# Set certificate only if server
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+CDIR=DIR/aux-fixed/exim-ca/example.com
+
+tls_certificate = CDIR/server1.example.com/server1.example.com.chain.pem
+tls_privatekey = CDIR/server1.example.com/server1.example.com.unlocked.key
tls_require_ciphers = OPTION
tls_resumption_hosts = 127.0.0.1
logwrite = peer cert subject\t${certextract {subject}{$tls_in_peercert}}
logwrite = peer cert verified\t${tls_in_certificate_verified}
logwrite = peer dn\t${tls_in_peerdn}
- logwrite = ocsp\t${tls_in_ocsp}
logwrite = cipher\t${tls_in_cipher}
logwrite = bits\t${tls_in_bits}
accept
logwrite = peer cert subject\t${certextract {subject}{$tls_out_peercert}}
logwrite = peer cert verified\t${tls_out_certificate_verified}
logwrite = peer dn\t${tls_out_peerdn}
- logwrite = ocsp\t${tls_out_ocsp}
logwrite = cipher\t${tls_out_cipher}
logwrite = bits\t${tls_out_bits}
.else
tls_resumption_hosts = :
.endif
- tls_verify_certificates = DIR/aux-fixed/cert1
+ tls_verify_certificates = CDIR/CA/CA.pem
tls_verify_cert_hostnames = ${if match {$local_part}{^noverify} {*}{:}}
tls_try_verify_hosts = *
event_action = ${acl {log_resumption}}
allow_localhost
hosts = HOSTIPV4
port = PORT_D
- tls_verify_certificates = DIR/aux-fixed/cert1
- tls_verify_cert_hostnames = :
- event_action = ${acl {log_resumption}}
+ hosts_try_fastopen = :
+ tls_verify_certificates = CDIR/CA/CA.pem
+ tls_verify_cert_hostnames = :
+ event_action = ${acl {log_resumption}}
# ----- Retry -----
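Review bot: The context comment `# Set certificate only if server` no longer matches the new lines below it: the `${if eq {SERVER}{server}{…}fail}` guard that previously left `tls_certificate` unset in non-server runs is dropped, and `tls_certificate`/`tls_privatekey` are now set unconditionally from `CDIR`. Either keep the guard on the new lines or reword the comment, e.g. `# Server certificate chain and key from the test CA (always set)`, so the next reader does not assume the conditional still exists. The key path name (`server1.example.com.unlocked.key`) suggests a passphrase-less private key, which is acceptable for a test fixture but is worth a one-line comment saying so, since the same file is now referenced in every run. The enclosing configuration sections (the `.if`/`.else` block and the transports using `CDIR/CA/CA.pem`) start and end outside this hunk.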