Re: [exim] Problem with tls_certificate and multiple domains

2019-10-23 Thread Arkadiusz Miśkiewicz via Exim-users
On 16/10/2019 07:58, Heiko Schlittermann via Exim-users wrote:
> Heiko Schlittermann via Exim-users (Wed 16 Oct 2019 06:48:25 CEST):
>> TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}
>>
>> tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
>> tls_privatekey  = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem
>>
>> You need a "fallback", as there is a fair chance that the client
>> doesn't send you a TLS SNI.
> 
> The above is nonsense, missing '$', and breaks if $tls_in_sni doesn't
> match an existing file. Sorry for that. Now, after a cup of coffee:
> 
> That's what I have in my working configuration.
> 
> TLS_SNI = ${lc:${extract{-1}{/}{$tls_in_sni}}}
> 
> tls_certificate = ${if exists{/var/lib/exim4/TLS_SNI-ssl.pem}\
> {/var/lib/exim4/TLS_SNI-ssl.pem}\
> {/var/lib/exim4/ssl.schlittermann.de-ssl.pem}}
> 
> But now I'm asking myself, if I can be sure that $tls_in_sni doesn't
> contain ../../../ and what impact this could have. So, probably in a
> first step you should sanitize the $tls_in_sni.

You can use sha1 (or other) hashes as filenames. That makes the whole
problem go away, but it requires a tool to set up the filenames with hashes.

# One combined PEM (cert + key) per domain, named by the SHA-1 of the
# lower-cased SNI; ${sha1:} yields upper-case hex, hence the outer ${lc:}.
tls_privatekey  = ${if exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:$tls_in_sni}}}.pem}\
                     {/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:$tls_in_sni}}}.pem}\
                     {/etc/mail/exim-default-key.pem}}
tls_certificate = ${if exists{/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:$tls_in_sni}}}.pem}\
                     {/etc/certs/letsencrypt/cert.${lc:${sha1:${lc:$tls_in_sni}}}.pem}\
                     {/etc/mail/exim-default-cert.pem}}



-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )



-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
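
An added example (mine, not Arkadiusz's tooling or anything posted in this thread): the "tool to set up the filenames with hashes" that the scheme above needs, as a POSIX shell script. sni_hash computes the same value that `${lc:${sha1:${lc:$tls_in_sni}}}` expands to in Exim (SHA-1 of the lower-cased name, hex digits lower-cased), install_cert links a combined PEM under that name, and cert_for mirrors the `${if exists{...}}` fallback so the mapping can be checked offline. The directory `/etc/certs/letsencrypt`, the `cert.<hash>.pem` naming and the default file are taken from the expansion above; `sha1sum` from coreutils is assumed, and the sample paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: provisioning tool for the hashed
# file names that the tls_certificate/tls_privatekey expansions above look up.
# Assumed layout (matches the expansions): $CERT_DIR/cert.<hash>.pem, where
# <hash> is lower-case hex SHA-1 of the lower-cased SNI name.

CERT_DIR=${CERT_DIR:-/etc/certs/letsencrypt}
DEFAULT_CERT=${DEFAULT_CERT:-/etc/mail/exim-default-cert.pem}

# sni_hash NAME -> what ${lc:${sha1:${lc:$tls_in_sni}}} yields in Exim.
# Only the digest ever becomes part of a path, so "../" or any other
# client-chosen characters cannot influence which file is opened.
sni_hash() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sha1sum | cut -d' ' -f1
}

# hashed_path NAME -> the file Exim's exists{} test will look for.
hashed_path() {
    printf '%s/cert.%s.pem\n' "$CERT_DIR" "$(sni_hash "$1")"
}

# install_cert NAME PEMFILE -> link PEMFILE (combined cert+key, as in the
# expansions above) under its hashed name, replacing any old link atomically.
# Prints the path that was installed.
install_cert() {
    dest=$(hashed_path "$1")
    ln -sfn "$2" "$dest.new" && mv -f "$dest.new" "$dest" || return 1
    printf '%s\n' "$dest"
}

# cert_for NAME -> the file Exim will serve for that SNI (per-domain file if
# provisioned, else the default), mirroring the ${if exists{...}} expansion.
cert_for() {
    cand=$(hashed_path "$1")
    if [ -e "$cand" ]; then
        printf '%s\n' "$cand"
    else
        printf '%s\n' "$DEFAULT_CERT"
    fi
}

# Typical use from a renewal hook (paths are placeholders for the example):
#   install_cert mail.example.com /etc/letsencrypt/live/mail.example.com/combined.pem
```

Run install_cert from whatever produces the per-domain PEM (a Let's Encrypt deploy hook, for instance); because the link is renamed into place, Exim never sees a half-written name. Note that the lower-casing before hashing matters: the Exim expansion lower-cases the SNI first, so "Mail.Example.COM" and "mail.example.com" must map to the same file, and they do here.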


Re: [exim] Problem with tls_certificate and multiple domains

2019-10-18 Thread Evgeniy Berdnikov via Exim-users
On Wed, Oct 16, 2019 at 04:05:51PM -0400, Viktor Dukhovni via Exim-users wrote:
> > On Oct 16, 2019, at 3:41 PM, Evgeniy Berdnikov via Exim-users 
> >  wrote:
> > 
> >> So, how do I configure exim so mail can still be accessed via tls and an 
> >> account can be created without any complaints about certificates from 
> >> Apple Mail?
> > 
> > It sounds as if the problem is in your Mac Mail, because neither Exim nor Dovecot
> > requires specific host names for TLS (at least by default). So you should
> > configure your Mac Mail client to use exactly those DNS names for SMTP
> > and IMAP/POP3 that are exposed in server certificates.
> 
> That's the simplest approach to implement server-side.  Anything else
> requires complicated provisioning of multiple certificate chains and
> SNI.  The cost is that the IMAP and SUBMIT (outbound SMTP) servers have
> to be the same for all the domains, i.e. the mail clients need to be
> configured to use a fixed pair of server names, regardless of the
> user's mail domain.
> 
> If you have many users, and require the flexibility to move their
> mail servers independently of each other, then you're forced to
> deploy SNI on any servers that handle more than one of these
> domains.
> 
> Exim has supported SNI for a while.  Correctly configured, it
> should work.

 Agree. However, I do not know whether the Mac Mail client mentioned above
 sends SNI on TLS handshakes with MTA and mailbox access servers.
-- 
 Eugene Berdnikov



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-18 Thread Jeremy Harris via Exim-users
On 17/10/2019 08:48, DavidF via Exim-users wrote:
> Why is $tls_in_sni empty in my setup?

May I suggest that you use the debug facilities that Exim provides?
-- 
Cheers,
  Jeremy



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-18 Thread DavidF via Exim-users
Ok, so if I do:

openssl s_client -tls1 -starttls smtp -connect hosteddomain.com:587 -servername mail.hosteddomain.com

My host's cPanel install with Exim returns my hosteddomain.com certificate. From
the exim.conf, I see:

tls_certificate = ${if and \
    { \
      {gt{$tls_in_sni}{}} \
      {!match{$tls_in_sni}{/}} \
    } \
    {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {/etc/exim.crt} \
        }} \
    }} \
    {/etc/exim.crt} \
}


tls_privatekey = ${if and \
    { \
      {gt{$tls_in_sni}{}} \
      {!match{$tls_in_sni}{/}} \
    } \
    {${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
        {${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
            {/etc/exim.key} \
        }} \
    }} \
    {/etc/exim.key} \
}

So it’s using $tls_in_sni. But if I change my paths so they point to valid 
files and:

openssl s_client -tls1 -starttls smtp -connect mytestserverdomain.com:587 -servername mytestserverdomain.com

It is trying to serve the /etc/exim.key because $tls_in_sni is empty/not 
expanded as main.log shows.

Why is $tls_in_sni empty in my setup?





Re: [exim] Problem with tls_certificate and multiple domains

2019-10-18 Thread Viktor Dukhovni via Exim-users
> On Oct 16, 2019, at 3:41 PM, Evgeniy Berdnikov via Exim-users 
>  wrote:
> 
>> So, how do I configure exim so mail can still be accessed via tls and an 
>> account can be created without any complaints about certificates from Apple 
>> Mail?
> 
> It sounds as if the problem is in your Mac Mail, because neither Exim nor Dovecot
> requires specific host names for TLS (at least by default). So you should
> configure your Mac Mail client to use exactly those DNS names for SMTP
> and IMAP/POP3 that are exposed in server certificates.

That's the simplest approach to implement server-side.  Anything else
requires complicated provisioning of multiple certificate chains and
SNI.  The cost is that the IMAP and SUBMIT (outbound SMTP) servers have
to be the same for all the domains, i.e. the mail clients need to be
configured to use a fixed pair of server names, regardless of the
user's mail domain.

If you have many users, and require the flexibility to move their
mail servers independently of each other, then you're forced to
deploy SNI on any servers that handle more than one of these
domains.

Exim has supported SNI for a while.  Correctly configured, it
should work.

-- 
Viktor.




Re: [exim] Problem with tls_certificate and multiple domains

2019-10-17 Thread Viktor Dukhovni via Exim-users
On Thu, Oct 17, 2019 at 10:39:18AM +0200, Cyborg via Exim-users wrote:

> EHLO mail.example.com
> 250-mail.server.de Hello muedsl-82-207-210-124.citykom.de [82.207.210.124]
> ...
> STARTTLS
> 220 TLS go ahead
> 
> There is no way to figure out what to write in the 220 greeting, unless
> you have multiple IPs on your server and each IP stands for a different
> server.

It does not matter.  What your dog makes of the SMTP banner:

220 blah blah blah...

-- 
Viktor.



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-17 Thread Cyborg via Exim-users
On 17.10.19 at 00:17, Viktor Dukhovni via Exim-users wrote:
>
>> You will never know what to provide, as the servername is part of the
>> initial greeting HELO. Your setup will fail every time, because it's too
>> late when you find out what to use. See below why .
> This is false: neither the name in the 220 greeting (banner) nor
> the initial line of the EHLO response precludes the server
> from presenting a different name in its certificate, possibly based
> on SNI.

SMTP:

CONNECTED(0003)
220 mail.server.de ESMTP Exim 4.92.3 Thu, 17 Oct 2019 10:18:20 +0200
EHLO mail.example.com
250-mail.server.de Hello muedsl-82-207-210-124.citykom.de [82.207.210.124]
...
STARTTLS
220 TLS go ahead

There is no way to figure out what to write in the 220 greeting, unless
you have multiple IPs on your server and each IP stands for a different
server.
That's how it worked before SNI was introduced back in 1999, and why SNI
is such an improvement for SSL/TLS.

Nothing else was written above.

>>
> False, only MTAs look at MX records, IMAP clients and SUBMIT clients
> do not.
A "client" may not have the need to do it, that's true.
>> And if you can't find out, why your mailclient uses a specific name as
>> server, check the autodiscover result for the domain,
>> you may find a hardcoded servername there.
> For all but the largest email providers (Google, Microsoft, ...),
> there is little use of "autodiscover", the user fills in the IMAP
> and SMTP server names.  The closest to that is:
>

Thanks, I didn't know that I already play in the big league :)  I'm sorry
to disappoint you, but if autodiscover isn't working properly, you will be
in a lot of trouble if you provide mail services to more than a handful
of your friends. And just for Outlook alone, you have to offer 3
different versions, thanks to (insert higher authority of choice here);
most of the clients use Mozilla's AD protocol.

Autodiscover (via http) really helps to make it easier for the masses
and anyone, who is offering mail services, should implement the basic
methods for it.

Best regards,
Marius



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Richard James Salts via Exim-users
On Thursday, 17 October 2019 9:17:04 AM AEDT Viktor Dukhovni via Exim-users 
wrote:
> On Wed, Oct 16, 2019 at 10:04:16PM +0200, Cyborg via Exim-users wrote:
> > On 16.10.19 at 19:25, Nospam2k via Exim-users wrote:
> > > I want to use
> > > mail.hosteddomainone.com  for the mail
> > > server names and not maindomain.com  for
> > > the end user.
> > 
> > You will never know what to provide, as the servername is part of the
> > initial greeting HELO. Your setup will fail every time, because it's too
> > late when you find out what to use. See below why .
> 
> This is false: neither the name in the 220 greeting (banner) nor
> the initial line of the EHLO response precludes the server
> from presenting a different name in its certificate, possibly based
> on SNI.
> 
> > > So, how do I configure exim so mail can still be accessed via tls and
> > > an account can be created without any complaints about certificates from
> > > Apple Mail?
> > 
> > AppleMail and other Clients do two checks:
> > 
> > a) check for the MX record of your domain and that the server uses this
> > as hostname.
> 
> False, only MTAs look at MX records, IMAP clients and SUBMIT clients
> do not.
> 
> > And if you can't find out, why your mailclient uses a specific name as
> > server, check the autodiscover result for the domain,
> > you may find a hardcoded servername there.
> 
> For all but the largest email providers (Google, Microsoft, ...),
> there is little use of "autodiscover", the user fills in the IMAP
> and SMTP server names.  The closest to that is:
> 
> https://tools.ietf.org/html/rfc6186
> 
> IIRC it is not widely implemented.
I don't think any widely used MUA uses DNS autodiscovery based on SRV records.
Most of them seem to follow Microsoft's autodiscover spec:
https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover







Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Viktor Dukhovni via Exim-users
On Wed, Oct 16, 2019 at 10:04:16PM +0200, Cyborg via Exim-users wrote:

> On 16.10.19 at 19:25, Nospam2k via Exim-users wrote:
>
> > I want to use
> > mail.hosteddomainone.com  for the mail
> > server names and not maindomain.com  for
> > the end user.
>
> You will never know what to provide, as the servername is part of the
> initial greeting HELO. Your setup will fail every time, because it's too
> late when you find out what to use. See below why .

This is false: neither the name in the 220 greeting (banner) nor
the initial line of the EHLO response precludes the server
from presenting a different name in its certificate, possibly based
on SNI.


> > So, how do I configure exim so mail can still be accessed via tls and
> > an account can be created without any complaints about certificates from
> > Apple Mail?
> 
> AppleMail and other Clients do two checks:
> 
> a) check for the MX record of your domain and that the server uses this
> as hostname.

False, only MTAs look at MX records, IMAP clients and SUBMIT clients
do not.

> And if you can't find out, why your mailclient uses a specific name as
> server, check the autodiscover result for the domain,
> you may find a hardcoded servername there.

For all but the largest email providers (Google, Microsoft, ...),
there is little use of "autodiscover", the user fills in the IMAP
and SMTP server names.  The closest to that is:

https://tools.ietf.org/html/rfc6186

IIRC it is not widely implemented.

-- 
Viktor.



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Cyborg via Exim-users
On 16.10.19 at 19:25, Nospam2k via Exim-users wrote:
> Ok, so. In order to simplify. Let’s say I have several domains being hosted 
> by a server called maindomain.com  providing 
> dovecot/exim as the mail servers. I want to be able to use each domain name 
> as the name of the mail server, ex. for host myhosteddomainone.com 
>  I want to use mail.hosteddomainone.com 
>  for the mail server names and not maindomain.com 
>  for the end user.
You will never know what to provide, as the servername is part of the
initial greeting HELO. Your setup will fail every time, because it's too
late when you find out what to use. See below why .

> When I use Mac Mail and try to create an account, I get a “Mail cannot verify 
> the identity of the server” because the certificate is for maindomain.com 
>  (I’m not sure why that is even being served as I’ve 
> removed all instances of TLS from the exim.conf).
>
> So, how do I configure exim so mail can still be accessed via tls and an 
> account can be created without any complaints about certificates from Apple 
> Mail?
>

AppleMail and other clients do two checks:

a) check for the MX record of your domain and that the server uses this
as hostname.
b) it also checks that the name supplied as mailserver in its account
data matches the server certificate name.

Both must be valid.

So your problem is that your DNS records do not match the server's
hostname, which it offers.

That's exactly what I already wrote earlier. It's a common problem when
setting up mail accounts in clients.

And if you can't find out, why your mailclient uses a specific name as
server, check the autodiscover result for the domain,
you may find a hardcoded servername there.

best regards,
Marius



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Heiko Schlittermann via Exim-users
Nospam2k via Exim-users (Wed 16 Oct 2019 19:25:05 CEST):
> Ok, so. In order to simplify. Let’s say I have several domains being hosted 
> by a server called maindomain.com  providing 
> dovecot/exim as the mail servers. I want to be able to use each domain name 
> as the name of the mail server, ex. for host myhosteddomainone.com 
>  I want to use mail.hosteddomainone.com 
>  for the mail server names and not maindomain.com 
>  for the end user.

While understanding the idea behind, I'd like to repeat myself: you're
asking for PITA - given the level of experience and familiarity with the
products and protocols you're going to use.

> When I use Mac Mail and try to create an account, I get a “Mail cannot verify 
> the identity of the server” because the certificate is for maindomain.com 
>  (I’m not sure why that is even being served as I’ve 
> removed all instances of TLS from the exim.conf).

Probably because recent versions of Exim default to advertising TLS to all
hosts and generate a self-signed certificate on demand.

> So, how do I configure exim so mail can still be accessed via tls and an 
> account can be created without any complaints about certificates from Apple 
> Mail?

I'm quite sure that there are other means of informing the Apple Mail
client about the server names it has to use. (DNS (SRV?) records, a magic
provider database, …)

> NOTE: I’m assuming this is related to exim because if I set tls_certificate 
> to point to a certificate for mail.hosteddomainone.com 
> , Apple Mail will create an account with no 
> complaint.

Then -- you got the information you need. Start using it.
And you got the warnings :)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Evgeniy Berdnikov via Exim-users
On Wed, Oct 16, 2019 at 10:25:05AM -0700, Nospam2k via Exim-users wrote:
> When I use Mac Mail and try to create an account, I get a “Mail cannot verify 
> the identity of the server” because the certificate is for maindomain.com 
>  (I’m not sure why that is even being served as I’ve 
> removed all instances of TLS from the exim.conf).
> 
> So, how do I configure exim so mail can still be accessed via tls and an 
> account can be created without any complaints about certificates from Apple 
> Mail?

 It sounds as if the problem is in your Mac Mail, because neither Exim nor Dovecot
 requires specific host names for TLS (at least by default). So you should
 configure your Mac Mail client to use exactly those DNS names for SMTP
 and IMAP/POP3 that are exposed in server certificates.
-- 
 Eugene Berdnikov



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Nospam2k via Exim-users
Ok, so. In order to simplify. Let’s say I have several domains being hosted by 
a server called maindomain.com  providing dovecot/exim 
as the mail servers. I want to be able to use each domain name as the name of 
the mail server, ex. for host myhosteddomainone.com  I 
want to use mail.hosteddomainone.com  for the mail 
server names and not maindomain.com  for the end user.

When I use Mac Mail and try to create an account, I get a “Mail cannot verify 
the identity of the server” because the certificate is for maindomain.com 
 (I’m not sure why that is even being served as I’ve 
removed all instances of TLS from the exim.conf).

So, how do I configure exim so mail can still be accessed via tls and an 
account can be created without any complaints about certificates from Apple 
Mail?

NOTE: I’m assuming this is related to exim because if I set tls_certificate to 
point to a certificate for mail.hosteddomainone.com 
, Apple Mail will create an account with no 
complaint.

> On Oct 16, 2019, at 8:18 AM, Cyborg via Exim-users  
> wrote:
> 
> On 16.10.19 at 17:13, Mike Tubby via Exim-users wrote:
>> All of my users connect to post.thorcom.com as their server (outgoing
>> SMTP; or incoming IMAP) and neither Exim nor Dovecot needs SNI or
>> handles multiple certificates.
>> 
>> I think Nospam2k is making it too complex?
>> 
>> 
>> Mike 
> 
> Yes, I think so.
> 
> Regards,
> Marius
> 



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Cyborg via Exim-users
On 16.10.19 at 17:13, Mike Tubby via Exim-users wrote:
> All of my users connect to post.thorcom.com as their server (outgoing
> SMTP; or incoming IMAP) and neither Exim nor Dovecot needs SNI or
> handles multiple certificates.
>
> I think Nospam2k is making it too complex?
>
>
> Mike 

Yes, I think so.

Regards,
Marius



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Mike Tubby via Exim-users



On 16/10/2019 08:29, Cyborg via Exim-users wrote:
> Nospam2k (Wed 16 Oct 2019 08:05:05 CEST):
>> Perhaps I should go about this a different way. I am going to be hosting
>> multiple domains. Since it seems that $tls_in_sni is returning blank and/or
>> can be unreliable, what is the best way to handle things? To just use a
>> default domain for handling mail? For example, use mail.myhosting.com for
>> everything instead of mail.mysite.com?
>
> I can understand that you want to use the domain's own TLS cert, but SMTP
> TLS isn't about authenticity, it's about encryption.

Agreed ;-)

Clients connect to a mail server (mail host) and verify the TLS with 
that; for example I run a host called post.thorcom.com but it handles 
email for 30+ different users in different domains.


All of my users connect to post.thorcom.com as their server (outgoing 
SMTP; or incoming IMAP) and neither Exim nor Dovecot needs SNI or handles 
multiple certificates.


I think Nospam2k is making it too complex?


Mike





[exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Nospam2k via Exim-users
I needed to add that this is in the main body of exim.conf. This is during the 
setup of the email account using the domain appropriate for the account so that 
each “mail server” is the domain of the user.

After many hours of troubleshooting, I cannot figure out how to correctly setup 
tls_certificate for multiple domains. I’m using CentOS 7.7 and Exim 4.92. I 
have only one exim.conf file. I have in the main body:

tls_certificate = /etc/exim/private/certs/${lc:${domain:$h_from:}}/cert.pem
tls_privatekey = /etc/exim/private/certs/${lc:${domain:$h_from:}}/privkey.pem

The expansion results in blank.

I’ve also tried $tls_in_sni and $tls_sni which also return blank. (Using Apple 
Mail on Mojave as a client).

When I use exim -bem  '${lc:${domain:$h_from:}}' I get the domain
back as expected.

Most of the examples refer to many other config files in different OS flavors, 
so I have attempted to work them into the exim.conf and have tried several things 
including:

##

begin transports

remote_smtp:
tls_certificate = /etc/exim/private/certs/${lc:${domain:$h_from:}}/cert.pem
tls_privatekey = /etc/exim/private/certs/${lc:${domain:$h_from:}}/privkey.pem

##

The above doesn’t seem to be recognized even with remarking out the main body 
tls_certificate and tls_privatekey.

I also tried sender_address_domain but that contains the root user.

What is the appropriate variable to use for retrieving the senders domain?

Thanks,
Davf




Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Richard James Salts via Exim-users



On 16 October 2019 6:29:29 pm AEDT, Cyborg via Exim-users wrote:
> Nospam2k (Wed 16 Oct 2019 08:05:05 CEST):
>>> Perhaps I should go about this a different way. I am going to be
>>> hosting multiple domains. Since it seems that $tls_in_sni is returning
>>> blank and/or can be unreliable, what is the best way to handle things?
>>> To just use a default domain for handling mail? For example, use
>>> mail.myhosting.com for everything instead of mail.mysite.com?
>
> I can understand that you want to use the domain's own TLS cert, but SMTP
> TLS isn't about authenticity, it's about encryption.
>
> The cert your mailserver presents must match the name of the hostname
> your mailserver has and which it presents to others. It's 100% ok to use
> the host's cert in TLS, as long as you have that name in your MX.

I don't think that SNI is remotely useful for MX traffic. Unless you're 
using DNSSEC you can't trust that a hostname appearing in an MX response is 
legitimate. If you're wanting to somehow tie the mail server to a legitimate 
certificate where it somehow reflects the recipient address then the only 
trustworthy value is the domain name of that address itself. For this reason a 
better option for authentication of MX records and mail servers is checking 
DANE/TLSA.

Where SNI becomes useful is for submission services. I believe many recent MUAs 
will send the server name extension in their TLS handshake to match what was 
added into the outgoing server setting. If this doesn't match then most will 
display a security warning similar to the way browsers do. 



Re: [exim] Problem with tls_certificate and multiple domains

2019-10-16 Thread Cyborg via Exim-users


Nospam2k (Wed 16 Oct 2019 08:05:05 CEST):
>> Perhaps I should go about this a different way. I am going to be hosting 
>> multiple domains. Since it seems that $tls_in_sni is returning blank and/or 
>> can be unreliable, what is the best way to handle things? To just use a 
>> default domain for handling mail? For example, use mail.myhosting.com 
>>  for everything instead of mail.mysite.com 
>> ?

I can understand that you want to use the domain's own TLS cert, but SMTP
TLS isn't about authenticity, it's about encryption.

The cert your mailserver presents must match the name of the hostname
your mailserver has and which it presents to others. It's 100% ok to use
the host's cert in TLS, as long as you have that name in your MX. Example:

mailserver.mx.    IN A 1.2.3.4

domain.at.server. IN A 1.2.3.4
domain.at.server. IN MX 10 mailserver.mx

So you can use the TLS cert of mailserver.mx as long as your mailserver
says it is mailserver.mx. This makes things a lot easier.

As Heiko has already pointed out, you need such host Cert anyway. What
do you do, when someone presents a domainname, you host, but you don't
have a cert for? What now?

If all your MX entries point to the server's hostname, you don't need to
even think about SNI anymore.

If the original goal was, to make domain transfers between servers
easier, it's not. If you change the IN A of the domain, you can also
change the MX of it at the same time. Nothing gained or lost here ;)

Keeping your mailserver's config simple avoids unforeseen problems.

Best regards,
Marius




Re: [exim] Problem with tls_certificate and multiple domains

2019-10-15 Thread Heiko Schlittermann via Exim-users
Please, use the list for communication, others may be interested in this
too.

Nospam2k (Wed 16 Oct 2019 08:05:05 CEST):
> Perhaps I should go about this a different way. I am going to be hosting 
> multiple domains. Since it seems that $tls_in_sni is returning blank and/or 
> can be unreliable, what is the best way to handle things? To just use a 
> default domain for handling mail? For example, use mail.myhosting.com 
>  for everything instead of mail.mysite.com 
> ?

tls_in_sni *can* be blank, yes.

Yes, we use *one* MX name for all the domains we host.

That's what we do, yes. The SNI feature I'm only using, because we're in
progress renaming the MX, so I'd like to support both certs, for the old
MX name and for the new one.

I wouldn't do that for many domains, as it doesn't scale well for
millions of domains. You'd have to create a new cert for each domain
you're about to host. I'm not sure if you want to do it.

Yes, you can do it automagically, even from within Exim. But the effort
increases as soon as you want to publish TLSA records and such, or
want to obtain the certs from a public CA, or even both.

Not impossible, but maybe PITA, depending on your resources for setup,
maintenance, monitoring and debugging.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: [exim] Problem with tls_certificate and multiple domains

2019-10-15 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann via Exim-users  (Mi 16 Okt 2019 
06:48:25 CEST):
> TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}
>
> tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
> tls_privatekey  = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem
>
> You need a "fallback", as there is a fair chance, that the client
> doesn't send you a TLS SNI.

The above is nonsense, missing '$', and breaks if $tls_in_sni doesn't
match an existing file. Sorry for that. Now, after a cup of coffee:

That's what I have in my working configuration.

TLS_SNI = ${lc:${extract{-1}{/}{$tls_in_sni}}}

tls_certificate = ${if exists{/var/lib/exim4/TLS_SNI-ssl.pem}\
{/var/lib/exim4/TLS_SNI-ssl.pem}\
{/var/lib/exim4/ssl.schlittermann.de-ssl.pem}}

But now I'm asking myself, if I can be sure that $tls_in_sni doesn't
contain ../../../ and what impact this could have. So, probably in a
first step you should sanitize the $tls_in_sni.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -


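Heiko's worry above (can $tls_in_sni contain ../../../ before it is used to build a file name?) and Arkadiusz's hash-based answer earlier in the thread, worked through in code. This is an added example, not anything from the thread or from Exim: it reimplements the two file-naming schemes in Python so the sanitisation can be exercised offline. The directories, the `<name>-ssl.pem` and `cert.<sha1>.pem` naming and the fallback files are taken from the thread; the `exists` hook is an assumption so the functions run without the real certificate files.

```python
import hashlib
import os
import re
from typing import Callable, Optional

# Layout taken from the thread: Heiko keys files by hostname, Arkadiusz by
# the SHA-1 of the lowercased SNI. Both fall back to a default certificate
# when the client sent no SNI or no matching file exists.
CERT_DIR = "/var/lib/exim4"
FALLBACK_CERT = "/var/lib/exim4/ssl.schlittermann.de-ssl.pem"
HASH_CERT_DIR = "/etc/certs/letsencrypt"
HASH_FALLBACK_CERT = "/etc/mail/exim-default-cert.pem"

# One DNS label per RFC 1123: letters, digits, hyphens; no leading or
# trailing hyphen; 1 to 63 characters. Anything else (a slash, "..", a NUL,
# non-ASCII) fails the match and the SNI is treated as absent.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def sanitize_sni(sni: Optional[str]) -> Optional[str]:
    """Return the SNI as a lowercase hostname safe to embed in a path, or None."""
    if not sni:
        return None
    name = sni.strip().lower().rstrip(".")
    if not name or len(name) > 253 or not name.isascii():
        return None
    if any(not _LABEL.match(label) for label in name.split(".")):
        return None
    return name


def cert_path_by_name(sni: Optional[str], cert_dir: str = CERT_DIR, fallback: str = FALLBACK_CERT,
                      exists: Callable[[str], bool] = os.path.exists) -> str:
    """Heiko's scheme: <cert_dir>/<sni>-ssl.pem if it exists, else the fallback file."""
    name = sanitize_sni(sni)
    if name is None:
        return fallback
    root = os.path.normpath(cert_dir)
    candidate = os.path.normpath(os.path.join(root, f"{name}-ssl.pem"))
    # Belt and braces: the resolved path must still sit below cert_dir.
    if os.path.commonpath([root, candidate]) != root:
        return fallback
    return candidate if exists(candidate) else fallback


def sni_digest(sni: str) -> str:
    """Lowercase hex SHA-1 of the lowercased SNI, as ${lc:${sha1:${lc:$tls_in_sni}}} yields."""
    return hashlib.sha1(sni.lower().encode("utf-8", "surrogateescape")).hexdigest()


def cert_path_by_hash(sni: Optional[str], cert_dir: str = HASH_CERT_DIR, fallback: str = HASH_FALLBACK_CERT,
                      exists: Callable[[str], bool] = os.path.exists) -> str:
    """Arkadiusz's scheme: the file name is a hash, so the raw SNI never reaches the path."""
    if not sni:
        return fallback
    candidate = os.path.join(cert_dir, f"cert.{sni_digest(sni)}.pem")
    return candidate if exists(candidate) else fallback


if __name__ == "__main__":
    # Constructed inputs: a normal name, no SNI, a traversal attempt, an embedded NUL.
    for value in ("Mail.Example.COM.", "", "../../../etc/passwd", "mail.example.com\x00x"):
        print(repr(value), "->", sanitize_sni(value), "|",
              cert_path_by_name(value), "|", cert_path_by_hash(value))
```

The name-based scheme is only as safe as the validation in front of it; the hash-based scheme side-steps the problem entirely, at the price of a tool that knows which hash belongs to which domain when certificates are renewed.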


Re: [exim] Problem with tls_certificate and multiple domains

2019-10-15 Thread Heiko Schlittermann via Exim-users
Hi,

1st: please send your questions to exim-users@exim.org (not to the
*-owner address).

Nospam2k  (Mi 16 Okt 2019 01:58:42 CEST):
> After many hours of troubleshooting, I cannot figure out how to correctly 
> setup tls_certificate for multiple domains. I’m using CentOS 7.7 and Exim 
> 4.92. I have only one exim.conf file. I have in the main body:
>
> tls_certificate = /etc/exim/private/certs/${lc:${domain:$h_from:}}/cert.pem
> tls_privatekey = /etc/exim/private/certs/${lc:${domain:$h_from:}}/privkey.pem

Didn't we answer this already? The $h_from: isn't available during TLS
session setup.

> begin transports
>
> remote_smtp:
> tls_certificate = 
> /etc/exim/private/certs/${lc:${domain:$h_from:}}/cert.pem
> tls_privatekey = 
> /etc/exim/private/certs/${lc:${domain:$h_from:}}/privkey.pem

The TLS settings in the transports section are for outgoing connections.
The above settings would choose a certificate based on the recipient's
domain for an outgoing mail, I suppose, that's not what you want.

Use in the main section:

TLS_DOMAIN = ${if def:tls_in_sni {${lc:tls_in_sni}}{example.com}}

tls_certificate = /etc/exim/private/certs/TLS_DOMAIN/cert.pem
tls_privatekey  = /etc/exim/private/certs/TLS_DOMAIN/privkey.pem

You need a "fallback", as there is a fair chance, that the client
doesn't send you a TLS SNI.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -


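A way to check what the server actually presents, following Heiko's point that the main-section tls_certificate is what incoming connections see and that a client may send no SNI at all. This is an added example, not part of the thread or of Exim: it speaks the STARTTLS exchange by hand so the SNI can be chosen independently of the host being connected to (or omitted, to exercise the fallback certificate), then reports the DNS names in the certificate the server presented. The host, port and SNI arguments are whatever you test against; `probe.invalid` as the EHLO name and the `SAMPLE_EHLO_REPLY` bytes are constructed. The TLS context verifies against the system CA store, so a certificate from a private CA needs `cafile`.

```python
import io
import socket
import ssl
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed multi-line EHLO reply, used to exercise the reply parser offline.
SAMPLE_EHLO_REPLY = (b"250-mail.example.com Hello probe.invalid\r\n"
                     b"250-SIZE 52428800\r\n"
                     b"250-STARTTLS\r\n"
                     b"250 HELP\r\n")


def read_reply(rfile) -> Tuple[int, List[str]]:
    """Read one SMTP reply: 'NNN-text' lines continue it, 'NNN text' ends it (RFC 5321, 4.2)."""
    lines: List[str] = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def parse_reply_bytes(data: bytes) -> Tuple[int, List[str]]:
    """Convenience wrapper so read_reply can be checked without a socket."""
    return read_reply(io.BytesIO(data))


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries of subjectAltName from ssl.SSLSocket.getpeercert()'s decoded form."""
    return [value.lower().rstrip(".") for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_covered(names: Iterable[str], hostname: str) -> bool:
    """True if hostname matches a SAN exactly or via a single leftmost wildcard label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe_starttls(host: str, port: int = 25, sni: Optional[str] = None,
                   timeout: float = 10.0, cafile: Optional[str] = None) -> Dict[str, object]:
    """Open a session, STARTTLS with the chosen SNI (None = send none), report the leaf cert's names."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # we want to observe a mismatch, not abort on it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected greeting {code}")
        sock.sendall(b"EHLO probe.invalid\r\n")
        code, ehlo = read_reply(rfile)
        if code != 250 or not any(l.split(" ")[0].upper() == "STARTTLS" for l in ehlo[1:]):
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with {code}")
        rfile.close()  # the plaintext reader must not be used once TLS starts
        tls = ctx.wrap_socket(sock, server_hostname=sni)
        names = san_dns_names(tls.getpeercert())
        tls.sendall(b"QUIT\r\n")
        tls.close()
    return {"sni": sni, "names": names, "covers_sni": bool(sni) and name_covered(names, sni)}


if __name__ == "__main__":
    # usage: python probe.py mx.example.org [sni]   (sni omitted = no SNI, exercising the fallback)
    target = sys.argv[1]
    wanted = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_starttls(target, sni=wanted))
```

Run it once with the old MX name, once with the new one and once with no SNI; the third run shows which certificate the `${if exists ...}` fallback hands to clients that never send SNI.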