Testsuite: Experimental_Certnames absorbed into mainline
authorJeremy Harris <jgh146exb@wizmail.org>
Tue, 20 Jan 2015 12:11:15 +0000 (12:11 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Tue, 20 Jan 2015 12:11:15 +0000 (12:11 +0000)
14 files changed:
test/confs/2033 [new file with mode: 0644]
test/confs/2133 [new file with mode: 0644]
test/confs/5440 [deleted file]
test/confs/5450 [deleted file]
test/log/2033 [new file with mode: 0644]
test/log/2133 [new file with mode: 0644]
test/log/5440 [deleted file]
test/log/5450 [deleted file]
test/scripts/2000-GnuTLS/2033 [new file with mode: 0644]
test/scripts/2100-OpenSSL/2133 [new file with mode: 0644]
test/scripts/5440-certnames-GnuTLS/5440 [deleted file]
test/scripts/5440-certnames-GnuTLS/REQUIRES [deleted file]
test/scripts/5450-certnames-OpenSSL/5450 [deleted file]
test/scripts/5450-certnames-OpenSSL/REQUIRES [deleted file]

diff --git a/test/confs/2033 b/test/confs/2033
new file mode 100644 (file)
index 0000000..ce55051
--- /dev/null
@@ -0,0 +1,193 @@
+# Exim test configuration 2033
+# TLS client: verify certificate from server - name-fails
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 =   S1/ca_chain.pem 
+CERT1 = S1/server1.example.com.pem
+KEY1 =  S1/server1.example.com.unlocked.key
+CA2 =   FX/cert2
+CERT2 = FX/cert2
+KEY2 =  FX/cert2
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector =  +tls_peerdn+tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
+
+tls_verify_hosts = *
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+server_dump:
+  driver = redirect
+  condition = ${if eq {SERVER}{server}{yes}{no}}
+  data = :blackhole:
+
+client_x:
+  driver = accept
+  local_parts = userx
+  retry_use_local_part
+  transport = send_to_server_failcert
+  errors_to = ""
+
+client_y:
+  driver = accept
+  local_parts = usery
+  retry_use_local_part
+  transport = send_to_server_retry
+
+client_z:
+  driver = accept
+  local_parts = userz
+  retry_use_local_part
+  transport = send_to_server_crypt
+
+client_q:
+  driver = accept
+  local_parts = userq
+  retry_use_local_part
+  transport = send_to_server_req_fail
+
+client_r:
+  driver = accept
+  local_parts = userr
+  retry_use_local_part
+  transport = send_to_server_req_failname
+
+client_s:
+  driver = accept
+  local_parts = users
+  retry_use_local_part
+  transport = send_to_server_req_passname
+
+client_t:
+  driver = accept
+  local_parts = usert
+  retry_use_local_part
+  transport = send_to_server_req_failcarryon
+
+# ----- Transports -----
+
+begin transports
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4 : 127.0.0.1
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = \
+    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
+send_to_server_req_fail:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTNAME
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_verify_hosts = *
+
+# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
+send_to_server_req_failname:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTNAME
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = *
+  tls_verify_hosts = *
+
+# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
+send_to_server_req_passname:
+  driver = smtp
+  allow_localhost
+  hosts = server1.example.com
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = *
+  tls_verify_hosts = *
+
+# this will fail to verify the cert name but carry on (try-verify mode)
+# fail because the cert is "server1.example.com" and the test system is something else
+send_to_server_req_failcarryon:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTNAME
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = *
+  tls_try_verify_hosts = *
+
+# End
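Review bot: The comments above `send_to_server_req_fail` and `send_to_server_req_failname` say the delivery will "fallback to unencrypted" but not why. Unlike the first three transports, these set `tls_verify_hosts = *` without `hosts_require_tls`, so a failed verification ends in a cleartext delivery; test/log/2033 records it as "delivering unencrypted ... (not in hosts_require_tls)". I would add a line such as `# no hosts_require_tls here, so a verify failure is followed by a cleartext delivery` to both, so nobody copies these transports as a template for enforced verification; the same comments appear in test/confs/2133. As a style point, every transport uses `tls_privatekey = CERT2` while the `KEY2` macro defined at the top is never referenced; `tls_privatekey = KEY2` would read more clearly.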
diff --git a/test/confs/2133 b/test/confs/2133
new file mode 100644 (file)
index 0000000..e051979
--- /dev/null
@@ -0,0 +1,192 @@
+# Exim test configuration 2133
+# TLS client: verify certificate from server - name-fails
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 =   S1/ca_chain.pem 
+CERT1 = S1/server1.example.com.pem
+KEY1 =  S1/server1.example.com.unlocked.key
+CA2 =   FX/cert2
+CERT2 = FX/cert2
+KEY2 =  FX/cert2
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector =  +tls_peerdn+tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
+
+tls_verify_hosts = *
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+server_dump:
+  driver = redirect
+  condition = ${if eq {SERVER}{server}{yes}{no}}
+  data = :blackhole:
+
+client_x:
+  driver = accept
+  local_parts = userx
+  retry_use_local_part
+  transport = send_to_server_failcert
+  errors_to = ""
+
+client_y:
+  driver = accept
+  local_parts = usery
+  retry_use_local_part
+  transport = send_to_server_retry
+
+client_z:
+  driver = accept
+  local_parts = userz
+  retry_use_local_part
+  transport = send_to_server_crypt
+
+client_q:
+  driver = accept
+  local_parts = userq
+  retry_use_local_part
+  transport = send_to_server_req_fail
+
+client_r:
+  driver = accept
+  local_parts = userr
+  retry_use_local_part
+  transport = send_to_server_req_failname
+
+client_s:
+  driver = accept
+  local_parts = users
+  retry_use_local_part
+  transport = send_to_server_req_passname
+
+client_t:
+  driver = accept
+  local_parts = usert
+  retry_use_local_part
+  transport = send_to_server_req_failcarryon
+
+
+# ----- Transports -----
+
+begin transports
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4 : 127.0.0.1
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = \
+    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTIPV4
+  hosts_require_tls = HOSTIPV4
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
+send_to_server_req_fail:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTNAME
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA2
+  tls_verify_hosts = *
+
+# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
+send_to_server_req_failname:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTNAME
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = *
+  tls_verify_hosts = *
+
+# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
+send_to_server_req_passname:
+  driver = smtp
+  allow_localhost
+  hosts = server1.example.com
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = *
+  tls_verify_hosts = *
+
+send_to_server_req_failcarryon:
+  driver = smtp
+  allow_localhost
+  hosts = HOSTNAME
+  port = PORT_D
+  tls_certificate = CERT2
+  tls_privatekey = CERT2
+
+  tls_verify_certificates = CA1
+  tls_verify_cert_hostnames = *
+  tls_try_verify_hosts = *
+
+# End
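Review bot: `send_to_server_req_failcarryon` is the only transport in this file without a leading comment, although test/confs/2033 has two comment lines above the same transport. I would copy them here: `# this will fail to verify the cert name but carry on (try-verify mode)` and `# fail because the cert is "server1.example.com" and the test system is something else`. This is the case where `tls_try_verify_hosts = *` lets a name mismatch proceed encrypted, logged with `CV=no` in test/log/2133, so it is worth labelling.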
diff --git a/test/confs/5440 b/test/confs/5440
deleted file mode 100644 (file)
index 479038a..0000000
+++ /dev/null
@@ -1,193 +0,0 @@
-# Exim test configuration 5440
-# TLS client: verify certificate from server - name-fails
-
-SERVER=
-
-exim_path = EXIM_PATH
-host_lookup_order = bydns
-primary_hostname = myhost.test.ex
-spool_directory = DIR/spool
-log_file_path = DIR/spool/log/SERVER%slog
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-
-FX = DIR/aux-fixed
-S1 = FX/exim-ca/example.com/server1.example.com
-
-CA1 =   S1/ca_chain.pem 
-CERT1 = S1/server1.example.com.pem
-KEY1 =  S1/server1.example.com.unlocked.key
-CA2 =   FX/cert2
-CERT2 = FX/cert2
-KEY2 =  FX/cert2
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-
-log_selector =  +tls_peerdn+tls_certificate_verified
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
-
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
-
-
-# ----- Routers -----
-
-begin routers
-
-server_dump:
-  driver = redirect
-  condition = ${if eq {SERVER}{server}{yes}{no}}
-  data = :blackhole:
-
-client_x:
-  driver = accept
-  local_parts = userx
-  retry_use_local_part
-  transport = send_to_server_failcert
-  errors_to = ""
-
-client_y:
-  driver = accept
-  local_parts = usery
-  retry_use_local_part
-  transport = send_to_server_retry
-
-client_z:
-  driver = accept
-  local_parts = userz
-  retry_use_local_part
-  transport = send_to_server_crypt
-
-client_q:
-  driver = accept
-  local_parts = userq
-  retry_use_local_part
-  transport = send_to_server_req_fail
-
-client_r:
-  driver = accept
-  local_parts = userr
-  retry_use_local_part
-  transport = send_to_server_req_failname
-
-client_s:
-  driver = accept
-  local_parts = users
-  retry_use_local_part
-  transport = send_to_server_req_passname
-
-client_t:
-  driver = accept
-  local_parts = usert
-  retry_use_local_part
-  transport = send_to_server_req_failcarryon
-
-# ----- Transports -----
-
-begin transports
-
-# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
-send_to_server_failcert:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4
-  hosts_require_tls = HOSTIPV4
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA2
-
-# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
-send_to_server_retry:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4 : 127.0.0.1
-  hosts_require_tls = HOSTIPV4
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = \
-    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
-
-# this will fail to verify the cert but continue unverified though crypted
-send_to_server_crypt:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4
-  hosts_require_tls = HOSTIPV4
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA2
-  tls_try_verify_hosts = *
-
-# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
-# Fail due to lack of correct CA
-send_to_server_req_fail:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTNAME
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA2
-  tls_verify_hosts = *
-
-# this will fail to verify the cert name and fallback to unencrypted
-# fail because the cert is "server1.example.com" and the test system is something else
-send_to_server_req_failname:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTNAME
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA1
-  tls_verify_cert_hostnames = *
-  tls_verify_hosts = *
-
-# this will pass the cert verify including name check
-# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
-send_to_server_req_passname:
-  driver = smtp
-  allow_localhost
-  hosts = server1.example.com
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA1
-  tls_verify_cert_hostnames = *
-  tls_verify_hosts = *
-
-# this will fail to verify the cert name but carry on (try-verify mode)
-# fail because the cert is "server1.example.com" and the test system is something else
-send_to_server_req_failcarryon:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTNAME
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA1
-  tls_verify_cert_hostnames = *
-  tls_try_verify_hosts = *
-
-# End
diff --git a/test/confs/5450 b/test/confs/5450
deleted file mode 100644 (file)
index 145bdc8..0000000
+++ /dev/null
@@ -1,192 +0,0 @@
-# Exim test configuration 5450
-# TLS client: verify certificate from server - name-fails
-
-SERVER=
-
-exim_path = EXIM_PATH
-host_lookup_order = bydns
-primary_hostname = myhost.test.ex
-spool_directory = DIR/spool
-log_file_path = DIR/spool/log/SERVER%slog
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-
-FX = DIR/aux-fixed
-S1 = FX/exim-ca/example.com/server1.example.com
-
-CA1 =   S1/ca_chain.pem 
-CERT1 = S1/server1.example.com.pem
-KEY1 =  S1/server1.example.com.unlocked.key
-CA2 =   FX/cert2
-CERT2 = FX/cert2
-KEY2 =  FX/cert2
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-
-log_selector =  +tls_peerdn+tls_certificate_verified
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
-
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
-
-
-# ----- Routers -----
-
-begin routers
-
-server_dump:
-  driver = redirect
-  condition = ${if eq {SERVER}{server}{yes}{no}}
-  data = :blackhole:
-
-client_x:
-  driver = accept
-  local_parts = userx
-  retry_use_local_part
-  transport = send_to_server_failcert
-  errors_to = ""
-
-client_y:
-  driver = accept
-  local_parts = usery
-  retry_use_local_part
-  transport = send_to_server_retry
-
-client_z:
-  driver = accept
-  local_parts = userz
-  retry_use_local_part
-  transport = send_to_server_crypt
-
-client_q:
-  driver = accept
-  local_parts = userq
-  retry_use_local_part
-  transport = send_to_server_req_fail
-
-client_r:
-  driver = accept
-  local_parts = userr
-  retry_use_local_part
-  transport = send_to_server_req_failname
-
-client_s:
-  driver = accept
-  local_parts = users
-  retry_use_local_part
-  transport = send_to_server_req_passname
-
-client_t:
-  driver = accept
-  local_parts = usert
-  retry_use_local_part
-  transport = send_to_server_req_failcarryon
-
-
-# ----- Transports -----
-
-begin transports
-
-# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
-send_to_server_failcert:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4
-  hosts_require_tls = HOSTIPV4
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA2
-
-# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
-send_to_server_retry:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4 : 127.0.0.1
-  hosts_require_tls = HOSTIPV4
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = \
-    ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
-
-# this will fail to verify the cert but continue unverified though crypted
-send_to_server_crypt:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4
-  hosts_require_tls = HOSTIPV4
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA2
-  tls_try_verify_hosts = *
-
-# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
-# Fail due to lack of correct CA
-send_to_server_req_fail:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTNAME
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA2
-  tls_verify_hosts = *
-
-# this will fail to verify the cert name and fallback to unencrypted
-# fail because the cert is "server1.example.com" and the test system is something else
-send_to_server_req_failname:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTNAME
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA1
-  tls_verify_cert_hostnames = *
-  tls_verify_hosts = *
-
-# this will pass the cert verify including name check
-# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
-send_to_server_req_passname:
-  driver = smtp
-  allow_localhost
-  hosts = server1.example.com
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA1
-  tls_verify_cert_hostnames = *
-  tls_verify_hosts = *
-
-send_to_server_req_failcarryon:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTNAME
-  port = PORT_D
-  tls_certificate = CERT2
-  tls_privatekey = CERT2
-
-  tls_verify_certificates = CA1
-  tls_verify_cert_hostnames = *
-  tls_try_verify_hosts = *
-
-# End
diff --git a/test/log/2033 b/test/log/2033
new file mode 100644 (file)
index 0000000..44cec64
--- /dev/null
@@ -0,0 +1,21 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
diff --git a/test/log/2133 b/test/log/2133
new file mode 100644 (file)
index 0000000..2cd0960
--- /dev/null
@@ -0,0 +1,34 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 Start queue run: pid=pppp -qf
+1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
+
+1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
+
+1999-03-02 09:44:33 10HmbA-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp -qf
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex
diff --git a/test/log/5440 b/test/log/5440
deleted file mode 100644 (file)
index 44cec64..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp -qf
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
diff --git a/test/log/5450 b/test/log/5450
deleted file mode 100644 (file)
index 2cd0960..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
-
-1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbC-0005vi-00"
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
-
-1999-03-02 09:44:33 10HmbA-0005vi-00 => usert@test.ex R=client_t T=send_to_server_req_failcarryon H=the.local.host.name [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
-1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp -qf
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
-1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmaY-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
-1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbA-0005vi-00@myhost.test.ex
diff --git a/test/scripts/2000-GnuTLS/2033 b/test/scripts/2000-GnuTLS/2033
new file mode 100644 (file)
index 0000000..f43d18d
--- /dev/null
@@ -0,0 +1,20 @@
+# TLS client: verify certificate from server - name-fails
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+# this will fail to verify the cert name and fallback to unencrypted
+exim userr@test.ex
+Testing
+****
+# this will pass the cert verify including name check
+exim users@test.ex
+Testing
+****
+# this will fail to verify the cert name but carry on (try-verify mode)
+exim usert@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
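Review bot: This script sends only to userr, users and usert, while test/confs/2033 also defines routers and transports for userx, usery, userz and userq, and the OpenSSL script 2133 additionally runs the userq (wrong CA) case. If the GnuTLS wrong-CA fallback is covered by another test, a comment saying so would help, e.g. `# wrong-CA case (userq) is not exercised here`; otherwise consider adding it together with the matching lines in test/log/2033. Separately, the deleted REQUIRES files listed `running IPv4`; the REQUIRES files of 2000-GnuTLS and 2100-OpenSSL are not part of this commit, so it is worth confirming they still carry that condition.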
diff --git a/test/scripts/2100-OpenSSL/2133 b/test/scripts/2100-OpenSSL/2133
new file mode 100644 (file)
index 0000000..3b2221c
--- /dev/null
@@ -0,0 +1,23 @@
+# TLS client: verify certificate from server - name-fails
+exim -DSERVER=server -bd -oX PORT_D
+****
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+exim userq@test.ex
+Testing
+****
+# this will fail to verify the cert name and fallback to unencrypted
+exim userr@test.ex
+Testing
+****
+# this will pass the cert verify including name check
+exim users@test.ex
+Testing
+****
+# this will fail to verify the cert name but carry on (try-verify mode)
+exim usert@test.ex
+Testing
+****
+exim -qf
+****
+killdaemon
+no_msglog_check
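Review bot: The first case comment says the cert fails "at HOSTIPV4", but userq is routed to `send_to_server_req_fail`, which test/confs/2133 sets to `hosts = HOSTNAME` and describes as failing for lack of the correct CA. I would reword it to `# this will fail to verify the cert at HOSTNAME (wrong CA) and fallback to unencrypted` so the script and the configuration agree on what is being tested.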
diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440
deleted file mode 100644 (file)
index f43d18d..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-# TLS client: verify certificate from server - name-fails
-gnutls
-exim -DSERVER=server -bd -oX PORT_D
-****
-# this will fail to verify the cert name and fallback to unencrypted
-exim userr@test.ex
-Testing
-****
-# this will pass the cert verify including name check
-exim users@test.ex
-Testing
-****
-# this will fail to verify the cert name but carry on (try-verify mode)
-exim usert@test.ex
-Testing
-****
-exim -qf
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5440-certnames-GnuTLS/REQUIRES b/test/scripts/5440-certnames-GnuTLS/REQUIRES
deleted file mode 100644 (file)
index 5a5fac1..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-support GnuTLS
-support Experimental_Certnames
-running IPv4
diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450
deleted file mode 100644 (file)
index 3b2221c..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# TLS client: verify certificate from server - name-fails
-exim -DSERVER=server -bd -oX PORT_D
-****
-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
-exim userq@test.ex
-Testing
-****
-# this will fail to verify the cert name and fallback to unencrypted
-exim userr@test.ex
-Testing
-****
-# this will pass the cert verify including name check
-exim users@test.ex
-Testing
-****
-# this will fail to verify the cert name but carry on (try-verify mode)
-exim usert@test.ex
-Testing
-****
-exim -qf
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5450-certnames-OpenSSL/REQUIRES b/test/scripts/5450-certnames-OpenSSL/REQUIRES
deleted file mode 100644 (file)
index 663b390..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-support OpenSSL
-support Experimental_Certnames
-running IPv4