Here's what worked for me (Exim 4.4x), and I am presuming that the SSL certificate (selfsigned or whatnot) and server key have already been configured (man ssl):

In the main configuration section (before the ACL configuration) add the following lines (this essentially tells client connections that TLS is available on port 465/tcp, and only advertise SMTP AUTH if TLS is in use):

daemon_smtp_ports = 25:465
tls_advertise_hosts = *
tls_on_connect_ports = 465
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
tls_certificate = /etc/ssl/exim/server.crt
tls_privatekey = /etc/ssl/exim/server.key

In the AUTHENTICATION section, add the following lines (after begin authenticators), which ensures that plaintext authentication is only available if the session is TLS encrypted):

  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
  server_condition = "${if crypteq{$3}{${lookup{$2}lsearch{/etc/exim/passwd}{$value}{*:*}}}{1}{0}}"
  server_set_id = $2

  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
  server_condition = "${if crypteq{$2}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}}}{1}{0}}"
  server_set_id = $1

All that needs to be done now is to create a file (readable by the user running the Exim process) called /etc/exim/passwd where you define your users, one for each line, so:)


In OpenBSD, there is a handy command called 'encrypt' which generates crypt hashes, but 'htpasswd' from the Apache distribution should also do the trick.

(Needless to say, Exim needs to be configured for SMTP AUTH and SSL/TLS!)