Let's Encrypt Certificates with Exim

by J. Edward Durrett

Let's Encrypt / FreeBSD / Exim / TLS

Let's Encrypt is a new, free certificate authority currently in a public
beta (for more information see letsencrypt.org). With a client,
it is possible to automate the generation and installation of SSL/TLS
certificates for websites.

The prospect of cost-less certificates is a great leap in securing web
traffic on the internet. It also can be extended to secure other domain
based services.

Exim can be configured to use TLS during SMTP connections to encrypt
email in transit between mail servers. Note that this only encrypts the
data while it is being exchanged between the two servers; unless other
measures are taken, the mail is not encrypted end to end.

In the past, SSL certificates cost money. It was worth it for securing
websites, but in other areas, self-signed certificates were cheap
substitutes and, in most cases, worked just fine. The main side effect
was error messages in the logs noting the self-signed certificate.

Now, with the monetary barrier gone, there is no excuse for using
self-signed certificates anywhere on the public internet. Here is how to get a
certificate from Let's Encrypt and make it work with Exim. The
assumption here is that the Let's Encrypt client is already set up.

First, get the certificate:

./letsencrypt-auto certonly --debug -c /usr/local/etc/letsencrypt/cli.ini -d [domainname]

The --debug flag is needed since the current Python client is not
completely problem free on FreeBSD. That is not an issue, as we are only
getting a certificate and not using the advanced features such as
automatic configuration of Apache or another web server.

The next step is a bit hackish and really isn't very elegant. The
letsencrypt command obtains certificates, installs them in
/etc/letsencrypt/archive/[domainname]/ and then makes symlinks to them in
/etc/letsencrypt/live/[domainname]/. Well, Exim doesn't seem to want to
read symlinks, and pointing the Exim configuration at the archive
directory does not make sense, as I have a much more elegant solution in
the works. But copying the certificate and key into a dedicated
directory for Exim works:

NOTE: This was not an issue with symlinks but with permissions. A better, more up-to-date guide is here.

cp /etc/letsencrypt/archive/[domainname]/fullchain1.pem /etc/ssl/exim/exim.cert
cp /etc/letsencrypt/archive/[domainname]/privkey1.pem /etc/ssl/exim/exim.key

And then in /usr/local/etc/exim/configure:

tls_certificate = /etc/ssl/exim/exim.cert
tls_privatekey = /etc/ssl/exim/exim.key

Restarting Exim is the last step.
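The copy step above, written as a small POSIX sh script that also fixes the permissions the NOTE refers to and checks the result. This is an added example and not code from the original post; the function names, the argument layout and the placeholder PEM files in the demo are this example's own. Source file names follow the archive naming used above (fullchain1.pem, privkey1.pem) and the destination names follow the Exim configuration below (exim.cert, exim.key).

```sh
#!/bin/sh
# Added example (not from the original post): install a Let's Encrypt
# certificate/key pair into a directory Exim can read, then sanity-check it.
# Function names and argument layout are this example's own assumptions.

# install_exim_cert SRC_DIR DEST_DIR [OWNER]
#   SRC_DIR  directory holding fullchain1.pem and privkey1.pem
#   DEST_DIR directory that tls_certificate / tls_privatekey point at
#   OWNER    optional user[:group] that should own the copies (e.g. the Exim user)
install_exim_cert() {
    src="$1"; dest="$2"; owner="$3"
    for f in fullchain1.pem privkey1.pem; do
        [ -r "$src/$f" ] || { echo "install_exim_cert: cannot read $src/$f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    chmod 750 "$dest" || return 1
    # Copy to a temporary name and rename, so Exim never opens a half-written file.
    cp "$src/fullchain1.pem" "$dest/exim.cert.tmp" && mv "$dest/exim.cert.tmp" "$dest/exim.cert" || return 1
    cp "$src/privkey1.pem"   "$dest/exim.key.tmp"  && mv "$dest/exim.key.tmp"  "$dest/exim.key"  || return 1
    # The chain is public; the private key must be readable by its owner only.
    chmod 644 "$dest/exim.cert" || return 1
    chmod 600 "$dest/exim.key"  || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dest" "$dest/exim.cert" "$dest/exim.key" || return 1
    fi
    return 0
}

# check_exim_cert_files DEST_DIR
#   Returns 0 when exim.cert starts like a PEM certificate, exim.key starts
#   like a PEM private key, and the key is mode 0600. Uses only ls/head/grep
#   so the same check runs on FreeBSD and Linux.
check_exim_cert_files() {
    dest="$1"
    head -n 1 "$dest/exim.cert" 2>/dev/null | grep -q '^-----BEGIN CERTIFICATE-----$' || {
        echo "check: $dest/exim.cert is not a PEM certificate" >&2; return 1; }
    head -n 1 "$dest/exim.key" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || {
        echo "check: $dest/exim.key is not a PEM private key" >&2; return 1; }
    mode=$(ls -l "$dest/exim.key" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || {
        echo "check: $dest/exim.key has mode $mode, expected -rw-------" >&2; return 1; }
    return 0
}

# Stand-alone demo on constructed placeholder PEM files (not real keys),
# so it runs without a Let's Encrypt installation present.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/archive"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$tmp/archive/fullchain1.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' \
        > "$tmp/archive/privkey1.pem"
    install_exim_cert "$tmp/archive" "$tmp/ssl/exim" && check_exim_cert_files "$tmp/ssl/exim"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo && echo "certificate and key installed and verified"
```

On a real host the call would be something like `install_exim_cert /etc/letsencrypt/archive/[domainname] /etc/ssl/exim mailnull` before restarting Exim. Each renewal writes a new numbered pair (fullchain2.pem, privkey2.pem, and so on) into archive/, so after a renewal the script has to be pointed at the newest pair; the live/ directory's symlinks always point at the current files, and copying from there works just as well provided the user running the script can read through them. After the restart, `openssl s_client -starttls smtp -connect [mailhost]:25` shows the certificate chain Exim is actually presenting, which is the quickest way to confirm the new files are in use.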

Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.
