
Mailing List Archive: exim: users

Exim & Spamassassin at SMTP time

 

 



exim.ml at riotm

Mar 9, 2010, 2:40 AM

Post #1 of 10 (1085 views)
Permalink
Exim & Spamassassin at SMTP time

Good morning, this is my first post here so please be gentle with me.
Please accept my apologies for the length of the post. I've done some
research but get mixed, missing and contradictory views so I could use
some professional input.

For a few years I have been using Postfix largely because I inherited
the 'skills' from a support based role where it made up a large portion
of an anti-spam appliance I worked with.

Recently I've started to look for reasons to justifiably try Exim and
look at what it can do 'better' or 'differently' to Postfix.

I'm guessing this list is watched by Exim experts who are very
intelligent. Ultimately it comes from the Cambridge University stable
and I'm wondering if I can get a few quick 'yes'/'no' type answers to
help dispel some myths and give me a prod to install it and look at it.

I'm told that Exim has a steep learning curve and 'ordinary' admins
struggle with it when compared to Postfix - does anyone here hold a view
on that?

My cursory searches suggest that Spamassassin can be implemented with
Exim but I'm keen to know if it's possible to get Exim to reject
messages that Spamassassin scores at 'x' during the SMTP session {rather
than after accepting the message} Currently I can get Postfix to do this
but have to plug a slightly buggy and exploitable milter into it to do
this. I'd be very keen on an MTA that could do this easily - does Exim
tick this box?

I would like to make use of Bounce Address Tag Validation. I've seen it
in my logs but it appears that Postfix has only an experimental
milter/PD for this - does Exim have a solution for this and is it easy
to implement?
http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Postfix allows some basic header and body checking (but does not really
have an effective way to white list such rules) - does Exim have similar
or better features in this area?

As far as SASL goes with Exim, is it limited to Cyrus or can it use
Dovecot?

Can Exim support 'virtual' domains with this kind of scenario:
Accept mail for catchall [at] domai for virtual mailbox on the local machine
Accept mail for catchall [at] domai and relay to a final destination server
Accept mail for x.recipient [at] domain and deliver to local virtual mailbox
Accept mail for y.recipient [at] domain and relay to remote final
destination.

Can I get Exim to archive a copy of all mail that passes through it by
piping it to another indexing program?

How does Exim fare as far as DKIM signing / verification goes?

Finally, I'm guessing and taking as read Exim supports rejecting on
DNSBL's, missing/errors in PTR and invalid recipients (either by looking
to LDAP, a PostgreSQL or MySQL database)

I appreciate that this is a long post with lots of questions. I want to
be 'patriotic' and try an English MTA but need to be sure I'm not going
to get into several months of 'learning' to find that I've gone the
wrong way!

Kind regards
Daniel



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


mcn4 at leicester

Mar 9, 2010, 2:59 AM

Post #2 of 10 (1079 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

Hi,

Just a quick zoom through your questions:

On Tue, Mar 09, 2010 at 10:40:25AM +0000, exim.ml [at] riotm wrote:
> I'm told that Exim has a steep learning curve and 'ordinary' admins
> struggle with it when compared to Postfix - does anyone here hold a view
> on that?

I've been using it for over 10 years, and have never seriously
used anything else, but found it no problem to learn. But I guess
if you're moving from something else it may be harder. Exim has
definitely got more flexible over the years, which probably also
makes it harder - in some ways it's a programming system for
e-mail. However, the documentation is some of the best of any of
the software I use, it comes with a basic working config, and
examples are to be found all over the place.


> My cursory searches suggest that Spamassassin can be implemented with
> Exim but I'm keen to know if it's possible to get Exim to reject
> messages that Spamassassin scores at 'x' during the SMTP session {rather
> than after accepting the message} Currently I can get Postfix to do this
> but have to plug a slightly buggy and exploitable milter into it to do
> this. I'd be very keen on an MTA that could do this easily - does Exim
> tick this box?

Yes, easily. You could set it to, for example, reject messages
with a score over 10, and tag messages with a score over 5.

> I would like to make use of Bounce Address Tag Validation. I've seen it
> in my logs but it appears that Postfix has only an experimental
> milter/PD for this - does Exim have a solution for this and is it easy
> to implement?

Yes. Here at work I run BATV selectively - it only applies (and
checks) if the user is listed in a config file; you don't have to
run it for everyone.

> Postfix allows some basic header and body checking (but does not really
> have an effective way to white list such rules) - does Exim have similar
> or better features in this area?

You can check headers easily while mail is being handled, and
could accept/reject dependent on them (or even route mail
differently depending on the header contents, for example).

> As far as SASL goes with Exim, is it limited to Cyrus or can it use
> Dovecot?

Not sure about this - I do auth at home by having exim and dovecot
both look at the same passwd file, and at work by exim checking
the password with LDAP.

> Can Exim support 'virtual' domains with this kind of scenario:
> Accept mail for catchall [at] domai for virtual mailbox on the local machine
> Accept mail for catchall [at] domai and relay to a final destination server
> Accept mail for x.recipient [at] domain and deliver to local virtual mailbox
> Accept mail for y.recipient [at] domain and relay to remote final
> destination.

Yes.

> Can I get Exim to archive a copy of all mail that passes through it by
> piping it to another indexing program?

Yes.

> How does Exim fare as far as DKIM signing / verification goes?

As of the latest version, it's built in and works great. I've got
it running on my home system, and hope to add it to my work system
this year sometime.

> Finally, I'm guessing and taking as read Exim supports rejecting on
> DNSBL's, missing/errors in PTR and invalid recipients (either by looking
> to LDAP, a PostgreSQL or MySQL database)

Yes.

> I appreciate that this is a long post with lots of questions. I want to
> be 'patriotic' and try an English MTA but need to be sure I'm not going
> to get into several months of 'learning' to find that I've gone the
> wrong way!

I'm sure you won't find you've gone the 'wrong way' with exim (but
then, I can't really compare to anything else).

Hope that helps,

Matthew


--
Matthew Newton, Ph.D. <mcn4 [at] le>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp [at] le>
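
The "reject over 10, tag over 5" policy described in the reply above, as an added Exim configuration fragment; it is an example written for this archive page, not configuration from any poster in the thread. It assumes Exim built with content scanning (`WITH_CONTENT_SCAN=yes`), spamd listening on 127.0.0.1 port 783, and a hypothetical ACL name `acl_check_data`; the settings belong in the main and ACL sections of an existing configuration.

```exim
# Added example: constructed fragment, to be merged into an existing config.

# --- main configuration section ---
# Where Exim reaches spamd (address and port are assumptions).
spamd_address = 127.0.0.1 783
# Run the ACL below after the message body has been received but before
# Exim replies to the end of DATA. The ACL name is an assumption.
acl_smtp_data = acl_check_data

# --- ACL section ---
begin acl

acl_check_data:

  # Reject during the SMTP session when the score is over 10.
  # "nobody" is the user name handed to spamd. The ":true" suffix makes
  # the spam condition succeed whatever spamd's own threshold is, so the
  # decision rests on the explicit score test that follows.
  # $spam_score_int is the score multiplied by ten: 100 means 10.0.
  deny    message   = Message rejected as spam (score $spam_score)
          spam      = nobody:true
          condition = ${if >{$spam_score_int}{100}{1}{0}}

  # Tag, but still accept, anything scoring over 5.
  warn    spam       = nobody:true
          condition  = ${if >{$spam_score_int}{50}{1}{0}}
          add_header = X-Spam-Score: $spam_score ($spam_bar)

  accept
```

Because the `deny` fires before Exim acknowledges the message data, the sending server receives a 5xx response and this host never takes responsibility for the message, so it generates no bounce.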



chris+exim at qwirx

Mar 9, 2010, 3:04 AM

Post #3 of 10 (1075 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

Hi Daniel,

On Tue, 9 Mar 2010, exim.ml [at] riotm wrote:

> For a few years I have been using Postfix largely because I inherited
> the 'skills' from a support based role where it made up a large portion
> of an anti-spam appliance I worked with.
>
> Recently I've started to look for reasons to justifiably try Exim and
> look at what it can do 'better' or 'differently' to Postfix.

You may find this presentation (of mine) useful:

http://www.ws.afnog.org/afnog2009/sse/exim/afnog-2009-exim-presentation.pdf

In particular pages 5 and 6 say:

Why use Exim?

* Flexible (lots of features)
* Reasonably secure
* Reasonably scalable
* Good debugging options
* Sane configuration syntax

Why not to use Exim?

* Not every problem is a nail
* Simplicity? Use postfix or qmail
* Top security? Use qmail
* Faster delivery? Use postfix or sendmail
* Insane configuration file? Use sendmail
* Note: Exim is not designed for spooling large amounts of mail and not
very good at it

> I'm told that Exim has a steep learning curve and 'ordinary' admins
> struggle with it when compared to Postfix - does anyone here hold a view
> on that?

I think it is more difficult to use, because it's much more powerful than
any other MTA I can think of, and that makes it more complex to configure,
and hence more difficult to learn.

If postfix can do everything you want, then I suggest you stick with it
for simplicity. I assert that there is nothing that an MTA might usefully
do that Exim cannot do.

> My cursory searches suggest that Spamassassin can be implemented with
> Exim but I'm keen to know if it's possible to get Exim to reject
> messages that Spamassassin scores at 'x' during the SMTP session {rather
> than after accepting the message} Currently I can get Postfix to do this
> but have to plug a slightly buggy and exploitable milter into it to do
> this. I'd be very keen on an MTA that could do this easily - does Exim
> tick this box?

Yes: http://marc.merlins.org/linux/exim/sa.html

> I would like to make use of Bounce Address Tag Validation. I've seen it
> in my logs but it appears that Postfix has only an experimental
> milter/PD for this - does Exim have a solution for this and is it easy
> to implement? http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Yes:

http://www.exim-users.org/forums/showthread.php?t=51895
http://www.exim-users.org/forums/showthread.php?t=56425

> Postfix allows some basic header and body checking (but does not really
> have an effective way to white list such rules) - does Exim have similar
> or better features in this area?

Exim can apply any expression to the header and the body, including
applying regular expressions and lookups in the filesystem, LDAP and SQL
databases in any combination. The ACL syntax is basically a programming
language; I think it is Turing-complete. That's one reason why it's so
powerful and quite hard to learn.

> As far as SASL goes with Exim, is it limited to Cyrus or can it use
> Dovecot?

Exim uses saslauthd and apparently works with Dovecot:

http://wiki.exim.org/AuthenticatedSmtpUsingDovecot

> Can Exim support 'virtual' domains with this kind of scenario:
> Accept mail for catchall [at] domai for virtual mailbox on the local machine
> Accept mail for catchall [at] domai and relay to a final destination server
> Accept mail for x.recipient [at] domain and deliver to local virtual mailbox
> Accept mail for y.recipient [at] domain and relay to remote final
> destination.

Exim can do anything you can possibly imagine with virtual domains. You
might find the tutorial I posted above useful for this.

> Can I get Exim to archive a copy of all mail that passes through it by
> piping it to another indexing program?

You could, with a transport filter, but a carbon copy mailbox might be a
better way to archive copies of all mail, depending on what you want to
do.

> How does Exim fare as far as DKIM signing / verification goes?

http://wiki.exim.org/DKIM

> Finally, I'm guessing and taking as read Exim supports rejecting on
> DNSBL's, missing/errors in PTR and invalid recipients (either by looking
> to LDAP, a PostgreSQL or MySQL database)

Yes, see for example the presentation I posted earlier, and these:

http://www.exim.org/howto/rbl.html
http://www.gossamer-threads.com/lists/exim/users/77228
http://www.tty1.net/virtual_domains_en.html

> I appreciate that this is a long post with lots of questions. I want to
> be 'patriotic' and try an English MTA but need to be sure I'm not going
> to get into several months of 'learning' to find that I've gone the
> wrong way!

Please note that I answered all your questions in 15 minutes using Google.

Cheers, Chris.
--
_ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |



exim.ml at riotm

Mar 9, 2010, 3:17 AM

Post #4 of 10 (1077 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

SNIP FOR BANDWIDTH AND CLARITY

A big thank you to Chris and to Matthew for your responses. I'm liking
what I am seeing and need to stop being such a wuss and commit to learn
Exim.

No doubt I'll be coming back asking some idiot questions in due
course :-)

Again, serious thanks to you both for taking the time.




iane at sussex

Mar 9, 2010, 3:40 AM

Post #5 of 10 (1082 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

--On 9 March 2010 10:40:25 +0000 exim.ml [at] riotm wrote:

> Good morning, this is my first post here so please be gentle with me.
> Please accept my apologies for the length of the post. I've done some
> research but get mixed, missing and contradictory views so I could use
> some professional input.
>
> For a few years I have been using Postfix largely because I inherited
> the 'skills' from a support based role where it made up a large portion
> of an anti-spam appliance I worked with.
>
> Recently I've started to look for reasons to justifiably try Exim and
> look at what it can do 'better' or 'differently' to Postfix.
>
> I'm guessing this list is watched by Exim experts who are very
> intelligent.

Oh, absolutely!

> Ultimately it comes from the Cambridge University stable
> and I'm wondering if I can get a few quick 'yes'/'no' type answers to
> help dispel some myths and give me a prod to install it and look at it.
>
> I'm told that Exim has a steep learning curve and 'ordinary' admins
> struggle with it when compared to Postfix - does anyone here hold a view
> on that?

Exim may be a little harder to get started with. However, if you want to do
interesting things, then you'll probably find Exim more capable. I should
admit that I don't know much about postfix, though.

> My cursory searches suggest that Spamassassin can be implemented with
> Exim but I'm keen to know if it's possible to get Exim to reject
> messages that Spamassassin scores at 'x' during the SMTP session {rather
> than after accepting the message}

Yes, we do this, using spamd. Implementation is flexible within the
constraints of SMTP.

> Currently I can get Postfix to do this
> but have to plug a slightly buggy and exploitable milter into it to do
> this. I'd be very keen on an MTA that could do this easily - does Exim
> tick this box?



> I would like to make use of Bounce Address Tag Validation. I've seen it
> in my logs but it appears that Postfix has only an experimental
> milter/PD for this - does Exim have a solution for this and is it easy
> to implement?
> http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

<http://wiki.exim.org/BATV%20signed%20address> You'll need some
understanding of the Exim config file to implement this.

> Postfix allows some basic header and body checking (but does not really
> have an effective way to white list such rules) - does Exim have similar
> or better features in this area?

Exim has very flexible ways of checking headers. For example, you can match
any header against a regular expression, or a lookup list. Many of the
obvious things are already implemented.

> As far as SASL goes with Exim, is it limited to Cyrus or can it use
> Dovecot?

Sorry, I can't answer that question. I'd be surprised if you could not do
what you want here, though.

> Can Exim support 'virtual' domains with this kind of scenario:
> Accept mail for catchall [at] domai for virtual mailbox on the local machine
> Accept mail for catchall [at] domai and relay to a final destination server
> Accept mail for x.recipient [at] domain and deliver to local virtual mailbox
> Accept mail for y.recipient [at] domain and relay to remote final
> destination.

Yes, you can do all those things. However, you'd be advised against using
catchall mailboxes. It's probably better to use plus-addressing if you want
to assign a range of addresses in advance.

> Can I get Exim to archive a copy of all mail that passes through it by
> piping it to another indexing program?

Yes, you can define a shadow transport that does a second delivery of
email. It can be through a pipe. However, you'll find that the log facility
will save all the data that is legal to intercept under UK law.

> How does Exim fare as far as DKIM signing / verification goes?

It's implemented. I'm not currently using it.

> Finally, I'm guessing and taking as read Exim supports rejecting on
> DNSBL's, missing/errors in PTR and invalid recipients (either by looking
> to LDAP, a PostgreSQL or MySQL database)

yes, all of those are possible.

> I appreciate that this is a long post with lots of questions. I want to
> be 'patriotic' and try an English MTA but need to be sure I'm not going
> to get into several months of 'learning' to find that I've gone the
> wrong way!
>
> Kind regards
> Daniel

Looking at <http://www.postfix.org/features.html>, there's a couple of
things that Exim doesn't support:
QMQP, Milters, plug-ins.

For Milters, you'd use Exim ACLs. My understanding is that ACLs are rather
easier to work with. Indeed, your reference to a 'buggy' milter confirms
this. It suggests that a lot of effort would be required to fix the bugs,
and that's hard to imagine with ACLs.

Plugins? Well, Exim can call perl scripts, but I've never seen the need for
my installation. Quite often an alternative solution exists without resort
to perl.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/



iane at sussex

Mar 9, 2010, 3:42 AM

Post #6 of 10 (1079 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

--On 9 March 2010 12:04:32 +0100 Chris Wilson <chris+exim [at] qwirx> wrote:

> * Top security? Use qmail

Unless losing email is a security problem to you. I had a virtual server
with small amounts of RAM. When qmail ran out of RAM (as it would with
maximum parallelization of deliveries), it would just throw away what it
could not deliver. Ugly.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/



toby-exim at bryans

Mar 9, 2010, 3:49 AM

Post #7 of 10 (1075 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

On Tue, Mar 09, 2010 at 11:17:41AM +0000, exim.ml [at] riotm wrote:
> A big thank you to Chris and to Matthew for your responses. I'm liking
> what I am seeing and need to stop being such a wuss and commit to learn
> Exim.

Just a quick point, but when I first learned exim I found Philip's
book to be invaluable:

http://www.amazon.co.uk/Exim-SMTP-Mail-Server-Official/dp/0954452976/ref=sr_1_1?ie=UTF8&s=books&qid=1268135137&sr=8-1

It is a little out of date now but the fundamentals are there and it
will help you to know what to search for in the online documentation :).

Also, when you ask about doing virtual hosting one possible solution is
to use virtual exim. It's been a bit quiet recently but the current
solution works well and it looks like there may well be some people
developing it further. It consists of exim configuration files, a
database schema and some php scripts for administration so it plugs into
any installation of exim very easily. There are of course, plenty of
other ways to implement this!

--
Toby



mcn4 at leicester

Mar 9, 2010, 4:38 AM

Post #8 of 10 (1076 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

On Tue, Mar 09, 2010 at 11:40:20AM +0000, Ian Eiloart wrote:
> > Can Exim support 'virtual' domains with this kind of scenario:
> > Accept mail for catchall [at] domai for virtual mailbox on the local machine
> > Accept mail for catchall [at] domai and relay to a final destination server
> > Accept mail for x.recipient [at] domain and deliver to local virtual mailbox
> > Accept mail for y.recipient [at] domain and relay to remote final
> > destination.
>
> Yes, you can do all those things. However, you'd be advised
> against using catchall mailboxes. It's probably better to use
> plus-addressing if you want to assign a range of addresses in
> advance.

Agreed - catchall addresses will mean you have more spam to deal
with, and someone who gets your address wrong by mistake won't
know that you might delete it without reading it (because of the
spam). That's one reason anyway.

My home mail is too complex, but gives an idea of what is
possible. Because of the complexity, I might have got this a bit
wrong, but in essence:

For each local address, it looks up in a text table to see if the
domain is local, and also see if there is a "folder name"
associated with that domain. If so, that returns the name of an
'aliases' file for that domain.

The aliases file is then looked up, to see what local user (or
remote address) the mail should be delivered to. If remote, it is
sent on.

For local users, if the local part is plain, it is delivered to
their inbox.

If the local part has a suffix (e.g. matthew-exim), then Exim will
look in their Maildir and see if a sub-folder of the suffix name
(here, "exim") exists under the previously looked up "folder name"
for that domain.

If this sub-folder exists, the mail is delivered there, otherwise
the mail is rejected (at SMTP time).

This allows users (OK, my Wife and I!) to create an IMAP folder in
the mail client, and then an e-mail address is automatically
created to drop mail into that folder. Delete the folder, the
address goes away.

I wouldn't necessarily recommend this, but exim makes it possible;
not just to do the delivery into weird folders, but to do it when
receiving the mail, so that it can be rejected at SMTP time if it
can't be delivered and not bounce.

Cheers,

Matthew


--
Matthew Newton, Ph.D. <mcn4 [at] le>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp [at] le>



tlyons at ivenue

Mar 9, 2010, 9:01 AM

Post #9 of 10 (1066 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

On Tue, Mar 9, 2010 at 3:17 AM, exim.ml [at] riotm <exim.ml [at] riotm> wrote:
> SNIP FOR BANDWIDTH AND CLARITY
>
> A big thank you to Chris and to Matthew for your responses. I'm liking
> what I am seeing and need to stop being such a wuss and commit to learn
> Exim.
>
> No doubt I'll be coming back asking some idiot questions in due
> course :-)

There are a couple of changes in thought patterns that you'll want to make:
1. You have control of each phase of the smtp dialogue. If you've
ever written a milter, this will make perfect sense to you. (Note
that a queue-id doesn't get created until the data phase.)
2. The exim specification manual is a reference, not a howto. It
gives you technical specifications on everything. It is one of the
best written references I've ever seen regarding an email product.
For me the most useful chapters have been 3, 6, 7, 11, and 40, and I
most frequently reference 11 and 40.
3. Someone else mentioned "The Exim SMTP mail server" book written by
Philip Hazel. I cannot recommend this enough, it is fantastic.

--
Regards... Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm. -- Marcus Aurealius



eximusers at downhill

Mar 9, 2010, 10:31 AM

Post #10 of 10 (1060 views)
Permalink
Re: Exim & Spamassassin at SMTP time [In reply to]

exim.ml [at] riotm <exim.ml [at] riotm> wrote:
[...]
> As far as SASL goes with Exim, is it limited to Cyrus or can it use
> Dovecot?
[...]

Exim can do SMTP AUTH
... by looking up authentication data with one of its lookups (flat
file, *sql, etc.)
... by querying cyrus sasl
... by querying dovecot's auth backend.
etc.

cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

