====== Exim4 - Enable SMTP-Auth ======
===== Generate an Exim SSL certificate =====
Exim provides a script for this. Either run:
/usr/share/doc/exim4-base/examples/exim-gencert
or create a certificate manually. Within the /etc/exim4 directory run:
openssl req -x509 -sha256 -days 9000 -nodes -newkey rsa:4096 -keyout exim.key -out exim.crt
This shows:
Generating a 4096 bit RSA private key
............................................++
.............................................................................................................................++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Jersey
Locality Name (eg, city) []:St. Helier
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:mail.sharewiz.net
Email Address []:admin@sharewiz.net
This will create an **exim.key** and **exim.crt** file in /etc/exim4.
===== Enable the basic SMTP-Auth in the Exim config file =====
Uncomment the following lines. TODO: don't do this; do the saslauthd step in the next section instead.
# plain_server:
# driver = plaintext
# public_name = PLAIN
# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
# server_set_id = $2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
# .endif
and
login_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
===== saslauthd Authentication =====
You need to configure Exim4 to use the saslauthd for authentication. Edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment the plain_saslauthd_server and login_saslauthd_server sections:
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
#
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
===== Configuring SASL =====
This section provides details on configuring the saslauthd to provide authentication for Exim4.
Install the sasl2-bin package.
apt-get install sasl2-bin
To configure saslauthd, edit the /etc/default/saslauthd configuration file and change START=no to:
START=yes
Next the Debian-exim user needs to be part of the sasl group in order for Exim4 to use the saslauthd service:
sudo adduser Debian-exim sasl
Now start the saslauthd service:
sudo /etc/init.d/saslauthd start
Exim4 is now configured with SMTP AUTH using TLS and SASL authentication.
===== Enable TLS =====
Create (or edit if it exists) /etc/exim4/exim4.conf.localmacros
Add the line:
MAIN_TLS_ENABLE = true
===== Set up the users and passwords =====
Users and their passwords are held within the **/etc/exim4/passwd** file in the following format:
username:hashedpassword
Create **/etc/exim4/passwd** if it does not exist.
Copy output from:
htpasswd -nd usernameforsmtp
or
mkpasswd -H md5
and paste it into /etc/exim4/passwd (mkpasswd prints only the hash, so prefix it with the username and a colon).
Repeat for any other logins you'd like to add.
==== Set the permissions and ownership ====
This file should have permissions set to 640 and have ownership of root:Debian-exim.
chmod 640 /etc/exim4/passwd
chown root:Debian-exim /etc/exim4/passwd
===== Update your configuration and Restart Exim4 =====
update-exim4.conf
/etc/init.d/exim4 restart
===== An SMTP AUTH session =====
220-mail.xxxxxxxx.com ESMTP Exim 4.34 #1 Wed, 23 Jun 2004 17:35:13 -0700
EHLO mail.myserver.com
250-mail.xxxxxxxx.com Hello mail.myserver.com [192.168.0.156]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
bXl1c2VybmFtZQ==
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA==
235 Authentication succeeded
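The session above shows why the ''server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}'' lines matter: AUTH is offered while the connection is still plaintext, and AUTH LOGIN only base64-encodes the credentials. This added example (not from the page or from Exim) audits a captured session for exactly that and mirrors the advertise condition; the transcript is the constructed sample from this page.

```python
import base64
import re

# Constructed sample: the SMTP AUTH session from this page, captured on a
# connection where STARTTLS was advertised but never issued by the client.
SESSION = """\
220-mail.xxxxxxxx.com ESMTP Exim 4.34 #1 Wed, 23 Jun 2004 17:35:13 -0700
EHLO mail.myserver.com
250-mail.xxxxxxxx.com Hello mail.myserver.com [192.168.0.156]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
bXl1c2VybmFtZQ==
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA==
235 Authentication succeeded
"""

def b64(s: str) -> str:
    """Base64 is an encoding, not encryption: anyone on the path can reverse it."""
    return base64.b64decode(s).decode("utf-8", "replace")

def audit_session(transcript: str) -> dict:
    """Walk a captured SMTP session and report two defender-relevant facts:
    the AUTH mechanisms advertised while $tls_cipher was still empty (before a
    STARTTLS command), and any AUTH LOGIN credentials sent over plaintext."""
    tls_active = False
    findings = {"auth_mechs_pre_tls": [], "plaintext_credentials": None}
    lines = transcript.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r"STARTTLS", line, re.I):   # client command, not the 250- line
            tls_active = True
        m = re.match(r"250-AUTH\s+(.*)", line)
        if m and not tls_active:
            findings["auth_mechs_pre_tls"] = m.group(1).split()
        if re.fullmatch(r"AUTH LOGIN", line, re.I) and not tls_active and i + 4 < len(lines):
            # AUTH LOGIN: 334 prompts alternate with base64 client replies
            findings["plaintext_credentials"] = (b64(lines[i + 2]), b64(lines[i + 4]))
    return findings

def advertise_condition(tls_cipher: str) -> str:
    """Expansion of ${if eq{$tls_cipher}{}{}{*}}: "" when no TLS cipher is set, else "*"."""
    return "" if tls_cipher == "" else "*"

def exim_would_advertise(tls_cipher: str) -> bool:
    """Exim suppresses the authenticator when the condition expands to "", 0, no or false."""
    return advertise_condition(tls_cipher) not in ("", "0", "no", "false")
```

With the .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS block in place, the 250-AUTH line would be absent from a plaintext EHLO reply and auth_mechs_pre_tls would be empty.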
===== References =====
/usr/share/doc/exim4-base/README.Debian.gz
https://help.ubuntu.com/community/Exim4
https://debian-administration.org/article/280/HowTo_Setup_Basic_SMTP_AUTH_in_Exim4