
Mailing List Archive: exim: users

multiple IPs and multiple SSL certificates + single exim

 

 



arekm at maven

May 16, 2008, 6:36 AM

Post #1 of 8 (1423 views)
multiple IPs and multiple SSL certificates + single exim

Hello,

I'm trying to get different certificates in a single exim instance. I tried
the first thing that came to my head:

tls_certificate = /etc/openssl/mail-${interface_address}.crt
tls_privatekey = /etc/openssl/mail-${interface_address}.key
tls_advertise_hosts = *

but that doesn't really work:

"expansion of tls_certificate failed: letter or digit expected after ${"

Any other ideas how to force exim to serve different certificates depending on
which IP the client is connected to?

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


bryan.rawlins at onlymyemail

May 16, 2008, 6:55 AM

Post #2 of 8 (1383 views)
Re: multiple IPs and multiple SSL certificates + single exim

Arkadiusz Miskiewicz wrote:
> Any other ideas how to force exim to serve different certificates depending on
> to which IP client is connected to?
>
Here's what I use in our shared hosting environment, there may be a
better way, but it does work.

main exim config:
tls_certificate = ${lookup {$received_ip_address} lsearch{/etc/exim/ssl-cert.map}}

ssl-cert.map:
---
127.0.0.1: /etc/ssl/cert1.pem
172.30.0.25: /etc/ssl/cert2.pem
172.30.0.140: /etc/ssl/cert3.pem
---



exim-users at lists

May 16, 2008, 7:00 AM

Post #3 of 8 (1398 views)
Re: multiple IPs and multiple SSL certificates + single exim

Arkadiusz Miskiewicz wrote:

> I'm trying to get different certificates in single exim instance. I tried
> first thing that came to my head:
>
> tls_certificate = /etc/openssl/mail-${interface_address}.crt
> tls_privatekey = /etc/openssl/mail-${interface_address}.key
> tls_advertise_hosts = *
>
> but that doesn't really work:
>
> "expansion of tls_certificate failed: letter or digit expected after ${"
>
> Any other ideas how to force exim to serve different certificates depending on
> to which IP client is connected to?

You shouldn't use the extra squiggly brackets there. I.e., just do this:

tls_certificate = /etc/openssl/mail-$interface_address.crt
tls_privatekey = /etc/openssl/mail-$interface_address.key

Mike



dot at dotat

May 16, 2008, 7:43 AM

Post #4 of 8 (1386 views)
Re: multiple IPs and multiple SSL certificates + single exim

On Fri, 16 May 2008, Mike Cardwell wrote:
> Arkadiusz Miskiewicz wrote:
> >
> > tls_certificate = /etc/openssl/mail-${interface_address}.crt
> >
> > "expansion of tls_certificate failed: letter or digit expected after ${"
>
> You shouldn't use the extra squiggly brackets there.

That isn't the problem: you are allowed {} around variable names in a
string expansion. There must be some other syntax error in the
tls_certificate setting that is causing the problem. Extraneous space,
perhaps?

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}



Frank.Elsner at TU-Berlin

May 16, 2008, 8:52 AM

Post #5 of 8 (1381 views)
Re: multiple IPs and multiple SSL certificates + single exim

On Fri, 16 May 2008 15:43:41 +0100 Tony Finch wrote:
> On Fri, 16 May 2008, Mike Cardwell wrote:
> > Arkadiusz Miskiewicz wrote:
> > >
> > > tls_certificate = /etc/openssl/mail-${interface_address}.crt
> > >
> > > "expansion of tls_certificate failed: letter or digit expected after ${"
> >
> > You shouldn't use the extra squiggly brackets there.
>
> That isn't the problem: you are allowed {} around variable names in a
> string expansion. There must be some other syntax error in the
> tls_certificate setting that is causing the problem. Extraneous space,
> perhaps?

Instead of   ${interface_address}
it should be {$interface_address}
             ^^----------------------- Note the swap!


--Frank Elsner



dot at dotat

May 16, 2008, 9:19 AM

Post #6 of 8 (1382 views)
Re: multiple IPs and multiple SSL certificates + single exim

On Fri, 16 May 2008, Frank Elsner wrote:
>
> Instead of   ${interface_address}
> it should be {$interface_address}
>              ^^----------------------- Note the swap!

You are absolutely wrong.

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}



wbh at conducive

May 16, 2008, 9:56 AM

Post #7 of 8 (1389 views)
Re: multiple IPs and multiple SSL certificates + single exim

Arkadiusz Miskiewicz wrote:
> Hello,
>
> I'm trying to get different certificates in single exim instance. I tried
> first thing that came to my head:
>
> tls_certificate = /etc/openssl/mail-${interface_address}.crt
> tls_privatekey = /etc/openssl/mail-${interface_address}.key
> tls_advertise_hosts = *
>
> but that doesn't really work:
>
> "expansion of tls_certificate failed: letter or digit expected after ${"
>
> Any other ideas how to force exim to serve different certificates depending on
> to which IP client is connected to?
>

ISTR if you search the archives you will find examples where the
'elements' are constructed more simply.

Something along the lines of:

~ = /path/$interface_address/filename.crt

~ = /path/$interface_address/filename.key

IOW the $interface_address sets the subdir, and all files have the same
name(s).

I may be wrong - that's just from memory.

We just use the same cert for all.

Bill



hs at schlittermann

May 18, 2008, 3:22 PM

Post #8 of 8 (1345 views)
Re: multiple IPs and multiple SSL certificates + single exim

Arkadiusz Miskiewicz <arekm [at] maven> (Fri 16 May 2008 15:36:56 CEST):
> Hello,
>
> I'm trying to get different certificates in single exim instance. I tried
> first thing that came to my head:
>
> tls_certificate = /etc/openssl/mail-${interface_address}.crt
> tls_privatekey = /etc/openssl/mail-${interface_address}.key
> tls_advertise_hosts = *
>
> but that doesn't really work:
>
> "expansion of tls_certificate failed: letter or digit expected after ${"

Maybe you could check using some hex dump (xxd, od, ...) whether you
really have the letter 'i' there.

--
Heiko
Attachments: signature.asc (0.18 KB)
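
The byte-level check suggested in the replies above (a stray space or an invisible character after `${`), as an added example that is not part of the original thread. The function names and the sample file are constructed for illustration; it assumes a grep that supports `-a` (GNU or BSD).

```shell
#!/bin/sh
# Added example: locate bytes that break an Exim "${...}" expansion.

# Print "N:line" for every line where "${" is followed by anything other than
# an ASCII letter or digit (or by end of line), mirroring the wording of the
# error "letter or digit expected after ${". LC_ALL=C makes grep compare raw
# bytes, so multi-byte invisible characters are flagged as well.
find_bad_expansions() {
    LC_ALL=C grep -a -n -E '\$\{([^A-Za-z0-9]|$)' "$1"
}

# Dump the bytes of line $2 of file $1 (the od check proposed in the thread).
dump_line() {
    sed -n "${2}p" "$1" | LC_ALL=C od -An -c
}

# Constructed sample config: line 1 is clean; line 2 hides a zero-width space
# (UTF-8 bytes E2 80 8B, octal 342 200 213) directly after "${".
write_sample() {
    printf '%s\n' 'tls_certificate = /etc/openssl/mail-${interface_address}.crt' > "$1"
    printf 'tls_privatekey = /etc/openssl/mail-${\342\200\213interface_address}.key\n' >> "$1"
}

sample=$(mktemp)
write_sample "$sample"
for hit in $(find_bad_expansions "$sample" | cut -d: -f1); do
    echo "suspect line $hit:"
    dump_line "$sample" "$hit"
done
rm -f "$sample"
```

In the dump, printable characters appear as themselves while the hidden bytes show up as three-digit octal values right after `$   {`.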
