
Tuesday, September 06, 2011

Configure Exim4 to provide SMTP Relay service with SMTP Authentication and TLS enabled

Prerequisites:

  • Box running Debian Squeeze or Debian variants
  • Exim4 Package (apt-get install exim4)
  • Internet Routable Public IP Address (172.16.75.12) with reverse DNS relay.example.org


Reconfiguring Exim4

Run the command as root,
	# dpkg-reconfigure exim4-config
There are two useful scenarios for delivering mail. A smarthost is the safer option if your provider has an SMTP server you can use.
If not, you will have to deliver mail directly from your own server. If your IP is blacklisted or has no reverse DNS, your mail may not be delivered successfully.

Case 1: Direct delivery without smarthost (e.g. deliver mail directly to the remote SMTP servers):

		internet site; mail is sent and received directly using SMTP
		System mail name: relay.example.org
		IP-address to listen on for incoming SMTP connections: 127.0.0.1; 172.16.75.12
		Other destinations for which mail is accepted: Leave Empty
		Domains to relay mail for: * (This option will accept mail for any domain) 
		Machines to relay mail for: Leave Empty (Or specify whitelisted relay IPs)
		Keep number of DNS-queries minimal (Dial-on-Demand)? No
		Delivery method for local mail: mbox format in /var/mail/
		Split Configuration into small files? Yes (Very Important)
This should result in the configuration file /etc/exim4/update-exim4.conf.conf containing:
		dc_eximconfig_configtype='internet'
		dc_other_hostnames='relay.example.org'
		dc_local_interfaces='127.0.0.1 ; 172.16.75.12'
		dc_readhost='relay.example.org'
		dc_relay_domains='*'
		dc_minimaldns='false'
		dc_relay_nets=''
		CFILEMODE='644'
		dc_use_split_config='true'
		dc_hide_mailname='true'
		dc_mailname_in_oh='true'
		dc_localdelivery='maildir_home'

Case 2: Delivery with smarthost (e.g. use your ISP's SMTP server to relay all your mail):

		mail sent by smarthost; received via SMTP or fetchmail
		IP address or hostname of the outgoing smarthost: 1.2.3.4
		Hide local mail name in outgoing mail? Yes
		Visible domain name for local users: relay.example.org
This should result in a /etc/exim4/update-exim4.conf.conf that differs from the file above only in these lines:
		dc_eximconfig_configtype='smarthost'
		dc_smarthost='172.16.75.17'

Generate Self-signed Certificate

In order to use TLS (Transport Layer Security) with SMTP authentication, you must generate a self-signed certificate or purchase one from a reputable CA.
	# /usr/share/doc/exim4-base/examples/exim-gencert
After you fill in all the details, this generates the certificate and key files /etc/exim4/exim.crt and /etc/exim4/exim.key.
This is the default location where exim4 looks for these files.

Add Exim4 User

To create usernames and passwords specifically for exim4 SMTP authentication, run the command
	# /usr/share/doc/exim4/examples/exim-adduser

You may also copy the script to /sbin and run it from there,
	# cp /usr/share/doc/exim4/examples/exim-adduser /sbin
	# exim-adduser

Enabling TLS

Type the following command to create a config macro file that enables TLS:
	# echo "MAIN_TLS_ENABLE = yes" > /etc/exim4/conf.d/main/00_local_settings
Additional settings can be added to the same file, /etc/exim4/conf.d/main/00_local_settings.

Enabling SMTP Authentication

Uncomment the following lines in /etc/exim4/conf.d/auth/30_exim4-config_examples (the AUTH_SERVER_ALLOW_NOTLS_PASSWORDS guard keeps PLAIN and LOGIN from being advertised until TLS is active, so passwords never cross the wire in clear):
	plain_server:
	   driver = plaintext
	   public_name = PLAIN
	   server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
	   server_set_id = $auth2
	   server_prompts = :
	   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	   .endif

	login_server:
	   driver = plaintext
	   public_name = LOGIN
	   server_prompts = "Username:: : Password::"
	   server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
	   server_set_id = $auth1
	   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	   .endif
	   

Updating Exim4 Configuration

Finally, run these commands to regenerate the exim4 configuration and restart exim4:
	# update-exim4.conf
	# /etc/init.d/exim4 restart

If your provider blocks port 25, you may want to run the SMTP relay service on additional ports. To do this, modify this line in /etc/default/exim4:
	SMTPLISTENEROPTIONS='-oX 587:25 -oP /var/run/exim4/exim.pid'

This tells exim4 to listen on port 587 in addition to port 25.

Testing

	# telnet 172.16.75.12 25
	Type EHLO SMTP
	If you see the following line among the others in the reply, TLS is working:

	250-STARTTLS

A full test can be performed using an email client.
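The telnet check above only eyeballs one line. The script below is an added example, not part of the original post: it parses EHLO replies into a capability table and checks the three things this configuration is supposed to deliver (STARTTLS offered, AUTH withheld on the plaintext connection because of the server_advertise_condition, and PLAIN/LOGIN offered once TLS is up). The two EHLO replies embedded in it are constructed samples, and the probe() function, the host name probe.example.net and the port are assumptions for a live run.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from a real server), modelled on what
# a correctly configured relay returns before and after STARTTLS.
EHLO_BEFORE_TLS = """\
250-relay.example.org Hello probe.example.net [203.0.113.5]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""

EHLO_AFTER_TLS = """\
250-relay.example.org Hello probe.example.net [203.0.113.5]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""


def parse_ehlo(reply):
    """Turn a multi-line EHLO reply into {KEYWORD: [params]}; the first line is the greeting."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        body = line[4:].strip()          # strip the "250-" / "250 " prefix
        if body:
            keyword, *params = body.split()
            caps[keyword.upper()] = params
    return caps


def check_relay(before, after):
    """Compare the capabilities seen before and after STARTTLS with what the
    configuration intends. Returns a list of findings; empty means all good."""
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised: check MAIN_TLS_ENABLE and "
                        "/etc/exim4/exim.crt, /etc/exim4/exim.key")
    if "AUTH" in before:
        findings.append("AUTH advertised on the plaintext connection: the "
                        "server_advertise_condition guard is not in effect")
    if "AUTH" not in after:
        findings.append("AUTH not advertised after STARTTLS: plain_server/login_server are not active")
    else:
        missing = {"PLAIN", "LOGIN"} - set(after["AUTH"])
        if missing:
            findings.append("AUTH after STARTTLS lacks " + ", ".join(sorted(missing)))
    return findings


def probe(host, port=587, ca_file="/etc/exim4/exim.crt"):
    """Live version of the check (host, port and ca_file are assumptions).
    The self-signed exim.crt is trusted explicitly rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo("probe.example.net")
        # smtplib keeps EHLO keywords lower-cased in esmtp_features
        before = {k.upper(): v.split() for k, v in conn.esmtp_features.items()}
        after = {}
        if "STARTTLS" in before:
            conn.starttls(context=ctx)
            conn.ehlo("probe.example.net")
            after = {k.upper(): v.split() for k, v in conn.esmtp_features.items()}
    return check_relay(before, after)


if __name__ == "__main__":
    result = check_relay(parse_ehlo(EHLO_BEFORE_TLS), parse_ehlo(EHLO_AFTER_TLS))
    for line in result or ["relay advertises TLS and AUTH as intended"]:
        print(line)
```

The probe reports only what the server advertises; it says nothing about relay policy. Note that in Debian's exim4 configuration dc_relay_domains names domains for which mail is relayed from any client without authentication, so the '*' shown in Case 1 should be narrowed to the domains this relay is actually responsible for, leaving authenticated users to relay everything else.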
Posted by EmErgE at 1:32 PM
Categories: Linux, Security

Wednesday, January 06, 2010

IPtables Rules to block SSH Bruteforce and Tor exit nodes

I was going through some of the old files and came across IPTables Rules to block SSH Bruteforce and Tor exit nodes. These rules are helpful in protecting your VPS/Dedicated Servers from related attacks and IP Spoofing.

IPTables Rules to limit SSH bruteforce
------------------------------------------------------------

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 7 --rttl --name SSH -j DROP

Explanation: The first line records each NEW connection to destination port 22 in a recent-list named SSH, keyed by source address. If the packet count exceeds 7 hits per 60 seconds for an IP address, further connections from it are dropped. If your sshd is listening on a port other than 22, update both rules accordingly.
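To make the two-rule interaction concrete, here is an added example (my own model, not part of the original post and not the kernel's code) of how the recent match evaluates a stream of NEW connections: rule one always records a timestamp and falls through, rule two counts the timestamps inside the 60-second window, including the one just recorded, and drops when the count reaches 7, refreshing the entry on every match. The traffic in it is constructed, and the 20-entry list size is the xt_recent module default (ip_pkt_list_tot); the --rttl option, which additionally requires the packet TTL to match the one first recorded, is not modelled.

```python
from collections import defaultdict, deque

# Parameters taken from the two iptables rules above
SECONDS = 60      # --seconds 60
HITCOUNT = 7      # --hitcount 7
LIST_TOT = 20     # ip_pkt_list_tot: timestamps xt_recent keeps per address (module default)


class RecentSSHFilter:
    """Model of the chain: rule 1 is '--set --name SSH', rule 2 is
    '--update --seconds 60 --hitcount 7 --name SSH -j DROP'."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        # per-source ring of timestamps; the oldest is discarded once the list is full
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def new_connection(self, src, now):
        """One NEW packet to tcp/22 from src at time `now` (seconds). Returns 'ACCEPT' or 'DROP'."""
        q = self.stamps[src]
        # Rule 1 (--set): record a timestamp; it has no -j, so the packet
        # continues to rule 2.
        q.append(now)
        # Rule 2 (--update): matches when at least `hitcount` stamps fall inside
        # the last `seconds`; the stamp just recorded counts as well.
        hits = sum(1 for t in q if now - t <= self.seconds)
        if hits >= self.hitcount:
            # --update also refreshes the entry on a match, which is why a host
            # that keeps retrying stays blocked until it pauses for 60 s.
            q.append(now)
            return "DROP"
        return "ACCEPT"


def simulate(events, **kw):
    """events: iterable of (src_ip, time_in_seconds) in time order. Returns one verdict per event."""
    f = RecentSSHFilter(**kw)
    return [f.new_connection(src, t) for src, t in events]


if __name__ == "__main__":
    # Constructed traffic: one host hammering port 22 every 2 s, one normal host,
    # then the noisy host coming back while blocked and again after a long pause.
    events = [("198.51.100.7", t) for t in range(0, 14, 2)]
    events += [("192.0.2.10", 13), ("198.51.100.7", 30), ("198.51.100.7", 120)]
    for (src, t), verdict in zip(events, simulate(events)):
        print(f"t={t:4} {src:14} {verdict}")
```

The slow-attacker case is worth trying too: seven attempts spaced 15 seconds apart never have 7 stamps inside one 60-second window, so the rule never fires. The window and hit count trade off against exactly that, which is why a lower --hitcount or a longer --seconds is the usual tuning when the log still shows patient scanners.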

IPTables Rules to block Tor exit nodes
-------------------------------------------------------------

#!/bin/bash
# Fetch the current Tor exit node list and DROP inbound traffic from each listed address.
LIST=/tmp/Tor_ip_list_EXIT.csv
wget -q -O "$LIST" http://anonymizer.blutmagie.de:2505/ip_list_exit.php/Tor_ip_list_EXIT.csv
if [ -s "$LIST" ]; then
	# Strip CR line endings and pass only well-formed IPv4 addresses to iptables,
	# so a blank or malformed line cannot turn into a broken or over-broad rule.
	tr -d '\r' < "$LIST" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u | while read -r BAD_IP
	do
		iptables -A INPUT -s "$BAD_IP" -j DROP
	done
else
	echo "Can't read $LIST" >&2
	exit 1
fi

Explanation: The above command sequence downloads the Tor exit node list from blutmagie.de and adds an IPTables rule that drops connections from each listed IP address as source.

Posted by EmErgE at 3:32 PM
Categories: General Networking, Linux, Security