diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-txt/NewStuff | 2 | ||||
-rw-r--r-- | doc/doc-txt/OptionLists.txt | 1 | ||||
-rw-r--r-- | doc/doc-txt/experimental-spec.txt | 47 |
3 files changed, 50 insertions, 0 deletions
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 37f53bf89..071d4a5dc 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -44,6 +44,8 @@ Version 4.91 12. Expansion item ${authresults {<machine>}} for creating an Authentication-Results: header. +13. EXPERIMENTAL_ARC. See the experimental.spec file. + Version 4.90 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 5728643a8..1fe72be6b 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -82,6 +82,7 @@ allow_localhost boolean false smtp allow_mx_to_ip boolean false main 3.14 allow_symlink boolean false appendfile allow_utf8_domains boolean false main 4.14 +arc_sign string* unset smtp 4.91 with Experimental_ARC auth_advertise_hosts host list "*" main 4.00 authenticated_sender string* unset smtp 4.14 authenticated_sender_force boolean false smtp 4.61 diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index d5140d58b..4ed6f2518 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -756,6 +756,53 @@ to your Local/Makefile. (Re-)build/install exim. exim -d should show Experimental_QUEUEFILE in the line "Support for:". +ARC support +----------- +Specification: https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-11 +Note that this is not an RFC yet, so may change. + +ARC is intended to support the utility of SPF and DKIM in the presence of +intermediaries in the transmission path - forwarders and mailinglists - +by establishing a cryptographically-signed chain in headers. + +Normally one would only bother doing ARC-signing when functioning as +an intermediary. One might do verify for local destinations. + +ARC uses the notion of a "ADministrative Management Domain" (ADMD). +Described in RFC 5598 (section 2.3), this is essentially the set of +mail-handling systems that the mail transits. A label should be chosen to +identify the ADMD. Messages should be ARC-verified on entry to the ADMD, +and ARC-signed on exit from it. + + +Verification +-- +An ACL condition is provided to perform the "verifier actions" detailed +in section 6 of the above specification. It may be called from the DATA ACL +and succeeds if the result matches any of a given list. +It also records the highest ARC instance number (the chain size) +and verification result for later use in creating an Authentication-Results: +standard header. + + verify = arc/<acceptable_list> none:fail:pass + + add_header = :at_start:${authresults {<admd-identifier>}} + + Note that it would be wise to strip incoming messages of A-R headers + that claim to be from our own <admd-identifier>. + +Receive log lines for an ARC pass will be tagged "ARC". + + +Signing +-- +arc_sign = <admd-identifier> : <selector> : <privkey> +An option on the smtp transport, which constructs and prepends to the message +an ARC set of headers. The textually-first Authentication-Results: header +is used as a basis (you must have added one on entry to the ADMD). + + + -------------------------------------------------------------- End of file -------------------------------------------------------------- |