&` _DRIVER_ROUTER_* `& router drivers
&` _DRIVER_TRANSPORT_* `& transport drivers
&` _DRIVER_AUTHENTICATOR_* `& authenticator drivers
+&` _EXP_COND_* `& expansion conditions
+&` _EXP_ITEM_* `& expansion items
+&` _EXP_OP_* `& expansion operators
+&` _EXP_VAR_* `& expansion variables
&` _LOG_* `& log_selector values
&` _OPT_MAIN_* `& main config options
&` _OPT_ROUTERS_* `& generic router options
When the lookup succeeds, the result of the expansion is a list of domains (and
possibly other types of item that are allowed in domain lists).
.cindex "tainted data" "de-tainting"
-.cindex "de-tainting" "using a lookup expansion""
+.cindex "de-tainting" "using a lookup expansion"
The result of the expansion is not tainted.
.next
nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming
connections immediately.
+.new
+If the connection is on a TLS-on-connect port then the TCP connection is
+just dropped. Otherwise, an SMTP error is sent first.
+.wen
+
The ability to give an immediate rejection (either by this option or using an
ACL) is provided for use in unusual cases. Many hosts will just try again,
sometimes without much delay. Normally, it is better to use an ACL to reject
&<<CHAPSMTPAUTH>>& for details of authentication.
-.option hosts_request_ocsp smtp "host list&!!" *
+.option hosts_request_ocsp smtp "host list&!!" "see below"
.cindex "TLS" "requiring for certain servers"
Exim will request a Certificate Status on a
TLS session for any host that matches this list.
&%tls_verify_certificates%& should also be set for the transport.
+.new
+The default is &"**"& if DANE is not in use for the connection,
+or if DANE-TA us used.
+It is empty if DANE-EE is used.
+.wen
+
.option hosts_require_alpn smtp "host list&!!" unset
.cindex ALPN "require negotiation in client"
.cindex TLS ALPN
operation is as if this option selected all hosts.
&*Warning*&: Including a host in &%tls_verify_hosts%& does not require
that connections use TLS.
-Fallback to in-clear communication will be done unless restricted by
+Fallback to in-clear communication will be done unless restricted by
the &%hosts_require_tls%& option.
.option utf8_downconvert smtp integer&!! -1
The client for the connection proposes a set of protocol names, and
the server responds with a selected one.
It is not, as of 2021, commonly used for SMTP connections.
-However, to guard against misirected or malicious use of web clients
+However, to guard against misdirected or malicious use of web clients
(which often do use ALPN) against MTA ports, Exim by default check that
there is no incompatible ALPN specified by a client for a TLS connection.
If there is, the connection is rejected.
&%tls_alpn%& and &%hosts_require_alpn%&.
There are no variables providing observability.
Some feature-specific logging may appear on denied connections, but this
-depends on the behavious of the peer
+depends on the behaviour of the peer
(not all peers can send a feature-specific TLS Alert).
This feature is available when Exim is built with
the message override the banner message that is otherwise specified by the
&%smtp_banner%& option.
-For tls-on-connect connections, the ACL is run after the TLS connection
-is accepted (however, &%host_reject_connection%& is tested before).
+.new
+For tls-on-connect connections, the ACL is run before the TLS connection
+is accepted; if the ACL does not accept then the TCP connection is dropped without
+any TLS startup attempt and without any SMTP response being transmitted.
+.wen
.subsection "The EHLO/HELO ACL" SECID192
immediate writes to file are done as normal.
trigger=<&'reason'&> This option selects cause for the pretrigger buffer
- see above) to be copied to file. A reason of $*now*
+ see above) to be copied to file. A reason of &*now*&
take effect immediately; one of &*paniclog*& triggers
on a write to the panic log.
.endd
.subsection ACL SSECDMARCACL
.cindex DMARC "ACL condition"
-DMARC checks cam be run on incoming SMTP messages by using the
+DMARC checks can be run on incoming SMTP messages by using the
&"dmarc_status"& ACL condition in the DATA ACL. You are required to
call the &"spf"& condition first in the ACLs, then the &"dmarc_status"&
condition. Putting this condition in the ACLs is required in order
git://git.exim.org / exim.git / blobdiff