X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/40df1be3e45617c8f878ad728bd14053a38cd932..2e3177124893f623c037a44f7972d7d4105da87a:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index a82a5c489..874c3f0e9 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.38 2008/02/26 11:46:33 fanf2 Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.43 2008/05/14 09:16:38 fanf2 Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -18958,11 +18958,9 @@ filter itself, and the original process that reads the result and delivers it are all run in parallel, like a shell pipeline. The filter can perform any transformations it likes, but of course should take -care not to break RFC 2822 syntax. A demonstration Perl script is provided in -&_util/transport-filter.pl_&; this makes a few arbitrary modifications just to -show the possibilities. Exim does not check the result, except to test for a -final newline when SMTP is in use. All messages transmitted over SMTP must end -with a newline, so Exim supplies one if it is missing. +care not to break RFC 2822 syntax. Exim does not check the result, except to +test for a final newline when SMTP is in use. All messages transmitted over +SMTP must end with a newline, so Exim supplies one if it is missing. .cindex "content scanning" "per user" A transport filter can be used to provide content-scanning on a per-user basis @@ -24057,11 +24055,11 @@ sections &<>& and &<>&. .section "GnuTLS parameter computation" "SECID181" -GnuTLS uses RSA and D-H parameters that may take a substantial amount of time +GnuTLS uses D-H parameters that may take a substantial amount of time to compute. It is unreasonable to re-compute them for every TLS session. Therefore, Exim keeps this data in a file in its spool directory, called &_gnutls-params_&. The file is owned by the Exim user and is readable only by -its owner. Every Exim process that start up GnuTLS reads the RSA and D-H +its owner. Every Exim process that start up GnuTLS reads the D-H parameters from this file. If the file does not exist, the first Exim process that needs it computes the data and writes it to a temporary file which is renamed once it is complete. It does not matter if several Exim processes do @@ -26317,7 +26315,9 @@ verified as a sender. .cindex "&ACL;" "testing a DNS list" In its simplest form, the &%dnslists%& condition tests whether the calling host is on at least one of a number of DNS lists by looking up the inverted IP -address in one or more DNS domains. For example, if the calling host's IP +address in one or more DNS domains. (Note that DNS list domains are not mail +domains, so the &`+`& syntax for named lists doesn't work - it is used for +special options instead.) For example, if the calling host's IP address is 192.168.62.43, and the ACL statement is .code deny dnslists = blackholes.mail-abuse.org : \ @@ -27552,19 +27552,8 @@ the third string (in this case &"1"&), whether or not the cryptographic and timeout checks succeed. The &$prvscheck_result$& variable contains the result of the checks (empty for failure, &"1"& for success). -There are two more issues you must consider when implementing prvs-signing. -Firstly, you need to ensure that prvs-signed addresses are not blocked by your -ACLs. A prvs-signed address contains a slash character, but the default Exim -configuration contains this statement in the RCPT ACL: -.code -deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] -.endd -This is a conservative rule that blocks local parts that contain slashes. You -should remove the slash in the last line. - -Secondly, you have to ensure that the routers accept prvs-signed addresses and +There is one more issue you must consider when implementing prvs-signing: +you have to ensure that the routers accept prvs-signed addresses and deliver them correctly. The easiest way to handle this is to use a &(redirect)& router to remove the signature with a configuration along these lines: .code