[exim.git] / test / confs / 5730

# Exim test configuration 5730
# OCSP stapling, client, events

SERVER =

exim_path = EXIM_PATH
keep_environment  = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
host_lookup_order = bydns
spool_directory = DIR/spool
log_file_path = DIR/spool/log/SERVER%slog
gecos_pattern = ""
gecos_name = CALLER_NAME
chunking_advertise_hosts =

primary_hostname = server1.example.com
 
.ifdef _HAVE_DMARC
dmarc_tld_file =
.endif


# ----- Main settings -----

domainlist local_domains = test.ex : *.test.ex

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_data

log_selector = +tls_peerdn
remote_max_parallel = 1

tls_advertise_hosts = *

# Set certificate only if server
tls_certificate = ${if eq {SERVER}{server}\
{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
fail\
}
tls_privatekey = ${if eq {SERVER}{server}\
{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
fail}

# from cmdline define
tls_ocsp_file = OPT


# ------ ACL ------

begin acl

check_recipient:
  accept  domains = +local_domains
  deny    message = relay not permitted

check_data:
  warn	  condition   = ${if def:h_X-TLS-out:}
	  logwrite = client claims: $h_X-TLS-out:
  accept

logger:
  accept condition = ${if !eq {msg} {${listextract{1}{$event_name}}}}
  warn	logwrite = client ocsp status: $tls_out_ocsp \
    (${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})
  accept


# ----- Routers -----

begin routers

client:
  driver = accept
  condition = ${if eq {SERVER}{server}{no}{yes}}
  retry_use_local_part
  transport = send_to_server${if eq{$local_part}{nostaple}{1} \
				{${if eq{$local_part}{norequire} {2} \
				{${if eq{$local_part}{smtps} {4}{3}}} \
			     }}}

server:
  driver = redirect
  data = :blackhole:
  #retry_use_local_part
  #transport = local_delivery


# ----- Transports -----

begin transports

local_delivery:
  driver = appendfile
  file = DIR/test-mail/$local_part
  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
  user = CALLER

send_to_server1:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  hosts_try_fastopen =	:
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_verify_cert_hostnames =
  hosts_require_tls = *
  hosts_request_ocsp = :
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
    (${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})
  event_action =	${acl {logger}}

send_to_server2:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  hosts_try_fastopen =	:
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_verify_cert_hostnames =
  hosts_require_tls = *
# note no ocsp mention here
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
    (${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})
  event_action =	${acl {logger}}

send_to_server3:
  driver = smtp
  allow_localhost
  hosts = 127.0.0.1
  port = PORT_D
  hosts_try_fastopen =	:
  helo_data = helo.data.changed
  #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_try_verify_hosts =
  tls_verify_cert_hostnames =
  hosts_require_tls =  *
  hosts_require_ocsp = *
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
    (${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})
  event_action =	${acl {logger}}

send_to_server4:
  driver = smtp
  allow_localhost
  hosts = 127.0.0.1
  port = PORT_D
  hosts_try_fastopen =	:
  helo_data = helo.data.changed
  #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
  tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
  tls_verify_cert_hostnames =
  protocol =           smtps
  hosts_require_tls =  *
  hosts_require_ocsp = *
  headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
    (${listextract {${eval:$tls_out_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})
  event_action =	${acl {logger}}


# ----- Retry -----


begin retry

* * F,5d,1s


# End
Commit	Line	Data
4b4a0e99	1	# Exim test configuration 5730
774ef2d7	2	# OCSP stapling, client, events
018058b2 JH	3
	4	SERVER =
	5
e5489333 JH	6	exim_path = EXIM_PATH
	7	keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
	8	host_lookup_order = bydns
	9	spool_directory = DIR/spool
	10	log_file_path = DIR/spool/log/SERVER%slog
	11	gecos_pattern = ""
	12	gecos_name = CALLER_NAME
	13	chunking_advertise_hosts =
d4dc049f	14
018058b2	15	primary_hostname = server1.example.com
e5489333 JH	16
	17	.ifdef _HAVE_DMARC
	18	dmarc_tld_file =
	19	.endif
018058b2 JH	20
	21
	22	# ----- Main settings -----
	23
	24	domainlist local_domains = test.ex : *.test.ex
	25
	26	acl_smtp_rcpt = check_recipient
	27	acl_smtp_data = check_data
	28
	29	log_selector = +tls_peerdn
	30	remote_max_parallel = 1
	31
	32	tls_advertise_hosts = *
	33
	34	# Set certificate only if server
	35	tls_certificate = ${if eq {SERVER}{server}\
	36	{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
	37	fail\
	38	}
	39	tls_privatekey = ${if eq {SERVER}{server}\
	40	{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
	41	fail}
	42
	43	# from cmdline define
0a6583ae	44	tls_ocsp_file = OPT
018058b2 JH	45
	46
	47	# ------ ACL ------
	48
	49	begin acl
	50
	51	check_recipient:
	52	accept domains = +local_domains
	53	deny message = relay not permitted
	54
	55	check_data:
	56	warn condition = ${if def:h_X-TLS-out:}
	57	logwrite = client claims: $h_X-TLS-out:
	58	accept
	59
	60	logger:
774ef2d7	61	accept condition = ${if !eq {msg} {${listextract{1}{$event_name}}}}
018058b2 JH	62	warn logwrite = client ocsp status: $tls_out_ocsp \
	63	(${listextract {${eval:$tls_out_ocsp+1}} \
	64	{notreq:notresp:vfynotdone:failed:verified}})
	65	accept
	66
	67
	68	# ----- Routers -----
	69
	70	begin routers
	71
	72	client:
	73	driver = accept
	74	condition = ${if eq {SERVER}{server}{no}{yes}}
	75	retry_use_local_part
	76	transport = send_to_server${if eq{$local_part}{nostaple}{1} \
	77	{${if eq{$local_part}{norequire} {2} \
	78	{${if eq{$local_part}{smtps} {4}{3}}} \
	79	}}}
	80
	81	server:
	82	driver = redirect
	83	data = :blackhole:
	84	#retry_use_local_part
	85	#transport = local_delivery
	86
	87
	88	# ----- Transports -----
	89
	90	begin transports
	91
	92	local_delivery:
	93	driver = appendfile
	94	file = DIR/test-mail/$local_part
	95	headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
	96	user = CALLER
	97
	98	send_to_server1:
	99	driver = smtp
	100	allow_localhost
	101	hosts = HOSTIPV4
	102	port = PORT_D
277b9979	103	hosts_try_fastopen = :
018058b2	104	tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
01a4a5c5	105	tls_verify_cert_hostnames =
018058b2 JH	106	hosts_require_tls = *
	107	hosts_request_ocsp = :
	108	headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	109	(${listextract {${eval:$tls_out_ocsp+1}} \
	110	{notreq:notresp:vfynotdone:failed:verified}})
774ef2d7	111	event_action = ${acl {logger}}
018058b2 JH	112
	113	send_to_server2:
	114	driver = smtp
	115	allow_localhost
	116	hosts = HOSTIPV4
	117	port = PORT_D
277b9979	118	hosts_try_fastopen = :
018058b2	119	tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
01a4a5c5	120	tls_verify_cert_hostnames =
018058b2 JH	121	hosts_require_tls = *
	122	# note no ocsp mention here
	123	headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	124	(${listextract {${eval:$tls_out_ocsp+1}} \
	125	{notreq:notresp:vfynotdone:failed:verified}})
774ef2d7	126	event_action = ${acl {logger}}
018058b2 JH	127
	128	send_to_server3:
	129	driver = smtp
	130	allow_localhost
	131	hosts = 127.0.0.1
	132	port = PORT_D
277b9979	133	hosts_try_fastopen = :
018058b2 JH	134	helo_data = helo.data.changed
	135	#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
	136	tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
610ff438	137	tls_try_verify_hosts =
01a4a5c5	138	tls_verify_cert_hostnames =
018058b2 JH	139	hosts_require_tls = *
	140	hosts_require_ocsp = *
	141	headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	142	(${listextract {${eval:$tls_out_ocsp+1}} \
	143	{notreq:notresp:vfynotdone:failed:verified}})
774ef2d7	144	event_action = ${acl {logger}}
018058b2 JH	145
	146	send_to_server4:
	147	driver = smtp
	148	allow_localhost
	149	hosts = 127.0.0.1
	150	port = PORT_D
277b9979	151	hosts_try_fastopen = :
018058b2 JH	152	helo_data = helo.data.changed
	153	#tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
	154	tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
01a4a5c5	155	tls_verify_cert_hostnames =
018058b2 JH	156	protocol = smtps
	157	hosts_require_tls = *
	158	hosts_require_ocsp = *
	159	headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
	160	(${listextract {${eval:$tls_out_ocsp+1}} \
	161	{notreq:notresp:vfynotdone:failed:verified}})
774ef2d7	162	event_action = ${acl {logger}}
018058b2 JH	163
	164
	165	# ----- Retry -----
	166
	167
	168	begin retry
	169
	170	* * F,5d,1s
	171
	172
	173	# End