X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/98eb95929140ee1e2b2b367b12abb45762d155e9..e78f5da52ca38d07b0b4ccf565e1b47f477fb5a5:/test/confs/3820 diff --git a/test/confs/3820 b/test/confs/3820 index a0206f3a0..7322c4b7e 100644 --- a/test/confs/3820 +++ b/test/confs/3820 @@ -2,46 +2,119 @@ SERVER= +.ifdef TRUSTED +.include DIR/aux-var/tls_conf_prefix +.else .include DIR/aux-var/std_conf_prefix +.endif primary_hostname = myhost.test.ex +tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} # ----- Main settings ----- +acl_smtp_rcpt = accept +queue_only + + +begin routers + +client_r: + driver = accept + condition = ${if !eq {SERVER}{server}} + transport = smtp + errors_to = + +begin transports + +smtp: + driver = smtp + hosts = 127.0.0.1 + allow_localhost + port = PORT_D +.ifdef TRUSTED + hosts_require_tls = * + tls_verify_certificates = DIR/aux-fixed/cert1 + tls_verify_cert_hostnames = : +.else + hosts_avoid_tls = * +.endif + hosts_require_auth = * # ----- Authentication ----- begin authenticators +.ifndef TRUSTED sasl1: - driver = gsasl - public_name = ANONYMOUS + driver = gsasl + public_name = ANONYMOUS server_set_id = $auth1 server_condition = true sasl2: - driver = gsasl - public_name = PLAIN + driver = gsasl + public_name = PLAIN server_set_id = $auth1 - server_condition = false + server_condition = ${if eq {$auth3}{pencil}} + + client_condition = ${if eq {plain}{$local_part}} + client_username = ph10 + client_password = pencil +.endif sasl3: - driver = gsasl - public_name = SCRAM-SHA-1 + driver = gsasl +.ifdef TRUSTED + public_name = SCRAM-SHA-1-PLUS + server_advertise_condition = ${if def:tls_in_cipher} + server_channelbinding = true +.else + public_name = SCRAM-SHA-1 +.endif - # will need to give library salt, stored-key, server-key, itercount - # - # sigh - # gsasl takes props: GSASL_SCRAM_ITER, GSASL_SCRAM_SALT. It _might_ take - # a GSASL_SCRAM_SALTED_PASSWORD - but that is only documented for client mode. + server_scram_salt = ${if eq {$auth1}{ph10} {QSXCR+Q6sek8bf92}} +.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY + server_key = D+CSWLOshSulAsxiupA+qs2/fTE= + server_skey = 6dlGYMOdZcOPutkcNY8U2g7vK9Y= +.endif + server_password = ${if eq {$auth1}{ph10} {pencil}{unset_password}} + server_condition = true + server_set_id = $auth1 + + client_condition = ${if eq {scram_sha_1}{$local_part}} + client_username = ph10 + client_password = pencil +.ifdef _HAVE_AUTH_GSASL_SCRAM_S_KEY + client_spassword = 1d96ee3a529b5a5f9e47c01f229a2cb8a6e15f7d +.endif +.ifdef TRUSTED + client_channelbinding = true +.endif + +.ifdef _HAVE_AUTH_GSASL_SCRAM_SHA_256 +sasl4: + driver = gsasl +.ifdef TRUSTED + public_name = SCRAM-SHA-256-PLUS + server_advertise_condition = ${if def:tls_in_cipher} + server_channelbinding = true +.else + public_name = SCRAM-SHA-256 +.endif - server_scram_iter = 4096 - # unclear if the salt is given in binary or base64 to the library server_scram_salt = QSXCR+Q6sek8bf92 server_password = pencil - server_condition = true server_set_id = $auth1 + client_condition = ${if eq {scram_sha_256}{$local_part}} + client_username = ph10 + client_password = pencil +.ifdef TRUSTED + client_channelbinding = true +.endif +.endif + # End