X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/3c4a5f3613224bfe3bb8ce8fb9d2bf87c601364c..2b2cfa838f206b5d97a120722861f42780bc6a6a:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index bb19e3915..bca6689b6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -52,7 +52,7 @@ .set I "    " .macro copyyear -2018 +2018, 2019 .endmacro . ///////////////////////////////////////////////////////////////////////////// @@ -1886,11 +1886,10 @@ to your &_Local/Makefile_& and rebuild Exim. .section "Including TLS/SSL encryption support" "SECTinctlsssl" .cindex "TLS" "including support for TLS" .cindex "encryption" "including support for" -.cindex "SUPPORT_TLS" .cindex "OpenSSL" "building Exim with" .cindex "GnuTLS" "building Exim with" -Exim can be built to support encrypted SMTP connections, using the STARTTLS -command as per RFC 2487. It can also support legacy clients that expect to +Exim is usually built to support encrypted SMTP connections, using the STARTTLS +command as per RFC 2487. It can also support clients that expect to start a TLS session immediately on connection to a non-standard port (see the &%tls_on_connect_ports%& runtime option and the &%-tls-on-connect%& command line option). @@ -1899,35 +1898,41 @@ If you want to build Exim with TLS support, you must first install either the OpenSSL or GnuTLS library. There is no cryptographic code in Exim itself for implementing SSL. +.new +If you do not want TLS support you should set +.code +DISABLE_TLS=yes +.endd +in &_Local/Makefile_&. +.wen + If OpenSSL is installed, you should set .code -SUPPORT_TLS=yes +USE_OPENSL=yes TLS_LIBS=-lssl -lcrypto .endd in &_Local/Makefile_&. You may also need to specify the locations of the OpenSSL library and include files. For example: .code -SUPPORT_TLS=yes +USE_OPENSL=yes TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto TLS_INCLUDE=-I/usr/local/openssl/include/ .endd .cindex "pkg-config" "OpenSSL" If you have &'pkg-config'& available, then instead you can just use: .code -SUPPORT_TLS=yes +USE_OPENSL=yes USE_OPENSSL_PC=openssl .endd .cindex "USE_GNUTLS" If GnuTLS is installed, you should set .code -SUPPORT_TLS=yes USE_GNUTLS=yes TLS_LIBS=-lgnutls -ltasn1 -lgcrypt .endd in &_Local/Makefile_&, and again you may need to specify the locations of the library and include files. For example: .code -SUPPORT_TLS=yes USE_GNUTLS=yes TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt TLS_INCLUDE=-I/usr/gnu/include @@ -1935,7 +1940,6 @@ TLS_INCLUDE=-I/usr/gnu/include .cindex "pkg-config" "GnuTLS" If you have &'pkg-config'& available, then instead you can just use: .code -SUPPORT_TLS=yes USE_GNUTLS=yes USE_GNUTLS_PC=gnutls .endd @@ -3959,6 +3963,20 @@ is sent to the sender, containing the text &"cancelled by administrator"&. Bounce messages are just discarded. This option can be used only by an admin user. +.new +.vitem &%-MG%&&~<&'queue&~name'&&~<&'message&~id'&>&~<&'message&~id'&>&~... +.oindex "&%-MG%&" +.cindex queue named +.cindex "named queues" +.cindex "queue" "moving messages" +This option requests that each listed message be moved from its current +queue to the given named queue. +The destination queue name argument is required, but can be an empty +string to define the default queue. +If the messages are not currently located in the default queue, +a &%-qG%& option will be required to define the source queue. +.wen + .vitem &%-Mmad%&&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-Mmad%&" .cindex "delivery" "cancelling all" @@ -6109,9 +6127,6 @@ dnslookup: domains = ! +local_domains transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 -.ifdef _HAVE_DNSSEC - dnssec_request_domains = * -.endif no_more .endd The &%domains%& option behaves as per smarthost, above. @@ -6262,9 +6277,6 @@ Two remote transports and four local transports are defined. remote_smtp: driver = smtp message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} -.ifdef _HAVE_DANE - hosts_try_dane = * -.endif .ifdef _HAVE_PRDR hosts_try_prdr = * .endif @@ -6665,11 +6677,10 @@ aliases or other indexed data referenced by an MTA. Information about cdb and tools for building the files can be found in several places: .display &url(https://cr.yp.to/cdb.html) -&url(http://www.corpit.ru/mjt/tinycdb.html) +&url(https://www.corpit.ru/mjt/tinycdb.html) &url(https://packages.debian.org/stable/utils/freecdb) &url(https://github.com/philpennock/cdbtools) (in Go) .endd -. --- 2018-09-07: corpit.ru http:-only A cdb distribution is not needed in order to build Exim with cdb support, because the code for reading cdb files is included directly in Exim itself. However, no means of building or testing cdb files is provided with Exim, so @@ -7331,7 +7342,7 @@ with the lookup. With &"strict"& a response from the DNS resolver that is not labelled as authenticated data is treated as equivalent to a temporary DNS error. -The default is &"never"&. +The default is &"lax"&. See also the &$lookup_dnssec_authenticated$& variable. @@ -13353,6 +13364,9 @@ or a &%def%& condition. &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used for &%tls_certificate%&, this variable is not reliable. +.new +The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. +.wen .vitem &$tls_in_peercert$& .vindex "&$tls_in_peercert$&" @@ -16459,6 +16473,8 @@ and from which pipeline early-connection (before MAIL) SMTP commands are acceptable. When used, the pipelining saves on roundtrip times. +See also the &%hosts_pipe_connect%& smtp transport option. + Currently the option name &"X_PIPE_CONNECT"& is used. .wen @@ -17683,9 +17699,9 @@ separator in the usual way (&<>&) to avoid confusion under IP &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used, the &$tls_in_ourcert$& variable is unreliable. - -&*Note*&: OCSP stapling is not usable under OpenSSL -when a list of more than one file is used. +.new +The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. +.wen If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the @@ -17838,6 +17854,9 @@ status proof for the server's certificate, as obtained from the Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). +.new +The macro "_HAVE_TLS_OCSP" will be defined for those versions. +.wen .new For OpenSSL 1.1.0 or later, and @@ -17845,15 +17864,26 @@ For OpenSSL 1.1.0 or later, and for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the &%tls_certificate%& option. The ordering of the two lists must match. +.new +The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions. +.wen .new The file(s) should be in DER format, -except for GnuTLS 3.6.3 or later when an optional filetype prefix -can be used. The prefix must be one of "DER" or "PEM", followed by +except for GnuTLS 3.6.3 or later +or for OpenSSL, +when an optional filetype prefix can be used. +The prefix must be one of "DER" or "PEM", followed by a single space. If one is used it sets the format for subsequent files in the list; the initial format is DER. -When a PEM format file is used it may contain multiple proofs, -for multiple certificate chain element proofs under TLS1.3. +If multiple proofs are wanted, for multiple chain elements +(this only works under TLS1.3) +they must be coded as a combined OCSP response. + +Although GnuTLS will accept PEM files with multiple separate +PEM blobs (ie. separate OCSP responses), it sends them in the +TLS Certificate record interleaved with the certificates of the chain; +although a GnuTLS client is happy with that, an OpenSSL client is not. .wen .option tls_on_connect_ports main "string list" unset @@ -18372,7 +18402,7 @@ or for any deliveries caused by this router. You should not set this option unless you really, really know what you are doing. See also the generic transport option of the same name. -.option dnssec_request_domains routers "domain list&!!" unset +.option dnssec_request_domains routers "domain list&!!" * .cindex "MX record" "security" .cindex "DNSSEC" "MX lookup" .cindex "security" "MX lookup" @@ -24561,7 +24591,7 @@ See the &%search_parents%& option in chapter &<>& for more details. -.option dnssec_request_domains smtp "domain list&!!" unset +.option dnssec_request_domains smtp "domain list&!!" * .cindex "MX record" "security" .cindex "DNSSEC" "MX lookup" .cindex "security" "MX lookup" @@ -24740,6 +24770,8 @@ When used, the pipelining saves on roundtrip times. It also turns SMTP into a client-first protocol so combines well with TCP Fast Open. +See also the &%pipelining_connect_advertise_hosts%& main option. + Note: When the facility is used, the transport &%helo_data%& option will be expanded before the &$sending_ip_address$& variable @@ -28023,11 +28055,8 @@ to use GnuTLS, you need to set .code USE_GNUTLS=yes .endd -in Local/Makefile, in addition to -.code -SUPPORT_TLS=yes -.endd -You must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the +in Local/Makefile +you must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the include files and libraries for GnuTLS can be found. There are some differences in usage when using GnuTLS instead of OpenSSL: @@ -29043,7 +29072,8 @@ If DANE is requested and useable (see above) the following transport options are If DANE is not usable, whether requested or not, and CA-anchored verification evaluation is wanted, the above variables should be set appropriately. -Currently the (router or transport options) &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored. +The router and transport option &%dnssec_request_domains%& must not be +set to "never" and &%dnssec_require_domains%& is ignored. If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane". @@ -40312,8 +40342,12 @@ for more information of what they mean. SPF is a mechanism whereby a domain may assert which IP addresses may transmit messages with its domain in the envelope from, documented by RFC 7208. -For more information on SPF see &url(http://www.openspf.org). -. --- 2018-09-07: still not https +For more information on SPF see &url(http://www.open-spf.org), a static copy of +the &url(http://openspf.org). +. --- 2019-10-28: still not https, open-spf.org is told to be a +. --- web-archive copy of the now dead openspf.org site +. --- See https://www.mail-archive.com/mailop@mailop.org/msg08019.html for a +. --- discussion. Messages sent by a system not authorised will fail checking of such assertions. This includes retransmissions done by traditional forwarders. @@ -40376,7 +40410,7 @@ deny spf = fail message = $sender_host_address is not allowed to send mail from \ ${if def:sender_address_domain \ {$sender_address_domain}{$sender_helo_name}}. \ - Please see http://www.openspf.org/Why?scope=\ + Please see http://www.open-spf.org/Why?scope=\ ${if def:sender_address_domain {mfrom}{helo}};\ identity=${if def:sender_address_domain \ {$sender_address}{$sender_helo_name}};\ @@ -40429,9 +40463,9 @@ In addition to SPF, you can also perform checks for so-called "Best-guess". Strictly speaking, "Best-guess" is not standard SPF, but it is supported by the same framework that enables SPF capability. -Refer to &url(http://www.openspf.org/FAQ/Best_guess_record) +Refer to &url(http://www.open-spf.org/FAQ/Best_guess_record) for a description of what it means. -. --- 2018-09-07: still not https: +. --- 2019-10-28: still not https: To access this feature, simply use the spf_guess condition in place of the spf one. For example: