X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/caba963291bb43dfc0e2cc0d0c6b3347aec09ce5..f0ce0ecaa054ad9773a2078bc8f011a59518120a:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 2bdb2bbdf..2c90ec5f3 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6742,11 +6742,11 @@ Exim variables you need to construct the database query. For the string-expansion kind of lookups, the query is given in the first bracketed argument of the &${lookup ...}$& expansion. -For the list-argument kind of lookup the quury is given by the remainder of the +For the list-argument kind of lookup the query is given by the remainder of the list item after the first semicolon. .cindex "tainted data" "quoting for lookups" -If tainted data is used in the query then it should be quuted by +If tainted data is used in the query then it should be quoted by using the &*${quote_*&<&'lookup-type'&>&*:*&<&'string'&>&*}*& expansion operator appropriate for the lookup. .endlist @@ -16640,15 +16640,21 @@ See also the ACL modifier &`control = suppress_local_fixups`&. Section .option localhost_number main string&!! unset .cindex "host" "locally unique number for" .cindex "message ids" "with multiple hosts" +.cindex multiple "systems sharing a spool" +.cindex "multiple hosts" "sharing a spool" +.cindex "shared spool directory" +.cindex "spool directory" sharing .vindex "&$localhost_number$&" Exim's message ids are normally unique only within the local host. If -uniqueness among a set of hosts is required, each host must set a different +uniqueness among a set of hosts is required +(eg. because they share a spool directory), +each host must set a different value for the &%localhost_number%& option. The string is expanded immediately after reading the configuration file (so that a number can be computed from the host name, for example) and the result of the expansion must be a number in the range 0&--16 (or 0&--10 on operating systems with case-insensitive file systems). This is available in subsequent string expansions via the variable -&$localhost_number$&. When &%localhost_number is set%&, the final two +&$localhost_number$&. When &%localhost_number%& is set, the final four characters of the message id, instead of just being a fractional part of the time, are computed from the time and the local host number as described in section &<>&. @@ -22792,8 +22798,11 @@ If unset, or expanding to an empty string, no filtering is done. When the message is about to be written out, the command specified by &%transport_filter%& is started up in a separate, parallel process, and the entire message, including the header lines, is passed to it on its standard -input (this in fact is done from a third process, to avoid deadlock). The -command must be specified as an absolute path. +input (this in fact is done from a third process, to avoid deadlock). +The command must be specified as an absolute path. + +The process run by the command must use its standard input as the message +data to be transformed, and write the results on its standard output. The lines of the message that are written to the transport filter are terminated by newline (&"\n"&). The message is passed to the filter before any @@ -24828,7 +24837,7 @@ Exim, and each argument is separately expanded, as described in section No part of the resulting command may be tainted. -.option environment pipe string&!! unset +.option environment pipe "string list&!!" unset .cindex "&(pipe)& transport" "environment for command" .cindex "environment" "&(pipe)& transport" This option is used to add additional variables to the environment in which the @@ -25546,15 +25555,24 @@ load-balancer, matching the session stored in the client's cache. Exim can pull out a server name, if there is one, from the response to the client's SMTP EHLO command. -The default value of this option: +For normal STARTTLS use, the default value of this option: .code ${if and { {match {$host} {.outlook.com\$}} \ {match {$item} {\N^250-([\w.]+)\s\N}} \ } {$1}} .endd suffices for one known case. + During the expansion of this option the &$item$& variable will have the server's EHLO response. + +.new +For TLS-on-connect connections we do not have an EHLO +response to use. Because of this the default value of this option is +set to a static string for those cases, meaning that resumption will +always be attempted if permitted by the &%tls_resumption_hosts%& option. +.wen + The result of the option expansion is included in the key used to store and retrieve the TLS session, for session resumption. @@ -25906,6 +25924,7 @@ permits this. .cindex "line length" limit This option sets the maximum line length, in bytes, that the transport will send. Any messages with lines exceeding the given value +(before a transport filter, if any) will fail and a failure-DSN ("bounce") message will if possible be returned to the sender. The default value is that defined by the SMTP standards. @@ -35323,9 +35342,10 @@ The arguments are as follows: (the -D file). The file is open for reading and writing, but updating it is not recommended. &*Warning*&: You must &'not'& close this file descriptor. -The descriptor is positioned at character 19 of the file, which is the first -character of the body itself, because the first 19 characters are the message -id followed by &`-D`& and a newline. If you rewind the file, you should use the +The descriptor is positioned at character 26 of the file, which is the first +character of the body itself, because the first 26 characters (19 characters +before Exim 4.97) are the message id followed by &`-D`& and a newline. +If you rewind the file, you should use the macro SPOOL_DATA_START_OFFSET to reset to the start of the data, just in case this changes in some future version. .next @@ -36441,8 +36461,6 @@ other MTAs, the way Exim handles line endings for all messages is now as follows: .ilist -LF not preceded by CR is treated as a line ending. -.next CR is treated as a line ending; if it is immediately followed by LF, the LF is ignored. .next @@ -36457,7 +36475,10 @@ people trying to play silly games. .next If the first header line received in a message ends with CRLF, a subsequent bare LF in a header line is treated in the same way as a bare CR in a header -line. +line and a bare LF in a body line is replaced with a space. +.next +If the first header line received in a message does not end with CRLF, a subsequent +LF not preceded by CR is treated as a line ending. .endlist @@ -39040,7 +39061,7 @@ selection marked by asterisks: .irow &`deliver_time`&   "time taken to attempt delivery" .irow &`delivery_size`&   "add &`S=`&&'nnn'& to => lines" .irow &`dkim`& * "DKIM verified domain on <= lines" -.irow &`dkim_verbose`&   "separate full DKIM verification result line, per signature" +.irow &`dkim_verbose`&   "separate full DKIM verification result line, per signature; DKIM signing" .irow &`dnslist_defer`& * "defers of DNS list (aka RBL) lookups" .irow &`dnssec`&   "DNSSEC secured lookups" .irow &`etrn`& * "ETRN commands" @@ -39084,7 +39105,7 @@ selection marked by asterisks: .irow &`tls_peerdn`&   "TLS peer DN on <= and => lines" .irow &`tls_resumption`&   "append * to cipher field" .irow &`tls_sni`&   "TLS SNI on <= lines" -.irow &`unknown_in_list`&   "DNS lookup failed in list match" +.irow &`unknown_in_list`&   "lookup failed in list match" .irow &`all`&   "&*all of the above*&" .endtable See also the &%slow_lookup_log%& main configuration option, @@ -39166,6 +39187,10 @@ verifies successfully a tag of DKIM is added, with one of the verified domains. .cindex log "DKIM verification" .cindex DKIM "verification logging" &%dkim_verbose%&: A log entry is written for each attempted DKIM verification. +.new +Also, on message delivery lines signing information (domain and selector) +is added, tagged with DKIM=. +.wen .next .cindex "log" "dnslist defer" .cindex "DNS list" "logging defer" @@ -39503,7 +39528,8 @@ added to the log line, preceded by SNI=. .next .cindex "log" "DNS failure in list" &%unknown_in_list%&: This setting causes a log entry to be written when the -result of a list match is failure because a DNS lookup failed. +result of a list match is failure because a DNS lookup failed, or because +a bad IP address was in the list. .endlist @@ -41698,7 +41724,7 @@ variables here. .option dkim_sign_headers smtp string&!! "see below" If set, this option must expand to a colon-separated list of header names. -Headers with these names, or the absence or such a header, will be included +Headers with these names, or the absence of such a header, will be included in the message signature. When unspecified, the header names listed in RFC4871 will be used, whether or not each header is present in the message. @@ -41733,8 +41759,9 @@ RFC 6376 lists these tags as RECOMMENDED. Verification of DKIM signatures in SMTP incoming email is done for all messages for which an ACL control &%dkim_disable_verify%& has not been set. + .cindex DKIM "selecting signature algorithms" -Individual classes of signature algorithm can be ignored by changing +Individual classes of DKIM signature algorithm can be ignored by changing the main options &%dkim_verify_hashes%& or &%dkim_verify_keytypes%&. The &%dkim_verify_minimal%& option can be set to cease verification processing for a message once the first passing signature is found. @@ -41747,7 +41774,7 @@ For most purposes the default option settings suffice and the remainder of this section can be ignored. The results of verification are made available to the -&%acl_smtp_dkim%& ACL, which can examine and modify them. +&%acl_smtp_dkim%& ACL, which (for complex needs) can examine and modify them. A missing ACL definition defaults to accept. By default, the ACL is called once for each syntactically(!) correct signature in the incoming message. @@ -41812,6 +41839,12 @@ an identity. This is one of the list items from the expanded main option &%dkim_verify_signers%& (see above). .vitem &%$dkim_verify_status%& +So long as a DKIM ACL is defined +(it need do no more than accept, which is the default), +after all the DKIM ACL runs have completed, the value becomes a +colon-separated list of the values after each run. +The value is maintained for the MIME, PRDR and DATA ACLs. + Within the DKIM ACL, a string describing the general status of the signature. One of .ilist @@ -41840,11 +41873,6 @@ hash-method or key-size: set dkim_verify_reason = hash too weak or key too short .endd -So long as a DKIM ACL is defined (it need do no more than accept), -after all the DKIM ACL runs have completed, the value becomes a -colon-separated list of the values after each run. -This is maintained for the mime, prdr and data ACLs. - .vitem &%$dkim_verify_reason%& A string giving a little bit more detail when &%$dkim_verify_status%& is either "fail" or "invalid". One of @@ -41969,13 +41997,15 @@ option. .endlist -In addition, two ACL conditions are provided, usable only in a DKIM ACL: +In addition, two ACL conditions are provided: .vlist .vitem &%dkim_signers%& ACL condition that checks a colon-separated list of domains or identities for a match against the domain or identity that the ACL is currently verifying -(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL +(reflected by &%$dkim_cur_signer%&). +This condition is only usable in a DKIM ACL. +This is typically used to restrict an ACL verb to a group of domains or identities. For example: .code @@ -41991,7 +42021,18 @@ for that check for empty &$h_DKIM-Signature:$& in the data ACL. .vitem &%dkim_status%& ACL condition that checks a colon-separated list of possible DKIM verification -results against the actual result of verification. This is typically used +results against the actual result of verification, +given by &$dkim_verify_status$& if that is non-empty or "none" if empty. +.new +This condition may be used in DKIM, MIME, PRDR and DATA ACLs. +.wen + +A basic verification might be: +.code +deny !dkim_status = pass:none:invalid +.endd + +A more complex use could be to restrict an ACL verb to a list of verification outcomes, for example: .code @@ -42004,6 +42045,12 @@ deny sender_domains = paypal.com:paypal.de The possible status keywords are: 'none','invalid','fail' and 'pass'. Please see the documentation of the &%$dkim_verify_status%& expansion variable above for more information of what they mean. + +The condition is true if the status +.new +(or any of the list of status values) +.wen +is any one of the supplied list. .endlist