summaryrefslogtreecommitdiff
path: root/test/confs/5440
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-05-20 21:25:10 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-05-20 21:25:10 +0100
commite51c7be22dfccad376659a1a46cee93c9979bbf7 (patch)
tree3a6facf5bd5b51f1b3e21c62736ae04bc7504099 /test/confs/5440
parent2e6afa4f11972312d3dbb9bb1d4f4bf585a3cdd2 (diff)
Support optional server certificate name checking. Bug 1479
Enable EXPERIMENTAL_CERTNAMES to include.
Diffstat (limited to 'test/confs/5440')
-rw-r--r--test/confs/5440172
1 files changed, 172 insertions, 0 deletions
diff --git a/test/confs/5440 b/test/confs/5440
new file mode 100644
index 000000000..955641246
--- /dev/null
+++ b/test/confs/5440
@@ -0,0 +1,172 @@
+# Exim test configuration 2012
+# TLS client: verify certificate from server - fails
+
+SERVER=
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+FX = DIR/aux-fixed
+S1 = FX/exim-ca/example.com/server1.example.com
+
+CA1 = S1/ca_chain.pem
+CERT1 = S1/server1.example.com.pem
+KEY1 = S1/server1.example.com.unlocked.key
+CA2 = FX/cert2
+CERT2 = FX/cert2
+KEY2 = FX/cert2
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = +tls_peerdn+tls_certificate_verified
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
+tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
+
+tls_verify_hosts = *
+tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
+
+
+# ----- Routers -----
+
+begin routers
+
+server_dump:
+ driver = redirect
+ condition = ${if eq {SERVER}{server}{yes}{no}}
+ data = :blackhole:
+
+client_x:
+ driver = accept
+ local_parts = userx
+ retry_use_local_part
+ transport = send_to_server_failcert
+ errors_to = ""
+
+client_y:
+ driver = accept
+ local_parts = usery
+ retry_use_local_part
+ transport = send_to_server_retry
+
+client_z:
+ driver = accept
+ local_parts = userz
+ retry_use_local_part
+ transport = send_to_server_crypt
+
+client_q:
+ driver = accept
+ local_parts = userq
+ retry_use_local_part
+ transport = send_to_server_req_fail
+
+client_r:
+ driver = accept
+ local_parts = userr
+ retry_use_local_part
+ transport = send_to_server_req_failname
+
+client_s:
+ driver = accept
+ local_parts = users
+ retry_use_local_part
+ transport = send_to_server_req_passname
+
+
+# ----- Transports -----
+
+begin transports
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
+send_to_server_failcert:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+
+# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
+send_to_server_retry:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4 : 127.0.0.1
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = \
+ ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+
+# this will fail to verify the cert but continue unverified though crypted
+send_to_server_crypt:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ hosts_require_tls = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_try_verify_hosts = *
+
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+send_to_server_req_fail:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA2
+ tls_verify_hosts = *
+
+# this will fail to verify the cert name and fallback to unencrypted
+send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+# this will pass the cert verify including name check
+send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *
+
+# End