Managing Exim4 TLS in Ubuntu 20.04

Basically, configuration is generated by update-exim4.conf. This script is reading files in /etc/exim4 to generate configuration in /var/lib/exim4. The source depends on whether you've selected to split up configuration or not when running dpkg-reconfigure exim4-config. In the former case source files are in /etc/exim4/conf.d, in the latter case it is the file /etc/exim4/exim4.conf.template.

Variables mentioned there are set in different files according to your previous selection as well: when splitting configuration files you may simply put another file into /etc/exim4/conf.d start with 00_ to make sure it is processed first. Otherwise you edit file named /etc/exim4/exim4.conf.localmacros.

In there you can write something like this:

MAIN_TLS_ADVERTISE_HOSTS = 

This is disabling promotion of STARTTLS to connecting clients. In a local-only setup this is fine.

Whenever editing this configuration file you need to run update-exim4.conf and restart exim4 afterwards.

And if you like to use proper TLS certificates you could set up certbot to fetch one from LetsEncrypt. After that, set up links so exim4 is finding those files:

ln -s /etc/letsencrypt/live/foo.example.com/privkey.pem /etc/exim4/exim.key
ln -s /etc/letsencrypt/live/foo.example.com/fullchain.pem /etc/exim4/exim.crt

Replace foo.example.com with proper segment used in your case. Usually it's the domain name of your cert.

An executable script file named /etc/letsencrypt/renewal-hooks/deploy/exim4.sh with the following content is restarting exim4 whenever a new certificate has been issued.

#!/bin/sh
systemctl restart exim4