Debian Linux, exim4 and Outlook 2003 TLS/SSL Config


The following might seem obvious for some of you but I felt the need to publish it as it took me ages to get exim4 and Outlook 2003 to work together with one of the domains I’ve just bought.

In brief, I’ve bought a new domain (call it example.com) and I went this time for a proper dedicated hosting (rather than shared hosting) — which meant I had a physical machine that I had to administer myself. I’ve chosen Debian Linux as the OS for it — for various reasons that are outside the scope of this post. I’ve chosen exim4 (more specifically exim4-daemon-heavy) as my MTA and decided to go for courier-imap (over SSL) to read emails.

Obviously I had to generate a self-signed certificate — and I found the instructions on http://wiki.debian.org/SSLkeys very useful for this. Having set courier-imap-ssl up, Outlook was able to read my emails over IMAPS straight away (obviously you get a prompt informing you that the identity of the authority creating the certificate cannot be verified but that’s just a minor glitch 🙂).

Having configured IMAP it was time to move onto configuring exim4 — and I needed to have exim accept email normally for my domain (example.com) and obviously prevent open relaying — so unless the email is intended for a user in the domain example.com then the user will have to be authenticated. Now that is very easily configured (in fact it’s present by default) in /etc/exim4/conf.d/acl/... (I use a split file configuration).  In order to enable TLS (on port 465) I have the following in my /etc/exim4/conf.d/main/000_localmacros:

daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465
MAIN_TLS_ENABLE = true

In terms of authenticators I had only 2 set up:

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
 
cram_md5_server:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
server_set_id = $auth1

(all the others have been commented out)

Now this configuration worked just fine with the likes of Thunderbird (configured to authenticate both when receiving and sending email) and my messages were sent just fine. In Outlook though, I could only receive emails, and any time I tried to reply to an email I had received (or simply send a new email) exim threw an error about relaying not being allowed. This basically told me that Outlook was not sending the authentication at all when sending emails. Having talked to Andreas Metzler (on the Pkg-exim4-users mailing list), it turns out that Outlook does NOT support AUTH PLAIN and only supports the AUTH LOGIN method — so I had to add the following section in my authenticators section for exim:

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
 
cram_md5_server:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
server_set_id = $auth1

login_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

Having restarted exim4 all worked well! (Bear in mind that you do need to configure your Outlook to use port 465 for sending emails and also you need to configure it to authenticate on SMTP!)
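
Why plain_server checks $auth2/$auth3 while login_server checks $auth1/$auth2, as an added example (not part of the original post or of exim itself): the sketch decodes AUTH PLAIN and AUTH LOGIN data into numbered fields the way the Exim plaintext driver fills $auth1..$auth3. The credentials are constructed samples and all function names are hypothetical.

```python
import base64

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def unb64(text: str) -> str:
    return base64.b64decode(text, validate=True).decode("utf-8")

def exim_list(setting: str) -> list[str]:
    """Split a colon-separated Exim list; a doubled colon is a literal colon."""
    marker = "\x00"
    items = setting.replace("::", marker).split(":")
    return [item.strip().replace(marker, ":") for item in items]

def plain_auth_vars(blob: str) -> dict[str, str]:
    """AUTH PLAIN: one base64 blob holding authzid NUL user NUL password."""
    fields = unb64(blob).split("\0")
    return {f"auth{n}": f for n, f in enumerate(fields, 1)}

def login_auth_vars(replies: list[str]) -> dict[str, str]:
    """AUTH LOGIN: one base64 reply per server prompt, kept in order."""
    return {f"auth{n}": unb64(r) for n, r in enumerate(replies, 1)}

def login_transcript(prompts_setting: str, user: str, password: str) -> list[str]:
    """Wire view of AUTH LOGIN for the given server_prompts value."""
    lines = ["C: AUTH LOGIN"]
    for prompt, answer in zip(exim_list(prompts_setting), (user, password)):
        lines.append("S: 334 " + b64(prompt.encode()))
        lines.append("C: " + b64(answer.encode()))
    return lines

# Constructed sample credentials, not taken from the post.
USER, PASSWORD = "alice", "s3cret-example"
PROMPTS = "Username:: : Password::"   # server_prompts from login_server

if __name__ == "__main__":
    # PLAIN: the empty authzid lands in $auth1, so the config checks $auth2/$auth3.
    print(plain_auth_vars(b64(f"\0{USER}\0{PASSWORD}".encode())))
    # LOGIN: there is no authzid, so the config checks $auth1/$auth2.
    wire = login_transcript(PROMPTS, USER, PASSWORD)
    print("\n".join(wire))
    print(login_auth_vars([wire[2][3:], wire[4][3:]]))
    # Both mechanisms are plain reversible base64, which is why the config
    # only advertises them when $tls_cipher is non-empty.
```
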

While configuring my system I also found this link very helpful: http://pkg-exim4.alioth.debian.org/README/README.Debian.html — and obviously some of the mailing list archives which can be reached from this link.

5 Responses to “Debian Linux, exim4 and Outlook 2003 TLS/SSL Config”

  1. John

    Thank you so much for this.

    I spent a day almost tearing my hair out trying to get Outlook 2003 to play with Exim and TLS until I found this blog post, now everything works fine!