# Exim test configuration 5651 # OCSP stapling, client SERVER = exim_path = EXIM_PATH keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ host_lookup_order = bydns spool_directory = DIR/spool log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME chunking_advertise_hosts = primary_hostname = server1.example.com .ifdef _HAVE_DMARC dmarc_tld_file = .endif # ----- Main settings ----- domainlist local_domains = test.ex : *.test.ex acl_smtp_rcpt = check_recipient acl_smtp_data = check_data log_selector = +tls_peerdn remote_max_parallel = 1 tls_advertise_hosts = * # Set certificate only if server tls_certificate = ${if eq {SERVER}{server}\ {DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ fail\ } tls_privatekey = ${if eq {SERVER}{server}\ {DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ fail} # from cmdline define tls_ocsp_file = OPT # ------ ACL ------ begin acl check_recipient: accept domains = +local_domains deny message = relay not permitted check_data: warn condition = ${if def:h_X-TLS-out:} logwrite = client claims: $h_X-TLS-out: accept # ----- Routers ----- begin routers client: driver = accept condition = ${if eq {SERVER}{server}{no}{yes}} retry_use_local_part transport = send_to_server${if eq{$local_part}{nostaple}{1} \ {${if eq{$local_part}{norequire} {2} \ {${if eq{$local_part}{smtps} {4}{3}}} \ }}} server: driver = redirect data = :blackhole: #retry_use_local_part #transport = local_delivery # ----- Transports ----- begin transports local_delivery: driver = appendfile file = DIR/test-mail/$local_part headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn user = CALLER send_to_server1: driver = smtp allow_localhost hosts = HOSTIPV4 port = PORT_D hosts_try_fastopen = : tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem tls_verify_cert_hostnames = hosts_require_tls = * hosts_request_ocsp = : headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ (${listextract {${eval:$tls_out_ocsp+1}} \ {notreq:notresp:vfynotdone:failed:verified}}) send_to_server2: driver = smtp allow_localhost hosts = HOSTIPV4 port = PORT_D hosts_try_fastopen = : tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem tls_verify_cert_hostnames = hosts_require_tls = * # note no ocsp mention here headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ (${listextract {${eval:$tls_out_ocsp+1}} \ {notreq:notresp:vfynotdone:failed:verified}}) send_to_server3: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D hosts_try_fastopen = : helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem tls_try_verify_hosts = tls_verify_cert_hostnames = hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ (${listextract {${eval:$tls_out_ocsp+1}} \ {notreq:notresp:vfynotdone:failed:verified}}) send_to_server4: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D hosts_try_fastopen = : helo_data = helo.data.changed #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem tls_verify_cert_hostnames = protocol = smtps hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ (${listextract {${eval:$tls_out_ocsp+1}} \ {notreq:notresp:vfynotdone:failed:verified}}) # ----- Retry ----- begin retry * * F,5d,1s # End