<secondary>failure report</secondary>
<see><emphasis>bounce message</emphasis></see>
</indexterm>
+<indexterm role="concept">
+ <primary>de-tainting</primary>
+ <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>
+<indexterm role="concept">
+ <primary>detainting</primary>
+ <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>
<indexterm role="concept">
<primary>dialup</primary>
<see><emphasis>intermittently connected hosts</emphasis></see>
active (in the middle of a delivery attempt), it is not altered. This option
can be used only by an admin user.
-.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&~<&'sequence&~number'&>&&&
+.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&&&
+ &~<&'host&~IP'&>&&&
+ &~<&'sequence&~number'&>&&&
&~<&'message&~id'&>"
.oindex "&%-MC%&"
.cindex "SMTP" "passed connection"
by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
host to which Exim is connected supports TLS encryption.
+.new
+.vitem &%-MCr%&&~<&'SNI'&> &&&
+ &%-MCs%&&~<&'SNI'&>
+.oindex "&%-MCs%&"
+.oindex "&%-MCr%&"
+These options are not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MCt%& option, and passes on the fact that
+a TLS Server Name Indication was sent as part of the channel establishment.
+The argument gives the SNI string.
+The "r" variant indicates a DANE-verified connection.
+.wen
+
.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&>
.oindex "&%-MCt%&"
This option is not intended for use by external callers. It is used internally
first &%domains%& setting above generates the second setting, which therefore
causes a second lookup to occur.
+.new
+The lookup type may optionally be followed by a comma
+and a comma-separated list of options.
+Each option is a &"name=value"& pair.
+Whether an option is meaningful depands on the lookup type.
+.wen
+
The rest of this chapter describes the different lookup types that are
available. Any of them can be used in any part of the configuration where a
lookup is permitted.
.new
.cindex "tainted data" "single-key lookups"
The file string may not be tainted
+
+.cindex "tainted data" "de-tainting"
+All single-key lookups support the option &"ret=key"&.
+If this is given and the lookup
+(either underlying implementation or cached value)
+returns data, the result is replaced with a non-tainted
+version of the lookup key.
.wen
.next
.cindex "query-style lookup" "definition of"
it is possible to specify a list of servers with an individual query. This is
done by appending a comma-separated option to the query type:
.display
-.endd
&`,servers=`&&'server1:server2:server3:...'&
+.endd
.wen
Each item in the list may take one of two forms:
.olist
.cindex "tainted data" "de-tainting"
Note that this is commonly untainted
(depending on the way the list was created).
+Specifically, explicit text in the configuration file in not tainted.
This is a useful way of obtaining an untainted equivalent to
the domain, for later operations.
+
+However if the list (including one-element lists)
+is created by expanding a variable containing tainted data,
+it is tainted and so will the match value be.
.endlist
.cindex "tainted data" expansion
.cindex expansion "tainted data"
and expansion of data deriving from the sender (&"tainted data"&)
-is not permitted.
+.new
+is not permitted (including acessing a file using a tainted name).
+The main config option &%allow_insecure_tainted_data%& can be used as
+mitigation during uprades to more secure configurations.
+.wen
+
+.new
+Common ways of obtaining untainted equivalents of variables with
+tainted values
+.cindex "tainted data" "de-tainting"
+come down to using the tainted value as a lookup key in a trusted database.
+This database could be the filesystem structure,
+or the password file,
+or accessed via a DBMS.
+Specific methods are indexed under &"de-tainting"&.
+.wen
You can use &`fail`& instead of {<&'string3'&>} as in a string extract.
+.new
+.vitem &*${listquote{*&<&'separator'&>&*}{*&<&'string'&>&*}}*&
+.cindex quoting "for list"
+.cindex list quoting
+This item doubles any occurrence of the separator character
+in the given string.
+An empty string is replaced with a single space.
+This converts the string into a safe form for use as a list element,
+in a list using the given separator.
+.wen
+
+
.vitem "&*${lookup{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&&
{*&<&'file'&>&*}&~{*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&"
This is the first of one of two different types of lookup item, which are both
There can be problems if any of the strings are permitted to contain colon
characters. In the usual way, these have to be doubled to avoid being taken as
-separators. If the data is being inserted from a variable, the &%sg%& expansion
-item can be used to double any existing colons. For example, the configuration
+separators.
+The &%listquote%& expansion item can be used for this.
+For example, the configuration
of a LOGIN authenticator might contain this setting:
.code
-server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
-.endd
-For a PLAIN authenticator you could use:
-.code
-server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
+server_condition = ${if pam{$auth1:${listquote{:}{$auth2}}}}
.endd
In some operating systems, PAM authentication can be done only from a process
running as root. Since Exim is running as the Exim user when receiving
.vindex "&$config_file$&"
The name of the main configuration file Exim is using.
-.vitem &$dmarc_domain_policy$& &&&
- &$dmarc_status$& &&&
- &$dmarc_status_text$& &&&
- &$dmarc_used_domains$&
-Results of DMARC verification.
-For details see section &<<SECDMARC>>&.
-
.vitem &$dkim_verify_status$&
Results of DKIM verification.
For details see section &<<SECDKIMVFY>>&.
a colon-separated list of signer domains and identities for the message.
For details see section &<<SECDKIMVFY>>&.
+.vitem &$dmarc_domain_policy$& &&&
+ &$dmarc_status$& &&&
+ &$dmarc_status_text$& &&&
+ &$dmarc_used_domains$&
+Results of DMARC verification.
+For details see section &<<SECDMARC>>&.
+
.vitem &$dnslist_domain$& &&&
&$dnslist_matched$& &&&
&$dnslist_text$& &&&
.vitem &$domain_data$&
.vindex "&$domain_data$&"
-When the &%domains%& option on a router matches a domain by
-means of a lookup, the data read by the lookup is available during the running
-of the router as &$domain_data$&. In addition, if the driver routes the
+When the &%domains%& condition on a router
+.new
+or an ACL
+matches a domain
+against a list, the match value is copied to &$domain_data$&.
+This is an enhancement over previous versions of Exim, when it only
+applied to the data read by a lookup.
+For details on match values see section &<<SECTlistresults>>& et. al.
+.wen
+
+If the router routes the
address to a transport, the value is available in that transport. If the
transport is handling multiple addresses, the value from the first address is
used.
-&$domain_data$& is also set when the &%domains%& condition in an ACL matches a
-domain by means of a lookup. The data read by the lookup is available during
-the rest of the ACL statement. In all other situations, this variable expands
-to nothing.
+&$domain_data$& set in an ACL is available during
+the rest of the ACL statement.
.vitem &$exim_gid$&
.vindex "&$exim_gid$&"
.vitem &$local_part_data$&
.vindex "&$local_part_data$&"
-When the &%local_parts%& option on a router matches a local part by means of a
-lookup, the data read by the lookup is available during the running of the
-router as &$local_part_data$&. In addition, if the driver routes the address
-to a transport, the value is available in that transport. If the transport is
-handling multiple addresses, the value from the first address is used.
+When the &%local_parts%& condition on a router or ACL
+matches a local part list
+.new
+the match value is copied to &$local_part_data$&.
+This is an enhancement over previous versions of Exim, when it only
+applied to the data read by a lookup.
+For details on match values see section &<<SECTlistresults>>& et. al.
+.wen
.new
The &%check_local_user%& router option also sets this variable.
.wen
-&$local_part_data$& is also set when the &%local_parts%& condition in an ACL
-matches a local part by means of a lookup. The data read by the lookup is
-available during the rest of the ACL statement. In all other situations, this
-variable expands to nothing.
-
.vindex &$local_part_prefix$& &&&
&$local_part_prefix_v$& &&&
&$local_part_suffix$& &&&
.section "Miscellaneous" "SECID96"
.table2
+.row &%add_environment%& "environment variables"
+.row &%allow_insecure_tainted_data%& "turn taint errors into warnings"
.row &%bi_command%& "to run for &%-bi%& command line option"
.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
.row &%percent_hack_domains%& "recognize %-hack for these domains"
.row &%spamd_address%& "set interface to SpamAssassin"
.row &%strict_acl_vars%& "object to unset ACL variables"
+.row &%spf_smtp_comment_template%& "template for &$spf_smtp_comment$&"
.endtable
.row &%dkim_verify_keytypes%& "DKIM key types accepted for signatures"
.row &%dkim_verify_min_keysizes%& "DKIM key sizes accepted for signatures"
.row &%dkim_verify_signers%& "DKIM domains for which DKIM ACL is run"
+.row &%dmarc_forensic_sender%& "DMARC sender for report messages"
+.row &%dmarc_history_file%& "DMARC results log"
+.row &%dmarc_tld_file%& "DMARC toplevel domains file"
.row &%host_lookup%& "host name looked up for these hosts"
.row &%host_lookup_order%& "order of DNS and local name lookups"
.row &%recipient_unqualified_hosts%& "may send unqualified recipients"
configuration). This &"magic string"& matches the domain literal form of all
the local host's IP addresses.
+.new
+.option allow_insecure_tainted_data main boolean false
+.cindex "de-tainting"
+.oindex "allow_insecure_tainted_data"
+The handling of tainted data may break older (pre 4.94) configurations.
+Setting this option to "true" turns taint errors (which result in a temporary
+message rejection) into warnings. This option is meant as mitigation only
+and deprecated already today. Future releases of Exim may ignore it.
+The &%taint%& log selector can be used to suppress even the warnings.
+.wen
+
+
.option allow_mx_to_ip main boolean false
.cindex "MX record" "pointing to IP address"
See section &<<SECDKIMVFY>>&.
+.option dmarc_forensic_sender main string&!! unset
+.option dmarc_history_file main string unset
+.option dmarc_tld_file main string unset
+.cindex DMARC "main section options"
+These options control DMARC processing.
+See section &<<SECDMARC>>& for details.
+
+
.option dns_again_means_nonexist main "domain list&!!" unset
.cindex "DNS" "&""try again""& response; overriding"
DNS lookups give a &"try again"& response for the DNS errors
.option pipelining_connect_advertise_hosts main "host list&!!" *
.cindex "pipelining" "early connection"
.cindex "pipelining" PIPE_CONNECT
-.cindex "ESMTP extensions" X_PIPE_CONNECT
+.cindex "ESMTP extensions" PIPE_CONNECT
If Exim is built with the SUPPORT_PIPE_CONNECT build option
this option controls which hosts the facility is advertised to
and from which pipeline early-connection (before MAIL) SMTP
See also the &%hosts_pipe_connect%& smtp transport option.
-Currently the option name &"X_PIPE_CONNECT"& is used.
+.new
+The SMTP service extension keyword advertised is &"PIPE_CONNECT"&.
+.wen
.option prdr_enable main boolean false
This option is available when Exim is compiled with SPF support.
See section &<<SECSPF>>& for more details.
+.new
+.option spf_smtp_comment_template main string&!! "Please%_see%_http://www.open-spf.org/Why"
+This option is available when Exim is compiled with SPF support. It
+allows the customisation of the SMTP comment that the SPF library
+generates. You are strongly encouraged to link to your own explanative
+site. The template must not contain spaces. If you need spaces in the
+output, use the proper placeholder. If libspf2 can not parse the
+template, it uses a built-in default broken link. The following placeholders
+(along with Exim variables (but see below)) are allowed in the template:
+.ilist
+&*%_*&: A space.
+.next
+&*%{L}*&: Envelope sender's local part.
+.next
+&*%{S}*&: Envelope sender.
+.next
+&*%{O}*&: Envelope sender's domain.
+.next
+&*%{D}*&: Current(?) domain.
+.next
+&*%{I}*&: SMTP client Ip.
+.next
+&*%{C}*&: SMTP client pretty IP.
+.next
+&*%{T}*&: Epoch time (UTC).
+.next
+&*%{P}*&: SMTP client domain name.
+.next
+&*%{V}*&: IP version.
+.next
+&*%{H}*&: EHLO/HELO domain.
+.next
+&*%{R}*&: Receiving domain.
+.endlist
+The capitalized placeholders do proper URL encoding, if you use them
+lowercased, no encoding takes place. This list was compiled from the
+libspf2 sources.
+
+A note on using Exim variables: As
+currently the SPF library is initialized before the SMTP EHLO phase,
+the variables useful for expansion are quite limited.
+.wen
.option split_spool_directory main boolean false
.option hosts_try_dane smtp "host list&!!" *
.cindex DANE "transport options"
.cindex DANE "attempting for certain servers"
-If built with DANE support, Exim will require that a DNSSEC-validated
-TLSA record is present for any host matching the list,
-and that a DANE-verified TLS connection is made. See
-the &%dnssec_request_domains%& router and transport options.
-There will be no fallback to in-clear communication.
+.new
+If built with DANE support, Exim will look up a
+TLSA record for any host matching the list,
+If one is found and that lookup was DNSSEC-validated,
+then Exim requires that a DANE-verified TLS connection is made for that host;
+there will be no fallback to in-clear communication.
+.wen
+See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
.option hosts_try_fastopen smtp "host list&!!" *
.option tls_sni smtp string&!! unset
.cindex "TLS" "Server Name Indication"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_out_sni variable and causes any
+If this option is set
+.new
+and the connection is not DANE-validated
+.wen
+then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
client_send = ^username^mysecret
.endd
The lack of colons means that the entire text is sent with the AUTH
-command, with the circumflex characters converted to NULs. A similar example
+command, with the circumflex characters converted to NULs.
+.new
+Note that due to the ambiguity of parsing three consectutive circumflex characters
+there is no way to provide a password having a leading circumflex.
+.wen
+
+
+A similar example
that uses the LOGIN mechanism is:
.code
fixed_login:
This should be documented with the feature. If the documentation does not
explicitly state that the feature is infeasible in the other TLS
implementation, then patches are welcome.
+.new
+.next
+The output from "exim -bV" will show which (if any) support was included
+in the build.
+Also, the macro "_HAVE_OPENSSL" or "_HAVE_GNUTLS" will be defined.
+.wen
.endlist
or need not succeed respectively.
The &%tls_verify_cert_hostnames%& option lists hosts for which additional
-checks are made: that the host name (the one in the DNS A record)
-is valid for the certificate.
+name checks are made on the server certificate.
+.new
+The match against this list is, as per other Exim usage, the
+IP for the host. That is most closely associated with the
+name on the DNS A (or AAAA) record for the host.
+However, the name that needs to be in the certificate
+is the one at the head of any CNAME chain leading to the A record.
+.wen
The option defaults to always checking.
The &(smtp)& transport has two OCSP-related options:
only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
+.new
+If DAVE validated the connection attempt then the value of the &%tls_sni%& option
+is forced to the domain part of the recipient address.
+.wen
+
Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply
fail to pass on a server's STARTTLS.
-DANE scales better than having to maintain (and side-channel communicate) copies of server certificates
+DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates
for every possible target server. It also scales (slightly) better than having to maintain on an SMTP
client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates.
tls_verify_certificates
tls_crl
tls_verify_cert_hostnames
+ tls_sni
.endd
If DANE is not usable, whether requested or not, and CA-anchored
&` smtp_protocol_error `& SMTP protocol errors
&` smtp_syntax_error `& SMTP syntax errors
&` subject `& contents of &'Subject:'& on <= lines
+&`*taint `& taint errors or warnings
&`*tls_certificate_verified `& certificate verification status
&`*tls_cipher `& TLS cipher suite on <= and => lines
&` tls_peerdn `& TLS peer DN on <= and => lines
&`CA=dane`& if using a DNS trust anchor,
and &`CV=no`& if not.
.next
+.cindex "log" "Taint warnings"
+&%taint%&: Log warnings about tainted data. This selector can't be
+turned of if &%allow_insecure_tainted_data%& is false (which is the
+default).
+.next
.cindex "log" "TLS cipher"
.cindex "TLS" "logging cipher"
&%tls_cipher%&: When a message is sent or received over an encrypted
"check address acceptance from given IP"
.irow &<<SECTdbmbuild>>& &'exim_dbmbuild'& "build a DBM file"
.irow &<<SECTfinindret>>& &'exinext'& "extract retry information"
-.irow &<<SECThindatmai>>& &'exim_dumpdb'& "dump a hints database"
-.irow &<<SECThindatmai>>& &'exim_tidydb'& "clean up a hints database"
-.irow &<<SECThindatmai>>& &'exim_fixdb'& "patch a hints database"
+.irow &<<SECTdumpdb>>& &'exim_dumpdb'& "dump a hints database"
+.irow &<<SECTtidydb>>& &'exim_tidydb'& "clean up a hints database"
+.irow &<<SECTfixdb>>& &'exim_fixdb'& "patch a hints database"
.irow &<<SECTmailboxmaint>>& &'exim_lock'& "lock a mailbox file"
.endtable
-.section "exim_dumpdb" "SECID261"
+.section "exim_dumpdb" "SECTdumpdb"
.cindex "&'exim_dumpdb'&"
The entire contents of a database are written to the standard output by the
&'exim_dumpdb'& program, which has no options or arguments other than the
-.section "exim_tidydb" "SECID262"
+.section "exim_tidydb" "SECTtidydb"
.cindex "&'exim_tidydb'&"
The &'exim_tidydb'& utility program is used to tidy up the contents of a hints
database. If run with no options, it removes all records that are more than 30
-.section "exim_fixdb" "SECID263"
+.section "exim_fixdb" "SECTfixdb"
.cindex "&'exim_fixdb'&"
The &'exim_fixdb'& program is a utility for interactively modifying databases.
Its main use is for testing Exim, but it might also be occasionally useful for
message = $sender_host_address is not allowed to send mail from \
${if def:sender_address_domain \
{$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.open-spf.org/Why?scope=\
- ${if def:sender_address_domain {mfrom}{helo}};\
+ Please see http://www.open-spf.org/Why;\
identity=${if def:sender_address_domain \
{$sender_address}{$sender_helo_name}};\
ip=$sender_host_address
.endd
+Note: The above mentioned URL may not be as helpful as expected. You are
+encouraged to replace the link with a link to a site with more
+explanations.
+
When the spf condition has run, it sets up several expansion
variables:
.vitem &$spf_smtp_comment$&
.vindex &$spf_smtp_comment$&
+.vindex &%spf_smtp_comment_template%&
This contains a string that can be used in a SMTP response
to the calling party. Useful for "fail".
+.new
+ The string is generated by the SPF library from the template configured in the main config
+ option &%spf_smtp_comment_template%&.
+.wen
.endlist
git://git.exim.org / exim.git / blobdiff