X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/09c17790eec23907b93df1ec7cee746b28dfc836..f1a63a6c523ab9f13481f1f3cfc828ee04ef2aa6:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 20bfb406c..20592a332 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -45,7 +45,7 @@ . Update the Copyright year (only) when changing content. . ///////////////////////////////////////////////////////////////////////////// -.set previousversion "4.83" +.set previousversion "4.84" .include ./local_params .set ACL "access control lists (ACLs)" @@ -5567,7 +5567,7 @@ of an incoming SMTP connection. If you have hosts for which you trust RFC1413 and need this information, you can change this. -This line enables an efficiency SMTP option. It is negociated by clients +This line enables an efficiency SMTP option. It is negotiated by clients and not expected to cause problems but can be disabled if needed. .code prdr_enable = true @@ -8939,8 +8939,10 @@ a right angle-bracket followed immediately by the new separator. Recognised RDN type labels include "CN", "O", "OU" and "DC". The field selectors marked as "time" above -may output a number of seconds since epoch -if the modifier "int" is used. +take an optional modifier of "int" +for which the result is the number of seconds since epoch. +Otherwise the result is a human-readable string +in the timezone selected by the main "timezone" option. The field selectors marked as "list" above return a list, newline-separated by default, @@ -9507,7 +9509,7 @@ locks out the use of this expansion item in filter files. .cindex "expansion" "inserting from a socket" .cindex "socket, use of in expansion" .cindex "&%readsocket%& expansion item" -This item inserts data from a Unix domain or Internet socket into the expanded +This item inserts data from a Unix domain or TCP socket into the expanded string. The minimal way of using it uses just two arguments, as in these examples: .code @@ -11930,10 +11932,7 @@ on which interface and/or port is being used for the incoming connection. The values of &$received_ip_address$& and &$received_port$& are saved with any messages that are received, thus making these variables available at delivery time. - -&*Note:*& There are no equivalent variables for outgoing connections, because -the values are unknown (unless they are explicitly set by options of the -&(smtp)& transport). +For outbound connections see &$sending_ip_address$&. .vitem &$received_port$& .vindex "&$received_port$&" @@ -16503,12 +16502,17 @@ directory containing certificate files. For earlier versions of GnuTLS the option must be set to the name of a single file. +With OpenSSL the certificates specified +explicitly +either by file or directory +are added to those given by the system default location. + These certificates should be for the certificate authorities trusted, rather than the public cert of individual clients. With both OpenSSL and GnuTLS, if the value is a file then the certificates are sent by Exim as a server to connecting clients, defining the list of accepted certificate authorities. Thus the values defined should be considered public data. To avoid this, -use OpenSSL with a directory. +use the explicit directory version. See &<>& for discussion of when this option might be re-expanded. @@ -23429,7 +23433,7 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. -.option tls_try_verify_hosts smtp "host list&!! unset +.option tls_try_verify_hosts smtp "host list&!!" unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" This option gives a list of hosts for which, on encrypted connections, @@ -23437,7 +23441,7 @@ certificate verification will be tried but need not succeed. The &%tls_verify_certificates%& option must also be set. Note that unless the host is in this list TLS connections will be denied to hosts using self-signed certificates -when &%tls_verify_certificates%& is set. +when &%tls_verify_certificates%& is matched. The &$tls_out_certificate_verified$& variable is set when certificate verification succeeds. @@ -23456,6 +23460,12 @@ you can set files. For earlier versions of GnuTLS the option must be set to the name of a single file. + +With OpenSSL the certificates specified +explicitly +either by file or directory +are added to those given by the system default location. + The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<>& for details of TLS. @@ -23465,7 +23475,7 @@ if neither tls_verify_hosts nor tls_try_verify_hosts are set and certificate verification fails the TLS connection is closed. -.option tls_verify_hosts smtp "host list&!! unset +.option tls_verify_hosts smtp "host list&!!" unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" This option gives a list of hosts for which. on encrypted connections, @@ -26563,7 +26573,7 @@ during TLS session handshake, to permit alternative values to be chosen: &%tls_verify_certificates%& .next .vindex "&%tls_ocsp_file%&" -&%tls_verify_certificates%& +&%tls_ocsp_file%& .endlist Great care should be taken to deal with matters of case, various injection @@ -27872,10 +27882,16 @@ is what is wanted for subsequent tests. .cindex "&ACL;" "cutthrough routing" .cindex "cutthrough" "requesting" This option requests delivery be attempted while the item is being received. -It is usable in the RCPT ACL and valid only for single-recipient mails forwarded -from one SMTP connection to another. If a recipient-verify callout connection is -requested in the same ACL it is held open and used for the data, otherwise one is made -after the ACL completes. + +The option usable in the RCPT ACL. +If enabled for a message recieved via smtp and routed to an smtp transport, +and the message has only one recipient, +then the delivery connection is made while the receiving connection is open +and data is copied from one to the other. + +If a recipient-verify callout connection is subsequently +requested in the same ACL it is held open and used for the data, +otherwise one is made after the initial RCPT ACL completes. Note that routers are used in verify mode, and cannot depend on content of received headers. @@ -27890,11 +27906,12 @@ before the entire message has been received from the source. Should the ultimate destination system positively accept or reject the mail, a corresponding indication is given to the source system and nothing is queued. If there is a temporary error the item is queued for later delivery in the -usual fashion. If the item is successfully delivered in cutthrough mode the log line -is tagged with ">>" rather than "=>" and appears before the acceptance "<=" -line. +usual fashion. If the item is successfully delivered in cutthrough mode +the log line is tagged with ">>" rather than "=>" and appears +before the acceptance "<=" line. -Delivery in this mode avoids the generation of a bounce mail to a (possibly faked) +Delivery in this mode avoids the generation of a bounce mail to a +(possibly faked) sender when the destination system is doing content-scan based rejection. @@ -30346,9 +30363,13 @@ av_scanner = cmdline:\ .endd .vitem &%drweb%& .cindex "virus scanners" "DrWeb" -The DrWeb daemon scanner (&url(http://www.sald.com/)) interface takes one -argument, either a full path to a UNIX socket, or an IP address and port -separated by white space, as in these examples: +The DrWeb daemon scanner (&url(http://www.sald.com/)) interface +takes one option, +either a full path to a UNIX socket, +or host and port specifiers separated by white space. +The host may be a name or an IP address; the port is either a +single number or a pair of numbers with a dash between. +For example: .code av_scanner = drweb:/var/run/drwebd.sock av_scanner = drweb:192.168.2.20 31337 @@ -30356,6 +30377,17 @@ av_scanner = drweb:192.168.2.20 31337 If you omit the argument, the default path &_/usr/local/drweb/run/drwebd.sock_& is used. Thanks to Alex Miller for contributing the code for this scanner. +.vitem &%f-protd%& +.cindex "virus scanners" "f-protd" +The f-protd scanner is accessed via HTTP over TCP. +One argument is taken, being a space-separated hostname and port number +(or port-range). +For example: +.code +av_scanner = f-protd:localhost 10200-10204 +.endd +If you omit the argument, the default values show above are used. + .vitem &%fsecure%& .cindex "virus scanners" "F-Secure" The F-Secure daemon scanner (&url(http://www.f-secure.com)) takes one