deliveries if the configuration allows a delivery attempt as soon as a message
is received.
+See also the &%max_parallel%& generic transport option,
+and the &%serialize_hosts%& smtp transport option.
+
.cindex "number of deliveries"
.cindex "delivery" "maximum number of"
If you want to control the total number of deliveries on the system, you
&$address_data$&, &$domain_data$&, &$local_part_data$&,
&$host$&, &$host_address$& and &$host_port$&.
+.new
+If the connection is DANE-enabled then this option is ignored;
+only messages having the domain used for the DANE TLSA lookup are
+sent on the connection.
+.wen
+
.option port smtp string&!! "see below"
.cindex "port" "sending TCP/IP"
.cindex "TCP/IP" "setting outgoing port"
.endd
+.new
+.section "Caching of static server configuration items" "SECTserverTLScache"
+.cindex certificate caching
+.cindex privatekey caching
+.cindex crl caching
+.cindex ocsp caching
+.cindex ciphers caching
+.cindex "CA bundle" caching
+.cindex "certificate authorities" caching
+.cindex tls_certificate caching
+.cindex tls_privatekey caching
+.cindex tls_crl caching
+.cindex tls_ocsp_file caching
+.cindex tls_require_ciphers caching
+.cindex tls_verify_certificate caching
+.cindex caching certificate
+.cindex caching privatekey
+.cindex caching crl
+.cindex caching ocsp
+.cindex caching ciphers
+.cindex caching "certificate authorities
+If any of the main configuration options &%tls_certificate%&, &%tls_privatekey%&,
+&%tls_crl%& and &%tls_ocsp_file%& have values with no
+expandable elements,
+then the associated information is loaded at daemon startup.
+It is made available
+to child processes forked for handling received SMTP connections.
+
+This caching is currently only supported under Linux.
+
+If caching is not possible, for example if an item has to be dependent
+on the peer host so contains a &$sender_host_name$& expansion, the load
+of the associated information is done at the startup of the TLS connection.
+
+The cache is invalidated and reloaded after any changes to the directories
+containing files specified by these options.
+
+The information specified by the main option &%tls_verify_certificates%&
+is similarly cached so long as it specifies files explicitly
+or (under GnuTLS) is the string &"system,cache"&.
+The latter case is not automatically invaludated;
+it is the operator's responsibility to arrange for a daemon restart
+any time the system certificate authority bundle is updated.
+A HUP signal is sufficient for this.
+The value &"system"& results in no caching under GnuTLS.
+
+The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system"
+is acceptable in configurations for the Exim executavble.
+
+Caching of the system Certificate Authorities bundle can
+save siginificant time and processing on every TLS connection
+accepted by Exim.
+.wen
+
+
.section "Configuring an Exim client to use TLS" "SECTclientTLS"
The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)&
transport provide the client with a certificate, which is passed to the server
-if it requests it. If the server is Exim, it will request a certificate only if
+if it requests it.
+This is an optional thing for TLS connections, although either end
+may insist on it.
+If the server is Exim, it will request a certificate only if
&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
&*Note*&: Do not use a certificate which has the OCSP-must-staple extension,
+.new
+.section "Caching of static client configuration items" "SECTclientTLScache"
+.cindex certificate caching
+.cindex privatekey caching
+.cindex crl caching
+.cindex ciphers caching
+.cindex "CA bundle" caching
+.cindex "certificate authorities" caching
+.cindex tls_certificate caching
+.cindex tls_privatekey caching
+.cindex tls_crl caching
+.cindex tls_require_ciphers caching
+.cindex tls_verify_certificate caching
+.cindex caching certificate
+.cindex caching privatekey
+.cindex caching crl
+.cindex caching ciphers
+.cindex caching "certificate authorities
+If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%&
+and &%tls_crl%& have values with no
+expandable elements,
+then the associated information is loaded per smtp transport
+at daemon startup, at the start of a queue run, or on a
+command-line specified message delivery.
+It is made available
+to child processes forked for handling making SMTP connections.
+
+This caching is currently only supported under Linux.
+
+If caching is not possible, the load
+of the associated information is done at the startup of the TLS connection.
+
+The cache is invalidated in the daemon
+and reloaded after any changes to the directories
+containing files specified by these options.
+
+The information specified by the main option &%tls_verify_certificates%&
+is similarly cached so long as it specifies files explicitly
+or (under GnuTLS) is the string &"system,cache"&.
+The latter case is not automatically invaludated;
+it is the operator's responsibility to arrange for a daemon restart
+any time the system certificate authority bundle is updated.
+A HUP signal is sufficient for this.
+The value &"system"& results in no caching under GnuTLS.
+
+The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system"
+is acceptable in configurations for the Exim executavble.
+
+Caching of the system Certificate Authorities bundle can
+save siginificant time and processing on every TLS connection
+initiated by Exim.
+.wen
+
+
+
+
.section "Use of TLS Server Name Indication" "SECTtlssni"
.cindex "TLS" "Server Name Indication"
.cindex "TLS" SNI
for the lifetime of the client connection (including during authentication).
.new
-If DAVE validated the connection attempt then the value of the &%tls_sni%& option
+If DANE validated the connection attempt then the value of the &%tls_sni%& option
is forced to the domain part of the recipient address.
.wen
Signing is enabled by setting private options on the SMTP transport.
These options take (expandable) strings as arguments.
-.option dkim_domain smtp string list&!! unset
+.option dkim_domain smtp "string list&!!" unset
The domain(s) you want to sign with.
After expansion, this can be a list.
Each element in turn,
If it is empty after expansion, DKIM signing is not done,
and no error will result even if &%dkim_strict%& is set.
-.option dkim_selector smtp string list&!! unset
+.option dkim_selector smtp "string list&!!" unset
This sets the key selector string.
After expansion, which can use &$dkim_domain$&, this can be a list.
Each element in turn is put in the expansion
.code
#macro
SRS_SECRET = <pick something unique for your site for this. Use on all MXs.>
-
+
#routers
outbound:
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{remote_smtp} {remote_forwarded_smtp}}
-
+
inbound_srs:
driver = redirect
senders = :
# detect inbound bounces which are SRS'd, and decode them
condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
data = $srs_recipient
-
+
inbound_srs_failure:
driver = redirect
senders = :
#... further routers here
-
+
# transport; should look like the non-forward outbound
# one, plus the max_rcpt and return_path options
remote_forwarded_smtp: