Haack's Wiki

User Tools

Site Tools

Trace: mailclient
computing:mailclient

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
computing:mailclient [2026/03/29 15:41] oemb1905computing:mailclient [2026/04/19 19:31] (current) oemb1905
Line 1: Line 1:
-Use this for personal machines behind someone else's LAN. It turns exim into a MUA instead of a MTA. That is, tt uses your remote self-hosted smtp instead of sending directly. +# 1. Main configuration for exim
 <code> <code>
-sudo apt install exim4 +cat << 'EOF'sudo tee /etc/exim4/update-exim4.conf.conf 
-sudo nano /etc/exim4/update-exim4.conf.conf +dc_eximconfig_configtype='satellite
-dc_eximconfig_configtype='smarthost+dc_smarthost='mail.haacksnetworking.org::587'
-dc_smarthost='mail.domain.com::587'+
 dc_local_interfaces='127.0.0.1 ; ::1' dc_local_interfaces='127.0.0.1 ; ::1'
 dc_other_hostnames='' dc_other_hostnames=''
-dc_readhost=''+dc_readhost='haacksnetworking.org'
 dc_relay_domains='' dc_relay_domains=''
 dc_minimaldns='false' dc_minimaldns='false'
 dc_hide_mailname='true' dc_hide_mailname='true'
 +dc_localdelivery='net@haacksnetworking.org'
 +EOF
 +</code>
  
-sudo nano /etc/exim4/passwd.client +Local delivery is there as a placeholder but/and is ignored as per the localmacros entry below. It is harmless and in some cases I enable it and remove the other entry, etc., so its retained here. The rest are self-explanatory. It should be noted that exim4 currently has a bug whereby it cannot properly interpret ipv6 entries and/or bind to the ipv6-ready interface, so I disabled it for nowFor some, this is a routing issue, but my routing table is good and it still does not work:
-mail.domain.com:user:password +
-*:user:password+
  
-sudo chown root:Debian-exim /etc/exim4/passwd.client +  * [[https://manpages.debian.org/jessie/exim4-config/update-exim4.conf.8.en.html |Man Pages Examples]] 
-sudo chmod 640 /etc/exim4/passwd.client+
  
-#calm tls +Despite formatting it as the man pages and ncurses installer suggest, e.g., ''dc_smarthost='[2046::1bd7::f::6::::20]::587''', it nevertheless interprets the IP as a domain and tries to do a DNS check on it. I plan to remove the ipv6 block once this fixed and/or I discover a work-around. 
-sudo nano /etc/exim4/exim4.conf.localmacros+ 
 + 
 +2. Local macros 
 +<code> 
 +cat << 'EOF'sudo tee /etc/exim4/exim4.conf.localmacros
 MAIN_TLS_ADVERTISE_HOSTS = MAIN_TLS_ADVERTISE_HOSTS =
 REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = * REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
-MAIN_HARDCODE_PRIMARY_HOSTNAME = user.domain.com 
 MAIN_LOCAL_DOMAINS = MAIN_LOCAL_DOMAINS =
 +disable_ipv6 = true
 +EOF
 +</code>
  
 +This block has a lot. First, it requires TLS whether the server does or not. Secondly, it stops attempts at local delivery, i.e., if I had a cronjob trying to email a report to user@haacksnetworking.org or user@net.haacksnetworking.org, it prohibits it from trying to deliver it to the client itself. This is good because the client is send-only, and does not have dovecot installed ofc. Rather, we want emails from net@haacksnetworking.org sent to, e.g., notifications@haacksnetworking.org to be delivered externally. As noted earlier, ipv6 is disabled due to the exim4 bug. Lastly, since this server is send-only, we also disable TLS advertisements. There's no need to advertise to clients for incoming connections.
  
-sudo update-exim4.conf +# 3Password file 
-sudo systemctl restart exim4+<code> 
 +cat << 'EOF'sudo tee /etc/exim4/passwd.client 
 +mail.haacksnetworking.org:net:pass 
 +*:net:pass 
 +EOF 
 +</code>
  
-echo "Test after permission fix" | mail -s "Exim4 test 2" oemb1905@jonathanhaack.com +Pretty self-explanatoryReplace ''pass'' above with a secure password. I would recommend ensuring TLS is enforced on the server as well as on the client, combined with a non-dictionary 40 character password. Since these credentials are stored in plain files and we are using simple UNIX users, you need to make sure that you don't give users ''sudo'' privileges. The email accounts should be separate from user accounts used for shell access and shell access should be disabled for any user accounts being used as email. Naturally, one should not have password auth via ssh enabled; key-based login should be enforced. In short, any time you are storing credentials for simple UNIX users on a remote client, make sure they are not sudoers, have no shell access, and that ssh is key-based only and preferably with an explicitly allowed sysadmin user, e.g., ''AllowUsers sysadmn''.
-sudo tail -f /var/log/exim4/mainlog+
  
 +# 4. Email address rewriting
 +<code>
 +cat << 'EOF' | sudo tee /etc/email-addresses
 +sexa: net@haacksnetworking.org
 +root: net@haacksnetworking.org
 +*: net@haacksnetworking.org
 +EOF
 </code> </code>
  
-Here'a copy pastable version:+This re-writes the headers so that system and/or cronjob emails originating from the client match the remote smtp user credentials and domain. Without this, exim4 would use the system email as the envelope-from instead of the remote server's. This is essential for emails to arrive at Gmail, Microsoft, etc., without issue.
  
 +# 5. Set mailname and hostname
 <code> <code>
-sudo apt install exim4 +echo "net.outsidebox.vip" | sudo tee /etc/mailname 
-cat << 'EOF' | sudo tee /etc/exim4/update-exim4.conf.conf +echo "net.outsidebox.vip" | sudo tee /etc/hostname 
-dc_eximconfig_configtype='smarthost' +</code>
-dc_smarthost='mail.domain.com::587' +
-dc_local_interfaces='127.0.0.1 ; ::1' +
-dc_other_hostnames='' +
-dc_readhost='' +
-dc_relay_domains='' +
-dc_minimaldns='false' +
-dc_hide_mailname='true' +
-EOF+
  
-cat << 'EOF| sudo tee /etc/exim4/passwd.client +Make sure alias and fqdn are also specified properly in ''/etc/hosts''. Remember, system emails go to ''root@net.outsidebox.vip'' but they attempt this delivery via ''mail.haacksnetworking.org''. So, since this origin is allowed in ''mail.haacksnetworking.org'', those get delivered to root on ''haacksnetworking.org'' and/or whatever alias is specified thereIn short, setting the fqdn.com is essential to figuring out which system-generated emails are which if/when problems happen. In short, if/when these values are set, the email will be sent to the alias specified for root on ''mail.haacksnetworking.org'', which is ''notifications@haacksnetworking.org'', and the from address will be ''root@net.outsidebox.vip''. The fqdn.com being set ensures clear disambiguation when issues come up.
-mail.domain.com:user:password +
-*:user:password +
-EOF+
  
 +# 6. Fix permissions and apply
 +<code>
 sudo chown root:Debian-exim /etc/exim4/passwd.client sudo chown root:Debian-exim /etc/exim4/passwd.client
 sudo chmod 640 /etc/exim4/passwd.client sudo chmod 640 /etc/exim4/passwd.client
- 
-cat << 'EOF' | sudo tee /etc/exim4/exim4.conf.localmacros 
-MAIN_TLS_ADVERTISE_HOSTS = 
-REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = * 
-MAIN_HARDCODE_PRIMARY_HOSTNAME = user.domain.com 
-MAIN_LOCAL_DOMAINS = 
-EOF 
  
 sudo update-exim4.conf sudo update-exim4.conf
 sudo systemctl restart exim4 sudo systemctl restart exim4
 +</code>
  
-echo "Exim4 configured and restarted." +Set permissions on the credentials and restart the services.  
-echo "Test with:" + 
-echo 'echo "Test from $(hostname)"mail -s "Exim4 test from $(hostname)test@gmail.com'+# 7. Configure the **remote mailserver** to accept email from the subdomain and/or other IP of the client: 
 +<code> 
 +nano /etc/postfix/main.cf 
 +mydestination = mail.haacksnetworking.org, 
 +        haacksnetworking.org, 
 +        mail.haacksnetworking.org,  
 +        node0.otherdomain.org, #accept system email sent to your node's "localaddress 
 +        node1.otherdomain.com, #accept system email sent to your node's "local" address 
 +        localhost.haacksnetworking.org, 
 +        localhost 
 +sudo systemctl restart postfix
 </code> </code>
  
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2026/03/29 15:33//+We need to adjust the remote email server. This is because, as mentioned above, system emails default to ''root@sub.domain.org'' or ''root@net.outsidebox.vip'', for example. Unless you approve that from envelope, the message will be rejected by ''mail.haacksnetworking.org''. If you configure the remote server to accept email for that domain, however, then it will attempt local delivery first and send that email to the corresponding "user" (in this case root) on ''mail.haacksnetworking.org''. If you also want to send and respond and use this subdomain in webmail, you can point that subdomain to your remote mail server's A/AAAA and MX records. I don't need that, but I did test and ensure it worked. In short, by adding this origin, system-generated emails from each client will arrive at root or root's alias on the remote server, ensuring oversight and proper monitoring takes place. 
 + 
 + --- //[[alerts@haacksnetworking.org|oemb1905]] 2026/04/19 19:06//
computing/mailclient.1774798871.txt.gz · Last modified: by oemb1905

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki