X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/2b8d6aff36a25e06f418aec9e90fe7668562914b..c4a8c663b74a35b547d8320547079ca56b3b772e:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 8ae08e787..f2902dc95 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -509,7 +509,7 @@ message to the &'exim-dev'& mailing list and have it discussed. .cindex "distribution" "https site" The master distribution site for the Exim distribution is .display -.url(https://downloads.exim.org/) +&url(https://downloads.exim.org/) .endd The service is available over HTTPS, HTTP and FTP. We encourage people to migrate to HTTPS. @@ -3620,7 +3620,8 @@ are: &<>&) &`lookup `& general lookup code and all lookups &`memory `& memory handling -&`pid `& add pid to debug output lines +&`noutf8 `& modifier: avoid UTF-8 line-drawing +&`pid `& modifier: add pid to debug output lines &`process_info `& setting info for the process log &`queue_run `& queue runs &`receive `& general message reception logic @@ -3628,7 +3629,7 @@ are: &`retry `& retry handling &`rewrite `& address rewriting &`route `& address routing -&`timestamp `& add timestamp to debug output lines +&`timestamp `& modifier: add timestamp to debug output lines &`tls `& TLS logic &`transport `& transports &`uid `& changes of uid/gid and looking up uid/gid @@ -3660,6 +3661,15 @@ The &`timestamp`& selector causes the current time to be inserted at the start of all debug output lines. This can be useful when trying to track down delays in processing. +.new +.cindex debugging "UTF-8 in" +.cindex UTF-8 "in debug output" +The &`noutf8`& selector disables the use of +UTF-8 line-drawing characters to group related information. +When disabled. ascii-art is used instead. +Using the &`+all`& option does not set this modifier, +.wen + If the &%debug_print%& option is set in any driver, it produces output whenever any debugging is selected, or if &%-v%& is used. @@ -6723,6 +6733,12 @@ be followed by optional colons. &*Warning*&: Unlike most other single-key lookup types, a file of data for &((n)wildlsearch)& can &'not'& be turned into a DBM or cdb file, because those lookup types support only literal keys. + +.next +.cindex "lookup" "spf" +If Exim is built with SPF support, manual lookups can be done +(as opposed to the standard ACL condition method. +For details see section &<>&. .endlist ilist @@ -9374,6 +9390,27 @@ ${extract{Z}{A=... B=...}{$value} fail } This forces an expansion failure (see section &<>&); {<&'string2'&>} must be present for &"fail"& to be recognized. +.new +.vitem "&*${extract json{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}&&& + {*&<&'string3'&>&*}}*&" +.cindex "expansion" "extracting from JSON object" +.cindex JSON expansions +The key and <&'string1'&> are first expanded separately. Leading and trailing +white space is removed from the key (but not from any of the strings). The key +must not be empty and must not consist entirely of digits. +The expanded <&'string1'&> must be of the form: +.display +{ <&'"key1"'&> : <&'value1'&> , <&'"key2"'&> , <&'value2'&> ... } +.endd +.vindex "&$value$&" +The braces, commas and colons, and the quoting of the member name are required; +the spaces are optional. +Matching of the key against the member names is done case-sensitively. +. XXX should be a UTF-8 compare + +The results of matching are handled as above. +.wen + .vitem "&*${extract{*&<&'number'&>&*}{*&<&'separators'&>&*}&&& {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&" @@ -9406,6 +9443,19 @@ yields &"99"&. Two successive separators mean that the field between them is empty (for example, the fifth field above). +.new +.vitem "&*${extract json{*&<&'number'&>&*}}&&& + {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&" +.cindex "expansion" "extracting from JSON array" +.cindex JSON expansions +The <&'number'&> argument must consist entirely of decimal digits, +apart from leading and trailing white space, which is ignored. + +Field selection and result handling is as above; +there is no choice of field separator. +.wen + + .vitem &*${filter{*&<&'string'&>&*}{*&<&'condition'&>&*}}*& .cindex "list" "selecting by condition" .cindex "expansion" "selecting from list by condition" @@ -9988,7 +10038,7 @@ expansion items. .vitem &*$rheader_*&<&'header&~name'&>&*:*&&~or&~&*$rh_*&<&'header&~name'&>&*:*& This item inserts &"raw"& header lines. It is described with the &%header%& -expansion item above. +expansion item in section &<>& above. .vitem "&*${run{*&<&'command'&>&*&~*&<&'args'&>&*}{*&<&'string1'&>&*}&&& {*&<&'string2'&>&*}}*&" @@ -11690,7 +11740,7 @@ When a message is submitted locally (that is, not over a TCP connection) the value of &$authenticated_id$& is normally the login name of the calling process. However, a trusted user can override this by means of the &%-oMai%& command line option. -This second case also sets up inforamtion used by the +This second case also sets up information used by the &$authresults$& expansion item. .vitem &$authenticated_fail_id$& @@ -11947,6 +11997,7 @@ This is not strictly an expansion variable. It is expansion syntax for inserting the message header line with the given name. Note that the name must be terminated by colon or white space, because it may contain a wide variety of characters. Note also that braces must &'not'& be used. +See the full description in section &<>& above. .vitem &$headers_added$& .vindex "&$headers_added$&" @@ -19565,7 +19616,9 @@ be enclosed in quotes if it contains white space. A list of hosts, whether obtained via &%route_data%& or &%route_list%&, is always separately expanded before use. If the expansion fails, the router declines. The result of the expansion must be a colon-separated list of names -and/or IP addresses, optionally also including ports. The format of each item +and/or IP addresses, optionally also including ports. +If the list is written with spaces, it must be protected with quotes. +The format of each item in the list is described in the next section. The list separator can be changed as described in section &<>&. @@ -24067,6 +24120,8 @@ DKIM signing options. For details see section &<>&. .option delay_after_cutoff smtp boolean true +.cindex "final cutoff" "retries, controlling" +.cindex retry "final cutoff" This option controls what happens when all remote IP addresses for a given domain have been inaccessible for so long that they have passed their retry cutoff times. @@ -24525,10 +24580,17 @@ variable that contains an outgoing port. If the value of this option begins with a digit it is taken as a port number; otherwise it is looked up using &[getservbyname()]&. The default value is -normally &"smtp"&, but if &%protocol%& is set to &"lmtp"&, the default is -&"lmtp"&. If the expansion fails, or if a port number cannot be found, delivery +normally &"smtp"&, +but if &%protocol%& is set to &"lmtp"& the default is &"lmtp"& +and if &%protocol%& is set to &"smtps"& the default is &"smtps"&. +If the expansion fails, or if a port number cannot be found, delivery is deferred. +.new +Note that at least one Linux distribution has been seen failing +to put &"smtps"& in its &"/etc/services"& file, resulting is such deferrals. +.wen + .option protocol smtp string smtp @@ -24545,7 +24607,11 @@ over a pipe to a local process &-- see chapter &<>&. If this option is set to &"smtps"&, the default value for the &%port%& option changes to &"smtps"&, and the transport initiates TLS immediately after connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade. -The Internet standards bodies strongly discourage use of this mode. +.new +The Internet standards bodies used to strongly discourage use of this mode, +but as of RFC 8314 it is perferred over STARTTLS for message submission +(as distinct from MTA-MTA communication). +.wen .option retry_include_ip_address smtp boolean&!! true @@ -25811,10 +25877,13 @@ For local deliveries, one delivery attempt is always made for any subsequent messages. If this delivery fails, the address fails immediately. The post-cutoff retry time is not used. +.cindex "final cutoff" "retries, controlling" +.cindex retry "final cutoff" If the delivery is remote, there are two possibilities, controlled by the .oindex "&%delay_after_cutoff%&" &%delay_after_cutoff%& option of the &(smtp)& transport. The option is true by -default. Until the post-cutoff retry time for one of the IP addresses is +default. Until the post-cutoff retry time for one of the IP addresses, +as set by the &%retry_data_expire%& option, is reached, the failing email address is bounced immediately, without a delivery attempt taking place. After that time, one new delivery attempt is made to those IP addresses that are past their retry times, and if that still fails, @@ -25940,6 +26009,7 @@ included by setting AUTH_CRAM_MD5=yes AUTH_CYRUS_SASL=yes AUTH_DOVECOT=yes +AUTH_EXTERNAL=yes AUTH_GSASL=yes AUTH_HEIMDAL_GSSAPI=yes AUTH_PLAINTEXT=yes @@ -25951,15 +26021,20 @@ authentication mechanism (RFC 2195), and the second provides an interface to the Cyrus SASL authentication library. The third is an interface to Dovecot's authentication system, delegating the work via a socket interface. -The fourth provides an interface to the GNU SASL authentication library, which +.new +The fourth provides for negotiation of authentication done via non-SMTP means, +as defined by RFC 4422 Appendix A. +.wen +The fifth provides an interface to the GNU SASL authentication library, which provides mechanisms but typically not data sources. -The fifth provides direct access to Heimdal GSSAPI, geared for Kerberos, but +The sixth provides direct access to Heimdal GSSAPI, geared for Kerberos, but supporting setting a server keytab. -The sixth can be configured to support +The seventh can be configured to support the PLAIN authentication mechanism (RFC 2595) or the LOGIN mechanism, which is -not formally documented, but used by several MUAs. The seventh authenticator +not formally documented, but used by several MUAs. +The eighth authenticator supports Microsoft's &'Secure Password Authentication'& mechanism. -The eighth is an Exim authenticator but not an SMTP one; +The last is an Exim authenticator but not an SMTP one; instead it can use information from a TLS negotiation. The authenticators are configured using the same syntax as other drivers (see @@ -26089,12 +26164,15 @@ output, and Exim carries on processing. .option server_set_id authenticators string&!! unset .vindex "&$authenticated_id$&" +.vindex "&$authenticated_fail_id$&" When an Exim server successfully authenticates a client, this string is expanded using data from the authentication, and preserved for any incoming messages in the variable &$authenticated_id$&. It is also included in the log lines for incoming messages. For example, a user/password authenticator configuration might preserve the user name that was used to authenticate, and refer to it subsequently during delivery of the message. +On a failing authentication the expansion result is instead saved in +the &$authenticated_fail_id$& variable. If expansion fails, the option is ignored. @@ -26418,7 +26496,7 @@ to be returned. If the result of a successful expansion is an empty string, expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&. For any other result, a temporary error code is returned, with the expanded -string as the error text +string as the error text. &*Warning*&: If you use a lookup in the expansion to find the user's password, be sure to make the authentication fail if the user is unknown. @@ -27188,6 +27266,143 @@ msn: +. //////////////////////////////////////////////////////////////////////////// +. //////////////////////////////////////////////////////////////////////////// + +.chapter "The external authenticator" "CHAPexternauth" +.scindex IIDexternauth1 "&(external)& authenticator" +.scindex IIDexternauth2 "authenticators" "&(external)&" +.cindex "authentication" "Client Certificate" +.cindex "authentication" "X509" +.cindex "Certificate-based authentication" +The &(external)& authenticator provides support for +authentication based on non-SMTP information. +The specification is in RFC 4422 Appendix A +(&url(https://tools.ietf.org/html/rfc4422)). +It is only a transport and negotiation mechanism; +the process of authentication is entirely controlled +by the server configuration. + +The client presents an identity in-clear. +It is probably wise for a server to only advertise, +and for clients to only attempt, +this authentication method on a secure (eg. under TLS) connection. + +One possible use, compatible with the +K-9 Mail Andoid client (&url(https://k9mail.github.io/)), +is for using X509 client certificates. + +It thus overlaps in function with the TLS authenticator +(see &<>&) +but is a full SMTP SASL authenticator +rather than being implicit for TLS-connection carried +client certificates only. + +The examples and discussion in this chapter assume that +client-certificate authentication is being done. + +The client must present a certificate, +for which it must have been requested via the +&%tls_verify_hosts%& or &%tls_try_verify_hosts%& main options +(see &<>&). +For authentication to be effective the certificate should be +verifiable against a trust-anchor certificate known to the server. + +.section "External options" "SECTexternsoptions" +.cindex "options" "&(external)& authenticator (server)" +The &(external)& authenticator has two server options: + +.option server_param2 external string&!! unset +.option server_param3 external string&!! unset +.cindex "variables (&$auth1$& &$auth2$& etc)" "in &(external)& authenticator" +These options are expanded before the &%server_condition%& option +and the result are placed in &$auth2$& and &$auth3$& resectively. +If the expansion is forced to fail, authentication fails. Any other expansion +failure causes a temporary error code to be returned. + +They can be used to clarify the coding of a complex &%server_condition%&. + +.section "Using external in a server" "SECTexternserver" +.cindex "AUTH" "in &(external)& authenticator" +.cindex "numerical variables (&$1$& &$2$& etc)" &&& + "in &(external)& authenticator" +.vindex "&$auth1$&, &$auth2$&, etc" +.cindex "base64 encoding" "in &(external)& authenticator" + +When running as a server, &(external)& performs the authentication test by +expanding a string. The data sent by the client with the AUTH command, or in +response to subsequent prompts, is base64 encoded, and so may contain any byte +values when decoded. The decoded value is treated as +an identity for authentication and +placed in the expansion variable &$auth1$&. + +For compatibility with previous releases of Exim, the value is also placed in +the expansion variable &$1$&. However, the use of this +variable for this purpose is now deprecated, as it can lead to confusion in +string expansions that also use them for other things. + +.vindex "&$authenticated_id$&" +Once an identity has been received, +&%server_condition%& is expanded. If the expansion is forced to fail, +authentication fails. Any other expansion failure causes a temporary error code +to be returned. If the result of a successful expansion is an empty string, +&"0"&, &"no"&, or &"false"&, authentication fails. If the result of the +expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the +generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&. +For any other result, a temporary error code is returned, with the expanded +string as the error text. + +Example: +.code +ext_ccert_san_mail: + driver = external + public_name = EXTERNAL + + server_advertise_condition = $tls_in_certificate_verified + server_param2 = ${certextract {subj_altname,mail,>:} \ + {$tls_in_peercert}} + server_condition = ${if forany {$auth2} \ + {eq {$item}{$auth1}}} + server_set_id = $auth1 +.endd +This accepts a client certificate that is verifiable against any +of your configured trust-anchors +(which usually means the full set of public CAs) +and which has a mail-SAN matching the claimed identity sent by the client. + +Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN, +The account name is therefore guessable by an opponent. +TLS 1.3 protects both server and client certificates, and is not vulnerable +in this way. +Likewise, a traditional plaintext SMTP AUTH done inside TLS is not. + + +.section "Using external in a client" "SECTexternclient" +.cindex "options" "&(external)& authenticator (client)" +The &(external)& authenticator has one client option: + +.option client_send external string&!! unset +This option is expanded and sent with the AUTH command as the +identity being asserted. + +Example: +.code +ext_ccert: + driver = external + public_name = EXTERNAL + + client_condition = ${if !eq{$tls_out_cipher}{}} + client_send = myaccount@smarthost.example.net +.endd + + +.ecindex IIDexternauth1 +.ecindex IIDexternauth2 + + + + + . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// @@ -27243,20 +27458,25 @@ tls: driver = tls server_param1 = ${certextract {subj_altname,mail,>:} \ {$tls_in_peercert}} - server_condition = ${if forany {$auth1} \ + server_condition = ${if and { {eq{$tls_in_certificate_verified}{1}} \ + {forany {$auth1} \ {!= {0} \ {${lookup ldap{ldap:///\ mailname=${quote_ldap_dn:${lc:$item}},\ ou=users,LDAP_DC?mailid} {$value}{0} \ - } } } } + } } } }}} server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}} .endd This accepts a client certificate that is verifiable against any of your configured trust-anchors (which usually means the full set of public CAs) and which has a SAN with a good account name. -Note that the client cert is on the wire in-clear, including the SAN, -whereas a plaintext SMTP AUTH done inside TLS is not. + +Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN, +The account name is therefore guessable by an opponent. +TLS 1.3 protects both server and client certificates, and is not vulnerable +in this way. +Likewise, a traditional plaintext SMTP AUTH done inside TLS is not. . An alternative might use . .code @@ -27773,7 +27993,7 @@ session with a client, you must set either &%tls_verify_hosts%& or apply to all TLS connections. For any host that matches one of these options, Exim requests a certificate as part of the setup of the TLS session. The contents of the certificate are verified by comparing it with a list of -expected certificates. +expected trust-anchors or certificates. These may be the system default set (depending on library version), an explicit file or, depending on library version, a directory, identified by @@ -27790,6 +28010,9 @@ openssl x509 -hash -noout -in /cert/file .endd where &_/cert/file_& contains a single certificate. +There is no checking of names of the client against the certificate +Subject Name or Subject Alternate Names. + The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is what happens if the client does not supply a certificate, or if the certificate does not match any of the certificates in the collection named by @@ -27951,6 +28174,11 @@ The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict certificate verification to the listed servers. Verification either must or need not succeed respectively. +The &%tls_verify_cert_hostnames%& option lists hosts for which additional +checks are made: that the host name (the one in the DNS A record) +is valid for the certificate. +The option defaults to always checking. + The &(smtp)& transport has two OCSP-related options: &%hosts_require_ocsp%&; a host-list for which a Certificate Status is requested and required for the connection to proceed. The default @@ -28125,7 +28353,7 @@ The Apache web-server was for a long time the canonical guide, so their documentation is a good place to start; their SSL module's Introduction document is currently at .display -.url(https://httpd.apache.org/docs/current/ssl/ssl_intro.html) +&url(https://httpd.apache.org/docs/current/ssl/ssl_intro.html) .endd and their FAQ is at .display @@ -28256,7 +28484,7 @@ this is appropriate for a single system, using a self-signed certificate. DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public, well-known one. A private CA at simplest is just a self-signed certificate (with certain -attributes) which is used to sign cerver certificates, but running one securely +attributes) which is used to sign server certificates, but running one securely does require careful arrangement. With DANE-TA, as implemented in Exim and commonly in other MTAs, the server TLS handshake must transmit the entire certificate chain from CA to server-certificate. @@ -36913,6 +37141,7 @@ immediately after the time and date. &%pipelining%&: A field is added to delivery and accept log lines when the ESMTP PIPELINING extension was used. The field is a single "L". + On accept lines, where PIPELINING was offered but not used by the client, the field has a minus appended. .next @@ -40089,6 +40318,8 @@ with the event type: .display &`dane:fail `& failure reason &`msg:delivery `& smtp confirmation message +&`msg:fail:internal `& failure reason +&`msg:fail:delivery `& smtp error message &`msg:rcpt:host:defer `& error string &`msg:rcpt:defer `& error string &`msg:host:defer `& error string