Gnus development mailing list
From: Matthias Andree <ma+gnus@dt.e-technik.uni-dortmund.de>
To: Richard Riley <rileyrg@googlemail.com>, ding@gnus.org
Subject: using Exim 4 w/ multiple smarthosts (was: making sendmail call to msmtp asynchronous?)
Date: Wed, 30 Mar 2011 15:40:43 +0200
Message-ID: <20110330134043.GA1342@apollo.emma.line.org>
In-Reply-To: <507hbgq0kg.fsf@news.eternal-september.org>

On 30.03.2011 14:01, Richard Riley wrote:
> Matthias Andree <ma+gnus@dt.e-technik.uni-dortmund.de> writes:
> 
>> On Wed, Mar 30, 2011 at 08:38:46AM +0200, Richard Riley wrote:
>>> Not without pain. Of course. Exim4 is up there with the worst when it
>>> comes to "simple tweaks" and enabling exim4 for multiple smarthosts
>>> proved impossible (for me) give or take despite some old configs out
>>> there in google land for exim1-3 but not 4. Why not use exim4's smtp send
>>> facility? It's a pain if you travel: here I sit on holiday and smtp
>>> ports for outgoing are blocked by the ISP and/or the hotel router. Gah!
>>
>> While I could offer you sample configs from my Cygwin installation, I've
>> found out the hard way (this time on FreeBSD) that Exim4 has a very
>> awkward lock-destination-sites behaviour that requires major manual
>> interventions to purge the retry/site database to get mails unstuck,
>> thus I decided I'm not going to install any more of that.
>>
>> While Postfix is a bit more of an effort to configure (enable
>> sender-based authentication, enable sender-based relay, enable smtp (not
>> smtpd)-side tls, enable smtp-side sasl, permit plaintext authentication
>> on secure tls channels, set up all the maps), I find it's more
>> transparent and has less magic special casing underneath that confuses
>> the heck out of myself.
>>
> 
> Much as I dislike Exim4 docs, I have to stick up for it here. Using a
> single smarthost as I described is pretty straightforward.

The docs are quite detailed, however the hard-wired defaults and, to a
lesser extent, the default configuration have a few surprises in store.

> Clearing frozen mails caused by a destination refusing your mail because
> your IP is blacklisted or smtp ports are blocked is a google away.

...or just because the Exim4 host has been down for a while.  BTST, and
that takes users by surprise, so you need to figure out how to kick and
purge /var/spool/exim/db/* so that exim actually tries again.  It's not
sufficient to use exim -qff in such situations. :-(

The delay_after_cutoff=true default that can cause routers to get jammed
and bounce all mail is quite non-obvious...


It's not Exim's TLS/SASL configuration or sender-dependent smarthost
configuration, but exactly the retry-, wait- and delay_after_cutoff
stuff.  I haven't had such nasty effects as I've had with Exim's
remote_smtp in a dozen years with Postfix.  Anyway, here we go, a few
comments inlined.  Works for me with the default Exim configuration
around it with Exim 4.70 on Cygwin 1.5 and 1.7 and Exim 4.75 on FreeBSD
8.2 (the original intent was to log everything while I had to use
Outlook 2003 and didn't trust it and make sure that I know where the
credentials are so that I could exclude them from or encrypt them for
the networked backup).

Note that Postfix supports per-sender authentication, too, not just
per-smarthost authentication.  In that case, Postfix figures out by
itself that it can only reuse TLS connections for mail from the same
sender. I wouldn't know how to tell Exim4 that.

This snippet, however, probably would not exist had there been a Postfix
port to Windows or Cygwin in 2007 :-)

########################################################################
# Exim 4 sender-dependent smarthosts:

begin routers

smarthost1:
   driver = manualroute
   domains = ! +local_domains
   senders = address1@example.org : address2@example.org
   transport = remote_smtp_ssl
   route_data = "mailhost1.example.net::587"

# smarthost2 also for bounces (nothing between = and :)
smarthost2:
   driver = manualroute
   domains = ! +local_domains
   senders = : domain2.example
   transport = remote_smtp_ssl
   route_data = "hermes2.example.org::587"

# smarthost3 uses an autossh tunnel:
smarthost_freebsd:
   driver = manualroute
   domains = ! +local_domains
   senders = FreeBSD.org
   transport = remote_smtp
   route_data = "localhost::1234"
   self = send

# other stuff (forward, local delivery etc.) goes here.
# the example configure file is quite sound.

# ...

begin transports

# ...

# note this is the simple way, all remote_smtp_ssl
# routed mail requires TLS and AUTH and assumes
# trusted certs in /etc/ssl/certs
#
remote_smtp_ssl:
  driver = smtp
  hosts_require_tls  = *
  hosts_require_auth = *
  tls_verify_certificates = /etc/ssl/certs
  delay_after_cutoff = false

# ...

begin authenticators

PLAIN:
  driver                     = plaintext
  server_set_id              = $auth2
  server_prompts             = :
  server_condition           = Authentication is not yet configured
  server_advertise_condition = ${if def:tls_cipher }
  # the lsearch value is "auth_plain=^USER^PASSWORD"; in client_send each ^
  # becomes a NUL, giving the PLAIN authzid/authcid/password triple.  An
  # unknown $host hits "fail", so the authenticator fails instead of
  # sending an empty credential.
  client_send = "${extract{auth_plain}{${lookup{$host}lsearch{/usr/local/etc/exim/smtp_auth}{$value}fail}}}"

#############################################################

... the credentials are in the file /usr/local/etc/exim/smtp_auth
(buried deep inside client_send) in the form

mailhost1.example.net:                   auth_plain=^USERNAME^PASSWORD

########


HTH
Matthias
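The following is an added example, not Exim code and not part of the mail above. It models, in Python, just enough of the configuration Matthias posted to make its security-relevant behaviour checkable offline: which router (and hence which smarthost) a given envelope sender is routed to, including the empty-sender bounce case covered by `senders = : domain2.example`; how the `^`-separated `auth_plain` record from the lsearch file becomes the SASL PLAIN initial response on the wire (NUL-separated, base64); and that a `remote_smtp_ssl` delivery is deferred rather than attempted in the clear when TLS is not established. The local-domain set and the credential file contents are constructed stand-ins, and the address-list matching is a deliberately reduced model of Exim's rules (exact address, bare domain, empty item), not a reimplementation of Exim.

```python
"""Model of the sender-dependent smarthost setup posted above (added example).

Re-implements, in plain Python, the pieces worth checking:
  * router selection by envelope sender (first match wins, as in Exim),
  * the lsearch credential file -> ${extract{auth_plain}...} -> PLAIN blob,
  * TLS/AUTH gating of the remote_smtp_ssl transport.
"""
import base64

# Assumption: stands in for +local_domains in the real configuration.
LOCAL_DOMAINS = {"localhost", "apollo.example"}

# Router table in Exim order.  The `senders` items mirror the mail:
#   ""                  -> matches the empty envelope sender (bounces)
#   "domain2.example"   -> no '@', matches any local part at that domain
#   "address1@example.org" -> exact address
ROUTERS = [
    # (router, senders, transport, host, port)
    ("smarthost1", ["address1@example.org", "address2@example.org"],
     "remote_smtp_ssl", "mailhost1.example.net", 587),
    ("smarthost2", ["", "domain2.example"],
     "remote_smtp_ssl", "hermes2.example.org", 587),
    ("smarthost_freebsd", ["FreeBSD.org"],
     "remote_smtp", "localhost", 1234),   # autossh tunnel; self = send in Exim
]

TRANSPORTS = {
    "remote_smtp_ssl": {"hosts_require_tls": True, "hosts_require_auth": True},
    "remote_smtp":     {"hosts_require_tls": False, "hosts_require_auth": False},
}

# Constructed stand-in for /usr/local/etc/exim/smtp_auth (lsearch "key: value").
SMTP_AUTH_FILE = """\
# constructed sample credentials; the real file must be mode 0600, owned by
# the exim user, and excluded from or encrypted in backups
mailhost1.example.net:   auth_plain=^user1@example.org^s3cret-one
hermes2.example.org:     auth_plain=^postmaster@domain2.example^s3cret-two
"""


def sender_matches(item, sender):
    """Reduced model of an Exim address-list item against an envelope sender."""
    if item == "":
        return sender == ""
    if "@" in item:
        return sender.lower() == item.lower()
    # bare domain item: compare against the sender's domain part
    return sender != "" and sender.rsplit("@", 1)[-1].lower() == item.lower()


def route(sender, recipient):
    """Return (router, transport, host, port), or None when no smarthost
    router accepts the message (local domain, or unknown sender)."""
    if recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return None  # domains = ! +local_domains: left to the local routers
    for name, senders, transport, host, port in ROUTERS:
        if any(sender_matches(item, sender) for item in senders):
            return name, transport, host, port
    return None


def lsearch(text, key):
    """Exim lsearch: first "key: value" line whose key matches, else None."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, _, v = line.partition(":")
        if k.strip().lower() == key.lower():
            return v.strip()
    return None


def extract(field, data):
    """Exim ${extract{field}{data}} for whitespace-separated key=value items."""
    for item in data.split():
        k, sep, v = item.partition("=")
        if sep and k == field:
            return v
    return None


def plain_initial_response(host, auth_file=SMTP_AUTH_FILE):
    """What client_send produces for this host: '^' -> NUL, then base64."""
    record = lsearch(auth_file, host)
    if record is None:
        # the lookup's "fail" branch: the authenticator fails, nothing is sent
        raise LookupError(f"no credentials for {host}")
    triple = extract("auth_plain", record)
    return base64.b64encode(triple.replace("^", "\0").encode()).decode()


def decode_plain(blob):
    """Server-side view of the blob: (authzid, authcid, password)."""
    return tuple(base64.b64decode(blob).decode().split("\0"))


def deliver(sender, recipient, tls_established):
    """Decide what the SMTP session would do before MAIL FROM."""
    routed = route(sender, recipient)
    if routed is None:
        return {"action": "local_or_no_route"}
    name, transport, host, port = routed
    t = TRANSPORTS[transport]
    if t["hosts_require_tls"] and not tls_established:
        return {"action": "defer", "host": host, "reason": "TLS required"}
    result = {"action": "send", "router": name, "host": host, "port": port}
    if t["hosts_require_auth"]:
        # PLAIN is only offered/sent once TLS is up (cf. ${if def:tls_cipher})
        result["auth"] = plain_initial_response(host)
    return result
```

On a real Exim host the equivalent checks are `exim -bt -f sender@domain recipient@remote.test` to see which router and host a sender is routed to, and `exim -be '${lookup{mailhost1.example.net}lsearch{/usr/local/etc/exim/smtp_auth}{$value}fail}'` to confirm the credential record resolves before a delivery attempt depends on it.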


