Prerequisites

Before you begin, ensure you have:

  • Root access to the server
  • Exim4 installed
  • Your SSL certificate and private key files

Step 1 — Configure Exim for TLS

The configuration method depends on your OS. On Debian/Ubuntu, which use the template system, edit /etc/exim4/conf.d/main/03_exim4-config_tlsoptions if you use the split configuration, or /etc/exim4/exim4.conf.template otherwise, and set the following options:

# Enable TLS
tls_advertise_hosts = *

# Path to certificate and key
tls_certificate = /etc/ssl/certs/mail.yourdomain.crt
tls_privatekey = /etc/ssl/private/mail.yourdomain.key

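# (Optional) CA bundle used to verify certificates presented by connecting hosts.
# Intermediate (chain) certificates for your own certificate belong in the
# tls_certificate file, after the server certificate.
# tls_verify_certificates = /etc/ssl/certs/ca-bundle.crt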
Permissions: Ensure the Exim user (usually Debian-exim or exim) has read access to the certificate and key files.

Step 2 — Update and Restart Exim

On Debian/Ubuntu, update the configuration files and restart the service:

sudo update-exim4.conf
sudo systemctl restart exim4

On CentOS/RHEL, simply restart the service:

sudo systemctl restart exim

Step 3 — Verify Installation

Check if Exim is advertising TLS support by connecting via telnet or openssl:

openssl s_client -connect localhost:25 -starttls smtp

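Look for STARTTLS in the server response. With telnet it appears as a STARTTLS line in the reply to EHLO; with openssl s_client, a completed handshake that prints your certificate confirms that TLS is working.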
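
The script below is an added example, not part of the original guide: it checks the files configured in Step 1 against the permissions note and confirms that the certificate and private key belong together, which is worth doing before the restart in Step 2. The function names are hypothetical, and it assumes openssl, awk and find are installed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Feed it "name = value" lines: a config fragment, or for the effective values
#   exim4 -bP tls_certificate tls_privatekey | check_exim_tls

# Print the value of option $1 from stdin; commented-out lines never match.
opt_value() {
    awk -v name="$1" -F'=' '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == name { val = substr($0, index($0, "=") + 1)
                      gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# Succeed only if the key file exists and "other" can neither read nor write it.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -002 \))" ]
}

# Succeed only if certificate $1 carries the public key of private key $2.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check; print one line per failure and return the failure count.
check_exim_tls() {
    conf=$(cat)
    cert=$(printf '%s\n' "$conf" | opt_value tls_certificate)
    key=$(printf '%s\n' "$conf" | opt_value tls_privatekey)
    fail=0
    { [ -n "$cert" ] && [ -r "$cert" ]; } ||
        { echo "FAIL: certificate missing or unreadable: $cert"; fail=$((fail + 1)); }
    key_perms_ok "$key" ||
        { echo "FAIL: key missing or accessible to other users: $key"; fail=$((fail + 1)); }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: certificate and private key do not match"; fail=$((fail + 1)); }
    return "$fail"
}
```

Run the checks as the Exim user rather than root, so that the readability test reflects that account's access to the files.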