====== Setting up a Secure Exim4 SMTP Server ======

This brief guide explains the steps you can take to get basic SMTP AUTH working with Debian's exim4 package. (It covers users connecting to your server, not forwarding via your ISP.)

First of all, generate an Exim SSL certificate:

  # /usr/share/doc/exim4-base/examples/exim-gencert

Now edit ''/etc/exim4/exim4.conf.template'' and uncomment the following lines:

  # plain_server:
  #   driver = plaintext
  #   public_name = PLAIN
  #   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$.....
  #   server_set_id = $2
  #   server_prompts = :
  #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  #   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  #   .endif

Once that has been done, create ''/etc/exim4/exim4.conf.localmacros'' (or edit it if it exists) and add the line:

  MAIN_TLS_ENABLE = true

To actually set up the users and passwords, create ''/etc/exim4/passwd'':

  htpasswd -c -d /etc/exim4/passwd smtpuser

Repeat (omitting ''-c'') for any other logins you'd like to add.

Change the permissions on ''/etc/exim4/passwd'' and ''/etc/exim4/exim4.conf.localmacros'' to 640 and the ownership to root.Debian-exim.

Update your configuration and restart Exim4:

  # update-exim4.conf
  # /etc/init.d/exim4 restart

These steps allow relaying from authenticated connections. Furthermore, authenticated connections that require relaying are forced to use TLS.

Port 25 is used by default, but port 587 can be added by adding ''daemon_smtp_ports = smtp : 587'' to ''/etc/exim4/exim4.conf.localmacros''. Port 587 can then be opened up on the router (port 25 could be as well, but it may be blocked or redirected to the ISP's MTA).
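
To confirm that the finished setup only offers AUTH once TLS is active (the effect of ''server_advertise_condition'' above), the server's EHLO reply can be compared before and after STARTTLS. The following is an added example, not part of the original guide or of the exim4 package; the function names, the sample replies and the ''cafile'' parameter (a path to a copy of the server certificate) are assumptions made for illustration.

```python
import smtplib
import ssl

# Constructed EHLO replies (reply codes stripped, as smtplib stores them).
CLEAR_OK = "mail.example.org Hello client [192.0.2.10]\nSIZE 52428800\nPIPELINING\nSTARTTLS\nHELP"
TLS_OK = "mail.example.org Hello client [192.0.2.10]\nSIZE 52428800\nPIPELINING\nAUTH PLAIN\nHELP"
# What a server that allows passwords without TLS would send on the cleartext channel.
CLEAR_BAD = CLEAR_OK.replace("STARTTLS", "AUTH PLAIN\nSTARTTLS")


def extensions(ehlo_reply):
    """Map each EHLO keyword to its parameter list; line 1 is the greeting."""
    ext = {}
    for line in ehlo_reply.splitlines()[1:]:
        words = line.replace("=", " ").upper().split()  # also accepts legacy "AUTH=PLAIN"
        if words:
            ext.setdefault(words[0], []).extend(words[1:])
    return ext


def check_auth_policy(clear_reply, tls_reply):
    """Return a list of findings; an empty list means the setup behaves as described."""
    clear, tls = extensions(clear_reply), extensions(tls_reply)
    findings = []
    if "STARTTLS" not in clear:
        findings.append("STARTTLS not offered: MAIN_TLS_ENABLE is not in effect")
    if "AUTH" in clear:
        findings.append("AUTH advertised before TLS: passwords could cross the wire in cleartext")
    if "PLAIN" not in tls.get("AUTH", []):
        findings.append("AUTH PLAIN not advertised after STARTTLS: plain_server not active")
    return findings


def probe(host, port=587, cafile=None):
    """Collect both EHLO replies from a live server and check them."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        clear = smtp.ehlo_resp.decode("ascii", "replace")
        tls = ""
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()
            tls = smtp.ehlo_resp.decode("ascii", "replace")
    return check_auth_policy(clear, tls)


if __name__ == "__main__":
    print(check_auth_policy(CLEAR_OK, TLS_OK))   # constructed good case
    print(check_auth_policy(CLEAR_BAD, TLS_OK))  # constructed misconfiguration
```

Run ''probe()'' against your own server from an outside host after the restart; any returned finding names the step of this guide that did not take effect.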