EXIM
======
Enable TLS with Let's Encrypt certificates

See also https://otremba.net/wiki/Exim4_als_SMTP-Server_(Debian)
And above all the README.Debian.gz of exim4
And https://wiki.debian.org/PkgExim4UserFAQ
https://wiki.debian.org/PkgExim4

- First set up letsencrypt with Apache and certbot -> see below
- Then configure exim
  - ports 25, 587 with STARTTLS, port 465 with TLS directly on connect
    ## ALTERNATIVELY OMIT PORT 465 - ONLY FOR MS OUTLOOK!
  - /etc/exim4/exim4.conf.localmacros:
      MAIN_TLS_ENABLE = true
      tls_on_connect_ports = 465
  - /etc/default/exim4
      SMTPLISTENEROPTIONS='-oX 25:465:587 -oP /run/exim4/exim.pid'
  - Copy the letsencrypt certificates:
      sudo cp /etc/letsencrypt/live/schaelsick.de/fullchain.pem /etc/exim4/exim.crt
      sudo cp /etc/letsencrypt/live/schaelsick.de/privkey.pem /etc/exim4/exim.key
      sudo chown root:Debian-exim /etc/exim4/exim.crt /etc/exim4/exim.key
      sudo chmod 640 /etc/exim4/exim.key
      sudo chmod 640 /etc/exim4/exim.crt
      sudo systemctl restart exim4
  - All of the latter must be done after every successful renewal of the letsencrypt certificates!
    -> copy script to /etc/letsencrypt/renewal-hooks/deploy
- sudo update-exim4.conf
- sudo systemctl restart exim4

Create the SPF entry in DNS (per domain, with the correct IPs):
  TXT v=spf1 a mx ip4:161.97.65.134 ip6:2a02:c207:3006:1270::1/64 mx:mail.schaelsick.de ~all

iprev
- DNS and reverse lookup should match
- Ensure there is a reverse DNS entry for the hostname OR set
    MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.schaelsick.de
  (to a hostname with a proper PTR record)

DKIM
- create keys
  - openssl genrsa -out dkim_rsa.private.key 2048
  - openssl rsa -in dkim_rsa.private.key -out dkim_rsa.public.key -pubout -outform PEM
- create TXT entry in DNS:
    oct21._domainkey.schaelsick.de TXT IN v=DKIM1; p=; t=s:y
- edit /etc/exim4/exim4.conf.localmacros
    DKIM_DOMAIN = schaelsick.de
    DKIM_SELECTOR = oct21
    DKIM_PRIVATE_KEY = /etc/exim4/dkim_rsa.private.key
    DKIM_CANON = relaxed

DMARC:
- DNS entry:
  - create TXT entry in DNS:
      _dmarc.schaelsick.de TXT IN v=DMARC1; p=none; rua=mailto:dmarc-rua@schaelsick.de

Worth reading on Exim (full setup, send-only, Exim configuration, SPF in general):
https://www.linuxbabe.com/mail-server/postfix-send-only-multiple-domains-ubuntu
https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu
https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot
https://fanf2.user.srcf.net/
https://fanf2.user.srcf.net/hermes/doc/talks/2005-02-eximconf/paper.pdf
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_default_configuration_file.html
https://dev-notes.eu/2016/03/exim4-send-only-mailserver/
https://www.spfwizard.net/
http://server1.sharewiz.net/doku.php?id=exim4:selective_and_multiple_domain_dkim_with_exim
https://subhrajitnandy.wordpress.com/using-dkim-in-exim/
https://www.dnswatch.info/dkim/create-dns-record
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-exim
https://prodmarc.com/blog/what-is-dkim-its-best-practices/
https://lists.archive.carbon60.com/exim/users/110963
https://www.hostpapa.com/knowledgebase/list-useful-commands-manage-exim-mail-server/
https://forum.hestiacp.com/t/exim4-multiple-domains-letsencrypt/2742
https://kofler.info/dkim-konfiguration-fuer-postfix/

A bit on the current problems with "tainted" variables (untrusted data, which prevents file access, e.g. to certificates):
https://lists.exim.org/lurker/message/20201109.222746.24ea3904.en.html
https://www.exim.org/exim-html-4.95/doc/html/spec_html/ch-string_expansions.html

Testing: send an empty mail to check-auth@verifier.port25.com
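
The certificate copy steps from the TLS section, written as a script for /etc/letsencrypt/renewal-hooks/deploy (an added example, not part of the original notes). RENEWED_LINEAGE is the variable certbot passes to deploy hooks; the function name, its parameters and the staging through temporary files are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: certbot deploy hook for the Exim certificate steps.
# certbot sets RENEWED_LINEAGE (the live/<name> directory) for deploy hooks.
# The function name and its parameters are assumptions of this sketch.

# deploy_exim_cert LINEAGE_DIR DEST_DIR GROUP
deploy_exim_cert() {
    lineage=$1 dest=$2 group=$3

    # Refuse to deploy half a pair: both files must exist and be non-empty.
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done

    # Stage under temporary names (mktemp creates them with mode 600), so
    # the key is never more widely readable than intended and Exim never
    # opens a partially written file.
    tmpcrt=$(mktemp "$dest/exim.crt.XXXXXX") || return 1
    tmpkey=$(mktemp "$dest/exim.key.XXXXXX") || { rm -f "$tmpcrt"; return 1; }

    # chown is skipped when not running as root (e.g. a trial run in a
    # scratch directory); certbot itself runs the hook as root.
    if cat "$lineage/fullchain.pem" > "$tmpcrt" &&
       cat "$lineage/privkey.pem" > "$tmpkey" &&
       { [ "$(id -u)" -ne 0 ] || chown "root:$group" "$tmpcrt" "$tmpkey"; } &&
       chmod 640 "$tmpcrt" "$tmpkey" &&
       mv -f "$tmpkey" "$dest/exim.key" &&
       mv -f "$tmpcrt" "$dest/exim.crt"
    then
        return 0
    fi
    rm -f "$tmpcrt" "$tmpkey"
    return 1
}

# Run only when certbot calls the hook; restart Exim as the notes require.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_exim_cert "$RENEWED_LINEAGE" /etc/exim4 Debian-exim &&
        systemctl restart exim4
fi
```

A failed copy leaves the previous exim.crt and exim.key in place and makes the hook exit non-zero, so certbot reports the failure.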