X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/a368cc11b211657f86f2495002823bc09b71a9f1..4284f0712acb9ba047fc32792472b348181d98d8:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index a05ad6650..a1f361339 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3910,7 +3910,7 @@ messages through the same SMTP connection. .oindex "&%-MCS%&" This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option, and passes on the fact that the -SMTP SIZE option should be used on messages delivered down the existing +ESMTP SIZE option should be used on messages delivered down the existing connection. .vitem &%-MCT%& @@ -4518,6 +4518,7 @@ appear in the correct order. Each flag is described in a separate item below. .cindex "queue" "routing" .cindex "routing" "whole queue before delivery" .cindex "first pass routing" +.cindex "queue runner" "two phase" An option starting with &%-qq%& requests a two-stage queue run. In the first stage, the queue is scanned as if the &%queue_smtp_domains%& option matched every domain. Addresses are routed, local deliveries happen, but no remote @@ -4525,6 +4526,10 @@ transports are run. .new Performance will be best if the &%queue_run_in_order%& option is false. +If that is so and the &%queue_fast_ramp%& option is true then +in the first phase of the run, +once a threshold number of messages are routed for a given host, +a delivery process is forked in parallel with the rest of the scan. .wen .cindex "hints database" "remembering routing" @@ -6641,6 +6646,8 @@ file that is searched could contain lines like this: .endd When the lookup succeeds, the result of the expansion is a list of domains (and possibly other types of item that are allowed in domain lists). +.cindex "tainted data" "de-tainting" +The result of the expansion is not tainted. In the second example, the lookup is a single item in a domain list. It causes Exim to use a lookup to see if the domain that is being processed can be found @@ -6661,6 +6668,18 @@ If the value of &$sender_host_address$& is 192.168.5.6, expansion of the first &%domains%& setting above generates the second setting, which therefore causes a second lookup to occur. +.new +The lookup type may optionally be followed by a comma +and a comma-separated list of options. +Each option is a &"name=value"& pair. +Whether an option is meaningful depands on the lookup type. + +All lookups support the option &"cache=no_rd"&. +If this is given then the cache that Exim manages for lookup results +is not checked before diong the lookup. +The result of the lookup is still written to the cache. +.wen + The rest of this chapter describes the different lookup types that are available. Any of them can be used in any part of the configuration where a lookup is permitted. @@ -6678,6 +6697,13 @@ lookup to succeed. The lookup type determines how the file is searched. .new .cindex "tainted data" "single-key lookups" The file string may not be tainted + +All single-key lookups support the option &"ret=key"&. +If this is given and the lookup +(either underlying implementation or cached value) +returns data, the result is replaced with a non-tainted +version of the lookup key. +.cindex "tainted data" "de-tainting" .wen .next .cindex "query-style lookup" "definition of" @@ -6856,6 +6882,29 @@ The final resulting element can be a simple JSON type or a JSON object or array; for the latter two a string-representation of the JSON is returned. For elements of type string, the returned value is de-quoted. + + +.new +.next +.cindex LMDB +.cindex lookup lmdb +.cindex database lmdb +&(lmdb)&: The given file is an LMDB database. +LMDB is a memory-mapped key-value store, +with API modeled loosely on that of BerkeleyDB. +See &url(https://symas.com/products/lightning-memory-mapped-database/) +for the feature set and operation modes. + +Exim provides read-only access via the LMDB C library. +The library can be obtained from &url(https://github.com/LMDB/lmdb) +or your operating system package repository. +To enable LMDB support in Exim set LOOKUP_LMDB=yes in &_Local/Makefile_&. + +You will need to separately create the LMDB database file, +possibly using the &"mdb_load"& utility. +.wen + + .next .cindex "linear search" .cindex "lookup" "lsearch" @@ -8528,7 +8577,7 @@ possible to use the same configuration file on several different hosts that differ only in their names. .new -The value for a match will be the primary host name/ +The value for a match will be the primary host name. .wen @@ -8541,10 +8590,11 @@ in square brackets (as in an email address that contains a domain literal), but only if that IP address is recognized as local for email routing purposes. The &%local_interfaces%& and &%extra_local_interfaces%& options can be used to control which of a host's several IP addresses are treated as local. -In today's Internet, the use of domain literals is controversial. +In today's Internet, the use of domain literals is controversial; +see the &%allow_domain_literals%& main option. .new -The value for a match will be the &`@[]`& string. +The value for a match will be the string &`@[]`&. .wen @@ -8615,6 +8665,8 @@ list item such as &`*key.ex`& matches &'donkey.ex'& as well as .new The value for a match will be the list element string (starting with the asterisk). +Additionally, &$0$& will be set to the matched string +and &$1$& to the variable portion which the asterisk matched. .wen .next @@ -8636,6 +8688,8 @@ expression by expansion, of course). .new The value for a match will be the list element string (starting with the circumflex). +Additionally, &$0$& will be set to the string matching the regular expression, +and &$1$& (onwards) to any submatches identified by parentheses. .wen @@ -10590,6 +10644,14 @@ ${sort {${lookup dnsdb{>:,,mx=example.com}}} {<} {${listextract{1}{<,$item}}}} will sort an MX lookup into priority order. + +.new +.vitem &*${srs_encode&~{*&<&'secret'&>&*}{*&<&'return&~path'&>&*}{*&<&'original&~domain'&>&*}}*& +SRS encoding. See SECT &<>& for details. +.wen + + + .vitem &*${substr{*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*& .cindex "&%substr%& expansion item" .cindex "substring extraction" @@ -11652,6 +11714,13 @@ includes the case of letters, whereas for &%gti%& the comparison is case-independent. Case and collation order are defined per the system C locale. + +.new +.vitem &*inbound_srs&~{*&<&'local&~part'&>&*}{*&<&'secret'&>&*}*& +SRS decode. See SECT &<>& for details. +.wen + + .vitem &*inlist&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&& &*inlisti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& .cindex "string" "comparison" @@ -13744,6 +13813,17 @@ the value of the Distinguished Name of the certificate is made available in the If certificate verification fails it may refer to a failing chain element which is not the leaf. + +.new +.vitem &$tls_in_resumption$& &&& + &$tls_out_resumption$& +.vindex &$tls_in_resumption$& +.vindex &$tls_out_resumption$& +.cindex TLS resumption +Observability for TLS session resumption. See &<>& for details. +.wen + + .vitem &$tls_in_sni$& .vindex "&$tls_in_sni$&" .vindex "&$tls_sni$&" @@ -14744,6 +14824,7 @@ See also the &'Policy controls'& section above. .row &%hold_domains%& "hold delivery for these domains" .row &%local_interfaces%& "for routing checks" .row &%queue_domains%& "no immediate delivery for these" +.row &%queue_fast_ramp%& "parallel delivery with 2-phase queue run" .row &%queue_only%& "no immediate delivery at all" .row &%queue_only_file%& "no immediate delivery if file exists" .row &%queue_only_load%& "no immediate delivery if load is high" @@ -14790,6 +14871,7 @@ Those options that undergo string expansion before use are marked with .cindex "8-bit characters" .cindex "log" "selectors" .cindex "log" "8BITMIME" +.cindex "ESMTP extensions" 8BITMIME This option causes Exim to send 8BITMIME in its response to an SMTP EHLO command, and to accept the BODY= parameter on MAIL commands. However, though Exim is 8-bit clean, it is not a protocol converter, and it @@ -15003,6 +15085,7 @@ That is, set the option to an empty string so that no check is done. .option auth_advertise_hosts main "host list&!!" * .cindex "authentication" "advertising" .cindex "AUTH" "advertising" +.cindex "ESMTP extensions" AUTH If any server authentication mechanisms are configured, Exim advertises them in response to an EHLO command only if the calling host matches this list. Otherwise, Exim does not advertise AUTH. @@ -15264,6 +15347,7 @@ may wish to deliberately disable them. .option chunking_advertise_hosts main "host list&!!" * .cindex CHUNKING advertisement .cindex "RFC 3030" "CHUNKING" +.cindex "ESMTP extensions" CHUNKING The CHUNKING extension (RFC3030) will be advertised in the EHLO message to these hosts. Hosts may use the BDAT command as an alternate to DATA. @@ -15615,6 +15699,7 @@ described in section &<>&. .cindex "bounce messages" "success" .cindex "DSN" "success" .cindex "Delivery Status Notification" "success" +.cindex "ESMTP extensions" DSN DSN extensions (RFC3461) will be advertised in the EHLO message to, and accepted from, these hosts. Hosts may use the NOTIFY and ENVID options on RCPT TO commands, @@ -15622,6 +15707,10 @@ and RET and ORCPT options on MAIL FROM commands. A NOTIFY=SUCCESS option requests success-DSN messages. A NOTIFY= option with no argument requests that no delay or failure DSNs are sent. +.new +&*Note*&: Supplying success-DSN messages has been criticised +on privacy grounds; it can leak details of internal forwarding. +.wen .option dsn_from main "string&!!" "see below" .cindex "&'From:'& header line" "in bounces" @@ -16503,6 +16592,11 @@ to depend on the IP address of the remote host for messages arriving via TCP/IP. After expansion, the value must be a sequence of decimal digits, optionally followed by K or M. +.cindex "SIZE" "ESMTP extension, advertising" +.cindex "ESMTP extensions" SIZE +If nonzero the value will be advertised as a parameter to the ESMTP SIZE +service extension keyword. + &*Note*&: This limit cannot be made to depend on a message's sender or any other properties of an individual message, because it has to be advertised in the server's response to EHLO. String expansion failure causes a temporary @@ -16770,6 +16864,7 @@ of the &%-oX%& option, unless a path is explicitly supplied by &%-oP%&. .option pipelining_advertise_hosts main "host list&!!" * .cindex "PIPELINING" "suppressing advertising" +.cindex "ESMTP extensions" PIPELINING This option can be used to suppress the advertisement of the SMTP PIPELINING extension to specific hosts. See also the &*no_pipelining*& control in section &<>&. When PIPELINING is not advertised and @@ -16781,6 +16876,7 @@ not count as protocol errors (see &%smtp_max_synprot_errors%&). .option pipelining_connect_advertise_hosts main "host list&!!" * .cindex "pipelining" "early connection" .cindex "pipelining" PIPE_CONNECT +.cindex "ESMTP extensions" X_PIPE_CONNECT If Exim is built with the SUPPORT_PIPE_CONNECT build option this option controls which hosts the facility is advertised to and from which pipeline early-connection (before MAIL) SMTP @@ -16794,6 +16890,7 @@ Currently the option name &"X_PIPE_CONNECT"& is used. .option prdr_enable main boolean false .cindex "PRDR" "enabling on server" +.cindex "ESMTP extensions" PRDR This option can be used to enable the Per-Recipient Data Response extension to SMTP, defined by Eric Hall. If the option is set, PRDR is advertised by Exim when operating as a server. @@ -16904,6 +17001,17 @@ domains that do not match are processed. All other deliveries wait until the next queue run. See also &%hold_domains%& and &%queue_smtp_domains%&. +.new +.option queue_fast_ramp main boolean false +.cindex "queue runner" "two phase" +.cindex "queue" "double scanning" +If set to true, two-phase queue runs, initiated using &%-qq%& on the +command line, may start parallel delivery processes during their first +phase. This will be done when a threshold number of messages have been +routed for a single host. +.wen + + .option queue_list_requires_admin main boolean true .cindex "restricting access to features" .oindex "&%-bp%&" @@ -17513,6 +17621,7 @@ hosts), you can do so by an appropriate use of a &%control%& modifier in an ACL .option smtp_etrn_command main string&!! unset .cindex "ETRN" "command to be run" +.cindex "ESMTP extensions" ETRN .vindex "&$domain$&" If this option is set, the given command is run whenever an SMTP ETRN command is received from a host that is permitted to issue such commands (see @@ -17693,7 +17802,8 @@ example, instead of &"Administrative prohibition"&, it might give: .option smtputf8_advertise_hosts main "host list&!!" * -.cindex "SMTPUTF8" "advertising" +.cindex "SMTPUTF8" "ESMTP extension, advertising" +.cindex "ESMTP extensions" SMTPUTF8 When Exim is built with support for internationalised mail names, the availability thereof is advertised in response to EHLO only to those client hosts that match this option. See @@ -17984,6 +18094,7 @@ unfortunately not all, operating systems. .cindex "TLS" "advertising" .cindex "encryption" "on SMTP connection" .cindex "SMTP" "encrypted connection" +.cindex "ESMTP extensions" STARTTLS When Exim is built with support for TLS encrypted connections, the availability of the STARTTLS command to set up an encrypted session is advertised in response to EHLO only to those client hosts that match this option. See @@ -18233,6 +18344,14 @@ preference order of the available ciphers. Details are given in sections &<>& and &<>&. +.new +.option tls_resumption_hosts main "host list&!!" unset +.cindex TLS resumption +This option controls which connections to offer the TLS resumption feature. +See &<>& for details. +.wen + + .option tls_try_verify_hosts main "host list&!!" unset .cindex "TLS" "client certificate verification" .cindex "certificate" "verification of client" @@ -22391,7 +22510,7 @@ message. For example, a content scan could insert a new header line containing a spam score. This could be interpreted by a filter in the user's MUA. It is not possible to discard a message at this stage. -.cindex "SMTP" "SIZE" +.cindex "SIZE" "ESMTP extension" A problem might arise if the filter increases the size of a message that is being sent down an SMTP connection. If the receiving SMTP server has indicated support for the SIZE parameter, Exim will have sent the size of the message @@ -25104,7 +25223,8 @@ facilities such as AUTH, PIPELINING, SIZE, and STARTTLS. .option hosts_avoid_pipelining smtp "host list&!!" unset .cindex "PIPELINING" "avoiding the use of" -Exim will not use the SMTP PIPELINING extension when delivering to any host +.cindex "ESMTP extensions" PIPELINING +Exim will not use the ESMTP PIPELINING extension when delivering to any host that matches this list, even if the server host advertises PIPELINING support. .option hosts_pipe_connect smtp "host list&!!" unset @@ -25308,6 +25428,7 @@ such as DNSBL lookups, will still delay the emission of the SMTP banner. .option hosts_try_prdr smtp "host list&!!" * .cindex "PRDR" "enabling, optional in client" +.cindex "ESMTP extensions" PRDR This option provides a list of servers to which, provided they announce PRDR support, Exim will attempt to negotiate PRDR for multi-recipient messages. @@ -25370,6 +25491,20 @@ so can cause parallel connections to the same host if &%remote_max_parallel%& permits this. +.new +.option message_linelength_limit smtp integer 998 +.cindex "line length" limit +This option sets the maximum line length, in bytes, that the transport +will send. Any messages with lines exceeding the given value +will fail and a failure-DSN ("bounce") message will if possible be returned +to the sender. +The default value is that defined by the SMTP standards. + +It is generally wise to also check in the data ACL so that messages +received via SMTP can be refused without producing a bounce. +.wen + + .option multi_domain smtp boolean&!! true .vindex "&$domain$&" When this option is set, the &(smtp)& transport can handle a number of @@ -25465,7 +25600,7 @@ See also the &%max_parallel%& generic transport option. .option size_addition smtp integer 1024 -.cindex "SMTP" "SIZE" +.cindex "SIZE" "ESMTP extension" .cindex "message" "size issue for transport filter" .cindex "size" "of message" .cindex "transport" "filter" @@ -25551,6 +25686,14 @@ is used in different ways by OpenSSL and GnuTLS (see sections ciphers is a preference order. +.new +.option tls_resumption_hosts smtp "host list&!!" unset +.cindex TLS resumption +This option controls which connections to use the TLS resumption feature. +See &<>& for details. +.wen + + .option tls_sni smtp string&!! unset .cindex "TLS" "Server Name Indication" @@ -25650,13 +25793,17 @@ The &%tls_verify_certificates%& option must also be set. If both this option and &%tls_try_verify_hosts%& are unset operation is as if this option selected all hosts. -.option utf8_downconvert smtp integer!! unset +.option utf8_downconvert smtp integer&!! -1 .cindex utf8 "address downconversion" .cindex i18n "utf8 address downconversion" If built with internationalization support, -this option controls conversion of UTF-8 in message addresses +this option controls conversion of UTF-8 in message envelope addresses to a-label form. -For details see section &<>&. +If, after expansion, the value is 1, 0, or -1 then this value overrides +any value previously set for the message. Otherwise, any previously +set value is used. To permit use of a previous value, +set this option to an empty string. +For details on the values see section &<>&. @@ -26764,6 +26911,7 @@ transfer of mail between servers that have no managerial connection with each other. .cindex "AUTH" "description of" +.cindex "ESMTP extensions" AUTH Very briefly, the way SMTP authentication works is as follows: .ilist @@ -28795,6 +28943,7 @@ tls_require_ciphers = ${if =={$received_port}{25}\ .section "Configuring an Exim server to use TLS" "SECID182" .cindex "TLS" "configuring an Exim server" +.cindex "ESMTP extensions" STARTTLS When Exim has been built with TLS support, it advertises the availability of the STARTTLS command to client hosts that match &%tls_advertise_hosts%&, but not to any others. The default value of this option is *, which means @@ -29054,6 +29203,7 @@ deliveries as well as to incoming, the latter one causing logging of the server certificate's DN. The remaining client configuration for TLS is all within the &(smtp)& transport. +.cindex "ESMTP extensions" STARTTLS It is not necessary to set any options to have TLS work in the &(smtp)& transport. If Exim is built with TLS support, and TLS is advertised by a server, the &(smtp)& transport always tries to start a TLS session. However, @@ -29374,6 +29524,100 @@ Open-source PKI book, available online at .ecindex IIDencsmtp2 +.new +.section "TLS Resumption" "SECTresumption" +.cindex TLS resumption +TLS Session Resumption for TLS 1.2 and TLS 1.3 connections can be used (defined +in RFC 5077 for 1.2). The support for this requires GnuTLS 3.6.3 or OpenSSL 1.1.1 +(or later). + +Session resumption (this is the "stateless" variant) involves the server sending +a "session ticket" to the client on one connection, which can be stored by the +client and used for a later session. The ticket contains sufficient state for +the server to reconstruct the TLS session, avoiding some expensive crypto +calculation and (on TLS1.2) one full packet roundtrip time. + +.ilist +Operational cost/benefit: + + The extra data being transmitted costs a minor amount, and the client has + extra costs in storing and retrieving the data. + + In the Exim/Gnutls implementation the extra cost on an initial connection + which is TLS1.2 over a loopback path is about 6ms on 2017-laptop class hardware. + The saved cost on a subsequent connection is about 4ms; three or more + connections become a net win. On longer network paths, two or more + connections will have an average lower startup time thanks to the one + saved packet roundtrip. TLS1.3 will save the crypto cpu costs but not any + packet roundtrips. + +.cindex "hints database" tls + Since a new hints DB is used on the TLS client, + the hints DB maintenance should be updated to additionally handle "tls". + +.next +Security aspects: + + The session ticket is encrypted, but is obviously an additional security + vulnarability surface. An attacker able to decrypt it would have access + all connections using the resumed session. + The session ticket encryption key is not committed to storage by the server + and is rotated regularly (OpenSSL: 1hr, and one previous key is used for + overlap; GnuTLS 6hr but does not specify any overlap). + Tickets have limited lifetime (2hr, and new ones issued after 1hr under + OpenSSL. GnuTLS 2hr, appears to not do overlap). + + There is a question-mark over the security of the Diffie-Helman parameters + used for session negotiation. + +.next +Observability: + + The &%log_selector%& "tls_resumption" appends an asterisk to the tls_cipher "X=" + element. + + The variables &$tls_in_resumption$& and &$tls_out_resumption$& + have bits 0-4 indicating respectively + support built, client requested ticket, client offered session, + server issued ticket, resume used. A suitable decode list is provided + in the builtin macro _RESUME_DECODE for in &%listextract%& expansions. + +.next +Control: + +The &%tls_resumption_hosts%& main option specifies a hostlist for which +exim, operating as a server, will offer resumption to clients. +Current best practice is to not offer the feature to MUA connection. +Commonly this can be done like this: +.code +tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} +.endd +If the peer host matches the list after expansion then resumption +is offered and/or accepted. + +The &%tls_resumption_hosts%& smtp transport option performs the +equivalent function for operation as a client. +If the peer host matches the list after expansion then resumption +is attempted (if a stored session is available) or the information +stored (if supplied by the peer). + + +.next +Issues: + + In a resumed session: +.ilist + The variables &$tls_{in,out}_cipher$& will have values different + to the original (under GnuTLS). +.next + The variables &$tls_{in,out}_ocsp$& will be "not requested" or "no response", + and the &%hosts_require_ocsp%& smtp trasnport option will fail. +. XXX need to do something with that hosts_require_ocsp +.endlist + +.endlist +.wen + .section DANE "SECDANE" .cindex DANE @@ -30996,6 +31240,7 @@ calling host. Its effect lasts until the end of the SMTP connection. .vitem &*control&~=&~no_pipelining*& .cindex "PIPELINING" "suppressing advertising" +.cindex "ESMTP extensions" PIPELINING This control turns off the advertising of the PIPELINING extension to SMTP in the current session. To be useful, it must be obeyed before Exim sends its response to an EHLO command. Therefore, it should normally appear in an ACL @@ -31071,7 +31316,7 @@ data is read. that are being submitted at the same time using &%-bs%& or &%-bS%&. .vitem &*control&~=&~utf8_downconvert*& -This control enables conversion of UTF-8 in message addresses +This control enables conversion of UTF-8 in message envelope addresses to a-label form. For details see section &<>&. .endlist vlist @@ -35959,13 +36204,14 @@ used to contain the envelope information. .cindex "outgoing LMTP over TCP/IP" .cindex "EHLO" .cindex "HELO" -.cindex "SIZE option on MAIL command" +.cindex "SIZE" "option on MAIL command" Outgoing SMTP and LMTP over TCP/IP is implemented by the &(smtp)& transport. The &%protocol%& option selects which protocol is to be used, but the actual processing is the same in both cases. +.cindex "ESMTP extensions" SIZE If, in response to its EHLO command, Exim is told that the SIZE -parameter is supported, it adds SIZE=<&'n'&> to each subsequent MAIL +extension is supported, it adds SIZE=<&'n'&> to each subsequent MAIL command. The value of <&'n'&> is the message size plus the value of the &%size_addition%& option (default 1024) to allow for additions to the message such as per-transport header lines, or changes made in a @@ -36361,7 +36607,8 @@ RCPT failures. .section "The ETRN command" "SECTETRN" .cindex "ETRN" "processing" -RFC 1985 describes an SMTP command called ETRN that is designed to +.cindex "ESMTP extensions" ETRN +RFC 1985 describes an ESMTP command called ETRN that is designed to overcome the security problems of the TURN command (which has fallen into disuse). When Exim receives an ETRN command on a TCP/IP connection, it runs the ACL specified by &%acl_smtp_etrn%& in order to decide whether the command @@ -37990,6 +38237,7 @@ selection marked by asterisks: &`*tls_certificate_verified `& certificate verification status &`*tls_cipher `& TLS cipher suite on <= and => lines &` tls_peerdn `& TLS peer DN on <= and => lines +&` tls_resumption `& append * to cipher field &` tls_sni `& TLS SNI on <= lines &` unknown_in_list `& DNS lookup failed in list match @@ -38391,6 +38639,14 @@ connection, the cipher suite used is added to the log line, preceded by X=. connection, and a certificate is supplied by the remote host, the peer DN is added to the log line, preceded by DN=. .next +.cindex "log" "TLS resumption" +.cindex "TLS" "logging session resumption" +.new +&%tls_resumption%&: When a message is sent or received over an encrypted +connection and the TLS session resumed one used on a previous TCP connection, +an asterisk is appended to the X= cipher field in the log line. +.wen +.next .cindex "log" "TLS SNI" .cindex "TLS" "logging SNI" &%tls_sni%&: When a message is received over an encrypted connection, and @@ -38936,6 +39192,10 @@ for remote hosts .next &'ratelimit'&: the data for implementing the ratelimit ACL condition .next +.new +&'tls'&: TLS session resumption data +.wen +.next &'misc'&: other hints data .endlist @@ -40349,8 +40609,8 @@ There is no dot-stuffing (and no dot-termination). . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// -.chapter "DKIM, SPF and DMARC" "CHAPdkim" &&& - "DKIM, SPF and DMARC Support" +.chapter "DKIM, SPF, SRS and DMARC" "CHAPdkim" &&& + "DKIM, SPF, SRS and DMARC Support" .section "DKIM (DomainKeys Identified Mail)" SECDKIM .cindex "DKIM" @@ -41040,6 +41300,108 @@ The lookup will return the same result strings as can appear in +.section "SRS (Sender Rewriting Scheme)" SECTSRS +.cindex SRS "sender rewriting scheme" + +.new +SRS can be used to modify sender addresses when forwarding so that +SPF verification does not object to them. +It operates by encoding the original envelope sender in a new +sender local part and using a domain run by the forwarding site +as the new domain for the sender. Any DSN message should be returned +to this new sender at the forwarding site, which can extract the +original sender from the coded local part and forward the DSN to +the originator. + +This is a way of avoiding the breakage that SPF does to forwarding. +The constructed local-part will be longer than the original, +leading to possible problems with very long addresses. +The changing of the sender address also hinders the tracing of mail +problems. + +Exim can be built to include native SRS support. To do this +SUPPORT_SRS=yes must be defined in &_Local/Makefile_&. +If this has been done, the macros _HAVE_SRS and _HAVE_NATIVE_SRS +will be defined. +The support is limited to SRS0-encoding; SRS1 is not supported. + +.cindex SRS excoding +To encode an address use this expansion item: +.vlist +.vitem &*${srs_encode&~{*&<&'secret'&>&*}{*&<&'return&~path'&>&*}{*&<&'original&~domain'&>&*}}*& +.cindex "&%srs_encode%& expansion item" +.cindex SRS "expansion item" +The first argument should be a secret known and used by all systems +handling the recipient domain for the original message. +There is no need to periodically change this key; a timestamp is also +encoded. +The second argument should be given as the envelope sender address before this +encoding operation. +The third argument should be the recipient domain of the message when +it arrived at this system. +.endlist + +.cindex SRS decoding +To decode an address use this expansion condition: +.vlist +.vitem &*inbound_srs&~{*&<&'local&~part'&>&*}{*&<&'secret'&>&*}*& +The first argument should be the recipient local prt as is was received. +The second argument is the site secret. + +If the messages is not for an SRS-encoded recipient the condition will +return false. If it is, the condition will return true and the variable +&$srs_recipient$& will be set to the decoded (original) value. +.endlist + +Example usage: +.code + #macro + SRS_SECRET = + + #routers + + outbound: + driver = dnslookup + # if outbound, and forwarding has been done, use an alternate transport + domains = ! +my_domains + transport = ${if eq {$local_part@$domain} \ + {$original_local_part@$original_domain} \ + {remote_smtp} {remote_forwarded_smtp}} + + inbound_srs: + driver = redirect + senders = : + domains = +my_domains + # detect inbound bounces which are SRS'd, and decode them + condition = ${if inbound_srs {$local_part} {SRS_SECRET}} + data = $srs_recipient + + inbound_srs_failure: + driver = redirect + senders = : + domains = +my_domains + # detect inbound bounces which look SRS'd but are invalid + condition = ${if inbound_srs {$local_part} {}} + allow_fail + data = :fail: Invalid SRS recipient address + + #... further routers here + + + # transport; should look like the non-forward outbound + # one, plus the max_rcpt and return_path options + remote_forwarded_smtp: + driver = smtp + # modify the envelope from, for mails that we forward + max_rcpt = 1 + return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}} +.endd + + +.wen + + + .section DMARC SECDMARC .cindex DMARC verification @@ -41449,6 +41811,7 @@ requirement, upon libidn2. .section "MTA operations" SECTi18nMTA .cindex SMTPUTF8 "ESMTP option" +.cindex "ESMTP extensions" SMTPUTF8 The main configuration option &%smtputf8_advertise_hosts%& specifies a host list. If this matches the sending host and accept_8bitmime is true (the default) then the ESMTP option @@ -41495,22 +41858,27 @@ may use the following modifier: control = utf8_downconvert control = utf8_downconvert/ .endd -This sets a flag requiring that addresses are converted to -a-label form before smtp delivery, for use in a -Message Submission Agent context. +This sets a flag requiring that envelope addresses are converted to +a-label form before smtp delivery. +This is usually for use in a Message Submission Agent context, +but could be used for any message. + If a value is appended it may be: .display -&`1 `& (default) mandatory downconversion +&`1 `& mandatory downconversion &`0 `& no downconversion &`-1 `& if SMTPUTF8 not supported by destination host .endd +If no value is given, 1 is used. If mua_wrapper is set, the utf8_downconvert control is initially set to -1. The smtp transport has an option &%utf8_downconvert%&. If set it must expand to one of the three values described above, -and it overrides any previously set value. +or an empty string. +If non-empty it overrides value previously set +(due to mua_wrapper or by an ACL control). There is no explicit support for VRFY and EXPN.