Gnus development mailing list
From: Richard Riley <rileyrg@googlemail.com>
To: ding@gnus.org
Subject: Re: using Exim 4 w/ multiple smarthosts
Date: Wed, 30 Mar 2011 15:30:05 +0200	[thread overview]
Message-ID: <7fhbak20te.fsf@news.eternal-september.org> (raw)
In-Reply-To: <20110330134043.GA1342@apollo.emma.line.org> (Matthias Andree's message of "Wed, 30 Mar 2011 15:40:43 +0200")

Matthias Andree <ma+gnus@dt.e-technik.uni-dortmund.de> writes:

> On 30.03.2011 14:01, Richard Riley wrote:
>> Matthias Andree <ma+gnus@dt.e-technik.uni-dortmund.de> writes:
>> 
>>> On Wed, Mar 30, 2011 at 08:38:46AM +0200, Richard Riley wrote:
>>>> Not without pain. Of course. Exim4 is up there with the worst when it
>>>> comes to "simple tweaks" and enabling exim4 for multiple smarthosts
>>>> proved impossible (for me) give or take despite some old configs out
>>>> there in google land for exim1-3 but not 4. Why not use exim4s smtp send
>>>> facility? Its a pain if you travel : here I sit on holiday and smtp
>>>> ports for outgoing are blocked by the ISP and/or the hotel router. Gah!
>>>
>>> While I could offer you sample configs from my Cygwin installation, I've
>>> found out the hard way (this time on FreeBSD) that Exim4 has a very
>>> awkward lock-destination-sites behaviour that requires major manual
>>> interventions to purge the retry/site database to get mails unstuck,
>>> thus I decided I'm not going to install any more of that.
>>>
>>> While Postfix is a bit more of an effort to configure (enable
>>> sender-based authentication, enable sender-based relay, enable smtp (not
>>> smtpd)-side tls, enable smtp-side sasl, permit plaintext authentication
>>> on secure tls channels, set up all the maps, I find it's more
>>> transparent and has less magic special casing underneath that confuses
>>> the heck out of myself.
>>>
>> 
>> Much as I dislike Exim4 docs, I have to stick up for it here. Using a
>> single smarthost as I described is pretty straightforward.
>
> The docs are quite detailed, however the hard-wired defaults and to a
> lesser extent the default configuration take you in for a few surprises.
>
>> Clearing frozen mails caused by a destination refusing your mail because
>> your IP is blacklisted or smtp ports are blocked is a google away.
>
> ...or just because the Exim4 host has been down for a while.  BTST, and
> that takes users by surprise, so you need to figure out how to kick and
> purge /var/spool/exim/db/* so that exim actually tries again.  It's not
> sufficient to use exim -qff in such situations. :-(
>
> The delay_after_cutoff=true default that can cause routers to get jammed
> and bounce all mail is quite unobvious...
>
> It's not Exim's TLS/SASL configuration or sender-dependent smarthost
> configuration, but exactly the retry-, wait- and delay_after_cutoff
> stuff.  I haven't had such nasty effects as I've had with Exim's
> remote_smtp in a dozen years with Postfix.  Anyways, here we go, a few
> comments inlined.  Works for me with the default Exim configuration
> around it with Exim 4.70 on Cygwin 1.5 and 1.7 and Exim 4.75 on FreeBSD
> 8.2 (the original intent was to log everything while I had to use
> Outlook 2003 and didn't trust it and make sure that I know where the
> credentials are so that I could exclude them from or encrypt them for
> the networked backup).
>
> Note that Postfix supports per-sender authentication, too, not just
> per-smarthost authentication.  In that case, Postfix figures out by
> itself that it can only reuse TLS connections for mail from the same
> sender. I wouldn't know how to tell Exim4 that.
>
> This snippet, however, probably would not exist had there been a Postfix
> port to Windows or Cygwin in 2007 :-)
>
> ########################################################################
> # Exim 4 sender-dependent smarthosts:
>
> begin routers
>
> smarthost1:
>    driver = manualroute
>    domains = ! +local_domains
>    senders = address1@example.org : address2@example.org
>    transport = remote_smtp_ssl
>    route_data = "mailhost1.example.net::587"
>
> # smarthost2 also for bounces (nothing between = and :)
> smarthost2:
>    driver = manualroute
>    domains = ! +local_domains
>    senders = : domain2.example
>    transport = remote_smtp_ssl
>    route_data = "hermes2.example.org::587"
>
> # smarthost3 uses an autossh tunnel:
> smarthost_freebsd:
>    driver = manualroute
>    domains = ! +local_domains
>    senders = FreeBSD.org
>    transport = remote_smtp
>    route_data = "localhost::1234"
>    self = send
>
> # other stuff (forward, local delivery etc.) goes here.
> # the example configure file is quite sound.
>
> # ...
>
> begin transports
>
> # ...
>
> # note this is the simple way, all remote_smtp_ssl
> # routed mail requires TLS and AUTH and assumes
> # trusted certs in /etc/ssl/certs
> #
> remote_smtp_ssl:
>   driver = smtp
>   hosts_require_tls  = *
>   hosts_require_auth = *
>   tls_verify_certificates = /etc/ssl/certs
>   delay_after_cutoff = false
>
> # ...
>
> begin authenticators
>
> PLAIN:
>   driver                     = plaintext
>   server_set_id              = $auth2
>   server_prompts             = :
>   server_condition           = Authentication is not yet configured
>   server_advertise_condition = ${if def:tls_cipher }
>   client_send = \
> "${extract{auth_plain}{${lookup{$host}lsearch{/usr/local/etc/exim/smtp_auth}{$value}fail}}}"
>
> #############################################################
>
> ... the credentials are in the file /usr/local/etc/exim/smtp_auth
> (buried deep inside client_send) in the form
>
> mailhost1.example.net:                   auth_plain=^USERNAME^PASSWORD
>
> ########
>
> HTH
> Matthias

Interesting post, but I think this doesn't work with multiple gmail smtp
servers since they are all keyed by the same smtp server name. It needs
to be keyed by the from address. Hairy stuff all in all. I am surprised
it's not a default config example to be honest. I do have a set up in
emacs for dynamically changing the smtp server and credentials based on
from/posting style in emacs but of course this isn't asynchronous and
causes an "intolerable" (aren't we spoiled these days? ;)) delay.



-- 
☘ http://www.shamrockirishbar.com, http://splash-of-open-sauce.blogspot.com/ http://www.richardriley.net
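The following is an added worked example, not code from the thread and not part of Exim; it models in Python what the quoted Exim routers and the host-keyed credential lookup do, so the two points of the exchange can be checked concretely: which router a given envelope sender ends up in (full address, bare domain, or the empty bounce sender after a leading ':'), and why a lookup keyed only on $host hands the same credentials to every router that shares a smarthost, which is the objection raised about several gmail accounts behind one server name. The sender-list matching is a simplified approximation of Exim's address-list semantics (only the three pattern forms used in the quoted config), the credential table is constructed to match the format described in the thread, the second credential line and the gmail routers are invented for the demonstration, and all function names are this example's own. The '^' to NUL conversion reflects the documented behaviour of Exim's plaintext authenticator; it is shown so the exact bytes that leave the host in AUTH PLAIN are visible.

```python
"""Model of sender-dependent smarthost selection (added example, not Exim code)."""
import base64
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    senders: str      # the Exim 'senders' option, verbatim
    route_data: str   # "host::port", as in the quoted config


# The three routers quoted in the thread, transcribed as data.
ROUTERS = [
    Router("smarthost1", "address1@example.org : address2@example.org",
           "mailhost1.example.net::587"),
    Router("smarthost2", ": domain2.example", "hermes2.example.org::587"),
    Router("smarthost_freebsd", "FreeBSD.org", "localhost::1234"),
]

# Constructed lsearch-style table in the format described in the thread
# (first line is the thread's own sample; the second is invented).
# Values here contain no whitespace, which the simple field split assumes.
SMTP_AUTH_FILE = """\
mailhost1.example.net:                   auth_plain=^USERNAME^PASSWORD
hermes2.example.org:   auth_plain=^user2@domain2.example^secret2
"""


def parse_senders(option):
    """Split an Exim colon-separated list; a leading ':' yields an empty
    first item, which is how the quoted config catches bounces."""
    return [item.strip() for item in option.split(":")]


def sender_matches(pattern, sender):
    """Approximation of the address-list forms used in the quoted config:
    '' matches only the empty (bounce) sender, 'user@domain' matches exactly,
    a bare 'domain' matches any local part at that domain."""
    if pattern == "":
        return sender == ""
    if "@" in pattern:
        return pattern.lower() == sender.lower()
    return sender.lower().endswith("@" + pattern.lower())


def select_router(sender, routers=ROUTERS):
    """Routers are tried in order; the first one that accepts wins."""
    for r in routers:
        if any(sender_matches(p, sender) for p in parse_senders(r.senders)):
            return r
    return None


def parse_route_data(route_data):
    host, port = route_data.rsplit("::", 1)
    return host, int(port)


def parse_smtp_auth(text):
    """Parse 'key: name=value ...' lines into {key: {name: value}}."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        for field in rest.split():
            name, _, value = field.partition("=")
            table.setdefault(key.strip(), {})[name] = value
    return table


def auth_plain_initial_response(auth_plain):
    """Exim's plaintext authenticator converts '^' to NUL, so '^USER^PASS'
    becomes the SASL PLAIN message b'\\0USER\\0PASS', sent base64-encoded."""
    raw = auth_plain.replace("^", "\0").encode()
    return base64.b64encode(raw).decode()


def route_and_credentials(sender, routers=ROUTERS, auth_text=SMTP_AUTH_FILE):
    """Resolve sender -> router -> host/port -> credentials keyed by host."""
    r = select_router(sender, routers)
    if r is None:
        return None
    host, port = parse_route_data(r.route_data)
    creds = parse_smtp_auth(auth_text).get(host)
    return {"router": r.name, "host": host, "port": port,
            "auth_plain": creds["auth_plain"] if creds else None}


def shared_host_routers(routers=ROUTERS):
    """Hosts reached by more than one router. With a lookup keyed on $host
    alone, all of them receive the same credentials whatever their senders."""
    by_host = {}
    for r in routers:
        host, _ = parse_route_data(r.route_data)
        by_host.setdefault(host, []).append(r.name)
    return {h: names for h, names in by_host.items() if len(names) > 1}


if __name__ == "__main__":
    for s in ["address2@example.org", "", "bob@domain2.example", "x@other.example"]:
        print(repr(s), "->", route_and_credentials(s))
    # Invented routers illustrating the gmail objection from the reply.
    gmail = [Router("gmail_a", "a@gmail.com", "smtp.gmail.com::587"),
             Router("gmail_b", "b@gmail.com", "smtp.gmail.com::587")]
    print("shared hosts:", shared_host_routers(ROUTERS + gmail))
```

Running it shows the bounce sender landing in smarthost2 and the FreeBSD.org match being case-insensitive, and the final line reports smtp.gmail.com as shared by both invented routers: the credential key would have to include the sender (or a per-router value rather than $host) for that case to work, which is the reply's point.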





Thread overview: 12+ messages
2011-03-21  6:19 making sendmail call to msmtp asynchronous? Eric Abrahamsen
2011-03-21  6:55 ` Erik Colson
2011-03-21  7:24   ` Eric Abrahamsen
2011-03-29 18:26 ` Lars Magne Ingebrigtsen
2011-03-30  0:51   ` Eric Abrahamsen
2011-03-30  6:38     ` Richard Riley
2011-03-30  9:36       ` Matthias Andree
2011-03-30 12:01         ` Richard Riley
2011-03-30 13:40           ` using Exim 4 w/ multiple smarthosts (was: making sendmail call to msmtp asynchronous?) Matthias Andree
2011-03-30 13:30             ` Richard Riley [this message]
2011-03-30 19:22         ` making sendmail call to msmtp asynchronous? Leonidas Tsampros
2011-03-31 19:34           ` Sivaram Neelakantan
