DANE: Remove fallback from hosts_try_dane. If TLSA record not retrieved,
[users/jgh/exim.git] / test / confs / 5600
1 # Exim test configuration 5600
2 # OCSP stapling, server
3
4 CRL=
5
6 exim_path = EXIM_PATH
7 keep_environment =
8 host_lookup_order = bydns
9 primary_hostname = server1.example.com
10 spool_directory = DIR/spool
11 log_file_path = DIR/spool/log/%slog
12 gecos_pattern = ""
13 gecos_name = CALLER_NAME
14
15 # ----- Main settings -----
16
17 acl_smtp_connect = check_connect
18 acl_smtp_mail = check_mail
19 acl_smtp_rcpt = check_recipient
20
21 log_selector = +tls_peerdn
22
23 queue_only
24 queue_run_in_order
25
26 tls_advertise_hosts = *
27
28 tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
29 tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
30
31 tls_verify_hosts = HOSTIPV4
32 tls_try_verify_hosts = *
33 tls_verify_certificates = DIR/aux-fixed/cert2
34 tls_crl = CRL
35 tls_ocsp_file = OCSP
36
37
38 # ------ ACL ------
39
40 begin acl
41
42 check_connect:
43   accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
44     (${listextract {${eval:$tls_in_ocsp+1}} \
45                 {notreq:notresp:vfynotdone:failed:verified}})
46
47 check_mail:
48   accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
49     (${listextract {${eval:$tls_in_ocsp+1}} \
50                 {notreq:notresp:vfynotdone:failed:verified}})
51
52 check_recipient:
53   deny     message = certificate not verified: peerdn=$tls_peerdn
54          ! verify = certificate
55   accept
56
57
58 # ----- Routers -----
59
60 begin routers
61
62 abc:
63   driver = accept
64   retry_use_local_part
65   transport = local_delivery
66
67
68 # ----- Transports -----
69
70 begin transports
71
72 local_delivery:
73   driver = appendfile
74   file = DIR/test-mail/$local_part
75   headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
76   user = CALLER
77
78 # End