TLS: fix resumption for TLS-on-connect
[exim.git] / test / confs / 5892
1 # Exim test configuration 5892
2
# SERVER and OPTION default to empty so the expansions below stay valid when the
# test driver does not define them (SERVER=server selects the server-side
# router further down; OPTION is appended to openssl_options).
3 SERVER =
4 OPTION =
5
# Shared TLS prologue for the test suite. _RESUME_DECODE, used by the ACLs below,
# is not defined in this file - presumably it comes from here; confirm.
6 .include DIR/aux-var/tls_conf_prefix
7
8 primary_hostname = myhost.test.ex
9
10 # ----- Main settings -----
11
12 domainlist local_domains = test.ex : *.test.ex
13
14 acl_smtp_helo = check_helo
15 acl_smtp_rcpt = check_recipient
# +tls_resumption puts the session-resumption state on the connection log
# lines, which is what this test inspects; +outgoing_port shows which of
# PORT_D / PORT_D2 the client side used.
16 log_selector = +received_recipients +tls_resumption +tls_peerdn +outgoing_port
17
# When the OpenSSL build exposes the TLSv1.3-disable option, the driver may
# append further openssl_options through the OPTION macro (the macro name
# suggests +no_tlsv1_3; confirm in the test script).
18 .ifdef _OPT_OPENSSL_NO_TLSV1_3_X
19 openssl_options = +no_sslv2 +no_sslv3 +single_dh_use OPTION
20 .else
21 openssl_options = +no_sslv2 +no_sslv3 +single_dh_use
22 .endif
# STARTTLS is offered to every client; PORT_D2 additionally runs TLS-on-connect
# (smtps), the path the SELECTOR variant of send_to_server1 exercises.
23 tls_advertise_hosts = *
24 tls_on_connect_ports =  PORT_D2
25
26 # Server-side TLS identity (set unconditionally; main-section tls_certificate
# and tls_privatekey apply to inbound connections, and the transports below set
# no client certificate of their own). Test CA material lives under aux-fixed.
27
28 CDIR=DIR/aux-fixed/exim-ca/example.com
29
30 tls_certificate = CDIR/server1.example.com/server1.example.com.chain.pem
31 tls_privatekey =  CDIR/server1.example.com/server1.example.com.unlocked.key
32
# Server side: offer session resumption only to clients arriving from
# 127.0.0.1 (send_to_server1's target). send_to_server2 talks to HOSTIPV4,
# so presumably it is never offered resumption - the "hostnotresume" case.
33 tls_resumption_hosts = 127.0.0.1
# Deliveries run one at a time, presumably so a later connection can resume
# the session established by an earlier one.
34 remote_max_parallel = 1
35
36
37 # ------ ACL ------
38
39 begin acl
40
# Inbound HELO ACL. Once the connection is encrypted (tls_in_cipher is set),
# it records the session parameters the test compares: protocol version,
# decoded resumption state, both certificate subjects, the verification
# result, peer DN, cipher and key bits. Unencrypted HELOs reach the
# unconditional accept at the end without logging anything.
41 check_helo:
42   accept condition =    ${if def:tls_in_cipher}
43          logwrite =     tls_in_ver\t$tls_in_ver
  # listextract takes a numeric index, so $tls_in_resumption is used as a
  # position into the _RESUME_DECODE list to get a readable state name.
44          logwrite =     tls_in_resumption\t${listextract {$tls_in_resumption} {_RESUME_DECODE}}
45          logwrite =     our cert subject\t${certextract {subject}{$tls_in_ourcert}}
46          logwrite =     peer cert subject\t${certextract {subject}{$tls_in_peercert}}
  # Whether the client certificate (if any) verified; a resumed session should
  # report the same result as the original full handshake.
47          logwrite =     peer cert verified\t${tls_in_certificate_verified}
48          logwrite =     peer dn\t${tls_in_peerdn}
49          logwrite =     cipher\t${tls_in_cipher}
50          logwrite =     bits\t${tls_in_bits}
  # Plain-text connections: accept without logging.
51   accept
52
# RCPT ACL: accept only local domains, refuse everything else (no relaying).
53 check_recipient:
54   accept domains =      +local_domains
55   deny   message =      relay not permitted
56
# Outbound counterpart of check_helo, invoked via event_action from both smtp
# transports below. It fires only for the tcp:close event on an encrypted
# connection, so the logged resumption state reflects the completed session.
# No message is set, so the ${acl ...} expansion in event_action yields an
# empty string; other events fall through without a verdict (presumably
# ignored for event_action - confirm).
57 log_resumption:
58   accept condition =    ${if def:tls_out_cipher}
59          condition =    ${if eq {$event_name}{tcp:close}}
60          logwrite =     tls_out_ver\t$tls_out_ver
  # Note: label and value are separated by a space here, not \t as on the
  # other lines; the test's expected log output presumably depends on this.
61          logwrite =     tls_out_resumption ${listextract {$tls_out_resumption} {_RESUME_DECODE}}
62          logwrite =     our cert subject\t${certextract {subject}{$tls_out_ourcert}}
63          logwrite =     peer cert subject\t${certextract {subject}{$tls_out_peercert}}
  # With tls_try_verify_hosts a failed verification is only reported here,
  # it does not abort the delivery.
64          logwrite =     peer cert verified\t${tls_out_certificate_verified}
65          logwrite =     peer dn\t${tls_out_peerdn}
66          logwrite =     cipher\t${tls_out_cipher}
67          logwrite =     bits\t${tls_out_bits}
68
69
70 # ----- Routers -----
71
72 begin routers
73
# Client-side router: active unless the SERVER macro is "server". Local part
# "hostnotresume" goes via send_to_server2 (HOSTIPV4, no resumption); every
# other local part via send_to_server1 (127.0.0.1).
74 client:
75   driver =      accept
76   condition =   ${if eq {SERVER}{server}{no}{yes}}
77   transport =   send_to_server${if eq{$local_part}{hostnotresume}{2}{1}}
78
# Server-side router: reached when the client router's condition is false
# (SERVER=server). Accepted mail is discarded; the test only cares about the
# TLS parameters logged by the ACLs.
79 server:
80   driver = redirect
81   data = :blackhole:
82
83 # ----- Transports -----
84
85 begin transports
86
# Primary client transport to 127.0.0.1. SELECTOR, HELO_MSG and VALUE are
# macros that are undefined unless the test driver supplies them, so each
# .ifdef selects a variant of the same transport.
87 send_to_server1:
88   driver =                      smtp
89   allow_localhost
90   hosts =                       127.0.0.1
  # SELECTOR defined: TLS-on-connect on PORT_D2 (the case fixed by this
  # commit). Otherwise PORT_D, where TLS is negotiated via STARTTLS.
91 .ifdef SELECTOR
92   port =                        PORT_D2
93   protocol =                    smtps
94   # Use HELO purely to get a P= different on the server <= line
95   hosts_avoid_esmtp =           *
96 .else
97   port =                        PORT_D
98 .endif
99   helo_data =                   helo.data.changed
  # HELO_MSG, when defined, overrides how the peer's announced name is
  # extracted from its greeting; presumably it feeds the resumption keying -
  # confirm against the test script.
100 .ifdef HELO_MSG
101   host_name_extract =           HELO_MSG
102 .endif
  # VALUE defined: the client attempts session resumption with every host;
  # otherwise the empty list disables client-side resumption entirely.
103 .ifdef VALUE
104   tls_resumption_hosts =        *
105 .else
106   tls_resumption_hosts =        :
107 .endif
108   tls_verify_certificates =     CDIR/CA/CA.pem
  # Hostname checking is switched off for local parts starting "noverify";
  # since the server presents server1.example.com while we connect to
  # 127.0.0.1, the other local parts presumably exercise the mismatch path.
109   tls_verify_cert_hostnames =   ${if match {$local_part}{^noverify} {*}{:}}
  # Verification is opportunistic: a failure is logged by log_resumption but
  # the delivery still proceeds. This is deliberate test behaviour; a
  # production config would use tls_verify_hosts to make it mandatory.
110   tls_try_verify_hosts =        *
111   event_action =                ${acl {log_resumption}}
112
# Transport for the "hostnotresume" local part: connects to HOSTIPV4 rather
# than 127.0.0.1 (so the server's tls_resumption_hosts should not match),
# always via PORT_D, with TCP Fast Open disabled. It sets no
# tls_resumption_hosts or tls_try_verify_hosts of its own, so the option
# defaults apply; hostname verification is off for all hosts.
113 send_to_server2:
114   driver =                      smtp
115   allow_localhost
116   hosts =                       HOSTIPV4
117   port =                        PORT_D
118   hosts_try_fastopen =          :
119   tls_verify_certificates =     CDIR/CA/CA.pem
120   tls_verify_cert_hostnames =   :
121   event_action =                ${acl {log_resumption}}
122
123
124 # ----- Retry -----
125
126
127 begin retry
128
# All addresses, all error types: retry at a fixed 10 second interval for up
# to 5 days.
129 * * F,5d,10s
130
131
132 # End