X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/7f6c1f2e14fd20ffe43c86087ab0aca50f240d00..c679ee08b006c8fe4c62b353d909c992a725fc11:/doc/doc-docbook/spec.xfpt?ds=inline diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c1e451d4d..585f5e310 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -7839,6 +7839,17 @@ ${lookup redis{set keyname ${quote_redis:objvalue plus}}} ${lookup redis{get keyname}} .endd +As of release 4.91, "lightweight" support for Redis Cluster is available. +Requires &%redis_servers%& list to contain all the servers in the cluster, all +of which must be reachable from the running exim instance. If the cluster has +master/slave replication, the list must contain all the master and slave +servers. + +When the Redis Cluster returns a "MOVED" response to a query, exim does not +immediately follow the redirection but treats the response as a DEFER, moving on +to the next server in the &%redis_servers%& list until the correct server is +reached. + .ecindex IIDfidalo1 .ecindex IIDfidalo2 @@ -28153,7 +28164,16 @@ If verification was successful using DANE then the "CV" item in the delivery log There is a new variable &$tls_out_dane$& which will have "yes" if verification succeeded using DANE and "no" otherwise (only useful -in combination with EXPERIMENTAL_EVENT), and a new variable &$tls_out_tlsa_usage$& (detailed above). +in combination with events; see &<>&), +and a new variable &$tls_out_tlsa_usage$& (detailed above). + +.cindex DANE reporting +An event (see &<>&) of type "dane:fail" will be raised on failures +to achieve DANE-verified connection, if one was either requested and offered, or +required. This is intended to support TLS-reporting as defined in +&url(https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt-17). +The &$event_data$& will be one of the Result Types defined in +Section 4.3 of that document. Under GnuTLS, DANE is only supported from version 3.0.0 onwards. .wen @@ -31797,9 +31817,9 @@ though individual ones can be included or not at build time: .vitem &%avast%& .cindex "virus scanners" "avast" This is the scanner daemon of Avast. It has been tested with Avast Core -Security (currently at version 1.1.7). -You can get a trial version at &url(http://www.avast.com) or for Linux -at &url(http://www.avast.com/linux-server-antivirus). +Security (currently at version 2.2.0). +You can get a trial version at &url(https://www.avast.com) or for Linux +at &url(https://www.avast.com/linux-server-antivirus). This scanner type takes one option, which can be either a full path to a UNIX socket, or host and port specifiers separated by white space. @@ -31826,6 +31846,8 @@ $ socat UNIX:/var/run/avast/scan.sock STDIO: PACK .endd +Only the first virus detected will be reported. + .vitem &%aveserver%& .cindex "virus scanners" "Kaspersky" @@ -39040,11 +39062,13 @@ This variable can be overwritten using an ACL 'set' modifier. This might, for instance, be done to enforce a policy restriction on hash-method or key-size: .code - warn condition = ${if eq {$dkim_algo}{rsa-sha1}} - condition = ${if eq {$dkim_verify_status}{pass}} + warn condition = ${if eq {$dkim_verify_status}{pass}} + condition = ${if eq {$len_3:$dkim_algo}{rsa}} + condition = ${if or {eq {$dkim_algo}{rsa-sha1}} \ + {< {$dkim_key_length}{1024}} } logwrite = NOTE: forcing dkim verify fail (was pass) set dkim_verify_status = fail - set dkim_verify_reason = hash too weak + set dkim_verify_reason = hash too weak or key too short .endd After all the DKIM ACL runs have completed, the value becomes a @@ -39133,6 +39157,9 @@ UNIX timestamp reflecting the date and time when the signer wants the signature to be treated as "expired". When this was not specified by the signer, "9999999999999" is returned. This makes it possible to do useful integer size comparisons against this value. +.new +Note that Exim does not check this value. +.wen .vitem &%$dkim_headernames%& A colon-separated list of names of headers included in the signature. @@ -39166,6 +39193,7 @@ less than 1024 bits as valid signatures. To enforce this you must have a DKIM ACL which checks this variable and overwrites the &$dkim_verify_status$& variable as discussed above. +As EC keys are much smaller, the check should only do this for RSA keys. .wen .endlist @@ -39703,6 +39731,7 @@ expansion must check this, as it will be called for every possible event type. The current list of events is: .display +&`dane:fail after transport `& per connection &`msg:complete after main `& per message &`msg:delivery after transport `& per recipient &`msg:rcpt:host:defer after transport `& per recipient per host @@ -39731,6 +39760,7 @@ should define the event action. An additional variable, &$event_data$&, is filled with information varying with the event type: .display +&`dane:fail `& failure reason &`msg:delivery `& smtp confirmation message &`msg:rcpt:host:defer `& error string &`msg:rcpt:defer `& error string @@ -39758,15 +39788,12 @@ The expansion of the event_action option should normally return an empty string. Should it return anything else the following will be forced: .display -&`msg:delivery `& (ignored) -&`msg:host:defer `& (ignored) -&`msg:fail:delivery`& (ignored) &`tcp:connect `& do not connect -&`tcp:close `& (ignored) &`tls:cert `& refuse verification &`smtp:connect `& close connection .endd -No other use is made of the result string. +All other message types ignore the result string, and +no other use is made of it. For a tcp:connect event, if the connection is being made to a proxy then the address and port variables will be that of the proxy and not