log_file_path = DIR/spool/log/SERVER%slog
gecos_pattern = ""
gecos_name = CALLER_NAME
+timezone = UTC
# ----- Main settings -----
tls_verify_hosts = *
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
+event_action = ${acl {server_cert_log}}
+
#
begin acl
+server_cert_log:
+ accept condition = ${if eq {tls:cert}{$event_name}}
+ logwrite = [$sender_host_address] \
+ depth=$event_data \
+ ${certextract{subject}{$tls_in_peercert}}
+ accept
+
ev_tls:
accept logwrite = $event_name depth=$event_data \
<${certextract {subject} {$tls_out_peercert}}>
accept logwrite = Peer cert:
logwrite = ver <${certextract {version} {$tls_out_peercert}}>
logwrite = SN <${certextract {subject} {$tls_out_peercert}}>
+ logwrite = SN; <${certextract {subject,>;} {$tls_out_peercert}}>
+ logwrite = SNCN<${certextract {subject,CN} {$tls_out_peercert}}>
logwrite = IN <${certextract {issuer} {$tls_out_peercert}}>
logwrite = NB <${certextract {notbefore} {$tls_out_peercert}}>
logwrite = NA <${certextract {notafter} {$tls_out_peercert}}>
${if eq {$local_part}{good}\
{example.com/server1.example.com/ca_chain.pem}\
{example.net/server1.example.net/ca_chain.pem}}
+ tls_try_verify_hosts =
+ tls_verify_cert_hostnames =
event_action = ${acl {logger} {$event_name} {$domain} }