On 16/10/2019 07:58, Heiko Schlittermann via Exim-users wrote:
> Heiko Schlittermann via Exim-users <[email protected]> (Mi 16 Okt 2019
> 06:48:25 CEST):
>> TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}
>>
>> tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
>> tls_privatekey = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem
>>
>> You need a "fallback", as there is a fair chance, that the client
>> doesn't send you a TLS SNI.
>
> The above is nonsense, missing '$' and breaks if $tls_in_sni doesn't
> match an existing file. Sorry for that. Now, after a cup of coffee:
>
> That's what I have in my working configuration.
>
> TLS_SNI = ${lc:${extract{-1}{/}{$tls_in_sni}}}
>
> tls_certificate = ${if exists{/var/lib/exim4/TLS_SNI-ssl.pem}\
> {/var/lib/exim4/TLS_SNI-ssl.pem}\
> {/var/lib/exim4/ssl.schlittermann.de-ssl.pem}}
>
> But now I'm asking myself, if I can be sure that $tls_in_sni doesn't
> contain ../../../ and what impact this could have. So, probably in a
> first step you should sanitize the $tls_in_sni.
You can use sha1 (or other) hashes as filenames. That makes the whole
problem go away but requires a tool to set up the filenames with hashes.
# SNI lowercased, SHA-1 hashed, hex lowercased (Exim's ${sha1:} returns uppercase hex);
# falls back to the default files when no hashed file exists for the name
tls_privatekey = ${if exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}\
                 {/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}\
                 {/etc/mail/exim-default-key.pem}}
tls_certificate = ${if exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}\
                 {/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:${tls_sni}}}}.pem}\
                 {/etc/mail/exim-default-cert.pem}}
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
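The hashed-filename approach from the post above, as an added example (not code from the post or from Exim): a small Python tool that mirrors the `${lc:${sha1:${lc:$tls_sni}}}` expansion and the `${if exists{...}}` fallback, installs certificates under their hashed names, and shows that a traversal-style SNI can only ever select the default file. The `live/<domain>.pem` source layout, the directory names and the placeholder file contents are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HASHED_NAME = re.compile(r"cert\.[0-9a-f]{40}\.pem")  # the only shape a hashed name can take


def sni_to_filename(sni: str) -> str:
    """Mirror ${lc:${sha1:${lc:$tls_sni}}}: lowercase the SNI, SHA-1 it,
    lowercase the hex (Exim's ${sha1:} yields uppercase hex, hence the outer ${lc:})."""
    digest = hashlib.sha1(sni.lower().encode("utf-8")).hexdigest().upper()
    return f"cert.{digest.lower()}.pem"


def select_cert(sni: str, cert_dir: Path, default: Path) -> Path:
    """Mirror ${if exists{...}{...}{default}}: hashed file if present, else the default."""
    candidate = cert_dir / sni_to_filename(sni)
    return candidate if candidate.is_file() else default


def install_certs(domains, src_dir: Path, dest_dir: Path) -> dict:
    """The setup tool: link src_dir/<domain>.pem (assumed layout) to dest_dir/cert.<sha1>.pem."""
    mapping = {}
    for domain in domains:
        src = (src_dir / f"{domain}.pem").resolve()
        dst = dest_dir / sni_to_filename(domain)
        if dst.is_symlink() or dst.exists():
            dst.unlink()
        dst.symlink_to(src)
        mapping[domain] = dst.name
    return mapping


def demo() -> dict:
    """Run on constructed data in a temp dir; returns SNI -> name of the file Exim would use."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "live", Path(tmp) / "hashed"
        src.mkdir()
        dst.mkdir()
        default = Path(tmp) / "exim-default-cert.pem"
        default.write_text("constructed placeholder default cert\n")
        domains = ["example.com", "mail.example.org"]
        for d in domains:
            (src / f"{d}.pem").write_text(f"constructed placeholder cert for {d}\n")
        install_certs(domains, src, dst)
        probes = domains + ["EXAMPLE.COM", "unknown.test", "../../../etc/passwd"]
        return {sni: select_cert(sni, dst, default).name for sni in probes}
```

Because the hashed name is always forty hex characters, a hostile SNI cannot name a path outside the certificate directory; at worst it misses and the default certificate is served.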
