Documentation ownership tweaks

[users/jgh/exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 2dbe124a9970724de57d0c73ad18f64f4764c299..2a986f38e0ba7756251183f811efdcf4adc95d28 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -1,4 +1,4 @@
-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.52 2009/06/30 17:36:39 tom Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.65 2009/11/05 19:24:35 nm4 Exp $

 .
 . /////////////////////////////////////////////////////////////////////////////
 . This is the primary source of the Exim Manual. It is an xfpt document that is
 .
 . /////////////////////////////////////////////////////////////////////////////
 . This is the primary source of the Exim Manual. It is an xfpt document that is


@@ -172,15 +172,13 @@
 <bookinfo>
 <title>Specification of the Exim Mail Transfer Agent</title>
 <titleabbrev>The Exim MTA</titleabbrev>
 <bookinfo>
 <title>Specification of the Exim Mail Transfer Agent</title>
 <titleabbrev>The Exim MTA</titleabbrev>

-<date>09 June 2009</date>
-<author><firstname>Philip</firstname><surname>Hazel</surname></author>
-<authorinitials>PH</authorinitials>
-<affiliation><orgname>University of Cambridge Computing Service</orgname></affiliation>
-<address>New Museums Site, Pembroke Street, Cambridge CB2 3QH, England</address>
+<date>5 November 2009</date>
+<author><firstname>Exim</firstname><surname>Maintainers</surname></author>
+<authorinitials>EM</authorinitials>

 <revhistory><revision>
   <revnumber>4.70</revnumber>
 <revhistory><revision>
   <revnumber>4.70</revnumber>

-  <date>10 June 2009</date>
-  <authorinitials>PH</authorinitials>
+  <date>5 November 2009</date>
+  <authorinitials>EM</authorinitials>

 </revision></revhistory>
 <copyright><year>2009</year><holder>University of Cambridge</holder></copyright>
 </bookinfo>
 </revision></revhistory>
 <copyright><year>2009</year><holder>University of Cambridge</holder></copyright>
 </bookinfo>


@@ -728,12 +726,14 @@ the Exim documentation, &"spool"& is always used in the first sense.
 A number of pieces of external code are included in the Exim distribution.
 
 .ilist
 A number of pieces of external code are included in the Exim distribution.
 
 .ilist

+.new

 Regular expressions are supported in the main Exim program and in the
 Exim monitor using the freely-distributable PCRE library, copyright
 &copy; University of Cambridge. The source to PCRE is no longer shipped with
 Exim, so you will need to use the version of PCRE shipped with your system,
 or obtain and install the full version of the library from
 &url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre).
 Regular expressions are supported in the main Exim program and in the
 Exim monitor using the freely-distributable PCRE library, copyright
 &copy; University of Cambridge. The source to PCRE is no longer shipped with
 Exim, so you will need to use the version of PCRE shipped with your system,
 or obtain and install the full version of the library from
 &url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre).

+.wen

 .next
 .cindex "cdb" "acknowledgment"
 Support for the cdb (Constant DataBase) lookup method is provided by code
 .next
 .cindex "cdb" "acknowledgment"
 Support for the cdb (Constant DataBase) lookup method is provided by code


@@ -2221,12 +2221,14 @@ configuration. (If a default alias file is created, its name &'is'& modified.)
 For backwards compatibility, ROOT is used if DESTDIR is not set,
 but this usage is deprecated.
 
 For backwards compatibility, ROOT is used if DESTDIR is not set,
 but this usage is deprecated.
 

+.new

 .cindex "installing Exim" "what is not installed"
 Running &'make install'& does not copy the Exim 4 conversion script
 &'convert4r4'&. You will probably run this only once if you are
 upgrading from Exim 3. None of the documentation files in the &_doc_&
 directory are copied, except for the info files when you have set
 INFO_DIRECTORY, as described in section &<<SECTinsinfdoc>>& below.
 .cindex "installing Exim" "what is not installed"
 Running &'make install'& does not copy the Exim 4 conversion script
 &'convert4r4'&. You will probably run this only once if you are
 upgrading from Exim 3. None of the documentation files in the &_doc_&
 directory are copied, except for the info files when you have set
 INFO_DIRECTORY, as described in section &<<SECTinsinfdoc>>& below.

+.wen

 
 For the utility programs, old versions are renamed by adding the suffix &_.O_&
 to their names. The Exim binary itself, however, is handled differently. It is
 
 For the utility programs, old versions are renamed by adding the suffix &_.O_&
 to their names. The Exim binary itself, however, is handled differently. It is


@@ -2975,6 +2977,7 @@ local part) and outputs what it finds.
 
 .cindex "options" "router &-- extracting"
 .cindex "options" "transport &-- extracting"
 
 .cindex "options" "router &-- extracting"
 .cindex "options" "transport &-- extracting"

+.cindex "options" "authenticator &-- extracting"

 If one of the words &%router%&, &%transport%&, or &%authenticator%& is given,
 followed by the name of an appropriate driver instance, the option settings for
 that driver are output. For example:
 If one of the words &%router%&, &%transport%&, or &%authenticator%& is given,
 followed by the name of an appropriate driver instance, the option settings for
 that driver are output. For example:


@@ -2988,6 +2991,13 @@ using one of the words &%router_list%&, &%transport_list%&, or
 settings can be obtained by using &%routers%&, &%transports%&, or
 &%authenticators%&.
 
 settings can be obtained by using &%routers%&, &%transports%&, or
 &%authenticators%&.
 

+.new
+.cindex "options" "macro &-- extracting"
+If invoked by an admin user, then &%macro%&, &%macro_list%& and &%macros%&
+are available, similarly to the drivers.  Because macros are sometimes used
+for storing passwords, this option is restricted.
+The output format is one item per line.
+.wen

 
 .vitem &%-bp%&
 .oindex "&%-bp%&"
 
 .vitem &%-bp%&
 .oindex "&%-bp%&"


@@ -5885,6 +5895,12 @@ password are correct. In the examples it just produces an error message.
 To make the authenticators work, you can use a string expansion
 expression like one of the examples in &<<CHAPplaintext>>&.
 
 To make the authenticators work, you can use a string expansion
 expression like one of the examples in &<<CHAPplaintext>>&.
 

+.new
+Beware that the sequence of the parameters to PLAIN and LOGIN differ; the
+usercode and password are in different positions.  &<<CHAPplaintext>>&
+covers both.
+.wen
+

 .ecindex IIDconfiwal
 
 
 .ecindex IIDconfiwal
 
 


@@ -5903,12 +5919,14 @@ regular expressions is discussed in many Perl reference books, and also in
 Jeffrey Friedl's &'Mastering Regular Expressions'&, which is published by
 O'Reilly (see &url(http://www.oreilly.com/catalog/regex2/)).
 
 Jeffrey Friedl's &'Mastering Regular Expressions'&, which is published by
 O'Reilly (see &url(http://www.oreilly.com/catalog/regex2/)).
 

+.new

 The documentation for the syntax and semantics of the regular expressions that
 are supported by PCRE is included in the PCRE distribution, and no further
 description is included here. The PCRE functions are called from Exim using
 the default option settings (that is, with no PCRE options set), except that
 the PCRE_CASELESS option is set when the matching is required to be
 case-insensitive.
 The documentation for the syntax and semantics of the regular expressions that
 are supported by PCRE is included in the PCRE distribution, and no further
 description is included here. The PCRE functions are called from Exim using
 the default option settings (that is, with no PCRE options set), except that
 the PCRE_CASELESS option is set when the matching is required to be
 case-insensitive.

+.wen

 
 In most cases, when a regular expression is required in an Exim configuration,
 it has to start with a circumflex, in order to distinguish it from plain text
 
 In most cases, when a regular expression is required in an Exim configuration,
 it has to start with a circumflex, in order to distinguish it from plain text


@@ -6128,7 +6146,7 @@ IPv6 addresses must be enclosed in quotes to prevent the first internal colon
 being interpreted as a key terminator. For example:
 .code
 1.2.3.4:           data for 1.2.3.4
 being interpreted as a key terminator. For example:
 .code
 1.2.3.4:           data for 1.2.3.4

-192.168.0.0/16     data for 192.168.0.0/16
+192.168.0.0/16:    data for 192.168.0.0/16

 "abcd::cdab":      data for abcd::cdab
 "abcd:abcd::/32"   data for abcd:abcd::/32
 .endd
 "abcd::cdab":      data for abcd::cdab
 "abcd:abcd::/32"   data for abcd:abcd::/32
 .endd


@@ -9732,6 +9750,24 @@ lower case), signifying multiplication by 1024 or 1024*1024, respectively.
 As a special case, the numerical value of an empty string is taken as
 zero.
 
 As a special case, the numerical value of an empty string is taken as
 zero.
 

+.new
+.vitem &*bool&~{*&<&'string'&>&*}*&
+.cindex "expansion" "boolean parsing"
+.cindex "&%bool%& expansion condition"
+This condition turns a string holding a true or false representation into
+a boolean state.  It parses &"true"&, &"false"&, &"yes"& and &"no"&
+(case-insensitively); also positive integer numbers map to true if non-zero,
+false if zero.  Leading whitespace is ignored.
+All other string values will result in expansion failure.
+
+When combined with ACL variables, this expansion condition will let you
+make decisions in one place and act on those decisions in another place.
+For example,
+.code
+${if bool{$acl_m_privileged_sender} ...
+.endd
+.wen
+

 .vitem &*crypteq&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
 .cindex "expansion" "encrypted comparison"
 .cindex "encrypted strings, comparing"
 .vitem &*crypteq&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
 .cindex "expansion" "encrypted comparison"
 .cindex "encrypted strings, comparing"


@@ -10183,6 +10219,12 @@ configuration, you might have this:
 .code
 server_condition = ${if pwcheck{$auth1:$auth2}}
 .endd
 .code
 server_condition = ${if pwcheck{$auth1:$auth2}}
 .endd

+.new
+Again, for a PLAIN authenticator configuration, this would be:
+.code
+server_condition = ${if pwcheck{$auth2:$auth3}}
+.endd
+.wen

 .vitem &*queue_running*&
 .cindex "queue runner" "detecting when delivering from"
 .cindex "expansion" "queue runner test"
 .vitem &*queue_running*&
 .cindex "queue runner" "detecting when delivering from"
 .cindex "expansion" "queue runner test"


@@ -10969,10 +11011,12 @@ doing a delivery in maildir format, the value of &$message_size$& is the
 precise size of the file that has been written. See also
 &$message_body_size$&, &$body_linecount$&, and &$body_zerocount$&.
 
 precise size of the file that has been written. See also
 &$message_body_size$&, &$body_linecount$&, and &$body_zerocount$&.
 

+.new

 .cindex "RCPT" "value of &$message_size$&"
 .cindex "RCPT" "value of &$message_size$&"

-While running an ACL at the time of an SMTP RCPT command, &$message_size$&
+While running a per message ACL (mail/rcpt/predata), &$message_size$&

 contains the size supplied on the MAIL command, or -1 if no size was given. The
 value may not, of course, be truthful.
 contains the size supplied on the MAIL command, or -1 if no size was given. The
 value may not, of course, be truthful.

+.wen

 
 .vitem &$mime_$&&'xxx'&
 A number of variables whose names start with &$mime$& are
 
 .vitem &$mime_$&&'xxx'&
 A number of variables whose names start with &$mime$& are


@@ -12338,6 +12382,7 @@ listed in more than one group.
 .row &%gnutls_require_kx%&           "control GnuTLS key exchanges"
 .row &%gnutls_require_mac%&          "control GnuTLS MAC algorithms"
 .row &%gnutls_require_protocols%&    "control GnuTLS protocols"
 .row &%gnutls_require_kx%&           "control GnuTLS key exchanges"
 .row &%gnutls_require_mac%&          "control GnuTLS MAC algorithms"
 .row &%gnutls_require_protocols%&    "control GnuTLS protocols"

+.row &%gnutls_compat_mode%&          "use GnuTLS compatibility mode"

 .row &%tls_advertise_hosts%&         "advertise TLS to these hosts"
 .row &%tls_certificate%&             "location of server certificate"
 .row &%tls_crl%&                     "certificate revocation list"
 .row &%tls_advertise_hosts%&         "advertise TLS to these hosts"
 .row &%tls_certificate%&             "location of server certificate"
 .row &%tls_crl%&                     "certificate revocation list"


@@ -13337,6 +13382,12 @@ server. For details, see section &<<SECTreqciphgnu>>&.
 This option controls the protocols when GnuTLS is used in an Exim
 server. For details, see section &<<SECTreqciphgnu>>&.
 
 This option controls the protocols when GnuTLS is used in an Exim
 server. For details, see section &<<SECTreqciphgnu>>&.
 

+.new
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+.wen

 
 .option headers_charset main string "see below"
 This option sets a default character set for translating from encoded MIME
 
 .option headers_charset main string "see below"
 This option sets a default character set for translating from encoded MIME


@@ -13408,7 +13459,7 @@ do.
 By default, Exim just checks the syntax of HELO and EHLO commands (see
 &%helo_accept_junk_hosts%& and &%helo_allow_chars%&). However, some sites like
 to do more extensive checking of the data supplied by these commands. The ACL
 By default, Exim just checks the syntax of HELO and EHLO commands (see
 &%helo_accept_junk_hosts%& and &%helo_allow_chars%&). However, some sites like
 to do more extensive checking of the data supplied by these commands. The ACL

-condition &`verify`& &`=`& &`helo`& is provided to make this possible.
+condition &`verify = helo`& is provided to make this possible.

 Formerly, it was necessary also to set this option (&%helo_try_verify_hosts%&)
 to force the check to occur. From release 4.53 onwards, this is no longer
 necessary. If the check has not been done before &`verify`& &`=`& &`helo`& is
 Formerly, it was necessary also to set this option (&%helo_try_verify_hosts%&)
 to force the check to occur. From release 4.53 onwards, this is no longer
 necessary. If the check has not been done before &`verify`& &`=`& &`helo`& is


@@ -17810,10 +17861,12 @@ redirection items of the form
 :defer:
 :fail:
 .endd
 :defer:
 :fail:
 .endd

-respectively. When a redirection list contains such an item, it applies to the
-entire redirection; any other items in the list are ignored (&':blackhole:'& is
-different). Any text following &':fail:'& or &':defer:'& is placed in the error
-text associated with the failure. For example, an alias file might contain:
+.new
+respectively. When a redirection list contains such an item, it applies
+to the entire redirection; any other items in the list are ignored. Any
+text following &':fail:'& or &':defer:'& is placed in the error text
+associated with the failure. For example, an alias file might contain:
+.wen

 .code
 X.Employee:  :fail: Gone away, no forwarding address
 .endd
 .code
 X.Employee:  :fail: Gone away, no forwarding address
 .endd


@@ -18957,10 +19010,12 @@ destination. The process that writes the message to the filter, the
 filter itself, and the original process that reads the result and delivers it
 are all run in parallel, like a shell pipeline.
 
 filter itself, and the original process that reads the result and delivers it
 are all run in parallel, like a shell pipeline.
 

+.new

 The filter can perform any transformations it likes, but of course should take
 care not to break RFC 2822 syntax. Exim does not check the result, except to
 test for a final newline when SMTP is in use. All messages transmitted over
 SMTP must end with a newline, so Exim supplies one if it is missing.
 The filter can perform any transformations it likes, but of course should take
 care not to break RFC 2822 syntax. Exim does not check the result, except to
 test for a final newline when SMTP is in use. All messages transmitted over
 SMTP must end with a newline, so Exim supplies one if it is missing.

+.wen

 
 .cindex "content scanning" "per user"
 A transport filter can be used to provide content-scanning on a per-user basis
 
 .cindex "content scanning" "per user"
 A transport filter can be used to provide content-scanning on a per-user basis


@@ -21437,6 +21492,13 @@ client. For details, see section &<<SECTreqciphgnu>>&.
 This option controls the protocols when GnuTLS is used in an Exim
 client. For details, see section &<<SECTreqciphgnu>>&.
 
 This option controls the protocols when GnuTLS is used in an Exim
 client. For details, see section &<<SECTreqciphgnu>>&.
 

+.new
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+.wen
+

 .option helo_data smtp string&!! "see below"
 .cindex "HELO" "argument, setting"
 .cindex "EHLO" "argument, setting"
 .option helo_data smtp string&!! "see below"
 .cindex "HELO" "argument, setting"
 .cindex "EHLO" "argument, setting"


@@ -23529,6 +23591,7 @@ login:
              ldap://ldap.example.org/} }} }
   server_set_id = uid=$auth1,ou=people,o=example.org
 .endd
              ldap://ldap.example.org/} }} }
   server_set_id = uid=$auth1,ou=people,o=example.org
 .endd

+.new

 We have to check that the username is not empty before using it, because LDAP
 does not permit empty DN components. We must also use the &%quote_ldap_dn%&
 operator to correctly quote the DN for authentication. However, the basic
 We have to check that the username is not empty before using it, because LDAP
 does not permit empty DN components. We must also use the &%quote_ldap_dn%&
 operator to correctly quote the DN for authentication. However, the basic


@@ -23536,7 +23599,7 @@ operator to correctly quote the DN for authentication. However, the basic
 correct one to use for the password, because quoting is needed only to make
 the password conform to the Exim syntax. At the LDAP level, the password is an
 uninterpreted string.
 correct one to use for the password, because quoting is needed only to make
 the password conform to the Exim syntax. At the LDAP level, the password is an
 uninterpreted string.

-
+.wen

 
 
 .section "Support for different kinds of authentication" "SECID174"
 
 
 .section "Support for different kinds of authentication" "SECID174"


@@ -23797,7 +23860,7 @@ sasl_cram_md5:
 sasl_plain:
   driver = cyrus_sasl
   public_name = PLAIN
 sasl_plain:
   driver = cyrus_sasl
   public_name = PLAIN

-  server_set_id = $auth1
+  server_set_id = $auth2

 .endd
 Cyrus SASL does implement the LOGIN authentication method, even though it is
 not a standard method. It is disabled by default in the source distribution,
 .endd
 Cyrus SASL does implement the LOGIN authentication method, even though it is
 not a standard method. It is disabled by default in the source distribution,


@@ -23830,7 +23893,7 @@ dovecot_plain:
   driver = dovecot
   public_name = PLAIN
   server_socket = /var/run/dovecot/auth-client
   driver = dovecot
   public_name = PLAIN
   server_socket = /var/run/dovecot/auth-client

-  server_set_id = $auth1
+  server_set_id = $auth2

 
 dovecot_ntlm:
   driver = dovecot
 
 dovecot_ntlm:
   driver = dovecot


@@ -24413,13 +24476,10 @@ unencrypted.
 The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)&
 transport provide the client with a certificate, which is passed to the server
 if it requests it. If the server is Exim, it will request a certificate only if
 The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)&
 transport provide the client with a certificate, which is passed to the server
 if it requests it. If the server is Exim, it will request a certificate only if

-&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. &*Note*&:
-These options must be set in the &(smtp)& transport for Exim to use TLS when it
-is operating as a client. Exim does not assume that a server certificate (set
-by the global options of the same name) should also be used when operating as a
-client.
+&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.

 
 

-If &%tls_verify_certificates%& is set, it must name a file or,
+If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
+must name a file or,

 for OpenSSL only (not GnuTLS), a directory, that contains a collection of
 expected server certificates. The client verifies the server's certificate
 against this collection, taking into account any revoked certificates that are
 for OpenSSL only (not GnuTLS), a directory, that contains a collection of
 expected server certificates. The client verifies the server's certificate
 against this collection, taking into account any revoked certificates that are


@@ -24431,6 +24491,14 @@ list of permitted cipher suites. If either of these checks fails, delivery to
 the current host is abandoned, and the &(smtp)& transport tries to deliver to
 alternative hosts, if any.
 
 the current host is abandoned, and the &(smtp)& transport tries to deliver to
 alternative hosts, if any.
 

+.new
+ &*Note*&:
+These options must be set in the &(smtp)& transport for Exim to use TLS when it
+is operating as a client. Exim does not assume that a server certificate (set
+by the global options of the same name) should also be used when operating as a
+client.
+.wen
+

 .vindex "&$host$&"
 .vindex "&$host_address$&"
 All the TLS options in the &(smtp)& transport are expanded before use, with
 .vindex "&$host$&"
 .vindex "&$host_address$&"
 All the TLS options in the &(smtp)& transport are expanded before use, with


@@ -24765,7 +24833,7 @@ client are given temporary error responses until QUIT is received or the
 connection is closed. In these special cases, the QUIT ACL does not run.
 
 
 connection is closed. In these special cases, the QUIT ACL does not run.
 
 

-
+.new

 .section "The not-QUIT ACL" "SECTNOTQUITACL"
 .vindex &$acl_smtp_notquit$&
 The not-QUIT ACL, specified by &%acl_smtp_notquit%&, is run in most cases when
 .section "The not-QUIT ACL" "SECTNOTQUITACL"
 .vindex &$acl_smtp_notquit$&
 The not-QUIT ACL, specified by &%acl_smtp_notquit%&, is run in most cases when


@@ -24773,6 +24841,7 @@ an SMTP session ends without sending QUIT. However, when Exim itself is is bad
 trouble, such as being unable to write to its log files, this ACL is not run,
 because it might try to do things (such as write to log files) that make the
 situation even worse.
 trouble, such as being unable to write to its log files, this ACL is not run,
 because it might try to do things (such as write to log files) that make the
 situation even worse.

+.wen

 
 Like the QUIT ACL, this ACL is provided to make it possible to do customized
 logging or to gather statistics, and its outcome is ignored. The &%delay%&
 
 Like the QUIT ACL, this ACL is provided to make it possible to do customized
 logging or to gather statistics, and its outcome is ignored. The &%delay%&


@@ -26959,7 +27028,7 @@ entry must set the rate for the same key (otherwise it will always be zero).
 For example:
 .code
 acl_check_connect:
 For example:
 .code
 acl_check_connect:

-  deny ratelimit = 100 / 5m / strict / noupdate
+  deny ratelimit = 100 / 5m / strict / per_cmd / noupdate

        log_message = RATE: $sender_rate/$sender_rate_period \
                      (max $sender_rate_limit)
 .endd
        log_message = RATE: $sender_rate/$sender_rate_period \
                      (max $sender_rate_limit)
 .endd


@@ -27554,10 +27623,12 @@ the third string (in this case &"1"&), whether or not the cryptographic and
 timeout checks succeed. The &$prvscheck_result$& variable contains the result
 of the checks (empty for failure, &"1"& for success).
 
 timeout checks succeed. The &$prvscheck_result$& variable contains the result
 of the checks (empty for failure, &"1"& for success).
 

+.new

 There is one more issue you must consider when implementing prvs-signing:
 you have to ensure that the routers accept prvs-signed addresses and
 deliver them correctly. The easiest way to handle this is to use a &(redirect)&
 router to remove the signature with a configuration along these lines:
 There is one more issue you must consider when implementing prvs-signing:
 you have to ensure that the routers accept prvs-signed addresses and
 deliver them correctly. The easiest way to handle this is to use a &(redirect)&
 router to remove the signature with a configuration along these lines:

+.wen

 .code
 batv_redirect:
   driver = redirect
 .code
 batv_redirect:
   driver = redirect


@@ -34270,6 +34341,7 @@ unqualified domain &'foundation'&.
 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////
 
 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////
 

+.new

 .chapter "Support for DKIM (DomainKeys Identified Mail) - RFC4871" "CHID12" &&&
          "DKIM Support"
 .cindex "DKIM"
 .chapter "Support for DKIM (DomainKeys Identified Mail) - RFC4871" "CHID12" &&&
          "DKIM Support"
 .cindex "DKIM"


@@ -34287,26 +34359,46 @@ ACL (acl_smtp_dkim), which can be called several times per message, with
 different signature context.
 .endlist
 
 different signature context.
 .endlist
 

+In typical Exim style, the verification implementation does not include any
+default "policy". Instead it enables you to build your own policy using
+Exim's standard controls.
+
+Please note that verification of DKIM signatures in incoming mail is turned
+on by default for logging purposes. For each signature in incoming email,
+exim will log a line displaying the most important signature details, and the
+signature status. Here is an example:
+.code
+2009-09-09 10:22:28 1MlIRf-0003LU-U3 DKIM: d=facebookmail.com s=q1-2009b c=relaxed/relaxed a=rsa-sha1 i=@facebookmail.com t=1252484542 [verification succeeded]
+.endd
+You might want to turn off DKIM verification processing entirely for internal
+or relay mail sources. To do that, set the &%dkim_disable_verify%& ACL
+control modifier. This should typically be done in the RCPT ACL, at points
+where you accept mail from relay sources (internal hosts or authenticated
+senders).
+
+

 .section "Signing outgoing messages" "SECID513"
 .cindex "DKIM" "signing"
 
 Signing is implemented by setting private options on the SMTP transport.
 These options take (expandable) strings as arguments.
 
 .section "Signing outgoing messages" "SECID513"
 .cindex "DKIM" "signing"
 
 Signing is implemented by setting private options on the SMTP transport.
 These options take (expandable) strings as arguments.
 

-.vlist
-.vitem dkim_domain = <expanded string> [MANDATORY]
+.option dkim_domain smtp string&!! unset
+MANDATORY

 The domain you want to sign with. The result of this expanded
 The domain you want to sign with. The result of this expanded

-option is put into the $dkim_domain expansion variable.
+option is put into the &%$dkim_domain%& expansion variable.

 
 

-.vitem dkim_selector = <expanded string> [MANDATORY]
-This sets the key selector string. You can use the $dkim_domain expansion
+.option dkim_selector smtp string&!! unset
+MANDATORY
+This sets the key selector string. You can use the &%$dkim_domain%& expansion

 variable to look up a matching selector. The result is put in the expansion
 variable to look up a matching selector. The result is put in the expansion

-variable $dkim_selector which should be used in the dkim_private_key option
-along with $dkim_domain.
+variable &%$dkim_selector%& which should be used in the &%dkim_private_key%&
+option along with &%$dkim_domain%&.

 
 

-.vitem dkim_private_key = <expanded string> [MANDATORY]
-This sets the private key to use. You can use the $dkim_domain and
-$dkim_selector expansion variables to determine the private key to use.
+.option dkim_private_key smtp string&!! unset
+MANDATORY
+This sets the private key to use. You can use the &%$dkim_domain%& and
+&%$dkim_selector%& expansion variables to determine the private key to use.

 The result can either
 .ilist
 be a valid RSA private key in ASCII armor, including line breaks.
 The result can either
 .ilist
 be a valid RSA private key in ASCII armor, including line breaks.


@@ -34315,29 +34407,198 @@ start with a slash, in which case it is treated as a file that contains
 the private key.
 .next
 be "0", "false" or the empty string, in which case the message will not
 the private key.
 .next
 be "0", "false" or the empty string, in which case the message will not

-be signed. This case will not result in an error, even if dkim_strict is set.
+be signed. This case will not result in an error, even if &%dkim_strict%&
+is set.

 .endlist
 
 .endlist
 

-.vitem dkim_canon = <expanded string> [OPTIONAL]
+.option dkim_canon smtp string&!! unset
+OPTIONAL

 This option sets the canonicalization method used when signing a message.
 The DKIM RFC currently supports two methods: "simple" and "relaxed".
 The option defaults to "relaxed" when unset. Note: the current implementation
 This option sets the canonicalization method used when signing a message.
 The DKIM RFC currently supports two methods: "simple" and "relaxed".
 The option defaults to "relaxed" when unset. Note: the current implementation

-only support using the same canonicalization method for both headers and body.
+only supports using the same canonicalization method for both headers and body.

 
 

-.vitem dkim_strict = <expanded string> [OPTIONAL]
+.option dkim_strict smtp string&!! unset
+OPTIONAL

 This  option  defines  how  Exim  behaves  when  signing a message that
 should be signed fails for some reason.  When the expansion evaluates to
 either "1" or "true", Exim will defer. Otherwise Exim will send the message
 This  option  defines  how  Exim  behaves  when  signing a message that
 should be signed fails for some reason.  When the expansion evaluates to
 either "1" or "true", Exim will defer. Otherwise Exim will send the message

-unsigned. You can use the $dkim_domain and $dkim_selector expansion
+unsigned. You can use the &%$dkim_domain%& and &%$dkim_selector%& expansion

 variables here.
 
 variables here.
 

-.vitem dkim_sign_headers = <expanded string> [OPTIONAL]
+.option dkim_sign_headers smtp string&!! unset
+OPTIONAL

 When set, this option must expand to (or be specified as) a colon-separated
 When set, this option must expand to (or be specified as) a colon-separated

-list of header names. These headers will be included in the message
-signature. When unspecified, the headers recommended in RFC4871 will be used.
+list of header names. Headers with these names will be included in the message
+signature. When unspecified, the header names recommended in RFC4871 will be
+used.
+
+
+.section "Verifying DKIM signatures in incoming mail" "SECID514"
+.cindex "DKIM" "verification"
+
+Verification of DKIM signatures in incoming email is implemented via the
+&%acl_smtp_dkim%& ACL. By default, this ACL is called once for each
+syntactically(!) correct signature in the incoming message.
+
+To evaluate the signature in the ACL a large number of expansion variables
+containing the signature status and its details are set up during the
+runtime of the ACL.
+
+Calling the ACL only for existing signatures is not sufficient to build
+more advanced policies. For that reason, the global option
+&%dkim_verify_signers%&, and a global expansion variable
+&%$dkim_signers%& exist.
+
+The global option &%dkim_verify_signers%& can be set to a colon-separated
+list of DKIM domains or identities for which the ACL &%acl_smtp_dkim%& is
+called. It is expanded when the message has been received. At this point,
+the expansion variable &%$dkim_signers%& already contains a colon-
+separated list of signer domains and identities for the message. When
+&%dkim_verify_signers%& is not specified in the main configuration,
+it defaults as:
+.code
+dkim_verify_signers = $dkim_signers
+.endd
+This leads to the default behaviour of calling &%acl_smtp_dkim%& for each
+DKIM signature in the message. Current DKIM verifiers may want to explicitly
+call the ACL for known domains or identities. This would be achieved as follows:
+.code
+dkim_verify_signers = paypal.com:ebay.com:$dkim_signers
+.endd
+This would result in &%acl_smtp_dkim%& always being called for "paypal.com"
+and "ebay.com", plus all domains and identities that have signatures in the message.
+You can also be more creative in constructing your policy. Example:
+.code
+dkim_verify_signers = $sender_address_domain:$dkim_signers
+.endd
+
+If a domain or identity is listed several times in the (expanded) value of
+&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+
+
+Inside the &%acl_smtp_dkim%&, the following expansion variables are
+available (from most to least important):
+
+.vlist
+.vitem &%$dkim_cur_signer%&
+The signer that is being evaluated in this ACL run. This can be domain or
+an identity. This is one of the list items from the expanded main option
+&%dkim_verify_signers%& (see above).
+.vitem &%$dkim_verify_status%&
+A string describing the general status of the signature. One of
+.ilist
+&%none%&: There is no signature in the message for the current domain or
+identity (as reflected by &%$dkim_cur_signer%&).
+.next
+&%invalid%&: The signature could not be verified due to a processing error.
+More detail is available in &%$dkim_verify_reason%&.
+.next
+&%fail%&: Verification of the signature failed.  More detail is
+available in &%$dkim_verify_reason%&.
+.next
+&%pass%&: The signature passed verification. It is valid.
+.endlist
+.vitem &%$dkim_verify_reason%&
+A string giving a litte bit more detail when &%$dkim_verify_status%& is either
+"fail" or "invalid". One of
+.ilist
+&%pubkey_unavailable%& (when &%$dkim_verify_status%&="invalid"): The public
+key for the domain could not be retrieved. This may be a temporary problem.
+.next
+&%pubkey_syntax%& (when &%$dkim_verify_status%&="invalid"): The public key
+record for the domain is syntactically invalid.
+.next
+&%bodyhash_mismatch%& (when &%$dkim_verify_status%&="fail"): The calculated
+body hash does not match the one specified in the signature header. This
+means that the message body was modified in transit.
+.next
+&%signature_incorrect%& (when &%$dkim_verify_status%&="fail"): The signature
+could not be verified. This may mean that headers were modified,
+re-written or otherwise changed in a way which is incompatible with
+DKIM verification. It may of course also mean that the signature is forged.

 .endlist
 .endlist

+.vitem &%$dkim_domain%&
+The signing domain. IMPORTANT: This variable is only populated if there is
+an actual signature in the message for the current domain or identity (as
+reflected by &%$dkim_cur_signer%&).
+.vitem &%$dkim_identity%&
+The signing identity, if present. IMPORTANT: This variable is only populated
+if there is an actual signature in the message for the current domain or
+identity (as reflected by &%$dkim_cur_signer%&).
+.vitem &%$dkim_selector%&
+The key record selector string
+.vitem &%$dkim_algo%&
+The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
+.vitem &%$dkim_canon_body%&
+The body canonicalization method. One of 'relaxed' or 'simple'.
+.vitem &%dkim_canon_headers%&
+The header canonicalization method. One of 'relaxed' or 'simple'.
+.vitem &%$dkim_copiedheaders%&
+A transcript of headers and their values which are included in the signature
+(copied from the 'z=' tag of the signature).
+.vitem &%$dkim_bodylength%&
+The number of signed body bytes. If zero ("0"), the body is unsigned. If no
+limit was set by the signer, "9999999999999" is returned. This makes sure
+that this variable always expands to an integer value.
+.vitem &%$dkim_created%&
+UNIX timestamp reflecting the date and time when the signature was created.
+When this was not specified by the signer, "0" is returned.
+.vitem &%$dkim_expires%&
+UNIX timestamp reflecting the date and time when the signer wants the
+signature to be treated as "expired". When this was not specified by the
+signer, "9999999999999" is returned. This makes it possible to do useful
+integer size comparisons against this value.
+.vitem &%$dkim_headernames%&
+A colon-separated list of names of headers included in the signature.
+.vitem &%$dkim_key_testing%&
+"1" if the key record has the "testing" flag set, "0" if not.
+.vitem &%$dkim_key_nosubdomaining%&
+"1" if the key record forbids subdomaining, "0" otherwise.
+.vitem &%$dkim_key_srvtype%&
+Service type (tag s=) from the key record. Defaults to "*" if not specified
+in the key record.
+.vitem &%$dkim_key_granularity%&
+Key granularity (tag g=) from the key record. Defaults to "*" if not specified
+in the key record.
+.vitem &%$dkim_key_notes%&
+Notes from the key record (tag n=)
+.endlist
+
+In addition, two ACL conditions are provided:
+
+.vlist
+.vitem &%dkim_signers%&
+ACL condition that checks a colon-separated list of domains or identities
+for a match against the domain or identity that the ACL is currently verifying
+(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL
+verb to a group of domains or identities, like:
+
+.code
+# Warn when message apparently from GMail has no signature at all
+warn log_message = GMail sender without DKIM signature
+     sender_domains = gmail.com
+     dkim_signers = gmail.com
+     dkim_status = none
+.endd
+
+.vitem &%dkim_status%&
+ACL condition that checks a colon-separated list of possible DKIM verification
+results agains the actual result of verification. This is typically used
+to restrict an ACL verb to a list of verification outcomes, like:

 
 

+.code
+deny message = Message from Paypal with invalid or missing signature
+     sender_domains = paypal.com:paypal.de
+     dkim_signers = paypal.com:paypal.de
+     dkim_status = none:invalid:fail
+.endd

 
 

+The possible status keywords are: 'none','invalid','fail' and 'pass'. Please
+see the documentation of the &%$dkim_verify_status%& expansion variable above
+for more information of what they mean.
+.endlist
+.wen

 
 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////
 
 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////