From 578897ea8764001d0538b8b645d161524ba1fa4e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 27 Apr 2014 18:17:29 +0100 Subject: Add options dnssec_request_domains, dnssec_require_domains to the smtp transport Note there are no testsuite cases included. TODO in this area: - dnssec during verify-callouts - dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup --- doc/doc-docbook/spec.xfpt | 31 ++++++++++++++++++++++++++++--- doc/doc-txt/ChangeLog | 3 ++- doc/doc-txt/NewStuff | 2 ++ 3 files changed, 32 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 0e6a38bd9..0ecbaac5a 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11457,7 +11457,7 @@ the space value is -1. See also the &%check_log_space%& option. .vitem &$lookup_dnssec_authenticated$& .vindex "&$lookup_dnssec_authenticated$&" This variable is set after a DNS lookup done by -either a dnslookup router or a dnsdb lookup expansion. +a dnsdb lookup expansion, dnslookup router or smtp transport. It will be empty if &(DNSSEC)& was not requested, &"no"& if the result was not labelled as authenticated data and &"yes"& if it was. @@ -17673,8 +17673,6 @@ when there is a DNS lookup error. DNS lookups for domains matching &%dnssec_request_domains%& will be done with the dnssec request bit set. This applies to all of the SRV, MX A6, AAAA, A lookup sequence. - -See also the &$lookup_dnssec_authenticated$& variable. .wen 
@@ -22596,6 +22594,33 @@ See the &%search_parents%& option in chapter &<>& for more details. +.new +.option dnssec_request_domains smtp "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. +.wen + + + +.new +.option dnssec_require_domains smtp "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. Any returns not having the Authenticated Data bit +(AD bit) set wil be ignored and logged as a host-lookup failure. +This applies to all of the SRV, MX A6, AAAA, A lookup sequence. +.wen + + + .option dscp smtp string&!! unset .cindex "DCSP" "outbound" This option causes the DSCP value associated with a socket to be set to one diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index cff9803d7..d4240fa29 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -85,7 +85,8 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455. JH/14 New options dnssec_request_domains, dnssec_require_domains on the - dnslookup router (applying to the forward lookup). + dnslookup router and the smtp transport (applying to the forward + lookup). TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list of ldap servers used for a specific lookup. Patch provided by Heiko diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 6a1a5e8d1..33c66ceb9 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff 
@@ -42,6 +42,8 @@ Version 4.83 8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that. + 9. Support for DNSSEC on outbound connections. + Version 4.82 ------------ -- cgit v1.2.3
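Review bot: In the spec.xfpt hunk at @@ -11457, the text for &$lookup_dnssec_authenticated$& now names three setters (dnsdb lookup expansion, dnslookup router, smtp transport) but does not say which lookup the value reflects once more than one of them has run for the same message. Suggest adding a sentence that states this explicitly, because a configuration that tests for "yes" needs to know whether it is looking at the router's result or the transport's.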
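Review bot: The spec.xfpt hunk at @@ -17673 removes "See also the &$lookup_dnssec_authenticated$& variable." from the router option text, yet the hunk at @@ -11457 still lists the dnslookup router as a source for that variable, and the new smtp transport entries carry no such pointer either. Suggest keeping the cross-reference here and adding the same line to both smtp options, so a reader can get from each option to the variable that reports the result.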
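Review bot: In the spec.xfpt hunk at @@ -22596, the new dnssec_require_domains entry opens with "DNS lookups for domains matching &%dnssec_request_domains%&", which names the wrong option; it reads as copied from the entry above and should say &%dnssec_require_domains%&. In the same entry "wil be ignored" should be "will be ignored", and both new entries list "SRV, MX A6, AAAA, A" without a comma after MX. The two entries also share identical .cindex lines, so the index will not distinguish request from require; a distinct index term for the require case would help an administrator find the option that turns a missing AD bit into a host-lookup failure.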
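Review bot: In the NewStuff hunk, item 9 "Support for DNSSEC on outbound connections." does not name the options that provide the feature. Suggest naming dnssec_request_domains and dnssec_require_domains and stating that they apply to the dnslookup router and the smtp transport, as the JH/14 ChangeLog entry in this patch does.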