Gernot Walzl


The main parts to deliver electronic mail over the internet are as follows:

Exim is the default message transfer agent (MTA) of Debian.
It is installed by default and configured to do local mail delivery only.

This tutorial explains how to configure Exim 4 on Debian 10 (buster)
to send and receive mails for your own domain over the internet.



In the following examples, the domain is called
The IPv4 address of the server running the MTA is
and the IPv6 address is 2001:db8:10::1 in the examples.


Relevant parts in the zone of the domain are specified as follows:

@     IN  MX    10  ; The MX record specifies the mail server
mail  IN  A             ; IPv4 address for
mail  IN  AAAA  2001:db8:10::1        ; IPv6 address for
@     IN  TXT   "v=spf1 ip4: ip6:2001:db8:10::1 ~all"


The Sender Policy Framework (SPF) allows other MTAs to check whether the
host delivering a mail is authorized to do so for the sender's domain,
and to accept or reject the mail accordingly.

MTAs analyze the SPF information of the domain in the sender's
mail address (e.g.
The SPF information is stored in a TXT record of the domain.
This record specifies the IP addresses that are allowed to transfer mail
where the sender's mail address ends with
~all (softfail) means that other MTAs should treat a mail with a sender's
mail address from all other IP addresses as suspicious, usually as spam;
-all (fail) asks them to reject such mail outright.
The address that is checked is the envelope sender (the address given in
the SMTP MAIL FROM command), which is not necessarily the From header
shown to the recipient.


When communicating with other MTAs, it is common that the IP address of
the connecting MTA is checked by doing a reverse DNS lookup (PTR record)
and resolving the returned name again (forward-confirmed reverse DNS).
If resolves to, it is expected that
a reverse DNS lookup of gives
The same applies for the IPv6 address. The PTR records are not part of the
domain's zone; they are usually set through the provider that assigned
the IP addresses.
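The forward-confirmed reverse DNS check described above, as an added example that is not part of the original tutorial: the script asks for the PTR record of an address, resolves the returned name again and expects the original address among the results; optionally it also demands that the PTR name equals the MX host. The resolver calls use dig and sit in two small functions so the logic can be exercised with fixed data. The host name mail.example.org and the address 192.0.2.25 in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: forward-confirmed reverse
# DNS (FCrDNS) check for an MTA address, as performed by receiving MTAs.
# Resolver access is isolated in lookup_ptr and lookup_addr so the check
# logic can be exercised with fixed data; the real functions use dig.
# Addresses must be given in the canonical textual form dig prints
# (e.g. 2001:db8:10::1, not 2001:0db8:0010::1).

# Prints the host name that the PTR record of address $1 points to, or
# nothing if there is none.
lookup_ptr() {
    dig +short -x "$1" | sed 's/\.$//'
}

# Prints every A and AAAA address of host name $1, one per line.
lookup_addr() {
    dig +short A "$1"
    dig +short AAAA "$1"
}

# fcrdns_check <ip> [<expected host name>]
# Returns 0 if the PTR name of <ip> resolves back to <ip>. If a host name is
# given, the PTR name must also equal it, which catches a mail server whose
# reverse record still carries the hosting provider's generic name.
fcrdns_check() {
    ip=$1
    expected=${2:-}
    name=$(lookup_ptr "$ip")
    if [ -z "$name" ]; then
        echo "FAIL: no PTR record for $ip" >&2
        return 1
    fi
    if [ -n "$expected" ] && [ "$name" != "$expected" ]; then
        echo "FAIL: PTR of $ip is $name, expected $expected" >&2
        return 1
    fi
    if lookup_addr "$name" | grep -qxF "$ip"; then
        return 0
    fi
    echo "FAIL: $name does not resolve back to $ip" >&2
    return 1
}

# Stand-alone use: sh fcrdns.sh 192.0.2.25 mail.example.org
# (assumed values; use the MTA's address and the MX host name).
if [ $# -gt 0 ]; then
    fcrdns_check "$@" && echo "OK: FCrDNS passes for $1"
fi
```

Run it with the IPv4 and the IPv6 address of the server; both have to pass, since other MTAs check whichever address the connection comes from.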

Check MX Record

The MX record of a domain can be checked using online tools:

Basic Configuration


Execute the following command to reconfigure the installed Exim package:

dpkg-reconfigure exim4-config

The following questions will be asked:

  1. General type of mail configuration:
    internet site; mail is sent and received directly using SMTP
  2. System mail name:
  3. IP-addresses to listen on for incoming SMTP connections: ; ::1 ; ; 2001:db8:10::1
  4. Other destinations for which mail is accepted: ; local-hostname
  5. Domains to relay mail for:
    (leave empty)
  6. Machines to relay mail for:
    (leave empty)
  7. Keep number of DNS-queries minimal (Dial-on-Demand)?
  8. Delivery method for local mail:
    Maildir format in home directory
  9. Split configuration into small files?

Answering these questions edits the following file:

# This is a Debian specific file

dc_other_hostnames=' ; local-hostname'
dc_local_interfaces=' ; ::1 ; ; 2001:db8:10::1'

Afterwards, update-exim4.conf is called, which generates the configuration
that Exim actually reads (/var/lib/exim4/config.autogenerated) from the
files in /etc/exim4.


When communicating with other MTAs, the hostname that Exim announces in its
SMTP greeting (and in its own HELO/EHLO command when sending) is expected
to match the forward and reverse DNS records of the server's IP address.
This can be achieved by setting the hostname of the system or by specifying
the hostname in a configuration file:



In the following example, mail for root is forwarded to johndoe:

root: johndoe

To reload the aliases:


Test Local Delivery

Send a mail to johndoe on the local system to check that local delivery
works:

echo "This is a simple test." | mail -s "Test"

The mail is expected to be delivered into the directory /home/johndoe/Maildir/new/.

Test Remote Connectivity

Connect to the MTA from a remote host:

telnet 25

The SMTP greeting is expected to be shown.

SSL/TLS Encryption

The SSL/TLS certificate used by Exim has to include


To enable STARTTLS on port 25 and implicit TLS (SMTPS) on port 465, add the following lines:

MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/
MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/

daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465

If Exim does not offer STARTTLS afterwards, check that the macro
MAIN_TLS_ENABLE is set to true; Debian's configuration only activates its
TLS options when it is.
Further information can be found in /usr/share/doc/exim4-base/README.Debian.gz.

Let's Encrypt

certbot installs TLS/SSL certificates from Let's Encrypt in a way
that only root can read them.

If Exim cannot read the certificate, there is a message in the log file
that looks like this:

2020-01-02 12:12:12 TLS error on connection from []
  (cert/key setup: cert=/etc/letsencrypt/live/ key=/etc/letsencrypt/live/
  Error while reading file.

Exim runs as user Debian-exim. Add this user to the group ssl-cert:

usermod -a -G ssl-cert Debian-exim

Allow users in the group ssl-cert to access the certificates and keys.
Note that this grants every member of ssl-cert read access to all private
keys under /etc/letsencrypt/archive, not only the one used by Exim:

chgrp ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live /etc/letsencrypt/archive
chgrp -R ssl-cert /etc/letsencrypt/archive
chmod -R g+r /etc/letsencrypt/archive

Let's Encrypt certificates are valid for 90 days.
certbot renews them automatically before they expire.
Exim needs to reload the configuration after the certificate has been renewed.
This is done automatically by placing an executable script as renewal hook:

#!/bin/sh
systemctl reload exim4.service

Test Encryption

If SSL/TLS encryption works on port 465, the SMTP greeting should be shown
when executing the following command:

openssl s_client -connect
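As an added example (not from the original tutorial), the following script checks the two things that most often make TLS on a mail server fail quietly: that the certificate carries the mail host name as a DNS subject alternative name, and that the private key is not world-readable. It creates a short-lived self-signed certificate for demonstration; on the real server the Let's Encrypt files are checked instead. mail.example.org and example.org are assumed names.

```shell
#!/bin/sh
# Added example, not from the original tutorial: checks on the certificate
# and key that Exim is configured to use. Clients and MTAs match the host
# name against the subject alternative names (SAN) only, and Let's Encrypt
# certificates carry the host name exclusively there, so the SAN list is
# what has to contain the mail host name.

# Prints the DNS subject alternative names of PEM certificate $1, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Returns 0 if certificate $1 lists host name $2 as a DNS SAN.
cert_has_dns_san() {
    cert_dns_sans "$1" | grep -qxF "$2"
}

# Returns 0 if file $1 grants no permissions to "others" (last octal digit
# of the mode is 0), i.e. a private key that is not world-readable (GNU stat).
key_not_world_readable() {
    case $(stat -c %a "$1") in
        *0) return 0 ;;
        *) return 1 ;;
    esac
}

# make_demo_cert <dir> <host name>...: self-signed certificate with the given
# host names as DNS SANs, for demonstration only (one day validity).
make_demo_cert() {
    dir=$1
    shift
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=$sans" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
    chmod 600 "$dir/privkey.pem"
}

# Stand-alone use:
#   sh check_cert.sh /etc/letsencrypt/live/<host>/fullchain.pem mail.example.org
# (mail.example.org is an assumed host name).
if [ $# -ge 2 ]; then
    if cert_has_dns_san "$1" "$2"; then
        echo "OK: $1 contains DNS:$2"
    else
        echo "FAIL: $1 lacks DNS:$2; SANs present:" >&2
        cert_dns_sans "$1" >&2
        exit 1
    fi
fi
```

Against the running server the same host name check is done by openssl s_client with the -verify_hostname option; for STARTTLS on port 25, s_client additionally needs -starttls smtp, otherwise it waits for a TLS handshake that never comes.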


Without authentication, the MTA only accepts mail for the local destinations
specified in the configuration files; it refuses to relay mail to other
domains, as otherwise it would be an open relay that spammers could abuse.
A mail client therefore needs to authenticate so that the MTA accepts and
relays its mail to any destination.


A configuration for PLAIN authentication is found in a comment in

This configuration is written into a new file:

  driver = plaintext
  public_name = PLAIN
  server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_set_id = $auth2
  server_prompts = :
  server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}

The server_advertise_condition only offers PLAIN when $tls_in_cipher is set,
that is, once the connection is encrypted: PLAIN transmits the password
base64-encoded but otherwise in the clear. The server_condition looks up the
username ($auth2) in CONFDIR/passwd, takes the first colon-separated field of
the matching line as the crypted password and compares it with the password
sent by the client ($auth3) using crypteq; an unknown user yields the
placeholder *:* and therefore never matches.

Usernames and passwords for Exim are specified with the following syntax:


To crypt a password, use the command line tool mkpasswd.
It is part of the whois package.

Ensure that only Exim can read the accounts:

chown root:Debian-exim /etc/exim4/passwd
chmod 640 /etc/exim4/passwd

Further information can be found in the corresponding manual page:

man exim4_passwd
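To make the authenticator above concrete, here is an added example (not part of the original tutorial) that builds the AUTH PLAIN credential a client sends, decodes it back into the $auth1/$auth2/$auth3 fields, and verifies the password against a passwd file with the same lookup and crypt comparison as server_condition. Hashes are created with openssl passwd -6 instead of mkpasswd, which gives the same SHA-512 crypt format; the user names, passwords and file paths are made up.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the AUTH PLAIN exchange
# from both sides. The client side builds the credential; the server side
# splits it into the fields Exim exposes as $auth1, $auth2 and $auth3 and
# checks the password the same way the server_condition above does (lsearch
# by user name, first field of the value is the crypted password, crypt
# comparison, unknown users get the never-matching "*").

# plain_credential <user> <password> [<authorization id>]
# PLAIN sends authzid NUL authcid NUL password, base64-encoded: nothing is
# encrypted, which is why the authenticator is only advertised under TLS.
plain_credential() {
    printf '%s\0%s\0%s' "${3:-}" "$1" "$2" | base64 | tr -d '\n'
}

# Decodes a credential into its three fields, one per line (line 1 may be empty).
decode_plain() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n'
}

# Creates a SHA-512 crypt(3) hash, the format mkpasswd -m sha-512 produces.
# The password is passed on stdin so it does not show up in the process list.
crypt_password() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin
}

# verify_password <user> <password> <passwd file>
# Returns 0 if the user exists and the password matches its crypt hash.
verify_password() {
    user=$1
    password=$2
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$3")
    if [ -z "$stored" ]; then
        stored='*'
    fi
    # crypt(3) recomputes the hash with the salt taken from the stored
    # string; openssl passwd does the same for the MD5/SHA-256/SHA-512 crypt
    # variants. Anything else (including "*" or rounds= parameters) is rejected.
    case $stored in
        '$6$'*) algo=-6 ;;
        '$5$'*) algo=-5 ;;
        '$1$'*) algo=-1 ;;
        *) return 1 ;;
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$password" | openssl passwd "$algo" -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# verify_plain <credential> <passwd file>: what the server does with the
# blob after "AUTH PLAIN". $auth2 is the user, $auth3 the password.
verify_plain() {
    decoded=$(decode_plain "$1")
    auth2=$(printf '%s\n' "$decoded" | sed -n '2p')
    auth3=$(printf '%s\n' "$decoded" | sed -n '3p')
    verify_password "$auth2" "$auth3" "$2"
}

# Stand-alone use: sh auth_plain.sh johndoe /etc/exim4/passwd
# (password read from stdin; the replies are the ones Exim sends).
if [ $# -ge 2 ]; then
    IFS= read -r pw
    cred=$(plain_credential "$1" "$pw")
    echo "AUTH PLAIN $cred"
    if verify_plain "$cred" "$2"; then
        echo "235 Authentication succeeded"
    else
        echo "535 Incorrect authentication data"
        exit 1
    fi
fi
```

Decoding the credential yourself makes the point of server_advertise_condition obvious: anyone who can read the TCP stream gets the password back with base64 -d, so PLAIN must never be offered before STARTTLS has completed.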


DomainKeys Identified Mail (DKIM) allows receiving MTAs to verify that a mail
was sent by an MTA authorized by the domain and that the signed headers and
body were not modified in transit. The MTA signs outgoing mails using a
private key specific for DKIM. The public key is published in a TXT record
of the domain.

If the key pair is replaced, publish the new key under a new selector and
keep the old public key in DNS for a while, so that mails signed before the
change can still be verified. The selector (the s= tag of the DKIM-Signature
header) determines which key a verifier fetches.

Generate Key

For DKIM, 1024-bit RSA keys are still common, but they are the minimum
allowed by RFC 8301, which recommends 2048 bits for new keys.
The following commands generate a 1024-bit RSA key and allow Exim to access
the private key:

mkdir -p /etc/exim4/dkim/
cd /etc/exim4/dkim/
openssl genrsa -out privkey.pem 1024
chgrp Debian-exim privkey.pem
chmod g+r privkey.pem


In the following example, the date when the key was created (20200423) is used
as selector. To enable DKIM, add the following lines:

DKIM_SELECTOR = 20200423
DKIM_PRIVATE_KEY = /etc/exim4/dkim/

If outgoing mails carry no DKIM-Signature header afterwards, check that the
signing domain is set as well: Debian's remote_smtp transport takes it from
the DKIM_DOMAIN macro (see README.Debian).

Publish Public Key

The following command shows the public key:

openssl rsa -in /etc/exim4/dkim/ -pubout

This public key is published in a TXT record of the domain.
Ensure that the selector 20200423 matches the selector in the config.

20200423._domainkey  IN  TXT  "k=rsa; p=MIGfMA0G...QQIDAQAB"
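An added example (not from the original tutorial) that produces and checks the TXT record: it extracts the public key as the p= value, splits the record into strings of at most 255 characters (a 2048-bit key does not fit into one TXT string, a 1024-bit key does), and verifies that a published record really belongs to a given private key. It adds the v=DKIM1 tag that RFC 6376 recommends. The selector 20200423 comes from the tutorial; the key paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: produce the DKIM TXT
# record for a private key and verify a published record against the key.
# A single TXT string holds at most 255 bytes; a 2048-bit RSA public key
# alone is 392 base64 characters, so the record must be written as several
# quoted strings, which resolvers join when the verifier fetches the key.
# The selector 20200423 is the tutorial's; key paths are assumptions.

# Prints the p= value: the base64 of the DER-encoded public key of
# private key file $1.
dkim_public_key() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | base64 | tr -d '\n'
}

# dkim_txt_record <selector> <private key>
# Prints one zone file line, the value split into strings of at most 255
# characters. v=DKIM1 is optional but recommended by RFC 6376.
dkim_txt_record() {
    rest="v=DKIM1; k=rsa; p=$(dkim_public_key "$2")"
    printf '%s._domainkey  IN  TXT  (' "$1"
    while [ -n "$rest" ]; do
        chunk=$(printf '%s' "$rest" | cut -c1-255)
        rest=$(printf '%s' "$rest" | cut -c256-)
        printf ' "%s"' "$chunk"
    done
    printf ' )\n'
}

# Prints the length of the longest quoted string in zone line $1
# (must not exceed 255 for a valid TXT record).
txt_longest_string() {
    printf '%s\n' "$1" | tr '"' '\n' \
        | awk 'BEGIN { m = 0 } NR % 2 == 0 && length($0) > m { m = length($0) } END { print m }'
}

# dkim_record_matches_key <zone line> <private key>
# Joins the quoted strings as a resolver would, extracts the p= tag and
# compares it with the public key derived from the private key. Returns 0
# when they match, i.e. the published record belongs to this key.
dkim_record_matches_key() {
    joined=$(printf '%s' "$1" | sed 's/^[^(]*(//; s/)[^)]*$//' | tr -d '" ')
    published=${joined#*p=}
    [ "$published" = "$(dkim_public_key "$2")" ]
}

# Stand-alone use: sh dkim_record.sh 20200423 /etc/exim4/dkim/privkey.pem
if [ $# -ge 2 ]; then
    dkim_txt_record "$1" "$2"
fi
```

After publishing, fetch the record with a resolver and run dkim_record_matches_key on what it returns; a copy-and-paste error in the long base64 value is the most common reason for DKIM verification failures, and this catches it before the first signed mail leaves the server.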