Exim4 Configuration For A SSL Certificate

This page show you how to configure Exim4 to use a SSL Server Certficate. This example was used on a Debian System, but should be similar for most other systems.

The examples show how to get a certificate from CAcert.org - a free certificate provider1

Generate Local Server-side Certificate

Run the command: 

/usr/share/doc/exim4-base/examples/exim-gencert

(adding the '--force' option if you have already done this once. This is a debian specific operation, and there is no analogous step needed on other systems

Then execute: 

openssl req -new -key /etc/exim4/exim.key -out /etc/exim4/exim.csr

supplying values at the prompt.

Further advice on generating a certificate can be found in the CACert Help.

Generate CACert Certificate

Create a new server certificate using the web menues within the CAcert.org pages and paste the contents of the file /etc/exim4/exim.csr where prompted.

Then copy what is generated to the file /etc/exim4/exim.crt (over-writing its existing contents).

Update Exim configuration files

For split-file configuration (debian only), edit the file /etc/exim4/conf.d/main/03_exim4-config_tlsoptions and uncomment: 

# log_selector = +tls_cipher +tls_peerdn
# tls_advertise_hosts = *
# tls_certificate = CONFDIR/exim.crt
# tls_privatekey = CONFDIR/exim.key

Then, activate the exim4 changes by: 

update-exim4.conf

Alternatively (or if you are not a debian user) edit your exim config file and add the following options to the first section of your configuration file : 

log_selector = +tls_cipher +tls_peerdn
tls_advertise_hosts = *
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key

In either case you need to restart exim:- 

/etc/init.d/exim4 restart

or your appropriate similar command.

Reference

Following help file taken from Debian Exim4 package: http://cvs.alioth.debian.org/cgi-bin/cvsweb.cgi/~checkout~/exim/exim/debian/README.TLS?rev=1.12&content-type=text/plain&cvsroot=pkg-exim4

This document was lifted from the CAcert.org wiki and modified to make a little more general. The original source is at http://wiki.cacert.org/wiki/Exim4Configuration

  1. You will however had to previously set up a login with CAcert.org - a process that includes email verification - and have demonstrated an administrator or owner link to the domain you are requesting certificates for (1)

EximWiki: EximServerSslCertificate (last edited 2011-03-28 10:35:40 by GraemeFowler)