Docs: tidy variables lists

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 68d9c056f6623fb9c51c1987f1ae7f4262cf0c53..cea21a18f930f85ac2e8e94a2ff827e0b9fe0a98 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -239,6 +239,14 @@
   <secondary>failure report</secondary>
   <see><emphasis>bounce message</emphasis></see>
 </indexterm>
   <secondary>failure report</secondary>
   <see><emphasis>bounce message</emphasis></see>
 </indexterm>

+<indexterm role="concept">
+  <primary>de-tainting</primary>
+  <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>
+<indexterm role="concept">
+  <primary>detainting</primary>
+  <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>

 <indexterm role="concept">
   <primary>dialup</primary>
   <see><emphasis>intermittently connected hosts</emphasis></see>
 <indexterm role="concept">
   <primary>dialup</primary>
   <see><emphasis>intermittently connected hosts</emphasis></see>


@@ -9606,6 +9614,8 @@ reasons,
 and expansion of data deriving from the sender (&"tainted data"&)
 .new
 is not permitted (including acessing a file using a tainted name).
 and expansion of data deriving from the sender (&"tainted data"&)
 .new
 is not permitted (including acessing a file using a tainted name).

+The main config option &%allow_insecure_tainted_data%& can be used as
+mitigation during uprades to more secure configurations.

 .wen
 
 .new
 .wen
 
 .new


@@ -12322,8 +12332,8 @@ this variable has the number of arguments.
 .vitem &$acl_verify_message$&
 .vindex "&$acl_verify_message$&"
 After an address verification has failed, this variable contains the failure
 .vitem &$acl_verify_message$&
 .vindex "&$acl_verify_message$&"
 After an address verification has failed, this variable contains the failure

-message. It retains its value for use in subsequent modifiers. The message can
-be preserved by coding like this:
+message. It retains its value for use in subsequent modifiers of the verb.
+The message can be preserved by coding like this:

 .code
 warn !verify = sender
      set acl_m0 = $acl_verify_message
 .code
 warn !verify = sender
      set acl_m0 = $acl_verify_message


@@ -12331,6 +12341,9 @@ warn !verify = sender
 You can use &$acl_verify_message$& during the expansion of the &%message%& or
 &%log_message%& modifiers, to include information about the verification
 failure.
 You can use &$acl_verify_message$& during the expansion of the &%message%& or
 &%log_message%& modifiers, to include information about the verification
 failure.

+.new
+&*Note*&: The variable is cleared at the end of processing the ACL verb.
+.wen

 
 .vitem &$address_data$&
 .vindex "&$address_data$&"
 
 .vitem &$address_data$&
 .vindex "&$address_data$&"


@@ -13102,7 +13115,22 @@ While running a per message ACL (mail/rcpt/predata), &$message_size$&
 contains the size supplied on the MAIL command, or -1 if no size was given. The
 value may not, of course, be truthful.
 
 contains the size supplied on the MAIL command, or -1 if no size was given. The
 value may not, of course, be truthful.
 

-.vitem &$mime_$&&'xxx'&
+.vitem &$mime_anomaly_level$& &&&
+       &$mime_anomaly_text$& &&&
+       &$mime_boundary$& &&&
+       &$mime_charset$& &&&
+       &$mime_content_description$& &&&
+       &$mime_content_disposition$& &&&
+       &$mime_content_id$& &&&
+       &$mime_content_size$& &&&
+       &$mime_content_transfer_encoding$& &&&
+       &$mime_content_type$& &&&
+       &$mime_decoded_filename$& &&&
+       &$mime_filename$& &&&
+       &$mime_is_coverletter$& &&&
+       &$mime_is_multipart$& &&&
+       &$mime_is_rfc822$& &&&
+       &$mime_part_count$&

 A number of variables whose names start with &$mime$& are
 available when Exim is compiled with the content-scanning extension. For
 details, see section &<<SECTscanmimepart>>&.
 A number of variables whose names start with &$mime$& are
 available when Exim is compiled with the content-scanning extension. For
 details, see section &<<SECTscanmimepart>>&.


@@ -13215,18 +13243,10 @@ For details see chapter &<<SECTproxyInbound>>&.
 This variable is set to &"yes"& if PRDR was requested by the client for the
 current message, otherwise &"no"&.
 
 This variable is set to &"yes"& if PRDR was requested by the client for the
 current message, otherwise &"no"&.
 

-.vitem &$prvscheck_address$&
-This variable is used in conjunction with the &%prvscheck%& expansion item,
-which is described in sections &<<SECTexpansionitems>>& and
-&<<SECTverifyPRVS>>&.
-
-.vitem &$prvscheck_keynum$&
-This variable is used in conjunction with the &%prvscheck%& expansion item,
-which is described in sections &<<SECTexpansionitems>>& and
-&<<SECTverifyPRVS>>&.
-
-.vitem &$prvscheck_result$&
-This variable is used in conjunction with the &%prvscheck%& expansion item,
+.vitem &$prvscheck_address$& &&&
+       &$prvscheck_keynum$& &&&
+       &$prvscheck_result$&
+These variables are used in conjunction with the &%prvscheck%& expansion item,

 which is described in sections &<<SECTexpansionitems>>& and
 &<<SECTverifyPRVS>>&.
 
 which is described in sections &<<SECTexpansionitems>>& and
 &<<SECTverifyPRVS>>&.
 


@@ -14590,6 +14610,7 @@ listed in more than one group.
 .section "Miscellaneous" "SECID96"
 .table2
 .row &%add_environment%&             "environment variables"
 .section "Miscellaneous" "SECID96"
 .table2
 .row &%add_environment%&             "environment variables"

+.row &%allow_insecure_tainted_data%& "turn taint errors into warnings"

 .row &%bi_command%&                  "to run for &%-bi%& command line option"
 .row &%debug_store%&                 "do extra internal checks"
 .row &%disable_ipv6%&                "do no IPv6 processing"
 .row &%bi_command%&                  "to run for &%-bi%& command line option"
 .row &%debug_store%&                 "do extra internal checks"
 .row &%disable_ipv6%&                "do no IPv6 processing"


@@ -14714,6 +14735,7 @@ listed in more than one group.
 .row &%notifier_socket%&             "override compiled-in value"
 .row &%pid_file_path%&               "override compiled-in value"
 .row &%queue_run_max%&               "maximum simultaneous queue runners"
 .row &%notifier_socket%&             "override compiled-in value"
 .row &%pid_file_path%&               "override compiled-in value"
 .row &%queue_run_max%&               "maximum simultaneous queue runners"

+.row &%smtp_backlog_monitor%&        "level to log listen backlog"

 .endtable
 
 
 .endtable
 
 


@@ -14814,8 +14836,10 @@ listed in more than one group.
 .table2
 .row &%gnutls_compat_mode%&          "use GnuTLS compatibility mode"
 .row &%gnutls_allow_auto_pkcs11%&    "allow GnuTLS to autoload PKCS11 modules"
 .table2
 .row &%gnutls_compat_mode%&          "use GnuTLS compatibility mode"
 .row &%gnutls_allow_auto_pkcs11%&    "allow GnuTLS to autoload PKCS11 modules"

+.row &%hosts_require_alpn%&          "mandatory ALPN"

 .row &%openssl_options%&             "adjust OpenSSL compatibility options"
 .row &%tls_advertise_hosts%&         "advertise TLS to these hosts"
 .row &%openssl_options%&             "adjust OpenSSL compatibility options"
 .row &%tls_advertise_hosts%&         "advertise TLS to these hosts"

+.row &%tls_alpn%&                   "acceptable protocol names"

 .row &%tls_certificate%&             "location of server certificate"
 .row &%tls_crl%&                     "certificate revocation list"
 .row &%tls_dh_max_bits%&             "clamp D-H bit count suggestion"
 .row &%tls_certificate%&             "location of server certificate"
 .row &%tls_crl%&                     "certificate revocation list"
 .row &%tls_dh_max_bits%&             "clamp D-H bit count suggestion"


@@ -15200,6 +15224,18 @@ domains (defined in the named domain list &%local_domains%& in the default
 configuration). This &"magic string"& matches the domain literal form of all
 the local host's IP addresses.
 
 configuration). This &"magic string"& matches the domain literal form of all
 the local host's IP addresses.
 

+.new
+.option allow_insecure_tainted_data main boolean false
+.cindex "de-tainting"
+.oindex "allow_insecure_tainted_data"
+The handling of tainted data may break older (pre 4.94) configurations.
+Setting this option to "true" turns taint errors (which result in a temporary
+message rejection) into warnings. This option is meant as mitigation only
+and deprecated already today. Future releases of Exim may ignore it.
+The &%taint%& log selector can be used to suppress even the warnings.
+.wen
+
+

 
 .option allow_mx_to_ip main boolean false
 .cindex "MX record" "pointing to IP address"
 
 .option allow_mx_to_ip main boolean false
 .cindex "MX record" "pointing to IP address"


@@ -16304,6 +16340,20 @@ hosts_connection_nolog = :
 If the &%smtp_connection%& log selector is not set, this option has no effect.
 
 
 If the &%smtp_connection%& log selector is not set, this option has no effect.
 
 

+.new
+.option hosts_require_alpn main "host list&!!" unset
+.cindex ALPN "require negotiation in server"
+.cindex TLS ALPN
+.cindex TLS "Application Layer Protocol Names"
+If the TLS library supports ALPN
+then a successful negotiation of ALPN will be required for any client
+matching the list, for TLS to be used.
+See also the &%tls_alpn%& option.
+
+&*Note*&: prevention of fallback to in-clear connection is not
+managed by this option, and should be done separately.
+.wen
+

 
 .option hosts_proxy main "host list&!!" unset
 .cindex proxy "proxy protocol"
 
 .option hosts_proxy main "host list&!!" unset
 .cindex proxy "proxy protocol"


@@ -17732,6 +17782,14 @@ messages, it is also used as the default for HELO commands in callout
 verification if there is no remote transport from which to obtain a
 &%helo_data%& value.
 
 verification if there is no remote transport from which to obtain a
 &%helo_data%& value.
 

+.option smtp_backlog_monitor main integer 0
+.cindex "connection backlog" monitoring
+If this option is set to greater than zero, and the backlog of available
+TCP connections on a socket listening for SMTP is larger than it, a line
+is logged giving the value and the socket address and port.
+The value is retrived jsut before an accept call.
+This facility is only available on Linux.
+

 .option smtp_banner main string&!! "see below"
 .cindex "SMTP" "welcome banner"
 .cindex "banner for SMTP"
 .option smtp_banner main string&!! "see below"
 .cindex "SMTP" "welcome banner"
 .cindex "banner for SMTP"


@@ -17762,7 +17820,7 @@ is zero). If there isn't enough space, a temporary error code is returned.
 
 
 .option smtp_connect_backlog main integer 20
 
 
 .option smtp_connect_backlog main integer 20

-.cindex "connection backlog"
+.cindex "connection backlog" "set maximum"

 .cindex "SMTP" "connection backlog"
 .cindex "backlog of connections"
 This option specifies a maximum number of waiting SMTP connections. Exim passes
 .cindex "SMTP" "connection backlog"
 .cindex "backlog of connections"
 This option specifies a maximum number of waiting SMTP connections. Exim passes


@@ -18322,7 +18380,20 @@ using the &%tls_certificate%& option.  If TLS support for incoming connections
 is not required the &%tls_advertise_hosts%& option should be set empty.
 
 
 is not required the &%tls_advertise_hosts%& option should be set empty.
 
 

-.option tls_certificate main string list&!! unset
+.new
+.option tls_alpn main "string list&!!" "smtp : esmtp"
+.cindex TLS "Application Layer Protocol Names"
+.cindex TLS ALPN
+.cindex ALPN "set acceptable names for server"
+If this option is set,
+the TLS library supports ALPN,
+and the client offers either more than
+ALPN name or a name which does not match the list,
+the TLS connection is declined.
+.wen
+
+
+.option tls_certificate main "string list&!!" unset

 .cindex "TLS" "server certificate; location of"
 .cindex "certificate" "server, location of"
 The value of this option is expanded, and must then be a list of absolute paths to
 .cindex "TLS" "server certificate; location of"
 .cindex "certificate" "server, location of"
 The value of this option is expanded, and must then be a list of absolute paths to


@@ -18533,7 +18604,7 @@ further details, see section &<<SECTsupobssmt>>&.
 
 
 
 
 
 

-.option tls_privatekey main string list&!! unset
+.option tls_privatekey main "string list&!!" unset

 .cindex "TLS" "server private key; location of"
 The value of this option is expanded, and must then be a list of absolute paths to
 files which contains the server's private keys.
 .cindex "TLS" "server private key; location of"
 The value of this option is expanded, and must then be a list of absolute paths to
 files which contains the server's private keys.


@@ -21515,7 +21586,7 @@ The text is not included in the response to an EXPN command. In non-SMTP cases
 the text is included in the error message that Exim generates.
 
 .cindex "SMTP" "error codes"
 the text is included in the error message that Exim generates.
 
 .cindex "SMTP" "error codes"

-By default, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
+By default for verify, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for

 &':fail:'&. However, if the message starts with three digits followed by a
 space, optionally followed by an extended code of the form &'n.n.n'&, also
 followed by a space, and the very first digit is the same as the default error
 &':fail:'&. However, if the message starts with three digits followed by a
 space, optionally followed by an extended code of the form &'n.n.n'&, also
 followed by a space, and the very first digit is the same as the default error


@@ -25271,7 +25342,7 @@ of the message. Its value must not be zero. See also &%final_timeout%&.
 
 .option dkim_canon smtp string&!! unset
 DKIM signing option.  For details see section &<<SECDKIMSIGN>>&.
 
 .option dkim_canon smtp string&!! unset
 DKIM signing option.  For details see section &<<SECDKIMSIGN>>&.

-.option dkim_domain smtp string list&!! unset
+.option dkim_domain smtp "string list&!!" unset

 DKIM signing option.  For details see section &<<SECDKIMSIGN>>&.
 .option dkim_hash smtp string&!! sha256
 DKIM signing option.  For details see section &<<SECDKIMSIGN>>&.
 DKIM signing option.  For details see section &<<SECDKIMSIGN>>&.
 .option dkim_hash smtp string&!! sha256
 DKIM signing option.  For details see section &<<SECDKIMSIGN>>&.


@@ -25622,6 +25693,20 @@ Exim will request a Certificate Status on a
 TLS session for any host that matches this list.
 &%tls_verify_certificates%& should also be set for the transport.
 
 TLS session for any host that matches this list.
 &%tls_verify_certificates%& should also be set for the transport.
 

+.new
+.option hosts_require_alpn smtp "host list&!!" unset
+.cindex ALPN "require negotiation in client"
+.cindex TLS ALPN
+.cindex TLS "Application Layer Protocol Names"
+If the TLS library supports ALPN
+then a successful negotiation of ALPN will be required for any host
+matching the list, for TLS to be used.
+See also the &%tls_alpn%& option.
+
+&*Note*&: prevention of fallback to in-clear connection is not
+managed by this option; see &%hosts_require_tls%&.
+.wen
+

 .option hosts_require_dane smtp "host list&!!" unset
 .cindex DANE "transport options"
 .cindex DANE "requiring for certain servers"
 .option hosts_require_dane smtp "host list&!!" unset
 .cindex DANE "transport options"
 .cindex DANE "requiring for certain servers"


@@ -25632,6 +25717,11 @@ There will be no fallback to in-clear communication.
 See the &%dnssec_request_domains%& router and transport options.
 See section &<<SECDANE>>&.
 
 See the &%dnssec_request_domains%& router and transport options.
 See section &<<SECDANE>>&.
 

+.option hosts_require_helo smtp "host list&!!" *
+.cindex "HELO/EHLO" requiring
+Exim will require an accepted HELO or EHLO command from a host matching
+this list, before accepting a MAIL command.
+

 .option hosts_require_ocsp smtp "host list&!!" unset
 .cindex "TLS" "requiring for certain servers"
 Exim will request, and check for a valid Certificate Status being given, on a
 .option hosts_require_ocsp smtp "host list&!!" unset
 .cindex "TLS" "requiring for certain servers"
 Exim will request, and check for a valid Certificate Status being given, on a


@@ -25900,6 +25990,21 @@ This option enables use of SOCKS proxies for connections made by the
 transport.  For details see section &<<SECTproxySOCKS>>&.
 
 
 transport.  For details see section &<<SECTproxySOCKS>>&.
 
 

+.new
+.option tls_alpn smtp string&!! unset
+.cindex TLS "Application Layer Protocol Names"
+.cindex TLS ALPN
+.cindex ALPN "set name in client"
+If this option is set
+and the TLS library supports ALPN,
+the value given is used.
+
+As of writing no value has been standardised for email use.
+The authors suggest using &"smtp"&.
+.wen
+
+
+

 .option tls_certificate smtp string&!! unset
 .cindex "TLS" "client certificate, location of"
 .cindex "certificate" "client, location of"
 .option tls_certificate smtp string&!! unset
 .cindex "TLS" "client certificate, location of"
 .cindex "certificate" "client, location of"


@@ -29830,6 +29935,35 @@ When Exim is built against GnuTLS, SNI support is available as of GnuTLS
 0.5.10.  (Its presence predates the current API which Exim uses, so if Exim
 built, then you have SNI support).
 
 0.5.10.  (Its presence predates the current API which Exim uses, so if Exim
 built, then you have SNI support).
 

+.new
+.cindex TLS ALPN
+.cindex ALPN "general information"
+.cindex TLS "Application Layer Protocol Names"
+There is a TLS feature related to SNI
+called Application Layer Protocol Name (ALPN).
+This is intended to declare, or select, what protocol layer will be using a TLS
+connection.
+The client for the connection proposes a set of protocol names, and
+the server responds with a selected one.
+It is not, as of 2021, commonly used for SMTP connections.
+However, to guard against misirected or malicious use of web clients
+(which often do use ALPN) against MTA ports, Exim by default check that
+there is no incompatible ALPN specified by a client for a TLS connection.
+If there is, the connection is rejected.
+
+As a client Exim does not supply ALPN by default.
+The behaviour of both client and server can be configured using the options
+&%tls_alpn%& and &%hosts_require_alpn%&.
+There are no variables providing observability.
+Some feature-specific logging may appear on denied connections, but this
+depends on the behavious of the peer
+(not all peers can send a feature-specific TLS Alert).
+
+This feature is available when Exim is built with
+OpenSSL 1.1.0 or later or GnuTLS 3.2.0 or later;
+the macro _HAVE_TLS_ALPN will be defined when this is so.
+.wen
+

 
 
 .section "Multiple messages on the same encrypted TCP/IP connection" &&&
 
 
 .section "Multiple messages on the same encrypted TCP/IP connection" &&&


@@ -31346,8 +31480,11 @@ anyway. If the message contains newlines, this gives rise to a multi-line SMTP
 response.
 
 .vindex "&$acl_verify_message$&"
 response.
 
 .vindex "&$acl_verify_message$&"

-For ACLs that are called by an &%acl =%& ACL condition, the message is
-stored in &$acl_verify_message$&, from which the calling ACL may use it.
+.new
+While the text is being expanded, the &$acl_verify_message$& variable
+contains any message previously set.
+Afterwards, &$acl_verify_message$& is cleared.
+.wen

 
 If &%message%& is used on a statement that verifies an address, the message
 specified overrides any message that is generated by the verification process.
 
 If &%message%& is used on a statement that verifies an address, the message
 specified overrides any message that is generated by the verification process.


@@ -33232,6 +33369,7 @@ warn  !verify = sender
 If you are writing your own custom rejection message or log message when
 denying access, you can use this variable to include information about the
 verification failure.
 If you are writing your own custom rejection message or log message when
 denying access, you can use this variable to include information about the
 verification failure.

+This variable is cleared at the end of processing the ACL verb.

 
 In addition, &$sender_verify_failure$& or &$recipient_verify_failure$& (as
 appropriate) contains one of the following words:
 
 In addition, &$sender_verify_failure$& or &$recipient_verify_failure$& (as
 appropriate) contains one of the following words:


@@ -38736,6 +38874,7 @@ selection marked by asterisks:
 &` smtp_protocol_error        `&  SMTP protocol errors
 &` smtp_syntax_error          `&  SMTP syntax errors
 &` subject                    `&  contents of &'Subject:'& on <= lines
 &` smtp_protocol_error        `&  SMTP protocol errors
 &` smtp_syntax_error          `&  SMTP syntax errors
 &` subject                    `&  contents of &'Subject:'& on <= lines

+&`*taint                      `&  taint errors or warnings

 &`*tls_certificate_verified   `&  certificate verification status
 &`*tls_cipher                 `&  TLS cipher suite on <= and => lines
 &` tls_peerdn                 `&  TLS peer DN on <= and => lines
 &`*tls_certificate_verified   `&  certificate verification status
 &`*tls_cipher                 `&  TLS cipher suite on <= and => lines
 &` tls_peerdn                 `&  TLS peer DN on <= and => lines


@@ -39131,6 +39270,11 @@ using a CA trust anchor,
 &`CV=dane`& if using a DNS trust anchor,
 and &`CV=no`& if not.
 .next
 &`CV=dane`& if using a DNS trust anchor,
 and &`CV=no`& if not.
 .next

+.cindex "log" "Taint warnings"
+&%taint%&: Log warnings about tainted data. This selector can't be
+turned of if &%allow_insecure_tainted_data%& is false (which is the
+default).
+.next

 .cindex "log" "TLS cipher"
 .cindex "TLS" "logging cipher"
 &%tls_cipher%&: When a message is sent or received over an encrypted
 .cindex "log" "TLS cipher"
 .cindex "TLS" "logging cipher"
 &%tls_cipher%&: When a message is sent or received over an encrypted


@@ -41693,6 +41837,9 @@ You may deny messages when this occurs.
 .vitem &%temperror%&
 This indicates a temporary error during all processing, including Exim's
 SPF processing.  You may defer messages when this occurs.
 .vitem &%temperror%&
 This indicates a temporary error during all processing, including Exim's
 SPF processing.  You may defer messages when this occurs.

+
+.vitem &%invalid%&
+There was an error during processing of the SPF lookup

 .endlist
 
 You can prefix each string with an exclamation mark to  invert
 .endlist
 
 You can prefix each string with an exclamation mark to  invert


@@ -41729,10 +41876,14 @@ variables:
 
 .vitem &$spf_received$&
 .vindex &$spf_received$&
 
 .vitem &$spf_received$&
 .vindex &$spf_received$&

-  This contains a complete Received-SPF: header that can be
-  added to the message. Please note that according to the SPF
-  draft, this header must be added at the top of the header
-  list. Please see section 10 on how you can do this.
+  This contains a complete Received-SPF: header (name and
+  content) that can be added to the message. Please note that
+  according to the SPF draft, this header must be added at the
+  top of the header list, i.e. with
+.code
+add_header = :at_start:$spf_received
+.endd
+  See section &<<SECTaddheadacl>>& for further details.

 
   Note: in case of "Best-guess" (see below), the convention is
   to put this string in a header called X-SPF-Guess: instead.
 
   Note: in case of "Best-guess" (see below), the convention is
   to put this string in a header called X-SPF-Guess: instead.


@@ -41740,8 +41891,8 @@ variables:
 .vitem &$spf_result$&
 .vindex &$spf_result$&
   This contains the outcome of the SPF check in string form,
 .vitem &$spf_result$&
 .vindex &$spf_result$&
   This contains the outcome of the SPF check in string form,

-  one of pass, fail, softfail, none, neutral, permerror or
-  temperror.
+  currently one of pass, fail, softfail, none, neutral, permerror,
+  temperror, or &"(invalid)"&.

 
 .vitem &$spf_result_guessed$&
 .vindex &$spf_result_guessed$&
 
 .vitem &$spf_result_guessed$&
 .vindex &$spf_result_guessed$&