We all know how important it is to secure web servers with encryption. As I’ve mentioned before, port 80 HTTP should be considered deprecated at this point!

Just as important (potentially more so), but often overlooked, is to ensure that your email server is also secure.

STARTTLS is a technology that lets you upgrade a standard SMTP connection to an encrypted session. In the same way that HTTPS secures the web, STARTTLS secures email in transit from your mail client to the server, and from server to server. This makes it much harder to passively read the traffic, and having more encrypted traffic on the internet is only ever a good thing.

This only protects email in transit between servers, of course, so it is not a replacement for end-to-end encryption methods like PGP, but it does complement them… and since most email is still sent insecurely, this adds extra security without requiring your users to do any extra work.

It’s easy to set up (for Exim at least), and it transparently runs on port 25, so there’s no reason not to!

Generate your keys

As with web, you’ll need a server key and certificate file.

For my public mail and MX relay servers, I decided to use certificates from a valid certificate authority. Clients, and some relaying servers, will throw a certificate error for self-signed certificates, but others will not. Better safe than sorry, and since I already had a valid certificate on my site for the server in question, I simply recycled the certificate.

If this is your internal server, you can use a certificate signed by your own certificate authority, supported by the machines in your organisation.

The default exim configuration expects to find certificates in /etc/exim4/exim.key and /etc/exim4/exim.crt.

Enable TLS

The basic STARTTLS configuration is enabled by simply editing exim4.conf.template and setting MAIN_TLS_ENABLE = yes in the tlsoptions section. Restart exim and you should have STARTTLS support enabled.

As with a web server, you can configure ciphers etc. at this stage. On my server at least, the defaults seemed reasonably strong, but as we learn which ciphers have been compromised by GCHQ and the NSA, we might need to tweak these.

Test your configuration

Next, you should test your configuration.

The simplest way to do this is to use a program called swaks, which you should find in your distro’s package repository.

swaks -a -tls -q HELO -s mail.example.com -au test -ap '<>'

This should produce a result something like…

=== Trying mail.example.com:25...
=== Connected to mail.example.com.
.
.
.
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started w/ cipher ECDHE-RSA-AES256-GCM-SHA384
=== TLS peer subject DN="/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com"
.
.
.
 ~> QUIT
<~  221 mail.example.com closing connection
=== Connection closed with remote host.

If you get an error when starting TLS, examine your exim log for the cause.
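The swaks transcript above tells you more than whether TLS started: the `<-` prefix marks server lines received in plaintext and `<~` marks lines received inside the TLS session, so you can also see which EHLO capabilities the server offered before encryption was negotiated (AUTH should only ever appear after STARTTLS). The script below is an added example, not code from the original post or from the Exim or swaks projects: it parses a constructed transcript in that format, flags the findings a reviewer would care about, and includes a live check built on Python's smtplib that connects, requires STARTTLS, and validates the certificate chain and hostname against the system trust store. The hostnames, address and cipher in the sample are placeholders.

```python
"""Check an SMTP server's STARTTLS setup: offline from a swaks transcript,
or live via smtplib. Added example; assumes the swaks '<-' / '<~' line
prefixes shown on the page and a Python 3 standard library."""
import re
import smtplib
import ssl

# Constructed sample transcript mirroring swaks output (placeholder names).
SAMPLE_TRANSCRIPT = """\
=== Trying mail.example.com:25...
=== Connected to mail.example.com.
<-  220 mail.example.com ESMTP Exim
 -> EHLO client.example.net
<-  250-mail.example.com Hello client.example.net [192.0.2.10]
<-  250-SIZE 52428800
<-  250-STARTTLS
<-  250 HELP
 -> STARTTLS
<-  220 TLS go ahead
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS peer DN="/CN=mail.example.com"
 ~> EHLO client.example.net
<~  250-mail.example.com Hello client.example.net [192.0.2.10]
<~  250-AUTH PLAIN LOGIN
<~  250 HELP
 ~> QUIT
<~  221 mail.example.com closing connection
"""


def analyze_transcript(text):
    """Parse a swaks transcript and return what was observed on each channel."""
    findings = {
        "starttls_offered": False,  # 250-STARTTLS in the plaintext EHLO reply
        "tls_started": False,       # '=== TLS started' line present
        "cipher": None,             # cipher string as swaks printed it
        "auth_before_tls": False,   # AUTH offered on the plaintext channel
        "auth_after_tls": False,    # AUTH offered inside the TLS session
    }
    for line in text.splitlines():
        if line.startswith("<-"):            # plaintext server line
            reply = line[2:].strip()
            if re.match(r"250[- ]STARTTLS\b", reply):
                findings["starttls_offered"] = True
            if re.match(r"250[- ]AUTH\b", reply):
                findings["auth_before_tls"] = True
        elif line.startswith("<~"):          # server line inside TLS
            reply = line[2:].strip()
            if re.match(r"250[- ]AUTH\b", reply):
                findings["auth_after_tls"] = True
        else:
            # swaks prints either "TLS started w/ cipher X" or
            # "TLS started with cipher TLSv1.2:X:256" depending on version.
            m = re.match(r"=== TLS started w(?:ith|/) cipher (\S+)", line)
            if m:
                findings["tls_started"] = True
                findings["cipher"] = m.group(1)
    return findings


def verdict(findings):
    """Return a list of problems; an empty list means the setup looks sound."""
    problems = []
    if not findings["starttls_offered"]:
        problems.append("STARTTLS not advertised in plaintext EHLO")
    if not findings["tls_started"]:
        problems.append("TLS session never established")
    if findings["auth_before_tls"]:
        problems.append("AUTH advertised before STARTTLS (credentials could be sent in clear)")
    cipher = findings["cipher"]
    if cipher:
        parts = cipher.split(":")
        name = parts[1] if len(parts) == 3 else parts[0]
        # ECDHE/DHE suites and all TLS 1.3 suites (TLS_*) provide forward secrecy.
        if not name.startswith(("ECDHE-", "DHE-", "TLS_")):
            problems.append(f"cipher {name} lacks forward secrecy")
    return problems


def live_starttls_check(host, port=25, timeout=10):
    """Connect, insist on STARTTLS, and validate the certificate the way a
    strict client would. Returns (cipher_tuple, auth_offered_before_tls).
    Needs network access, so it is not exercised by the offline demo below."""
    ctx = ssl.create_default_context()   # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        auth_before = smtp.has_extn("auth")
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()                        # capabilities must be re-read after TLS
        return smtp.sock.cipher(), auth_before


if __name__ == "__main__":
    found = analyze_transcript(SAMPLE_TRANSCRIPT)
    print(found)
    print("problems:", verdict(found) or "none")
```

Run swaks with its output redirected to a file and feed that file to `analyze_transcript`; for the live check, `live_starttls_check("mail.example.com")` will raise an `ssl.SSLCertVerificationError` if the certificate does not chain to a trusted CA or does not match the hostname, which is exactly the error a strict relaying server would hit against a self-signed certificate.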

2 thoughts on “Configuring STARTTLS in Exim”

  1. Hi! As advised in /usr/share/doc/exim4-base/README.Debian.gz, you’d better not modify the exim4.conf.template file, but rather create a /etc/exim4/exim4.conf.localmacros file.

  2. Installing (apt-get install exim4) and configuring (dpkg-reconfigure exim4-config) exim4. Updating the server with update-exim4.conf.
    In a subsequent step, the mail server is configured for TLS. A self signed certificate is generated by executing /usr/share/doc/exim4-base/examples/exim-gencert. MAIN_TLS_ENABLE = yes in /etc/exim4/conf.d/main/03_exim4-config_tlsoptions enables TLS. In /etc/exim4/conf.d/auth/30_exim4-config_examples, the sections with plain_saslauthd_server and login_saslauthd_server need to be uncommented.
    Allowed email users are added to exim4 using /usr/share/doc/exim4-base/examples/exim-adduser. The password file /etc/exim4/passwd should be protected: chown root:Debian-exim /etc/exim4/passwd followed by chmod 640 /etc/exim4/passwd. For each of these users a home directory is needed to deliver the mail (calling adduser <name> on Ubuntu).
    Configuring SASL by installing it (apt-get install sasl2-bin) and editing START=yes in /etc/default/saslauthd. Finally, exim4 needs to be a member of the sasl group: adduser Debian-exim sasl. The server needs a restart: systemctl restart saslauthd.
    At the end, updating (update-exim4.conf) and restarting (systemctl restart exim4) might be a good idea.
    For exim4 to work, the firewall should open TCP ports 25 and 587 (SSL).

    swaks
    With the help of swaks (the swiss army knife for SMTP), the exim4 server can be tested:

    swaks -a -tls -q HELO -s smtp_host -au test -ap '<>'
    

    A working connection looks like:

    === Trying smtp_host:25...
    === Connected to smtp_host.
    <-  220 xxx ESMTP Exim 4.88 Ubuntu Fri, 09 Jun 2017 17:18:17 +0200
     -> EHLO xxx
    <-  250-xxx Hello xxx [some ip]
    <-  250-SIZE 52428800
    <-  250-8BITMIME
    <-  250-PIPELINING
    <-  250-STARTTLS
    <-  250-PRDR
    <-  250 HELP
     -> STARTTLS
    <-  220 TLS go ahead
    === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
    === TLS no local certificate set
    === TLS peer DN="Certificate details"
     ~> EHLO xxx
    <~  250-xxx Hello xxx [some ip]
    <~  250-SIZE 52428800
    <~  250-8BITMIME
    <~  250-PIPELINING
    <~  250-AUTH PLAIN LOGIN
    <~  250-PRDR
    <~  250 HELP
     ~> QUIT
    <~  221 xxx closing connection
    

    There was a minor hiccup after installing swaks and testing the exim4 server, because the above call returned:

    *** TLS not available: requires Net::SSLeay.  Exiting
    

    This Perl module had to be installed for swaks by starting cpan and calling install Net::SSLeay.
    Resources
    Configuring STARTTLS in exim