ARC: limit verify chain to 50-deep
[users/heiko/exim.git] / test / confs / 5740
1 # Exim test configuration 5740
2 # OCSP stapling, client, events
3
4 SERVER =
5
6 exim_path = EXIM_PATH
7 keep_environment = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
8 host_lookup_order = bydns
9 spool_directory = DIR/spool
10 log_file_path = DIR/spool/log/SERVER%slog
11 gecos_pattern = ""
12 gecos_name = CALLER_NAME
13 chunking_advertise_hosts =
14 primary_hostname = server1.example.com
15
16
17 # ----- Main settings -----
18
19 domainlist local_domains = test.ex : *.test.ex
20
21 acl_smtp_rcpt = check_recipient
22 acl_smtp_data = check_data
23
24 log_selector = +tls_peerdn +received_recipients
25 remote_max_parallel = 1
26
27 tls_advertise_hosts = *
28
29 # Set certificate only if server
30
31 tls_certificate = ${if eq {SERVER}{server}\
32 {DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
33 fail\
34 }
35
36 #{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
37
38 tls_privatekey = ${if eq {SERVER}{server}\
39 {DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
40 fail}
41
42 tls_ocsp_file = RETURN
43
44
45 # ------ ACL ------
46
47 begin acl
48
49 check_recipient:
50   accept  domains = +local_domains
51   deny    message = relay not permitted
52
53 check_data:
54   warn    condition   = ${if def:h_X-TLS-out:}
55           logwrite = client claims: $h_X-TLS-out:
56   accept
57
58 logger:
59   accept condition = ${if !eq {msg} {${listextract{1}{$event_name}}}}
60   warn  logwrite = client ocsp status: $tls_out_ocsp \
61     (${listextract {${eval:$tls_out_ocsp+1}} \
62                 {notreq:notresp:vfynotdone:failed:verified}})
63   accept
64
65 # ----- Routers -----
66
67 begin routers
68
69 client:
70   driver = accept
71   condition = ${if eq {SERVER}{server}{no}{yes}}
72   retry_use_local_part
73   transport = send_to_server${if eq{$local_part}{nostaple}{1} \
74                                 {${if match{$local_part}{norequire} {2} \
75                                 {${if eq{$local_part}{smtps} {4}{3}}} \
76                              }}}
77
78 server:
79   driver = redirect
80   data = :blackhole:
81   #retry_use_local_part
82   #transport = local_delivery
83
84
85 # ----- Transports -----
86
87 begin transports
88
89 local_delivery:
90   driver = appendfile
91   file = DIR/test-mail/$local_part
92   headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
93   user = CALLER
94
95 # nostaple: deliberately do not request cert-status
96 send_to_server1:
97   driver = smtp
98   allow_localhost
99   hosts = HOSTIPV4
100   port = PORT_D
101   tls_verify_certificates =     DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
102   tls_verify_cert_hostnames =
103   hosts_require_tls =   *
104   hosts_request_ocsp =  :
105   headers_add =                 X-TLS-out: ocsp status $tls_out_ocsp
106   event_action =                ${acl {logger}}
107
108 # norequire: request stapling but do not verify
109 send_to_server2:
110   driver = smtp
111   allow_localhost
112   hosts = HOSTIPV4
113   port = PORT_D
114   tls_verify_certificates =     DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
115   tls_verify_cert_hostnames =
116   hosts_require_tls =   *
117 # note no ocsp mention here
118   headers_add =                 X-TLS-out: ocsp status $tls_out_ocsp
119   event_action =                ${acl {logger}}
120
121 # (any other name): request and verify
122 send_to_server3:
123   driver = smtp
124   allow_localhost
125   hosts = 127.0.0.1
126   port = PORT_D
127   helo_data = helo.data.changed
128   tls_verify_certificates =     DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
129   tls_verify_cert_hostnames =
130   hosts_require_tls =   *
131   hosts_require_ocsp =  *
132   headers_add =                 X-TLS-out: ocsp status $tls_out_ocsp
133   event_action =                ${acl {logger}}
134
135 # (any other name): request and verify, ssl-on-connect
136 send_to_server4:
137   driver = smtp
138   allow_localhost
139   hosts = 127.0.0.1
140   port = PORT_D
141   helo_data = helo.data.changed
142   tls_verify_certificates =     DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
143   tls_verify_cert_hostnames =
144   protocol =           smtps
145   hosts_require_tls =  *
146   hosts_require_ocsp = *
147   headers_add =                 X-TLS-out: ocsp status $tls_out_ocsp
148   event_action =                ${acl {logger}}
149
150
151 # ----- Retry -----
152
153
154 begin retry
155
156 * * F,5d,1s
157
158
159 # End