+++ /dev/null
-# Exim test configuration 5608
-# OCSP stapling, client, events
-
-SERVER =
-
-exim_path = EXIM_PATH
-host_lookup_order = bydns
-primary_hostname = server1.example.com
-spool_directory = DIR/spool
-log_file_path = DIR/spool/log/SERVER%slog
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-
-
-# ----- Main settings -----
-
-domainlist local_domains = test.ex : *.test.ex
-
-acl_smtp_rcpt = check_recipient
-acl_smtp_data = check_data
-
-log_selector = +tls_peerdn
-remote_max_parallel = 1
-
-tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}\
-{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
-fail\
-}
-
-#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
-
-tls_privatekey = ${if eq {SERVER}{server}\
-{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
-fail}
-
-tls_ocsp_file = OCSP
-
-
-# ------ ACL ------
-
-begin acl
-
-check_recipient:
- accept domains = +local_domains
- deny message = relay not permitted
-
-check_data:
- warn condition = ${if def:h_X-TLS-out:}
- logwrite = client claims: $h_X-TLS-out:
- accept
-
-logger:
- accept condition = ${if !eq {msg} {${listextract{1}{$event_name}}}}
- warn logwrite = client ocsp status: $tls_out_ocsp \
- (${listextract {${eval:$tls_out_ocsp+1}} \
- {notreq:notresp:vfynotdone:failed:verified}})
- accept
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = accept
- condition = ${if eq {SERVER}{server}{no}{yes}}
- retry_use_local_part
- transport = send_to_server${if eq{$local_part}{nostaple}{1} \
- {${if eq{$local_part}{norequire} {2} \
- {${if eq{$local_part}{smtps} {4}{3}}} \
- }}}
-
-server:
- driver = redirect
- data = :blackhole:
- #retry_use_local_part
- #transport = local_delivery
-
-
-# ----- Transports -----
-
-begin transports
-
-local_delivery:
- driver = appendfile
- file = DIR/test-mail/$local_part
- headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
- user = CALLER
-
-# nostaple: deliberately do not request cert-status
-send_to_server1:
- driver = smtp
- allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
- tls_verify_cert_hostnames =
- hosts_require_tls = *
- hosts_request_ocsp = :
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
- event_action = ${acl {logger}}
-
-# norequire: request stapling but do not verify
-send_to_server2:
- driver = smtp
- allow_localhost
- hosts = HOSTIPV4
- port = PORT_D
- tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
- tls_verify_cert_hostnames =
- hosts_require_tls = *
-# note no ocsp mention here
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
- event_action = ${acl {logger}}
-
-# (any other name): request and verify
-send_to_server3:
- driver = smtp
- allow_localhost
- hosts = 127.0.0.1
- port = PORT_D
- helo_data = helo.data.changed
- tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
- tls_verify_cert_hostnames =
- hosts_require_tls = *
- hosts_require_ocsp = *
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
- event_action = ${acl {logger}}
-
-# (any other name): request and verify, ssl-on-connect
-send_to_server4:
- driver = smtp
- allow_localhost
- hosts = 127.0.0.1
- port = PORT_D
- helo_data = helo.data.changed
- tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
- tls_verify_cert_hostnames =
- protocol = smtps
- hosts_require_tls = *
- hosts_require_ocsp = *
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
- event_action = ${acl {logger}}
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,1s
-
-
-# End