test/confs/2112

   1 # Exim test configuration 2112
   2 # TLS client: verify certificate from server - fails
   3
   4 SERVER=
   5
   6 .include DIR/aux-var/tls_conf_prefix
   7
   8 primary_hostname = myhost.test.ex
   9
  10 FX = DIR/aux-fixed
  11 S1 = FX/exim-ca/example.com/server1.example.com
  12
  13 CA1 =   S1/ca_chain.pem
  14 CERT1 = S1/server1.example.com.pem
  15 KEY1 =  S1/server1.example.com.unlocked.key
  16 CA2 =   FX/cert2
  17 CERT2 = FX/cert2
  18 KEY2 =  FX/cert2
  19
  20 # ----- Main settings -----
  21
  22 acl_smtp_rcpt = accept
  23
  24 log_selector =  +tls_peerdn+tls_certificate_verified +received_recipients
  25
  26 queue_only
  27 queue_run_in_order
  28
  29 tls_advertise_hosts = *
  30
  31 # Set certificate only if server
  32
  33 tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
  34 tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
  35
  36 tls_verify_hosts = *
  37 tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
  38
  39
  40 # ----- Routers -----
  41
  42 begin routers
  43
  44 server_dump:
  45   driver = redirect
  46   condition = ${if eq {SERVER}{server}{yes}{no}}
  47   data = :blackhole:
  48
  49 client_x:
  50   driver = accept
  51   local_parts = userx
  52   retry_use_local_part
  53   transport = send_to_server_failcert
  54   errors_to = ""
  55
  56 client_y:
  57   driver = accept
  58   local_parts = usery
  59   retry_use_local_part
  60   transport = send_to_server_retry
  61
  62 client_z:
  63   driver = accept
  64   local_parts = userz
  65   retry_use_local_part
  66   transport = send_to_server_crypt
  67
  68 client_q:
  69   driver = accept
  70   local_parts = userq
  71   retry_use_local_part
  72   transport = send_to_server_req_fail
  73
  74 client_r:
  75   driver = accept
  76   local_parts = userr
  77   retry_use_local_part
  78   transport = send_to_server_req_failname
  79
  80 client_s:
  81   driver = accept
  82   local_parts = users
  83   retry_use_local_part
  84   transport = send_to_server_req_passname
  85
  86
  87 # ----- Transports -----
  88
  89 begin transports
  90
  91 # this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
  92 send_to_server_failcert:
  93   driver = smtp
  94   allow_localhost
  95   hosts = HOSTIPV4
  96   hosts_require_tls = HOSTIPV4
  97   port = PORT_D
  98   tls_certificate = CERT2
  99   tls_privatekey = CERT2
 100
 101   tls_verify_certificates = CA2
 102   tls_try_verify_hosts =
 103   tls_verify_cert_hostnames =
 104
 105 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
 106 send_to_server_retry:
 107   driver = smtp
 108   allow_localhost
 109   hosts = HOSTIPV4 : 127.0.0.1
 110   hosts_require_tls = HOSTIPV4
 111   port = PORT_D
 112   tls_certificate = CERT2
 113   tls_privatekey = CERT2
 114
 115   tls_verify_certificates = \
 116     ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
 117   tls_try_verify_hosts =
 118   tls_verify_cert_hostnames =
 119
 120 # this will fail to verify the cert but continue unverified though crypted
 121 send_to_server_crypt:
 122   driver = smtp
 123   allow_localhost
 124   hosts = HOSTIPV4
 125   hosts_require_tls = HOSTIPV4
 126   port = PORT_D
 127   tls_certificate = CERT2
 128   tls_privatekey = CERT2
 129
 130   tls_verify_certificates = CA2
 131   tls_try_verify_hosts = *
 132   tls_verify_cert_hostnames =
 133
 134 # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
 135 send_to_server_req_fail:
 136   driver = smtp
 137   allow_localhost
 138   hosts = HOSTIPV4
 139   port = PORT_D
 140   tls_certificate = CERT2
 141   tls_privatekey = CERT2
 142
 143   tls_verify_certificates = CA2
 144   tls_verify_hosts = *
 145   tls_verify_cert_hostnames =
 146
 147 # this will fail to verify the cert name and fallback to unencrypted
 148 send_to_server_req_failname:
 149    driver = smtp
 150    allow_localhost
 151    hosts = HOSTIPV4
 152    port = PORT_D
 153    tls_certificate = CERT2
 154    tls_privatekey = CERT2
 155
 156    tls_verify_certificates = CA1
 157    tls_verify_cert_hostnames = server1.example.net : server1.example.org
 158    tls_verify_hosts = *
 159
 160 # this will pass the cert verify including name check
 161 send_to_server_req_passname:
 162    driver = smtp
 163    allow_localhost
 164    hosts = HOSTIPV4
 165    port = PORT_D
 166    tls_certificate = CERT2
 167    tls_privatekey = CERT2
 168
 169    tls_verify_certificates = CA1
 170    tls_verify_cert_hostnames = noway.example.com : server1.example.com
 171    tls_verify_hosts = *
 172
 173 # End