Page 1: Jason Meers

Integrating Exim with Exchange - Advanced routing and security for vulnerable hosts

J. Meers - Mediavest

Prepared for the First International Exim Conference and Tutorial – Feb 2005

Page 2

- Contents -

Abstract

Objective and Scope

Assumptions and Reasoning

Problem Scenario

Security Considerations

Routing Considerations

Possible Solutions

Selected Solution

Tutorial: Exim, Exchange and MessageLabs integration

Common mistakes and how to avoid them

Monitoring queues with EximState and Apache

Further reading & references

Thanks

Copyright

Licence

Liability

Page 3

- Abstract -

Exim

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of Exim is quite different to that of sendmail.

Microsoft Exchange

Exchange is Microsoft's flagship messaging product with over 100 million licences sold worldwide. Securing this product is a challenge for any administrator. To properly secure Exchange, attention must also be paid to Operating System security, Active Directory security, NT/2000/2003 file and folder security, LDAP security, RPC security as well as the notorious IIS webserver.

For many administrators, having so many vulnerable services to contend with is difficult enough without the added security concerns that come from connecting a server holding private data directly to the internet.

Page 4

- Objective and Scope -

This paper attempts to address issues for administrators who must use Exchange in a corporate environment, but have concerns over its ability to protect the valuable resources it holds, or its ability to provide advanced routing and filtering of messages before delivery.

This paper shows a real-life example of Exim in use as an SMTP gateway to an internal Exchange server, providing a level of separation from Internet-based enumeration and exploit.

The tutorial provides a mechanism for:

● Providing temporary redirection by domain.

● Providing permanent redirection by email address.

● Restricting the domains allowed for relay and delivery.

● Restricting IP addresses allowed for relay and delivery.

● Sending and receiving mail via a dedicated appliance or third party Virus/Spam/Porn scanning service such as MessageLabs.

The paper discusses a method for removing many of the risks associated with presenting Microsoft Exchange directly to the Internet.

NOTE: This paper does not attempt to provide detailed information on securing Microsoft Windows, Microsoft Exchange, Active Directory and IIS.

Page 5

- Assumptions and Reasoning -

It is assumed that the reader does not need convincing that protecting or hiding the following information or services from attackers is sensible:

● Services that run with administrative privileges.

● Services that can be used to disclose information (Active Directory, LDAP).

● Services which advertise version information that can be used to establish which security updates have, and have not, been applied.

● Local administrative accounts and domain administrative accounts.

● Internal usernames and passwords.

● Default accounts or guest accounts with known, empty or weak passwords.

● Internal e-mail addresses, groups and distribution lists.

● Confidential information and correspondence.

It is also assumed that the reader does not need convincing that restricting internet access to the following services is more reliable and more secure than allowing connections from any host and relying on the services themselves to fend off security flaws and brute force attacks:

● SMTP

● Outlook Web Access (OWA)

● IMAP

● POP3

● RPC, LDAP and SMB connections

NOTE: Any service that can be used remotely to validate credentials is a potential liability, and given enough time or a big enough dictionary of words, an attacker can establish a username and password to begin trying to escalate their privileges on the target system.

Most security specialists would agree: No server holding confidential data should ever be connected directly to the Internet.

Page 6

If the reader needs any further evidence to support the statements made above, or simply wishes to find out more information about securing Exchange, the following documents provide further independent analysis.

Incidentally, all of the documents below reinforce the recommendations made in this paper; they also recommend that the main Exchange server(s) should be moved back at least one level from any public-facing Internet connections.

Paper: Securing Exchange 2000, Part One
Chris Weber, Security Engineer, Foundstone
http://securityfocus.com/infocus/1572
Content: Covers vulnerable ports and services. Output from port scans, server enumeration, LDAP enumeration and pilfering shares with poor default security.

Paper: Securing Exchange 2000, Part Two
Chris Weber, Security Engineer, Foundstone
http://securityfocus.com/infocus/1578
Content: Covers exploiting SMTP relay even when SMTP relay is disabled. Front end/back end configuration, restricting privileges, using SSL, TLS and IPSEC to encrypt communications.

Paper: Securing your Exchange Server Installation
Monty Hall
http://securityfocus.com/infocus/1305
Content: Provides advice for securing the Operating System, Exchange itself, IIS webserver and Outlook Web Access, service accounts, domain security and server placement.

Paper: Exchange 2000 in the Enterprise: Tricks and Tips Part One
Tim Mullen, Chief Software Architect for AnchorIS.Com
http://securityfocus.com/infocus/1654
Content: Covers the use of an SMTP Relay in the DMZ between Exchange and the Internet. This paper covers the same topology we will use in this paper but specifically uses Microsoft ISA server and Trend Micro's SMTP Relay.

Paper: Exchange 2000 in the Enterprise: Tricks and Tips Part Two
Tim Mullen, Chief Software Architect for AnchorIS.Com
http://securityfocus.com/infocus/1658
Content: Part two of this paper covers various methods of encryption. The paper has an excellent section on securing Outlook Web Access with the IIS lock-down tool and some of the caveats introduced such as the double dot encoded URL.

NOTE: The “further reading and references” section towards the end of this paper provides additional material on securing Exchange. Much of this is at a very technical level and may be too complicated for some users, but it is well worth a look should you need guidance on further hardening your infrastructure with more finely grained access control and encryption.

Page 7

- Problem Scenario -

“FictionalCompany.com” require Microsoft Outlook and Microsoft Exchange to enable the use of Blackberry and Windows-based PDA devices for staff who frequently work out of the office, or on the road.

- - -

The solution should provide a mechanism for redirecting emails to another mailbox to handle situations where staff leave, get married or are out of the office for long periods of time due to maternity or illness.

The solution should provide a mechanism for temporary redirection of all email destined for a particular domain to handle situations where servers, networks, routers and internet connections fail unexpectedly.

The solution should restrict access for unknown domains and IP addresses to prevent the system being used as a relay for SPAM.

The solution should provide a mechanism for incorporating some form of mail content scanning to identify virus, spam and pornographic material before delivery to users' mailboxes. Ideally this should be done before the mail actually reaches the SMTP relay.

The solution should make configuration as easy as possible to understand and modify, reducing the chances of making configuration errors.

The IT department have been asked to provide all of this functionality in a secure manner. No budget has been set, but the final solution should provide good value for money compared to the other possible alternatives.

The current Exchange installation

The current installation consists of a single Exchange server installed on a Domain Controller on the LAN. The Domain Controller also runs DNS and WINS for the internal network. The server can communicate over NetBIOS, NetBEUI and TCP/IP.

The server has been made public using Network Address Translation (NAT). One of the public IP addresses has been mapped directly to the server on the LAN by using one-to-one NAT on the firewall.

The firewall has an opening on port 25, allowing any host on the internet to connect to the SMTP service. POP3, SMTP, IMAP4 and Outlook Web Access are all enabled on the server, but these are only available to users on the LAN.

This is a typical installation that you might find at any number of Small to Medium-sized Enterprises (SMEs).

Page 8

- Security Considerations -

● The SMTP service should be the only service accessible from the internet, as this is the bare minimum required to send and receive e-mail with other individuals or organisations.

● All other services (POP3, IMAP, Outlook Web Access, RPC, LDAP and SMB connections) should be unreachable from the internet without first passing some form of strong authentication such as an IPSEC VPN, or a dial-in service secured by a secondary mechanism such as RADIUS or RSA SecureID.

NOTE: This paper does not deal with the various strong authentication methods available for securing access to the internal corporate network, but focuses on securing the SMTP service. The SMTP service is one of the most frequent starting points for attackers as almost every company has it open.

Page 9

- Routing Considerations -

If we employ a single mail hub with an ability to process mail for multiple domains and servers we will receive the following benefits:

● Reduction of the number of ports and sockets to secure.

● Reduction of management overhead (fewer servers to manage).

● Reduction of hardware requirements (fewer servers required).

● Flexibility for companies that have multiple business units that share resources internally but operate as different organisations externally.

● The flexibility to redirect or reject mail at delivery time.

● The ability to content scan messages for virus, porn and spam before delivery.

Page 10

- Possible Solutions -

Microsoft Exchange as a standalone SMTP relay

Using another Exchange server in its own workgroup avoids the problems associated with giving away domain administration privileges and domain passwords, but still suffers from the problems associated with using Exchange on a public-facing internet connection.

Dedicated SMTP relay in the DMZ*

Such as EXIM, Trend Micro-Interscan, SurfControl-RiskFilter, Clearswift-MimeSweeper etc...

3rd Party Service

Such as MessageLabs, Symantec Managed Security Services, InnoTech-MailPure etc...

NOTE: * If a DMZ is not available on your firewall it is still possible to use Exim using one-to-one NAT and/or port forwarding, but a dedicated DMZ would always be preferred.

Page 11

- Selected Solution -

Our solution will incorporate Exchange with Exim and the MessageLabs virus scanning service.

Exim provides all the functionality we need with the flexibility to add more advanced content scanning and filtering at a later date.

The MessageLabs service provides multiple scanning technologies that we cannot hope to better internally without massive investment in extra equipment and staff.

Using an external content scanning service in conjunction with our Exim relay also provides cost and efficiency benefits by rejecting virus, spam and porn before it has consumed bandwidth getting to our SMTP relay.

Requirements:

Firewall: A hardware firewall would be preferred, but any firewall with stateful packet inspection (SPI) and a DMZ (or NAT and port forwarding) will suffice.

WAN: Any internet connection with at least 1 free, fixed IP address for use in the DMZ (unless NAT or port forwarding is used).

DMZ: 1 server capable of running Exim (we will be using a Pentium III 700MHz with 256MB RAM on RedHat Enterprise Linux 4 or Fedora Core 3).

LAN: Exchange 2000 (SP3) running on Windows 2000 Server (SP4).

Content Scanning: We will be using the MessageLabs mail scanning service. For the purpose of this paper we have been assigned the following hosts, mail19.messagelabs.com and mail20.messagelabs.com, as the primary and backup hosts to use for sending and receiving e-mails to be scanned by the service.

NOTE: The chosen solution does not require a massive investment in hardware, nor does it require much administration, making it an ideal starting point for the average Small to Medium-sized Enterprise (SME).

Page 12

- Tutorial -

Page 13

To make the tutorial easier to follow we will use the following 3 fictional domains, each having its own dedicated Exchange server:

domain1.com with an exchange server called exch1

domain2.com with an exchange server called exch2

domain3.com with an exchange server called exch3

...and we will use the following in place of actual IP Addresses:

exch1 = exch1.exch1.exch1.exch1

exch2 = exch2.exch2.exch2.exch2

exch3 = exch3.exch3.exch3.exch3

exim = exim.exim.exim.exim

mail19.messagelabs.com = av1.av1.av1.av1

mail20.messagelabs.com = av2.av2.av2.av2

The final network layout will look like this:

NOTE: If you don't have multiple domain names or exchange servers just ignore any lines referring to “domain2.com”, “domain3.com”, “exch2.exch2.exch2.exch2” and “exch3.exch3.exch3.exch3”. They are provided for the benefit of larger or more complex installations.

Page 14

- Overview of sending an email on the existing system -

When an e-mail is sent from an individual the following process occurs from top to bottom until the message is delivered to the destination mail server.

The sender types the message in an e-mail client.
e.g. Message created in Outlook

The sender types in the e-mail address of the recipient in the To: field.
e.g. e-mail addressed to user1@FictionalCompany.com

The sender clicks “send” and the message is delivered to the user's mail server.
e.g. Message sent from Outlook to Exchange

The mail server then reads the e-mail address and separates the domain part of the address from the user part of the address.
e.g. FictionalCompany.com

The mail server then contacts a DNS server and requests a list of MX (Mail eXchange) records for the domain fictionalcompany.com.
e.g. pri=5 mail1.FictionalCompany.com
pri=10 mail2.FictionalCompany.com

The mail server then selects the mail server with the highest priority and connects over SMTP to deliver the mail.
e.g. Exchange connects to port 25 on mail1.FictionalCompany.com to deliver the mail over SMTP.

(The highest priority mail server always has the lowest number in the MX field, the opposite of what most people expect. The MX record is a special DNS record used for Mail eXchange between domains.)

How this will change:

Once the e-mail arrives on the mail server, instead of trying to send the email directly, the email is forwarded to the Exim server where address rewriting and address redirection may be performed before passing the e-mail on to the MessageLabs service for virus, porn and spam scanning before final delivery.
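As an added illustration of the routing decision described above (this is example code, not part of the original paper or of Exim), the following Python functions parse MX records in the page's "pri=N host" notation, order them with the lowest preference value first, and show how the new topology replaces that lookup with a fixed next hop. It generalises the page slightly by including the local-host rule from RFC 5321 section 5.1, which the page does not spell out; the hostnames are the paper's own fictional examples.

```python
import re

# Matches the page's notation for an MX record, e.g. "pri=5 mail1.FictionalCompany.com"
MX_LINE = re.compile(r"^\s*pri=(\d+)\s+(\S+)\s*$")


def parse_mx(lines):
    """Parse 'pri=N host' lines into (preference, host) pairs; hosts are lower-cased."""
    records = []
    for line in lines:
        m = MX_LINE.match(line)
        if not m:
            raise ValueError(f"not an MX line: {line!r}")
        records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return records


def mx_attempt_order(records, local_host=None):
    """Return the hosts to try, best first.

    The lowest preference number is the highest priority. If the local host is
    itself one of the MX hosts, RFC 5321 section 5.1 says to drop it and every
    MX with an equal or higher preference value: those targets are either us
    or would hand the mail straight back to us. An empty result therefore means
    "we are the best MX for this domain; deliver locally rather than relaying".
    """
    ordered = sorted(records, key=lambda r: r[0])   # real MTAs shuffle equal preferences
    if local_host is not None:
        me = local_host.rstrip(".").lower()
        mine = [pref for pref, host in ordered if host == me]
        if mine:
            ordered = [(pref, host) for pref, host in ordered if pref < min(mine)]
    return [host for _, host in ordered]


def next_hops(mx_lines, local_host=None, smarthost=None):
    """Where an outbound message goes next.

    Existing system: follow the destination domain's MX records.
    New system: every message is handed to the Exim relay (a "smart host"), and
    the MX lookup happens there instead, so the answer no longer depends on DNS.
    """
    if smarthost:
        return [smarthost]
    return mx_attempt_order(parse_mx(mx_lines), local_host)


if __name__ == "__main__":
    example = ["pri=5 mail1.FictionalCompany.com", "pri=10 mail2.FictionalCompany.com"]
    print(next_hops(example))                                            # mail1 then mail2
    print(next_hops(example, local_host="mail2.FictionalCompany.com"))   # only mail1
    print(next_hops(example, smarthost="exim.exim.exim.exim"))           # the new topology
```

The `local_host` parameter is what stops a backup MX (the `pri=10` host) from trying to deliver to itself or to a lower-priority peer; the `smarthost` parameter is the one-line difference between the existing and the new delivery path.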

Page 15

- Overview of receiving an email on the existing system -

When an e-mail is received from an individual the following process occurs from top to bottom until the message lands in the recipient's mailbox.

Based on the MX records for the domain, inbound mail arrives directly at the Exchange server on Port 25

Exchange decides if it should accept the message

If the message is accepted Exchange delivers the message to the user's mailbox

The user views the message in Outlook

How this will change:

We will later point our MX records at MessageLabs who will receive the e-mail on our behalf before content scanning. The message will then be delivered to our new Exim server in the DMZ. Our Exim server then performs its checks on any aliases and domains that may need re-writing or re-directing before final delivery to Exchange.

Page 16

- Steps Involved -

The tutorial will be done in stages, starting with the default installation.

We will only move onto the next step after the successful testing of the previous step. This not only makes the tutorial easier to follow but gives us an idea where we went wrong should we make a mistake.

Build the Server
Network Settings
Internet Connectivity
Updates
Backups
E-mail Transport
Queue Frequency
Exim Monitor

Our First Test E-Mail with the default Exim config.

Test SMTP connectivity between Exchange and Exim

Test SMTP relay between Exchange and Exim

Break Down the Configuration

Create our new config
Option 1: Straight delivery via MX records
Option 2: Third party scanning service or appliance

Going Live

Troubleshooting

Page 17

- Building the server -

For our Exim server we are using a Pentium III 700MHz with 256MB RAM and a 10/100Mb network card.

Suggested specification for INITIAL TESTING

For testing purposes all of the initial work was done on “Fedora Core 3*”, installed on a single 10GB IDE hard drive with one big root “/” partition and a 512MB swap partition. We disabled the firewall and ran the full Gnome desktop with Remote Desktop (a modified version of VNC), to help us get things working quickly and iron out any problems.

Once we are familiar with the new Exim server and have got a working configuration we save all the config files to a floppy or USB memory stick and start again, this time paying more attention to resilience and security.

Suggested specification for FINAL IMPLEMENTATION

We install a RAID controller in the server and mirror two drives.

A 3ware Escalade RAID controller** and 2 IDE hard disks provide excellent value for money and are very well supported by most Linux kernels and the SMART disk monitoring daemon.

We kept the 512MB swap partition but split the remaining disk space between a root “/” and a “/var” partition and installed the 3ware monitoring software.

We install RedHat Enterprise Linux 4*** on the server with a subscription to RedHat Network****. We opt for a basic subscription as we are only concerned about getting security updates. The firewall is enabled; SMTP and SSH are the only services allowed through the firewall.

If the Gnome or KDE desktop is installed we would also need to open port 5900:tcp to use the remote desktop feature.

The remote desktop feature***** is useful for watching the messages come in and out via the Exim monitor “eximon” but does introduce an extra set of services and ports to secure.

* Fedora Core 3 http://fedora.redhat.com
** 3ware RAID Storage Solutions http://www.3ware.com
*** RedHat http://www.redhat.com
**** RedHat Network http://rhn.redhat.com
***** RedHat Menu > Applications > Preferences > Remote Desktop

Page 18

- Network Settings -

The Exim server should have a hostname, IP address, subnet mask and default gateway set at installation. These should be established before the installation begins instead of installing the server with a DHCP address then changing these via the applet later. The server should at least be able to resolve its own hostname and fully qualified hostname (FQDN) via the hosts file (/etc/hosts).

RedHat Menu > Systems Settings > Network

- Internet Connectivity -

Check for a working Internet connection and set up a time server for the machine to use as a reference. Accurate time is essential for making sense of mail headers and log files.

RedHat Menu > Systems Settings > Date & Time

- Updates -

The system should be updated by the RedHat Network on a regular basis. On the test systems we automate updates using a script in /etc/cron.hourly. On the live system we automate this via the RedHat Network. Should you decide to use a script you may want to consider whether kernel updates should be done automatically or by hand.

If you wish to script the updates:

To update everything (except skipped packages):     up2date -u
To update everything (including skipped packages):  up2date -uf
To download updates but not install them:           up2date -ud
To change up2date settings:                         up2date --configure

- Backups -

Consider using a USB memory stick to make backups of configuration files.

These can be scheduled by using scripts in /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly to back up into separate folders on the USB device. This is much more secure than enabling NFS, SAMBA or FTP on the box.

SCP was the only other alternative we considered before deciding on a USB device. A floppy disk would also suffice as an average set of config files would only be around 100k in size.

Page 19

- E-Mail transport -

To begin setting up our Exim SMTP Gateway we now switch the default mail transport from Sendmail to Exim.

RedHat Menu > Applications > Preferences > More Preferences > Mail Transport Agent Switcher

Select Exim then click Ok.

- Queue Frequency -

For testing we will set the default queue frequency to 1 minute to make it easy to see how Exim handles large or difficult messages.

To do this we need to change the default QUEUE setting from 1 hour to 1 minute.

Open up GEDIT and edit /etc/sysconfig/exim to read as follows:

# /etc/sysconfig/exim

DAEMON=yes
QUEUE=1m

(try /etc/sysconfig/sendmail if /etc/sysconfig/exim doesn't work as expected)

Note - Editing Files:

Gedit can be launched from Applications > Accessories > Text Editor

or from the command line, e.g.

gedit <enter>
gedit /etc/sysconfig/exim <enter>

Once your Exim relay is up and running you may need to change configuration remotely. To do this you may want to use SSH and the VI text editor from a Unix/Linux box, or WinSCP from a Windows PC.

This type of remote management requires that port 22 be open, and the SSH (Secure Shell) service running.

For security reasons, SSH would normally be blocked at the firewall to all *external* connections. This is highly recommended on most systems.

Page 20

- Exim Monitor -

It would be useful to see if Exim is running correctly during our testing.

To do this we launch the Exim Monitor “eximon” at startup.

RedHat Menu > Applications > Preferences > More Preferences > Sessions

Select the Startup Programs tab, click Add, type eximon, click OK, click Close.

Now reboot and look out for any Sendmail or Exim error messages on start-up. Once you have logged in the Exim Monitor should start up automatically.

Page 21

- A Test Email Using the Default Config -

Now Exim is running we can send ourselves a test e-mail from the command line.

First open up a Terminal (The Linux equivalent of a DOS Prompt) then type:

mail [email protected] <enter>
type your subject <enter>
type your message <enter>
<a deliberate blank line here> <enter>
CTRL-D <hold CTRL and press D>
<ignore the “CC:” prompt> <enter>

NOTE: DON'T FORGET A BLANK LINE BEFORE THE CTRL-D

On the Monitor screen you should now see your message being processed.

If you would prefer to use a program rather than the command line to send messages during testing, or couldn't figure out how to do it via the command line, you can always use one of the following programs configured for a local mailbox to send email using the “root” account.

Evolution or the excellent Mozilla Thunderbird can be used by using:

Applications > Internet > Email for Evolution or
Applications > Internet > Thunderbird Email for Thunderbird

Page 22

- Test SMTP connectivity from Exim to Exchange -

From the Exim box, open up a terminal and type:

telnet exch1.exch1.exch1.exch1 25 <enter>

to telnet to your exchange server on port 25 (SMTP)

NOTE: Replace “exch1.exch1.exch1.exch1” with the IP Address or the hostname of your exchange server

You should get a response similar to the following:

Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at Thu, 10 Feb 2005 11:18:41 +0000

If it worked type:

quit <enter>

to close the connection, then continue on to the next section.

If it didn't work:

Make sure both machines can see each other and are not being blocked by a hardware or software firewall on either box.

If the firewall is running on the Exchange server, make sure the Mail (SMTP) service on port 25 is open, and accessible to the Exim box.

NOTE: If you are running a firewall that prevents Exim seeing the Exchange servers you may need a firewall rule such as:

Allow: exim.exim.exim.exim > exch1.exch1.exch1.exch1 : port 25 (SMTP)

Page 23

- Test SMTP connectivity from Exchange to Exim -

From the Exchange server, open up a DOS Prompt and type:

telnet exim.exim.exim.exim 25 <enter>

to telnet to your exim box on port 25 (SMTP)

NOTE: Replace “exim.exim.exim.exim” with the IP Address or the hostname of your Exim box

You should get a response similar to the following:

Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000

If it worked type:

quit <enter>

to close the connection, then continue on to the next section.

If it didn't work:

Make sure both machines can see each other and are not being blocked by a hardware or software firewall on either box.

If the firewall is running on the Exim box, make sure the Mail (SMTP) service on port 25 is open.

RedHat Menu > Systems Settings > Security Level

NOTE: For troubleshooting purposes only, typing the following in a terminal will stop the IP Tables firewall if it is running.

service iptables stop <enter>

Page 24

- Test SMTP Relay from Exim to Exchange -

We will now create a message on the Exchange server from the Exim server, using exactly the same commands that an actual MTA (Mail Transfer Agent) such as Exim would use. (Yes, helo is meant to be spelt with one “l”.)

The commands we type are shown in yellow, and the server responses are shown in blue.

telnet exch1.exch1.exch1.exch1 25 <enter>

Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at Thu, 10 Feb 2005 11:18:41 +0000

helo senderdomain.com <enter>

250 senderdomain.com Hello [your ip address]

mail from: [email protected] <enter>

250 [email protected] Ok

rcpt to: [email protected] <enter>

250 [email protected]

Page 25

data <enter>

type your message <enter>

type a blank line <enter>

<type a single dot on its own line> < enter>

250 [Message-ID] Queued mail for delivery

quit <enter>

Hopefully your message will be accepted for relay and will arrive shortly.

COMMON ERRORS:

error 510 - The domain name you specified as the sender's domain does not exist.

error 503 - The recipient was specified before the sender.

error 550 - Relay Denied.

A “Relay Denied” message indicates that Exim is able to reach the SMTP service running on Exchange, but is not allowed to relay messages. To correct this, change the relay permissions in Exchange:

Exchange System Manager > Administrative Groups > Servers > Exchange Server > Protocols > SMTP > Default SMTP Virtual Server > Right Click > Properties > Access.

Check your settings for each of the following then restart the SMTP service:

Authentication (anonymous connections may need to be enabled)
Connection (Exim's IP Address may need to be added or removed)
Relay (Exim's IP Address may need to be added or removed)

Page 26

- Test SMTP Relay from Exchange to Exim -

We will now create a message on the Exim box from the Exchange server, using exactly the same commands that an actual MTA (Mail Transfer Agent) such as Exim would use. (helo is meant to be spelt with one “l”.)

The commands we type are in yellow, the server responses are in blue.

telnet exim.exim.exim.exim 25 <enter>

Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000

helo senderdomain.com <enter>

220 exim-hostname ESMTP Exim 4.xx
250 exim-hostname Hello your-hostname [your ip address]

mail from: [email protected] <enter>

250 Ok

rcpt to: [email protected] <enter>

250 Accepted

Page 27

data <enter>

type your message <enter>

type a blank line <enter>

<type a single dot on its own line> < enter>

250 OK [Message-ID]

quit <enter>

221 exim-hostname closing connection

Hopefully your message will be accepted for relay and will arrive shortly.

COMMON ERRORS:

error 510 - The domain name you specified as the sender's domain does not exist.

error 503 - The recipient was specified before the sender.

error 550 - Relay Denied.

A “Relay Denied” message indicates that Exchange is able to reach the SMTP service running on Exim, but is not allowed to relay messages. This means that your default Exim config will not allow relay. We will replace this config in the next section anyway.

Note: Repeating this test on the Exim server, from the Exim server, using 127.0.0.1 as the IP Address (the loop-back address), will prove that the server is working, but that relay permissions are denying remote connections.

Page 28

If you got this far, Congratulations!

If everything has worked so far, we have proved we have an ability to send messages backwards and forwards between the two servers, allowing Exim to act as a relay between the Internet and Exchange.

Depending on your previous experience, you may now know significantly more about sending messages over SMTP than you did before.

You have probably also figured out how easy it is for “spammers” to automate the generation of the millions of SPAM messages sent every day via poorly configured hosts. Exim can be extended to provide the basis of an excellent SPAM filtering solution when combined with SpamAssassin.

Most people will find the section we just completed on Network, Firewall, DMZ and LAN configuration more difficult than any of the other tasks in this paper. It should get easier from here.

Now the foundations are in place we will begin generating our own custom configuration.

Page 29

- Breakdown of the new Exim configuration -

The new Exim config will consist of the following files, all located in /etc/exim:

exim.conf                                    the master config file
exim-local-settings                          custom settings for this host
exim-accept-from-this-list-of-ip-addresses   allowed IP Addresses/Networks
exim-accept-from-this-list-of-domains        allowed domains
exim-redirect-mail-for-this-list-of-users    accounts to be redirected
exim-deliver-mail-to-this-list-of-servers    mail servers to deliver to/from

This may seem very elaborate for most installations, but the aim of this tutorial is to break everything down into small, bite-sized chunks that are as self-explanatory as possible.

- The Files -

/etc/exim/exim.conf

This will become our standard or “stock” config file that should never need changing once the initial settings have been made. Get this file right and you can drop it in every installation you make from here on.

/etc/exim/exim-local-settings

This file will contain any settings we want to make specific to this host. Later this file can be used to add some of the more advanced configuration options.

/etc/exim/exim-accept-from-this-list-of-ip-addresses

This file is used in addition to firewall rules to determine which hosts or networks are allowed to use the Exim Relay.

/etc/exim/exim-accept-for-this-list-of-domains

This file is used to determine which domains are allowed to use the Exim Relay.

/etc/exim/exim-redirect-mail-for-this-list-of-users

This file contains a list of email addresses to redirect, along with the e-mail address to redirect to. Useful for example when an employee is unexpectedly taken ill, or out of the office for a long period of time, e.g. maternity leave.

/etc/exim/exim-deliver-mail-to-this-list-of-servers

This file contains the actual list of servers to deliver messages to for each domain we relay for.

We will start with the simple config files first then move on to an explanation of the main exim.conf later.

NOTE: IN EACH OF THE FOLLOWING EXAMPLES SUBSTITUTE THE FICTIONALCOMPANY.COM INFORMATION WITH YOUR OWN NAMES, ADDRESSES AND DOMAINS.

Page 30: Jason Meers

- exim-local-settings -

NOTE: In this example we will make the following local settings.

Messages that arrive with a missing username or domain will be delivered to: it-manager@fictionalcompany.com

We are also going to change the default SMTP banner to hide specific version information from the casual observer. This is not foolproof, but makes us a less likely target for automated attacks.

We are also going to restrict the size of e-mails we will accept. The 15Mb limit will most likely give us a “real-life” attachment size of 9-10Mb (as the MIME encoding used to send the e-mail adds a significant increase in size to the original message).

The maximum number of SMTP connections has been reduced to 100 to stop the server running out of memory should someone try to kill it by making lots of incomplete connection attempts, draining resources.

# exim-local-settings

# avoid using this setting if possible
# exim will use the machine's hostname as default
#primary_hostname = exim.fictionalcompany.com

# if a message has no domain name after the "@" sign use:
qualify_domain = fictionalcompany.com

# if a message has no sender's name before the "@" use:
# "postmaster" or "administrator" are often used
qualify_recipient = it-manager

# Maximum message size AFTER encoding
message_size_limit = 15M

# Maximum number of incoming connections
smtp_accept_max = 100

# set smtp banner & hide version/type of mta from crackers
smtp_banner = fictionalcompany.com secure smtp server

- exim-accept-from-this-list-of-ip-addresses -

This file contains a list of IP addresses and/or networks that Exim will accept mail from, i.e. the hosts allowed to use the relay.

NOTE: Lines beginning with a # (hash sign) are comments and are ignored. Place your config on the lines under the comments; using tabs may improve the readability of the file.

If you choose to edit these files using a Windows PC and find problems with carriage returns at the end of each line, try using WinVi* or the Edit facility in WinSCP** instead of Windows Notepad.

PuTTY*** is also worth a mention for Windows administrators.

# /etc/exim/exim-accept-from-this-list-of-ip-addresses

# the local address of our server
127.0.0.1
exim.exim.exim.exim

# our internal network(s)
192.168.0.0/16
10.0.0.0/8

# our external network(s)
202.158.21.22/24
202.158.21.52/28

# our local firewall
fwall.fwall.fwall.fwall

# our local router
routr.routr.routr.routr

# exchange servers
exch1.exch1.exch1.exch1
exch2.exch2.exch2.exch2
exch3.exch3.exch3.exch3

# messagelabs servers
av1.av1.av1.av1
av2.av2.av2.av2

CIDR notation may be used in this file. For more info on CIDR notation see: http://www.webopedia.com/TERM/C/CIDR.html

*   WinVi  http://www.winvi.de/en/
**  WinSCP http://winscp.sourceforge.net
*** PuTTY  http://www.chiark.greenend.org.uk/~sgtatham/putty/

- exim-accept-from-this-list-of-domains -

List each domain we are going to relay for in this file.

# /etc/exim/exim-accept-from-this-list-of-domains

domain1.com
domain2.com
domain3.com

Simple as that.


- exim-redirect-mail-for-this-list-of-users -

List the e-mail address we want to be redirected, and the e-mail address we want to redirect it to.

# /etc/exim/exim-redirect-mail-for-this-list-of-users

[email protected]: [email protected]

[email protected]: [email protected]

[email protected]: [email protected]

[email protected]: [email protected]

[email protected]: [email protected]

[email protected]: [email protected]

Each entry is the address to redirect, followed by a colon (:) and at least one space, then the new address.

Using tabs will make this file more readable.

As a general rule:

● Use the Exim server to manage redirections to different mailboxes
● Use your Exchange server to manage multiple aliases of the same mailbox

- exim-deliver-mail-to-this-list-of-servers -

List the domains we want to deliver to, followed by the hostname or IP address of the server we want them delivered to.

# /etc/exim/exim-deliver-mail-to-this-list-of-servers

# example by hostname
fictionalcompany.com: exchange.fictionalcompany.com

# example by ip address
domain1.com: exch1.exch1.exch1.exch1
domain2.com: exch2.exch2.exch2.exch2
domain3.com: exch3.exch3.exch3.exch3

# example of fallback server
# 10.1.1.1 is main server
# 10.2.2.2 is fallback server
domain4.com: 10.1.1.1:10.2.2.2

Each entry is the domain, followed by a colon (:) and at least one space, then the server(s).

Using tabs will make this file more readable.

As a general rule:

● Use IP addresses instead of hostnames wherever possible
● Only list domains you wish to route internally here; if a match is found it is acted on literally and delivered directly.

- exim.conf -

This is the main configuration file used by Exim.

This is a basic version with no local or 3rd party mail scanning.

# /etc/exim/exim.conf

############# INITIAL SETTINGS #######################
# set some default values and read in config files
######################################################

.include /etc/exim/exim-local-settings

domainlist relay_to_domains = /etc/exim/exim-accept-from-this-list-of-domains

hostlist relay_from_hosts = /etc/exim/exim-accept-from-this-list-of-ip-addresses

domainlist local_domains =

acl_smtp_rcpt = acl_check_rcpt

never_users = root

############# ACCEPT SETTINGS ########################
# set rules for accepting messages here
######################################################
begin acl

acl_check_rcpt:

  accept hosts = :

  deny   local_parts = ^.*[@%!/|] : ^\\.

  accept local_parts = postmaster
         domains = +local_domains

  accept domains = +relay_to_domains
         endpass
         message = relay not permitted at this server
         verify = recipient

  accept hosts = +relay_from_hosts

  deny   message = relay not permitted at this server

############# ROUTER SETTINGS ########################
# set rules for selecting a transport
######################################################
begin routers

redirect:
  driver = redirect
  data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users}}

internal:
  driver = manualroute
  transport = remote_smtp
  route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-deliver-mail-to-this-list-of-servers}}

external:
  driver = dnslookup
  domains = ! +relay_to_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

############# TRANSPORT SETTINGS #####################
# set rules for delivery transports
######################################################
begin transports

remote_smtp:
  driver = smtp

We will break the file down into more manageable sections over the next few pages:

Section #1 of exim.conf – Initial Settings

# /etc/exim/exim.conf

############# INITIAL SETTINGS #######################
# set some default values and read in config files
######################################################

.include /etc/exim/exim-local-settings

domainlist relay_to_domains = /etc/exim/exim-accept-from-this-list-of-domains

hostlist relay_from_hosts = /etc/exim/exim-accept-from-this-list-of-ip-addresses

domainlist local_domains =

acl_smtp_rcpt = acl_check_rcpt

never_users = root

Section #1 is used to:

Read in the configuration stored in /etc/exim/exim-local-settings

Read in the list of allowed domains in /etc/exim/exim-accept-from-this-list-of-domains

Read in the list of allowed hosts in /etc/exim/exim-accept-from-this-list-of-ip-addresses

We don't have any local domains so this is set but left empty (local meaning a mailbox actually held and stored on the Exim server):
domainlist local_domains =

The default name for the access control list is “acl_check_rcpt”:
acl_smtp_rcpt = acl_check_rcpt

For security Exim must never run as the “root” user:
never_users = root

Section #2 of exim.conf – Accept Settings

############# ACCEPT SETTINGS ########################
# set rules for accepting messages here
######################################################
begin acl

acl_check_rcpt:

  accept hosts = :

  deny   local_parts = ^.*[@%!/|] : ^\\.

  accept local_parts = postmaster
         domains = +local_domains

  accept domains = +relay_to_domains
         endpass
         message = relay not permitted at this server
         verify = recipient

  accept hosts = +relay_from_hosts

  deny   message = relay not permitted at this server

Accept e-mails created locally (empty sender host):
  accept hosts = :

Do not accept mail with *possibly* dangerous characters:
  deny   local_parts = ^.*[@%!/|] : ^\\.

Accept anything for the postmaster at local domains:
  accept local_parts = postmaster
         domains = +local_domains

Accept anything for domains we are a relay for, or reply with an “error 550 Relay not permitted at this server” message:
  accept domains = +relay_to_domains
         endpass
         message = relay not permitted at this server
         verify = recipient

Accept anything from allowed IP addresses:
  accept hosts = +relay_from_hosts

Otherwise reply with an “error 550 Relay not permitted at this server” message. If not explicitly accepted by any other section, deny for relay:
  deny   message = relay not permitted at this server
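To see the relay policy this ACL actually enforces, the following Python model (an added example, not code from the paper or from Exim) evaluates constructed RCPT TO attempts in the ACL's own order. The list file contents, the connecting host addresses and the verify_recipient stand-in for the live recipient check are all assumptions made for the example.

```python
"""Model of the acl_check_rcpt ACL above, evaluated over constructed RCPT TO attempts.

Added example, not code from the paper or from Exim: it reproduces the decision
order of the ACL (empty host for local submission, dangerous local-part
characters, postmaster at local domains, relay_to_domains with recipient
verification, relay_from_hosts, final deny) so the relay policy can be checked
before the config goes live.
"""
import ipaddress
import re

# Constructed stand-ins for the two list files (one item per line, '#' comments)
RELAY_FROM_HOSTS = """
# the local address of our server
127.0.0.1
# our internal network(s)
192.168.0.0/16
10.0.0.0/8
"""
RELAY_TO_DOMAINS = """
domain1.com
domain2.com
domain3.com
"""
LOCAL_DOMAINS = []  # "domainlist local_domains =" is deliberately empty in the tutorial

# deny local_parts = ^.*[@%!/|] : ^\\.   -- each colon-separated item is a regex
DANGEROUS_LOCAL_PARTS = [re.compile(r"^.*[@%!/|]"), re.compile(r"^\.")]


def read_list(text):
    """Return the non-blank, non-comment items of an Exim list file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def host_in_list(host, items):
    """hostlist match for plain addresses and CIDR networks (hostnames left out)."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(item, strict=False) for item in items)


def verify_recipient(local_part, domain, known):
    """Stand-in for 'verify = recipient': a constructed set of known mailboxes
    replaces the verification Exim would perform for the address (routing it,
    plus a callout to the listed server if one is configured)."""
    return f"{local_part}@{domain}".lower() in known


def acl_check_rcpt(sender_host, local_part, domain, known_recipients=frozenset()):
    """Return ("accept", reason) or ("deny", message), following the ACL's order."""
    domain = domain.lower()
    if sender_host == "":                                   # accept hosts = :
        return "accept", "local submission"
    if any(r.search(local_part) for r in DANGEROUS_LOCAL_PARTS):    # deny local_parts = ...
        return "deny", "restricted characters in local part"
    if local_part == "postmaster" and domain in LOCAL_DOMAINS:      # accept local_parts = postmaster
        return "accept", "postmaster at local domain"
    if domain in read_list(RELAY_TO_DOMAINS):               # accept domains = +relay_to_domains
        if verify_recipient(local_part, domain, known_recipients):  # endpass / verify = recipient
            return "accept", "relay_to_domains, recipient verified"
        return "deny", "relay not permitted at this server"
    if host_in_list(sender_host, read_list(RELAY_FROM_HOSTS)):      # accept hosts = +relay_from_hosts
        return "accept", "relay_from_hosts"
    return "deny", "relay not permitted at this server"             # final deny
```

An outside host asking the relay to deliver to a domain that is neither listed nor verified is refused, while a LAN host on the relay_from_hosts networks may send outbound mail anywhere.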


Section #3 of exim.conf – Router Settings

############# ROUTER SETTINGS ########################
# set rules for selecting a transport
######################################################
begin routers

redirect:
  driver = redirect
  data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users}}

internal:
  driver = manualroute
  transport = remote_smtp
  route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-deliver-mail-to-this-list-of-servers}}

external:
  driver = dnslookup
  domains = ! +relay_to_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

The REDIRECT mail router
Process all of our user redirections, as listed in the file:

/etc/exim/exim-redirect-mail-for-this-list-of-users

redirect:
  driver = redirect
  data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-redirect-mail-for-this-list-of-users}}

The INTERNAL mail router
Process all of our internal deliveries, as listed in the file:

/etc/exim/exim-deliver-mail-to-this-list-of-servers

internal:
  driver = manualroute
  transport = remote_smtp
  route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-deliver-mail-to-this-list-of-servers}}

The EXTERNAL mail router
Process all of our external deliveries.

Two possible external routers are shown.

The first is normal, straight delivery via MX records, and the second is via a third party scanning service or appliance such as MessageLabs or SurfControl RiskFilter.

NOTE: You may only use one of the EXTERNAL routers shown below.

Option 1: straight delivery via MX records
external:
  driver = dnslookup
  domains = ! +relay_to_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

Option 2: third party scanning service
external:
  driver = manualroute
  domains = ! +relay_to_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  route_list = * mail19.messagelabs.com
  no_more
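To follow how one recipient moves through the three routers, this Python model (an added example, not the paper's or Exim's own code) applies the redirect, internal and external routers in turn over constructed lookup files and returns the decision in the shape exim -bt prints it. The addresses, server IPs and the *.domain2.com partial-match entry are constructed and go beyond the page's exact-match entries; the MessageLabs host is the page's Option 2 target.

```python
"""Model of the three routers in Section #3, run over constructed lookup files.

Added example, not code from the paper or from Exim: it walks a recipient
through redirect (lsearch on local_part@domain), internal (manualroute with a
partial-lsearch on the domain, including the 'main:fallback' host list) and
external, returning the decision in the shape 'exim -bt' prints it.
"""

# Constructed contents of /etc/exim/exim-redirect-mail-for-this-list-of-users
REDIRECTS = """
# colleague covering for someone on leave
alice@domain1.com: bob@domain1.com
"""

# Constructed contents of /etc/exim/exim-deliver-mail-to-this-list-of-servers
ROUTES = """
# example by ip address
domain1.com: 10.1.1.11
domain2.com: 10.1.1.12
# partial-lsearch also matches sub-domains written with a '*.' prefix
*.domain2.com: 10.1.1.12
# example of fallback server: main server first, fallback second
domain4.com: 10.1.1.1:10.2.2.2
"""

# Constructed contents of /etc/exim/exim-accept-from-this-list-of-domains
RELAY_TO_DOMAINS = {"domain1.com", "domain2.com", "domain3.com", "domain4.com"}
SCANNING_HOST = "mail19.messagelabs.com"  # Option 2: route_list = * mail19.messagelabs.com


def lsearch(text):
    """Parse 'key: value' lines (the layout both list files use) into a dict."""
    table = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        key, _, value = ln.partition(":")
        table[key.strip().lower()] = value.strip()
    return table


def partial_lsearch(table, domain):
    """partial-lsearch: the full key first, then '*.'-prefixed keys with the
    leftmost labels dropped one at a time while at least two labels remain."""
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = "*." + ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def route(address, scanning=False, _seen=()):
    """Return (final_address, router_name, hosts) for one recipient address."""
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()

    # Router 1: redirect -- rewrite the address and run it through the routers again
    target = lsearch(REDIRECTS).get(f"{local_part.lower()}@{domain}")
    if target:
        if target.lower() in _seen:  # a -> b -> a would otherwise never terminate
            return address, None, []
        return route(target, scanning, _seen + (address.lower(),))

    # Router 2: internal -- manualroute; a failed lookup makes the router decline
    hosts = partial_lsearch(lsearch(ROUTES), domain)
    if hosts:
        return address, "internal", hosts.split(":")

    # Router 3: external -- only domains we do NOT relay for; no_more stops here
    if domain in RELAY_TO_DOMAINS:
        return address, None, []  # relay domain with no server listed: unrouteable
    if scanning:
        return address, "external", [SCANNING_HOST]           # Option 2: manualroute
    return address, "external", ["MX lookup for " + domain]   # Option 1: dnslookup
```

A domain that is in the relay list but missing from the server list is the case the page warns about on the deliver-to file: the internal router declines, the external router refuses relay domains, and the address cannot be routed.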


Section #4 of exim.conf – Transport Settings

############# TRANSPORT SETTINGS #####################
# set rules for delivery transports
######################################################
begin transports

remote_smtp:
  driver = smtp

We only have one transport defined here, remote_smtp:

remote_smtp:
  driver = smtp

- Create our new config -

Now you understand the contents of our Exim configuration we can start to build our own.

Using the previous pages as an example, create your new config by editing or creating all of the following files, replacing the FictionalCompany.com details with your own.

You may want to get the following details ready before creating the new config:

Exim Server IP Address          : ___.___.___.___
Exchange Server IP Address      : ___.___.___.___
Firewall IP Address             : ___.___.___.___
Router IP Address               : ___.___.___.___
Our local network(s)            : ___.___.___.___/__   (one line per network)
Our external network(s)         : ___.___.___.___/__   (one line per network)
Scanning Appliances (optional)  : ___.___.___.___      (one line per appliance)
Scanning Services (optional)    : ___.___.___.___/__   (one line per service)

- Option 1: Straight delivery via MX records -

NOTE: Be sure to include the correct section for your “external” router in /etc/exim/exim.conf.

Your new Exim config will consist of the following files, all located in /etc/exim:

exim.conf                                     the master config file
exim-local-settings                           custom settings for this host
exim-accept-from-this-list-of-ip-addresses    allowed IP Addresses/Networks
exim-accept-from-this-list-of-domains         allowed domains
exim-redirect-mail-for-this-list-of-users     accounts to be redirected
exim-deliver-mail-to-this-list-of-servers     mail servers to deliver to/from

Once you have created your new config, reboot and we will test it.

---

We repeat the tests we performed earlier before committing our changes.

● Test SMTP relay from Exim to Exchange
● Test SMTP relay from Exchange to Exim

If everything works correctly we can make Exim the default “smarthost” for all outbound mail sent from Outlook and Exchange.

NOTE: At this point we have moved from testing to going live; some users may be more comfortable performing the next steps out of hours or during weekends.

The “smarthost” facility in Exchange can be set from:

Exchange System Manager > Administrative Groups > Servers > Exchange Server > Protocols > SMTP > Default SMTP Virtual Server > Right Click > Properties > Delivery > Advanced > Smart Host.

The smarthost would normally be entered as an IP address rather than as a hostname.

Exchange requires you to put square brackets around the IP address if you intend to use the IP literally, e.g. [192.168.1.1].

The Default SMTP Virtual Server will need to be restarted for this to take effect.

If everything works correctly after the SMTP Virtual Server restart we will have proved that outbound mail is being processed correctly by Exim.

The only thing left to do is to make Exim the default server for inbound mail by making changes on your firewall, or by asking your ISP to add or modify your DNS records to set your new Exim SMTP server as the lowest priority server for inbound e-mail (the lowest priority number has the highest preference on MX records).

Now when mail is delivered to your domain the MX record should point at Exim, not Exchange, hence Exim will receive the mail, not Exchange.

In practice you could either:

● Change your one-to-one NAT settings to point at Exim instead of Exchange (requires changes to your NAT settings on the main firewall).

● Put Exim on its own IP address in the DMZ and change your MX records (requires changes to the DNS records held by your ISP).

● Replace Exchange by putting Exim on Exchange's old IP address in the DMZ (requires changing your Exchange server's IP address).

Some of these changes may require you to modify settings on your main firewall.

Some of these changes may require you to modify the DNS settings for your domain.

DNS changes can take between 24 and 48 hours to propagate and may be best done over a weekend.

- Option 2: Third party scanning -

NOTE: Be sure to include the correct section for your “external” router in /etc/exim/exim.conf.

The following line must be adjusted to reflect your scanning service or appliance.

e.g.
route_list = * mail19.messagelabs.com

would become
route_list = * av1.av1.av1.av1

(Remember to replace “av1.av1.av1.av1” with the IP address of your scanning service or appliance.)

Your new Exim config will consist of the following files, all located in /etc/exim:

exim.conf                                     the master config file
exim-local-settings                           custom settings for this host
exim-accept-from-this-list-of-ip-addresses    allowed IP Addresses/Networks
exim-accept-from-this-list-of-domains         allowed domains
exim-redirect-mail-for-this-list-of-users     accounts to be redirected
exim-deliver-mail-to-this-list-of-servers     mail servers to deliver to/from

Once you have created your new config, reboot and we will test it.

---

We repeat the tests we performed earlier before committing our changes.

● Test SMTP relay from Exim to Exchange
● Test SMTP relay from Exchange to Exim

Additionally in this config we need to:

● Test SMTP relay from Exim to your Scanning Service or Appliance
● Test SMTP relay from your Scanning Service or Appliance to Exim

If everything works correctly we can make Exim the default “smarthost” for all outbound mail sent from Outlook and Exchange.

NOTE: At this point we have moved from testing to going live; some users may be more comfortable performing the next steps out of hours or during weekends.

The “smarthost” facility in Exchange can be set from:

Exchange System Manager > Administrative Groups > Servers > Exchange Server > Protocols > SMTP > Default SMTP Virtual Server > Right Click > Properties > Delivery > Advanced > Smart Host.

The smarthost would normally be entered as an IP address rather than as a hostname.

Exchange requires you to put square brackets around the IP address if you intend to use the IP literally, e.g. [192.168.1.1].

The Default SMTP Virtual Server will need to be restarted for this to take effect.

If everything works correctly after the SMTP Virtual Server restart we will have proved that outbound mail is being processed correctly by Exim.

The only thing left to do is to make Exim the default server for inbound mail by making changes on your firewall, or by asking your ISP to add or modify your DNS records to set your new Exim SMTP server as the lowest priority server for inbound e-mail (the lowest priority number has the highest preference on MX records).

Now when mail is delivered to your domain the MX record should point at Exim, not Exchange, hence Exim will receive the mail, not Exchange.

In practice you could either:

● Change your one-to-one NAT settings to point at Exim instead of Exchange (requires changes to your NAT settings on the main firewall).

● Put Exim on its own IP address in the DMZ and change your MX records (requires changes to the DNS records held by your ISP).

● Replace Exchange by putting Exim on Exchange's old IP address in the DMZ (requires changing your Exchange server's IP address).

Some of these changes may require you to modify settings on your main firewall.

Some of these changes may require you to modify the DNS settings for your domain.

DNS changes can take between 24 and 48 hours to propagate and may be best done over a weekend.

- Going live -

In normal use, Eximon should be used to view all inbound and outbound mail on the queue.

---

The following commands are also useful for monitoring the queue and can be used remotely over SSH (or PuTTY on a Windows PC).

exim -bp <enter>

exim -bp | exiqsumm <enter>

Additionally you can test how Exim will handle individual addresses by using the -bt option.

For example, to see how Exim would handle a message to [email protected] you would type:

exim -bt [email protected] <enter>

Giving a reply such as:

[email protected]
  router = external, transport = remote_smtp
  host mail19.messagelabs.com [193.109.254.3]
  host mail19.messagelabs.com [212.125.75.19]

NOTE: Once Exim has replaced Exchange as the SMTP gateway for your network, Exchange can be pulled back onto the LAN (if it wasn't already) where it can benefit from the same security as your other private servers.

- Troubleshooting -

If you have any problems once your Exim SMTP Relay is in place check the following:

● DNS & Host records held by your ISP

● DNS settings and Host files on the local server

● Access rules on your main network firewall.

● Access rules on your operating system.

● Access control and relay settings on your mail servers

● Exim Config files

Then check the Exim FAQ located at:

www.exim.org

Then check the Exim mailing lists at:

www.exim.org

For general questions about this tutorial (not specific errors, they belong on the mailing list), feel free to contact me with as much info as possible on:

[email protected]

I will answer as many questions as time allows, but please be patient as my day-to-day job takes priority over any Exim related questions.

- Common Mistakes and How to Avoid Them -

Sendmail and Exim

On many systems Exim *pretends* to be Sendmail, hence:

/etc/sysconfig/exim should be /etc/sysconfig/sendmail
service exim restart should be service sendmail restart

Sendmail Updates overwrite Exim

Sometimes a Sendmail update will overwrite an Exim binary *pretending* to be Sendmail. We had to use the following script each time we ran RedHat Update on RHEL 2 & 3, to ensure Exim always replaced any updated Sendmail binaries.

up2date -uf
mv /usr/sbin/sendmail /usr/sbin/sendmail.old
chmod 0600 /usr/sbin/sendmail.old
ln -s /usr/exim/bin/exim /usr/sbin/sendmail

File Locations

In our examples Exim is always installed in:

/usr/sbin for the executable binary files and
/etc/exim for the configuration

However you may also find the following directories used:

/usr/exim/bin   (binaries when compiled from source)
/usr/exim       (config when compiled from source)
/etc/exim4      (config under Debian based distros e.g. Ubuntu)

Config files

● Upper case and lower case are important

● Check the presence of colons (:) in the config files

● Get dots and @ signs the correct way round. (I wasted a full day wondering what was wrong with my config.)

exim@fictionalcompany.com should have been exim.fictionalcompany.com if it represents a hostname.
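A small Python lint (an added example, not part of the original tutorial) that checks the list files for the mistakes listed above before Exim is restarted: Windows CR/LF line endings (the Notepad problem mentioned with the IP address list), a colon without a following space or tab, an @ where a dot was meant in a file that must hold hostnames, and option names in exim-local-settings that are not lower case. The file contents it runs over are constructed for the example.

```python
"""Lint for the 'Config files' pitfalls listed above, run over constructed file
contents. Added example, not part of the original paper."""

# Files whose entries are 'key: value' (the value itself may contain further colons,
# as in the 'main:fallback' server list)
COLON_FILES = {"exim-redirect-mail-for-this-list-of-users",
               "exim-deliver-mail-to-this-list-of-servers"}
# Files whose keys and values are domains, hostnames or addresses, never e-mail addresses
HOSTNAME_FILES = {"exim-deliver-mail-to-this-list-of-servers"}


def lint(name, content):
    """Return [(line_number, problem), ...]; line 0 means the whole file."""
    problems = []
    if "\r" in content:
        problems.append((0, "carriage returns present: save with Unix (LF) line endings"))
    for n, raw in enumerate(content.replace("\r", "").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if name == "exim-local-settings":
            # Exim option names are all lower case; Message_Size_Limit is unknown to it
            option = line.split("=", 1)[0].strip()
            if option != option.lower():
                problems.append((n, f"option name '{option}' must be lower case"))
            continue
        if name in COLON_FILES:
            key, sep, value = line.partition(":")
            if not sep or not value or not value[0].isspace() or not value.strip():
                problems.append((n, "entry must be 'key: value' (colon, then a space or tab)"))
                continue
        if name in HOSTNAME_FILES and "@" in line:
            problems.append((n, "'@' found where a hostname or IP address was expected"))
    return problems


# Constructed sample with all three mistakes: CR/LF endings, a missing space after the
# colon, and an '@' where a dot was meant (exim@fictionalcompany.com vs exim.fictionalcompany.com)
BAD_SERVERS = ("# example by ip address\r\n"
               "domain1.com:10.1.1.11\r\n"
               "fictionalcompany.com: exim@fictionalcompany.com\r\n"
               "domain4.com: 10.1.1.1:10.2.2.2\r\n")

# Constructed sample in the layout the page uses
GOOD_SERVERS = ("fictionalcompany.com: exchange.fictionalcompany.com\n"
                "domain4.com: 10.1.1.1:10.2.2.2\n")
```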


- Monitoring queues with Eximstate and Apache -

Eximstate is a fantastic tool that we use to report back to one central console.

An example is shown below.

We use this along with Apache to monitor every site from a single webpage.

For more information visit:

http://www.olliecook.net/projects/eximstate/


- Further reading & references -

Suggested further reading for extending the functionality of Exim with LDAP, virus and spam filtering capabilities.

Books

The Exim SMTP Mail Server: Official Guide for Release 4
Philip Hazel, UIT                      ISBN 0-9544529-0-9

LDAP System Administration
Gerald Carter, O'Reilly                ISBN 1-56592-491-6

SpamAssassin
Alan Schwartz, O'Reilly                ISBN 0-596-00707-8

Websites

Exim www.exim.org

MailScanner www.mailscanner.info

Clam-AV www.clamav.net

References

The official Exim reference has been used extensively. Many other useful pieces of information were also gleaned from:

securityfocus.net

and the SANS Institute, in particular the following documents:

Security Issues For Exchange 2000 Outlook Web Access Implementation
http://www.sans.org/rr/whitepapers/windows/975.php

Securing Web Based Corporate E-Mail Using Microsoft Exchange Outlook Web Access
http://www.sans.org/rr/whitepapers/email/575.php

Exchange 2000 Security an Overview
http://www.sans.org/rr/whitepapers/email/1360.php

- Thanks -

Thanks firstly to Philip Hazel and the University of Cambridge for giving Exim to the Open Source Community.

- Copyright -

All trademarks used in this document are the property of their respective owners.

- Licence -

This document is released under the Creative Commons Attribution-ShareAlike 2.0 licence.

Attribution-ShareAlike 2.0

You are free:

● to copy, distribute, display, and perform the work
● to make derivative works
● to make commercial use of the work

Under the following conditions:

Attribution. You must give the original author credit.

Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.

● For any reuse or distribution, you must make clear to others the license terms of this work.

● Any of these conditions can be waived if you get permission from the copyright holder.

Your fair use and other rights are in no way affected by the above.

This is a human-readable summary of the Legal Code (the full license).


- Liability -

The author accepts no liability for any damage or loss caused by the use of information contained in this document. While every effort has been made in the creation of this document, the author does not guarantee the accuracy of any of the information contained in this document. It is the reader's responsibility to decide for themselves if the information contained is accurate when deciding to follow the tutorial.

A test system that does not contain any important information or correspondence is recommended for following this tutorial.

The author also recommends that anyone wishing to follow the tutorial should purchase a separate domain name for the purpose of testing to ensure no business critical systems are affected.