1 # Exim test configuration 2012
2 # TLS client: verify certificate from server - fails
8 host_lookup_order = bydns
9 primary_hostname = myhost.test.ex
10 rfc1413_query_timeout = 0s
11 spool_directory = DIR/spool
12 log_file_path = DIR/spool/log/SERVER%slog
14 gecos_name = CALLER_NAME
17 S1 = FX/exim-ca/example.com/server1.example.com
20 CERT1 = S1/server1.example.com.pem
21 KEY1 = S1/server1.example.com.unlocked.key
26 # ----- Main settings -----
28 acl_smtp_rcpt = accept
30 log_selector = +tls_peerdn+tls_certificate_verified
35 tls_advertise_hosts = *
37 # Set certificate only if server
39 tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
40 tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
43 tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
52 condition = ${if eq {SERVER}{server}{yes}{no}}
59 transport = send_to_server_failcert
66 transport = send_to_server_retry
72 transport = send_to_server_crypt
78 transport = send_to_server_req_fail
84 transport = send_to_server_req_failname
90 transport = send_to_server_req_passname
93 # ----- Transports -----
97 # this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
98 send_to_server_failcert:
102 hosts_require_tls = HOSTIPV4
104 tls_certificate = CERT2
105 tls_privatekey = CERT2
107 tls_verify_certificates = CA2
109 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
110 send_to_server_retry:
113 hosts = HOSTIPV4 : 127.0.0.1
114 hosts_require_tls = HOSTIPV4
116 tls_certificate = CERT2
117 tls_privatekey = CERT2
119 tls_verify_certificates = \
120 ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
122 # this will fail to verify the cert but continue unverified though crypted
123 send_to_server_crypt:
127 hosts_require_tls = HOSTIPV4
129 tls_certificate = CERT2
130 tls_privatekey = CERT2
132 tls_verify_certificates = CA2
133 tls_try_verify_hosts = *
135 # this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
136 send_to_server_req_fail:
141 tls_certificate = CERT2
142 tls_privatekey = CERT2
144 tls_verify_certificates = CA2
147 # this will fail to verify the cert name and fallback to unencrypted
148 send_to_server_req_failname:
153 tls_certificate = CERT2
154 tls_privatekey = CERT2
156 tls_verify_certificates = CA1
157 tls_verify_cert_hostnames = server1.example.net : server1.example.org
160 # this will pass the cert verify including name check
161 send_to_server_req_passname:
166 tls_certificate = CERT2
167 tls_privatekey = CERT2
169 tls_verify_certificates = CA1
170 tls_verify_cert_hostnames = noway.example.com : server1.example.com