Configuration

Exim uses a single configuration file by default, /etc/exim/exim.conf. The file is well documented internally and works without modification in many cases; here, however, all outbound mail must be forced through a smart-host relay while local delivery is still allowed for one local account (the junkmail user). To accomplish this we alter the order of one router and add another.

Exim handles its mail with a combination of Access Control Lists (ACLs), routers and transports. The drawing below outlines this:-

Incoming mail is first subjected to ACL checks to decide whether the MTA will handle it at all. On an internet-facing mail server these typically check that forward and reverse DNS agree (the sending host's name matches its PTR record) and whether the sending server appears on a blacklist; if a check fails, the mail is rejected at that point, during the SMTP conversation. Because nothing has been accepted, no undeliverable mail is left on the system and no backscatter is generated. Mail that passes the ACLs is then handled by the routers, which decide where each address goes, and by the transports, which perform the actual delivery.

begin routers

localuser:
  driver = accept
  local_parts = junkmail
  # check_local_user
  # local_part_suffix = +* : -*
  # local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user

smarthost:
  driver = manualroute
  domains = *
  transport = remote_smtp
  route_data = mailhost.prod.wagerware.net

Local deliveries (that is, to users who have an account on the system) need only a user name, not a full email address. I want astringer@wagerworks to reach me rather than be delivered locally, even though I have a local account, so the localuser router carries the line local_parts = junkmail: it attempts a local delivery only for the user "junkmail". For any other local part that precondition does not match, the router is skipped, and the address is passed to the next router. junkmail's messages go to the local_delivery transport, which appends them to the user's mail file in /var/spool/mail/. To use a mail relay (inet01) we add a second router, smarthost: a manualroute router that sends every domain (domains = *) to mailhost.prod.wagerware.net via the remote_smtp transport. Routers run in the order they appear in the config file, so localuser must come before smarthost; otherwise smarthost, matching every domain, would claim the junkmail address as well. Routers only decide where already-accepted mail goes; whether a connecting client may submit mail for arbitrary domains is decided earlier, by the RCPT ACL, so domains = * here does not by itself make the host an open relay. The routing can be checked without sending anything with exim -bt junkmail and exim -bt someone@example.com, which print the router and transport that would handle each address.

Since gy-asp-inet01 (or more accurately qmail's config) doesn't handle TLS very well, all TLS config is commented out:- Note that these options only stop this server advertising STARTTLS to hosts that connect to it. When Exim delivers outbound it still attempts STARTTLS whenever the remote host offers it, which is why the test logs further down show TLS errors even with these lines commented out.

#tls_advertise_hosts = *

#tls_certificate = /etc/pki/tls/certs/exim.pem
#tls_privatekey = /etc/pki/tls/private/exim.pem

TLS Configuration

In order to pass email securely, TLS is used to encrypt SMTP between servers (and between clients and servers, although that is not used here). As with HTTPS, the server presents an X.509 certificate during the handshake; it carries the server's public key and identity, and the private key proves ownership of it. For opportunistic TLS between MTAs a self-signed certificate is adequate: it defeats passive eavesdropping, but a peer has no way to verify it, so it gives no protection against an active attacker impersonating the relay unless the peer is configured to trust that specific certificate. The process below generates one. Note that the command as run in 2011 produces a 1024-bit key with an MD5 signature (visible in the openssl x509 output further down); both are obsolete, and a current build should use rsa:2048 or larger and -sha256 (the default signature digest in OpenSSL 1.1.0 and later):-

[root@gy-asp-web01 exim]# pwd
/etc/exim
[root@gy-asp-web01 exim]# openssl req -x509 -newkey rsa:1024 -keyout exim.key -out exim.crt -days 9999 -nodes
Generating a 1024 bit RSA private key
...++++++
....................++++++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:Guernsey
Locality Name (eg, city) [Newbury]:St Peter Port
Organization Name (eg, company) [My Company Ltd]:IGT Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gy-asp-web01
Email Address []:
[root@gy-asp-web01 exim]# ls -l
total 68
-rw-r--r--  1 root mail 28471 Mar 16 12:26 exim.conf
-rw-r--r--  1 root root  1090 Mar 16 12:43 exim.crt
-rw-r--r--  1 root root   887 Mar 16 12:43 exim.key
-rw-r--r--  1 root root 15575 Aug 25  2005 sa-exim.conf
-rw-r--r--  1 root root  2777 Aug 25  2005 sa-exim_short.conf

After generating the certificate, you can check its contents with the command below. Note from the ls -l output above that openssl wrote exim.key mode 0644, readable by every local user. Restrict it before pointing Exim at it, for example chmod 640 with the group set to the one Exim runs under (Exim reads the key after dropping root), then restart Exim and watch main.log for TLS errors to confirm it can still read the file:-

[root@gy-asp-web01 exim]# openssl x509 -text -in exim.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=GB, ST=Guernsey, L=St Peter Port, O=IGT Ltd, CN=gy-asp-web01
        Validity
            Not Before: Mar 16 12:43:27 2011 GMT
            Not After : Jul 31 12:43:27 2038 GMT
        Subject: C=GB, ST=Guernsey, L=St Peter Port, O=IGT Ltd, CN=gy-asp-web01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:b4:ad:f7:56:4a:35:b1:ba:11:1d:6e:5c:44:
                    ----edited----
                    ee:ed:d2:49:68:41:03:1b:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            7E:8F:10:1D:1F:71:9A:E7:DD:EC:A7:DC:0B:51:1C:41:D5:7D:B8:7E
            X509v3 Authority Key Identifier:
            keyid:7E:8F:10:1D:1F:71:9A:E7:DD:EC:A7:DC:0B:51:1C:41:D5:7D:B8:7E
            DirName:/C=GB/ST=Guernsey/L=St Peter Port/O=IGT Ltd/CN=gy-asp-web01
            serial:00

            X509v3 Basic Constraints:
            CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        24:21:85:fb:ad:e0:4e:42:c3:c6:89:66:f9:cc:ed:90:39:78:
        ----edited----
        43:73
-----BEGIN CERTIFICATE-----
MIIC9zCCAmCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBhMQswCQYDVQQGEwJHQjER
----Edited----
j+rGe++KPhr5JrsHtKy8otyKtD5iFPzgGA8ZaGimkc3uR1O4GEHcphdDcw==
-----END CERTIFICATE-----
[root@gy-asp-web01 exim]#

You can examine the key contents with the command below. It prints the entire private key (modulus, exponents and primes), so do not run it on a shared terminal or paste its output into a ticket or chat:-

[root@gy-asp-web01 exim]# openssl rsa -text -in exim.key
Private-Key: (1024 bit)
modulus:
  00:cf:b4:ad:f7:56:4a:35:b1:ba:11:1d:6e:5c:44:
  ----edited----
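
The following script is an added example, not code from the wiki page or from Exim. It repeats the page's self-signed certificate procedure with parameters acceptable today (a 2048-bit key and a SHA-256 signature, a shorter lifetime), creates the key with restrictive permissions rather than the 0644 seen in the ls -l output, and performs the checks a practitioner wants before pointing tls_certificate and tls_privatekey at the files: that the key really belongs to the certificate, what signature algorithm was used, the key's permission bits, and how long the certificate remains valid. The subject fields copy the page's; the directory and hostname passed in are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Exim: generate a
# self-signed certificate/key pair the way the page does, but with
# parameters acceptable today (RSA 2048, SHA-256 signature, a lifetime
# short enough that rotation gets practised), create the key with
# restrictive permissions, and check the pair before pointing
# tls_certificate / tls_privatekey at it.  The subject fields copy the
# page's; the directory and hostname passed in are assumptions.

set -eu

# Generate exim.crt and exim.key in directory $1 for hostname $2.
# Same "openssl req -x509 -newkey ... -nodes" invocation as the page,
# with -subj so it runs non-interactively.
gen_exim_cert() {
    dir=$1
    host=$2
    umask 077   # key is created 0600, not the world-readable 0644 in the page's ls -l
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 825 \
        -subj "/C=GB/ST=Guernsey/L=St Peter Port/O=IGT Ltd/CN=$host" \
        -keyout "$dir/exim.key" -out "$dir/exim.crt" 2>/dev/null
    chmod 644 "$dir/exim.crt"   # the certificate is public; only the key is secret
}

# Echo "match" if the public key inside certificate $1 is the one in
# key file $2, "mismatch" otherwise.  Comparing the RSA modulus of both
# is the usual check; a mismatch is what you get after renewing the
# certificate while exim.conf still points at the old key.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Echo the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
# The page's certificate shows md5WithRSAEncryption, which peers now reject.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Echo the octal permission bits of file $1 (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Echo "ok" if certificate $1 stays valid for at least $2 more seconds,
# "expiring" otherwise; suitable for a cron job that warns before renewal.
cert_expiry_status() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1 && echo ok || echo expiring
}

# Stand-alone demonstration in a scratch directory.
scratch=$(mktemp -d)
gen_exim_cert "$scratch" gy-asp-web01
echo "key matches cert: $(cert_key_match "$scratch/exim.crt" "$scratch/exim.key")"
echo "signature alg:    $(cert_sig_alg "$scratch/exim.crt")"
echo "key mode:         $(file_mode "$scratch/exim.key")"
echo "valid 30d more:   $(cert_expiry_status "$scratch/exim.crt" 2592000)"
rm -rf "$scratch"
```

For the real files, run the same checks against /etc/exim/exim.crt and /etc/exim/exim.key; the modulus comparison only hashes public values, so unlike openssl rsa -text it is safe to run anywhere.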

To enable TLS on your server, add the following lines to the /etc/exim/exim.conf file; a good place is just before the ACL section. The tls_advertise_hosts = * line tells Exim to advertise STARTTLS to every host that connects to it (it governs inbound connections only); the option takes a host list, so TLS can be offered to some hosts and not others. For outbound mail the equivalent controls live on the remote_smtp transport: hosts_avoid_tls lists hosts that advertise STARTTLS but whose TLS is known to be broken, so that no attempt is made, and hosts_require_tls lists hosts to which mail must never be sent in clear. The last two lines specify the location of the certificate and key files to be used.

#Set up TLS info
tls_advertise_hosts = *
tls_certificate = /etc/exim/exim.crt
tls_privatekey = /etc/exim/exim.key

Testing

Exim writes its logs to /var/log/exim/main.log by default; the lines logged for one message look like this:-

2011-01-28 08:40:23 1PijsV-00028F-RK <= root@gy-asp-db03.prod.wagerware.net U=root P=local S=695
2011-01-28 08:40:25 1PijsV-00028F-RK TLS error on connection to 172.27.200.50 [172.27.200.50] (SSL_connect): error:00000000:lib(0):func(0):reason(0)
2011-01-28 08:40:25 1PijsV-00028F-RK TLS session failure: delivering unencrypted to 172.27.200.50 [172.27.200.50] (not in hosts_require_tls)
2011-01-28 08:40:25 1PijsV-00028F-RK => ww-noc@igt.com R=smarthost T=remote_smtp H=172.27.200.50 [172.27.200.50]
2011-01-28 08:40:25 1PijsV-00028F-RK Completed
  • 1PijsV-00028F-RK is the message id; every line about this message carries it.
  • The 1st line shows the message arriving (<=) from a local user (root), submitted locally rather than over SMTP (P=local), 695 bytes in size (S=).
  • The 2nd and 3rd lines show STARTTLS being attempted: the relay advertises it in its EHLO response, so Exim tries it regardless of the inbound TLS settings commented out above. The handshake fails, and because the relay is not listed in the transport's hosts_require_tls, Exim falls back and delivers the message in clear. This log line is the only record that the fallback happened.
  • The 4th line shows the outbound delivery (=>): it is a remote delivery, handled by the smarthost router (R=), which handed it to the remote_smtp transport (T=) for delivery to the remote host (H).
  • The last line is the important one: Completed means every recipient has been dealt with and the message has left the spool.
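
The "(not in hosts_require_tls)" in the log line above is Exim telling you which option would have prevented the clear-text fallback. The transport stanza below is an added example, not part of the wiki page's configuration: it shows the remote_smtp transport with TLS made mandatory for the relay named in the page's smarthost router. Everything else about the transport section of exim.conf is assumed, and the hosts_avoid_tls host name is invented.

```exim
# Added example, not from the wiki page: in the transports section of
# exim.conf, a remote_smtp transport that refuses to fall back to clear
# text for the smart host.  The host name is the one used in the page's
# smarthost router; the rest is an assumption about the surrounding file.

remote_smtp:
  driver = smtp
  # Insist on TLS for the relay.  If it does not advertise STARTTLS, or
  # the handshake fails as in the log lines above, the delivery is
  # deferred and retried later instead of being sent unencrypted.
  hosts_require_tls = mailhost.prod.wagerware.net
  # Hosts that advertise STARTTLS but never complete a handshake can be
  # excluded from TLS attempts altogether; mail to them is then knowingly
  # sent in clear rather than after a logged failure.  Invented host name.
  # hosts_avoid_tls = broken-tls.example.net
```

Two caveats. First, hosts_require_tls enforces encryption, not identity: verifying the relay's certificate needs tls_verify_certificates on the same transport (and, in newer releases, tls_verify_hosts to make a failed verification fatal), which is only useful once the relay presents a certificate the sender can be told to trust. Second, with the relay in this page unable to complete a TLS handshake, this setting would leave every outbound message queued until the relay is fixed; that is the trade-off the author accepted by leaving the fallback in place, and it should be a conscious decision either way.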

The exigrep utility can be used to search for a particular message:-

[root@gy-asp-db03 mail]# exigrep 1PijsV-00028F-RK /var/log/exim/main.log
2011-01-28 08:40:23 1PijsV-00028F-RK <= root@gy-asp-db03.prod.wagerware.net U=root P=local S=695
2011-01-28 08:40:25 1PijsV-00028F-RK TLS error on connection to 172.27.200.50 [172.27.200.50] (SSL_connect): error:00000000:lib(0):func(0):reason(0)
2011-01-28 08:40:25 1PijsV-00028F-RK TLS session failure: delivering unencrypted to 172.27.200.50 [172.27.200.50] (not in hosts_require_tls)
2011-01-28 08:40:25 1PijsV-00028F-RK => ww-noc@igt.com R=smarthost T=remote_smtp H=172.27.200.50 [172.27.200.50]
2011-01-28 08:40:25 1PijsV-00028F-RK Completed

After enabling TLS on this server, the log gives a more specific error. SSL23_GET_SERVER_HELLO:unknown protocol means the relay accepted the STARTTLS command but did not answer the ClientHello with a TLS record, consistent with the broken qmail TLS noted above, and the message is once more delivered in clear:-

2011-03-16 12:47:18 1Pzq8E-0000yV-AH <= root@gy-asp-web01.prod.wagerware.net U=root P=local S=378
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS error on connection to mailhost.prod.wagerware.net [172.27.200.50] (SSL_connect): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS session failure: delivering unencrypted to mailhost.prod.wagerware.net [172.27.200.50] (not in hosts_require_tls)
2011-03-16 12:47:18 1Pzq8E-0000yV-AH => andrew.stringer@igt.com R=smarthost T=remote_smtp H=mailhost.prod.wagerware.net [172.27.200.50]
2011-03-16 12:47:18 1Pzq8E-0000yV-AH Completed
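
exigrep shows everything logged for one message id, but it will not tell you how many messages left the box in clear. The script below is an added example, not part of the wiki page or of Exim: it scans a main.log for messages that were delivered unencrypted after a failed STARTTLS and lists the recipient and host involved, and separately lists deliveries that did use TLS. The sample log is constructed for the demonstration: the first message copies the page's log lines, the second (an invented message id and relay name) shows a TLS delivery, recognisable by the X= cipher field Exim adds to the => line when the default tls_cipher log selector is on.

```shell
#!/bin/sh
# Added example, not from the wiki page or from Exim: scan an Exim
# main.log for messages delivered in clear after a failed STARTTLS
# ("TLS session failure: delivering unencrypted"), which Exim otherwise
# records only as one line among many.  SAMPLE_LOG is constructed for
# the demonstration; the second message id and relay name are invented.

set -eu

SAMPLE_LOG='2011-03-16 12:47:18 1Pzq8E-0000yV-AH <= root@gy-asp-web01.prod.wagerware.net U=root P=local S=378
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS error on connection to mailhost.prod.wagerware.net [172.27.200.50] (SSL_connect): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2011-03-16 12:47:18 1Pzq8E-0000yV-AH TLS session failure: delivering unencrypted to mailhost.prod.wagerware.net [172.27.200.50] (not in hosts_require_tls)
2011-03-16 12:47:18 1Pzq8E-0000yV-AH => andrew.stringer@igt.com R=smarthost T=remote_smtp H=mailhost.prod.wagerware.net [172.27.200.50]
2011-03-16 12:47:18 1Pzq8E-0000yV-AH Completed
2011-03-16 12:50:02 1Pzq8G-0000yZ-Bx <= root@gy-asp-web01.prod.wagerware.net U=root P=local S=402
2011-03-16 12:50:03 1Pzq8G-0000yZ-Bx => ww-noc@igt.com R=smarthost T=remote_smtp H=relay.example.net [192.0.2.25] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256
2011-03-16 12:50:03 1Pzq8G-0000yZ-Bx Completed'

# Write the sample to a temporary file and echo its path, so the
# functions below take a log file exactly as they would take
# /var/log/exim/main.log.
write_sample_log() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# For each message that fell back to clear text, echo
# "<message id> <recipient> <host>" taken from its => delivery line.
# Fields: $3 is the message id, $4 the direction marker, $5 the
# recipient.  The TLS failure line precedes the delivery line for the
# same id, so one pass is enough.  A => line carrying X= is skipped:
# that particular delivery (perhaps to another recipient's host) did
# use TLS.
unencrypted_deliveries() {
    awk '
        / TLS session failure: delivering unencrypted / { fallback[$3] = 1 }
        $4 == "=>" && ($3 in fallback) && !/ X=/ {
            host = ""
            for (i = 5; i <= NF; i++) if ($i ~ /^H=/) host = substr($i, 3)
            print $3, $5, host
        }
    ' "$1"
}

# Echo "<message id> <recipient> <cipher>" for deliveries made over TLS.
tls_deliveries() {
    awk '
        $4 == "=>" {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^X=/) { print $3, $5, substr($i, 3); break }
        }
    ' "$1"
}

# Number of clear-text fallbacks in the log; a non-zero value deserves
# an alert once hosts_require_tls is expected to cover every peer.
count_unencrypted() {
    unencrypted_deliveries "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
log=$(write_sample_log)
echo "delivered in clear:"; unencrypted_deliveries "$log"
echo "delivered over TLS:"; tls_deliveries "$log"
echo "fallbacks: $(count_unencrypted "$log")"
rm -f "$log"
```

On a real server call unencrypted_deliveries /var/log/exim/main.log from cron or a log shipper; on a host where the relay is meant to be TLS-only, any output is a finding.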
 
linux/eximconfig.txt · Last modified: 28/09/2021 10:19 by andrew