December 22, 2010

 Blocking spammers based on SMTP HELO command

If a spammer is abusing your server and identifies itself with a recognisable name in the SMTP HELO (or EHLO) command, you can reject every message that presents that name.

Bear in mind that the HELO name is chosen entirely by the connecting client, so this catches the one specific string a spammer happens to send; it is a cheap, targeted block rather than a general defence, and the spammer can change the name at any time.

Edit /usr/local/atmail/mailserver/configure

In the ACL

acl_check_rcpt:

Append the rule below to that ACL, before its final accept, so that it is evaluated for every RCPT:

deny message = HELO not allowed
condition = ${if eq{$sender_helo_name}{spammer.com}{yes}{no}}

Exim treats "yes", "true" or a non-zero number as a true condition, so the explicit {yes}{no} branches are equivalent to the shorter ${if eq{$sender_helo_name}{spammer.com}}; use eqi instead of eq if you want the comparison to be case-insensitive, since HELO names are domain names. Copy the rule for each HELO name you wish to block.

Restart the Atmail services and the new HELO check is live. Because the rule sits in acl_check_rcpt, the 550 is returned at RCPT TO rather than at HELO, as in the example transaction below:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 nexus.local.atmail.com Welcome to the @Mail SMTP Server ( Exim )
helo spammer.com
250 nexus.local.atmail.com Hello localhost [127.0.0.1]
mail from: test@test.com
250 OK
rcpt to: test@nexus.atmail.com
550 HELO not allowed


Filed under: Anti-Spam, Exim — info @ 7:55 pm

 

December 14, 2010

 Scan outgoing emails for spam

In the Atmail Exim configuration, mail from authenticated users and from hosts in relay_from_hosts skips the SpamAssassin checks, so only inbound mail is scored. Scanning outbound mail as well is the quickest way to notice a compromised account or an infected workstation relaying through you, and it is easily fixable via the following steps:

1.) Open up /usr/local/atmail/mailserver/configure, and find:

# Accept outgoing messages from authenticated users, no need to scan as spam
accept  authenticated = *

# Skip scanning messages from users that are trusted
accept hosts = +relay_from_hosts

# Skip if message over size
accept condition = ${if > {$message_size}{50k} }

# Pass the email via Spamassassin and don't scan messages over the specified size to save CPU
# Append the X-Spam-Score and X-Spam-Report for all messages
warn  message = X-Spam-Score: $spam_score
condition = ${if < {$message_size}{50k} }
hosts = ! +relay_from_hosts
spam = nobody:true/defer_ok

warn  message = X-Spam-Report: $spam_report
condition = ${if < {$message_size}{50k} }
hosts = ! +relay_from_hosts
spam = nobody:true/defer_ok

# Reject message if Spam-score is too high ( avoid wasted disk/CPU on obvious Spam messages)
drop message = This message is rejected by the Anti-Spam System. Spam-score too high : $spam_score spam points - Please reformat your email and send again
spam = nobody:true/defer_ok
hosts = ! +relay_from_hosts
condition = ${if < {$message_size}{50k} }
condition = ${if > {$spam_score_int}{100}{1}{0}}

2.) Change the block so it looks like:

# Skip if message over size
accept condition = ${if > {$message_size}{50k} }

# Pass the email via Spamassassin and don't scan messages over the specified size to save CPU
# Append the X-Spam-Score and X-Spam-Report for all messages
warn  message = X-Spam-Score: $spam_score
condition = ${if < {$message_size}{50k} }
spam = nobody:true/defer_ok

warn  message = X-Spam-Report: $spam_report
condition = ${if < {$message_size}{50k} }
spam = nobody:true/defer_ok

# Reject message if Spam-score is too high ( avoid wasted disk/CPU on obvious Spam messages)
drop message = This message is rejected by the Anti-Spam System. Spam-score too high : $spam_score spam points - Please reformat your email and send again
spam = nobody:true/defer_ok
condition = ${if < {$message_size}{50k} }
condition = ${if > {$spam_score_int}{100}{1}{0}}

3.) Go to WebAdmin > Services > Anti-Spam, and set 'Skip Trusted' to off. Save changes.

4.) Restart Atmail.

This will scan all emails. What changed: the two accept rules for authenticated users and trusted hosts are gone, and the hosts = ! +relay_from_hosts restrictions were removed from the remaining rules, so the X-Spam-Score/X-Spam-Report headers and the drop rule now apply to every message, including submissions from your own users. Note that $spam_score_int is the score multiplied by ten, so the drop threshold of 100 means 10.0 points, and that a user whose message is dropped sees the "Please reformat your email" text in their mail client. It is worth adding a log_message modifier that includes $authenticated_id to the drop rule, so that an account sending spam shows up by name in the Exim log.


Filed under: Uncategorized, Anti-Spam, Exim — John Contad @ 4:50 pm

 

December 12, 2010

 Updating Exim to 4.72

Updating Exim to 4.72 is essential: it contains the fixes for the remotely exploitable security issues present in versions 4.69 and older. Before applying this update, make sure the PCRE development package is installed, via yum or apt. For Fedora or CentOS:

% yum install pcre-devel

For Ubuntu/Debian:

% apt-get install libpcre3 libpcre3-dev libpcre++-dev

---
To update Exim, do the following:

1.) Download the new Exim package from: http://kb.atmail.com/attach/eximatmail.tgz

% wget  'http://kb.atmail.com/attach/eximatmail.tgz'

2.) Replace your current package with the new package:

% mv /usr/local/atmail/server_source/eximatmail.tgz /usr/local/atmail/server_source/eximatmail.tgz.old
% mv /usr/local/atmail/server_source/exim-4.69/ /tmp/exim-4.69/
% mv eximatmail.tgz /usr/local/atmail/server_source/eximatmail.tgz

3.) Make a backup of your current configure file:

% cp /usr/local/atmail/mailserver/configure /usr/local/atmail/mailserver/configure.backup

4.) Stop Atmail:

% /etc/init.d/atmailserver stop

5.) Rebuild:

% php /usr/local/atmail/server_source/scripts/buildexim.php

6.) After rebuilding, open up your /usr/local/atmail/mailserver/configure file. Find this line:

# Stop the SMTP if load > X
smtp_load_reserve = 20

7.) Below this, add:

dkim_verify_signers = $sender_address_domain

This tells Exim to verify only a signature made by the envelope sender's domain; signatures from any other domain are ignored. (Exim's default is to verify every signer found in the message.)

8.) Find:

acl_smtp_data = acl_check_content

9.) Below this, add:

acl_smtp_dkim = acl_check_dkim

10.) Find:

deny    message       = relay not permitted

11.) Below this, add:

acl_check_dkim:

deny message = Invalid DKIM
dkim_status = fail

accept

Check where the new label lands: in most configurations the "relay not permitted" deny is followed by a bare accept that ends acl_check_rcpt. The acl_check_dkim label must go after that accept, not between the deny and the accept, otherwise acl_check_rcpt would end in a deny and every recipient would be rejected.

The DKIM ACL runs once per signer being verified, so dkim_status = fail means the sender domain's signature was present but did not verify. Be aware that this is a fairly blunt rule: unsigned mail is not affected (its status is none, not fail), while legitimate mail whose signature was broken in transit, typically by a mailing list or a forwarder that rewrites the body or headers, will be rejected. If that is a concern, use warn with add_header instead of deny and let the spam scoring take the result into account.

12.) Restart Atmail:

% /etc/init.d/atmailserver restart

You now have the new version, with the security fixes and DKIM verification in place.


Filed under: Uncategorized, Anti-Spam, Exim, Improvements and Fixes, Atmail 5, Atmail 6 — John Contad @ 9:24 pm

 

November 7, 2010

 Fail2Ban for Exim SMTP Auth

Fail2Ban is a great utility which can be found via: http://www.fail2ban.org. It watches log files for patterns such as failed logins and takes an action (typically inserting a firewall rule) against the IP address found in the matching line. This is handy for introducing lockouts for various services. In this scenario, we will use Fail2Ban to lock out an IP address with iptables after 3 consecutive failed logins to Exim SMTP Auth.

Prerequisites:

- iptables (the ban action inserts firewall rules)

- Python 2.3 or newer

Steps:

1.) Download Fail2Ban for your distribution via: http://www.fail2ban.org/wiki/index.php/Downloads

2.) If using the source version, untar the file, then install:

% tar xvfj fail2ban-0.8.3.tar.bz2
% cd fail2ban-0.8.3
% python setup.py install

3.) This installs the fail2ban-client and fail2ban-server commands. To check that everything is in place, run:

% fail2ban-client -h

This will have an output similar to:

% fail2ban-client -h
Usage: /usr/bin/fail2ban-client [OPTIONS]

Fail2Ban v0.8.3 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

4.) Download the jail-smtpauth.conf and smtpauth.conf files from the following links:

- http://atmail.com/kb/attach/smtpauth.conf

- http://atmail.com/kb/attach/jail-smtpauth.conf

5.) Place jail-smtpauth.conf at /etc/fail2ban/jail.conf and smtpauth.conf at /etc/fail2ban/filter.d/smtpauth.conf. Note that copying over jail.conf replaces any jails you already have configured; if Fail2Ban is already in use on the host, merge the smtpauth jail section into your existing jail.conf (or jail.local) instead.

6.) Start the fail2ban service:

% fail2ban-client start

7.) You can further alter the parameters. By default, if a client fails to authenticate to Exim SMTP Auth three times, its IP address is blocked from port 25 for about 10 minutes. Should you want to change this behaviour, open the /etc/fail2ban/jail.conf file, and find the following lines:

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

8.) So should you wish to allow five failed logins within 20 minutes before banning the IP for an hour, the settings will look like:

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 1200

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

9.) Stop and start Fail2Ban afterwards:

% fail2ban-client stop
% fail2ban-client start
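As an added example (not part of the original post, and not Fail2Ban's own code), here is the findtime/maxretry/bantime logic from steps 7 and 8 written out in Python and run over a few constructed Exim log lines, so you can see exactly which pattern of failures earns a ban under a given setting. The regular expression matches Exim's "<authenticator> authenticator failed for ... [ip]: 535 ..." log line the way a filter.d failregex would; the log lines, IP addresses and timestamps are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Matches Exim's failed-authentication log line, e.g.
#   2010-11-07 20:30:01 login authenticator failed for (host) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
# The same pattern, with <HOST> in place of the ip group, is what a fail2ban filter.d failregex needs.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\S+ authenticator failed for .*?\[(?P<ip>[0-9A-Fa-f.:]+)\]: 535 "
)

# Constructed sample log: three failures from 203.0.113.5 inside three minutes,
# three failures from 198.51.100.9 spread over 25 minutes, and one unrelated delivery line.
SAMPLE_LOG = """\
2010-11-07 20:00:00 login authenticator failed for (scanner) [198.51.100.9]: 535 Incorrect authentication data (set_id=root)
2010-11-07 20:12:00 login authenticator failed for (scanner) [198.51.100.9]: 535 Incorrect authentication data (set_id=admin)
2010-11-07 20:25:00 login authenticator failed for (scanner) [198.51.100.9]: 535 Incorrect authentication data (set_id=test)
2010-11-07 20:30:01 login authenticator failed for (mail.example.com) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2010-11-07 20:30:30 <= bob@example.com H=(laptop) [192.0.2.10] P=esmtpa A=login:bob S=1204
2010-11-07 20:31:15 login authenticator failed for (mail.example.com) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2010-11-07 20:32:40 login authenticator failed for (mail.example.com) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
"""


def ban_schedule(lines: Iterable[str], maxretry: int = 3, findtime: int = 600,
                 bantime: int = 600) -> Dict[str, datetime]:
    """Return {ip: ban_expiry} for every IP that produced `maxretry` failures
    within a sliding window of `findtime` seconds, the way fail2ban counts them."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    bans: Dict[str, datetime] = {}
    window = timedelta(seconds=findtime)
    for line in lines:
        m = FAILED_AUTH.match(line)
        if not m:
            continue  # not a failed-auth line; fail2ban ignores it as well
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        # keep only the failures that fall inside the findtime window ending now
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        already_banned = ip in bans and ts < bans[ip]
        if len(recent[ip]) >= maxretry and not already_banned:
            bans[ip] = ts + timedelta(seconds=bantime)
            recent[ip] = []  # start counting afresh once the ban lifts
    return bans


if __name__ == "__main__":
    for ip, until in ban_schedule(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} until {until}")
```

With the defaults only 203.0.113.5 is banned: the slow scanner at 198.51.100.9 never has three failures inside any ten-minute window, which is exactly the trade-off findtime controls. Against the real filter, the equivalent check is fail2ban-regex run with your Exim main log and /etc/fail2ban/filter.d/smtpauth.conf as arguments, which reports how many lines the failregex matched.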


Filed under: Uncategorized, Anti-Spam, Exim, OS, Anti-Virus, Atmail 6 — John Contad @ 8:33 pm

 

September 5, 2010

 LDAP Lookups with SMTP Authentication

Some LDAP setups disallow bind authentication for ordinary users and merely act as a store for passwords that a privileged account reads out. That means the directory holds passwords in a form that can be compared directly, readable by anyone who obtains the admin bind credentials, which is why it is not recommended; Exim also has to keep those admin credentials in its configuration file. Where you are stuck with such a directory, these steps outline how to authenticate against it via Exim.

For the following setup, we will use the following parameters:

- the LDAP server is ldap.local
- the administrator DN is 'uid=admin,ou=Admin,o=domain.com'
- the password is 'password'
- the base DN for users is 'ou=People,o=domain.com'
- the attribute for password is 'userpass'
- the objectClass is 'inetOrgPerson'

1.) Open up /usr/local/atmail/mailserver/configure

2.) Find the following line:

# AUTH LOGIN authentication method with MySQL support used by Outlook Express.
#auth_login:
#driver = plaintext
#public_name = LOGIN
#server_condition = ${if eq{$1}{${lookup mysql{SELECT Account FROM UserSession WHERE Account='$1' and Password='$2'}{$value}fail}}{1}{0}}
#server_prompts = "Username:: : Password::"
#server_set_id = $1

3.) Replace with:

auth_login:
driver = plaintext
public_name = LOGIN
server_condition = ${if and{{!eq{$2}{}}{eq{$2}{${lookup ldap{user="uid=admin,ou=Admin,o=domain.com" pass=password ldap://ldap.local/ou=People,o=domain.com?userpass?sub?(&(uid=${quote_ldap:$1})(objectclass=inetOrgPerson))}{$value}fail}}}}{1}{0}}
server_prompts = "Username:: : Password::"
server_set_id = $1

Two details matter here. $1 is the username exactly as the client sent it, so it is wrapped in ${quote_ldap:...}: without that, a username containing ( ) * or \ rewrites the search filter instead of being searched for. And the !eq{$2}{} test refuses an empty password outright, so an account whose userpass attribute is empty or missing cannot be logged into with no password. If no entry is found, the lookup is forced to fail, which Exim reports as an authentication failure. Use ldaps:// rather than ldap:// wherever the directory supports it, since the admin credentials and every user's password otherwise cross the network in the clear on each login.

4.) Note the LDAP URL. It takes the following format:

ldap://[host name]/[base DN]?[attribute name]?[scope]?[filter]

For our example, we use (the port is optional and defaults to 389):

ldap://ldap.local:389/ou=People,o=domain.com?userpass?sub?(&(uid=$1)(objectclass=inetOrgPerson))

Where:

ldap.local:389 is the hostname and port of the LDAP server

ou=People,o=domain.com is our Base DN. This is the distinguished name that forms the base of the LDAP search. If entries have the LDAP format of 'uid=username,ou=People,o=domain.com', the Base DN to use is 'ou=People,o=domain.com'.

userpass is the attribute we are looking for, for comparison

sub is the scope of the search. sub retrieves information about entries at all levels below the distinguished name (base dn) specified in the URL. base retrieves information about the distinguished name (base dn) specified in the URL only.

(&(uid=$1)(objectclass=inetOrgPerson)) is the filter. Normally, a basic filter contains only one term - for example, (objectclass=inetOrgPerson), which selects only entries of the object class 'inetOrgPerson'. Since we are looking for a specific object class AND uid, we need to specify both. Because $1 is whatever the client typed as its username, it has to be written as ${quote_ldap:$1} in the real configuration (as in step 3); left raw, a username containing ( ) * or \ changes the structure of the filter rather than being searched for.

In this case, the filter is specified as:

(&(uid=$1)(objectclass=inetOrgPerson))

Which, roughly means:

((uid=$1) AND (objectclass=inetOrgPerson))

The operator "&", standing for "AND", being appended at the front of the filter. This requires that both filter conditions are met.

5.) Restart Atmail.
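Added example, not part of the original post or of Exim: a small Python parser for the LDAP URL format described in step 4, together with the RFC 4515 filter escaping that ${quote_ldap:...} applies to $1 (quote_ldap additionally URL-encodes the result, because the filter lives inside a URL; that part is not reproduced here). The URL and usernames below are taken from, or constructed for, this post.

```python
from typing import Dict
from urllib.parse import unquote, urlsplit

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# This is the filter-level half of what Exim's ${quote_ldap:...} does.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(uid: str, objectclass: str = "inetOrgPerson", escape: bool = True) -> str:
    """Build the (&(uid=...)(objectclass=...)) filter from the post.
    escape=False reproduces the unquoted $1 of the original configuration."""
    if escape:
        uid = ldap_filter_escape(uid)
    return f"(&(uid={uid})(objectclass={objectclass}))"


def parse_ldap_url(url: str) -> Dict[str, object]:
    """Split ldap://host[:port]/base?attrs?scope?filter into its parts (RFC 4516).
    Missing trailing parts take the RFC defaults: no attributes, scope base, (objectclass=*)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    fields = parts.query.split("?", 2) if parts.query else []
    attrs = unquote(fields[0]) if fields else ""
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": unquote(fields[1]) if len(fields) > 1 and fields[1] else "base",
        "filter": unquote(fields[2]) if len(fields) > 2 and fields[2] else "(objectclass=*)",
    }


if __name__ == "__main__":
    url = "ldap://ldap.local:389/ou=People,o=domain.com?userpass?sub?(&(uid=$1)(objectclass=inetOrgPerson))"
    for key, value in parse_ldap_url(url).items():
        print(f"{key:>10}: {value}")
    # A username that is not escaped adds its own terms to the filter:
    print(user_filter("*)(uid=*", escape=False))
    print(user_filter("*)(uid=*"))
```

The last two lines of the main block show the point of the quoting: the unescaped username yields (&(uid=*)(uid=*)(objectclass=inetOrgPerson)), a different query from the one the administrator wrote, whereas the escaped form searches for the literal string.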


Filed under: Uncategorized, Exim, Atmail 5, Atmail 6 — John Contad @ 5:00 pm

 

August 17, 2010

 Using SSL certificates with Atmail

You can use SSL certificates to allow your users to access Atmail over SSL/TLS. This document will show you how to get SSL certificates into the PEM format that Apache, Exim and Dovecot all read.

1.) You generate the private key yourself when you create the certificate request, and the CA sends back the signed certificate, often together with an intermediate certificate. For the purposes of this document, we will put them in the directory /usr/local/atmail/ssl/ as two files, domain.key and domain.crt.

2.) Most CAs already deliver the certificate in PEM format: if domain.crt is a text file starting with -----BEGIN CERTIFICATE-----, simply copy it to domain.pem. Only a binary (DER) .crt needs converting, which this command will do:

% openssl x509 -inform der -in /usr/local/atmail/ssl/domain.crt -out /usr/local/atmail/ssl/domain.pem

If the CA supplied an intermediate certificate, append it after your own certificate in domain.pem so that clients receive the full chain.

3.) Afterwards, you will need a passphrase-less key file, because the daemons must be able to read the key at start-up without anyone typing a passphrase:

% openssl rsa -in /usr/local/atmail/ssl/domain.key -out /usr/local/atmail/ssl/domain-nopass.key

The resulting file is the one secret in this setup: make it readable only by the accounts the daemons run as (mode 600 with the appropriate owner), and keep the passphrase-protected original somewhere safe.

4.) Define the pathnames of the key and cert files in WebAdmin > Services > POP3/IMAP.

5.) The SSL Certificate Path corresponds to your .pem file. For this example, the setting will be "/usr/local/atmail/ssl/domain.pem".

6.) The SSL key file corresponds to your passphrase-less key file. For this example, the setting will be "/usr/local/atmail/ssl/domain-nopass.key".

7.) Save changes.

8.) Should you want to verify this manually, open up /usr/local/atmail/mailserver/etc/dovecot.conf, and look for this line block:

ssl = yes
protocols = pop3 imap pop3s imaps
ssl_cert_file = /usr/local/atmail/ssl/domain.pem
ssl_key_file = /usr/local/atmail/ssl/domain-nopass.key

9.) And here is the corresponding entry for /usr/local/atmail/mailserver/configure:

tls_advertise_hosts = *
log_selector = +tls_peerdn
tls_certificate=/usr/local/atmail/ssl/domain.pem
tls_privatekey=/usr/local/atmail/ssl/domain-nopass.key

10.) Restart Atmail services.
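As an added example (not part of the original post or of Atmail), a pre-flight checker in Python for the two files you point WebAdmin at: it tells PEM from DER, performs the DER-to-PEM wrapping that `openssl x509 -inform der` does, counts the certificates in the file (one means no intermediate was appended), detects a key that still has a passphrase, and checks that the key is not group- or world-readable. The byte strings in the test and the main block are constructed stand-ins, not real certificates.

```python
import base64
import os
from typing import Dict

PEM_CERT_HEADER = b"-----BEGIN CERTIFICATE-----"


def cert_format(data: bytes) -> str:
    """'pem' for a text PEM file, 'der' when the file starts with the ASN.1 SEQUENCE tag
    that every X.509 certificate begins with, otherwise 'unknown'."""
    if PEM_CERT_HEADER in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(data: bytes, label: str = "CERTIFICATE") -> str:
    """What `openssl x509 -inform der` produces: base64 in 64-column lines between PEM markers."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def certs_in_chain(pem: bytes) -> int:
    """Number of certificates in the PEM file; 1 means no intermediate was appended."""
    return pem.count(PEM_CERT_HEADER)


def key_is_encrypted(pem: bytes) -> bool:
    """True for a key that still carries a passphrase (legacy 'Proc-Type: 4,ENCRYPTED'
    header or a PKCS#8 'ENCRYPTED PRIVATE KEY' block); such a key stalls a daemon at start-up."""
    return b"Proc-Type: 4,ENCRYPTED" in pem or b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem


def key_mode_ok(mode: int) -> bool:
    """The unencrypted key must not be readable by group or others (0600 or 0400)."""
    return (mode & 0o077) == 0


def inspect_material(cert: bytes, key: bytes, key_mode: int) -> Dict[str, object]:
    fmt = cert_format(cert)
    pem = cert if fmt == "pem" else (der_to_pem(cert).encode() if fmt == "der" else b"")
    return {
        "cert_format": fmt,
        "certs_in_chain": certs_in_chain(pem),
        "key_encrypted": key_is_encrypted(key),
        "key_mode_ok": key_mode_ok(key_mode),
    }


def inspect_files(cert_path: str, key_path: str) -> Dict[str, object]:
    """Run the checks against the files named in WebAdmin / dovecot.conf / configure."""
    with open(cert_path, "rb") as f:
        cert = f.read()
    with open(key_path, "rb") as f:
        key = f.read()
    return inspect_material(cert, key, os.stat(key_path).st_mode & 0o777)


if __name__ == "__main__":
    import sys
    print(inspect_files(*sys.argv[1:3]))
```

Run it as a script with the certificate and key paths from steps 5 and 6; a report of cert_format "der", certs_in_chain 1, key_encrypted True or key_mode_ok False each points at one of the steps above that still needs doing.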


Filed under: Uncategorized, Encryption, Exim, Atmail 5, Atmail 6 — John Contad @ 8:05 pm

 

July 27, 2010

 Testing SMTP AUTH using telnet

Sometimes you need to test SMTP Authentication is working on your server, and you may not have Outlook or another email client handy to test the connection.

You can verify SMTP authentication is working by using telnet and accessing the SMTP server directly. Below is a quick tutorial on how to test your server with Atmail for SMTP authentication details

1: First, make sure SMTP authentication is enabled via the Atmail Webadmin > Services > SMTP Settings > SMTP Authentication = On

2: Next, create or verify an existing username and password on the system

3: Build the Base64 username/password

SMTP AUTH LOGIN transfers the username and password as Base64 strings. Base64 is an encoding, not encryption: anyone who can see the connection decodes the credentials instantly, so the only real protection is to start TLS (STARTTLS) before authenticating; more on that at the end. Using Perl, you can issue the following commands to encode the username and password as Base64 strings ready to send to the SMTP server. Note the @ symbol is escaped to stop Perl interpolating it as an array.
# perl -MMIME::Base64 -e 'print encode_base64("myusername\@domain.com")'

bXl1c2VybmFtZUBkb21haW4uY29t

# perl -MMIME::Base64 -e 'print encode_base64("weakpass")'
d2Vha3Bhc3M=

4: Access the local system. Lines without a numeric reply code are the commands we type; everything else is the server's response.
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mydomain.com Welcome to the @Mail SMTP Server ( Exim )
ehlo test.com
250-mydomain.com localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250-AUTH LOGIN
250-STARTTLS
250 HELP

The EHLO response confirms that AUTH LOGIN is advertised by the server. Next, send the following command to start the SMTP authentication process:

AUTH LOGIN
334 VXNlcm5hbWU6 ( the 334 challenge is the Base64 encoding of "Username:" )

bXl1c2VybmFtZUBkb21haW4uY29t

334 UGFzc3dvcmQ6 ( the 334 challenge is the Base64 encoding of "Password:" )

d2Vha3Bhc3M=

235 Authentication succeeded
Congratulations, SMTP authentication is now confirmed working on your server. Note you must send the Base64 strings of the username and password as two separate lines, each in reply to a 334 challenge.

Because the session above never issued STARTTLS, the credentials crossed the connection in a trivially decodable form; that is acceptable on localhost, not across a network. To test the way a real client should behave, use openssl s_client -starttls smtp -connect host:25 instead of telnet and authenticate inside the TLS session. Also note that the server advertised AUTH LOGIN before TLS was negotiated; in Exim, setting auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}} in the main configuration makes the server offer AUTH only once TLS is up, so that no client can send a password in the clear.
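The two transactions on this page, the HELO-rejection probe from the first post and the AUTH LOGIN exchange above, as an added Python example (not Atmail's or Exim's code). The protocol steps are separated from the network so that each exchange can be replayed against a scripted responder; open_session() connects to a real server with smtplib and, by default, refuses to hand over credentials unless STARTTLS succeeded. Host names, credentials and the scripted replies are constructed for the demonstration, using the values that appear in the two transcripts.

```python
import base64
import smtplib
import ssl
from typing import Callable, Dict, Optional, Tuple

# One SMTP command line out, (reply code, reply text) back; smtplib.SMTP.docmd has this shape.
Talk = Callable[[str], Tuple[int, bytes]]


def b64(text: str) -> str:
    """Base64 is an encoding, not encryption: the wire form is reversible by anyone."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_challenge(reply: bytes) -> str:
    """The text after a 334 is the Base64 of the server's prompt, e.g. b'VXNlcm5hbWU6' -> 'Username:'."""
    return base64.b64decode(reply).decode("utf-8")


def scripted_server(replies: Dict[str, Tuple[int, bytes]]) -> Talk:
    """A stand-in for a server: answers from a table, 250 OK for anything else."""
    return lambda line: replies.get(line, (250, b"OK"))


def helo_probe(talk: Talk, helo: str, mail_from: str, rcpt_to: str) -> Tuple[str, int]:
    """Walk HELO / MAIL / RCPT and report the first step that is refused (4xx/5xx).
    Nothing is delivered: the envelope is reset instead of sending DATA."""
    steps = (("HELO", f"HELO {helo}"),
             ("MAIL", f"MAIL FROM:<{mail_from}>"),
             ("RCPT", f"RCPT TO:<{rcpt_to}>"))
    for name, cmd in steps:
        code, _ = talk(cmd)
        if code >= 400:
            return name, code
    talk("RSET")
    return "accepted", 250


def auth_login(talk: Talk, username: str, password: str) -> bool:
    """Perform AUTH LOGIN: two 334 challenges, two Base64 replies, 235 on success."""
    code, reply = talk("AUTH LOGIN")
    if code != 334 or not decode_challenge(reply).lower().startswith("username"):
        return False
    code, reply = talk(b64(username))
    if code != 334 or not decode_challenge(reply).lower().startswith("password"):
        return False
    code, _ = talk(b64(password))
    return code == 235


def open_session(host: str, port: int = 25, require_tls: bool = True,
                 context: Optional[ssl.SSLContext] = None) -> Tuple[smtplib.SMTP, Talk]:
    """Connect, EHLO, upgrade with STARTTLS when offered, and hand back a Talk for the helpers above.
    With require_tls=True (the default) a server that lacks STARTTLS never sees the credentials."""
    session = smtplib.SMTP(host, port, timeout=15)
    session.ehlo()
    if session.has_extn("starttls"):
        session.starttls(context=context or ssl.create_default_context())
        session.ehlo()  # capabilities can change after the TLS upgrade
    elif require_tls:
        session.quit()
        raise RuntimeError(f"{host}:{port} does not offer STARTTLS; not sending credentials in clear")
    return session, session.docmd


if __name__ == "__main__":
    # Live run against a host you control. The default context verifies the server certificate,
    # so a lab box with a self-signed certificate needs a context of its own passed in.
    session, talk = open_session("localhost", 25, require_tls=False)
    print("HELO probe:", helo_probe(talk, "spammer.com", "test@test.com", "test@nexus.atmail.com"))
    print("AUTH LOGIN:", auth_login(talk, "myusername@domain.com", "weakpass"))
    session.quit()
```

Against the server from the first post, helo_probe() returns ("RCPT", 550) for the blocked HELO name, matching the transcript there; against an unconfigured server it returns ("accepted", 250) without ever sending DATA.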


Filed under: Exim, Atmail 6 — info @ 9:18 pm

 

December 2, 2009

 Adding Per-domain AV and Spam Support

You can add per-domain AV and Spam filtering support, if you wish. Just follow the following steps:

1.) open up /usr/local/atmail/mailserver/configure

2.) find:

MYSQL_DOMAINS = select Hostname from Domains where Hostname='${quote_mysql:$domain}'

3.) Below this, add:

MYSQL_AVCHECK = SELECT Hostname from Domains where AV='1' and Hostname='${quote_mysql:$domain}'

MYSQL_SPAMCHECK = SELECT Hostname from Domains where Spam='1' and Hostname='${quote_mysql:$domain}'

Quote $domain with ${quote_mysql:...}, exactly as the existing MYSQL_DOMAINS line does, so that a recipient domain can never alter the query.

4.) Then, find this line:

domainlist relay_to_domains =

5.) Below this:

domainlist sa_domains = mysql;MYSQL_SPAMCHECK
domainlist av_domains = mysql;MYSQL_AVCHECK

6.) Then, find:

accept  hosts = :

7.) Below this:

warn domains = +av_domains
set acl_m1 = 1

warn domains = +sa_domains
set acl_m2 = 1

8.) Then, find:

acl_check_content:

9.) Below this, add:

accept condition = ${if match{$acl_m1}{1}}

accept condition = ${if match{$acl_m2}{1}}

Note what these do: accept ends acl_check_content, so a domain whose flag is set bypasses every check in that ACL (both the anti-virus and the spam rules), while all other domains keep the default scanning. If you also use the SPF recipe on this page, which stores its spfquery arguments in $acl_m1, choose unused acl_m variables for these flags. And if you need to switch the two scanners on and off independently per domain, put a condition on $acl_m1 in the malware rule and on $acl_m2 in the spam rules instead of using bare accept verbs.

10.) Login to your MySQL

11.) Add the two other columns to the Domains table:

> alter table Domains add Spam tinyint(1) default NULL;
> alter table Domains add AV tinyint(1) default NULL;

12.) To have a specific domain bypass the scanners, set its flag (the ACL above accepts, i.e. stops scanning, when the flag is 1; a NULL keeps the default scanning):

> update Domains set Spam='1' where Hostname='yourdomain.com';

Replace yourdomain.com with your chosen domain, and use the AV column in the same way for the anti-virus check.

13.) Restart atmail:

% /etc/init.d/atmailserver restart


Filed under: Uncategorized, Anti-Spam, Exim, Anti-Virus — John Contad @ 8:38 pm

 

February 9, 2009

 SPF Checking for Exim with Mail::SPF

Exim's built-in SPF support, which has to be compiled against the libspf libraries, can sometimes cause build problems. An alternative is to call the spfquery command that ships with the Mail::SPF Perl module from the ACL.

To use SPFQuery with Exim, just go through the following steps:

- download Mail::SPF from http://search.cpan.org/CPAN/authors/id/J/JM/JMEHNLE/mail-spf/Mail-SPF-v2.006.tar.gz

- untar, install:

% tar xvfz Mail-SPF-v2.006.tar.gz
% cd Mail-SPF-v2.006
% perl Makefile.PL && make && make install

- open the /usr/local/atmail/mailserver/configure file (or where your Exim configuration file is located).

- find this line:

accept  local_parts   = postmaster
domains       = +local_domains

- below this, add:

# SPF Acl clause
warn  set acl_m1  = --ip-address=$sender_host_address  --mfrom=$sender_address --helo=$sender_helo_name
set acl_m1  = ${run{/usr/bin/spfquery $acl_m1}{$value}{fail}}

deny message    = SPF check fail. $sender_host_address is not allowed to send mail from $sender_address_domain.
condition   = ${if eq {$runrc}{1}{1}{0}}

- restart exim:

% killall -HUP exim

- you can also add this rule to flag soft failures. On a warn verb, message adds a header to the message (Exim prefixes it with X-ACL-Warn: because the text is not itself a header line), so the result becomes visible to SpamAssassin and to the recipient instead of causing a rejection:

warn message    = SPF check soft fail. Your host is not set as an allowed sender for $sender_address_domain.
condition   = ${if eq {$runrc}{2}{1}{0}}

Two things to keep in mind. $runrc is spfquery's exit status, and only codes 1 (fail) and 2 (softfail) are acted on above; every other non-zero status, including a temporary DNS error, falls through as if the check had passed, so consult spfquery's documented exit codes if you want to defer on temporary errors. Also, because these rules live in acl_check_rcpt, spfquery is run once per recipient rather than once per message.

Filed under: Uncategorized, Anti-Spam, Exim, Atmail 5, Atmail 6 — John Contad @ 5:44 pm

 

January 15, 2009

 Using SMTP Auth with the Exim Smarthost

Creating smarthosts with Exim is easy, but you may want to enable SMTP authentication during transactions for additional security. Just go through the following steps:

1.) Open up your /usr/local/atmail/mailserver/configure file, and find:

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

2.) Comment out this line so it looks like:

#dnslookup:
# driver = dnslookup
# domains = ! +local_domains
# transport = remote_smtp
# ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# no_more

3.) Add this line below:

divertnonlocal:
driver = manualroute
domains = ! +local_domains
transport = remote_smtp
route_list = * 192.168.0.6
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

4.) Replace "192.168.0.6" with your SMTP relay host (your smarthost destination).

5.) Find this line afterwards:

remote_smtp:
driver = smtp

6.) Change it to:

remote_smtp:
driver = smtp
hosts_require_auth = 192.168.0.6
hosts_try_auth = 192.168.0.6

7.) Change "192.168.0.6" to your smarthost server. hosts_require_auth makes Exim refuse to deliver to that host unless authentication succeeds. Since the LOGIN authenticator below sends the password Base64-encoded rather than encrypted, also add hosts_require_tls for the same host, so that the credentials only ever travel inside a TLS session with the smarthost.

8.) At the bottom of the file, find this line:

begin authenticators

9.) Below this, add:

login:
driver = plaintext
public_name = LOGIN
(more...)


Filed under: Uncategorized, Exim, Linux version, Atmail 5, Atmail 6 — John Contad @ 3:40 pm