Debian Exim Secure Authentication Pseudo-HOW-TO
Do not use exim version 3 any more; this document is written for that version only.
Please upgrade to a newer version of exim and use the documentation written for it.
This Pseudo-HOW-TO describes briefly how to configure secure SMTP
authentication for exim v3, using either cram-md5, login or plain over
SSL.
What you need:
- A running installation of exim v3 (>= 3.20) built with SSL support
  ( ...or: apt-get install exim-tls)
- OpenSSL
  ( ...or: apt-get install openssl)
- An SSL certificate (see e.g. section 38.4 of the exim documentation, or https://www.cacert.org/)
Configure:
- exim v3 (nano /etc/exim/exim.conf):
- Go to the "Main Configuration Section" and add the option
"host_auth_accept_relay" if it isn't already there. This option is a
host list and defines which hosts are permitted to relay mail once
they have successfully authenticated themselves. Usually this can be
everyone:
host_auth_accept_relay = *
- If you are using realtime DNS blacklists, you need to exclude hosts
that have successfully authenticated themselves. Without this setting,
a client connecting from a blacklisted IP address may not send any
mail through exim, even if it has authenticated.
rbl_hosts = ! 127.0.0.1/32 : ${if eq {$authenticated_sender}{} {$sender_host_address}{}}
You may want to exclude your local network, too (precede it with an exclamation mark!).
- Turn on support for SSL connections. Exim recognises the
"STARTTLS" command and thus accepts SSL and non-SSL connections on the
same port, by default 25. You need to add the following lines to the
"Main Configuration Section":
# TLS Configuration
tls_advertise_hosts = *
tls_certificate = /etc/ssl/certs/my_certificate.crt
tls_privatekey = /etc/ssl/certs/my_private_key.key
- You need to create a password file. This file holds all valid
username/password pairs, one pair per line. Furthermore, you need to
tell exim how to read your password file. But first decide whether you
want to share the password file between exim and your IMAP/POP3
server:
- exim only
If you want to use a password file for exim alone and not share it
with another server service, take the configuration snippet for
UW-IMAPd and create your password file as /etc/cram-md5.pwd in the
form:
<login name> : <password>
Add the lines found in the appropriate configuration snippet to the
last configuration section, "Authentication Configuration", in
exim.conf. Save the password file as /etc/cram-md5.pwd.
Change the permissions and ownership of the password file:
chown root:mail /etc/cram-md5.pwd
chmod 640 /etc/cram-md5.pwd
Make sure your IMAP/POP3 server can read the password file! You may
need to add it to the "mail" group (e.g. adduser dovecot mail).
Edit your new password file /etc/cram-md5.pwd and add your mail users,
one per line.
- Optionally configure your IMAP or POP server to use the same
password file as exim.
Test your setup:
- Take your favourite mail client and test every combination of
authentication mechanism and right and wrong username/password pairs.
- Send some mails and search the lowest "Received:" header for the
word "asmtp"; it indicates successful authentication. Also watch the
server's log files.
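As an added check, not part of this HOW-TO or of exim, the following Python audits a password file for the ownership, mode and "<login name> : <password>" line format described in the password-file step, and inspects the lowest "Received:" header for the "asmtp" marker named under "Test your setup". The function names, the sample file contents and the expected owner (uid 0, i.e. root) are assumptions of this example.

```python
import os
import re
import stat
import email
import tempfile

def audit_password_file(path, expect_uid=0):
    """Audit an exim v3 password file such as /etc/cram-md5.pwd: owner,
    0640-style mode and the '<login name> : <password>' line format.
    Returns a list of findings; an empty list means nothing looked wrong."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if expect_uid is not None and st.st_uid != expect_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expect_uid))
    if mode & 0o007:
        findings.append("world-accessible mode %o, expected 0640" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable mode %o, expected 0640" % mode)
    seen = set()
    with open(path) as f:
        for n, line in enumerate(f, 1):
            if not line.strip():
                continue  # blank lines are harmless
            m = re.match(r"^\s*([^\s:]+)\s*:\s*(.*?)\s*$", line)
            if not m:
                findings.append("line %d: not '<login name> : <password>'" % n)
                continue
            login, password = m.groups()
            if not password:
                findings.append("line %d: empty password for %s" % (n, login))
            if login in seen:
                findings.append("line %d: duplicate login %s" % (n, login))
            seen.add(login)
    return findings

def lowest_received_is_authenticated(raw_message):
    """True if the lowest (earliest) Received: header contains the word 'asmtp',
    the marker the HOW-TO names for a successfully authenticated session."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    return bool(received) and re.search(r"\basmtp\b", received[-1]) is not None

def write_sample_password_file():
    """Write a constructed password file with deliberate mistakes; returns its path."""
    fd, path = tempfile.mkstemp(prefix="cram-md5-sample.")
    with os.fdopen(fd, "w") as f:
        f.write("alice : correct horse battery staple\nbob:\nalice : again\nbroken line\n")
    os.chmod(path, 0o640)  # the mode the HOW-TO prescribes
    return path
```

Run audit_password_file("/etc/cram-md5.pwd") on a real installation after the chown/chmod step; pass expect_uid=None to skip the owner check when testing as a non-root user.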
Enjoy. Comments and corrections welcome.
Adrian Zaugg. (info at ente dot limmat dot ch)
(v0.2.2, 2008/03/03)
Other Exim3 Pseudo-How-Tos are available.