Mailing List Archive

Multiple SSL virtual hosting for SMTP
All right, trying to put multiple wildcard SSL certificates in
the configuration. When I do, I manage to kill the SSL functionality.

In the configuration file I have

local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025 : 0.0.0.0.465 : 0.0.0.0.587

domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 204.209.81.0/24

# Allow any client to use TLS.

tls_advertise_hosts = *
log_selector = +all

# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
# the certificate and private key in the same file, in which case you only
# need the first setting, or in separate files, in which case you need both
# options.

#tls_certificate = ${if exists{/etc/ssl/certs/${tls_sni}.chain.cert}{/etc/ssl/certs/${tls_sni}.chain.cert}{/etc/ssl/certs/wilcard.nk.ca.2018.chain.cert}}
#tls_privatekey = $if exists{/etc/ssl/certs/${tls_sni}.key}{/etc/ssl/certs/${tls_sni}.key}{/etc/ssl/certs/wilcard.nk.ca.2018.key}}
tls_certificate = /etc/ssl/certs/wilcard.nk.ca.2018.chain.cert
tls_privatekey = /etc/ssl/certs/wilcard.nk.ca.2018.key

Also from the cert directory I have

-rw-r--r-- 1 root wheel 2273 May 31 2018 wilcard.nk.ca.2018.cert
-rw-r--r-- 1 root wheel 7068 May 31 2018 wilcard.nk.ca.2018.chain.cert
-rw-r--r-- 1 root wheel 1098 May 14 2018 wilcard.nk.ca.2018.csr
-rw-r--r-- 1 root wheel 4795 May 31 2018 wilcard.nk.ca.2018.int.cert
-rw-r--r-- 1 root wheel 1679 May 14 2018 wilcard.nk.ca.2018.key
-rw-r--r-- 1 root wheel 1746 May 14 2018 wilcard.nk.ca.2018.key.orig
-rw-r--r-- 1 root wheel 4867 May 31 2018 wilcard.nk.ca.zip
-rw-r--r-- 1 root wheel 2240 Dec 14 23:52 wildcard.acebizventures.com.2019.cert
-rw-r--r-- 1 root wheel 7036 Dec 15 08:17 wildcard.acebizventures.com.2019.chain.cert
-rw-r--r-- 1 root wheel 1424 Dec 14 22:03 wildcard.acebizventures.com.2019.crt
-rw-r--r-- 1 root wheel 1115 Dec 14 21:59 wildcard.acebizventures.com.2019.csr
-rw-r--r-- 1 root wheel 4796 Dec 14 23:52 wildcard.acebizventures.com.2019.int.cert
-rw-r--r-- 1 root wheel 1675 Dec 14 22:00 wildcard.acebizventures.com.2019.key
-rw-r--r-- 1 root wheel 1743 Dec 14 22:00 wildcard.acebizventures.com.2019.key.orig


Pointers please.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
Merry Christmas 2018 and Happy New Year 2019!!

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Multiple SSL virtual hosting for SMTP
On 15.12.18 at 18:28, The Doctor via Exim-users wrote:
> All right, trying to put multiple wildcard SSL certificates in
> the configuration. When I do, I manage to kill the SSL functionality.
>
> In the configuration file I have
>
> local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025 : 0.0.0.0.465 : 0.0.0.0.587
>
> domainlist local_domains = @
> domainlist relay_to_domains =
> hostlist relay_from_hosts = 127.0.0.1 : 204.209.81.0/24
>
> # Allow any client to use TLS.
>
> tls_advertise_hosts = *
> log_selector = +all
>
> # Specify the location of the Exim server's TLS certificate and private key.
> # The private key must not be encrypted (password protected). You can put
> # the certificate and private key in the same file, in which case you only
> # need the first setting, or in separate files, in which case you need both
> # options.
>
> #tls_certificate = ${if exists{/etc/ssl/certs/${tls_sni}.chain.cert}{/etc/ssl/certs/${tls_sni}.chain.cert}{/etc/ssl/certs/wilcard.nk.ca.2018.chain.cert}}
> #tls_privatekey = $if exists{/etc/ssl/certs/${tls_sni}.key}{/etc/ssl/certs/${tls_sni}.key}{/etc/ssl/certs/wilcard.nk.ca.2018.key}}

That something breaks seems to be due to a typo.
You need an opening bracket "{" in front of the "if" for your key.

I assume that this config will not fit your intention.
When you get a connection with SNI = "whateverhost.acebizventures.com",
the config will search for:

/etc/ssl/certs/whateverhost.acebizventures.com.chain.cert
which will always bring you to the fall-back cert
...and besides: is there not a "2019" in your filename, but not in the
config?

You have to cut the tls_sni down to the domain name first.
Afterwards, don't forget to add "wildcard." in front of that.



> tls_certificate = /etc/ssl/certs/wilcard.nk.ca.2018.chain.cert
> tls_privatekey = /etc/ssl/certs/wilcard.nk.ca.2018.key
>
> Also from the cert directory I have
>
> -rw-r--r-- 1 root wheel 2273 May 31 2018 wilcard.nk.ca.2018.cert
> -rw-r--r-- 1 root wheel 7068 May 31 2018 wilcard.nk.ca.2018.chain.cert
> -rw-r--r-- 1 root wheel 1098 May 14 2018 wilcard.nk.ca.2018.csr
> -rw-r--r-- 1 root wheel 4795 May 31 2018 wilcard.nk.ca.2018.int.cert
> -rw-r--r-- 1 root wheel 1679 May 14 2018 wilcard.nk.ca.2018.key
> -rw-r--r-- 1 root wheel 1746 May 14 2018 wilcard.nk.ca.2018.key.orig
> -rw-r--r-- 1 root wheel 4867 May 31 2018 wilcard.nk.ca.zip
> -rw-r--r-- 1 root wheel 2240 Dec 14 23:52 wildcard.acebizventures.com.2019.cert
> -rw-r--r-- 1 root wheel 7036 Dec 15 08:17 wildcard.acebizventures.com.2019.chain.cert
> -rw-r--r-- 1 root wheel 1424 Dec 14 22:03 wildcard.acebizventures.com.2019.crt
> -rw-r--r-- 1 root wheel 1115 Dec 14 21:59 wildcard.acebizventures.com.2019.csr
> -rw-r--r-- 1 root wheel 4796 Dec 14 23:52 wildcard.acebizventures.com.2019.int.cert
> -rw-r--r-- 1 root wheel 1675 Dec 14 22:00 wildcard.acebizventures.com.2019.key
> -rw-r--r-- 1 root wheel 1743 Dec 14 22:00 wildcard.acebizventures.com.2019.key.orig
>
>
> Pointers please.
>
--
Torsten
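
The lookup problem described in the reply above, modelled in Python as an added example (not part of the thread and not Exim configuration). The file names come from the directory listing in the original post; `SNI_MAP`, `original_lookup` and `mapped_lookup` are hypothetical names, and the explicit map is an assumption chosen because the year suffix and the "wilcard" spelling cannot be derived from the SNI value.

```python
import re

CERT_DIR = "/etc/ssl/certs/"
# Constructed from the directory listing in the original post.
CERT_FILES = {
    "wilcard.nk.ca.2018.chain.cert", "wilcard.nk.ca.2018.key",
    "wildcard.acebizventures.com.2019.chain.cert",
    "wildcard.acebizventures.com.2019.key",
}
FALLBACK = "wilcard.nk.ca.2018"
# Hypothetical explicit map: domain -> certificate base name on disk.
SNI_MAP = {
    "nk.ca": "wilcard.nk.ca.2018",
    "acebizventures.com": "wildcard.acebizventures.com.2019",
}
# SNI is supplied by the client, so accept only plain DNS labels
# (no "/", "..", whitespace) before it influences a file name.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})+")


def _paths(base):
    return CERT_DIR + base + ".chain.cert", CERT_DIR + base + ".key"


def original_lookup(sni):
    """Model of the commented-out expansion: <sni>.chain.cert if it exists."""
    exists = f"{sni}.chain.cert" in CERT_FILES
    return _paths(sni if exists else FALLBACK)


def mapped_lookup(sni):
    """Cut the SNI down to its domain, then map it to a known base name."""
    sni = (sni or "").lower().rstrip(".")
    base = FALLBACK
    if len(sni) <= 253 and HOSTNAME.fullmatch(sni):
        domain = sni.split(".", 1)[1]  # drop the host label only
        base = SNI_MAP.get(domain, FALLBACK)
    return _paths(base)


if __name__ == "__main__":
    for name in ("whateverhost.acebizventures.com", "mail.nk.ca", "../../tmp/x"):
        print(name, original_lookup(name)[0], mapped_lookup(name)[0], sep="\n  ")
```

Only one label is stripped, so a name such as `a.b.acebizventures.com` falls back to the default certificate, which matches what a single-level wildcard certificate covers.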

