1 # Exim test configuration 5655
2 # OCSP stapling, server, multiple chain-element OCSP. Both GnuTLS and OpenSSL.
4 .include DIR/aux-var/tls_conf_prefix
6 primary_hostname = server1.example.com
8 # ----- Main settings -----
10 acl_smtp_mail = check_mail
11 acl_smtp_rcpt = check_recipient
13 log_selector = +tls_peerdn
18 tls_advertise_hosts = *
20 CADIR = DIR/aux-fixed/exim-ca
21 DRSA = CADIR/example.com
22 DECDSA = CADIR/example_ec.com
24 tls_certificate = DRSA/server1.example.com/fullchain.pem
25 tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key
28 tls_ocsp_file = PEM DRSA/server1.example.com/fullchain.ocsp.resp.pem
30 tls_ocsp_file = PEM DIR/tmp/ocsp/double_r.ocsp.pem
35 tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} {NORMAL:!VERS-ALL:+VERS-TLS1.2} {}}
39 openssl_options = ${if eq {LIMIT}{TLS1.2} {+no_tlsv1_3} {}}
48 accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
49 (${listextract {${eval:$tls_in_ocsp+1}} \
50 {notreq:notresp:vfynotdone:failed:verified}})
62 condition = ${if !eq {SERVER}{server}}
63 route_list = * 127.0.0.1
65 transport = remote_delivery
71 transport = local_delivery
74 # ----- Transports -----
84 tls_require_ciphers = ${if eq {LIMIT}{TLS1.2} \
86 +SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA\
87 :+CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509} \
91 tls_require_ciphers = RSA
93 tls_verify_certificates = CADIR/example.com/server1.example.com/ca_chain.pem
94 hosts_require_ocsp = *
95 tls_verify_cert_hostnames = :
99 file = DIR/test-mail/$local_part
100 create_file = DIR/test-mail
101 headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn