Here I will be setting up SSL certificates with Exim 4 and Courier IMAP and POP3 under Debian, so that sending and retrieving email, and the usernames and passwords sent with it, are encrypted between mail clients and my server.
I will be using SSL certificates from CA Cert as they are free. CA Cert is not a commercial 'paid-for' certificate provider, so its root certificate will not already be installed in your web browser or mail client. You will need to install the CA Cert root certificate on every machine you wish to connect from over SSL to your machines which use CA Cert certificates, otherwise you will get a certificate warning on every connection. If you want to avoid this hassle, or you want commercial grade support (and perhaps some insurance), go with a commercial SSL certificate provider like Thawte, Verizon or Comodo. By installing the CA Cert root certificate you are trusting CA Cert to operate securely and to verify the certificates it issues; in terms of commercial liability, this might not be something you want to do.
If you want to use a commercial SSL provider, this should still work for you, but the CA Cert specific steps will need to be translated to your own provider's process. In that case you won't need to import the CA Cert root certificate either.
Using SSL to secure SMTP, POP3 and IMAP means everything passing between your mail client and your server, including your username and password, is encrypted. Mail passing between mail servers is only encrypted if both ends support TLS and are configured to prefer it. You have no control over whether other people's mail servers do so, so there is no guarantee of end-to-end encryption, and the message sits unencrypted on every server it passes through. If that is what you want, you would be better off encrypting your email before sending it with PGP or GPG. For Thunderbird users like me, the Enigmail extension works with GPG and possibly PGP.
Join CA Cert and add your domains. For each DNS name you want a certificate for, you must verify the domain with them, which means you must be able to receive email at that domain. For me, this meant setting up MX records for the machines I wanted to secure and domain aliases forwarding mail received on those domains to my regular email domain. I didn't have an email account available that CA Cert would deliver their 'domain verification probe' emails to, so I had to set up an alias address for one of the accounts they will deliver to. Once this was done I could complete their domain verification process by clicking on the links they emailed me.
Import the CA Cert root certificate by downloading it from here and then importing it into Thunderbird as described here. If you don't use Thunderbird, there are guides on the CA Cert Wiki for other clients.
Described here. In each of the following key generation steps, fill in the values that are relevant to you. When asked for the common name, enter the DNS hostname that clients will connect to (i.e. exactly what you put in your mail client as the SMTP, IMAP or POP3 server address). The certificate is only valid for that name, so don't put an IP address in as the common name even though you could: if you ever have to change your server's IP, the certificate becomes useless.
So, run the following command:
/usr/share/doc/exim4-base/examples/exim-gencert
That creates a self-signed certificate in /etc/exim4/exim.crt and a private key in /etc/exim4/exim.key. Then generate a certificate signing request from that key:
openssl req -new -key /etc/exim4/exim.key -out /etc/exim4/exim.csr
Log in to the CA Cert website and create a new server certificate. Paste the contents of /etc/exim4/exim.csr into the CSR box. If you didn't verify the domain with CA Cert you won't be able to create a certificate for that name. Once this is done it will give you a signed certificate (not a key: the private key stays in /etc/exim4/exim.key and never leaves the server), which you should paste into /etc/exim4/exim.crt, overwriting the self-signed certificate that exim-gencert put there. Save the file.
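Before pointing Exim at the files, it is worth checking that the certificate CA Cert handed back actually belongs to the key exim-gencert generated, that its common name is the hostname clients will use, and that the key is not world-readable. The script below is an added example and not part of the original post; the paths default to the ones used here, and mail.example.com in the usage line is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the Exim TLS
# certificate and key before restarting Exim. Paths default to the ones used
# in this post; the hostname argument is whatever clients will connect to.

# Return 0 if the public key inside the certificate matches the private key.
# Comparing the SubjectPublicKeyInfo PEM works for RSA and EC keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print the certificate's Common Name, the name mail clients compare
# against the server address they were given.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the file's mode has no permission bits for "other".
not_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 2
    case $mode in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Run all three checks; prints one line per check and returns non-zero
# if any of them failed.
check_exim_tls_files() {
    cert=${1:-/etc/exim4/exim.crt}
    key=${2:-/etc/exim4/exim.key}
    host=${3:-$(hostname -f)}
    rc=0
    if cert_key_match "$cert" "$key"; then
        echo "ok:   $cert matches $key"
    else
        echo "FAIL: $cert does not match $key (wrong CSR pasted, or key regenerated?)"
        rc=1
    fi
    cn=$(cert_cn "$cert")
    if [ "$cn" = "$host" ]; then
        echo "ok:   common name is $cn"
    else
        echo "FAIL: common name is '$cn' but clients will connect to '$host'"
        rc=1
    fi
    if not_world_readable "$key"; then
        echo "ok:   $key is not world-readable"
    else
        echo "FAIL: $key is world-readable; it should be readable only by root and Debian-exim (root:Debian-exim, mode 640)"
        rc=1
    fi
    return $rc
}

# When run as a script, check the given (or the default) files, e.g.
#   sh check-exim-tls.sh /etc/exim4/exim.crt /etc/exim4/exim.key mail.example.com
if [ $# -gt 0 ] || [ -r /etc/exim4/exim.key ]; then
    check_exim_tls_files "$@"
fi
```

A mismatch on the first check usually means the CSR pasted into CA Cert came from a different key than the one in /etc/exim4/exim.key (for example because exim-gencert was run a second time); Exim will refuse to start TLS with a mismatched pair, so it is cheaper to catch it here than in the logs.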
I don't use the Debian Exim4 split config, if you do, follow the instructions on configuring SSL here or here.
I configured SSL by placing the following in the main section at the top of the configuration, before the ACL and router sections:
# Turn on SSL
log_selector = +subject +tls_cipher +tls_peerdn
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_on_connect_ports = 465
MAIN_TLS_ENABLE = true
The above is described here, here and here (note the file paths to the keys in these links are wrong, use mine).
Edit /etc/default/exim4 and modify the relevant line so that Exim listens on port 465 (SSL on connect) as well as port 25:
# options for daemon listening on port 25 SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'
as described here again.
Now restart exim with:
/etc/init.d/exim4 restart
Make sure your firewall allows TCP port 465 through to your mail server. With IP Tables, this will be something like:
iptables -A INPUT -p tcp -d mailserverip --dport 465 -j ACCEPT
I use an IP Tables script to maintain my firewall rules between reboots, so I have to re-run my firewall script afterwards. You could use iptables-save and iptables-restore to look after this for you but I assume if you're using an IP Tables firewall you know how to make your rules permanent as this isn't intended to be an IP Tables tutorial. My way works for me.
I use Thunderbird, so your mileage may vary with these instructions, but the principles are the same across all mail clients which support SSL. In Thunderbird I go into my account settings, then Outgoing Server, select my server, click Edit and tick the SSL box. This automatically changes the SMTP port for my server to 465. In any other mail client, tell it to use SSL (sometimes labelled 'SSL/TLS', as opposed to STARTTLS) and port 465; all of the other settings should stay the same. Because the configuration above also sets tls_advertise_hosts = *, Exim still offers STARTTLS on port 25, so a client that only supports STARTTLS can use that instead.
No detailed instructions here; you should be able to figure this out. If you can't get your mail through, watch your Exim logs (/var/log/exim4/mainlog on Debian) for errors. In a corporate environment you might be behind a firewall which doesn't allow outbound connections to TCP port 465, so if the connection fails and nothing is logged either by your Exim daemon or by the firewall on or in front of your mail server, suspect the firewall on your side restricting outgoing access.
It should work though. If it does then you're done :) Just keep an eye on when your certificate expires, because you'll need to renew it before then or clients will start getting errors. And remember that CA Cert is not a commercial certificate provider whose root ships with browsers and mail clients: you will need to install its root certificate on every machine you connect from over SSL to avoid irritating errors.
You already have an SSL certificate for your hostname, so there's little point in making a new one. You should already have courier-imap and courier-pop installed; if you don't and you are collecting your mail over IMAP or POP3, then you must be using some other POP or IMAP daemon like Dovecot, and I can't help you there as I'm using Courier. For IMAP and POP3 over SSL with Courier you also need courier-imap-ssl and courier-pop-ssl installed; if you don't have them, install them now.
Courier expects your certificate and private key in a single file. Use the following to make one, replacing 'hostname' with the common name you gave when creating your SSL certificate. The file contains the private key, so keep it readable by root only, like the self-signed imapd.pem the Debian package generates:
cat /etc/exim4/exim.crt /etc/exim4/exim.key > /etc/courier/hostname.pem
Now edit both /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl and search for the TLS_CERTFILE directive, change this in each file to:
TLS_CERTFILE=/etc/courier/hostname.pem
Save the files and restart both the courier-imap-ssl and courier-pop-ssl daemons:
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
Keep an eye open for any errors or daemons failing to restart. If there are any problems, check /var/log/mail.err.
Your Courier SSL daemons should now be using your certificate, so you need to open up TCP ports 993 and 995 for IMAPS and POP3S respectively. Add the following IP Tables rules, however you manage your firewall, and be sure to make them survive a reboot:
iptables -A INPUT -p tcp -d mailserverip --dport 993 -j ACCEPT
iptables -A INPUT -p tcp -d mailserverip --dport 995 -j ACCEPT
In Thunderbird, go into your account settings, then Server Settings, and tick the SSL box in the Security Settings section; Thunderbird changes the port to 993 for IMAP or 995 for POP3. Now try to access your mail. It should work; if not, check /var/log/mail.err on the server and make sure you added the firewall rules. Otherwise you're all set, and all of your communication with your mail server is done over SSL. One caveat: the plain IMAP and POP3 daemons on ports 143 and 110 are still running, so if those ports are reachable a client that is not set to SSL can still log in in the clear. If you don't need them, stop those daemons or block the ports at the firewall.
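To confirm all of this from a client machine, and to get a warning before the certificate expires (the renewal caveat above), here is an added example script that is not part of the original post. It assumes the CA Cert root certificate has been saved to a local file, that the hostname you pass is the certificate's common name, and that the server ports use SSL on connect (465, 993 and 995 as configured above, not STARTTLS). The s_client output in the usage note below is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check the SMTPS, IMAPS and
# POP3S endpoints from a client and warn before the certificate expires.
# Assumptions: the CA Cert root certificate is in a local file (second
# argument) and the server hostname is the certificate's common name.

# Return 0 if the certificate in $1 is still valid for at least $2 more days.
# Suitable for a cron job on the server against /etc/exim4/exim.crt.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Return 0 if an s_client report (passed as $1) shows the chain verified
# against the trusted roots. The "Verify return code" line is the
# authoritative signal; "CONNECTED" alone only means TCP connected.
s_client_verified() {
    printf '%s\n' "$1" | grep -q '^ *Verify return code: 0 (ok)'
}

# Connect with SSL on connect (no STARTTLS, which is what ports 465/993/995
# use here) and capture the handshake report. Needs network access.
s_client_report() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null
}

# Check all three ports used in this post; prints one line per port and
# returns non-zero if any port failed to connect or to verify.
check_mail_endpoints() {
    host=$1
    cafile=$2
    rc=0
    for port in 465 993 995; do
        if ! report=$(s_client_report "$host" "$port" "$cafile"); then
            echo "FAIL: $host:$port no TLS handshake (firewall? daemon not listening?)"
            rc=1
            continue
        fi
        if s_client_verified "$report"; then
            echo "ok:   $host:$port chain verifies against $cafile"
        else
            echo "FAIL: $host:$port certificate does not verify:"
            printf '%s\n' "$report" | grep 'Verify return code'
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-mail-tls.sh mail.example.com /path/to/cacert-root.crt [/etc/exim4/exim.crt]
if [ $# -ge 2 ]; then
    check_mail_endpoints "$1" "$2"
    if [ -n "$3" ]; then
        if cert_valid_for_days "$3" 14; then
            echo "ok:   $3 is valid for at least 14 more days"
        else
            echo "WARN: $3 expires within 14 days; renew it with CA Cert now"
        fi
    fi
fi
```

A report ending in "Verify return code: 21 (unable to verify the first certificate)" is exactly the 'irritating error' mentioned earlier: the server's certificate is fine, but the root you passed with the second argument (or the trust store of the mail client) does not contain the CA Cert root that signed it.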