DANE: fix TA-mode verify under GnuTLS. Bug 2311
[exim.git] / test / confs / 2032
1 # Exim test configuration 2032 (close copy of 2002)
2
3 .include DIR/aux-var/tls_conf_prefix
4
5 primary_hostname = myhost.test.ex
6
7 # ----- Main settings -----
8
9 acl_smtp_rcpt = check_recipient
10
11 log_selector = +tls_peerdn
12
13 queue_only
14 queue_run_in_order
15
16 tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
17
18 tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
19 tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
20
21 tls_verify_hosts = HOSTIPV4
22 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
23
24
25 # ------ ACL ------
26
27 begin acl
28
29 check_recipient:
30   accept  hosts = :
31   deny    hosts = HOSTIPV4
32          !encrypted = AES256-SHA : \
33                       AES256-GCM-SHA384 : \
34                       IDEA-CBC-MD5 : \
35                       DES-CBC3-SHA : \
36                       DHE_RSA_AES_256_CBC_SHA1 : \
37                       DHE_RSA_3DES_EDE_CBC_SHA : \
38                       RSA_AES_256_CBC_SHA1
39   warn    logwrite =  ${if def:tls_in_ourcert \
40                 {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
41                 {We did not present a cert}}
42   accept  condition = ${if !def:tls_in_peercert}
43           logwrite =  Peer did not present a cert
44   accept  logwrite =  SN  <${certextract {subject}      {$tls_in_peercert}}>
45
46
47 # ----- Routers -----
48
49 begin routers
50
51 abc:
52   driver = accept
53   retry_use_local_part
54   transport = local_delivery
55   headers_add = tls-certificate-verified: $tls_certificate_verified
56
57
58 # ----- Transports -----
59
60 begin transports
61
62 local_delivery:
63   driver = appendfile
64   file = DIR/test-mail/$local_part
65   headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
66   user = CALLER
67
68 # End