X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/a3d3e7ef81a649d2bbd6599fc561cf22c6875e70..c4dee92d5d5ff5e77e29b8ba94ae3a505cb25bb0:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 8c54931fe..cdac2a266 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -5103,6 +5103,10 @@ The following classes of macros are defined: &` _DRIVER_ROUTER_* `& router drivers &` _DRIVER_TRANSPORT_* `& transport drivers &` _DRIVER_AUTHENTICATOR_* `& authenticator drivers +&` _EXP_COND_* `& expansion conditions +&` _EXP_ITEM_* `& expansion items +&` _EXP_OP_* `& expansion operators +&` _EXP_VAR_* `& expansion variables &` _LOG_* `& log_selector values &` _OPT_MAIN_* `& main config options &` _OPT_ROUTERS_* `& generic router options @@ -6602,7 +6606,7 @@ file that is searched could contain lines like this: When the lookup succeeds, the result of the expansion is a list of domains (and possibly other types of item that are allowed in domain lists). .cindex "tainted data" "de-tainting" -.cindex "de-tainting" "using a lookup expansion"" +.cindex "de-tainting" "using a lookup expansion" The result of the expansion is not tainted. .next @@ -7799,7 +7803,8 @@ connection timeout (the system timeout is used), no user or password, no limit on the number of entries returned, and no time limit on queries. When a DN is quoted in the USER= setting for LDAP authentication, Exim -removes any URL quoting that it may contain before passing it LDAP. Apparently +removes any URL quoting that it may contain before passing it to the LDAP library. +Apparently some libraries do this for themselves, but some do not. Removing the URL quoting has two advantages: @@ -9648,7 +9653,10 @@ Example use (as an ACL modifier): .code add_header = :at_start:${authresults {$primary_hostname}} .endd -This is safe even if no authentication results are available. +This is safe even if no authentication results are available +.new +and would generally be placed in the DATA ACL. +.wen .vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&& @@ -10511,6 +10519,17 @@ At the end of a &*reduce*& expansion, the values of &$item$& and &$value$& are restored to what they were before. See also the &%filter%& and &%map%& expansion items. +. A bit of a special-case logic error in writing an expansion; +. probably not worth including in the mainline of documentation. +. If only we had footnotes (the html output variant is the problem). +. +. .new +. &*Note*&: if an &'expansion condition'& is used in <&'string3'&> +. and that condition modifies &$value$&, +. then the string expansions dependent on the condition cannot use +. the &$value$& of the reduce iteration. +. .wen + .vitem &*$rheader_*&<&'header&~name'&>&*:*&&~or&~&*$rh_*&<&'header&~name'&>&*:*& This item inserts &"raw"& header lines. It is described with the &%header%& expansion item in section &<>& above. @@ -11748,8 +11767,8 @@ Case and collation order are defined per the system C locale. SRS decode. See SECT &<>& for details. -.vitem &*inlist&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&& - &*inlisti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& +.vitem &*inlist&~{*&<&'subject'&>&*}{*&<&'list'&>&*}*& &&& + &*inlisti&~{*&<&'subject'&>&*}{*&<&'list'&>&*}*& .cindex "string" "comparison" .cindex "list" "iterative conditions" Both strings are expanded; the second string is treated as a list of simple @@ -16182,6 +16201,11 @@ This option is obsolete, and retained only for backward compatibility, because nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming connections immediately. +.new +If the connection is on a TLS-on-connect port then the TCP connection is +just dropped. Otherwise, an SMTP error is sent first. +.wen + The ability to give an immediate rejection (either by this option or using an ACL) is provided for use in unusual cases. Many hosts will just try again, sometimes without much delay. Normally, it is better to use an ACL to reject @@ -17672,13 +17696,18 @@ This facility is only available on Linux. .cindex "banner for SMTP" .cindex "welcome banner for SMTP" .cindex "customizing" "SMTP banner" -This string, which is expanded every time it is used, is output as the initial +If a connect ACL does not supply a message, +this string (which is expanded every time it is used) is output as the initial positive response to an SMTP connection. The default setting is: .code smtp_banner = $smtp_active_hostname ESMTP Exim \ $version_number $tod_full .endd -Failure to expand the string causes a panic error. If you want to create a +.new +Failure to expand the string causes a panic error; +a forced fail just closes the connection. +.wen +If you want to create a multiline response to the initial SMTP connection, use &"\n"& in the string at appropriate points, but not at the end. Note that the 220 code is not included in this string. Exim adds it automatically (several times in the case of a @@ -25596,12 +25625,18 @@ hard failure if required. See also &%hosts_try_auth%&, and chapter &<>& for details of authentication. -.option hosts_request_ocsp smtp "host list&!!" * +.option hosts_request_ocsp smtp "host list&!!" "see below" .cindex "TLS" "requiring for certain servers" Exim will request a Certificate Status on a TLS session for any host that matches this list. &%tls_verify_certificates%& should also be set for the transport. +.new +The default is &"**"& if DANE is not in use for the connection, +or if DANE-TA us used. +It is empty if DANE-EE is used. +.wen + .option hosts_require_alpn smtp "host list&!!" unset .cindex ALPN "require negotiation in client" .cindex TLS ALPN @@ -26071,7 +26106,7 @@ If both this option and &%tls_try_verify_hosts%& are unset operation is as if this option selected all hosts. &*Warning*&: Including a host in &%tls_verify_hosts%& does not require that connections use TLS. -Fallback to in-clear communication will be done unless restricted by +Fallback to in-clear communication will be done unless restricted by the &%hosts_require_tls%& option. .option utf8_downconvert smtp integer&!! -1 @@ -29761,7 +29796,7 @@ connection. The client for the connection proposes a set of protocol names, and the server responds with a selected one. It is not, as of 2021, commonly used for SMTP connections. -However, to guard against misirected or malicious use of web clients +However, to guard against misdirected or malicious use of web clients (which often do use ALPN) against MTA ports, Exim by default check that there is no incompatible ALPN specified by a client for a TLS connection. If there is, the connection is rejected. @@ -29771,7 +29806,7 @@ The behaviour of both client and server can be configured using the options &%tls_alpn%& and &%hosts_require_alpn%&. There are no variables providing observability. Some feature-specific logging may appear on denied connections, but this -depends on the behavious of the peer +depends on the behaviour of the peer (not all peers can send a feature-specific TLS Alert). This feature is available when Exim is built with @@ -30463,8 +30498,11 @@ accepted by an &%accept%& verb that has a &%message%& modifier, the contents of the message override the banner message that is otherwise specified by the &%smtp_banner%& option. -For tls-on-connect connections, the ACL is run after the TLS connection -is accepted (however, &%host_reject_connection%& is tested before). +.new +For tls-on-connect connections, the ACL is run before the TLS connection +is accepted; if the ACL does not accept then the TCP connection is dropped without +any TLS startup attempt and without any SMTP response being transmitted. +.wen .subsection "The EHLO/HELO ACL" SECID192 @@ -31615,7 +31653,7 @@ pretrigger=<&'size'&> This option specifies a memory buffuer to be used immediate writes to file are done as normal. trigger=<&'reason'&> This option selects cause for the pretrigger buffer - see above) to be copied to file. A reason of $*now* + see above) to be copied to file. A reason of &*now*& take effect immediately; one of &*paniclog*& triggers on a write to the panic log. .endd @@ -38869,7 +38907,7 @@ selection marked by asterisks: .irow &`etrn`& * "ETRN commands" .irow &`host_lookup_failed`& * "as it says" .irow &`ident_timeout`&   "timeout for ident connection" -.irow &`incoming_interface`&   "local interface on <= and => lines" +.irow &`incoming_interface`&   "local interface & port on <= and => lines" .irow &`incoming_port`&   "remote port on <= lines" .irow &`lost_incoming_connection`& * "as it says (includes timeouts)" .irow &`millisec`&   "millisecond timestamps and RT,QT,DT,D times" @@ -42205,7 +42243,7 @@ the DATA acl. .subsection ACL SSECDMARCACL .cindex DMARC "ACL condition" -DMARC checks cam be run on incoming SMTP messages by using the +DMARC checks can be run on incoming SMTP messages by using the &"dmarc_status"& ACL condition in the DATA ACL. You are required to call the &"spf"& condition first in the ACLs, then the &"dmarc_status"& condition. Putting this condition in the ACLs is required in order