X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/bf7aabb41b04efb076bed9de84b15b03f3006073..7044dd8fd62e215572ecf5a2c7f1bb9581cf6628:/test/confs/5840 diff --git a/test/confs/5840 b/test/confs/5840 index 0447ce36d..1b3b122b3 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -1,45 +1,51 @@ # Exim test configuration 5840 -# DANE +# DANE/OpenSSL SERVER= +CONTROL= * + +.include DIR/aux-var/tls_conf_prefix -exim_path = EXIM_PATH -host_lookup_order = bydns primary_hostname = myhost.test.ex -spool_directory = DIR/spool -log_file_path = DIR/spool/log/SERVER%slog -gecos_pattern = "" -gecos_name = CALLER_NAME # ----- Main settings ----- .ifndef OPT -acl_smtp_rcpt = accept +acl_smtp_rcpt = accept logwrite = "rcpt ACL" .else acl_smtp_rcpt = accept verify = recipient/callout .endif -log_selector = +received_recipients +tls_peerdn +tls_certificate_verified +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified \ + +tls_sni queue_run_in_order tls_advertise_hosts = * # Set certificate only if server -CDIR1 = DIR/aux-fixed +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com +.ifdef CERT +tls_certificate = CERT +.else tls_certificate = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/fullchain.pem}\ - {CDIR1/cert1}}}\ + {CDIR1/fullchain.pem}}}\ fail} +.endif +.ifdef ALLOW +tls_privatekey = ALLOW +.else tls_privatekey = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/cert1}}}\ + {CDIR1/server1.example.net.unlocked.key}}}\ fail} +.endif # ----- Routers ----- @@ -51,6 +57,7 @@ client: dnssec_request_domains = * self = send transport = send_to_server + errors_to = "" server: driver = redirect @@ -65,16 +72,13 @@ send_to_server: driver = smtp allow_localhost port = PORT_D + hosts_try_fastopen = : - hosts_verify_avoid_tls = : - hosts_try_dane = * - hosts_require_dane = !thishost.test.ex - hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \ - {= {0}{$tls_out_tlsa_usage}} } \ - {*}{}} + hosts_try_dane = CONTROL + hosts_require_dane = HOSTIPV4 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} tls_try_verify_hosts = thishost.test.ex - tls_verify_certificates = CDIR2/ca_chain.pem + tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}