[Exim] How to use SSL with several domains?

Author: Andreas M. Kirchwitz
Date:  
To: exim-users
Subject: [Exim] How to use SSL with several domains?
Dear Exim users!

I'm hosting several domains on my mailserver (running Exim 3.22).
Each domain has its own IP interface, so that Exim can behave
differently depending on the FQDN the user specified as SMTP server.

Assuming a mapping file (IP address -> CRT/KEY file) exists ...

    1.2.3.4: crtfile=/path/to/certs/key1234 keyfile=/path/to/keys/key1234


Then I can set tls_certificate and tls_privatekey like this:

    # lsearch keys on the text before the colon (the IP address); extract
    # then picks the named field out of the matching line's value
    tls_certificate = ${extract {crtfile} {${lookup {$interface_address} lsearch {/path/to/mapping-file} {$value} fail}}}
    tls_privatekey = ${extract {keyfile} {${lookup {$interface_address} lsearch {/path/to/mapping-file} {$value} fail}}}


Since SSL certificates have the FQDN encoded within the certificate,
I now can use the appropriate CRT/KEY pair, depending on the FQDN/IP
the user has connected to.

But now I'm running into a similar problem as with SMTP authentication.
For SMTP authentication it's (not perfect but) acceptable to advertise
that feature only to hosts connecting from IP ranges that aren't
allowed to relay by default.

For SSL, it doesn't make that much sense to have it depend on the
client's IP address. Whether to advertise SSL depends on whether
I have an SSL certificate (for a given domain).

Looks like tls_advertise_hosts doesn't expand, so I cannot make
it dependent on "$interface_address". For example, if $interface_address
is listed in "/path/to/mapping-file" (see above), then advertise it
(and do not in any other case):

    tls_advertise_hosts = ${lookup {$interface_address} lsearch {/path/to/mapping-file} {*} {!*}}


If tls_advertise_hosts were expandable, would it work?

Are there other Exim admins in a similar situation? How did you
manage the problem of having several domains with their own SSL
certs?

Any help is welcome. ;-)

    Greetings, Andreas
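Added example, not part of the post above: before pointing Exim at a per-interface mapping file like the one described, it is worth checking that every entry actually holds a usable pair, since a key that does not belong to its certificate, or a certificate whose CN is not the FQDN users connect to on that interface, only shows up as a TLS failure at connection time. The script below reads the mapping format from the post (IPv4 keys only) plus a second, constructed file mapping each interface address to its expected FQDN; the hostnames, addresses and file names are made up, `kv_extract`, `check_mapping` and `demo` are names chosen here, and `openssl` is assumed to be installed. Only the subject CN is checked, not subjectAltName.

```sh
#!/bin/sh
# Added example: sanity-check a per-interface cert/key mapping file.
# Mapping line format, as in the post:
#   1.2.3.4: crtfile=/path/to/cert keyfile=/path/to/key
# A second (constructed) file maps interface IP -> FQDN users connect to:
#   1.2.3.4 mail.example.org

# Print the value of key=... from a "k1=v1 k2=v2" string, which is what
# Exim's ${extract{key}{string}} does. Usage: kv_extract key "string"
kv_extract() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# check_mapping MAPFILE HOSTFILE
# Exit status = number of interfaces whose cert/key pair is unusable.
# IPv4 keys only: the key is taken as the text before the first colon.
check_mapping() {
    map=$1 hosts=$2 bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        ip=${line%%:*}
        rest=${line#*:}
        crt=$(kv_extract crtfile "$rest")
        key=$(kv_extract keyfile "$rest")
        fqdn=$(awk -v ip="$ip" '$1 == ip { print $2 }' "$hosts")
        if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
            echo "$ip: FAIL missing file ($crt, $key)"; bad=$((bad+1)); continue
        fi
        # The key must belong to the cert: compare the SubjectPublicKeyInfo.
        if [ "$(openssl x509 -noout -pubkey -in "$crt")" != \
             "$(openssl pkey -pubout -in "$key")" ]; then
            echo "$ip: FAIL keyfile does not match crtfile"; bad=$((bad+1)); continue
        fi
        # The cert must carry the name clients connect to on this interface.
        if ! openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" \
                | grep -q -E "CN=$fqdn(,|\$)"; then
            echo "$ip: FAIL certificate CN is not $fqdn"; bad=$((bad+1)); continue
        fi
        echo "$ip: OK $fqdn -> $crt"
    done < "$map"
    return $bad
}

# Build throwaway keys, certs and mapping files (constructed data, not real
# hosts) and run the check over them. Returns check_mapping's status.
demo() {
    d=$(mktemp -d); cd "$d" || return 99
    mk() { openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
               -keyout "$2.key" -out "$2.crt" 2>/dev/null; }
    mk mail.example.org good      # cert and key match, CN correct
    mk mail.example.net wrongcn   # CN is not the FQDN of its interface
    mk smtp.example.com other     # only used to supply a non-matching key
    cat > map <<EOF
# interface -> certificate/key (format from the post)
192.0.2.10: crtfile=$d/good.crt keyfile=$d/good.key
192.0.2.11: crtfile=$d/wrongcn.crt keyfile=$d/wrongcn.key
192.0.2.12: crtfile=$d/good.crt keyfile=$d/other.key
192.0.2.13: crtfile=$d/missing.crt keyfile=$d/missing.key
EOF
    cat > hosts <<EOF
192.0.2.10 mail.example.org
192.0.2.11 mail.example.org
192.0.2.12 mail.example.org
192.0.2.13 mail.example.org
EOF
    check_mapping "$d/map" "$d/hosts"; rc=$?
    cd / && rm -rf "$d"
    return $rc
}

demo || echo "check failed for $? interface(s)"
```

Run against the real mapping file and a hand-written IP-to-FQDN list on the mail server itself; any FAIL line marks an interface on which offering TLS would only break clients, which is exactly the case the post wants to keep out of tls_advertise_hosts.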