I want to use Exim4 as an MTA for my server, but basically only to send emails. For security issues, I would like to restrict incoming connections to localhost only (I think). So there is this option in the exim4 configuration where you can specify:

IP-addresses to listen on for incoming SMTP connections:

If I put localhost there, I can perfectly well send emails via mutt and mail, but other services on my machine cannot connect to the exim daemon to send emails, especially because there is no binding to the port tcp/25 if I specify localhost in the field above.

Of course if I leave the field blank, everything works fine, but I don't want to listen for tcp/25 for anybody else than my own machine... Here is my log when all connections are accepted, for local services like ossec:

```
2013-10-08 12:26:13 1VTcv7-XXXXX-XX <= ossecm@myserver.edu H=localhost (notify.ossec.net) [127.0.0.1] P=smtp S=979
```

Falcon Momot
Antoine Lizée

3 Answers

If you literally put "localhost" in that setting, try putting instead:

```
dc_local_interfaces='127.0.0.1 ; ::1'
```

During `dpkg-reconfigure exim4-config`, if you select "Internet site" for the type, the second question looks like this:

Please enter a semicolon-separated list of IP addresses. The Exim SMTP listener
daemon will listen on all IP addresses listed here.

An empty value will cause Exim to listen for connections on all available network
interfaces.

If this system only receives mail directly from local services (and not from other
hosts), it is suggested to prohibit external connections to the local Exim daemon.
Such services include e-mail programs (MUAs) which talk to localhost only as well
as fetchmail. External connections are impossible when 127.0.0.1 is entered here,
as this will disable listening on public network interfaces.

IP-addresses to listen on for incoming SMTP connections:

Simply put the following in that field:

```
127.0.0.1; ::1
```
Antoine Lizée
Todd Lyons
  • I may want to try this, but I am not sure that I understand well your suggestion. I think you are referring to a config file while I am talking about an **interactive configuration process**, called with `dpkg-reconfigure exim-config`. There is no variable to define, and there actually is a mention of putting localhost directly in there when running the configuration. – Antoine Lizée Oct 09 '13 at 22:06
  • Edited to include your concern. – Todd Lyons Oct 15 '13 at 14:12
  • Well, my "concern" about this kind of weird suggestion seems to be right in the end, since following it actually just broke my mail daemon :-). `sudo service exim4 restart [....] Stopping MTA for restart:/usr/sbin/update-exim4.conf: 21: /etc/exim4/update-exim4.conf.conf: ::1: not found ` and then `sudo dpkg-reconfigure exim4-config /var/lib/dpkg/info/exim4-config.config: 21: /etc/exim4/update-exim4.conf.conf: ::1: not found`. Finally: `ALERT: exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken` – Antoine Lizée Oct 17 '13 at 01:09
  • The only way to make it work again (`reinstall` wasn't enough) is to go in the .conf.conf file mentioned above and actually edit it to correct for the wrong input. So I stripped out the definition of the thing, and just left the actual parameter. dpkg-reconfigure is indeed a GUI tool that lets you specify the parameter only, and putting as the variable value the whole variable definition is obviously not the good thing to do. – Antoine Lizée Oct 17 '13 at 01:29
  • About your (corrected) suggestion: It doesn't seem that it fixed the issue. What were you expecting by adding the ::1 ? – Antoine Lizée Oct 17 '13 at 01:47
  • ::1 is the ipv6 equivalent of the localhost ip. If your machine has ipv6 disabled, just leave that one off. – Todd Lyons Oct 18 '13 at 00:39
When IPv6 is disabled, you must change the file `/etc/exim4/update-exim4.conf.conf`:

this line: `dc_local_interfaces='127.0.0.1 ; ::1'`

change to: `dc_local_interfaces='127.0.0.1'`

Then restart exim.

For clarity, I give the screenshot: [image]


If you are not using a debian-based configuration, the general configuration directive would be:

```
local_interfaces = 127.0.0.1.25
# At least, when assuming this:
disable_ipv6 = true
```
Dan Poltawski
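
A way to verify the result of any of the settings in the answers above, as an added example that is not part of the original posts: the function reads `ss -ltn` output and reports whether tcp/25 is bound on loopback only, on a non-loopback address, or not bound at all (the state the question describes). The function name and the sample socket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -ltn` output on stdin and classifies tcp/25:
#   return 0  listening on loopback addresses only
#   return 1  listening on at least one non-loopback address
#   return 2  nothing listening on tcp/25
check_smtp_listeners() {
    awk '
        $1 == "LISTEN" && $4 ~ /:25$/ {
            addr = $4
            sub(/:25$/, "", addr)     # drop the port
            gsub(/\[/, "", addr)      # drop IPv6 brackets
            gsub(/\]/, "", addr)
            seen = 1
            if (addr !~ /^127\./ && addr != "::1") {
                print "exposed: " $4
                bad = 1
            }
        }
        END { if (bad) exit 1; if (!seen) exit 2; exit 0 }
    '
}

# Constructed sample listings (not taken from a real host).
LOOPBACK_ONLY='LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
LISTEN 0 20 [::1]:25 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

ALL_INTERFACES='LISTEN 0 20 0.0.0.0:25 0.0.0.0:*
LISTEN 0 20 [::]:25 [::]:*'

NOT_BOUND='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Run the check over each sample and show the resulting status.
for sample in "$LOOPBACK_ONLY" "$ALL_INTERFACES" "$NOT_BOUND"; do
    rc=0
    printf '%s\n' "$sample" | check_smtp_listeners || rc=$?
    echo "status=$rc"
done
```

On a live host, run `ss -ltn | check_smtp_listeners` after restarting Exim; a status of 2 means the daemon did not bind tcp/25 at all, so local services connecting over SMTP will fail.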