1 | # Exim test configuration 5890 |
2 | # DANE/fail-events | |
3 | ||
4 | SERVER= | |
5 | ||
6 | .include DIR/aux-var/tls_conf_prefix | |
7 | ||
8 | primary_hostname = myhost.test.ex | |
9 | ||
10 | # ----- Main settings ----- | |
11 | ||
12 | .ifndef OPT | |
13 | acl_smtp_rcpt = accept logwrite = "rcpt ACL" | |
14 | .else | |
15 | acl_smtp_rcpt = accept verify = recipient/callout | |
16 | .endif | |
17 | ||
18 | log_selector = +received_recipients +tls_peerdn +tls_certificate_verified | |
19 | ||
20 | queue_run_in_order | |
21 | ||
22 | tls_advertise_hosts = * | |
23 | ||
24 | .ifdef _HAVE_GNUTLS | |
25 | # needed to force DH-parameter generation | |
26 | tls_dhparam = historic | |
27 | .endif | |
28 | ||
29 | # Set the certificate only when running as the server | |
30 | CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net | |
31 | CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com | |
32 | ||
33 | ||
34 | tls_certificate = ${if eq {SERVER}{server} \ | |
35 | {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ | |
36 | {CDIR2/fullchain.pem}\ | |
37 | {CDIR1/fullchain.pem}}}\ | |
38 | fail} | |
39 | ||
40 | tls_privatekey = ${if eq {SERVER}{server} \ | |
41 | {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ | |
42 | {CDIR2/server1.example.com.unlocked.key}\ | |
43 | {CDIR1/server1.example.net.unlocked.key}}}\ | |
44 | fail} | |
45 | ||
46 | # ----- ACL ----- | |
47 | begin acl | |
48 | ||
49 | dane_fail: | |
50 | accept condition = ${if eq {dane} {${listextract{1}{$event_name}}}} | |
51 | logwrite = $event_name <$event_data> | |
52 | ||
53 | # ----- Routers ----- | |
54 | ||
55 | begin routers | |
56 | ||
57 | client: | |
58 | driver = dnslookup | |
59 | condition = ${if eq {SERVER}{}} | |
60 | dnssec_request_domains = * | |
61 | self = send | |
62 | transport = send_to_server | |
63 | errors_to = "" | |
64 | ||
65 | server: | |
66 | driver = redirect | |
67 | data = :blackhole: | |
68 | ||
69 | ||
70 | # ----- Transports ----- | |
71 | ||
72 | begin transports | |
73 | ||
74 | send_to_server: | |
75 | driver = smtp | |
76 | allow_localhost | |
77 | port = PORT_D | |
277b9979 | 78 | hosts_try_fastopen = : |
79 | |
80 | hosts_try_dane = * | |
81 | hosts_require_dane = HOSTIPV4 | |
82 | tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} | |
83 | tls_try_verify_hosts = thishost.test.ex | |
84 | tls_verify_certificates = CDIR2/ca_chain.pem | |
85 | event_action = ${acl {dane_fail}} | |
86 | ||
87 | ||
88 | ||
89 | # ----- Retry ----- | |
90 | ||
91 | ||
92 | begin retry | |
93 | ||
94 | * * F,5d,10s | |
95 | ||
96 | ||
97 | # End |