Exim und Dovecot mit gemeinsamer Passwortdatei
# The "heavy" Exim build is required: exim4.conf below uses acl_smtp_mime,
# which needs content scanning, and the light daemon does not provide it.
$ aptitude install exim4-daemon-heavy dovecot-pop3d
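# /etc/exim4/exim4.conf
#
# Monolithic Exim 4 configuration.  Comments must stand on a line of their
# own: in Exim's configuration, text after a value belongs to the value.
#
# Changes relative to the original page:
#   - plain_server: the passwd lookup was spelled "search", which is not an
#     Exim lookup type.  It is "lsearch", as in login_server.
#   - acl_check_data: the Date: header is added with add_header, the form the
#     X-blacklisted-at headers already use, instead of "message =" on warn.

# Directory of deny_recipients, deny_mime and the passwd file shared with
# Dovecot.
CONFDIR = /etc/exim4

primary_hostname = mail.domain.tld

# IPv4 only; 25 for SMTP, 465 for SMTP with TLS negotiated at connect time.
local_interfaces = 0.0.0.0
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465

domainlist local_domains = @:localhost:domain.tld
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1

# Address space a remote MX/A record must never resolve into (loopback,
# private, link-local, documentation, multicast, reserved).  Applied by the
# dnslookup router through ignore_target_hosts.
hostlist unroutable = 0.0.0.0/8 : 127.0.0.0/8 : \
                      10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
                      169.254.0.0/16 : 192.0.2.0/24 : \
                      224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5

# Sender domains exempt from sender verification (see aux_verify_sender).
domainlist whitelist = nice-domain.tld

host_lookup = *

# One ACL per SMTP stage.  acl_smtp_mime requires the content-scanning
# build (exim4-daemon-heavy on Debian).
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_predata = acl_check_predata
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime

# Never run a delivery as root.
never_users = root

# STARTTLS is offered to every client.
tls_advertise_hosts = *
tls_certificate = /etc/ssl/CAcert/mail-server.crt
tls_privatekey = /etc/ssl/CAcert/mail-server.key

# Empty host list: PIPELINING is advertised to nobody.
pipelining_advertise_hosts = :
accept_8bitmime = true

# ident configured for all hosts but with a zero timeout, i.e. effectively
# disabled.
rfc1413_hosts = *
rfc1413_query_timeout = 0s

ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
message_size_limit = 20M

begin acl

# Connection time.  The bucket is keyed on $primary_hostname, so this is
# one global limit of 10 per second shared by all clients, not a per-client
# limit: one busy or abusive peer makes every other client see the
# temporary rejection.  Key on $sender_host_address for a per-client limit.
acl_connect:
  defer message = Sorry, too busy. Try again later.
        ratelimit = 10 / 1s / $primary_hostname
  #require acl = aux_delay
  accept

# HELO/EHLO plausibility checks.  The empty item and 127.0.0.1 cover local
# submissions; 89.110.146.50 is presumably this host's own public address
# (confirm), and is exempt from everything below.
acl_check_helo:
  accept hosts = : 127.0.0.1 : 89.110.146.50

  drop message = RFCs mandate HELO/EHLO before mail can be sent.
       condition = ${if eq {$sender_helo_name}{}}

  # A bare IP address as HELO name (the RFC form is an address literal in
  # brackets).
  drop message = "Bad HELO - IP address not allowed [$sender_helo_name]"
       condition = ${if isip{$sender_helo_name}}

  # Clients presenting our own interface address, our own name or one of
  # our local domains.  Note that "match" is an unanchored regular
  # expression, so the dots in $primary_hostname match any character.
  drop message = You are using my ip address
       condition = ${if eq{$sender_helo_name}{[$interface_address]}{true}{false}}
  drop message = You're a liar
       condition = ${if match{$sender_helo_name}{$primary_hostname}{yes}{no}}
  drop message = You're a liar
       condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}

  # Anything else must be an address literal "[...]" or look like a FQDN.
  # The pattern allows TLDs of 2-6 letters only; longer TLDs exist today
  # and are rejected here.
  drop message = Bad HELO: non-FQDN hostname ($sender_helo_name)
       condition = ${if and { { !match{$sender_helo_name}{\N^\[.+\]$\N} } \
                             { !match{$sender_helo_name}{\N^(?i)((?=[^-])[a-z0-9-]*[a-z0-9]\.)+[a-z]{2,6}$\N} } }}
  #require acl = aux_delay
  accept

# acl_m0 counts recipient failures: it starts at 1 per MAIL command and is
# incremented by acl_check_rcpt for every unknown local user.
acl_check_mail:
  warn set acl_m0 = 1
  accept

acl_check_rcpt:
  # Non-TCP (local) submissions are accepted without further checks.
  accept hosts = :

  # Local parts with characters that could reach a shell, a pipe or a
  # second routing hop, or that contain "../".
  deny message = Restricted characters in address
       local_parts = ^[.] : ^.*[@%!/|]
  deny message = Restricted characters in address
       local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  # postmaster of our own domains is accepted before any blacklist check.
  accept local_parts = postmaster
         domains = +local_domains

  # acl_m0 starts at 1, so this fires on the first RCPT after three
  # unknown local recipients in the same transaction.
  deny message = too many invalid recipients
       condition = ${if > {$acl_m0}{3}}

  # Local block lists: recipients, senders and client hosts.
  deny message = not receiving mail
       recipients = lsearch;CONFDIR/deny_recipients
  deny message = user not sending mail
       senders = /etc/exim4/deny_senders
  deny message = MYBL - $sender_host_address is blacklisted
       hosts = /etc/exim4/deny_hosts

  # DNS blacklists.  "/<;" changes the key separator so that both the client
  # address and the sender's domain are queried.  Several of these zones
  # have since been retired (list.dsbl.org, the combined sbl-xbl zone among
  # them); a retired zone may go silent or may answer positively for every
  # query, so check each one against its operator's current status.
  deny message = RBL - ${sender_host_address} is blacklisted at $dnslist_domain ($dnslist_value); ${dnslist_text}
       dnslists = sbl-xbl.spamhaus.org/<;$sender_host_address;$sender_address_domain
  deny message = RBL - ${sender_host_address} is blacklisted at ${dnslist_domain}; ${dnslist_text}
       dnslists = bl.spamcop.net : cbl.abuseat.org : list.dsbl.org

  # SORBS listings only tag the message with a header.
  warn dnslists = dnsbl.sorbs.net
       add_header = X-blacklisted-at: RBL - $dnslist_domain ($dnslist_text)
  warn dnslists = spam.dnsbl.sorbs.net
       add_header = X-blacklisted-at: RBL - $dnslist_domain ($dnslist_text)
  warn dnslists = rhsbl.sorbs.net
       add_header = X-blacklisted-at: RBL - $dnslist_domain ($dnslist_text)

  require acl = aux_verify_sender

  # Local domains: accept recipients the routers know; count and reject the
  # rest (the counter feeds the "too many invalid recipients" check).
  accept domains = +local_domains
         verify = recipient
  deny domains = +local_domains
       message = unknown user
       set acl_m0 = ${eval:$acl_m0+1}

  accept domains = +relay_to_domains
         verify = recipient
  accept hosts = +relay_from_hosts
  accept authenticated = *
  deny message = relay not permitted

# Sender verification, called from acl_check_rcpt.  Whitelisted domains and
# domains listed at dsn.rfc-ignorant.org (presumably because they would
# reject the null-sender callout anyway) skip verification; everyone else
# must pass a 30 s callout, temporary failures tolerated (defer_ok).  The
# rfc-ignorant.org lists are no longer operated.
# NOTE(review): a modifier placed after a condition is only obeyed when the
# condition is true, so the two logwrite lines fire for the exempted senders
# rather than for the ones actually verified.  Put the logwrite before the
# condition (or in a separate warn) if a log entry per callout is wanted.
aux_verify_sender:
  accept sender_domains = +whitelist
         logwrite = verifing sender address
  accept dnslists = dsn.rfc-ignorant.org/$sender_address_domain
         logwrite = doing sender callout verification
  require verify = sender/callout=30s,defer_ok
  accept

# Same recipient-failure limit as in acl_check_rcpt, re-checked after the
# last RCPT.
acl_check_predata:
  deny condition = ${if > {$acl_m0}{3}}
       message = too many invalid recipients
  #require acl = aux_delay
  accept

# Add a Date: header to locally submitted (non-TCP) messages lacking one.
acl_check_data:
  warn condition = ${if !def:header_Date: {1}}
       hosts = :
       add_header = Date: $tod_full
  #deny message = REJECTED - No Subject or Body
  #     !condition = ${if def:h_Subject:}
  #     condition = ${if <{$body_linecount}{1}{true}{false}}
  accept

# 30 s greeting delay for any remote host on port 25.  Only referenced from
# the commented-out "require acl = aux_delay" lines, so currently unused.
aux_delay:
  accept hosts = *
         condition = ${if eq {$interface_port}{25}{1}{0}}
         delay = 30s
  accept

# Per MIME part: reject the message when the part's filename matches a
# pattern in CONFDIR/deny_mime (wildcard lookup, patterns not expanded).
# The matched line's value is stored in acl_m1 and reported to the sender.
acl_check_mime:
  #deny message = Attached '$mime_filename' file has disallowed extension!
  #     condition = ${if match {${lc:$mime_filename}} {[.] *(gif|exe|scr)\$}}
  deny message = Bad attachment filename ($mime_filename): $acl_m1
       set acl_m1 = ${lookup {$mime_filename} nwildlsearch{CONFDIR/deny_mime} }
       condition = ${if def:acl_m1 }
  accept

begin routers

# Remote delivery.  Target hosts resolving into +unroutable space are
# ignored, so an MX pointing at private or loopback ranges is not followed.
dnslookup:
  pass_on_timeout = true
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = +unroutable
  no_more
  cannot_route_message = Remote domain not found in DNS

# /etc/aliases expansion for local domains; :fail: and :defer: entries are
# permitted by allow_fail / allow_defer.
system_aliases:
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

# Routes nothing (empty data, so the router declines) but records the
# recipient's uid in $address_data; the next router relies on that value
# surviving the decline.
set_address_data_uid:
  debug_print = "R: set_address_data for $local_part@$domain"
  driver = redirect
  check_local_user
  domains = +local_domains
  address_data = "$local_user_uid"
  data =

# Mail for system accounts (uid below 1000) is redirected to hostmaster
# instead of being delivered to the account's own mailbox.
local_user_low_uid:
  debug_print = "R: local_user_low_uid for $local_part@$domain (uid $address_data)"
  driver = redirect
  check_local_user
  domains = +local_domains
  condition = "${if <{$address_data}{1000}{1}}"
  data = hostmaster

localuser:
  driver = accept
  check_local_user
  domains = +local_domains
  transport = local_delivery

begin transports

remote_smtp:
  driver = smtp

# Maildir delivery into the user's home directory, created on demand.
local_delivery:
  driver = appendfile
  directory = $home/Maildir
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format

begin retry
# All hosts, all errors: every 15 min for 2 h, then from 1 h growing by 1.5
# up to 16 h, then every 6 h until 4 days have passed.
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

# Both mechanisms are advertised only when TLS is active ($tls_cipher set),
# so credentials never cross the wire in clear.  The password is checked
# with crypteq against the first colon-separated field of the user's line
# in CONFDIR/passwd (shared with Dovecot).  For an unknown user the lookup
# falls back to "*:*", whose first field "*" no crypt output equals.
# PLAIN: $auth1 = authorization id, $auth2 = user name, $auth3 = password.
plain_server:
  driver = plaintext
  public_name = PLAIN
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  server_prompts = :
  server_condition = "${if and { {!eq{$auth2}{}} {!eq{$auth3}{}} \
                      {crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}\
                      lsearch{CONFDIR/passwd}{$value}{*:*}}}}}} }{1}{0}}"
  server_set_id = $auth2

# LOGIN: $auth1 = user name, $auth2 = password (prompted separately).
login_server:
  driver = plaintext
  public_name = LOGIN
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  server_prompts = "Username:: : Password::"
  server_condition = "${if and { {!eq{$auth1}{}} {!eq{$auth2}{}} \
                      {crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}\
                      lsearch{CONFDIR/passwd}{$value}{*:*}}}}}} }{1}{0}}"
  server_set_id = $auth1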
Die passwd-Datei für exim und dovecot. Die einzige Methode, die ich gefunden habe,
md5-Passwörter zu erzeugen, die mit exim und dovecot funktionieren, ist die
kommentierte Perlzeile.
# exim4 / dovecot passwd file
#
# Format: <user>:<hash>[:further fields].  Exim looks the user up with
# lsearch and compares the password with crypteq against the first
# colon-separated field of the value, so Dovecot's additional passwd-file
# fields may follow the hash.  Dovecot reads the same file via passdb
# passwd-file.
#
# perl -MDigest::MD5=md5_hex -e 'print md5_hex($ARGV[0]),"\n"' password
# (mkpasswd -H md5, dovecotpw - don't work for exim4)
# crypt should also work for both
#
# Review notes:
#  - {md5} stores an unsalted, plain MD5 of the password: identical
#    passwords give identical hashes, and a leaked file is cheap to test
#    offline.  Since crypt hashes work in both programs (see above), prefer
#    a salted crypt scheme for new entries.
#  - The Perl one-liner takes the password as a command-line argument, so
#    it lands in the shell history and is visible in the process list while
#    it runs; read it from stdin instead.
#  - mkpasswd -H md5 produces an md5-crypt ($1$...) hash, presumably why
#    it does not match Exim's {md5} comparison.
#
user:{md5}md5_hashed_password
Folgende Dateiberechtigungen sind völlig ausreichend. Besonders die Passwortdatei sollte
diese Berechtigungen aufweisen.
# Mode 0640 with group Debian-exim: the configuration and the passwd file
# are readable by Exim and by Dovecot's auth process (which runs as
# Debian-exim), but not by other local users.
# NOTE(review): "chmod 0640 /etc/exim4/*" also applies to any subdirectory
# of /etc/exim4, stripping its execute bit; if such directories exist,
# restrict the chmod to files (or to /etc/exim4/passwd alone).
$ chmod 0640 /etc/exim4/*
$ chgrp Debian-exim /etc/exim4/*
Eine dazu passende Konfiguration für dovecot, bei der die Passwörter in einer Datei stehen.
dovecot-auth wird als Debian-exim gestartet, so dass der Zugriff auf /etc/exim4/passwd möglich
ist.
# /etc/dovecot/dovecot.conf
#
# Dovecot 1.x style configuration (auth default {} block, ssl_disable):
# POP3 over TLS only, authenticating against the passwd file Exim uses.
protocols = pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
# Same certificate and key as tls_certificate / tls_privatekey in exim4.conf.
ssl_disable = no
ssl_cert_file = /etc/ssl/CAcert/mail-server.crt
ssl_key_file = /etc/ssl/CAcert/mail-server.key
# Matches Exim's local_delivery transport (directory = $home/Maildir).
mail_location = maildir:~/Maildir
# NOTE(review): mail_extra_groups adds the "mail" group to every mail
# process; later Dovecot releases replaced it with mail_privileged_group
# because of that.  Confirm it is still needed with Maildir in $HOME.
mail_extra_groups = mail
protocol imap {
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
# PLAIN only; acceptable because the sole protocol is pop3s.
# passdb: the file Exim's plain_server/login_server look up (CONFDIR/passwd).
# userdb: system passwd for uid, gid and home directory.
# user: the auth process runs as Debian-exim so that a 0640, group
# Debian-exim /etc/exim4/passwd is readable without being world-readable.
auth default {
mechanisms = plain
passdb passwd-file {
args = /etc/exim4/passwd
}
userdb passwd {
}
user = Debian-exim
}
dict {
}
plugin {
}