# Exim test configuration 5601 # OCSP stapling, client, tpda SERVER = exim_path = EXIM_PATH keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$ host_lookup_order = bydns primary_hostname = server1.example.com rfc1413_query_timeout = 0s spool_directory = DIR/spool log_file_path = DIR/spool/log/SERVER%slog gecos_pattern = "" gecos_name = CALLER_NAME # ----- Main settings ----- domainlist local_domains = test.ex : *.test.ex acl_smtp_rcpt = check_recipient acl_smtp_data = check_data log_selector = +tls_peerdn remote_max_parallel = 1 tls_advertise_hosts = * # Set certificate only if server tls_certificate = ${if eq {SERVER}{server}\ {DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ fail\ } #{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\ tls_privatekey = ${if eq {SERVER}{server}\ {DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ fail} tls_ocsp_file = OCSP # ------ ACL ------ begin acl check_recipient: accept domains = +local_domains deny message = relay not permitted check_data: warn condition = ${if def:h_X-TLS-out:} logwrite = client claims: $h_X-TLS-out: accept logger: warn logwrite = client ocsp status: $tls_out_ocsp \ (${listextract {${eval:$tls_out_ocsp+1}} \ {notreq:notresp:vfynotdone:failed:verified}}) accept # ----- Routers ----- begin routers client: driver = accept condition = ${if eq {SERVER}{server}{no}{yes}} retry_use_local_part transport = send_to_server${if eq{$local_part}{nostaple}{1} \ {${if eq{$local_part}{norequire} {2} \ {${if eq{$local_part}{smtps} {4}{3}}} \ }}} server: driver = redirect data = :blackhole: #retry_use_local_part #transport = local_delivery # ----- Transports ----- begin transports local_delivery: driver = appendfile file = DIR/test-mail/$local_part headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn user = CALLER # nostaple: deliberately do not request cert-status send_to_server1: driver = smtp allow_localhost hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_request_ocsp = : headers_add = X-TLS-out: ocsp status $tls_out_ocsp tpda_delivery_action = ${acl {logger}} tpda_host_defer_action = ${acl {logger}} # norequire: request stapling but do not verify send_to_server2: driver = smtp allow_localhost hosts = HOSTIPV4 port = PORT_D tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * # note no ocsp mention here headers_add = X-TLS-out: ocsp status $tls_out_ocsp tpda_delivery_action = ${acl {logger}} tpda_host_defer_action = ${acl {logger}} # (any other name): request and verify send_to_server3: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: ocsp status $tls_out_ocsp tpda_delivery_action = ${acl {logger}} tpda_host_defer_action = ${acl {logger}} # (any other name): request and verify, ssl-on-connect send_to_server4: driver = smtp allow_localhost hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem protocol = smtps hosts_require_tls = * hosts_require_ocsp = * headers_add = X-TLS-out: ocsp status $tls_out_ocsp tpda_delivery_action = ${acl {logger}} tpda_host_defer_action = ${acl {logger}} # ----- Retry ----- begin retry * * F,5d,1s # End