Setting up a Mail Server on a Raspberry Pi

The long story: Several years ago, it was hard for people on the ‘go’ to send email because different ISPs would block SMTP traffic on port 25.  Not all hosting providers (especially shared hosting providers) would provide SMTP relay/forwarding for different domains and when they did, the mail was not always delivered with the same success rate as a big ISP.

So to circumvent the problem, I used CCProxy to listen on port 587 and forwarded the mail through my local ISP SMTP server no matter where I was or what device I was on.  CCProxy is a great solution; however, since I no longer needed the box it was running on, I wanted a smaller footprint for the host.

Challenge one: CCProxy works best under Windows – I was able to get it working in Wine but not as reliably.

Challenge two: CCProxy uses a different format for authentication than most mail programs for AUTH LOGIN.  The username is “<username>#<TheMailServerName>”.  They parse the username, sending the real username to the Mail Server.  You can also set up users within CCProxy, if that is your need.

Solution: Until I can get everyone switched over to regular credentials or different hosts, modify Exim4’s AUTH LOGIN functions to authenticate existing users using the CCProxy authentication schema.

My notes:

I set this mail server up on a Raspberry Pi running Raspbian, but there really should not be too many differences in any Debian based Linux distro.

  1. Install from the repos – apt-get install exim4
  2. Configure as a smarthost with no local mail delivery and select ‘one’ config file instead of ‘split’ configuration.  If you are not lazy like myself and really want it neat and clean, choose split configuration. Type “sudo dpkg-reconfigure exim4-config” to do the initial configuration.  You can repeat this step as many times as you would like.
  3. This step is more of an overview than a step but I don’t want to anger WordPress by adding a paragraph in a <li>.  When Exim4 is configured it creates the /etc/exim4 directory with a file called “update-exim4.conf.conf” and “exim4.conf.template”.  The latter file is the non-split version and is used instead of the config files in the subdirectories off exim4 when present.  Whenever you make changes to these files you MUST run ‘sudo update-exim4.conf’ to generate the real configuration file that lives at “/var/lib/exim4/config.autogenerated” and restart exim4 (sudo /etc/init.d/exim4 restart).  I was tempted to just jack with the last file, but honestly nothing good ever comes from that.
  4. Time to create your userfile – several ways you can do this using htpasswd, perl, ‘sudo /usr/share/doc/exim4/examples/exim-adduser’ or some web tool to generate hashes (probably not the way to go).  I created mine in the /etc/exim4 directory and named it “tword”.  You can really name it anything you want but most examples/code have it as passwd.  For my use, I created everyone’s username as ‘username#mailserver’ because the mailserver will always be the same and that is exactly what the client is sending.  I do not parse the username from the SMTP server as CCProxy does.  Then we have to make sure that Exim4 can access the file but others cannot.  In my case I ran “chown root:Debian-exim /etc/exim4/tword” and “sudo chmod 660 /etc/exim4/tword”.  Note – htpasswd users might need to install apache2-utils for htpasswd to work.
  5. Now it is time to start editing the template file.  By default, Exim4 is only going to advertise the LOGIN method over TLS connections.  This security is really a good thing and I encourage everyone to set up the certs needed for TLS so you are not transmitting passwords in the clear.  But – how to disable that: add/change/uncomment the line so it looks like this “AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = true”.  I shoved it right above the commented out plain text login.  After you add that, uncomment the “login_server:” block and make sure to change the ‘lsearch{CONFDIR/passwd}’ to look for whatever password file you created (in my case lsearch{CONFDIR/tword} ).
  6. Before we test to see if the authentication is working, let’s change the default port of Exim4 by typing  “sudo nano /etc/default/exim4”.  This file is nicely laid out and tells you the following:
    # Options for the SMTP listener daemon. By default, it is listening on
    # port 25 only. To listen on more ports, it is recommended to use
    # -oX 25:587:10025 -oP /var/run/exim4/

    So you modify the line below the commented section to “SMTPLISTENEROPTIONS='-oX 25:587 -oP /var/run/exim4/'” to add port 587 (you can really make it any port that is not in use, but you do not gain anything by doing so <insert security versus obscurity argument />).  Now restart Exim4.

  7. Time to test – I like to test with telnet so I can make sure that the proper ports are working, but you have to install it on most OSes now, including Windows and Raspbian (sudo apt-get install telnet), then telnet mailserver 587.  You wait for the SMTP banner coming from exim, then you can type ‘EHLO’, press enter and you should see a list of all available options and authentication methods.  If you don’t see ‘AUTH LOGIN’ something went wrong.  Full instructions on how to test through telnet.  Couple of other tools: “exim -bt [email protected]” will show you how the message would be routed and “exim -v [email protected]” then enter, then “From: [email protected]”, enter, “Subject: Wow Mail”, then enter again, then type your message.  When done, hit ctrl-d and the message will send and show you any errors along the way.
  8. Some final notes: You can use almost anything in the usernames as long as you escape them (some characters need to be enclosed in quotes – like leading #).  Running your own mail relay may make your ISP mad if you don’t have a business account.  The hostname gets left in the header of the email.  I still refrain from making the hostname ‘emailserver’.  My favorite is to name them following Windows conventions like ‘Thomas-PC’ or ‘ASUS-wefWrw3’.
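Steps 5 and 7 enable AUTH LOGIN without TLS and test it over telnet. The example below is added here and is not part of the original notes: it parses a constructed plaintext session to show what the server advertises and what a capture of the login reveals. The session lines, host name, account and password are all made up, and the function names are this example's own.

```python
import base64

def b64(text):
    return base64.b64encode(text.encode()).decode()  # one AUTH LOGIN token

# Constructed plaintext session on port 587 (host, account, password made up).
SESSION = [
    "S: 220 Thomas-PC ESMTP Exim",
    "C: EHLO laptop",
    "S: 250-Thomas-PC Hello laptop",
    "S: 250-AUTH LOGIN",
    "S: 250 HELP",
    "C: AUTH LOGIN",
    "S: 334 " + b64("Username:"),
    "C: " + b64("alice#mailserver"),
    "S: 334 " + b64("Password:"),
    "C: " + b64("constructed-pw"),
]

def ehlo_capabilities(session):
    """Return (EHLO keywords, AUTH mechanisms) the server advertised."""
    replies = [l[7:].split() for l in session if l.startswith(("S: 250-", "S: 250 "))]
    caps, mechs = set(), set()
    for words in filter(None, replies[1:]):  # replies[0] is the greeting line
        caps.add(words[0].upper())
        if words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return caps, mechs

def login_exchange(session):
    """Decode the client's answers to the 334 prompts (base64 is not encryption)."""
    answers, expecting = [], False
    for line in session:
        if line.startswith("S: 334 "):
            expecting = True
        elif expecting and line.startswith("C: "):
            answers.append(base64.b64decode(line[3:]).decode())
            expecting = False
    return tuple(answers)

def findings(session, tls_active=False):
    """List what a session exposes to anyone on the network path."""
    if tls_active:
        return []
    caps, mechs = ehlo_capabilities(session)
    checks = [("LOGIN" in mechs, "AUTH LOGIN advertised without TLS"),
              ("STARTTLS" not in caps, "STARTTLS not offered"),
              (bool(login_exchange(session)), "credentials recoverable from capture")]
    return [msg for hit, msg in checks if hit]
```

With TLS certificates in place and AUTH_SERVER_ALLOW_NOTLS_PASSWORDS left undefined, the same EHLO on a plaintext connection should list STARTTLS and no AUTH line.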

For anyone that is new to Exim4, it is an extremely flexible alternative to sendmail or postfix.  There are many other rule sets for routing, filtering and auth that I do not mention here.  These notes are specific to the need that I had to fill.  Check out Exim4’s FAQs section.
