
exim

Extract GZ archives and keep GZ

This command keeps the original GZ files intact and extracts each GZ file in the directory into a specific target directory:

for f in /var/log/exim4/mainlog.*.gz; do STEM=$(basename "${f}" .gz); gunzip -c "${f}" > /home/username/exim/logs/"${STEM}"; done

Exim LDAP filter

  • Add LDAP filter to /etc/exim4/exim4.conf
LDAP_AD_ANONYMOUS_S2 = LDAP_CONN \
  ldaps:///LDAP_AD_BASE_DN\
  ?mail?sub?\
  (&\
    (objectClass=user)\
    (proxyAddresses=SMTP:${quote_ldap:$sender_address_local_part}@*)\
    (|\
      (memberof:1.2.840.113556.1.4.1941:=CN=adgroup,OU=Administrative,OU=Structures,DC=office,DC=company,DC=com)\
      (proxyAddresses=smtp:pr@company.com)\
    )\
  )
  • Explanation of the LDAP filter:

    • LDAP_AD_ANONYMOUS_S2: This is a user-defined string expansion that makes a query to the LDAP server. LDAP_CONN is a macro that sets up an LDAP connection.
    • ldaps:///LDAP_AD_BASE_DN: It connects to the LDAP server securely (via LDAPS), at the domain set by the LDAP_AD_BASE_DN macro.
    • ?mail?sub?: It's looking for entries whose mail attribute contains the search string, and it's searching all levels below the base DN (i.e., using subtree scope, sub).
    • Include the users who have all of the following (&...):
      • They have objectClass as user
      • Their proxyAddresses attribute contains the local part of the sender address of the current email, prefixed with SMTP: and followed by any domain (denoted by @*).
      • Include the users who either (|...):
        • Are members of group "adgroup" based on transitive group membership, provided by memberof:1.2.840.113556.1.4.1941:. It means the users will be matched even if they are members of a nested group.
        • Have pr@company.com in their proxyAddresses.
  • Add ACL to /etc/exim4/exim4.conf

    acl_check_rcpt:
        accept
            condition = ${if eqi{${lookup ldap {LDAP_AD_ANONYMOUS_S2}}}{$sender_address}}

  • Explanation of the ACL:

    • acl_check_rcpt: This is where the ACL (access control list) check is happening.
    • condition = ${if eqi{${lookup ldap {LDAP_AD_ANONYMOUS_S2}}}{$sender_address}}: This is another user-defined string expansion that compares the result of the LDAP_AD_ANONYMOUS_S2 LDAP lookup with the sender’s email address in a case-insensitive manner. If they match, the email is accepted.
  • Run ldapsearch command to test LDAP connection

ldapsearch -LLL -H ldaps://dcserver.office.company.com:636 -D "username@company.com" -W -x -b "DC=office,DC=company,DC=com" -s sub '(&(objectClass=user)(proxyAddresses=SMTP:username@*)(|(memberof:1.2.840.113556.1.4.1941:=CN=adgroup,OU=Administrative,OU=Structures,DC=office,DC=company,DC=com)(proxyAddresses=smtp:pr@company.com)))' sAMAccountName

This confirms whether the sender passes the LDAP filter. The user should be a member of adgroup.
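The ldapsearch test above puts a literal local part into the filter, while the Exim macro wraps it in ${quote_ldap:...}. As an added example (not part of these notes), the script below applies the same RFC 4515 filter escaping to the local part before building the page's filter, so the test reflects what Exim sends when the sender address contains filter metacharacters; the group and base DNs are the placeholders from the page.

```shell
#!/bin/sh
# Added example, not from the original notes: escape a value before it is
# interpolated into an LDAP search filter (RFC 4515), mirroring the filter
# escaping that Exim's ${quote_ldap:} operator applies to
# $sender_address_local_part in the LDAP_AD_ANONYMOUS_S2 macro.
ldap_filter_escape() {
    # Backslash is escaped first so the escapes added afterwards are kept.
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Same filter as the page's ldapsearch test, with the local part escaped.
build_sender_filter() {
    lp=$(ldap_filter_escape "$1")
    printf '(&(objectClass=user)(proxyAddresses=SMTP:%s@*)(|(memberof:1.2.840.113556.1.4.1941:=CN=adgroup,OU=Administrative,OU=Structures,DC=office,DC=company,DC=com)(proxyAddresses=smtp:pr@company.com)))' "$lp"
}

# Constructed sample inputs: an ordinary local part, and one carrying filter
# metacharacters that would otherwise change the shape of the filter.
build_sender_filter 'username'; echo
build_sender_filter '*)(objectClass=*'; echo
```

The second call shows the metacharacters turned into \2a, \29 and \28, so they are matched literally instead of widening the query.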

  • Run curl to test the SMTP connection (because exim -bh could not test the LDAP filter)
echo "From: bogus@company.com
To: external@outlook.com
Subject: This is a test

This is body." | curl --insecure --verbose --ssl-reqd smtp://mailserver.company.com --mail-from username@company.com --mail-rcpt external@outlook.com --user 'username:password' --upload-file /dev/stdin
  • Explanation of the curl command:

    • From: bogus@company.com - message header From
    • To: external@outlook.com - message header To
    • smtp://mailserver.company.com - mail server that supports upgrading from clear-text to secure transfers
    • --mail-from username@company.com - envelope from
    • --mail-rcpt external@outlook.com - envelope to
    • --user 'username:password' - mail authentication

It's recommended to have access to external@outlook.com to confirm that the message passed through.

Exim replace From address

begin rewrite
myapp@myserver.mydomain   legal.user@myserver.mydomain   Ffrs

The flags have the following meanings:

  • F - Rewrite the envelope from field.
  • f - Rewrite the From: header field.
  • r - Rewrite the Reply-To: header field.
  • s - Rewrite the Sender: header field.

Exim replace From address (regexp)

/etc/exim4/exim4.conf

begin rewrite
\N^(?!.*?@bots\.company\.com).*$\N    server@bots.company.com    Ffrs
Note: \N is needed to suppress string expansion within the regular expression.

Exim send mail

Nothing is sent, but the incoming SMTP session is tested:

exim -bh 192.168.1.10 <<EOF >/home/user/exim-output.txt 2>&1
EHLO mailhost.domain1.ru
MAIL FROM: <sender@domain1.ru>
RCPT TO: <recipient@domain2.com>
DATA
From: sender@domain1.ru
To: recipient@domain2.com
Subject: TESTSUBJECT
TESTBODY
.
QUIT
EOF

Exim generate DKIM keys

cd /etc/exim/keys/
openssl genrsa -out private.key 2048
openssl rsa -in private.key -out public.key -pubout -outform PEM
You need to convert the public key into a single-line format suitable for DNS: take the part between the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines of public.key, join it into one line, and put it in a DNS TXT record. One-line format:
awk '!/^-----/ {sub(/\r/, ""); printf "%s", $0} END {print ""}' public.key
And add the key to your DNS using the following TXT record (make sure to update "p=" with your public key in one line format):
smarthost._domainkey.mydomain.io. IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIGfMA..."
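A single TXT string is limited to 255 octets, and the p= value of a 2048-bit key is longer than that, so the record has to be published as several quoted strings that resolvers concatenate. As an added example (not part of these notes), the script below builds the record from public.key in that form; it assumes the selector smarthost and domain mydomain.io from the record above and uses a constructed fake key instead of a real one.

```shell
#!/bin/sh
# Added example, not from the original notes: assemble the DKIM TXT record
# from the PEM public key written by the openssl commands above, splitting
# the value into <=255-character strings as DNS requires.
pem_to_oneline() {
    # Drop the BEGIN/END lines and join the base64 body into one line.
    grep -v '^-----' "$1" | tr -d '\r\n'
}

dkim_txt_record() {
    # $1 = selector, $2 = domain, $3 = path of the PEM public key
    body="v=DKIM1; h=sha256; k=rsa; p=$(pem_to_oneline "$3")"
    out=""
    while [ -n "$body" ]; do
        chunk=$(printf '%s' "$body" | cut -c1-255)
        out="$out \"$chunk\""
        body=$(printf '%s' "$body" | cut -c256-)
    done
    printf '%s._domainkey.%s. IN TXT%s\n' "$1" "$2" "$out"
}

# Constructed sample key (not a real key): four lines of 64 'A' plus 44 'B',
# a 300-character body that needs two TXT strings once the tags are added.
repeat_char() { s=""; i=0; while [ "$i" -lt "$2" ]; do s="$s$1"; i=$((i+1)); done; printf '%s' "$s"; }
SAMPLE_PEM=$(mktemp)
{
    echo '-----BEGIN PUBLIC KEY-----'
    for n in 1 2 3 4; do repeat_char A 64; echo; done
    repeat_char B 44; echo
    echo '-----END PUBLIC KEY-----'
} > "$SAMPLE_PEM"

dkim_txt_record smarthost mydomain.io "$SAMPLE_PEM"
```

Run it against the real public.key to get the record; the first string carries the v=, h= and k= tags plus the start of p=, and the remaining strings carry the rest of the key.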