> >
> Part of it. I miss the setup example. Something like this:
>
> local_name domain1.com :
>
> tls_key = /path/file1.key
> tls_cert = /path/file1.cert
>
> local_name domain2.com :
>
> tls_pem = /path/file2.pem
>
> I guess that's the part which isn't implemented yet.
>
Ah, but tls_privatekey, tls_certificate etc. are expandable, so you can make use of that and the fact that $tls_sni contains the SNI name sent.
As it says in the docs:
If the string tls_sni appears in the main section's tls_certificate option (prior to expansion) then the following options will be re-expanded during TLS session handshake, to permit alternative values to be chosen:
tls_certificate
tls_crl
tls_privatekey
tls_verify_certificates
Great care should be taken to deal with matters of case, various injection attacks in the string (../ or SQL), and ensuring that a valid filename can always be referenced; it is important to remember that $tls_sni is arbitrary unverified data provided prior to authentication.
---
So you could have
tls_privatekey = /etc/exim/keys/${tls_sni}
tls_certificate = /etc/exim/certs/${tls_sni}
Or something fancier with lookups and defaults and all that sort of thing (and that does some sanity checking of the contents of $tls_sni - especially if you're using a SQL based lookup).
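As an added illustration of the "sanity checking" mentioned above (not from this thread or the Exim project), here is one way to write the main-section options so that the SNI value is lower-cased, restricted to hostname characters, and falls back to a default certificate when no matching file exists. The /etc/exim/certs and /etc/exim/keys directories and the default.pem / default.key file names are assumptions for the example.

```exim
# Main section of the Exim configuration (example, not part of the thread).
# The literal text "tls_sni" must appear in tls_certificate before expansion,
# otherwise Exim will not re-expand these options during the TLS handshake.
#
# Checks performed on each handshake:
#   1. ${lc:...} folds the SNI name to lower case so "Domain1.COM" and
#      "domain1.com" map to the same file on a case-sensitive filesystem.
#   2. The \N...\N regex allows only [a-z0-9.-], so "../", "/", SQL quotes
#      and anything else a client may send cannot reach the filesystem path.
#   3. ${if exists{...}} confirms the file is really there, so an unknown
#      name gets the default certificate instead of a handshake failure.
tls_certificate = ${if match{${lc:$tls_sni}}{\N^[a-z0-9][a-z0-9.-]{0,252}$\N} \
                     {${if exists{/etc/exim/certs/${lc:$tls_sni}.pem} \
                         {/etc/exim/certs/${lc:$tls_sni}.pem} \
                         {/etc/exim/certs/default.pem}}} \
                     {/etc/exim/certs/default.pem}}

tls_privatekey  = ${if match{${lc:$tls_sni}}{\N^[a-z0-9][a-z0-9.-]{0,252}$\N} \
                     {${if exists{/etc/exim/keys/${lc:$tls_sni}.key} \
                         {/etc/exim/keys/${lc:$tls_sni}.key} \
                         {/etc/exim/keys/default.key}}} \
                     {/etc/exim/keys/default.key}}
```

The same shape works for a lookup-based mapping (for example an lsearch file keyed by the validated SNI name) as long as the regex check runs before the value is used in any lookup or path.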