colon in the example above are necessary. If they were not there, the list would
be interpreted as the two items 127.0.0.1:: and 1.
-.section "Changing list separators" "SECTlistsepchange"
+.subsection "Changing list separators" "SECTlistsepchange"
.cindex "list separator" "changing"
.cindex "IPv6" "addresses in lists"
Doubling colons in IPv6 addresses is an unwelcome chore, so a mechanism was
-.section "Empty items in lists" "SECTempitelis"
+.subsection "Empty items in lists" "SECTempitelis"
.cindex "list" "empty item in"
An empty item at the end of a list is always ignored. In other words, trailing
separator characters are ignored. Thus, the list in
.vitem &*${srs_encode&~{*&<&'secret'&>&*}{*&<&'return&~path'&>&*}{*&<&'original&~domain'&>&*}}*&
-SRS encoding. See SECT &<<SECTSRS>>& for details.
+SRS encoding. See section &<<SECTSRS>>& for details.
the operation and configuration of DKIM, see section &<<SECDKIM>>&.
-.vitem &*control&~=&~dmarc_disable_verify*&
+.vitem &*control&~=&~dmarc_disable_verify*& &&&
+ &*control&~=&~dmarc_enable_forensic*&
.cindex "disable DMARC verify"
-.cindex "DMARC" "disable verify"
-This control turns off DMARC verification processing entirely. For details on
+.cindex DMARC "disable verify"
+.cindex DMARC controls
+.cindex DMARC "forensic mails"
+These control affect DMARC processing. For details on
the operation and configuration of DMARC, see section &<<SECDMARC>>&.
+The &"disable"& turns off DMARC verification processing entirely.
+
.vitem &*control&~=&~dscp/*&<&'value'&>
.cindex "&ACL;" "setting DSCP value"
.next
A queue runner process retains root privilege throughout its execution. Its
job is to fork a controlled sequence of delivery processes.
+
.next
-A delivery process retains root privilege throughout most of its execution,
-but any actual deliveries (that is, the transports themselves) are run in
-subprocesses which always change to a non-root uid and gid. For local
-deliveries this is typically the uid and gid of the owner of the mailbox; for
-remote deliveries, the Exim uid and gid are used. Once all the delivery
+A delivery process retains root privilege throughout most of its execution.,
+including while the recipient addresses in a message are being routed.
+
+.ilist
+However, if a user's filter file has to be processed,
+this is done in a subprocess that runs under the individual user's uid and
+gid. A system filter is run as root unless &%system_filter_user%& is set.
+.endlist
+
+Any actual deliveries (that is, the transports themselves) are run in
+subprocesses which always change to a non-root uid and gid.
+.ilist
+For local
+deliveries this is typically the uid and gid of the owner of the mailbox.
+.next
+For remote deliveries, the Exim uid and gid are used.
+.endlist
+
+Once all the delivery
subprocesses have been run, a delivery process changes to the Exim uid and gid
while doing post-delivery tidying up such as updating the retry database and
generating bounce and warning messages.
-While the recipient addresses in a message are being routed, the delivery
-process runs as root. However, if a user's filter file has to be processed,
-this is done in a subprocess that runs under the individual user's uid and
-gid. A system filter is run as root unless &%system_filter_user%& is set.
.next
A process that is testing addresses (the &%-bt%& option) runs as root so that
the routing is done in the same environment as a message delivery.