Configuring Exim Mail Forwarding on CentOS: Virtual User Setup and Security Hardening


Exim routes mail through a chain of routers; each router either hands an address to a transport or rewrites it into one or more new addresses that are then routed again. The counterpart of Sendmail's virtusertable is a redirect router that looks the full address up in a file: an address found there is replaced by its target, and that target goes through the normal routers (a Gmail target ends up in the dnslookup/remote_smtp path), so nothing has to be re-injected through sendmail. On CentOS the EPEL package keeps the whole configuration in /etc/exim/exim.conf.

Here's how to set up forwarding for me@example.com to me@gmail.com:

# In /etc/exim/exim.conf
domainlist local_domains = @ : example.com

begin routers
# Virtual-user forwarding for local domains. The full address is looked up in
# /etc/exim/virtual-users and replaced by whatever it maps to. nwildlsearch is
# used rather than lsearch so that a "*@example.com" key (meaning: any address
# ending in @example.com) works as a catch-all; the first matching line wins.
# If the lookup finds nothing the expansion is forced to fail and the router
# declines, so addresses that are not in the file fall through to later routers
# (a real-user router, for example) or are reported as unrouteable if none accepts them.
virtual_user:
  driver = redirect
  domains = +local_domains
  data = ${lookup{$local_part@$domain}nwildlsearch{/etc/exim/virtual-users}}

Create /etc/exim/virtual-users with entries like the following. The key ends at the first colon or white space, lines starting with # are ignored, and the first matching line wins, so the catch-all must stay last. A "*@example.com" key is only a wildcard for a wildlsearch or nwildlsearch lookup; a plain lsearch compares it literally and it would never match.

me@example.com: me@gmail.com
support@example.com: team@gmail.com
# catch-all: keep it as the last entry for the domain
*@example.com: catchall@gmail.com

To control relaying: a RCPT ACL does not limit where Exim listens; it decides which recipients are accepted from which clients. The policy that fits a forwarding host is: clients on localhost may send anywhere, everyone else may only send to our own domains (inbound mail for example.com has to be accepted or there is nothing to forward), and everything else is refused as relaying. The ACL only takes effect if the main section names it in acl_smtp_rcpt. If the machine should accept submissions from local processes only and no inbound mail at all, bind the listener to loopback with local_interfaces instead. Check the verdict before deploying with exim -bh 203.0.113.9, which runs a simulated SMTP session as if from that IP address and shows the ACL result for each RCPT.

# In exim.conf, main section (before the first "begin")
acl_smtp_rcpt = acl_check_rcpt
# Only if no inbound mail is expected at all: listen on loopback only
# local_interfaces = 127.0.0.1 : ::1

begin acl
acl_check_rcpt:
  # local processes may relay anywhere (the list separator is changed
  # to ";" because the IPv6 address contains colons)
  accept  hosts = <; 127.0.0.1 ; ::1
  # everyone else may only send to our domains, and only to addresses that route
  accept  domains = +local_domains
          verify = recipient
  # anything else is a relay attempt
  deny    message = Relay not permitted

Essential security measures:

# VRFY and EXPN: there are no disable_vrfy / disable_expn main options. Exim
# rejects both commands unless acl_smtp_vrfy / acl_smtp_expn name an ACL, so
# the hardening is to leave those two options unset. Confirm with
# "exim -bP acl_smtp_vrfy" and "exim -bP acl_smtp_expn", which should print empty values.

# Enable TLS (tls_advertise_hosts = * is the default in current releases, but set
# it explicitly in case the stock config narrows it). The private key must not be
# world-readable; verify the handshake with "openssl s_client -starttls smtp -connect localhost:25".
tls_advertise_hosts = *
tls_certificate = /etc/ssl/certs/exim.pem
tls_privatekey = /etc/ssl/private/exim.key

# Connection concurrency limits. These cap simultaneous SMTP connections, not
# message rate; per-client rate limiting is done with the ratelimit ACL condition.
smtp_accept_max_per_host = 5
smtp_accept_max = 50

After making changes:

exim -bV             # Print version and build options; also parses the configuration and reports the first syntax error
exim -bt me@example.com  # Test routing: shows the router, transport and rewritten target for the address
systemctl restart exim

Check Exim's logs at /var/log/exim/mainlog (the file name depends on log_file_path; confirm it with exim -bP log_file_path). For real-time monitoring:

tail -f /var/log/exim/mainlog | grep 'me@example.com'
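Grepping the live log for one address shows individual deliveries but not the pattern. The following shell/awk report is an added example (not part of the page or of Exim) that summarises a main log: per original local address it counts => (delivered), == (deferred) and ** (failed) outcomes, and it tallies "rejected RCPT ... Relay not permitted" lines by client IP, which is what a relay probe against the RCPT ACL looks like in the log. The log lines embedded in the script are constructed to follow Exim's main-log format; the message IDs, hosts and addresses in them are made up.

```shell
#!/bin/sh
# exim_log_report.sh: summarise forwarding outcomes and relay probes from an
# Exim main log. Added example, not part of the page or of Exim itself.
#
# Main-log lines handled:
#   <id> => final <original> R=router T=transport ...   delivered
#   <id> == final <original> R=... defer (...): ...       deferred, will retry
#   <id> ** final [<original>]: reason                   failed (bounced)
#   H=(name) [ip] F=<sender> rejected RCPT <to>: Relay not permitted
# The "<original>" field is present when the address was redirected, so the
# report is keyed on the local address the sender used, not the Gmail target.

exim_log_report() {
    awk '
        $4 == "=>" || $4 == "==" || $4 == "**" {
            final = $5
            sub(/:$/, "", final)            # "** addr:" carries a trailing colon
            orig = final
            if ($6 ~ /^<.*>:?$/) {           # redirected: original follows in <>
                orig = $6
                gsub(/[<>:]/, "", orig)
            }
            if ($4 == "=>")      delivered[orig]++
            else if ($4 == "==") deferred[orig]++
            else                 failed[orig]++
            seen[orig] = 1
            next
        }
        / rejected RCPT </ && /Relay not permitted/ {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\[.*\]$/) { ip = substr($i, 2, length($i) - 2); break }
            relay[ip]++
            next
        }
        END {
            for (a in seen)
                printf "forward %s delivered=%d deferred=%d failed=%d\n", a, delivered[a], deferred[a], failed[a]
            for (ip in relay)
                printf "relay-probe %s attempts=%d\n", ip, relay[ip]
        }
    ' "$1"
}

# Constructed sample log (made-up message IDs, hosts and addresses) in Exim's
# main-log format, written to a temp file whose path is printed.
sample_log_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-03-01 09:00:01 1rHxAa-0001aB-3C <= alice@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2048
2024-03-01 09:00:02 1rHxAa-0001aB-3C => me@gmail.com <me@example.com> R=forward_to_gmail T=remote_smtp H=gmail-smtp-in.l.google.com [142.250.0.26]
2024-03-01 09:00:02 1rHxAa-0001aB-3C Completed
2024-03-01 09:05:10 1rHxBb-0001aC-4D <= bob@example.org H=mail.example.org [198.51.100.7] P=esmtp S=4096
2024-03-01 09:05:11 1rHxBb-0001aC-4D == team@gmail.com <support@example.com> R=forward_to_gmail T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<team@gmail.com>: 451 4.7.0 Try again later
2024-03-01 09:10:00 1rHxCc-0001aD-5E ** nobody@example.com: Unrouteable address
2024-03-01 09:12:30 H=(scanner) [203.0.113.9] F=<spam@example.net> rejected RCPT <victim@other.example>: Relay not permitted
2024-03-01 09:12:31 H=(scanner) [203.0.113.9] F=<spam@example.net> rejected RCPT <victim2@other.example>: Relay not permitted
EOF
    echo "$f"
}

# Stand-alone run: report on the constructed sample (pass a real main log path instead).
f=$(sample_log_file)
exim_log_report "$f"
rm -f "$f"
```

Run it against the real file with `exim_log_report /var/log/exim/mainlog`; a recurring relay-probe line for one IP is a sign the host is being tested as an open relay and a candidate for a firewall rule, while a growing deferred count for one address points at the forwarding target rejecting or throttling the relay.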

A variant that keeps the forwarding map in its own file, /etc/exim/forwarders, and lets a redirect router do the rewriting:

# In /etc/exim/exim.conf
domainlist local_domains = @ : example.com

begin routers
forward_to_gmail:
  driver = redirect
  domains = +local_domains
  data = ${lookup{$local_part@$domain}lsearch{/etc/exim/forwarders}}
  # allow_fail permits ":fail: text" entries in the map, which bounce with that text
  allow_fail
  # Do not add no_verify here: it would skip this router during address
  # verification, so a RCPT ACL using "verify = recipient" would reject every
  # forwarded address as unrouteable.

Create /etc/exim/forwarders with contents like:

# Format: localuser@domain  targetemail@gmail.com
me@example.com      me@gmail.com
webmaster@example.com  admin@gmail.com
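Both /etc/exim/virtual-users and /etc/exim/forwarders use the same lsearch file format, and Exim gives no warning about entries that can never match. The following shell script is an added example (not from the page or from the Exim project) that lints such a map before it is installed, applying lsearch's own rules: the key ends at the first colon or white space, lines starting with # are ignored, and the first matching line wins, so a duplicate key or anything after a "*@domain" catch-all is dead. The local-domain list passed as the second argument is an assumption of the example (it is not read from exim.conf), and the sample map it runs on is constructed.

```shell
#!/bin/sh
# lint_forwarders.sh: sanity-check an Exim lsearch/nwildlsearch forwarding map
# before installing it. Added example, not part of the page or of Exim itself.
#
# Rules applied (these are lsearch's own): the key runs to the first colon or
# white space, white space and an optional colon are skipped before the data,
# lines starting with # are comments, and the FIRST matching line wins.
# Reported problems:
#   - a line with no key or no target
#   - a duplicate key (the second copy can never match)
#   - a key whose domain is not in the local-domain list given as argument 2
#     (that list is an assumption of this example, not read from exim.conf)
#   - an entry that follows a "*@domain" catch-all for the same domain
#     (with nwildlsearch the catch-all matches first, so the entry is dead)
# Usage: lint_forwarders FILE "example.com other.example"
# One problem per output line; exit status 1 if any were found, 0 if clean.

lint_forwarders() {
    awk -v domains="$2" '
        BEGIN {
            n = split(domains, d, " ")
            for (i = 1; i <= n; i++) localdom[tolower(d[i])] = 1
            problems = 0
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank lines and comments
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line
            sub(/[: \t].*$/, "", key)              # key ends at colon or space
            target = substr(line, length(key) + 1)
            sub(/^[ \t]*:?[ \t]*/, "", target)     # skip separator before data
            if (key == "" || target == "") {
                printf "line %d: missing key or target: %s\n", NR, $0
                problems++; next
            }
            lkey = tolower(key)
            if (lkey in seen) {
                printf "line %d: duplicate key %s (line %d wins)\n", NR, key, seen[lkey]
                problems++
            } else {
                seen[lkey] = NR
            }
            at = index(key, "@")
            if (at == 0) {
                printf "line %d: key %s has no @domain\n", NR, key
                problems++; next
            }
            dom = tolower(substr(key, at + 1))
            if (!(dom in localdom)) {
                printf "line %d: %s is not a local domain\n", NR, dom
                problems++
            }
            if (dom in catchall) {
                printf "line %d: %s is shadowed by the *@%s catch-all on line %d\n", NR, key, dom, catchall[dom]
                problems++
            }
            if (substr(key, 1, 2) == "*@") catchall[dom] = NR
        }
        END { exit (problems > 0) }
    ' "$1"
}

# Stand-alone demo on a constructed map (use /etc/exim/forwarders for real).
demo=$(mktemp)
cat > "$demo" <<'EOF'
me@example.com: me@gmail.com
support@example.com   team@gmail.com
*@example.com: catchall@gmail.com
webmaster@example.com  admin@gmail.com
EOF
if lint_forwarders "$demo" "example.com"; then echo "map is clean"; else echo "fix the map before installing it"; fi
rm -f "$demo"
```

The demo map reports its last line as shadowed by the catch-all above it, which is exactly the mistake the virtual-users listing invites: move the catch-all to the end, re-run, and only then copy the file into place and restart Exim.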

To allow relaying from localhost only, define the RCPT ACL and wire it in with acl_smtp_rcpt in the main section. A hostlist that no ACL references has no effect on its own, so the anti-relay hostlist and the ACL belong together:

# In exim.conf, main section
# Hosts allowed to relay anywhere. The separator is changed to ";" because
# the IPv6 loopback address contains colons.
hostlist relay_from_hosts = <; 127.0.0.1 ; ::1
acl_smtp_rcpt = acl_check_rcpt

# VRFY and EXPN: Exim refuses both commands unless acl_smtp_vrfy / acl_smtp_expn
# name an ACL, so leaving them unset is already the hardened state. If the
# stock configuration sets them, point them at ACLs that deny:
acl_smtp_vrfy = acl_check_vrfy
acl_smtp_expn = acl_check_expn

begin acl

acl_check_rcpt:
  # local processes may send to any recipient
  accept  hosts = +relay_from_hosts
  # everybody else only to our own domains, and only to addresses that route
  accept  domains = +local_domains
          verify = recipient
  # everything else is a relay attempt
  deny    message = Relay not permitted

acl_check_vrfy:
  deny    message = Command not available

acl_check_expn:
  deny    message = Command not available

After making changes, test your configuration:

# Check configuration syntax (also prints version and build options)
exim -bV

# Test address routing: the output names the router, transport and rewritten target
exim -bt me@example.com

# Send a test email (swaks is packaged in EPEL); expect "250 OK id=..." after
# DATA and then a "=>" line for the mapped address in the main log
swaks --to me@example.com --from test@test.com --server localhost

Here's a complete working configuration snippet. Routers are tried in order and the first one that accepts an address wins, so forwarding is placed before local delivery: a name listed in both files is forwarded rather than delivered to a local mailbox.

begin routers
forwarding:
  driver = redirect
  domains = example.com
  data = ${lookup{$local_part@$domain}lsearch{/etc/exim/forwarders}}
  allow_fail

localuser:
  driver = accept
  domains = example.com
  # only names listed in /etc/exim/local_users, and only if they are real accounts;
  # check_local_user also makes the delivery run as that user, which appendfile needs
  local_parts = lsearch;/etc/exim/local_users
  check_local_user
  transport = local_delivery

begin transports
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  # mailbox created group mail, mode 0660, as in the stock configuration
  group = mail
  mode = 0660

Remember to restart Exim after configuration changes:

systemctl restart exim