blob: 18b2fd780f730487edaca1f738292e765e59ca02 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
# Exim test configuration 2112
# TLS client: verify certificate from server - fails
SERVER=
exim_path = EXIM_PATH
host_lookup_order = bydns
primary_hostname = myhost.test.ex
spool_directory = DIR/spool
log_file_path = DIR/spool/log/SERVER%slog
gecos_pattern = ""
gecos_name = CALLER_NAME
FX = DIR/aux-fixed
S1 = FX/exim-ca/example.com/server1.example.com
CA1 = S1/ca_chain.pem
CERT1 = S1/server1.example.com.pem
KEY1 = S1/server1.example.com.unlocked.key
CA2 = FX/cert2
CERT2 = FX/cert2
KEY2 = FX/cert2
# ----- Main settings -----
acl_smtp_rcpt = accept
log_selector = +tls_peerdn+tls_certificate_verified +received_recipients
queue_only
queue_run_in_order
tls_advertise_hosts = *
# Set certificate only if server
tls_certificate = ${if eq {SERVER}{server}{CERT1}fail}
tls_privatekey = ${if eq {SERVER}{server}{KEY1}fail}
tls_verify_hosts = *
tls_verify_certificates = ${if eq {SERVER}{server}{CERT2}fail}
# ----- Routers -----
begin routers
server_dump:
driver = redirect
condition = ${if eq {SERVER}{server}{yes}{no}}
data = :blackhole:
client_x:
driver = accept
local_parts = userx
retry_use_local_part
transport = send_to_server_failcert
errors_to = ""
client_y:
driver = accept
local_parts = usery
retry_use_local_part
transport = send_to_server_retry
client_z:
driver = accept
local_parts = userz
retry_use_local_part
transport = send_to_server_crypt
client_q:
driver = accept
local_parts = userq
retry_use_local_part
transport = send_to_server_req_fail
client_r:
driver = accept
local_parts = userr
retry_use_local_part
transport = send_to_server_req_failname
client_s:
driver = accept
local_parts = users
retry_use_local_part
transport = send_to_server_req_passname
# ----- Transports -----
begin transports
# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement
send_to_server_failcert:
driver = smtp
allow_localhost
hosts = HOSTIPV4
hosts_require_tls = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_try_verify_hosts =
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
driver = smtp
allow_localhost
hosts = HOSTIPV4 : 127.0.0.1
hosts_require_tls = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = \
${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
tls_try_verify_hosts =
tls_verify_cert_hostnames =
# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
driver = smtp
allow_localhost
hosts = HOSTIPV4
hosts_require_tls = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_try_verify_hosts = *
tls_verify_cert_hostnames =
# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
driver = smtp
allow_localhost
hosts = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA2
tls_verify_hosts = *
tls_verify_cert_hostnames =
# this will fail to verify the cert name and fallback to unencrypted
send_to_server_req_failname:
driver = smtp
allow_localhost
hosts = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = server1.example.net : server1.example.org
tls_verify_hosts = *
# this will pass the cert verify including name check
send_to_server_req_passname:
driver = smtp
allow_localhost
hosts = HOSTIPV4
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
tls_verify_cert_hostnames = noway.example.com : server1.example.com
tls_verify_hosts = *
# End
|