Testcases for dane_require_tls_ciphers
[users/jgh/exim.git] / test / confs / 5821
1 # Exim test configuration 5821
2 # DANE/OpenSSL - ciphers option
3
4 SERVER=
5 OPT=
6
7 .include DIR/aux-var/tls_conf_prefix
8
9 primary_hostname = myhost.test.ex
10
11 # ----- Main settings -----
12
13 acl_smtp_rcpt = accept logwrite = "rcpt ACL"
14
15 log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified
16
17 tls_advertise_hosts = *
18
19 # Set certificate only if server
20 CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
21
22 tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem}fail}
23 tls_privatekey =  ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key}fail}
24
25 # Permit two specific ciphers
26 tls_require_ciphers = NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+CAMELLIA-256-GCM:+SIGN-ALL:+COMP-NULL
27
28 # ----- Routers -----
29 begin routers
30
31 client:
32   driver =              dnslookup
33   condition =           ${if eq {SERVER}{}}
34   dnssec_request_domains = *
35   self =                send
36   transport =           send_to_server
37   errors_to =           ""
38
39 server:
40   driver =              redirect
41   data =                :blackhole:
42
43 # ----- Transports -----
44 begin transports
45
46 send_to_server:
47   driver =                      smtp
48   allow_localhost
49   port =                        PORT_D
50   hosts_try_dane =              *
51   tls_verify_certificates =     CDIR2/ca_chain.pem
52
53   # Some commonly-available cipher, we hope
54   tls_require_ciphers =         NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL
55   dane_require_tls_ciphers =    OPT
56
57 # ----- Retry -----
58 begin retry
59 * * F,5d,10s
60
61 # End