diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2017-12-19 22:14:18 +0000 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2017-12-19 22:14:18 +0000 |
| commit | d4fd1b83a197d73cbac114fe53f3448d8b5c7cc2 (patch) | |
| tree | 595ac359ff45f8e9f8b29f6432cb088a17cf7a88 /test/confs | |
| parent | 3721c5545411010ffbea82fc58b883664d07e865 (diff) | |
| parent | b4ad78623875988d016ff816dc6c9c382be897f9 (diff) | |
Merge branch '4.next'
Diffstat (limited to 'test/confs')
| -rw-r--r-- | test/confs/2014 | 6 | ||||
| -rw-r--r-- | test/confs/2114 | 2 | ||||
| -rw-r--r-- | test/confs/3700 | 4 | ||||
| l--------- | test/confs/4504 | 1 | ||||
| -rw-r--r-- | test/confs/5652 | 83 | ||||
| -rw-r--r-- | test/confs/5820 | 52 | ||||
| -rw-r--r-- | test/confs/5840 | 22 | ||||
| -rw-r--r-- | test/confs/5860 | 14 |
8 files changed, 143 insertions, 41 deletions
diff --git a/test/confs/2014 b/test/confs/2014 index f9e2e6a22..a50a875cf 100644 --- a/test/confs/2014 +++ b/test/confs/2014 @@ -22,7 +22,7 @@ tls_privatekey = DIR/aux-fixed/cert1 tls_verify_hosts = HOSTIPV4 tls_try_verify_hosts = * -tls_verify_certificates = DIR/aux-fixed/cert2 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_crl = CRL @@ -31,7 +31,7 @@ tls_crl = CRL begin acl check_recipient: - deny message = certificate not verified: peerdn=$tls_peerdn + deny message = certificate not verified: peerdn=$tls_in_peerdn ! verify = certificate accept @@ -53,7 +53,7 @@ begin transports local_delivery: driver = appendfile file = DIR/test-mail/$local_part - headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_in_peerdn user = CALLER # End diff --git a/test/confs/2114 b/test/confs/2114 index 398e2135d..557479dc9 100644 --- a/test/confs/2114 +++ b/test/confs/2114 @@ -22,7 +22,7 @@ tls_privatekey = DIR/aux-fixed/cert1 tls_verify_hosts = HOSTIPV4 tls_try_verify_hosts = * -tls_verify_certificates = DIR/aux-fixed/cert2 +tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem tls_crl = CRL diff --git a/test/confs/3700 b/test/confs/3700 index 94bd26ebd..00a17b497 100644 --- a/test/confs/3700 +++ b/test/confs/3700 @@ -9,6 +9,7 @@ log_selector = +received_recipients +outgoing_port # ----- Main settings ----- +acl_smtp_auth = log_call acl_smtp_mail = check_authd acl_smtp_rcpt = check_authd queue_only @@ -27,6 +28,9 @@ tls_verify_certificates = DIR/aux-fixed/cert2 begin acl +log_call: + accept logwrite = Auth ACL called, after smtp cmd "$smtp_command" + check_authd: deny message = authentication required !authenticated = * diff --git a/test/confs/4504 b/test/confs/4504 new file mode 120000 index 000000000..da89833c9 --- /dev/null +++ b/test/confs/4504 @@ -0,0 +1 @@ +4503
\ No newline at end of file diff --git a/test/confs/5652 b/test/confs/5652 new file mode 100644 index 000000000..13c8d8617 --- /dev/null +++ b/test/confs/5652 @@ -0,0 +1,83 @@ +# Exim test configuration 5652 +# OCSP stapling, server, multiple certs + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = server1.example.com + +# ----- Main settings ----- + +acl_smtp_mail = check_mail +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +CADIR = DIR/aux-fixed/exim-ca +DRSA = CADIR/example.com +DECDSA = CADIR/example_ec.com + +tls_certificate = DRSA/server1.example.com/server1.example.com.pem \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.pem +tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key +tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp + + + +# ------ ACL ------ + +begin acl + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_recipient: + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = manualroute + condition = ${if !eq {SERVER}{server}} + route_list = * 127.0.0.1 + self = send + transport = remote_delivery + errors_to = "" + +srvr: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +remote_delivery: + driver = smtp + port = PORT_D + hosts_require_tls = * + tls_require_ciphers = OPT + hosts_require_ocsp = * + tls_verify_certificates = CERT + tls_verify_cert_hostnames = : + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End diff --git a/test/confs/5820 b/test/confs/5820 index 6c2f26ce0..d4dce2f85 100644 --- a/test/confs/5820 +++ b/test/confs/5820 @@ -1,19 +1,22 @@ -# Exim test configuration 5800 -# DANE +# Exim test configuration 5820 +# DANE/GnuTLS SERVER= -.include DIR/aux-var/std_conf_prefix +.include DIR/aux-var/tls_conf_prefix primary_hostname = myhost.test.ex # ----- Main settings ----- -acl_smtp_rcpt = accept +.ifndef OPT +acl_smtp_rcpt = accept logwrite = "rcpt ACL" +.else +acl_smtp_rcpt = accept verify = recipient/callout +.endif -log_selector = +tls_peerdn +log_selector = +received_recipients +tls_peerdn +tls_certificate_verified -queue_only queue_run_in_order tls_advertise_hosts = * @@ -21,23 +24,33 @@ tls_advertise_hosts = * tls_dhparam = historic # Set certificate only if server +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net +CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -#tls_verify_hosts = * -#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} +tls_certificate = ${if eq {SERVER}{server} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/fullchain.pem}\ + {CDIR1/fullchain.pem}}}\ + fail} +tls_privatekey = ${if eq {SERVER}{server} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ + {CDIR2/server1.example.com.unlocked.key}\ + {CDIR1/server1.example.net.unlocked.key}}}\ + fail} # ----- Routers ----- begin routers client: - driver = accept - condition = ${if eq {SERVER}{server}{no}{yes}} - retry_use_local_part + driver = dnslookup + condition = ${if eq {SERVER}{}} + dnssec_request_domains = * + self = send transport = send_to_server + errors_to = "" server: driver = redirect @@ -51,11 +64,14 @@ begin transports send_to_server: driver = smtp allow_localhost - hosts = 127.0.0.1 - port = PORT_D -# tls_certificate = DIR/aux-fixed/cert2 -# tls_privatekey = DIR/aux-fixed/cert2 -# tls_verify_certificates = DIR/aux-fixed/cert2 + port = ${if match {$host}{\Ntest.ex$\N} {PORT_D}{25}} + + hosts_try_dane = * + hosts_require_dane = HOSTIPV4 + tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} + tls_try_verify_hosts = thishost.test.ex + tls_verify_certificates = CDIR2/ca_chain.pem + # ----- Retry ----- diff --git a/test/confs/5840 b/test/confs/5840 index 01c114252..10ca2111b 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -1,5 +1,5 @@ # Exim test configuration 5840 -# DANE +# DANE/OpenSSL SERVER= @@ -10,7 +10,7 @@ primary_hostname = myhost.test.ex # ----- Main settings ----- .ifndef OPT -acl_smtp_rcpt = accept +acl_smtp_rcpt = accept logwrite = "rcpt ACL" .else acl_smtp_rcpt = accept verify = recipient/callout .endif @@ -22,20 +22,28 @@ queue_run_in_order tls_advertise_hosts = * # Set certificate only if server -CDIR1 = DIR/aux-fixed +CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com +.ifdef CERT +tls_certificate = CERT +.else tls_certificate = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/fullchain.pem}\ - {CDIR1/cert1}}}\ + {CDIR1/fullchain.pem}}}\ fail} +.endif +.ifdef ALLOW +tls_privatekey = ALLOW +.else tls_privatekey = ${if eq {SERVER}{server} \ - {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}}} \ + {${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \ {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/cert1}}}\ + {CDIR1/server1.example.net.unlocked.key}}}\ fail} +.endif # ----- Routers ----- diff --git a/test/confs/5860 b/test/confs/5860 index 81eb5a16d..df9115129 100644 --- a/test/confs/5860 +++ b/test/confs/5860 @@ -19,20 +19,10 @@ queue_run_in_order tls_advertise_hosts = * # Set certificate only if server -CDIR1 = DIR/aux-fixed CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com -tls_certificate = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ - {CDIR2/fullchain.pem}\ - {CDIR1/cert1}}}\ - fail} - -tls_privatekey = ${if eq {SERVER}{server} \ - {${if eq {DETAILS}{ta} \ - {CDIR2/server1.example.com.unlocked.key}\ - {CDIR1/cert1}}}\ - fail} +tls_certificate = ${if eq {SERVER}{server} {CDIR2/fullchain.pem} fail} +tls_privatekey = ${if eq {SERVER}{server} {CDIR2/server1.example.com.unlocked.key} fail} begin acl |