DKIM: Allow the DKIM ACL to override verification results. Bug 2186

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7a0841cb28ced57d9ed879dc830a2353c93cba55..98986e0326404b05cf1414d057f1bfc350c82a99 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -38731,6 +38731,19 @@ available in &%$dkim_verify_reason%&.
 &%pass%&: The signature passed verification. It is valid.
 .endlist
 
 &%pass%&: The signature passed verification. It is valid.
 .endlist
 

+.new
+This variable can be overwritten using an ACL 'set' modifier.
+This might, for instance, be done to enforce a policy restriction on
+hash-method or key-size:
+.code
+  warn condition =     ${if eq {$dkim_algo}{rsa-sha1}}
+       condition =     ${if eq {$dkim_verify_status}{pass}}
+       logwrite =      NOTE: forcing dkim verify fail (was pass)
+       set dkim_verify_status = fail
+       set dkim_verify_reason = hash too weak
+.endd
+.wen
+

 .vitem &%$dkim_verify_reason%&
 A string giving a little bit more detail when &%$dkim_verify_status%& is either
 "fail" or "invalid". One of
 .vitem &%$dkim_verify_reason%&
 A string giving a little bit more detail when &%$dkim_verify_status%& is either
 "fail" or "invalid". One of


@@ -38751,6 +38764,10 @@ re-written or otherwise changed in a way which is incompatible with
 DKIM verification. It may of course also mean that the signature is forged.
 .endlist
 
 DKIM verification. It may of course also mean that the signature is forged.
 .endlist
 

+.new
+This variable can be overwritten using an ACL 'set' modifier.
+.wen
+

 .vitem &%$dkim_domain%&
 The signing domain. IMPORTANT: This variable is only populated if there is
 an actual signature in the message for the current domain or identity (as
 .vitem &%$dkim_domain%&
 The signing domain. IMPORTANT: This variable is only populated if there is
 an actual signature in the message for the current domain or identity (as