750
750
The access lists delivered with the exim4 packages also
751
contains quite a few configuration options that are too
751
contain quite a few configuration options that are too
752
752
restrictive to be active by default on a real-life site.
753
753
These are masked by .ifdef statements, can be activated by
754
754
setting the appropriate macros, and are documented in the
844
844
script prior to any operation that may invoke an exim process,
845
845
and gives an error message if the generated config file is
846
846
syntactically invalid. If you want to activate your changes to
847
files in conf.d/ just execute "invoke-rc.d exim4 restart".
847
files in conf.d/ just execute <command>invoke-rc.d exim4 restart</command>.
850
<section id="howto-change-config"><title>How do I do minor tweaks to the configuration</title>
850
<section id="howto-change-config"><title>How do I do minor tweaks to the configuration?</title>
852
852
Some times, you want to do minor adjustments to the Exim
853
853
configuration to make Exim behave exactly like you want it
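Review bot: the question mark added to the title at line 850 is right, but the context line 852 directly below still reads "Some times, you want to do minor adjustments"; since this patch is a wording and consistency sweep, change it to "Sometimes, you want to make minor adjustments" in the same commit.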
908
908
<section id="completely-different-configuration"> <title>Using a completely different configuration scheme</title>
910
910
If you are an experienced Exim administrator, you might feel
911
like working with our pre-fabricated configuration
911
working with our pre-fabricated configuration
912
912
cumbersome and complex. You might feel right if you need to
913
913
make more complex changes and do not need to receive updates
914
from us. This section is going to tell how about how to use
914
from us. This section is going to tell about how to use
915
915
your own configuration.
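Review bot: the rewording at lines 911 and 914 still leaves awkward sentences. Lines 911-912 now read "you might feel working with our pre-fabricated configuration cumbersome and complex"; the idiomatic form is "you might find working with our pre-fabricated configuration cumbersome and complex", and "You might feel right if" on line 912 should be "You might be right if". Line 914, "This section is going to tell about how to use your own configuration", keeps the original's problem; suggest "This section tells you how to use your own configuration".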
935
935
you can either take
936
936
<filename>/etc/exim4/exim4.conf.template</filename>,
937
937
run <command>update-exim4.conf --keepcomments --output
938
/etc/exim4/exim4.conf</command>, or use Upstream's
938
/etc/exim4/exim4.conf</command>, or use upstream's
939
939
default configuration file that is installed as
940
940
<filename>/usr/share/doc/exim4-base/examples/example.conf.gz</filename>.
941
You're going to lose all magic you get from packaging
941
You are going to lose all magic you get from packaging
942
942
though, so you need to be familiar with Exim to build
943
943
an actually working config.
960
960
pre-fabricated, static config file to
961
961
<filename>/etc/exim4/exim4.conf</filename>. This is
962
962
considered bad advice by the Debian maintainers since
963
you're going to disable all updates and service magic
963
you are going to disable all updates and service magic
964
964
that Debian might deliver in the future this way. If
965
965
you do not know exactly what you're doing here, this
966
966
is a bad choice. We try to comment on external HOWTOs
973
973
<section> <title>Replacing exim4-config with your own exim4 configuration package.</title>
975
We have split off Exim's configuration system (debconf,
976
update-exim4.conf, and the files in
975
We split off Exim's configuration system (debconf,
976
<command>update-exim4.conf</command>, and the files in
977
977
<filename>/etc/exim4/conf.d)</filename> to a separate
978
978
package, exim4-config. If you want to, you can replace
979
979
exim4-config by something entirely different. The other
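Review bot: markup error at line 977: the closing parenthesis sits inside the element, `<filename>/etc/exim4/conf.d)</filename>`, so it will render as part of the path. The hunk already touches lines 975-976 to add <command> markup, so fix it here too: `<filename>/etc/exim4/conf.d</filename>)`.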
996
Your package must provide an executable update-exim4.conf
997
that must be in root's path (/usr/sbin recommended). The init
996
Your package must provide an executable <command>update-exim4.conf</command>
997
that must be in root's path (<filename>/usr/sbin</filename> recommended). The init
998
998
script will invoke that executable prior to invoking the
999
actual exim daemon. If you don't need that script, have it exit 0.
999
actual exim daemon. If you do not need that script, have it exit 0.
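Review bot: missing documentation at line 999: the text tells the author of a replacement package to "have it exit 0" when the script is not needed, but not what the init script does when update-exim4.conf exits nonzero. Since line 998 says the init script invokes it before starting the daemon, state whether a nonzero exit aborts the start so that package authors know the contract. Minor style point: "exit 0" would read better as <literal>exit 0</literal>, matching the <command> markup introduced at line 996.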
1002
1002
If you want to create your own configuration packages, there is a
1007
1007
The Exim 4 Debian svn repository holds sources for a
1008
1008
exim4-config-simple package which contains a simple, not
1009
debconf-driven configuration scheme as example which can
1010
be used as template for a classical, exim4.conf based
1009
debconf-driven configuration scheme as an example which can
1010
be used as a template for a classical, exim4.conf based
1011
1011
configuration scheme.
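Review bot: the article fixes at lines 1009-1010 miss one at lines 1007-1008: "holds sources for a exim4-config-simple package" should be "an exim4-config-simple package". In the same sentence, "a simple, not debconf-driven configuration scheme" reads better as "a simple, non-debconf-driven configuration scheme", matching "non-debconf configuration package" used at line 1020.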
1017
1017
exim4-config-medium package which contains the conf.d
1018
1018
driven configuration of the main package with the
1019
1019
debconf interaction removed. This can be used to create
1020
you own non-debconf configuration package that uses the
1020
your own non-debconf configuration package that uses the
1021
1021
conf.d mechanism.
1026
1026
Finally, you can invoke the script
1027
"debian/config-custom/create-custom-config-package"
1027
<filename>debian/config-custom/create-custom-config-package</filename>
1028
1028
which will create a new source package
1029
1029
"exim4-config-custom" with the debconf-driven config
1030
1030
scheme of exim4-config for your local modification.
1033
1033
</itemizedlist>
1034
1034
Please note that exim4-config-simple and
1035
exim4-config-medium are only targetet to be used as
1035
exim4-config-medium are only targeted to be used as a
1036
1036
template. The configurations contained are not
1037
1037
suitable for productive use. Of course, the Debian
1038
1038
maintainers appreciate any patches you might find
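Review bot: "targetet" to "targeted" at line 1035 is correct, but the sentence is still unidiomatic: "are only targeted to be used as a template" should be "are only intended to be used as templates" (two packages are named). In the context line 1037, "productive use" should be "production use".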
1050
1050
Exchanging the entire exim4-config package with
1051
1051
something custom comes particularly handy for sites
1052
1052
that have more than a few machines that are
1053
similarly configured, but don't want to use the
1053
similarly configured, but do not want to use the
1054
1054
original exim4-config package. Build your own
1055
1055
exim4-config-custom or exim4-config-foo, and simply
1056
1056
apt that package to the machines that need to have
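Review bot: two phrasings in the context around the "don't" to "do not" change at line 1053 are worth fixing in the same pass: line 1051 "comes particularly handy" should be "comes in particularly handy", and line 1056 "simply apt that package to the machines" uses apt as a verb; suggest "simply install that package with apt on the machines".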
1084
1084
the server Exim connects to offers it.
1087
This means that you won't need any special configuration if
1087
This means that you will not need any special configuration if
1088
1088
you want to use TLS for outgoing mail. However, if your
1089
1089
server setup mandates the use of client certificates, you
1090
1090
need to amend your remote_smtp and/or remote_smtp_smarthost
1128
1128
Outlook and Outlook Express, and Incredimail) insist on doing
1129
1129
TLS on connect on Port 465. If you need to support these, set
1130
1130
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
1131
in /etc/default/exim4 and "tls_on_connect_ports=465" in the main
1132
configuration section.
1131
in <filename>/etc/default/exim4</filename> and
1132
"tls_on_connect_ports=465" in the main configuration section.
1135
1135
The -oP is needed because Exim does not write an implicit pid
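Review bot: inconsistent markup at new line 1132: "tls_on_connect_ports=465" is left in plain quotation marks while the same hunk wraps the neighbouring path in <filename>. Wrap the setting in <literal> (or <option>), and give the SMTPLISTENEROPTIONS assignment at line 1130 the same treatment, since the reader is expected to copy it verbatim into /etc/default/exim4. Also, "Port 465" at line 1129 should be lowercase "port 465".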
1162
1162
GnuTLS does not support varying its Diffie-Hellman parameters.
1163
1163
Therefore tls_dhparam settings are ignored in Exim's
1164
1164
configuration file, and no dhparam file is generated by
1165
exim-gencerts. GnuTLS uses D-H parameters that are
1165
exim-gencerts. GnuTLS uses Diffie-Hellman parameters that are
1166
1166
computed when they are needed. When someone sends STARTTLS,
1167
1167
Exim will compute these parameters and then store these
1168
1168
parameters in a cache file located in Exim's spool directory
1172
1172
The daily cron job and the script
1173
1173
<filename>/usr/share/exim4/exim4_refresh_gnutls-params</filename>
1174
take care of new D-H parameters. If neither gnutls-bin nor
1175
openssl are installed, the gnutls-params file is removed and
1176
Exim re-generates the file on the fly during the next incoming TLS
1177
connection. Systems generating little entropy might hang in this
1178
situation after clients invoking a STARTTLS command.
1174
take care of new Diffie-Hellman parameters. If neither gnutls-bin
1175
nor openssl are installed, the <filename>gnutls-params</filename>
1176
file is removed and Exim re-generates the file on the fly during
1177
the next incoming TLS connection. Systems generating little
1178
entropy might hang in this situation after clients invoking a
1181
1182
To avoid this behavior, which can possibly lead to a DoS
1182
1183
condition, if the daily cron job finds openssl or gnutls-bin
1183
installed, it will regenerate the gnutls-params file outside
1184
of Exim and only replace the gnutls-params file after a new
1185
one has been successfully generated. If the new file
1186
generation does not finish after an hour, the process is
1187
killed to avoid sustained entropy depletion. If the
1188
gnutls-params file gets older than two weeks, the daily cron
1189
job starts sending out warning messages.
1184
installed, it will regenerate the
1185
<filename>gnutls-params</filename> file outside of Exim and only
1186
replace the <filename>gnutls-params</filename> file after a new
1187
one has been successfully generated. If the new file generation
1188
does not finish after an hour, the process is killed to avoid
1189
sustained entropy depletion. If the
1190
<filename>gnutls-params</filename> file gets older than two weeks,
1191
the daily cron job starts sending out warning messages.
1192
It is "more secure" when you have the gnutls-params file
1193
regenerated more often. You can delete it any time
1194
you wish without any need for synchronization. Exim will
1195
regenerate it automatically. Alternatively, you can manually invoke
1196
<command>/usr/share/exim4/exim4_refresh_gnutls-params</command>
1197
to re-generate the file.
1194
It is "more secure" when you have the
1195
<filename>gnutls-params</filename> file regenerated more often.
1196
You can delete it any time you wish without any need for
1197
synchronization. Exim will regenerate it automatically.
1198
Alternatively, you can manually invoke
1199
<command>/usr/share/exim4/exim4_refresh_gnutls-params</command> to
1200
regenerate the file.
1200
1203
NOTE! The fact that GnuTLS does not support generated
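Review bot: new lines 1190-1191 hardcode "older than two weeks" for the gnutls-params warning, while the cron-job description later in this file (line 1423, $E4BCD_GNUTLS_PARAMS_MAXAGE) makes that age configurable; refer to the variable here and state its default so the two passages cannot drift apart. At new lines 1194-1195 the scare-quoted "more secure" is vague: say what regenerating more often buys (each cached Diffie-Hellman parameter set stays in use for a shorter time) or drop the quotation marks.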
1225
1228
failures in Exim context. If Exim logs "not enough random bytes
1226
1229
available", or simply hangs silently when an encrypted
1227
1230
connection should be established, then Exim was
1228
unable to read enough random data from /dev/random to do whatever
1229
cryptographic operation is requested. Please check that
1230
your /dev/random device is setup properly.
1231
unable to read enough random data from
1232
<filename>/dev/random</filename> to do whatever cryptographic
1233
operation is requested. Please check that your
1234
<filename>/dev/random</filename> device is setup properly.
1233
1237
A process that regularly consumes a lot of entropy is the
1234
re-generation of the Diffie-Hellman parameters. See
1238
regeneration of the Diffie-Hellman parameters. See
1235
1239
<xref linkend="dhparams"/> for more information.
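Review bot: grammar at new line 1234: "device is setup properly" should be "device is set up properly" ("setup" is the noun, "set up" the verb); the sentence is also vague about what "properly" means, so consider saying what the reader should check. The "re-generation" to "regeneration" change at line 1238 is fine, but new line 1176 in the earlier hunk still says "Exim re-generates the file on the fly", so the hyphenated form survives in the new text; make it "regenerates" as well.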
1382
1387
so existing issues will be reported daily until
1383
1388
either the paniclog is rotated due to its sheer
1384
1389
size, or you manually move it away, for example by
1385
calling logrotate -f /etc/logrotate/exim4-paniclog
1390
calling <command>logrotate -f
1391
/etc/logrotate/exim4-paniclog</command> from a shell.
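Review bot: please double-check the logrotate path at new lines 1390-1391. Both the old and the new text give /etc/logrotate/exim4-paniclog, but per-service logrotate snippets are conventionally installed under /etc/logrotate.d/, so this looks like a missing ".d". Since the hunk is already touching the line to add <command> markup, verify it against the path the package actually ships.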
1389
1394
Just in case your system logs transient error
1390
1395
situations to the panic log as well (see, for
1392
http://www.exim.org/bugzilla/show_bug.cgi?id=92),
1397
<ulink url="http://www.exim.org/bugzilla/show_bug.cgi?id=92">Exim Bug 92</ulink>),
1393
1398
you can configure
1394
1399
<command>$E4BCD_PANICLOG_NOISE</command> to a
1395
1400
regular expression. If the paniclog contains only
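Review bot: <command> is the wrong element for $E4BCD_PANICLOG_NOISE at new line 1399: it is a variable set in a configuration file, not a command, so <varname> (or <envar>) is the appropriate DocBook markup. The same applies to <command>$E4BCD_GNUTLS_PARAMS_MAXAGE</command> at new line 1423 in the later hunk.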
1413
1419
If TLS is enabled, it regenerates the GnuTLS
1414
1420
parameter file. If that process fails (maybe because
1415
1421
your system being short of entropy), and the
1416
gnutls-params file thus gets older than
1422
<filename>gnutls-params</filename> file thus gets older than
1417
1423
<command>$E4BCD_GNUTLS_PARAMS_MAXAGE</command>, the
1418
1424
cron job logs this to syslog and sends out a warning
1422
1428
</itemizedlist>
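Review bot: grammar in the context line 1421 inside this hunk: "If that process fails (maybe because your system being short of entropy)" should be "because your system is short of entropy". Worth fixing while the neighbouring line 1422 is being changed for markup.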
1504
1510
Since system accounts (mail, uucp, lp etc) are usually aliased
1505
1511
to root, and root's mailbox is usually read by a human, these
1506
1512
account names have started to be a common target for spammers.
1507
The Debian exim 4 packages have a mechanism to deal with this
1513
The Debian Exim 4 packages have a mechanism to deal with this
1508
1514
situation. However, since this derives rather far from normal
1509
1515
behavior, it is disabled by default.
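Review bot: wrong word at line 1514, which this hunk leaves unchanged: "this derives rather far from normal behavior" should be "this deviates rather far from normal behavior". Since line 1513 is already being rewritten for the "Exim 4" spelling, fix it in the same pass.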
1524
1530
<filename>/etc/exim4/lowuid_aliases</filename> is an alias
1525
1531
file that is only honored for local accounts with UID lower
1526
1532
than FIRST_USER_UID. If you define an alias for such an
1527
account here, incoming e-mail is processed according to the
1533
account here, incoming mail is processed according to the
1528
1534
alias. If you alias the account to itself, messages are
1529
1535
delivered to the account itself, which is an exception to the
1530
1536
rule that messages for low-UID accounts are rejected. The
1537
1543
Sometimes, it might be desireable to be able to bypass local
1538
1544
routing specialities like the alias file or a user-forward
1539
file. This is possible in the Debian exim4 packages by
1545
file. This is possible in the Debian Exim4 packages by
1540
1546
prefixing the account name with "real-". For a local account
1541
1547
name "foo", "real-foo@hostname.example" will result in direct
1542
1548
delivery to foo's local Mailbox.
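Review bot: the spelling change at new line 1545 introduces "Exim4", but the same patch standardises on "Exim 4" with a space at lines 1513, 1565 and 1842; pick one form. In the same region: "desireable" at line 1543 should be "desirable", "routing specialities" at line 1544 reads better as "routing special cases", and "local Mailbox" at line 1548 should be lowercase "mailbox".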
1547
1553
messages delivered from remote as well, set the Exim macro
1548
1554
COND_LOCAL_SUBMITTER to true. If you do not want this at all,
1549
1555
set the macro to false. Please note that the userforward
1550
router uses this feature to get error messages (notifying the
1551
user of a syntax error in her .forward file) delivered.
1556
router uses this feature to get error messages delivered, i.e.
1557
notifying the user of a syntax error in her
1558
<filename>.forward</filename> file.
1554
1561
<section> <title>Using more complex deliveries from alias files</title>
1556
1563
Delivery to arbitrary files, directory or to pipes in the
1557
<filename>/etc/aliases</filename> file is dsabled by default
1558
in the Debian exim 4 packages. The delivery process including the
1564
<filename>/etc/aliases</filename> file is disabled by default
1565
in the Debian Exim 4 packages. The delivery process including the
1559
1566
program being piped to would run as the exim admin-user
1560
1567
Debian-exim, which might open up security holes.
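Review bot: beyond the "dsabled" typo fix at new line 1564, the list at line 1563 is not parallel: "Delivery to arbitrary files, directory or to pipes" should be "Delivery to arbitrary files, directories or pipes". The rationale at 1566-1567 (a piped program would run as the Debian-exim admin user) is the security point of the section; keep it as explicit as it is.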
1565
1572
package maintainers would like to suggest using a dedicated
1566
1573
router/transport pair to invoke local processes for mail
1567
1574
processing. For example, the Debian mailman package contains a
1568
<filename>/usr/share/doc/mailman/README.EXIM</filename> file
1575
<filename>/usr/share/doc/mailman/README.Exim4.Debian</filename> file
1569
1576
that gives a good example how to implement this. Using a
1570
1577
dedicated router/transport pair have the following advantages:
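Review bot: two grammar issues remain in the context lines of this hunk after the README filename update at new line 1575: line 1576 "a good example how to implement this" should be "a good example of how to implement this", and line 1577 "Using a dedicated router/transport pair have the following advantages" needs "has".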
1641
1648
rmail is the oldest way to transfer mail to a remote system.
1642
1649
However, today it is normally required to use addresses with
1643
full domains for that (well, they look like any normal address
1644
for you, and we don't tell about the other way to not confuse
1650
full domains for that (Well, they look like any normal address
1651
for you, and we do not tell about the other way to not confuse
1645
1652
you ;). If you want this, you can use this transport:
1647
1654
<programlisting>
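Review bot: the change at new line 1650 capitalises "Well" inside a parenthetical that sits mid-sentence ("full domains for that (Well, they look like any normal address"), which is a regression from the lowercase original; keep "well". Line 1651, "we do not tell about the other way to not confuse you", is still awkward; suggest "we do not mention the other way, so as not to confuse you".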
1770
1777
<command>eximconfig</command> on Exim 3 installation. These
1771
1778
answers are then taken as default values for the debconf based
1772
1779
configuration process. Be warned! <command>eximconfig</command>
1773
from the Exim 3 packages doesn't record the explicit answers
1780
from the Exim 3 packages does not record the explicit answers
1774
1781
given on Exim 3 configuration. So we have to guess the answers
1775
1782
from the Exim 3 configuration file
1776
1783
<filename>/etc/exim/exim.conf</filename>, which is bound to fail
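Review bot: missing article in the context line 1777 of this hunk: "<command>eximconfig</command> on Exim 3 installation" should be "on an Exim 3 installation".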
1792
1799
If you have used a customized Exim 3 configuration, you can of
1793
1800
course use <command>exim_convert4r4</command>, and install the
1794
1801
resulting file as <filename>/etc/exim4/exim4.conf</filename>
1795
after careful inspection. Exim4 will then use that file and
1802
after careful inspection. Exim 4 will then use that file and
1796
1803
ignore the file that it generated from the debconf
1797
1804
configuration. To aid future updates, we do, however, encourage
1798
1805
you not to use the
1805
1812
<section> <title>PAM</title>
1807
1814
PAM: On Debian systems the PAM modules run as the same user
1808
as the calling program, so they can't do anything you
1809
couldn't do yourself, and in particular can't access
1815
as the calling program, so they cannot do anything you
1816
could not do yourself, and in particular cannot access
1810
1817
<filename>/etc/shadow</filename> unless the user is in group
1811
1818
shadow. - If you want to use
1812
1819
<filename>/etc/shadow</filename> for Exim's SMTP AUTH you
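Review bot: the "PAM:" prefix at line 1814 duplicates the section title <title>PAM</title> at line 1812 and can go, and the dangling " - " at new line 1818 ("shadow. - If you want to use") should be a sentence or paragraph break rather than a dash. The substantive point of the passage (PAM modules run with the caller's privileges, so /etc/shadow is unreadable unless the user is in group shadow) is the security-relevant content here; keep it prominent.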
1818
1825
<section> <title>Account name restrictions</title>
1820
1827
In the default configuration, Exim cannot locally deliver
1821
e-mails to accounts which have capitals in their name. This is
1828
mail to accounts which have capitals in their name. This is
1822
1829
caused by the fact that Exim converts the local part of incoming
1823
e-mail to lower case before the comparision done by the
1830
mail to lower case before the comparision done by the
1824
1831
check_local_user directive in routers is done.
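Review bot: "comparision" at new line 1830 is misspelled in both the old and the new text; fix it to "comparison" while the line is being touched. The sentence across lines 1830-1831 also doubles "done" ("before the comparision done by the check_local_user directive in routers is done"); suggest "before the comparison done by the check_local_user directive in routers."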
1833
1840
<section> <title>No deliveries to root!</title>
1835
No Exim4 version released with any Debian OS can run
1842
No Exim 4 version released with any Debian OS can run
1836
1843
deliveries as root. If you don't redirect mail for root via
1837
1844
<filename>/etc/aliases</filename> to a nonprivileged
1838
1845
account, the mail will be delivered to
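Review bot: inconsistency with the rest of this patch at line 1843: "If you don't redirect mail for root" keeps the contraction, while the patch expands "don't" to "do not" everywhere else (lines 1053, 1651, 1780). Expand it here too.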