X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/c4ceed07f17f67af7d96e7fd27c92eb374e62e19..exim-4_80_RC4:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9370f737b..1c2fa8401 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6790,14 +6790,16 @@ white space is ignored. .cindex "TXT record" "in &(dnsdb)& lookup" .cindex "SPF record" "in &(dnsdb)& lookup" .new -For TXT and SPF records with multiple items of data, only the first item is returned, +For TXT records with multiple items of data, only the first item is returned, unless a separator for them is specified using a comma after the separator -character followed immediately by the TXT/SPF record item separator. To concatenate -items without a separator, use a semicolon instead. +character followed immediately by the TXT record item separator. To concatenate +items without a separator, use a semicolon instead. For SPF records the +default behaviour is to concatenate multiple items without using a separator. .wen .code ${lookup dnsdb{>\n,: txt=a.b.example}} ${lookup dnsdb{>\n; txt=a.b.example}} +${lookup dnsdb{spf=example.org}} .endd It is permitted to specify a space as the separator character. Further white space is ignored. @@ -11948,6 +11950,10 @@ files, for example: Thu Oct 17 17:14:09 1995. .vindex "&$tod_epoch$&" The time and date as a number of seconds since the start of the Unix epoch. +.vitem &$tod_epoch_l$& +.vindex "&$tod_epoch_l$&" +The time and date as a number of microseconds since the start of the Unix epoch. + .vitem &$tod_full$& .vindex "&$tod_full$&" A full version of the time and date, for example: Wed, 16 Oct 1995 09:51:40 @@ -12688,6 +12694,7 @@ listed in more than one group. .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" .row &%tls_crl%& "certificate revocation list" +.row &%tls_dh_max_bits%& "clamp D-H bit count suggestion" .row &%tls_dhparam%& "DH parameters for server" .row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports" .row &%tls_privatekey%& "location of server private key" @@ -15674,6 +15681,25 @@ See &<>& for discussion of when this option might be re-expanded. .wen +.new +.option tls_dh_max_bits main integer 2236 +.cindex "TLS" "D-H bit count" +The number of bits used for Diffie-Hellman key-exchange may be suggested by +the chosen TLS library. That value might prove to be too high for +interoperability. This option provides a maximum clamp on the value +suggested, trading off security for interoperability. + +The value must be at least 1024. + +The value 2236 was chosen because, at time of adding the option, it was the +hard-coded maximum value supported by the NSS cryptographic library, as used +by Thunderbird, while GnuTLS was suggesting 2432 bits as normal. + +If you prefer more security and are willing to break some clients, raise this +number. +.wen + + .option tls_dhparam main string&!! unset .cindex "TLS" "D-H parameters for server" The value of this option is expanded, and must then be the absolute path to @@ -15681,6 +15707,11 @@ a file which contains the server's DH parameter values. This is used only for OpenSSL. When Exim is linked with GnuTLS, this option is ignored. See section &<>& for further details. +.new +If the DH bit-count from loading the file is greater than tls_dh_max_bits then +it will be ignored. +.wen + .option tls_on_connect_ports main "string list" unset This option specifies a list of incoming SSMTP (aka SMTPS) ports that should @@ -24559,7 +24590,7 @@ made that any particular new authentication mechanism will be supported without code changes in Exim. -.option server_channelbinding gsasl bool false +.option server_channelbinding gsasl boolean false Some authentication mechanisms are able to use external context at both ends of the session to bind the authentication to that context, and fail the authentication process if that context differs. Specifically, some TLS @@ -24932,8 +24963,12 @@ The &%tls_verify_certificates%& option must contain the name of a file, not the name of a directory (for OpenSSL it can be either). .next The &%tls_dhparam%& option is ignored, because early versions of GnuTLS had no -facility for varying its Diffie-Hellman parameters. I understand that this has -changed, but Exim has not been updated to provide this facility. +facility for varying its Diffie-Hellman parameters. +.new +Since then, the GnuTLS support has been updated to generate parameters upon +demand, keeping them in the spool directory. See &<>& for +details. +.wen .next .vindex "&$tls_peerdn$&" Distinguished Name (DN) strings reported by the OpenSSL library use a slash for @@ -24941,10 +24976,11 @@ separating fields; GnuTLS uses commas, in accordance with RFC 2253. This affects the value of the &$tls_peerdn$& variable. .next OpenSSL identifies cipher suites using hyphens as separators, for example: -DES-CBC3-SHA. GnuTLS uses underscores, for example: RSA_ARCFOUR_SHA. What is -more, OpenSSL complains if underscores are present in a cipher list. To make -life simpler, Exim changes underscores to hyphens for OpenSSL and hyphens to -underscores for GnuTLS when processing lists of cipher suites in the +DES-CBC3-SHA. GnuTLS historically used underscores, for example: +RSA_ARCFOUR_SHA. What is more, OpenSSL complains if underscores are present +in a cipher list. To make life simpler, Exim changes underscores to hyphens +for OpenSSL and passes the string unchanged to GnuTLS (expecting the library +to handle its own older variants) when processing lists of cipher suites in the &%tls_require_ciphers%& options (the global option and the &(smtp)& transport option). .next @@ -24960,7 +24996,7 @@ implementation, then patches are welcome. .endlist -.section "GnuTLS parameter computation" "SECID181" +.section "GnuTLS parameter computation" "SECTgnutlsparam" .new GnuTLS uses D-H parameters that may take a substantial amount of time to compute. It is unreasonable to re-compute them for every TLS session. @@ -24994,14 +25030,14 @@ and letting Exim re-create it, you can generate new parameters using renaming. The relevant commands are something like this: .code # ls -[ look for file; assume gnutls-params-1024 is the most recent ] +[ look for file; assume gnutls-params-2236 is the most recent ] # rm -f new-params # touch new-params # chown exim:exim new-params # chmod 0600 new-params -# certtool --generate-dh-params --bits 1024 >>new-params +# certtool --generate-dh-params --bits 2236 >>new-params # chmod 0400 new-params -# mv new-params gnutls-params-1024 +# mv new-params gnutls-params-2236 .endd If Exim never has to generate the parameters itself, the possibility of stalling is removed. @@ -25010,10 +25046,18 @@ The filename changed in Exim 4.80, to gain the -bits suffix. The value which Exim will choose depends upon the version of GnuTLS in use. For older GnuTLS, the value remains hard-coded in Exim as 1024. As of GnuTLS 2.12.x, there is a way for Exim to ask for the "normal" number of bits for D-H public-key usage, -and Exim does so. Exim thus removes itself from the policy decision, and the -filename and bits used change as the GnuTLS maintainers change the value for -their parameter &`GNUTLS_SEC_PARAM_NORMAL`&. At the time of writing, this -gives 2432 bits. +and Exim does so. This attempt to remove Exim from TLS policy decisions +failed, as GnuTLS 2.12 returns a value higher than the current hard-coded limit +of the NSS library. Thus Exim gains the &%tls_dh_max_bits%& global option, +which applies to all D-H usage, client or server. If the value returned by +GnuTLS is greater than &%tls_dh_max_bits%& then the value will be clamped down +to &%tls_dh_max_bits%&. The default value has been set at the current NSS +limit, which is still much higher than Exim historically used. + +The filename and bits used will change as the GnuTLS maintainers change the +value for their parameter &`GNUTLS_SEC_PARAM_NORMAL`&, as clamped by +&%tls_dh_max_bits%&. At the time of writing (mid 2012), GnuTLS 2.12 recommends +2432 bits, while NSS is limited to 2236 bits. .wen