Re: [exim] Multiple domains using certificates and keys

Góra strony
Delete this message
Reply to this message
Autor: Jasen Betts
Data:  
Dla: exim-users
Temat: Re: [exim] Multiple domains using certificates and keys
On 2022-03-23, The Doctor via Exim-users <exim-users@???> wrote:
>
> Question:
>
> In my configuration file I have
>
> tls_certificate = ${if exists\
>                    {/path/to/2021/${tls_sni}/chain.cert}\
>           {/path/to/2022/${tls_sni}/chain.cert}\
>      {/path/to/default//chain.cert}\
>  }
>  tls_privatekey = ${if exists\
>         {path/to/old/${tls_sni}/key}\
>        {/path/to/current/${tls_sni}/key}\
>   {/path/to/defalut/key}\
> }

>
> Am I missing something?


Tainting I guess. ${tls_sni} is a value which may contain any bytes
whatsoever, and can be, and has been, abused by attackers, thus exim
doesn't trust it in a filesystem context.

So even though you know the names of the files you need
to verify them against a home-truth. something like:

    tls_privatekey = ${lookup {$tls_sni} dsearch,ret=full \
       {/path/to/current/}{$value/key}{/path/to/default/key}}


This assumes that the file "key" exists if the subdirectory $tls_sni
is found, if you want to be paranoid you can replace $value/key with
an if-exists check using "$value/key" instead of "path/to/current/${tls_sni}/key"

I'm a fan of putting the key, certificate, and chain into a single
file, as this reduces the number of cofiguration settings needed. then
you could have file-per-domain in a single directory. and replace
"/key" with ".allcert" or similatr above (not needing the if-exists test at all)

   tls_privatekey = ${lookup {$tls_sni.allcert} dsearch,ret=full \
      {/path/to/current/}{$value}{/path/to/default.allcert}}



Also you misspelled default one time, and 2021 vs 2022, I'm
guessing transcription errosrs, but you did ask.
Also double slashes but I think that is harmless in Posix.

--
Jasen.