X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/2081aac24b67f3f3f34389aadc06354abcad0cad..20395676aba7fa5eb9a2c5e0b9f582ec2b3e71e4:/doc/doc-docbook/spec.xfpt
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5c42afc93..05d8e6ed1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -51,6 +51,8 @@
.set ACL "access control lists (ACLs)"
.set I " "
+.set drivernamemax "64"
+
.macro copyyear
2020
.endmacro
@@ -237,6 +239,14 @@
failure report
bounce message
+
+ de-tainting
+ tainting, de-tainting
+
+
+ detainting
+ tainting, de-tainting
+
dialup
intermittently connected hosts
@@ -3848,9 +3858,11 @@ headers.)
.cindex "Solaris" "&'mail'& command"
.cindex "dot" "in incoming non-SMTP message"
This option, which has the same effect as &%-oi%&, specifies that a dot on a
-line by itself should not terminate an incoming, non-SMTP message. I can find
-no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'&
-command in Solaris 2.4 uses it. See also &%-ti%&.
+line by itself should not terminate an incoming, non-SMTP message.
+Solaris 2.4 (SunOS 5.4) Sendmail has a similar &%-i%& processing option
+&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf),
+p. 1M-529), and therefore a &%-oi%& command line option, which both are used
+by its &'mailx'& command.
.vitem &%-L%&&~<&'tag'&>
.oindex "&%-L%&"
@@ -3940,6 +3952,16 @@ This option is not intended for use by external callers. It is used internally
by Exim in conjunction with the &%-MC%& option. It signifies that a
remote host supports the ESMTP &_CHUNKING_& extension.
+.new
+.vitem &%-MCL%&
+.oindex "&%-MCL%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that the server to
+which Exim is connected advertised limits on numbers of mails, recipients or
+recipient domains.
+The limits are given by the following three arguments.
+.wen
+
.vitem &%-MCP%&
.oindex "&%-MCP%&"
This option is not intended for use by external callers. It is used internally
@@ -4160,8 +4182,9 @@ the standard output. This option can be used only by an admin user.
.vitem &%-m%&
.oindex "&%-m%&"
-This is apparently a synonym for &%-om%& that is accepted by Sendmail, so Exim
-treats it that way too.
+This is a synonym for &%-om%& that is accepted by Sendmail
+(&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf)
+p. 1M-258), so Exim treats it that way too.
.vitem &%-N%&
.oindex "&%-N%&"
@@ -5958,7 +5981,7 @@ Libraries you use may depend on specific environment settings. This
imposes a security risk (e.g. PATH). There are two lists:
&%keep_environment%& for the variables to import as they are, and
&%add_environment%& for variables we want to set to a fixed value.
-Note that TZ is handled separately, by the $%timezone%$ runtime
+Note that TZ is handled separately, by the &%timezone%& runtime
option and by the TIMEZONE_DEFAULT buildtime option.
.code
# keep_environment = ^LDAP
@@ -8492,7 +8515,7 @@ will store a result in the &$local_part_data$& variable.
.vitem domains
.new
A &%domains%& router option or &%domains%& ACL condition
-will store a result in the &$domain_data$& variable
+will store a result in the &$domain_data$& variable.
.wen
.vitem senders
A &%senders%& router option or &%senders%& ACL condition
@@ -8845,7 +8868,7 @@ If the pattern starts with the name of a lookup type
of either kind (single-key or query-style) it may be
followed by a comma and options,
The options are lookup-type specific and consist of a comma-separated list.
-Each item starts with a tag and and equals "=".
+Each item starts with a tag and and equals "=" sign.
.next
.cindex "domain list" "matching literal domain name"
@@ -8964,9 +8987,13 @@ accept hosts = @[]
.endd
.next
.cindex "CIDR notation"
-If the pattern is an IP address followed by a slash and a mask length (for
-example 10.11.42.0/24), it is matched against the IP address of the subject
-host under the given mask. This allows, an entire network of hosts to be
+If the pattern is an IP address followed by a slash and a mask length, for
+example
+.code
+10.11.42.0/24
+.endd
+, it is matched against the IP address of the subject
+host under the given mask. This allows an entire network of hosts to be
included (or excluded) by a single item. The mask uses CIDR notation; it
specifies the number of address bits that must match, starting from the most
significant end of the address.
@@ -9587,6 +9614,8 @@ reasons,
and expansion of data deriving from the sender (&"tainted data"&)
.new
is not permitted (including acessing a file using a tainted name).
+The main config option &%allow_insecure_tainted_data%& can be used as
+mitigation during uprades to more secure configurations.
.wen
.new
@@ -10155,7 +10184,7 @@ They are visible in DKIM, PRDR and DATA ACLs.
Header lines that are added in a RCPT ACL (for example)
are saved until the message's incoming header lines are available, at which
point they are added.
-When any of the above ACLs ar
+When any of the above ACLs are
running, however, header lines added by earlier ACLs are visible.
Upper case and lower case letters are synonymous in header names. If the
@@ -10431,10 +10460,11 @@ additional arguments need be given; the maximum number permitted, including the
name of the subroutine, is nine.
The return value of the subroutine is inserted into the expanded string, unless
-the return value is &%undef%&. In that case, the expansion fails in the same
-way as an explicit &"fail"& on a lookup item. The return value is a scalar.
-Whatever you return is evaluated in a scalar context. For example, if you
-return the name of a Perl vector, the return value is the size of the vector,
+the return value is &%undef%&. In that case, the entire expansion is
+forced to fail, in the same way as an explicit &"fail"& on a lookup item
+does (see section &<>&). Whatever you return is evaluated
+in a scalar context, thus the return value is a scalar. For example, if you
+return a Perl vector, the return value is the size of the vector,
not its contents.
If the subroutine exits by calling Perl's &%die%& function, the expansion fails
@@ -10484,7 +10514,7 @@ For more discussion and an example, see section &<>&.
.cindex "expansion" "inserting an entire file"
.cindex "file" "inserting into expansion"
.cindex "&%readfile%& expansion item"
-The filename and end-of-line string are first expanded separately. The file is
+The filename and end-of-line (eol) string are first expanded separately. The file is
then read, and its contents replace the entire item. All newline characters in
the file are replaced by the end-of-line string if it is present. Otherwise,
newlines are left in the string.
@@ -10521,7 +10551,7 @@ ${readsocket{inet:[::1]:1234}{request string}}
Only a single host name may be given, but if looking it up yields more than
one IP address, they are each tried in turn until a connection is made. For
both kinds of socket, Exim makes a connection, writes the request string
-unless it is an empty string; and no terminating NUL is ever sent)
+(unless it is an empty string; no terminating NUL is ever sent)
and reads from the socket until an end-of-file
is read. A timeout of 5 seconds is applied. Additional, optional arguments
extend what can be done. Firstly, you can vary the timeout. For example:
@@ -10987,7 +11017,7 @@ is controlled by the &%print_topbitchars%& option.
.vitem &*${escape8bit:*&<&'string'&>&*}*&
.cindex "expansion" "escaping 8-bit characters"
.cindex "&%escape8bit%& expansion item"
-If the string contains and characters with the most significant bit set,
+If the string contains any characters with the most significant bit set,
they are converted to escape sequences starting with a backslash.
Backslashes and DEL characters are also converted.
@@ -11454,7 +11484,7 @@ Now deprecated, a synonym for the &%base64%& expansion operator.
.cindex "expansion" "string length"
.cindex "string" "length in expansion"
.cindex "&%strlen%& expansion item"
-The item is replace by the length of the expanded string, expressed as a
+The item is replaced by the length of the expanded string, expressed as a
decimal number. &*Note*&: Do not confuse &%strlen%& with &%length%&.
All measurement is done in bytes and is not UTF-8 aware.
@@ -14570,6 +14600,7 @@ listed in more than one group.
.section "Miscellaneous" "SECID96"
.table2
.row &%add_environment%& "environment variables"
+.row &%allow_insecure_tainted_data%& "turn taint errors into warnings"
.row &%bi_command%& "to run for &%-bi%& command line option"
.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
@@ -14694,6 +14725,7 @@ listed in more than one group.
.row &%notifier_socket%& "override compiled-in value"
.row &%pid_file_path%& "override compiled-in value"
.row &%queue_run_max%& "maximum simultaneous queue runners"
+.row &%smtp_backlog_monitor%& "level to log listen backlog"
.endtable
@@ -15180,6 +15212,18 @@ domains (defined in the named domain list &%local_domains%& in the default
configuration). This &"magic string"& matches the domain literal form of all
the local host's IP addresses.
+.new
+.option allow_insecure_tainted_data main boolean false
+.cindex "de-tainting"
+.oindex "allow_insecure_tainted_data"
+The handling of tainted data may break older (pre 4.94) configurations.
+Setting this option to "true" turns taint errors (which result in a temporary
+message rejection) into warnings. This option is meant as mitigation only
+and deprecated already today. Future releases of Exim may ignore it.
+The &%taint%& log selector can be used to suppress even the warnings.
+.wen
+
+
.option allow_mx_to_ip main boolean false
.cindex "MX record" "pointing to IP address"
@@ -17374,7 +17418,7 @@ or if the message was submitted locally (not using TCP/IP), and the &%-bnq%&
option was not set.
-.option recipients_max main integer 0
+.option recipients_max main integer 50000
.cindex "limit" "number of recipients"
.cindex "recipient" "maximum number"
If this option is set greater than zero, it specifies the maximum number of
@@ -17712,6 +17756,14 @@ messages, it is also used as the default for HELO commands in callout
verification if there is no remote transport from which to obtain a
&%helo_data%& value.
+.option smtp_backlog_monitor main integer 0
+.cindex "connection backlog" monitoring
+If this option is set to greater than zero, and the backlog of available
+TCP connections on a socket listening for SMTP is larger than it, a line
+is logged giving the value and the socket address and port.
+The value is retrived jsut before an accept call.
+This facility is only available on Linux.
+
.option smtp_banner main string&!! "see below"
.cindex "SMTP" "welcome banner"
.cindex "banner for SMTP"
@@ -17742,7 +17794,7 @@ is zero). If there isn't enough space, a temporary error code is returned.
.option smtp_connect_backlog main integer 20
-.cindex "connection backlog"
+.cindex "connection backlog" "set maximum"
.cindex "SMTP" "connection backlog"
.cindex "backlog of connections"
This option specifies a maximum number of waiting SMTP connections. Exim passes
@@ -18331,8 +18383,12 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the
Server Name Indication extension, then this option and others documented in
&<>& will be re-expanded.
-If this option is unset or empty a fresh self-signed certificate will be
-generated for every connection.
+If this option is unset or empty a self-signed certificate will be
+.new
+used.
+Under Linux this is generated at daemon startup; on other platforms it will be
+generated fresh for every connection.
+.wen
.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
@@ -18780,6 +18836,11 @@ which the preconditions are tested. The order of expansion of the options that
provide data for a transport is: &%errors_to%&, &%headers_add%&,
&%headers_remove%&, &%transport%&.
+.new
+The name of a router is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
.option address_data routers string&!! unset
@@ -21486,7 +21547,7 @@ The text is not included in the response to an EXPN command. In non-SMTP cases
the text is included in the error message that Exim generates.
.cindex "SMTP" "error codes"
-By default, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
+By default for verify, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
&':fail:'&. However, if the message starts with three digits followed by a
space, optionally followed by an extended code of the form &'n.n.n'&, also
followed by a space, and the very first digit is the same as the default error
@@ -22323,6 +22384,12 @@ and &$original_domain$& is never set.
.scindex IIDgenoptra1 "generic options" "transport"
.scindex IIDgenoptra2 "options" "generic; for transports"
.scindex IIDgenoptra3 "transport" "generic options for"
+.new
+The name of a transport is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
The following generic options apply to all transports:
@@ -22998,6 +23065,11 @@ If &%file%& or &%directory%& is set for a delivery from a redirection, it is
used to determine the file or directory name for the delivery. Normally, the
contents of &$address_file$& are used in some way in the string expansion.
.endlist
+If the &%create_file%& option is set to a path which
+matches (see the option definition below for details)
+a file or directory name
+for the delivery, that name becomes de-tainted.
+
.cindex "tainted data" "in filenames"
.cindex appendfile "tainted data"
Tainted data may not be used for a file or directory name.
@@ -23145,14 +23217,34 @@ directories defined by the &%directory%& option. In the case of maildir
delivery, it applies to the top level directory, not the maildir directories
beneath.
+.new
The option must be set to one of the words &"anywhere"&, &"inhome"&, or
-&"belowhome"&. In the second and third cases, a home directory must have been
-set for the transport. This option is not useful when an explicit filename is
+&"belowhome"&, or to an absolute path.
+.wen
+
+In the second and third cases, a home directory must have been
+set for the transport, and the file or directory being created must
+reside within it.
+The "belowhome" checking additionally checks for attempts to use "../"
+to evade the testing.
+This option is not useful when an explicit filename is
given for normal mailbox deliveries. It is intended for the case when filenames
are generated from users' &_.forward_& files. These are usually handled
by an &(appendfile)& transport called &%address_file%&. See also
&%file_must_exist%&.
+.new
+In the fourth case,
+the value given for this option must be an absolute path for an
+existing directory.
+The value is used for checking instead of a home directory;
+checking is done in "belowhome" mode.
+
+.cindex "tainted data" "de-tainting"
+If "belowhome" checking is used, the file or directory path
+becomes de-tainted.
+.wen
+
.option directory appendfile string&!! unset
This option is mutually exclusive with the &%file%& option, but one of &%file%&
@@ -23165,6 +23257,11 @@ appended to a single mailbox file. A number of different formats are provided
(see &%maildir_format%& and &%mailstore_format%&), and see section
&<>& for further details of this form of delivery.
+.new
+The result of expansion must not be tainted, unless the &%create_file%& option
+specifies a path.
+.wen
+
.option directory_file appendfile string&!! "see below"
.cindex "base62"
@@ -23197,6 +23294,11 @@ specifies a single file, to which the message is appended. One or more of
&%use_fcntl_lock%&, &%use_flock_lock%&, or &%use_lockfile%& must be set with
&%file%&.
+.new
+The result of expansion must not be tainted, unless the &%create_file%& option
+specifies a path.
+.wen
+
.cindex "NFS" "lock file"
.cindex "locking files"
.cindex "lock files"
@@ -25562,6 +25664,11 @@ There will be no fallback to in-clear communication.
See the &%dnssec_request_domains%& router and transport options.
See section &<>&.
+.option hosts_require_helo smtp "host list&!!" *
+.cindex "HELO/EHLO" requiring
+Exim will require an accepted HELO or EHLO command from a host matching
+this list, before accepting a MAIL command.
+
.option hosts_require_ocsp smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will request, and check for a valid Certificate Status being given, on a
@@ -25690,7 +25797,7 @@ has advertised support for IGNOREQUOTA in its response to the LHLO command.
This option limits the number of RCPT commands that are sent in a single
SMTP message transaction. Each set of addresses is treated independently, and
so can cause parallel connections to the same host if &%remote_max_parallel%&
-permits this.
+permits this. A value setting of zero disables the limit.
.new
@@ -27124,6 +27231,12 @@ permitted to use it as a relay. SMTP authentication is not of relevance to the
transfer of mail between servers that have no managerial connection with each
other.
+.new
+The name of an authenticator is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
.cindex "AUTH" "description of"
.cindex "ESMTP extensions" AUTH
Very briefly, the way SMTP authentication works is as follows:
@@ -38092,7 +38205,7 @@ implying the use of a default path.
When Exim encounters an empty item in the list, it searches the list defined by
LOG_FILE_PATH, and uses the first item it finds that is neither empty nor
&"syslog"&. This means that an empty item in &%log_file_path%& can be used to
-mean &"use the path specified at build time"&. It no such item exists, log
+mean &"use the path specified at build time"&. If no such item exists, log
files are written in the &_log_& subdirectory of the spool directory. This is
equivalent to the setting:
.code
@@ -38637,6 +38750,7 @@ selection marked by asterisks:
&` outgoing_port `& add remote port to => lines
&`*queue_run `& start and end queue runs
&` queue_time `& time on queue for one recipient
+&`*queue_time_exclusive `& exclude recieve time from QT times
&` queue_time_overall `& time on queue for whole message
&` pid `& Exim process id
&` pipelining `& PIPELINING use, on <= and => lines
@@ -38659,6 +38773,7 @@ selection marked by asterisks:
&` smtp_protocol_error `& SMTP protocol errors
&` smtp_syntax_error `& SMTP syntax errors
&` subject `& contents of &'Subject:'& on <= lines
+&`*taint `& taint errors or warnings
&`*tls_certificate_verified `& certificate verification status
&`*tls_cipher `& TLS cipher suite on <= and => lines
&` tls_peerdn `& TLS peer DN on <= and => lines
@@ -38878,18 +38993,13 @@ Delivery "L" fields have an asterisk appended if used.
.cindex "log" "queue time"
&%queue_time%&: The amount of time the message has been in the queue on the
local host is logged as QT=<&'time'&> on delivery (&`=>`&) lines, for example,
-&`QT=3m45s`&. The clock starts when Exim starts to receive the message, so it
-includes reception time as well as the delivery time for the current address.
-This means that it may be longer than the difference between the arrival and
-delivery log line times, because the arrival log line is not written until the
-message has been successfully received.
+&`QT=3m45s`&.
If millisecond logging is enabled, short times will be shown with greater
precision, eg. &`QT=1.578s`&.
.next
&%queue_time_overall%&: The amount of time the message has been in the queue on
the local host is logged as QT=<&'time'&> on &"Completed"& lines, for
-example, &`QT=3m45s`&. The clock starts when Exim starts to receive the
-message, so it includes reception time as well as the total delivery time.
+example, &`QT=3m45s`&.
.next
.cindex "log" "receive duration"
&%receive_time%&: For each message, the amount of real time it has taken to
@@ -38948,10 +39058,12 @@ it is too big.
.cindex "log" "frozen messages; skipped"
.cindex "frozen messages" "logging skipping"
&%skip_delivery%&: A log line is written whenever a message is skipped during a
-queue run because it is frozen or because another process is already delivering
-it.
+queue run because it another process is already delivering it or because
+it is frozen.
.cindex "&""spool file is locked""&"
-The message that is written is &"spool file is locked"&.
+.cindex "&""message is frozen""&"
+The message that is written is either &"spool file is locked"& or
+&"message is frozen"&.
.next
.cindex "log" "smtp confirmation"
.cindex "SMTP" "logging confirmation"
@@ -39057,6 +39169,11 @@ using a CA trust anchor,
&`CV=dane`& if using a DNS trust anchor,
and &`CV=no`& if not.
.next
+.cindex "log" "Taint warnings"
+&%taint%&: Log warnings about tainted data. This selector can't be
+turned of if &%allow_insecure_tainted_data%& is false (which is the
+default).
+.next
.cindex "log" "TLS cipher"
.cindex "TLS" "logging cipher"
&%tls_cipher%&: When a message is sent or received over an encrypted