- First of all let create an exim4 certificate request (see here how to create a certificate authority):
openssl req -newkey rsa:2048 -keyout exim.key -out exim.csr -days 3650 -nodes
- Now let sign it with our certificate authority:
openssl ca -out exim.crt -infiles exim.csr
- Here we get two important files: exim.key (that is private key) and exim.crt (x509 certificate file). Let copy them to /etc/exim4
- Secure certificates:
chown root:Debian-exim exim.key exim.crt chmod g=r,o= exim.key exim.crt
- Enable exim4 daemon listening options for ports 25 and 465 (file /etc/default/exim4):
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
- Turn on SSL/TLS option (new file /etc/exim4/conf.d/main/00_exim4-localmacros):
MAIN_TLS_ENABLE = true
- Restart exim4 and have a look at log file when you send a test message.
/etc/init.d/exim4 restart echo test | mail -s "ssl/tls test" firstname.lastname@example.orgHere is what you will see in log file (/var/log/exim4/mainlog):
... P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 ...If for some reason you can not see esmtps message in log file it most likely it doesn't use SSL/TLS for local delivery, try from remote machine.
Alternative Certificate LocationYou can specify any location for ssl/tls certificate (file /etc/exim4/conf.d/main/00_exim4-localmacros):
MAIN_TLS_CERTIFICATE=/etc/ssl/certs/mail.dev.local-cert.pem MAIN_TLS_PRIVATEKEY=/etc/ssl/private/mail.dev.local-key.pemThis is useful when you host both SMTP and IMAP services on the same host. Note, group Debian-exim must have read access to both files.