Gitweb:
https://git.exim.org/exim.git/commitdiff/e4aba1d8d097db21ac6909341107e51383c5357e
Commit: e4aba1d8d097db21ac6909341107e51383c5357e
Parent: 26739076aecabbede0a75c9554e4562c63bb1616
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Apr 21 23:59:46 2018 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sat Apr 21 23:59:46 2018 +0100
Docs: clarify DKIM verification
---
doc/doc-docbook/spec.xfpt | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b1cc468..173d692 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39037,7 +39037,7 @@ tag value. Note that Exim does not check the value.
This option sets the canonicalization method used when signing a message.
The DKIM RFC currently supports two methods: "simple" and "relaxed".
The option defaults to "relaxed" when unset. Note: the current implementation
-only supports using the same canonicalization method for both headers and body.
+only supports signing with the same canonicalization method for both headers and body.
.option dkim_strict smtp string&!! unset
This option defines how Exim behaves when signing a message that
@@ -39071,22 +39071,28 @@ name will be appended.
.section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"
.cindex "DKIM" "verification"
-Verification of DKIM signatures in SMTP incoming email is implemented via the
-&%acl_smtp_dkim%& ACL. By default, this ACL is called once for each
+.new
+Verification of DKIM signatures in SMTP incoming email is done for all
+messages for which an ACL control &%dkim_disable_verify%& has not been set.
+.cindex authentication "expansion item"
+Performing verification sets up information used by the
+&$authresults$& expansion item.
+.wen
+
+.new The results of that verification are then made available to the
+&%acl_smtp_dkim%& ACL, &new(which can examine and modify them).
+By default, this ACL is called once for each
syntactically(!) correct signature in the incoming message.
A missing ACL definition defaults to accept.
If any ACL call does not accept, the message is not accepted.
If a cutthrough delivery was in progress for the message, that is
summarily dropped (having wasted the transmission effort).
-To evaluate the signature in the ACL a large number of expansion variables
+To evaluate the &new(verification result) in the ACL
+a large number of expansion variables
containing the signature status and its details are set up during the
runtime of the ACL.
-.cindex authentication "expansion item"
-Performing verification sets up information used by the
-&$authresults$& expansion item.
-
Calling the ACL only for existing signatures is not sufficient to build
more advanced policies. For that reason, the global option
&%dkim_verify_signers%&, and a global expansion variable
