After zEitEr's suggestion to use a multi-domain TLS certificate for all domains on my server (adding new ones when needed), I came to the conclusion that in the long run this would become cumbersome. So I've reverted back to using separate certificates for each domain (multi-domain certificates all right, but with just subdomains).
To make this work on one IP address, I have to rely on SNI (Server Name Identification). I managed to set up Dovecot, Pure-FTPD and the webserver (NGINX) working fine, but I'm currently stuck on Exim.
Per the Exim docs, I seem to understand that the ${tls_in_sni} variable should be expanded to whatever server name got fed into the connection. I realize there is a risk that the server name being passed is a doctored string (like "../../../root/whatever/"), so sanitization is in order. But that's not my problem right now.
I've set /etc/exim.conf up like the docs say:
tls_certificate = /path/to/exim/certs/${tls_in_sni}.pem
tls_privatekey = /path/to/exim/keys/${tls_in_sni}.key
The Exim docs say:
"If the string tls_in_sni appears in the main section’s tls_certificate option (prior to expansion) then the following options will be re-expanded during TLS session handshake, to permit alternative values to be chosen: tls_certificate, tls_privatekey etc...", found here
I know this works only with newer versions of openSSL and Exim, but that's been taken care of. The problem is that the server name is just never expanded.
When I start exim in debug mode, logging the connection details and making a connection which contains a server name, I can confirm that the tls_in_sni variable is just completely empty:
Code:
9964 tls_certificate file /path/to/exim/certs/.pem
9964 TLS error on connection from <my ip> (openssl.client.net) [22.222.22.22] (SSL_CTX_use_certificate_chain_file file=/path/to/exim/certs/.pem): error:02001002:system library:fopen:No such file or directory
My test from my client command line is:
Code:
openssl s_client -tls1 -starttls smtp -connect mail.mydomain.com:587 -servername mail.mydomain.com
I tried the (apparently deprecated) ${tls_sni} variable name too, it didn't matter.
So what am I missing here? Did anyone get this to work reliably? If so, what did you do to sanitize the passed server name string?
Many thanks.
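As an added example (not from the original post or the Exim project), here is the same pair of options with the SNI value validated before it is spliced into a path, and with a fallback certificate. The /etc/exim/certs and /etc/exim/keys directories and the default.pem/default.key file names are assumptions.

```exim
# Added example, not from the original post or the Exim project.
# Assumes per-host files /etc/exim/certs/<host>.pem and /etc/exim/keys/<host>.key
# plus a default pair for clients that send no (or an unusable) SNI name.

# Weak form: the raw client-supplied name is spliced straight into a path,
# so a value such as "../../../root/whatever/" selects an arbitrary file.
# tls_certificate = /etc/exim/certs/${tls_in_sni}.pem
# tls_privatekey  = /etc/exim/keys/${tls_in_sni}.key

# Hardened form: lowercase the name, accept only dotted hostname labels
# (so "/" and ".." can never appear), and require the file to exist;
# anything else falls back to the default certificate.
# The \N...\N markers stop Exim from expanding the regular expression.
tls_certificate = ${if and{ \
      {match{${lc:$tls_in_sni}}{\N^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$\N}} \
      {exists{/etc/exim/certs/${lc:$tls_in_sni}.pem}} } \
    {/etc/exim/certs/${lc:$tls_in_sni}.pem} \
    {/etc/exim/certs/default.pem}}

tls_privatekey = ${if and{ \
      {match{${lc:$tls_in_sni}}{\N^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$\N}} \
      {exists{/etc/exim/keys/${lc:$tls_in_sni}.key}} } \
    {/etc/exim/keys/${lc:$tls_in_sni}.key} \
    {/etc/exim/keys/default.key}}
```

Because the literal text tls_in_sni still appears in tls_certificate, Exim re-expands both options during the handshake as the quoted docs describe; Exim also expands them once before any ClientHello has arrived, with $tls_in_sni empty, which is what yields a bare ".pem" path like the one in the debug log, and the fallback branch keeps that first expansion pointing at a real file.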