X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/afda344b580b54a4513569720aec3260cd5ba546..ee549a2ed04164407f4f897be3bf545f32579c5c:/test/confs/2112 diff --git a/test/confs/2112 b/test/confs/2112 index 78733513e..4ec0b4fcd 100644 --- a/test/confs/2112 +++ b/test/confs/2112 @@ -1,21 +1,27 @@ # Exim test configuration 2112 +# TLS client: verify certificate from server - fails SERVER= -exim_path = EXIM_PATH -host_lookup_order = bydns +.include DIR/aux-var/tls_conf_prefix + primary_hostname = myhost.test.ex -rfc1413_query_timeout = 0s -spool_directory = DIR/spool -log_file_path = DIR/spool/log/SERVER%slog -gecos_pattern = "" -gecos_name = CALLER_NAME + +FX = DIR/aux-fixed +S1 = FX/exim-ca/example.com/server1.example.com + +CA1 = S1/ca_chain.pem +CERT1 = S1/server1.example.com.pem +KEY1 = S1/server1.example.com.unlocked.key +CA2 = FX/cert2 +CERT2 = FX/cert2 +KEY2 = FX/cert2 # ----- Main settings ----- acl_smtp_rcpt = accept -log_selector = +tls_peerdn+tls_certificate_verified +log_selector = +tls_peerdn+tls_certificate_verified +received_recipients queue_only queue_run_in_order @@ -24,36 +30,190 @@ tls_advertise_hosts = * # Set certificate only if server -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} +tls_certificate = ${if eq {SERVER}{server}{CERT1}fail} +tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail} tls_verify_hosts = * -tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail} # ----- Routers ----- begin routers -client: +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: + driver = accept + local_parts = userz + retry_use_local_part + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail + +client_r: + driver = accept + local_parts = userr + retry_use_local_part + transport = send_to_server_req_failname + +client_s: + driver = accept + local_parts = user_s + retry_use_local_part + transport = send_to_server_req_passname + +client_t: driver = accept - condition = ${if eq {SERVER}{server}{no}{yes}} + local_parts = usert retry_use_local_part - transport = send_to_server + transport = send_to_server_req_failchain + +client_u: + driver = accept + local_parts = useru + retry_use_local_part + transport = send_to_server_req_passchain # ----- Transports ----- begin transports -send_to_server: +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: driver = smtp allow_localhost - hosts = HOSTIPV4 : 127.0.0.1 + hosts = HOSTIPV4 + port = PORT_D + hosts_try_fastopen = : hosts_require_tls = HOSTIPV4 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = + tls_verify_cert_hostnames = + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: + driver = smtp + allow_localhost + hosts = HOSTIPV4 : 127.0.0.1 port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 + hosts_try_fastopen = : + hosts_require_tls = HOSTIPV4 + tls_certificate = CERT2 + tls_privatekey = CERT2 + tls_verify_certificates = \ - ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}} + ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}} + tls_try_verify_hosts = + tls_verify_cert_hostnames = + +# this will fail to verify the cert but continue unverified though crypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + hosts_try_fastopen = : + hosts_require_tls = HOSTIPV4 + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_try_verify_hosts = * + tls_verify_cert_hostnames = + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + hosts_try_fastopen = : + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA2 + tls_verify_hosts = * + tls_verify_cert_hostnames = + +# this will fail to verify the cert name and fallback to unencrypted +send_to_server_req_failname: + driver = smtp + allow_localhost + hosts = serverbadname.example.com + port = PORT_D + hosts_try_fastopen = : + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = HOSTIPV4 + tls_verify_hosts = * + +# this will pass the cert verify including name check +send_to_server_req_passname: + driver = smtp + allow_localhost + hosts = server1.example.com + port = PORT_D + hosts_try_fastopen = : + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = HOSTIPV4 + tls_verify_hosts = * + + # this will fail the cert verify name check, because CNAME rules + send_to_server_req_failchain: + driver = smtp + allow_localhost + hosts = serverchain1.example.com + port = PORT_D + hosts_try_fastopen = : + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = HOSTIPV4 + tls_verify_hosts = * + + # this will pass the cert verify name check, because CNAME rules + send_to_server_req_passchain: + driver = smtp + allow_localhost + hosts = alternatename.server1.example.com + port = PORT_D + hosts_try_fastopen = : + tls_certificate = CERT2 + tls_privatekey = CERT2 + + tls_verify_certificates = CA1 + tls_verify_cert_hostnames = HOSTIPV4 + tls_verify_hosts = * # End