When the lookup succeeds, the result of the expansion is a list of domains (and
possibly other types of item that are allowed in domain lists).
.cindex "tainted data" "de-tainting"
-.cindex "de-tainting" "using a lookup expansion""
+.cindex "de-tainting" "using a lookup expansion"
The result of the expansion is not tainted.
.next
.cindex "host" "rejecting connections from"
If this option is set, incoming SMTP calls from the hosts listed are rejected
as soon as the connection is made.
-This option is obsolete, and retained only for backward compatibility, because
+This option is mostly obsolete, retained for backward compatibility because
nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming
-connections immediately.
+connections immediately
+.new
+(except for tls-on-connect connections).
+.wen
The ability to give an immediate rejection (either by this option or using an
ACL) is provided for use in unusual cases. Many hosts will just try again,
operation is as if this option selected all hosts.
&*Warning*&: Including a host in &%tls_verify_hosts%& does not require
that connections use TLS.
-Fallback to in-clear communication will be done unless restricted by
+Fallback to in-clear communication will be done unless restricted by
the &%hosts_require_tls%& option.
.option utf8_downconvert smtp integer&!! -1
The client for the connection proposes a set of protocol names, and
the server responds with a selected one.
It is not, as of 2021, commonly used for SMTP connections.
-However, to guard against misirected or malicious use of web clients
+However, to guard against misdirected or malicious use of web clients
(which often do use ALPN) against MTA ports, Exim by default check that
there is no incompatible ALPN specified by a client for a TLS connection.
If there is, the connection is rejected.
&%tls_alpn%& and &%hosts_require_alpn%&.
There are no variables providing observability.
Some feature-specific logging may appear on denied connections, but this
-depends on the behavious of the peer
+depends on the behaviour of the peer
(not all peers can send a feature-specific TLS Alert).
This feature is available when Exim is built with
.subsection ACL SSECDMARCACL
.cindex DMARC "ACL condition"
-DMARC checks cam be run on incoming SMTP messages by using the
+DMARC checks can be run on incoming SMTP messages by using the
&"dmarc_status"& ACL condition in the DATA ACL. You are required to
call the &"spf"& condition first in the ACLs, then the &"dmarc_status"&
condition. Putting this condition in the ACLs is required in order