> Part of it. I miss the setup example. Something like this:
> 
> local_name domain1.com :
> 
>      tls_key = /path/file1.key
>      tls_cert = /path/file1.cert
> 
> local_name domain2.com :
> 
>      tls_pem = /path/file2.pem
> 
> I guess that's the part which isn't implemented yet.
> 

Ah, but tls_privatekey, tls_certificate etc. are expandable, so you can make use 
of that and the fact that $tls_sni contains the SNI name sent.

As it says in the docs:

If the string tls_sni appears in the main section's tls_certificate option 
(prior to expansion) then the following options will be re-expanded during TLS 
session handshake, to permit alternative values to be chosen:

    tls_certificate

    tls_crl

    tls_privatekey

    tls_verify_certificates

Great care should be taken to deal with matters of case, various injection 
attacks in the string (../ or SQL), and ensuring that a valid filename can 
always be referenced; it is important to remember that $tls_sni is arbitrary 
unverified data provided prior to authentication.

---
So you could have 
tls_privatekey = /etc/exim/keys/${tls_sni}
tls_certificate = /etc/exim/certs/${tls_sni}
or something fancier with lookups and defaults and all that sort of thing (and 
that does some sanity checking of the contents of $tls_sni, especially if 
you're using a SQL-based lookup).

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
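As an added illustration of the "something fancier with lookups and defaults" mentioned in the reply above (this is an example written for this page, not configuration from the post or from the Exim project), here is the raw-$tls_sni form next to a lookup-based form that honours the documentation's warnings about case, path injection and always having a usable file. The paths /etc/exim/certs, /etc/exim/keys, the default.pem/default.key fallback pair and the /etc/exim/sni-map lookup file are assumptions for the example.

```text
# Added example, not from the mailing-list post or the Exim documentation.
# Assumptions: certificate/key pairs live under /etc/exim/certs and
# /etc/exim/keys, a fallback pair exists as default.pem / default.key, and
# /etc/exim/sni-map is an lsearch file maintained by the admin (contents below).

# --- Weak form: the raw SNI string becomes part of a filename -----------
# $tls_sni is attacker-controlled and unauthenticated; "../", mixed case and
# names with no matching file all reach the file open unchecked.
#tls_certificate = /etc/exim/certs/${tls_sni}
#tls_privatekey  = /etc/exim/keys/${tls_sni}

# --- Hardened form: lookup with lowercasing and a default ---------------
# The literal text "tls_sni" still appears in tls_certificate before
# expansion, which is what makes Exim re-expand these options during the
# handshake. Only keys present in the map can select a file, so "..", "/",
# quotes or SQL metacharacters in $tls_sni simply fail the lookup and fall
# through to the default pair; an empty $tls_sni (no SNI sent) does the same.
tls_certificate = ${lookup{${lc:$tls_sni}}lsearch{/etc/exim/sni-map}\
                    {/etc/exim/certs/$value.pem}\
                    {/etc/exim/certs/default.pem}}
tls_privatekey  = ${lookup{${lc:$tls_sni}}lsearch{/etc/exim/sni-map}\
                    {/etc/exim/keys/$value.key}\
                    {/etc/exim/keys/default.key}}

# Constructed contents of /etc/exim/sni-map (key: file basename, admin-owned):
#   domain1.com: file1
#   mail.domain1.com: file1
#   domain2.com: file2
```

The filename is built from $value (text you wrote into the map), never from $tls_sni itself, so the client can choose only among names you have listed. The ${lc:...} on the key keeps behaviour identical whichever lookup type you later swap in; if that is a SQL lookup, also wrap the key with the matching quoting operator (for example ${quote_mysql:...}) before it reaches the query.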
