Re: [Exim] Multiple SSL certificates

Author: Tony Finch
Date:
To: doctor
CC: exim-users
Subject: Re: [Exim] Multiple SSL certificates
Mike Richardson <doctor@???> wrote:
>
>Unless there is a variable in exim which stores the hostname which the
>client is configured to connect to (reverse IP lookup doesn't help), as
>opposed to the hostname of the machine it is connected to, then
>unfortunately this doesn't help.


SMTP doesn't allow the server to find out what the client thinks
the server's name is, which is necessary for multiple certificates to
work. You have to have a separate IP address for each name, and choose the
certificate to present based on the address. This is a problem with almost
all TLS implementations -- in fact it's one of the classic https FAQs.

>Can I request that support for multiple certificates be added to the
>wish list please?


I do this:

        CERTS   = /opt/dist/certs


        tls_certificate = CERTS/server/${lookup{$interface_address} \
                                         cdb{DB/ipaddr2name.cdb}}


The ipaddr2name table contains entries like

        131.111.8.140   smtp.hermes.cam.ac.uk


This is necessary because our reverse DNS refers to the host's name
not the service name. If your DNS is differently set up you might
be able to use a dnsdb lookup.

Tony.
--
f.a.n.finch <dot@???> http://dotat.at/
NORTH FITZROY: NORTHEASTERLY 5 OR 6, DECREASING 3 OR 4 IN NORTH. SHOWERS.
GOOD.
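The same per-interface certificate selection, as an added example written for this page rather than Tony's configuration or anything shipped with Exim: it uses a plain-text `lsearch` table instead of a cdb so it can be edited by hand, falls back to a default certificate when a listening address is missing from the table instead of letting the expansion fail, sets a matching `tls_privatekey` for installations that keep keys apart from certificates, and shows the `dnsdb` PTR variant Tony mentions. The paths under `/etc/exim`, the `example.org` names and the `192.0.2.x` addresses are all assumed.

```exim
# Added example, not from the original mail or from the Exim project.
# Assumed layout: one cert and one key per service name under CERTS/server.
CERTS = /etc/exim/certs
IPMAP = /etc/exim/ipaddr2name

# IPMAP is a plain lsearch table, one listening address per line (the
# entries below are constructed):
#   192.0.2.10:  smtp.example.org
#   192.0.2.11:  relay.example.org
#
# Choose the service name from the address the client connected to.
# Addresses not in the table get "default" so TLS still comes up with a
# known certificate rather than failing the expansion.
SERVICE_NAME = ${lookup{$interface_address}lsearch{IPMAP}{$value}{default}}

tls_certificate = CERTS/server/SERVICE_NAME.pem
# Only needed when the key is not in the same file as the certificate;
# it must follow the same lookup so cert and key always match.
tls_privatekey  = CERTS/server/SERVICE_NAME.key

# Alternative when the reverse DNS of each address already names the
# service rather than the host, as Tony suggests: take the PTR name
# straight from DNS and skip the local table.
# tls_certificate = CERTS/server/${lookup dnsdb{ptr=$interface_address}{$value}{default}}.pem
```

Check a single entry before restarting the daemon with `exim -be '${lookup{192.0.2.10}lsearch{/etc/exim/ipaddr2name}{$value}{default}}'`; if the host also listens on IPv6, switch the table to `iplsearch`, since a plain `lsearch` key stops at the first colon and would never match an IPv6 address.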