summaryrefslogtreecommitdiff
path: root/test/confs
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-05-07 20:46:49 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2014-05-09 21:36:27 +0100
commit018058b21d17a988ed29cf31a7002da74b599d1a (patch)
tree13529249a6547ea48029f5fb2f183bce7e6b5ff3 /test/confs
parent80c974f8633781c6f10a196ed33e6cdce605bcd4 (diff)
Make $tls_out_ocsp visible to TPDA (mostly testsuite)
Diffstat (limited to 'test/confs')
-rw-r--r--test/confs/56008
-rw-r--r--test/confs/560116
-rw-r--r--test/confs/5608157
-rw-r--r--test/confs/56508
-rw-r--r--test/confs/565116
-rw-r--r--test/confs/5658161
6 files changed, 354 insertions, 12 deletions
diff --git a/test/confs/5600 b/test/confs/5600
index cd5f3c8e7..018ee3a78 100644
--- a/test/confs/5600
+++ b/test/confs/5600
@@ -40,10 +40,14 @@ tls_ocsp_file = OCSP
begin acl
check_connect:
- accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+ accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
check_mail:
- accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
check_recipient:
deny message = certificate not verified: peerdn=$tls_peerdn
diff --git a/test/confs/5601 b/test/confs/5601
index 7eb19f754..3e97fcbea 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -92,7 +92,9 @@ send_to_server1:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_request_ocsp = :
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
send_to_server2:
driver = smtp
@@ -102,7 +104,9 @@ send_to_server2:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
# note no ocsp mention here
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
send_to_server3:
driver = smtp
@@ -113,7 +117,9 @@ send_to_server3:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_require_ocsp = *
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
send_to_server4:
driver = smtp
@@ -125,7 +131,9 @@ send_to_server4:
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
- headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
# ----- Retry -----
diff --git a/test/confs/5608 b/test/confs/5608
new file mode 100644
index 000000000..55d9a2015
--- /dev/null
+++ b/test/confs/5608
@@ -0,0 +1,157 @@
+# Exim test configuration 5601
+# OCSP stapling, client, tpda
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+
+#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\
+
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
+logger:
+ warn logwrite = client ocsp status: $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ accept
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
+
+server:
+ driver = redirect
+ data = :blackhole:
+ #retry_use_local_part
+ #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# nostaple: deliberately do not request cert-status
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+# norequire: request stapling but do not verify
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+# (any other name): request and verify
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+# (any other name): request and verify, ssl-on-connect
+send_to_server4:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ protocol = smtps
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: ocsp status $tls_out_ocsp
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End
diff --git a/test/confs/5650 b/test/confs/5650
index 3d4a68ef3..2b8960366 100644
--- a/test/confs/5650
+++ b/test/confs/5650
@@ -41,10 +41,14 @@ tls_ocsp_file = OCSP
begin acl
check_connect:
- accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp
+ accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
check_mail:
- accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp
+ accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \
+ (${listextract {${eval:$tls_in_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
check_recipient:
accept
diff --git a/test/confs/5651 b/test/confs/5651
index 4a1989f43..6b70d33b2 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -90,7 +90,9 @@ send_to_server1:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_request_ocsp = :
- headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
send_to_server2:
driver = smtp
@@ -100,7 +102,9 @@ send_to_server2:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
# note no ocsp mention here
- headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
send_to_server3:
driver = smtp
@@ -112,7 +116,9 @@ send_to_server3:
tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
hosts_require_tls = *
hosts_require_ocsp = *
- headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
send_to_server4:
driver = smtp
@@ -125,7 +131,9 @@ send_to_server4:
protocol = smtps
hosts_require_tls = *
hosts_require_ocsp = *
- headers_add = X-TLS-out: OCSP status $tls_out_ocsp
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
# ----- Retry -----
diff --git a/test/confs/5658 b/test/confs/5658
new file mode 100644
index 000000000..e8f2494f6
--- /dev/null
+++ b/test/confs/5658
@@ -0,0 +1,161 @@
+# Exim test configuration 5658
+# OCSP stapling, client, tpda
+
+SERVER =
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = server1.example.com
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/SERVER%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = check_recipient
+acl_smtp_data = check_data
+
+log_selector = +tls_peerdn
+remote_max_parallel = 1
+
+tls_advertise_hosts = *
+
+# Set certificate only if server
+tls_certificate = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\
+fail\
+}
+tls_privatekey = ${if eq {SERVER}{server}\
+{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\
+fail}
+
+# from cmdline define
+tls_ocsp_file = OCSP
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept domains = +local_domains
+ deny message = relay not permitted
+
+check_data:
+ warn condition = ${if def:h_X-TLS-out:}
+ logwrite = client claims: $h_X-TLS-out:
+ accept
+
+logger:
+ warn logwrite = client ocsp status: $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ accept
+
+
+# ----- Routers -----
+
+begin routers
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ retry_use_local_part
+ transport = send_to_server${if eq{$local_part}{nostaple}{1} \
+ {${if eq{$local_part}{norequire} {2} \
+ {${if eq{$local_part}{smtps} {4}{3}}} \
+ }}}
+
+server:
+ driver = redirect
+ data = :blackhole:
+ #retry_use_local_part
+ #transport = local_delivery
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+send_to_server1:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_request_ocsp = :
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+send_to_server2:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+# note no ocsp mention here
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+send_to_server3:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+send_to_server4:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ helo_data = helo.data.changed
+ #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
+ tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+ protocol = smtps
+ hosts_require_tls = *
+ hosts_require_ocsp = *
+ headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
+ (${listextract {${eval:$tls_out_ocsp+1}} \
+ {notreq:notresp:vfynotdone:failed:verified}})
+ tpda_delivery_action = ${acl {logger}}
+ tpda_host_defer_action = ${acl {logger}}
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* * F,5d,1s
+
+
+# End