.subsection General
Under GnuTLS, DANE is only supported from version 3.0.0 onwards.
-DANE is specified in published RFCs and decouples certificate authority trust
+DANE is specified in RFC 6698. It decouples certificate authority trust
selection from a "race to the bottom" of "you must trust everything for mail
to get through".
-There is an alternative technology called MTA-STS, which
-instead publishes MX trust anchor information on an HTTPS website. At the
-time this text was last updated, MTA-STS was still a draft, not yet an RFC.
+It does retain the need to trust the assurances provided by the DNSSEC tree.
+
+There is an alternative technology called MTA-STS (RFC 8461), which
+instead publishes MX trust anchor information on an HTTPS website.
+The discovery of the address for that website does not (per standard)
+require DNSSEC, and could be regarded as being less secure than DANE
+as a result.
+
Exim has no support for MTA-STS as a client, but Exim mail server operators
can choose to publish information describing their TLS configuration using
MTA-STS to let those clients who do use that protocol derive trust
allow_fail
data = :fail: Invalid SRS recipient address
- #... further routers here
+ #... further routers here get inbound_srs-redirected recipients
+ # and any that were not SRS'd
# transport; should look like the non-forward outbound
The name is placed in the variable &$event_name$& and the event action
expansion must check this, as it will be called for every possible event type.
+.new
The current list of events is:
+.wen
.itable all 0 0 4 25* left 10* center 15* center 50* left
.row auth:fail after both "per driver per authentication attempt"
.row dane:fail after transport "per connection"
+.row dns:fail after both "per lookup"
.row msg:complete after main "per message"
.row msg:defer after transport "per message per delivery try"
.row msg:delivery after transport "per recipient"
.itable all 0 0 2 20* left 80* left
.row auth:fail "smtp response"
.row dane:fail "failure reason"
+.row dns:fail "failure reason, key and lookup-type"
.row msg:defer "error string"
.row msg:delivery "smtp confirmation message"
.row msg:fail:internal "failure reason"
For OpenSSL it will trigger for every chain element including those
loaded locally.
+.new
+For dns:fail events from dnsdb lookups, a &"defer_never"& option does not
+affect the reporting of DNS_AGAIN.
+.wen
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
git://git.exim.org / exim.git / blobdiff