X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/f5496b0e47269b2648057470c0f1626e1912fbba..6741531cf79cbd3b403b8a52ed07635fe543cd3a:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 0eccce1ec..03310fc22 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3162,6 +3162,10 @@ If invoked by an admin user, then &%macro%&, &%macro_list%& and &%macros%& are available, similarly to the drivers. Because macros are sometimes used for storing passwords, this option is restricted. The output format is one item per line. +.new +For the "-bP macro " form, if no such macro is found +the exit status will be nonzero. +.wen .vitem &%-bp%& .oindex "&%-bp%&" @@ -10648,6 +10652,7 @@ The &%sha3%& expansion item is only supported if Exim has been compiled with GnuTLS 3.5.0 or later, .new or OpenSSL 1.1.1 or later. +The macro "_CRYPTO_HASH_SHA3" will be defined if it is supported. .wen @@ -38594,7 +38599,7 @@ There is no dot-stuffing (and no dot-termination). DKIM is a mechanism by which messages sent by some entity can be provably linked to a domain which that entity controls. It permits reputation to be tracked on a per-domain basis, rather than merely upon source IP address. -DKIM is documented in RFC 4871. +DKIM is documented in RFC 6376. .new As DKIM relies on the message being unchanged in transit, messages handled @@ -38656,7 +38661,12 @@ rsa-sha1 MUST NOT be used for signing or verifying. Signers MUST use RSA keys of at least 1024 bits for all keys. Signers SHOULD use RSA keys of at least 2048 bits. .endd -.wen + +Note also that the key content (the 'p=' field) +in the DNS record is different between RSA and EC keys; +for the former it is the base64 of the ASN.1 for the RSA public key +(equivalent to the private-key .pem with the header/trailer stripped) +but for EC keys it is the base64 of the pure key; no ASN.1 wrapping. .wen Signing is enabled by setting private options on the SMTP transport. 
@@ -38685,10 +38695,14 @@ You can use the &%$dkim_domain%& and &%$dkim_selector%& expansion variables to determine the private key to use. The result can either .ilist -be a valid RSA private key in ASCII armor, including line breaks. +be a valid RSA private key in ASCII armor (.pem file), including line breaks +.new +.next +with GnuTLS 3.6.0 or later, be a valid Ed25519 private key (same format as above) +.wen .next start with a slash, in which case it is treated as a file that contains -the private key. +the private key .next be "0", "false" or the empty string, in which case the message will not be signed. This case will not result in an error, even if &%dkim_strict%& @@ -38701,6 +38715,15 @@ Note that RFC 8301 says: Signers MUST use RSA keys of at least 1024 bits for all keys. Signers SHOULD use RSA keys of at least 2048 bits. .endd + +Support for EC keys is being developed under +&url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/). +They are considerably smaller than RSA keys for equivalent protection. +As they are a recent development, users should consider dual-signing +(by setting a list of selectors, and an expansion for this option) +for some transition period. +The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present +for EC keys. .wen .option dkim_hash smtp string&!! sha256 @@ -38883,6 +38906,11 @@ The key record selector string. .vitem &%$dkim_algo%& The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'. +.new +If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'. +The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present +for EC keys. +.wen .new Note that RFC 8301 says: 
@@ -39331,7 +39359,7 @@ This will add a component tagged with &"PRX="& to the line. .cindex internationalisation "email address" .cindex EAI .cindex i18n -.cindex UTF-8 "mail name handling" +.cindex utf8 "mail name handling" Exim has support for Internationalised mail names. To include this it must be built with SUPPORT_I18N and the libidn library. @@ -39369,6 +39397,7 @@ form of the name. .cindex log protocol .cindex SMTPUTF8 logging +.cindex i18n logging Log lines and Received-by: header lines will acquire a "utf8" prefix on the protocol element, eg. utf8esmtp. @@ -39380,7 +39409,12 @@ ${utf8_localpart_to_alabel:str} ${utf8_localpart_from_alabel:str} .endd -ACLs may use the following modifier: +.cindex utf8 "address downconversion" +.cindev i18n "utf8 address downconversion" +.new +The RCPT ACL +.wen +may use the following modifier: .display control = utf8_downconvert control = utf8_downconvert/
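Review bot: In the hunk at @@ -3162 (the -bP macro exit status note), the quoted form `"-bP macro "` carries a trailing space inside the quotes where the macro name should appear; it looks like a placeholder such as `&'name'&` was dropped, so the line should read something like `For the "-bP macro &'name'&" form, if no such macro is found`.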
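Review bot: In the hunk at @@ -38656 (the new paragraph on the 'p=' field), the parenthetical "equivalent to the private-key .pem with the header/trailer stripped" is misleading: the DNS record carries the public key, and stripping the armor from a private-key .pem yields the private key, which must never be published. Suggest "equivalent to the public-key .pem with the header/trailer stripped". The same paragraph would also benefit from saying which "pure key" is meant for the EC case (the raw public key), since "no ASN.1 wrapping" alone does not tell the reader what bytes to base64.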
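Review bot: In the hunk at @@ -38685 (the dkim_private_key value list), "(same format as above)" for the Ed25519 item is ambiguous now that the preceding item is worded as RSA-specific; spell it out as "in ASCII armor (.pem file), including line breaks" so the item stands alone. The hunk also removes the terminal period from "the private key" while the later item still ends in "signed.", leaving the list's punctuation inconsistent; either drop or keep the period for every item.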
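Review bot: In the hunk at @@ -38701 (the EC keys paragraph), the terminology switches between "EC keys" here and "Ed25519" in the value list and in the macro name _CRYPTO_SIGN_ED25519; since Ed25519 is a specific signature scheme rather than EC keys in general, use one term consistently (Ed25519 is the precise one). The sentence "The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present for EC keys." is repeated verbatim in the $dkim_algo hunk at @@ -38883; consider stating it once and cross-referencing, so the two copies cannot drift apart.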
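Review bot: In the hunk at @@ -39380 (the utf8_downconvert section), `.cindev i18n "utf8 address downconversion"` is a typo for `.cindex`; as written the index entry will not be generated (and may break the xfpt build), so change the directive to `.cindex i18n "utf8 address downconversion"`.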