author Jeremy Harris <jgh146exb@wizmail.org> 2019-02-05 23:19:00 +0000
committer Jeremy Harris <jgh146exb@wizmail.org> 2019-02-11 00:17:22 +0000
commit fe12ec888ef7b81ee0f5874ca6201ba11b0e9b19 (patch)
tree 6f67321aaf0a54244eb2412d0f6dd3f9af70c83f /doc
parent 7ab90dd415eac327c57c5ba755b2005a8c0b946f (diff)
DKIM: ensure that dkim_domain elements are lowercased before use. Bug 2371
(cherry picked from commit f3c73adaa541ae54092467a29668ac32894ef1dc)
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 16
-rw-r--r-- doc/doc-txt/ChangeLog 2
2 files changed, 16 insertions, 2 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 08a0a974a..415c72712 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39534,7 +39534,7 @@ senders).
.cindex "DKIM" "signing"
For signing to be usable you must have published a DKIM record in DNS.
-Note that RFC 8301 says:
+Note that RFC 8301 (which does not cover EC keys) says:
.code
rsa-sha1 MUST NOT be used for signing or verifying.
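Review bot: The parenthetical added to the RFC 8301 line ("which does not cover EC keys") is unrelated to lowercasing dkim_domain, which is all the commit subject and Bug 2371 describe, and unlike the other two spec.xfpt additions it is not wrapped in .new/.wen. Either split it into its own commit or mention it in the commit message, and add the .new/.wen markers if it is meant to show as changed text. As worded it also tells the reader what the RFC omits without saying where EC keys are covered; a pointer would make the aside actionable.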
@@ -39554,7 +39554,11 @@ These options take (expandable) strings as arguments.
.option dkim_domain smtp string list&!! unset
The domain(s) you want to sign with.
After expansion, this can be a list.
-Each element in turn is put into the &%$dkim_domain%& expansion variable
+Each element in turn,
+.new
+lowercased,
+.wen
+is put into the &%$dkim_domain%& expansion variable
while expanding the remaining signing options.
If it is empty after expansion, DKIM signing is not done,
and no error will result even if &%dkim_strict%& is set.
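Review bot: The added "lowercased" on the dkim_domain element does not spell out that this changes what "the remaining signing options" see when they expand $dkim_domain. A configuration that builds a file name or lookup key from $dkim_domain and relied on the case given in the list will now get the lowercased form, so a sentence saying so (or a line in the ChangeLog entry) would save administrators a silent miss. It would also help to state whether the lowercasing happens before or after the "empty after expansion" test described in the next sentence, although for an empty string the result is the same.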
@@ -39755,6 +39759,14 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers
If a domain or identity is listed several times in the (expanded) value of
&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+.new
+Note that if the option is set using untrustworthy data
+(such as the From: header)
+care should be taken to force lowercase for domains
+and for the domain part if identities.
+The default setting can be regarded as trustworthy in this respect.
+.wen
+
If multiple signatures match a domain (or identity), the ACL is called once
for each matching signature.
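Review bot: Typo in the added note for dkim_verify_signers: "and for the domain part if identities" should read "of identities". The note also tells the administrator to "force lowercase" without saying how; naming the ${lc:...} expansion operator here would make the advice directly usable. Finally, the signing side now lowercases dkim_domain automatically while the verify side leaves it to the configuration, and a brief statement of why the two differ would stop readers assuming dkim_verify_signers is normalised as well.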
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index bc739ae2c..9313c7b28 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -20,6 +20,8 @@ JH/03 Debug output for ACL now gives the config file name and line number for
JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
+JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
+
Exim version 4.92
-----------------
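Review bot: The JH/05 ChangeLog entry drops the "Bug 2371" reference that the commit subject carries, so someone reading the ChangeLog cannot trace the change back to the report. Suggest starting the entry with "Bug 2371:" and, since the same commit adds advice about lowercasing untrusted input to dkim_verify_signers, consider mentioning that the verify-side option is not lowercased automatically.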