contains two IP addresses, the IPv4 address 127.0.0.1 and the IPv6 address ::1.
&*Note*&: Although leading and trailing white space is ignored in individual
-list items, it is not ignored when parsing the list. The space after the first
-colon in the example above is necessary. If it were not there, the list would
+list items, it is not ignored when parsing the list. The spaces around the first
+colon in the example above are necessary. If they were not there, the list would
be interpreted as the two items 127.0.0.1:: and 1.
.section "Changing list separators" "SECTlistsepchange"
# request with your smarthost provider to get things fixed:
hosts_require_tls = *
tls_verify_hosts = *
- # As long as tls_verify_hosts is enabled, this won't matter, but if you
- # have to comment it out then this will at least log whether you succeed
- # or not:
+ # As long as tls_verify_hosts is enabled, this this will have no effect,
+ # but if you have to comment it out then this will at least log whether
+ # you succeed or not:
tls_try_verify_hosts = *
#
# The SNI name should match the name which we'll expect to verify;
.cindex "tainted data" "de-tainting"
The value will be untainted.
+.new
+&*Note*&: If the data result of the lookup (as opposed to the key)
+is empty, then this empty value is stored in &$domain_data$&.
+The option to return the key for the lookup, as the value,
+may be what is wanted.
+.wen
+
.next
Any of the single-key lookup type names may be preceded by
. searchable. NM changed this occurrence for bug 1197 to no longer allow
. the option name to split.
-.option "smtp_accept_max_per_connection" main integer 1000 &&&
+.option "smtp_accept_max_per_connection" main integer&!! 1000 &&&
smtp_accept_max_per_connection
.cindex "SMTP" "limiting incoming message count"
.cindex "limit" "messages per SMTP connection"
response is given to subsequent MAIL commands. This limit is a safety
precaution against a client that goes mad (incidents of this type have been
seen).
+.new
+The option is expanded after the HELO or EHLO is received
+and may depend on values available at that time.
+An empty or zero value after expansion removes the limit.
+.wen
.option smtp_accept_max_per_host main string&!! unset
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set.
+the DNSSEC request bit set.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
.option dnssec_require_domains routers "domain list&!!" unset
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_require_domains%& will be done with
-the dnssec request bit set. Any returns not having the Authenticated Data bit
+the DNSSEC request bit set. Any returns not having the Authenticated Data bit
(AD bit) set will be ignored and logged as a host-lookup failure.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set. Setting this transport option is only useful if the
+the DNSSEC request bit set. Setting this transport option is only useful if the
transport overrides or sets the host names. See the &%dnssec_request_domains%&
router option.
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_require_domains%& will be done with
-the dnssec request bit set. Setting this transport option is only
+the DNSSEC request bit set. Setting this transport option is only
useful if the transport overrides or sets the host names. See the
&%dnssec_require_domains%& router option.
.cindex DANE "requiring for certain servers"
If built with DANE support, Exim will require that a DNSSEC-validated
TLSA record is present for any host matching the list,
-and that a DANE-verified TLS connection is made. See
-the &%dnssec_request_domains%& router and transport options.
+and that a DANE-verified TLS connection is made.
There will be no fallback to in-clear communication.
+See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
.option hosts_require_ocsp smtp "host list&!!" unset
.option hosts_try_dane smtp "host list&!!" *
.cindex DANE "transport options"
.cindex DANE "attempting for certain servers"
-If built with DANE support, Exim will require that a DNSSEC-validated
-TLSA record is present for any host matching the list,
-and that a DANE-verified TLS connection is made. See
-the &%dnssec_request_domains%& router and transport options.
-There will be no fallback to in-clear communication.
+.new
+If built with DANE support, Exim will look up a
+TLSA record for any host matching the list,
+If one is found and that lookup was DNSSEC-validated,
+then Exim requires that a DANE-verified TLS connection is made for that host;
+there will be no fallback to in-clear communication.
+.wen
+See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
.option hosts_try_fastopen smtp "host list&!!" *
option is passed. When authentication succeeds, the identity of the user
who authenticated is placed in &$auth1$&.
-The Dovecot configuration to match the above wil look
+The Dovecot configuration to match the above will look
something like:
.code
conf.d/10-master.conf :-
this authentication method on a secure (eg. under TLS) connection.
One possible use, compatible with the
-K-9 Mail Andoid client (&url(https://k9mail.github.io/)),
+K-9 Mail Android client (&url(https://k9mail.github.io/)),
is for using X509 client certificates.
It thus overlaps in function with the TLS authenticator
.section "Certificate chains" "SECID186"
-The file named by &%tls_certificate%& may contain more than one
+A file named by &%tls_certificate%& may contain more than one
certificate. This is useful in the case where the certificate that is being
sent is validated by an intermediate certificate which the other end does
not have. Multiple certificates must be in the correct order in the file.
DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
-A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using dnssec.
+A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using DNSSEC.
If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
different values. Some DNS lists may return more than one address record;
see section &<<SECThanmuldnsrec>>& for details of how they are checked.
+.new
+Values returned by a properly running DBSBL should be in the 127.0.0.0/8
+range. If a DNSBL operator loses control of the domain, lookups on it
+may start returning other addresses. Because of this, Exim now ignores
+returned values outside the 127/8 region.
+.wen
+
.section "Variables set from DNS lists" "SECID204"
.cindex "expansion" "variables, set from DNS list"
.endd
which is less clear, and harder to maintain.
+Negation can also be used with a bitwise-and restriction.
+The dnslists condition with only be trus if a result is returned
+by the lookup which, anded with the restriction, is all zeroes.
+For example:
+.code
+deny dnslists = zen.spamhaus.org!&0.255.255.0
+.endd
+
when TLS is in use. The item is &`CV=yes`& if the peer's certificate was
verified
using a CA trust anchor,
-&`CA=dane`& if using a DNS trust anchor,
+&`CV=dane`& if using a DNS trust anchor,
and &`CV=no`& if not.
.next
.cindex "log" "TLS cipher"