Setting up a Secure Exim4 SMTP Server
This brief guide explains the steps you can take to get basic SMTP AUTH working with Debian's exim4 package (for users connecting to your server, not for forwarding via your ISP).
First of all, generate an Exim SSL certificate:
# /usr/share/doc/exim4-base/examples/exim-gencert
Now edit /etc/exim4/exim4.conf.template. Uncomment the following lines:
# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$.....
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
Once that has been done, create (or edit, if it exists) /etc/exim4/exim4.conf.localmacros and add the line:
MAIN_TLS_ENABLE = true
To set up the users and passwords, create /etc/exim4/passwd:
htpasswd -c -d /etc/exim4/passwd smtpuser
Repeat (omitting -c) for any other logins you'd like to add.
Change the permissions on /etc/exim4/passwd and /etc/exim4/exim4.conf.localmacros to mode 640, owned by root.Debian-exim (user root, group Debian-exim).
Update your configuration and restart Exim4:
# update-exim4.conf
# /etc/init.d/exim4 restart
These steps allow relaying from authenticated connections. Furthermore, authenticated connections that require relaying are forced to use TLS. Port 25 is used by default, but port 587 can be enabled as well by adding
daemon_smtp_ports = smtp : 587
to /etc/exim4/exim4.conf.localmacros. Port 587 can then be opened up on the router (port 25 could also be, but it may be blocked or redirected to the ISP MTA).
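
A check to run after the steps above, as an added example that is not part of the original guide or of the exim4 package: the hypothetical helper audit_exim_passwd confirms that the password file has mode 640 and flags entries whose hash is the 13-character traditional DES crypt written by htpasswd -d, which only uses the first eight characters of a password. It assumes one user:hash entry per line and does not check file ownership.

```sh
#!/bin/sh
# Added example (hypothetical helper, not part of the exim4 package).
# Audits an SMTP AUTH password file with one user:hash entry per line.
# Usage: audit_exim_passwd /etc/exim4/passwd
# Prints one finding per line; returns 0 when there are none.
audit_exim_passwd() {
    file=$1
    findings=0

    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi

    # Mode 640 (-rw-r-----) keeps the hashes away from other local users.
    perms=$(ls -ld "$file" | cut -c1-10)
    if [ "$perms" != "-rw-r-----" ]; then
        echo "MODE $file is $perms, expected -rw-r----- (640)"
        findings=$((findings + 1))
    fi

    while IFS=: read -r user hash rest || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -z "$hash" ]; then
            echo "EMPTY $user has no password hash"
            findings=$((findings + 1))
        elif [ "${#hash}" -eq 13 ] &&
             ! printf '%s' "$hash" | grep -q '[^./0-9A-Za-z]'; then
            # 13 characters from the crypt alphabet: traditional DES crypt,
            # which ignores everything after the 8th password character.
            echo "DES $user has a traditional DES crypt hash"
            findings=$((findings + 1))
        fi
    done < "$file"

    [ "$findings" -eq 0 ]
}
```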