# Exim test configuration 5450 # TLS client: verify certificate from server - name-fails SERVER= exim_path = EXIM_PATH keep_environment = host_lookup_order = bydns primary_hostname = myhost.test.ex rfc1413_query_timeout = 0s spool_directory = DIR/spool log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME FX = DIR/aux-fixed S1 = FX/exim-ca/example.com/server1.example.com CA1 = S1/ca_chain.pem CERT1 = S1/server1.example.com.pem KEY1 = S1/server1.example.com.unlocked.key CA2 = FX/cert2 CERT2 = FX/cert2 KEY2 = FX/cert2 # ----- Main settings ----- acl_smtp_rcpt = accept log_selector = +tls_peerdn+tls_certificate_verified queue_only queue_run_in_order tls_advertise_hosts = * # Set certificate only if server tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} tls_verify_hosts = * tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} # ----- Routers ----- begin routers server_dump: driver = redirect condition = ${if eq {SERVER}{server}{yes}{no}} data = :blackhole: client_x: driver = accept local_parts = userx retry_use_local_part transport = send_to_server_failcert errors_to = "" client_y: driver = accept local_parts = usery retry_use_local_part transport = send_to_server_retry client_z: driver = accept local_parts = userz retry_use_local_part transport = send_to_server_crypt client_q: driver = accept local_parts = userq retry_use_local_part transport = send_to_server_req_fail client_r: driver = accept local_parts = userr retry_use_local_part transport = send_to_server_req_failname client_s: driver = accept local_parts = users retry_use_local_part transport = send_to_server_req_passname client_t: driver = accept local_parts = usert retry_use_local_part transport = send_to_server_req_failcarryon # ----- Transports ----- begin transports # this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement send_to_server_failcert: driver = smtp allow_localhost hosts = HOSTIPV4 hosts_require_tls = HOSTIPV4 port = PORT_D tls_certificate = CERT2 tls_privatekey = CERT2 tls_verify_certificates = CA2 # this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok send_to_server_retry: driver = smtp allow_localhost hosts = HOSTIPV4 : 127.0.0.1 hosts_require_tls = HOSTIPV4 port = PORT_D tls_certificate = CERT2 tls_privatekey = CERT2 tls_verify_certificates = \ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} # this will fail to verify the cert but continue unverified though crypted send_to_server_crypt: driver = smtp allow_localhost hosts = HOSTIPV4 hosts_require_tls = HOSTIPV4 port = PORT_D tls_certificate = CERT2 tls_privatekey = CERT2 tls_verify_certificates = CA2 tls_try_verify_hosts = * # this will fail to verify the cert at HOSTNAME and fallback to unencrypted # Fail due to lack of correct CA send_to_server_req_fail: driver = smtp allow_localhost hosts = HOSTNAME port = PORT_D tls_certificate = CERT2 tls_privatekey = CERT2 tls_verify_certificates = CA2 tls_verify_hosts = * # this will fail to verify the cert name and fallback to unencrypted # fail because the cert is "server1.example.com" and the test system is something else send_to_server_req_failname: driver = smtp allow_localhost hosts = HOSTNAME port = PORT_D tls_certificate = CERT2 tls_privatekey = CERT2 tls_verify_certificates = CA1 tls_verify_cert_hostnames = * tls_verify_hosts = * # this will pass the cert verify including name check # our stunt DNS has an A record for server1.example.com -> HOSTIPV4 send_to_server_req_passname: driver = smtp allow_localhost hosts = server1.example.com port = PORT_D tls_certificate = CERT2 tls_privatekey = CERT2 tls_verify_certificates = CA1 tls_verify_cert_hostnames = * tls_verify_hosts = * send_to_server_req_failcarryon: driver = smtp allow_localhost hosts = HOSTNAME port = PORT_D tls_certificate = CERT2 tls_privatekey = CERT2 tls_verify_certificates = CA1 tls_verify_cert_hostnames = * tls_try_verify_hosts = * # End