The SIGHUP signal
.cindex "SIGHUP"
.cindex "daemon" "restarting"
+.cindex signal "to reload configuration"
+.cindex daemon "reload configuration"
can be used to cause the daemon to re-execute itself. This should be done
whenever Exim's configuration file, or any file that is incorporated into it by
means of the &%.include%& facility, is changed, and also whenever a new version
&*Warning 2*&: In a host list, you must always use &(net-iplsearch)& so that
the implicit key is the host's IP address rather than its name (see section
&<<SECThoslispatsikey>>&).
+
+.new
+&*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the
+IPv4, in dotted-quad form. (Exim converts IPv4-mapped IPv6 addresses to this
+notation before executing the lookup.)
+.wen
.next
.new
.cindex lookup json
recently implemented &(iplsearch)& files do require colons in IPv6 keys
(notated using the quoting facility) so as to distinguish them from IPv4 keys.
For this reason, when the lookup type is &(iplsearch)&, IPv6 addresses are
-converted using colons and not dots. In all cases, full, unabbreviated IPv6
+converted using colons and not dots.
+.new
+In all cases except IPv4-mapped IPv6, full, unabbreviated IPv6
addresses are always used.
+The latter are converted to IPv4 addresses, in dotted-quad form.
+.wen
Ideally, it would be nice to tidy up this anomalous situation by changing to
colons in all cases, given that quoting is now available for &(lsearch)&.
transport driver.
-.option openssl_options main "string list" "+no_sslv2 +single_dh_use +no_ticket"
+.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket"
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
-.section "Configuring an Exim client to use TLS" "SECID185"
+.section "Configuring an Exim client to use TLS" "SECTclientTLS"
.cindex "cipher" "logging"
.cindex "log" "TLS cipher"
.cindex "log" "distinguished name"
option), this condition is always true.
-.vitem &*verify&~=&~not_blind*&
+.vitem &*verify&~=&~not_blind/*&<&'options'&>
.cindex "verifying" "not blind"
.cindex "bcc recipients, verifying none"
This condition checks that there are no blind (bcc) recipients in the message.
&'Resent-Cc:'& header lines exist, they are also checked. This condition can be
used only in a DATA or non-SMTP ACL.
+.new
+There is one possible option, &`case_insensitive`&. If this is present then
+local parts are checked case-insensitively.
+.wen
+
There are, of course, many legitimate messages that make use of blind (bcc)
recipients. This check should not be used on its own for blocking messages.
Signers SHOULD use RSA keys of at least 2048 bits.
.endd
-Support for EC keys is being developed under
-&url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/).
+.new
+EC keys for DKIM are defined by RFC 8463.
+.wen
They are considerably smaller than RSA keys for equivalent protection.
As they are a recent development, users should consider dual-signing
(by setting a list of selectors, and an expansion for this option)
certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64
.endd
-Note that the format
-of Ed25519 keys in DNS has not yet been decided; this release supports
-both of the leading candidates at this time, a future release will
-probably drop support for whichever proposal loses.
+.new
+Exim also supports an alternate format
+of Ed25519 keys in DNS which was a candidate during development
+of the standard, but not adopted.
+A future release will probably drop that support.
+.wen
.option dkim_hash smtp string&!! sha256
Can be set to any one of the supported hash methods, which are:
git://git.exim.org / exim.git / blobdiff