Heiko Schlittermann via Exim-users <exim-users@???> (Mi 16 Okt 2019 06:48:25 CEST):
> TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}
>
> tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
> tls_privatekey = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem
>
> You need a "fallback", as there is a fair chance, that the client
> doesn't send you a TLS SNI.
The above is nonsense: it's missing a '$' and breaks if $tls_in_sni doesn't
match an existing file. Sorry for that. Now, after a cup of coffee,
that's what I have in my working configuration:
TLS_SNI = ${lc:${extract{-1}{/}{$tls_in_sni}}}
tls_certificate = ${if exists{/var/lib/exim4/TLS_SNI-ssl.pem}\
{/var/lib/exim4/TLS_SNI-ssl.pem}\
{/var/lib/exim4/ssl.schlittermann.de-ssl.pem}}
But now I'm asking myself if I can be sure that $tls_in_sni doesn't
contain ../../../ and what impact this could have. So, probably as a
first step you should sanitize $tls_in_sni.
Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
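The sanitisation step raised at the end of the mail, as an added example that is not from the thread or from Exim itself: a Python stand-in for the certificate lookup that accepts only syntactically valid hostnames before building the file path, checks that the result still resolves inside the certificate directory, and otherwise falls back to the default certificate. The function names, the `-ssl.pem` file layout (taken from the post) and the sample files are the example's own assumptions.

```python
import os
import re
import tempfile
from typing import Optional

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, no empty labels. '.', '/' and '..' never match.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def sanitize_sni(sni: str) -> Optional[str]:
    """Return a normalised (lowercase, no trailing dot) hostname, or None."""
    if not sni:
        return None
    name = sni.strip().lower().rstrip(".")
    if len(name) > 253 or not _HOSTNAME_RE.match(name):
        return None
    return name


def select_cert(sni: str, cert_dir: str, fallback: str) -> str:
    """Pick <cert_dir>/<sni>-ssl.pem if the SNI is clean and the file exists."""
    name = sanitize_sni(sni)
    if name is None:
        return fallback
    candidate = os.path.join(cert_dir, f"{name}-ssl.pem")
    # Belt and braces: even a sanitised name must resolve inside cert_dir.
    base = os.path.realpath(cert_dir)
    if os.path.commonpath([base, os.path.realpath(candidate)]) != base:
        return fallback
    return candidate if os.path.isfile(candidate) else fallback


def demo() -> dict:
    """Constructed sample: one per-host certificate file plus a fallback file."""
    cert_dir = tempfile.mkdtemp()
    fallback = os.path.join(cert_dir, "default-ssl.pem")
    for fname in ("mail.example.org-ssl.pem", "default-ssl.pem"):
        with open(os.path.join(cert_dir, fname), "w") as fh:
            fh.write("placeholder, not a real certificate\n")
    probes = ["MAIL.example.org.",     # case and trailing dot normalised
              "other.example.org",     # valid name, no file -> fallback
              "../../../etc/passwd",   # traversal attempt -> fallback
              ""]                      # client sent no SNI -> fallback
    return {sni: os.path.basename(select_cert(sni, cert_dir, fallback))
            for sni in probes}
```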