below in section &<<SECTexpansionitems>>& onwards. Backslash is used as an
escape character, as described in the following section.
+Whether a string is expanded depends upon the context. Usually this is solely
+dependent upon the option for which a value is sought; in this documentation,
+options for which string expansion is performed are marked with † after
+the data type. ACL rules always expand strings. A couple of expansion
+conditions do not expand some of the brace-delimited branches, for security
+reasons.
+
.section "Literal text in expanded strings" "SECTlittext"
As a special case, the numerical value of an empty string is taken as
zero.
+In all cases, a relative comparator OP is testing if <&'string1'&> OP
+<&'string2'&>; the above example is checking if &$message_size$& is larger than
+10M, not if 10M is larger than &$message_size$&.
+
.vitem &*bool&~{*&<&'string'&>&*}*&
.cindex "expansion" "boolean parsing"
value is retained during message delivery, except during outbound SMTP
deliveries.
+.new
+.vitem &$tls_sni$&
+.vindex "&$tls_sni$&"
+.cindex "TLS" "Server Name Indication"
+When a TLS session is being established, if the client sends the Server
+Name Indication extension, the value will be placed in this variable.
+If the variable appears in &%tls_certificate%& then this option and
+&%tls_privatekey%& will be re-expanded early in the TLS session, to permit
+a different certificate to be presented (and optionally a different key to be
+used) to the client, based upon the value of the SNI extension.
+
+The value will be retained for the lifetime of the message, and not changed
+during outbound SMTP.
+
+This is currently only available when using OpenSSL, built with support for
+SNI.
+.wen
+
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
The time of day and the date, in the format required for BSD-style mailbox
transport driver.
-.option openssl_options main "string list" +dont_insert_empty_fragments
+.option openssl_options main "string list" unset
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
-each one to be +added or -subtracted from the current value. The default
-value is one option which happens to have been set historically. You can
-remove all options with:
-.code
-openssl_options = -all
-.endd
+each one to be +added or -subtracted from the current value.
+
This option is only available if Exim is built against OpenSSL. The values
available for this option vary according to the age of your OpenSSL install.
The &"all"& value controls a subset of flags which are available, typically
Note that adjusting the options can have severe impact upon the security of
SSL as used by Exim. It is possible to disable safety checks and shoot
yourself in the foot in various unpleasant ways. This option should not be
-adjusted lightly. An unrecognised item will be detected at by invoking Exim
-with the &%-bV%& flag.
+adjusted lightly. An unrecognised item will be detected at startup, by
+invoking Exim with the &%-bV%& flag.
+
+.new
+Historical note: prior to release 4.78, Exim defaulted this value to
+"+dont_insert_empty_fragments", which may still be needed for compatibility
+with some clients, but which lowers security by increasing exposure to
+some now infamous attacks.
+.wen
An example:
.code
-openssl_options = -all +microsoft_big_sslv3_buffer
+openssl_options = -all +microsoft_big_sslv3_buffer +dont_insert_empty_fragments
.endd
+Possible options may include:
+.ilist
+&`all`&
+.ilist
+&`allow_unsafe_legacy_renegotiation`&
+.ilist
+&`cipher_server_preference`&
+.ilist
+&`dont_insert_empty_fragments`&
+.ilist
+&`ephemeral_rsa`&
+.ilist
+&`legacy_server_connect`&
+.ilist
+&`microsoft_big_sslv3_buffer`&
+.ilist
+&`microsoft_sess_id_bug`&
+.ilist
+&`msie_sslv2_rsa_padding`&
+.ilist
+&`netscape_challenge_bug`&
+.ilist
+&`netscape_reuse_cipher_change_bug`&
+.ilist
+&`no_compression`&
+.ilist
+&`no_session_resumption_on_renegotiation`&
+.ilist
+&`no_sslv2`&
+.ilist
+&`no_sslv3`&
+.ilist
+&`no_ticket`&
+.ilist
+&`no_tlsv1`&
+.ilist
+&`no_tlsv1_1`&
+.ilist
+&`no_tlsv1_2`&
+.ilist
+&`single_dh_use`&
+.ilist
+&`single_ecdh_use`&
+.ilist
+&`ssleay_080_client_dh_bug`&
+.ilist
+&`sslref2_reuse_cert_type_bug`&
+.ilist
+&`tls_block_padding_bug`&
+.ilist
+&`tls_d5_bug`&
+.ilist
+&`tls_rollback_bug`&
+.endlist
+
.option oracle_servers main "string list" unset
.cindex "Oracle" "server list"
.next
.vindex "&$auth2$&"
&$auth2$&: the &'authorization id'&, sent within SASL encapsulation after
-authentication.
+authentication. If that was empty, this will also be set to the
+GSS Display Name.
.endlist
.wen