Exim provides a script for this. Either run:
/usr/share/doc/exim4-base/examples/exim-gencert
or create a certificate manually. Within the /etc/exim4 directory run:
openssl req -x509 -sha256 -days 9000 -nodes -newkey rsa:4096 -keyout exim.key -out exim.crt
This displays:
Generating a 4096 bit RSA private key
............................................++
.............................................................................................................................++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Jersey
Locality Name (eg, city) []:St. Helier
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:mail.sharewiz.net
Email Address []:admin@sharewiz.net
This creates the exim.key and exim.crt files in /etc/exim4.
Uncomment the following lines. TODO: don't do this; do the next step on SASL instead.
# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
and
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
You need to configure Exim4 to use the saslauthd for authentication. Edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment the plain_saslauthd_server and login_saslauthd_server sections:
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
#
login_saslauthd_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # don't send system passwords over unencrypted connections
  server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
This section provides details on configuring the saslauthd to provide authentication for Exim4.
Install the sasl2-bin package.
apt-get install sasl2-bin
To configure saslauthd, edit the /etc/default/saslauthd configuration file and change START=no to:
START=yes
Next the Debian-exim user needs to be part of the sasl group in order for Exim4 to use the saslauthd service:
sudo adduser Debian-exim sasl
Now start the saslauthd service:
sudo /etc/init.d/saslauthd start
Exim4 is now configured with SMTP AUTH using TLS and SASL authentication.
Create (or edit if it exists) /etc/exim4/exim4.conf.localmacros
Add the line:
MAIN_TLS_ENABLE = true
Users and their passwords are held within the /etc/exim4/passwd file in the following format:
:$Username:$password:
Create /etc/exim4/passwd if it does not exist.
Copy output from:
htpasswd -nd usernameforsmtp
or
mkpasswd -H md5
and paste it in /etc/exim4/passwd
Repeat for any other logins you'd like to add.
This file should have permissions set to 640 and have ownership of root:Debian-exim.
chmod 640 /etc/exim4/passwd
chown root:Debian-exim /etc/exim4/passwd
update-exim4.conf
/etc/init.d/exim4 restart
220-mail.xxxxxxxx.com ESMTP Exim 4.34 #1 Wed, 23 Jun 2004 17:35:13 -0700
EHLO mail.myserver.com
250-mail.xxxxxxxx.com Hello mail.myserver.com [192.168.0.156]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
bXl1c2VybmFtZQ==
334 UGFzc3dvcmQ6
bXlwYXNzd29yZA==
235 Authentication succeeded
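The session above offers AUTH PLAIN LOGIN in the same plaintext EHLO reply as STARTTLS, which is what server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} is meant to prevent. The Python check below is an added example, not part of the original page or of Exim: it audits an EHLO reply captured before STARTTLS and decodes the AUTH LOGIN dialogue to show that the credentials are only base64-encoded. The function names and the hardened reply are constructed for illustration.

```python
import base64

# EHLO reply copied from the plaintext test session on this page.
PAGE_EHLO = """\
250-mail.xxxxxxxx.com Hello mail.myserver.com [192.168.0.156]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
"""

# Constructed sample: the same reply with AUTH withheld until TLS is active,
# the effect of server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}.
HARDENED_EHLO = """\
250-mail.xxxxxxxx.com Hello mail.myserver.com [192.168.0.156]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
"""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is only base64-encoded


def ehlo_extensions(reply):
    """Parse a multi-line 250 reply into {KEYWORD: [PARAMS]}."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " ", ""):
            raise ValueError("not a 250 EHLO line: %r" % line)
        words = line[4:].upper().split()
        if words:
            exts[words[0]] = words[1:]
    return exts


def audit_pre_tls_ehlo(reply):
    """Findings for an EHLO reply captured before STARTTLS was issued."""
    exts = ehlo_extensions(reply)
    findings = []
    if "STARTTLS" not in exts:
        findings.append("STARTTLS not offered")
    exposed = sorted(CLEARTEXT_MECHS & set(exts.get("AUTH", [])))
    if exposed:
        findings.append("AUTH %s advertised without TLS" % " ".join(exposed))
    return findings


def decode_login_exchange(b64_lines):
    """Decode the base64 prompts and answers of an AUTH LOGIN dialogue."""
    return [base64.b64decode(s).decode("ascii") for s in b64_lines]
```

An empty list from audit_pre_tls_ehlo means the pre-TLS reply offers STARTTLS and no cleartext AUTH mechanism; repeat EHLO after STARTTLS to confirm that AUTH then appears.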