====== Exim4 and TLS ======

This configuration is based on Debian with the Exim4 split-file configuration. The files we need to edit are ''conf.d/main/01_exim4-config_listmacrosdefs'', ''conf.d/main/03_exim4-config_tlsoptions'' and ''conf.d/acl/30_exim4-config_check_rcpt''.

===== Beforehand =====

Make sure you have a root certificate (CA), a server certificate and a key without passphrase. The key should only be readable by Exim4, so set its ownership and permissions to ''root:Debian-exim'', ''0640''.

===== Edit macros =====

What we want is to have TLS on Exim with client verification (so a client needs to provide a certificate signed by us to be able to send mail through our mail server). In the macro file, ''01_exim4-config_listmacrosdefs'', the configuration is pretty straightforward:

<code>
MAIN_TLS_ENABLE=1
MAIN_TLS_VERIFY_CERTIFICATES=/path/to/my/CA.pem
MAIN_TLS_CERTIFICATE=/path/to/my/certificate.pem
MAIN_TLS_PRIVATEKEY=/path/to/my/private/key.pem
MAIN_TLS_TRY_VERIFY_HOSTS=*
MAIN_TLS_CRL=/path/to/my/crl.pem
</code>

So first we enable TLS with ''MAIN_TLS_ENABLE'' set to ''1''. Then we set our root certificate with ''MAIN_TLS_VERIFY_CERTIFICATES''. By setting our own root certificate, we won't let anyone send mail through our server without providing a certificate that we have signed.

You can, if you want, provide relaying only for people using client certificates signed by a known company (trusted CAs such as Verisign, ...). For this you need to install the package ''ca-certificates'' on Debian (which also contains the CAcert.org CA) and then just don't set ''MAIN_TLS_VERIFY_CERTIFICATES''. Then anyone holding a client certificate from one of those companies can connect to your server and send mail through it. I won't recommend for or against this option, but you can do it.

Then we provide our server certificate and our key with ''MAIN_TLS_CERTIFICATE'' and ''MAIN_TLS_PRIVATEKEY''. The next value sets which hosts we want to verify; here we verify everyone with ''MAIN_TLS_TRY_VERIFY_HOSTS=*''.
Exim will then ask the client for a client certificate, but is not going to shut down the connection if the client doesn't provide one. The idea is to refuse the client only when it tries to relay. If you set ''MAIN_TLS_VERIFY_HOSTS=*'' instead, Exim will shut down the connection if the client doesn't provide a certificate, but this will block incoming messages from every host (so you won't get any mail in your inbox).

Finally we want to provide a CRL file, so our server knows which of our certificates are still valid and which have been revoked: ''MAIN_TLS_CRL''.

===== Edit TLS options =====

We then edit the TLS options in the file ''03_exim4-config_tlsoptions''. I just added the following lines to use the CRL:

<code>
.ifdef MAIN_TLS_CRL
tls_crl=MAIN_TLS_CRL
.endif
</code>

The rest of the configuration was already well done by the Debian packagers.

===== Edit ACL =====

We need to edit the ACL in ''30_exim4-config_check_rcpt''. When a client contacts the server, Exim checks whether the recipient address is local to this server or should be sent on to another server. At this point we tell Exim to accept relaying only from authenticated users (that's already configured by the Debian packagers), and we just add ''verify = certificate'' so that only authenticated users presenting a verified client certificate are accepted. So search the file for ''accept'' to find something like:

<code>
accept
  authenticated = *
  control = submission/sender_retain
</code>

and add ''verify = certificate'' there:

<code>
accept
  verify = certificate
  authenticated = *
  control = submission/sender_retain
</code>
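Added here as a pre-flight check, not part of the original page or of Exim: a POSIX shell function that validates the files named by ''MAIN_TLS_VERIFY_CERTIFICATES'', ''MAIN_TLS_CERTIFICATE'', ''MAIN_TLS_PRIVATEKEY'' and ''MAIN_TLS_CRL'' before Exim is restarted, including the ''root:Debian-exim'' 0640 key permissions from Beforehand. It assumes the ''openssl'' command line tool and GNU ''stat'' are installed (both are on Debian); all file paths are placeholders you pass in.

```shell
#!/bin/sh
# exim_tls_check CA.pem cert.pem key.pem [crl.pem] [owner:group] [mode]
# Constructed pre-flight check for the files referenced by the Exim macros
# MAIN_TLS_VERIFY_CERTIFICATES, MAIN_TLS_CERTIFICATE, MAIN_TLS_PRIVATEKEY and
# MAIN_TLS_CRL. Prints one line per check and returns 0 only if all pass.
# Requires the openssl CLI and GNU stat.
exim_tls_check() {
  ca=$1; cert=$2; key=$3; crl=$4
  want_owner=${5:-root:Debian-exim}; want_mode=${6:-640}
  rc=0
  # 1. The server certificate must chain to the CA we hand to Exim.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ok:   certificate chains to $ca"
  else
    echo "FAIL: certificate does not verify against $ca"; rc=1
  fi
  # 2. The private key must belong to that certificate (same public key).
  if [ "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" = \
       "$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)" ]; then
    echo "ok:   private key matches certificate"
  else
    echo "FAIL: private key does not match certificate"; rc=1
  fi
  # 3. The key must load without a passphrase; Exim cannot prompt for one.
  if openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1; then
    echo "ok:   private key has no passphrase"
  else
    echo "FAIL: private key is encrypted or unreadable"; rc=1
  fi
  # 4. If a CRL is given it must parse and be signed by the CA, otherwise
  #    revoked client certificates would still be accepted.
  if [ -n "$crl" ]; then
    if openssl crl -in "$crl" -CAfile "$ca" -noout >/dev/null 2>&1; then
      echo "ok:   CRL is signed by $ca"
    else
      echo "FAIL: CRL invalid or not signed by $ca"; rc=1
    fi
  fi
  # 5. Only root and the Exim group may read the key (root:Debian-exim 0640).
  have=$(stat -c '%U:%G %a' "$key" 2>/dev/null || echo unreadable)
  if [ "$have" = "$want_owner $want_mode" ]; then
    echo "ok:   key permissions are $have"
  else
    echo "FAIL: key permissions are '$have', expected '$want_owner $want_mode'"; rc=1
  fi
  return $rc
}
```

Run it as ''exim_tls_check /path/to/my/CA.pem /path/to/my/certificate.pem /path/to/my/private/key.pem /path/to/my/crl.pem'' and only restart Exim when every line reads ''ok''.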