X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;ds=inline;f=doc%2Fdoc-docbook%2Fspec.xfpt;h=f865fc9a1b43aed8423668d52462aaff810eb93b;hb=d6e7df900550f1a63e066f8a4a7d023e8d8e312b;hp=b1cc46862743cda0f8fc56ebf931a7655d6b5ad2;hpb=25ca84e25a47ccf8e1e0560ebd88794dabeb8db5;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b1cc46862..f865fc9a1 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -15082,7 +15082,7 @@ server. This reduces security slightly, but improves interworking with older implementations of TLS. -option gnutls_allow_auto_pkcs11 main boolean unset +.option gnutls_allow_auto_pkcs11 main boolean unset This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with the p11-kit configuration files in &_/etc/pkcs11/modules/_&. @@ -17369,7 +17369,7 @@ The ordering of the two lists must match. .cindex SSMTP .cindex SMTPS This option specifies a list of incoming SSMTP (aka SMTPS) ports that should -operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately +operate the SSMTP (SMTPS) protocol, where a TLS session is immediately set up without waiting for the client to issue a STARTTLS command. For further details, see section &<>&. @@ -39037,7 +39037,7 @@ tag value. Note that Exim does not check the value. This option sets the canonicalization method used when signing a message. The DKIM RFC currently supports two methods: "simple" and "relaxed". The option defaults to "relaxed" when unset. Note: the current implementation -only supports using the same canonicalization method for both headers and body. +only supports signing with the same canonicalization method for both headers and body. .option dkim_strict smtp string&!! unset This option defines how Exim behaves when signing a message that 
@@ -39071,22 +39071,28 @@ name will be appended. .section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY" .cindex "DKIM" "verification" -Verification of DKIM signatures in SMTP incoming email is implemented via the -&%acl_smtp_dkim%& ACL. By default, this ACL is called once for each +.new +Verification of DKIM signatures in SMTP incoming email is done for all +messages for which an ACL control &%dkim_disable_verify%& has not been set. +.cindex authentication "expansion item" +Performing verification sets up information used by the +&$authresults$& expansion item. +.wen + +.new The results of that verification are then made available to the +&%acl_smtp_dkim%& ACL, &new(which can examine and modify them). +By default, this ACL is called once for each syntactically(!) correct signature in the incoming message. A missing ACL definition defaults to accept. If any ACL call does not accept, the message is not accepted. If a cutthrough delivery was in progress for the message, that is summarily dropped (having wasted the transmission effort). -To evaluate the signature in the ACL a large number of expansion variables +To evaluate the &new(verification result) in the ACL +a large number of expansion variables containing the signature status and its details are set up during the runtime of the ACL. -.cindex authentication "expansion item" -Performing verification sets up information used by the -&$authresults$& expansion item. - Calling the ACL only for existing signatures is not sufficient to build more advanced policies. For that reason, the global option &%dkim_verify_signers%&, and a global expansion variable
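Review bot: In the canonicalization hunk (@@ -39037), the reworded line "only supports signing with the same canonicalization method for both headers and body." narrows the limitation to signing but leaves the reader to infer what verification does. If verification handles signatures whose header and body methods differ, add a short sentence saying so; if it does not, the previous wording was the more accurate one. The new line is also longer than the one it replaces and should be re-wrapped to match the surrounding text.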
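Review bot: In the SECDKIMVFY hunk (@@ -39071), the second .new has no matching .wen in the added lines, whereas the first block is closed correctly. It also shares its line with paragraph text ("+.new The results of that verification are then made available to the"), and the same paragraph then marks changes inline with &new(...) twice. Use one mechanism: either drop the second .new and rely on the inline &new(...) markers, or put .new on its own line and add a .wen after the paragraph. On content, the text says the &%acl_smtp_dkim%& ACL "can examine and modify" the results but does not say how they are modified, so name the mechanism or reference the section that does. Since verification is now described as running for every message unless &%dkim_disable_verify%& is set, and the unchanged context keeps "A missing ACL definition defaults to accept", it would help to state explicitly what happens to a message whose signature fails verification when no ACL is defined.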