X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/6242a0bdfb6bacb2fc52e335ca550b62f2f39020..415c5379af11bf8777af1a082a336ad7c5369525:/test/confs/5847
diff --git a/test/confs/5847 b/test/confs/5847
new file mode 100644
index 000000000..9f3277cb0
--- /dev/null
+++ b/test/confs/5847
@@ -0,0 +1,150 @@
+# Exim test configuration 5847
+# OCSP stapling under DANE, client
+
+SERVER =
+
+exim_path = EXIM_PATH
+keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
+host_lookup_order = bydns
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+chunking_advertise_hosts =
+primary_hostname = server1.example.com
+
+.ifdef _HAVE_DMARC
+dmarc_tld_file =
+.endif
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+.ifndef OPT
+acl_smtp_rcpt = check_recipient
+.else
+acl_smtp_rcpt = accept verify = recipient/callout
+.endif
+acl_smtp_data = check_data
+
+log_selector = +received_recipients +tls_peerdn +tls_certificate_verified +tls_sni
+remote_max_parallel = 1
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
+CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
+
+.ifdef CERT
+tls_certificate = CERT
+.else
+tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
+ {CDIR2/fullchain.pem}\
+ {CDIR1/fullchain.pem}}
+.endif
+
+.ifdef ALLOW
+tls_privatekey = ALLOW
+.else
+tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
+ {CDIR2/server1.example.com.unlocked.key}\
+ {CDIR1/server1.example.net.unlocked.key}}
+.endif
+
+tls_ocsp_file = RETURN
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = dnslookup
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ dnssec_request_domains = *
+ self = send
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{norequest}{1} \
+ {${if eq{$local_part}{norequire} {2} \
+ {3} \
+ }}}
+ errors_to = ""
+
+server:
+ driver = redirect
+ data = :blackhole:
+
+
+# ----- Transports -----
+
+begin transports
+
+ # nostaple
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
+ hosts_try_dane = *
+ hosts_require_tls = *
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
+
+ # norequire
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_fastopen = :
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
+ hosts_try_dane = *
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
+
+# default
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ port = PORT_D
+ hosts_try_fastopen = :
+ helo_data = helo.data.changed
+ tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
+ tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
+ hosts_try_dane = *
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
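Review bot: The label `# nostaple` above send_to_server1 does not match how the client router selects it: the transport expansion maps local part `norequest` to `send_to_server1` and `norequire` to `send_to_server2`, and the sibling labels are `# norequire` and `# default`, so the first label should read `# norequest` (its distinguishing option is `hosts_request_ocsp = :`, i.e. never ask for a staple). The three `tls_verify_certificates` lines deserve a comment, since for every DETAILS value other than `ca` they expand to an empty list and the client then has no CA anchor at all; presumably the intent is that verification is performed only through the DANE TLSA record under `hosts_try_dane = *`, but that should be stated, e.g. `# no CA list except in the ca case: trust comes from the DNSSEC-validated TLSA record`. For send_to_server2 the `# note no ocsp mention here` comment would be more useful if it said which built-in hosts_request_ocsp/hosts_require_ocsp defaults the test is relying on, as that is the behaviour the `norequire` case is meant to exercise.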