From a7fec7a71987d40dc09601ae33902d0a761887b9 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 16 Oct 2014 19:11:45 +0100
Subject: Handle certificate dir under GnuTLS, if recent enough
Add testcases for certificate directories
The GnuTLS implementation has been tested on Fedora 21 (alpha), using GnuTLS 3.3.9. The testsuite case is here but with the script commented-out. When enabled, the log/mail/stdout/stderr files will be created fresh.
---
 test/confs/2132 | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 test/confs/2132
(limited to 'test/confs/2132')
diff --git a/test/confs/2132 b/test/confs/2132
new file mode 100644
index 000000000..069249322
--- /dev/null
+++ b/test/confs/2132
@@ -0,0 +1,74 @@
+# Exim test configuration 2132 (close copy of 2102)
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_recipient
+
+log_selector = +tls_peerdn
+
+queue_only
+queue_run_in_order
+
+tls_advertise_hosts = 127.0.0.1 : HOSTIPV4
+
+tls_certificate = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.pem
+tls_privatekey = DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key
+
+tls_verify_hosts = HOSTIPV4
+tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/certdir
+
+
+# ------ ACL ------
+
+begin acl
+
+check_recipient:
+ accept hosts = :
+ deny hosts = HOSTIPV4
+ !encrypted = AES256-SHA : \
+ AES256-GCM-SHA384 : \
+ IDEA-CBC-MD5 : \
+ DES-CBC3-SHA : \
+ DHE-RSA-AES256-SHA : \
+ DHE-RSA-AES256-GCM-SHA384 : \
+ DHE_RSA_AES_256_CBC_SHA1 : \
+ DHE_RSA_3DES_EDE_CBC_SHA
+ warn logwrite = ${if def:tls_in_ourcert \
+ {Our cert SN: <${certextract{subject}{$tls_in_ourcert}}>} \
+ {We did not present a cert}}
+ accept condition = ${if !def:tls_in_peercert}
+ logwrite = Peer did not present a cert
+ accept logwrite = SN <${certextract {subject} {$tls_in_peercert}}>
+
+
+# ----- Routers -----
+
+begin routers
+
+abc:
+ driver = accept
+ retry_use_local_part
+ transport = local_delivery
+ headers_add = tls-certificate-verified: $tls_certificate_verified
+
+
+# ----- Transports -----
+
+begin transports
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ headers_add = TLS: cipher=$tls_cipher peerdn=$tls_peerdn
+ user = CALLER
+
+# End
-- cgit v1.2.3
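Review bot: The header comment on the first line calls this a close copy of 2102 but does not say what differs, and the difference is the security-relevant one: `tls_verify_certificates` names a directory (`.../server1.example.com/certdir`) rather than a single CA bundle, which per the commit message only works with a sufficiently recent GnuTLS (3.3.9 is the version cited). Someone reading the config alone cannot tell why verification of HOSTIPV4 might fail or the case be skipped on an older build, so I would extend the header with `# Differs from 2102: tls_verify_certificates is a directory, which needs a GnuTLS build recent enough to load certificate directories`. The remaining settings, including the `!encrypted` cipher list in check_recipient, appear to be carried over from 2102 unchanged, so a one-line note at the top is enough.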