EXIM configuration - setup permissions problem

Posted on 2004-11-10
Last Modified: 2012-06-21

We've just set up a Linux box (Slackware 10.0).

We have lots of domains, some delivered by SMTP, some by POP3 which are presently downloaded onto an aging MS SBS 4.5 server with Exchange 5.5.  We don't want to change that just yet because we're moving offices and will be getting new IP addresses and servers.

The Linux box has two NICs, one of which is connected to the LAN, the other to a DSL firewall/router.  We're already using it as a proxy server.

What I'd like to also do is to configure fetchmail and Exim on the box to relay the POP3 accounts to our existing Exchange 5.5 server - we have to do this quickly because it uses the MS pop3 connector which will not be available after we retire the small business server 4.5 box.  I'm also very scared of rebooting that machine (from several nasty past experiences), so I don't really want to open it up to put a second LAN card in it.

Here comes the problem:

We've downloaded Exim 4.4 and compiled it up with the following options:

EXIM_GROUP is unspecified.

I've created a user called exim.  Exim is just a normal user in the "users" group, because it's the only one on the box apart from me and root.

make install has to be executed as root, so the files in the installation directories all have -rwxr-xr-x root root permissions.

This is probably all down to some stupid permissions problem because I've been working with MS for too long and almost forgotten *nix.

I've read this section on the Exim help, but it doesn't seem to make sense to me - see section 5.2.

If I chown/chgrp all the files (which surely I have to because I don't want to run as root) to exim/users, su to exim and then ./exim -bd I get the following error (3 times):

"Exim configuration file /usr/exim/configure has the wrong owner group or mode"

Can somebody with a running Exim please let me know how you have set the compile options / user permissions / groups, because this is getting really frustrating.

If I try to run it as root (which I shouldn't) it does get a lot further, but won't relay because of the "never_users" of root - this isn't really the right way to do it so fixing the permissions is really the answer I'm looking for.

Question by: wesbird

    Accepted Solution

    From section 4.13 of the above doc -

    The install script copies files only if they are newer than the files they are going to replace. The Exim binary is required to be owned by root and have the setuid bit set, for normal configurations. Therefore, you must run make install as root so that it can set up the Exim binary in this way. However, in some special situations (for example, if a host is doing no local deliveries) it may be possible to run Exim without making the binary setuid root (see chapter 4.8 for details).

    4.8 says

    It is not necessary to be root to do any of the other things Exim does, such as receiving messages and delivering them externally over SMTP, and it is obviously more secure if Exim does not run as root except when necessary. For this reason, a user and group for Exim to use must be defined in Local/Makefile.

    I guess you need to set an Exim group at compile or use it setuid root.

    Author Comment


    I tried recompiling it with an "exim" group, and the daemon won't even start as exim or root now.  Exim -bP shows the following (if this means anything to anyone?):

    acl_not_smtp =
    acl_smtp_auth =
    acl_smtp_connect =
    acl_smtp_data =
    acl_smtp_etrn =
    acl_smtp_expn =
    acl_smtp_helo =
    acl_smtp_mail =
    acl_smtp_mailauth =
    acl_smtp_predata =
    acl_smtp_quit =
    acl_smtp_rcpt = acl_check_rcpt
    acl_smtp_vrfy =
    admin_groups =
    auth_advertise_hosts = *
    auto_thaw = 0s
    bi_command =
    bounce_message_file =
    bounce_message_text =
    bounce_return_size_limit = 100K
    bounce_sender_authentication =
    callout_domain_negative_expire = 3h
    callout_domain_positive_expire = 1w
    callout_negative_expire = 2h
    callout_positive_expire = 1d
    callout_random_local_part = $primary_hostname-$tod_epoch-testing
    check_log_inodes = 0
    check_log_space = 0
    check_spool_inodes = 0
    check_spool_space = 0
    daemon_smtp_ports = smtp
    delay_warning = 1d
    delay_warning_condition = ${if match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes
    deliver_queue_load_max =
    dns_again_means_nonexist =
    dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W_](?>[a-z0-9-]*[^\W_])?)+$
    dns_ipv4_lookup =
    dns_retrans = 0s
    dns_retry = 0
    errors_copy =
    errors_reply_to =
    exim_group = exim
    exim_path = /usr/exim/bin/exim
    exim_user = exim
    extra_local_interfaces =
    finduser_retries = 0
    freeze_tell =
    gecos_name =
    gecos_pattern =
    header_line_maxsize = 0
    header_maxsize = 1048576
    headers_charset = ISO-8859-1
    helo_accept_junk_hosts =
    helo_allow_chars =
    helo_lookup_domains = @ : @[]
    helo_try_verify_hosts =
    helo_verify_hosts =
    hold_domains =
    host_lookup =
    host_lookup_order = bydns:byaddr
    host_reject_connection =
    hosts_connection_nolog =
    hosts_treat_as_local =
    ignore_bounce_errors_after = 2d
    ignore_fromline_hosts =
    keep_malformed = 4d
    local_from_prefix =
    local_from_suffix =
    local_interfaces =
    local_scan_timeout = 5m
    localhost_number =
    log_file_path =
    log_selector =
    lookup_open_max = 25
    max_username_length = 0
    message_body_visible = 500
    message_id_header_domain =
    message_id_header_text =
    message_size_limit = 50M
    never_users =
    percent_hack_domains =
    pid_file_path =
    pipelining_advertise_hosts = *
    primary_hostname =
    process_log_path =
    qualify_domain =
    qualify_recipient =
    queue_domains =
    queue_only_file =
    queue_only_load =
    queue_run_max = 5
    queue_smtp_domains =
    receive_timeout = 0s
    received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n
    \t}{${if def:sender_ident {from $sender_ident }}${if def:sender_helo_name {(helo
    =$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with
     $received_protocol}} (Exim $version_number)\n\tid $message_id${if def:received_
    for {\n\tfor $received_for}}
    received_headers_max = 30
    recipient_unqualified_hosts =
    recipients_max = 0
    remote_max_parallel = 2
    remote_sort_domains =
    retry_data_expire = 1w
    retry_interval_max = 1d
    rfc1413_hosts = *
    rfc1413_query_timeout = 30s
    sender_unqualified_hosts =
    smtp_accept_max = 20
    smtp_accept_max_nonmail = 10
    smtp_accept_max_nonmail_hosts = *
    smtp_accept_max_per_connection = 1000
    smtp_accept_max_per_host =
    smtp_accept_queue = 0
    smtp_accept_queue_per_connection = 10
    smtp_accept_reserve = 0
    smtp_active_hostname =
    smtp_banner = $primary_hostname ESMTP Exim $version_number $tod_full
    smtp_connect_backlog = 20
    smtp_etrn_command =
    smtp_load_reserve =
    smtp_max_synprot_errors = 3
    smtp_max_unknown_commands = 3
    smtp_ratelimit_hosts =
    smtp_ratelimit_mail =
    smtp_ratelimit_rcpt =
    smtp_receive_timeout = 5m
    smtp_reserve_hosts =
    spool_directory = /var/spool/exim
    syslog_facility =
    syslog_processname = exim
    system_filter =
    system_filter_directory_transport =
    system_filter_file_transport =
    system_filter_group = exim
    system_filter_pipe_transport =
    system_filter_reply_transport =
    system_filter_user = exim
    timeout_frozen_after = 1w
    timezone =
    trusted_groups =
    trusted_users =
    unknown_login =
    unknown_username =
    untrusted_set_sender =
    uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|
    uucp_from_sender = $1
    warn_message_file =


    Expert Comment

    What error messages do you get?

    Author Comment

    None I've noticed in the /var/spool/exim... - mainlog logfiles. (Will not be back at site for at least 10hrs - and have firewalled it without a way to tunnel in from home yet! [it's only a 10 minute walk - but not at this time of night])  Do you know the paths to system logfiles I may have to check (Slackware 10)?


    Author Comment

    (since the recompile that is) - let's freeze this thread until I'm back in the office.

    Author Comment

    For your information, we did get fetchmail working today - it saved the company. This town got ADSL only three weeks ago [and I'm rushing around all my small clients and this biggest client getting it working for them], and the big client is growing very fast; in the last two weeks they've been getting over 250MB email traffic per day, through a single 64K ISDN channel.  

    It would have been ISDN meltdown - if the MS SBS 4.5 POP3 connector goes, it's 6 or 7 hours to catch up with the mail (they handle shedloads of digital photographs).  1MB/s link with fetchmail saved the day, but fetchmail bombs out if the SMTP receiver is not available (I tested this today) which is why I need Exim as a fallback.  I know this is small for what Exim can handle, because it's what a lot of ISPs use - but it's our story ;-), and I really need it!!


    Expert Comment

    Stupid question perhaps, but why exim? I would recommend postfix.

    Author Comment

    Because I don't know anything about postfix!

    Besides which, I've got exim working now - another recompile, and changed

    EXIM_GROUP = exim
    to # EXIM_GROUP

    The problem was in fact that I had not put a '#' in front of it the first time I compiled it (but had just left it as a blank group name), but you were right about the issue being around there so pts for your help will be awarded shortly.

    P.S. for anybody else with setup problems, try running

    exim -bd -d

    which will write all logfile info to the console instead of the logfile.  Very helpful if your logfile permissions are wrong.
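    The "wrong owner group or mode" error quoted in the question comes from Exim's check on the configuration file's owner, group and permission bits. The POSIX shell function below is an added example (not code from the thread or from the Exim project) that applies the same rule as I understand it from the Exim 4 specification: the file must be owned by root or the Exim user, must not be world-writable, and may be group-writable only if its group is root or the Exim group. It assumes GNU stat and getent, and takes the Exim user and group names as parameters, since they depend on how EXIM_USER/EXIM_GROUP were set at compile time.

```shell
#!/bin/sh
# Added example: check a runtime configuration file against Exim 4's
# owner/group/mode rule before starting the daemon.
# Usage: check_exim_config_perms /usr/exim/configure exim exim
check_exim_config_perms() {
    file=$1; exim_user=$2; exim_group=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Numeric owner, group and octal mode of the file (GNU stat).
    uid=$(stat -c %u "$file"); gid=$(stat -c %g "$file"); mode=$(stat -c %a "$file")

    # Resolve the configured Exim user and group to numeric ids.
    exim_uid=$(id -u "$exim_user" 2>/dev/null) \
        || { echo "unknown user: $exim_user" >&2; return 1; }
    exim_gid=$(getent group "$exim_group" | cut -d: -f3)
    [ -n "$exim_gid" ] || { echo "unknown group: $exim_group" >&2; return 1; }

    bits=$((0$mode))   # leading 0 makes the shell parse the mode as octal
    status=0

    # Rule 1: owner must be root or the Exim user.
    if [ "$uid" -ne 0 ] && [ "$uid" -ne "$exim_uid" ]; then
        echo "$file: owner uid $uid is neither root nor $exim_user" >&2; status=1
    fi
    # Rule 2: never world-writable (o+w is bit 2).
    if [ $((bits & 2)) -ne 0 ]; then
        echo "$file: world-writable (mode $mode)" >&2; status=1
    fi
    # Rule 3: group-writable (g+w is bit 020 = 16) only for root or Exim group.
    if [ $((bits & 16)) -ne 0 ] && [ "$gid" -ne 0 ] && [ "$gid" -ne "$exim_gid" ]; then
        echo "$file: group-writable by gid $gid, which is neither root nor $exim_group" >&2
        status=1
    fi
    return $status
}

# Run as a script when given the three arguments; silent no-op when sourced.
if [ $# -eq 3 ]; then
    check_exim_config_perms "$@" && echo "$1: owner/group/mode acceptable"
fi
```

    A non-zero return means Exim would refuse the file for the same reason as the quoted error, so the fix is chown/chmod rather than more recompiles.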
