Debian as Email Gateway

My goal was to set up a Debian server that acts as an email gateway to my ‘real’ email server. The idea is that email comes into the gateway box, Exim processes the mail, and then routes the email on to the final destination server, and then the mailbox. For this example, my main email system is called FirstClass (made by Opentext). It can run on Linux, Windows, or Mac. You wouldn’t normally provide a gateway email system for FirstClass, but because of Exim’s powerful feature set, I wanted Exim to intercept the mail, process it with RBLs and greylisting, and then pass it on to FirstClass. A similar example is where system admins may buy a Barracuda box and place it in front of their Exchange server. This works well, but can empty your pockets. 🙂
Normally, I would have 2 servers.
  • The gateway server, running Debian, with Exim installed
  • The real mail server, running Debian with FirstClass installed
But in this case I wanted to run everything on one box. Hmmmm, sounds difficult at first. How the hell do you run 2 mail systems on one server? Well, let’s find out.
First, I have FirstClass installed on my server. But because I’m not going to use it to receive or send SMTP email directly, I need to change the port that it runs on. There is a config setting for this:
Now that my main mail system is running on port 26, I can install and setup Exim on this same box which will run on the default port 25.

There is one more setting that is optional in FirstClass where I can specify where outgoing mail is sent. Either FirstClass can send email out directly, or I can pass it through Exim. I would like to pass it via Exim because then Exim will log all incoming and outgoing mail. So, I’ve set FirstClass to route mail through to Exim.
My domain is estone.ca
My mx record points to mail.estone.ca
What’s weird here is that I’m actually telling my FirstClass system to route its SMTP mail to itself. But remember, my main mail software is running on port 26. Since it’s routing all mail to mail.estone.ca (which is Exim running on port 25), all is okay.

So now that I have my FirstClass system set up and running, it’s time to configure Exim to receive email and pass it on to FirstClass. What allows Exim to do this is called Mail Hubbing.
When you enable Exim to Mail Hub, it simply processes the mail but then passes it on to another mail host. Instead of Exim receiving the email and delivering it to a user’s mailbox[1], it routes it to another system.
[1] Linux would normally store its local mail in /var/mail/username
Below is an example of how you could configure your Exim as a mail hub. (I’m using a split config in this example.)
First, I’m assuming you’ve already configured your Exim to be a true mail server. Check the Exim FAQ for more info.
You can configure Exim on Debian by running:
# dpkg-reconfigure exim4-config
Create a file /etc/exim4/hubbed_hosts and enter the mail host you would like Exim to route the mail to.
Example:
root@estone:/etc/exim4# cat hubbed_hosts
estone.ca:                              199.60.230.17::26
root@estone:/etc/exim4#
Note that I use a double colon to specify the port. The host list is colon-separated, so the colon in front of a port number has to be doubled. If you have a second physical server, you would enter its IP address only.
Now we’re almost done. There are a few more settings needed to make this work.
Another setting that is needed is to allow Exim to send to itself. This is only needed because I’m running the 2 mail systems on one box. To allow Exim to send to itself, add the “self = send” line to the router file.
root@estone:/etc/exim4# cat conf.d/router/150_exim4-config_hubbed_hosts
# router/150_exim4-config_hubbed_hosts
#################################
# route specific domains manually.
#
# see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
# more detailed documentation.
hubbed_hosts:
 debug_print = "R: hubbed_hosts for $domain"
 driver = manualroute
 self = send
 domains = "${if exists{CONFDIR/hubbed_hosts}\
                   {partial-lsearch;CONFDIR/hubbed_hosts}\
              fail}"
 same_domain_copy_routing = yes
 route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
 transport = remote_smtp
root@estone:/etc/exim4#
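With "self = send" in place Exim no longer refuses a route that points at its own host, so a hubbed_hosts entry for this box with the port left out (or set to 25) hands the mail straight back to Exim. The following lint for that mistake is an added example, not part of the original post; it handles IPv4 addresses and hostnames only, and LOCAL_ADDRS plus every sample line except the estone.ca one are constructed.

```python
import re

SMTP_DEFAULT_PORT = 25  # port remote_smtp uses when the route names none
# lsearch line: key, then an optional colon and/or whitespace, then the data
LINE = re.compile(r"^([^\s:]+)\s*:?\s*(.*)$")


def split_exim_list(data):
    """Split a colon-separated Exim list; a doubled colon is a literal colon."""
    marker = "\x00"
    items = data.replace("::", marker).split(":")
    return [i.strip().replace(marker, ":") for i in items if i.strip()]


def parse_hubbed_hosts(text):
    """Return (domain, host, port) for every host on every route line."""
    routes = []
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if not match or raw.strip().startswith("#"):
            continue
        domain, data = match.groups()
        for item in split_exim_list(data):
            host, sep, port = item.rpartition(":")
            if sep:
                routes.append((domain, host, int(port)))
            else:
                routes.append((domain, item, SMTP_DEFAULT_PORT))
    return routes


def find_self_loops(text, local_addrs, exim_port=25):
    """Routes that hand mail back to Exim's own listener, not the backend."""
    return [r for r in parse_hubbed_hosts(text)
            if r[1] in local_addrs and r[2] == exim_port]


# Constructed inputs: only the estone.ca line comes from the page.
LOCAL_ADDRS = {"127.0.0.1", "199.60.230.17"}  # assumed addresses of this box
SAMPLE = """\
estone.ca:                              199.60.230.17::26
example.org:  199.60.230.17
example.net:  192.0.2.10 : 127.0.0.1::25
"""

if __name__ == "__main__":
    for domain, host, port in find_self_loops(SAMPLE, LOCAL_ADDRS):
        print(f"LOOP: {domain} -> {host}:{port} is Exim itself")
```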
And lastly, we need to adhere to RFC 3834 and not produce backscatter. If spam came into your Exim system, it would then hub it over to your main mail server. If the To: address had no real recipient, your main mail server would bounce a message back to the From: address of the spam. Thus, backscatter.
So, we need to configure Exim to check for true recipients before it processes the mail.
This is done by adding recipient callouts to your check_rcpt config under /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.
[snip]
 # We also require all accepted addresses to be verifiable. This check will
 # do local part verification for local domains, but only check the domain
 # for remote domains.
 require
   verify = recipient/callout
[snip]
 # Accept if the address is in a domain for which we are an incoming relay,
 # but again, only if the recipient can be verified.
 accept
   domains = +relay_to_domains
   endpass
   verify = recipient/callout
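To confirm the callouts are doing their job, the gateway's mainlog can be audited for bounces that still leave the box. This is an added example, not part of the original post: it assumes the backend sends its bounces with the null sender <> and relays them through Exim as described above, and all log lines below are constructed in Exim's mainlog layout.

```python
import re

BACKEND_IP = "199.60.230.17"  # the page's FirstClass host behind the gateway

# Exim mainlog: "<date> <time> <msgid> <= <sender> H=... [ip] ..." is an arrival,
# "<date> <time> <msgid> => <rcpt> R=<router> T=<transport> ..." is a delivery.
ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*\[(?P<ip>[\d.]+)\]")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) => (?P<rcpt>\S+) .*\bR=(?P<router>\S+)")
REJECT = re.compile(r" rejected RCPT <(?P<rcpt>[^>]*)>")


def audit(lines):
    """Find backend bounces that left for the internet, and RCPT rejections."""
    bounce_ids, backscatter, rejected = set(), [], []
    for line in lines:
        arrival = ARRIVAL.match(line)
        delivery = DELIVERY.match(line)
        reject = REJECT.search(line)
        if arrival and arrival["sender"] == "<>" and arrival["ip"] == BACKEND_IP:
            bounce_ids.add(arrival["id"])          # null-sender mail from backend
        elif (delivery and delivery["id"] in bounce_ids
                and delivery["router"] != "hubbed_hosts"):
            backscatter.append(delivery["rcpt"])   # bounce delivered off-site
        elif reject:
            rejected.append(reject["rcpt"])        # refused during the SMTP session
    return {"backscatter_to": backscatter, "rejected_rcpt": rejected}


# Constructed log lines: hosts, message ids and the reason text are made up.
SAMPLE_LOG = [
    # Before callouts: spam for an unknown user is accepted and hubbed on...
    "2024-05-01 10:00:01 1s1AAA-0001aa-0A <= forged@victim.example "
    "H=(bad.example) [203.0.113.9] P=esmtp S=1832",
    "2024-05-01 10:00:02 1s1AAA-0001aa-0A => nosuchuser@estone.ca "
    "R=hubbed_hosts T=remote_smtp H=199.60.230.17 [199.60.230.17]",
    # ...the backend bounces it, and the bounce goes to the forged sender.
    "2024-05-01 10:00:05 1s1BBB-0001bb-0B <= <> "
    "H=(mail.estone.ca) [199.60.230.17] P=esmtp S=2950",
    "2024-05-01 10:00:06 1s1BBB-0001bb-0B => forged@victim.example "
    "R=dnslookup T=remote_smtp H=mx.victim.example [198.51.100.7]",
    # After callouts: the same attempt is refused at RCPT time, no bounce.
    "2024-05-01 11:30:00 H=(bad.example) [203.0.113.9] "
    "F=<forged@victim.example> rejected RCPT <nosuchuser@estone.ca>: (reason)",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```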
At this point, you are done.
Configure your Exim to check emails against Blacklists, and throw in some greylisting, or any other filtering/antivirus of your choice.
Cheers!