On 16/10/2019 07:58, Heiko Schlittermann via Exim-users wrote:
> Heiko Schlittermann via Exim-users <exim-users@???> (Mi 16 Okt 2019 06:48:25 CEST):
>> TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}
>>
>> tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
>> tls_privatekey = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem
>>
>> You need a "fallback", as there is a fair chance, that the client
>> doesn't send you a TLS SNI.
>
> The above is nonsens, missing '$' and breaks if $tls_in_sni doesn't
> match an existing file. Sorry for that. Now, after a cup of coffee:
>
> That's what I have in my working configuration.
>
> TLS_SNI = ${lc:${extract{-1}{/}{$tls_in_sni}}}
>
> tls_certificate = ${if exists{/var/lib/exim4/TLS_SNI-ssl.pem}\
> {/var/lib/exim4/TLS_SNI-ssl.pem}\
> {/var/lib/exim4/ssl.schlittermann.de-ssl.pem}}
>
> But now I'm asking myself, if I can be sure that $tls_in_sni doesn't
> contain ../../../ and what impact this could have. So, probably in a
> first step you should sanitize the $tls_in_sni.
You can use sha1 (or other) hashes as filenames. That makes the whole
problem go away but requires tool to setup filename with hashes.
tls_privatekey = ${if
exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/mail/exim-default-key.pem}}
tls_certificate = ${if
exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}{/etc/mail/exim-default-cert.pem}}
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
