Additional Notes And Instructions For Exim4U Table Of Contents 1) Instruction Notes For Adding A Domain 2) Instruction Notes For Adding Mailman Users to Exim4u 3) General Discussion About Local Host And Relay Domain Spam Processing 4) General Discussion about URIBL, SURBL and DBL Spam Blocking 5) Example iptables Configuration For Exim4U 6) How To Reset The Encrypted Password for the siteadmin 1) Instruction Notes For Adding A Domain This procedure will provide Exim4U email and Apache web access for a virtual domain on RedHat/CentOS 5. For other distros please refer to your distro's documentation. a) Add the domain as a zone in named.conf. (Typically /var/named/chroot/etc/named.conf) b) Add a zone file for the domain. (Typically /var/named/chroot/var/named/) c) chown named:named /var/named/chroot/var/named/. d) Add unix user (adduser ). Make the unix user's directory executable for all users. eg.: chmod a+x /home/. (Otherwise, apache will not work for DocumentRoot subdirectories.) e) Add virtual host to /etc/httpd/conf/httpd.conf and restart httpd. (Or create SSL cert and add virtual host to /etc/httpd/conf.d/ssl.conf) f) Add domain and initial email users in Exim4U. 2) Instruction Notes For Adding Mailman Users to Exim4u a) Specify mailman virtual domain in exim configuration file (/etc/exim/exim4u_local.conf.inc) and restart exim. b) Specify mailman virtual domain in /usr/lib/mailman/Mailman/mm_cfg.py and restart mailman. c) All mailman administrative functions will then be available at: https:///mailman. 3) General Discussion About Local Host And Relay Domain Spam Processing Exim4U has a unique way of handling localhost and relay domain spam processing. That is, Exim4U provides the flexibility to coordinate spam processing between the relay host and the local host. First of all, Exim4U provides an initial layer of spam filtering during the SMTP connections whereby all mail is filtered regardless if the mail is destined to be relayed to another host or delivered to a user on the local host. This initial layer of filtering will only reject mail which has a 100% probability of being spam. As an example, all incoming mail will be rejected if its sending IP is in the spamhaus RBL, if the recipient does not exist or if the spamassassin score is greater than Exim4U's overall reject score (default = 10). Subsequently, the Exim4U web interface can be used to specify the spam tag score and the spam discard score on a per user basis for the local host and on a per domain basis for relay domains. The spam discard score is the minimum score for which mail is discarded to /dev/null. The spam tag score is the minimum score for which mail is tagged as spam and may thereby be optionally placed in the user's spam folder instead of the user's inbox on the server. With Exim4U's web interface, spam tag and discard scores can be individually specified for each user on the local host as well as for each relay domain. Another interesting feature is that Exim4U does not rely on DNS MX records for relaying mail from a relay host to its destination host. Instead, the destination host is specified in the Exim4U web interface in the Relay Server Address field in Domain Administration. Therefore, multiple relay hosts may be deployed along with the destination host and the MX records can all be set to the same value or any set of values for that matter but all mail will ultimately be delivered to the destination host. Exim4U may be used to specify whether spam tagging and/or spam header rewriting is done by the relay host(s) or the destination host. These features provide the capability for Exim4U installations to be used as spam filters for any other mail host. A further discussion on the recommended configurations for coordinating local hosts and relay hosts may be found in etc/exim/exim4u_global_spam_virus. 4) General Discussion about URIBL, SURBL and DBL Spam Blocking Exim4U automatically blocks spam mail that contain URLs which are on the URIBL, SURBL or Spamhaus DBL blacklists. This is done within the ACLs in /etc/exim/exim.conf's prior to calling spamassassin. URIBL Testing To test a given domain, domain.tld, on the URIBL: nslookup domain.tld.multi.uribl.com If the host domain is not found then it isn't listed. If the host is listed, the answer will be 127.0.0.X where X indicates the list. Here is a chart for what X means: X Binary On List --------------------------------------------- 1 00000001 gold 2 00000010 black 4 00000100 grey 8 00001000 red 14 00001110 black,grey,red (for testpoints) 255 11111111 your DNS is blocked from querying URIBL For systems processing 300,000 queries/day then the URIBL may block access to their database. If you use your ISP's nameservers for resolution, and they are blocked, consider running your own caching nameserver. Otherwise, consider subscribing to the URIBL's commercial datafeed services to run local copies of the URIBL zones and keep your queries on your own network. More information about the URIBL data feed service is available at: http://www.uribl.com/datafeed.shtml SURBL Testing To test a given domain, domain.tld, on the SURBL: nslookup domain.tld.multi.surbl.org If the host domain is not found then it isn't listed. If the host is listed, the answer will be 127.0.0.X where X indicates the list. Here is a chart for what X means: 2 = blacklisted on sc.surbl.org (SpamCop) 4 = blacklisted on ws.surbl.org (sa-blacklist) 8 = blacklisted on phishing data source (labelled as [ph] in multi) 16 = blacklisted on ob.surbl.org (Outblaze) 32 = blacklisted on ab.surbl.org (AbuseButler) 64 = blacklisted on jp data source (jwSpamSpy) If an entry belongs to just one list it will have an address where the last octet has that value, for example 127.0.0.8 means it comes from the phishing list and 127.0.0.2 means it's in the data used in sc.surbl.org. An entry on multiple lists gets the sum of those list numbers as the last octet, so 127.0.0.6 means a record is on both ws.surbl.org and sc.surbl.org (comes from: 2 + 4 = 6). Systems processing more than 250,000 inbound messages per day or having more than 1,000 users should set up a local name server for mirroring the SURBL data base. More information about the SURBL data feed service is available at: http://george.surbl.org/pricing.html DBL Testing To test a given domain, domain.tld, on the Spamhaus DBL: nslookup domain.tld.dbl.spamhaus.com If the host domain is not found then it isn't listed. If the host is listed, the answer will be 127.0.1.X where X indicates the list. Here is a chart for what X means: Return Codes Data Source ------------ ----------- 2 spam domain 3-19 spam domain (future use) 20-39 phish domain (future use) 40-59 malware domain (future use) 255 IP queries prohibited! RFC5782 operational test ------------------------ Command: nslookup test.dbl.spamhaus.org Results: 127.0.1.2 (which indicates a spam domain) Use of the Spamhaus DNSBLs via DNS queries to the Spamhaus public DNSBL servers is allowed if you meet all three of the following criteria: 1) Your use of the Spamhaus DNSBLs is non-commercial, and 2) Your email traffic is less than 100,000 SMTP connections per day, and 3) Your DNSBL query volume is less than 300,000 queries per day. If you do not fit all three of these criteria then you should use the Spamhaus Datafeed Service. More information about the Spamhaus Datafeed Service is available at: http://www.spamhaus.org/organization/dnsblusage.html 5) Example iptables configuration for Exim4U *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :Exim4U-0-50-INPUT - [0:0] # Enable Munin IP_ plugin to access the network. -A INPUT -d 174.36.1.26 -A OUTPUT -s 174.36.1.26 -A INPUT -d 10.17.55.50 -A OUTPUT -s 10.17.55.50 # -A INPUT -j Exim4U-0-50-INPUT -A FORWARD -j Exim4U-0-50-INPUT # # Uncomment the next line to enable web access using HTTP, HTTPS -A Exim4U-0-50-INPUT -p tcp -m multiport --dport 80,443, --syn -j ACCEPT # Enable mail over POP and SMTP -A Exim4U-0-50-INPUT -p tcp -m multiport --dport 587,2525,25,110,143,113 --syn -j ACCEPT # Enable ssh access -A Exim4U-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT # Enable external access to DNS on any ip -A Exim4U-0-50-INPUT -p udp -m udp --dport 53 -d 0/0 -j ACCEPT -A Exim4U-0-50-INPUT -p tcp -m tcp --dport 53 -d 0/0 -j ACCEPT -A Exim4U-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT # Accept all local connections -A Exim4U-0-50-INPUT -i lo -j ACCEPT # Accept ntp time server -A Exim4U-0-50-INPUT -p udp --dport 123 -j ACCEPT # Allow input from DCC (Spamassassin) -A Exim4U-0-50-INPUT -p udp -m udp --sport 6277 -j ACCEPT # Open incoming port for pyzor -A Exim4U-0-50-INPUT -p udp -m udp --sport 24441 -j ACCEPT # Allow Webmin -A Exim4U-0-50-INPUT -p tcp -m tcp --dport 10000 --syn -j ACCEPT # Reject everything else -A Exim4U-0-50-INPUT -p tcp -m tcp --syn -j REJECT -A Exim4U-0-50-INPUT -p udp -m udp -j REJECT COMMIT 6) How To Reset The Encrypted Password for the siteadmin Beginning with Exim4U 3.0.0, if you elect to encrypt passwords then the passwords are not stored in clear-text anywhere. If a user loses their password then the Domain Admin can just reset it. Likewise, if a Domain Admin loses their password then the siteadmin can simply reset it. However, there is no way to reset a lost siteadmin's password from within the Exim4U web interface since the siteadmin can then not login. Therefore, the following procedure can be used to reset a siteadmin's password: a) Use the mysql command line or phpmyadmin to change the siteadmin's password to a clear-text value such as "PASSWD". b) Edit home/exim4u/public_html/exim4u/config/variables.php and change: $cryptscheme = "CLEAR"; c) Login to the Exim4U web interface as the siteadmin using the clear-text password set in step (a) above. d) While remaining logged in to the Exim4U web interface as the siteadmin, go back and edit home/exim4u/public_html/exim4u/config/variables.php and change the $cryptscheme variable back to its previous value (SHA512, MD5 or DES). e) Then, using the Exim4U web interface that you are still logged into as the siteadmin, reset the password and click the Submit button to save it. The password has now been reset!