.set I " "
.macro copyyear
-2017
+2018
.endmacro
. /////////////////////////////////////////////////////////////////////////////
${lookup redis{get keyname}}
.endd
+.new
As of release 4.91, "lightweight" support for Redis Cluster is available.
Requires &%redis_servers%& list to contain all the servers in the cluster, all
of which must be reachable from the running exim instance. If the cluster has
immediately follow the redirection but treats the response as a DEFER, moving on
to the next server in the &%redis_servers%& list until the correct server is
reached.
+.wen
.ecindex IIDfidalo1
.ecindex IIDfidalo2
.vitem "&*${authresults{*&<&'authserv-id'&>&*}}*&"
.cindex authentication "results header"
.cindex headers "authentication-results:"
+.cindex authentication "expansion item"
This item returns a string suitable for insertion as an
&'Authentication-Results"'&
header line.
.code
add_header = :at_start:${authresults {$primary_hostname}}
.endd
+This is safe even if no authentication reselts are available.
.wen
user/password authenticator configuration might preserve the user name for use
in the routers. Note that this is not the same information that is saved in
&$sender_host_authenticated$&.
+
When a message is submitted locally (that is, not over a TCP connection)
the value of &$authenticated_id$& is normally the login name of the calling
process. However, a trusted user can override this by means of the &%-oMai%&
command line option.
+.new
+This second case also sets up inforamtion used by the
+&$authresults$& expansion item.
+.wen
.vitem &$authenticated_fail_id$&
.cindex "authentication" "fail" "id"
the result, the name is not accepted, and &$host_lookup_deferred$& is set to
&"1"&. See also &$sender_host_name$&.
+.new
+.cindex authentication "expansion item"
+Performing these checks sets up information used by the
+&$authresults$& expansion item.
+.wen
+
+
.vitem &$host_lookup_failed$&
.vindex "&$host_lookup_failed$&"
See &$host_lookup_deferred$&.
.vitem &$spf_header_comment$& &&&
&$spf_received$& &&&
&$spf_result$& &&&
+ &$spf_result_guessed$& &&&
&$spf_smtp_comment$&
These variables are only available if Exim is built with SPF support.
For details see section &<<SECSPF>>&.
client from which the message was received. This variable is empty if there was
no successful authentication.
+.new
+.cindex authentication "expansion item"
+Successful authentication sets up information used by the
+&$authresults$& expansion item.
+.wen
+
be a valid RSA private key in ASCII armor (.pem file), including line breaks
.new
.next
-with GnuTLS 3.6.0 or later, be a valid Ed25519 private key (same format as above)
+with GnuTLS 3.6.0 or OpenSSL 1.1.1 or later,
+be a valid Ed25519 private key (same format as above)
.wen
.next
start with a slash, in which case it is treated as a file that contains
.endlist
.new
+To generate keys under OpenSSL:
+.code
+openssl genrsa -out dkim_rsa.private 2048
+openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM
+.endd
+Take the base-64 lines from the output of the second command, concatenated,
+for the DNS TXT record.
+See section 3.6 of RFC6376 for the record specification.
+
+Under GnuTLS:
+.code
+certtool --generate-privkey --rsa --bits=2048 --password='' -8 --outfile=dkim_rsa.private
+certtool --load-privkey=dkim_rsa.private --pubkey-info
+.endd
+
Note that RFC 8301 says:
.code
Signers MUST use RSA keys of at least 1024 bits for all keys.
for some transition period.
The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
for EC keys.
+
+OpenSSL 1.1.1 and GnuTLS 3.6.0 can create Ed25519 private keys:
+.code
+openssl genpkey -algorithm ed25519 -out dkim_ed25519.private
+certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
+.endd
+
+To produce the required public key value for a DNS record:
+.code
+openssl pkey -outform DER -pubout -in dkim_ed25519.private | tail -c +13 | base64
+certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64
+.endd
.wen
.option dkim_hash smtp string&!! sha256
containing the signature status and its details are set up during the
runtime of the ACL.
+.new
+.cindex authentication "expansion item"
+Performing verification sets up information used by the
+&$authresults$& expansion item.
+.wen
+
Calling the ACL only for existing signatures is not sufficient to build
more advanced policies. For that reason, the global option
&%dkim_verify_signers%&, and a global expansion variable
.vitem &%$dkim_algo%&
The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
.new
-If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'.
+If running under GnuTLS 3.6.0 or OpenSSL 1.1.1 or later,
+may also be 'ed25519-sha256'.
The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
for EC keys.
.wen
DNS records is all that is required.
For verification, an ACL condition and an expansion lookup are provided.
+.new
+.cindex authentication "expansion item"
+Performing verification sets up information used by the
+&$authresults$& expansion item.
+.wen
+
.cindex SPF "ACL condition"
.cindex ACL "spf condition"
one of pass, fail, softfail, none, neutral, permerror or
temperror.
+.vitem &$spf_result_guessed$&
+.vindex &$spf_result_guessed$&
+ This boolean is true only if a best-guess operation was used
+ and required in order to obtain a result.
+
.vitem &$spf_smtp_comment$&
.vindex &$spf_smtp_comment$&
This contains a string that can be used in a SMTP response