Copyright updates
[exim.git] / test / confs / 5841
1 # Exim test configuration 5841
2 # DANE/OpenSSL - ciphers option
3
4 SERVER=
5 LIST=
6
7 .include DIR/aux-var/tls_conf_prefix
8
9 primary_hostname = myhost.test.ex
10
11 # ----- Main settings -----
12
13 acl_smtp_rcpt = accept logwrite = "rcpt ACL"
14
15 log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
16
17 tls_advertise_hosts = *
18
19 # Set certificate only if server
20 CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
21
22 tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
23 tls_privatekey =  ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
24
25 # Permit two specific ciphers
26 tls_require_ciphers = DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-GCM-SHA384
27
28 # Force TLS1.2 so that the ciphers choice works
29
30 .ifdef _OPT_OPENSSL_NO_TLSV1_3_X
31 openssl_options = +no_tlsv1_3
32 .endif
33
34 # ----- Routers -----
35 begin routers
36
37 client:
38   driver =              dnslookup
39   condition =           ${if eq {SERVER}{}}
40   ignore_target_hosts = <; 0::0/0
41   dnssec_request_domains = *
42   self =                send
43   transport =           send_to_server
44   errors_to =           ""
45
46 server:
47   driver =              redirect
48   data =                :blackhole:
49
50 # ----- Transports -----
51 begin transports
52
53 send_to_server:
54   driver =                      smtp
55   allow_localhost
56   port =                        PORT_D
57   hosts_try_fastopen =          :
58   hosts_try_dane =              *
59   tls_verify_certificates =     CDIR2/ca_chain.pem
60
61   # Some commonly-available cipher, we hope
62   tls_require_ciphers =         ECDHE-RSA-AES256-GCM-SHA384
63   dane_require_tls_ciphers =    LIST
64
65 # ----- Retry -----
66 begin retry
67 * * F,5d,10s
68
69 # End