Sie sind auf Seite 1von 55

Integrating Exim with Exchange

- Advanced routing and security for vulnerable hosts -

J.Meers - Mediavest
Prepared for the First International Exim Conference and Tutorial – Feb 2005
- Contents -

Abstract

Objective and Scope

Assumptions and Reasoning

Problem Scenario

Security Considerations

Routing Considerations

Possible Solutions

Selected Solution

Tutorial: Exim, Exchange and MessageLabs integration

Common mistakes and how to avoid them

Monitoring queues with EximState and Apache

Further reading & references

Thanks

Copyright

Licence

Liability
- Abstract -
Exim

Exim is a message transfer agent (MTA) developed at the University of


Cambridge for use on Unix systems connected to the Internet. It is freely
available under the terms of the GNU General Public Licence. In style it is
similar to Smail 3, but its facilities are more general. There is a great deal of
flexibility in the way mail can be routed, and there are extensive facilities for
checking incoming mail. Exim can be installed in place of sendmail, although
the configuration of Exim is quite different to that of sendmail.

Microsoft Exchange

Exchange is Microsoft's flagship messaging product with over 100 million


licences sold worldwide. Securing this product is a challenge for any
administrator. To properly secure Exchange attention must also be paid to
Operating System security, Active Directory security, NT/2000/2003 file and
folder security, LDAP security, RPC security as well as the notorious IIS
webserver.

For many administrators having so many vulnerable services to contend with is


difficult enough without the added security concerns that come from
connecting a server holding private data directly to the internet.
- Objective and Scope -
This paper attempts to addresses issues for administrators who must use
Exchange in a corporate environment, but have concerns over its ability to
protect the valuable resources it holds, or its ability to provide advanced
routing and filtering of messages before delivery.

This paper shows a real-life example of Exim in use as an SMTP gateway to an


internal Exchange server, providing a level of separation from Internet based
enumeration and exploit.

The tutorial provides a mechanism for:

● Proving temporary redirection by domain.

● Providing permanent redirection by email address.

● Restricting the domains allowed for relay and delivery.

● Restricting IP addresses allowed for relay and delivery.

● Sending and receiving mail via a dedicated appliance or third party


Virus/Spam/Porn scanning service such as MessageLabs.

The paper discusses a method for removing many of the risks associated with
presenting Microsoft Exchange directly to the Internet.

NOTE:
This paper does not attempt to provide detailed information on securing
Microsoft Windows, Microsoft Exchange, Active Directory and IIS.
- Assumptions and Reasoning -
It is assumed that the reader does not need convincing that protecting
or hiding the following information or services from attackers is
sensible:

● Services that run with administrative privileges.

● Services that can be used to disclose information (Active Directory, LDAP).

● Services which advertise version information that can be used to establish


which security updates have, and have not not been applied.

● Local administrative accounts and domain administrative accounts.

● Internal usernames and passwords.

● Default accounts or guest accounts with known, empty or weak passwords.

● Internal e-mail addresses, groups and distribution lists.

● Confidential information and correspondence.

It is also assumed that the reader does not need convincing that
restricting internet access to the following services is more reliable
and more secure than allowing connections from any host and relying
the services themselves to fend off security flaws and brute force
attacks:

● SMTP

● Outlook Web Access (OWA)

● IMAP

● POP3

● RPC, LDAP and SMB connections

NOTE:
Any service that can be used remotely to validate credentials is a
potential liability, and given enough time or a big enough dictionary of
words, an attacker can establish a username and password to begin
trying to escalate their privileges on the target system.

Most security specialists would agree: No server holding


confidential data should ever be connected directly to the
Internet.
If the reader needs any further evidence to support the statements made
above, or simply wishes to find out more information about securing Exchange
the following documents provide further independent analysis.

Incidentally, all of the documents below re-enforce the recommendations made


in this paper, they also recommend that the main Exchange server(s) should be
moved back at least one level from any public facing Internet connections.

Paper Content
Covers vulnerable ports and services.
Securing Exchange 2000, Part One
Output from port scans, Server enumeration,
Chris Weber, Security Engineer, Foundstone
LDAP enumeration and pilfering shares with
http://securityfocus.com/infocus/1572
poor default security
Covers exploiting SMTP relay even when SMTP
Securing Exchange 2000, Part Two relay is disabled.
Chris Weber, Security Engineer, Foundstone
Front end/Back end configuration, restricting
http://securityfocus.com/infocus/1578
privileges, using SSL, TLS and IPSEC to encrypt
communications.
Provides advice for securing:
Securing your Exchange Server
The Operating System, Exchange itself, IIS
Installation
webserver and Outlook Web Access , service
Monty Hall
accounts, domain security and server
http://securityfocus.com/infocus/1305
placement.
Covers the use of an SMTP Relay in the DMZ
Exchange 2000 in the Enterprise: Tricks between Exchange and the Internet.
and Tips Part One
This paper covers the same topology we will
Tim Mullen, Chief Software Architect for
use in this paper but specifically uses Microsoft
AnchorIS.Com
ISA server and Trend Micro's SMTP Relay.
http://securityfocus.com/infocus/1654
Part two of this paper covers various methods
Exchange 2000 in the Enterprise: Tricks of encryption .
and Tips Part Two
The paper has an excellent section on securing
Tim Mullen, Chief Software Architect for
Outlook Web Access with the IIS lock-down tool
AnchorIS.Com
and some of the caveats introduced such as the
http://securityfocus.com/infocus/1658
double dot encoded URL.

NOTE:
The “further reading and references” section towards the end of this
paper provide additional material on securing Exchange. Much of this is
at a very technical level and may be too complicated for some users, but
well worth a look should you need guidance on further hardening your
infrastructure with more finely grained access control and encryption.
- Problem Scenario -
“FictionalCompany.com” require Microsoft Outlook and Microsoft
Exchange to enable the use of Blackberry and Windows based PDA
devices for staff who frequently work out of the office, or on the road.
---

The solution should provide a mechanism for redirecting emails to another


mailbox to handle situations where staff leave, get married or are out of the
office long periods of time due to maternity or illness.

The solution should provide a mechanism for temporary redirection of all email
destined for a particular domain to handle situations where servers, networks,
routers and internet connections fail unexpectedly.

The solution should restrict access for unknown domains and IP addresses to
prevent the system being used as a relay for SPAM.

The solution should provide a mechanism for incorporating some form of mail
content scanning to identify virus, spam and pornographic material before
delivery to users mailboxes. Ideally this should be done before the mail actually
reaches the SMTP relay.

The solution should make configuration as easy a possible to understand and


modify, reducing the chances of making configuration errors.

The IT department have been asked to provide all of this functionality in a


secure manner. No budget has been set, but the final solution should provide
good value for money compared to the other possible alternatives.

The current Exchange installation

The current installation consists of a single Exchange server installed on a


Domain Controller on the LAN. The Domain controller also runs DNS and WINS
for the internal network. The server can communicate over NetBIOS, NetBEUI
and TCP/IP.

The server has been made public using Network Address Translation (NAT).
One of the public IP addresses has been mapped directly to the server on the
LAN by using one-to-one NAT on the firewall.

The firewall has an opening on port 25, allowing any host on the internet to
connect to the SMTP service. POP3, SMTP, IMAP4 and Outlook Web Access are
all enabled on the server, but these are only available to users on the LAN.

This is a typical installation that you might find at any number of Small to
Medium sized Enterprises (SME's).
- Security Considerations -
● The SMTP service should be the only service accessible from the internet, as
this is the bare minimum required to send and receive e-mail with other
individuals or organisations.

● All other services (POP3, IMAP, Outlook Web Access, RPC, LDAP and SMB
connections) should be unreachable from the internet without first passing
some form of strong authentication such as an IPSEC VPN, or a dial-in service
secured by a secondary mechanism such as RADIUS or RSA SecureID.

NOTE:
This paper does not deal with the various strong authentication methods
available for securing access to the internal corporate network, but
focuses on securing the SMTP service. The SMTP service is one of the
most frequent starting points for attackers as almost every company has
it open.
- Routing Considerations -
If we employ a single mail hub with an ability to process mail for multiple
domains and servers we will receive the following benefits:

● Reduction of the number of ports and sockets to secure.

● Reduction of management overhead (Less servers to manage).

● Reduction of hardware requirements (Less servers required).

● Flexibility for companies that have multiple business units that share
resources internally but operate as different organisations externally.

● The flexibility to redirect or reject mail at delivery time.

● The ability to content scan messages for virus, porn and spam before
delivery.
- Possible Solutions -
Microsoft Exchange as a standalone SMTP relay
Using another Exchange server in its own workgroup avoids the problems
associated with giving away domain administration privileges and domain
passwords, but still suffers from the problems associated with using Exchange
on a public facing internet connection.

Dedicated SMTP relay in the DMZ*


Such as EXIM, Trend Micro-Interscan, SurfControl-RiskFilter, Clearswift-
MimeSweeper etc...

3rd Party Service


Such as MessageLabs, Symantec Managed Security Services, InnoTech-
MailPure etc...

NOTE:
* If a DMZ is not available on your firewall it is still possible to use Exim
using one-to-one NAT and/or port forwarding, but a dedicated DMZ would
always be preferred.
- Selected Solution -
Our solution will incorporate Exchange with Exim and the
MessageLabs virus scanning service.

Exim provides all the functionality we need with the flexibility to add more
advanced content scanning and filtering at a later date.

The MessageLabs service provides multiple scanning technologies that we can


not hope to better internally without massive investment in extra equipment
and staff.

Using an external content scanning service in conjunction with our Exim relay
also provides cost and efficiency benefits by rejecting virus, spam and porn
before it has consumed bandwidth getting to our SMTP relay.

Requirements:

Firewall A hardware firewall would be preferred, but any firewall with


stateful packet inspection (SPI) and a DMZ (or NAT and port
forwarding).

WAN Any internet connection with at least 1 free, fixed IP address for use
in the DMZ (Unless NAT or port forwarding is used)

DMZ 1 server capable of running Exim


(We will be using a Pentium III 700Mhz with 256Mb Ram on RedHat
Enterprise Linux 4 or Fedora Core 3)

LAN Exchange 2000 (SP3) running on Windows 2000 Server (SP4)

Content
Scanning We will be using MessageLabs mail scanning service. For the
purpose of this paper we have been assigned the following hosts,
mail19.messagelabs.com and mail20.messagelabs.com as
the primary and backup hosts to use for sending and receiving
e-mails to be scanned by the service.

NOTE:
The chosen solution does not require a massive investment in hardware,
nor does it require much administration, making it ideal starting point for
the average Small to Medium-sized Enterprise (SME).
- Tutorial -
To make the tutorial easier to following we will use the following 3
fictional domains, each having its own dedicated Exchange server:

domain1.com with an exchange server called exch1

domain2.com with an exchange server called exch2

domain3.com with an exchange server called exch3

...and we will use the following in place of actual IP Addresses:

exch1 = exch1.exch1.exch1.exch1

exch2 = exch2.exch2.exch2.exch2

exch3 = exch3.exch3.exch3.exch3

exim = exim.exim.exim.exim

mail19.messagelabs.com = av1.av1.av1.av1

mail20.messagelabs.com = av2.av2.av2.av2

The final network layout will look like this:

NOTE:
If you don't have multiple domain names or exchange servers just ignore
any lines referring to “domain2.com”, “domain3.com”,
“exch2.exch2.exch2.exch2” and “exch3.exch3.exch3.exch3”. They are
provided for the benefit of larger or more complex installations.
- Overview of sending an email on the existing system -

When an e-mail is sent from an individual the following process occurs from top
to bottom until the message is delivered to the destination mail server.

The sender types the message in an e-mail client


e.g Message created in Outlook

The sender types in the e-mail address of the recipient in the To: field.
e.g e-mail addressed to user1@ FictionalCompany.com

The sender clicks “send” and the message is delivered to the users mail server
e.g Message sent from Outlook to Exchange

The mail server then reads the e-mail address and separates the domain part
of the address from the user part of the address.
e.g FictionalCompany.com

The mail server then contacts a DNS server and requests a list of MX (Mail
eXchange) records for the domain fictionalcompany.com.
e.g pri=5 mail1.FictionalCompany.com
pri=10 mail2.FictionalCompany.com

The mail server then selects the mail server with the highest priority and
connects over SMTP to deliver the mail.
e.g Exchange connects to port 25 on mail1.FictionalCompany.com to
deliver the mail over SMTP.

(The highest priority mail server always has the lowest number in the MX field,
the opposite of what most people expect. The MX record is a special DNS
record used for Mail eXchange between domains)

How this will change:

Once the e-mail arrives on the mail server instead of trying to send the email
directly the email is forwarded to the Exim server where address rewriting and
address redirection may be performed before passing the e-mail onto the
MessageLabs service for virus, porn and spam scanning before final delivery.
- Overview of receiving an email on the existing system -

When an e-mail is received from an individual the following process occurs from
top to bottom until the message lands in the recipients mailbox.

Based on the MX records for the domain, inbound mail arrives directly
at the Exchange server on Port 25

Exchange decides if it should accept the message

If the message is accepted Exchange delivers the message to the


users mailbox

The user views the message in Outlook

How this will change:

We will later point our MX records at MessageLabs who will receive the e-mail
on our behalf before content scanning. The message will then be delivered to
our new Exim server in the DMZ. Our Exim server then performs its checks on
any aliases and domains that may need re-writing or re-directing before final
delivery to Exchange.
- Steps Involved -
The tutorial will be done in stages, starting with the default installation.

We will only move onto the next step after the successful testing of the
previous step. This not only makes the tutorial easier to follow but gives us an
idea where we went wrong should we make a mistake.

Build the Server


Network Settings
Internet Connectivity
Updates
Backups
E-mail Transport
Queue Frequency
Exim Monitor

Our First Test E-Mail with the default Exim config.

Test SMTP connectivity between Exchange and Exim

Test SMTP relay between Exchange and Exim

Break Down the Configuration

Create our new config


Option 1: Straight delivery via MX records
Option 2: Third party scanning service or appliance

Going Live

Troubleshooting
- Building the server -

For our Exim server we are using a Pentium III 700Mhz with 256Mb RAM and a
10/100Mb network card.

Suggested specification for INITIAL TESTING

For testing purposes all of the initial work was done on “Fedora Core 3*”,
installed on a single 10GB IDE hard drive with one big root “/” partition and a
512Mb swap partition. We disabled the firewall and ran the full gnome desktop
with Remote Desktop (a modified version of VNC), to help us get things
working quickly and iron out any problems.

Once we are familiar with the new Exim server and have got a working
configuration we save all the config files to a floppy or USB memory stick and
start again, this time paying more attention to resilience and security.

Suggested specification for FINAL IMPLEMENTATION

We install a raid controller in the server and Mirror two drives.

A 3ware escalade RAID controller** and 2 IDE hard disks provide excellent
value for money and are very well supported by most Linux kernels and the
SMART disk monitoring daemon.

We kept the 512Mb swap partition but split the remaining disk space between
a root “/” and “/var” partition and installed the 3ware monitoring software.

We install RedHat Enterprise Linux 4*** on the server with a subscription to


RedHat Network****. We opt for a basic subscription as we are only concerned
about getting security updates. The firewall is enabled, SMTP and SSH are the
only services allowed through the firewall.

If the Gnome or KDE desktop is installed we would also need to open port
5900:tcp to use the remote desktop feature.

The remote desktop feature***** is useful for watching the messages come in
and out vial the Exim monitor “eximon” but does introduce and extra set of
services and ports to secure.

* Fedora Core 3 http;//fedora.redhat.com


** 3ware RAID Storage Solutions http://www.3ware.com
*** RedHat http://www.redhat.com
**** RedHat Network http://rhn.redhat.com
***** RedHat Menu > Applications > Preferences > Remote Desktop
- Network Settings -

The Exim server should have a hostname, IP address, subnet mask and default
gateway set at installation. These should be established before the installation
begins instead of installing the server with a DHCP address then changing
these via the applet later. The server should at least be able to resolve its own
hostname and Fully qualified hostname (FQDN) via the hosts file (/etc/hosts).

RedHat Menu > Systems Settings > Network

- Internet Connectivity -

Check for a working Internet connection and setup a time server for the
machine to use as a reference. Accurate time is essential for making sense of
mail headers and log files.

RedHat Menu > Systems Settings > Date & Time

- Updates -

The system should be updated by the RedHat Network on a regular basis. On


the test systems we automate updates using a script in /etc/cron.hourly. On
the live system we automate this via the RedHat Network. Should you decide
to use a script you may want to consider if kernel updates should be done
automatically or by hand.

If you wish to script the updates:

To update everything (except skipped packages) up2date -u


To update everything (including skipped packages) up2date -uf
To download updates but not install them up2date -ud
To change up2date settings up2date –-configure

- Backups -

Consider using a USB memory stick to make backups of configuration files.

These can be scheduled by using scripts in /etc/cron.daily, /etc/cron.weekly


and /etc/cron.monthly to backup into separate folders on the USB device.
This is much more secure than enabling NFS, SAMBA or FTP on the box.

SCP was the only another alternative we considered before deciding on a USB
device. A floppy disk would also suffice as an average set of config files would
only be around 100k in size.
- E-Mail transport -

To begin setting up our Exim SMTP Gateway we now switch the default mail
transport from Sendmail to Exim.

RedHat Menu > Applications > Preferences > More Preferences > Mail
Transport Agent Switcher

Select Exim then click Ok.

- Queue Frequency -

For testing we will set the default queue frequency to 1minuite for making it
easy to see how Exim handles large or difficult messages.

To do this we need to change the default QUEUE setting from 1hour to 1min.

Open up GEDIT and edit /etc/sysconfig/exim to read as follows:

# /etc/sysconfig/exim

DAEMON=yes
QUEUE=1m

(try /etc/sysconfig/sendmail if /etc/sysconfig/exim doesn't work as expected)

Note - Editing Files:

Gedit can be launched from


Applications > accessories > Text Editor

or from a the command line e.g

gedit <enter>
gedit /etc/sysconfig/exim <enter>

Once your Exim relay is up and running you may need to change
configuration remotely. To do this you may want to use SSH and the VI
text editor from a Unix/Linux box, or WinSCP from a Windows PC.

This type of remote management requires that port 22 be open, and the
SSH (Secure Shell) service running.

For security reasons, SSH would normally be blocked at the firewall to all
*external* connections. This is highly recommended on most systems.
- Exim Monitor -
It would be useful to see if Exim is running correctly during our testing.

To do this we use launch the Exim Monitor “eximon” at startup.

RedHat Menu > Applications > Preferences > More Preferences >
Sessions

Select the Startup Programs tab, click Add, type eximon, click OK, click
Close.

Now reboot and look out for any Sendmail or Exim error messages on start-up.
Once you have logged in the Exim Monitor should start up automatically.
- A Test Email Using the Default Config -
Now Exim is running we can send ourselves a test e-mail from the command
line.

First open up a Terminal (The Linux equivalent of a DOS Prompt) then type:

mail yourname@yourdomain.com <enter>


type your subject <enter>
type your message <enter>
<a deliberate blank line here> <enter>
CTRL-D <hold CTRL and press D>
<ignore the “CC:” prompt> <enter>

NOTE:
DONT FORGET A BLANK LINE BEFORE THE CTRL-D

On the Monitor screen you should now see your message being processed.

If you would prefer to use a program rather than the command line to send
messages during testing, or couldn't figure out how to do it via the command
line, you can always use one of the following programs configured for a local
mailbox to send email using the “root” account.

Evolution or the excellent Mozilla Thunderbird can be used by using:

Applications > Internet > Email for Evolution or


Applications > Internet > Thunderbird Email for Thunderbird
- Test SMTP connectivity from Exim to Exchange -
From the Exim box, open up a terminal and type:

telnet exch1.exch1.exch1.exch1 25 <enter>

to telnet to your exchange server on port 25 (SMTP)

NOTE:
Replace “exch1.exch1.exch1.exch1” with the IP Address or the
hostname of your exchange server

You should get a response similar to the following:

Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com
Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at
Thu, 10 Feb 2005 11:18:41 +0000

If it worked type:

quit <enter> to close the connection, then continue onto the next section.

If it didn't work:

Make sure both machines can see each other and are not being blocked by a
hardware or software firewall on either box.

If the firewall is running on the Exchange server, make sure the Mail (SMTP)
service on port 25 is open, and accessible to the Exim box.

NOTE:
If you are running a firewall that prevents Exim seeing the Exchange
servers you may need a firewall rule such as:

Allow:
exim.exim.exim.exim > exch1.exch1.exch1.exch1 : port 25 (SMTP)
- Test SMTP connectivity from Exchange to Exim -
From the Exchange server, open up a DOS Prompt and type:

telnet exim.exim.exim.exim 25 <enter>

to telnet to your exim box on port 25 (SMTP)

NOTE:
Replace “exim.exim.exim.exim” with the IP Address or the
hostname of your Exim box

You should get a response similar to the following:

Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000

If it worked type:

quit <enter> to close the connection, then continue onto the next section.

If it didn't work:

Make sure both machines can see each other and are not being blocked by a
hardware or software firewall on either box.

If the firewall is running on the Exim box, make sure the Mail (SMTP) service on
port 25 is open.

RedHat Menu > Systems Settings > Security Level

NOTE:
For troubleshooting purposes only, typing the following in a terminal
will stop the IP Tables firewall if it is running.

service iptables stop <enter>


- Test SMTP Relay from Exim to Exchange -
We will now create a message from the Exim server on the Exchange server
using exactly the same commands that an actual MTA such as Exim (Mail
Transfer Agent) would use. (Yes, helo is meant to be spelt with one “l” )

The commands we type are shown in yellow, and the server responses are
shown in blue.

telnet exch1.exch1.exch1.exch1 25 <enter>

Trying exch1.exch1.exch1.exch1...
Connected to my-exchange (exch1.exch1.exch1.exch1).
Escape character is '^]'.
220 my-exchange.my-domain.fictionalcompany.com
Microsoft ESMTP MAIL Service, Version: 5.xxx.xxx.xxx ready at
Thu, 10 Feb 2005 11:18:41 +0000

helo senderdomain.com <enter>

250 senderdomain.com Hello [your ip address]

mail from: sendername@senderdomain.com <enter>

250 sendername@senderdomain.com....Sender Ok

rcpt to: recipientname@recipientdomain.com <enter>

250 recipientname@recipientdomain.com
data <enter>

type your message <enter>

type a blank line <enter>

<type a single dot on its own line> < enter>

250 [Message-ID] Queued mail for delivery

quit <enter>

Hopefully your message will be accepted for relay and will arrive shortly.

COMMON ERRORS:

error 510
The domain name you specified as the senders domain does not exist.

error 503
The recipient was specified before the sender

error 550
Relay Denied

A “Relay Denied” message indicates that Exim is able to reach the SMTP
service running on Exchange, but is not allowed to relay messages. To correct
this change the relay permissions in Exchange:

Exchange System Manager > Administrative Groups > Servers >


Exchange Server > Protocols > SMTP > Default SMTP Virtual Server >
Right Click > Properties > Access.

Check your settings for each of the following then restart the SMTP service:

Authentication (anonymous connections may need to be enabled)


Connection (Exims IP Address may need added or removed )
Relay (Exims IP Address may need added or removed )
- Test SMTP Relay from Exchange to Exim -
We will now create a message from the Exchange server on the Exim box using
exactly the same commands that an actual MTA such as Exim (Mail Transfer
Agent) would use. (helo is meant to be spelt with one “l” )

The commands we type are in yellow, the server responses are in blue.

telnet exim.exim.exim.exim 25 <enter>

Trying exim.exim.exim.exim...
Connected to exim.exim.exim.exim (exim.exim.exim.exim).
Escape character is '^]'.
220 your-hostname ESMTP Exim 4.xx Thu, 10 Feb 2005 11:50:43 +0000

helo senderdomain.com <enter>

220 exim-hostname ESMTP Exim 4.xx


250 exim-hostname Hello your-hostname [your ip address]

mail from: sendername@senderdomain.com <enter>

250 Ok

rcpt to: recipientname@recipientdomain.com <enter>

250 Accepted
data <enter>

type your message <enter>

type a blank line <enter>

<type a single dot on its own line> < enter>

250 OK [Message-ID]

quit <enter>

221 exim-hostname closing connection

Hopefully your message will be accepted for relay and will arrive shortly.

COMMON ERRORS:

error 510
The domain name you specified as the senders domain does not exist.

error 503
The recipient was specified before the sender

error 550
Relay Denied

A “Relay Denied” message indicates that Exchange is able to reach the SMTP
service running on Exim, but is not allowed to relay messages. This means that
your default Exim config will not allow relay. We will replace this config in the
next section anyway.

Note:
Repeating this test on the Exim server, from the Exim server using
127.0.0.1 as the IP Address (the loop-back address), will prove that the
server is working, but relay permissions are denying remote connections.
If you got this far, Congratulations!
If everything has worked so far, we have proved we have an ability to send
messages backwards and forwards between the two servers, allowing Exim to
act as a relay between the Internet and Exchange.

Depending on your previous experience, you may now know significantly more
about sending messages over SMTP than you did before.

You have probably also figured out how easy it is for “spammers” to automate
the generation of millions of messages SPAM messages sent every day on
poorly configured hosts. Exim can be extended provide the basis of an
excellent SPAM filtering soulution when combined with SpamAssassin.

Most people will find the section we just completed on Network, Firewall, DMZ
and LAN configuration more difficult than any of the other tasks in this paper. It
should get easier from here.

Now the foundations are in place we will begin generating our own custom
configuration.
- Breakdown of the new Exim configuration -
The new Exim config will consist of the following files, all located in /etc/exim

exim.conf the master config file


exim-local-settings custom settings for this host
exim-accept-from-this-list-of-ip-addresses allowed IP Addresses/Networks
exim-accept-from-this-list-of-domains allowed domains
exim-redirect-mail-for-this-list-of-users accounts to be redirected
exim-deliver-mail-to-this-list-of-servers mail servers to deliver to/from

This may seem very elaborate for most installations, but the aim of this tutorial
is to break everything down everything into small, bite-sized chunks that are as
self explanatory as possible.

- The Files -

/etc/exim/exim.conf
This will become our standard or “stock” config file that should never need
changing once the initial settings have been made. Get this file right and you
can drop it in every installation you make here on.

/etc/exim/exim-local-settings
This file will contain any settings we want to make specific to this host. Later
this file can be used to add some of the more advanced configuration options

/etc/exim/exim-accept-from-this-list-of-ip-addresses
This file is used in addition to firewall rules to determine which hosts or
networks are allowed to use the Exim Relay.

/etc/exim/exim-accept-for-this-list-of-domains
This file is used to determine which domains are allowed to use the Exim Relay.

/etc/exim/exim-redirect-mail-for-this-list-of-users
This file contains a list of email addresses to redirect, along with the e-mail
address to redirect to. Useful for example when an employee is unexpectedly
taken ill, or out of the office for a long period of time e.g. maternity leave.

/etc/exim/exim-deliver-mail-to-this-list-of-servers
This file contains the actual list of servers to deliver messages to for each
domain we relay for

We will start with the simple config files first then move on to an explanation of
the main exim.conf later.

NOTE:
IN EACH OF THE FOLLOWING EXAMPLES SUBSTITUTE THE
FICTIONALCOMPANY.COM INFORMATON WITH YOU OWN NAMES,
ADDRESSES AND DOMAINS.
- exim-local-settings -

NOTE:
In this example we will make the following local settings.

Messages that arrive with a missing username or domain will be


delivered to:
it-manager@fictionalcompany.com

We are also going to change the default SMTP banner to hide specific
version information from the casual observer. This is not foolproof
but makes us a less likely target from automated attacks.

We are also going to restrict this size of E-mails we will accept.


The 15Mb limit will most likely give us a “real-life” attachment size of
9-10Mb (as the MIME encoding used to send the E-mail adds a significant
increase in size to the original message).

The maximum number of SMTP connections has been reduced to 100 to


stop the server running out of memory should someone try and kill it by
making lots of incomplete connection attempts, draining resources.

# exim-local-settings

# avoid using the setting if possible


# exim will use machines hostname as default
#primary_hostname = exim.fictionalcomapny.com

# if a message has no domain name after the “@” sign use:


qualify_domain = fictionalcompany.com

# if a message has no senders name before the “@” use:


# “postmaster” or “administrator” are often used
qualify_recipient = it-manager

# Maximum message size AFTER encoding


message_size_limit = 15M

# Maximum number of incoming connections


smtp_accept_max = 100

# set smtp banner & hide version/type of mta from crackers


smtp_banner = fictionalcompany.com secure smtp server
- exim-accept-from-this-list-of-ip-addresses -
This file contains a list of IP Addresses and/or networks that Exim will accept
mail for.

NOTE:
lines beginning with a # (hash sign) are comments and are ignored.
Place your config on lines under comments, using tabs may improve
the readability of the file.

If you choose to edit these files using a Windows PC and find problems
with carriage returns at the end of each line, try using WinVI* or the
Edit facility in WinSCP** instead of using Windows notepad.

Putty*** is also worth a mention for Windows administrators.

# /usr/exim/exim-accept-from-this-list-of-ip-addresses

# the local address of our server


127.0.0.1
exim.exim.exim.exim
# our internal network(s)
192.168.0.0/16
10.0.0.0/8
# our external network(s)
202.158.21.22/24
202.158.21.52/28
# our local firewall
fwall.fwall.fwall.fwall
# our local router
routr.routr.routr.routr
# exchange servers
exch1.exch1.exch1.exch1
exch2.exch2.exch2.exch2
exch3.exch3.exch3.exch3
# messagelabs servers
av1.av1.av1.av1
av2.av2.av2.av2

CIDR notation may be used in this file. For more info on CIDR notation see:
http://www.webopedia.com/TERM/C/CIDR.html

* WinVi http://www.winvi.de/en/
** WinSCP http://winscp.sourceforge.net
*** Putty http://www.chiark.greenend.org.uk/~sgtatham/putty/
- exim-accept-from-this-list-of-ip-domains -
List each domain we are going to relay for in this file.

# /usr/exim/exim-accept-from-this-list-of-domains

domain1.com
domain2.com
domain3.com

Simple as that.
- exim-redirect-mail-for-this-list-of-users -
List the e-mail address we want to be redirected, and the e-mail address we
want to redirect it to.

# /usr/exim/exim-redirect-mail-for-this-list-of-users

postmaster@domain1.com: it-manager@domain1.com

previous.employee@domain1.com: new.employee@domain1.com

vacancies@domain2.com: humanresources@domain1.com

maiden-name@domain3.com: married-name@domain3.com

joe-bloggs@uk-office.co.uk: joe-bloggs@us-office.com

no-spam-112233@domain1.co.uk: real-account@domain1.co.uk

Each entry is separated with a colon (:) and at least one space, followed by the
new address.

Using tabs will make this file more readable.

As a general rule:

● Use the Exim server to manage redirections to different mailboxes


● Use your Exchange server to manage multiple aliases of the same mailbox
- exim-deliver-mail-to-this-list-of-servers -
List the domains we want to deliver to, followed by the hostname or IP Address
of the server we want it delivered to.

# /usr/exim/exim-deliver-mail-to-this-list-of-servers

# example by hostname
fictionalcompany.com: exchange.fictionalcompany.com

# example by ip address
domain1.com: exch1.exch1.exch1.exch1
domain2.com: exch2.exch2.exch2.exch2
domain3.com: exch3.exch3.exch3.exch3

# example of fallback server


# 10.1.1.1 is main server
# 10.2.2.2 is fallback server
domain4.com: 10.1.1.1:10.2.2.2

Each entry is separated with a colon (:) and at least one space.

Using tabs will make this file more readable.

As a general rule:

● Use IP Addresses instead of hostnames wherever possible


● Only list domains you wish to route internally here, if a match is found it is
acted on literally and delivered directly.
- exim.conf -
This is the main configuration file used by Exim.

This is a basic version with no local or 3rd party Mail Scanning.

# /usr/exim/exim.conf

############# INITIAL SETTINGS ######################


# set some defaults values and read in config files #
#####################################################

.include /etc/exim/exim-local-settings

domainlist relay_to_domains = /etc/exim/exim-accept-for-this-


list-of-domains

hostlist relay_from_hosts = /etc/exim/exim-accept-from-this-


list-of-ip-addresses

domainlist local_domains =
acl_smtp_rcpt = acl_check_rcpt

never_users = root

############# ACCEPT SETTINGS #######################


# set rules for accepting messages here #
#####################################################
begin acl

acl_check_rcpt:

accept hosts = :
deny local_parts = ^.*[@%!/|] : ^\\.

accept local_parts = postmaster


domains = +local_domains

accept domains = +relay_to_domains


endpass
message = relay not permitted at this server
verify = recipient

accept hosts = +relay_from_hosts

deny message = relay not permitted at this server


############# ROUTER SETTINGS #######################
# set rules for selecting a transport #
#####################################################
begin routers

redirect:
driver = redirect
data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-
redirect-mail-for-this-list-of-users}}

internal:
driver = manualroute
transport = remote_smtp
route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-
deliver-mail-to-this-list-of-servers}}

external:
driver = dnslookup
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

############# TRANSPORT SETTINGS ####################


# set rules for delivery transports #
#####################################################
begin transports

remote_smtp:
driver = smtp

We will break the file down into more manageable sections over the next few
pages:
Section #1 of exim.conf – Initial Settings

# /usr/exim/exim.conf

############# INITIAL SETTINGS ######################


# set some defaults values and read in config files #
#####################################################

.include /etc/exim/exim-local-settings

domainlist relay_to_domains = /etc/exim/exim-accept-from-this-


list-of-domains

hostlist relay_from_hosts = /etc/exim/exim-accept-from-this-


list-of-ip-addresses

domainlist local_domains =

acl_smtp_rcpt = acl_check_rcpt

never_users = root

Section #1 is used to:

Read in the configuration stored in


/etc/exim/exim-local-settings

Read in the list of allowed domains in


/etc/exim/exim-accept-from-this-list-of-domains

Read in the list of allowed hosts in


/etc/exim/exim-accept-from-this-list-of-ip-addresses

We don't have any local domains so this is set but left empty
(local meaning a mailbox actually held and stored on the Exim server)
domainlist local_domains =

The default name for the access control list is “acl_check_rcpt”


acl_smtp_rcpt = acl_check_rcpt

For security exim must never run as the “root” user.


never_users = root
Section #2 of exim.conf – Accept Settings
############# ACCEPT SETTINGS #######################
# set rules for accepting messages here #
#####################################################
begin acl

acl_check_rcpt:

accept hosts = :

deny local_parts = ^.*[@%!/|] : ^\\.

accept local_parts = postmaster


domains = +local_domains

accept domains = +relay_to_domains


endpass
message = relay not permitted at this server
verify = recipient

accept hosts = +relay_from_hosts

deny message = relay not permitted at this server

Accept mail E-mails created locally (empty sender).


accept hosts = :

Do not accept mail with *possibly* dangerous characters.


deny local_parts = ^.*[@%!/|] : ^\\.

Accept anything for the postmaster at local domains.


accept local_parts = postmaster
domains = +local_domains

Accept anything for domains we are a relay for or reply with an “error 550
Relay not permitted at this server” message.
accept domains = +relay_to_domains
endpass
message = relay not permitted at this server
verify = recipient

Accept anything from allowed IP Addresses.


accept hosts = +relay_from_hosts

Otherwise reply with an “error 550 Relay not permitted at this server”
message. If not explicitly accepted by any other section, deny for relay.
deny message = relay not permitted at this server
Section #3 of exim.conf – Router Settings

############# ROUTER SETTINGS #######################


# set rules for selecting a transport #
#####################################################
begin routers

redirect:
driver = redirect
data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-
redirect-mail-for-this-list-of-users}}

internal:
driver = manualroute
transport = remote_smtp
route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-
deliver-mail-to-this-list-of-servers}}

external:
driver = dnslookup
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

The REDIRECT mail router


Process all of our user redirections, as listed in the file:

/etc/exim/exim-redirect-mail-for-this-list-of-users

redirect:
driver = redirect
data = ${lookup{$local_part@$domain}lsearch{/etc/exim/exim-
redirect-mail-for-this-list-of-users}}

The INTERNAL mail router


Process all of our internal deliveries , as listed in the file:

/etc/exim/exim-deliver-mail-to-this-list-of-servers

internal:
driver = manualroute
transport = remote_smtp
route_data = ${lookup{$domain}partial-lsearch{/etc/exim/exim-
deliver-mail-to-this-list-of-servers}}
The EXTERNAL mail router
Process all of our external deliveries.

Two possible external routers are shown.

The first via normal, straight delivery via MX records, and the second via a
third party scanning service or appliance such as MessageLabs or
SurfControl RiskFilter.

NOTE:
You may only use one of the EXTERNAL routers shown below.

Option 1: straight delivery via MX records


external:
driver = dnslookup
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

Option 2: third party scanning service


external:
driver = manualroute
domains = ! +relay_to_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
route_list = * mail19.messagelabs.com
no_more
Section #4 of exim.conf – Transport Settings

############# TRANSPORT SETTINGS ####################


# set rules for delivery transports #
#####################################################
begin transports

remote_smtp:
driver = smtp

We only have one transport defined here, remote smtp.

remote_smtp:
driver = smtp
- Create our new config -
Now you understand how the contents of our Exim configuration we can start
to build our own.

Using the previous pages as an example, create your new config by editing or
creating all of the following files, replacing the FictionalCompany.com details
with your own.

You may want to get the following details ready before creating the
new config:

Exim Server IP Address : . . .

Exchange Server IP Address : . . .

Firewall IP Address : . . .

Router IP Address : . . .

Our local network(s) : . . . /


: . . . /
: . . . /
: . . . /
: . . . /
: . . . /

Our external network(s) : . . . /


: . . . /
: . . . /
: . . . /
: . . . /
: . . . /

Scanning Appliances (optional) : . . .


: . . .
: . . .

Scanning Services (optional) : . . . /


: . . . /
: . . . /
- Option 1: Straight delivery via MX records -
NOTE:
Be sure to include the correct section for your “external” router in
/etc/exim/exim.conf.

Your new Exim config will consist of the following files, all located in /etc/exim

exim.conf the master config file


exim-local-settings custom settings for this host
exim-accept-from-this-list-of-ip-addresses allowed IP Addresses/Networks
exim-accept-from-this-list-of-domains allowed domains
exim-redirect-mail-for-this-list-of-users accounts to be redirected
exim-deliver-mail-to-this-list-of-servers mail servers to deliver to/from

Once you have created your new config, reboot and we will test it.

---

We repeat the tests we performed earlier before committing our changes.

● Test SMTP relay from Exim to Exchange


● Test SMTP relay from Exchange to Exim

If everything works correctly we can make Exim the default “smarthost” for all
outbound mail sent from Outlook and Exchange.

NOTE:
At this point we have moved from testing to going live, some users may
be more comfortable performing the next steps out of hours or during
weekends.

The “smarthost” facility in Exchange can be set from:

Exchange System Manager > Administrative Groups > Servers >


Exchange Server > Protocols > SMTP > Default SMTP Virtual Server >
Right Click > Properties > Delivery > Advanced > Smart Host.

The Smarthost would normally be entered as an IP address rather than as a


hostname.

Exchange requires you to put square brackets around the IP address if you
intend to use the IP literally e.g [192.168.1.1]

The Default SMTP Virtual Server will need to be restarted for this to take effect.
If everything works correctly after the SMTP Virtual Server restart we will have
proved that Outbound mail is being processed correcly by Exim.

The only thing left to do is to make Exim the default server for Inbound mail by
making changes on your firewall, or by asking your ISP to add or modify your
DNS records to set your new Exim SMTP as the lowest priority server for
inbound e-mail.
(Lowest priority has the highest preference on MX records).

Now when mail is delivered to your domain the MX record should point at Exim
not Exchange, hence Exim will receive the mail not Exchange.

In practice you could either:

● Change your one-to-one NAT settings to point at Exim instead of Exchange


(Requires changes to your NAT settings on the main firewall).

● Put Exim on it's own IP Address in the DMZ and change your MX records.
(Requires changes to the DNS records held by your ISP)

● Replace Exchange by putting Exim on Exchanges old IP Address in the DMZ.


(Requires changing your Exchange servers IP Address)

Some of these changes may require you to modify settings on your main
firewall.

Some of these changes may require you to modify the DNS settings for your
domain.

DNS changes can take between 24-48 hours to propagate and may be best
done over a weekend.
- Option 2: Third party scanning -
NOTE:
Be sure to include the correct section for your “external” router in
/etc/exim/exim.conf.

The following line must be adjusted to reflect your scanning service or


appliance.

e.g
route_list = * mail19.messagelabs.com

would become
route_list = * av1.av1.av1.av1

(Remember to replace “av1.av1.av1.av1.av1” with the IP Address of


your Scanning Service or Appliance)

Your new Exim config will consist of the following files, all located in /etc/exim

exim.conf the master config file


exim-local-settings custom settings for this host
exim-accept-from-this-list-of-ip-addresses allowed IP Addresses/Networks
exim-accept-from-this-list-of-domains allowed domains
exim-redirect-mail-for-this-list-of-users accounts to be redirected
exim-deliver-mail-to-this-list-of-servers mail servers to deliver to/from

Once you have created your new config, reboot and we will test it.

---

We repeat the tests we performed earlier before committing our changes.

● Test SMTP relay from Exim to Exchange


● Test SMTP relay from Exchange to Exim

Additionally in this config we need to:

● Test SMTP relay from Exim to your Scanning Service or Appliance


● Test SMTP relay from your Scanning Service or Appliance to Exim
If everything works correctly we can make Exim the default “smarthost” for all
outbound mail sent from Outlook and Exchange.

NOTE:
At this point we have moved from testing to going live, some users may
be more comfortable performing the next steps out of hours or during
weekends.

The “smarthost” facility in Exchange can be set from:

Exchange System Manager > Administrative Groups > Servers >


Exchange Server > Protocols > SMTP > Default SMTP Virtual Server >
Right Click > Properties > Delivery > Advanced > Smart Host.

The Smarthost would normally be entered as an IP address rather than as a


hostname.

Exchange requires you to put square brackets around the IP address if you
intend to use the IP literally e.g [192.168.1.1]

The Default SMTP Virtual Server will need to be restarted for this to take effect.

If everything works correctly after the SMTP Virtual Server restart we will have
proved that Outbound mail is being processed correcly by Exim.

The only thing left to do is to make Exim the default server for Inbound mail by
making changes on your firewall, or by asking your ISP to add or modify your
DNS records to set your new Exim SMTP as the lowest priority server for
inbound e-mail.
(Lowest priority has the highest preference on MX records).

Now when mail is delivered to your domain the MX record should point at Exim
not Exchange, hence Exim will receive the mail not Exchange.

In practice you could either:

● Change your one-to-one NAT settings to point at Exim instead of Exchange


(Requires changes to your NAT settings on the main firewall).

● Put Exim on it's own IP Address in the DMZ and change your MX records.
(Requires changes to the DNS records held by your ISP)

● Replace Exchange by putting Exim on Exchanges old IP Address in the DMZ.


(Requires changing your Exchange servers IP Address)

Some of these changes may require you to modify settings on your main
firewall.
Some of these changes may require you to modify the DNS settings for your
domain.

DNS changes can take between 24-48 hours to propagate and may be best
done over a weekend.
- Going live -
In normal use, Eximon should be used to view all inbound and outbound mail
on the queue.

---

The following commands are also useful for monitoring the queue and can be
used remotely over SSH (or putty on a Windows PC).

exim -bp <enter>

exim -bp | exiqsumm <enter>

Additionally can test how Exim will handle individual addresses by using the -bt
option.

For example to see how Exim would handle a message to

it-manager@fictionalcompany.com you would type:

exim -bt it-manager@fictionalcompany.com <enter>

Giving a reply such as:

it-manager@fictionalcompany.com
router = external, transport = remote_smtp
host mail19.messagelabs.com [193.109.254.3]
host mail19.messagelabs.com [212.125.75.19]

NOTE:

Once Exim has replaced Exchange as the SMTP gateway for your
network, Exchange can be pulled back onto the LAN (if it wasn't
already) where it can benefit from the same security as your
other private servers.
- Troubleshooting -

If you have any problems once your Exim SMTP Relay is in place check the
following:

● DNS & Host records held by your ISP

● DNS settings and Host files on the local server

● Access rules on your main network firewall.

● Access rules on your operating system.

● Access control and relay settings on your mail servers

● Exim Config files

Then check the Exim FAQ located at:

www.exim.org

Then check the Exim mailing lists at:

www.exim.org

For general questions about this tutorial (not specific errors, they belong on the
mailing list), feel free to contact me with as much info as possible on:

exim@mv-online.co.uk

I will answer as many questions as time allows, but please be patient as my


day-to-day job takes priority over any Exim related questions.
- Common Mistakes and How to Avoid Them -
Sendmail and Exim

On many systems Exim *pretends* to be Sendmail hence:

/etc/sysconfig exim should be /etc/sysconfig/sendmail


service exim restart should be service sendmail restart

Sendmail Updates overwrite Exim

Sometimes a Sendmail update will overwrite and Exim binary *pretending* to


be Sendmail. We had to use the following script each time we ran RedHat
Update on RHEL 2&3, to ensure Exim always replaced any updated Sendmail
binaries.

up2date -uf

mv /usr/sbin/sendmail /usr/sbin/sendmail.old
chmod 0600 /usr/sbin/sendmail.old
ln -s /usr/exim/bin/exim /usr/sbin/sendmail

File Locations

In our examples Exim is always installed in:

/usr/sbin for the executable binary files and


/etc/exim for the configuration

However you may also find the following directories used:

/usr/exim/bin (binaries when complied from source)


/user/exim (config when complied from source)
/etc/exim4 (config under debian based distros e.g. ubuntu)

Config files

● Upper case and lower case are important

● Check the presence of colons (:) in the config files

● Get dots and @ signs the correct way round.


(I wasted a full day wondering what was wrong with my config)

e.g
exim@fictionalcompany.com should have been
exim.fictionalcompany.com if it represents a hostname
- Monitoring queues with Eximstate and Apache -

Eximstate is a fantastic tool that we use to report back to one central console.

An example is shown below.

We use this along with Apache to monitor every site from a single webpage.

For more information visit:

http://www.olliecook.net/projects/eximstate/
- Further reading & references -

Suggested further reading for extending the functionality of Exim with LDAP,
Virus and Spam Filtering Capabilities.

Books

The Exim SMTP Mail Server ISBN 0-9544529-0-9


Official Guide for Release 4
Philip Hazel & UIT

LDAP System Administration ISBN 1-56592-491-6


O'Reilly
Gerald Carter

SpamAssasin ISBN 0-596-00707-8


O'Reilly
Alan Schwartz

Websites

Exim www.exim.org

MailScanner www.mailscanner.info

Clam-AV www.clamav.net
References

The official Exim reference has been used extensively.


Many other useful pieces of information were also gleaned from:

securityfocus.net

and the SANS institute, in particular the following documents:

Security Issues For Exchange 2000 Outlook Web Access


Implementation
http://www.sans.org/rr/whitepapers/windows/975.php

Securing Web Based Corporate E-Mail Using Microsoft Exchange


Outlook Web Access
http://www.sans.org/rr/whitepapers/email/575.php

Exchange 2000 Security an Overview


http://www.sans.org/rr/whitepapers/email/1360.php

Securing Web Based Corporate E-Mail Using Microsoft Exchange


Outlook Web Access
http://www.sans.org/rr/whitepapers/email/575.php
- Thanks -
Thanks firstly to Philip Hazel and the University of Cambridge for giving Exim to
the Open Source Community.

- Copyright -
All trademarks used in this document are the property of their respective
owners.

- Licence -
This document is released under the CreativeCommons Attribution-
ShareAlike 2.0 licence.

Attribution-ShareAlike 2.0
You are free:
● to copy, distribute, display, and perform the work
● to make derivative works
● to make commercial use of the work

Under the following conditions:

Attribution. You must give the original author


credit.

Share Alike. If you alter, transform, or build upon


this work, you may distribute the resulting work
only under a license identical to this one.
● For any reuse or distribution, you must make clear to others the license
terms of this work.
● Any of these conditions can be waived if you get permission from the
copyright holder.

Your fair use and other rights are in no way affected by the above.
This is a human-readable summary of the Legal Code (the full license).
Disclaimer
- Liability -
The author accepts no liability for any damage or loss caused by the use of
information contained in this document. While every effort has been made in
the creation of this document, the author does not guarantee the accuracy of
any of the information contained in this document. It is the readers
responsibility to decide for themselves if the information contained is accurate
when deciding to follow the tutorial.

A test system that does not contain any important information or


correspondence is recommended for following this tutorial.

The author also recommends that anyone wishing to follow the tutorial should
purchase a separate domain name for the purpose of testing to ensure no
business critical systems are affected.