X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/535c964b8a4855448b8cc39ec301831a2b96c3a9..20395676aba7fa5eb9a2c5e0b9f582ec2b3e71e4:/doc/doc-docbook/spec.xfpt
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1c7cf8eee..05d8e6ed1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -51,6 +51,8 @@
.set ACL "access control lists (ACLs)"
.set I " "
+.set drivernamemax "64"
+
.macro copyyear
2020
.endmacro
@@ -237,6 +239,14 @@
failure report
bounce message
+
+ de-tainting
+ tainting, de-tainting
+
+
+ detainting
+ tainting, de-tainting
+
dialup
intermittently connected hosts
@@ -3848,9 +3858,11 @@ headers.)
.cindex "Solaris" "&'mail'& command"
.cindex "dot" "in incoming non-SMTP message"
This option, which has the same effect as &%-oi%&, specifies that a dot on a
-line by itself should not terminate an incoming, non-SMTP message. I can find
-no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'&
-command in Solaris 2.4 uses it. See also &%-ti%&.
+line by itself should not terminate an incoming, non-SMTP message.
+Solaris 2.4 (SunOS 5.4) Sendmail has a similar &%-i%& processing option
+&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf),
+p. 1M-529), and therefore a &%-oi%& command line option, which both are used
+by its &'mailx'& command.
.vitem &%-L%&&~<&'tag'&>
.oindex "&%-L%&"
@@ -4170,8 +4182,9 @@ the standard output. This option can be used only by an admin user.
.vitem &%-m%&
.oindex "&%-m%&"
-This is apparently a synonym for &%-om%& that is accepted by Sendmail, so Exim
-treats it that way too.
+This is a synonym for &%-om%& that is accepted by Sendmail
+(&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf)
+p. 1M-258), so Exim treats it that way too.
.vitem &%-N%&
.oindex "&%-N%&"
@@ -5968,7 +5981,7 @@ Libraries you use may depend on specific environment settings. This
imposes a security risk (e.g. PATH). There are two lists:
&%keep_environment%& for the variables to import as they are, and
&%add_environment%& for variables we want to set to a fixed value.
-Note that TZ is handled separately, by the $%timezone%$ runtime
+Note that TZ is handled separately, by the &%timezone%& runtime
option and by the TIMEZONE_DEFAULT buildtime option.
.code
# keep_environment = ^LDAP
@@ -8502,7 +8515,7 @@ will store a result in the &$local_part_data$& variable.
.vitem domains
.new
A &%domains%& router option or &%domains%& ACL condition
-will store a result in the &$domain_data$& variable
+will store a result in the &$domain_data$& variable.
.wen
.vitem senders
A &%senders%& router option or &%senders%& ACL condition
@@ -8855,7 +8868,7 @@ If the pattern starts with the name of a lookup type
of either kind (single-key or query-style) it may be
followed by a comma and options,
The options are lookup-type specific and consist of a comma-separated list.
-Each item starts with a tag and and equals "=".
+Each item starts with a tag and and equals "=" sign.
.next
.cindex "domain list" "matching literal domain name"
@@ -8974,9 +8987,13 @@ accept hosts = @[]
.endd
.next
.cindex "CIDR notation"
-If the pattern is an IP address followed by a slash and a mask length (for
-example 10.11.42.0/24), it is matched against the IP address of the subject
-host under the given mask. This allows, an entire network of hosts to be
+If the pattern is an IP address followed by a slash and a mask length, for
+example
+.code
+10.11.42.0/24
+.endd
+, it is matched against the IP address of the subject
+host under the given mask. This allows an entire network of hosts to be
included (or excluded) by a single item. The mask uses CIDR notation; it
specifies the number of address bits that must match, starting from the most
significant end of the address.
@@ -9597,6 +9614,8 @@ reasons,
and expansion of data deriving from the sender (&"tainted data"&)
.new
is not permitted (including acessing a file using a tainted name).
+The main config option &%allow_insecure_tainted_data%& can be used as
+mitigation during uprades to more secure configurations.
.wen
.new
@@ -10165,7 +10184,7 @@ They are visible in DKIM, PRDR and DATA ACLs.
Header lines that are added in a RCPT ACL (for example)
are saved until the message's incoming header lines are available, at which
point they are added.
-When any of the above ACLs ar
+When any of the above ACLs are
running, however, header lines added by earlier ACLs are visible.
Upper case and lower case letters are synonymous in header names. If the
@@ -10441,10 +10460,11 @@ additional arguments need be given; the maximum number permitted, including the
name of the subroutine, is nine.
The return value of the subroutine is inserted into the expanded string, unless
-the return value is &%undef%&. In that case, the expansion fails in the same
-way as an explicit &"fail"& on a lookup item. The return value is a scalar.
-Whatever you return is evaluated in a scalar context. For example, if you
-return the name of a Perl vector, the return value is the size of the vector,
+the return value is &%undef%&. In that case, the entire expansion is
+forced to fail, in the same way as an explicit &"fail"& on a lookup item
+does (see section &<>&). Whatever you return is evaluated
+in a scalar context, thus the return value is a scalar. For example, if you
+return a Perl vector, the return value is the size of the vector,
not its contents.
If the subroutine exits by calling Perl's &%die%& function, the expansion fails
@@ -10494,7 +10514,7 @@ For more discussion and an example, see section &<>&.
.cindex "expansion" "inserting an entire file"
.cindex "file" "inserting into expansion"
.cindex "&%readfile%& expansion item"
-The filename and end-of-line string are first expanded separately. The file is
+The filename and end-of-line (eol) string are first expanded separately. The file is
then read, and its contents replace the entire item. All newline characters in
the file are replaced by the end-of-line string if it is present. Otherwise,
newlines are left in the string.
@@ -10531,7 +10551,7 @@ ${readsocket{inet:[::1]:1234}{request string}}
Only a single host name may be given, but if looking it up yields more than
one IP address, they are each tried in turn until a connection is made. For
both kinds of socket, Exim makes a connection, writes the request string
-unless it is an empty string; and no terminating NUL is ever sent)
+(unless it is an empty string; no terminating NUL is ever sent)
and reads from the socket until an end-of-file
is read. A timeout of 5 seconds is applied. Additional, optional arguments
extend what can be done. Firstly, you can vary the timeout. For example:
@@ -10997,7 +11017,7 @@ is controlled by the &%print_topbitchars%& option.
.vitem &*${escape8bit:*&<&'string'&>&*}*&
.cindex "expansion" "escaping 8-bit characters"
.cindex "&%escape8bit%& expansion item"
-If the string contains and characters with the most significant bit set,
+If the string contains any characters with the most significant bit set,
they are converted to escape sequences starting with a backslash.
Backslashes and DEL characters are also converted.
@@ -11464,7 +11484,7 @@ Now deprecated, a synonym for the &%base64%& expansion operator.
.cindex "expansion" "string length"
.cindex "string" "length in expansion"
.cindex "&%strlen%& expansion item"
-The item is replace by the length of the expanded string, expressed as a
+The item is replaced by the length of the expanded string, expressed as a
decimal number. &*Note*&: Do not confuse &%strlen%& with &%length%&.
All measurement is done in bytes and is not UTF-8 aware.
@@ -14580,6 +14600,7 @@ listed in more than one group.
.section "Miscellaneous" "SECID96"
.table2
.row &%add_environment%& "environment variables"
+.row &%allow_insecure_tainted_data%& "turn taint errors into warnings"
.row &%bi_command%& "to run for &%-bi%& command line option"
.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
@@ -14704,6 +14725,7 @@ listed in more than one group.
.row &%notifier_socket%& "override compiled-in value"
.row &%pid_file_path%& "override compiled-in value"
.row &%queue_run_max%& "maximum simultaneous queue runners"
+.row &%smtp_backlog_monitor%& "level to log listen backlog"
.endtable
@@ -15190,6 +15212,18 @@ domains (defined in the named domain list &%local_domains%& in the default
configuration). This &"magic string"& matches the domain literal form of all
the local host's IP addresses.
+.new
+.option allow_insecure_tainted_data main boolean false
+.cindex "de-tainting"
+.oindex "allow_insecure_tainted_data"
+The handling of tainted data may break older (pre 4.94) configurations.
+Setting this option to "true" turns taint errors (which result in a temporary
+message rejection) into warnings. This option is meant as mitigation only
+and deprecated already today. Future releases of Exim may ignore it.
+The &%taint%& log selector can be used to suppress even the warnings.
+.wen
+
+
.option allow_mx_to_ip main boolean false
.cindex "MX record" "pointing to IP address"
@@ -17384,7 +17418,7 @@ or if the message was submitted locally (not using TCP/IP), and the &%-bnq%&
option was not set.
-.option recipients_max main integer 0
+.option recipients_max main integer 50000
.cindex "limit" "number of recipients"
.cindex "recipient" "maximum number"
If this option is set greater than zero, it specifies the maximum number of
@@ -17722,6 +17756,14 @@ messages, it is also used as the default for HELO commands in callout
verification if there is no remote transport from which to obtain a
&%helo_data%& value.
+.option smtp_backlog_monitor main integer 0
+.cindex "connection backlog" monitoring
+If this option is set to greater than zero, and the backlog of available
+TCP connections on a socket listening for SMTP is larger than it, a line
+is logged giving the value and the socket address and port.
+The value is retrived jsut before an accept call.
+This facility is only available on Linux.
+
.option smtp_banner main string&!! "see below"
.cindex "SMTP" "welcome banner"
.cindex "banner for SMTP"
@@ -17752,7 +17794,7 @@ is zero). If there isn't enough space, a temporary error code is returned.
.option smtp_connect_backlog main integer 20
-.cindex "connection backlog"
+.cindex "connection backlog" "set maximum"
.cindex "SMTP" "connection backlog"
.cindex "backlog of connections"
This option specifies a maximum number of waiting SMTP connections. Exim passes
@@ -18794,6 +18836,11 @@ which the preconditions are tested. The order of expansion of the options that
provide data for a transport is: &%errors_to%&, &%headers_add%&,
&%headers_remove%&, &%transport%&.
+.new
+The name of a router is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
.option address_data routers string&!! unset
@@ -21500,7 +21547,7 @@ The text is not included in the response to an EXPN command. In non-SMTP cases
the text is included in the error message that Exim generates.
.cindex "SMTP" "error codes"
-By default, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
+By default for verify, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
&':fail:'&. However, if the message starts with three digits followed by a
space, optionally followed by an extended code of the form &'n.n.n'&, also
followed by a space, and the very first digit is the same as the default error
@@ -22337,6 +22384,12 @@ and &$original_domain$& is never set.
.scindex IIDgenoptra1 "generic options" "transport"
.scindex IIDgenoptra2 "options" "generic; for transports"
.scindex IIDgenoptra3 "transport" "generic options for"
+.new
+The name of a transport is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
The following generic options apply to all transports:
@@ -25611,6 +25664,11 @@ There will be no fallback to in-clear communication.
See the &%dnssec_request_domains%& router and transport options.
See section &<>&.
+.option hosts_require_helo smtp "host list&!!" *
+.cindex "HELO/EHLO" requiring
+Exim will require an accepted HELO or EHLO command from a host matching
+this list, before accepting a MAIL command.
+
.option hosts_require_ocsp smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will request, and check for a valid Certificate Status being given, on a
@@ -27173,6 +27231,12 @@ permitted to use it as a relay. SMTP authentication is not of relevance to the
transfer of mail between servers that have no managerial connection with each
other.
+.new
+The name of an authenticator is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
.cindex "AUTH" "description of"
.cindex "ESMTP extensions" AUTH
Very briefly, the way SMTP authentication works is as follows:
@@ -38141,7 +38205,7 @@ implying the use of a default path.
When Exim encounters an empty item in the list, it searches the list defined by
LOG_FILE_PATH, and uses the first item it finds that is neither empty nor
&"syslog"&. This means that an empty item in &%log_file_path%& can be used to
-mean &"use the path specified at build time"&. It no such item exists, log
+mean &"use the path specified at build time"&. If no such item exists, log
files are written in the &_log_& subdirectory of the spool directory. This is
equivalent to the setting:
.code
@@ -38709,6 +38773,7 @@ selection marked by asterisks:
&` smtp_protocol_error `& SMTP protocol errors
&` smtp_syntax_error `& SMTP syntax errors
&` subject `& contents of &'Subject:'& on <= lines
+&`*taint `& taint errors or warnings
&`*tls_certificate_verified `& certificate verification status
&`*tls_cipher `& TLS cipher suite on <= and => lines
&` tls_peerdn `& TLS peer DN on <= and => lines
@@ -38993,10 +39058,12 @@ it is too big.
.cindex "log" "frozen messages; skipped"
.cindex "frozen messages" "logging skipping"
&%skip_delivery%&: A log line is written whenever a message is skipped during a
-queue run because it is frozen or because another process is already delivering
-it.
+queue run because it another process is already delivering it or because
+it is frozen.
.cindex "&""spool file is locked""&"
-The message that is written is &"spool file is locked"&.
+.cindex "&""message is frozen""&"
+The message that is written is either &"spool file is locked"& or
+&"message is frozen"&.
.next
.cindex "log" "smtp confirmation"
.cindex "SMTP" "logging confirmation"
@@ -39102,6 +39169,11 @@ using a CA trust anchor,
&`CV=dane`& if using a DNS trust anchor,
and &`CV=no`& if not.
.next
+.cindex "log" "Taint warnings"
+&%taint%&: Log warnings about tainted data. This selector can't be
+turned of if &%allow_insecure_tainted_data%& is false (which is the
+default).
+.next
.cindex "log" "TLS cipher"
.cindex "TLS" "logging cipher"
&%tls_cipher%&: When a message is sent or received over an encrypted