Package: exim4-config
Version: 4.89-2.1
Severity: wishlist
Tags: patch
Hi,
The current smarthost set-up can use only one smarthost. These days, that
will cause outgoing mail with an unmatched From: to get flagged as spam.
So use of an account-specific smarthost is getting important.
For example, for gmail accounts it is best to use the pertinent account
with the message submission port 587 with STARTTLS. (Otherwise, the From:
address is overwritten.)
To pick the smarthost, I think ${address:$h_from:} is better than
$sender_address. So I added a few lines to the smarthost setting to realize
this, as in the attached patch. This approach should make outgoing mail
more robust against spam filters.
(I am also trying to add remote shell account support as an extra
experimental feature. This should be good for people.debian.org etc.)
Yes, this sounds like my old closed bug: https://bugs.debian.org/656841
(Well, it was more about SSMTP. Also, the code example was buggy.)
The https://wiki.debian.org/GmailAndExim4 is outdated (I agree that
localdomain in the HELO/EHLO line may be a bad idea).
But since then the mail situation has become more restrictive with DKIM,
SPF, and DMARC, so we really need to use sender-matched SMTP servers.
So this needs to be done properly. I was inspired by a few similar
attempts. Here are my comments on them:
https://medium.com/@krala/exim4-and-multiple-gmail-accounts-c8fae2ac60a3
* No need to use ${lc:...} since lsearch is case-insensitive
* Should use ${address:$h_from:} instead of $sender_address
* No need to have separate CONFDIR/gmail-accounts
* No need to limit to gmail
https://gist.github.com/kanru/3368424
* Why only one account per domain?
* Why new config file CONFDIR/smarthosts ?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750122
* Mark is right on the technical side that this kind of config chokes
performance. But when using mutt to read and reply to multiple mail
accounts on your workstation, that is negligible. Automatically
using the right SMTP relay gives a huge advantage against spam filters
these days.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541473
* This wishlist is addressed by this patch.
Anyway, the current results are attached. I may update these patches in:
https://github.com/osamuaoki/exim4-debian-pkg
I hope this helps.
Osamu
From c3d3135c6229717616043a3dba2476b5f2f044ba Mon Sep 17 00:00:00 2001
From: Osamu Aoki <[email protected]>
Date: Thu, 13 Jul 2017 22:03:55 +0900
Subject: [PATCH 1/5] Local modified package to support the new account based
spooling.
---
debian/changelog | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ba527c7..3ba54e9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+exim4 (4.89-2.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Support spooling of mails sent via the authenticated SMTP service
+ corresponding to each account and via the SSH account with
+ password-less access.
+
+ -- Osamu Aoki <[email protected]> Thu, 13 Jul 2017 21:58:26 +0900
+
exim4 (4.89-2) unstable; urgency=medium
* Revert addition of header "# pidfile: /var/run/exim4/exim.pid" to
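Review bot: "Support spooling of mails sent via ..." in the new changelog entry misdescribes the change; the rest of this series adds per-From: routers, a submission transport and an SSH pipe transport, none of which spools anything. Suggest wording it as what it does, e.g. "Send each outgoing mail via the authenticated SMTP submission account, or the SSH account, that corresponds to its From: address".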
--
2.11.0
From 9a9af03a2736aa76e2fa08fe432764d3b98089de Mon Sep 17 00:00:00 2001
From: Osamu Aoki <[email protected]>
Date: Sun, 23 Jul 2017 20:30:55 +0900
Subject: [PATCH 2/5] Refactor around PASSWDLINE
Drop using double quotes to minimize backslash escapes
Use listextract instead of extract
LOGIN with extract {::} looks strange
---
.../debconf/conf.d/auth/30_exim4-config_examples | 48 ++++++++++------------
1 file changed, 22 insertions(+), 26 deletions(-)
diff --git a/debian/debconf/conf.d/auth/30_exim4-config_examples b/debian/debconf/conf.d/auth/30_exim4-config_examples
index b3b1ce6..4680b27 100644
--- a/debian/debconf/conf.d/auth/30_exim4-config_examples
+++ b/debian/debconf/conf.d/auth/30_exim4-config_examples
@@ -204,31 +204,27 @@
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
+# this returns the matching line from passwd.client (by smarthost)
+PASSWDLINE = ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}
+
cram_md5:
driver = cram_md5
public_name = CRAM-MD5
- client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
- client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-
-# this returns the matching line from passwd.client and doubles all ^
-PASSWDLINE=${sg{\
- ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
- }\
- {\\N[\\^]\\N}\
- {^^}\
- }
+ client_name = ${listextract{1}{PASSWDLINE}}
+ client_secret = ${listextract{2}{PASSWDLINE}}
plain:
driver = plaintext
public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
- client_send = "<; ${if !eq{$tls_out_cipher}{}\
- {^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
- }fail}"
+ client_send = <; ${if !eq{$tls_out_cipher}{}\
+ {\
+ ^${listextract{1}{${sg{PASSWDLINE}{\N[\^]\N}{^^}}}}\
+ ^${listextract{2}{${sg{PASSWDLINE}{\N[\^]\N}{^^}}}}\
+ }fail}
.else
- client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+ client_send = <; ^${listextract{1}{${sg{PASSWDLINE}{\N[\^]\N}{^^}}}}\
+ ^${listextract{2}{${sg{PASSWDLINE}{\N[\^]\N}{^^}}}}
.endif
login:
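Review bot: `client_secret = ${listextract{2}{PASSWDLINE}}` and the matching `^${listextract{2}{...}}` lines in `plain` change what the password field may contain. The removed `${sg{PASSWDLINE}{\N([^:]+:)(.*)\N}{\$2}}` returned everything after the first colon, so a password containing ':' survived; listextract stops at the next single colon, so such a password is now silently truncated unless the colon is written doubled (`::`), which is Exim's list escape. Either keep the remainder form for the secret, or document the `::` escape in passwd.client and in the man page.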
@@ -237,18 +233,18 @@ login:
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
# Return empty string if not non-TLS AND looking up $host in passwd-file
# yields a non-empty string; fail otherwise.
- client_send = "<; ${if and{\
- {!eq{$tls_out_cipher}{}}\
- {!eq{PASSWDLINE}{}}\
- }\
- {}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+ client_send = <; ${if and{\
+ {!eq{$tls_out_cipher}{}}\
+ {!eq{PASSWDLINE}{}}\
+ }\
+ {}fail}\
+ ; ${listextract{1}{PASSWDLINE}}\
+ ; ${listextract{2}{PASSWDLINE}}
.else
# Return empty string if looking up $host in passwd-file yields a
# non-empty string; fail otherwise.
- client_send = "<; ${if !eq{PASSWDLINE}{}\
+ client_send = <; ${if !eq{PASSWDLINE}{}\
{}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+ ; ${listextract{1}{PASSWDLINE}}\
+ ; ${listextract{2}{PASSWDLINE}}
.endif
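Review bot: the retained comment `# Return empty string if not non-TLS AND looking up $host in passwd-file` is a double negative; as the `!eq{$tls_out_cipher}{}` test shows, it means "if TLS is in use and the lookup yields a non-empty string". Worth fixing while these lines are being rewritten. Note also that `!eq{PASSWDLINE}{}` can only see an empty string for a key that is present with an empty value; a missing key forces the whole `client_send` expansion to fail through the `fail` inside PASSWDLINE, and that forced failure is what actually skips the authenticator.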
--
2.11.0
From 7ca2a38fc33930be015e23d25a74bd37925694cb Mon Sep 17 00:00:00 2001
From: Osamu Aoki <[email protected]>
Date: Sun, 23 Jul 2017 21:17:00 +0900
Subject: [PATCH 3/5] Message submission to each mail account
Instead of the traditional smarthost serving on a host-to-host basis, the new
message submission supports an external server for each "From:"
address. This solves the problem of multiple gmail-related email addresses
and provides a robust way to send mail without it being labeled as spam.
---
.../debconf/conf.d/auth/30_exim4-config_examples | 5 ++--
.../debconf/conf.d/router/200_exim4-config_primary | 9 +++++++
.../30_exim4-config_remote_smtp_submission | 28 ++++++++++++++++++++++
debian/passwd.client | 10 ++++++++
4 files changed, 50 insertions(+), 2 deletions(-)
create mode 100644 debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_submission
diff --git a/debian/debconf/conf.d/auth/30_exim4-config_examples b/debian/debconf/conf.d/auth/30_exim4-config_examples
index 4680b27..cd5da9b 100644
--- a/debian/debconf/conf.d/auth/30_exim4-config_examples
+++ b/debian/debconf/conf.d/auth/30_exim4-config_examples
@@ -204,8 +204,9 @@
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
-# this returns the matching line from passwd.client (by smarthost)
-PASSWDLINE = ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}
+# this returns the matching line from passwd.client (by mail "From:" account or smarthost)
+PASSWDLINE = ${lookup{${address:$h_from:}}lsearch{CONFDIR/passwd.client}{$value}\
+ {${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
cram_md5:
driver = cram_md5
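Review bot: keying PASSWDLINE on `${address:$h_from:}` lets the From: header, which is written by whoever submits the message, select which login and password from passwd.client are presented. On any host that accepts mail from more than one local user or client, a submitter who puts `From: [email protected]` on a message gets it authenticated with Alice's credentials. The `${lookup{$host}nwildlsearch...}` fallback preserves the old host-keyed behaviour, which is fine, but the From:-keyed path needs a stated trust model (single-user workstation) and, where that does not hold, a check tying the From: address to the submitting user or authenticated id before the credentials are used. Also note in the comment that the From: lookup is a plain `lsearch` (exact key) while the host lookup is `nwildlsearch`, so wildcard keys only work for hosts.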
diff --git a/debian/debconf/conf.d/router/200_exim4-config_primary b/debian/debconf/conf.d/router/200_exim4-config_primary
index 7681d91..8fee21c 100644
--- a/debian/debconf/conf.d/router/200_exim4-config_primary
+++ b/debian/debconf/conf.d/router/200_exim4-config_primary
@@ -73,6 +73,15 @@ nonlocal:
# domains, you'll need to copy the dnslookup_relay_to_domains router
# here so that mail to relay_domains is handled separately.
+SUBMISSIONHOST = ${listextract{3}{${lookup{${address:$h_from:}}lsearch{CONFDIR/passwd.client}{$value}fail}}{$value}fail}
+
+submission:
+ debug_print = "R: submission for $local_part@$domain from ${address:$h_from:}"
+ driver = manualroute
+ domains = ! +local_domains
+ transport = remote_smtp_submission
+ route_list = * SUBMISSIONHOST byname
+
smarthost:
debug_print = "R: smarthost for $local_part@$domain"
driver = manualroute
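Review bot: the `submission` router has no `condition`; it sits ahead of `smarthost` and only steps aside because the `fail` inside SUBMISSIONHOST forces the host-list expansion in `route_list = * SUBMISSIONHOST byname` to fail. That is implicit, and a message with no From: header, or one the `address` operator cannot parse, feeds an empty key to lsearch and takes the same path. Suggest an explicit `condition` on the From: lookup succeeding, so the handover to `smarthost` is readable and the router can later also be restricted by submitter. `domains = ! +local_domains` is right; keep it.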
diff --git a/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_submission b/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_submission
new file mode 100644
index 0000000..5b485c8
--- /dev/null
+++ b/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_submission
@@ -0,0 +1,28 @@
+
+### transport/30_exim4-config_remote_smtp_submission
+#################################
+
+remote_smtp_submission:
+ debug_print = "T: remote_smtp_submission for $local_part@$domain"
+ driver = smtp
+ port = 587
+ hosts_require_auth = *
+ hosts_require_tls = *
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+ return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+.endif
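Review bot: `hosts_require_tls = *` and `hosts_require_auth = *` are the right baseline for a submission transport, but nothing in this file sets `tls_verify_hosts` or `tls_verify_certificates`; with Exim 4.89's defaults certificate verification is only attempted (`tls_try_verify_hosts`), so a verification failure is logged and the account password is sent anyway. The peer here is a fixed, named submission host, so add `tls_verify_hosts = *` (and `tls_verify_certificates = system` unless the smarthost transport already provides it). Separately, `port = 587` is hard-coded while the host comes from the router, so a `host::port` in passwd.client can never pick another port; that matches the man page text, but say so in a comment here.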
diff --git a/debian/passwd.client b/debian/passwd.client
index 2f06b8d..1157975 100644
--- a/debian/passwd.client
+++ b/debian/passwd.client
@@ -4,4 +4,14 @@
# see exim4_passwd_client(5) for more documentation
#
# Example:
+# Use message submission port 578 for each "From:" email account
+# (4 data list, Good for services like gmail)
+### [email protected]:login:password:submission.host.example
+### [email protected]:[email protected]:<application_password>:smtp.gmail.com
+#
+# Use a smarthost for all "From:" email accounts (wildcard accepted)
+# (3 data list, Good for most connection ISP provided SMTP servers.)
+# (Need to specify submission port as ::587 if not port 25)
### target.mail.server.example:login:password
+###*.so-net.ne.jp:[email protected]::587:secret
+
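Review bot: `# Use message submission port 578` should read 587, the port the new transport uses. More importantly, the example `*.so-net.ne.jp:[email protected]::587:secret` and the note "Need to specify submission port as ::587" do not fit how these lines are now read: the authenticators split the value as an Exim colon list, in which `::` is one literal colon, so this line yields a login name of `[email protected]:587`, a password of `secret`, and no port at all. For host-keyed lines the port belongs in the smarthost host list (`host::587`), not in passwd.client; drop the `::587` note and example. "4 data list"/"3 data list" would be clearer as "4 fields"/"3 fields".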
--
2.11.0
From 2683d1414114495e95069da1797bdd34e4bb2236 Mon Sep 17 00:00:00 2001
From: Osamu Aoki <[email protected]>
Date: Fri, 14 Jul 2017 22:05:17 +0900
Subject: [PATCH 4/5] Experimental ssh+sendmail support
This enables sending *@debian.org address mail via
{people,alioth}.debian.org to make its delivery more robust.
This needs some more testing and documentation.
---
debian/debconf/conf.d/router/200_exim4-config_primary | 10 ++++++++++
debian/debconf/conf.d/transport/30_exim4-config_ssh_pipe | 15 +++++++++++++++
debian/exim4-config.install | 1 +
debian/ssh_hosts | 7 +++++++
4 files changed, 33 insertions(+)
create mode 100644 debian/debconf/conf.d/transport/30_exim4-config_ssh_pipe
create mode 100644 debian/ssh_hosts
diff --git a/debian/debconf/conf.d/router/200_exim4-config_primary b/debian/debconf/conf.d/router/200_exim4-config_primary
index 8fee21c..b50901e 100644
--- a/debian/debconf/conf.d/router/200_exim4-config_primary
+++ b/debian/debconf/conf.d/router/200_exim4-config_primary
@@ -73,6 +73,16 @@ nonlocal:
# domains, you'll need to copy the dnslookup_relay_to_domains router
# here so that mail to relay_domains is handled separately.
+ssh:
+ debug_print = "R: ssh for $local_part@$domain from ${address:$h_from:}"
+ driver = accept
+ condition = ${if exists{CONFDIR/ssh_hosts}\
+ {${lookup{${address:$h_from:}}lsearch{CONFDIR/ssh_hosts}{$value}fail}}fail}
+ domains = *
+ transport = ssh_pipe
+ no_verify
+ no_expn
+
SUBMISSIONHOST = ${listextract{3}{${lookup{${address:$h_from:}}lsearch{CONFDIR/passwd.client}{$value}fail}}{$value}fail}
submission:
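Review bot: `domains = *` on an `accept` router placed this early sends every message whose From: has an ssh_hosts entry over SSH, including mail addressed to local domains, which then never reaches the local delivery routers; use `domains = ! +local_domains` as the other relay routers do. The `condition` also relies on a forced `fail` from `${if exists{...}{${lookup{...}{$value}fail}}fail}`; returning an explicit false, e.g. `{${lookup{${address:$h_from:}}lsearch{CONFDIR/ssh_hosts}{yes}{no}}}{no}`, avoids any question of whether a forced failure in `condition` counts as decline or defer. And as with the From:-keyed passwd.client lookup, whoever writes the From: header chooses which remote shell account carries the message; `no_verify`/`no_expn` are fine, but the same trust caveat applies.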
diff --git a/debian/debconf/conf.d/transport/30_exim4-config_ssh_pipe b/debian/debconf/conf.d/transport/30_exim4-config_ssh_pipe
new file mode 100644
index 0000000..47e754b
--- /dev/null
+++ b/debian/debconf/conf.d/transport/30_exim4-config_ssh_pipe
@@ -0,0 +1,15 @@
+
+### transport/30_exim4-config_ssh_pipe
+#################################
+
+SSH_LINE = ${lookup{${address:$h_from:}}lsearch{CONFDIR/ssh_hosts}}
+
+ssh_pipe:
+ debug_print = "T: ssh_pipe for $local_part@$domain from ${address:$h_from:} via SSH_LINE"
+ driver = pipe
+ path = "/bin:/usr/bin:/usr/local/bin"
+ command = "SSH_LINE"
+ return_path_add
+ delivery_date_add
+ envelope_to_add
+
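Review bot: three things in the `ssh_pipe` transport. First, it sets no `user` or `group` and the `ssh` router feeding it is an `accept` router without `check_local_user`, so it is undefined which uid runs ssh, whose `~/.ssh` (known_hosts, config) is consulted, and whether the `-i` key file is readable; set `user` explicitly (e.g. Debian-exim, with the key owned by it). Second, Exim splits a pipe `command` into arguments before expanding each one, so `command = "SSH_LINE"`, a single expansion item, very likely arrives as one argument containing the whole `/usr/bin/ssh -p 22 ...` line and the exec fails with "no such file"; please test a real delivery, and if so build the ssh invocation in the transport with per-argument lookups rather than one lookup for the whole line (`use_shell` would also work but is the weaker option). Third, the documented remote command ends in `sendmail -bm -ti`: `-t` takes recipients from the headers, but a pipe transport runs once per recipient unless `batch_max` is set, so a three-recipient message is sent three times to all three. Drop `-t`, pass `$pipe_addresses` from the transport's `command` (the value read from ssh_hosts is not re-expanded, so the variable has to live in the config), and set `batch_max` so one session carries all recipients.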
diff --git a/debian/exim4-config.install b/debian/exim4-config.install
index 9ad2aa1..afa367b 100644
--- a/debian/exim4-config.install
+++ b/debian/exim4-config.install
@@ -1,3 +1,4 @@
debian/debconf/update-exim4.conf.template usr/sbin
debian/debconf/exim4.conf.template etc/exim4
+debian/ssh_hosts etc/exim4
debian/script usr/share/bug/exim4-config
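Review bot: `debian/ssh_hosts etc/exim4` installs a file that holds private-key paths and remote account names and whose lines are executed as commands, but nothing in this patch sets its owner and mode or documents it. Treat it like passwd.client: root:Debian-exim 640 at install time, and an entry in exim4-config_files(5) stating the format and the permission requirement.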
diff --git a/debian/ssh_hosts b/debian/ssh_hosts
new file mode 100644
index 0000000..0a120b1
--- /dev/null
+++ b/debian/ssh_hosts
@@ -0,0 +1,7 @@
+# configuration file used when the local exim is
+# authenticating to the remote SSH service host
+# with the account corresponding to the From address as a client.
+# (smarthost,sattelite)
+#
+# Example:
+### header-From: /usr/bin/ssh -p 22 -i /path/to/ssh-id_rsa [email protected] /usr/bin/sendmail -bm -ti
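Review bot: "sattelite" in the header comment should be "satellite", and the example key `header-From:` should be an actual address form such as `[email protected]:` since lsearch ends the key at the first colon or white space, so neither may appear in it. On the ssh line itself: the account exim runs as has no interactive known_hosts, and with ssh's default `StrictHostKeyChecking=ask` and no tty an unknown host key is simply refused ("Host key verification failed"). Show `-o UserKnownHostsFile=/etc/exim4/ssh_known_hosts -o StrictHostKeyChecking=yes` with the remote key pre-seeded in that file, rather than leaving readers to reach for `StrictHostKeyChecking=no`, which would hand the mail and the key-authenticated session to whatever host answers at that name.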
--
2.11.0
From 023f6c90fdbcc5bd625a44ab420dbdbc83e55224 Mon Sep 17 00:00:00 2001
From: Osamu Aoki <[email protected]>
Date: Sun, 23 Jul 2017 22:21:51 +0900
Subject: [PATCH 5/5] Update passwd.client doc.
---
debian/manpages/exim4-config_files.5 | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/debian/manpages/exim4-config_files.5 b/debian/manpages/exim4-config_files.5
index b217377..58b745a 100644
--- a/debian/manpages/exim4-config_files.5
+++ b/debian/manpages/exim4-config_files.5
@@ -230,7 +230,9 @@ readable for others. Recommended file mode is root:Debian\-exim 640.
contains account and password data for SMTP authentication when exim
is authenticating as a client to some remote server.
-The file should contain lines of the form
+For the traditional smarthost configuration in which a single external
+host relays all outgoing mails, the file should contain lines of the
+form
.br
target.mail.server.example:login-user-name:password
@@ -267,12 +269,35 @@ password is your SMTP password in clear text. If you do not know about
your SMTP password, you can try using your POP3 password as a first
guess.
+For the new message submission configuration in which an account on an
+external SMTP submission host specific to the "From:" address of each
+outgoing mail relays that mail, the file should contain lines of the
+form
+
+.br
[email protected]:login:password:submission.host.example
+
+which will cause exim to use login-user-name and password when sending
+messages to the port 587 of the host submission.host.example. Please
+note this line has 4 list items instead of 3. This new style of
+configuration enables to use the account specific SMTP message
+submission service required by some modern restrictive ISP services such
+as gmail.com. This should also help you avoid your mail to be labeled
+as a spam. Currently, this new configuration only supports the port 587
+which uses the STARTTLS.
+
This file must be readable for the Debian\-exim user and should not be
readable for others. Recommended file mode is root:Debian\-exim 640.
.br
# example for CONFDIR/passwd.client
.br
+# this enables to use 2 gmail accounts
+.br
[email protected]:[email protected]:<application-password>:smtp.gmail.com
+.br
[email protected]:[email protected]:<application-password>:smtp.gmail.com
+.br
# this will only match if the server's generic name matches exactly
.br
mail.server.example:user:password
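Review bot: the new paragraph says exim "will use login-user-name and password" while the form line above it shows `login:password`; use one name. It also does not say how a password containing ':' is written: because the new 4-field line is split by position, a bare colon in the password shifts the following fields and the host ends up wrong, so state that a literal colon must be written `::`. Wording: "enables to use" should be "makes it possible to use", "avoid your mail to be labeled as a spam" should be "avoid your mail being labeled as spam". Finally, say plainly that the From: header of each message selects the line, so on a host where more than one user can submit mail, any of them can select any account in this file.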
--
2.11.0