test/confs/5710

   1 # Exim test configuration 5710 (dup of 5720)
   2 # $tls_out_peercert - GnuTLS
   3
   4 SERVER=
   5
   6 .include DIR/aux-var/tls_conf_prefix
   7
   8 primary_hostname = myhost.test.ex
   9 timezone = UTC
  10
  11 # ----- Main settings -----
  12
  13 acl_smtp_rcpt = accept
  14
  15 log_selector =  +tls_peerdn
  16
  17 queue_only
  18 queue_run_in_order
  19
  20 tls_advertise_hosts = *
  21
  22 tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
  23 tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
  24
  25 tls_verify_hosts = *
  26 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
  27
  28 event_action = ${acl {server_cert_log}}
  29
  30 #
  31
  32 begin acl
  33
  34 server_cert_log:
  35   accept condition = ${if eq {tls:cert}{$event_name}}
  36          logwrite =  [$sender_host_address] \
  37                         depth=$event_data \
  38                         ${certextract{subject}{$tls_in_peercert}}
  39   accept
  40
  41 ev_tls:
  42   accept logwrite =  $event_name depth=$event_data \
  43                         <${certextract {subject} {$tls_out_peercert}}>
  44 #        message = noooo
  45
  46 ev_msg:
  47   warn   logwrite =  $acl_arg1 $local_part
  48   warn   logwrite =  ${if !def:tls_out_ourcert \
  49                 {NO CLIENT CERT presented} \
  50                 {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}}
  51   accept condition = ${if !def:tls_out_peercert}
  52          logwrite =  No Peer cert
  53   accept logwrite = Peer cert:
  54          logwrite =  ver <${certextract {version}       {$tls_out_peercert}}>
  55          logwrite =  SN  <${certextract {subject}       {$tls_out_peercert}}>
  56          logwrite =  SN; <${certextract {subject,>;}    {$tls_out_peercert}}>
  57          logwrite =  SNCN<${certextract {subject,CN}    {$tls_out_peercert}}>
  58          logwrite =  IN  <${certextract {issuer}        {$tls_out_peercert}}>
  59          logwrite =  NB  <${certextract {notbefore}     {$tls_out_peercert}}>
  60          logwrite =  NA  <${certextract {notafter}      {$tls_out_peercert}}>
  61          logwrite =  SA  <${certextract {sig_algorithm} {$tls_out_peercert}}>
  62          logwrite =  SG  <${certextract {signature}     {$tls_out_peercert}}>
  63          logwrite =       ${certextract {subj_altname}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}
  64 #        logwrite =       ${certextract {ocsp_uri}      {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
  65          logwrite =       ${certextract {crl_uri}       {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
  66
  67 logger:
  68   accept condition = ${if eq {msg} {${listextract{1}{$event_name}}}}
  69          acl = ev_msg $event_name $acl_arg2
  70   accept condition = ${if eq {tls} {${listextract{1}{$event_name}}}}
  71          message =   ${acl {ev_tls}}
  72   accept
  73
  74 # ----- Routers -----
  75
  76 begin routers
  77
  78 client:
  79   driver = accept
  80   condition = ${if eq {SERVER}{server}{no}{yes}}
  81   retry_use_local_part
  82   transport = send_to_server
  83
  84
  85 # ----- Transports -----
  86
  87 begin transports
  88
  89 send_to_server:
  90   driver = smtp
  91   allow_localhost
  92   hosts = 127.0.0.1
  93   port = PORT_D
  94
  95   tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
  96   tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
  97
  98   tls_verify_certificates = DIR/aux-fixed/exim-ca/\
  99        ${if eq {$local_part}{good}\
 100 {example.com/server1.example.com/ca_chain.pem}\
 101 {example.net/server1.example.net/ca_chain.pem}}
 102   tls_try_verify_hosts =
 103   tls_verify_cert_hostnames =
 104
 105   event_action =   ${acl {logger} {$event_name} {$domain} }
 106
 107 # ----- Retry -----
 108
 109
 110 begin retry
 111
 112 * * F,5d,10s
 113
 114
 115 # End