
Using client certificates for authentication in Exim

This document describes the configuration changes necessary to get the Exim MTA to use a client-side certificate to authenticate to the CSAIL mail relay. It is intended to cover both Exim 3 and 4, and while it assumes that you're using Debian, the process should be very similar on other systems.

In Debian 3.0, you need to have the exim-tls package installed, which has support for cryptographic functions included. Crypto support is left out of the plain exim package. (Debian's Exim 4 packages, exim4-daemon-light and exim4-daemon-heavy, are both built with TLS support.)

The first requirement is to create a client side certificate, signed by the CSAIL certificate authority. You need the openssl package installed to generate a certificate signing request. Run the following commands as root:

      $ umask 077
      $ openssl req -newkey rsa:2048 -nodes \
      > -out client.req -keyout client.key
      $ chown root:mail client.key
      $ chmod 640 client.key

OpenSSL will prompt you for input several times, but you should accept the defaults (just press enter) at all prompts except for Common Name. At the Common Name prompt, enter the fully-qualified domain name of your computer. (If your computer is mobile and doesn't have a static IP address, you should register it in WebDNS first, and then wait an hour. The Certificate Authority will not accept requests for certificates if the name is not in the CSAIL domain or is not found.)

At this point, you will have two new files in the current directory, client.req and client.key. client.key is the private key for the certificate and needs to be kept secure. It should be owned by root and readable by the group Exim runs as: mail for Exim 3 on Debian 3.0, Debian-exim for Debian's Exim 4 packages. It should not be world-readable! Copy client.key to /etc/exim/.

The client.req file is the certificate signing request; it contains only the public key and the name you entered, so sending it is safe and the private key never leaves your machine. You need to send this to the Certificate Authority using the Web interface at You must already have a personal CSAIL client certificate to authenticate yourself to the CA. If your request is acceptable, the CA will respond with a signed client certificate, which will also be sent to you at your CSAIL email address and any other address you provided on the request form. The actual encoded certificate is the blob of text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Copy all that text, including the delimiter lines, to a file called /etc/exim/client.pem. This file may be world-readable.
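
The key and CSR steps above, scripted non-interactively, together with the checks worth running on the certificate the CA returns before it goes into /etc/exim/: that the key file has no permission bits for "other", that the certificate's public key really belongs to client.key, that its Common Name is the FQDN you requested, and that it chains to the CA the relay trusts. This is an added example, not part of the original page: the FQDN and file names are placeholders, and sign_with_local_ca creates a throwaway local CA purely so the script runs offline; in practice client.req goes to the CSAIL CA as described.

```shell
#!/bin/sh
# Added example (not from the original page). Throwaway local CA stands in for
# the CSAIL CA; FQDN and file names are placeholders.
set -eu

# Generate a 2048-bit RSA key and a CSR whose only non-default field is the
# Common Name (the host's FQDN), which is what answering the prompts yields.
# umask 077 keeps the key private from the moment it is written.
make_csr() {  # make_csr FQDN KEYFILE CSRFILE
  fqdn=$1; key=$2; csr=$3
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$key" -out "$csr" 2>/dev/null )
  chmod 640 "$key"   # owner rw, group r (the group Exim runs as), nobody else
}

# Succeed only if "other" has no permission bits on the file (chars 8-10 of
# ls -l): the page's rule that client.key must not be world-readable.
key_is_private() {  # key_is_private KEYFILE
  case "$(ls -ld "$1" | cut -c8-10)" in
    ---) return 0 ;;
    *)   return 1 ;;
  esac
}

# The signed certificate must carry the public half of our private key;
# compare the public keys rather than trusting file names.
key_matches_cert() {  # key_matches_cert KEYFILE CERTFILE
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Extract the CN from the subject in RFC 2253 form, which is stable across
# OpenSSL versions, so the requested FQDN can be checked.
cert_cn() {  # cert_cn CERTFILE
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Verify the certificate chains to the given CA; a certificate from any other
# CA would be presented to the relay and then rejected by it.
cert_signed_by() {  # cert_signed_by CAFILE CERTFILE
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-in for the CA step (constructed for offline use, NOT the CSAIL CA):
# create a throwaway CA in DIR and sign CSRFILE into CERTFILE.
sign_with_local_ca() {  # sign_with_local_ca DIR CSRFILE CERTFILE
  dir=$1; csr=$2; cert=$3
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Local test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl x509 -req -in "$csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 1 -out "$cert" 2>/dev/null
}

# Run the whole sequence in a scratch directory; return 0 only if every check
# passes, i.e. the files would be safe to copy into /etc/exim/.
check_client_cert() {  # check_client_cert FQDN
  fqdn=$1
  dir=$(mktemp -d)
  make_csr "$fqdn" "$dir/client.key" "$dir/client.req"
  sign_with_local_ca "$dir" "$dir/client.req" "$dir/client.pem"
  if key_is_private "$dir/client.key" \
     && key_matches_cert "$dir/client.key" "$dir/client.pem" \
     && [ "$(cert_cn "$dir/client.pem")" = "$fqdn" ] \
     && cert_signed_by "$dir/ca.pem" "$dir/client.pem"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}
```

Running `check_client_cert host.example.org && echo ready` exercises all four checks against a locally signed certificate; against the real CA you would call make_csr, submit client.req, save the returned blob as client.pem, and then run key_is_private, key_matches_cert, cert_cn and cert_signed_by (with the CSAIL CA certificate) on the real files.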

Edit the Exim configuration file, /etc/exim/exim.conf (Debian's Exim 4 packages keep their configuration under /etc/exim4/ instead). Search for the section entitled "TRANSPORTS CONFIGURATION". Change the remote_smtp configuration block in the transports section to look like this:

       remote_smtp:
         driver = smtp
         tls_certificate = /etc/exim/client.pem
         tls_privatekey = /etc/exim/client.key

At this point, once you restart Exim, it will present your new certificate whenever it starts a TLS session with a remote server. Note that Exim only starts TLS when the server advertises STARTTLS; to a host that does not, it delivers in the clear with no certificate presented at all, so for the relay you should require TLS (hosts_require_tls on the smtp transport in Exim 4). With this configuration in place, you can use as a "smarthost" and relay all your mail through it, regardless of whether the mail is destined for addresses at CSAIL or not. Getting Exim to use outgoing as a smarthost is accomplished by having the following lines as the only configuration lines in the "ROUTERS CONFIGURATION" section of the config file (in the domainlist router's route_list, the relay's host name goes between * and bydns_a):

         driver = domainlist
         transport = remote_smtp
         route_list = "* bydns_a"
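
The transport and router above use Exim 3 syntax. As an added example, not from the original page, here is the Exim 4 equivalent, which the page says it covers but does not show. RELAY_HOST is a placeholder for the CSAIL relay's name, which this copy of the page does not preserve; the /etc/exim4/ paths assume Debian's Exim 4 layout (exim4.conf.template or a conf.d/ snippet), and the key file there should be group-readable by Debian-exim rather than mail.

```exim
# Added example, not from the page: Exim 4 equivalents of the Exim 3 fragments.
# RELAY_HOST is a placeholder for the relay's name; /etc/exim4/ is Debian's layout.

begin transports

remote_smtp:
  driver = smtp
  tls_certificate = /etc/exim4/client.pem
  tls_privatekey  = /etc/exim4/client.key
  # Without this, a relay that does not offer STARTTLS (or an on-path attacker
  # that strips it) gets the mail in the clear and sees no certificate.
  hosts_require_tls = RELAY_HOST
  # Optional: also check the relay's own certificate against the system CA bundle
  # (verification semantics changed across Exim 4 releases; check your version).
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

begin routers

# Exim 4 has no "domainlist" driver; manualroute with a "*" domain pattern
# sends everything, local domains included, to the relay, as the page does.
smarthost:
  driver = manualroute
  transport = remote_smtp
  route_list = * RELAY_HOST
```

After editing, `exim4 -bV` (or `exim -bV`) reports configuration syntax errors, and `exim4 -bt user@example.org` shows which router and transport an address would take, which is the quickest way to confirm everything is routed to RELAY_HOST.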
Topic revision: 10 Jul 2009, amitra
