Re: [Exim] need more newbie help..

Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] need more newbie help..
Hi Brian, on Sat, 17 Apr 2004 10:48:28 -0400 you wrote:

> I'm so confused with all the exim options that there are, I have no idea
> what I have to do to accomplish what I'm looking for.


I'm sure it can seem a bit daunting (it was for me, even when I upgraded
from Exim 3 to Exim 4). However, take a small step back and you'll find
that in actual fact Exim has a relatively small number of actual
options/directives, and the trick is in fact recognising the basic
building blocks and from there constructing the rules that you want. This
power and flexibility means that there are often many ways to achieve a
particular result, which is why you will sometimes see slightly vague
answers on here (because the answer to many questions will be "well, it
depends how you are doing xyz"). Nevertheless, it's worth persevering as
the control you get is really awesome once you get into it: you can
certainly do everything you want.

This is by no means a complete list, and probably not 100% correct in
terminology usage, but here are a few of the core elements that are at the
core of Exim and which it's worth understanding:

- domainlists/hostlists/addresslists: these are just lists of
domains/hosts/addresses, that can be used in many ways

- routers: blocks that actually determine how mail is routed

- ACLs: implement policy control, mostly for SMTP transactions. There are
numerous creative uses of ACLs to implement all kinds of powerful
anti-spam/virus measures which would be difficult or impossible with
some other MTAs.

- transports: sort of like "drivers" which actually deliver mail

- lookups: look up data in a database of some kind (text file, DBM, cdb,
MySQL etc..)

- variables/string expansions

> I'm trying to use exim to filter email for multiple domains.
> - using domainlist local_domains = domain1.tld : domain2.tld


OK, "domainlist" is just a general term saying "I am defining a list of
domains called XYZ", where XYZ="local_domains" in this case. However, in
the default configuration, "local_domains" is primarily intended for
domains that have local users. In this case you'd probably be better
keeping local_domains exclusively for the primary hostname of the machine,
and setting up a separate domain list for the domains that you are
filtering mail for. By default, Exim defines one called "relay_domains",
which is for mail that is accepted but will ultimately be delivered
elsewhere. You might want to use this, or maybe define your own, like
"scan_domains" or something.

I would do this:

domainlist local_domains = @ (@ means the local host name)
domainlist scan_domains = domain1 : domain2


> I've seen references where I can use a flat file can I also use a cdb?


Yes. Pretty much everywhere in Exim where a flat file is used for
something, you can use a DBM, cdb, LDAP, MySQL or whatever, as long as
you've compiled Exim with the relevant support. This is the beauty of the
generic "lookup" which just means "look up the data X in data source Y".
It's very easy to switch between types (e.g. use plain text files at
first, and then if performance starts to become a problem switch to CDB or
DBM).

> The machine will take no local mail.


Typically, you will want *some* local mail handling, even if it's just
root to receive local system reports etc.

> - qmail calls these rcpthosts then they are listed in virtualdomains or
> smtproutes.


You can call them pretty much whatever you want.

> The machine will accept emails for various designated domains.
> - postfix designates these as relay_domains. Is domainlist what I want
> to use for this?


In the default configuration, I would use

> I need to be able to define who will get mail for these domain. Some
> domains have a finite list of users, others I have no idea.


The easiest way, if the machine which you are ultimately delivering to
supports SMTP-time rejection, is to use a real-time SMTP callout. This is
*very* easy to turn on in Exim. (just add the "/callout" option to the
relevant ACL verification rule).

If the machines you are delivering to blindly accept all recipients, or
you just prefer to keep a local list then yes, sure, you can easily set up
a list. I would probably just have a text file for each domain containing
a list of valid local parts. (You could choose to compile it into a
DBM/CDB for performance if you like, but as previously discussed that
doesn't really affect things much; you just change "lsearch" to "dbm" or
"cdb" in the lookup.)

> - can there be a per domain reject message?


Yes. This is just a matter of setting up an ACL appropriately.

> I need to always accept emails for various acceptable users, ie.
> postmaster, abuse.. etc. regardless of dnsbl status or other.
> - I believe exim does this


Yes, this is trivial. In fact, IIRC Exim does this for postmaster by
default.

> I need to use dnsbl's to block and would like to be able to tag on
> others.


Very easy.

> - We think this would do that.
> warn  message = X-Warning: $sender_host_address is in SPEWS
>      log_message = found in spews
>      dnslists = spews.localmirror.int


Yep, looks good.

> I would like to be able to filter out things like spaces and irregular
> quotation marks in MAIL FROM or RCPT TO.


Also very easy. Exim filters out a fair amount by default - one of the
first ACL rules looks something like this:

deny local_parts = ^.*[@!/|] : ^\\.

> - I see it does some regex with the HELO, something similar to that
> possible?


By default, Exim syntax checks the HELO. You can do whatever you like.
There is both an ACL that can be run at HELO time (allowing you to reject,
defer or accept the HELO, though doing so at HELO time is probably not
advisable) and also the HELO information is put into a variable
$sender_helo_name which can be processed later, for example at RCPT time.

> In accepting emails for other domains some will have different hosts
> where the mail will be delivered.
> - qmail calls this smtproutes, postfix calls this transports, I believe
> this is called a manualrouter, but it looks like I would need one
> router per domain.


You would need a *single* router, which uses the "manualroute" driver.
This is very easy to set up. For example, if you had set up a domainlist
"scan_domains" which contained all the domains you want to scan for, and
you want to provide manual routing information for each of them, just do
something like this:

scan_domains:
driver = manualroute
domains = +scan_domains
route_data = ${lookup{$domain}lsearch{/etc/exim/domain_routes}}
transport = remote_smtp
no_more

In this way, you could have a file /etc/exim/domain_routes which contained
things like this:

domain1: mail.foo.example.com
domain2: 192.168.0.1 : mail2.bar.example.com

and so on.
(Again, yes it could be a DBM or CDB if you like)

> - not all destination hosts are on 'port 25' I don't see where port is
> defined, it all looks like port 25 is assumed.


There is a "port" option to the smtp transport.

> I would like to be able to call an antivirus scanner from within the
> mta, or using as little resources as possible to do so and preferably
> not using perl to do it.
> - I've seen the av_scanner configuration, not sure if I have it
> configured correctly.. how to test?


See http://www.timj.co.uk/linux/Exim-SpamAndVirusScanning.pdf for my HOWTO
which explains in simple terms the various options related to spam and
virus content scanning with Exim, and how to set them up and test.

> The messages if something is bounced needs to be coherent message to
> the user (probably not technical) as possible.
> - just so the bounce message contains what the dnsbl issued, or just
> something semi-clear.


Yes, that's OK.

> - we have our own composite dnsbl using rbldnsd which is just a mirror
> for spamhouse and the cbl and dsbl. Sometimes the address spaces
> overlap, resulting in more than one return value for the IP. Does exim
> show all the results or just the first one?


Not sure about this, check the manual (perhaps look at the reference
manual online, which is not the same as the book).

> along with the various, MX and/or A record checks, blocking the verisign
> .com global thing if possible.


The mind-bogglingly stupid Verislime "break the DNS" thing isn't active at
the moment, but if it returns, it's trivial to block just by adding the IP
address of the MX/A which they point all unregistered domains to, to
ignore_target_hosts.

> We are currently using qmail and qmail-scanner to do the majority of
> these things, but what it cannot do is whitelist recipients :(


If you mean "don't scan mail for this recipient", that is slightly
non-trivial to do at SMTP time due to the limitations of the protocol (not
Exim), but there are reasonably good solutions to it - see the archives
for discussions, including Alan Flavell's excellent "scanning profiles"
idea. However, I'd get familiarised with ACLs first before trying to use
them to do powerful and slightly unorthodox manipulations of the SMTP
protocol.

> There are many hits on google for various postfix/qmail uce/spamcontrol
> but I can't find something similar on exim. Might look at putting SA
> on this if everything all goes well. We have SA on the machines where
> the mail is finally delivered.


SA is easy to integrate with Exim, via one of two widely-used and stable
patches: Exiscan or SA-Exim. Again, see the HOWTO that I previously
referred to for detailed discussion.


Hope that helps. In summary: yes, Exim can do everything you need, and you
would find it an excellent choice not only for that, but because it offers
unparalleled power and flexibility, so that when the next "feature
request" you have comes along, you can implement it easily just by adding
a new ACL rule or router.


Tim
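Putting the pieces from this thread together into one Exim 4 configuration fragment, as an added example that is neither Tim's nor Exim's own default config. It assumes the domain names from the thread, the list files /etc/exim/users/<domain> and /etc/exim/domain_ports (both invented paths), and that the usual local-delivery routers and transports from the default configuration follow the ones shown.

```exim
domainlist local_domains = @
domainlist scan_domains  = domain1.tld : domain2.tld
acl_smtp_rcpt = acl_check_rcpt

begin acl
acl_check_rcpt:
  # contact addresses are accepted before any DNS list or user check
  accept  local_parts   = postmaster : abuse
          domains       = +local_domains : +scan_domains

  # the restricted-character rule the default configuration starts with
  deny    message       = Restricted characters in address
          local_parts   = ^.*[@!/|] : ^\\.

  deny    message       = $sender_host_address is listed in $dnslist_domain
          dnslists      = spews.localmirror.int

  # domains with a known user list: one file per domain, one local part per
  # line (assumed path); domains without a file fall through to the callout
  deny    message       = No mailbox $local_part at $domain
          domains       = +scan_domains
          condition     = ${if exists{/etc/exim/users/$domain}}
          !local_parts  = lsearch;/etc/exim/users/$domain

  # ask the destination host at SMTP time; a temporary failure lets it through
  accept  domains       = +scan_domains
          endpass
          message       = $local_part@$domain is not a valid mailbox
          verify        = recipient/callout=30s,defer_ok

  accept  domains       = +local_domains
          endpass
          verify        = recipient
  deny    message       = relay not permitted

begin routers
# one router covers every scanned domain; the usual local routers follow it
scan_domains:
  driver     = manualroute
  domains    = +scan_domains
  route_data = ${lookup{$domain}lsearch{/etc/exim/domain_routes}}
  transport  = remote_smtp
  no_more

begin transports
remote_smtp:
  driver = smtp
  # /etc/exim/domain_ports (assumed) holds "domain2.tld: 2525"; others get 25
  port   = ${lookup{$domain}lsearch{/etc/exim/domain_ports}{$value}{25}}
```

Every domain in scan_domains that has a users file gets its own reject message, and any of the lsearch files can later be swapped for dbm or cdb without touching the ACL logic.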