X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/a79d883474c84fa2a286b7797a7664b599912fcd..47195144861c416c402191b697c5d3d489b1dcb2:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 98986e032..5778ce6a8 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11665,8 +11665,11 @@ contain the trailing slash. If &$config_file$& does not contain a slash, .vindex "&$config_file$&" The name of the main configuration file Exim is using. +.vitem &$dkim_verify_status$& &&& +Results of DKIM verification. +For details see chapter &<>&. + .vitem &$dkim_cur_signer$& &&& - &$dkim_verify_status$& &&& &$dkim_verify_reason$& &&& &$dkim_domain$& &&& &$dkim_identity$& &&& @@ -17130,8 +17133,13 @@ use when sending messages as a client, you must set the &%tls_certificate%& option in the relevant &(smtp)& transport. .new +&*Note*&: If you use filenames based on IP addresses, change the list +separator in the usual way to avoid confusion under IPv6. + &*Note*&: Under current versions of OpenSSL, when a list of more than one file is used, the &$tls_in_ourcert$& veriable is unreliable. + +&*Note*&: OCSP stapling is not usable when a list of more than one file is used. .wen If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then @@ -17273,6 +17281,12 @@ Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). +.new +For GnuTLS 3.5.6 or later the expanded value of this option can be a list +of files, to match a list given for the &%tls_certificate%& option. +The ordering of the two lists must match. +.wen + .option tls_on_connect_ports main "string list" unset .cindex SSMTP @@ -27134,7 +27148,7 @@ let the Exim Maintainers know and we'll likely use it). .next .new With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option -main option, it must be ordered to match the %&tls_certificate%& list. +main option, it must be ordered to match the &%tls_certificate%& list. .wen .next Some other recently added features may only be available in one or the other. @@ -31324,6 +31338,7 @@ address and some time-based randomizing information. The &%prvs%& expansion item creates a signed address, and the &%prvscheck%& expansion item checks one. The syntax of these expansion items is described in section &<>&. +The validity period on signed addresses is seven days. As an example, suppose the secret per-address keys are stored in an MySQL database. A query to look up the key for an address could be defined as a macro @@ -38705,6 +38720,11 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers If a domain or identity is listed several times in the (expanded) value of &%dkim_verify_signers%&, the ACL is only called once for that domain or identity. +.new +If multiple signatures match a domain (or identity), the ACL is called once +for each matching signature. +.wen + Inside the &%acl_smtp_dkim%&, the following expansion variables are available (from most to least important): @@ -38717,7 +38737,8 @@ an identity. This is one of the list items from the expanded main option &%dkim_verify_signers%& (see above). .vitem &%$dkim_verify_status%& -A string describing the general status of the signature. One of +Within the DKIM ACL, +a string describing the general status of the signature. One of .ilist &%none%&: There is no signature in the message for the current domain or identity (as reflected by &%$dkim_cur_signer%&). @@ -38742,6 +38763,9 @@ hash-method or key-size: set dkim_verify_status = fail set dkim_verify_reason = hash too weak .endd + +After all the DKIM ACL runs have completed, the value becomes a +colon-separated list of the values after each run. .wen .vitem &%$dkim_verify_reason%&