doc os fixup script from Phil Pennock. fixes: #765
[users/heiko/exim.git] / doc / doc-docbook / spec.xfpt
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index fa29a25243aa0e82b4673f344049000fb5e30ef7..9541d6e061fa51206df5a92c717a5fc86a381545 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-1,4
+1,4
@@
-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.5
7 2009/10/16 08:49:47 tom
Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.5
9 2009/10/16 09:51:12 nm4
Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
@@
-12368,6
+12368,7
@@
listed in more than one group.
.row &%gnutls_require_kx%& "control GnuTLS key exchanges"
.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms"
.row &%gnutls_require_protocols%& "control GnuTLS protocols"
.row &%gnutls_require_kx%& "control GnuTLS key exchanges"
.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms"
.row &%gnutls_require_protocols%& "control GnuTLS protocols"
+.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
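Review bot: The new gnutls_compat_mode row is appended after gnutls_require_protocols, but the visible rows of this table are in alphabetical order (gnutls_require_kx, gnutls_require_mac, gnutls_require_protocols, then tls_advertise_hosts). Move the row above gnutls_require_kx so it sits where a reader scanning the option list would look for it.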
@@
-13367,6
+13368,11
@@
server. For details, see section &<<SECTreqciphgnu>>&.
This option controls the protocols when GnuTLS is used in an Exim
server. For details, see section &<<SECTreqciphgnu>>&.
This option controls the protocols when GnuTLS is used in an Exim
server. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
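Review bot: "This reduces security slightly" in the new gnutls_compat_mode entry does not say what is actually relaxed, so an administrator cannot judge whether turning it on is acceptable for their site. Name the behaviour that compatibility mode disables and state what Exim does when the option is left at its declared default of "unset". The entry is also placed after gnutls_require_protocols rather than in alphabetical position among the gnutls_* options.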
@@
-21467,6
+21473,11
@@
client. For details, see section &<<SECTreqciphgnu>>&.
This option controls the protocols when GnuTLS is used in an Exim
client. For details, see section &<<SECTreqciphgnu>>&.
This option controls the protocols when GnuTLS is used in an Exim
client. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option helo_data smtp string&!! "see below"
.cindex "HELO" "argument, setting"
.cindex "EHLO" "argument, setting"
.option helo_data smtp string&!! "see below"
.cindex "HELO" "argument, setting"
.cindex "EHLO" "argument, setting"
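Review bot: The added entry here is a verbatim copy of the main-section one: it is declared as ".option gnutls_compat_mode main boolean unset" and describes use "in an Exim server", yet the surrounding context describes GnuTLS "in an Exim client" and the next entry is ".option helo_data smtp". If this is meant to document a transport option, the type should be smtp and the text should say client; if the option exists only in the main configuration, this second copy should be dropped.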
@@
-34406,39
+34417,48
@@
runtime of the ACL.
Calling the ACL only for existing signatures is not sufficient to build
more advanced policies. For that reason, the global option
&%dkim_verify_signers%&, and a global expansion variable
Calling the ACL only for existing signatures is not sufficient to build
more advanced policies. For that reason, the global option
&%dkim_verify_signers%&, and a global expansion variable
-&%$dkim_sign
ing_domain
s%& exist.
+&%$dkim_sign
er
s%& exist.
The global option &%dkim_verify_signers%& can be set to a colon-separated
list of DKIM domains or identities for which the ACL &%acl_smtp_dkim%& is
called. It is expanded when the message has been received. At this point,
The global option &%dkim_verify_signers%& can be set to a colon-separated
list of DKIM domains or identities for which the ACL &%acl_smtp_dkim%& is
called. It is expanded when the message has been received. At this point,
-the expansion variable &%$dkim_signing_domains%& already contains a colon-
-separated list of signer domains for the message. When &%dkim_verify_signers%&
-is not specified in the main configuration, it defaults as:
+the expansion variable &%$dkim_signers%& already contains a colon-
+separated list of signer domains and identities for the message. When
+&%dkim_verify_signers%& is not specified in the main configuration,
+it defaults as:
.code
.code
-dkim_verify_signers = $dkim_sign
ing_domain
s
+dkim_verify_signers = $dkim_sign
er
s
.endd
This leads to the default behaviour of calling &%acl_smtp_dkim%& for each
DKIM signature in the message. Current DKIM verifiers may want to explicitly
call the ACL for known domains or identities. This would be achieved as follows:
.code
.endd
This leads to the default behaviour of calling &%acl_smtp_dkim%& for each
DKIM signature in the message. Current DKIM verifiers may want to explicitly
call the ACL for known domains or identities. This would be achieved as follows:
.code
-dkim_verify_signers = paypal.com:ebay.com:$dkim_sign
ing_domain
s
+dkim_verify_signers = paypal.com:ebay.com:$dkim_sign
er
s
.endd
This would result in &%acl_smtp_dkim%& always being called for "paypal.com"
.endd
This would result in &%acl_smtp_dkim%& always being called for "paypal.com"
-and "ebay.com", plus all domains
that have signatures in the message. You can
-also be more creative in constructing your policy. Example:
+and "ebay.com", plus all domains
and identities that have signatures in the message.
+
You can
also be more creative in constructing your policy. Example:
.code
.code
-dkim_verify_signers = $sender_address_domain:$dkim_sign
ing_domain
s
+dkim_verify_signers = $sender_address_domain:$dkim_sign
er
s
.endd
.endd
+If a domain or identity is listed several times in the (expanded) value of
+&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+
+
Inside the &%acl_smtp_dkim%&, the following expansion variables are
available (from most to least important):
.vlist
Inside the &%acl_smtp_dkim%&, the following expansion variables are
available (from most to least important):
.vlist
+.vitem &%$dkim_cur_signer%&
+The signer that is being evaluated in this ACL run. This can be domain or
+an identity. This is one of the list items from the expanded main option
+&%dkim_verify_signers%& (see above).
.vitem &%$dkim_verify_status%&
A string describing the general status of the signature. One of
.ilist
&%none%&: There is no signature in the message for the current domain or
.vitem &%$dkim_verify_status%&
A string describing the general status of the signature. One of
.ilist
&%none%&: There is no signature in the message for the current domain or
-identity.
+identity
(as reflected by &%$dkim_cur_signer%&)
.
.next
&%invalid%&: The signature could not be verified due to a processing error.
More detail is available in &%$dkim_verify_reason%&.
.next
&%invalid%&: The signature could not be verified due to a processing error.
More detail is available in &%$dkim_verify_reason%&.
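Review bot: Every reference to $dkim_signing_domains in this hunk, including the documented default "dkim_verify_signers = $dkim_signers", is switched to the new name with no sentence telling upgraders that the variable was renamed. A configuration that sets dkim_verify_signers explicitly with the old variable may no longer expand as intended, which changes which signers reach acl_smtp_dkim, so add a note on the rename or on whether the old name is still accepted. Minor: in the new $dkim_cur_signer item, "This can be domain or an identity" is missing "a" before "domain".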
@@
-34469,14
+34489,12
@@
DKIM verification. It may of course also mean that the signature is forged.
.endlist
.vitem &%$dkim_domain%&
The signing domain. IMPORTANT: This variable is only populated if there is
.endlist
.vitem &%$dkim_domain%&
The signing domain. IMPORTANT: This variable is only populated if there is
-ab actual signature in the message. It does NOT neccessarily carry the
-domain that is currently being evaluated. Please use the &%dkim_signers%& ACL
-condition for that.
+an actual signature in the message for the current domain or identity (as
+reflected by &%$dkim_cur_signer%&).
.vitem &%$dkim_identity%&
.vitem &%$dkim_identity%&
-The signing identity. IMPORTANT: This variable is only populated if there is
-ab actual signature in the message. It does NOT neccessarily carry the
-identity that is currently being evaluated. Please use the &%dkim_signers%& ACL
-condition for that.
+The signing identity, if present. IMPORTANT: This variable is only populated
+if there is an actual signature in the message for the current domain or
+identity (as reflected by &%$dkim_cur_signer%&).
.vitem &%$dkim_selector%&
The key record selector string
.vitem &%$dkim_algo%&
.vitem &%$dkim_selector%&
The key record selector string
.vitem &%$dkim_algo%&
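Review bot: The rewritten $dkim_domain and $dkim_identity items drop the old warning that the variable does NOT necessarily carry the item currently being evaluated, and they no longer tell the reader what to use instead. State explicitly what each variable holds when there is no signature for the current signer (the new text only implies it is not populated) and point to $dkim_cur_signer for the item under evaluation, so that a policy handling the "none" status is not written against $dkim_domain.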
@@
-34521,8
+34539,9
@@
In addition, two ACL conditions are provided:
.vlist
.vitem &%dkim_signers%&
ACL condition that checks a colon-separated list of domains or identities
.vlist
.vitem &%dkim_signers%&
ACL condition that checks a colon-separated list of domains or identities
-for a match against the domain or identity that the ACL is currently verifying.
-This is typically used to restrict an ACL verb to a group of domains or identities, like:
+for a match against the domain or identity that the ACL is currently verifying
+(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL
+verb to a group of domains or identities, like:
.code
# Warn when message apparently from GMail has no signature at all
.code
# Warn when message apparently from GMail has no signature at all