EXIM on Mailhubs

File Locations:

  • /usr/exim – distribution installation directory
  • /usr/exim/configure – main configuration file (same across all hubs)
  • /usr/exim/configure.local – local server specific configuration
  • /etc/exim – directory containing utility lists and databases

The master copy of the main configuration file /usr/exim/configure is held on mailhub mx1.qub.ac.uk. The file is rsync’d to the other three mailhubs every 5 minutes using the root cron job –

# /root/scripts/rsync_exim_conf.sh

This means that you only have to make configuration changes to the file on mx1.qub.ac.uk but Exim needs to be restarted on each mailhub to effect any changes. Restart Exim using the command –

# systemctl restart exim

The file /usr/exim/configure.local is particular to each mailhub and changes must be made on each server. Again, Exim needs to be restarted if any changes are made.

Utility Lists and Databases:

The files in /etc/exim fall into two categories: flat text files and dbm database files. The flat text files all contain addresses, domains or IP addresses. Their names should be self-explanatory and they are used principally in the ACL section of the Exim configuration for blacklisting or whitelisting. These files are also rsync’d from mx1.qub.ac.uk to the other mailhubs as part of the script referred to above.

The database files are –

  • exch_table – list of local Exchange aliases
  • o365_table – list of Office 365 aliases
  • mlist_table – list of aliases from the Sympa list server
  • sm_table – list of St. Mary’s student aliases
  • local_domains – list of local domains

These database files are principally used for routing mail. They are built separately on each mailhub from correspondingly named text files with the suffix .dat – e.g. exch_table is built from exch_table.dat.

The first 2 tables are generated on each mailhub by the script /root/scripts/hub_tables.sh that utilises perl subscripts to extract mail alias information from Active Directory using LDAP. The data for the first two files is initially saved as –

  • exch_table_tmp.dat
  • o365_table_tmp.dat

The script first checks these files to see whether they are larger than the previous data files. If they are equal in size or smaller, the database files are not updated. This is a safety feature to avoid the possibility of missing data in the database files. You need to check these files, particularly when accounts are being removed. If you are sure that the smaller temporary file is valid, copy it over the main data file and build the database file from it, e.g.

# cp exch_table_tmp.dat exch_table.dat

# exim_dbmbuild exch_table.dat exch_table
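The size check described above, written out as an added example (this is not the site's own hub_tables.sh): the temporary .dat file only replaces the live one and triggers exim_dbmbuild when it is strictly larger. EXIM_TABLE_DIR and DBMBUILD are assumed names that default to /etc/exim and exim_dbmbuild and can be overridden for a dry run.

```shell
#!/bin/sh
# Added example: rebuild a dbm table from a freshly extracted _tmp.dat file
# only when it is larger than the data file currently in use. A shrinking
# file usually means the LDAP extraction missed data, so it is rejected
# and left for a human to inspect, as the mailhub runbook describes.
EXIM_TABLE_DIR="${EXIM_TABLE_DIR:-/etc/exim}"   # assumed; where the tables live
DBMBUILD="${DBMBUILD:-exim_dbmbuild}"           # assumed; builder, can be stubbed

file_size() {
    # wc -c works the same on GNU and BSD systems; stat's flags do not
    wc -c < "$1" | tr -d ' '
}

# update_table NAME
#   returns 0 when NAME.dat was replaced and NAME rebuilt,
#           1 when NAME_tmp.dat was rejected (equal size or smaller),
#           2 when no temporary file exists
update_table() {
    name="$1"
    tmp="$EXIM_TABLE_DIR/${name}_tmp.dat"
    cur="$EXIM_TABLE_DIR/${name}.dat"
    if [ ! -f "$tmp" ]; then
        echo "$name: no temporary data file $tmp" >&2
        return 2
    fi
    new_size=$(file_size "$tmp")
    old_size=0
    [ -f "$cur" ] && old_size=$(file_size "$cur")
    if [ "$new_size" -le "$old_size" ]; then
        echo "$name: $tmp is $new_size bytes, current file is $old_size bytes; not updated, check it by hand" >&2
        return 1
    fi
    # Same two steps as the manual procedure: copy, then build the dbm file
    cp "$tmp" "$cur" && "$DBMBUILD" "$cur" "$EXIM_TABLE_DIR/$name"
}

# Typical use for the two Active Directory derived tables:
# for t in exch_table o365_table; do update_table "$t"; done
```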

The mlist_table database file is built from the mlist_table.dat file that is pulled across from cmc-mlist.qub.ac.uk using scp.

The local_domains file is built from local_domains.dat and that file should be updated as required.

The sm_table file is built from sm_table.dat. The information for that file should come from St. Mary’s or QSIS and usually only requires attention annually.

Switch SMTP Servers

The University SMTP service is handled by the two hosts smtp1.qub.ac.uk and smtp2.qub.ac.uk. The service is normally handled by smtp1.qub.ac.uk, with smtp2.qub.ac.uk available as a backup. The active SMTP server is configured with the IP address for smtp.qub.ac.uk set as a secondary address. Switching the service requires the secondary IP address to be removed from the current active server and added to the network configuration on the current passive server. A small change also needs to be made to the Exim configuration on each of the servers.

Exim Configuration

It is best to update the Exim configuration in advance of making changes to the network configuration. The SMTP transport section in the configuration file looks like this –

remote_smtp_52:
driver = smtp
port = 52
connect_timeout = 1m
interface = 143.117.16.195

Comment out the interface line on the active server and uncomment it on the target server. Make the changes active by restarting Exim on both servers after the network configurations (see below) have been updated. Make sure that eximon is running on both servers so you can check whether the SMTP traffic has successfully switched.

Network Configuration

Display the current IP address configuration on the active server –

# ip a show dev ens192 | grep inet

inet 143.117.16.80/24 brd 143.117.16.255 scope global noprefixroute ens192
inet 143.117.16.195/24 brd 143.117.16.255 scope global secondary noprefixroute ens192:1
inet6 fe80::250:56ff:fe8c:c405/64 scope link

The secondary address is the one flagged as secondary in the output (143.117.16.195). Remove it from the active server as follows –

# ip a del 143.117.16.195/24 dev ens192:1

Add the secondary address on the target server as follows –

# ip a add 143.117.16.195/24 dev ens192:1

Make these changes in quick succession on the active and target servers and then restart Exim on each using –

# systemctl restart exim

Monitor SMTP traffic on each server using eximon. It sometimes takes a couple of minutes for connecting hosts to pick up on the change depending on the refresh rate of their arp tables.
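As an added check for the switch procedure above (not part of the original runbook): before restarting Exim on either server, confirm that the remote_smtp_52 interface line agrees with whether this host actually holds 143.117.16.195. A transport bound to an address the host no longer has fails every outbound delivery, and two hosts holding the address at once is just as bad. SMTP_VIP, EXIM_CONF and IP_ADDR_OUTPUT are assumed names; the last one lets captured ip output be fed in for testing.

```shell
#!/bin/sh
# Added example: does the Exim transport binding match the network state?
SMTP_VIP="${SMTP_VIP:-143.117.16.195}"          # smtp.qub.ac.uk address from the runbook
EXIM_CONF="${EXIM_CONF:-/usr/exim/configure}"   # main configuration file
IP_ADDR_OUTPUT="${IP_ADDR_OUTPUT:-}"            # assumed: captured `ip a show` text for tests

ip_addr_text() {
    if [ -n "$IP_ADDR_OUTPUT" ]; then printf '%s\n' "$IP_ADDR_OUTPUT"; else ip -4 a show; fi
}

# holds_vip: succeeds when the secondary address is configured on this host
holds_vip() {
    ip_addr_text | grep -qF "inet $SMTP_VIP/"
}

# interface_line_active: succeeds when an uncommented "interface = VIP" line exists
interface_line_active() {
    grep -Eq "^[[:space:]]*interface[[:space:]]*=[[:space:]]*$SMTP_VIP([[:space:]]|$)" "$EXIM_CONF"
}

# smtp_role_consistent: prints the detected role; returns 0 when network and
# Exim configuration agree and 1 when they do not (do not restart Exim yet).
smtp_role_consistent() {
    if holds_vip; then has_vip=1; else has_vip=0; fi
    if interface_line_active; then bound=1; else bound=0; fi
    if [ "$has_vip" -eq 1 ] && [ "$bound" -eq 1 ]; then
        echo "active: host holds $SMTP_VIP and remote_smtp_52 binds to it"
    elif [ "$has_vip" -eq 0 ] && [ "$bound" -eq 0 ]; then
        echo "passive: no $SMTP_VIP here and the interface line is commented out"
    elif [ "$has_vip" -eq 1 ]; then
        echo "MISMATCH: host holds $SMTP_VIP but the interface line is commented out" >&2
        return 1
    else
        echo "MISMATCH: interface line is active but $SMTP_VIP is not configured here" >&2
        return 1
    fi
}
```

Run it on both servers after the ip commands and before the systemctl restart; exactly one host should report active and the other passive.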

Build Exim from Source on Centos 7

Pre-requisites:

# yum install gcc

# yum install libdb libdb-devel

# yum install opendmarc libopendmarc libopendmarc-devel

# yum install libspf2 libspf2-devel

# yum install libX11 libX11-devel

# yum install libXt libXt-devel

# yum install libXaw libXaw-devel

# yum install openldap openldap-devel

Install iconv library –

1. Download cert-forensics-tools-release-el7 rpm:
https://forensics.cert.org/cert-forensics-tools-release-el7.rpm

2. Install cert-forensics-tools-release-el7 rpm:
# rpm -Uvh cert-forensics-tools-release*rpm

3. Install libiconv rpm package:
# yum --enablerepo=forensics install libiconv

Create the exim user and group before building; EXIM_USER in Local/Makefile must be set to this user.

Exim Build:

Download exim source code tar file (see exim.org) and unpack it. Switch to the main distribution directory. The install instructions are in the README file.

Edit Local/Makefile (created from src/EDITME as the README instructs) to enable the following features –

LDAP lookup
PCRE
Content scan
DMARC
SPF
TLS
TLS and plaintext AUTH
ICONV

Then –

# make
# make install

Upgrade Exim:

Download the latest distribution from exim.org and unpack it as above. Switch to the main distribution directory and copy Local/Makefile from the existing source tree into the new distribution’s Local directory. The ‘make install’ process should detect the presence of an existing configuration file (/usr/exim/configure) and should not overwrite it. You may want to take a copy of the configuration file before installing as a precaution.

Then –

# make
# make install

This will replace the old version with the new one. You will need to restart the daemon for it to take effect i.e.

# systemctl restart exim

Checking and De-listing Mailhubs Blacklisted by Hotmail/Live

Login at https://login.live.com/ with a valid hotmail/live account. I have set up the account cmc-qub@hotmail.com for this. Make sure you know the password (ask Clive McDowell).

Once you have logged in open another browser tab and go to https://postmaster.live.com/snds. The useful links are –

  1. View Data: summary report on host IP addresses with historical data going back possibly months.

  2. View IP Status: gives a list of any IPs that are blacklisted.

  3. Request Access: allows you to add IP addresses or address ranges to be included in the reporting.

The other links should be self-explanatory.

If one of the IPs is blacklisted go to this link http://go.microsoft.com/fwlink/?LinkID=614866 and fill out the form. You will usually get an automated response fairly quickly but it’s really up to them how soon they take any action. In recent times it has only been a few hours.

Exim on Centos

The version of Exim that comes with rpmforge is currently 4.63, which is somewhat behind the latest version. RPMs for the latest version (currently 4.77) are available from atrpms. Create the file /etc/yum.repos.d/atrpms.repo on any target machine and add the following content –

[atrpms-stable]
name=Centos $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/stable
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=1
includepkgs=libspf2* libsrs*

[atrpms-testing]
name=Centos $releasever - $basearch - ATrpms
baseurl=http://dl.atrpms.net/el$releasever-$basearch/atrpms/testing
gpgkey=http://ATrpms.net/RPM-GPG-KEY.atrpms
gpgcheck=1
enabled=1
includepkgs=exim*

To update Exim, simply run –

# yum update exim