1) A Linux server, preferably Debian or Ubuntu to follow this tutorial step by step, on other distributions the software packages and file paths can be different.

2) Public IP address preferably directly on the server (+ if you are not directly owning the IP in RIPE database, the provider of this IP address to you should be able and willing to set reverse DNS entry on this IP address later in this tutorial, so if you are just looking for provider check this with them before ordering a service from them).

3) A publicly registered domain name either with some DNS hosting company or you can do yourself a small DNS server. If you will have a DNS provider, just make sure they allow you to enter TXT records for your domain record.

In this tutorial, I will be using “example.com” as the domain. Please change all example.com text in this tutorial to your own domain when following this tutorial. At the point of writing this tutorial this example.com was pointing to public IP of 123.123.123.123.

Also the demouser account email is demouser@example.com.

The target what we will have at the end of this tutorial

• En email system with email in the form of @example.com.
• IMAP secured with SSL for access to your emails (test is to access emails from your smartphone).
• All standard protection mechanisms on the emails so that other email systems do not classify our emails as SPAM. This includes SPF, DKIM, rDNS and SpamAssassin headers.

How we will call our systems. This uses “example.com” as the domain, and “exampleserver” as the hostname.

The DNS server will be 8.8.8.8 (NOTE: This is a gmail DNS system).

echo exampleserver> /etc/hostname
hostname -F /etc/hostname
echo "8.8.8.8   exampleserver.example.com exampleserver" >> /etc/hosts

Verification is easy, just use these commands and you should get the answers visible.

hostname --short
exampleserver
 
hostname --domain
example.com
 
hostname --fqdn
exampleserver.example.com
 
hostname --ip-address
8.8.8.8 

To get all the software in debian for our little tutorial, we need three main pieces of software:

1. Exim4 – the SMTP daemon.
2. Courier – communication extension for Exim4 to have IMAP and POP access to emails.
3. Swaks – Swiss army knife for SMTP troubleshooting.
4. SSL-cert packages – for easy work with generating certificates in later parts of the tutorial.

If you are using Debian or Ubuntu, then you can simply follow these commands :

apt-get update 
apt-get install exim4-daemon-heavy courier-authdaemon courier-imap courier-imap-ssl courier-pop courier-pop-ssl swaks libnet-ssleay-perl ssl-cert

SSL Certificate Required

POP and IMAP over SSL requires a valid, signed, X.509 certificate.
During the installation of courier-pop-ssl or courier-imap-ssl, a
self-signed certificate will be generated if necessary.

For production use, the X.509 certificate must be signed by a recognized 
certificate authority, in order for mail clients to accept the
certificate.  The default location for this certificate is
/etc/courier/pop3d.pem or /etc/courier/imapd.pem.

Verification of the installation can be afterwards done by checking the running ports with a netstat command if all the pop3, imap, smtp, pop3s and imaps ports are present like visible like in the example below:

netstat –utal
-- omitted --
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN     
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN     
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN     

In this example, I will prefer each user having his email inside his home directory under ~/Maildir. For the new users, add this directory to the skeleton so that it is automatically created for new users like this:

maildirmake /etc/skel/Maildir

For existing users, you have to do this manually (or do a script for this). For example for my test user “testuser” like this:

maildirmake ~demouser/Maildir
chown –R demouser.demouser ~demouser/Maildir

adduser demouser

Give this user a password when prompted. Always choose a good password here because this UNIX passwords will also be user by the IMAP/POP3 access to your emails!

Now, first step here is to use the debian built-in configuration package to configure the “main” exim4 points with:

dpkg-reconfigure exim4-config

It will give you several options in a wizard, this is how I configured my answers for a small and independent server:

• General type of mail configuration: internet site; mail is sent and received directly using SMTP.
• System mail name: example.com
• IP-addresses to listen on for incoming SMTP connections: leave this field empty!!!
• Other destinations for which mail is accepted: leave this field empty!!!
• Domains to relay mail for: leave this field empty!!!
• Machines to relay mail for: leave this field empty!!!
• Keep number of DNS-queries minimal (Dial-on-Demand)?: NO
• Delivery method for local mail: Maildir format in home directory
• Split configuration into small files?: NO
• Root and postmaster mail recipient: demouser (or your real administrator name, but non-root account)

First run this small command to generate a certificate based on example from exim.

/usr/share/doc/exim4-base/examples/exim-gencert
[*] Creating a self signed SSL certificate for Exim!
    This may be sufficient to establish encrypted connections but for
    secure identification you need to buy a real certificate!
 
    Please enter the hostname of your MTA at the Common Name (CN) prompt!
 
Generating a 1024 bit RSA private key
...........................................++++++
....................................................................++++++
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code (2 letters) [US]:JE
State or Province Name (full name) []:Jersey
Locality Name (eg, city) []:St. Helier
Organization Name (eg, company; recommended) []:example.com
Organizational Unit Name (eg, section) []:example.com
Server name (eg. ssl.domain.tld; required!!!) []:exampleserver.example.com
Email Address []:demouser
[*] Done generating self signed certificates for exim!
    Refer to the documentation and example configuration files
    over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
    support in your mail transfer agent.

Next, based on the documentation you find in /usr/share/doc/exim4-base/ , you should create a file /etc/exim4/exim4.conf.localmacros to and insert these lines to enable TLS support on port 465.

echo "MAIN_TLS_ENABLE = true" > /etc/exim4/exim4.conf.localmacros
echo "tls_on_connect_ports = 465" >> /etc/exim4/exim4.conf.localmacros

Inside /etc/default/exim4 change this line:

SMTPLISTENEROPTIONS=''

To this:

SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'

Ok, now restart exim4 again with the service command

service exim4 restart

And check if the exim4 is listening on port 465:

netstat -atupln | grep 465
tcp        0      0 0.0.0.0:465    0.0.0.0:*    LISTEN      16020/exim4     
tcp6       0      0 :::465         :::*         LISTEN      16020/exim4 

Ok, so the basic email system should now be running, lets test it with the most basic test and that is sending an email locally (either between two users of the local system or to yourself).

This test will send email to testuser from testuser.

echo "test message content" | mail –s "test subject" demouser@example.com

You can either check the inbox of demouser, or more simply check logs inside /var/log/exim4/mainlog

cat /var/log/exim4/mainlog
2014-12-23 16:56:42 1Y3XRa-0004B4-Sj <= root@example.com U=root P=local S=391
2014-12-23 16:56:42 1Y3XRa-0004B4-Sj => demouser <demouser@example.com> R=local_user T=maildir_home
2014-12-23 16:56:42 1Y3XRa-0004B4-Sj Completed

Ok, all looks good, now lets try sending to external source like gmail (replace the xxxx with your real email).

echo "test message content" | mail –s "test subject" xxxxx@gmail.com

Now the good and the bad part, the email arrived, but it ended most probably in spam folder because technically this is a “rogue” system with unknown domain and no basic signatures in the email headers.

As immediate step after my emails got working was that Thunderbird was unable to connect to the courier with IMAPS (with TLS enabled) despite the basic certificates existed from the installation (during apt-get install a default set was generated).

To verify what is going one, this is the best test to see the problem, we will use SWAKS to troubleshoot like this:

swaks -a -tls -q AUTH -s localhost -au demouser     
Password: playingwithexim4
=== Trying localhost:25...
=== Connected to localhost.
<-  220 exampleserver.example.com ESMTP Exim 4.80 Tue, 23 Dec 2014 20:10:29 -0500
 -> EHLO exampleserver.example.com
<-  250-exampleserver.example.com Hello localhost [127.0.0.1]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher DHE-RSA-AES256-SHA256
=== TLS peer subject DN="/C=JE/ST=Jersey/L=St. Helier/O=example.com/OU=example.com/CN=exampleserver.example.com/emailAddress=demouser"
 ~> EHLO exampleserver.example.com
<~  250-exampleserver.example.com Hello localhost [127.0.0.1]
<~  250-SIZE 52428800
<~  250-8BITMIME
<~  250-PIPELINING
<~  250 HELP
*** Host did not advertise authentication
 ~> QUIT
<~  221 exampleserver.example.com closing connection
=== Connection closed with remote host.

As you noticed, the TLS layer is there successfully, the problem is more with the authentication not working.

Add these lines to /etc/exim4/exim4.conf.template

MAIN_TLS_ENABLE = yes
tls_on_connect_ports=465 
rfc1413_query_timeout = 0s

Install SASLAUTH daemon that will do the authentication for us against local unix usernames.

NOTE: If you want some other method of authentication, check the exim4 wiki.

apt-get install sasl2-bin

Edit /etc/default/saslauthd to enable saslauth with this line change:

START=yes

Restart the SASLAUTH daemon:

/etc/init.d/saslauthd start

Add exim to sasl group

adduser Debian-exim sasl
Adding user `Debian-exim' to group `sasl' ...
Adding user Debian-exim to group sasl
Done.

Inside /etc/exim4/exim4.conf.template uncomment these lines to enable PAM authentication (in the below all lines below and including the “plain_saslauthd_server”):

/etc/exim4/exim4.conf.template

# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.Debian.gz
# plain_saslauthd_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
#   server_set_id = $auth2
#   server_prompts = : 
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS 
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

Do a restart of both exim4 and saslauth

update-exim4.conf
service exim4 restart
service saslauthd restart