X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/0f773e4df59a9d35929d5839f89c15487a1dd0be..725900cda2676bad205fb9ff44e563332766479e:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index edba1232f..2a2f81c72 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -8788,6 +8788,13 @@ other statements in the same ACL. .cindex "tainted data" "de-tainting" The value will be untainted. +.new +&*Note*&: If the data result of the lookup (as opposed to the key) +is empty, then this empty value is stored in &$domain_data$&. +The option to return the key for the lookup, as the value, +may be what is wanted. +.wen + .next Any of the single-key lookup type names may be preceded by @@ -19009,7 +19016,7 @@ transport option of the same name. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. +the DNSSEC request bit set. This applies to all of the SRV, MX, AAAA, A lookup sequence. .option dnssec_require_domains routers "domain list&!!" unset @@ -19018,7 +19025,7 @@ This applies to all of the SRV, MX, AAAA, A lookup sequence. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_require_domains%& will be done with -the dnssec request bit set. Any returns not having the Authenticated Data bit +the DNSSEC request bit set. Any returns not having the Authenticated Data bit (AD bit) set will be ignored and logged as a host-lookup failure. This applies to all of the SRV, MX, AAAA, A lookup sequence. @@ -25237,7 +25244,7 @@ details. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. Setting this transport option is only useful if the +the DNSSEC request bit set. Setting this transport option is only useful if the transport overrides or sets the host names. See the &%dnssec_request_domains%& router option. @@ -25249,7 +25256,7 @@ router option. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_require_domains%& will be done with -the dnssec request bit set. Setting this transport option is only +the DNSSEC request bit set. Setting this transport option is only useful if the transport overrides or sets the host names. See the &%dnssec_require_domains%& router option. @@ -25530,9 +25537,9 @@ TLS session for any host that matches this list. .cindex DANE "requiring for certain servers" If built with DANE support, Exim will require that a DNSSEC-validated TLSA record is present for any host matching the list, -and that a DANE-verified TLS connection is made. See -the &%dnssec_request_domains%& router and transport options. +and that a DANE-verified TLS connection is made. There will be no fallback to in-clear communication. +See the &%dnssec_request_domains%& router and transport options. See section &<>&. .option hosts_require_ocsp smtp "host list&!!" unset @@ -25571,11 +25578,14 @@ BDAT will not be used in conjunction with a transport filter. .option hosts_try_dane smtp "host list&!!" * .cindex DANE "transport options" .cindex DANE "attempting for certain servers" -If built with DANE support, Exim will require that a DNSSEC-validated -TLSA record is present for any host matching the list, -and that a DANE-verified TLS connection is made. See -the &%dnssec_request_domains%& router and transport options. -There will be no fallback to in-clear communication. +.new +If built with DANE support, Exim will look up a +TLSA record for any host matching the list, +If one is found and that lookup was DNSSEC-validated, +then Exim requires that a DANE-verified TLS connection is made for that host; +there will be no fallback to in-clear communication. +.wen +See the &%dnssec_request_domains%& router and transport options. See section &<>&. .option hosts_try_fastopen smtp "host list&!!" * @@ -28117,7 +28127,7 @@ connection, a client certificate has been verified, the &"valid-client-cert"& option is passed. When authentication succeeds, the identity of the user who authenticated is placed in &$auth1$&. -The Dovecot configuration to match the above wil look +The Dovecot configuration to match the above will look something like: .code conf.d/10-master.conf :- @@ -28578,7 +28588,7 @@ and for clients to only attempt, this authentication method on a secure (eg. under TLS) connection. One possible use, compatible with the -K-9 Mail Andoid client (&url(https://k9mail.github.io/)), +K-9 Mail Android client (&url(https://k9mail.github.io/)), is for using X509 client certificates. It thus overlaps in function with the TLS authenticator @@ -30105,7 +30115,7 @@ the &%dnssec_request_domains%& router or transport option. DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records. -A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using dnssec. +A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using DNSSEC. If a TLSA lookup is done and succeeds, a DANE-verified TLS connection will be required for the host. If it does not, the host will not be used; there is no fallback to non-DANE or non-TLS. @@ -32496,6 +32506,13 @@ Section &<>& below describes how you can distinguish between different values. Some DNS lists may return more than one address record; see section &<>& for details of how they are checked. +.new +Values returned by a properly running DBSBL should be in the 127.0.0.0/8 +range. If a DNSBL operator loses control of the domain, lookups on it +may start returning other addresses. Because of this, Exim now ignores +returned values outside the 127/8 region. +.wen + .section "Variables set from DNS lists" "SECID204" .cindex "expansion" "variables, set from DNS list" @@ -32632,6 +32649,14 @@ deny dnslists = relays.ordb.org .endd which is less clear, and harder to maintain. +Negation can also be used with a bitwise-and restriction. +The dnslists condition with only be trus if a result is returned +by the lookup which, anded with the restriction, is all zeroes. +For example: +.code +deny dnslists = zen.spamhaus.org!&0.255.255.0 +.endd + @@ -39009,7 +39034,7 @@ unchanged, or whether they should be rendered as escape sequences. when TLS is in use. The item is &`CV=yes`& if the peer's certificate was verified using a CA trust anchor, -&`CA=dane`& if using a DNS trust anchor, +&`CV=dane`& if using a DNS trust anchor, and &`CV=no`& if not. .next .cindex "log" "TLS cipher"