X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/8497e842ec8a55daad7ce936aedf01227fa0f4d1..7f3555b3d8e1fccfe8f5d450bdde367018a5e764:/test/confs/2133 diff --git a/test/confs/2133 b/test/confs/2133 new file mode 100644 index 000000000..e05197980 --- /dev/null +++ b/test/confs/2133 @@ -0,0 +1,192 @@ +# Exim test configuration 2133 +# TLS client: verify certificate from server - name-fails + +SERVER= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = +tls_peerdn+tls_certificate_verified + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} + +tls_verify_hosts = * +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} + + +# ----- Routers ----- + +begin routers + +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = users + retry_use_local_part + transport = send_to_server_req_passname + +client_t: + driver = accept + local_parts = usert + retry_use_local_part + transport = send_to_server_req_failcarryon + + +# ----- Transports ----- + +begin transports + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = \ + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTNAME and fallback to unencrypted +# Fail due to lack of correct CA +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + +# this will fail to verify the cert name and fallback to unencrypted +# fail because the cert is "server1.example.com" and the test system is something else +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_verify_hosts = * + +# this will pass the cert verify including name check +# our stunt DNS has an A record for server1.example.com -> HOSTIPV4 +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = server1.example.com + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_verify_hosts = * + +send_to_server_req_failcarryon: + driver = smtp + allow_localhost + hosts = HOSTNAME + port = PORT_D + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = * + tls_try_verify_hosts = * + +# End