X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/0719afe27105e35ad40805dabb66dbbcb44dab52..3478b06a31d23f9d519ee4541cb3d8b51afc299d:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c29ab47ba..978d51fd7 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -9154,6 +9154,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f .vitem "&*${authresults{*&<&'authserv-id'&>&*}}*&" .cindex authentication "results header" .cindex headers "authentication-results:" +.cindex authentication "expansion item" This item returns a string suitable for insertion as an &'Authentication-Results"'& header line. @@ -9172,6 +9173,7 @@ Example use (as an ACL modifier): .code add_header = :at_start:${authresults {$primary_hostname}} .endd +This is safe even if no authentication reselts are available. .wen @@ -11936,6 +11938,13 @@ lookup succeeds, but there is a lookup problem such as a timeout when checking the result, the name is not accepted, and &$host_lookup_deferred$& is set to &"1"&. See also &$sender_host_name$&. +.new +.cindex authentication "expansion item" +Performing these checks sets up information used by the +&$authresults$& expansion item. +.wen + + .vitem &$host_lookup_failed$& .vindex "&$host_lookup_failed$&" See &$host_lookup_deferred$&. @@ -26105,6 +26114,12 @@ public name) of the authenticator driver that successfully authenticated the client from which the message was received. This variable is empty if there was no successful authentication. +.new +.cindex authentication "expansion item" +Successful authentication sets up information used by the +&$authresults$& expansion item. +.wen + @@ -38931,6 +38946,21 @@ As they are a recent development, users should consider dual-signing for some transition period. The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present for EC keys. + +As of writing, producing EC key materials is not well supported +by the major libraries. OpenSSL 1.1.1 and GnuTLS 3.6.0 can create private keys: +.code +openssl genpkey -algorithm ed25519 -out dkim_ed25519.private +certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private +.endd + +To help in producing the required public key value for a DNS record +the release package &_util/_& directory contains source for a utility +buildable with GnuTLS 3.6.0; +use it like this: +.code +ed25519_privkey_pem_to_pubkey_raw_b64 dkim_ed25519.private +.endd .wen .option dkim_hash smtp string&!! sha256 @@ -39001,6 +39031,12 @@ To evaluate the signature in the ACL a large number of expansion variables containing the signature status and its details are set up during the runtime of the ACL. +.new +.cindex authentication "expansion item" +Performing verification sets up information used by the +&$authresults$& expansion item. +.wen + Calling the ACL only for existing signatures is not sufficient to build more advanced policies. For that reason, the global option &%dkim_verify_signers%&, and a global expansion variable @@ -39261,6 +39297,12 @@ There is no Exim involvement on the trasmission of messages; publishing certain DNS records is all that is required. For verification, an ACL condition and an expansion lookup are provided. +.new +.cindex authentication "expansion item" +Performing verification sets up information used by the +&$authresults$& expansion item. +.wen + .cindex SPF "ACL condition" .cindex ACL "spf condition"