Multiple SSL Certificates with Exim?

[James2k]

Hi,

I've been implementing multiple SSL certificates on IMAP and POP3 in Dovecot which was easy enough following:

http://help.directadmin.com/item.php?id=388

Now I want to do the same with Exim for SMTP. I noticed this small entry in the Knowledge base:

http://help.directadmin.com/item.php?id=389

However I'm unsure how to exactly implement the above code as it seems a bit more tricky. Has anyone implemented such a setup? If so, I'd appreciate any advice anyone can give on the best way to use it.

At the moment any encrypted SMTP connection is met with an error with "SSL certificate does not match" my specific domain I have a separate SSL certificate for, but it is validated for the general domain the server uses.

Thanks,

James

 

[Arieh]

Only a few days ago I posted about it, http://www.directadmin.com/forum/showthread.php?t=45170&p=230923#post230923

But like the KB link says, it's just having cert/key files for each IP address you use with exim and it works.

To be clear, if you have example1.tld which points to 1.2.3.4 then you place the cert for example1.tld in the file 1.2.3.4.cert.

 

[James2k]

Ah I understand it a bit better now thanks!

I'll try it out and report back.

One additional question, how can I define a CA Cert? My SSL certificates (RapidSSL) comes with one?

 

[Arieh]

According to this http://www.exim.org/exim-html-current/doc/html/spec_html/ch41.html

The file named by tls_certificate may contain more than one certificate. This is useful in the case where the certificate that is being sent is validated by an intermediate certificate which the other end does not have. Multiple certificates must be in the correct order in the file. First the host’s certificate itself, then the first intermediate certificate to validate the issuer of the host certificate, then the next intermediate certificate to validate the issuer of the first intermediate certificate, and so on, until finally (optionally) the root certificate. The root certificate must already be trusted by the recipient for validation to succeed, of course, but if it’s not preinstalled, sending the root certificate along with the rest makes it available for the user to install if the receiving end is a client MUA that can interact with a user.

As I understand it, first put the domain cert, then the CA.

 

[James2k]

Thanks I missed that section when looking for CA Certificates in Exim.

Everything seems to be working, a side note for anyone, make sure the certs and key files are chowned (chown) to the mail group.

Many thanks for your help.