Monday, October 26, 2015

Configure Exim on Debian Wheezy

apt-get install exim4

To support recent iOS devices you need to generate a 2048-bit SSL certificate.

Add TCP port 587 to the listening ports by editing /etc/default/exim4.

To support local account authentication for SMTP over SSL on submission port 587, uncomment the saslauthd section, ref: https://wiki.debian.org/Exim

Exim defaults to IPv6 before IPv4. To ensure you can send mail to Gmail accounts and other systems, review Google's identification guidelines: https://support.google.com/mail/answer/81126?p=ipv6_authentication_error&rd=1#authentication

To disable IPv6:
    nano /etc/exim4/exim4.conf.template
        disable_ipv6 = true
    update-exim4.conf
    /etc/init.d/exim4 restart

Alternatively, you can leave IPv6 enabled and restrict DNS lookups to IPv4 records only:
    dns_ipv4_lookup = *

If receiving email from the Internet, greylisting is a fairly effective anti-spam technique. Install greylistd and adjust RetryMin to 60 (to minimise delays). Then use greylistd-setup-exim4 to change the netmask to 16, which minimises issues with mail from large organisations such as Google, Yahoo and ISPs that use multiple servers for sending.

To use SpamAssassin with Exim, the easiest way is to install exim4-daemon-heavy and spamassassin. The daemon-heavy package is required because it provides the exiscan-acl feature, which allows the message data to be scanned while it is being received. Copy the applicable block from here into exim4.conf.template: https://wiki.bitlair.nl/Pages/Projects/Mailserver_with_Debian,_Exim,_spamassassin,_greylistd,_DKIM,_SRS,_SPF,_DMARC,_forwarding,_LDAP,_dovecot,_LMTP,_disk_crypto#Exim_spamd_integration

If setting up a Backup MX, you will probably want to create a file containing the list of email addresses to accept mail for, since they are not local users. Be aware there is a bug in exim4.conf.template if you use CHECK_RCPT_LOCAL_ACL_FILE: update-exim4.conf will insist you use an ACL name in the file, but that causes acl_check_rcpt to return an implicit deny, stopping all incoming email because processing no longer reaches the accept at the end of that ACL. Instead, just add the deny line into the template near that section. E.g.:
deny
 message = That user is not in my list.
 !recipients = /etc/exim4/recipients_whitelist





Sunday, October 25, 2015

Run your own DynDNS server on Debian Linux

This outline assumes you own a domain and manage its DNS servers, running Debian Wheezy or Jessie with:

  • bind9 for DNS
  • lighttpd as the web server
  • php5

apt-get install bind9
 - configure your zone.

apt-get install lighttpd php5-cgi

Configure SSL:
 lighty-enable-mod ssl
 openssl ...


Configure authentication:
 lighty-enable-mod auth
 # htdigest format is user:realm:MD5(user:realm:password)
 echo "username:realm:$(printf '%s' 'username:realm:password' | md5sum | cut -b -32)" >> /etc/lighttpd/.htpasswd/htdigest.user

Enable PHP:
 lighty-enable-mod fastcgi
 lighty-enable-mod fastcgi-php

Configure Virtual Hosting:
 lighty-enable-mod simple-vhost
 mkdir -p /srv/yourdomain.com/htdocs/update

Copy nsupdate.php from:
 https://github.com/chip-rosenthal/web-nsupdate

Modify nsupdate.php so that it runs nsupdate in local mode:
 nsupdate -l

Allow www-data to read the session key to perform updates:
 chgrp www-data /var/run/named/session.key
 chmod g+r /var/run/named/session.key
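
The update that `nsupdate -l` receives, as an added example (not code from this post or from web-nsupdate): a POSIX shell function that validates the host label and IPv4 address before emitting the nsupdate batch, since values arriving over HTTP are untrusted. The zone, TTL, record names and function names are assumptions.

```shell
#!/bin/sh
# Added example: build a validated nsupdate batch for one dynamic A record.
# ZONE and TTL are assumed values (ZONE mirrors the post's yourdomain.com).
LC_ALL=C; export LC_ALL
ZONE="yourdomain.com"
TTL=60

# One DNS label only: letters, digits, hyphen; 1-63 chars; no edge hyphens.
# Rejecting dots, spaces and newlines keeps input from adding batch lines.
valid_label() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Dotted-quad IPv4 with exactly four octets, each 0..255.
valid_ipv4() {
    case "$1" in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the batch for nsupdate; print nothing and return 1 on bad input.
build_update() {
    valid_label "$1" || return 1
    valid_ipv4 "$2" || return 1
    fqdn="$1.$ZONE."
    printf 'zone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$ZONE" "$fqdn" "$fqdn" "$TTL" "$2"
}

# On the DNS server, as a user allowed to read session.key:
#   build_update home 192.0.2.10 | nsupdate -l
```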