Exim4 - Enable SMTP-Auth
Generate an Exim SSL certificate
Exim provides a script for this. Either run:
/usr/share/doc/exim4-base/examples/exim-gencert
or create a certificate manually. Within the /etc/exim4 directory run:
openssl req -x509 -sha256 -days 9000 -nodes -newkey rsa:4096 -keyout exim.key -out exim.crt
This prompts for the certificate details and shows:
Generating a 4096 bit RSA private key
............................................++
.............................................................................................................................++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Jersey
Locality Name (eg, city) []:St. Helier
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:mail.sharewiz.net
Email Address []:admin@sharewiz.net
This creates the files exim.key and exim.crt in /etc/exim4.
Enable the basic SMTP-Auth in the Exim config file
Uncomment the following lines.
- /etc/exim4/exim4.conf.template
# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
and
- /etc/exim4/exim4.conf.template
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
saslauthd Authentication
To use saslauthd for authentication, configure Exim4 as follows. Edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment the plain_saslauthd_server and login_saslauthd_server sections:
- /etc/exim4/exim4.conf.template
plain_saslauthd_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  server_set_id = $auth2
  server_prompts = :
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
#
login_saslauthd_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # don't send system passwords over unencrypted connections
  server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  server_set_id = $auth1
  .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  .endif
Enable TLS
Create (or edit if it exists) /etc/exim4/exim4.conf.localmacros
Add the line:
- /etc/exim4/exim4.conf.localmacros
MAIN_TLS_ENABLE = true
Setup the users and passwords
Users and their passwords are held in the /etc/exim4/passwd file, one per line, in the following format:
:$Username:$password:
Create /etc/exim4/passwd if it does not exist.
Copy the output of:
htpasswd -nd usernameforsmtp
or
mkpasswd -H md5
and paste it into /etc/exim4/passwd.
Repeat for any other logins you'd like to add.
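As an added example (not from this page or the Debian exim4 configuration), the following Python emulates what the login_server server_condition above evaluates against this file: an lsearch lookup of $auth1, field 1 of the result (or the {*:*} default), and crypteq against $auth2. The sample passwd contents are constructed; crypt(3) hashes such as those produced by htpasswd -d or mkpasswd are checked through the stdlib crypt module where it is available.

```python
import base64
import hashlib

# Constructed sample of /etc/exim4/passwd (user:encrypted-password), not a
# real file. The hashes are {sha1}/{md5} digests of "password" and "hello",
# stored in hex for alice and bob and in base64 for carol.
SAMPLE_PASSWD = """# SMTP AUTH users (constructed example)
alice:{sha1}5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob:{md5}5d41402abc4b2a76b9719d911017c592
carol:{md5}XUFAKrxLKna5cZ2REBfFkg==
"""

def lsearch(text, key, default="*:*"):
    """Emulate ${lookup{key}lsearch{file}{$value}{default}}: blank and '#'
    lines are skipped, the key is the text before the first colon, the first
    match wins and $value is the rest of that line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        k, sep, value = line.partition(":")
        if sep and k.strip() == key:
            return value.strip()
    return default

def crypteq(plaintext, encrypted):
    """Emulate Exim's crypteq: {md5}/{sha1} values are hex (32/40 chars) or
    base64 (24/28 chars); anything else is a crypt(3) hash such as the
    htpasswd -d or mkpasswd output used on this page. A stored value of '*'
    never matches, which is how the {*:*} default makes unknown users fail."""
    for prefix, algo in (("{md5}", hashlib.md5), ("{sha1}", hashlib.sha1)):
        if encrypted.startswith(prefix):
            stored = encrypted[len(prefix):]
            digest = algo(plaintext.encode()).digest()
            if len(stored) in (32, 40):
                return digest.hex() == stored.lower()
            return base64.b64encode(digest).decode() == stored
    salt = encrypted.removeprefix("{crypt}")
    if not salt or salt.startswith(("*", "!")):
        return False
    try:
        import crypt  # stdlib crypt(3) binding; absent from Python 3.13+
    except ImportError:
        return False
    return crypt.crypt(plaintext, salt) == salt

def authenticate(passwd_text, auth1, auth2):
    """The login_server server_condition, step by step: lookup $auth1,
    take field 1 of $value (default *:*), crypteq it against $auth2."""
    stored = lsearch(passwd_text, auth1).split(":")[0]
    return crypteq(auth2, stored)
```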
Set the permissions and ownership
This file should have permissions set to 640 and be owned by root:Debian-exim.
chmod 640 /etc/exim4/passwd
chown root:Debian-exim /etc/exim4/passwd
Update your configuration and Restart Exim4
update-exim4.conf
/etc/init.d/exim4 restart
References
/usr/share/share/exim/README.Debian.gz