Re: [exim] Best way tls_certificate select

Author: Arkadiusz Miśkiewicz
Date:  
To: exim-users
Subject: Re: [exim] Best way tls_certificate select
On Saturday 20 of January 2018, Sławek wrote:
> Now I set tls_certificate = ${if
> exists{/etc/letsencrypt/live/${tls_sni}/fullchain.pem}{/etc/letsencrypt/live/${tls_sni}/fullchain.pem}{/etc.exim.certc/certificate.crt}}
> where ${tls_sni} is the directory, e.g. mail.domain.com.
> What value does tls_sni return? The domain name? The MX record name?
> All clients (Outlook, Thunderbird, Windows Live) have the SMTP server set
> to mail.domain.com, and Dovecot correctly chooses the certificate by
> mail.domain.com.


Be aware that $tls_sni is remote user controlled and thus can contain
malicious content. tls_sni is in most cases the hostname that is set in the
email client as the SMTP server.

tls_sni works fine here, but we use a safe hash: ${lc:${sha1:${lc:${tls_sni}}}}

tls_certificate = ${if exists{/etc/certs/letsencrypt/cert.${lc:${tls_sni}}.pem}{/etc/certs/letsencrypt/cert.${lc:${tls_sni}}.pem}{/etc/openssl/certs/default.crt}}


> Exim not
> regards, Sławomir Dworaczek
>
> -------- Original message --------
> From: Sławek <slawek@???>
> Date: 20.01.2018  12:46  (GMT+01:00)
> To:     exim-users@???
> Subject: Best way tls_certificate select

>
>
>
> Is it possible to select tls_certificate with a variable, tls_certificate=
> /etc/letsencrypt/live/mail.$domain_sender/fullchain.pem ? Because tls_sni
> does not work.
>
>
> regards
> Sławomir Dworaczek



--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
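The point of the reply above is that a client-supplied SNI spliced straight into a file path can reach outside the certificate directory, whereas the hashed form ${lc:${sha1:${lc:${tls_sni}}}} always yields a fixed-width hex name. The Python below is an added illustration, not code from the thread or from Exim: it reproduces that hashed naming (so an operator can compute the file name a given hostname maps to when deploying certificates), models the ${if exists{...}} fallback against a constructed set of files, and checks whether each candidate path still lies inside the certificate directory. The directory and default path follow the reply; the SNI values are constructed.

```python
import hashlib
import os

# Layout assumed from the reply: per-host certs plus a default fallback.
CERT_DIR = "/etc/certs/letsencrypt"
DEFAULT_CERT = "/etc/openssl/certs/default.crt"


def hashed_cert_name(tls_sni: str) -> str:
    """Mirror ${lc:${sha1:${lc:${tls_sni}}}}: lowercase the SNI, SHA-1 it,
    then lowercase the digest (Exim's ${sha1:} returns upper-case hex).
    The result is always 40 hex characters, so it can never contain '/'."""
    digest = hashlib.sha1(tls_sni.lower().encode("utf-8")).hexdigest()
    return digest.lower()


def naive_cert_path(tls_sni: str) -> str:
    """The pattern from the question: raw SNI spliced into the path.
    Kept only to show why the reply warns that $tls_sni is untrusted."""
    return f"{CERT_DIR}/cert.{tls_sni.lower()}.pem"


def hashed_cert_path(tls_sni: str) -> str:
    """Per-host certificate path built from the hashed name."""
    return f"{CERT_DIR}/cert.{hashed_cert_name(tls_sni)}.pem"


def stays_in_cert_dir(path: str) -> bool:
    """True if the normalised path is a direct child of CERT_DIR,
    i.e. no '..' segments or extra directories escaped the intended tree."""
    return os.path.dirname(os.path.normpath(path)) == CERT_DIR


def select_certificate(tls_sni: str, existing_files) -> str:
    """Offline model of ${if exists{hashed}{hashed}{default}}.
    `existing_files` is a constructed stand-in for the files on disk."""
    candidate = hashed_cert_path(tls_sni)
    return candidate if candidate in existing_files else DEFAULT_CERT


if __name__ == "__main__":
    deployed = {hashed_cert_path("mail.example.com")}  # constructed
    for sni in ("MAIL.Example.COM", "other.example.net", "evil/../../../../tmp/x"):
        print(sni, "->", select_certificate(sni, deployed),
              "| naive path inside dir:", stays_in_cert_dir(naive_cert_path(sni)))
```

Name the deployed files cert.<hashed_cert_name(hostname)>.pem and the Exim expression from the reply will find them; any SNI without a matching file falls through to the default certificate.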