On server.africafocus.org

Great new acl directive
    logwrite = message
but only available for some version of Exim after 4.67.

IMPORTANT:  Make sure all user .forward files are go-w.

Definition-wise "envelope settings" are the From and "mail to" settings,
not the ^name: settings inside the message "data".

pipe programs by default get path of just /usr/bin.
Pipes do not suffer from the permission problems due to hitchpost files.
Just set user, group and path for the address_pipe transport and you're all set.
Same as for Sendmail, the receiving program gets exactly what you see in
a normal mailx folder:  From /^From / to terminating blank line, with \n
line terminators (not \r\n).
IMPORTANT!!! Remove quotes from around pipe commands.  Use quotes only
to preserve white space in arg(s).
FOR THIS REASON, PIPE COMMANDS WITH ANY ARGS ARE NOT INTER-COMPATIBLE 
BETWEEN EXIM AND SENDMAIL (may be if you turn on shell comd option, but 
that is insecure).

N.b. aliases only applies to local deliveries.
If criteria of a dnslookup or send_t_smart_host router apply (usually by
virtue of a 'domains' specification) then aliases will not be applied.
IMPORTANT!  Since my exim config strategy is that unqualified recipient
names default to @admc.com, this means that target addrs in /etc/mail/aliases
must have a specified @ domain unless you want them to route to x@admc.com.
For a target addr that recurses to another alias you should use
referring@localhost.

STRATEGY:  Set user and group for the pipe and file transports for
system aliases, but leave them unset for user forwards.
(I don't remember if I set user and group for system aliases or if
the exiscan build for Linux did that for me).

.forward files in general:  Each line contains one command, where each
command is an absolute filename, email addr, or pipe command, just like
comma-separated commands in a single aliases file).


EXIM ALGORITHM:
    During message receipt, run the ACLs to see whether to accept it.
    If accepted, write the H and D spool files in /var/spool/exim/input dir.
    Either right after it's written, or at retry times, the routers are
     tried if the message is ripe for a send attempt.
    Routers invoke transports.

Make sure Sendmail queue was empty.
Turned off Sendmail startup in /etc/rc.conf.
Killed Sendmail processes.
Edit /etc/mail/mailer.conf according to exim according to Exim Spec doc.


host_reject_connection is a list in the Main configuration section, 
not an ACL.  For some reason they say it's usually better to deny
hosts latter.

\N...\N escapes string expansion.


exim_user:  Specified at build time and, when "configure" is built,
exim_user (and exim_group) settings are written to "configure".  The
docs have zero documentation about using or changing this setting in
"configure".  They speak of it only as a built-time setting.
The run-time "configure" file must be owned as exim_user or root.
Some binary runs chuser to exim_user.
The first means that exim_user should be a priviliged user, the latter
means that exim_user should be a non-privileged user.
IMO, best policy is to make it a non-privileged user and have root
own the "configure" file.



LOOKUPS

Lookup types are either "single-key" or "query style".  I'm not doing query 
style.
Single-key types: dsearch, lsearch, [many others].

lsearch data files:
    Like a property file (if data begins with ":", : delim must also follow key)
    Leading white-space for continuation lines.
    # comment
    Blank lines ignored
    Key of "*" is for defaults (looked up by specify s-k type of type*).

Partial matching.  Not always available.  Looks in data file for "*." + partial,
where partial is >=X trailing components of key (where X defaults to 2).
    *.dates.fict.example would match x.dates.fict.example + dates.fict.example.
    Invoke with sk-type of partial-type
    By default, requires minum comp-length of 2: *.onecomp.twocomps.

${lookup{key}lsearch{file}{successret}{failret}}

${lookup{akey}lsearch{/a/file} =>   LIST FROM VALUE OF akey IN /a/file
 (Values are string-expanded)

????:   /a/file > LIST FROM /a/file      Does this work?

lsearch;/a/file =>  LIST OF KEYS IN /a/file


LISTS:  List of items to compare a given key against.
Lists are used by Exim accoring to the list name in the Main configuration
section.  Other lists are arguments to commands within ACL definitions
(accessed like +listname).
List types.  Each item in a list is a comparison expression, not a static 
constant.
    domain
    host
    address
    local part
All "items" in the list beginning with a / are file paths.  File paths 
are read just like you would want, with #comments and blank lines ignored.
    \s*:\s* is normal delimiter:  Can use X as delim like: <X LIST
    ^ indicates beginning of a regex.
    Example:
    deny senders = \N^\d{8}\w@.*\.baddomain\.example$\N :
         ${lookup{$domain}lsearch{/badsenders/bydomain}}

ACLs
Each ACL is evaluated at a specific point in the SMTP conversation.
Which ACL is called when is clearly listed in the Spec sect. 37.2.
acl_smtp_connect.

    ACLs with any names are "defined" in the ACL section of the cfg file.
    ACLS are activated with the "acl_not_smtp" and acl_smtp_*" commands in
    the main section of the cfg file.
    Some acl_smtp_*'s are set to deny by default, including acl_smtp_rcpt,
     therefore you must set acl_smtp_rcpt in order to not deny all smtp traffic.
    If an acl is specified as /a/file, the file contains an ACL definition, 
     not a list.


configure file
==============
Normal setting names are all lowercase.
Use double-quotes to use character sequences like \n in strings.

.include filename
# Macro names MUST begin with capital letter.
MACRONAME = macrovalue  (in main section of cfg file).
.ifdef MACRONAME
.else
.endif


When testing source host against the relay-from hostlist, the host
name is the one from reverse lookup, not the one in EHLO.

N.b.  BEWARE.
If any host name in a host list fails to resolve, the lookups croak.
I guess you have to use IP addrs if any hostname lookup could EVER
fail.???

As the docs say, lookup files really are re-read for each request.
(But not for multiple lookups during one SMTP connection).


SPAM ASSASSIN
Install Exim-SA from http://marc.merlins.org/linux/exim/files/sa-exim-current.tar.gz.
It scan's email during receipt with a local_scan function.
Follow installations in the INSTALL file, but EDIT the supplied
.c file to fix SPAMASSASSIN_CONFIG (or figure out where to set the
compiler -D optionfor it).
Do change settings in the sa-exim cfg file to disable permanent
and temp rejects.

Have to figure out how to do a "build" of Exim on OpenBSD, since
you must put a file into place and edit the Makefile.



COMPLAINT:  No way to specify a port other than smtp/25 for
target mail hosts.
Yes sir.  You set it in the transport or something.


PROCMAIL ON LINUX (when run by root) USES DOT LOCKING, so definitely
leave use_lock on (Exim defaults to both use_lockfile and use_fcntl_lock on).


Unlike Sendmail, permits sender addrs beginning with /
Unlike Sendmail, prohibits sender addrs containing *


CONFIGURATION
Do exclude any non-internet-routable IPs from host_lookup, because the
reverse IP lookup is done immediately after SMTP connection.
For unknown reason, it's not using the local resolv.conf (because my
reverse lookups work from there).  (Nothing in Exim spec about adjusting that).

FOR Sendmail + Exim RPM co-existence.
Set "group" to mail and "mode to 0660 for both local_delivery appendfile 
and address_file appendfile.
Set "user" to mail for the appendfile.
Set "mode_fail_narrower" = false for both appendfiles, so that folders
 created by Sendmail first are usable by Exim.
(I have perms of 
drwxrwsr-x    3 root     mail         4096 Dec 13 12:49 /var/spool/mail
)

IMPORTANT SETUP ITEM
Must track down every /etc/aliases /file/path and make sure that mail:mail
has permissions to write the hitchpost file in the destination dir.

CONSIDERATIONS ABOUT ACCIDENTALLY DOING LOOKUPS OR WILDCARDS IN LISTS
Prohibited in email addresses
    spaces
Do have to worry about
    ; (used in lookups)
    leading "
    leading *
    leading /
    leading ^
    "

EXIM STRING EXPANSION
This is not about the special characters in ^reges /filepath *wildcard.
It is only about using $variables, ; lookups and \x escape sequences.
Escape these with \$ and \x, or surround with \N... \N.
... but sec. 6.12 says that you need double-quotes to use \escape sequences.
I "think" the only reason to ever need double quotes if for leading or
trailing white space.



Do copy in comments from my Exim *.list files.


Before using Exim, set an alias from root and postmaster to some 
regular user (or /file), since Exim doesn't deliver to root 
(see never_users setting) and postmaster is used for lots of stuff.

TODO:  Test $ in addresses.

TODO:  Read on Exim string expansion

domains applies to domain part of recipient address
local_parts applies to mailbox part of recipient address
senders applies to the entire SMTP envelope FROM address

Can negate any conditions or list elements by putting ! before them.

clamd must run with privileges to update files under
/var/exim/spool/scan.
Make sure to set perms of /var/log/freshclam.log to be writable to the clam
user.

SSL cert must be readble by Exim configuration User

Don't forget to either set t bit for /var/spool/mail, or set group sticky
and set Exim group and perm options.

ACLs:  Default action for undefined ACL's varies, but default action for
defined ACLs is always deny (with a default message).  To use your own
message, give your own deny action at the end.

There is no uninstall Makefile target nor script.  Therefore, if you don't
use an OS packaging facility, you're on your own for de-installations.

EXISCAN:
    Works great!
    Building:
        Extract normal Exim tarball.
        Apply patch from inside base directory (not BASEDIR/src).
        Install Exim as normal.
    RPMS.  Have RPMs for MANY Linux versions and Exim versions.
        See my exiscanrpms.txt (just the readme from the ftp site).
        Install "exim" (support package) and exim-base RPMs
            Latter has SSL and Tcp Wrappers but also LDAP :().
            Contents of exim-base.rpm: /usr/sbin/exim (sym link), exim-base.
            Also have exim-mon and exim-doc.
        Must give "--replacefiles" switch to install if sendmail is still
         installed (because both deliver an /etc/aliases file).
        Init script says that config file is /etc/exim/exim.conf, but the 
         RPM actually uses /etc/exim/exim4.conf.
        Due to TCP Wrappers support, must add entry for "exim" in hosts.allow.
        After install RPM, you must define macro SYSTEM_ALIASES_FILE to the 
         real path in /etc/exim/exim4.conf.
        (See section above, "FOR Sendmail + Exim RPM co-existence.").

CONVENTIONS.  This sectin obsolete.
    We follow the Exiscan rpm conventions.
    Creates an "exim" user and group.
    All the log and spool stuff has ownership exim:exim (but not pid or lock).
    /etc/exim/exim4.conf  (Not incorrect comment in supplied init script)
    /etc/aliases (delivered one is a normal Berkeley one, noting Exim-specific)
    /etc/sysconfig/exim  (just like Sendmail's sysconfig file)
    /usr/sbin/exim  (sym link to exim-base)  (runs as exim:exim)
    /usr/share/doc/exim-*  (has normal dist docs, not HTML docs)
    /var/log/exim
    /var/spool/exim
    /var/run/exim.pid  (writes as root)
    /var/lock/subsys/exim

SMTP FROM addresses beginning with \ work and both IMAP and mailx
as addresses.  \ is not interpreted specially by Exim, like \username 
in an aliases file.

I think that mailx and IMAP clients never show the SMTP enveloper FROM addr
unless there is no From: addr.


Turns out that you really must run 2 daemons to run TLS on one port
and non-TLS on another.  You can differentiate between incoming port,
you you can only advertise STARTTLS based on client host name :( .
So that the Linux "daemon" functions/scripts work, you have to make
a sym-link to the "exim" program so that the program name is ps is unique.
Make an /etc/sysconfig/eximtls that does not process the queue.  No
reason to have two daemons competing over the queue directory
(/var/exim/input).


AUTHENTICATION:
    Tbird seems to use AUTH PLAIN and sends no AUTH att w/ MAIL commands
    (therefore, $authenticated_sender is empty).
$authenticated_sender => Value of AUTH att of MAIL command (IMO useless
 since it is not verified in any way).
The server_set_id sets the $authenticated_id val, and what I use for 
 fixed_plain sets it to the user name that the client authenticates with.
Therefore, fuck using AUTH att of MAIL.  Just authenticate and send as
 usual.


Sending email with 'exim' directly (exactly same as if using 'sendmail' as MTA.
This is very similar to what I document in "tech/smtp.netcat" but is more
general in that it doesn't require any SMTP listener and routing/processing
behavior will obey the MTA config.
If no input redirection and just typing in stdin then skip the -i and you can
terminate message content with dot AND another blank line (why???).
-t says to derive recips from content To:, Cc:, Bcc: instead of command line.
You really should include a To: to satisfy agents, so just use -t.
[No command switch causes implicit -bm behavior].
--------------------
exim -i -t <<< 'From: Blainus Simpson <blaine.simpson@admc.com>
To: Blainus Aurelius <blaine@admc.com>, Blickus Mavicus <blaine.dev@gmail.com>
Subject: T13  otherword

c1
c2'
--------------------
or from file:  exim -i -t < /file/path.txt


RUN-TIME ADMIN
-C is a major pain in the ass to get to work usefully.
  Usually will want to just backup and update default config file.
  Fine for syntax checking "exim -bV -C /path" etc.  See section "SYNTAX CH..."
"exim -C /abs/path1.conf:abs/path2.conf"  Specify config file(s)
  Generally must be run as root (sudo fine) and file must only be writable to root.
  And for some reason even when run by root (from direct login or sudo),
   mail sent (like with -bm) will queue up but not transmite.  So can't test
   transmission part with -C.
   Therefore for submission with -C and transmit with default config file do:
     exim -C...; exim -qi
"exim -Mrm msgid1 msgid2..."   Remove messages from queue.
"exim -bp" list Queue.  With proper installation can use 'mailq', but more
  general and reliable to explicitly run "exim -bp" instead.
    "Delivered" recipients show up with a "D " before the addr.
By default "newaliases" == "exim -bi" is a no-op.
To specify specific message IDs:
    "exim -M msgid1 msgid2":  Attempts to send messages regardless of msg state.
    "exim -v -M msgid1 msgid2":  Same but shows communications.  Great!
    "exim -Mt msgid1 msgid2":  Thaws them (can then run "exim -q[f]").
    "exim -Mrm msgid1 msgid2":  Remove
Otherwise
    "exim [-v] -q" Sends all those ready.
    "exim [-v] -qf"  Sends all those but frozen.
    "exim [-v] -qff" Sends all.

    exim -Mvl ID:  view log
    exim -Mvb ID:  view body
    exim -Mvh ID:  view header
"exim -q[i][f][f]" to retry xmit queue.
    i: initial attempt only; 
    f: nonFrozens
    ff:  Force all
"exim -bt email@addr"  Test aliasing and routing.

eximon:  To close child windows, use the "Dismiss" buttons.  Otherwise
the entire eximon program will exit.
    Delivered recipients show up with a "* " before addr (like "D" with
    exim -bp").

VACATION
    Traditional vacation DOES NOT WORK from aliases file, because in that
     case "vacation" is invoked by the exim uid, so $HOME and pwd will be
     wrong and/or won't have permission to update or read the needed files.
    Way in fac works very badly.
        Traditional way is by using a pipe for the vacation program in user's
        .forward file.
        Easier to use generic router option "require_files" and "unseen"
        generic option.
        See Exim FAQ question about howto.
    Better is to just install vacation and set a .forward entry like this:
        \blaine, "|/usr/bin/vacation -t0 -a bsimpson blaine"
        (Just "|/usr/bin/vacation -t0 -a bsimpson blaine" to not keep a copy).
        manually make your $HOME/.vacation.msg file and run
         "vacation -I" (which latter just touches a file $HOME/.vacation.db).
        RTFM about switches for vacation.
    I did use the Exim filter "vacation" command, but it seems to want to
     use the vacation program's .vacation.msg file and ignore the
     filter file's message settings.  ???

Exim filter files kick ass.  Enable them with a single line in exim.conf.
    Separate doc file for user use of filter files.
    You can't "unset" "once" files, and once_repeat must be set to something
     with positive units (i.e., can't set it to 0, but can set it to 1s).

The filter variable $sender_address is the ^From address, not ^Sender:,
From:, etc.


EMAIL AUTH:
With md5 password auth turned on, I can't get from the md5 passwd + salt
to the md5 password in either base64 or hex encoding, as is required by
Exim crypteq() and as is returned by:
     3fc04b70ac1d0dc394db6f008ee203ae
     bifrost$ perl -we 'use Digest::MD5 qw(md5_hex);
         print(md5_hex("RealPwd")); print "\n";' > /tmp/it
I am left with no automatic way to generate a password map from /etc/shadow!!!


SYNTAX CHECKING CONFIG FILE:
    "exim -bV [-C /path/to/cfg]" does a limited and static check of the config file.
        It does list modules though.
    "exim [-C /path/to/cfg] -bh 127.0.0.1" recommended
    "exim [-C /path/to/cfg] -N"  recommended


See spam.txt for general information about SPF.  The following is about
 SPF on Exim.
SPF.  Follow instructions in http://www.libspf2.org/patch/25_exim4-config_spf .
To build libspf_alt, need a little work-around in "libtool" script.  Add:
    set -- "$@" -lresolv
Doc about SPF in Exim.  Mightily useful, even though libspf_alt is set up
 differently:  http://wiki.exim.org/SPF .
just for while running the "make" step.
ALSO:  Edit bin/spfd/spfd.c and change gLockFilePath.
(Add "/usr/local/lib" to LD_LIBRARY_PATH before running spfd.  Unnecessary?)
    Seems to just have taken a little while to update sys lib path).
apfd uses single-hyphens where it should use double, like:
    spfd -help
Requires /var/run/spfd.pid to be CREATABLE!!! Ug!
Even when run with "-path=/var/run/x", it uses an unspecified UNIX socket
 and addr localhost:5847.  "-path=" arg validates, but seems to do nothing.
-file=... works and causes to listen to specified UNIX socket.
N.b. there is a bug where you need to keep the filepath short here.
This works:  /var/spf/uskd.  This doesn't:  /var/spf/socket.
Get my init script "spdf".
The "dist" targets just make source distros, so they are no help for
 redistribution.
For binary redistro, it DOES NOT WORK to move the build directory and
 run "make install" on the target system.  It invokes "gcc" for some reason.
 tar up /usr/local/*/*spf* and extracting that on target.

PAM setup (AFTER PAM IS BUILT IN!!!):
http://www.tipcache.com/tip/Setup_SMTP_AUTH_and_TLS_with_Exim_8.html

BUILDING
I get the source rpm for target Linux distro.
With all Suse distros I've had, the rpms have no artifacts or comments
describing how they were build or with what options.  Basically, you're
on your own.
Just copy src/EDITMD to Local/Makefile and edit it up.  (and save a copy!)
Probably need pam-devel rpm for Pam support.
Need libdb-*-devel rpm installed.
Need to add tcpd-devel rpm for tcpd support.
Need to add libopenssl-devel rpm for TLS support.
Just run "make" (and "make install" if desired).  No "configure".
On OpenSUSE, you DO need to update EXIM_EXTRALIBS to support Tcpd and Pam:
    EXTRALIBS_EXIM=-lpam -lwrap

salslauthd  Giving it a try
WORKS GREAT:  http://wiki.exim.org/AuthenticatedSmtpUsingSaslauthd
As these docs imply, pam does not work,  Set SASLAUTHD_AUTHMECH to "shadow"
 (in /etc/sysconfig/syslauthd).
Contrary to cyrus-sasl-saslauthd man page, the default socket pat is
    /var/run/sasl2/mux, with the pid file (not /var/state/saslauthd/mux).
Contrary to the Wiki page above, you don't need to change dir perms or
 ownership.
DO NOT NEED TO OPEN PERMS ON /etc/shadow either.
I guess the OpenSUSE build of exim has
    CYRUS_SASLAUTHD_SOCKET=/var/run/sasl2/mux
since it somehow works correctly with default OpenSUSE saslauthd mux location.
I don't know why examples always give the "login:" stanza in the
 "authenticators" section.  Only the "plain:" stanza is needed.

@ = The name of the local host.


ENVELOPE SENDER:  Sender:

DEBUGGING / WORKING AROUND HOST TIMEOUT PROBLEMS
You can change the retry time with the exim_fixdb utility, but its interface is very clumsy. If you have a message for the host on the queue, the simplest thing to do is to force a delivery with the -M command line option. If delivery succeeds, the retry data will get cleared. If the host is past the cutoff time, so that messages are bouncing immediately without trying a delivery, you can use -odq to put a message on the queue without a delivery attempt, and then use -M on it.

exiqgrep is "Exim message queue display utility".
See http://bradthemad.org/tech/notes/exim_cheatsheet.php

Run "alternatives exim" to set as the default MTA.

If OpenSSL version doesn't have c_rehash program, run this instead:
openssl rehash

Client Cert setup
Regardless whether client certs are ca-authorized or self-signed, you must tell
  server which clients are authorized by the RELAY_FROM_CERTS checksum list.
  To determine hex string to put into the RELAY_FROM_CERTS list, tail the mail
  log when you try sending from that client ("exim -v -M ..." useful here).
If client certs are self-signed then you must stage all client cert files on
  server.  Run OpenSSL's c_rehash in that directory, and specify the directory
  in Exim tls_verify_certificates setting.
If client certs are ca-authorized then just ensure that the CA cert is
  included in a tls_verify_certificates setting.

Client Side setup for Host Cert for smarthost
Generally you require SSL for smarthost and  tell it what the smarthost is.
It will then require that the name in the host cert match specified smarthostname.
With a self-signed server cert you trust that cert.
For a CA-authorized server cert you trust just the CA cert.