
Enabling STARTTLS and certificate verification in Exim

Make sure to use exim 4.33 or newer, as older versions are vulnerable to a buffer overflow!
Guninski security advisory #68

  1. Obtain a certificate, using the server name for the Common Name (CN). This may be the value from primary_hostname in the exim configuration.

    Upon completion you will have a private-key file (host.key) and public-key (certificate) file (host.cert). Rename the files as needed, or adjust the values in the next step.

  2. Edit your configure file (sometimes called exim.conf), adding these lines:
    tls_advertise_hosts = *
    tls_try_verify_hosts = *
    tls_verify_certificates = /usr/local/etc/exim/certs/cacert.pem
    tls_certificate = /usr/local/etc/exim/certs/host.cert
    tls_privatekey = /usr/local/etc/exim/certs/host.key
    log_selector = +tls_peerdn
    
    received_header_text = "Received: \
        ${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
        {${if def:sender_ident {from ${sender_ident} }}\
        ${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
        by ${primary_hostname} \
        ${if def:received_protocol {with ${received_protocol}}} \
        ${if def:tls_cipher {($tls_cipher)\n\t}}\
        ${if def:tls_peerdn {($tls_peerdn)(verified=$tls_certificate_verified)\n\t}} \
        (Exim ${version_number} #${compile_number})\n\t\
        id ${message_id}\
        ${if def:received_for {\n\tfor $received_for}}"
    

  3. The following lines should be added to the remote_smtp: transport to ensure that Exim, acting as a client, sends its certificate to the server:
    remote_smtp:
      driver = smtp
      tls_certificate = /usr/local/etc/exim/certs/host.cert
      tls_privatekey = /usr/local/etc/exim/certs/host.key
    

  4. To get Exim to respect verified certificates on inbound transactions, adjust the acl_check_rcpt: ACL accordingly. The warn statement logs the DN of a verified peer, and the final accept lets a peer whose certificate verified deliver to any recipient:
    acl_check_rcpt:
    
      accept  hosts = :
    
      deny    local_parts   = ^.*[@%!/|] : ^\\.
    
      accept  local_parts   = postmaster
              domains       = +local_domains
    
      accept  hosts         = +relay_from_hosts
    
      accept  authenticated = *
    
      warn  log_message = verified peer dn $tls_peerdn
            condition = $tls_certificate_verified
    
      accept condition = $tls_certificate_verified
    

  5. Create your /usr/local/etc/exim/certs folder and put the files there.
    mkdir /usr/local/etc/exim/certs
    cp host.key host.cert /usr/local/etc/exim/certs/
    

  6. You'll also want a CA certificate for verifying your MTA peers. You may download the Credentia CA certificate from here. Other CA certificates (VeriSign, Thawte, Geotrust, etc.) can simply be exported from Internet Explorer (Windows) or Netscape/Mozilla (Unix/Linux).
    cat credca2.crt >> /usr/local/etc/exim/certs/cacert.pem
    

  7. Now restart Exim and you're done. Watch the mainlog to see the STARTTLS in action. You can also view the message header Received: line(s).
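As an added example for step 7 (my code, not part of this page or of Exim itself), the script below reads a few constructed mainlog lines in the shape Exim writes when log_selector = +tls_peerdn is set (X= is the cipher of the TLS session, DN= the peer's certificate DN) and sorts each inbound (<=) and outbound (=>) message into cleartext, TLS without a peer certificate, or TLS with a peer certificate. The sample lines, hostnames and message ids are constructed; the parser is mine.

```python
import re

# Constructed sample mainlog lines (not real traffic). Layout follows Exim's
# log format: "<=" is a message arrival, "=>" a delivery; X= holds the TLS
# cipher (logged by default), DN= the peer certificate DN (log_selector
# +tls_peerdn). A line with no X= field was a cleartext SMTP session.
SAMPLE_MAINLOG = """\
2004-06-12 10:15:22 1BZabc-0001Xy-Qh <= alice@example.com H=mx.example.net [192.0.2.10] P=esmtps X=TLSv1:AES256-SHA:256 DN="/C=US/O=Example/CN=mx.example.net" S=1532
2004-06-12 10:16:03 1BZabd-0001Xz-1a <= bob@example.org H=relay.example.org [192.0.2.20] P=esmtp S=820
2004-06-12 10:17:41 1BZabe-0001Y0-Tp <= carol@example.net H=smtp.example.net [192.0.2.30] P=esmtps X=TLSv1:AES256-SHA:256 S=2210
2004-06-12 10:18:05 1BZabc-0001Xy-Qh => dave@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.40] X=TLSv1:AES256-SHA:256 DN="/C=US/O=Example/CN=mx.example.com"
"""

# timestamp, message id, direction flag, and the rest of the line
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<id>\S+) (?P<flag><=|=>) (?P<rest>.*)$')
# KEY=value fields; DN values are double-quoted because they contain spaces/'='
FIELD_RE = re.compile(r'(?P<key>[A-Z]+)=(?P<val>"[^"]*"|\S+)')


def parse_line(line):
    """Return a dict for an arrival (<=) or delivery (=>) line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'id': m.group('id'),
        'direction': 'in' if m.group('flag') == '<=' else 'out',
        'host': fields.get('H'),
        'cipher': fields.get('X'),    # None: the session was not encrypted
        'peer_dn': fields.get('DN'),  # None: the peer presented no certificate
    }


def audit(log_text):
    """Group (message id, direction) pairs by how the SMTP session was protected.

    DN= only shows a certificate was presented; whether it verified against
    tls_verify_certificates is recorded by the warn ACL and the Received:
    header configured above, not by this field."""
    report = {'cleartext': [], 'tls_no_cert': [], 'tls_with_cert': []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['id'], rec['direction'])
        if rec['cipher'] is None:
            report['cleartext'].append(key)
        elif rec['peer_dn'] is None:
            report['tls_no_cert'].append(key)
        else:
            report['tls_with_cert'].append(key)
    return report
```

Feeding the real mainlog to audit() after the restart shows at a glance which peers still deliver in cleartext and which present a certificate.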

See Also

Encrypted SMTP connections using TLS/SSL - official Exim documentation
RFC 3207 - SMTP Service Extension - Secure SMTP over TLS
Exim - official website