&` _DRIVER_ROUTER_* `& router drivers
&` _DRIVER_TRANSPORT_* `& transport drivers
&` _DRIVER_AUTHENTICATOR_* `& authenticator drivers
+&` _EXP_COND_* `& expansion conditions
+&` _EXP_ITEM_* `& expansion items
+&` _EXP_OP_* `& expansion operators
+&` _EXP_VAR_* `& expansion variables
&` _LOG_* `& log_selector values
&` _OPT_MAIN_* `& main config options
&` _OPT_ROUTERS_* `& generic router options
When the lookup succeeds, the result of the expansion is a list of domains (and
possibly other types of item that are allowed in domain lists).
.cindex "tainted data" "de-tainting"
-.cindex "de-tainting" "using a lookup expansion""
+.cindex "de-tainting" "using a lookup expansion"
The result of the expansion is not tainted.
.next
on the number of entries returned, and no time limit on queries.
When a DN is quoted in the USER= setting for LDAP authentication, Exim
-removes any URL quoting that it may contain before passing it LDAP. Apparently
+removes any URL quoting that it may contain before passing it to the LDAP library.
+Apparently
some libraries do this for themselves, but some do not. Removing the URL
quoting has two advantages:
.code
add_header = :at_start:${authresults {$primary_hostname}}
.endd
-This is safe even if no authentication results are available.
+This is safe even if no authentication results are available
+.new
+and would generally be placed in the DATA ACL.
+.wen
.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
SRS decode. See SECT &<<SECTSRS>>& for details.
-.vitem &*inlist&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
- &*inlisti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
+.vitem &*inlist&~{*&<&'subject'&>&*}{*&<&'list'&>&*}*& &&&
+ &*inlisti&~{*&<&'subject'&>&*}{*&<&'list'&>&*}*&
.cindex "string" "comparison"
.cindex "list" "iterative conditions"
Both strings are expanded; the second string is treated as a list of simple
.code
dns_again_means_nonexist = *.in-addr.arpa
.endd
-This option applies to all DNS lookups that Exim does. It also applies when the
+This option applies to all DNS lookups that Exim does,
+.new
+except for TLSA lookups (where knowing about such failures
+is security-relevant).
+.wen
+It also applies when the
&[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
since these are most likely to be caused by DNS lookup problems. The
&(dnslookup)& router has some options of its own for controlling what happens
nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming
connections immediately.
+.new
+If the connection is on a TLS-on-connect port then the TCP connection is
+just dropped. Otherwise, an SMTP error is sent first.
+.wen
+
The ability to give an immediate rejection (either by this option or using an
ACL) is provided for use in unusual cases. Many hosts will just try again,
sometimes without much delay. Normally, it is better to use an ACL to reject
.cindex "banner for SMTP"
.cindex "welcome banner for SMTP"
.cindex "customizing" "SMTP banner"
-This string, which is expanded every time it is used, is output as the initial
+If a connect ACL does not supply a message,
+this string (which is expanded every time it is used) is output as the initial
positive response to an SMTP connection. The default setting is:
.code
smtp_banner = $smtp_active_hostname ESMTP Exim \
$version_number $tod_full
.endd
-Failure to expand the string causes a panic error. If you want to create a
+.new
+Failure to expand the string causes a panic error;
+a forced fail just closes the connection.
+.wen
+If you want to create a
multiline response to the initial SMTP connection, use &"\n"& in the string at
appropriate points, but not at the end. Note that the 220 code is not included
in this string. Exim adds it automatically (several times in the case of a
acceptable bound from 1024 to 2048.
-.option tls_eccurve main string&!! &`auto`&
+.option tls_eccurve main string list&!! &`auto`&
.cindex TLS "EC cryptography"
-This option selects a EC curve for use by Exim when used with OpenSSL.
-It has no effect when Exim is used with GnuTLS.
+This option selects EC curves for use by Exim when used with OpenSSL.
+It has no effect when Exim is used with GnuTLS
+ (the equivalent can be done using a priority string for the
+&%tls_require_ciphers%& option).
-After expansion it must contain a valid EC curve parameter, such as
-&`prime256v1`&, &`secp384r1`&, or &`P-512`&. Consult your OpenSSL manual
-for valid selections.
+After expansion it must contain
+.new
+one or (only for OpenSSL versiona 1.1.1 onwards) more
+.wen
+EC curve names, such as &`prime256v1`&, &`secp384r1`&, or &`P-521`&.
+Consult your OpenSSL manual for valid curve names.
For OpenSSL versions before (and not including) 1.0.2, the string
&`auto`& selects &`prime256v1`&. For more recent OpenSSL versions
&`auto`& tells the library to choose.
-If the option expands to an empty string, no EC curves will be enabled.
+.new
+If the option expands to an empty string, the effect is undefined.
+.wen
.option tls_ocsp_file main string&!! unset
resent to other recipients.
&*Note:*& If used on a transport handling multiple recipients
-(the smtp transport unless &%rcpt_max%& is 1, the appendfile, pipe or lmtp
+(the smtp transport unless &%max_rcpt%& is 1, the appendfile, pipe or lmtp
transport if &%batch_max%& is greater than 1)
then information about Bcc recipients will be leaked.
Doing so is generally not advised.
&<<CHAPSMTPAUTH>>& for details of authentication.
-.option hosts_request_ocsp smtp "host list&!!" *
+.option hosts_request_ocsp smtp "host list&!!" "see below"
.cindex "TLS" "requiring for certain servers"
Exim will request a Certificate Status on a
TLS session for any host that matches this list.
&%tls_verify_certificates%& should also be set for the transport.
+.new
+The default is &"**"& if DANE is not in use for the connection,
+or if DANE-TA us used.
+It is empty if DANE-EE is used.
+.wen
+
.option hosts_require_alpn smtp "host list&!!" unset
.cindex ALPN "require negotiation in client"
.cindex TLS ALPN
string &`IGNOREQUOTA`& is added to RCPT commands, provided that the LMTP server
has advertised support for IGNOREQUOTA in its response to the LHLO command.
-.option max_rcpt smtp integer 100
+.option max_rcpt smtp integer&!! 100
.cindex "RCPT" "maximum number of outgoing"
-This option limits the number of RCPT commands that are sent in a single
-SMTP message transaction. Each set of addresses is treated independently, and
+This option,
+.new
+after expansion,
+.wen
+limits the number of RCPT commands that are sent in a single
+SMTP message transaction.
+A value setting of zero disables the limit.
+
+.new
+If a constant is given,
+.wen
+each set of addresses is treated independently, and
so can cause parallel connections to the same host if &%remote_max_parallel%&
-permits this. A value setting of zero disables the limit.
+permits this.
.option message_linelength_limit smtp integer 998
operation is as if this option selected all hosts.
&*Warning*&: Including a host in &%tls_verify_hosts%& does not require
that connections use TLS.
-Fallback to in-clear communication will be done unless restricted by
+Fallback to in-clear communication will be done unless restricted by
the &%hosts_require_tls%& option.
.option utf8_downconvert smtp integer&!! -1
The client for the connection proposes a set of protocol names, and
the server responds with a selected one.
It is not, as of 2021, commonly used for SMTP connections.
-However, to guard against misirected or malicious use of web clients
+However, to guard against misdirected or malicious use of web clients
(which often do use ALPN) against MTA ports, Exim by default check that
there is no incompatible ALPN specified by a client for a TLS connection.
If there is, the connection is rejected.
&%tls_alpn%& and &%hosts_require_alpn%&.
There are no variables providing observability.
Some feature-specific logging may appear on denied connections, but this
-depends on the behavious of the peer
+depends on the behaviour of the peer
(not all peers can send a feature-specific TLS Alert).
This feature is available when Exim is built with
.next
The way with most moving parts at query time is Online Certificate
Status Protocol (OCSP), where the client verifies the certificate
-against an OCSP server run by the CA. This lets the CA track all
-usage of the certs. It requires running software with access to the
-private key of the CA, to sign the responses to the OCSP queries. OCSP
-is based on HTTP and can be proxied accordingly.
+against an OCSP server run by the CA.
+OCSP is based on HTTP and can be proxied accordingly.
+It requires the CA running software with access to the
+private key of the CA, to sign the responses to the OCSP queries.
+Because every client TLS transaction with a server results in an OCSP
+access to the CA, it results in a heavy load on the CA.
+It also lets the CA track all usage of the certs, which is a privacy problem.
The only widespread OCSP server implementation (known to this writer)
comes as part of OpenSSL and aborts on an invalid request, such as
.next
The third way is OCSP Stapling; in this, the server using a certificate
issued by the CA periodically requests an OCSP proof of validity from
-the OCSP server, then serves it up inline as part of the TLS
+the OCSP server (probably using the original OCSP above),
+then serves it up inline as part of the TLS
negotiation. This approach adds no extra round trips, does not let the
CA track users, scales well with number of certs issued by the CA and is
resilient to temporary OCSP server failures, as long as the server
the message override the banner message that is otherwise specified by the
&%smtp_banner%& option.
-For tls-on-connect connections, the ACL is run after the TLS connection
-is accepted (however, &%host_reject_connection%& is tested before).
+.new
+For tls-on-connect connections, the ACL is run before the TLS connection
+is accepted; if the ACL does not accept then the TCP connection is dropped without
+any TLS startup attempt and without any SMTP response being transmitted.
+.wen
.subsection "The EHLO/HELO ACL" SECID192
immediate writes to file are done as normal.
trigger=<&'reason'&> This option selects cause for the pretrigger buffer
- see above) to be copied to file. A reason of $*now*
+ see above) to be copied to file. A reason of &*now*&
take effect immediately; one of &*paniclog*& triggers
on a write to the panic log.
.endd
.irow &`etrn`& * "ETRN commands"
.irow &`host_lookup_failed`& * "as it says"
.irow &`ident_timeout`& "timeout for ident connection"
-.irow &`incoming_interface`& "local interface on <= and => lines"
+.irow &`incoming_interface`& "local interface & port on <= and => lines"
.irow &`incoming_port`& "remote port on <= lines"
.irow &`lost_incoming_connection`& * "as it says (includes timeouts)"
.irow &`millisec`& "millisecond timestamps and RT,QT,DT,D times"
.subsection ACL SSECDMARCACL
.cindex DMARC "ACL condition"
-DMARC checks cam be run on incoming SMTP messages by using the
+DMARC checks can be run on incoming SMTP messages by using the
&"dmarc_status"& ACL condition in the DATA ACL. You are required to
call the &"spf"& condition first in the ACLs, then the &"dmarc_status"&
condition. Putting this condition in the ACLs is required in order