Configure exim4 smtp relay to use tls on connect (smtps)


exim4 has been around for a long time and has seen many changes. In the modern SMTP / MTA mail world the use of the STARTTLS command has become most common. However, there are still mail providers which require TLS on connect, otherwise known as the SMTPS protocol. Configuring a modern version of Exim to use SMTPS has become rather difficult. If you follow along, in a few steps you will be shown how to make a modern version of Exim (4.82) use the SMTPS protocol for smarthosts.

This guide is made for Debian / Ubuntu based systems and might not work on other distributions of Linux.


Make sure the required packages are installed by executing:

apt-get remove exim4-daemon-light; apt-get install exim4-daemon-heavy swaks openssl

If you want to install the requirements manually the following packages are required but not necessarily installed by default.


Getting to business

Exim configuration on Debian and Ubuntu has been greatly simplified for most types of configuration because of dpkg-reconfigure exim4-config. Start by executing the dpkg-reconfigure exim4-config command and select the following options. Values marked between [] are to be replaced with your own data accordingly.

General type of mail configuration: mail sent by smarthost; no local mail
System mail name: [system name as described in /etc/hostname]
IP-addresses to listen on for incoming SMTP connections: [required listening interface default: ‘ ; ::1’]
Other destinations for which mail is accepted: [system name as described in /etc/hostname]
Machines to relay mail for: [empty line]
IP address or host name of the outgoing smarthost: [remote smtp server: ‘address::port’]
Hide local mail name in outgoing mail: yes
Visible domain name for local users: [system name as described in /etc/hostname]
Keep number of DNS-queries minimal (Dial-on-Demand): no
Delivery method for local mail: mbox format in /var/mail/
Split configuration into small files: no

Various parts of the Exim documentation, the information provided by dpkg-reconfigure exim4-config, and various articles on the internet give misinformation about how to declare a remote smarthost. For the smarthost to work with SMTPS both the address and the port need to be specified; for the address a DNS address is preferred. Between the address and the port you need to delimit with two : characters. Example: mail.domain::587. Never use a single : or replace the port declaration with a protocol, since it will not work!

With the address and port configured the first configuration hurdle has been conquered. Now the final step is to change the configuration template, which can be found in /etc/exim4/exim4.conf.template. Open this file using your favorite file editor and make sure you have write permissions. Scroll down to the line remote_smtp_smarthost: and add the following two lines below the driver = smtp line of that smarthost transport:

hosts_require_tls = [remote smtp server without port]
protocol = smtps

After this you should have something which looks like the following:

  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  hosts_require_tls =
  protocol = smtps

Now restart the exim4 daemon by executing service exim4 restart. The configuration for an SMTPS remote smarthost is now complete; on to testing.
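A quick check of the edit described above, as an added example that is not part of the original post: the shell function isolates the remote_smtp_smarthost transport in a configuration file and reports whether protocol = smtps is present and hosts_require_tls is set exactly once, since Exim rejects a configuration in which an option is set a second time. The function names and the host mail.example.org are placeholders chosen for this example, and .ifdef conditionals in the template are not evaluated.

```sh
#!/bin/sh
# Added example: audit the remote_smtp_smarthost transport of an Exim config.
# Prints one status word and returns 0 only for "ok".
# Real use: check_smarthost_transport /etc/exim4/exim4.conf.template
check_smarthost_transport() {
    awk '
        # A transport starts with its name and a colon in column 0.
        /^remote_smtp_smarthost:[ \t]*$/ { inblk = 1; next }
        # The next driver name or a "begin" line ends the block.
        inblk && (/^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ || /^begin[ \t]/) { inblk = 0 }
        inblk && /^[ \t]*#/ { next }    # ignore commented-out options
        inblk && /^[ \t]*hosts_require_tls[ \t]*=/ { req++ }
        inblk && /^[ \t]*protocol[ \t]*=[ \t]*smtps[ \t]*$/ { smtps++ }
        END {
            if (req > 1)    { print "duplicate-hosts_require_tls"; exit 1 }
            if (smtps != 1) { print "protocol-not-smtps"; exit 1 }
            if (req == 0)   { print "tls-not-required"; exit 1 }
            print "ok"
        }
    ' "$1"
}

# Constructed sample modelled on the snippet in this post (placeholder host).
sample_transport() {
    printf '%s\n' 'remote_smtp_smarthost:' \
        '  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"' \
        '  driver = smtp' \
        '  hosts_require_tls = mail.example.org' \
        '  protocol = smtps'
}

# Demo: write the sample to a temporary file and audit it.
tmp=$(mktemp) && sample_transport > "$tmp" && check_smarthost_transport "$tmp"
rm -f "$tmp"
```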


For testing the newly configured SMTP relay both swaks and sendmail will be used. First copy and execute the following command after changing the to and from email addresses:

swaks -f -t -s localhost -p 25

The execution of this command should pass with flying colors; if successful, the output will look similar to this.

=== Trying localhost:25…
=== Connected to localhost.
<- 220 local.WORKGROUP ESMTP Exim 4.82 Ubuntu Sun, 05 Mar 2017 16:47:32 +0100
<- 250-local.WORKGROUP Hello localhost [::1]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250 HELP
<- 250 OK
-> RCPT TO:<>
<- 250 Accepted
<- 354 Enter message, ending with “.” on a line by itself
-> Date: Sun, 05 Mar 2017 16:47:32 +0100
-> To:
-> From:
-> Subject: test Sun, 05 Mar 2017 16:47:32 +0100
-> X-Mailer: swaks v20130209.0
-> This is a test mailing
-> .
<- 250 OK id=1ckYNg-0004Qe-Eh
<- 221 local.WORKGROUP closing connection

If at this point you receive the email on the email address as defined after the swaks -f parameter, then you are done, although it is best to continue to verify some other configuration parameters. At this point it is possible to stop and enjoy your working SMTP relay.

The next test uses sendmail and shows how the remote SMTP server responds to what is being sent. Execute:

echo "Subject: test" | sendmail -v

The output should look similar to:

<= local.WORKGROUP U=root P=local S=345
root@h2351298:/etc/exim4# delivering 1ckbCq-0004Z0-Tw
R: smarthost for
T: remote_smtp_smarthost for @
Transport port=465 replaced by host-specific port=587
Connecting to []:587 … connected
SMTP<< 220 ESMTP ready
SMTP<< 235 2.0.0 OK
SMTP<< 250 OK
SMTP<< 250 Accepted
SMTP<< 354 Enter message, ending with “.” on a line by itself
SMTP>> writing message and terminating “.”
SMTP<< 250 OK id=1ckbCv-0006HX-CQ
=> R=smarthost T=remote_smtp_smarthost [] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128
DN=”jurisdictionOfIncorporationCountryName=NL,businessCategory=Private Organization,serialNumber=61838454,C=NL,ST=Flevoland,L=Almere,O=EXAMPLE BV,” A=plain C=”250 OK id=1ckbCv-0006HX-CQ”

Configuring auth

At this point you might see a totally different result stating something similar to Relay not permitted authentication required. This simply means you need to add a valid SMTP account for the remote server. The server, username and password need to be added on a single line in /etc/exim4/passwd.client. Once again use : to delimit between the server, username and password; this time a single : is used to delimit between the different variables. An example would be
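Because passwd.client holds the relay password in clear text, the file is worth checking once the entry is in place. The following is an added example, not part of the original post: a shell function that verifies every entry has the server:login:password shape described above and that the file is not world-readable, without ever printing the password. The host, login and password are constructed placeholders, and treating anything after the second colon as part of the password is an assumption of this check.

```sh
#!/bin/sh
# Added example: sanity-check an Exim passwd.client file.
# Prints one finding per line; returns 0 only when there are none.
# Real use: check_passwd_client /etc/exim4/passwd.client
check_passwd_client() {
    f=$1
    rc=0
    # In "ls -l" output, character 8 of the mode string is the other-read bit.
    if [ "$(ls -ld -- "$f" | cut -c8)" = "r" ]; then
        echo "world-readable"
        rc=1
    fi
    # Each entry needs a server, a login and a password, separated by ":".
    # Assumption: anything after the second colon belongs to the password.
    awk -F: '
        /^[ \t]*(#|$)/ { next }    # comments and blank lines
        NF < 3 || $1 == "" || $2 == "" || $3 == "" {
            print "line " NR ": expected server:login:password"
            bad = 1
        }
        END { exit bad }
    ' "$f" || rc=1
    return $rc
}

# Demo on a constructed file (placeholder host and credentials).
demo=$(mktemp)
printf '%s\n' 'mail.example.org:relayuser:constructed-password' > "$demo"
chmod 640 "$demo"
check_passwd_client "$demo" && echo "passwd.client looks sane"
rm -f "$demo"
```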

That settles it: a modern version of exim using the deprecated smtps protocol. Hope this might save you the struggle I had figuring this out. If you have any questions feel free to ask them in the comments below.


All comments by the author will be marked with the emblem: author
  1. IMTheNachoMan -

    Is this using 465? The log output shows “Transport port=465 replaced by host-specific port=587”

    • Dantali0n author

      No, this is using port 587. The exim smarthost configuration will attempt to use port 465 and starttls, which is then overridden by the configuration changes described in this post, and as a result 587 and TLS on connect is used.

  2. Car -

    Very interesting your article, as it would be the case that the exm quee I am configuring becomes smarthost, that is, another server send the email through the Exim that I am installing, which would be the configuration in this case.

  3. Shawn -

    Thank You! I had a couple systems using EXIM4 with smarthost to send me system notifications. They were working fine using STARTTLS. I just switched smarthost to one that ONLY supports explicit SSL and had been struggling to get it to work until I found your post. Thanks again.

    p.s. in my case, EXIM complained about the apparently redundant “hosts_require_tls” line in exim4.conf.template , but it worked fine after I removed it.
    exim4[28127]: Starting MTA:2021-11-30 08:52:32 Exim configuration error in line 862 of /var/lib/exim4/config.autogenerated.tmp:
    exim4[28127]: “hosts_require_tls” option set for the second time
    exim4[28127]: Invalid new configfile /var/lib/exim4/config.autogenerated.tmp, not installing
