.vindex "&$config_file$&"
The name of the main configuration file Exim is using.
+.vitem &$dkim_verify_status$& &&&
+Results of DKIM verification.
+For details see chapter &<<CHAPdkim>>&.
+
.vitem &$dkim_cur_signer$& &&&
- &$dkim_verify_status$& &&&
&$dkim_verify_reason$& &&&
&$dkim_domain$& &&&
&$dkim_identity$& &&&
option in the relevant &(smtp)& transport.
.new
+&*Note*&: If you use filenames based on IP addresses, change the list
+separator in the usual way to avoid confusion under IPv6.
+
&*Note*&: Under current versions of OpenSSL, when a list of more than one
file is used, the &$tls_in_ourcert$& veriable is unreliable.
+
+&*Note*&: OCSP stapling is not usable when a list of more than one file is used.
.wen
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.new
+&*Note*&: There is currently no support for multiple OCSP proofs to match the
+multiple certificates facility.
+.wen
+
.option tls_on_connect_ports main "string list" unset
.cindex SSMTP
.next
.new
With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option
-main option, it must be ordered to match the %&tls_certificate%& list.
+main option, it must be ordered to match the &%tls_certificate%& list.
.wen
.next
Some other recently added features may only be available in one or the other.
If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
specifies a collection of expected server certificates.
-These may be the system default set (depending on library version),
-a file or,
-depending on library version, a directory,
-must name a file or,
-for OpenSSL only (not GnuTLS), a directory.
+These may be
+the system default set (depending on library version),
+a file,
+or (depending on library version) a directory.
The client verifies the server's certificate
against this collection, taking into account any revoked certificates that are
in the list defined by &%tls_crl%&.
item creates a signed address, and the &%prvscheck%& expansion item checks one.
The syntax of these expansion items is described in section
&<<SECTexpansionitems>>&.
+The validity period on signed addresses is seven days.
As an example, suppose the secret per-address keys are stored in an MySQL
database. A query to look up the key for an address could be defined as a macro
Each element in turn is put into the &%$dkim_domain%& expansion variable
while expanding the remaining signing options.
.wen
-If it is empty after expansion, DKIM signing is not done.
+If it is empty after expansion, DKIM signing is not done,
+and no error will result even if &%dkim_strict%& is set.
.option dkim_selector smtp string list&!! unset
This sets the key selector string.
Each element in turn is put in the expansion
variable &%$dkim_selector%& which may be used in the &%dkim_private_key%&
option along with &%$dkim_domain%&.
-If the option is empty after expansion, DKIM signing is not done for this domain.
.wen
+If the option is empty after expansion, DKIM signing is not done for this domain,
+and no error will result even if &%dkim_strict%& is set.
.option dkim_private_key smtp string&!! unset
This sets the private key to use.
be signed. This case will not result in an error, even if &%dkim_strict%&
is set.
.endlist
-If the option is empty after expansion, DKIM signing is not done.
.new
.option dkim_hash smtp string&!! sha256
If a domain or identity is listed several times in the (expanded) value of
&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+.new
+If multiple signatures match a domain (or identity), the ACL is called once
+for each matching signature.
+.wen
+
Inside the &%acl_smtp_dkim%&, the following expansion variables are
available (from most to least important):
&%dkim_verify_signers%& (see above).
.vitem &%$dkim_verify_status%&
-A string describing the general status of the signature. One of
+Within the DKIM ACL,
+a string describing the general status of the signature. One of
.ilist
&%none%&: There is no signature in the message for the current domain or
identity (as reflected by &%$dkim_cur_signer%&).
&%pass%&: The signature passed verification. It is valid.
.endlist
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+This might, for instance, be done to enforce a policy restriction on
+hash-method or key-size:
+.code
+ warn condition = ${if eq {$dkim_algo}{rsa-sha1}}
+ condition = ${if eq {$dkim_verify_status}{pass}}
+ logwrite = NOTE: forcing dkim verify fail (was pass)
+ set dkim_verify_status = fail
+ set dkim_verify_reason = hash too weak
+.endd
+
+After all the DKIM ACL runs have completed, the value becomes a
+colon-separated list of the values after each run.
+.wen
+
.vitem &%$dkim_verify_reason%&
A string giving a little bit more detail when &%$dkim_verify_status%& is either
"fail" or "invalid". One of
DKIM verification. It may of course also mean that the signature is forged.
.endlist
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+.wen
+
.vitem &%$dkim_domain%&
The signing domain. IMPORTANT: This variable is only populated if there is
an actual signature in the message for the current domain or identity (as
git://git.exim.org / exim.git / blobdiff