diff options
Diffstat (limited to 'test/confs')
| -rw-r--r-- | test/confs/2002 | 3 | ||||
| -rw-r--r-- | test/confs/2102 | 5 | ||||
| -rw-r--r-- | test/confs/5600 | 8 | ||||
| -rw-r--r-- | test/confs/5601 | 16 | ||||
| -rw-r--r-- | test/confs/5608 | 157 | ||||
| -rw-r--r-- | test/confs/5650 | 8 | ||||
| -rw-r--r-- | test/confs/5651 | 16 | ||||
| -rw-r--r-- | test/confs/5658 | 161 |
8 files changed, 359 insertions, 15 deletions
diff --git a/test/confs/2002 b/test/confs/2002 index dfb4feef5..178265d65 100644 --- a/test/confs/2002 +++ b/test/confs/2002 @@ -58,8 +58,9 @@ check_recipient: logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}} # logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} - logwrite = md5 fingerprint ${md5:$tls_in_peercert} + logwrite = md5 fingerprint ${md5:$tls_in_peercert} logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} # ----- Routers ----- diff --git a/test/confs/2102 b/test/confs/2102 index 6f29298b1..3d5e51ae6 100644 --- a/test/confs/2102 +++ b/test/confs/2102 @@ -59,8 +59,9 @@ check_recipient: logwrite = ${certextract {subj_altname} {$tls_in_peercert} {SAN <$value>}{(no SAN)}} logwrite = ${certextract {ocsp_uri} {$tls_in_peercert} {OCU <$value>}{(no OCU)}} logwrite = ${certextract {crl_uri} {$tls_in_peercert} {CRU <$value>}{(no CRU)}} - logwrite = md5 fingerprint ${md5:$tls_in_peercert} - logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = md5 fingerprint ${md5:$tls_in_peercert} + logwrite = sha1 fingerprint ${sha1:$tls_in_peercert} + logwrite = sha256 fingerprint ${sha256:$tls_in_peercert} # ----- Routers ----- diff --git a/test/confs/5600 b/test/confs/5600 index cd5f3c8e7..018ee3a78 100644 --- a/test/confs/5600 +++ b/test/confs/5600 @@ -40,10 +40,14 @@ tls_ocsp_file = OCSP begin acl check_connect: - accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_mail: - accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_recipient: deny message = certificate not verified: peerdn=$tls_peerdn diff --git a/test/confs/5601 b/test/confs/5601 index 7eb19f754..3e97fcbea 100644 --- a/test/confs/5601 +++ b/test/confs/5601 @@ -92,7 +92,9 @@ send_to_server1: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_request_ocsp = : - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server2: driver = smtp @@ -102,7 +104,9 @@ send_to_server2: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * # note no ocsp mention here - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server3: driver = smtp @@ -113,7 +117,9 @@ send_to_server3: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server4: driver = smtp @@ -125,7 +131,9 @@ send_to_server4: protocol = smtps hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: ocsp status $tls_out_ocsp + headers_add = X-TLS-out: ocsp status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) # ----- Retry ----- diff --git a/test/confs/5608 b/test/confs/5608 new file mode 100644 index 000000000..55d9a2015 --- /dev/null +++ b/test/confs/5608 @@ -0,0 +1,157 @@ +# Exim test configuration 5601 +# OCSP stapling, client, tpda + +SERVER = + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + +log_selector = +tls_peerdn +remote_max_parallel = 1 + +tls_advertise_hosts = * + +# Set certificate only if server + +tls_certificate = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ +fail\ +} + +#{DIR/aux-fixed/exim-ca/example.com/CA/CA.pem}\ + +tls_privatekey = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ +fail} + +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +logger: + warn logwrite = client ocsp status: $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + accept + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server${if eq{$local_part}{nostaple}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} + +server: + driver = redirect + data = :blackhole: + #retry_use_local_part + #transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +# nostaple: deliberately do not request cert-status +send_to_server1: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# norequire: request stapling but do not verify +send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# (any other name): request and verify +send_to_server3: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +# (any other name): request and verify, ssl-on-connect +send_to_server4: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + protocol = smtps + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: ocsp status $tls_out_ocsp + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End diff --git a/test/confs/5650 b/test/confs/5650 index 3d4a68ef3..2b8960366 100644 --- a/test/confs/5650 +++ b/test/confs/5650 @@ -41,10 +41,14 @@ tls_ocsp_file = OCSP begin acl check_connect: - accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp + accept logwrite = acl_conn: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_mail: - accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp + accept logwrite = acl_mail: ocsp in status: $tls_in_ocsp \ + (${listextract {${eval:$tls_in_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) check_recipient: accept diff --git a/test/confs/5651 b/test/confs/5651 index 4a1989f43..6b70d33b2 100644 --- a/test/confs/5651 +++ b/test/confs/5651 @@ -90,7 +90,9 @@ send_to_server1: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_request_ocsp = : - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server2: driver = smtp @@ -100,7 +102,9 @@ send_to_server2: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * # note no ocsp mention here - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server3: driver = smtp @@ -112,7 +116,9 @@ send_to_server3: tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) send_to_server4: driver = smtp @@ -125,7 +131,9 @@ send_to_server4: protocol = smtps hosts_require_tls = * hosts_require_ocsp = * - headers_add = X-TLS-out: OCSP status $tls_out_ocsp + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) # ----- Retry ----- diff --git a/test/confs/5658 b/test/confs/5658 new file mode 100644 index 000000000..e8f2494f6 --- /dev/null +++ b/test/confs/5658 @@ -0,0 +1,161 @@ +# Exim test configuration 5658 +# OCSP stapling, client, tpda + +SERVER = + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = server1.example.com +rfc1413_query_timeout = 0s +spool_directory = DIR/spool +log_file_path = DIR/spool/log/SERVER%slog +gecos_pattern = "" +gecos_name = CALLER_NAME + + +# ----- Main settings ----- + +domainlist local_domains = test.ex : *.test.ex + +acl_smtp_rcpt = check_recipient +acl_smtp_data = check_data + +log_selector = +tls_peerdn +remote_max_parallel = 1 + +tls_advertise_hosts = * + +# Set certificate only if server +tls_certificate = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem}\ +fail\ +} +tls_privatekey = ${if eq {SERVER}{server}\ +{DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key}\ +fail} + +# from cmdline define +tls_ocsp_file = OCSP + + +# ------ ACL ------ + +begin acl + +check_recipient: + accept domains = +local_domains + deny message = relay not permitted + +check_data: + warn condition = ${if def:h_X-TLS-out:} + logwrite = client claims: $h_X-TLS-out: + accept + +logger: + warn logwrite = client ocsp status: $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + accept + + +# ----- Routers ----- + +begin routers + +client: + driver = accept + condition = ${if eq {SERVER}{server}{no}{yes}} + retry_use_local_part + transport = send_to_server${if eq{$local_part}{nostaple}{1} \ + {${if eq{$local_part}{norequire} {2} \ + {${if eq{$local_part}{smtps} {4}{3}}} \ + }}} + +server: + driver = redirect + data = :blackhole: + #retry_use_local_part + #transport = local_delivery + + +# ----- Transports ----- + +begin transports + +local_delivery: + driver = appendfile + file = DIR/test-mail/$local_part + headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn + user = CALLER + +send_to_server1: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_request_ocsp = : + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server2: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * +# note no ocsp mention here + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server3: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + +send_to_server4: + driver = smtp + allow_localhost + hosts = 127.0.0.1 + port = PORT_D + helo_data = helo.data.changed + #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem + tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem + protocol = smtps + hosts_require_tls = * + hosts_require_ocsp = * + headers_add = X-TLS-out: OCSP status $tls_out_ocsp \ + (${listextract {${eval:$tls_out_ocsp+1}} \ + {notreq:notresp:vfynotdone:failed:verified}}) + tpda_delivery_action = ${acl {logger}} + tpda_host_defer_action = ${acl {logger}} + + +# ----- Retry ----- + + +begin retry + +* * F,5d,1s + + +# End |