Overview
This article briefly explains how to use Exim to ensure that outbound mail to specific domains is sent over TLS, so that communication with those domains is always encrypted. It assumes that you have already built Exim with TLS support and that the remote mail servers accept TLS sessions.
Router configuration
Under the routers section of the Exim config file, add a new router called tls_domains that looks like this:
tls_domains:
  driver = dnslookup
  domains = securepartner.com:nextpartner.com
  transport = tls_smtp
Here, we tell Exim to use the dnslookup driver to look up the MX records for the domains listed in the domains option, and we explicitly tell it to deliver via the tls_smtp transport, which we'll add next.
Transport configuration
Now we'll add a new transport in the transports section of the Exim config file that looks something like this:
tls_smtp:
  driver = smtp
  hosts_require_tls = *
This transport tells Exim to deliver using the smtp driver and that every host it delivers to requires TLS. If a TLS session cannot be negotiated, Exim does not fall back to a cleartext connection and the message is not delivered.
Check routing
You should now be able to ask Exim how it would route mail for these domains, as in the example below:
exim -bt marcs@securepartner.com
marcs@securepartner.com
  router = tls_domains, transport = tls_smtp
  host mail.securepartner.com [192.168.12.1] MX=10
Logs
The Exim main log should now show something like this for a successful TLS delivery:
1MxJip-0002v8-9v => marcs@securepartner.com R=tls_domains T=tls_smtp H=192.168.12.1 [192.168.12.1] X=TLSv1:DHE-RSA-AES256-SHA:256
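As an added check that is not part of the original article, the following script scans Exim main-log delivery lines and flags any delivery to one of the protected domains that did not go through the tls_smtp transport or that carries no X= (TLS) field. The log lines are constructed samples in Exim's log format, not real log data; the domain list and transport name are the ones from the configuration above.

```python
import re

# Constructed sample lines in Exim main-log format (not real log data).
# Line 1 mirrors the article's successful TLS delivery; line 2 is a
# constructed cleartext delivery that a correctly applied policy must never produce.
SAMPLE_LOG = """\
2009-10-12 10:01:02 1MxJip-0002v8-9v => marcs@securepartner.com R=tls_domains T=tls_smtp H=192.168.12.1 [192.168.12.1] X=TLSv1:DHE-RSA-AES256-SHA:256
2009-10-12 10:05:17 1MxJn1-0002vQ-4b => alice@nextpartner.com R=dnslookup T=remote_smtp H=192.168.12.2 [192.168.12.2]
2009-10-12 10:07:44 1MxJpC-0002vZ-0a => bob@example.org R=dnslookup T=remote_smtp H=192.168.12.3 [192.168.12.3]
2009-10-12 10:09:01 1MxJqT-0002w1-7k <= sender@example.net H=[192.168.12.9] P=esmtp S=1234
"""

# Domains covered by the tls_domains router in the article's configuration.
PROTECTED_DOMAINS = {"securepartner.com", "nextpartner.com"}
TLS_TRANSPORT = "tls_smtp"

# A delivery line: optional "date time", message id, "=>", recipient, then fields.
DELIVERY_RE = re.compile(
    r"^(?:\S+ \S+ )?(?P<msgid>\S+) => (?P<rcpt>\S+@(?P<domain>[^\s@]+))(?P<rest>.*)$"
)
# R= router, T= transport, X= TLS protocol:cipher:bits (absent on cleartext deliveries).
FIELD_RE = re.compile(r"\b(?P<key>[RTX])=(?P<val>\S+)")


def parse_delivery(line):
    """Return a dict for an Exim '=>' delivery line, or None for any other line."""
    m = DELIVERY_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "msgid": m.group("msgid"),
        "rcpt": m.group("rcpt"),
        "domain": m.group("domain").lower(),
        "router": fields.get("R"),
        "transport": fields.get("T"),
        # X= proves an encrypted session was used; it says nothing about
        # certificate verification, which hosts_require_tls alone does not do.
        "tls": fields.get("X"),
    }


def find_cleartext_to_protected(log_text, protected=PROTECTED_DOMAINS):
    """Return (msgid, rcpt, transport) for every delivery to a protected domain
    that bypassed the TLS-only transport or shows no TLS session."""
    findings = []
    for line in log_text.splitlines():
        d = parse_delivery(line)
        if d is None or d["domain"] not in protected:
            continue
        if d["transport"] != TLS_TRANSPORT or d["tls"] is None:
            findings.append((d["msgid"], d["rcpt"], d["transport"]))
    return findings
```

Run it over /var/log/exim4/mainlog (or wherever your build writes the main log); any finding means a protected domain matched a router other than tls_domains, which is the usual sign of a typo in the domains list or a more general router placed ahead of it.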
