&*Warning 2*&: In a host list, you must always use &(net-iplsearch)& so that
the implicit key is the host's IP address rather than its name (see section
&<<SECThoslispatsikey>>&).
+
+.new
+&*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the
+IPv4. Such addresses being searched for are converted to IPv4.
+.wen
.next
.new
.cindex lookup json
&`F `& sender address (on delivery lines)
&`H `& host name and IP address
&`I `& local interface used
-&`id `& message id for incoming message
+&`id `& message id (from header) for incoming message
&`K `& CHUNKING extension used
&`L `& on &`<=`& and &`=>`& lines: PIPELINING extension used
&`M8S `& 8BITMIME status for incoming message
&` incoming_port `& remote port on <= lines
&`*lost_incoming_connection `& as it says (includes timeouts)
&` millisec `& millisecond timestamps and RT,QT,DT,D times
+&`*msg_id `& on <= lines, Message-ID: header value
+&` msg_id_created `& on <= lines, Message-ID: header value when one had to be added
&` outgoing_interface `& local interface on => lines
&` outgoing_port `& add remote port to => lines
&`*queue_run `& start and end queue runs
&%millisec%&: Timestamps have a period and three decimal places of finer granularity
appended to the seconds value.
.next
+.new
+.cindex "log" "message id"
+&%msg_id%&: The value of the Message-ID: header.
+.next
+&%msg_id_created%&: The value of the Message-ID: header, when one had to be created.
+This will be either because the message is a bounce, or was submitted locally
+(submission mode) without one.
+The field identifier will have an asterix appended: &"id*="&.
+.wen
+.next
.cindex "log" "outgoing interface"
.cindex "log" "local interface"
.cindex "log" "local address and port"
.cindex "DKIM" "signing"
For signing to be usable you must have published a DKIM record in DNS.
-Note that RFC 8301 says:
+Note that RFC 8301 (which does not cover EC keys) says:
.code
rsa-sha1 MUST NOT be used for signing or verifying.
.option dkim_domain smtp string list&!! unset
The domain(s) you want to sign with.
After expansion, this can be a list.
-Each element in turn is put into the &%$dkim_domain%& expansion variable
+Each element in turn,
+.new
+lowercased,
+.wen
+is put into the &%$dkim_domain%& expansion variable
while expanding the remaining signing options.
If it is empty after expansion, DKIM signing is not done,
and no error will result even if &%dkim_strict%& is set.
Signers SHOULD use RSA keys of at least 2048 bits.
.endd
-Support for EC keys is being developed under
-&url(https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-crypto/).
+.new
+EC keys for DKIM are defined by RFC 8463.
+.wen
They are considerably smaller than RSA keys for equivalent protection.
As they are a recent development, users should consider dual-signing
(by setting a list of selectors, and an expansion for this option)
certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64
.endd
-Note that the format
-of Ed25519 keys in DNS has not yet been decided; this release supports
-both of the leading candidates at this time, a future release will
-probably drop support for whichever proposal loses.
+.new
+Exim also supports an alternate format
+of Ed25519 keys in DNS which was a candidate during development
+of the standard, but not adopted.
+A future release will probably drop that support.
+.wen
.option dkim_hash smtp string&!! sha256
Can be set to any one of the supported hash methods, which are:
If a domain or identity is listed several times in the (expanded) value of
&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+.new
+Note that if the option is set using untrustworthy data
+(such as the From: header)
+care should be taken to force lowercase for domains
+and for the domain part if identities.
+The default setting can be regarded as trustworthy in this respect.
+.wen
+
If multiple signatures match a domain (or identity), the ACL is called once
for each matching signature.
projects / exim.git / blobdiff