more logging 2

Dockerfile

@@ -3,7 +3,13 @@ FROM alpine:3.22.2
 LABEL Maintainer="Wolfgang Hottgenroth <woho@hottis.de>"
 LABEL ImageName=""
 
-RUN apk add --no-cache exim
+RUN \
+  apk add --no-cache exim && \
+  mkdir -p /var/log/exim && \
+  chown exim:mail /var/log/exim && \
+  ln -sf /dev/stdout /var/log/exim/mainlog && \
+  ln -sf /dev/stdout /var/log/exim/rejectlog && \
+  ln -sf /dev/stdout /var/log/exim/paniclog 
 
 COPY exim.conf /etc/exim
 RUN chmod 644 /etc/exim/exim.conf
@@ -12,6 +18,6 @@ WORKDIR /etc/exim
 
 EXPOSE 25
 
-CMD [ "/usr/sbin/exim", "-bd", "-q15m", "-v" ]
+CMD [ "/usr/sbin/exim", "-bdf", "-q15m" ]
 
  

deployment/deploy-yml.tmpl

@@ -32,6 +32,14 @@ spec:
             - name: smtp
               containerPort: 25
               protocol: TCP
+          readinessProbe:
+            tcpSocket:
+              port: 25
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 3
           volumeMounts:
             - name: exim-config
               mountPath: /etc/exim/db
@@ -66,6 +74,7 @@ metadata:
   name: exim-forwarder
 spec:
   type: LoadBalancer
+  externalTrafficPolicy: Local
   selector:
     app: exim-forwarder
   ports:

exim.conf

@@ -6,6 +6,10 @@ tls_advertise_hosts = *
 tls_certificate = /etc/exim/ssl/server.crt
 tls_privatekey = /etc/exim/ssl/server.key
 
+log_file_path = /var/log/exim/%slog
+log_selector  = -all
+message_logs  = true
+
 
 # acl_smtp_connect = acl_connect
 acl_smtp_helo = acl_helo
@@ -26,11 +30,11 @@ acl_helo:
 
 acl_rcpt:
   # recipient verification
-  deny  message = User unknown
+  deny  message = Access denied (1)
       !verify = recipient
   
   # SPF check
-  deny  message = Access denied (1)
+  deny  message = Access denied (2)
         spf = fail
 
   # Greylisting
@@ -38,12 +42,12 @@ acl_rcpt:
         !seen = 72h / key=${sender_address}_${local_part}@${domain}
 
   # Rate limit
-  deny  message = Access denied (2)
+  deny  message = Access denied (3)
         ratelimit = 10 / 10m / strict
 
   accept condition = ${if match_domain{$domain}{+forward_domains}{yes}{no}}
 
-  deny  message = Access denied (x)
+  deny  message = Access denied (4)
 
 acl_data:
   warn  dkim_status = invalid

install.yml

@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: exim-forwarder-config
-data:
-  domains: |
-    mainscnt.eu
-  addresses: |
-    wn@mainscnt.eu: wolfgang.hottgenroth@icloud.com
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: exim-forwarder
-  annotations:
-    configmap.reloader.stakater.com/reload: "exim-forwarder-config"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: exim-forwarder
-  template:
-    metadata:
-      labels:
-        app: exim-forwarder
-    spec:
-      containers:
-        - name: exim-forwarder
-          image: your-registry/exim-forwarder:latest
-          ports:
-            - name: smtp
-              containerPort: 25
-              protocol: TCP
-          volumeMounts:
-            - name: exim-config
-              mountPath: /etc/exim
-              readOnly: true
-      volumes:
-        - name: exim-config
-          configMap:
-            name: exim-forwarder-config
-            items:
-              - key: domains
-                path: forward_domains
-              - key: addresses
-                path: forward_addresses
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: exim-forwarder
-spec:
-  type: LoadBalancer
-  selector:
-    app: exim-forwarder
-  ports:
-    - name: smtp
-      port: 25
-      targetPort: 25
-      protocol: TCP
-

snippets/certificate-test.yml

@@ -1,24 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: mx-hottis-de
-spec:
-  secretName: mx-hottis-de-cert
-  duration: 2160h
-  renewBefore: 360h
-  subject:
-    organizations:
-      - hottis-de
-  isCA: false
-  privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 2048
-  usages:
-    - server auth
-  dnsNames:
-    - mx.hottis.de
-  issuerRef:
-    name: letsencrypt-staging-http
-    kind: ClusterIssuer
-    group: cert-manager.io

snippets/exim4.conf

@@ -1,74 +0,0 @@
-domainlist forward_domains = lsearch;/etc/exim4/forward_domains
-
-tls_advertise_hosts = *
-
-
-acl_smtp_connect = acl_connect
-acl_smtp_helo = acl_helo
-acl_smtp_rcpt = acl_rcpt
-acl_smtp_data = acl_data
-
-begin acl
-
-acl_connect:
-  deny message = Reverse DNS required
-       !verify = reverse_host_lookup
-  accept
-
-acl_helo:
-  deny message = Invalid HELO/EHLO name
-       condition = ${if match{$sender_helo_name}{\N^(localhost|localhost\.localdomain|\[?[0-9]{1,3}(\.[0-9]{1,3}){3}\]?)$\N}{yes}{no}}
-   accept
-
-acl_rcpt:
-  require verify = recipient
-
-  # SPF check
-  deny  message = Access denied (1)
-        spf = fail
-
-  # Greylisting
-  defer message = Try again later
-        !seen = 72h / key=${sender_address}_${local_part}@${domain}
-
-  # Rate limit
-  deny  message = Access denied (2)
-        ratelimit = 10 / 10m / strict
-
-  accept condition = ${if match_domain{$domain}{+forward_domains}{yes}{no}}
-
-  deny  message = Access denied (x)
-
-acl_data:
-  warn  dkim_status = invalid
-        add_header = X-DKIM-Status: invalid
-  warn  dkim_status = pass
-        add_header = X-DKIM-Status: pass
-
-  accept
-
-
-begin routers
-
-forward_aliases:
-  driver  = redirect
-  domains = +forward_domains
-  data    = ${lookup{$local_part@$domain}lsearch{/etc/exim4/forward_addresses}}
-  no_expn
-  allow_defer
-  allow_fail
-
-dnslookup_out:
-  driver    = dnslookup
-  domains   = ! +forward_domains
-  transport = remote_smtp
-  no_more
-
-
-begin transports
-
-remote_smtp:
-  driver = smtp
-  hosts_require_tls = *
-
-

snippets/forward_addresses

@@ -1 +0,0 @@
-wn@mainscnt.eu: wolfgang.hottgenroth@icloud.com

snippets/forward_domains

@@ -1,2 +0,0 @@
-mainscnt.eu
-