[exim.git] / test / confs / 5652

# Exim test configuration 5652
# OCSP stapling, server, multiple leaf-certs

.include DIR/aux-var/tls_conf_prefix

primary_hostname = server1.example.com

# ----- Main settings -----

acl_smtp_mail = check_mail
acl_smtp_rcpt = check_recipient

log_selector = +tls_peerdn

queue_only
queue_run_in_order

tls_advertise_hosts = *

CADIR = DIR/aux-fixed/exim-ca
DRSA = CADIR/example.com
DECDSA = CADIR/example_ec.com

tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
	      : DECDSA/server1.example_ec.com/server1.example_ec.com.pem
tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key \
	      : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
tls_ocsp_file =   DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
	      : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp


.ifdef _HAVE_GNUTLS
tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
.endif
.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
openssl_options = +no_tlsv1_3
.endif

# ------ ACL ------

begin acl

check_mail:
  accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
    (${listextract {${eval:$tls_in_ocsp+1}} \
		{notreq:notresp:vfynotdone:failed:verified}})

check_recipient:
  accept


# ----- Routers -----

begin routers

client:
  driver = manualroute
  condition = ${if !eq {SERVER}{server}}
  route_list = * 127.0.0.1
  self = send
  transport = remote_delivery
  errors_to = ""

srvr:
  driver = accept
  retry_use_local_part
  transport = local_delivery


# ----- Transports -----

begin transports

remote_delivery:
  driver =			smtp
  port =			PORT_D
  hosts_require_tls =		*
.ifdef _HAVE_GNUTLS
  tls_require_ciphers =		NONE:\
				${if eq {SELECTOR}{auth_ecdsa} \
					{+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:} \
					{+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:}}\
				+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509
.endif
.ifdef _HAVE_OPENSSL
  tls_require_ciphers =		${if eq {SELECTOR}{auth_ecdsa} {ECDSA:RSA:!COMPLEMENTOFDEFAULT} {RSA}}
.endif
  hosts_require_ocsp =		*
  tls_verify_certificates =	CADIR/\
				${if eq {SELECTOR}{auth_ecdsa} \
					{example_ec.com/server1.example_ec.com/ca_chain.pem}\
					{example.com/server1.example.com/ca_chain.pem}}
  tls_verify_cert_hostnames =	:

local_delivery:
  driver = appendfile
  file = DIR/test-mail/$local_part
  headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
  user = CALLER

# End
Commit	Line	Data
47195144	1	# Exim test configuration 5652
5b2fd993	2	# OCSP stapling, server, multiple leaf-certs
47195144 JH	3
	4	.include DIR/aux-var/tls_conf_prefix
	5
	6	primary_hostname = server1.example.com
	7
	8	# ----- Main settings -----
	9
	10	acl_smtp_mail = check_mail
	11	acl_smtp_rcpt = check_recipient
	12
	13	log_selector = +tls_peerdn
	14
	15	queue_only
	16	queue_run_in_order
	17
	18	tls_advertise_hosts = *
	19
	20	CADIR = DIR/aux-fixed/exim-ca
	21	DRSA = CADIR/example.com
	22	DECDSA = CADIR/example_ec.com
	23
	24	tls_certificate = DRSA/server1.example.com/server1.example.com.pem \
	25	: DECDSA/server1.example_ec.com/server1.example_ec.com.pem
	26	tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \
	27	: DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key
	28	tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \
	29	: DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp
	30
	31
5b2fd993	32	.ifdef _HAVE_GNUTLS
e20c4072	33	tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0
5b2fd993 JH	34	.endif
	35	.ifdef _OPT_OPENSSL_NO_TLSV1_3_X
	36	openssl_options = +no_tlsv1_3
	37	.endif
47195144 JH	38
	39	# ------ ACL ------
	40
	41	begin acl
	42
	43	check_mail:
	44	accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
	45	(${listextract {${eval:$tls_in_ocsp+1}} \
	46	{notreq:notresp:vfynotdone:failed:verified}})
	47
	48	check_recipient:
	49	accept
	50
	51
	52	# ----- Routers -----
	53
	54	begin routers
	55
	56	client:
	57	driver = manualroute
	58	condition = ${if !eq {SERVER}{server}}
	59	route_list = * 127.0.0.1
	60	self = send
	61	transport = remote_delivery
	62	errors_to = ""
	63
	64	srvr:
	65	driver = accept
	66	retry_use_local_part
	67	transport = local_delivery
	68
	69
	70	# ----- Transports -----
	71
	72	begin transports
	73
	74	remote_delivery:
	75	driver = smtp
	76	port = PORT_D
	77	hosts_require_tls = *
5b2fd993 JH	78	.ifdef _HAVE_GNUTLS
	79	tls_require_ciphers = NONE:\
	80	${if eq {SELECTOR}{auth_ecdsa} \
	81	{+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:} \
	82	{+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:}}\
	83	+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509
	84	.endif
	85	.ifdef _HAVE_OPENSSL
	86	tls_require_ciphers = ${if eq {SELECTOR}{auth_ecdsa} {ECDSA:RSA:!COMPLEMENTOFDEFAULT} {RSA}}
	87	.endif
47195144	88	hosts_require_ocsp = *
5b2fd993 JH	89	tls_verify_certificates = CADIR/\
	90	${if eq {SELECTOR}{auth_ecdsa} \
	91	{example_ec.com/server1.example_ec.com/ca_chain.pem}\
	92	{example.com/server1.example.com/ca_chain.pem}}
d2f0eca8	93	tls_verify_cert_hostnames = :
47195144 JH	94
	95	local_delivery:
	96	driver = appendfile
	97	file = DIR/test-mail/$local_part
	98	headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
	99	user = CALLER
	100
	101	# End