Log certificate verification status by default
[users/jgh/exim.git] / test / confs / 5750
1 # Exim test configuration 5750 (dup of 5760)
2 # $tls_out_peercert - GnuTLS
3
4 SERVER=
5
6 exim_path = EXIM_PATH
7 host_lookup_order = bydns
8 primary_hostname = myhost.test.ex
9 rfc1413_query_timeout = 0s
10 spool_directory = DIR/spool
11 log_file_path = DIR/spool/log/SERVER%slog
12 gecos_pattern = ""
13 gecos_name = CALLER_NAME
14 timezone = UTC
15
16 # ----- Main settings -----
17
18 acl_smtp_rcpt = accept
19
20 log_selector =  +tls_peerdn
21
22 queue_only
23 queue_run_in_order
24
25 tls_advertise_hosts = *
26
27 tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
28 tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
29
30 tls_verify_hosts = *
31 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
32
33 event_action = ${acl {server_cert_log}}
34
35 #
36
37 begin acl
38
39 server_cert_log:
40   accept condition = ${if eq {tls:cert}{$event_name}}
41          logwrite =  [$sender_host_address] \
42                         depth=$event_data \
43                         ${certextract{subject}{$tls_in_peercert}}
44   accept
45
46 ev_tls:
47   accept logwrite =  $event_name depth=$event_data \
48                         <${certextract {subject} {$tls_out_peercert}}>
49 #        message = noooo
50
51 ev_msg:
52   warn   logwrite =  $acl_arg1 $local_part
53   warn   logwrite =  ${if !def:tls_out_ourcert \
54                 {NO CLIENT CERT presented} \
55                 {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}}
56   accept condition = ${if !def:tls_out_peercert}
57          logwrite =  No Peer cert
58   accept logwrite = Peer cert:
59          logwrite =  ver <${certextract {version}       {$tls_out_peercert}}>
60          logwrite =  SN  <${certextract {subject}       {$tls_out_peercert}}>
61          logwrite =  SN; <${certextract {subject,>;}    {$tls_out_peercert}}>
62          logwrite =  SNCN<${certextract {subject,CN}    {$tls_out_peercert}}>
63          logwrite =  IN  <${certextract {issuer}        {$tls_out_peercert}}>
64          logwrite =  NB  <${certextract {notbefore}     {$tls_out_peercert}}>
65          logwrite =  NA  <${certextract {notafter}      {$tls_out_peercert}}>
66          logwrite =  SA  <${certextract {sig_algorithm} {$tls_out_peercert}}>
67          logwrite =  SG  <${certextract {signature}     {$tls_out_peercert}}>
68          logwrite =       ${certextract {subj_altname}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}
69 #        logwrite =       ${certextract {ocsp_uri}      {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
70          logwrite =       ${certextract {crl_uri}       {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
71
72 logger:
73   accept condition = ${if eq {msg} {${listextract{1}{$event_name}}}}
74          acl = ev_msg $event_name $acl_arg2
75   accept condition = ${if eq {tls} {${listextract{1}{$event_name}}}}
76          message =   ${acl {ev_tls}}
77   accept
78
79 # ----- Routers -----
80
81 begin routers
82
83 client:
84   driver = accept
85   condition = ${if eq {SERVER}{server}{no}{yes}}
86   retry_use_local_part
87   transport = send_to_server
88
89
90 # ----- Transports -----
91
92 begin transports
93
94 send_to_server:
95   driver = smtp
96   allow_localhost
97   hosts = 127.0.0.1
98   port = PORT_D
99
100   tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
101   tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
102
103   tls_verify_certificates = DIR/aux-fixed/exim-ca/\
104        ${if eq {$local_part}{good}\
105 {example.com/server1.example.com/ca_chain.pem}\
106 {example.net/server1.example.net/ca_chain.pem}}
107   tls_try_verify_hosts =
108   tls_verify_cert_hostnames =
109
110   event_action =   ${acl {logger} {$event_name} {$domain} }
111
112 # ----- Retry -----
113
114
115 begin retry
116
117 * * F,5d,10s
118
119
120 # End