# TLS server: mandatory, optional, and revoked certificates exim -DSERVER=server -bd -oX PORT_D **** ### No certificate, certificate required client-ssl -t2 HOSTIPV4 PORT_D ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 noop ????554 Security failure noop ??? 554 Security failure quit ????554 Security failure ????221 ???* **** ### No certificate, certificate optional at TLS time, required by ACL client-ssl 127.0.0.1 PORT_D ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo rhu.barb ??? 250 mail from: ??? 250 rcpt to: ??? 550 quit ??? 221 **** ### Good certificate, certificate required client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 250 quit ??? 221 **** ### Good certificate, certificate optional at TLS time, checked by ACL client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 250 quit ??? 221 **** ### Bad certificate, certificate required client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 noop ????554 Security failure noop ??? 554 Security failure **** ### Bad certificate, certificate optional at TLS time, reject at ACL time client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 550 quit ??? 221 **** killdaemon # # # # exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.chain.pem -DSERVER=server -bd -oX PORT_D **** ### Otherwise good but revoked certificate, certificate required client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 noop ????554 Security failure noop ??? 554 Security failure **** ### Revoked certificate, certificate optional at TLS time, reject at ACL time client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 550 quit ??? 221 **** ### Good certificate, certificate required - but nonmatching CRL also present client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key ??? 220 ehlo rhu.barb ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250- ??? 250 starttls ??? 220 helo test ??? 250 mail from: ??? 250 rcpt to: ??? 250 quit ??? 221 **** killdaemon