This howto is for exim4 setup on Debian Sarge and is likely a bit dated by now.
It was a big process getting exim4 working on Debian. The main problem is that most of the howtos out there are for those wanting to use exim4 as a relay to send mail to their ISP, but I wanted my own mail server. So here is how I did it:
Install Exim4
Install exim4 and the heavy daemon, needed for authentication against system passwords.
apt-get install exim4 exim4-daemon-heavy
Then answer the following questions:
Split configuration: Yes #seems like the logical thing to do
General type of mail configuration: internet site #I can deliver mail myself
System Mail Name: northfolk.ca #what should be after @ in e-mails
IP addresses to listen on: #leave blank to listen for all addresses
Other destinations for which mail is accepted: northfolk.ca #probably not necessary if /etc/hosts is correctly configured, but I’ll be safe
Domains to relay for: #leave blank
Machines to relay for: 192.168.0.0/24 #I’ll relay for my local network without requiring authentication
Keep number of DNS-queries minimal: No #I’ve no idea what this means
Use Maildirs
Set exim to use maildirs (because I will also use Courier for imap access)
edit /etc/exim4/update-exim4.conf.conf
add the following line at the bottom:
dc_localdelivery='maildir_home'
Setup Authentication
I had the most difficulty here. /usr/share/doc/exim4-base/README.SMTP-AUTH has most of the necessary information:
Install sasl2 and add Debian-exim to the sasl group.
apt-get install sasl2-bin
adduser Debian-exim sasl
Then edit /etc/exim4/conf.d/auth/30_exim4-config_examples. Mine looks like this:
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_set_id = $2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
#
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don’t send system passwords over unencrypted connections
# server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
server_set_id = $1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
Generate a certificate by running
/usr/share/doc/exim4-base/examples/exim-gencert
Okay. That’s all fine, but here is what the document didn’t tell me:
edit /etc/default/saslauthd
# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="shadow"
The defaults for this file were to not run saslauthd automatically, and the authentication mechanism was set to pam. We need shadow, so either set it to shadow or add shadow to pam.
The other thing I needed to do was enable TLS (which is not enabled by default). The following will enable TLS and will only allow secure connections.
Create a new file /etc/exim4/conf.d/main/00_local
with the line:
MAIN_TLS_ENABLE = true
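A quick audit of the authenticator stanzas above, as an added example that is not part of the original howto or of the Debian exim4 packages: it lists every plaintext authenticator whose AUTH advertisement is not tied to $tls_cipher, which is the setting that keeps system passwords off unencrypted connections. The function name cleartext_auth, the sample text and the legacy_login_server stanza are constructed for illustration; the parser assumes only un-nested .ifndef blocks and treats any server_advertise_condition that mentions $tls_cipher as TLS-gated.

```python
# Constructed sample: this howto's two stanzas (abridged) plus a hypothetical
# third authenticator with no TLS gate, to show what a finding looks like.
SAMPLE = r"""
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
login_saslauthd_server:
  driver = plaintext
  public_name = LOGIN
  # server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
legacy_login_server:
  driver = plaintext
  public_name = LOGIN
"""

def cleartext_auth(config, macros=()):
    """Names of plaintext authenticators that are advertised without TLS."""
    stanzas, name, skip = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out options do not count
        if line.startswith(".ifndef"):
            # The block body is dropped when the macro is defined.
            skip = line.split()[1] in macros
        elif line.startswith(".endif"):
            skip = False
        elif skip:
            continue
        elif line.endswith(":") and line[:-1].isidentifier():
            name = line[:-1]          # start of a new authenticator stanza
            stanzas[name] = {}
        elif name and "=" in line:
            key, value = line.split("=", 1)
            stanzas[name][key.strip()] = value.strip()
    return [n for n, opts in stanzas.items()
            if opts.get("driver") == "plaintext"
            and "$tls_cipher" not in opts.get("server_advertise_condition", "")]

if __name__ == "__main__":
    print(cleartext_auth(SAMPLE))
```

Passing the macro name in macros shows the effect of defining AUTH_SERVER_ALLOW_NOTLS_PASSWORDS: every stanza loses its gate and is reported.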
Restart Services
/etc/init.d/saslauthd restart
/etc/init.d/exim4 restart
You’re Done!!!
And that’s it. It took me over a week to put all the pieces together (I hope I haven’t forgotten anything with this howto), but now you can do it in 10 minutes.
Hi Chris, your exim4 tutorial is nice. I was wondering if you could give me advice on a problem I am having? I have the domain coffshire.com and I wanted my server to get mail sent to @coffshire.com addresses. I set up everything like you did in your blog, but when I go to send mail to a user @coffshire.com from my school account, it tells me “553 sorry, relaying denied from your location”. I can send mail from my server, though, and it says I am root@coffshire.com (when logged in as root).
Do you have any ideas? Thanks!!
Chris, you don't know me but I'd like to thank you for the tutorial posted above.
It helped me a lot!
I used some information posted here for making one of my own, giving the credits, of course!
Thanks again! God Bless You!
Was setting this up for myself tonight… nearly all the details can be found in the official docs, but knowing the exact steps, and knowing to uncomment those two stanzas in /etc/exim4/conf.d/auth/30_exim4-config_examples would not have been my first guesses.
Thanks for the mini-howto, and being found for me via Google.
Nice howto, thanks for sharing. Note that for better security one could set up different passwords for mail and system users.
I noticed that on Debian etch your warning about the two lines to be added to enable the saslauthd daemon gets mentioned when you apt-get install it now.
* To enable saslauthd, edit /etc/default/saslauthd and set START=yes
so maybe they listened, or picked it up somewhere else