test/confs/5861

   1 # Exim test configuration 5890
   2 # DANE/fail-events
   3
   4 SERVER=
   5
   6 .include DIR/aux-var/tls_conf_prefix
   7
   8 primary_hostname = myhost.test.ex
   9
  10 # ----- Main settings -----
  11
  12 .ifndef OPT
  13 acl_smtp_rcpt = accept logwrite = "rcpt ACL"
  14 .else
  15 acl_smtp_rcpt = accept verify = recipient/callout
  16 .endif
  17
  18 log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
  19
  20 queue_run_in_order
  21
  22 tls_advertise_hosts = *
  23
  24 .ifdef _HAVE_GNUTLS
  25 # needed to force generation
  26 tls_dhparam = historic
  27 .endif
  28
  29 # Set certificate only if server
  30 CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
  31 CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
  32
  33
  34 tls_certificate = ${if eq {SERVER}{server} \
  35         {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
  36                 {CDIR2/fullchain.pem}\
  37                 {CDIR1/fullchain.pem}}}\
  38         fail}
  39
  40 tls_privatekey = ${if eq {SERVER}{server} \
  41         {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
  42                 {CDIR2/server1.example.com.unlocked.key}\
  43                 {CDIR1/server1.example.net.unlocked.key}}}\
  44         fail}
  45
  46 # ----- ACL -----
  47 begin acl
  48
  49 dane_fail:
  50   accept        condition =     ${if eq {dane} {${listextract{1}{$event_name}}}}
  51                 logwrite =      $event_name <$event_data>
  52
  53 # ----- Routers -----
  54
  55 begin routers
  56
  57 client:
  58   driver =              dnslookup
  59   condition =           ${if eq {SERVER}{}}
  60   dnssec_request_domains = *
  61   self =                send
  62   transport =           send_to_server
  63   errors_to =           ""
  64
  65 server:
  66   driver = redirect
  67   data = :blackhole:
  68
  69
  70 # ----- Transports -----
  71
  72 begin transports
  73
  74 send_to_server:
  75   driver = smtp
  76   allow_localhost
  77   port = PORT_D
  78
  79   hosts_try_dane =     *
  80   hosts_require_dane = HOSTIPV4
  81   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
  82   tls_try_verify_hosts = thishost.test.ex
  83   tls_verify_certificates = CDIR2/ca_chain.pem
  84   event_action =        ${acl {dane_fail}}
  85
  86
  87
  88 # ----- Retry -----
  89
  90
  91 begin retry
  92
  93 * * F,5d,10s
  94
  95
  96 # End