message_size_limit = 100M
.endif
.endd
-sets a message size limit of 50M if the macro &`AAA`& is defined, and 100M
+sets a message size limit of 50M if the macro &`AAA`& is defined
+(or &`A`& or &`AA`&), and 100M
otherwise. If there is more than one macro named on the line, the condition
is true if any of them are defined. That is, it is an &"or"& condition. To
obtain an &"and"& condition, you need to use nested &`.ifdef`&s.
colon in the example above is necessary. If it were not there, the list would
be interpreted as the two items 127.0.0.1:: and 1.
-.section "Changing list separators" "SECID53"
+.section "Changing list separators" "SECTlistsepchange"
.cindex "list separator" "changing"
.cindex "IPv6" "addresses in lists"
Doubling colons in IPv6 addresses is an unwelcome chore, so a mechanism was
show how you can specify hosts that are permitted to send unqualified sender
and recipient addresses, respectively.
+The &%log_selector%& option is used to increase the detail of logging
+over the default:
+.code
+log_selector = +smtp_protocol_error +smtp_syntax_error \
+ +tls_certificate_verified
+.endd
+
The &%percent_hack_domains%& option is also commented out:
.code
# percent_hack_domains =
It will be empty if &(DNSSEC)& was not requested,
&"no"& if the result was not labelled as authenticated data
and &"yes"& if it was.
+Results that are labelled as authoritive answer that match
+the $%dns_trust_aa%$ configuration variable count also
+as authenticated data.
.vitem &$mailstore_basename$&
.vindex "&$mailstore_basename$&"
.row &%tls_crl%& "certificate revocation list"
.row &%tls_dh_max_bits%& "clamp D-H bit count suggestion"
.row &%tls_dhparam%& "DH parameters for server"
+.row &%tls_eccurve%& "EC curve selection for server"
.row &%tls_ocsp_file%& "location of server certificate status proof"
.row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
.row &%tls_privatekey%& "location of server private key"
.row &%dns_ipv4_lookup%& "only v4 lookup for these domains"
.row &%dns_retrans%& "parameter for resolver"
.row &%dns_retry%& "parameter for resolver"
+.row &%dns_trust_aa%& "nameservers trusted as authentic"
.row &%dns_use_edns0%& "parameter for resolver"
.row &%hold_domains%& "hold delivery for these domains"
.row &%local_interfaces%& "for routing checks"
See &%dns_retrans%& above.
+.option dns_trust_aa main domain list&!! unset
+.cindex "DNS" "resolver options"
+.cindex "DNS" "DNSSEC"
+If this option is set then lookup results marked with an AA bit
+(Authoratative Answer) are trusted when they come from one
+of the listed domains, as if they were marked as having been
+DNSSEC-verified.
+
+Use this option only if you talk directly to the resolver
+for your local domains, and list only it.
+It is needed when the resolver does not return an AD bit
+for its local domains.
+The first SOA or NS record appearing in the results is compared
+against the option value.
+
+
+.cindex "DNS" "resolver options"
.option dns_use_edns0 main integer -1
.cindex "DNS" "resolver options"
.cindex "DNS" "EDNS0"
acceptable bound from 1024 to 2048.
+.option tls_eccurve main string&!! prime256v1
+.cindex TLS "EC cryptography"
+If built with a recent-enough version of OpenSSL,
+this option selects a EC curve for use by Exim.
+
+Curve names of the form &'prime256v1'& are accepted.
+For even more-recent library versions, names of the form &'P-512'&
+are also accepted, plus the special value &'auto'&
+which tell the library to choose.
+
+If the option is set to an empty string, no EC curves will be enabled.
+
+
.option tls_ocsp_file main string&!! unset
+.cindex TLS "certificate status"
+.cindex TLS "OCSP proof file"
This option
must if set expand to the absolute path to a file which contains a current
status proof for the server's certificate, as obtained from the
.option tls_on_connect_ports main "string list" unset
+.cindex SSMTP
+.cindex SMTPS
This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately
set up without waiting for the client to issue a STARTTLS command. For
routers, and this can lead to problems with duplicates -- see the similar
warning for &%headers_add%& above.
+&*Warning 3*&: Because of the separate expansion of the list items,
+items that contain a list separator must have it doubled.
+To avoid this, change the list separator (&<<SECTlistsepchange>>&).
+
+
.option ignore_target_hosts routers "host list&!!" unset
.cindex "IP address" "discarding"
Unlike most options, &%headers_remove%& can be specified multiple times
for a router; all listed headers are removed.
+&*Warning*&: Because of the separate expansion of the list items,
+items that contain a list separator must have it doubled.
+To avoid this, change the list separator (&<<SECTlistsepchange>>&).
+
.option headers_rewrite transports string unset
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup{$auth1:mail.example.org:userPassword}\
- dbmjz{/etc/sasldb2}}
+ dbmjz{/etc/sasldb2}{$value}fail}
server_set_id = $auth1
.endd
accepted. It can be used in the &%acl_smtp_rcpt%&, &%acl_smtp_predata%&,
&%acl_smtp_mime%&, &%acl_smtp_data%&, or &%acl_smtp_rcpt%& ACLs. In
&%acl_smtp_rcpt%& the rate is updated one recipient at a time; in the other
-ACLs the rate is updated with the total recipient count in one go. Note that
+ACLs the rate is updated with the total (accepted) recipient count in one go. Note that
in either case the rate limiting engine will see a message with many
recipients as a large high-speed burst.