Exim SSL/TLS Configuration Guide: RPM and Debian Systems
This guide covers configuring SSL/TLS encryption for existing Exim installations on both RPM-based and Debian-based systems using paid SSL certificates.
Prerequisites
Before configuring SSL/TLS, ensure you have:
- Exim already installed and running
- Your SSL certificate files: the server certificate, its private key, and the issuer's intermediate CA bundle (all PEM)
- Root or sudo access to the server
- A DNS name for the mail server that matches the certificate's subject or SAN, since clients check the name they connect to against the certificate
Install Paid SSL Certificate
Copy Certificate Files
For both RPM and Debian systems:
# Create SSL directory for Exim (if not exists)
sudo mkdir -p /etc/exim/ssl
# Copy certificate files. Exim sends clients whatever tls_certificate contains,
# so server.crt must hold the leaf certificate followed by the intermediate
# certificates; a bare leaf leaves clients unable to build the chain.
cat your-cert.crt your-ca-bundle.crt | sudo tee /etc/exim/ssl/server.crt >/dev/null
sudo cp your-private.key /etc/exim/ssl/server.key
sudo cp your-ca-bundle.crt /etc/exim/ssl/ca-bundle.crt
# Set proper permissions: only the private key needs to be unreadable to others
sudo chmod 644 /etc/exim/ssl/server.crt
sudo chmod 600 /etc/exim/ssl/server.key
sudo chmod 644 /etc/exim/ssl/ca-bundle.crt
# Set ownership to the account Exim runs as: "exim" on RPM systems,
# "Debian-exim" on Debian/Ubuntu (the exim user does not exist there)
sudo chown exim:exim /etc/exim/ssl/*                  # RPM-based
sudo chown Debian-exim:Debian-exim /etc/exim/ssl/*    # Debian-based
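The steps above as one script, added here as an example rather than taken from the guide. It assumes PEM files named your-cert.crt, your-private.key and your-ca-bundle.crt, the /etc/exim/ssl directory used throughout, and that the ID field of /etc/os-release distinguishes Debian-derived systems; the function names are the example's own. Before installing anything it checks that the private key really belongs to the certificate and that the chain verifies against the CA bundle, then writes server.crt as leaf plus intermediates, which is what Exim serves from tls_certificate.

```shell
#!/bin/sh
# Added example (not from the original guide): stage a CA-issued certificate for Exim.
# Builds the chain file Exim serves, checks the key matches the certificate,
# checks the chain verifies against the CA bundle, then sets owner and modes.
set -eu

# Map the distribution ID (from /etc/os-release) to the account Exim runs as.
exim_runtime_user() {
    case "$1" in
        debian|ubuntu) echo "Debian-exim" ;;   # Debian/Ubuntu exim4 packages
        *)             echo "exim" ;;          # RPM-based builds
    esac
}

# Return 0 if the private key belongs to the certificate (compares the public keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# install_exim_cert LEAF KEY BUNDLE DESTDIR USER
# Writes DESTDIR/server.crt (leaf + intermediates), server.key and ca-bundle.crt.
install_exim_cert() {
    leaf=$1; key=$2; bundle=$3; dest=$4; user=$5
    key_matches_cert "$leaf" "$key" || { echo "key does not match certificate" >&2; return 1; }
    openssl verify -CAfile "$bundle" "$leaf" >/dev/null || { echo "chain does not verify" >&2; return 1; }
    mkdir -p "$dest"
    # Exim serves the whole of tls_certificate to clients, so the chain goes in here.
    cat "$leaf" "$bundle" > "$dest/server.crt"
    chmod 0644 "$dest/server.crt"
    install -m 0600 "$key" "$dest/server.key"
    install -m 0644 "$bundle" "$dest/ca-bundle.crt"
    chown "$user" "$dest/server.crt" "$dest/server.key" "$dest/ca-bundle.crt"
    chgrp "$(id -gn "$user")" "$dest/server.crt" "$dest/server.key" "$dest/ca-bundle.crt"
}

# Usage (as root, file names assumed):
#   os_id=$(. /etc/os-release; echo "$ID")
#   install_exim_cert your-cert.crt your-private.key your-ca-bundle.crt \
#       /etc/exim/ssl "$(exim_runtime_user "$os_id")"
```

The key/certificate comparison is the check that catches the most common deployment mistake (a renewed certificate installed next to last year's key); Exim would otherwise fail the TLS handshake at runtime rather than at install time.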
Configure Exim SSL/TLS
Locate Exim Configuration File
RPM-based systems: /etc/exim/exim.conf
Debian-based systems: /etc/exim4/exim4.conf.template (single file) or /etc/exim4/conf.d/ (split configuration)
Edit Main Configuration
For single configuration file systems:
# RPM-based
sudo nano /etc/exim/exim.conf
# Debian (if using single config)
sudo nano /etc/exim4/exim4.conf.template
SSL/TLS Main Section Configuration
Add these settings to the main configuration section (the part before the first "begin" line):
# TLS Configuration
tls_advertise_hosts = *
# server.crt holds the leaf certificate followed by the intermediate chain
tls_certificate = /etc/exim/ssl/server.crt
tls_privatekey = /etc/exim/ssl/server.key
# CA bundle used to verify certificates presented by clients (see tls_try_verify_hosts);
# it is not what Exim sends to clients
tls_verify_certificates = /etc/exim/ssl/ca-bundle.crt
# TLS Security Settings. This is an OpenSSL cipher string; Debian's exim4 packages are
# built against GnuTLS and take a GnuTLS priority string here instead, for example
# tls_require_ciphers = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
tls_require_ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP
# TLS Protocol Versions (OpenSSL builds only; under GnuTLS the priority string above does this)
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
# TLS Session Parameters
tls_dhparam = /etc/exim/ssl/dh2048.pem
# Compatibility workaround for clients that forget ESMTP state after STARTTLS; not a security setting
tls_remember_esmtp = true
# Listen on 25 (STARTTLS), 587 (submission, STARTTLS) and 465 (implicit TLS).
# Without daemon_smtp_ports Exim listens on port 25 only, so 465 and 587 would be closed.
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
Generate Diffie-Hellman Parameters
Create DH parameters for the DHE-* suites in the cipher list (ECDHE suites do not use them):
sudo openssl dhparam -out /etc/exim/ssl/dh2048.pem 2048
sudo chmod 644 /etc/exim/ssl/dh2048.pem
sudo chown exim:exim /etc/exim/ssl/dh2048.pem                # RPM-based
sudo chown Debian-exim:Debian-exim /etc/exim/ssl/dh2048.pem  # Debian-based
Configure SMTP Authentication with TLS
Add auth_advertise_hosts to the main section and the two authenticators after "begin authenticators". Credentials live in /etc/exim/passwd as "user:crypted-hash" lines; the file must be readable by the Exim user and by nobody else:
# Authentication Configuration
auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
# Plain Authentication (requires TLS)
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}{*:*:*:*}}}}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{yes}}
.endif
# Login Authentication (requires TLS)
login_server:
driver = plaintext
public_name = LOGIN
server_condition = ${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{/etc/exim/passwd}{$value}{*:*:*:*}}}}}{1}{0}}
server_set_id = $auth1
server_prompts = Username:: : Password::
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{yes}}
.endif
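An added example, not from the guide, of managing the credential file the authenticators above look up and of building the AUTH PLAIN token used when testing them. It assumes /etc/exim/passwd holds user:hash lines and that the hash is a glibc SHA-512 crypt string, which crypteq compares with crypt(3) because it carries no {scheme} prefix; openssl passwd -6 needs OpenSSL 1.1.1 or later. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): manage the passwd file read by the
# plain_server/login_server authenticators, and build the SASL PLAIN token for testing.
set -eu

# Print a passwd line for user $1 with a SHA-512 crypt hash of password $2 (random salt).
# In production feed the password with "openssl passwd -6 -stdin" to keep it out of ps/history.
make_passwd_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -6 "$2")"
}

# Return 0 if password $2 matches the hash in passwd line $1. Re-hashing with the
# stored salt is exactly what crypt(3), and therefore Exim's crypteq, does server-side.
verify_passwd_entry() {
    hash=${1#*:}                                   # strip the "user:" prefix
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)    # $6$<salt>$<digest>
    [ "$(openssl passwd -6 -salt "$salt" "$2")" = "$hash" ]
}

# Base64 of "\0user\0password": the AUTH PLAIN initial response ($auth2 = user, $auth3 = password).
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Usage (as root; group is Debian-exim on Debian systems):
#   make_passwd_entry alice 'S3cret!' >> /etc/exim/passwd
#   chown root:exim /etc/exim/passwd && chmod 640 /etc/exim/passwd
# Then, inside the TLS session opened with openssl s_client -starttls smtp:
#   AUTH PLAIN $(auth_plain_token alice 'S3cret!')
```

Because the stored value is a salted crypt hash, a copy of the passwd file does not yield the passwords directly; the server_condition in the authenticators only ever compares, it never needs the plaintext on disk.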
Debian Split Configuration (if applicable)
If using Debian split configuration, the package documentation recommends keeping local settings out of the package-managed files and defining the TLS macros that /etc/exim4/conf.d/main/03_exim4-config_tlsoptions reads in /etc/exim4/conf.d/main/000_localmacros. The certificate files must be owned by or readable to the Debian-exim user:
MAIN_TLS_ENABLE = true
MAIN_TLS_CERTIFICATE = /etc/exim/ssl/server.crt
MAIN_TLS_PRIVATEKEY = /etc/exim/ssl/server.key
MAIN_TLS_VERIFY_CERTIFICATES = /etc/exim/ssl/ca-bundle.crt
To serve 465 and 587 as well as 25, set SMTPLISTENEROPTIONS='-oX 25:465:587 -oP /run/exim4/exim.pid' in /etc/default/exim4 and put tls_on_connect_ports = 465 in a file of your own under /etc/exim4/conf.d/main/ (every file there is concatenated into the main section).
Auth settings in /etc/exim4/conf.d/auth/30_exim4-config_examples:
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/etc/exim4/passwd}{$value}{*:*:*:*}}}}}{1}{0}}
server_set_id = $auth2
server_prompts = :
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{yes}}
Firewall Configuration
RPM-based Systems (CentOS/RHEL/Rocky Linux)
# Allow SMTP ports
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --permanent --add-service=smtps
sudo firewall-cmd --permanent --add-port=587/tcp
sudo firewall-cmd --reload
Debian-based Systems (Ubuntu/Debian)
# Allow SMTP ports
sudo ufw allow smtp
sudo ufw allow smtps
sudo ufw allow 587/tcp
sudo ufw reload
Update Exim Configuration
For Debian Split Configuration
If using Debian’s split configuration system:
sudo update-exim4.conf
Restart Exim Service
# Test configuration syntax
sudo exim -bV
# Restart Exim
sudo systemctl restart exim4 # Debian
sudo systemctl restart exim # RPM-based
sudo systemctl status exim4 # Debian
sudo systemctl status exim # RPM-based
Test SSL/TLS Configuration
Verify SSL/TLS Functionality
Test STARTTLS on port 25:
openssl s_client -connect your-domain.com:25 -starttls smtp
Test SMTPS on port 465:
openssl s_client -connect your-domain.com:465
Test Submission on port 587:
openssl s_client -connect your-domain.com:587 -starttls smtp
Check Exim Logs
Monitor logs for SSL/TLS activity:
# RPM-based systems
sudo tail -f /var/log/exim/main.log
# Debian-based systems
sudo tail -f /var/log/exim4/mainlog
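An added example, not part of the guide, of the check a practitioner would run over these logs once TLS is enforced: find authenticated sessions that ran without TLS and count the negotiated protocol versions. The log lines are constructed to follow Exim's message-received format (<= with P= protocol, X= TLS version and cipher, A= authenticator:user); P=esmtpa means SMTP AUTH without TLS, P=esmtpsa AUTH over TLS. Run the functions against /var/log/exim/main.log or /var/log/exim4/mainlog for real data.

```shell
#!/bin/sh
# Added example (not from the original guide): audit Exim's main log for sessions that
# should not happen once tls_require_ciphers/openssl_options and TLS-only AUTH are in place.
set -eu

# Print received-message lines where authentication happened without TLS (P=esmtpa).
# Each one is a credential that crossed the network in clear.
plaintext_auth_lines() {
    grep -E ' <= .* P=esmtpa( |$)' "$1" || true
}

# Count messages per negotiated TLS version, e.g. "TLS1=1 TLS1.2=1 TLS1.3=1".
tls_version_counts() {
    grep -o ' X=TLS[0-9.]*' "$1" | sed 's/ X=//' | sort | uniq -c \
        | awk '{print $2"="$1}' | paste -sd ' ' -
}

# Count sessions on TLS 1.0/1.1, which openssl_options above should refuse.
# Exim logs TLS 1.0 as "TLS1" (OpenSSL) and may log "TLS1.0"/"TLS1.1" on other builds.
legacy_tls_count() {
    grep -cE ' X=TLS1(\.0|\.1)?:' "$1" || true
}

# Constructed sample log in Exim's mainlog layout (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01 10:00:01 1sAbCd-000123-AB <= alice@example.com H=(laptop) [203.0.113.5] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=plain_server:alice S=1234
2024-05-01 10:00:02 1sAbCe-000124-AB <= bob@example.com H=(phone) [203.0.113.6] P=esmtpa A=login_server:bob S=2345
2024-05-01 10:00:03 1sAbCf-000125-AB <= news@example.net H=mx.example.net [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3456
2024-05-01 10:00:04 1sAbCg-000126-AB <= old@example.org H=mail.example.org [198.51.100.8] P=esmtps X=TLS1:AES256-SHA:256 CV=no S=4567
EOF
}

# Demonstration on the constructed log; point the functions at the live log instead.
demo=$(mktemp)
write_sample_log "$demo"
echo "Plaintext AUTH sessions:"
plaintext_auth_lines "$demo"
echo "TLS versions: $(tls_version_counts "$demo")"
echo "Legacy TLS sessions: $(legacy_tls_count "$demo")"
rm -f "$demo"
```

A non-zero result from plaintext_auth_lines after the auth_advertise_hosts change above means a client is still being offered AUTH in clear, which is worth chasing down before the old configuration is forgotten.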
Test SMTP Authentication
# Test authentication over TLS. telnet cannot speak TLS, so use openssl s_client to
# perform the STARTTLS handshake and then type SMTP commands into the TLS session
# (-crlf sends proper line endings; -quiet also stops "Q"/"R" lines being treated as commands)
openssl s_client -connect your-domain.com:587 -starttls smtp -crlf -quiet
# Then type:
# EHLO your-domain.com
# (the "250-AUTH PLAIN LOGIN" line must appear only now, inside TLS; check it is
#  absent from a plain "telnet your-domain.com 587" EHLO)
# AUTH PLAIN <base64 of "\0username\0password", e.g. from: printf '\0username\0password' | base64>
# Expect: 235 Authentication succeeded
# QUIT
Advanced SSL/TLS Settings
Enhanced Security Configuration
Add these settings for better security. Note which section each belongs to: tls_try_verify_hosts, tls_crl, tls_ocsp_file and log_selector are main-section options; hosts_require_tls, hosts_try_auth and hosts_require_auth are options of the smtp transport and are rejected in the main section.
# --- main section ---
# Ask every client for a certificate and verify it against tls_verify_certificates
# when one is offered, without rejecting clients that have none. Do not use
# tls_verify_hosts = * here: in the main section that demands a verified client
# certificate from every inbound host and rejects ordinary mail.
tls_try_verify_hosts = *
# Additional TLS options
tls_crl = /etc/exim/ssl/crl.pem
# OCSP stapling response for the server certificate (must be refreshed before it expires)
tls_ocsp_file = /etc/exim/ssl/server.ocsp
# TLS logging
log_selector = +tls_certificate_verified +tls_peerdn +tls_sni

# --- add to the existing remote_smtp transport (after "begin transports") ---
remote_smtp:
  driver = smtp
  # Force TLS for specific hosts
  hosts_require_tls = *.secure-domain.com : secure-partner.net
  # Require the server certificate of these hosts to verify against this CA bundle
  tls_verify_hosts = *.secure-domain.com : secure-partner.net
  tls_verify_certificates = /etc/exim/ssl/ca-bundle.crt
  # Outbound SMTP AUTH (only acts if an authenticator has client_* options configured)
  hosts_try_auth = *
  hosts_require_auth = authenticated-relays.com
Create TLS Policy Configuration
Create /etc/exim/tls_policy for per-destination-domain requirements:
sudo nano /etc/exim/tls_policy
Add entries (recipient domain, then the policy keyword):
gmail.com: require_tls
outlook.com: require_tls
partner.com: verify_certificate
Exim has no tls_policy option, so the file has to drive the host-list options of the remote_smtp transport. The lookup key is $domain, the domain being delivered to ($sender_address_domain would select on the sender instead); $domain is only available to transport options when multi_domain is off:
remote_smtp:
  driver = smtp
  multi_domain = false
  # both keywords force TLS to the destination
  hosts_require_tls = ${if inlist{${lookup{$domain}lsearch{/etc/exim/tls_policy}{$value}{}}}{require_tls:verify_certificate}{*}{}}
  # verify_certificate additionally requires the peer certificate to verify
  tls_verify_hosts = ${if eq{${lookup{$domain}lsearch{/etc/exim/tls_policy}{$value}{}}}{verify_certificate}{*}{}}
  tls_verify_certificates = /etc/exim/ssl/ca-bundle.crt
Troubleshooting
Common Issues
Configuration validation:
# Check configuration syntax
sudo exim -bV
sudo exim -C /etc/exim/exim.conf -bV                     # RPM-based
sudo exim4 -C /var/lib/exim4/config.autogenerated -bV    # Debian: the file update-exim4.conf generates
Certificate verification:
# Check certificate validity
openssl x509 -in /etc/exim/ssl/server.crt -text -noout
# Verify certificate chain
openssl verify -CAfile /etc/exim/ssl/ca-bundle.crt /etc/exim/ssl/server.crt
Debug TLS configuration and connections:
# Show how the TLS options were parsed while testing address routing
# (-bt does not open a TLS session, so no handshake appears here)
exim -d+tls -bt test@domain.com
# To watch a real handshake, run a second daemon in the foreground on a spare port
# (-d keeps it attached to the terminal; with -oX it writes no pid file) and connect
# to that port with openssl s_client -starttls smtp
sudo exim -bd -d+tls -oX 2525
Testing
Use our My SSL Pro SSL Checker tool at https://mysslpro.com/tools/ssl-certificate-url-checker
Your Exim mail server now supports secure SSL/TLS encrypted connections for both SMTP and authenticated mail submission.

