To configure an Exim4 server for smtp_auth against the "Postfix" database of Openmailadmin, the following settings are needed.
Taking security aspects into account, the following is to be implemented:
CRAM-MD5: the SQL string still has to be checked. How can CRAM-MD5 be debugged?? Note that Exim's cram_md5 driver needs server_secret to expand to the cleartext password; if the password column only holds MD5 digests (which the {md5} crypteq form used by the PLAIN and LOGIN authenticators implies), a CRAM-MD5 response can never verify against it.
Generate a certificate with the script shipped in exim4-base:
/usr/share/doc/exim4-base/examples/exim-gencert
[*] Creating a self signed SSL certificate for Exim!
This may be sufficient to establish encrypted connections but for
secure identification you need to buy a real certificate!
Please enter the hostname of your MTA at the Common Name (CN) prompt!
Generating a 1024 bit RSA private key
.....++++++
...................................++++++
unable to write 'random state'
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Code (2 letters) [US]:DE
State or Province Name (full name) []:Schleswig-Holstein
Locality Name (eg, city) []:Schwarzenbek
Organization Name (eg, company; recommended) []:tiri Limited & Co. KG
Organizational Unit Name (eg, section) []:
Server name (eg. ssl.domain.tld; required!!!) []:www.1-search.de
Email Address []:
[*] Done generating self signed certificates for exim!
Refer to the documentation and example configuration files
over at /usr/share/doc/exim4-base/ for an idea on how to enable TLS
support in your mail transfer agent.
/etc/exim4/exim4.conf.localmacros
MAIN_TLS_ENABLE = true
MAIN_TLS_ADVERTISE_HOSTS = *
#AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = true
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
daemon_smtp_ports = smtp : 587 : 465
tls_on_connect_ports = 465
/etc/exim4/exim4.conf.template
plain_server:
  driver = plaintext
  public_name = PLAIN
  # Debian template default: look the user up in a flat passwd file
  #server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  # http://www.exim.org/exim-html-current/doc/html/spec_html/ch11.html
  # Fixed hash for testing: {md5} followed by the hex MD5 digest of the password
  #server_condition = "${if crypteq{$auth3}{\\{md5\\}34a2b886c462c2e5e09116aec2d97c6d}{1}{0}}"
  # Look the MD5 digest up in the openmailadmin database. quote_mysql is Exim's
  # built-in MySQL escaping and replaces the earlier sg{} quote stripping, so the
  # user-supplied name cannot break out of the SQL string literal.
  server_condition = "${if crypteq{$auth3}{\\{md5\\}${lookup mysql {SELECT password FROM user WHERE mbox = '${quote_mysql:$auth2}' AND active = '1';}}}{1}{0}}"
  server_set_id = $auth2
  server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  # Only advertise PLAIN once the session is encrypted
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.
login_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  #server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_condition = "${if crypteq{$auth2}{\\{md5\\}${lookup mysql {SELECT password FROM user WHERE mbox = '${quote_mysql:$auth1}' AND active = '1';}}}{1}{0}}"
  server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
cram_md5_server:
  driver = cram_md5
  public_name = CRAM-MD5
  #server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
  # to be tested // could not be checked yet
  # server_secret must expand to the cleartext password; if the password column
  # holds an MD5 digest, the CRAM-MD5 response will never verify.
  # (The surplus closing braces of the first draft have been removed.)
  server_secret = ${lookup mysql {SELECT password FROM user WHERE mbox = '${quote_mysql:$auth1}' AND active = '1';}{$value}fail}
  server_set_id = $auth1
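The following is an added example, not code from the page or from Exim or openmailadmin. It mirrors the two checks the authenticators above depend on: how crypteq matches a password against a "{md5}" value (as PLAIN and LOGIN do), and how a CRAM-MD5 response is verified, which shows why the cram_md5 server_secret has to be the cleartext password and not the digest stored in the database. The mailbox, password and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the page): one mailbox, its cleartext
# password, and the value the `password` column would hold if openmailadmin
# stores an MD5 digest, which is what the "{md5}" crypteq form expects.
MBOX = "user@example.org"
PASSWORD = "s3cret-pass"
STORED_MD5_HEX = hashlib.md5(PASSWORD.encode()).hexdigest()
STORED_MD5_B64 = base64.b64encode(hashlib.md5(PASSWORD.encode()).digest()).decode().rstrip("=")


def crypteq_md5(candidate: str, stored: str) -> bool:
    """Mirror Exim's crypteq against a "{md5}" value: the stored string is the
    MD5 of the password, either as 32 hex characters or as unpadded base64."""
    digest = hashlib.md5(candidate.encode()).digest()
    if len(stored) == 32:
        return hmac.compare_digest(digest.hex(), stored.lower())
    encoded = base64.b64encode(digest).decode().rstrip("=")
    return hmac.compare_digest(encoded, stored.rstrip("="))


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """What a CRAM-MD5 client sends back (RFC 2195):
    '<username> <hex(HMAC-MD5(password, challenge))>'.
    The client always keys the HMAC with the cleartext password it knows."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}"


def cram_md5_verify(response: str, server_secret: str, challenge: bytes) -> bool:
    """Server side, as Exim's cram_md5 driver does with server_secret: recompute
    the HMAC with the secret looked up for the user and compare."""
    _username, _, mac = response.partition(" ")
    expected = hmac.new(server_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """Run both checks the Exim authenticators above rely on."""
    challenge = b"<1234.1210457990@test.local>"  # constructed RFC 2195 style nonce
    response = cram_md5_response(MBOX, PASSWORD, challenge)
    return {
        # PLAIN/LOGIN: crypteq with "{md5}" matches a hashed column.
        "plain_ok": crypteq_md5(PASSWORD, STORED_MD5_HEX),
        "plain_wrong_password": crypteq_md5("wrong", STORED_MD5_HEX),
        # CRAM-MD5 only verifies when server_secret is the cleartext password...
        "cram_with_cleartext": cram_md5_verify(response, PASSWORD, challenge),
        # ...and fails when the lookup hands the driver the MD5 digest instead.
        "cram_with_md5_column": cram_md5_verify(response, STORED_MD5_HEX, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it prints plain_ok and cram_with_cleartext as True and the other two as False: a database that only stores md5() digests can serve the PLAIN and LOGIN authenticators, but not cram_md5_server.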
openssl s_client
$ openssl s_client -connect 127.0.0.1:465
< 220 test.local ESMTP Exim 4.63 Sat, 10 May 2008 22:19:50 +0000
EHLO test.com
< 250-test.local Hello localhost [127.0.0.1]
< 250-SIZE 52428800
< 250-PIPELINING
< 250-AUTH PLAIN LOGIN CRAM-MD5
< 250-AUTH=PLAIN LOGIN
< 250 HELP