Mailing List Archive

Dynamic certificate paths
I'd like my TLS certificate paths to be dynamic and based on
primary_hostname. They're currently defined as such:

tls_privatekey = /etc/letsencrypt/live/${primary_hostname}/privkey.pem

This works fine *if* primary_hostname is defined with a string literal.

primary_hostname = smtp.mydomain.com

But I need primary_hostname to be dynamic, say read from a file.

primary_hostname = ${readfile{/etc/mailname}{}}

But when configured this way, TLS connections fail because the readfile is
included in the certificate path, so it's not actually a path. TLS
connection failure error messages include:

key=/etc/letsencrypt/live/${readfile{/etc/mailname}}/privkey.pem

Is what I'm trying to achieve possible? Like, is there a way to force
immediate expansion of the ${readfile{/etc/mailname}{}} assignment so
primary_hostname is considered a string literal by the rest of the
configuration?

My environment:

$ exim --version
Exim version 4.95 #2 built 23-Nov-2022 15:53:26

$ exim -be '${primary_hostname}'
${readfile{/etc/mailname}{}}

$ exim -be '${readfile{/etc/mailname}{}}'
smtp.mydomain.com

Thanks!
Lance
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Dynamic certificate paths
My goal is to have a single configuration file that can run across
different environments (dev/stage/live.)

I was really hoping Exim had an evaluate-once assignment operator like
the Makefile walrus (:=).

No problem, I'll come up with a different solution - an include with
macros or just a simple 'sed'.

FWIW, the readfile assignment hasn't caused issues anywhere else so
far, just in the cert paths, which I presume are a special case for
security.

Thanks!
Lance

On 4/15/23, 4:43 PM, "Jeremy Harris" <jgh@wizmail.org> wrote:


On 15/04/2023 19:36, Lance Lovette via Exim-users wrote:
> But I need primary_hostname to be dynamic, say read from a file.
>
> primary_hostname = ${readfile{/etc/mailname}{}}

You can't do that; the primary_hostname option does not
expand its argument.

Could you explain your need further? Why do you want this value
to come from a file? Would it suffice to have that line of configuration
come from a file (if so, look into the .include directive).
--
Cheers,
Jeremy

Re: Dynamic certificate paths
On 16/04/2023 17:52, Lance Lovette wrote:
> My goal is to have a single configuration file that can run across
> different environments (dev/stage/live.)

I'm not seeing why the default of the "uname" result, used
if you don't set this option, is not sufficient in that case.

> FWIW, the readfile assignment hasn't caused issues anywhere else so
> far, just in the cert paths, which I presume are a special case for
> security.

The docs do show which options are expanded (and so, implicitly,
which ones are not).

--
Cheers,
Jeremy


Re: Dynamic certificate paths
> I'm not seeing why the default of the "uname" result... is not sufficient
> in that case.

Long story short, changing uname to be something other than the container
name will cause ripple effects in other places.

My ultimate goal with setting 'primary_hostname' is to control the host
name exposed in the HELO for outgoing messages. My understanding is some
ESP reverse lookup the host name to assess reputation. Perhaps I can
achieve that goal by instead setting 'qualify_domain' and 'helo_data' in
the smtp transport? But alas, just using a macro will be easy enough :)

> The docs do show which options are expanded (and so, implicitly, which
> ones are not).

That would be helpful. Can you point me to a reference? I did not find
anything in the "Specification of the Exim Mail Transfer Agent", Revision
4.96 (25 Jun 2022.)

Thanks!
Lance
Re: Dynamic certificate paths
On 16/04/2023 19:35, Lance Lovette via Exim-users wrote:
> That would be helpful. Can you point me to a reference?
https://exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html#SECTalomo
--
Cheers,
Jeremy


Re: Dynamic certificate paths
"Those options that undergo string expansion before use are marked with †."

Thanks! It's always the fine print that gets you :)

After further investigation (thanks -d+expand!), I must retract my earlier
statement about my readfile assignment not causing any issues. It was :)

╭considering: $primary_hostname
├──expanding: $primary_hostname
╰─────result: ${readfile{/etc/mailname}{}}
...
SMTP>> EHLO ${readfile{/etc/mailname}{}}

For posterity, going back to my original post, TLS certificate options *are
expanded* and can indeed be dynamic! This works just fine... not that it's
the most efficient way :)

tls_certificate = /etc/letsencrypt/live/${readfile{/etc/mailname}{}}/fullchain.pem

Thanks Jeremy for the help!

Lance
Re: Dynamic certificate paths
On 16 April 2023 20:28:30 UTC, Lance Lovette via Exim-users <exim-users@exim.org> wrote:

> tls_certificate = /etc/letsencrypt/live/${readfile{/etc/mailname}{}}/fullchain.pem

I lost context, but the content of /etc/mailname is in the ETC_MAILNAME
macro on Debian systems.

regards


--
Slavko
https://www.slavino.sk/

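The macro/.include approach Jeremy and Slavko point at, written out as an added example that is not part of the thread. It assumes a one-line macro file at /etc/exim4/mailname.conf (an assumed path; on Debian the packaging already provides the ETC_MAILNAME macro, so the .include line is unnecessary there) and that macro definitions in an included file are processed before the options that use them.

```exim
# Added example, not from the thread. The host name becomes a macro, which
# is substituted textually while the configuration is read. That gives the
# unexpanded primary_hostname option a real literal, and lets the expanded
# tls_* options avoid a readfile on every TLS handshake.
#
# /etc/exim4/mailname.conf (assumed path) holds exactly one line, e.g.:
#   MAILNAME = smtp.mydomain.com
# On Debian, use the packaging's ETC_MAILNAME macro instead of this include.
.include /etc/exim4/mailname.conf

# primary_hostname is not string-expanded (no dagger in the option list),
# so a ${readfile...} here would leak into EHLO verbatim. The macro form
# is a plain literal by the time Exim parses the option.
primary_hostname = MAILNAME

# tls_certificate and tls_privatekey are expanded, so either the macro or
# ${readfile{/etc/mailname}{}} works; the macro is resolved once at startup.
tls_certificate = /etc/letsencrypt/live/MAILNAME/fullchain.pem
tls_privatekey  = /etc/letsencrypt/live/MAILNAME/privkey.pem
```

To confirm the substitution, `exim -bP primary_hostname` should print the literal host name rather than an expansion string, and `exim -d+expand -bh` style testing as in the thread should show a plain name in the EHLO line.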