Re: [exim] Multiple SSL virtual hosting for SMTP

Author: Torsten Tributh
Date:  
To: Exim-users
Subject: Re: [exim] Multiple SSL virtual hosting for SMTP

On 15.12.18 at 18:28, The Doctor via Exim-users wrote:
> All right, trying to put multiple wildcard SSL certificates in
> the configuration. When I do, I manage to kill the SSL functionality.
>
> in the configuration file I have
>
> local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025 : 0.0.0.0.465 : 0.0.0.0.587
>
> domainlist local_domains = @
> domainlist relay_to_domains =
> hostlist relay_from_hosts = 127.0.0.1 : 204.209.81.0/24
>
> # Allow any client to use TLS.
>
> tls_advertise_hosts = *
> log_selector = +all
>
> # Specify the location of the Exim server's TLS certificate and private key.
> # The private key must not be encrypted (password protected). You can put
> # the certificate and private key in the same file, in which case you only
> # need the first setting, or in separate files, in which case you need both
> # options.
>
> #tls_certificate = ${if exists{/etc/ssl/certs/${tls_sni}.chain.cert}{/etc/ssl/certs/${tls_sni}.chain.cert}{/etc/ssl/certs/wilcard.nk.ca.2018.chain.cert}}
> #tls_privatekey = $if exists{/etc/ssl/certs/${tls_sni}.key}{/etc/ssl/certs/${tls_sni}.key}{/etc/ssl/certs/wilcard.nk.ca.2018.key}}


That something breaks seems to be a typo.
You need an opening bracket "{" in front of the "if" for your key.

I assume that this config will not fit your intention.
When you get a connect with SNI = "whateverhost.acebizventures.com"
the config will search for:

/etc/ssl/certs/whateverhost.acebizventures.com.chain.cert
which will always bring you to the fall-back cert
...and besides: is there not a "2019" in your filename, but not in the
config?

You have to cut the tls_sni down to the domain name first.
Afterwards, don't forget to add "wildcard." in front of that.



> tls_certificate = /etc/ssl/certs/wilcard.nk.ca.2018.chain.cert
> tls_privatekey = /etc/ssl/certs/wilcard.nk.ca.2018.key
>
> Also from the cert directory I have
>
> -rw-r--r-- 1 root wheel 2273 May 31 2018 wilcard.nk.ca.2018.cert
> -rw-r--r-- 1 root wheel 7068 May 31 2018 wilcard.nk.ca.2018.chain.cert
> -rw-r--r-- 1 root wheel 1098 May 14 2018 wilcard.nk.ca.2018.csr
> -rw-r--r-- 1 root wheel 4795 May 31 2018 wilcard.nk.ca.2018.int.cert
> -rw-r--r-- 1 root wheel 1679 May 14 2018 wilcard.nk.ca.2018.key
> -rw-r--r-- 1 root wheel 1746 May 14 2018 wilcard.nk.ca.2018.key.orig
> -rw-r--r-- 1 root wheel 4867 May 31 2018 wilcard.nk.ca.zip
> -rw-r--r-- 1 root wheel 2240 Dec 14 23:52 wildcard.acebizventures.com.2019.cert
> -rw-r--r-- 1 root wheel 7036 Dec 15 08:17 wildcard.acebizventures.com.2019.chain.cert
> -rw-r--r-- 1 root wheel 1424 Dec 14 22:03 wildcard.acebizventures.com.2019.crt
> -rw-r--r-- 1 root wheel 1115 Dec 14 21:59 wildcard.acebizventures.com.2019.csr
> -rw-r--r-- 1 root wheel 4796 Dec 14 23:52 wildcard.acebizventures.com.2019.int.cert
> -rw-r--r-- 1 root wheel 1675 Dec 14 22:00 wildcard.acebizventures.com.2019.key
> -rw-r--r-- 1 root wheel 1743 Dec 14 22:00 wildcard.acebizventures.com.2019.key.orig
>
>
> Pointers please.
>

--
Torsten
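
Editor's note: the following is an added example, not part of the original post or of Exim's own documentation. It puts Torsten's two suggestions (strip the SNI name down to its domain, then prepend "wildcard.") into a complete tls_certificate / tls_privatekey setting. It assumes the directory and naming scheme visible in the listing above, i.e. /etc/ssl/certs/wildcard.<domain>.2019.chain.cert and the matching .key for every hosted domain, with the existing nk.ca pair (spelled "wilcard..." on disk) as the fallback. One addition a practitioner would want: $tls_sni is sent by the client, so it is validated as a plain hostname before it is spliced into a file name.

```exim
# Added example (not from the original post). Assumptions: certificates and keys
# live in /etc/ssl/certs and are named wildcard.<domain>.2019.chain.cert and
# wildcard.<domain>.2019.key, as in the directory listing; the nk.ca pair is the
# fallback and keeps its on-disk spelling "wilcard".

# $tls_sni is supplied by the client. It is about to become part of a file
# name, so accept it only when it looks like a plain lower-case hostname with
# at least two labels. Anything else ("..", "/", upper case, spaces, an empty
# SNI) fails this test and gets the fallback certificate instead.
SNI_IS_HOSTNAME = match{$tls_sni}{\N^[a-z0-9-]+(\.[a-z0-9-]+)+$\N}

# Strip the first label so that the wildcard certificate for the bare domain
# is found: mail.acebizventures.com -> acebizventures.com
SNI_DOMAIN = ${sg{$tls_sni}{\N^[^.]+\.\N}{}}

tls_advertise_hosts = *

# "and" stops at the first false condition, so the exists test (and the file
# name built from the SNI) is only evaluated for a name that passed the check.
# Both options use the same test; make sure every domain has both files,
# otherwise certificate and key could be taken from different pairs.
tls_certificate = ${if and{{SNI_IS_HOSTNAME}{exists{/etc/ssl/certs/wildcard.SNI_DOMAIN.2019.chain.cert}}} \
    {/etc/ssl/certs/wildcard.SNI_DOMAIN.2019.chain.cert} \
    {/etc/ssl/certs/wilcard.nk.ca.2018.chain.cert}}

tls_privatekey = ${if and{{SNI_IS_HOSTNAME}{exists{/etc/ssl/certs/wildcard.SNI_DOMAIN.2019.key}}} \
    {/etc/ssl/certs/wildcard.SNI_DOMAIN.2019.key} \
    {/etc/ssl/certs/wilcard.nk.ca.2018.key}}
```

Check the file for syntax errors with `exim -bV` before reloading, then verify from outside which certificate is served for a given name, e.g. `openssl s_client -connect mail.example.net:465 -servername mail.acebizventures.com` (add `-starttls smtp` for port 587) and compare the subject it prints with the fallback. Two things from the listing are worth fixing at the same time: the .key and .key.orig files are mode 0644, i.e. readable by every local user; private keys should be readable only by root and the user Exim runs as, and the .key.orig copies should not sit world-readable in the certificate directory at all.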