Re: [exim] Problem with tls_certificate and multiple domains

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Heiko Schlittermann
日付:  
To: exim-users
CC: Nospam2k
題目: Re: [exim] Problem with tls_certificate and multiple domains
Heiko Schlittermann via Exim-users <exim-users@???> (Mi 16 Okt 2019 06:48:25 CEST):
>     TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}

>
>     tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
>     tls_privatekey  = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem

>
> You need a "fallback", as there is a fair chance, that the client
> doesn't send you a TLS SNI.


The above is nonsens, missing '$' and breaks if $tls_in_sni doesn't
match an existing file. Sorry for that. Now, after a cup of coffee:

That's what I have in my working configuration.

TLS_SNI = ${lc:${extract{-1}{/}{$tls_in_sni}}}

tls_certificate = ${if exists{/var/lib/exim4/TLS_SNI-ssl.pem}\
    {/var/lib/exim4/TLS_SNI-ssl.pem}\
    {/var/lib/exim4/ssl.schlittermann.de-ssl.pem}}


But now I'm asking myself, if I can be sure that $tls_in_sni doesn't
contain ../../../ and what impact this could have. So, probably in a
first step you should sanitize the $tls_in_sni.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -