test/confs/5670

   1 # Exim test configuration 5655
   2 # OCSP stapling, server, multiple chain-element OCSP.  Both GnuTLS and OpenSSL.
   3
   4 .include DIR/aux-var/tls_conf_prefix
   5
   6 primary_hostname = server1.example.com
   7
   8 # ----- Main settings -----
   9
  10 acl_smtp_mail = check_mail
  11 acl_smtp_rcpt = check_recipient
  12
  13 log_selector = +tls_peerdn
  14
  15 queue_only
  16 queue_run_in_order
  17
  18 tls_advertise_hosts = *
  19
  20 CADIR = DIR/aux-fixed/exim-ca
  21 DRSA = CADIR/example.com
  22 DECDSA = CADIR/example_ec.com
  23
  24 tls_certificate = DRSA/server1.example.com/fullchain.pem
  25 tls_privatekey =  DRSA/server1.example.com/server1.example.com.unlocked.key
  26
  27 .ifndef CONTROL
  28 tls_ocsp_file =   PEM DRSA/server1.example.com/fullchain.ocsp.resp.pem
  29 .else
  30 tls_ocsp_file =   PEM DIR/tmp/ocsp/double_r.ocsp.pem
  31 .endif
  32
  33
  34 .ifdef _HAVE_GNUTLS
  35 tls_require_ciphers = ${if eq {TRUSTED}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}}
  36 .endif
  37 .ifdef _HAVE_OPENSSL
  38 .ifdef  TRUSTED
  39 openssl_options = ${if eq {TRUSTED}{TLS1.2} {+no_tlsv1_3} {}}
  40 .endif
  41 .endif
  42
  43 # ------ ACL ------
  44
  45 begin acl
  46
  47 check_mail:
  48   accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
  49     (${listextract {${eval:$tls_in_ocsp+1}} \
  50                 {notreq:notresp:vfynotdone:failed:verified}})
  51
  52 check_recipient:
  53   accept
  54
  55
  56 # ----- Routers -----
  57
  58 begin routers
  59
  60 client:
  61   driver = manualroute
  62   condition = ${if !eq {SERVER}{server}}
  63   route_list = * 127.0.0.1
  64   self = send
  65   transport = remote_delivery
  66   errors_to = ""
  67
  68 srvr:
  69   driver = accept
  70   retry_use_local_part
  71   transport = local_delivery
  72
  73
  74 # ----- Transports -----
  75
  76 begin transports
  77
  78 remote_delivery:
  79   driver =                      smtp
  80   port =                        PORT_D
  81   hosts_require_tls =           *
  82
  83 .ifdef _HAVE_GNUTLS
  84   tls_require_ciphers =         ${if eq {TRUSTED}{TLS1.2} \
  85                                   {NONE:\
  86                                       +SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA\
  87                                   :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \
  88                                   {}}
  89 .endif
  90 .ifdef _HAVE_OPENSSL
  91   tls_require_ciphers =         RSA
  92 .endif
  93   tls_verify_certificates =     CADIR/example.com/server1.example.com/ca_chain.pem
  94   hosts_require_ocsp =          *
  95   tls_verify_cert_hostnames =   :
  96
  97 local_delivery:
  98   driver = appendfile
  99   file = DIR/test-mail/$local_part
 100   create_file = DIR/test-mail
 101   headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
 102   user = CALLER
 103
 104 # End