Re: [Exim] TLS + Multiple certs + Multiple domains

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Giuliano Gavazzi
Dátum:  
Címzett: Josh Stompro, exim-users
Tárgy: Re: [Exim] TLS + Multiple certs + Multiple domains
Sorry, wasn't meant to go out so coincise.

What docs? spec.txt 4.10 and 4.12 say what Tamas wrote.
I must admit that the spec.txt is not very clear on the issue, it is
difficult to find a definition for type string*, but if you look at
other string with that particular type and see how they can be
defined in the configuration, you'll see what you can do with
tls_certificate.

Probably you would use $interface_address to select the certificate,
or, if the IP address might change in future, you could do a reverse
dns lookup on it as in

tls_certificate = /etc/mail/certs/${lookup \
                    dnsdb{PTR=$interface_address}{$value}fail}.cert


that should look for a certificate in /etc/mail/certs/you.virtualhostname.cert

(this is not checked, also, I am not sure lookup dnsdb can get PTR
records without reversing the ip address and appending in-addr.arpa).
Of course you MUST set your reverse dns (alternatively you could use
a lookup file and use lsearch to select the file name corresponding
to an interface_address)

Note that as you are listening on many interfaces, you should limit
the output to one only with the transport:

remote_smtp:
driver = smtp
interface = your.out.going.ip
command_timeout = 5m

And again: your ip reverse MUST correspond to the HELO name, that is
to the value of primary_hostname (or the result of uname). At the
same time the direct lookup of your HELO argument (primary_hostname)
must give your outgoing IP address.
If you want to use virtual ourgoing hosts too (that is different
remote_smtp depending on the sender domain, but why?) than you should
change the helo message, as the primary_host name is fixed by the
configuration file (it is not connection dependent, that is).
You can do this by:

helo_data                       Type: string*      Default: $primary_hostname


     The value of this option is expanded, and used as the argument for the
     EHLO or HELO command that starts the outgoing SMTP session.


This is a private options for smtp (transport). So your transport could be:

remote_smtp:
   driver = smtp
   interface = your.out.going.ip
   helo_data = ${lookup \
                    dnsdb{PTR=$interface_address}{$value}fail}
   command_timeout = 5m


with the the same considerations as above about the definition of
tls_certificate. Both will fail is the lookup fails..

How to select the smtp transport according to the sender domain is
left as an exercise to the reader.

Is this too much? Probably yes, but hey, it took me time to research
and write this, now it's your turn.

Giuliano

At 23:27 -0600 2003/01/03, Josh Stompro wrote:
>    Thanks for responding.  Would you mind explaining your response?
>I'm afraid they are to clever for me.  I have looked at the docs again
>and the tls_certificate option is of type "string" not "string*".  Are
>you using that * as a wildcard or as added ephasis?  Wouldn't I need to
>run a different exim instance for each IP if I wanted them to use
>different certs?
>Thanks
>Josh
>Tamas TEVESZ wrote:

>
>>it does. there is just No Such Thing as namebased virtualhosting
>>(adapt that wording to this particular case) and ssl.
>>
>>>    Is my only option to use multiple ip addresses and multiple
>>>copies of exim?

>>
>>multiple ips, yes. multiple exims, no.
>>
>>tls_certificate                 Type: string*
>>                                            ^
>>                                            ^
>>                                            ^

>>
>
>
>
>--
>
>## List details at http://www.exim.org/mailman/listinfo/exim-users
>Exim details at http://www.exim.org/ ##



--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/