Bobcares

How to set up SMTP authentication in Exim4 mail server?

by | Nov 26, 2018

Most ISPs enforce SMTP authentication to send emails which helps them reduce spam.

But this is not supported by default on most Linux distributions (CentOS, Debian, etc.).

So, you must manually configure your mail server to enable SMTP authentication, which requires many edits in the core configuration files.

In our role as Outsourced Tech Support, we help our web hosts and their Dedicated and VPS customers set up SMTP authentication on their servers.

Today, let’s discuss how we enable SMTP authentication in Exim4 mail server.

Before we get into the details, let’s be clear about SMTP authentication.

 

What is SMTP authentication?

SMTP authentication aka SMTP_AUTH enables an email sender to log on to the mail server using an authentication mechanism supported by the mail server.

In other words, the email client passes the email username and password for each message sent to the mail server.

Therefore, this ensures that every time a message is sent from your account, the mail server confirms that it is authorized to do so.

Now, let’s see how we configure Exim4 SMTP authentication.

 

How to set up Exim4 SMTP authentication?

Here, we discuss how our Support Engineers configure Exim4 to use SMTP_AUTH with TLS encryption.

 

1) Enable TLS encryption

First, we need to generate an Exim SSL Certificate for use with TLS. We generate the Exim4 SSL certificate with the following command:

/usr/share/doc/exim4-base/examples/exim-gencert

 

This generates the certificate files exim.crt and exim.key in the folder /etc/exim4/.

Further, Exim4 must also be configured to use TLS.

To do this, we create the file “/etc/exim4/exim4.conf.localmacros” (or edit it if it exists) and add the following line.

MAIN_TLS_ENABLE = true

 

Once TLS is enabled, it ensures that all the emails exchanged with the server travel over an encrypted connection, to prevent data theft or modification.

 

2) Enable authentication

Next, enable authentication in Exim4, so that the server authenticates the email clients each time a message is sent.

To enable plaintext authentication, uncomment the following lines (remove the leading “#”) in the Exim4 configuration file “/etc/exim4/exim4.conf.template”:

# plain_server:
# driver = plaintext
# public_name = PLAIN
# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
# server_set_id = $2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
# .endif

 

Here, the plaintext authenticator supports the authentication mechanisms PLAIN and LOGIN. Both of these transfer data as plain text.

But don’t worry, we’ve already seen how our Security Specialists enable SMTP encryption on the server to solve this security issue.

 

3) Set up users and passwords

Additionally, to allow an external mail client to connect to the Exim4 mail server, a new user must be added to Exim4.

We set up new users and passwords with the following command.

/usr/share/doc/exim4-base/examples/exim-adduser

 

This will add the new user and password to the Exim4 password file “/etc/exim4/passwd“.

Most importantly, our Security Specialists ensure that this file is assigned proper permissions and ownership to prevent outside access.

For instance, on Debian servers, we set the permission and ownership of the “/etc/exim4/passwd” file as follows:

chown root:Debian-exim /etc/exim4/passwd
chmod 640 /etc/exim4/passwd

 

4) Restart Exim4 service

Once you are done with all the above steps, update the Exim4 configuration and restart the service.

We use the below command to generate the main configuration files of Exim4.

update-exim4.conf

 

After that, restart the Exim4 service.

For instance, in Debian servers, we restart the Exim4 service with the below command.

/etc/init.d/exim4 restart

 

You’re done!! Exim4 is now configured to use SMTP authentication.
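The following checks are an added example, not part of the original article: they confirm from captured EHLO replies that AUTH is advertised only inside the TLS session (what the server_advertise_condition line in step 2 enforces) and that the password file from step 3 has the intended mode and ownership. The function names, host names and EHLO replies are constructed for illustration, and check_passwd assumes GNU stat.

```bash
#!/usr/bin/env bash
# Post-setup checks for the four steps above (added example).

# Constructed EHLO replies: before STARTTLS, and again inside the TLS session.
SAMPLE_CLEAR='250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP'
SAMPLE_TLS='250-mail.example.test Hello client.example.test [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN
250 HELP'

# Print the mechanisms advertised in an EHLO reply read from stdin.
auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | xargs
}

# check_ehlo CLEAR_REPLY TLS_REPLY: print findings, return non-zero on failure.
check_ehlo() {
    local clear_mechs tls_mechs rc=0
    clear_mechs=$(printf '%s\n' "$1" | auth_mechs)
    tls_mechs=$(printf '%s\n' "$2" | auth_mechs)
    printf '%s\n' "$1" | tr -d '\r' | grep -Eq '^250[- ]STARTTLS$' \
        || { echo "FAIL: STARTTLS not offered (is MAIN_TLS_ENABLE set?)"; rc=1; }
    # server_advertise_condition hides AUTH while $tls_cipher is empty.
    [ -z "$clear_mechs" ] \
        || { echo "FAIL: AUTH $clear_mechs offered before TLS"; rc=1; }
    [ -n "$tls_mechs" ] \
        || { echo "FAIL: no AUTH offered after STARTTLS"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: AUTH $tls_mechs offered only after STARTTLS"
    return "$rc"
}

# check_passwd FILE [OWNER:GROUP]: verify mode 640 and ownership (GNU stat).
check_passwd() {
    local want="${2:-root:Debian-exim}" got
    got=$(stat -c '%a %U:%G' "$1") || return 2
    [ "$got" = "640 $want" ] && { echo "OK: $1 is $got"; return 0; }
    echo "FAIL: $1 is $got, expected 640 $want"; return 1
}

check_ehlo "$SAMPLE_CLEAR" "$SAMPLE_TLS"
# On the server itself: check_passwd /etc/exim4/passwd
```

On a live server, the two replies can be captured by sending EHLO once over a plain connection and once through `openssl s_client -starttls smtp`.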

 

Conclusion

In short, nowadays, most ISPs enforce SMTP authentication to send emails. This is not enabled in most mail servers by default. We have to enable it manually. Today, we have seen the steps followed by our Support Engineers to enable SMTP authentication in Exim4 mail servers.


4 Comments

  1. Lous

    I did all the configurations but Exim still allows sending emails without needing to enter a username / password or even with invalid credentials.
    I connect via another server via SMTP and send.

    What can I be doing wrong?

    • Maheen Aboobakkar

      Hello Lous,

      If you are still facing the issue, we need to look into the settings. We’ll be happy to talk to you on chat (click on the icon at right-bottom).

      • karthik

        Can we have a quick call please

        • Hiba Razak

          Hi Karthik,
          Please contact our support team via live chat (click on the icon at right-bottom).

