# Exim test configuration 5651
# OCSP stapling, client
#
# One configuration serves both roles of the test: with SERVER=server it
# acts as the TLS/OCSP server; otherwise it acts as the sending client.
# The client side is the subject of the test: four smtp transports differ
# only in whether OCSP stapling is not requested, requested, or required.

# Empty default; presumably overridden by a command-line -DSERVER=server
# define for the server instance (TODO confirm against the test script).
SERVER =

.include DIR/aux-var/tls_conf_prefix

primary_hostname = server1.example.com

# ----- Main settings -----

domainlist local_domains = test.ex : *.test.ex

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_data

log_selector = +tls_peerdn
remote_max_parallel = 1

tls_advertise_hosts = *

# Set certificate only if server
# On the client instance both expansions fail, so no server certificate or
# key is loaded there.
tls_certificate = ${if eq {SERVER}{server}\
	{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
	fail\
	}
tls_privatekey = ${if eq {SERVER}{server}\
	{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
	fail}

# from cmdline define
# OPT is the OCSP response the server staples; the test varies it per run.
tls_ocsp_file = OPT


# ------ ACL ------

begin acl

check_recipient:
  accept domains = +local_domains
  deny   message = relay not permitted

check_data:
  # The server logs the OCSP status the client recorded in X-TLS-out:
  # (added by the transports below).  The header comes from the peer, so
  # outside this harness it is untrusted input and should not be taken as
  # evidence of anything.
  warn condition = ${if def:h_X-TLS-out:}
       logwrite  = client claims: $h_X-TLS-out:
  accept


# ----- Routers -----

begin routers

# Client side only (condition is "no" when SERVER=server).  The local part
# of the recipient selects which transport, and therefore which OCSP
# policy, is exercised:
#   nostaple  -> send_to_server1 (stapling not requested)
#   norequire -> send_to_server2 (requested by default, not required)
#   smtps     -> send_to_server4 (required, implicit TLS on connect)
#   anything else -> send_to_server3 (required)
client:
  driver = accept
  condition = ${if eq {SERVER}{server}{no}{yes}}
  retry_use_local_part
  transport = send_to_server${if eq{$local_part}{nostaple}{1} \
		{${if eq{$local_part}{norequire} {2} \
		{${if eq{$local_part}{smtps} {4}{3}}} \
		}}}

# Server side: every accepted message is discarded; nothing is stored.
server:
  driver = redirect
  data = :blackhole:
  #retry_use_local_part
  #transport = local_delivery


# ----- Transports -----

begin transports

# Not referenced by any active router in this file (the server router
# blackholes instead).  If it is ever re-enabled, note that the mailbox
# path is built directly from $local_part.
local_delivery:
  driver = appendfile
  file = DIR/test-mail/$local_part
  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
  user = CALLER

# Case 1: TLS required, OCSP stapling explicitly NOT requested (empty list).
# Expected $tls_out_ocsp: 0 (notreq).
# tls_verify_cert_hostnames is emptied in all four transports, presumably
# because the connection is made by IP address while the certificate is
# issued to server1.example.com (verify against the test expectations).
# With tls_verify_hosts unset, the default of tls_try_verify_hosts applies,
# so a certificate verification failure is logged but does not stop
# delivery — NOTE(review): confirm; this is a test-only relaxation.
send_to_server1:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_verify_cert_hostnames =
  hosts_require_tls = *
  hosts_request_ocsp = :
  # $tls_out_ocsp is 0..4; listextract is 1-based, hence the +1:
  #   0 notreq, 1 notresp, 2 vfynotdone, 3 failed, 4 verified
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	(${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})

# Case 2: TLS required, OCSP left at defaults (requested, not required).
# A missing or bad stapled response therefore does not block delivery.
send_to_server2:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_verify_cert_hostnames =
  hosts_require_tls = *
  # note no ocsp mention here
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	(${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})

# Case 3: TLS required and a verified OCSP staple required.
# NOTE(review): tls_try_verify_hosts is also emptied here while
# tls_verify_hosts stays unset, so this transport presumably performs no
# certificate verification at all despite tls_verify_certificates being
# set — confirm against the Exim docs; that is what makes the
# "vfynotdone" (2) status reachable.
send_to_server3:
  driver = smtp
  allow_localhost
  hosts = 127.0.0.1
  port = PORT_D
  helo_data = helo.data.changed
  #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_try_verify_hosts =
  tls_verify_cert_hostnames =
  hosts_require_tls = *
  hosts_require_ocsp = *
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	(${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})

# Case 4: as case 3 but over implicit TLS (protocol = smtps) rather than
# STARTTLS, and without the tls_try_verify_hosts override.
send_to_server4:
  driver = smtp
  allow_localhost
  hosts = 127.0.0.1
  port = PORT_D
  helo_data = helo.data.changed
  #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_verify_cert_hostnames =
  protocol = smtps
  hosts_require_tls = *
  hosts_require_ocsp = *
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	(${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})


# ----- Retry -----


begin retry

# Retry every second for up to five days, so a failed OCSP/TLS check is
# seen as a deferral in the test log rather than a bounce.
* * F,5d,1s


# End