Encryption, Authenication and other SMTP Processing

Exim can use encryption and authenticated connections, you can also use Access Control Lists (ACL's). I have only just touched the surface of this subject so you might want to check out the full documentation at the official Exim web site.

Encrypted SMTP Connections

RFC3207 defines how SMTP connections can use encryption between to hosts, once a connections is established the client issues a STARTTLS command. If the server accepts this request, the two hosts negotiate an encryption mechanism to be used for all subsequent data transfers. Exim uses the TLS protocol which is implemented by making use of the OpenSSL or GnuTLS library, so either of these must be installed. When using encryption you should have a good idea what public keys, private keys and certificates are, if not then I suggest you have a look on the web.

Once you have built Exim which included TLS support, you need to configure the following options in order to use TLS

tls options tls_advertise_hosts = *
tls_certificate = /etc/secure/exim/certs
tls_privatekey = /etc/secure/exim/privkey

Once the above have been set then the server will work as an encrypting server. You can request client certificates by using the two options below

request client certs

tls_verify_hosts = <host>           ## if client matches and has no cert abort TLS connection
tls_try_verify_hosts = <host>       ## if client matches and has no cert session continues (use ACL)

Note: both of the above are host lists

When a client does connect successfully you can use the variable $tls_cipher to name the cipher used during the connection, it is included in the Received: header line. The distinguished name in the clients cert is available via the variable $tls_peerdn this is not logged in any header lines by default.

You have a number of option if you wish to configure Exim to use TLS as a client

client TLS options

hosts_avoid_tls = <host list>       ## do not use TLS on these SMTP servers
hosts_require_tls = <host list>     ## force encryption on SMTP servers

tls_verify_certificates = <file name>  ## check the servers cert
tls_require_ciphers = <cipher list>    ## only use specific ciphers   

SMTP Authentication

Exim uses ACLs to control which incoming messages it accepts, both for relaying and for local delivery. One way of controlling relaying is by checking the sending host. When a server that supports authentication is sent a EHLO command it advertises a number of authentication mechanisms. When the client wants to authenticate it sends the SMTP command AUTH LOGIN (login is one of the many authentication methods, others include cram-mds, plain). ACLs are implemented to control what a client can and cannot do.

The are a number of authentication mechanisms, i list the common ones here

PLAIN is described in RFC2595, it requires 3 concatenated data strings separated by binary zero. The second and third strings are a user/password pair, the first string in not need and is empty. It is efficient in that it requires only a single command and response.
LOGIN not described by any RFC but is used by Pine and Outlook, it is again based on username/password pair but prompted for separately, it is less efficient than PLAIN because it uses three interactions to obtain the data.
CRAM-MD5 is described in RFC2195 and avoids transmitting unencrypted passwords over the network. the server sends a challenge string and the client sends back a username, followed by a space and the MD5 digest of the challenge string concatenated with a a password. The server computes the MD5 digest of the same string and compares this with what it has received. This method only requires two interactions.

You can advertise which hosts can use authentication using the option auth_advertise_hosts and supply a list of hosts. You can find out what is available on server by using telnet.

what authentications are available

$ telnet some.server.example 25
220 some.server.example ESMTP Exim 4.05 Mon 13 May 2002 10:24:00:18 +0100
EHLO client.domain.example
250-some.server.example Hello client.domain.example []
250-SIZE 20971520
250-AUTH PLAIN CRAM-MD5                        ## the authentication methods available
250 HELP

There is a section in the configuration file that sets up the authenticators, it starts at begin authenticators, the configuration options can be a server or a client option which will be defined as either server_ or client_, so you may see both in a authenticator.

You can use Exim's-bh option to test authentication but the data must be in encoded in base64 (you can use mimencode).

There are a number of options that all authenticators use, all the options are unset by default

driver This option must be set and can be either plaintext or cram_md5
public_name This options specifies the name of the authentication mechanism that the driver implements and by which it is known to the outside world for example PLAIN, LOGIN, CRAM-MD5.
server_condition you can use this option as an additional authentication or authorization mechanism that is applied after the other authenticator has succeeded
server_set_id used to populate the variable $authenticated _id


SMTP over TCP/IP is the only way of transferring messages to and from other hosts. There a number of SMTP commands that you may want to know

VRFY verifies an email address
EXPN lists the expansion of an alias or mailing list
TURN this has now been deprecated due to security reasons, but it was used to switch the roles of the client and server
ETRN this has replaced the turn command by overcoming the security issues. ACLs are used to control this command.

Batched SMTP

Messages that are in batched SMTP format can be passed to Exim by using the -bS command-line option, this causes exim to accept one or more messages by reading SMTP on the standard input but to generate no SMTP responses.