
Using SSL with Exim 4 on Debian

Set up a CA Cert Account

Join CA Cert and add your domains. CA Cert is not an official, paid-for certificate provider, so its root certificate is not preinstalled in your web browser or mail client. You will need to install the CA Cert root keys on every machine from which you want to connect over SSL to a machine using a CA Cert certificate, or you will get irritating certificate errors. If you want to avoid this, or you want commercial-grade support (and perhaps some insurance), go with a commercial SSL certificate provider like Thawte, Verizon or Comodo.

For each DNS name you want a certificate for, you need to verify that domain with them, which means you must be able to receive email on that domain. For me, this meant I had to set up MX records for the machines I wanted to secure and set up domain aliases to forward mail received on those domains to my regular email domain. I didn't have an email account available that CA Cert would deliver their 'domain verification probe' emails to, so I had to set up an alias address for one of the accounts they will deliver to. Once this was done I could complete their domain verification process by clicking on the links they emailed me.

Import the CA Cert Root Keys

Import the CA Cert root keys by downloading them from here and then importing them into Thunderbird as described here. If you don't use Thunderbird, there are other guides on the CA Cert wiki which tell you how.

Create your SSL Certificate with CA Cert

Described here. In each of the following key generation steps, put in the values that are relevant for you. When asked for the common name, be sure to put in the DNS hostname that clients will use to reach the system (i.e. what you put in your mail client as your SMTP server address). You can put in the IP address instead if that is what you will configure in your mail client, but you shouldn't use IPs, because if you have to change your server's IP then your certificate won't be valid any more.

So, run the following command:

/usr/share/doc/exim4-base/examples/exim-gencert

Then:

openssl req -new -key /etc/exim4/exim.key -out /etc/exim4/exim.csr

Log in to the CA Cert website and create a new certificate. Paste the contents of /etc/exim4/exim.csr into the CSR box. If you didn't verify your domain with CA Cert then you won't be able to create a certificate for that domain. Once this is done, it will give you a certificate, which you should paste into your /etc/exim4/exim.crt file, overwriting the existing contents. Save the file.

Configure Exim to Use Your Keys

I don't use the Debian Exim4 split config; if you do, follow the instructions on configuring SSL here or here.

For me, I configured SSL with the following, placed in the top part of the configuration, before you hit the ACLs and routers:

# Turn on SSL

log_selector = +subject +tls_cipher +tls_peerdn
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_on_connect_ports = 465
MAIN_TLS_ENABLE = true

The above is described here, here and here (note that the file paths to the keys in those links are wrong; use mine).

Edit /etc/default/exim4 and modify the relevant line to be:

# options for daemon listening on port 25
SMTPLISTENEROPTIONS='-oX 465:25 -oP /var/run/exim4/exim.pid'

as described here again.

Now restart exim with:

/etc/init.d/exim4 restart

Make sure your firewall allows TCP port 465 through to your mail server. With iptables, this will be something like:

iptables -A INPUT -p tcp -d mailserverip --dport 465 -j ACCEPT

I use an iptables script to maintain my firewall rules between reboots, so I have to re-run my firewall script afterwards. You could use iptables-save and iptables-restore to look after this for you, but I assume that if you're using an iptables firewall you know how to make your rules permanent, as this isn't intended to be an iptables tutorial. My way works for me.

Getting Your Mail Client to Connect Using SSL

I use Thunderbird, so your mileage may vary with these instructions, but the principles are the same across all mail clients that support SSL. In Thunderbird I go into my account settings, then Outgoing Server, select my server, click Edit and tick the SSL box. This automatically changes the SMTP port for my server to 465. In any other mail client, tell it to use SSL and port 465; all of the other settings should stay the same.

Try to Send a Mail

No instructions here; you should be able to figure this out. Watch your Exim logs for errors if you can't get your mail through. In a corporate environment you might be behind a firewall that doesn't allow you to connect out on TCP port 465, so if it fails and nothing is logged either by your Exim daemon or by the firewall on or in front of your mail server, consider whether your local firewall is restricting outgoing access.

It should work though. If it does then you're done :) Just be sure to keep an eye on when your certificate expires, because you'll need to renew it before then or you'll start getting errors. Remember too that CA Cert is not an official, paid-for certificate provider, so you will need to install their root keys on every machine you wish to connect over SSL from, to avoid irritating errors.
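As an added example (not part of the original page), the following script checks the things that most often go wrong with the set-up above: that the certificate's common name is the hostname your mail client is pointed at, that the certificate isn't about to expire, and that exim.key really belongs to exim.crt (the wrong-path problem noted earlier). It assumes only the openssl command-line tool; the default paths are the ones used on this page, and the hostname mail.example.org in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: post-install checks for the Exim
# TLS set-up above. Assumes the openssl CLI is installed; the default paths are
# the ones the page uses (/etc/exim4/exim.crt and /etc/exim4/exim.key).

# Prints "ok" if the certificate in $1 is valid for at least $2 more days,
# otherwise "expiring" (also for a certificate that has already expired).
cert_validity() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# Prints the subject CN of the certificate in $1: this is the name a mail
# client compares against the SMTP server address it was given.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Prints "match" if private key $2 belongs to certificate $1, else "mismatch".
# Compares the PEM public keys (not RSA moduli) so it also works for EC keys.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Shows the certificate Exim actually presents on the SSL-on-connect port
# (465 per the page), i.e. what clients see; needs network access.
live_cert_info() {
    openssl s_client -connect "$1:${2:-465}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Runs the local checks; $3 is the hostname your mail client is pointed at.
check_exim_tls() {
    crt=${1:-/etc/exim4/exim.crt} key=${2:-/etc/exim4/exim.key} host=${3:-$(hostname -f)}
    echo "cn:       $(cert_cn "$crt") (clients expect: $host)"
    echo "validity: $(cert_validity "$crt" 30) (30-day renewal warning)"
    echo "key:      $(key_matches_cert "$crt" "$key")"
}
# Usage: check_exim_tls /etc/exim4/exim.crt /etc/exim4/exim.key mail.example.org
```

Run it on the mail server itself after the restart; if the CN line doesn't show the same name your client uses, the client will reject the certificate even though Exim is serving it happily.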

Now you're registered

using_ssl_with_exim_4_on_debian.1246638925.txt.gz · Last modified: 2016/11/25 22:38 (external edit)