Linux – Exim: Authenticated and TLS mail through smarthost

Exim is a very flexible and common MTA (mail transfer agent) on Unix systems.
This post shows how to configure Exim as a client to send authenticated and encrypted (TLS) emails through a smarthost.

Let's suppose the smarthost email server is listening on port 587 for secure outgoing SMTP…

Configure exim to use the smarthost

To configure Exim on Debian systems (if you have visited previous posts, you probably know I am a Debian fan):

dpkg-reconfigure exim4-config

(Only showing the screens related to the goal we want to achieve)

Configure exim as satellite (mail sent by smarthost; no local domain)

Set the smarthost hostname[::port] (for example

If you need to configure exim by editing the config file (instead of using dpkg-reconfigure), these are the related values:


Configure credentials to authenticate

Exim has a password file called passwd.client that allows configuring a list of credentials associated with each smarthost. On my Debian 9, the full path is /etc/exim4/passwd.client

Edit the file to add the credentials

# password file used when the local exim is authenticating to a remote
# host as a client.
# see exim4_passwd_client(5) for more documentation
# Example:
### target.mail.server.example:login:password

Test it

Send a mail and check exim logs (/var/log/exim4/mainlog)…

2017-12-19 13:29:52 1eRH1r-0003vG-U8 => R=smarthost T=remote_smtp_smarthost [] X=TLS1.0:RSA_AES_256_CBC_SHA1:256 CV=no DN="C=ES,ST=MyState,L=MyCity,O=MyORG,OU=MyOU," A=plain C="250 ok:  Message 8285030 accepted"

… and smarthost logs if available (in this example a Cisco Ironport):

Tue Dec 19 13:29:52 2017 Info: SMTP Auth: (ICID 44485983) succeeded for user: smtpuser using AUTH mechanism: PLAIN with profile: SMTP_TLS
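
The mainlog check can be scripted. The following is an added example, not part of the original post: it reads delivery lines for the remote_smtp_smarthost transport and flags deliveries with no TLS (no X= field), no authentication (no A= field), an unverified server certificate (CV= not "yes") or TLS 1.0/1.1. The sample lines, the host smarthost.example, the function names and the verdict names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit smarthost deliveries in Exim's mainlog.
# Assumes the default line layout: date, time, message id, "=>", then fields.

# Constructed sample lines (hosts and addresses are placeholders).
sample_log() {
cat <<'EOF'
2017-12-19 13:29:52 1eRH1r-0003vG-U8 => user@example.org R=smarthost T=remote_smtp_smarthost H=smarthost.example [192.0.2.25] X=TLS1.0:RSA_AES_256_CBC_SHA1:256 CV=no DN="C=ES,O=MyORG" A=plain C="250 ok: accepted"
2017-12-19 13:31:07 1eRH3b-0003vQ-Aa => user@example.org R=smarthost T=remote_smtp_smarthost H=smarthost.example [192.0.2.25] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="C=ES,O=MyORG" A=plain C="250 ok: accepted"
2017-12-19 13:35:40 1eRH7k-0003vZ-Bb => user@example.org R=smarthost T=remote_smtp_smarthost H=smarthost.example [192.0.2.25] C="250 ok: A=plain X=fake"
EOF
}

# Reads mainlog lines on stdin; prints "<message-id> <verdict>" per delivery.
audit_smarthost() {
    awk '
    $4 == "=>" && /T=remote_smtp_smarthost/ {
        line = $0
        gsub(/"[^"]*"/, "", line)   # drop quoted DN and SMTP reply text
        n = split(line, f, " ")
        tls = ""; cv = ""; auth = ""
        for (i = 5; i <= n; i++) {
            if (f[i] ~ /^X=/)  tls  = substr(f[i], 3)   # TLS version:cipher:bits
            if (f[i] ~ /^CV=/) cv   = substr(f[i], 4)   # certificate verified?
            if (f[i] ~ /^A=/)  auth = substr(f[i], 3)   # authenticator used
        }
        issues = ""
        if (tls == "") {
            issues = issues ",NO_TLS"
        } else {
            # GnuTLS builds log TLS1.0, OpenSSL builds log TLSv1
            if (tls ~ /^(SSL|TLSv?1(\.[01])?:)/) issues = issues ",OLD_TLS"
            if (cv != "yes")                     issues = issues ",CERT_UNVERIFIED"
        }
        if (auth == "") issues = issues ",NO_AUTH"
        print $3, (issues == "" ? "OK" : substr(issues, 2))
    }'
}

# Demo on the constructed sample.
# On a real host: audit_smarthost < /var/log/exim4/mainlog
sample_log | audit_smarthost
```

The delivery logged in this post shows CV=no, meaning Exim did not verify the smarthost's certificate. In that state the TLS session protects the PLAIN credentials from passive eavesdropping only, not from an impersonated server.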

One thought on “Linux – Exim: Authenticated and TLS mail through smarthost”

  1. Hi – thank you for this. It looks almost exactly like what I’m trying to get working, but with one exception: I do have local mail too, with the clients (Thunderbird on laptops; K9mail on smartphones) doing IMAP and SMTP to my exim4 MTA. If any of these (or other processes on the machine with Exim on) sends an email addressed only to one of these local hosts, it duly gets delivered locally, without the need to send it out on the Internet – just what I want. Obviously, email for other domains needs to go out by SMTP, via my ISP’s smart host. My ISP tells me that they accept this using TLS on port 587, and gives me the username and password to authenticate this. Now, I get all this, as well as the need to use TLS to protect these login credentials from eavesdroppers, and I’ve done what everybody says to do, except to set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS, which I don’t believe I need to do, and looks dodgy to me, but I just can’t get Exim4 to send my outgoing mail. (Or, maybe, my ISP isn’t accepting it.) Now, I see that, in your example, you use the ‘satellite’ configuration, rather than ‘smarthost’, which appears to apply more closely to my situation. So, my question is, would I still be able to do all of the above, with these hosts on my local domain, if I use “satellite” as you suggest, or, if not, and I go on using “smarthost” as I’m doing now, how do I get outgoing SMTP to authenticate correctly and send out my emails?
    Many thanks in anticipation!

