should also be in "hosts_require_tls", and "tls_verify_certificates"
configured for the transport.
+For the client to be able to verify the stapled OCSP the server must
+also supply, in its stapled information, any intermediate
+certificates for the chain leading to the OCSP proof from the signer
+of the server certificate. There may be zero or one such. These
+intermediate certificates should be added to the server OCSP stapling
+file (named by tls_ocsp_file).
+
At this point in time, we're gathering feedback on use, to determine if
it's worth adding complexity to the Exim daemon to periodically re-fetch
OCSP files and somehow handling multiple files.
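Review bot: "There may be zero or one such." in the new OCSP paragraph is hard to parse because "such" has no clear referent and the count is stated after the plural "intermediate certificates"; suggest "At most one such intermediate certificate is usually needed (the OCSP signer certificate, when the CA delegates signing); if the CA signs responses directly there is none." The same paragraph should also say how the intermediate goes into the tls_ocsp_file (appended after the response, in which encoding), since the sentence "should be added to the server OCSP stapling file" leaves the operator to guess the format and a mis-built file fails verification on the client side rather than on the server where it would be noticed.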
+ A helper script "ocsp_fetch.pl" for fetching a proof from a CA
+ OCSP server is supplied. The server URL may be included in the
+ server certificate, if the CA is helpful.
+
+ One fail mode seen was the OCSP Signer cert expiring before the end
+ of vailidity of the OCSP proof. The checking done by Exim/OpenSSL
+ noted this as invalid overall, but the re-fetch script did not.
+
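Review bot: "vailidity" in the failure-mode paragraph is a typo for "validity", and "fail mode" should read "failure mode". More importantly, the paragraph reports that the re-fetch script accepted a proof whose signer certificate had expired while Exim/OpenSSL rejected it, but does not say whether ocsp_fetch.pl was changed to check the signer certificate's validity period; the note should state the current behaviour, otherwise an operator reading it cannot tell whether a stapled response produced by the script may still be rejected by clients.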
DMARC verification should *not* be performed for them and disable
DMARC with a control setting:
- control = dmarc_verify_disable
+ control = dmarc_disable_verify
A DMARC record can also specify a "forensic address", which gives
exim an email address to submit reports about failed alignment.
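Review bot: the control is renamed from dmarc_verify_disable to dmarc_disable_verify, which is a change to an existing configuration keyword; the documentation should say whether the old spelling is still accepted (and for how long) or whether existing configurations fail to start, and the change needs a matching ChangeLog/NewStuff entry so that operators upgrading an experimental build are not surprised by a configuration error.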
rejecting the email.
o quarantine The DMARC check failed and the library recommends
keeping it for further inspection.
+ o none The DMARC check passed and the library recommends
+ no specific action, neutral.
o norecord No policy section in the DMARC record for this
sender domain.
o nofrom Unable to determine the domain of the sender.
- o none There is no DMARC record for this sender domain.
- o error Library error or dns error.
+ o temperror Library error or dns error.
+ o off The DMARC check was disable for this email.
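Review bot: removing the old "none" entry ("There is no DMARC record for this sender domain") leaves the "no DMARC record at all" case without a listed result value, because "norecord" is documented as "No policy section in the DMARC record", which describes a record that exists but lacks a policy; either extend the "norecord" description to cover both conditions or add the missing value. Also, "was disable" in the new "off" entry should read "was disabled", and with "error" renamed to "temperror" it is worth stating that the value is transient (DNS or library failure) so that ACL authors know not to treat it as a permanent verdict.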
You can prefix each string with an exclamation mark to invert its
meaning, for example "!accept" will match all results but
(RCPT ACL)
warn domains = +local_domains
hosts = +local_hosts
- control = dmarc_verify_disable
+ control = dmarc_disable_verify
warn !domains = +screwed_up_dmarc_records
control = dmarc_enable_forensic
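Review bot: the ACL example now uses the renamed control dmarc_disable_verify, consistent with the prose change above, but the second statement references the list +screwed_up_dmarc_records without showing or naming where it is defined; a one-line comment saying it is a domainlist of sender domains whose DMARC records are known to be broken would make the example self-contained. The first statement disables verification for mail from +local_hosts to +local_domains; it is worth adding a sentence that the exemption is keyed on the connecting host list, so that the list must only contain hosts the operator trusts not to forge local sender domains.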