# Exim test configuration 2112
# TLS client: verify certificate from server - fails
#
# One file serves both ends of the test. SERVER is empty by default (client
# role); the server-only settings below apply when it is defined as "server"
# (presumably by the test script on the command line - confirm).

SERVER=

.include DIR/aux-var/tls_conf_prefix

primary_hostname = myhost.test.ex

FX = DIR/aux-fixed
S1 = FX/exim-ca/example.com/server1.example.com

# CA1/CERT1/KEY1 all live under S1; CA1 is presumably the chain that issued
# CERT1 (confirm against the fixture tree).
CA1 = S1/ca_chain.pem
CERT1 = S1/server1.example.com.pem
KEY1 = S1/server1.example.com.unlocked.key

# CA2/CERT2/KEY2 all expand to the same file, FX/cert2. KEY2 is defined but
# the transports below name CERT2 for tls_privatekey; the result is the same.
CA2 = FX/cert2
CERT2 = FX/cert2
KEY2 = FX/cert2

# ----- Main settings -----

# Test fixture: every recipient is accepted unconditionally.
acl_smtp_rcpt = accept

# Log the peer DN and the certificate-verified flag so the test output shows
# which deliveries were verified.
log_selector = +tls_peerdn+tls_certificate_verified +received_recipients

queue_only
queue_run_in_order

tls_advertise_hosts = *

# Certificate and key are set only in the server role; in the client role
# the expansion is forced to fail.
tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}

# Server side: a client certificate is demanded from every host and checked
# against CERT2, which is the certificate each client transport presents.
tls_verify_hosts = *
tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}


# ----- Routers -----

begin routers

# Server role only: discard whatever was received.
server_dump:
  driver = redirect
  condition = ${if eq {SERVER}{server}{yes}{no}}
  data = :blackhole:

# Client role: each local part selects the transport for one verification
# scenario.
client_x:
  driver = accept
  local_parts = userx
  retry_use_local_part
  transport = send_to_server_failcert
  errors_to = ""

client_y:
  driver = accept
  local_parts = usery
  retry_use_local_part
  transport = send_to_server_retry

client_z:
  driver = accept
  local_parts = userz
  retry_use_local_part
  transport = send_to_server_crypt

client_q:
  driver = accept
  local_parts = userq
  retry_use_local_part
  transport = send_to_server_req_fail

client_r:
  driver = accept
  local_parts = userr
  retry_use_local_part
  transport = send_to_server_req_failname

client_s:
  driver = accept
  local_parts = user_s
  retry_use_local_part
  transport = send_to_server_req_passname


# ----- Transports -----

begin transports

# Expected outcome: the certificate offered at HOSTIPV4 does not verify, so
# the encryption requirement (hosts_require_tls) cannot be met.
# The trust anchor is CA2, whereas the server presents CERT1.
send_to_server_failcert:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  hosts_try_fastopen = :
  hosts_require_tls = HOSTIPV4
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA2
  tls_try_verify_hosts =
  tls_verify_cert_hostnames =

# Expected outcome: verification fails at HOSTIPV4 so the encryption
# requirement fails there; the retry on 127.0.0.1 then succeeds.
# The trust anchor is chosen per host: CA1 for 127.0.0.1, CA2 otherwise.
# Only HOSTIPV4 is listed in hosts_require_tls.
send_to_server_retry:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4 : 127.0.0.1
  port = PORT_D
  hosts_try_fastopen = :
  hosts_require_tls = HOSTIPV4
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = \
    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
  tls_try_verify_hosts =
  tls_verify_cert_hostnames =

# Expected outcome: verification fails but delivery continues, encrypted yet
# unverified. tls_try_verify_hosts makes verification best-effort, so the
# session gives confidentiality against passive observers only; the peer's
# identity is not established.
send_to_server_crypt:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  hosts_try_fastopen = :
  hosts_require_tls = HOSTIPV4
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA2
  tls_try_verify_hosts = *
  tls_verify_cert_hostnames =

# Expected outcome: verification fails at HOSTIPV4 and delivery falls back
# to an unencrypted connection.
# Verification is mandatory (tls_verify_hosts = *) but hosts_require_tls is
# not set, so nothing forbids the cleartext fallback. A deployment that must
# not downgrade would also list the host in hosts_require_tls, as the
# transports above do.
send_to_server_req_fail:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  hosts_try_fastopen = :
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA2
  tls_verify_hosts = *
  tls_verify_cert_hostnames =

# Expected outcome: the certificate name check fails and delivery falls back
# to an unencrypted connection.
# The trust anchor is CA1 here; the names listed do not include
# server1.example.com. As in send_to_server_req_fail, hosts_require_tls is
# not set.
send_to_server_req_failname:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  hosts_try_fastopen = :
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA1
  tls_verify_cert_hostnames = server1.example.net : server1.example.org
  tls_verify_hosts = *

# Expected outcome: certificate verification passes, including the name
# check. The trust anchor is CA1 and server1.example.com is among the names.
send_to_server_req_passname:
  driver = smtp
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  hosts_try_fastopen = :
  tls_certificate = CERT2
  tls_privatekey = CERT2

  tls_verify_certificates = CA1
  tls_verify_cert_hostnames = noway.example.com : server1.example.com
  tls_verify_hosts = *


# End