X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/e8793bad207763b266bedcb9d859e238b6a3a04e..1e06383a8b5eaaf67910c94c737e8d9b5d16a00a:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ae4d75ecb..c00469b0d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6840,7 +6840,7 @@ is used on its own as the result. If the lookup does not succeed, the &`fail`& keyword causes a &'forced expansion failure'& &-- see section &<>& for an explanation of what this means. -The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, and TXT, +The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, TLSA and TXT, and, when Exim is compiled with IPv6 support, AAAA (and A6 if that is also configured). If no type is given, TXT is assumed. When the type is PTR, the data can be an IP address, written as normal; inversion and the addition of @@ -10247,7 +10247,7 @@ If the ACL returns defer the result is a forced-fail. .cindex "&%bool%& expansion condition" This condition turns a string holding a true or false representation into a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"& -(case-insensitively); also positive integer numbers map to true if non-zero, +(case-insensitively); also integer numbers map to true if non-zero, false if zero. An empty string is treated as false. Leading and trailing whitespace is ignored; @@ -23030,7 +23030,7 @@ in clear. .option tls_try_verify_hosts smtp "host list&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" -For OpenSSL only, this option gives a list of hosts for which, on encrypted connections, +This option gives a list of hosts for which, on encrypted connections, certificate verification will be tried but need not succeed. The &%tls_verify_certificates%& option must also be set. 
@@ -23049,7 +23049,7 @@ single file if you are using GnuTLS. The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<>& for details of TLS. -For back-compatability, or when GnuTLS is used, +For back-compatability, if neither tls_verify_hosts nor tls_try_verify_hosts are set and certificate verification fails the TLS connection is closed. @@ -23057,7 +23057,7 @@ and certificate verification fails the TLS connection is closed. .option tls_verify_hosts smtp "host list&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" -For OpenSSL only, this option gives a list of hosts for which. on encrypted connections, +This option gives a list of hosts for which. on encrypted connections, certificate verification must succeed. The &%tls_verify_certificates%& option must also be set. If both this option and &%tls_try_verify_hosts%& are unset @@ -27330,8 +27330,12 @@ from one SMTP connection to another. If a recipient-verify callout connection i requested in the same ACL it is held open and used for the data, otherwise one is made after the ACL completes. -Note that routers are used in verify mode. Note also that headers cannot be +Note that routers are used in verify mode, +and cannot depend on content of received headers. +Note also that headers cannot be modified by any of the post-data ACLs (DATA, MIME and DKIM). +Headers may be modified by routers (subject to the above) and transports. + Cutthrough delivery is not supported via transport-filters or when DKIM signing of outgoing messages is done, because it sends data to the ultimate destination before the entire message has been received from the source. 
@@ -29035,6 +29039,7 @@ router that does not set up hosts routes to an &(smtp)& transport with a &%hosts%& setting, the transport's hosts are used. If an &(smtp)& transport has &%hosts_override%& set, its hosts are always used, whether or not the router supplies a host list. +Callouts are only supported on &(smtp)& transports. The port that is used is taken from the transport, if it is specified and is a remote transport. (For routers that do verification only, no transport need be
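Review bot: in the @@ -6840 hunk, TLSA is added to the list of supported record types, but the visible paragraph only describes special handling for PTR ("the data can be an IP address, written as normal"). Add a sentence saying what form the lookup key takes for TLSA and how the returned record is presented in the result, or a cross-reference to where that is documented.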
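Review bot: in the @@ -10247 hunk, removing "positive" from "+(case-insensitively); also integer numbers map to true if non-zero," leaves the treatment of negative values to inference. If negative numbers are now meant to evaluate as true, say so explicitly, for example "integer numbers, positive or negative, map to true if non-zero", so that readers relying on the old wording notice the change.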
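Review bot: in the @@ -23049 hunk, the added line "+For back-compatability," carries the misspelling forward; it should read "back-compatibility". While this sentence is being touched, the unchanged continuation "if neither tls_verify_hosts nor tls_try_verify_hosts are set" names both options without the &%...%& markup used for &%tls_verify_certificates%& in the neighbouring hunks, and "are set" should be "is set".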
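Review bot: in the @@ -23057 hunk, the rewritten line "+This option gives a list of hosts for which. on encrypted connections," keeps the stray full stop after "which" from the line it replaces. It should be a comma, matching the equivalent sentence for &%tls_try_verify_hosts%& in the @@ -23030 hunk.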
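Review bot: in the @@ -27330 hunk, "(subject to the above)" in "+Headers may be modified by routers (subject to the above) and transports." is ambiguous, because the preceding text states two constraints: routers run in verify mode, and routers cannot depend on the content of received headers. Name the constraint that applies. It would also help to say why routers cannot depend on received headers; the unchanged text below already gives the reason for the other restrictions (data is sent on before the entire message has been received), and the same explanation could be tied to this sentence.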
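Review bot: in the @@ -29035 hunk, "+Callouts are only supported on &(smtp)& transports." states the restriction but not the outcome when a router routes the address to a transport of another type. Say whether the callout is skipped and what the verification result is in that case. The sentence also sits between the host-selection text and "The port that is used is taken from the transport", which interrupts that description; it would read better at the start or end of the paragraph.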