Exim4 with Dovecot in SSL on Debian Jessie

For some reason it is always a struggle to configure a simple SMTP/IMAP service on a fresh VPS.
Here are some basic steps for Debian Jessie to get a secure server up and running in no time.

step 1 - install all packages

You will need exim4-daemon-heavy (not the default exim4-daemon-light package) and dovecot:

apt-get install exim4-daemon-heavy dovecot-imapd

step 2 - configure exim

Just run the default setup like so:

dpkg-reconfigure exim4-config

  • config type: internet
  • mail system name: hostname of machine
  • IP-addresses to listen on for incoming SMTP connections: 127.0.0.1 ; x.x.x.x (your public IP)
  • other domains: localhost ; yourdomain.com ; otherdomain.com
  • relaying for: localhost ; yourdomain.com ; otherdomain.com
  • machines to relay: empty
  • shrink DNS queries: choose what you like
  • mail storage type: Maildir format (needed for IMAP)
  • separate configuration files: no

Now open /etc/exim4/exim4.conf.template in your favorite editor.
Go to line ~322, or search for the ### main/03_exim4-config_tlsoptions section, and add the following:

AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes
MAIN_TLS_ENABLE = yes

Now go to line ~1805, or search for ### auth/30_exim4-config_examples, and add the following:

# PLAIN: the client sends "authzid NUL username NUL password"; $2 is the username, $3 the password
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if pam{$2:$3}{1}{0}}"
server_set_id = $2
# Unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined above, only advertise AUTH once TLS is up
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

# LOGIN: username and password are prompted for separately; $1 is the username, $2 the password
login_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if pam {$1:$2}{yes}{no}}"
server_set_id = $1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

Save and exit.

Now prepare the exim4 SSL self-signed certificate by running:

/usr/share/doc/exim4/examples/exim-gencert

This will add an exim.crt and an exim.key to the /etc/exim4/ directory.

Now let Exim authenticate users through PAM: create a file called /etc/pam.d/exim containing:

#
# The PAM config file for exim SMTP
# /etc/pam.d/exim
#

#
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.

@include common-auth
@include common-account
@include common-password
@include common-session

Finally, add the Debian-exim user (the uid exim4 runs as) to the shadow group (adduser takes the user first, then the group):

adduser Debian-exim shadow

step 3 - configure dovecot

Move the old dovecot config out of the way,

mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig

and create a new /etc/dovecot/dovecot.conf with the following contents:

protocols = imap
listen = *
disable_plaintext_auth = yes
auth_verbose = yes
auth_failure_delay = 15 secs

ssl = required
ssl_cert = </etc/exim4/exim.crt
ssl_key = </etc/exim4/exim.key

userdb {
driver = passwd
}

passdb {
driver = pam
}

# Run auth service for Exim SMTP server
service auth {
unix_listener auth-client {
mode = 0660
group = Debian-exim
}
}

# Ensure we have a login process
service imap-login {
process_min_avail = 1
}

# Local imap configuration
protocol imap {
mail_max_userip_connections = 30
imap_idle_notify_interval = 2 mins
}

namespace inbox {
inbox = yes
location = maildir:~/Maildir
prefix =
separator = /
}

step 4 - restart and test services

Restart both services:

service exim4 restart
service dovecot restart

Check Exim's SMTP service with, for example, telnet:

> telnet localhost 25
220 domain ESMTP Exim 4
> EHLO localhost
250-AUTH PLAIN LOGIN
250-STARTTLS

If both AUTH and STARTTLS are listed, you are all set.
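Note why the telnet check shows AUTH next to STARTTLS: this configuration defines AUTH_SERVER_ALLOW_NOTLS_PASSWORDS, so the .ifndef blocks in both authenticators are skipped and Exim advertises AUTH on the still-unencrypted session; leave the macro undefined and AUTH is only offered after STARTTLS has completed. The shell script below is an added example, not code from the original post. It parses an EHLO reply the way the telnet test reads it and reports whether STARTTLS is offered and whether AUTH is offered before TLS. The two replies and the hostname mail.example.org are constructed samples (the first reply is what this post's configuration produces, the second what Exim sends with the macro undefined); the openssl commands show how to run the same check inside TLS against a live server.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an SMTP EHLO reply.

# Constructed sample: EHLO reply with AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = yes
ehlo_with_macro='250-mail.example.org Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP'

# Constructed sample: EHLO reply with the macro left undefined (AUTH only after STARTTLS)
ehlo_without_macro='250-mail.example.org Hello localhost [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP'

# ehlo_features < reply : prints "starttls=yes|no auth=yes|no mechanisms=<list or ->"
ehlo_features() {
    awk '
        /^250[ -]STARTTLS[ \r]*$/ { tls = 1 }
        /^250[ -]AUTH /           { auth = 1; sub(/^250[ -]AUTH /, ""); sub(/\r$/, ""); mech = $0 }
        END {
            printf "starttls=%s auth=%s mechanisms=%s\n",
                   (tls ? "yes" : "no"), (auth ? "yes" : "no"), (auth ? mech : "-")
        }
    '
}

# plaintext_auth_exposed < reply : exit 0 when AUTH is offered on the unencrypted
# session, i.e. a client is allowed to send its password in clear on port 25
plaintext_auth_exposed() {
    case "$(ehlo_features)" in
        *auth=yes*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Live checks against a real server (not run here). Once the TLS handshake
# completes, type "EHLO test" to see the capabilities offered inside TLS.
live_smtp_tls_check() { openssl s_client -connect "${1:-localhost}:25" -starttls smtp -crlf; }
live_imap_tls_check() { openssl s_client -connect "${1:-localhost}:993" -crlf; }

printf '%s\n' "$ehlo_with_macro"    | ehlo_features   # starttls=yes auth=yes mechanisms=PLAIN LOGIN
printf '%s\n' "$ehlo_without_macro" | ehlo_features   # starttls=yes auth=no mechanisms=-
```

Pipe a captured reply into plaintext_auth_exposed to get a yes/no exit status you can use in a post-install check; with this post's configuration it exits 0, which is the trade-off the macro makes.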

Debugging mail delivery is beyond the scope of this post, but a good place to start is tailing all exim4 logs:

tail -f /var/log/exim4/*

and start sending / receiving test emails.

Common issues I encountered

Hostname (SMTP relay)

Some mailservers will not accept your email because the hostname is incorrect. This is easy to fix if you know what to do (I did after months of debugging:)
This is what the hostname commands should return:

hostname
>local_hostname (ex. cybertim)

hostname -i
>public_ip

hostname -f
>FQDN (ex. cybertim.net)

When there are rejection issues, you will notice that hostname doesn't return these values correctly (for instance, -f also returns the local hostname).
Set it straight in the /etc/hosts file like this:

127.0.0.1 localhost.localdomain localhost
public_ip FQDN local_hostname

Test the hostname commands again and it should be okay.
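The order of names on the public-IP line matters because the resolver's files backend takes the first /etc/hosts line whose name fields contain the short hostname and treats that line's first name as the canonical name: that is what hostname -f prints, and hostname -i prints that line's address. The script below is an added example, not part of the original post. It predicts both values from a given hosts file so you can check the layout before restarting services, and it covers the general case (short name listed on an earlier loopback line, names swapped, name missing entirely) rather than only the swapped order the post mentions. The names cybertim and cybertim.net come from the post, 203.0.113.10 is a documentation-range placeholder, the function names are this example's own, and it models only the "files" nsswitch backend, so DNS entries are ignored.

```shell
#!/bin/sh
# Added example (not from the original post): predict hostname -f / hostname -i
# from an /etc/hosts file and check them against the expected FQDN and IP.

# hosts_lookup FILE SHORTNAME : prints "IP CANONICAL" from the first line whose
# name fields contain SHORTNAME (comments and blank lines are skipped); prints
# nothing when the name is absent
hosts_lookup() {
    awk -v s="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == s) { print $1, $2; exit } }
    ' "$1"
}

# check_hosts FILE SHORTNAME FQDN PUBLIC_IP : exit 0 when the file would make
# hostname -f return FQDN and hostname -i return PUBLIC_IP
check_hosts() {
    file=$1 short=$2 fqdn=$3 ip=$4
    set -- $(hosts_lookup "$file" "$short")
    if [ $# -lt 2 ]; then
        echo "FAIL: $short is not listed in $file at all"
        return 1
    fi
    got_ip=$1 got_canon=$2
    if [ "$got_canon" != "$fqdn" ]; then
        echo "FAIL: hostname -f would return '$got_canon', expected '$fqdn'"
        return 1
    fi
    if [ "$got_ip" != "$ip" ]; then
        echo "FAIL: hostname -i would return '$got_ip', expected '$ip'"
        return 1
    fi
    echo "OK: $short -> $fqdn ($ip)"
    return 0
}

# Constructed samples: a broken layout (short name also on the loopback line,
# which then wins as the first match) and the layout the post recommends.
bad=$(mktemp); good=$(mktemp)
printf '127.0.0.1 localhost.localdomain localhost cybertim\n203.0.113.10 cybertim.net cybertim\n' > "$bad"
printf '127.0.0.1 localhost.localdomain localhost\n203.0.113.10 cybertim.net cybertim\n' > "$good"
check_hosts "$bad"  cybertim cybertim.net 203.0.113.10 || true   # FAIL: hostname -f would return 'localhost.localdomain' ...
check_hosts "$good" cybertim cybertim.net 203.0.113.10           # OK: cybertim -> cybertim.net (203.0.113.10)
rm -f "$bad" "$good"
```

Run it as check_hosts /etc/hosts "$(hostname)" your.fqdn your_public_ip; if it reports OK but the real hostname -f still disagrees, the answer is coming from DNS or another nsswitch source rather than from /etc/hosts.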

Permission issues

I noticed permission issues on some installations when starting exim4; you can check this by starting exim4 and checking its status:

service exim4 status

You will probably need to set these straight for exim4 (log and spool directories):

chown -R Debian-exim:adm /var/log/exim4
chown -R Debian-exim:root /var/spool/exim4
chown -R Debian-exim:Debian-exim /var/spool/exim4/scan
chmod g+rw /var/log/exim4
chmod g+r /var/spool/exim4

Happy mailing!