.set I " "
.macro copyyear
-2014
+2015
.endmacro
. /////////////////////////////////////////////////////////////////////////////
content-scanning extension and the obsolete &%demime%& condition. For details,
see section &<<SECTdemimecond>>&.
+.vitem &$dkim_cur_signer$& &&&
+ &$dkim_verify_status$& &&&
+ &$dkim_verify_reason$& &&&
+ &$dkim_domain$& &&&
+ &$dkim_identity$& &&&
+ &$dkim_selector$& &&&
+ &$dkim_algo$& &&&
+ &$dkim_canon_body$& &&&
+ &$dkim_canon_headers$& &&&
+ &$dkim_copiedheaders$& &&&
+ &$dkim_bodylength$& &&&
+ &$dkim_created$& &&&
+ &$dkim_expires$& &&&
+ &$dkim_headernames$& &&&
+ &$dkim_key_testing$& &&&
+ &$dkim_key_nosubdomains$& &&&
+ &$dkim_key_srvtype$& &&&
+ &$dkim_key_granularity$& &&&
+ &$dkim_key_notes$&
+These variables are only available within the DKIM ACL.
+For details see chapter &<<CHAPdkim>>&.
+
+.vitem &$dkim_signers$&
+.vindex &$dkim_signers$&
+When a message has been received this variable contains
+a colon-separated list of signer domains and identities for the message.
+For details see chapter &<<CHAPdkim>>&.
+
.vitem &$dnslist_domain$& &&&
&$dnslist_matched$& &&&
&$dnslist_text$& &&&
See also the &'Policy controls'& section above.
.table2
+.row &%dkim_verify_signers%& "DKIM domain for which DKIM ACL is run"
.row &%host_lookup%& "host name looked up for these hosts"
.row &%host_lookup_order%& "order of DNS and local name lookups"
.row &%recipient_unqualified_hosts%& "may send unqualified recipients"
processed and the message itself has been received, but before the
acknowledgment is sent. See chapter &<<CHAPACL>>& for further details.
+.option acl_smtp_dkim main string&!! unset
+.cindex DKIM "ACL for"
+This option defines the ACL that is run for each DKIM signature
+of a received message.
+See chapter &<<CHAPdkim>>& for further details.
+
.option acl_smtp_etrn main string&!! unset
.cindex "ETRN" "ACL for"
This option defines the ACL that is run when an SMTP ETRN command is
to handle IPv6 literal addresses.
+.option dkim_verify_signers main "domain list&!!" $dkim_signers
+.cindex DKIM "controlling calls to the ACL"
+This option gives a list of DKIM domains for which the DKIM ACL is run.
+It is expanded after the message is received; by default it runs
+the ACL once for each signature in the message.
+See chapter &<<CHAPdkim>>&.
+
+
.option dns_again_means_nonexist main "domain list&!!" unset
.cindex "DNS" "&""try again""& response; overriding"
DNS lookups give a &"try again"& response for the DNS errors
This option sets the path which is used to determine the names of Exim's log
files, or indicates that logging is to be to syslog, or both. It is expanded
when Exim is entered, so it can, for example, contain a reference to the host
-name. If no specific path is set for the log files at compile or run time, they
-are written in a sub-directory called &_log_& in Exim's spool directory.
+name. If no specific path is set for the log files at compile or run time,
+or if the option is unset at run time (i.e. &`log_file_path = `&)
+they are written in a sub-directory called &_log_& in Exim's spool directory.
Chapter &<<CHAPlog>>& contains further details about Exim's logging, and
section &<<SECTwhelogwri>>& describes how the contents of &%log_file_path%& are
used. If this string is fixed at your installation (contains no expansion
AUTH_HEIMDAL_GSSAPI=yes
AUTH_PLAINTEXT=yes
AUTH_SPA=yes
+AUTH_TLS=yes
.endd
in &_Local/Makefile_&, respectively. The first of these supports the CRAM-MD5
authentication mechanism (RFC 2195), and the second provides an interface to
the PLAIN authentication mechanism (RFC 2595) or the LOGIN mechanism, which is
not formally documented, but used by several MUAs. The seventh authenticator
supports Microsoft's &'Secure Password Authentication'& mechanism.
+The eighth is an Exim authenticator but not an SMTP one;
+instead it can use information from a TLS negotiation.
The authenticators are configured using the same syntax as other drivers (see
section &<<SECTfordricon>>&). If no authenticators are required, no
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+
+.new
+.chapter "The tls authenticator" "CHAPtlsauth"
+.scindex IIDtlsauth1 "&(tls)& authenticator"
+.scindex IIDtlsauth2 "authenticators" "&(tls)&"
+.cindex "authentication" "Client Certificate"
+.cindex "authentication" "X509"
+.cindex "Certificate-based authentication"
+The &(tls)& authenticator provides server support for
+authentication based on client certificates.
+
+It is not an SMTP authentication mechanism and is not
+advertised by the server as part of the SMTP EHLO response.
+It is an Exim authenticator in the sense that it affects
+the protocol element of the log line, can be tested for
+by the &%authenticated%& ACL condition, and can set
+the &$authenticated_id$& variable.
+
+The client must present a verifiable certificate,
+for which it must have been requested via the
+&%tls_verify_hosts%& or &%tls_try_verify_hosts%& main options
+(see &<<CHAPTLS>>&).
+
+If an authenticator of this type is configured it is
+run before any SMTP-level communication is done,
+and can authenticate the connection.
+If it does, SMTP suthentication is not offered.
+
+A maximum of one authenticator of this type may be present.
+
+
+.cindex "options" "&(tls)& authenticator (server)"
+The &(tls)& authenticator has three server options:
+
+.option server_param1 tls string&!! unset
+.cindex "variables (&$auth1$& &$auth2$& etc)" "in &(tls)& authenticator"
+This option is expanded after the TLS negotiation and
+the result is placed in &$auth1$&.
+If the expansion is forced to fail, authentication fails. Any other expansion
+failure causes a temporary error code to be returned.
+
+.option server_param2 tls string&!! unset
+.option server_param3 tls string&!! unset
+As above, for &$auth2$& and &$auth3$&.
+
+&%server_param1%& may also be spelled &%server_param%&.
+
+
+Example:
+.code
+tls:
+ driver = tls
+ server_param1 = ${certextract {subj_altname,mail,>:} \
+ {$tls_in_peercert}}
+ server_condition = ${if forany {$auth1} \
+ {!= {0} \
+ {${lookup ldap{ldap:///\
+ mailname=${quote_ldap_dn:${lc:$item}},\
+ ou=users,LDAP_DC?mailid} {$value}{0} \
+ } } } }
+ server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}}
+.endd
+.ecindex IIDtlsauth1
+.ecindex IIDtlsauth2
+.wen
+
+
+Note that because authentication is traditionally an SMTP operation,
+the &%authenticated%& ACL condition cannot be used in
+a connect- or helo-ACL.
+
+
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
.cindex "EXPN" "ACL for"
.cindex "HELO" "ACL for"
.cindex "EHLO" "ACL for"
+.cindex "DKIM" "ACL for"
.cindex "MAIL" "ACL for"
.cindex "QUIT, ACL for"
.cindex "RCPT" "ACL for"
.irow &%acl_smtp_connect%& "ACL for start of SMTP connection"
.irow &%acl_smtp_data%& "ACL after DATA is complete"
.irow &%acl_smtp_data_prdr%& "ACL for each recipient, after DATA is complete"
+.irow &%acl_smtp_dkim%& "ACL for each DKIM signer"
.irow &%acl_smtp_etrn%& "ACL for ETRN"
.irow &%acl_smtp_expn%& "ACL for EXPN"
.irow &%acl_smtp_helo%& "ACL for HELO or EHLO"
.code
log_file_path = $spool_directory/log/%slog
.endd
-If you do not specify anything at build time or run time, that is where the
-logs are written.
+If you do not specify anything at build time or run time,
+or if you unset the option at run time (i.e. &`log_file_path = `&),
+that is where the logs are written.
A log file path may also contain &`%D`& or &`%M`& if datestamped log file names
are in use &-- see section &<<SECTdatlogfil>>& below.
git://git.exim.org / users / jgh / exim.git / blobdiff