.code
${readsocket{/socket/name}{request string}{3s}}
.endd
+
The third argument is a list of options, of which the first element is the timeout
and must be present if the argument is given.
Further elements are options of form &'name=value'&.
-One option type is currently recognised, defining whether (the default)
+Two option types is currently recognised: shutdown and tls.
+The first defines whether (the default)
or not a shutdown is done on the connection after sending the request.
Example, to not do so (preferred, eg. by some webservers):
.code
${readsocket{/socket/name}{request string}{3s:shutdown=no}}
.endd
+.new
+The second, tls, controls the use of TLS on the connection. Example:
+.code
+${readsocket{/socket/name}{request string}{3s:tls=yes}}
+.endd
+The default is to not use TLS.
+If it is enabled, a shutdown as descripbed above is never done.
+.wen
+
A fourth argument allows you to change any newlines that are in the data
that is read, in the same way as for &%readfile%& (see above). This example
turns them into spaces:
.row &%av_scanner%& "specify virus scanner"
.row &%check_rfc2047_length%& "check length of RFC 2047 &""encoded &&&
words""&"
+.row &%dns_cname_loops%& "follow CNAMEs returned by resolver"
.row &%dns_csa_search_limit%& "control CSA parent search depth"
.row &%dns_csa_use_reverse%& "en/disable CSA IP reverse search"
.row &%header_maxsize%& "total size of message header"
reversed and looked up in the reverse DNS, as described in more detail in
section &<<SECTverifyCSA>>&.
+.new
+.option dns_cname_loops main integer 1
+.cindex DNS "CNAME following"
+This option controls the following of CNAME chains, needed if the resolver does
+not do it internally.
+As of 2018 most should, and the default can be left.
+If you have an ancient one, a value of 10 is likely needed.
+
+The default value of one CNAME-follow is needed
+thanks to the observed return for an MX request,
+given no MX presence but a CNAME to an A, of the CNAME.
+.wen
+
.option dns_dnssec_ok main integer -1
.cindex "DNS" "resolver options"
of the message. Its value must not be zero. See also &%final_timeout%&.
+.option dkim_canon smtp string&!! unset
.option dkim_domain smtp string list&!! unset
-.option dkim_selector smtp string&!! unset
+.option dkim_hash smtp string&!! sha256
+.option dkim_identity smtp string&!! unset
.option dkim_private_key smtp string&!! unset
-.option dkim_canon smtp string&!! unset
+.option dkim_selector smtp string&!! unset
.option dkim_strict smtp string&!! unset
.option dkim_sign_headers smtp string&!! "per RFC"
-.option dkim_hash smtp string&!! sha256
-.option dkim_identity smtp string&!! unset
+.option dkim_timestamps smtp string&!! unset
DKIM signing options. For details see section &<<SECDKIMSIGN>>&.
.option server_socket dovecot string unset
-This option must specify the socket that is the interface to Dovecot
+This option must specify the UNIX socket that is the interface to Dovecot
authentication. The &%public_name%& option must specify an authentication
mechanism that Dovecot is configured to support. You can have several
authenticators for different mechanisms. For example:
.oindex "&%tls_require_ciphers%&" "OpenSSL"
There is a function in the OpenSSL library that can be passed a list of cipher
suites before the cipher negotiation takes place. This specifies which ciphers
-are acceptable. The list is colon separated and may contain names like
+.new
+are acceptable for TLS versions prior to 1.3.
+.wen
+The list is colon separated and may contain names like
DES-CBC3-SHA. Exim passes the expanded value of &%tls_require_ciphers%&
directly to this function call.
Many systems will install the OpenSSL manual-pages, so you may have
tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
.endd
+.new
+For TLS version 1.3 the control available is less fine-grained
+and Exim does not provide access to it at present.
+The value of the &%tls_require_ciphers%& option is ignored when
+TLS version 1.3 is negotiated.
+
+As of writing the library default cipher suite list for TLSv1.3 is
+.code
+TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+.endd
+.wen
+
.section "Requiring specific ciphers or other parameters in GnuTLS" &&&
"SECTreqciphgnu"
will be signed, and one signature added for a missing header with the
name will be appended.
+.new
+.option dkim_timestamps smtp integer&!! unset
+This option controls the inclusion of timestamp information in the signature.
+If not set, no such information will be included.
+Otherwise, must be an unsigned number giving an offset in seconds from the current time
+for the expiry tag
+(eg. 1209600 for two weeks);
+both creation (t=) and expiry (x=) tags will be included.
+
+RFC 6376 lists these tags as RECOMMENDED.
+.wen
+
.section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"
.cindex "DKIM" "verification"