A secure smarthost setup for Exim
February 24th, 2010 | by jim

A Linux/Unix server usually needs to be able to send email, even if only for internal reporting purposes. There’s no point in having a full-featured mail server for this, so you should configure the server to send messages via some other MTA, a “smarthost”. This could be one of your own machines, or perhaps it’s one belonging to your ISP.
Of course, when submitting to the smarthost you need to be able to differentiate yourself from spammers; this generally means you have to authenticate yourself. And if you’re doing that, it should be over an encrypted connection (SMTP AUTH mechanisms such as LOGIN and PLAIN only base64-encode the credentials, they do not protect them) and you should authenticate the smarthost too, otherwise anyone who can intercept the connection can collect your password by impersonating it. Let’s see a minimal Exim configuration that does just that …
# This is the Exim4 configuration for "leaf node".
# It provides the following behaviour :-
# • NO SMTP listeners
# • Local process submission only
# • NO local delivery
# • qualify_domain @mydomain.tld
# • /etc/aliases remapping
# • ALL mail sent to smarthost smarthost.tld
# •• with verified TLS and AUTH/LOGIN
# •• Whitelisted at smarthost

### Main

# No SMTP listeners is not a config item, it's based on daemon invocation.
# Debian packaged exim: update-exim4defaults --queuerunner queueonly
# (a queue runner only, no listening daemon)
qualify_domain = mydomain.tld

### Routers
begin routers

# Expand /etc/aliases entries, but only for our own domain, so that the
# local part of an address in some other domain is never rewritten.
etc_aliases:
  driver = redirect
  domains = mydomain.tld
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

# Send everything to a smarthost
send_to_smarthost:
  driver = manualroute
  route_list = * smarthost.tld
  transport = smarthost

### Transports
begin transports

smarthost:
  driver = smtp
  # Never fall back to a cleartext or an unauthenticated session.
  hosts_require_tls = smarthost.tld
  hosts_require_auth = smarthost.tld
  # Trust only the CA that issued the smarthost's certificate ...
  tls_verify_certificates = /etc/exim4/tls/smarthost-ca.crt
  # ... and make a failed verification fatal. From Exim 4.82 on, a bare
  # tls_verify_certificates only attempts verification (tls_try_verify_hosts
  # defaults to "*") and logs a failure; tls_verify_hosts restores the hard
  # fail. On releases older than 4.82 the option does not exist: drop this
  # line there, where verification was already mandatory once a CA was set.
  tls_verify_hosts = smarthost.tld

### Authenticators
begin authenticators

# LOGIN: the server prompts "Username:" then "Password:", so the first
# (initial-response) item is empty. "hide" keeps the secret out of the
# output of exim -bP for non-admin users.
smarthost_login:
  driver = plaintext
  public_name = LOGIN
  hide client_send = : MTAuserid : MTAuserpassword
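The following script is an added example and not code from the original post. It shows concretely what the LOGIN authenticator above puts on the wire (which is the reason the transport pins TLS before any AUTH is attempted), and it collects the pre-flight checks a practitioner would run on a freshly configured leaf node: no SMTP listener, everything routed to the smarthost, and the smarthost's certificate chain and name verified against the pinned CA file with AUTH offered only inside the TLS session. The host name, CA path and credential placeholders are the ones used in the configuration above; the "captured" transcript is constructed, not a real session.

```shell
#!/bin/sh
# Added example, not code from the original post.  Pre-flight checks for a
# leaf node configured as above.  Host name, CA path and the credential
# placeholders are the ones from the post's configuration; the transcript
# below is constructed, not a real capture.

SMARTHOST="smarthost.tld"
CAFILE="/etc/exim4/tls/smarthost-ca.crt"

# What "hide client_send = : MTAuserid : MTAuserpassword" puts on the wire:
# each non-empty item is base64-encoded and sent in answer to a 334
# challenge.  Base64 is encoding, not encryption, which is why the
# transport requires TLS for this host before any AUTH is attempted.
login_wire_response() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Constructed transcript of an AUTH LOGIN exchange done without STARTTLS,
# as a sniffer on the path would record it (C: client, S: server).
SAMPLE_TRANSCRIPT='C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: TVRBdXNlcmlk
S: 334 UGFzc3dvcmQ6
C: TVRBdXNlcnBhc3N3b3Jk
S: 235 Authentication succeeded'

# Recover the credentials from such a transcript (read on stdin): the
# client line following each 334 challenge is one base64 item.
decode_login_transcript() {
    set -- $(awk '/^S: 334 / { want = 1; next }
                  /^C: / && want { print $2; want = 0 }')
    printf 'userid=%s password=%s\n' \
        "$(printf '%s' "$1" | base64 -d)" "$(printf '%s' "$2" | base64 -d)"
}

# Live check: STARTTLS to the smarthost, validate its certificate chain
# against the pinned CA file, check the name matches, and confirm AUTH is
# offered inside the TLS session.  -verify_return_error turns a chain
# failure into a connection failure; -verify_hostname needs OpenSSL >= 1.1.0.
verify_smarthost_tls() {
    host=$1 cafile=$2
    out=$(printf 'EHLO leaf.mydomain.tld\r\nQUIT\r\n' \
          | openssl s_client -starttls smtp -connect "$host:25" -servername "$host" \
              -CAfile "$cafile" -verify_return_error -verify_hostname "$host" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
    printf '%s\n' "$out" | grep -q '^250[ -]AUTH.*LOGIN' || return 1
}

# Live check: the leaf node must not listen on any SMTP port, and every
# address must be routed to the smarthost transport (exim -bt shows the
# router and transport chosen for an address without sending anything).
no_smtp_listener() {
    command -v ss >/dev/null 2>&1 || return 1
    ! ss -ltn 2>/dev/null | grep -Eq ':(25|465|587) '
}
routes_via_smarthost() {
    exim -bt "$1" 2>/dev/null | grep -q 'router = send_to_smarthost, transport = smarthost'
}

# Run the live checks only when invoked explicitly:  sh thisfile check
if [ "${1:-}" = "check" ]; then
    no_smtp_listener                            && echo "ok: no SMTP listener"
    routes_via_smarthost "root"                 && echo "ok: root routes via smarthost"
    verify_smarthost_tls "$SMARTHOST" "$CAFILE" && echo "ok: smarthost TLS verified, AUTH offered"
fi
```

Run `sh leafcheck.sh check` on the leaf node itself; `printf '%s\n' "$SAMPLE_TRANSCRIPT" | sh -c '. ./leafcheck.sh; decode_login_transcript'` shows what an eavesdropper recovers from an unencrypted LOGIN exchange, which is exactly why `hosts_require_tls` is not optional.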
Tags: exim