joDoc

Enable TLS, mit lets encrypt certificates

Siehe auch https://otremba.net/wiki/Exim4_als_SMTP-Server_(Debian)
Und vor allem das README.Debian.gz von exim4
Und https://wiki.debian.org/PkgExim4UserFAQ https://wiki.debian.org/PkgExim4

- Erst letsencrypt einrichten mit Apache und certbot → siehe unten - Dann exim konfigurieren - ports 25, 587 mit STARTTLS, port 465 direkt ## ALTERNATIV PORT 465 WEGLASSEN - NUR FÜR MS OUTLOOK!

1. /etc/exim4/exim4.conf.localmacros:

MAIN_TLS_ENABLE = true

       tls_on_connect_ports = 465
   - /etc/default/exim4
       SMTPLISTENEROPTIONS='-oX 25:465:587 -oP /run/exim4/exim.pid'
   - Kopieren der letsencrypt certificates:
       sudo cp /etc/letsencrypt/live/schaelsick.de/fullchain.pem /etc/exim4/exim.crt
       sudo cp /etc/letsencrypt/live/schaelsick.de/privkey.pem /etc/exim4/exim.key
       sudo chown root.Debian-exim /etc/exim4/exim.crt /etc/exim4/exim.key
       sudo chmod 640 /etc/exim4/exim.key
       sudo chmod 640 /etc/exim4/exim.crt
       systemctl restart exim4
   - Alles letztere muss nach jedem erfolgreichen update der letsencrypt Zertifikate geschehen! 
       -> copy script to /etc/letsencrypt/renewal-hooks/deploy
- sudo update-exim4.conf 
- sudo systemctl restart exim4 

SPF Eintrag im DNS machen (je domain mit den richtigen IPs):

  TXT v=spf1 a mx ip4:161.97.65.134 ip6:2a02:c207:3006:1270::1/64 mx:mail.schaelsick.de ~all

iprev - DNS und reverse lookup should match

1. Ensure there is a reverse DNS for hostname OR

set MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.schaelsick.de (to hostname with proper PTR record)

DKIM - create keys

1. openssl genrsa -out dkim.privkey 2048
2. openssl rsa -in dkim_rsa.private.key -out dkim_rsa.public.key -pubout -outform PEM
3. create TXT entry in DNS: oct21._domainkey.schaelsick.de TXT IN

v=DKIM1; p=<public key from file>; t=s:y

1. edit /etc/exim4/exim4.conf.localmacros

DKIM_DOMAIN = schaelsick.de

     DKIM_SELECTOR = oct21
     DKIM_PRIVATE_KEY = /etc/exim4/dkim_rsa.private.key
     DKIM_CANON = relaxed

DMARC: - DNS Eintrag:

1. create TXT entry in DNS: _dmarc.schaelsick.de TXT IN

v=DMARC1; p=none; rua=mailto:dmarc-rua@schaelsick.de

Lesenswert zu Exim (volles Setup, nur senden, Exim Konfiguration, SPF allgemein):

https://www.linuxbabe.com/mail-server/postfix-send-only-multiple-domains-ubuntu
https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu
https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot
https://fanf2.user.srcf.net/
https://fanf2.user.srcf.net/hermes/doc/talks/2005-02-eximconf/paper.pdf
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_default_configuration_file.html
https://dev-notes.eu/2016/03/exim4-send-only-mailserver/
https://www.spfwizard.net/
http://server1.sharewiz.net/doku.php?id=exim4:selective_and_multiple_domain_dkim_with_exim
https://subhrajitnandy.wordpress.com/using-dkim-in-exim/
https://www.dnswatch.info/dkim/create-dns-record
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-exim
https://prodmarc.com/blog/what-is-dkim-its-best-practices/
https://lists.archive.carbon60.com/exim/users/110963
https://www.hostpapa.com/knowledgebase/list-useful-commands-manage-exim-mail-server/
https://forum.hestiacp.com/t/exim4-multiple-domains-letsencrypt/2742
https://kofler.info/dkim-konfiguration-fuer-postfix/
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-exim

Ein bisschen was zu den aktuellen Problemem mit „tainted“ Variablen (unsicheren Daten, die einen Dateizugriff, zB auf Zertifikate, verhindern):

https://lists.exim.org/lurker/message/20201109.222746.24ea3904.en.html
https://www.exim.org/exim-html-4.95/doc/html/spec_html/ch-string_expansions.html

TEsten: Leere mail an check-auth@verifier.port25.com