taint-enforce DB filenames
[users/jgh/exim.git] / test / confs / 5600
1 # Exim test configuration 5600
2 # OCSP stapling, server
3
4 CRL=
5
6 .include DIR/aux-var/tls_conf_prefix
7
8 primary_hostname = server1.example.com
9
10 # ----- Main settings -----
11
12 acl_smtp_connect = check_connect
13 acl_smtp_mail = check_mail
14 acl_smtp_rcpt = check_recipient
15
16 log_selector = +tls_peerdn
17
18 queue_only
19 queue_run_in_order
20
21 tls_advertise_hosts = *
22
23 tls_certificate = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem
24 tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
25
26 tls_verify_hosts = HOSTIPV4
27 tls_try_verify_hosts = *
28 tls_verify_certificates = DIR/aux-fixed/cert2
29 tls_crl = CRL
30 tls_ocsp_file = RETURN
31
32
33 # ------ ACL ------
34
35 begin acl
36
37 check_connect:
38   accept   logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
39     (${listextract {${eval:$tls_in_ocsp+1}} \
40                 {notreq:notresp:vfynotdone:failed:verified}})
41
42 check_mail:
43   accept   logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
44     (${listextract {${eval:$tls_in_ocsp+1}} \
45                 {notreq:notresp:vfynotdone:failed:verified}})
46
47 check_recipient:
48   deny     message = certificate not verified: peerdn=$tls_peerdn
49          ! verify = certificate
50   accept
51
52
53 # ----- Routers -----
54
55 begin routers
56
57 abc:
58   driver = accept
59   retry_use_local_part
60   transport = local_delivery
61
62
63 # ----- Transports -----
64
65 begin transports
66
67 local_delivery:
68   driver = appendfile
69   file = DIR/test-mail/${bless:$local_part}
70   headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
71   user = CALLER
72
73 # End