blob: e05197980dd7cf1dc926138829ab50db263bdd70 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
# Exim test configuration 2133
# TLS client: verify certificate from server - name-fails
SERVER=
exim_path = EXIM_PATH
host_lookup_order = bydns
primary_hostname = myhost.test.ex
spool_directory = DIR/spool
log_file_path = DIR/spool/log/SERVER%slog
gecos_pattern = ""
gecos_name = CALLER_NAME
FX = DIR/aux-fixed
S1 = FX/exim-ca/example.com/server1.example.com
CA1 = S1/ca_chain.pem
CERT1 = S1/server1.example.com.pem
KEY1 = S1/server1.example.com.unlocked.key
CA2 = FX/cert2
CERT2 = FX/cert2
KEY2 = FX/cert2
# ----- Main settings -----
acl_smtp_rcpt = accept
log_selector = +tls_peerdn+tls_certificate_verified
queue_only
queue_run_in_order
tls_advertise_hosts = *
# Set certificate only if server
tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
tls_verify_hosts = *
tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
# ----- Routers -----
begin routers
server_dump:
driver = redirect
condition = ${if eq {SERVER}{server}{yes}{no}}
data = :blackhole:
client_x:
driver = accept
local_parts = userx
retry_use_local_part
transport = send_to_server_failcert
errors_to = ""
client_y:
driver = accept
local_parts = usery
retry_use_local_part
transport = send_to_server_retry
client_z:
driver = accept
local_parts = userz
retry_use_local_part
transport = send_to_server_crypt
client_q:
driver = accept
local_parts = userq
retry_use_local_part
transport = send_to_server_req_fail
client_r:
driver = accept
local_parts = userr
retry_use_local_part
transport = send_to_server_req_failname
client_s:
driver = accept
local_parts = users
retry_use_local_part
transport = send_to_server_req_passname
client_t:
driver = accept
local_parts = usert
retry_use_local_part
transport = send_to_server_req_failcarryon
# ----- Transports -----
begin transports
# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
send_to_server_failcert:
driver = smtp
allow_localhost
hosts = HOSTIPV4
hosts_require_tls = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA2
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
driver = smtp
allow_localhost
hosts = HOSTIPV4 : 127.0.0.1
hosts_require_tls = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
driver = smtp
allow_localhost
hosts = HOSTIPV4
hosts_require_tls = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_try_verify_hosts = *
# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
# Fail due to lack of correct CA
send_to_server_req_fail:
driver = smtp
allow_localhost
hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_verify_hosts = *
# this will fail to verify the cert name and fallback to unencrypted
# fail because the cert is "server1.example.com" and the test system is something else
send_to_server_req_failname:
driver = smtp
allow_localhost
hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = *
tls_verify_hosts = *
# this will pass the cert verify including name check
# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
send_to_server_req_passname:
driver = smtp
allow_localhost
hosts = server1.example.com
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = *
tls_verify_hosts = *
send_to_server_req_failcarryon:
driver = smtp
allow_localhost
hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = *
tls_try_verify_hosts = *
# End
|