X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/8d042305ef14df8cabcf7ae33767d019741dd59f..9e716cdf98e2c9e771471249a6b75e7481a54b0b:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 33c8e5e2b..15e36f7ac 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11509,18 +11509,6 @@ contain the trailing slash. If &$config_file$& does not contain a slash, .vindex "&$config_file$&" The name of the main configuration file Exim is using. -.vitem &$demime_errorlevel$& -.vindex "&$demime_errorlevel$&" -This variable is available when Exim is compiled with -the content-scanning extension and the obsolete &%demime%& condition. For -details, see section &<>&. - -.vitem &$demime_reason$& -.vindex "&$demime_reason$&" -This variable is available when Exim is compiled with the -content-scanning extension and the obsolete &%demime%& condition. For details, -see section &<>&. - .vitem &$dkim_cur_signer$& &&& &$dkim_verify_status$& &&& &$dkim_verify_reason$& &&& @@ -11652,12 +11640,6 @@ The first character is a major version number, currently 4. Then after a dot, the next group of digits is a minor version number. There may be other characters following the minor version. -.vitem &$found_extension$& -.vindex "&$found_extension$&" -This variable is available when Exim is compiled with the -content-scanning extension and the obsolete &%demime%& condition. For details, -see section &<>&. - .vitem &$header_$&<&'name'&> This is not strictly an expansion variable. It is expansion syntax for inserting the message header line with the given name. Note that the name must @@ -12157,10 +12139,10 @@ a single-component name, Exim calls &[gethostbyname()]& (or qualified host name. See also &$smtp_active_hostname$&. -.vitem &$proxy_host_address$& &&& - &$proxy_host_port$& &&& - &$proxy_target_address$& &&& - &$proxy_target_port$& &&& +.vitem &$proxy_external_address$& &&& + &$proxy_external_port$& &&& + &$proxy_local_address$& &&& + &$proxy_local_port$& &&& &$proxy_session$& These variables are only available when built with Proxy Protocol or Socks5 support @@ -12995,6 +12977,17 @@ overriding the setting of &%perl_at_start%&. There is also a command line option &%-pd%& (for delay) which suppresses the initial startup, even if &%perl_at_start%& is set. +.new +.ilist +.oindex "&%perl_taintmode%&" +.cindex "Perl" "taintmode" +To provide more security executing Perl code via the embedded Perl +interpeter, the &%perl_taintmode%& option can be set. This enables the +taint mode of the Perl interpreter. You are encouraged to set this +option to a true value. To avoid breaking existing installations, it +defaults to false. +.wen + .section "Calling Perl subroutines" "SECID86" When the configuration file includes a &%perl_startup%& option you can make use @@ -13523,6 +13516,7 @@ listed in more than one group. .table2 .row &%perl_at_start%& "always start the interpreter" .row &%perl_startup%& "code to obey when starting Perl" +.row &%perl_taintmode%& "enable taint mode in Perl" .endtable @@ -15640,14 +15634,20 @@ local parts. Exim's default configuration does this. .option perl_at_start main boolean false +.cindex "Perl" This option is available only when Exim is built with an embedded Perl interpreter. See chapter &<>& for details of its use. .option perl_startup main string unset +.cindex "Perl" This option is available only when Exim is built with an embedded Perl interpreter. See chapter &<>& for details of its use. +.option perl_startup main boolean false +.cindex "Perl" +This Option enables the taint mode of the embedded Perl interpreter. + .option pgsql_servers main "string list" unset .cindex "PostgreSQL lookup type" "server list" @@ -26901,7 +26901,8 @@ Documentation of the strings accepted may be found in the GnuTLS manual, under &url(http://www.gnutls.org/manual/html_node/Priority-Strings.html), but beware that this relates to GnuTLS 3, which may be newer than the version installed on your system. If you are using GnuTLS 3, -&url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string, then the example code) +then the example code +&url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string) on that site can be used to test a given string. For example: @@ -29173,12 +29174,6 @@ If all goes well, the condition is true. It is false only if there are problems such as a syntax error or a memory shortage. For more details, see chapter &<>&. -.vitem &*demime&~=&~*&<&'extension&~list'&> -.cindex "&%demime%& ACL condition" -This condition is available only when Exim is compiled with the -content-scanning extension. Its use is described in section -&<>&. - .vitem &*dnslists&~=&~*&<&'list&~of&~domain&~names&~and&~other&~data'&> .cindex "&%dnslists%& ACL condition" .cindex "DNS list" "in ACL" @@ -30989,10 +30984,6 @@ conditions. Two new main configuration options: &%av_scanner%& and &%spamd_address%&. .endlist -There is another content-scanning configuration option for &_Local/Makefile_&, -called WITH_OLD_DEMIME. If this is set, the old, deprecated &%demime%& ACL -condition is compiled, in addition to all the other content-scanning features. - Content-scanning is continually evolving, and new features are still being added. While such features are still unstable and liable to incompatible changes, they are made available in Exim by setting options whose names begin @@ -31242,7 +31233,7 @@ This is a daemon type scanner that is aimed mainly at Polish users, though some parts of documentation are now available in English. You can get it at &url(http://linux.mks.com.pl/). The only option for this scanner type is the maximum number of processes used simultaneously to scan the attachments, -provided that the demime facility is employed and also provided that mksd has +provided that mksd has been run with at least the same number of child processes. For example: .code av_scanner = mksd:2 @@ -31333,23 +31324,17 @@ When a virus is found, the condition sets up an expansion variable called &%message%& modifier that specifies the error returned to the sender, and/or in logging data. -If your virus scanner cannot unpack MIME and TNEF containers itself, you should -use the &%demime%& condition (see section &<>&) before the -&%malware%& condition. - Beware the interaction of Exim's &%message_size_limit%& with any size limits imposed by your anti-virus scanner. Here is a very simple scanning example: .code deny message = This message contains malware ($malware_name) - demime = * malware = * .endd The next example accepts messages when there is a problem with the scanner: .code deny message = This message contains malware ($malware_name) - demime = * malware = */defer_ok .endd The next example shows how to use an ACL variable to scan with both sophie and @@ -31845,90 +31830,6 @@ are set to any substrings captured by the regular expression. &*Warning*&: With large messages, these conditions can be fairly CPU-intensive. - - - -.section "The demime condition" "SECTdemimecond" -.cindex "content scanning" "MIME checking" -.cindex "MIME content scanning" -The &%demime%& ACL condition provides MIME unpacking, sanity checking and file -extension blocking. It is usable only in the DATA and non-SMTP ACLs. The -&%demime%& condition uses a simpler interface to MIME decoding than the MIME -ACL functionality, but provides no additional facilities. Please note that this -condition is deprecated and kept only for backward compatibility. You must set -the WITH_OLD_DEMIME option in &_Local/Makefile_& at build time to be able to -use the &%demime%& condition. - -The &%demime%& condition unpacks MIME containers in the message. It detects -errors in MIME containers and can match file extensions found in the message -against a list. Using this facility produces files containing the unpacked MIME -parts of the message in the temporary scan directory. If you do antivirus -scanning, it is recommended that you use the &%demime%& condition before the -antivirus (&%malware%&) condition. - -On the right-hand side of the &%demime%& condition you can pass a -colon-separated list of file extensions that it should match against. For -example: -.code -deny message = Found blacklisted file attachment - demime = vbs:com:bat:pif:prf:lnk -.endd -If one of the file extensions is found, the condition is true, otherwise it is -false. If there is a temporary error while demimeing (for example, &"disk -full"&), the condition defers, and the message is temporarily rejected (unless -the condition is on a &%warn%& verb). - -The right-hand side is expanded before being treated as a list, so you can have -conditions and lookups there. If it expands to an empty string, &"false"&, or -zero (&"0"&), no demimeing is done and the condition is false. - -The &%demime%& condition set the following variables: - -.vlist -.vitem &$demime_errorlevel$& -.vindex "&$demime_errorlevel$&" -When an error is detected in a MIME container, this variable contains the -severity of the error, as an integer number. The higher the value, the more -severe the error (the current maximum value is 3). If this variable is unset or -zero, no error occurred. - -.vitem &$demime_reason$& -.vindex "&$demime_reason$&" -When &$demime_errorlevel$& is greater than zero, this variable contains a -human-readable text string describing the MIME error that occurred. -.endlist - -.vlist -.vitem &$found_extension$& -.vindex "&$found_extension$&" -When the &%demime%& condition is true, this variable contains the file -extension it found. -.endlist - -Both &$demime_errorlevel$& and &$demime_reason$& are set by the first call of -the &%demime%& condition, and are not changed on subsequent calls. - -If you do not want to check for file extensions, but rather use the &%demime%& -condition for unpacking or error checking purposes, pass &"*"& as the -right-hand side value. Here is a more elaborate example of how to use this -facility: -.code -# Reject messages with serious MIME container errors -deny message = Found MIME error ($demime_reason). - demime = * - condition = ${if >{$demime_errorlevel}{2}{1}{0}} - -# Reject known virus spreading file extensions. -# Accepting these is pretty much braindead. -deny message = contains $found_extension file (blacklisted). - demime = com:vbs:bat:pif:scr - -# Freeze .exe and .doc files. Postmaster can -# examine them and eventually thaw them. -deny log_message = Another $found_extension file. - demime = exe:doc - control = freeze -.endd .ecindex IIDcosca @@ -38307,13 +38208,13 @@ The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces of the proxy): .display -&'proxy_host_address '& internal IP address of the proxy -&'proxy_host_port '& internal TCP port of the proxy -&'proxy_target_address '& external IP address of the proxy -&'proxy_target_port '& external TCP port of the proxy +&'proxy_external_address '& IP of host being proxied or IP of remote interface of proxy +&'proxy_external_port '& Port of host being proxied or Port on remote interface of proxy +&'proxy_local_address '& IP of proxy server inbound or IP of local interface of proxy +&'proxy_local_port '& Port of proxy server inbound or Port on local interface of proxy &'proxy_session '& boolean: SMTP connection via proxy .endd -If &$proxy_session$& is set but &$proxy_host_address$& is empty +If &$proxy_session$& is set but &$proxy_external_address$& is empty there was a protocol error. Since the real connections are all coming from the proxy, and the