[exim.git] / test / confs / 2112

# Exim test configuration 2112
# TLS client: verify certificate from server - fails

SERVER=

.include DIR/aux-var/tls_conf_prefix

primary_hostname = myhost.test.ex

FX = DIR/aux-fixed
S1 = FX/exim-ca/example.com/server1.example.com

CA1 =   S1/ca_chain.pem 
CERT1 = S1/server1.example.com.pem
KEY1 =  S1/server1.example.com.unlocked.key
CA2 =   FX/cert2
CERT2 = FX/cert2
KEY2 =  FX/cert2

# ----- Main settings -----

acl_smtp_rcpt = accept

log_selector =  +tls_peerdn+tls_certificate_verified +received_recipients

queue_only
queue_run_in_order

tls_advertise_hosts = *

# Set certificate only if server

tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}

tls_verify_hosts = *
tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}


# ----- Routers -----

begin routers

server_dump:
  driver = redirect
  condition = ${if eq {SERVER}{server}{yes}{no}}
  data = :blackhole:

client_x:
  driver = accept
  local_parts = userx
  retry_use_local_part
  transport = send_to_server_failcert
  errors_to = ""

client_y:
  driver = accept
  local_parts = usery
  retry_use_local_part
  transport = send_to_server_retry

client_z:
  driver = accept
  local_parts = userz
  retry_use_local_part
  transport = send_to_server_crypt

client_q:
  driver = accept
  local_parts = userq
  retry_use_local_part
  transport = send_to_server_req_fail

client_r:
  driver = accept
  local_parts = userr
  retry_use_local_part
  transport = send_to_server_req_failname

client_s:
  driver = accept
  local_parts = users
  retry_use_local_part
  transport = send_to_server_req_passname


# ----- Transports -----

begin transports

# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
send_to_server_failcert:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  hosts_require_tls = HOSTIPV4
  port = PORT_D
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA2
  tls_try_verify_hosts =
  tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4 : 127.0.0.1
  hosts_require_tls = HOSTIPV4
  port = PORT_D
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = \
    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
  tls_try_verify_hosts =
  tls_verify_cert_hostnames =

# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  hosts_require_tls = HOSTIPV4
  port = PORT_D
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA2
  tls_try_verify_hosts = *
  tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA2
  tls_verify_hosts = *
  tls_verify_cert_hostnames =

# this will fail to verify the cert name and fallback to unencrypted
send_to_server_req_failname:
   driver = smtp
   allow_localhost
   hosts = HOSTIPV4
   port = PORT_D
   tls_certificate = CERT2
   tls_privatekey = CERT2
 
   tls_verify_certificates = CA1
   tls_verify_cert_hostnames = server1.example.net : server1.example.org
   tls_verify_hosts = *
 
# this will pass the cert verify including name check
send_to_server_req_passname:
   driver = smtp
   allow_localhost
   hosts = HOSTIPV4
   port = PORT_D
   tls_certificate = CERT2
   tls_privatekey = CERT2
 
   tls_verify_certificates = CA1
   tls_verify_cert_hostnames = noway.example.com : server1.example.com
   tls_verify_hosts = *

# End
Commit	Line	Data
	1	# Exim test configuration 2112
	2	# TLS client: verify certificate from server - fails
	3
	4	SERVER=
	5
	6	.include DIR/aux-var/tls_conf_prefix
	7
	8	primary_hostname = myhost.test.ex
	9
	10	FX = DIR/aux-fixed
	11	S1 = FX/exim-ca/example.com/server1.example.com
	12
	13	CA1 = S1/ca_chain.pem
	14	CERT1 = S1/server1.example.com.pem
	15	KEY1 = S1/server1.example.com.unlocked.key
	16	CA2 = FX/cert2
	17	CERT2 = FX/cert2
	18	KEY2 = FX/cert2
	19
	20	# ----- Main settings -----
	21
	22	acl_smtp_rcpt = accept
	23
	24	log_selector = +tls_peerdn+tls_certificate_verified +received_recipients
	25
	26	queue_only
	27	queue_run_in_order
	28
	29	tls_advertise_hosts = *
	30
	31	# Set certificate only if server
	32
	33	tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
	34	tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
	35
	36	tls_verify_hosts = *
	37	tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
	38
	39
	40	# ----- Routers -----
	41
	42	begin routers
	43
	44	server_dump:
	45	driver = redirect
	46	condition = ${if eq {SERVER}{server}{yes}{no}}
	47	data = :blackhole:
	48
	49	client_x:
	50	driver = accept
	51	local_parts = userx
	52	retry_use_local_part
	53	transport = send_to_server_failcert
	54	errors_to = ""
	55
	56	client_y:
	57	driver = accept
	58	local_parts = usery
	59	retry_use_local_part
	60	transport = send_to_server_retry
	61
	62	client_z:
	63	driver = accept
	64	local_parts = userz
	65	retry_use_local_part
	66	transport = send_to_server_crypt
	67
	68	client_q:
	69	driver = accept
	70	local_parts = userq
	71	retry_use_local_part
	72	transport = send_to_server_req_fail
	73
	74	client_r:
	75	driver = accept
	76	local_parts = userr
	77	retry_use_local_part
	78	transport = send_to_server_req_failname
	79
	80	client_s:
	81	driver = accept
	82	local_parts = users
	83	retry_use_local_part
	84	transport = send_to_server_req_passname
	85
	86
	87	# ----- Transports -----
	88
	89	begin transports
	90
	91	# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
	92	send_to_server_failcert:
	93	driver = smtp
	94	allow_localhost
	95	hosts = HOSTIPV4
	96	hosts_require_tls = HOSTIPV4
	97	port = PORT_D
	98	tls_certificate = CERT2
	99	tls_privatekey = CERT2
	100
	101	tls_verify_certificates = CA2
	102	tls_try_verify_hosts =
	103	tls_verify_cert_hostnames =
	104
	105	# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
	106	send_to_server_retry:
	107	driver = smtp
	108	allow_localhost
	109	hosts = HOSTIPV4 : 127.0.0.1
	110	hosts_require_tls = HOSTIPV4
	111	port = PORT_D
	112	tls_certificate = CERT2
	113	tls_privatekey = CERT2
	114
	115	tls_verify_certificates = \
	116	${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
	117	tls_try_verify_hosts =
	118	tls_verify_cert_hostnames =
	119
	120	# this will fail to verify the cert but continue unverified though crypted
	121	send_to_server_crypt:
	122	driver = smtp
	123	allow_localhost
	124	hosts = HOSTIPV4
	125	hosts_require_tls = HOSTIPV4
	126	port = PORT_D
	127	tls_certificate = CERT2
	128	tls_privatekey = CERT2
	129
	130	tls_verify_certificates = CA2
	131	tls_try_verify_hosts = *
	132	tls_verify_cert_hostnames =
	133
	134	# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
	135	send_to_server_req_fail:
	136	driver = smtp
	137	allow_localhost
	138	hosts = HOSTIPV4
	139	port = PORT_D
	140	tls_certificate = CERT2
	141	tls_privatekey = CERT2
	142
	143	tls_verify_certificates = CA2
	144	tls_verify_hosts = *
	145	tls_verify_cert_hostnames =
	146
	147	# this will fail to verify the cert name and fallback to unencrypted
	148	send_to_server_req_failname:
	149	driver = smtp
	150	allow_localhost
	151	hosts = HOSTIPV4
	152	port = PORT_D
	153	tls_certificate = CERT2
	154	tls_privatekey = CERT2
	155
	156	tls_verify_certificates = CA1
	157	tls_verify_cert_hostnames = server1.example.net : server1.example.org
	158	tls_verify_hosts = *
	159
	160	# this will pass the cert verify including name check
	161	send_to_server_req_passname:
	162	driver = smtp
	163	allow_localhost
	164	hosts = HOSTIPV4
	165	port = PORT_D
	166	tls_certificate = CERT2
	167	tls_privatekey = CERT2
	168
	169	tls_verify_certificates = CA1
	170	tls_verify_cert_hostnames = noway.example.com : server1.example.com
	171	tls_verify_hosts = *
	172
	173	# End