Exim Installation and Configuration with Debian


This page is intended to provide specific instructions for configuring Exim4 on Debian (stable) so it operates with MailScanner. You should probably read the general Exim installation and configuration guide first. Nearly all the steps on that page are replicated here but “Debian-ised” so that future package updates from Debian won’t break your Exim installation.

For completeness, I’ll restate it: From the Exim FAQ: “Accepting and delivering a message are two entirely separate, independent processes, which communicate only by writing/reading the message on the disc.”

MailScanner separates these two parts even further, by requiring them to use separate queues. Incoming mail is accepted into one queue, and outgoing mail is sent only from the other queue. The only way mail can get from one queue to the other is through MailScanner.

Since there is no way to tell Exim to use two separate queues in this manner, we have to use two separate Exim processes. Each of these processes must have its own configuration file, so that the spool directories can be different.

To ensure that all mail is scanned, the “accepter” process (which accepts incoming messages from the network, or from the local command-line) must be prevented from actually sending any mail out, at least in normal use. This implies that we must use the compiled-in default path for the Exim configuration file for the accepter process – otherwise local users would evade MailScanner when sending mail using the command-line interface to Exim. Don’t forget that many MUAs will also use the command-line interface without specifying a path for the configuration file, so this really is a must.

Configuration of Exim

Debian maintains two different versions of Exim under two different package names.

  • exim = Exim 3.3x
  • exim4 = Exim 4.5x

For the purpose of this guide, it is assumed you have the “exim4” package installed.

Debian further complicates matters by giving you the option of a monolithic configuration file or a distributed directory hierarchy of smaller configuration files. Both methods have advantages and drawbacks, but the choice isn’t particularly important because the configuration file that Debian’s init script uses is dynamically generated each time the process is started/restarted (more on this later). For now, you simply need to decide which method of Exim configuration you want to use; this guide is written based on the distributed configuration model.

Firstly, we need to duplicate everything Exim is currently doing, as this will form the basis of the outgoing mail queue. This needs to be done with the Exim process stopped (to avoid copying queue files etc). It is important that the new configuration maintains the same permissions as the existing configuration, so we’ll use the “-a” switch:

  cp -a /etc/exim4 /etc/exim4.out
  cp -a /var/spool/exim4 /var/spool/exim4.out
  cp -a /etc/init.d/exim4 /etc/init.d/exim4.out
  cp -a /etc/default/exim4 /etc/default/exim4.out

As can be seen above, we now have two spool directories, /var/spool/exim4 for incoming (unprocessed) mail and /var/spool/exim4.out for outgoing (scanned) mail. We need to make two changes to the mail configuration:

  • tell the outgoing Exim to use a different spool directory
  • prevent the incoming Exim from delivering the mail straight away (queue only)

Spool Directory Locations

To change the spool directory you need to edit /etc/exim4.out/conf.d/main/02_exim4-config_options and change the value of SPOOLDIR:

  SPOOLDIR = /var/spool/exim4.out

Deferring Incoming Messages (Queue Only)

To prevent the incoming Exim from delivering messages we need to tell it to queue_only. You need to add the following to the bottom of the /etc/exim4/conf.d/main/02_exim4-config_options file:

  # Custom section for MailScanner compatibility.  This daemon should only queue messages!
  # The queue_only_override prevents any user from bypassing the mail filter (MailScanner)
  .ifndef QUEUEONLY
  queue_only = true
  queue_only_override = false
  .endif

Note the “queue_only_override” is optional and simply prevents any user from bypassing the mail filter if they use the incoming Exim process. This isn’t normally a problem and shouldn’t prevent you from releasing quarantined mails etc. Simply call exim using the outgoing configuration and all is well.

You also should modify /etc/default/exim4 as follows:


That’s it! Your Exims are configured.

Running Exim

This is where things get a little weird. As stated earlier, Debian dynamically generates the configuration for Exim every time it is started/restarted. The default location of the configuration is /var/lib/exim4/config.autogenerated. This configuration is the result of two things (primarily):

  1. The /usr/sbin/update-exim4.conf script
  2. The /etc/exim4 configuration directory.

The manual page for /usr/sbin/update-exim4.conf explains how this is done, but all you really need to know is that /etc/exim4/update-exim4.conf.conf is the magic that glues it all together. For both the incoming and outgoing Exims, this file is the same. On my system, I’ve actually symbolically linked the outgoing to the incoming update-exim4.conf.conf, to save me having to edit it twice. This may not be appropriate for all configurations.

Modify Outgoing Exim Init Script

Because the two Exims have different configuration files, we need to modify the /etc/init.d/exim4.out script:

  1. modify the Exim options to not listen on any ports and only run the queue.
  2. configure it to generate an automatic configuration with a different name.
  3. configure to use the new configuration file.

Modifying the outgoing Exim to only run the queue, and not spawn a listening process, is actually handled in the /etc/default/exim4.out file. Modify the line as follows:


Now generate a different configuration file. This is done in the init script itself. Modify the following lines near the top of /etc/init.d/exim4.out script:

  UPEX4OPTS="-o /var/lib/exim4/config.out.autogenerated -d /etc/exim4.out"

The final step is to configure it to use the new outgoing configuration file which is done in the /etc/default/exim4.out. Modify the following line:

  COMMONOPTIONS='-C /var/lib/exim4/config.out.autogenerated'

You may also want to make the startup descriptions that are dumped to the screen a little more indicative of what is going on. In both scripts there is a line with NAME=.... Edit it to something that makes sense, e.g.:

  NAME="exim4 incoming"
  NAME="exim4 outgoing"

You also need to edit /etc/init.d/exim4.out so that it sources the outgoing defaults file. Change the line:

  [ -f /etc/default/exim4 ] && . /etc/default/exim4

to:

  [ -f /etc/default/exim4.out ] && . /etc/default/exim4.out

Configuration of MailScanner

MailScanner itself needs to know how to invoke Exim to send mail; it does this to send warning messages to sender, recipients and postmaster when a virus is detected, and to initiate an immediate delivery attempt for a message when it has been placed in the outgoing queue. There are two settings in the MailScanner configuration that tell it how to invoke a mailer (in this case Exim); one for each of these cases.

The “Sendmail” setting is used to send mail that has been freshly created by MailScanner (i.e. warnings). You can use a simple setting such as this:

      Sendmail = /usr/sbin/exim4

However that causes warnings to be re-scanned before being sent out. To bypass this you can set:

      Sendmail = /usr/sbin/exim4 -C /var/lib/exim4/config.out.autogenerated

You might also like to get Exim to mark messages that have been generated by MailScanner in the log like this:

      Sendmail = /usr/sbin/exim4 -oMr MailScanner

The “Sendmail2” setting is used to initiate a delivery attempt for a message that has just been scanned. It defaults to being the same as the “Sendmail” setting, but you need to tell Exim to use the outgoing configuration:

      Sendmail2 = /usr/sbin/exim4 -C /var/lib/exim4/config.out.autogenerated

MailScanner also needs to be told where the Exim incoming and outgoing spool directories are. In the simple case these settings will work; note that MailScanner needs to be explicitly told the input subdirectory which is implicit in the Exim configuration.

      Incoming Queue Dir = /var/spool/exim4/input
      Outgoing Queue Dir = /var/spool/exim4.out/input

If you have split_spool_directory in your Exim configuration the configuration is slightly different:

      Incoming Queue Dir = /var/spool/exim4/input/*
      Outgoing Queue Dir = /var/spool/exim4.out/input
      Split Exim Spool = yes

(The latter option is near the bottom of the default MailScanner.conf.) You need to ensure that all the spool (sub)directories are created before starting MailScanner for the first time.

You will also need to specify the Exim user, which will typically be:

      Run As User = Debian-exim
      Run As Group = Debian-exim
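
The settings made so far can be checked together before MailScanner is started for the first time. The script below is an added example, not part of the original page: it does a line-based read of the two 02_exim4-config_options files and MailScanner.conf and reports any setting that would let mail skip the scanner. The function names, the sample files written by write_sample, and the literal matching (true/false exactly as written on this page, no macro or .ifdef evaluation) are assumptions of the example.

```shell
#!/bin/sh
# Line-based parse; no Exim macro expansion or .ifdef evaluation (assumption).

# conf_value FILE KEY: print the last "KEY = value" in FILE, skipping comments.
conf_value() {
    awk -v key="$2" '/^[ \t]*#/ { next }
        { sub(/^[ \t]+/, "")
          if (index($0, key) != 1) next
          rest = substr($0, length(key) + 1)
          if (rest !~ /^[ \t]*=/) next   # longer key, e.g. queue_only_override
          sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest); val = rest }
        END { print val }' "$1"
}

fail() { echo "FAIL: $*"; bad=1; }

# audit_split_queues IN_OPTS OUT_OPTS MAILSCANNER_CONF
# Prints one line per problem; returns 0 only if every check passes.
audit_split_queues() {
    bad=0
    [ "$(conf_value "$1" queue_only)" = true ] ||
        fail "incoming Exim is not queue_only; it would deliver unscanned mail"
    [ "$(conf_value "$1" queue_only_override)" = false ] ||
        fail "queue_only_override is not false; -od options can bypass queueing"
    in_spool=$(conf_value "$1" SPOOLDIR); out_spool=$(conf_value "$2" SPOOLDIR)
    [ -n "$out_spool" ] && [ "$in_spool" != "$out_spool" ] ||
        fail "incoming and outgoing Exim share spool '$in_spool'"
    ms_in=$(conf_value "$3" "Incoming Queue Dir")   # may end in /* (split spool)
    [ "${ms_in%/\*}" = "$in_spool/input" ] ||
        fail "Incoming Queue Dir '$ms_in' does not match $in_spool/input"
    [ "$(conf_value "$3" "Outgoing Queue Dir")" = "$out_spool/input" ] ||
        fail "Outgoing Queue Dir does not match $out_spool/input"
    case $(conf_value "$3" Sendmail2) in
        *" -C "*) ;;
        *) fail "Sendmail2 has no -C; delivery would use the incoming configuration" ;;
    esac
    return "$bad"
}

# write_sample DIR: constructed sample files mirroring this page's settings.
write_sample() {
    printf '%s\n' 'SPOOLDIR = /var/spool/exim4' 'queue_only = true' \
        'queue_only_override = false' > "$1/in_opts"
    printf '%s\n' 'SPOOLDIR = /var/spool/exim4.out' > "$1/out_opts"
    printf '%s\n' 'Incoming Queue Dir = /var/spool/exim4/input' \
        'Outgoing Queue Dir = /var/spool/exim4.out/input' \
        'Sendmail2 = /usr/sbin/exim4 -C /var/lib/exim4/config.out.autogenerated' \
        > "$1/MailScanner.conf"
}
```

On a real system, source the script and call audit_split_queues with /etc/exim4/conf.d/main/02_exim4-config_options, /etc/exim4.out/conf.d/main/02_exim4-config_options and the path to your MailScanner.conf.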

Examples of an init script and default file for Debian

Here are my own files for using exim as described above. You place the init script in /etc/init.d/ and the default file in /etc/default/


This should work with all versions of MailScanner (tested up to 4.77) and Exim (tested up to 4.69).

I would recommend everybody to read the above text first though and “do it yourself”, but you can compare your own results with mine to see any possible changes.



If you have issues with anything, there is a mailing list and IRC channel full of extremely helpful people who assist people with MailScanner for free all day, every day.

Configuration of Authenticated SMTP over TLS

To come...

documentation/configuration/mta/exim/installation/debian.txt · Last modified: 2009/06/16 09:52 by jonascph