# Exim test configuration 5821
-# DANE/OpenSSL - ciphers option
+# DANE/GnuTLS - ciphers option
SERVER=
OPT=
# ----- Main settings -----
-acl_smtp_rcpt = accept logwrite = "rcpt ACL"
+acl_smtp_rcpt = accept logwrite = "rcpt ACL: tls_in_bits $tls_in_bits"
log_selector = +received_recipients +tls_peerdn +tls_certificate_verified
# Set certificate only if server
CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
-tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
-tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
+tls_certificate = CDIR2/fullchain.pem
+tls_privatekey = CDIR2/server1.example.com.unlocked.key
# Permit two specific ciphers
-tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL
+tls_require_ciphers = NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+RSA:-CIPHER-ALL:+AES-128-CBC:+AES-256-GCM
# ----- Routers -----
begin routers
client:
driver = dnslookup
condition = ${if eq {SERVER}{}}
+ ignore_target_hosts = <; 0::0/0
dnssec_request_domains = *
self = send
transport = send_to_server
driver = smtp
allow_localhost
port = PORT_D
+ hosts_try_fastopen = :
hosts_try_dane = *
tls_verify_certificates = CDIR2/ca_chain.pem
# Some commonly-available cipher, we hope
- tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
+ tls_require_ciphers = NORMAL:-CIPHER-ALL:+AES-128-CBC
dane_require_tls_ciphers = OPT
# ----- Retry -----