without &%-bd%&, this is the only way of causing Exim to write a pid file,
because in those cases, the normal pid file is not used.
+.new
+.vitem &%-oPX%&
+.oindex "&%-oPX%&"
+.cindex "pid (process id)" "of daemon"
+.cindex "daemon" "process id (pid)"
+This option is not intended for general use.
+The daemon uses it when terminating due to a SIGTEM, possibly in
+combination with &%-oP%&&~<&'path'&>.
+It causes the pid file to be removed.
+.wen
+
.vitem &%-or%&&~<&'time'&>
.oindex "&%-or%&"
.cindex "timeout" "for non-SMTP input"
.cindex headers "authentication-results:"
.cindex authentication "expansion item"
This item returns a string suitable for insertion as an
-&'Authentication-Results"'&
+&'Authentication-Results:'&
header line.
The given <&'authserv-id'&> is included in the result; typically this
will be a domain name identifying the system performing the authentications.
.vindex &$tls_out_tlsa_usage$&
Bitfield of TLSA record types found. See section &<<SECDANE>>&.
+.new
+.vitem &$tls_in_ver$&
+.vindex "&$tls_in_ver$&"
+When a message is received from a remote host over an encrypted SMTP connection
+this variable is set to the protocol version, eg &'TLS1.2'&.
+
+.vitem &$tls_out_ver$&
+.vindex "&$tls_out_ver$&"
+When a message is being delivered to a remote host over an encrypted SMTP connection
+this variable is set to the protocol version.
+.wen
+
+
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
The time of day and the date, in the format required for BSD-style mailbox
.new
-.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1"
+.option dkim_verify_hashes main "string list" "sha256 : sha512"
.cindex DKIM "selecting signature algorithms"
This option gives a list of hash types which are acceptable in signatures,
and an order of processing.
Signatures with algorithms not in the list will be ignored.
-Note that the presence of sha1 violates RFC 8301.
-Signatures using the rsa-sha1 are however (as of writing) still common.
-The default inclusion of sha1 may be dropped in a future release.
+Acceptable values include:
+.code
+sha1
+sha256
+sha512
+.endd
+
+Note that the acceptance of sha1 violates RFC 8301.
.option dkim_verify_keytypes main "string list" "ed25519 : rsa"
This option gives a list of key types which are acceptable in signatures,
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
${if def:received_protocol {with $received_protocol }}\
+ ${if def:tls_ver { ($tls_ver)}}\
${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\
(Exim $version_number)\n\t\
${if def:sender_address \
The value of this option is expanded and indicates the source of DH parameters
to be used by Exim.
-&*Note: The Exim Maintainers strongly recommend using a filename with site-generated
+.new
+This option is ignored for GnuTLS version 3.6.0 and later.
+The library manages parameter negotiation internally.
+.wen
+
+&*Note: The Exim Maintainers strongly recommend,
+for other TLS library versions,
+using a filename with site-generated
local DH parameters*&, which has been supported across all versions of Exim. The
other specific constants available are a fallback so that even when
"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
-For GnuTLS 3.5.6 or later the expanded value of this option can be a list
+.new
+For OpenSSL 1.1.0 or later, and
+.wen
+for GnuTLS 3.5.6 or later the expanded value of this option can be a list
of files, to match a list given for the &%tls_certificate%& option.
The ordering of the two lists must match.
.cindex "RFC 3030" "CHUNKING"
This option provides a list of servers to which, provided they announce
CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
+.new
+Unless DKIM signing is being done,
+.wen
BDAT will not be used in conjunction with a transport filter.
.option hosts_try_dane smtp "host list&!!" *
non-issue, as a man-in-the-middle attack will cause the correct client and
server to see different identifiers and authentication will fail.
-This is currently only supported when using the GnuTLS library. This is
+.new
+This is
only usable by mechanisms which support "channel binding"; at time of
writing, that's the SCRAM family.
+.wen
This defaults off to ensure smooth upgrade across Exim releases, in case
this option causes some clients to start failing. Some future release
The name is placed in the variable &$event_name$& and the event action
expansion must check this, as it will be called for every possible event type.
+.new
The current list of events is:
+.wen
.display
&`dane:fail after transport `& per connection
&`msg:complete after main `& per message
&`tcp:close after transport `& per connection
&`tls:cert before both `& per certificate in verification chain
&`smtp:connect after transport `& per connection
+&`smtp:ehlo after transport `& per connection
.endd
New event types may be added in future.
&`msg:host:defer `& error string
&`tls:cert `& verification chain depth
&`smtp:connect `& smtp banner
+&`smtp:ehlo `& smtp ehlo response
.endd
The :defer events populate one extra variable: &$event_defer_errno$&.