X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/5a2f75c8079c858e14cfb054bc20580a31cecee6..cf1cce5e82df2da1875f51ef25fd4259d6e33e61:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f5eda68cd..7ad6f0275 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11661,7 +11661,7 @@ The name of the main configuration file Exim is using. .vitem &$dkim_verify_status$& &&& Results of DKIM verification. -For details see chapter &<>&. +For details see section &<>&. .vitem &$dkim_cur_signer$& &&& &$dkim_verify_reason$& &&& @@ -11683,13 +11683,13 @@ For details see chapter &<>&. &$dkim_key_notes$& &&& &$dkim_key_length$& These variables are only available within the DKIM ACL. -For details see chapter &<>&. +For details see section &<>&. .vitem &$dkim_signers$& .vindex &$dkim_signers$& When a message has been received this variable contains a colon-separated list of signer domains and identities for the message. -For details see chapter &<>&. +For details see section &<>&. .vitem &$dnslist_domain$& &&& &$dnslist_matched$& &&& @@ -12833,6 +12833,14 @@ A number of variables whose names start with &$spam$& are available when Exim is compiled with the content-scanning extension. For details, see section &<>&. +.new +.vitem &$spf_header_comment$& &&& + &$spf_received$& &&& + &$spf_result$& &&& + &$spf_smtp_comment$& +These variables are only available if Exim is built with SPF support. +For details see section &<>&. +.wen .vitem &$spool_directory$& .vindex "&$spool_directory$&" @@ -14086,7 +14094,7 @@ acknowledgment is sent. See chapter &<>& for further details. This option defines the ACL that is run for each DKIM signature (by default, or as specified in the dkim_verify_signers option) of a received message. -See chapter &<>& for further details. +See section &<>& for further details. .option acl_smtp_etrn main string&!! unset .cindex "ETRN" "ACL for" @@ -14619,7 +14627,7 @@ to handle IPv6 literal addresses. This option gives a list of DKIM domains for which the DKIM ACL is run. It is expanded after the message is received; by default it runs the ACL once for each signature in the message. -See chapter &<>&. +See section &<>&. .option dns_again_means_nonexist main "domain list&!!" unset @@ -14685,6 +14693,7 @@ If the resolver library does not support DNSSEC then this option has no effect. .option dns_ipv4_lookup main "domain list&!!" unset .cindex "IPv6" "DNS lookup for AAAA records" .cindex "DNS" "IPv6 lookup for AAAA records" +.cindex DNS "IPv6 disabling" When Exim is compiled with IPv6 support and &%disable_ipv6%& is not set, it looks for IPv6 address records (AAAA records) as well as IPv4 address records (A records) when trying to find IP addresses for hosts, unless the host's @@ -16804,17 +16813,21 @@ response to EHLO only to those client hosts that match this option. See chapter &<>& for details of Exim's support for internationalisation. -.option spamd_address main string "see below" +.option spamd_address main string "127.0.0.1 783" This option is available when Exim is compiled with the content-scanning extension. It specifies how Exim connects to SpamAssassin's &%spamd%& daemon. -The default value is -.code -127.0.0.1 783 -.endd See section &<>& for more details. +.new +.option spf_guess main string "v=spf1 a/24 mx/24 ptr ?all" +This option is available when Exim is compiled with SPF support. +See section &<>& for more details. +.wen + + + .option split_spool_directory main boolean false .cindex "multiple spool directories" .cindex "spool directory" "split" @@ -18733,7 +18746,9 @@ records. MX records of equal priority are sorted by Exim into a random order. Exim then looks for address records for the host names obtained from MX or SRV records. When a host has more than one IP address, they are sorted into a random order, -except that IPv6 addresses are always sorted before IPv4 addresses. If all the +.new +except that IPv6 addresses are sorted before IPv4 addresses. If all the +.wen IP addresses found are discarded by a setting of the &%ignore_target_hosts%& generic option, the router declines. @@ -18866,6 +18881,24 @@ However, it will result in any message with mistyped domains also being queued. +.new +.option ipv4_only "string&!!" unset +.cindex IPv6 disabling +.cindex DNS "IPv6 disabling" +The string is expanded, and if the result is anything but a forced failure, +or an empty string, or one of the strings “0” or “no” or “false” +(checked without regard to the case of the letters), +only A records are used. + +.option ipv4_prefer "string&!!" unset +.cindex IPv4 preference +.cindex DNS "IPv4 preference" +The string is expanded, and if the result is anything but a forced failure, +or an empty string, or one of the strings “0” or “no” or “false” +(checked without regard to the case of the letters), +A records are sorted before AAAA records (inverting the default). +.wen + .option mx_domains dnslookup "domain list&!!" unset .cindex "MX record" "required to exist" .cindex "SRV record" "required to exist" @@ -19470,8 +19503,8 @@ whether obtained from an MX lookup or not. .section "How the options are used" "SECThowoptused" -The options are a sequence of words; in practice no more than three are ever -present. One of the words can be the name of a transport; this overrides the +The options are a sequence of words, space-separated. +One of the words can be the name of a transport; this overrides the &%transport%& option on the router for this particular routing rule only. The other words (if present) control randomization of the list of hosts on a per-rule basis, and how the IP addresses of the hosts are to be found when @@ -19491,6 +19524,12 @@ also look in &_/etc/hosts_& or other sources of information. &%bydns%&: look up address records for the hosts directly in the DNS; fail if no address records are found. If there is a temporary DNS error (such as a timeout), delivery is deferred. +.new +.next +&%ipv4_only%&: in direct DNS lookups, look up only A records. +.next +&%ipv4_prefer%&: in direct DNS lookups, sort A records before AAAA records. +.wen .endlist For example: @@ -27737,19 +27776,14 @@ option (prior to expansion) then the following options will be re-expanded during TLS session handshake, to permit alternative values to be chosen: .ilist -.vindex "&%tls_certificate%&" &%tls_certificate%& .next -.vindex "&%tls_crl%&" &%tls_crl%& .next -.vindex "&%tls_privatekey%&" &%tls_privatekey%& .next -.vindex "&%tls_verify_certificates%&" &%tls_verify_certificates%& .next -.vindex "&%tls_ocsp_file%&" &%tls_ocsp_file%& .endlist @@ -28120,7 +28154,7 @@ otherwise specified, the default action is to accept. This ACL is evaluated before &%acl_smtp_mime%& and &%acl_smtp_data%&. -For details on the operation of DKIM, see chapter &<>&. +For details on the operation of DKIM, see section &<>&. .section "The SMTP MIME ACL" "SECID194" @@ -29186,7 +29220,7 @@ contexts): .cindex "disable DKIM verify" .cindex "DKIM" "disable verify" This control turns off DKIM verification processing entirely. For details on -the operation and configuration of DKIM, see chapter &<>&. +the operation and configuration of DKIM, see section &<>&. .vitem &*control&~=&~dscp/*&<&'value'&> @@ -31541,7 +31575,10 @@ av_scanner = sophie:/var/run/sophie If the value of &%av_scanner%& starts with a dollar character, it is expanded before use. The usual list-parsing of the content (see &<>&) applies. -The following scanner types are supported in this release: +The following scanner types are supported in this release, +.new +though individual ones can be included or not at build time: +.wen .vlist .vitem &%avast%& @@ -36048,6 +36085,7 @@ the following table: &` `& command list for &"no mail in SMTP session"& &`CV `& certificate verification status &`D `& duration of &"no mail in SMTP session"& +&`DKIM`& domain verified in incoming message &`DN `& distinguished name from peer certificate &`DS `& DNSSEC secured lookups &`DT `& on &`=>`& lines: time taken for a delivery @@ -36066,6 +36104,7 @@ the following table: &` `& on &"Completed"& lines: time spent on queue &`R `& on &`<=`& lines: reference for local bounce &` `& on &`=>`& &`>>`& &`**`& and &`==`& lines: router name +&`RT `& on &`<=`& lines: time taken for reception &`S `& size of message in bytes &`SNI `& server name indication from TLS client hello &`ST `& shadow transport name @@ -36117,6 +36156,12 @@ A delivery set up by a router configured with .endd failed. The delivery was discarded. .endlist olist +.next +.new +.cindex DKIM "log line" +&'DKIM: d='&&~&~Verbose results of a DKIM verification attempt, if enabled for +logging and the message has a DKIM signature header. +.wen .endlist ilist @@ -36144,6 +36189,8 @@ selection marked by asterisks: &`*delay_delivery `& immediate delivery delayed &` deliver_time `& time taken to perform delivery &` delivery_size `& add &`S=`&&'nnn'& to => lines +&`*dkim `& DKIM verified domain on <= lines +&` dkim_verbose `& separate full DKIM verification result line, per signature &`*dnslist_defer `& defers of DNS list (aka RBL) lookups &` dnssec `& DNSSEC secured lookups &`*etrn `& ETRN commands @@ -36152,7 +36199,7 @@ selection marked by asterisks: &` incoming_interface `& local interface on <= and => lines &` incoming_port `& remote port on <= lines &`*lost_incoming_connection `& as it says (includes timeouts) -&` millisec `& millisecond timestamps and QT,DT,D times +&` millisec `& millisecond timestamps and RT,QT,DT,D times &` outgoing_interface `& local interface on => lines &` outgoing_port `& add remote port to => lines &`*queue_run `& start and end queue runs @@ -36243,13 +36290,24 @@ process is started because &%queue_only%& is set or &%-odq%& was used. &%deliver_time%&: For each delivery, the amount of real time it has taken to perform the actual delivery is logged as DT=<&'time'&>, for example, &`DT=1s`&. If millisecond logging is enabled, short times will be shown with greater -precision, eg. &`DT=0.304`&. +precision, eg. &`DT=0.304s`&. .next .cindex "log" "message size on delivery" .cindex "size" "of message" &%delivery_size%&: For each delivery, the size of message delivered is added to the &"=>"& line, tagged with S=. .next +.new +.cindex log "DKIM verification" +.cindex DKIM "verification logging" +&%dkim%&: For message acceptance log lines, when an DKIM signture in the header +verifies successfully a tag of DKIM is added, with one of the verified domains. +.next +.cindex log "DKIM verification" +.cindex DKIM "verification logging" +&%dkim_verbose%&: A log entry is written for each attempted DKIM verification. +.wen +.next .cindex "log" "dnslist defer" .cindex "DNS list" "logging defer" .cindex "black list (DNS)" @@ -36370,6 +36428,14 @@ precision, eg. &`QT=1.578s`&. the local host is logged as QT=<&'time'&> on &"Completed"& lines, for example, &`QT=3m45s`&. The clock starts when Exim starts to receive the message, so it includes reception time as well as the total delivery time. +.new +.next +.cindex "log" "receive duration" +&%receive_time%&: For each message, the amount of real time it has taken to +perform the reception is logged as RT=<&'time'&>, for example, &`RT=1s`&. +If millisecond logging is enabled, short times will be shown with greater +precision, eg. &`RT=0.204s`&. +.wen .next .cindex "log" "recipients" &%received_recipients%&: The recipients of a message are listed in the main log @@ -38485,15 +38551,23 @@ There is no dot-stuffing (and no dot-termination). . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// -.chapter "Support for DKIM (DomainKeys Identified Mail)" "CHAPdkim" &&& - "DKIM Support" +.chapter "DKIM and SPF" "CHAPdkim" &&& + "DKIM and SPF Support" .cindex "DKIM" +.section "DKIM (DomainKeys Identified Mail)" SECDKIM + DKIM is a mechanism by which messages sent by some entity can be provably linked to a domain which that entity controls. It permits reputation to be tracked on a per-domain basis, rather than merely upon source IP address. DKIM is documented in RFC 4871. +.new +As DKIM relies on the message being unchanged in transit, messages handled +by a mailing-list (which traditionally adds to the message) will not match +any original DKIM signature. +.wen + DKIM support is compiled into Exim by default if TLS support is present. It can be disabled by setting DISABLE_DKIM=yes in &_Local/Makefile_&. @@ -38513,8 +38587,12 @@ In typical Exim style, the verification implementation does not include any default "policy". Instead it enables you to build your own policy using Exim's standard controls. +.new Please note that verification of DKIM signatures in incoming mail is turned -on by default for logging purposes. For each signature in incoming email, +on by default for logging (in the <= line) purposes. + +Additional log detail can be enabled using the &%dkim_verbose%& log_selector. +When set, for each signature in incoming email, exim will log a line displaying the most important signature details, and the signature status. Here is an example (with line-breaks added for clarity): .code @@ -38523,6 +38601,8 @@ signature status. Here is an example (with line-breaks added for clarity): c=relaxed/relaxed a=rsa-sha1 i=@facebookmail.com t=1252484542 [verification succeeded] .endd +.wen + You might want to turn off DKIM verification processing entirely for internal or relay mail sources. To do that, set the &%dkim_disable_verify%& ACL control modifier. This should typically be done in the RCPT ACL, at points @@ -38533,6 +38613,18 @@ senders). .section "Signing outgoing messages" "SECDKIMSIGN" .cindex "DKIM" "signing" +.new +For signing to be usable you must have published a DKIM record in DNS. +Note that RFC 8301 says: +.code +rsa-sha1 MUST NOT be used for signing or verifying. + +Signers MUST use RSA keys of at least 1024 bits for all keys. +Signers SHOULD use RSA keys of at least 2048 bits. +.endd +.wen +.wen + Signing is enabled by setting private options on the SMTP transport. These options take (expandable) strings as arguments. @@ -38541,7 +38633,8 @@ The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn is put into the &%$dkim_domain%& expansion variable while expanding the remaining signing options. -If it is empty after expansion, DKIM signing is not done. +If it is empty after expansion, DKIM signing is not done, +and no error will result even if &%dkim_strict%& is set. .option dkim_selector smtp string list&!! unset This sets the key selector string. @@ -38549,7 +38642,8 @@ After expansion, which can use &$dkim_domain$&, this can be a list. Each element in turn is put in the expansion variable &%$dkim_selector%& which may be used in the &%dkim_private_key%& option along with &%$dkim_domain%&. -If the option is empty after expansion, DKIM signing is not done for this domain. +If the option is empty after expansion, DKIM signing is not done for this domain, +and no error will result even if &%dkim_strict%& is set. .option dkim_private_key smtp string&!! unset This sets the private key to use. @@ -38566,11 +38660,25 @@ be "0", "false" or the empty string, in which case the message will not be signed. This case will not result in an error, even if &%dkim_strict%& is set. .endlist -If the option is empty after expansion, DKIM signing is not done. + +.new +Note that RFC 8301 says: +.code +Signers MUST use RSA keys of at least 1024 bits for all keys. +Signers SHOULD use RSA keys of at least 2048 bits. +.endd +.wen .option dkim_hash smtp string&!! sha256 Can be set alternatively to &"sha1"& to use an alternate hash -method. Note that sha1 is now condidered insecure, and deprecated. +method. + +.new +Note that RFC 8301 says: +.code +rsa-sha1 MUST NOT be used for signing or verifying. +.endd +.wen .option dkim_identity smtp string&!! unset If set after expansion, the value is used to set an "i=" tag in @@ -38614,7 +38722,7 @@ will be signed, and one signtature added for a missing header with the name will be appended. -.section "Verifying DKIM signatures in incoming mail" "SECID514" +.section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY" .cindex "DKIM" "verification" Verification of DKIM signatures in SMTP incoming email is implemented via the @@ -38724,7 +38832,7 @@ re-written or otherwise changed in a way which is incompatible with DKIM verification. It may of course also mean that the signature is forged. .endlist -This variable can be overwritten using an ACL 'set' modifier. +This variable can be overwritten, with any value, using an ACL 'set' modifier. .vitem &%$dkim_domain%& The signing domain. IMPORTANT: This variable is only populated if there is @@ -38742,6 +38850,19 @@ The key record selector string. .vitem &%$dkim_algo%& The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'. +.new +Note that RFC 8301 says: +.code +rsa-sha1 MUST NOT be used for signing or verifying. + +DKIM signatures identified as having been signed with historic +algorithms (currently, rsa-sha1) have permanently failed evaluation +.endd + +To enforce this you must have a DKIM ACL which checks this variable +and overwrites the &$dkim_verify_status$& variable as discussed above. +.wen + .vitem &%$dkim_canon_body%& The body canonicalization method. One of 'relaxed' or 'simple'. @@ -38792,6 +38913,18 @@ Notes from the key record (tag n=). .vitem &%$dkim_key_length%& Number of bits in the key. + +.new +Note that RFC 8301 says: +.code +Verifiers MUST NOT consider signatures using RSA keys of +less than 1024 bits as valid signatures. +.endd + +To enforce this you must have a DKIM ACL which checks this variable +and overwrites the &$dkim_verify_status$& variable as discussed above. +.wen + .endlist In addition, two ACL conditions are provided: @@ -38831,6 +38964,178 @@ see the documentation of the &%$dkim_verify_status%& expansion variable above for more information of what they mean. .endlist + + + +.new +.section "SPF (Sender Policy Framework)" SECSPF +.cindex SPF verification + +SPF is a mechanism whereby a domain may assert which IP addresses may transmit +messages with its domain in the envelope from, documented by RFC 7208. +For more information on SPF see &url(http://www.openspf.org). + +Messages sent by a system not authorised will fail checking of such assertions. +This includes retransmissions done by traditional forwarders. + +SPF verification support is built into Exim if SUPPORT_SPF=yes is set in +&_Local/Makefile_&. The support uses the &_libspf2_& library +&url(http://www.libspf2.org/). +There is no Exim involvement on the trasmission of messages; publishing certain +DNS records is all that is required. + +For verification, an ACL condition and an expansion lookup are provided. + +.cindex SPF "ACL condition" +.cindex ACL "spf condition" +The ACL condition "spf" can be used at or after the MAIL ACL. +It takes as an argument a list of strings giving the outcome of the SPF check, +and will succeed for any matching outcome. +Valid strings are: +.vlist +.vitem &%pass%& +The SPF check passed, the sending host is positively verified by SPF. + +.vitem &%fail%& +The SPF check failed, the sending host is NOT allowed to send mail for the +domain in the envelope-from address. + +.vitem &%softfail%& +The SPF check failed, but the queried domain can't absolutely confirm that this +is a forgery. + +.vitem &%none%& +The queried domain does not publish SPF records. + +.vitem &%neutral%& +The SPF check returned a "neutral" state. This means the queried domain has +published a SPF record, but wants to allow outside servers to send mail under +its domain as well. This should be treated like "none". + +.vitem &%permerror%& +This indicates a syntax error in the SPF record of the queried domain. +You may deny messages when this occurs. (Changed in 4.83) + +.vitem &%temperror%& +This indicates a temporary error during all processing, including Exim's +SPF processing. You may defer messages when this occurs. +(Changed in 4.83) + +.vitem &%err_temp%& +Same as permerror, deprecated in 4.83, will be removed in a future release. + +.vitem &%err_perm%& +Same as temperror, deprecated in 4.83, will be removed in a future release. +.endlist + +You can prefix each string with an exclamation mark to invert +its meaning, for example "!fail" will match all results but +"fail". The string list is evaluated left-to-right, in a +short-circuit fashion. + +Example: +.code +deny spf = fail + message = $sender_host_address is not allowed to send mail from \ + ${if def:sender_address_domain \ + {$sender_address_domain}{$sender_helo_name}}. \ + Please see http://www.openspf.org/Why?scope=\ + ${if def:sender_address_domain {mfrom}{helo}};\ + identity=${if def:sender_address_domain \ + {$sender_address}{$sender_helo_name}};\ + ip=$sender_host_address +.endd + +When the spf condition has run, it sets up several expansion +variables: + +.cindex SPF "verification variables" +.vlist +.vitem &$spf_header_comment$& +.vindex &$spf_header_comment$& + This contains a human-readable string describing the outcome + of the SPF check. You can add it to a custom header or use + it for logging purposes. + +.vitem &$spf_received$& +.vindex &$spf_received$& + This contains a complete Received-SPF: header that can be + added to the message. Please note that according to the SPF + draft, this header must be added at the top of the header + list. Please see section 10 on how you can do this. + + Note: in case of "Best-guess" (see below), the convention is + to put this string in a header called X-SPF-Guess: instead. + +.vitem &$spf_result$& +.vindex &$spf_result$& + This contains the outcome of the SPF check in string form, + one of pass, fail, softfail, none, neutral, permerror or + temperror. + +.vitem &$spf_smtp_comment$& +.vindex &$spf_smtp_comment$& + This contains a string that can be used in a SMTP response + to the calling party. Useful for "fail". +.endlist + + +.cindex SPF "ACL condition" +.cindex ACL "spf_guess condition" +.cindex SPF "best guess" +In addition to SPF, you can also perform checks for so-called +"Best-guess". Strictly speaking, "Best-guess" is not standard +SPF, but it is supported by the same framework that enables SPF +capability. +Refer to &url(http://www.openspf.org/FAQ/Best_guess_record) +for a description of what it means. + +To access this feature, simply use the spf_guess condition in place +of the spf one. For example: + +.code +deny spf_guess = fail + message = $sender_host_address doesn't look trustworthy to me +.endd + +In case you decide to reject messages based on this check, you +should note that although it uses the same framework, "Best-guess" +is not SPF, and therefore you should not mention SPF at all in your +reject message. + +When the spf_guess condition has run, it sets up the same expansion +variables as when spf condition is run, described above. + +Additionally, since Best-guess is not standardized, you may redefine +what "Best-guess" means to you by redefining the main configuration +&%spf_guess%& option. +For example, the following: + +.code +spf_guess = v=spf1 a/16 mx/16 ptr ?all +.endd + +would relax host matching rules to a broader network range. + + +.cindex SPF "lookup expansion" +.cindex lookup spf +A lookup expansion is also available. It takes an email +address as the key and an IP address as the database: + +.code + ${lookup {username@domain} spf {ip.ip.ip.ip}} +.endd + +The lookup will return the same result strings as they can appear in +&$spf_result$& (pass,fail,softfail,neutral,none,err_perm,err_temp). +Currently, only IPv4 addresses are supported. + + +. wen-for SPF section +.wen + + . //////////////////////////////////////////////////////////////////////////// . ////////////////////////////////////////////////////////////////////////////