+++ /dev/null
-# Exim test configuration 5450
-# TLS client: verify certificate from server - name-fails
-
-SERVER=
-
-exim_path = EXIM_PATH
-host_lookup_order = bydns
-primary_hostname = myhost.test.ex
-spool_directory = DIR/spool
-log_file_path = DIR/spool/log/SERVER%slog
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-
-FX = DIR/aux-fixed
-S1 = FX/exim-ca/example.com/server1.example.com
-
-CA1 = S1/ca_chain.pem
-CERT1 = S1/server1.example.com.pem
-KEY1 = S1/server1.example.com.unlocked.key
-CA2 = FX/cert2
-CERT2 = FX/cert2
-KEY2 = FX/cert2
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-
-log_selector = +tls_peerdn+tls_certificate_verified
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
-
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
-
-
-# ----- Routers -----
-
-begin routers
-
-server_dump:
- driver = redirect
- condition = ${if eq {SERVER}{server}{yes}{no}}
- data = :blackhole:
-
-client_x:
- driver = accept
- local_parts = userx
- retry_use_local_part
- transport = send_to_server_failcert
- errors_to = ""
-
-client_y:
- driver = accept
- local_parts = usery
- retry_use_local_part
- transport = send_to_server_retry
-
-client_z:
- driver = accept
- local_parts = userz
- retry_use_local_part
- transport = send_to_server_crypt
-
-client_q:
- driver = accept
- local_parts = userq
- retry_use_local_part
- transport = send_to_server_req_fail
-
-client_r:
- driver = accept
- local_parts = userr
- retry_use_local_part
- transport = send_to_server_req_failname
-
-client_s:
- driver = accept
- local_parts = users
- retry_use_local_part
- transport = send_to_server_req_passname
-
-client_t:
- driver = accept
- local_parts = usert
- retry_use_local_part
- transport = send_to_server_req_failcarryon
-
-
-# ----- Transports -----
-
-begin transports
-
-# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
-send_to_server_failcert:
- driver = smtp
- allow_localhost
- hosts = HOSTIPV4
- hosts_require_tls = HOSTIPV4
- port = PORT_D
- tls_certificate = CERT2
- tls_privatekey = CERT2
-
- tls_verify_certificates = CA2
-
-# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
-send_to_server_retry:
- driver = smtp
- allow_localhost
- hosts = HOSTIPV4 : 127.0.0.1
- hosts_require_tls = HOSTIPV4
- port = PORT_D
- tls_certificate = CERT2
- tls_privatekey = CERT2
-
- tls_verify_certificates = \
- ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
-
-# this will fail to verify the cert but continue unverified though crypted
-send_to_server_crypt:
- driver = smtp
- allow_localhost
- hosts = HOSTIPV4
- hosts_require_tls = HOSTIPV4
- port = PORT_D
- tls_certificate = CERT2
- tls_privatekey = CERT2
-
- tls_verify_certificates = CA2
- tls_try_verify_hosts = *
-
-# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
-# Fail due to lack of correct CA
-send_to_server_req_fail:
- driver = smtp
- allow_localhost
- hosts = HOSTNAME
- port = PORT_D
- tls_certificate = CERT2
- tls_privatekey = CERT2
-
- tls_verify_certificates = CA2
- tls_verify_hosts = *
-
-# this will fail to verify the cert name and fallback to unencrypted
-# fail because the cert is "server1.example.com" and the test system is something else
-send_to_server_req_failname:
- driver = smtp
- allow_localhost
- hosts = HOSTNAME
- port = PORT_D
- tls_certificate = CERT2
- tls_privatekey = CERT2
-
- tls_verify_certificates = CA1
- tls_verify_cert_hostnames = *
- tls_verify_hosts = *
-
-# this will pass the cert verify including name check
-# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
-send_to_server_req_passname:
- driver = smtp
- allow_localhost
- hosts = server1.example.com
- port = PORT_D
- tls_certificate = CERT2
- tls_privatekey = CERT2
-
- tls_verify_certificates = CA1
- tls_verify_cert_hostnames = *
- tls_verify_hosts = *
-
-send_to_server_req_failcarryon:
- driver = smtp
- allow_localhost
- hosts = HOSTNAME
- port = PORT_D
- tls_certificate = CERT2
- tls_privatekey = CERT2
-
- tls_verify_certificates = CA1
- tls_verify_cert_hostnames = *
- tls_try_verify_hosts = *
-
-# End
git://git.exim.org / exim.git / blobdiff