, if
you want to investigate this issue, please do so, because I certainly can't).
The issue is, I believe, in the LMTP transport, and will,
I believe, affect every single exim4 system in existence that uses LMTP
to deliver to the mailboxes (cyrus, courier etc.).
I believe that this bug stops you from being able to use LMTP for
sender verification, as anything that is attempted to be delivered
(or tested/verified) returns immediately, and any errors, such as 550
mailbox nonexistent, are ignored. The logical result of this is that
spammers can send you email to any address, and it will be accepted by
exim4 into its queues, but then it cannot be delivered! (The symptoms
are that you keep getting undeliverable messages sent to postmaster.)
Finally, I found the excellent 'virtual domains' concept, by steve.
Now, this addition to exim4 is extremely useful, and I said so in
a bug report to the exim4 debian maintainers, who managed to
justify not adding it because they believe that it over-uses
the word 'virtual'. This is, in my opinion, pure laziness on their
part, and if you also believe that exim4 should have, out of the box, the simple
capability to do what postfix has been able to do for years
(handle multiple domains in a very simple fashion), then please do contact debian-devel,
bug report 408467 and the debian exim4 maintainers to express your views.
So, in short: I have moved even my main domain lkcl.net into this format
(/etc/exim4/virtual/lkcl.net), and made the exim4 "standard" configuration
responsible only for localhost (/etc/mailname is localhost). Any
email addresses, e.g. lkcl@lkcl.net, are now listed as entries
"lkcl: lkcl@localhost", because addresses at localhost are the only way
that email will get into the cyrus22 server.
Now, I have had to create entries for postmaster: postmaster@localhost
as well, and for root and webmaster, which is a bit of a pain, but there you go.
But still... it's the last irritating thing that I've had to fix.
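As an added example (not part of this page or the author's configuration), a small Python audit of the per-domain alias files described above. It assumes each /etc/exim4/virtual/<domain> file holds one "local-part: destination" line per alias, modelled on the "lkcl: lkcl@localhost" entry, and checks that postmaster, root and webmaster exist and that every destination is @localhost, since that is the only route into cyrus in this setup.

```python
import re
from typing import Dict, List

# Assumed format, modelled on the page's "lkcl: lkcl@localhost" entry: one
# "local-part: destination" per line, '#' comments and blank lines ignored.
_LINE_RE = re.compile(r"^([^\s:]+)\s*:\s*(\S+)$")

# Aliases the page says had to be created by hand for every domain.
REQUIRED_ALIASES = ("postmaster", "root", "webmaster")

# Only @localhost addresses are handed to cyrus over LMTP; anything else is relayed.
LOCAL_DOMAIN = "localhost"

def parse_aliases(text: str) -> Dict[str, str]:
    """Map local-part -> destination; malformed or duplicate lines raise ValueError."""
    aliases: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
        local, dest = m.group(1).lower(), m.group(2).lower()
        if local in aliases:
            raise ValueError(f"line {lineno}: duplicate alias {local!r}")
        aliases[local] = dest
    return aliases

def audit_domain(text: str) -> List[str]:
    """Return findings for one /etc/exim4/virtual/<domain> file; [] means consistent."""
    try:
        aliases = parse_aliases(text)
    except ValueError as exc:
        return [f"ERROR {exc}"]
    findings = [f"ERROR missing required alias {name!r}"
                for name in REQUIRED_ALIASES if name not in aliases]
    for local, dest in aliases.items():
        if "@" not in dest or dest.rsplit("@", 1)[1] != LOCAL_DOMAIN:
            findings.append(f"WARN {local!r} -> {dest!r} is not @{LOCAL_DOMAIN}")
    return findings

# Constructed sample files, not the author's real ones.
SAMPLE_FILES = {
    "lkcl.net": "postmaster: postmaster@localhost\nroot: root@localhost\n"
                "webmaster: webmaster@localhost\nlkcl: lkcl@localhost\n",
    "example.org": "# postmaster forgotten; sales forwarded off-box\n"
                   "root: root@localhost\nwebmaster: webmaster@localhost\n"
                   "sales: sales@example.net\n",
}
```

Run audit_domain() over the contents of each file under /etc/exim4/virtual/ after editing; a WARN is expected for deliberate off-box forwards, an ERROR means mail to that domain will bounce or queue.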
The rest of my configuration is a probably-quite-extreme-and-probably-broken
sa-exim setup, with spam thresholds so extremely low that virtually nothing
gets through. Certainly, it's pretty hit-and-miss as to whether hotmail
users, with their insistence on sending HTML by default, will get through
spamassassin (which has both razor and pyzor _and_ dcc _and_ clamav
to back it up), but to be honest, I couldn't care less, and if I do happen
to care then I add them to /etc/spamassassin/local.cf as a whitelist_from
{email address} entry.
The only other thing is that I found someone who recommended adding these
two lines to /etc/spamassassin/local.cf:
score MIME_HTML_ONLY 3.0
score HTML_MESSAGE 3.0
The reason for pushing the scores up a bit is that many messages which
contain those irritating viruses-in-an-image are HTML-only messages with
a single MIME attachment.
Razor and Pyzor are very good distributed real-time spam checking programs.
DCC is a fuzzy spam checker that I found randomly and thought might
be nice to try. I added the testmsg-whitelist which I found on the
dcc client web site, because treating test messages as spam is kinda
rude.
Exim4 with anti-virus was easy because I'm using exim4 4.64: see
main/20_clamav and also acl/40_exim4-config-check-data near the end,
the 'This message contains a virus:....' entry. This is absolutely brilliant,
because the only opportunity to correctly inform people that they have
a virus on their system is at MTA time, while the sending server is still
connected. Anything else is risky, and you shouldn't do it (sending a
notification to the 'From:' address after receiving the email), as you can
pretty much guarantee that the address is going to be faked up.
Also, I installed greylistd. greylistd for debian has a script
that automatically reconfigures the ACLs in your exim4 config to make
it do greylisting. Unfortunately, there's a bug in the maintainer's
config which turns off greylisting for anything that comes from <>,
which is the key source of the problems that I encountered earlier.
Of course, it's very _sensible_ to disable greylisting for <>
addresses (if you do not properly distinguish where the incoming
message is to be sent), because if you get two servers doing
sender verification using the <> "bounce" address, you end up
in a 'please try later' bun-fight which nobody wins... :)
But here's the thing: only local mailboxes should be told
'please try later', whereas messages which are forwarded on to another
SMTP server should not be rejected at this stage.
So, I commented out the '!senders = :' line in acl/30_exim4-config_check_rcpt,
and I hope like hell it was the right thing to do :)
Also note: I don't know where it came from, but I have a section
main/09_exim4_local_options with smtp_accept_max = 0 to accept an
unlimited number of connections (for teergrubing), but the load
average must not be above 10: once it goes above 10, exim stops
accepting incoming connections.
Overall, this is an extremely sophisticated setup where, especially
since I installed dcc and set the spamassassin scores for those two
HTML rules a bit higher, I am literally receiving no spam whatsoever.
Prior to dcc being in the mix and those two extra scores, I would
occasionally get three to four spam messages in one go, every few days.
At the moment, I'm receiving about 1,500 spam and virus delivery attempts
per day: with the combination of dcc, pyzor, razor, spamassassin,
greylisting and clamav, absolutely none of them get through.
Neither, being absolutely honest, will some legitimate email messages,
especially from certain ISPs, but at least,
unlike non-MTA-time setups, the sender is guaranteed to receive
a bounce message pointing them to some advice...
Here are the exim4 config files: