[exim.git] / test / confs / 5861

# Exim test configuration 5890
# DANE/fail-events

SERVER=

.include DIR/aux-var/tls_conf_prefix

primary_hostname = myhost.test.ex

# ----- Main settings -----

.ifndef OPT
acl_smtp_rcpt = accept logwrite = "rcpt ACL"
.else
acl_smtp_rcpt = accept verify = recipient/callout
.endif

log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified

queue_run_in_order

tls_advertise_hosts = *

.ifdef _HAVE_GNUTLS
# needed to force generation
tls_dhparam = historic
.endif

# Set certificate only if server
CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com


tls_certificate = ${if eq {SERVER}{server} \
	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
		{CDIR2/fullchain.pem}\
		{CDIR1/fullchain.pem}}}\
	fail}

tls_privatekey = ${if eq {SERVER}{server} \
	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
		{CDIR2/server1.example.com.unlocked.key}\
		{CDIR1/server1.example.net.unlocked.key}}}\
	fail}

# ----- ACL -----
begin acl

dane_fail:
  accept	condition =	${if eq {dane} {${listextract{1}{$event_name}}}}
		logwrite =	$event_name <$event_data>

# ----- Routers -----

begin routers

client:
  driver =		dnslookup
  condition =		${if eq {SERVER}{}}
  dnssec_request_domains = *
  self =		send
  transport =		send_to_server
  errors_to =		""

server:
  driver = redirect
  data = :blackhole:


# ----- Transports -----

begin transports

send_to_server:
  driver = smtp
  allow_localhost
  port = PORT_D
  hosts_try_fastopen =	:

  hosts_try_dane =     *
  hosts_require_dane = HOSTIPV4
  tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
  tls_try_verify_hosts = thishost.test.ex
  tls_verify_certificates = CDIR2/ca_chain.pem
  event_action =	${acl {dane_fail}}


# ----- Retry -----


begin retry

* * F,5d,10s


# End
Commit	Line	Data
c4b57fdd JH	1	# Exim test configuration 5890
	2	# DANE/fail-events
	3
	4	SERVER=
	5
	6	.include DIR/aux-var/tls_conf_prefix
	7
	8	primary_hostname = myhost.test.ex
	9
	10	# ----- Main settings -----
	11
	12	.ifndef OPT
	13	acl_smtp_rcpt = accept logwrite = "rcpt ACL"
	14	.else
	15	acl_smtp_rcpt = accept verify = recipient/callout
	16	.endif
	17
	18	log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
	19
	20	queue_run_in_order
	21
	22	tls_advertise_hosts = *
	23
	24	.ifdef _HAVE_GNUTLS
	25	# needed to force generation
	26	tls_dhparam = historic
	27	.endif
	28
	29	# Set certificate only if server
	30	CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
	31	CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
	32
	33
	34	tls_certificate = ${if eq {SERVER}{server} \
	35	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
	36	{CDIR2/fullchain.pem}\
	37	{CDIR1/fullchain.pem}}}\
	38	fail}
	39
	40	tls_privatekey = ${if eq {SERVER}{server} \
	41	{${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
	42	{CDIR2/server1.example.com.unlocked.key}\
	43	{CDIR1/server1.example.net.unlocked.key}}}\
	44	fail}
	45
	46	# ----- ACL -----
	47	begin acl
	48
	49	dane_fail:
	50	accept condition = ${if eq {dane} {${listextract{1}{$event_name}}}}
	51	logwrite = $event_name <$event_data>
	52
	53	# ----- Routers -----
	54
	55	begin routers
	56
	57	client:
	58	driver = dnslookup
	59	condition = ${if eq {SERVER}{}}
	60	dnssec_request_domains = *
	61	self = send
	62	transport = send_to_server
	63	errors_to = ""
	64
65	server:
66	driver = redirect
67	data = :blackhole:
68
69
70	# ----- Transports -----
71
72	begin transports
73
74	send_to_server:
75	driver = smtp
76	allow_localhost
77	port = PORT_D
277b9979	78	hosts_try_fastopen = :
c4b57fdd JH	79
	80	hosts_try_dane = *
	81	hosts_require_dane = HOSTIPV4
	82	tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
	83	tls_try_verify_hosts = thishost.test.ex
	84	tls_verify_certificates = CDIR2/ca_chain.pem
	85	event_action = ${acl {dane_fail}}
	86
	87
	88
	89	# ----- Retry -----
	90
	91
	92	begin retry
	93
	94	* * F,5d,10s
	95
	96
	97	# End