ARC: limit verify chain to 50-deep
[users/heiko/exim.git] / test / confs / 5820
1 # Exim test configuration 5820
2 # DANE/GnuTLS
3
4 SERVER=
5
6 .include DIR/aux-var/tls_conf_prefix
7
8 primary_hostname = myhost.test.ex
9
10 # ----- Main settings -----
11
12 .ifndef OPT
13 acl_smtp_rcpt = accept logwrite = "rcpt ACL"
14 .else
15 acl_smtp_rcpt = accept verify = recipient/callout
16 .endif
17
18 log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
19
20 queue_run_in_order
21
22 tls_advertise_hosts = *
23 # needed to force generation
24 tls_dhparam = historic
25
26 # Set certificate only if server
27 CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
28 CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
29
30
31 tls_certificate = ${if eq {SERVER}{server} \
32         {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
33                 {CDIR2/fullchain.pem}\
34                 {CDIR1/fullchain.pem}}}\
35         fail}
36
37 tls_privatekey = ${if eq {SERVER}{server} \
38         {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
39                 {CDIR2/server1.example.com.unlocked.key}\
40                 {CDIR1/server1.example.net.unlocked.key}}}\
41         fail}
42
43 # ----- Routers -----
44
45 begin routers
46
47 client:
48   driver = dnslookup
49   condition = ${if eq {SERVER}{}}
50   dnssec_request_domains = *
51   self = send
52   transport = send_to_server
53   errors_to = ""
54
55 server:
56   driver = redirect
57   data = :blackhole:
58
59
60 # ----- Transports -----
61
62 begin transports
63
64 send_to_server:
65   driver = smtp
66   allow_localhost
67   port = PORT_D
68
69   hosts_try_dane =     *
70   hosts_require_dane = HOSTIPV4
71   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
72   tls_try_verify_hosts = thishost.test.ex
73   tls_verify_certificates = CDIR2/ca_chain.pem
74
75
76
77 # ----- Retry -----
78
79
80 begin retry
81
82 * * F,5d,10s
83
84
85 # End