Re: [exim] Problem with tls_certificate and multiple domains

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: Nospam2k
CC: exim-users
Temat: Re: [exim] Problem with tls_certificate and multiple domains
Hi,

1st: please send your questions to exim-users@??? (not to the
*-owner address).

Nospam2k <nospam2k@???> (Mi 16 Okt 2019 01:58:42 CEST):
> After many hours of troubleshooting, I cannot figure out how to correctly setup tls_certificate for multiple domains. I’m using CentOS 7.7 and Exim 4.92. I have only one exim.conf file. I have in the main body:
>
> tls_certificate = /etc/exim/private/certs/${lc:${domain:$h_from:}}/cert.pem
> tls_privatekey = /etc/exim/private/certs/${lc:${domain:$h_from:}}/privkey.pem


Didn't we answer this alreay? The $h_from: isn't available during TLS
session setup.

> begin transports
>
> remote_smtp:
>     tls_certificate = /etc/exim/private/certs/${lc:${domain:$h_from:}}/cert.pem
>     tls_privatekey = /etc/exim/private/certs/${lc:${domain:$h_from:}}/privkey.pem


The TLS settings in the transports section are for outgoing connections.
The above settings would choose a certificate based on the recipient's
domain for an outgoing mail, I suppose, that's not what you want.

Use in the main section:

    TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}


    tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
    tls_privatekey  = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem


You need a "fallback", as there is a fair chance, that the client
doesn't send you a TLS SNI.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -