-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.54 2009/10/13 08:46:06 tom Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.59 2009/10/16 09:51:12 nm4 Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
.cindex "options" "router &-- extracting"
.cindex "options" "transport &-- extracting"
+.cindex "options" "authenticator &-- extracting"
If one of the words &%router%&, &%transport%&, or &%authenticator%& is given,
followed by the name of an appropriate driver instance, the option settings for
that driver are output. For example:
settings can be obtained by using &%routers%&, &%transports%&, or
&%authenticators%&.
+.cindex "options" "macro &-- extracting"
+If invoked by an admin user, then &%macro%&, &%macro_list%& and &%macros%&
+are available, similarly to the drivers. Because macros are sometimes used
+for storing passwords, this option is restricted.
+The output format is one item per line.
.vitem &%-bp%&
.oindex "&%-bp%&"
To make the authenticators work, you can use a string expansion
expression like one of the examples in &<<CHAPplaintext>>&.
+Beware that the sequence of the parameters to PLAIN and LOGIN differ; the
+usercode and password are in different positions. &<<CHAPplaintext>>&
+covers both.
+
.ecindex IIDconfiwal
As a special case, the numerical value of an empty string is taken as
zero.
+.vitem &*bool&~{*&<&'string'&>&*}*&
+.cindex "expansion" "boolean parsing"
+.cindex "&%bool%& expansion condition"
+This condition turns a string holding a true or false representation into
+a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"&
+(case-insensitively); also positive integer numbers map to true if non-zero,
+false if zero. Leading whitespace is ignored.
+All other string values will result in expansion failure.
+
+When combined with ACL variables, this expansion condition will let you
+make decisions in one place and act on those decisions in another place.
+For example,
+.code
+${if bool{$acl_m_privileged_sender} ...
+.endd
+
.vitem &*crypteq&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
.cindex "expansion" "encrypted comparison"
.cindex "encrypted strings, comparing"
.code
server_condition = ${if pwcheck{$auth1:$auth2}}
.endd
+Again, for a PLAIN authenticator configuration, this would be:
+.code
+server_condition = ${if pwcheck{$auth2:$auth3}}
+.endd
.vitem &*queue_running*&
.cindex "queue runner" "detecting when delivering from"
.cindex "expansion" "queue runner test"
.row &%gnutls_require_kx%& "control GnuTLS key exchanges"
.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms"
.row &%gnutls_require_protocols%& "control GnuTLS protocols"
+.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
This option controls the protocols when GnuTLS is used in an Exim
server. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
This option controls the protocols when GnuTLS is used in an Exim
client. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option helo_data smtp string&!! "see below"
.cindex "HELO" "argument, setting"
.cindex "EHLO" "argument, setting"
sasl_plain:
driver = cyrus_sasl
public_name = PLAIN
- server_set_id = $auth1
+ server_set_id = $auth2
.endd
Cyrus SASL does implement the LOGIN authentication method, even though it is
not a standard method. It is disabled by default in the source distribution,
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
- server_set_id = $auth1
+ server_set_id = $auth2
dovecot_ntlm:
driver = dovecot
Calling the ACL only for existing signatures is not sufficient to build
more advanced policies. For that reason, the global option
&%dkim_verify_signers%&, and a global expansion variable
-&%$dkim_signing_domains%& exist.
+&%$dkim_signers%& exist.
The global option &%dkim_verify_signers%& can be set to a colon-separated
list of DKIM domains or identities for which the ACL &%acl_smtp_dkim%& is
called. It is expanded when the message has been received. At this point,
-the expansion variable &%$dkim_signing_domains%& already contains a colon-
-separated list of signer domains for the message. When &%dkim_verify_signers%&
-is not specified in the main configuration, it defaults as:
+the expansion variable &%$dkim_signers%& already contains a colon-
+separated list of signer domains and identities for the message. When
+&%dkim_verify_signers%& is not specified in the main configuration,
+it defaults as:
.code
-dkim_verify_signers = $dkim_signing_domains
+dkim_verify_signers = $dkim_signers
.endd
This leads to the default behaviour of calling &%acl_smtp_dkim%& for each
DKIM signature in the message. Current DKIM verifiers may want to explicitly
call the ACL for known domains or identities. This would be achieved as follows:
.code
-dkim_verify_signers = paypal.com:ebay.com:$dkim_signing_domains
+dkim_verify_signers = paypal.com:ebay.com:$dkim_signers
.endd
This would result in &%acl_smtp_dkim%& always being called for "paypal.com"
-and "ebay.com", plus all domains that have signatures in the message. You can
-also be more creative in constructing your policy. Example:
+and "ebay.com", plus all domains and identities that have signatures in the message.
+You can also be more creative in constructing your policy. Example:
.code
-dkim_verify_signers = $sender_address_domain:$dkim_signing_domains
+dkim_verify_signers = $sender_address_domain:$dkim_signers
.endd
+If a domain or identity is listed several times in the (expanded) value of
+&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+
+
Inside the &%acl_smtp_dkim%&, the following expansion variables are
available (from most to least important):
.vlist
+.vitem &%$dkim_cur_signer%&
+The signer that is being evaluated in this ACL run. This can be domain or
+an identity. This is one of the list items from the expanded main option
+&%dkim_verify_signers%& (see above).
.vitem &%$dkim_verify_status%&
A string describing the general status of the signature. One of
.ilist
&%none%&: There is no signature in the message for the current domain or
-identity.
+identity (as reflected by &%$dkim_cur_signer%&).
.next
&%invalid%&: The signature could not be verified due to a processing error.
More detail is available in &%$dkim_verify_reason%&.
.endlist
.vitem &%$dkim_domain%&
The signing domain. IMPORTANT: This variable is only populated if there is
-ab actual signature in the message. It does NOT neccessarily carry the
-domain that is currently being evaluated. Please use the &%dkim_signers%& ACL
-condition for that.
+an actual signature in the message for the current domain or identity (as
+reflected by &%$dkim_cur_signer%&).
.vitem &%$dkim_identity%&
-The signing identity. IMPORTANT: This variable is only populated if there is
-ab actual signature in the message. It does NOT neccessarily carry the
-identity that is currently being evaluated. Please use the &%dkim_signers%& ACL
-condition for that.
+The signing identity, if present. IMPORTANT: This variable is only populated
+if there is an actual signature in the message for the current domain or
+identity (as reflected by &%$dkim_cur_signer%&).
.vitem &%$dkim_selector%&
The key record selector string
.vitem &%$dkim_algo%&
.vlist
.vitem &%dkim_signers%&
ACL condition that checks a colon-separated list of domains or identities
-for a match against the domain or identity that the ACL is currently verifying.
-This is typically used to restrict an ACL verb to a group of domains or identities, like:
+for a match against the domain or identity that the ACL is currently verifying
+(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL
+verb to a group of domains or identities, like:
.code
# Warn when message apparently from GMail has no signature at all
git://git.exim.org / exim.git / blobdiff