~ubuntu-branches/ubuntu/precise/exim4/precise : revision 26

152

</variablelist>

153

</para>

154

<para>

155

Just apting the meta-package <command>exim4</command> will pull

155

Just apting the metapackage <command>exim4</command> will pull

156

in the other packages per dependency. You'll get an exim daemon

157

with minimal feature set (no external lookups).

158

</para>

545

</section>

546

<section><title>Delivery method for local mail</title>

547

<para>

548

Exim is able to store locally delivered email in

548

Exim is able to store locally delivered mail in

549

different formats. The most commonly used ones are

550

mbox and Maildir. mbox uses a single file for the

551

complete mail folder stored in /var/mail/. With

748

</para>

749

<para>

750

The access lists delivered with the exim4 packages also

751

contains quite a few configuration options that are too

751

contain quite a few configuration options that are too

752

restrictive to be active by default on a real-life site.

753

These are masked by .ifdef statements, can be activated by

754

setting the appropriate macros, and are documented in the

844

script prior to any operation that may invoke an exim process,

845

and gives an error message if the generated config file is

846

syntactically invalid. If you want to activate your changes to

847

files in conf.d/ just execute "invoke-rc.d exim4 restart".

847

files in conf.d/ just execute <command>invoke-rc.d exim4 restart</command>.

848

</para>

849

</section>

850

<section id="howto-change-config"><title>How do I do minor tweaks to the configuration</title>

850

<section id="howto-change-config"><title>How do I do minor tweaks to the configuration?</title>

851

<para>

852

Some times, you want to do minor adjustments to the Exim

853

configuration to make Exim behave exactly like you want it

908

<section id="completely-different-configuration"> <title>Using a completely different configuration scheme</title>

909

<para>

910

If you are an experienced Exim administrator, you might feel

911

like working with our pre-fabricated configuration

911

working with our pre-fabricated configuration

912

cumbersome and complex. You might feel right if you need to

913

make more complex changes and do not need to receive updates

914

from us. This section is going to tell how about how to use

914

from us. This section is going to tell about how to use

915

your own configuration.

916

</para>

917

<para>

935

you can either take

936

<filename>/etc/exim4/exim4.conf.template</filename>,

937

run <command>update-exim4.conf --keepcomments --output

938

/etc/exim4/exim4.conf</command>, or use Upstream's

938

/etc/exim4/exim4.conf</command>, or use upstream's

939

default configuration file that is installed as

940

<filename>/usr/share/doc/exim4-base/examples/example.conf.gz</filename>.

941

You're going to lose all magic you get from packaging

941

You are going to lose all magic you get from packaging

942

though, so you need to be familiar with Exim to build

943

an actually working config.

944

</para>

960

pre-fabricated, static config file to

961

<filename>/etc/exim4/exim4.conf</filename>. This is

962

considered bad advice by the Debian maintainers since

963

you're going to disable all updates and service magic

963

you are going to disable all updates and service magic

964

that Debian might deliver in the future this way. If

965

you do not know exactly what you're doing here, this

966

is a bad choice. We try to comment on external HOWTOs

972

</section>

973

<section> <title>Replacing exim4-config with your own exim4 configuration package.</title>

974

<para>

975

We have split off Exim's configuration system (debconf,

976

update-exim4.conf, and the files in

975

We split off Exim's configuration system (debconf,

976

<command>update-exim4.conf</command>, and the files in

977

<filename>/etc/exim4/conf.d)</filename> to a separate

978

package, exim4-config. If you want to, you can replace

979

exim4-config by something entirely different. The other

993

</simpara>

994

</listitem>

995

</itemizedlist>

996

Your package must provide an executable update-exim4.conf

997

that must be in root's path (/usr/sbin recommended). The init

996

Your package must provide an executable <command>update-exim4.conf</command>

997

that must be in root's path (<filename>/usr/sbin</filename> recommended). The init

998

script will invoke that executable prior to invoking the

999

actual exim daemon. If you don't need that script, have it exit 0.

999

actual exim daemon. If you do not need that script, have it exit 0.

1000

</para>

1001

<para>

1002

If you want to create your own configuration packages, there is a

1006

1007

The Exim 4 Debian svn repository holds sources for a

1008

exim4-config-simple package which contains a simple, not

1009

debconf-driven configuration scheme as example which can

1010

be used as template for a classical, exim4.conf based

1009

debconf-driven configuration scheme as an example which can

1010

be used as a template for a classical, exim4.conf based

1011

configuration scheme.

1012

</simpara>

1013

</listitem>

1017

exim4-config-medium package which contains the conf.d

1018

driven configuration of the main package with the

1019

debconf interaction removed. This can be used to create

1020

you own non-debconf configuration package that uses the

1020

your own non-debconf configuration package that uses the

1021

conf.d mechanism.

1022

</simpara>

1023

</listitem>

1024

1025

1026

Finally, you can invoke the script

1027

"debian/config-custom/create-custom-config-package"

1027

<filename>debian/config-custom/create-custom-config-package</filename>

1028

which will create a new source package

1029

"exim4-config-custom" with the debconf-driven config

1030

scheme of exim4-config for your local modification.

1032

</listitem>

1033

</itemizedlist>

1034

Please note that exim4-config-simple and

1035

exim4-config-medium are only targetet to be used as

1035

exim4-config-medium are only targeted to be used as a

1036

template. The configurations contained are not

1037

suitable for productive use. Of course, the Debian

1038

maintainers appreciate any patches you might find

1050

Exchanging the entire exim4-config package with

1051

something custom comes particularly handy for sites

1052

that have more than a few machines that are

1053

similarly configured, but don't want to use the

1053

similarly configured, but do not want to use the

1054

original exim4-config package. Build your own

1055

exim4-config-custom or exim4-config-foo, and simply

1056

apt that package to the machines that need to have

1084

the server Exim connects to offers it.

1085

</para>

1086

<para>

1087

This means that you won't need any special configuration if

1087

This means that you will not need any special configuration if

1088

you want to use TLS for outgoing mail. However, if your

1089

server setup mandates the use of client certificates, you

1090

need to amend your remote_smtp and/or remote_smtp_smarthost

1128

Outlook and Outlook Express, and Incredimail) insist on doing

1129

TLS on connect on Port 465. If you need to support these, set

1130

SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

1131

in /etc/default/exim4 and "tls_on_connect_ports=465" in the main

1132

configuration section.

1131

in <filename>/etc/default/exim4</filename> and

1132

"tls_on_connect_ports=465" in the main configuration section.

1133

</para>

1134

<para>

1135

The -oP is needed because Exim does not write an implicit pid

1162

GnuTLS does not support varying its Diffie-Hellman parameters.

1163

Therefore tls_dhparam settings are ignored in Exim's

1164

configuration file, and no dhparam file is generated by

1165

exim-gencerts. GnuTLS uses D-H parameters that are

1165

exim-gencerts. GnuTLS uses Diffie-Hellman parameters that are

1166

computed when they are needed. When someone sends STARTTLS,

1167

Exim will compute these parameters and then store these

1168

parameters in a cache file located in Exim's spool directory

1171

<para>

1172

The daily cron job and the script

1173

<filename>/usr/share/exim4/exim4_refresh_gnutls-params</filename>

1174

take care of new D-H parameters. If neither gnutls-bin nor

1175

openssl are installed, the gnutls-params file is removed and

1176

Exim re-generates the file on the fly during the next incoming TLS

1177

connection. Systems generating little entropy might hang in this

1178

situation after clients invoking a STARTTLS command.

1174

take care of new Diffie-Hellman parameters. If neither gnutls-bin

1175

nor openssl are installed, the <filename>gnutls-params</filename>

1176

file is removed and Exim re-generates the file on the fly during

1177

the next incoming TLS connection. Systems generating little

1178

entropy might hang in this situation after clients invoking a

1179

STARTTLS command.

1179

1180

</para>

1180

1181

<para>

1181

1182

To avoid this behavior, which can possibly lead to a DoS

1182

1183

condition, if the daily cron job finds openssl or gnutls-bin

1183

installed, it will regenerate the gnutls-params file outside

1184

of Exim and only replace the gnutls-params file after a new

1185

one has been successfully generated. If the new file

1186

generation does not finish after an hour, the process is

1187

killed to avoid sustained entropy depletion. If the

1188

gnutls-params file gets older than two weeks, the daily cron

1189

job starts sending out warning messages.

1184

installed, it will regenerate the

1185

<filename>gnutls-params</filename> file outside of Exim and only

1186

replace the <filename>gnutls-params</filename> file after a new

1187

one has been successfully generated. If the new file generation

1188

does not finish after an hour, the process is killed to avoid

1189

sustained entropy depletion. If the

1190

<filename>gnutls-params</filename> file gets older than two weeks,

1191

the daily cron job starts sending out warning messages.

1190

1192

</para>

1191

1193

<para>

1192

It is "more secure" when you have the gnutls-params file

1193

regenerated more often. You can delete it any time

1194

you wish without any need for synchronization. Exim will

1195

regenerate it automatically. Alternatively, you can manually invoke

1196

<command>/usr/share/exim4/exim4_refresh_gnutls-params</command>

1197

to re-generate the file.

1194

It is "more secure" when you have the

1195

<filename>gnutls-params</filename> file regenerated more often.

1196

You can delete it any time you wish without any need for

1197

synchronization. Exim will regenerate it automatically.

1198

Alternatively, you can manually invoke

1199

<command>/usr/share/exim4/exim4_refresh_gnutls-params</command> to

1200

regenerate the file.

1198

1201

</para>

1199

1202

<para>

1200

1203

NOTE! The fact that GnuTLS does not support generated

1225

1228

failures in Exim context. If Exim logs "not enough random bytes

1226

1229

available", or simply hangs silently when an encrypted

1227

1230

connection should be established, then Exim was

1228

unable to read enough random data from /dev/random to do whatever

1229

cryptographic operation is requested. Please check that

1230

your /dev/random device is setup properly.

1231

unable to read enough random data from

1232

<filename>/dev/random</filename> to do whatever cryptographic

1233

operation is requested. Please check that your

1234

<filename>/dev/random</filename> device is setup properly.

1231

1235

</para>

1232

1236

<para>

1233

1237

A process that regularly consumes a lot of entropy is the

1234

re-generation of the Diffie-Hellman parameters. See

1238

regeneration of the Diffie-Hellman parameters. See

1235

1239

<xref linkend="dhparams"/> for more information.

1236

1240

</para>

1237

1241

</section>

1353

1357

1354

1358

1355

1359

1356

It reads /etc/default/exim4, so you can use this

1357

file to change any of the variables used in the cron job.

1360

It reads <filename>/etc/default/exim4</filename>, so you

1361

can use this file to change any of the variables used in

1362

the cron job.

1358

1363

</simpara>

1359

1364

</listitem>

1360

1365

1382

1387

so existing issues will be reported daily until

1383

1388

either the paniclog is rotated due to its sheer

1384

1389

size, or you manually move it away, for example by

1385

calling logrotate -f /etc/logrotate/exim4-paniclog

1386

from a shell.

1390

calling <command>logrotate -f

1391

/etc/logrotate/exim4-paniclog</command> from a shell.

1387

1392

</simpara>

1388

1393

1389

1394

Just in case your system logs transient error

1390

1395

situations to the panic log as well (see, for

1391

1396

example,

1392

http://www.exim.org/bugzilla/show_bug.cgi?id=92),

1397

<ulink url="http://www.exim.org/bugzilla/show_bug.cgi?id=92">Exim Bug 92</ulink>),

1393

1398

you can configure

1394

1399

<command>$E4BCD_PANICLOG_NOISE</command> to a

1395

1400

regular expression. If the paniclog contains only

1400

1405

If you want to disable paniclog monitoring

1401

1406

completely, set <command>$E4BCD_WATCH_PANICLOG</command>

1402

1407

to no. <command>E4BCD_WATCH_PANICLOG=once</command> will

1403

rotate a non-empty paniclog automatically.

1408

rotate a non-empty paniclog automatically after sending out

1409

the warning e-mail.

1404

1410

</simpara>

1405

1411

</listitem>

1406

1412

1413

1419

If TLS is enabled, it regenerates the GnuTLS

1414

1420

parameter file. If that process fails (maybe because

1415

1421

your system being short of entropy), and the

1416

gnutls-params file thus gets older than

1422

<filename>gnutls-params</filename> file thus gets older than

1417

1423

<command>$E4BCD_GNUTLS_PARAMS_MAXAGE</command>, the

1418

1424

cron job logs this to syslog and sends out a warning

1419

e-mail to root.

1425

message to root.

1420

1426

</simpara>

1421

1427

</listitem>

1422

1428

</itemizedlist>

1462

1468

1463

1469

1464

1470

1465

Disable exim4's listening daemon by executing

1471

Disable Exim 4's listening daemon by executing

1466

1472

<command>update-exim4defaults --queuerunner

1467

1473

queueonly</command>

1468

1474

</simpara>

1504

1510

Since system accounts (mail, uucp, lp etc) are usually aliased

1505

1511

to root, and root's mailbox is usually read by a human, these

1506

1512

account names have started to be a common target for spammers.

1507

The Debian exim 4 packages have a mechanism to deal with this

1513

The Debian Exim 4 packages have a mechanism to deal with this

1508

1514

situation. However, since this derives rather far from normal

1509

1515

behavior, it is disabled by default.

1510

1516

</para>

1524

1530

<filename>/etc/exim4/lowuid_aliases</filename> is an alias

1525

1531

file that is only honored for local accounts with UID lower

1526

1532

than FIRST_USER_UID. If you define an alias for such an

1527

account here, incoming e-mail is processed according to the

1533

account here, incoming mail is processed according to the

1528

1534

alias. If you alias the account to itself, messages are

1529

1535

delivered to the account itself, which is an exception to the

1530

1536

rule that messages for low-UID accounts are rejected. The

1536

1542

<para>

1537

1543

Sometimes, it might be desireable to be able to bypass local

1538

1544

routing specialities like the alias file or a user-forward

1539

file. This is possible in the Debian exim4 packages by

1545

file. This is possible in the Debian Exim4 packages by

1540

1546

prefixing the account name with "real-". For a local account

1541

1547

name "foo", "real-foo@hostname.example" will result in direct

1542

1548

delivery to foo's local Mailbox.

1547

1553

messages delivered from remote as well, set the Exim macro

1548

1554

COND_LOCAL_SUBMITTER to true. If you do not want this at all,

1549

1555

set the macro to false. Please note that the userforward

1550

router uses this feature to get error messages (notifying the

1551

user of a syntax error in her .forward file) delivered.

1556

router uses this feature to get error messages delivered, i.e.

1557

notifying the user of a syntax error in her

1558

<filename>.forward</filename> file.

1552

1559

</para>

1553

1560

</section>

1554

1561

<section> <title>Using more complex deliveries from alias files</title>

1555

1562

<para>

1556

1563

Delivery to arbitrary files, directory or to pipes in the

1557

<filename>/etc/aliases</filename> file is dsabled by default

1558

in the Debian exim 4 packages. The delivery process including the

1564

<filename>/etc/aliases</filename> file is disabled by default

1565

in the Debian Exim 4 packages. The delivery process including the

1559

1566

program being piped to would run as the exim admin-user

1560

1567

Debian-exim, which might open up security holes.

1561

1568

</para>

1565

1572

package maintainers would like to suggest using a dedicated

1566

1573

router/transport pair to invoke local processes for mail

1567

1574

processing. For example, the Debian mailman package contains a

1568

<filename>/usr/share/doc/mailman/README.EXIM</filename> file

1575

<filename>/usr/share/doc/mailman/README.Exim4.Debian</filename> file

1569

1576

that gives a good example how to implement this. Using a

1570

1577

dedicated router/transport pair have the following advantages:

1571

1578

1640

1647

<para>

1641

1648

rmail is the oldest way to transfer mail to a remote system.

1642

1649

However, today it is normally required to use addresses with

1643

full domains for that (well, they look like any normal address

1644

for you, and we don't tell about the other way to not confuse

1650

full domains for that (Well, they look like any normal address

1651

for you, and we do not tell about the other way to not confuse

1645

1652

you ;). If you want this, you can use this transport:

1646

1653

</para>

1647

1654

1655

1662

</programlisting>

1656

1663

<para>

1657

1664

However, all recipients are handled via the command line, so

1658

you're discouraged to use it.

1665

you are discouraged to use it.

1659

1666

</para>

1660

1667

</section>

1661

1668

<section> <title>bsmtp/rsmtp</title>

1703

1710

<para>

1704

1711

You need a router to tell Exim 4 which mails to forward to

1705

1712

UUCP. You can use this one; please adopt the last line. Of

1706

course, it's also possible to send mail via more than one way.

1713

course, it is also possible to send mail via more than one way.

1707

1714

</para>

1708

1715

1709

1716

uucp_router:

1758

1765

1759

1766

<section> <title>Updating from Exim 3</title>

1760

1767

<para>

1761

If you use <command>exim4-config</command> from Debian, you'll

1768

If you use <command>exim4-config</command> from Debian, you will

1762

1769

get the debconf based configuration scheme that is intended to

1763

1770

cover the majority of cases.

1764

1771

</para>

1770

1777

<command>eximconfig</command> on Exim 3 installation. These

1771

1778

answers are then taken as default values for the debconf based

1772

1779

configuration process. Be warned! <command>eximconfig</command>

1773

from the Exim 3 packages doesn't record the explicit answers

1780

from the Exim 3 packages does not record the explicit answers

1774

1781

given on Exim 3 configuration. So we have to guess the answers

1775

1782

from the Exim 3 configuration file

1776

1783

<filename>/etc/exim/exim.conf</filename>, which is bound to fail

1792

1799

If you have used a customized Exim 3 configuration, you can of

1793

1800

course use <command>exim_convert4r4</command>, and install the

1794

1801

resulting file as <filename>/etc/exim4/exim4.conf</filename>

1795

after careful inspection. Exim4 will then use that file and

1802

after careful inspection. Exim 4 will then use that file and

1796

1803

ignore the file that it generated from the debconf

1797

1804

configuration. To aid future updates, we do, however, encourage

1798

1805

you not to use the

1805

1812

1806

1813

<para>

1807

1814

PAM: On Debian systems the PAM modules run as the same user

1808

as the calling program, so they can't do anything you

1809

couldn't do yourself, and in particular can't access

1815

as the calling program, so they cannot do anything you

1816

could not do yourself, and in particular cannot access

1810

1817

<filename>/etc/shadow</filename> unless the user is in group

1811

1818

shadow. - If you want to use

1812

1819

<filename>/etc/shadow</filename> for Exim's SMTP AUTH you

1818

1825

<section> <title>Account name restrictions</title>

1819

1826

<para>

1820

1827

In the default configuration, Exim cannot locally deliver

1821

e-mails to accounts which have capitals in their name. This is

1828

mail to accounts which have capitals in their name. This is

1822

1829

caused by the fact that Exim converts the local part of incoming

1823

e-mail to lower case before the comparision done by the

1830

mail to lower case before the comparision done by the

1824

1831

check_local_user directive in routers is done.

1825

1832

</para>

1826

1833

<para>

1832

1839

</section>

1833

1840

<section> <title>No deliveries to root!</title>

1834

1841

<para>

1835

No Exim4 version released with any Debian OS can run

1842

No Exim 4 version released with any Debian OS can run

1836

1843

deliveries as root. If you don't redirect mail for root via

1837

1844

<filename>/etc/aliases</filename> to a nonprivileged

1838

1845

account, the mail will be delivered to