test/confs/5841

   1 # Exim test configuration 5841
   2 # DANE/OpenSSL - ciphers option
   3
   4 SERVER=
   5 LIST=
   6
   7 .include DIR/aux-var/tls_conf_prefix
   8
   9 primary_hostname = myhost.test.ex
  10
  11 # ----- Main settings -----
  12
  13 acl_smtp_rcpt = accept logwrite = "rcpt ACL"
  14
  15 log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
  16
  17 tls_advertise_hosts = *
  18
  19 # Set certificate only if server
  20 CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
  21
  22 tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
  23 tls_privatekey =  ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
  24
  25 # Permit two specific ciphers
  26 tls_require_ciphers = DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-GCM-SHA384
  27
  28 # Force TLS1.2 so that the ciphers choice works
  29
  30 .ifdef _OPT_OPENSSL_NO_TLSV1_3_X
  31 openssl_options = +no_tlsv1_3
  32 .endif
  33
  34 # ----- Routers -----
  35 begin routers
  36
  37 client:
  38   driver =              dnslookup
  39   condition =           ${if eq {SERVER}{}}
  40   ignore_target_hosts = <; 0::0/0
  41   dnssec_request_domains = *
  42   self =                send
  43   transport =           send_to_server
  44   errors_to =           ""
  45
  46 server:
  47   driver =              redirect
  48   data =                :blackhole:
  49
  50 # ----- Transports -----
  51 begin transports
  52
  53 send_to_server:
  54   driver =                      smtp
  55   allow_localhost
  56   port =                        PORT_D
  57   hosts_try_dane =              *
  58   tls_verify_certificates =     CDIR2/ca_chain.pem
  59
  60   # Some commonly-available cipher, we hope
  61   tls_require_ciphers =         ECDHE-RSA-AES256-GCM-SHA384
  62   dane_require_tls_ciphers =    LIST
  63
  64 # ----- Retry -----
  65 begin retry
  66 * * F,5d,10s
  67
  68 # End