DKIM: Allow the DKIM ACL to override verification results. Bug 2186

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7a0841cb28ced57d9ed879dc830a2353c93cba55..98986e0326404b05cf1414d057f1bfc350c82a99 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38731,6 +38731,19 @@ available in &%$dkim_verify_reason%&.
 &%pass%&: The signature passed verification. It is valid.
 .endlist
 
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+This might, for instance, be done to enforce a policy restriction on
+hash-method or key-size:
+.code
+  warn condition =     ${if eq {$dkim_algo}{rsa-sha1}}
+       condition =     ${if eq {$dkim_verify_status}{pass}}
+       logwrite =      NOTE: forcing dkim verify fail (was pass)
+       set dkim_verify_status = fail
+       set dkim_verify_reason = hash too weak
+.endd
+.wen
+
 .vitem &%$dkim_verify_reason%&
 A string giving a little bit more detail when &%$dkim_verify_status%& is either
 "fail" or "invalid". One of
@@ -38751,6 +38764,10 @@ re-written or otherwise changed in a way which is incompatible with
 DKIM verification. It may of course also mean that the signature is forged.
 .endlist
 
+.new
+This variable can be overwritten using an ACL 'set' modifier.
+.wen
+
 .vitem &%$dkim_domain%&
 The signing domain. IMPORTANT: This variable is only populated if there is
 an actual signature in the message for the current domain or identity (as