### No certificate, certificate required Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:[...]:SSL alert number 40 Failed to start TLS >>> noop ????554 Security failure >>> noop ??? 554 Security failure <<< 554 Security failure >>> quit ????554 Security failure ????221 ???* Expected EOF read End of script ### No certificate, certificate optional at TLS time, required by ACL Connecting to 127.0.0.1 port 1225 ... connected ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS SSL connection using ke-RSA-AES256-SHA Succeeded in starting TLS >>> helo rhu.barb ??? 250 <<< 250 myhost.test.ex Hello rhu.barb [127.0.0.1] >>> mail from: ??? 250 <<< 250 OK >>> rcpt to: ??? 550 <<< 550 certificate not verified: peerdn= >>> quit ??? 221 <<< 221 myhost.test.ex closing connection End of script ### Good certificate, certificate required Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS SSL connection using ke-RSA-AES256-SHA Succeeded in starting TLS >>> mail from: ??? 250 <<< 250 OK >>> rcpt to: ??? 250 <<< 250 Accepted >>> quit ??? 221 <<< 221 myhost.test.ex closing connection End of script ### Good certificate, certificate optional at TLS time, checked by ACL Connecting to 127.0.0.1 port 1225 ... connected Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS SSL connection using ke-RSA-AES256-SHA Succeeded in starting TLS >>> mail from: ??? 250 <<< 250 OK >>> rcpt to: ??? 250 <<< 250 Accepted >>> quit ??? 221 <<< 221 myhost.test.ex closing connection End of script ### Bad certificate, certificate required Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS pppp:error:dddddddd:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:[...]:SSL alert number 48 Failed to start TLS >>> noop ????554 Security failure >>> noop ??? 554 Security failure <<< 554 Security failure End of script ### Bad certificate, certificate optional at TLS time, reject at ACL time Connecting to 127.0.0.1 port 1225 ... connected Certificate file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem Key file = aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS SSL connection using ke-RSA-AES256-SHA Succeeded in starting TLS >>> mail from: ??? 250 <<< 250 OK >>> rcpt to: ??? 550 <<< 550 certificate not verified: peerdn=/CN=server1.example.net >>> quit ??? 221 <<< 221 myhost.test.ex closing connection End of script ### Otherwise good but revoked certificate, certificate required Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS pppp:error:dddddddd:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked:[...]:SSL alert number 44 Failed to start TLS >>> noop ????554 Security failure >>> noop ??? 554 Security failure <<< 554 Security failure End of script ### Revoked certificate, certificate optional at TLS time, reject at ACL time Connecting to 127.0.0.1 port 1225 ... connected Certificate file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem Key file = aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [127.0.0.1] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS SSL connection using ke-RSA-AES256-SHA Succeeded in starting TLS >>> mail from: ??? 250 <<< 250 OK >>> rcpt to: ??? 550 <<< 550 certificate not verified: peerdn=/CN=revoked1.example.com >>> quit ??? 221 <<< 221 myhost.test.ex closing connection End of script ### Good certificate, certificate required - but nonmatching CRL also present Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected Certificate file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem Key file = aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> ehlo rhu.barb ??? 250- <<< 250-myhost.test.ex Hello rhu.barb [ip4.ip4.ip4.ip4] ??? 250- <<< 250-SIZE 52428800 ??? 250- <<< 250-8BITMIME ??? 250- <<< 250-PIPELINING ??? 250- <<< 250-STARTTLS ??? 250 <<< 250 HELP >>> starttls ??? 220 <<< 220 TLS go ahead Attempting to start TLS SSL connection using ke-RSA-AES256-SHA Succeeded in starting TLS >>> mail from: ??? 250 <<< 250 OK >>> rcpt to: ??? 250 <<< 250 Accepted >>> quit ??? 221 <<< 221 myhost.test.ex closing connection End of script ******** SERVER ******** ### No certificate, certificate required ### No certificate, certificate optional at TLS time, required by ACL ### Good certificate, certificate required ### Good certificate, certificate optional at TLS time, checked by ACL ### Bad certificate, certificate required ### Bad certificate, certificate optional at TLS time, reject at ACL time ### Otherwise good but revoked certificate, certificate required ### Revoked certificate, certificate optional at TLS time, reject at ACL time ### Good certificate, certificate required - but nonmatching CRL also present