# TLS server: mandatory, optional, and revoked certificates
exim -DSERVER=server -bd -oX PORT_D
****
### No certificate, certificate required
client-ssl -t2 HOSTIPV4 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
noop
????554 Security failure
noop
??? 554 Security failure
quit
????554 Security failure
????221
???*
****
### No certificate, certificate optional at TLS time, required by ACL
client-ssl 127.0.0.1 PORT_D
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo rhu.barb
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required
client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Good certificate, certificate optional at TLS time, checked by ACL
client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
### Bad certificate, certificate required
client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
noop
????554 Security failure
noop
??? 554 Security failure
****
### Bad certificate, certificate optional at TLS time, reject at ACL time
client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.chain.pem aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
killdaemon
#
#
#
#
exim -DCRL=DIR/aux-fixed/exim-ca/example.com/CA/crl.chain.pem -DSERVER=server -bd -oX PORT_D
****
### Otherwise good but revoked certificate, certificate required
client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
noop
????554 Security failure
noop
??? 554 Security failure
****
### Revoked certificate, certificate optional at TLS time, reject at ACL time
client-ssl 127.0.0.1 PORT_D aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.chain.pem aux-fixed/exim-ca/example.com/revoked1.example.com/revoked1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 550
quit
??? 221
****
### Good certificate, certificate required - but nonmatching CRL also present
client-ssl HOSTIPV4 PORT_D aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.chain.pem aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key
??? 220
ehlo rhu.barb
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250-
??? 250
starttls
??? 220
helo test
??? 250
mail from:<userx@test.ex>
??? 250
rcpt to:<userx@test.ex>
??? 250
quit
??? 221
****
killdaemon
