Docs: add notes on smtps

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 8ae08e78709ba0790db3f183570b3e83ca9fffad..8e083d63a2f1eed380b8445fc0b81b4d46d7b9d3 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -509,7 +509,7 @@ message to the &'exim-dev'& mailing list and have it discussed.
 .cindex "distribution" "https site"
 The master distribution site for the Exim distribution is
 .display
 .cindex "distribution" "https site"
 The master distribution site for the Exim distribution is
 .display

-.url(https://downloads.exim.org/)
+&url(https://downloads.exim.org/)

 .endd
 The service is available over HTTPS, HTTP and FTP.
 We encourage people to migrate to HTTPS.
 .endd
 The service is available over HTTPS, HTTP and FTP.
 We encourage people to migrate to HTTPS.


@@ -3620,7 +3620,8 @@ are:
                     &<<CHAPlocalscan>>&)
 &`lookup         `& general lookup code and all lookups
 &`memory         `& memory handling
                     &<<CHAPlocalscan>>&)
 &`lookup         `& general lookup code and all lookups
 &`memory         `& memory handling

-&`pid            `& add pid to debug output lines
+&`noutf8         `& modifier: avoid UTF-8 line-drawing
+&`pid            `& modifier: add pid to debug output lines

 &`process_info   `& setting info for the process log
 &`queue_run      `& queue runs
 &`receive        `& general message reception logic
 &`process_info   `& setting info for the process log
 &`queue_run      `& queue runs
 &`receive        `& general message reception logic


@@ -3628,7 +3629,7 @@ are:
 &`retry          `& retry handling
 &`rewrite        `& address rewriting
 &`route          `& address routing
 &`retry          `& retry handling
 &`rewrite        `& address rewriting
 &`route          `& address routing

-&`timestamp      `& add timestamp to debug output lines
+&`timestamp      `& modifier: add timestamp to debug output lines

 &`tls            `& TLS logic
 &`transport      `& transports
 &`uid            `& changes of uid/gid and looking up uid/gid
 &`tls            `& TLS logic
 &`transport      `& transports
 &`uid            `& changes of uid/gid and looking up uid/gid


@@ -3660,6 +3661,15 @@ The &`timestamp`& selector causes the current time to be inserted at the start
 of all debug output lines. This can be useful when trying to track down delays
 in processing.
 
 of all debug output lines. This can be useful when trying to track down delays
 in processing.
 

+.new
+.cindex debugging "UTF-8 in"
+.cindex UTF-8 "in debug output"
+The &`noutf8`& selector disables the use of 
+UTF-8 line-drawing characters to group related information.
+When disabled. ascii-art is used instead.
+Using the &`+all`& option does not set this modifier,
+.wen
+

 If the &%debug_print%& option is set in any driver, it produces output whenever
 any debugging is selected, or if &%-v%& is used.
 
 If the &%debug_print%& option is set in any driver, it produces output whenever
 any debugging is selected, or if &%-v%& is used.
 


@@ -9374,6 +9384,27 @@ ${extract{Z}{A=... B=...}{$value} fail }
 This forces an expansion failure (see section &<<SECTforexpfai>>&);
 {<&'string2'&>} must be present for &"fail"& to be recognized.
 
 This forces an expansion failure (see section &<<SECTforexpfai>>&);
 {<&'string2'&>} must be present for &"fail"& to be recognized.
 

+.new
+.vitem "&*${extract json{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}&&&
+       {*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting from JSON object"
+.cindex JSON expansions
+The key and <&'string1'&> are first expanded separately. Leading and trailing
+white space is removed from the key (but not from any of the strings). The key
+must not be empty and must not consist entirely of digits.
+The expanded <&'string1'&> must be of the form:
+.display
+{ <&'"key1"'&> : <&'value1'&> ,  <&'"key2"'&> , <&'value2'&> ... }
+.endd
+.vindex "&$value$&"
+The braces, commas and colons, and the quoting of the member name are required;
+the spaces are optional.
+Matching of the key against the member names is done case-sensitively.
+. XXX should be a UTF-8 compare
+
+The results of matching are handled as above.
+.wen
+

 
 .vitem "&*${extract{*&<&'number'&>&*}{*&<&'separators'&>&*}&&&
         {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
 
 .vitem "&*${extract{*&<&'number'&>&*}{*&<&'separators'&>&*}&&&
         {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"


@@ -9406,6 +9437,19 @@ yields &"99"&. Two successive separators mean that the field between them is
 empty (for example, the fifth field above).
 
 
 empty (for example, the fifth field above).
 
 

+.new
+.vitem "&*${extract json{*&<&'number'&>&*}}&&&
+        {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting from JSON array"
+.cindex JSON expansions
+The <&'number'&> argument must consist entirely of decimal digits,
+apart from leading and trailing white space, which is ignored.
+
+Field selection and result handling is as above;
+there is no choice of field separator.
+.wen
+
+

 .vitem &*${filter{*&<&'string'&>&*}{*&<&'condition'&>&*}}*&
 .cindex "list" "selecting by condition"
 .cindex "expansion" "selecting from list by condition"
 .vitem &*${filter{*&<&'string'&>&*}{*&<&'condition'&>&*}}*&
 .cindex "list" "selecting by condition"
 .cindex "expansion" "selecting from list by condition"


@@ -24525,10 +24569,17 @@ variable that contains an outgoing port.
 
 If the value of this option begins with a digit it is taken as a port number;
 otherwise it is looked up using &[getservbyname()]&. The default value is
 
 If the value of this option begins with a digit it is taken as a port number;
 otherwise it is looked up using &[getservbyname()]&. The default value is

-normally &"smtp"&, but if &%protocol%& is set to &"lmtp"&, the default is
-&"lmtp"&. If the expansion fails, or if a port number cannot be found, delivery
+normally &"smtp"&,
+but if &%protocol%& is set to &"lmtp"& the default is &"lmtp"&
+and if &%protocol%& is set to &"smtps"& the default is &"smtps"&.
+If the expansion fails, or if a port number cannot be found, delivery

 is deferred.
 
 is deferred.
 

+.new
+Note that at least one Linux distribution has been seen failing
+to put &"smtps"& in its &"/etc/services"& file, resulting is such deferrals.
+.wen
+

 
 
 .option protocol smtp string smtp
 
 
 .option protocol smtp string smtp


@@ -24545,7 +24596,11 @@ over a pipe to a local process &-- see chapter &<<CHAPLMTP>>&.
 If this option is set to &"smtps"&, the default value for the &%port%& option
 changes to &"smtps"&, and the transport initiates TLS immediately after
 connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade.
 If this option is set to &"smtps"&, the default value for the &%port%& option
 changes to &"smtps"&, and the transport initiates TLS immediately after
 connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade.

-The Internet standards bodies strongly discourage use of this mode.
+.new
+The Internet standards bodies used to strongly discourage use of this mode,
+but as of RFC 8314 it is perferred over STARTTLS for message submission
+(as distinct from MTA-MTA communication).
+.wen

 
 
 .option retry_include_ip_address smtp boolean&!! true
 
 
 .option retry_include_ip_address smtp boolean&!! true


@@ -27773,7 +27828,7 @@ session with a client, you must set either &%tls_verify_hosts%& or
 apply to all TLS connections. For any host that matches one of these options,
 Exim requests a certificate as part of the setup of the TLS session. The
 contents of the certificate are verified by comparing it with a list of
 apply to all TLS connections. For any host that matches one of these options,
 Exim requests a certificate as part of the setup of the TLS session. The
 contents of the certificate are verified by comparing it with a list of

-expected certificates.
+expected trust-anchors or certificates.

 These may be the system default set (depending on library version),
 an explicit file or,
 depending on library version, a directory, identified by
 These may be the system default set (depending on library version),
 an explicit file or,
 depending on library version, a directory, identified by


@@ -27790,6 +27845,9 @@ openssl x509 -hash -noout -in /cert/file
 .endd
 where &_/cert/file_& contains a single certificate.
 
 .endd
 where &_/cert/file_& contains a single certificate.
 

+There is no checking of names of the client against the certificate
+Subject Name or Subject Alternate Names.
+

 The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is
 what happens if the client does not supply a certificate, or if the certificate
 does not match any of the certificates in the collection named by
 The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is
 what happens if the client does not supply a certificate, or if the certificate
 does not match any of the certificates in the collection named by


@@ -27951,6 +28009,11 @@ The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict
 certificate verification to the listed servers.  Verification either must
 or need not succeed respectively.
 
 certificate verification to the listed servers.  Verification either must
 or need not succeed respectively.
 

+The &%tls_verify_cert_hostnames%& option lists hosts for which additional
+checks are made: that the host name (the one in the DNS A record)
+is valid for the certificate.
+The option defaults to always checking.
+

 The &(smtp)& transport has two OCSP-related options:
 &%hosts_require_ocsp%&; a host-list for which a Certificate Status
 is requested and required for the connection to proceed.  The default
 The &(smtp)& transport has two OCSP-related options:
 &%hosts_require_ocsp%&; a host-list for which a Certificate Status
 is requested and required for the connection to proceed.  The default


@@ -28125,7 +28188,7 @@ The Apache web-server was for a long time the canonical guide, so their
 documentation is a good place to start; their SSL module's Introduction
 document is currently at
 .display
 documentation is a good place to start; their SSL module's Introduction
 document is currently at
 .display

-.url(https://httpd.apache.org/docs/current/ssl/ssl_intro.html)
+&url(https://httpd.apache.org/docs/current/ssl/ssl_intro.html)

 .endd
 and their FAQ is at
 .display
 .endd
 and their FAQ is at
 .display


@@ -28256,7 +28319,7 @@ this is appropriate for a single system, using a self-signed certificate.
 DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public,
 well-known one.
 A private CA at simplest is just a self-signed certificate (with certain
 DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public,
 well-known one.
 A private CA at simplest is just a self-signed certificate (with certain

-attributes) which is used to sign cerver certificates, but running one securely
+attributes) which is used to sign server certificates, but running one securely

 does require careful arrangement.
 With DANE-TA, as implemented in Exim and commonly in other MTAs,
 the server TLS handshake must transmit the entire certificate chain from CA to server-certificate.
 does require careful arrangement.
 With DANE-TA, as implemented in Exim and commonly in other MTAs,
 the server TLS handshake must transmit the entire certificate chain from CA to server-certificate.


@@ -36913,6 +36976,7 @@ immediately after the time and date.
 &%pipelining%&: A field is added to delivery and accept
 log lines when the ESMTP PIPELINING extension was used.
 The field is a single "L".
 &%pipelining%&: A field is added to delivery and accept
 log lines when the ESMTP PIPELINING extension was used.
 The field is a single "L".

+

 On accept lines, where PIPELINING was offered but not used by the client,
 the field has a minus appended.
 .next
 On accept lines, where PIPELINING was offered but not used by the client,
 the field has a minus appended.
 .next


@@ -40089,6 +40153,8 @@ with the event type:
 .display
 &`dane:fail            `& failure reason
 &`msg:delivery         `& smtp confirmation message
 .display
 &`dane:fail            `& failure reason
 &`msg:delivery         `& smtp confirmation message

+&`msg:fail:internal    `& failure reason
+&`msg:fail:delivery    `& smtp error message

 &`msg:rcpt:host:defer  `& error string
 &`msg:rcpt:defer       `& error string
 &`msg:host:defer       `& error string
 &`msg:rcpt:host:defer  `& error string
 &`msg:rcpt:defer       `& error string
 &`msg:host:defer       `& error string