Friday, March 4, 2011

Exim4 SSL/TLS Configuration

Here we are going configure exim4 to use SSL/TLS for incoming connections:
  1. First of all let create an exim4 certificate request (see here how to create a certificate authority):
    openssl req -newkey rsa:2048 -keyout exim.key -out exim.csr -days 3650 -nodes
  2. Now let sign it with our certificate authority:
    openssl ca -out exim.crt -infiles exim.csr
  3. Here we get two important files: exim.key (that is private key) and exim.crt (x509 certificate file). Let copy them to /etc/exim4
  4. Secure certificates:
    chown root:Debian-exim exim.key exim.crt
    chmod g=r,o= exim.key exim.crt
  5. Enable exim4 daemon listening options for ports 25 and 465 (file /etc/default/exim4):
    SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/'
  6. Turn on SSL/TLS option (new file /etc/exim4/conf.d/main/00_exim4-localmacros):
    MAIN_TLS_ENABLE = true
  7. Restart exim4 and have a look at log file when you send a test message.
    /etc/init.d/exim4 restart
    echo test | mail -s "ssl/tls test" root@dev.local
    Here is what you will see in log file (/var/log/exim4/mainlog):
    ... P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 ...
    If for some reason you can not see esmtps message in log file it most likely it doesn't use SSL/TLS for local delivery, try from remote machine.

Alternative Certificate Location

You can specify any location for ssl/tls certificate (file /etc/exim4/conf.d/main/00_exim4-localmacros):
This is useful when you host both SMTP and IMAP services on the same host. Note, group Debian-exim must have read access to both files.


  1. Что то не работает, но всё равно спасибо.

    1. Если не работает, то что за ошибка?

    2. В лог файле строк RSA_AES_256_CBC_SHA1 нет, видимо не прикрутил сертификат (ОС Debian Squeeze).