X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/5d9c27ecfbf6ac99d49c3e72e14737e1407c8d59..400eda432747c1844509404aa905a76ea78fc8ed:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index fa29a2524..f90427020 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.57 2009/10/16 08:49:47 tom Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.62 2009/10/26 13:10:23 nm4 Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -6138,7 +6138,7 @@ IPv6 addresses must be enclosed in quotes to prevent the first internal colon being interpreted as a key terminator. For example: .code 1.2.3.4: data for 1.2.3.4 -192.168.0.0/16 data for 192.168.0.0/16 +192.168.0.0/16: data for 192.168.0.0/16 "abcd::cdab": data for abcd::cdab "abcd:abcd::/32" data for abcd:abcd::/32 .endd @@ -11000,7 +11000,7 @@ precise size of the file that has been written. See also &$message_body_size$&, &$body_linecount$&, and &$body_zerocount$&. .cindex "RCPT" "value of &$message_size$&" -While running an ACL at the time of an SMTP RCPT command, &$message_size$& +While running a per message ACL (mail/rcpt/predata), &$message_size$& contains the size supplied on the MAIL command, or -1 if no size was given. The value may not, of course, be truthful. @@ -12368,6 +12368,7 @@ listed in more than one group. .row &%gnutls_require_kx%& "control GnuTLS key exchanges" .row &%gnutls_require_mac%& "control GnuTLS MAC algorithms" .row &%gnutls_require_protocols%& "control GnuTLS protocols" +.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" .row &%tls_crl%& "certificate revocation list" 
@@ -13367,6 +13368,11 @@ server. For details, see section &<>&. This option controls the protocols when GnuTLS is used in an Exim server. For details, see section &<>&. +.option gnutls_compat_mode main boolean unset +This option controls whether GnuTLS is used in compatibility mode in an Exim +server. This reduces security slightly, but improves interworking with older +implementations of TLS. + .option headers_charset main string "see below" This option sets a default character set for translating from encoded MIME @@ -13438,7 +13444,7 @@ do. By default, Exim just checks the syntax of HELO and EHLO commands (see &%helo_accept_junk_hosts%& and &%helo_allow_chars%&). However, some sites like to do more extensive checking of the data supplied by these commands. The ACL -condition &`verify`& &`=`& &`helo`& is provided to make this possible. +condition &`verify = helo`& is provided to make this possible. Formerly, it was necessary also to set this option (&%helo_try_verify_hosts%&) to force the check to occur. From release 4.53 onwards, this is no longer necessary. If the check has not been done before &`verify`& &`=`& &`helo`& is @@ -17840,10 +17846,10 @@ redirection items of the form :defer: :fail: .endd -respectively. When a redirection list contains such an item, it applies to the -entire redirection; any other items in the list are ignored (&':blackhole:'& is -different). Any text following &':fail:'& or &':defer:'& is placed in the error -text associated with the failure. For example, an alias file might contain: +respectively. When a redirection list contains such an item, it applies +to the entire redirection; any other items in the list are ignored. Any +text following &':fail:'& or &':defer:'& is placed in the error text +associated with the failure. For example, an alias file might contain: .code X.Employee: :fail: Gone away, no forwarding address .endd 
@@ -21467,6 +21473,11 @@ client. For details, see section &<>&. This option controls the protocols when GnuTLS is used in an Exim client. For details, see section &<>&. +.option gnutls_compat_mode main boolean unset +This option controls whether GnuTLS is used in compatibility mode in an Exim +server. This reduces security slightly, but improves interworking with older +implementations of TLS. + .option helo_data smtp string&!! "see below" .cindex "HELO" "argument, setting" .cindex "EHLO" "argument, setting" @@ -26989,7 +27000,7 @@ entry must set the rate for the same key (otherwise it will always be zero). For example: .code acl_check_connect: - deny ratelimit = 100 / 5m / strict / noupdate + deny ratelimit = 100 / 5m / strict / per_cmd / noupdate log_message = RATE: $sender_rate/$sender_rate_period \ (max $sender_rate_limit) .endd 
@@ -34406,39 +34417,48 @@ runtime of the ACL. Calling the ACL only for existing signatures is not sufficient to build more advanced policies. For that reason, the global option &%dkim_verify_signers%&, and a global expansion variable -&%$dkim_signing_domains%& exist. +&%$dkim_signers%& exist. The global option &%dkim_verify_signers%& can be set to a colon-separated list of DKIM domains or identities for which the ACL &%acl_smtp_dkim%& is called. It is expanded when the message has been received. At this point, -the expansion variable &%$dkim_signing_domains%& already contains a colon- -separated list of signer domains for the message. When &%dkim_verify_signers%& -is not specified in the main configuration, it defaults as: +the expansion variable &%$dkim_signers%& already contains a colon- +separated list of signer domains and identities for the message. When +&%dkim_verify_signers%& is not specified in the main configuration, +it defaults as: .code -dkim_verify_signers = $dkim_signing_domains +dkim_verify_signers = $dkim_signers .endd This leads to the default behaviour of calling &%acl_smtp_dkim%& for each DKIM signature in the message. Current DKIM verifiers may want to explicitly call the ACL for known domains or identities. This would be achieved as follows: .code -dkim_verify_signers = paypal.com:ebay.com:$dkim_signing_domains +dkim_verify_signers = paypal.com:ebay.com:$dkim_signers .endd This would result in &%acl_smtp_dkim%& always being called for "paypal.com" -and "ebay.com", plus all domains that have signatures in the message. You can -also be more creative in constructing your policy. Example: +and "ebay.com", plus all domains and identities that have signatures in the message. +You can also be more creative in constructing your policy. 
Example: .code -dkim_verify_signers = $sender_address_domain:$dkim_signing_domains +dkim_verify_signers = $sender_address_domain:$dkim_signers .endd +If a domain or identity is listed several times in the (expanded) value of +&%dkim_verify_signers%&, the ACL is only called once for that domain or identity. + + Inside the &%acl_smtp_dkim%&, the following expansion variables are available (from most to least important): .vlist +.vitem &%$dkim_cur_signer%& +The signer that is being evaluated in this ACL run. This can be domain or +an identity. This is one of the list items from the expanded main option +&%dkim_verify_signers%& (see above). .vitem &%$dkim_verify_status%& A string describing the general status of the signature. One of .ilist &%none%&: There is no signature in the message for the current domain or -identity. +identity (as reflected by &%$dkim_cur_signer%&). .next &%invalid%&: The signature could not be verified due to a processing error. More detail is available in &%$dkim_verify_reason%&. 
@@ -34469,14 +34489,12 @@ DKIM verification. It may of course also mean that the signature is forged. .endlist .vitem &%$dkim_domain%& The signing domain. IMPORTANT: This variable is only populated if there is -ab actual signature in the message. It does NOT neccessarily carry the -domain that is currently being evaluated. Please use the &%dkim_signers%& ACL -condition for that. +an actual signature in the message for the current domain or identity (as +reflected by &%$dkim_cur_signer%&). .vitem &%$dkim_identity%& -The signing identity. IMPORTANT: This variable is only populated if there is -ab actual signature in the message. It does NOT neccessarily carry the -identity that is currently being evaluated. Please use the &%dkim_signers%& ACL -condition for that. +The signing identity, if present. IMPORTANT: This variable is only populated +if there is an actual signature in the message for the current domain or +identity (as reflected by &%$dkim_cur_signer%&). .vitem &%$dkim_selector%& The key record selector string .vitem &%$dkim_algo%& @@ -34521,8 +34539,9 @@ In addition, two ACL conditions are provided: .vlist .vitem &%dkim_signers%& ACL condition that checks a colon-separated list of domains or identities -for a match against the domain or identity that the ACL is currently verifying. -This is typically used to restrict an ACL verb to a group of domains or identities, like: +for a match against the domain or identity that the ACL is currently verifying +(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL +verb to a group of domains or identities, like: .code # Warn when message apparently from GMail has no signature at all
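Review bot: in the hunk at `@@ -6138`, only one of the two example lines that lacked a key-terminating colon gets one: `192.168.0.0/16: data for 192.168.0.0/16` is fixed, but `"abcd:abcd::/32" data for abcd:abcd::/32` still has no colon while its neighbours `1.2.3.4:` and `"abcd::cdab":` do. If the mix is deliberate, to show that the colon after a key is optional, the sentence introducing the example should say so; otherwise make all four lines consistent so readers do not copy the inconsistency into their own lookup files.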
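Review bot: in the hunk at `@@ -11000`, the rewritten sentence now covers the MAIL, RCPT and PREDATA ACLs, but the index entry just above it, `.cindex "RCPT" "value of &$message_size$&"`, is unchanged and still files the variable under RCPT only; widen or duplicate the index entry so that readers looking under MAIL or PREDATA find the note that the value is taken from the MAIL command and "may not, of course, be truthful". Also, "per message ACL" is used adjectivally and should be hyphenated as "per-message ACL".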
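Review bot: in the hunks at `@@ -12368` and `@@ -13367`, the new `gnutls_compat_mode` option is documented only as "This reduces security slightly, but improves interworking with older implementations of TLS", which does not tell an administrator what compatibility mode actually relaxes, so the trade-off cannot be judged; the option text should name the behaviour that changes when it is set. Separately, the summary-table row `.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"` and the `.option` entry are both placed after `gnutls_require_protocols`, whereas the surrounding `gnutls_require_*` rows are in alphabetical order and `gnutls_compat_mode` would sort before them; move both to keep the ordering.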
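Review bot: in the hunk at `@@ -13438`, the markup is simplified to `&`verify = helo`&` on the changed line, but the unchanged context two lines later still uses the old form, "If the check has not been done before &`verify`& &`=`& &`helo`& is"; update that occurrence in the same change so the paragraph renders the condition consistently.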
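Review bot: the hunk at `@@ -17840` silently drops the parenthetical "(&':blackhole:'& is different)" from the description of `:defer:` and `:fail:`. If `:blackhole:` does still behave differently from these two items (that is, does not override the rest of the list), the distinction is useful to readers of this paragraph and should be kept or moved rather than deleted; if the statement was wrong, the commit message should say so, since removing a behavioural claim from the manual is a content change, not a rewrap.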
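Review bot: the hunk at `@@ -21467` adds the new option to the smtp transport section (the surrounding context reads "when GnuTLS is used in an Exim client") but the inserted text is a verbatim copy of the main-section entry: the header says `.option gnutls_compat_mode main boolean unset` and the body says "in an Exim server". Both are wrong for this section; the header should name the transport (`smtp`, as the following `.option helo_data smtp string&!!` line does) and the body should say "client". As written, the manual documents a transport option under the wrong name and scope.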
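Review bot: in the hunk at `@@ -26989`, the example changes to `deny ratelimit = 100 / 5m / strict / per_cmd / noupdate`. The sentence immediately above it states that the `noupdate` entry "must set the rate for the same key (otherwise it will always be zero)", so the entry that actually updates the counter, which this example is paired with, must use the same `per_cmd` setting; please confirm that the paired example elsewhere in the section was changed in step, otherwise the two examples now describe mismatched keys and the reader will see the zero rate the text warns about.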
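Review bot: the hunks at `@@ -34406`, `@@ -34469` and `@@ -34521` rename the user-visible variable `$dkim_signing_domains` to `$dkim_signers` and introduce `$dkim_cur_signer`; since this is a rename of a documented expansion variable, check that no other occurrence of `$dkim_signing_domains` remains in spec.xfpt and that the change notes mention the old name. Two small wording issues in the added lines: "This can be domain or an identity" should read "This can be a domain or an identity", and the wrapped "colon-" / "separated" (hyphen at end of line) is carried over unchanged from the old text and should be rejoined as "colon-separated" on one line so the output is not affected by the line break.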