diff options
Diffstat (limited to 'test/confs/5665')
| -rw-r--r-- | test/confs/5665 | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/test/confs/5665 b/test/confs/5665 new file mode 100644 index 000000000..da6e5197a --- /dev/null +++ b/test/confs/5665 @@ -0,0 +1,101 @@ +# Exim test configuration 5652 +# OCSP stapling, server, multiple leaf-certs + +.include DIR/aux-var/tls_conf_prefix + +primary_hostname = server1.example.com + +# ----- Main settings ----- + +acl_smtp_mail = check_mail +acl_smtp_rcpt = check_recipient + +log_selector = +tls_peerdn + +queue_only +queue_run_in_order + +tls_advertise_hosts = * + +CADIR = DIR/aux-fixed/exim-ca +DRSA = CADIR/example.com +DECDSA = CADIR/example_ec.com + +tls_certificate = DRSA/server1.example.com/server1.example.com.pem \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.pem +tls_privatekey = DRSA/server1.example.com/server1.example.com.unlocked.key \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.unlocked.key +tls_ocsp_file = DRSA/server1.example.com/server1.example.com.ocsp.good.resp \ + : DECDSA/server1.example_ec.com/server1.example_ec.com.ocsp.good.resp + + +.ifdef _HAVE_GNUTLS +tls_require_ciphers = NORMAL:!VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.0 +.endif +.ifdef _OPT_OPENSSL_NO_TLSV1_3_X +openssl_options = +no_tlsv1_3 +.endif + +# ------ ACL ------ + +begin acl + +check_mail: + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + +check_recipient: + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = manualroute + condition = ${if !eq {SERVER}{server}} + route_list = * 127.0.0.1 + self = send + transport = remote_delivery + errors_to = "" + +srvr: + driver = accept + retry_use_local_part + transport = local_delivery + + +# ----- Transports ----- + +begin transports + +remote_delivery: + driver = smtp + port = PORT_D + hosts_require_tls = * +.ifdef _HAVE_GNUTLS + tls_require_ciphers = NONE:\ + ${if eq {SELECTOR}{auth_ecdsa} \ + {+SIGN-ECDSA-SHA512:+VERS-TLS-ALL:+KX-ALL:} \ + {+SIGN-RSA-SHA256:+VERS-TLS-ALL:+ECDHE-RSA:+DHE-RSA:+RSA:}}\ + +CIPHER-ALL:+MAC-ALL:+COMP-NULL:+CURVE-ALL:+CTYPE-X509 +.endif +.ifdef _HAVE_OPENSSL + tls_require_ciphers = ${if eq {SELECTOR}{auth_ecdsa} {ECDSA:RSA:!COMPLEMENTOFDEFAULT} {RSA}} +.endif + hosts_require_ocsp = * + tls_verify_certificates = CADIR/\ + ${if eq {SELECTOR}{auth_ecdsa} \ + {example_ec.com/server1.example_ec.com/ca_chain.pem}\ + {example.com/server1.example.com/ca_chain.pem}} + tls_verify_cert_hostnames = : + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# End |