Exim is a flexible MTA that requires careful hardening due to its complexity. With the latest version 4.99.1 addressing security vulnerabilities, proper security configuration is critical.
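# Build-time options (Local/Makefile). They are compiled into the binary and
# cannot be changed or overridden from the runtime configuration file.

# Restrict configuration file prefixes: -C is only honoured for files under
# this directory, so a caller cannot point the setuid binary at an arbitrary
# configuration of their own.
ALT_CONFIG_PREFIX = "/etc/exim/conf.d/"

# Disable the -D option entirely (no macro overrides from the command line).
DISABLE_D_OPTION = yes

# Alternative to disabling -D: allow only the listed macros to be overridden.
# It has no effect while DISABLE_D_OPTION is set, so enable one or the other,
# not both; the stricter choice (disable) is kept active here.
# WHITELIST_D_MACROS = "DEBUG_LOG_FILE"

# Fixed forbidden users. Compiled in, so they cannot be removed by the runtime
# configuration; never_users in the runtime config only adds to this list.
FIXED_NEVER_USERS = "root:daemon"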
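# Strict relay controls in ACL. This goes in the "begin acl" section and is
# selected with acl_smtp_rcpt = acl_check_rcpt; it runs once per RCPT command.
acl_check_rcpt:
  # Refuse mail that claims a local sender domain but arrives from a host that
  # is neither a permitted relay nor an authenticated client (sender spoofing).
  # The condition is sender_domains; "senders_domains" is not an Exim ACL
  # condition.
  deny    sender_domains = +local_domains
          !hosts         = +relay_from_hosts
          !authenticated = *
          message        = local sender domain not permitted from this host

  # Mail addressed to our own domains is accepted for local delivery.
  accept  domains        = +local_domains

  # Relaying to any other domain is allowed only for listed hosts or
  # authenticated clients.
  accept  hosts          = +relay_from_hosts
  accept  authenticated  = *

  # Everything else is a relay attempt. Relay control has to be keyed on the
  # recipient domain: with only the sender-domain deny above followed by a
  # bare "accept", any recipient domain would be relayed from any host.
  deny    message        = relay not permitted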
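# Turn on TLS (split-config style macro, as used by the Debian packaging).
# This is not an authentication option by itself; it is needed so that the
# advertise condition below can require an encrypted connection.
MAIN_TLS_ENABLE = yes
# Configure authentication
begin authenticators
# Example: PLAIN authentication, credentials checked against saslauthd
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  # For PLAIN, $auth2 is the authentication id (username) and $auth3 the
  # password; $auth1 (authorization id) is ignored. A result of "1" means
  # success, "0" failure.
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  # Record the authenticated username in $authenticated_id / the log line.
  server_set_id = $auth2
  # PLAIN sends all credentials in one step, so no prompts are issued.
  server_prompts = :
# Advertise PLAIN only once the session is encrypted, so passwords are never
# sent in clear text, unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined.
# $tls_in_cipher is the current name for the inbound cipher; $tls_cipher is
# the deprecated alias.
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif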
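# TLS settings. Enabling TLS alone does not force it for authentication; that
# is done by the server_advertise_condition on the authenticator, which only
# offers PLAIN once the connection is encrypted.
MAIN_TLS_ENABLE = yes
# Restrict cipher suites (OpenSSL cipher-list syntax; GnuTLS builds use a
# different priority-string syntax). Only AEAD / SHA-2 suites are listed.
tls_require_ciphers = AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256
# Drop root privilege during local delivery to minimize privileged operations.
deliver_drop_privilege = true
# Limit trusted users to system services only. Trusted users may set the
# envelope sender (-f) and add Sender: headers without restriction, so a
# compromised web application running as www-data could forge senders;
# keep www-data here only if it genuinely needs that ability.
trusted_users = exim:www-data
trusted_groups = Debian-exim
# Never run a delivery as these users, whatever a router or transport asks for
# (this adds to the compiled-in FIXED_NEVER_USERS list).
never_users = root:daemon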
- `forbid_*` options for `.forward` files
- `${run...}` expansion items
- `${quote:...}`, `${quote_local_part:...}` properly
- `${match_local_part...}` if `EXPAND_LISTMATCH_RHS` is enabled

# Secure local delivery transport
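local_delivery:
  driver = appendfile
  # Use $local_part_data, the verified form set by the router (for example by
  # check_local_user), not $local_part: current Exim (including the 4.99.1
  # this page targets) treats $local_part as tainted and refuses it in a
  # filename, and it could otherwise carry sender-supplied path characters.
  # NOTE(review): directory= delivers each message as a separate file in that
  # directory; for a classic mbox in /var/mail use file = instead.
  directory = "/var/mail/$local_part_data"
  mode = 0660
  group = mail
  return_path_add
  envelope_to_add
  # delivery_date_add is the third standard header-adding transport option.
  # The original "bcc_return_path_add" is not a transport or appendfile option
  # in the Exim reference as far as I can find and would be rejected as an
  # unknown option.
  delivery_date_add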
- `.forward` file processing
- `forwardfile_transport` with limited capabilities
- `.forward` files in shared environments

# Monitor for suspicious activity
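tail -f /var/log/exim4/mainlog | grep -E "(rejected|failed|denied)"   # Debian log path; adjust if mainlog lives elsewhere
# Watch for queue anomalies. -bpc prints the number of queued messages
# directly; `exim -bp | wc -l` counts output lines (several per message),
# not messages.
watch 'exim -bpc'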
- `commandline_checks_require_admin` for tighter control

With the upgrade to Exim 4.99.1, pay attention to: