X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/b2e609941174b22551417f7aa394702d5d575fbf..6d38582bcea0a891244cf24b0b39d5bb310464e9:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index a7fef970f..e7228c1ab 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6602,7 +6602,7 @@ file that is searched could contain lines like this: When the lookup succeeds, the result of the expansion is a list of domains (and possibly other types of item that are allowed in domain lists). .cindex "tainted data" "de-tainting" -.cindex "de-tainting" "using a lookup expansion"" +.cindex "de-tainting" "using a lookup expansion" The result of the expansion is not tainted. .next @@ -9907,7 +9907,11 @@ After expansion, <&'string'&> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way (&<>&). For each item in this list, its value is place in &$item$&, and then the condition is -evaluated. If the condition is true, &$item$& is added to the output as an +evaluated. +.new +Any modification of &$value$& by this evaluation is discarded. +.wen +If the condition is true, &$item$& is added to the output as an item in a new list; if the condition is false, the item is discarded. The separator used for the output list is the same as the one used for the input, but a separator setting is not included in the output. For example: @@ -9915,7 +9919,8 @@ input, but a separator setting is not included in the output. For example: ${filter{a:b:c}{!eq{$item}{b}}} .endd yields &`a:c`&. At the end of the expansion, the value of &$item$& is restored -to what it was before. See also the &%map%& and &%reduce%& expansion items. +to what it was before. +See also the &%map%& and &%reduce%& expansion items. .vitem &*${hash{*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*& 
@@ -10506,6 +10511,17 @@ At the end of a &*reduce*& expansion, the values of &$item$& and &$value$& are restored to what they were before. See also the &%filter%& and &%map%& expansion items. +. A bit of a special-case logic error in writing an expansion; +. probably not worth including in the mainline of documentation. +. If only we had footnotes (the html output variant is the problem). +. +. .new +. &*Note*&: if an &'expansion condition'& is used in <&'string3'&> +. and that condition modifies &$value$&, +. then the string expansions dependent on the condition cannot use +. the &$value$& of the reduce iteration. +. .wen + .vitem &*$rheader_*&<&'header&~name'&>&*:*&&~or&~&*$rh_*&<&'header&~name'&>&*:*& This item inserts &"raw"& header lines. It is described with the &%header%& expansion item in section &<>& above. @@ -11658,6 +11674,7 @@ Consider using a dsearch lookup. .cindex "first delivery" .cindex "expansion" "first delivery test" .cindex "&%first_delivery%& expansion condition" +.cindex retry condition This condition, which has no data, is true during a message's first delivery attempt. It is false during any subsequent delivery attempts. @@ -25590,12 +25607,18 @@ hard failure if required. See also &%hosts_try_auth%&, and chapter &<>& for details of authentication. -.option hosts_request_ocsp smtp "host list&!!" * +.option hosts_request_ocsp smtp "host list&!!" "see below" .cindex "TLS" "requiring for certain servers" Exim will request a Certificate Status on a TLS session for any host that matches this list. &%tls_verify_certificates%& should also be set for the transport. +.new +The default is &"**"& if DANE is not in use for the connection, +or if DANE-TA us used. +It is empty if DANE-EE is used. +.wen + .option hosts_require_alpn smtp "host list&!!" unset .cindex ALPN "require negotiation in client" .cindex TLS ALPN 
@@ -26065,7 +26088,7 @@ If both this option and &%tls_try_verify_hosts%& are unset operation is as if this option selected all hosts. &*Warning*&: Including a host in &%tls_verify_hosts%& does not require that connections use TLS. -Fallback to in-clear communication will be done unless restricted by +Fallback to in-clear communication will be done unless restricted by the &%hosts_require_tls%& option. .option utf8_downconvert smtp integer&!! -1 @@ -29755,7 +29778,7 @@ connection. The client for the connection proposes a set of protocol names, and the server responds with a selected one. It is not, as of 2021, commonly used for SMTP connections. -However, to guard against misirected or malicious use of web clients +However, to guard against misdirected or malicious use of web clients (which often do use ALPN) against MTA ports, Exim by default check that there is no incompatible ALPN specified by a client for a TLS connection. If there is, the connection is rejected. @@ -29765,7 +29788,7 @@ The behaviour of both client and server can be configured using the options &%tls_alpn%& and &%hosts_require_alpn%&. There are no variables providing observability. Some feature-specific logging may appear on denied connections, but this -depends on the behavious of the peer +depends on the behaviour of the peer (not all peers can send a feature-specific TLS Alert). This feature is available when Exim is built with @@ -35858,6 +35881,7 @@ The system filter is run at the start of a delivery attempt, before any routing is done. If a message fails to be completely delivered at the first attempt, the system filter is run again at the start of every retry. If you want your filter to do something only once per message, you can make use +.cindex retry condition of the &%first_delivery%& condition in an &%if%& command in the filter to prevent it happening on retries. 
@@ -42198,7 +42222,7 @@ the DATA acl. .subsection ACL SSECDMARCACL .cindex DMARC "ACL condition" -DMARC checks cam be run on incoming SMTP messages by using the +DMARC checks can be run on incoming SMTP messages by using the &"dmarc_status"& ACL condition in the DATA ACL. You are required to call the &"spf"& condition first in the ACLs, then the &"dmarc_status"& condition. Putting this condition in the ACLs is required in order
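Review bot: in the hunk at @@ -9907 (the filter item), the added sentence "Any modification of &$value$& by this evaluation is discarded." names &$value$& although nothing in the surrounding filter text says how a condition could change it. A short clause saying what can set &$value$& during the condition would let the sentence stand on its own. The context line just above still reads "its value is place in &$item$&"; since the paragraph is being edited anyway, "placed" could be corrected in the same change.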
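Review bot: in the hunk at @@ -10506 (after the reduce item), the caveat about a condition in <&'string3'&> modifying &$value$& is added only behind the ". " comment prefix, together with an aside about footnotes and a .new/.wen pair that will never render. The filter hunk in this same patch states the comparable &$value$& behaviour in the visible text, so readers of reduce get no equivalent warning. Either publish a one-sentence note here or drop the commented block and record the limitation somewhere it can be found.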
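Review bot: in the hunk at @@ -11658, the new line ".cindex retry condition" is unquoted, while the entries beside it quote multi-word terms (.cindex "first delivery", .cindex "expansion" "first delivery test"). If a single index term "retry condition" is intended rather than a primary "retry" with a secondary "condition", it needs quotes; if the two-level form is intended, writing it as .cindex "retry" "condition" would match the neighbouring lines and make that explicit.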
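Review bot: in the hunk at @@ -25590 (hosts_request_ocsp), the added text has a typo, "or if DANE-TA us used", which should read "is used". The removed option line gave the default as * while the new paragraph gives it as &"**"&; please confirm which is correct, since the default column now only says "see below" and this paragraph is the sole statement of the value. The DANE-EE case also changes whether a Certificate Status is requested at all, so a few words on why the list is empty there would help operators who rely on OCSP checking.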
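Review bot: in the hunk at @@ -29755 (the ALPN paragraph), the spelling fix to "misdirected" leaves a grammar slip in the very next context line, "Exim by default check that there is no incompatible ALPN"; "checks" could go into the same change. No other concern with this hunk.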
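Review bot: in the hunk at @@ -35858 (system filter text), the added ".cindex retry condition" sits in the middle of a sentence, between "you can make use" and "of the &%first_delivery%& condition", which makes the source paragraph harder to read and to re-wrap. Moving the directive to just before "The system filter is run at the start of a delivery attempt" would keep the sentence intact. The same quoting question as for the identical line added at @@ -11658 applies here.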