exim4 configuratie voor remote smtp met het smtps protocol [en]


exim4 has been around for a long time and has seen many changes. In the modern SMTP / MTA mail world the use of the STARTSSL command has become the standard. However their are still some mail providers which require tls on connect otherwise known as the SMTPS protocol. Configuring a modern version of Exim to use SMTPS has become rather difficult. If you follow along in a few steps you will be shown to make a modern version of Exim (4.82) use the deprecated SMTPS protocol for smarthosts.

This guide is made for Debian / Ubuntu based systems and might not work on other distributions of Linux


Make sure the required packages are installed by executing apt-get remove exim4-daemon-light; apt-get install exim4-daemon-heavy swaks openssl If you want to install the requirements manually the following packages are required but not necessarily installed by default.


Getting to business

Exim configuration on Debian and Ubuntu has been greatly simplified for most types of configuration because of dpkg-reconfigure exim4-config. Start by executing the dpkg-reconfigure exim4-config command and select the following options values marked between [] are to be replaced with your own data accordingly

General type of mail configuration: mail sent by smarthost; no local mail
System mail name: [system name as described in /etc/hostname]
IP-addresses to listen on for incoming SMTP connections: [required listening interface default: ‘ ; ::1’]
Other destinations for which mail is accepted: [system name as described in /etc/hostname]
Machines to relay mail for: [empty line]
IP address or host name of the outgoing smarthost: [remote smtp server: ‘address::port’]
Hide local mail name in outgoing mail: yes
Visible domain name for local users: [system name as described in /etc/hostname]
Keep number of DNS-queries minimal (Dial-on-Demand): no
Delivery method for local mail: mbox format in /var/mail/
Split configuration into small files: no

Various parts of the Exim documentation as well as information provided by dpkg-reconfigure exim4-config and various articles on the internet will provide misinformation around the declaration of a remote smarthost. For the smarthost to work with SMTPS both the address and the port need to be described, for the address an DNS address is preferred. Between the address and the port you need to delimit with two : characters. Example: mail.domain::587. Never use a single : or replace the port declaration with a protocol since it will not work!

With the address and port configured the first configuration hurdle has been conquered. Now the final step is to change the configuration templates. The configuration template can be found in /etc/exim4/exim4.conf.template. open this file using your favorite file editor and make sure you have write permissions. Now scroll down to the line remote_smtp_smarthost:. The final step is to add two lines below driver = smtp described as part of the smarthost configuration.

hosts_require_tls = [remote smtp server without port]
protocol = smtps

After this you should have something which looks like the following:

  debug_print = “T: remote_smtp_smarthost for $local_part@$domain”
  driver = smtp
  hosts_require_tls = mail.example-domain.net
  protocol = smtps

Now just restart the exim4 daemon by executing service exim4 restart and the configuration for an smtps remote smarthost is now complete, on to testing.


For the testing of the newly configured SMTP relay both swaks and sendmail will be used. First copy and execute the command after changing the to and from email addresses: swaks -f m1@example.com -t m2@example.com -s localhost -p 25. The execution of this command should pass with flying colors, if succesful the output will look similar to this.

=== Trying localhost:25…
=== Connected to localhost.
<- 220 local.WORKGROUP ESMTP Exim 4.82 Ubuntu Sun, 05 Mar 2017 16:47:32 +0100
-> EHLO test.com
<- 250-local.WORKGROUP Hello localhost [::1]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250 HELP
-> MAIL FROM:<m1@example.com>
<- 250 OK
-> RCPT TO:<m2@example.com>
<- 250 Accepted
<- 354 Enter message, ending with “.” on a line by itself
-> Date: Sun, 05 Mar 2017 16:47:32 +0100
-> To: m2@example.com
-> From: m1@example.com
-> Subject: test Sun, 05 Mar 2017 16:47:32 +0100
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
-> This is a test mailing
-> .
<- 250 OK id=1ckYNg-0004Qe-Eh
<- 221 local.WORKGROUP closing connection

If at this point you receive the email on the email address as defined after the swaks -f parameter. Well then you are done although it is best to continue to ensure some other configuration parameters. At this point it is possible to stop and enjoy your working SMTP relay.

Next test is using sendmail and this test will identify how to remote SMTP server responds to what is being send. Execute echo "Subject: test" | sendmail -v replaceme@example.com. The output should look similar to:

<= local.WORKGROUP U=root P=local S=345
root@h2351298:/etc/exim4# delivering 1ckbCq-0004Z0-Tw
R: smarthost for mail@example.com
T: remote_smtp_smarthost for @
Transport port=465 replaced by host-specific port=587
Connecting to mail.example.nl []:587 … connected
SMTP<< 220 mail.example.nl ESMTP ready
SMTP<< 250-mail.example.nl
SMTP<< 235 2.0.0 OK
SMTP<< 250 OK
SMTP>> RCPT TO:<mail@example.com>
SMTP<< 250 Accepted
SMTP<< 354 Enter message, ending with “.” on a line by itself
SMTP>> writing message and terminating “.”
SMTP<< 250 OK id=1ckbCv-0006HX-CQ
=> mail@example.com R=smarthost T=remote_smtp_smarthost H=mail.example.nl [] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128
DN=”jurisdictionOfIncorporationCountryName=NL,businessCategory=Private Organization,serialNumber=61838454,C=NL,ST=Flevoland,L=Almere,O=EXAMPLE BV,CN=mail.example.nl” A=plain C=”250 OK id=1ckbCv-0006HX-CQ”

configuring auth

At this you might see a totally different result stating something similar to Relay not permitted authentication required. This simply means you need to add a valid SMTP account for the remote server. The server, username and password need to be added on a single line in /etc/exim4/passwd.client. Once again use : to delimit between the server, username and password, this time a single : is used to delimit between the different variables. An example would be example.com:bestuser@example.com:verysecurepassword

That settles it a modern version of exim using the deprecated smtps protocol. Hope this might save you the struggle I had figuring this out. If you have any questions feel free to ask them in comments below.


All comments by the author will be marked with the emblem: auteur
  1. engelbert torremans -


    I tried following your example on my Debian 10 setup with exim4.

    My ISP supports both port 465 and 587. Got it working with 465 but had to use port = 465 as additional line in exim4.conf.template. Using smtp.myisp.dom::465 does not work.
    When trying to use port 587 it does not work. Exim4 goes straight to smtp tls encrypted without first doing the starttls handshake.

    Any suggestions on what I could try. Using swaks to test it via port 587 works fine.

    Thanks for your help,


    • Engelbert Torremans -

      Have it working now. The issue is/was probabaly caused by the fact that I am using IPV6 and the ::port in smarthost declaration (which ends up in /etc/exim4/update-exim4.conf.conf) is not working as expected.

      So I now use this:
      In /etc/exim4/update-exim4.conf.conf

      To get the port assignment right I did this in /etc/exim4/exim4.conf.template (in the remote_smtp_smarthost: section as indicated in your example):

      For port 465 (immediate tls):
      hosts_require_tls = your.isp.host
      protocol = smtps
      port = 465

      For port 587 (tls via STARTTLS)
      port = 587 (the other 2 lines mentioned above should NOT be there)

      That is it. Of course the authentication parts might also be needed depending on your isp requirements.


      • Dantali0n auteur

        Glad you got it working, good to see these configuration parameters still work as expected as this post is originally from 2017. (I do intend to display the date of posts but haven’t got around to modifying the theme).

        Personally I have moved away from Exim and smarthosts thanks to mailcow. Being able to run my own mailserver with reasonably low efforts and all mail related services (such as rspamd) seamlessly tied to one another has caused me to reconsider.

Geef een antwoord

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *