tainted values
.cindex "tainted data" "de-tainting"
come down to using the tainted value as a lookup key in a trusted database.
-This database could be the filestem structure,
+This database could be the filesystem structure,
or the password file,
or accessed via a DBMS.
Specific methods are indexed under &"de-tainting"&.
.wen
-.vitem "&*${lookup{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&&
+.vitem "&*${lookup&~{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&&
{*&<&'file'&>&*}&~{*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&" &&&
"&*${lookup&~*&<&'search&~type'&>&*&~{*&<&'query'&>&*}&~&&&
{*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&"
.cindex "tainted data"
If the origin of the data is an incoming message,
the result of expanding this variable is tainted.
-When un untainted version is needed, one should be obtained from
+When in untainted version is needed, one should be obtained from
looking up the value in a local (therefore trusted) database.
Often &$domain_data$& is usable in this role.
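Review bot: the replacement line "When in untainted version is needed" swaps one typo for another. The original "un" was meant to be "an", so the added line should read "When an untainted version is needed, one should be obtained from". As this paragraph is the guidance on how to de-taint message-derived data, it is worth getting the sentence right in this same change.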
or need not succeed respectively.
The &%tls_verify_cert_hostnames%& option lists hosts for which additional
-checks are made: that the host name (the one in the DNS A record)
-is valid for the certificate.
+name checks are made on the server certificate.
+.new
+The match against this list is, as per other Exim usage, the
+IP for the host. That is most closely associated with the
+name on the DNS A (or AAAA) record for the host.
+However, the name that needs to be in the certificate
+is the one at the head of any CNAME chain leading to the A record.
+.wen
The option defaults to always checking.
The &(smtp)& transport has two OCSP-related options:
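Review bot: the added paragraph is ambiguous about what is matched and what is verified. "The match against this list is ... the IP for the host" reads as if the match itself were an IP, and the following "That is most closely associated with" has no clear referent. Suggest stating the two facts separately: the list is matched against the host's IP address, and the name required in the certificate is the one at the head of any CNAME chain leading to the A (or AAAA) record. Note that the CNAME sentence mentions only "the A record" while the previous sentence says "A (or AAAA)", so the two should agree. The rewritten opening line "name checks are made on the server certificate." also sits before the .new marker, so it will not be flagged as changed text along with the rest of the paragraph.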