Add event for inbound cert visibility
[users/jgh/exim.git] / test / confs / 5750
1 # Exim test configuration 5750 (dup of 5760)
2 # $tls_out_peercert - GnuTLS
3
4 SERVER=
5
6 exim_path = EXIM_PATH
7 host_lookup_order = bydns
8 primary_hostname = myhost.test.ex
9 rfc1413_query_timeout = 0s
10 spool_directory = DIR/spool
11 log_file_path = DIR/spool/log/SERVER%slog
12 gecos_pattern = ""
13 gecos_name = CALLER_NAME
14
15 # ----- Main settings -----
16
17 acl_smtp_rcpt = accept
18
19 log_selector =  +tls_peerdn
20
21 queue_only
22 queue_run_in_order
23
24 tls_advertise_hosts = *
25
26 tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
27 tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
28
29 tls_verify_hosts = *
30 tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem
31
32 event_action = ${acl {server_cert_log}}
33
34 #
35
36 begin acl
37
38 server_cert_log:
39   accept condition = ${if eq {tls:cert}{$event_name}}
40          logwrite =  [$sender_host_address] \
41                         depth=$event_data \
42                         ${certextract{subject}{$tls_in_peercert}}
43   accept
44
45 ev_tls:
46   accept logwrite =  $event_name depth=$event_data \
47                         <${certextract {subject} {$tls_out_peercert}}>
48 #        message = noooo
49
50 ev_msg:
51   warn   logwrite =  $acl_arg1 $local_part
52   warn   logwrite =  ${if !def:tls_out_ourcert \
53                 {NO CLIENT CERT presented} \
54                 {Our cert SN: ${certextract{subject}{$tls_out_ourcert}}}}
55   accept condition = ${if !def:tls_out_peercert}
56          logwrite =  No Peer cert
57   accept logwrite = Peer cert:
58          logwrite =  ver <${certextract {version}       {$tls_out_peercert}}>
59          logwrite =  SN  <${certextract {subject}       {$tls_out_peercert}}>
60          logwrite =  IN  <${certextract {issuer}        {$tls_out_peercert}}>
61          logwrite =  NB  <${certextract {notbefore}     {$tls_out_peercert}}>
62          logwrite =  NA  <${certextract {notafter}      {$tls_out_peercert}}>
63          logwrite =  SA  <${certextract {sig_algorithm} {$tls_out_peercert}}>
64          logwrite =  SG  <${certextract {signature}     {$tls_out_peercert}}>
65          logwrite =       ${certextract {subj_altname}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}
66 #        logwrite =       ${certextract {ocsp_uri}      {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
67          logwrite =       ${certextract {crl_uri}       {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
68
69 logger:
70   accept condition = ${if eq {msg} {${listextract{1}{$event_name}}}}
71          acl = ev_msg $event_name $acl_arg2
72   accept condition = ${if eq {tls} {${listextract{1}{$event_name}}}}
73          message =   ${acl {ev_tls}}
74   accept
75
76 # ----- Routers -----
77
78 begin routers
79
80 client:
81   driver = accept
82   condition = ${if eq {SERVER}{server}{no}{yes}}
83   retry_use_local_part
84   transport = send_to_server
85
86
87 # ----- Transports -----
88
89 begin transports
90
91 send_to_server:
92   driver = smtp
93   allow_localhost
94   hosts = 127.0.0.1
95   port = PORT_D
96
97   tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
98   tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
99
100   tls_verify_certificates = DIR/aux-fixed/exim-ca/\
101        ${if eq {$local_part}{good}\
102 {example.com/server1.example.com/ca_chain.pem}\
103 {example.net/server1.example.net/ca_chain.pem}}
104
105   event_action =   ${acl {logger} {$event_name} {$domain} }
106
107 # ----- Retry -----
108
109
110 begin retry
111
112 * * F,5d,10s
113
114
115 # End