
Commit e2d9013

author
Kristan Kenney
committed
Enable TLS SNI detection for Exim4
1 parent d2e8b4c commit e2d9013

1 file changed

+27
-5
lines changed


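--- a/install/deb/exim/exim4.conf.template
+++ b/install/deb/exim/exim4.conf.template
@@ -8,7 +8,7 @@
 #SPAM_SCORE = 50
 #CLAMD = yes
 
-smtp_banner = $smtp_active_hostname \
+smtp_banner = $smtp_active_hostname
 add_environment = <; PATH=/bin:/usr/bin
 keep_environment =
 disable_ipv6 = true
@@ -34,9 +34,31 @@ spamd_address = 127.0.0.1 783
 av_scanner = clamd: /var/run/clamav/clamd.ctl
 .endif
 
+log_selector = +tls_sni
+
 tls_advertise_hosts = *
-tls_certificate = /usr/local/hestia/ssl/certificate.crt
-tls_privatekey = /usr/local/hestia/ssl/certificate.key
+
+# here we test that $tls_in_sni really is a domain, but constructing an arbitrary email address foo@...
+# and then extracting the domain with a function that should fails if the email address is not valid
+# then we looks to see that the cert exists, and use it
+# otherwise we use the default cert in /etc/ssl
+tls_certificate = \
+${if and {\
+{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
+{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
+}\
+{/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
+{/usr/local/hestia/ssl/certificate.crt}\
+}
+
+tls_privatekey = \
+${if and {\
+{ eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
+{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
+}\
+{/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
+{/usr/local/hestia/ssl/certificate.key}\
+}
 
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
@@ -86,7 +108,7 @@ acl_check_mail:
 deny condition = ${if eq{$sender_helo_name}{}}
 message = HELO required before MAIL
 
-drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid
+drop message = Helo name contains an IP address (HELO was $sender_helo_name) and not is valid
 condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
 condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
 delay = 45s
@@ -303,7 +325,7 @@ begin transports
 
 remote_smtp:
 driver = smtp
-#helo_data = $sender_address_domain
+helo_data = mail.$sender_address_domain
 dkim_domain = DKIM_DOMAIN
 dkim_selector = mail
 dkim_private_key = DKIM_PRIVATE_KEY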
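Review bot: In the second hunk the `tls_certificate` and `tls_privatekey` expressions each test only for their own file (new lines 48 and 57), so a domain that has `$tls_in_sni.crt` on disk but no matching `.key` (or the reverse) is served the per-domain certificate together with the default key, which breaks the handshake instead of falling back to the default pair; add `{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\` to the certificate condition and `{ exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\` to the key condition so both select the same pair. `$tls_in_sni` is supplied by the connecting client before any authentication, and the `eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}` test at lines 47 and 56 is the only thing keeping that value from reaching the `exists` path unchecked, so the comment block should say that explicitly rather than describing the mechanism loosely. The comment at line 44 also names `/etc/ssl` as the default location while the fallback paths on lines 51 and 60 are under `/usr/local/hestia/ssl/`; I would replace lines 41-44 with `# $tls_in_sni is client-supplied: accept it only if ${domain:} parses foo@$tls_in_sni back to the same string, and only if the per-domain cert and key both exist under /usr/local/hestia/ssl/mail/; otherwise fall back to /usr/local/hestia/ssl/certificate.{crt,key}`, which also fixes "should fails" and "we looks".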
