1 files changed, 7 insertions, 2 deletions

diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index eebba2e..e1bde44 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1200,6 +1200,11 @@ void tls_init()
   stralloc saciphers = {0};
   X509_STORE *store;
   X509_LOOKUP *lookup;
+  const char *servercert;
+
+  /* if set, use servercert selected through SMTP_SERVERCERT env var */
+  servercert = env_get("SMTP_SERVERCERT");
+  if (!servercert) servercert = SERVERCERT;
 
   SSL_library_init();
 
@@ -1207,7 +1212,7 @@ void tls_init()
   ctx = SSL_CTX_new(SSLv23_server_method());
   if (!ctx) { tls_err("unable to initialize ctx"); return; }
 
-  if (!SSL_CTX_use_certificate_chain_file(ctx, SERVERCERT))
+  if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
     { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
   SSL_CTX_load_verify_locations(ctx, CLIENTCA, NULL);
 
@@ -1229,7 +1234,7 @@ void tls_init()
   if (!myssl) { tls_err("unable to initialize ssl"); return; }
 
   /* this will also check whether public and private keys match */
-  if (!SSL_use_RSAPrivateKey_file(myssl, SERVERCERT, SSL_FILETYPE_PEM))
+  if (!SSL_use_RSAPrivateKey_file(myssl, servercert, SSL_FILETYPE_PEM))
     { SSL_free(myssl); tls_err("no valid RSA private key"); return; }
 
   ciphers = env_get("TLSCIPHERS");