Tip Cache
Your source for tech tips
Tip: Setup SMTP AUTH and TLS with Exim
Posted By: apeiro
This mini HOWTO shows you how to enable TLS and SMTP Authentication for your Exim 4.x server.
TLS (Transport Layer Security)
To begin, make sure Exim was compiled with OpenSSL (or GnuTLS) support.
First, create a self-signed key/cert that is readable by the uid/gid that exim runs as (usually "exim" or "mail").
$ openssl req -x509 -newkey rsa:1024 -keyout exim.key -out exim.crt -days 9999 -nodes
Now, add the following lines somewhere near the top of your exim.conf:
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
tls_advertise_hosts = *
tls_certificate = /usr/share/ssl/certs/exim.crt
tls_privatekey = /usr/share/ssl/private/exim.key
The auth_advertise_hosts line restricts SMTP Authentication to connections that use TLS. This is probably a good idea to keep people from sending their passwords in cleartext.
SMTP Authentication
Your authenticator setup will vary depending on what you verify the user/password credentials against. Most people verify against the user's system password (/etc/passwd and /etc/shadow) or against a separate user/password list used only for SMTP access. We'll cover both here.
Authenticating Against System Passwords
The downside to this approach is that the exim user must be able to read /etc/shadow. If you decide to allow this, the easiest way is to assign group ownership to the exim user and add group read access to the file:
$ chgrp exim /etc/shadow
$ chmod g+r /etc/shadow
Add the following block of text to the authenticators section of your exim.conf:
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_set_id = $2
  server_condition = "${if pam{$2:$3}{1}{0}}"
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_set_id = $1
  server_condition = "${if pam{$1:$2}{1}{0}}"
Authenticating Against Another Password File
If you'd prefer, you can set up Exim to use a separate password file for SMTP authentication. If you don't mind the hassle of maintaining yet another password file, this is probably a good way to go.
First, create a password file that will contain user/password tuples for every person allowed to relay through your mail server. We'll use /etc/exim/passwd here. I'll add some comments to the file that show how to encrypt the passwords with plain old Perl.
# This file allows a user to authenticate a mail submission to the Exim
# MTA without using their system password (found in /etc/shadow).
#
# Each line of this file should contain a "user:password:comment" field,
# where the password is encrypted using MD5 and encoded as a hexadecimal
# string. Please note that this format is NOT the same as is used by
# /etc/shadow! You can disable a user from ever sending (authenticated)
# messages by using "*" as the password.
#
# You can use the following Perl command line to generate the password:
#
# perl -MDigest::MD5=md5_hex -e 'print md5_hex($ARGV[0]),"\n"' password
#
# (replace "password" with your password, of course).
####################
# System users #
####################
root:*:
###################
# Local users #
###################
someguy:9e6be879f50db909633f002cbf938998:
Next, add this text to the authenticators section of your exim.conf:
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_set_id = $2
  server_condition = "\
    ${if exists{/etc/exim/passwd}\
    {${lookup{$2}lsearch{/etc/exim/passwd}\
    {${if crypteq{$3}{\\\{md5\\\}${extract{1}{:}{$value}{$value}fail}}\
    {true}{false} }}\
    {${if pam{$2:${sg{$3}{:}{::}} }\
    {true}{false}} } }}\
    {${if pam{$2:${sg{$3}{:}{::}} }\
    {true}{false} }} }"
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_set_id = $1
  server_condition = "\
    ${if exists{/etc/exim/passwd}\
    {${lookup{$1}lsearch{/etc/exim/passwd}\
    {${if crypteq{$2}{\\\{md5\\\}${extract{1}{:}{$value}{$value}fail}}\
    {true}{false} }}\
    {${if pam{$1:${sg{$2}{:}{::}} }\
    {true}{false}} } }}\
    {${if pam{$1:${sg{$2}{:}{::}} }\
    {true}{false}} }}"
You'll notice the server_condition directives are a bit long and hairy. That's because we've added a fallback to PAM (system auth) if the exim password file doesn't exist. If you don't need this, you can remove it.
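As an added illustration that is not part of the original tip, this Python model walks through the same decision the server_condition above makes for a PLAIN or LOGIN attempt, using the password file format described earlier: missing file or unknown user falls back to PAM, a listed user is checked against the MD5 hex digest only, and "*" never matches. The sample file, its hash and the fake_pam stand-in are constructed here.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

def md5_hex(password: str) -> str:
    # Same encoding as the Perl one-liner in the password file comments.
    return hashlib.md5(password.encode()).hexdigest()

def parse_passwd(text: str) -> Dict[str, str]:
    # user:password:comment lines; '#' and blank lines are skipped. Only the
    # first field after the user is kept, like ${extract{1}{:}{$value}}.
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, rest = line.partition(":")
            entries[user] = rest.partition(":")[0]
    return entries

def crypteq_md5(candidate: str, stored: str) -> bool:
    # Model of crypteq against a {md5} hex digest: a stored "*" (or anything
    # that is not 32 hex chars) never matches, which is how accounts are disabled.
    if len(stored) != 32 or any(c not in "0123456789abcdefABCDEF" for c in stored):
        return False
    return hmac.compare_digest(md5_hex(candidate), stored.lower())

def check_smtp_auth(user: str, password: str, passwd_text: Optional[str],
                    pam: Optional[Callable[[str, str], bool]] = None) -> bool:
    # Same decision tree as the server_condition: file missing -> PAM,
    # user not in file -> PAM, user in file -> MD5 check only (no PAM retry).
    pam_check = pam or (lambda u, p: False)   # no PAM configured -> deny
    if passwd_text is None:                   # ${if exists{...}} is false
        return pam_check(user, password)
    entries = parse_passwd(passwd_text)
    if user not in entries:                   # lsearch found no line
        return pam_check(user, password)
    return crypteq_md5(password, entries[user])

# Constructed sample file in the page's format (hash generated here, not copied).
SAMPLE_PASSWD = "\n".join([
    "# System users", "root:*:",
    "# Local users", f"someguy:{md5_hex('constructed-example-pw')}:",
])

def fake_pam(user: str, password: str) -> bool:
    # Stand-in for the PAM fallback; a real server would consult libpam.
    return (user, password) == ("other", "pampw")
```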
