using the same syntax as for &%-oMa%&. The interface address is placed in
&$received_ip_address$& and the port number, if present, in &$received_port$&.
+.vitem &%-oMm%&&~<&'message&~reference'&>
+.oindex "&%-oMm%&"
+.cindex "message reference" "message reference, specifying for local message"
+See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMm%&
+option sets the message reference, e.g. message-id, and is logged during
+delivery. This is useful when some kind of audit trail is required to tie
+messages together. The format of the message reference is checked and will
+abort if the format is invalid. The option will only be accepted if exim is
+running in trusted mode, not as any regular user.
+
+The best example of a message reference is when Exim sends a bounce message.
+The message reference is the message-id of the original message for which Exim
+is sending the bounce.
+
.vitem &%-oMr%&&~<&'protocol&~name'&>
.oindex "&%-oMr%&"
.cindex "protocol, specifying for local message"
If the ACL returns defer the result is a forced-fail. Otherwise the expansion fails.
+.new
+.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
+ {*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting cerificate fields"
+.cindex "&%certextract%&" "certificate fields"
+.cindex "certificate" "extracting fields"
+The <&'certificate'&> must be a variable of type certificate.
+The field name is expanded and used to retrive the relevant field from
+the certificate. Supported fields are:
+.display
+&`version `&
+&`serial_number `&
+&`subject `&
+&`issuer `&
+&`notbefore `&
+&`notafter `&
+&`sig_algorithm `&
+&`signature `&
+&`subj_altname `& tagged list
+&`ocsp_uri `& list
+&`crl_uri `& list
+.endd
+If the field is found,
+<&'string2'&> is expanded, and replaces the whole item;
+otherwise <&'string3'&> is used. During the expansion of <&'string2'&> the
+variable &$value$& contains the value that has been extracted. Afterwards, it
+is restored to any previous value it might have had.
+
+If {<&'string3'&>} is omitted, the item is replaced by an empty string if the
+key is not found. If {<&'string2'&>} is also omitted, the value that was
+extracted is used.
+
+Some field names take optional modifiers, appended and separated by commas.
+
+The field selectors marked as "list" above return a list,
+newline-separated by default,
+(embedded separator characters in elements are doubled).
+The separator may be changed by a modifier of
+a right angle-bracket followed immediately by the new separator.
+
+The field selectors marked as "tagged" above
+prefix each list element with a type string and an equals sign.
+Elements of only one type may be selected by a modifier
+which is one of "dns", "uri" or "mail";
+if so the elenment tags are omitted.
+
+Field values are generally presented in human-readable form.
+.wen
+
.vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&&
{*&<&'arg'&>&*}...}*&"
.cindex &%dlfunc%&
.vitem &*${md5:*&<&'string'&>&*}*&
.cindex "MD5 hash"
.cindex "expansion" "MD5 hash"
+.cindex "certificate fingerprint"
.cindex "&%md5%& expansion item"
The &%md5%& operator computes the MD5 hash value of the string, and returns it
as a 32-digit hexadecimal number, in which any letters are in lower case.
.vitem &*${sha1:*&<&'string'&>&*}*&
.cindex "SHA-1 hash"
.cindex "expansion" "SHA-1 hashing"
+.cindex "certificate fingerprint"
.cindex "&%sha2%& expansion item"
The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
it as a 40-digit hexadecimal number, in which any letters are in upper case.
+.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.cindex "SHA-256 hash"
+.cindex "certificate fingerprint"
+.cindex "expansion" "SHA-256 hashing"
+.cindex "&%sha256%& expansion item"
+The &%sha256%& operator computes the SHA-256 hash fingerprint of the
+certificate,
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+Only arguments which are a single variable of certificate type are supported.
+
+
.vitem &*${stat:*&<&'string'&>&*}*&
.cindex "expansion" "statting a file"
.cindex "file" "extracting characteristics"
this depends upon the TLS implementation used.
If TLS has not been negotiated, the value will be 0.
+.new
+.vitem &$tls_in_ourcert$&
+.vindex "&$tls_in_ourcert$&"
+This variable refers to the certificate presented to the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_in_peercert$&
+.vindex "&$tls_in_peercert$&"
+This variable refers to the certificate presented by the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_out_ourcert$&
+.vindex "&$tls_out_ourcert$&"
+This variable refers to the certificate presented to the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_out_peercert$&
+.vindex "&$tls_out_peercert$&"
+This variable refers to the certificate presented by the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
.vitem &$tls_in_certificate_verified$&
.vindex "&$tls_in_certificate_verified$&"
This variable is set to &"1"& if a TLS certificate was verified when the
git://git.exim.org / exim.git / blobdiff