Add tls_verify_hosts and tls_try_verify_hosts to smtp transport, GnuTLS.
# Exim test configuration 2112
# TLS client: verify certificate from server - fails
#
# Exercises the smtp-transport options tls_verify_hosts and
# tls_try_verify_hosts (client-side verification of the server's
# certificate).  The client trusts only cert2 while the server presents
# cert1, so verification fails; each transport below shows a different
# way of handling that failure (defer, retry elsewhere, stay encrypted
# but unverified, fall back to plaintext).
#
# Upper-case names that are never assigned in this file (EXIM_PATH, DIR,
# CALLER_NAME, HOSTIPV4, PORT_D) are presumably macros substituted by the
# test harness.  SERVER is empty for the client instance and is expected
# to be overridden to "server" for the listening instance -- see the
# ${if eq {SERVER}{server}...} expansions below.

SERVER=

exim_path = EXIM_PATH
host_lookup_order = bydns
primary_hostname = myhost.test.ex
# 0s disables ident (RFC 1413) callbacks.
rfc1413_query_timeout = 0s
spool_directory = DIR/spool
# SERVER is part of the log file name so the client and server instances
# keep separate logs; %s is replaced by the log type (main/reject/panic).
log_file_path = DIR/spool/log/SERVER%slog
gecos_pattern = ""
gecos_name = CALLER_NAME

# ----- Main settings -----

# Test-only: every RCPT is accepted without checks.
acl_smtp_rcpt = accept

# Log the peer certificate DN and whether it verified, so the expected
# output records the outcome of each verification attempt.
log_selector =  +tls_peerdn+tls_certificate_verified

# No immediate delivery; the test drives delivery via queue runs, in
# queue order, so results are deterministic.
queue_only
queue_run_in_order

# Offer STARTTLS to every connecting host.
tls_advertise_hosts = *

# Set certificate only if server
# On the client instance the ${if ... fail} expansions force an expansion
# failure, which presumably leaves these server-side options unset.

tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}

# Server side: every connecting client must present a certificate that
# verifies against cert2 -- the certificate the transports below send.
# Main-section tls_verify_hosts governs the *server*; the client-side
# option of the same name is set per transport in the transports section.
tls_verify_hosts = *
tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}

# ----- Routers -----

# Routers are tried in order for each recipient; the first one whose
# conditions match handles the address.
begin routers

# On the server instance every accepted recipient is discarded.  On the
# client instance (SERVER empty) the condition is "no", so this router is
# skipped and the client_* routers below are tried.
server_dump:
  driver = redirect
  condition = ${if eq {SERVER}{server}{yes}{no}}
  data = :blackhole:

# userx -> transport that requires TLS and cannot verify the server's
# certificate; the expected outcome is a failed delivery.
client_x:
  driver = accept
  local_parts = userx
  # Retry state is keyed on the full address, not just the domain.
  retry_use_local_part
  transport = send_to_server_failcert
  # Empty errors_to -- presumably so the expected failure does not
  # produce a bounce message; confirm against the test's expected output.
  errors_to = ""

# usery -> transport with a second host where verification succeeds;
# the expected outcome is a successful delivery after the first host fails.
client_y:
  driver = accept
  local_parts = usery
  # Retry state is keyed on the full address, not just the domain.
  retry_use_local_part
  transport = send_to_server_retry

# userz -> transport that tolerates a verification failure
# (tls_try_verify_hosts); delivery proceeds encrypted but unverified.
client_z:
  driver = accept
  local_parts = userz
  # Retry state is keyed on the full address, not just the domain.
  retry_use_local_part
  transport = send_to_server_crypt

# userq -> transport that requires verification but not TLS itself, so a
# verification failure falls back to an unencrypted session.
client_q:
  driver = accept
  local_parts = userq
  # Retry state is keyed on the full address, not just the domain.
  retry_use_local_part
  transport = send_to_server_req_fail


# ----- Transports -----

# Every transport below presents cert2 as its client certificate and
# trusts only cert2, while the server at HOSTIPV4 presents cert1, so the
# server's certificate never verifies there.  The transports differ in
# whether TLS is mandatory (hosts_require_tls) and in which of
# tls_verify_hosts / tls_try_verify_hosts decides what a verification
# failure means.
begin transports

# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
# Neither tls_verify_hosts nor tls_try_verify_hosts is set, so the
# transport's default handling of a verification failure applies.
# Because TLS is mandatory for this host, the failure ends the delivery
# attempt instead of being downgraded to a plaintext session.
send_to_server_failcert:
  driver = smtp
  # Delivering to an address that resolves to this host is normally
  # refused as a mail loop; the test talks to itself.
  allow_localhost
  hosts = HOSTIPV4
  # TLS is mandatory for this host: a TLS failure is a delivery failure,
  # never a fallback to plaintext.
  hosts_require_tls = HOSTIPV4
  port = PORT_D
  tls_certificate = DIR/aux-fixed/cert2
  tls_verify_certificates = DIR/aux-fixed/cert2

# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
# Two hosts are listed.  At HOSTIPV4 the trusted CA is cert2, so the
# server's cert1 fails to verify and TLS is mandatory there, so the
# attempt fails.  At 127.0.0.1 the trusted CA is cert1 -- the certificate
# the server actually presents -- so verification succeeds.
send_to_server_retry:
  driver = smtp
  # Delivering to an address that resolves to this host is normally
  # refused as a mail loop; the test talks to itself.
  allow_localhost
  hosts = HOSTIPV4 : 127.0.0.1
  # TLS is mandatory only for HOSTIPV4; 127.0.0.1 is not in this list, so
  # a TLS problem there would presumably be allowed to fall back to
  # plaintext.  The test expects 127.0.0.1 to verify cleanly.
  hosts_require_tls = HOSTIPV4
  port = PORT_D
  tls_certificate = DIR/aux-fixed/cert2
  # The trusted CA is chosen per host address: cert1 for the loopback
  # host (verifies), cert2 for HOSTIPV4 (does not verify).
  tls_verify_certificates = \
    ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}}

# this will fail to verify the cert but continue unverified though crypted
# tls_try_verify_hosts makes verification best-effort: the server's
# certificate is checked against cert2, the check fails, and the session
# continues encrypted anyway.  hosts_require_tls keeps the session from
# ever being plaintext; the +tls_certificate_verified log selector in the
# main section is what records that this delivery was not verified.
send_to_server_crypt:
  driver = smtp
  # Delivering to an address that resolves to this host is normally
  # refused as a mail loop; the test talks to itself.
  allow_localhost
  hosts = HOSTIPV4
  # TLS is mandatory for this host; only verification is optional.
  hosts_require_tls = HOSTIPV4
  port = PORT_D
  tls_certificate = DIR/aux-fixed/cert2
  tls_verify_certificates = DIR/aux-fixed/cert2
  # Attempt verification for every host but tolerate failure.
  tls_try_verify_hosts = *

# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
# tls_verify_hosts makes a verification failure a TLS failure, but unlike
# send_to_server_failcert there is no hosts_require_tls here, so a TLS
# failure is not a delivery failure: the transport falls back to an
# unencrypted session.  This is the downgrade the test deliberately
# exercises.  Outside a test, pair tls_verify_hosts with
# hosts_require_tls (as send_to_server_failcert does) whenever a
# verification failure must not result in plaintext delivery.
send_to_server_req_fail:
  driver = smtp
  # Delivering to an address that resolves to this host is normally
  # refused as a mail loop; the test talks to itself.
  allow_localhost
  hosts = HOSTIPV4
  port = PORT_D
  tls_certificate = DIR/aux-fixed/cert2
  tls_verify_certificates = DIR/aux-fixed/cert2
  # Verification is required for every host; failure abandons TLS.
  tls_verify_hosts = *

# End