[exim.git] / test / confs / 5820

# Exim test configuration 5820
# DANE/GnuTLS

SERVER=
CONTROL= *

.include DIR/aux-var/tls_conf_prefix

primary_hostname = myhost.test.ex

# ----- Main settings -----

.ifndef OPT
acl_smtp_rcpt = accept logwrite = "rcpt ACL"
.else
acl_smtp_rcpt = accept verify = recipient/callout
.endif

log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified

queue_run_in_order

tls_advertise_hosts = *
# needed to force generation
tls_dhparam = historic

# Set certificate only if server
CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com


tls_certificate = ${if eq {SERVER}{server} \
	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
		{CDIR2/fullchain.pem}\
		{CDIR1/fullchain.pem}}}\
	fail}

tls_privatekey = ${if eq {SERVER}{server} \
	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
		{CDIR2/server1.example.com.unlocked.key}\
		{CDIR1/server1.example.net.unlocked.key}}}\
	fail}

# ----- Routers -----

begin routers

client:
  driver = dnslookup
  condition = ${if eq {SERVER}{}}
  dnssec_request_domains = *
  self = send
  transport = send_to_server
  errors_to = ""

server:
  driver = redirect
  data = :blackhole:


# ----- Transports -----

begin transports

send_to_server:
  driver = smtp
  allow_localhost
  port = PORT_D
  hosts_try_fastopen =	:

  hosts_try_dane =     CONTROL
  hosts_require_dane = HOSTIPV4
  tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
  tls_try_verify_hosts = thishost.test.ex
  tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}


# ----- Retry -----


begin retry

* * F,5d,10s


# End
Commit	Line	Data
899b8bbc JH	1	# Exim test configuration 5820
899b8bbc JH	2	# DANE/GnuTLS
12ee8cf9 JH	3
12ee8cf9 JH	4	SERVER=
59c0959a	5	CONTROL= *
12ee8cf9	6
899b8bbc	7	.include DIR/aux-var/tls_conf_prefix
d4dc049f	8
12ee8cf9	9	primary_hostname = myhost.test.ex
12ee8cf9 JH	10
	11	# ----- Main settings -----
	12
899b8bbc JH	13	.ifndef OPT
	14	acl_smtp_rcpt = accept logwrite = "rcpt ACL"
	15	.else
	16	acl_smtp_rcpt = accept verify = recipient/callout
	17	.endif
12ee8cf9	18
899b8bbc	19	log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
12ee8cf9	20
12ee8cf9 JH	21	queue_run_in_order
	22
	23	tls_advertise_hosts = *
360c0492 JH	24	# needed to force generation
360c0492 JH	25	tls_dhparam = historic
12ee8cf9 JH	26
12ee8cf9 JH	27	# Set certificate only if server
899b8bbc JH	28	CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
899b8bbc JH	29	CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
12ee8cf9	30
82525c6f	31
899b8bbc JH	32	tls_certificate = ${if eq {SERVER}{server} \
	33	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
	34	{CDIR2/fullchain.pem}\
	35	{CDIR1/fullchain.pem}}}\
	36	fail}
12ee8cf9	37
899b8bbc JH	38	tls_privatekey = ${if eq {SERVER}{server} \
	39	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
	40	{CDIR2/server1.example.com.unlocked.key}\
	41	{CDIR1/server1.example.net.unlocked.key}}}\
	42	fail}
12ee8cf9 JH	43
	44	# ----- Routers -----
	45
	46	begin routers
	47
	48	client:
899b8bbc JH	49	driver = dnslookup
	50	condition = ${if eq {SERVER}{}}
	51	dnssec_request_domains = *
	52	self = send
12ee8cf9	53	transport = send_to_server
899b8bbc	54	errors_to = ""
12ee8cf9 JH	55
	56	server:
	57	driver = redirect
	58	data = :blackhole:
	59
	60
	61	# ----- Transports -----
	62
	63	begin transports
	64
	65	send_to_server:
	66	driver = smtp
	67	allow_localhost
28646fa9	68	port = PORT_D
277b9979	69	hosts_try_fastopen = :
899b8bbc	70
59c0959a	71	hosts_try_dane = CONTROL
899b8bbc JH	72	hosts_require_dane = HOSTIPV4
	73	tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
	74	tls_try_verify_hosts = thishost.test.ex
570cb1bd	75	tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
899b8bbc	76
7a31d643	77
12ee8cf9 JH	78
	79	# ----- Retry -----
	80
	81
	82	begin retry
	83
	84	* * F,5d,10s
	85
	86
	87	# End