log_file_path = DIR/spool/log/SERVER%slog
gecos_pattern = ""
gecos_name = CALLER_NAME
+timezone = UTC
# ----- Main settings -----
tls_verify_hosts = *
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
+event_action = ${acl {server_cert_log}}
+
#
begin acl
-logger:
- warn logwrite = $acl_arg1 $tpda_delivery_local_part
+
+server_cert_log:
+ accept condition = ${if eq {tls:cert}{$event_name}}
+ logwrite = [$sender_host_address] \
+ depth=$event_data \
+ ${certextract{subject}{$tls_in_peercert}}
+ accept
+
+ev_tls:
+ accept logwrite = $event_name depth=$event_data \
+ <${certextract {subject} {$tls_out_peercert}}>
+# message = nooooo
+
+ev_msg:
+ warn logwrite = $acl_arg1 $local_part
warn logwrite = ${if !def:tls_out_ourcert \
- {NO CLENT CERT presented} \
+ {NO CLIENT CERT presented} \
{Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}}
accept condition = ${if !def:tls_out_peercert}
logwrite = No Peer cert
logwrite = IN <${certextract {issuer} {$tls_out_peercert}}>
logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}>
logwrite = NA <${certextract {notafter} {$tls_out_peercert}}>
- logwrite = SA <${certextract {signature_algorithm}{$tls_out_peercert}}>
+ logwrite = SA <${certextract {sig_algorithm} {$tls_out_peercert}}>
logwrite = SG <${certextract {signature} {$tls_out_peercert}}>
- logwrite = ${certextract {subject_altname}{$tls_out_peercert}{SAN <$value>}{(no SAN)}}
+ logwrite = ${certextract {subj_altname,>;}{$tls_out_peercert}{SAN <$value>}{(no SAN)}}
logwrite = ${certextract {ocsp_uri} {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
logwrite = ${certextract {crl_uri} {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
+logger:
+ accept condition = ${if eq {msg} {${listextract{1}{$event_name}}}}
+ acl = ev_msg $event_name $acl_arg2
+ accept condition = ${if eq {tls} {${listextract{1}{$event_name}}}}
+ message = ${acl {ev_tls}}
+ accept
# ----- Routers -----
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
+ tls_verify_cert_hostnames =
+ tls_try_verify_hosts =
- tpda_delivery_action = ${acl {logger} {delivery} {$domain} }
- tpda_host_defer_action = ${acl {logger} {deferral} {$domain} }
+ event_action = ${acl {logger} {$event_name} {$domain} }
# ----- Retry -----