
BLU Discuss list archive



My mail server overhaul -- exim



This month's computer project was Overhauling the Email Server.  Once every
couple of years, the spammers get sufficiently under my skin that I decide to
do something about them.  In this case, I discovered that I couldn't make a
simple configuration change (to smart-host outbound mail via a commercial
service instead of Comcast) because I'd accidentally deleted a sendmail build
directory a couple years ago.

Out with sendmail, in with exim.  I'm posting to BLU because I am absolutely
THRILLED with the results of my efforts.  The last discussion about MTA
programs (email servers) in the BLU archives appears to date back to November
2003.  The topic's worth revisiting now, with the improved freeware available.

I didn't look at postfix so I don't know how it compares to exim.  You might
be able to accomplish the same things with postfix as with exim, perhaps
others here have experience with both.

If you just download the exim distro and install it on your system, it will
come up easily and do a serviceable job of relaying your email to/from a
personal domain.

If you start to look under the hood at the SMTP protocol, though, and read up
on spam control techniques--WOW.  This is hot stuff.  I still have
spamassassin installed on my machine--it was formerly knocking out about 98.5%
of the 10,000 messages (just under 100Mbytes) I get per month.  But with a bit
of tuning, you can get exim to block nearly 95% of email even before it gets
to spamassassin.  THAT MEANS I CAN NOW ACTUALLY REVIEW THE QUARANTINE FOLDER. 
And my correspondents will now get a politely-worded reject reply in the event
there are ever any false-positives.  In the past I just had to assume that an
occasional important message would get dev-nulled into the quarantine folder,
without me or my correspondent being the wiser.

But that's not all.  When you tinker with the SMTP protocol at this level, you
get the satisfaction of gumming up the works of spammers' outbound servers. 
Throw a few timeouts in there at each step of the protocol, and picture
hundreds of your friends doing the same thing--you get the feeling you could
actually make a dent in their ability to reach millions of mailboxes daily.

You can't do this if you throw in the towel and switch to a webmail account at
a place like Hotmail, or if you run a user-level filter like Spamassassin. 
Spam control at the Mail Transfer Agent level really works a whole lot better.

This posting is turning out longer than I wanted so I'll just list a few of
the techniques I threw into my configuration, to whet your appetite for a
similar overhaul:

- Insert 20-second delays at the HELO, MAIL FROM, RCPT TO stages of any
message that comes from a misconfigured or non-RFC-compliant server.  Spammers
almost by definition have to use non-compliant servers in order to spew at a
high rate.
- Consult a couple of the more-conservative RBL block-lists to reject most
spam even before accepting message DATA, which saves lots of overhead vs. the
Spamassassin technique.
- Reject binary MIME attachments, especially zip/pif/exe.
- Grey-list new correspondents for 1 hour (this blocks incoming spewage for
that long no matter how hard they try).
- Disable external access to certain system aliases that I use in monitoring
scripts (these had leaked out to spammers' databases in the past because
sendmail is so vulnerable to so-called 'dictionary' attacks).
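As an added illustration, not rich's own configuration or anything shipped by the Exim project, the ACL fragments below sketch most of the list above in Exim 4.5x syntax: a 20-second delay and refusal for clients that never sent HELO/EHLO, DNSBL rejection at RCPT time before DATA, internal monitoring aliases accepted only from the local network, and rejection of executable attachments. The host, domain and alias names are made up, the one-hour greylisting step is left to an external helper, and the MIME ACL assumes Exim was built with content scanning.

```exim
# Assumed placeholder lists; replace with your own networks, domains, aliases.
hostlist      relay_from_hosts = 127.0.0.1 : 192.168.1.0/24
domainlist    local_domains    = example.org
localpartlist internal_aliases = backup-report : cron-status : logwatch

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_mime = acl_check_mime      # requires Exim built WITH_CONTENT_SCAN

begin acl

acl_check_rcpt:
  # Local submissions and trusted hosts skip every check below.
  accept  hosts       = : +relay_from_hosts

  # Non-compliant clients (no HELO/EHLO at all) wait 20 seconds, then are
  # refused.  Modifiers after the condition only run when it matches.
  deny    message     = HELO/EHLO is required before RCPT TO
          condition   = ${if !def:sender_helo_name {yes}{no}}
          delay       = 20s

  # Conservative block lists, consulted before DATA so the body is never
  # transferred; the delay costs the sending server time, not us.
  deny    message     = $sender_host_address is listed at $dnslist_domain
          dnslists    = zen.spamhaus.org : bl.spamcop.net
          delay       = 20s

  # Monitoring aliases are not reachable from outside the local network.
  deny    message     = this address is not accepted from outside
          local_parts = +internal_aliases
          !hosts      = +relay_from_hosts

  # Accept mail for our own domains only; everything else is a relay attempt.
  accept  domains     = +local_domains
  deny    message     = relay not permitted

acl_check_mime:
  # Refuse binary attachments by the file extension of each MIME part.
  deny    message     = attachment $mime_filename is not accepted
          condition   = ${if match{${lc:$mime_filename}}{\N\.(exe|pif|zip|scr|com|bat)$\N}{yes}{no}}
  accept
```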

All of this works automatically, without any user-level white-listing.  When I
started this, I figured exim might block maybe 60% of the spam flow.  Reaching
a rate above 95% was quite the pleasant surprise!

So--if you aren't running your own mail server because you think it's hard to
configure, or if you're running an obsolete software package, consider exim. 
(Current version=4.51.)

Any thoughts on this subject from email gurus here?

-rich





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org