draenor.org

Inbound TLS with Exim
Jan. 29, 2012, 6:42 p.m.

Overview

This article briefly explains how to use Exim to ensure that inbound mail to specific domains is received over TLS, giving you an encrypted inbound channel. It assumes that you have already built Exim with TLS support and that the remote mail server will be delivering to you via TLS.

Generate a CSR

Certificates are a little beyond the scope of this article, but essentially you will first need to generate a CSR, which then needs to be signed by a certificate authority such as Entrust or Verisign. To do this, follow these simple steps:

# openssl genrsa -out host.key 1024
# chmod 400 host.key
# openssl req -new -nodes -key host.key -out host.csr

You'll be asked to enter information for your host, organisation etc. Once the CSR is generated, send it to your certificate authority and they will send you back the signed cert.

Files

Now, copy the host.key file into your Exim config directory and make sure that it is readable by the user that will be running Exim. You'll also copy the signed cert to this directory. I call mine cert.pem; it should be world-readable but not writable.
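The permission rules above are easy to get wrong during a rushed deploy, so here is a small audit script, added for this article and not part of Exim or the original post, that checks a key/cert pair the way the text describes: the private key must be readable only by its owner (ideally the Exim user), and the certificate must be readable by everyone but writable by nobody else. The `demo()` helper builds a throwaway config directory with constructed placeholder files so the check can be exercised offline; the real paths and Exim uid are whatever your installation uses.

```python
"""Audit the file permissions of an Exim TLS key/certificate pair (added example)."""
import os
import stat
import tempfile
from typing import List, Optional


def audit_tls_files(key_path: str, cert_path: str, exim_uid: Optional[int] = None) -> List[str]:
    """Return a list of findings; an empty list means the layout matches the article."""
    findings: List[str] = []

    key_st = os.stat(key_path)
    key_mode = stat.S_IMODE(key_st.st_mode)
    # The private key must not be readable, writable or executable by group or others.
    if key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{key_path}: private key is accessible to group/others (mode {key_mode:04o})")
    # ...but the owner (the Exim user) must still be able to read it, or TLS will fail to start.
    if not key_mode & stat.S_IRUSR:
        findings.append(f"{key_path}: private key is not readable by its owner")
    if exim_uid is not None and key_st.st_uid != exim_uid:
        findings.append(f"{key_path}: owned by uid {key_st.st_uid}, expected Exim's uid {exim_uid}")

    cert_st = os.stat(cert_path)
    cert_mode = stat.S_IMODE(cert_st.st_mode)
    # The certificate is public, so world-readable is fine; writable by anyone else is not.
    if cert_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{cert_path}: certificate is writable by group/others (mode {cert_mode:04o})")
    if not cert_mode & stat.S_IROTH:
        findings.append(f"{cert_path}: certificate is not world-readable (mode {cert_mode:04o})")
    return findings


def demo(key_mode: int, cert_mode: int) -> List[str]:
    """Build a temporary config dir with constructed placeholder files and audit it."""
    with tempfile.TemporaryDirectory() as confdir:
        key = os.path.join(confdir, "host.key")
        cert = os.path.join(confdir, "cert.pem")
        with open(key, "w") as f:
            f.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not a real key)\n")
        with open(cert, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder, not a real cert)\n")
        os.chmod(key, key_mode)
        os.chmod(cert, cert_mode)
        # The current uid stands in for the Exim user in this offline demo.
        return audit_tls_files(key, cert, exim_uid=os.getuid())


if __name__ == "__main__":
    print("good layout:", demo(0o400, 0o444) or "no findings")
    print("bad layout: ", demo(0o644, 0o666))
```

Run it as-is for the demo, or call `audit_tls_files("/etc/exim/host.key", "/etc/exim/cert.pem", exim_uid=<uid of your Exim user>)` against a live config directory; the bad layout in the demo (a 0644 key and a 0666 cert) reports both problems.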

Exim Configuration

Now, let's add four simple lines to Exim:

CONFDIR=/etc/exim
tls_certificate = CONFDIR/cert.pem
tls_privatekey = CONFDIR/host.key
tls_advertise_hosts = *

Essentially, this tells Exim where the certificate and private key files are stored and which hosts it should advertise TLS to. In my case, I want to advertise TLS to every host that connects to us. If it's working, you should see something like this in your log files (P=esmtps and the X= field show that the message arrived over TLS):

2009-11-10 10:48:19 1N7mOa-000PUi-Rt <= user@partner H=obfuscate.this.com [127.0.0.3] P=esmtps X=TLSv1:RC4-SHA:128 S=45231 id=0BC88D75D3848B4B84410DB823A6F62901F819F0@EXVS135RC102.this.com T="Swimsuit Boutique"
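Eyeballing one log line confirms the setup once, but what you actually want to know on an ongoing basis is whether every partner delivering to those domains really uses TLS, and with what. The following script is an added example, not part of the article or of Exim: it parses Exim main-log arrival lines (`<=`), pulls the `P=` protocol and the `X=version:cipher:bits` field (plus `CV=` certificate-verification status where a newer Exim logs it), and flags messages that arrived in the clear or over a cipher no current peer should offer (the RC4-SHA in the line above is one such). The sample log is constructed; hostnames, addresses and message ids are placeholders.

```python
"""Audit Exim main-log arrival lines for inbound TLS use (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in Exim main-log format: one TLSv1/RC4 delivery (as in the article),
# one plain-text delivery, one modern TLS 1.2 delivery with a verified client cert,
# and one outbound delivery line ("=>") that the parser must ignore.
SAMPLE_LOG = """\
2009-11-10 10:48:19 1N7mOa-000PUi-Rt <= user@partner H=obfuscate.this.com [127.0.0.3] P=esmtps X=TLSv1:RC4-SHA:128 S=45231 id=msg1@example T="Swimsuit Boutique"
2009-11-10 10:50:02 1N7mQH-000PV0-Aa <= other@partner H=mx.partner.example [192.0.2.10] P=esmtp S=1200 id=msg2@example T="plain text"
2009-11-10 10:51:40 1N7mRs-000PVq-Qb <= admin@partner H=mx2.partner.example [192.0.2.11] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes S=2048 id=msg3@example T="modern"
2009-11-10 10:52:11 1N7mSN-000PW3-Zz => recipient@local R=local_user T=local_delivery
"""

ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
HOST_RE = re.compile(r"\bH=(?P<host>\S+)(?: \[(?P<ip>[^\]]+)\])?")
FIELD_RE = re.compile(r'\b(?P<key>[A-Z]{1,2})=(?P<val>"[^"]*"|\S+)')
# Cipher-name fragments that identify ciphers a modern peer should never negotiate.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


@dataclass
class InboundMessage:
    msgid: str
    host: str
    ip: Optional[str]
    protocol: str
    tls_version: Optional[str]
    cipher: Optional[str]
    bits: Optional[int]
    cert_verified: Optional[bool]  # None when Exim logged no CV= field

    @property
    def status(self) -> str:
        if self.tls_version is None:
            return "no_tls"
        if any(m in (self.cipher or "").upper() for m in WEAK_CIPHER_MARKERS):
            return "weak_cipher"
        return "ok"


def parse_arrival(line: str) -> Optional[InboundMessage]:
    """Parse one main-log line; returns None for anything that is not a '<=' arrival."""
    m = ARRIVAL_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    fields = {f.group("key"): f.group("val") for f in FIELD_RE.finditer(rest)}
    host = HOST_RE.search(rest)
    tls_version = cipher = None
    bits = None
    if "X" in fields:  # X=<version>:<cipher>:<bits>
        parts = fields["X"].split(":")
        tls_version = parts[0]
        if len(parts) > 1:
            cipher = parts[1]
        if len(parts) > 2 and parts[2].isdigit():
            bits = int(parts[2])
    cv = fields.get("CV")
    return InboundMessage(
        msgid=m.group("msgid"),
        host=host.group("host") if host else "",
        ip=host.group("ip") if host else None,
        protocol=fields.get("P", ""),
        tls_version=tls_version,
        cipher=cipher,
        bits=bits,
        cert_verified=None if cv is None else cv == "yes",
    )


def audit(log_text: str) -> List[InboundMessage]:
    """All arrival records in a chunk of main log, in file order."""
    return [msg for msg in map(parse_arrival, log_text.splitlines()) if msg is not None]


def non_tls_hosts(log_text: str) -> List[str]:
    """Hosts that delivered at least one message in the clear, i.e. the ones to chase up."""
    return sorted({msg.host for msg in audit(log_text) if msg.status == "no_tls"})


if __name__ == "__main__":
    for msg in audit(SAMPLE_LOG):
        print(f"{msg.msgid} {msg.host} [{msg.ip}] P={msg.protocol} "
              f"X={msg.tls_version}:{msg.cipher}:{msg.bits} CV={msg.cert_verified} -> {msg.status}")
    print("cleartext senders:", non_tls_hosts(SAMPLE_LOG))
```

Point `audit()` at the contents of your real main log (for example `/var/log/exim/mainlog`, wherever your build puts it) and filter by `host` or sender domain to cover just the partners you care about. Note that `tls_advertise_hosts = *` only offers TLS; it does not force it, so a partner that ignores STARTTLS still shows up here as `no_tls` and nothing on the Exim side alone will have stopped that delivery.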