.set I " "
.macro copyyear
-2019
+2020
.endmacro
. /////////////////////////////////////////////////////////////////////////////
.new
.oindex &%sqlite_dbfile%&
-The preferred way of specifying the file is by using the
+The preferred way of specifying the file is by using the
&%sqlite_dbfile%& option, set to
an absolute path.
.wen
.endd
The third argument is a list of options, of which the first element is the timeout
-and must be present if the argument is given.
+and must be present if any options are given.
Further elements are options of form &'name=value'&.
-Two option types is currently recognised: shutdown and tls.
-The first defines whether (the default)
-or not a shutdown is done on the connection after sending the request.
-Example, to not do so (preferred, eg. by some webservers):
+Example:
.code
${readsocket{/socket/name}{request string}{3s:shutdown=no}}
.endd
-The second, tls, controls the use of TLS on the connection. Example:
-.code
-${readsocket{/socket/name}{request string}{3s:tls=yes}}
-.endd
-The default is to not use TLS.
+
+.new
+The following option names are recognised:
+.ilist
+&*cache*&
+Defines if the result data can be cached for use by a later identical
+request in the same process.
+Values are &"yes"& or &"no"& (the default).
+If not, all cached results for this connection specification
+will be invalidated.
+
+.next
+&*shutdown*&
+Defines whether or not a write-shutdown is done on the connection after
+sending the request. Values are &"yes"& (the default) or &"no"&
+(preferred, eg. by some webservers).
+
+.next
+&*tls*&
+Controls the use of TLS on the connection.
+Values are &"yes"& or &"no"& (the default).
If it is enabled, a shutdown as descripbed above is never done.
+.endlist
+.wen
+
A fourth argument allows you to change any newlines that are in the data
that is read, in the same way as for &%readfile%& (see above). This example
.cindex "tainted data"
If the origin of the data is an incoming message,
the result of expanding this variable is tainted.
-See also &$domain_verified$&.
+When un untainted version is needed, one should be obtained from
+looking up the value in a local (therefore trusted) database.
+See also &$domain_data$&.
.wen
dns_dnssec_ok = 1
.endd
+.new
+In addition, on Linux with glibc 2.31 or newer the resolver library will
+default to stripping out a successful validation status.
+This will break a previously working Exim installation.
+Provided that you do trust the resolver (ie, is on localhost) you can tell
+glibc to pass through any successful validation with a new option in
+&_/etc/resolv.conf_&:
+.code
+options trust-ad
+.endd
+.wen
+
Exim does not perform DNSSEC validation itself, instead leaving that to a
validating resolver (e.g. unbound, or bind with suitable configuration).
.table2
.row &%dkim_verify_hashes%& "DKIM hash methods accepted for signatures"
.row &%dkim_verify_keytypes%& "DKIM key types accepted for signatures"
+.row &%dkim_verify_min_keysizes%& "DKIM key sizes accepted for signatures"
.row &%dkim_verify_signers%& "DKIM domains for which DKIM ACL is run"
.row &%host_lookup%& "host name looked up for these hosts"
.row &%host_lookup_order%& "order of DNS and local name lookups"
and an order of processing.
Signatures with algorithms not in the list will be ignored.
+
+.new
+.option dkim_verify_min_keysizes main "string list" "rsa=1024 ed25519=250"
+This option gives a list of key sizes which are acceptable in signatures.
+The list is keyed by the algorithm type for the key; the values are in bits.
+Signatures with keys smaller than given by this option will fail verification.
+
+The default enforces the RFC 8301 minimum key size for RSA signatures.
+.wen
+
.option dkim_verify_minimal main boolean false
If set to true, verification of signatures will terminate after the
first success.
If the resolver library does not support DNSSEC then this option has no effect.
+.new
+On Linux with glibc 2.31 or newer this is insufficient, the resolver library
+will default to stripping out a successful validation status.
+This will break a previously working Exim installation.
+Provided that you do trust the resolver (ie, is on localhost) you can tell
+glibc to pass through any successful validation with a new option in
+&_/etc/resolv.conf_&:
+.code
+options trust-ad
+.endd
+.wen
+
.option dns_ipv4_lookup main "domain list&!!" unset
.cindex "IPv6" "DNS lookup for AAAA records"
used. For example:
.code
require_files = mail:/some/file
-require_files = $local_part:$home/.procmailrc
+require_files = $local_part_verified:$home/.procmailrc
.endd
If a user or group name in a &%require_files%& list does not exist, the
&%require_files%& condition fails.
# This transport overrides the group
group_delivery:
driver = appendfile
- file = /var/spool/mail/$local_part
+ file = /var/spool/mail/$local_part_verified
group = mail
.endd
If &%user%& is set for a transport, its value overrides what is set in the
way of handling this requirement:
.code
file = ${if eq{$address_file}{inbox} \
- {/var/mail/$local_part} \
+ {/var/mail/$local_part_verified} \
{${if eq{${substr_0_1:$address_file}}{/} \
{$address_file} \
{$home/mail/$address_file} \
path. The most common settings of this option are variations on one of these
examples:
.code
-file = /var/spool/mail/$local_part
-file = /home/$local_part/inbox
+file = /var/spool/mail/$local_part_verified
+file = /home/$local_part_verified/inbox
file = $home/inbox
.endd
.cindex "&""sticky""& bit"
folders. Consider this example:
.code
maildir_format = true
-directory = /var/mail/$local_part\
+directory = /var/mail/$local_part_verified\
${if eq{$local_part_suffix}{}{}\
{/.${substr_1:$local_part_suffix}}}
maildirfolder_create_regex = /\.[^/]+$
check_local_user
driver = redirect
domains = +local_domains
- file = /central/filters/$local_part
+ file = /central/filters/$local_part_verified
no_verify
allow_filter
allow_freeze
lists:
driver = redirect
domains = lists.example
- file = /usr/lists/$local_part
+ file = ${lookup {$local_part} dsearch,ret=full {/usr/lists}}
forbid_pipe
forbid_file
- errors_to = $local_part-request@lists.example
+ errors_to = ${quote_local_part:$local_part-request}@lists.example
no_more
.endd
This router is skipped for domains other than &'lists.example'&. For addresses
driver = redirect
domains = lists.example
local_part_suffix = -request
- file = /usr/lists/$local_part$local_part_suffix
+ local_parts = ${lookup {$local_part} dsearch,filter=file {/usr/lists}}
+ file = /usr/lists/${local_part_data}-request
no_more
lists_post:
domains = lists.example
senders = ${if exists {/usr/lists/$local_part}\
{lsearch;/usr/lists/$local_part}{*}}
- file = /usr/lists/$local_part
+ file = ${lookup {$local_part} dsearch,ret=full {/usr/lists}}
forbid_pipe
forbid_file
- errors_to = $local_part-request@lists.example
+ errors_to = ${quote_local_part:$local_part-request}@lists.example
no_more
lists_closed:
max_rcpt = 1
return_path = \
${if match {$return_path}{^(.+?)-request@your.dom.example\$}\
- {$1-request+$local_part=$domain@your.dom.example}fail}
+ {${quote_local_part:$1-request+$local_part=$domain}@your.dom.example}fail}
.endd
This has the effect of rewriting the return path (envelope sender) on outgoing
SMTP messages, if the local part of the original return path ends in
transport = remote_smtp
errors_to = \
${if match {$return_path}{^(.+?)-request@your.dom.example\$}}
- {$1-request+$local_part=$domain@your.dom.example}fail}
+ {${quote_local_part:$1-request+$local_part=$domain}@your.dom.example}fail}
no_more
.endd
Before you start sending out messages with VERPed return paths, you must also
.code
my_mailboxes:
driver = appendfile
- file = /var/mail/$domain/$local_part
+ file = /var/mail/$domain/$local_part_data
user = mail
.endd
This uses a directory of mailboxes for each domain. The &%user%& setting is
.vitem &%$dkim_key_length%&
Number of bits in the key.
+.new
+Valid only once the key is loaded, which is at the time the header signature
+is verified, which is after the body hash is.
+.wen
Note that RFC 8301 says:
.code
less than 1024 bits as valid signatures.
.endd
-To enforce this you must have a DKIM ACL which checks this variable
-and overwrites the &$dkim_verify_status$& variable as discussed above.
-As EC keys are much smaller, the check should only do this for RSA keys.
+This is enforced by the default setting for the &%dkim_verify_min_keysizes%&
+option.
.endlist
projects / exim.git / blobdiff