Original installation instructions

First of all, this is really just a composition of the links which I list at the bottom.

Goals

• Exim 4 on a debian 5.0 (6.x) virtual machine
• DoveCot as IMAP-Server
• SquirrelMails as WebInterface via self signed SSL
• The whole thing for two domains at once

Exim 4

apt-get install exim4-daemon-heavy eximon4 exim4-doc-info gnutls-bin openssl file libmail-spf-query-perl swaks bsd-mailx ca-certificates
dpkg-reconfigure exim4-config

• ::1 is 127.0.0.1 in ip6
• not mbox but maildir!
• split files

• Error: socket bind() to port 25 for address ::1 failed: Cannot assign requested address: daemon abandoned
  • redo "dpkg-reconfigure exim4-config" but don't use ::1

• Test the server with

echo "hello" | mail -s "a test email" yourMail@yourDomain.com

• Read mail with

mail

TLS for SMTP

• install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl

apt-get install openssl swaks libnet-ssleay-perl

• create the certificat (change DAYS depending on your wishes)

/usr/share/doc/exim4-base/examples/exim-gencert

• create file /etc/exim4/conf.d/main/001_local with

MAIN_TLS_ENABLE = 1

• test the server with

swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost

DoveCot

• Install it

apt-get install dovecot-imapd

• edit /etc/dovecot/dovecot.conf

protocols = imap sieve
mail_location = maildir:~/mail

• and perhaps, not sure about it

# Number of authentication processes to create
count = 1

This will set ~/mail/ as the directoy for the mail

• require ssl in conf.d/10-ssl.conf

ssl = required

LDA

Search for "protocol lda" and enable the following code

grep -r lda /etc/dovecot/*

protocol lda {
 postmaster_address = postmaster@<yourDomain.com>
 mail_plugins = sieve
}

Disable plaintext authentication

Uncomment

#disable_plaintext_auth = yes

Enable the authenticator socket

Look for this line in the default configuration, and uncomment the socket section below it.

  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
    }
    client {
      path = /var/run/dovecot/auth-client
      mode = 0666
    }
  }

• restart dovecot

Create a Dovecot transport for Exim

• create /etc/exim4/conf.d/transport/20_dovecot

dovecot:
  driver = pipe
  command = /usr/lib/dovecot/deliver
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

Configure Exim to use the Dovecot transport for local deliveries

I am not sure about this. I think you should not use it !

• edit /etc/exim4/conf.d/router/900_exim4-config_local_user

change

transport = LOCAL_DELIVERY

to

transport = dovecot

• edit /etc/exim4/conf.d/auth/30_exim4-config_examples (or if know where to do it right...) and add

plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

• make sure other plain/login sections are disabled

Apache 2

• install it

apt-get install apache2 apache2-doc

• enable SSL

a2enmod ssl

• diable http site

a2dissite default

• enable https site

a2ensite default-ssl

• Edit the file /etc/apache2/ports.conf. Comment out the following two lines:

NameVirtualHost *:80
Listen 80

• edit /etc/apache2/sites-available/default-ssl

from

<VirtualHost _default_:443>

to

<VirtualHost *:443>

• set the ServerName sub.domain.xx (/etc/apache2/sites-available/default-ssl)
• restart apache
• connect to https://domain (don't forget your firewall)

Point to new certs

edit /etc/apache2/sites-enabled/default-ssl (or whatever you use) change

SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

to

SSLCertificateFile   /etc/exim4/exim.crt
SSLCertificateKeyFile /etc/exim4/exim.key

Configure Apache to authenticate local users (not working for Debian 5 - only from 6 !)

• install it

apt-get install libapache2-mod-authnz-external

• activate it

a2enmod authnz_external

Edit /etc/apache2/sites-available/default-ssl and add a block like this near to the top. (There's a full example configuration file you can see below).

AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe

        <Location />
                AuthBasicProvider external
                AuthExternal pwauth
                AuthName Hinterlands
                AuthType basic
                Require valid-user
        </Location>

Restart Apache and reload the page you visited before, and you should now be prompted for your username and password. Everything transmitted is encrypted, so you should feel reasonable secure in sending your credentials along, browsers caches and password managers excepted.

SquirrelMail

• install it

apt-get install squirrelmail squirrelmail-secure-login squirrelmail-compatibility squirrelmail-decode avelsieve wngerman wamerican-large php-gettext php-xml-parser aspell spellutils emacsen-common php5-mhash aspell-doc ispell

• check /usr/share/squirrelmail/plugins/secure_login/functions.php ca. line 391, look for code like

if ( $serverPort == $targetHttpsPort && $secure_logoff_count == 0)

below that look for

 $location = 'http:// ....

If you find it, replace it with https. (It seems to be fixed now)

• call /etc/squirrelmail/conf.pl

Options you will definitely need to change are:

(Options are listed by main menu, then sub menu number. So "1 1" refers to option 1, sub option 1. And so on.)

• 1 1 - Set your own organisation name.
• 2 3 - SMTP
• 2 A 4 - localhost
• 2 A 5 - 993
• 2 A 6 - login
• 2 A 7 - true
• 2 A 8 - dovecot

• continue like here: http://wiki.andreas-duffner.de/index.php/Web-Client_SquirrelMail

Plugins

• get new plugins from [1] and unzip them to /usr/share/squirrelmail/plugins/

and activate them with

/etc/squirrelmail/conf.pl

Check in /etc/php5/apache2/php.ini:

• post_max_size
• upload_max_filesize

Tests

openssl s_client -connect 127.0.0.1:993 -showcerts
echo "hello" | mail -s "a test email" yourMail@yourDomain.com
swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost

pk12

• create a pk12 key:

openssl pkcs12 -export -in /etc/exim4/exim.crt -inkey /etc/exim4/exim.key \
 -out <your-domain>.p12 -name "<something to recognize>"

Thunderbird

Perhaps you will have to give Thunderbird wrong data when you create the account. Tell him the real ports, but protocols and passwords are plain. No idea, why I had to do that.

Spam Assassin

the following is from sysadmin world

• install spamassassin and the exim filter

apt-get install sa-exim  spamassassin

• start on each boot: /etc/default/spamassassin

ENABLED=1 

• start

service spamassassin start

• in /etc/exim4/exim4.conf.template at the top in MAIN CONFIGURATION SETTINGS add:

local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so

• enable the connector in /etc/exim4/sa-exim.conf. Please be careful, there are some lines with SAEximRunCond but only one with SAEximRunCond: 0. Comment this line out.

#SAEximRunCond: 0 

Logging:

SAEximDebug: 0

• activate changes in /etc/exim4/exim4.conf.template

/usr/sbin/update-exim4.conf 

• restart exim

/etc/init.d/exim4 restart

Dovecot certificate recreate

• create key

openssl genrsa -out /etc/ssl/private/dovecot.pem 1024

• create cert

openssl req -new -x509 -key /etc/ssl/private/dovecot.pem -out /etc/ssl/certs/dovecot.pem -days 4500

Outlook

In the dovecot config file make sure you have allowed "login"

mechanisms = plain login

Links

• Handling mail for multiple virtual domains with exim4
• DebianEximDovecotSquirrelmailSieve - Hinterlands
• Integrating SpamAssassin with Exim4
• How to renew the SSL certificate for dovecot on Ubuntu Linux
• Debian mit Postfix und Dovecot mag Outlook nicht

New installation instructions (Debian 7 Wheezy) work in progress (again)

Goals

• Using Debian 7 Wheezy
• Exim 4 as mail server
• Using self created certificate
• Dovecot for imap access
• (todo) SquirrelMail as web client
• (todo) SpamAssassin for spam filtering
• Access from
  • (todo) Thunderbird
  • (todo) Outlook (which one?)
• (todo) Backup of mails to a different system

Exim 4

install

We will use the heavy version to be able to later integrate SpamAssassin.

apt-get install exim4-daemon-heavy

If you can start programs with X-Server, you would like to get geximon:

apt-get install geximon xauth

Remember to ssh with "-X" or "ForwardX11 yes" in your config

paniclog

If you get paniclog entries like "address already in use", find out about the other process with

netstat -lnp | grep 25

Chances are, it is something about sendmail. Do

which sendmail

and "ls -l" on the result like

ls -l /usr/sbin/sendmail

or just (ticks, not single quotes)

ls -l `which sendmail`

Chances are, it is a link to exim4 and the installation went wrong. Happens every time for me. Remove the paniclog and restart the server. Check the log /var/log/exim4/mainlog

If it is not the above, perhaps you need to remove the sendmail(-bin) package.

validating

Have a look at the ports:

netstat -apn | grep exim

If you have exim4 listen on port 25, you should be ok.

• add at least one local user so you can set him as receiver for postmaster etc in the next step

Now you should reconfigure exim4

dpkg-reconfigure exim4-config

• internet site
• accept the domain name if you don't know better
• IP addresses to listen to:
  • leave this empty ore make sure you include the external ip
  • ::1 the IP6 variant, if you keep this empty, don't bother now
• final destination: your domains
• domains to relay for: normally none (empty)
• machines to relay for: normally none (empty)
• DNS queries minimal: your choice (default: no)
• delivery method: maildir in home directory
• split: your choice (default: no) The main difference is, where will you later put your modifications
  • non-slit: /etc/exim4/exim4.conf.localmacros
  • split: /etc/exim4/conf.d/main/000_localmacros
• root/postmaster: select the above created user, should really read his mail

Now send a mail:

echo Hello You | mail <user>@<OTHER-domain> -s test-1

You should receive the mail at your account at the OTHER domain.

open firewall

If you have a firewall, open it for incoming at port 25. For example ufw:

ufw allow smtp

or firehol in /etc/firehol/firehol.conf

server smtp accept

TLS for SMTP

• install openssl (for certificate) and swaks (for tests) and libnet-ssleay-perl

apt-get install openssl swaks libnet-ssleay-perl

• edit the cert creation script, check at least the DAYS value. 7300 would be 20 years.

vi /usr/share/doc/exim4-base/examples/exim-gencert

• execute the script

/usr/share/doc/exim4-base/examples/exim-gencert

• create file /etc/exim4/exim4.conf.localmacros (non-split!) with

MAIN_TLS_ENABLE = 1

• reload exim

/etc/init.d/exim4 reload

• test it locally

swaks -f yourMail@YourDomain.com -t yourMail@YourDomain.com -tls -s localhost

• What would be bad:

Host did not advertise STARTTLS

DoveCot

• allow in your firewall, for example for ufw

ufw limit imap

or for firehol in /etc/firehol/firehol.conf

server imap accept

Don't forget

firehol start

• install it

apt-get install dovecot-imapd

• first test (look for "Dovecot ready")

telnet localhost 143

• remote test (look for "Dovecot ready") from another computer

telnet <domain> 143

• remote tls test

openssl s_client -connect <domain>:143 -starttls imap