Set up an email server with Exim, Courier and SpamAssassin

Sat 15 November 2014
By alex


1. Install exim
2. Install spamassassin
3. Install courier

Exim

1) Install exim

sudo apt-get install exim4-daemon-heavy

2) Configure

sudo dpkg-reconfigure exim4-configure

3) Harden

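Reduce banner information. Exim's default greeting also announces the Exim version and the current date; this setting limits it to the hostname.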

vi /etc/exim4/exim4.conf.template
    # Add
    smtp_banner = $smtp_active_hostname ESMTP    

If IPv6 is not required, disable it

vi /etc/exim4/exim4.conf.template
    # Add
    disable_ipv6 = true   

4) Enable and configure TLS communication

Generate a CSR or a self-signed certificate and key using openssl or exim-gencert

sudo /usr/share/doc/exim4-base/examples/exim-gencert

or

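# Write to the paths MAIN_TLS_PRIVATEKEY and MAIN_TLS_CERTIFICATE use below (CONFDIR is /etc/exim4);
# exim.key must also be readable by the Debian-exim group
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/exim4/exim.key -out /etc/exim4/exim.crt -days 730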

Enable TLS

vi /etc/exim4/exim4.conf.template
    # Add
    tls_on_connect_ports=465    
    MAIN_TLS_ENABLE = yes

    # Uncomment and/or modify
    MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt    
    MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key

vi /etc/default/exim4
    # Add
    SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

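Enable SASL authentication and AUTH PLAIN LOGIN. The server_advertise_condition lines advertise AUTH only on TLS-protected connections, unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined.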

vi /etc/exim4/exim4.conf.template
    # Uncomment 
     plain_saslauthd_server:
       driver = plaintext
       public_name = PLAIN
       server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
       server_set_id = $auth2
       server_prompts = :
       .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
       server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
       .endif

     login_saslauthd_server:
       driver = plaintext
       public_name = LOGIN
       server_prompts = "Username:: : Password::"
       server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
       server_set_id = $auth1
       .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
       server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
       .endif

5) Restart exim

service exim4 restart
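
A check for the banner and AUTH settings above, added here as an example and not part of the original post: the function audits a captured cleartext port 25 session (banner plus EHLO reply, before STARTTLS). The function name, hostnames and both sample sessions are constructed for illustration.

```shell
#!/bin/sh
# Added example. audit_ehlo reads a cleartext SMTP session (banner + EHLO reply,
# before STARTTLS) on stdin, prints one finding per line, returns 1 if any.
audit_ehlo() {
    session=$(tr -d '\r')    # SMTP lines end in CRLF
    findings=0
    # smtp_banner = $smtp_active_hostname ESMTP leaves only "220 host ESMTP".
    banner=$(printf '%s\n' "$session" | grep '^220[ -]' | head -n 1)
    if ! printf '%s\n' "$banner" | grep -Eq '^220 [^ ]+ ESMTP *$'; then
        echo "banner is not reduced to hostname + ESMTP: $banner"
        findings=1
    fi
    # Without STARTTLS on offer, clients cannot upgrade before authenticating.
    if ! printf '%s\n' "$session" | grep -Eiq '^250[ -]STARTTLS$'; then
        echo "STARTTLS is not advertised"
        findings=1
    fi
    # server_advertise_condition hides AUTH while $tls_in_cipher is empty, so
    # an AUTH line here means PLAIN/LOGIN passwords may be sent unencrypted.
    auth=$(printf '%s\n' "$session" | grep -Ei '^250[ -]AUTH ' || true)
    if [ -n "$auth" ]; then
        echo "AUTH advertised before TLS: $auth"
        findings=1
    fi
    return "$findings"
}

# Constructed sample sessions (not captured from a real server).
HARDENED_SESSION='220 mail.example.test ESMTP
250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP'

WEAK_SESSION='220 mail.example.test ESMTP Exim 4.xx Sat, 15 Nov 2014 10:00:00 +0000
250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP'

printf '%s\n' "$HARDENED_SESSION" | audit_ehlo && echo "hardened session: clean"
printf '%s\n' "$WEAK_SESSION" | audit_ehlo || echo "weak session: see findings above"
```

Feed it the banner and EHLO reply saved from a port 25 session against your own server after the restart.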

SpamAssassin

1) Install spamassassin

sudo apt-get install spamassassin

2) Enable

vi /etc/default/spamassassin
    # Modify
    ENABLED=1
    CRON=1

3) Enable integration with exim

vi /etc/exim4/exim4.conf.template
    # Uncomment
    spamd_address = 127.0.0.1 783

4) Enable logging

vi /etc/rsyslog.d/60-spamd.conf
    # Add
    :app-name, isequal, "spamd"     -/var/log/spam
    & ~

5) Restart spamassassin

service spamassassin restart

Courier

1) Install Courier and saslauthd

sudo apt-get install courier-pop-ssl sasl2-bin

2) Harden

Bind courier to an IPv4 address to disable listening on IPv6

vi /etc/courier/pop3d-ssl
    # Modify
    SSLADDRESS=server_ip_here

3) Enable TLS

Generate a CSR or a self-signed certificate and key using openssl or mkpop3dcert

sudo /usr/sbin/mkpop3dcert

or

# Key and certificate go into one PEM file, written to the path TLS_CERTFILE uses below
sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/courier/my_domain_pop.pem -out /etc/courier/my_domain_pop.pem -days 730

Add the certificate to courier's config

vi /etc/courier/pop3d-ssl
    # Modify
    TLS_CERTFILE=/etc/courier/my_domain_pop.pem

4) Enable exim and saslauthd integration

Add the exim user to the saslauthd group

sudo usermod -a -G sasl Debian-exim

5) Restart courier and exim

sudo service exim4 restart
sudo service courier-pop3d-ssl restart