summaryrefslogtreecommitdiff
path: root/doc/doc-docbook/spec.xfpt
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2018-04-21 23:59:46 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2018-04-21 23:59:46 +0100
commite4aba1d8d097db21ac6909341107e51383c5357e (patch)
tree97f5e8b622faf43003a0823b3e684ae1537c30a1 /doc/doc-docbook/spec.xfpt
parent26739076aecabbede0a75c9554e4562c63bb1616 (diff)
Docs: clarify DKIM verification
Diffstat (limited to 'doc/doc-docbook/spec.xfpt')
-rw-r--r--doc/doc-docbook/spec.xfpt22
1 files changed, 14 insertions, 8 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b1cc46862..173d69222 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39037,7 +39037,7 @@ tag value. Note that Exim does not check the value.
This option sets the canonicalization method used when signing a message.
The DKIM RFC currently supports two methods: "simple" and "relaxed".
The option defaults to "relaxed" when unset. Note: the current implementation
-only supports using the same canonicalization method for both headers and body.
+only supports signing with the same canonicalization method for both headers and body.
.option dkim_strict smtp string&!! unset
This option defines how Exim behaves when signing a message that
@@ -39071,22 +39071,28 @@ name will be appended.
.section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"
.cindex "DKIM" "verification"
-Verification of DKIM signatures in SMTP incoming email is implemented via the
-&%acl_smtp_dkim%& ACL. By default, this ACL is called once for each
+.new
+Verification of DKIM signatures in SMTP incoming email is done for all
+messages for which an ACL control &%dkim_disable_verify%& has not been set.
+.cindex authentication "expansion item"
+Performing verification sets up information used by the
+&$authresults$& expansion item.
+.wen
+
+.new The results of that verification are then made available to the
+&%acl_smtp_dkim%& ACL, &new(which can examine and modify them).
+By default, this ACL is called once for each
syntactically(!) correct signature in the incoming message.
A missing ACL definition defaults to accept.
If any ACL call does not accept, the message is not accepted.
If a cutthrough delivery was in progress for the message, that is
summarily dropped (having wasted the transmission effort).
-To evaluate the signature in the ACL a large number of expansion variables
+To evaluate the &new(verification result) in the ACL
+a large number of expansion variables
containing the signature status and its details are set up during the
runtime of the ACL.
-.cindex authentication "expansion item"
-Performing verification sets up information used by the
-&$authresults$& expansion item.
-
Calling the ACL only for existing signatures is not sufficient to build
more advanced policies. For that reason, the global option
&%dkim_verify_signers%&, and a global expansion variable