X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d79247e6321bd44f4f21bc1234e0424d0fa558eb..c1fb74d63ecf0cd1501e53352419bfdfd154b7ea:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 357fbca62..61abb70c0 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -51,6 +51,8 @@ .set ACL "access control lists (ACLs)" .set I "    " +.set drivernamemax "64" + .macro copyyear 2020 .endmacro @@ -161,6 +163,13 @@ .macro index .echo "** Don't use .index; use .cindex or .oindex or .vindex" .endmacro + + +. use this for a concept-index entry for a header line +.macro chindex +.cindex "&'$1'& header line" +.cindex "header lines" $1 +.endmacro . //////////////////////////////////////////////////////////////////////////// @@ -193,6 +202,8 @@ . This chunk of literal XML implements index entries of the form "x, see y" and . "x, see also y". However, the DocBook DTD doesn't allow entries . at the top level, so we have to put the .chapter directive first. + +. These do not turn up in the HTML output, unfortunately. The PDF does get them. . ///////////////////////////////////////////////////////////////////////////// .chapter "Introduction" "CHID1" @@ -318,6 +329,10 @@ zero, binary binary zero + + headers + header lines + .literal off @@ -1394,9 +1409,22 @@ Again, cutthrough delivery counts as a verification. .next Individual routers can be explicitly skipped when running the routers to check an address given in the SMTP EXPN command (see the &%expn%& option). + .next If the &%domains%& option is set, the domain of the address must be in the set of domains that it defines. +.new +.cindex "tainted data" "de-tainting" +A match verifies the variable &$domain$& (which carries tainted data) +and assigns an untainted value to the &$domain_data$& variable. +Such an untainted value is often needed in the transport. +For specifics of the matching operation and the resulting untainted value, +refer to section &<>&. + +When an untainted value is wanted, use this option +rather than the generic &%condition%& option. +.wen + .next .vindex "&$local_part_prefix$&" .vindex "&$local_part_prefix_v$&" @@ -1405,13 +1433,26 @@ of domains that it defines. .vindex "&$local_part_suffix_v$&" .cindex affix "router precondition" If the &%local_parts%& option is set, the local part of the address must be in -the set of local parts that it defines. If &%local_part_prefix%& or +the set of local parts that it defines. +.new +A match verifies the variable &$local_part$& (which carries tainted data) +and assigns an untainted value to the &$local_part_data$& variable. +Such an untainted value is often needed in the transport. +For specifics of the matching operation and the resulting untainted value, +refer to section &<>&. + +When an untainted value is wanted, use this option +rather than the generic &%condition%& option. +.wen + +If &%local_part_prefix%& or &%local_part_suffix%& is in use, the prefix or suffix is removed from the local part before this check. If you want to do precondition tests on local parts that include affixes, you can do so by using a &%condition%& option (see below) that uses the variables &$local_part$&, &$local_part_prefix$&, &$local_part_prefix_v$&, &$local_part_suffix$& and &$local_part_suffix_v$& as necessary. + .next .vindex "&$local_user_uid$&" .vindex "&$local_user_gid$&" @@ -1421,23 +1462,37 @@ an account on the local host. If this check succeeds, the uid and gid of the local user are placed in &$local_user_uid$& and &$local_user_gid$& and the user's home directory is placed in &$home$&; these values can be used in the remaining preconditions. + .next If the &%router_home_directory%& option is set, it is expanded at this point, because it overrides the value of &$home$&. If this expansion were left till later, the value of &$home$& as set by &%check_local_user%& would be used in subsequent tests. Having two different values of &$home$& in the same router could lead to confusion. + .next If the &%senders%& option is set, the envelope sender address must be in the set of addresses that it defines. + .next If the &%require_files%& option is set, the existence or non-existence of specified files is tested. + .next .cindex "customizing" "precondition" If the &%condition%& option is set, it is evaluated and tested. This option uses an expanded string to allow you to set up your own custom preconditions. Expanded strings are described in chapter &<>&. + +.new +Note that while using +this option for address matching technically works, +it does not set any de-tainted values. +Such values are often needed, either for router-specific options or +for transport options. +Using the &%domains%& and &%local_parts%& options is usually the most +convenient way to obtain them. +.wen .endlist @@ -2643,10 +2698,8 @@ Exim through the local interface (see the &%-bm%& and &%-f%& options below). See the &%untrusted_set_sender%& option for a way of permitting non-trusted users to set envelope senders. -.cindex "&'From:'& header line" -.cindex "&'Sender:'& header line" -.cindex "header lines" "From:" -.cindex "header lines" "Sender:" +.chindex From: +.chindex Sender: For a trusted user, there is never any check on the contents of the &'From:'& header line, and a &'Sender:'& line is never added. Furthermore, any existing &'Sender:'& line in incoming local (non-TCP/IP) messages is not removed. @@ -3797,9 +3850,11 @@ headers.) .cindex "Solaris" "&'mail'& command" .cindex "dot" "in incoming non-SMTP message" This option, which has the same effect as &%-oi%&, specifies that a dot on a -line by itself should not terminate an incoming, non-SMTP message. I can find -no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'& -command in Solaris 2.4 uses it. See also &%-ti%&. +line by itself should not terminate an incoming, non-SMTP message. +Solaris 2.4 (SunOS 5.4) Sendmail has a similar &%-i%& processing option +&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf), +p. 1M-529), and therefore a &%-oi%& command line option, which both are used +by its &'mailx'& command. .vitem &%-L%&&~<&'tag'&> .oindex "&%-L%&" @@ -3845,7 +3900,9 @@ id, and the remaining ones must be email addresses. However, if the message is active (in the middle of a delivery attempt), it is not altered. This option can be used only by an admin user. -.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&~<&'sequence&~number'&>&&& +.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&&& + &~<&'host&~IP'&>&&& + &~<&'sequence&~number'&>&&& &~<&'message&~id'&>" .oindex "&%-MC%&" .cindex "SMTP" "passed connection" @@ -3887,12 +3944,31 @@ This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option. It signifies that a remote host supports the ESMTP &_CHUNKING_& extension. +.new +.vitem &%-MCL%& +.oindex "&%-MCL%&" +This option is not intended for use by external callers. It is used internally +by Exim in conjunction with the &%-MC%& option. It signifies that the server to +which Exim is connected advertised limits on numbers of mails, recipients or +recipient domains. +The limits are given by the following three arguments. +.wen + .vitem &%-MCP%& .oindex "&%-MCP%&" This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option. It signifies that the server to which Exim is connected supports pipelining. +.new +.vitem &%-MCp%& +.oindex "&%-MCp%&" +This option is not intended for use by external callers. It is used internally +by Exim in conjunction with the &%-MC%& option. It signifies that the connection +t a remote server is via a SOCKS proxy, using addresses and ports given by +the following four arguments. +.wen + .vitem &%-MCQ%&&~<&'process&~id'&>&~<&'pipe&~fd'&> .oindex "&%-MCQ%&" This option is not intended for use by external callers. It is used internally @@ -4098,8 +4174,9 @@ the standard output. This option can be used only by an admin user. .vitem &%-m%& .oindex "&%-m%&" -This is apparently a synonym for &%-om%& that is accepted by Sendmail, so Exim -treats it that way too. +This is a synonym for &%-om%& that is accepted by Sendmail +(&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf) +p. 1M-258), so Exim treats it that way too. .vitem &%-N%& .oindex "&%-N%&" @@ -4742,9 +4819,9 @@ recognized when Exim is run normally. It allows for the setting up of explicit .vitem &%-t%& .oindex "&%-t%&" .cindex "recipient" "extracting from header lines" -.cindex "&'Bcc:'& header line" -.cindex "&'Cc:'& header line" -.cindex "&'To:'& header line" +.chindex Bcc: +.chindex Cc: +.chindex To: When Exim is receiving a locally-generated, non-SMTP message on its standard input, the &%-t%& option causes the recipients of the message to be obtained from the &'To:'&, &'Cc:'&, and &'Bcc:'& header lines in the message instead of @@ -5436,8 +5513,8 @@ local_interfaces = 127.0.0.1 : ::::1 contains two IP addresses, the IPv4 address 127.0.0.1 and the IPv6 address ::1. &*Note*&: Although leading and trailing white space is ignored in individual -list items, it is not ignored when parsing the list. The space after the first -colon in the example above is necessary. If it were not there, the list would +list items, it is not ignored when parsing the list. The spaces around the first +colon in the example above are necessary. If they were not there, the list would be interpreted as the two items 127.0.0.1:: and 1. .section "Changing list separators" "SECTlistsepchange" @@ -5896,7 +5973,7 @@ Libraries you use may depend on specific environment settings. This imposes a security risk (e.g. PATH). There are two lists: &%keep_environment%& for the variables to import as they are, and &%add_environment%& for variables we want to set to a fixed value. -Note that TZ is handled separately, by the $%timezone%$ runtime +Note that TZ is handled separately, by the &%timezone%& runtime option and by the TIMEZONE_DEFAULT buildtime option. .code # keep_environment = ^LDAP @@ -6371,9 +6448,9 @@ smarthost_smtp: # request with your smarthost provider to get things fixed: hosts_require_tls = * tls_verify_hosts = * - # As long as tls_verify_hosts is enabled, this won't matter, but if you - # have to comment it out then this will at least log whether you succeed - # or not: + # As long as tls_verify_hosts is enabled, this this will have no effect, + # but if you have to comment it out then this will at least log whether + # you succeed or not: tls_try_verify_hosts = * # # The SNI name should match the name which we'll expect to verify; @@ -8428,7 +8505,10 @@ will store a result in the &$host_data$& variable. A &%local_parts%& router option or &%local_parts%& ACL condition will store a result in the &$local_part_data$& variable. .vitem domains +.new A &%domains%& router option or &%domains%& ACL condition +will store a result in the &$domain_data$& variable. +.wen .vitem senders A &%senders%& router option or &%senders%& ACL condition will store a result in the &$sender_data$& variable. @@ -8732,6 +8812,13 @@ other statements in the same ACL. .cindex "tainted data" "de-tainting" The value will be untainted. +.new +&*Note*&: If the data result of the lookup (as opposed to the key) +is empty, then this empty value is stored in &$domain_data$&. +The option to return the key for the lookup, as the value, +may be what is wanted. +.wen + .next Any of the single-key lookup type names may be preceded by @@ -8773,7 +8860,7 @@ If the pattern starts with the name of a lookup type of either kind (single-key or query-style) it may be followed by a comma and options, The options are lookup-type specific and consist of a comma-separated list. -Each item starts with a tag and and equals "=". +Each item starts with a tag and and equals "=" sign. .next .cindex "domain list" "matching literal domain name" @@ -8892,9 +8979,13 @@ accept hosts = @[] .endd .next .cindex "CIDR notation" -If the pattern is an IP address followed by a slash and a mask length (for -example 10.11.42.0/24), it is matched against the IP address of the subject -host under the given mask. This allows, an entire network of hosts to be +If the pattern is an IP address followed by a slash and a mask length, for +example +.code +10.11.42.0/24 +.endd +, it is matched against the IP address of the subject +host under the given mask. This allows an entire network of hosts to be included (or excluded) by a single item. The mask uses CIDR notation; it specifies the number of address bits that must match, starting from the most significant end of the address. @@ -9513,7 +9604,9 @@ reasons, .cindex "tainted data" definition .cindex expansion "tainted data" and expansion of data deriving from the sender (&"tainted data"&) -is not permitted. +.new +is not permitted (including acessing a file using a tainted name). +.wen .new Common ways of obtaining untainted equivalents of variables with @@ -9671,7 +9764,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f .vitem "&*${authresults{*&<&'authserv-id'&>&*}}*&" .cindex authentication "results header" -.cindex headers "authentication-results:" +.chindex Authentication-Results: .cindex authentication "expansion item" This item returns a string suitable for insertion as an &'Authentication-Results:'& @@ -10081,7 +10174,7 @@ They are visible in DKIM, PRDR and DATA ACLs. Header lines that are added in a RCPT ACL (for example) are saved until the message's incoming header lines are available, at which point they are added. -When any of the above ACLs ar +When any of the above ACLs are running, however, header lines added by earlier ACLs are visible. Upper case and lower case letters are synonymous in header names. If the @@ -10102,7 +10195,7 @@ newline at the very end. For the &%header%& and &%bheader%& expansion, for those headers that contain lists of addresses, a comma is also inserted at the junctions between headers. This does not happen for the &%rheader%& expansion. -.cindex "tainted data" +.cindex "tainted data" "message headers" When the headers are from an incoming message, the result of expanding any of these variables is tainted. @@ -10357,10 +10450,11 @@ additional arguments need be given; the maximum number permitted, including the name of the subroutine, is nine. The return value of the subroutine is inserted into the expanded string, unless -the return value is &%undef%&. In that case, the expansion fails in the same -way as an explicit &"fail"& on a lookup item. The return value is a scalar. -Whatever you return is evaluated in a scalar context. For example, if you -return the name of a Perl vector, the return value is the size of the vector, +the return value is &%undef%&. In that case, the entire expansion is +forced to fail, in the same way as an explicit &"fail"& on a lookup item +does (see section &<>&). Whatever you return is evaluated +in a scalar context, thus the return value is a scalar. For example, if you +return a Perl vector, the return value is the size of the vector, not its contents. If the subroutine exits by calling Perl's &%die%& function, the expansion fails @@ -10410,7 +10504,7 @@ For more discussion and an example, see section &<>&. .cindex "expansion" "inserting an entire file" .cindex "file" "inserting into expansion" .cindex "&%readfile%& expansion item" -The filename and end-of-line string are first expanded separately. The file is +The filename and end-of-line (eol) string are first expanded separately. The file is then read, and its contents replace the entire item. All newline characters in the file are replaced by the end-of-line string if it is present. Otherwise, newlines are left in the string. @@ -10447,7 +10541,7 @@ ${readsocket{inet:[::1]:1234}{request string}} Only a single host name may be given, but if looking it up yields more than one IP address, they are each tried in turn until a connection is made. For both kinds of socket, Exim makes a connection, writes the request string -unless it is an empty string; and no terminating NUL is ever sent) +(unless it is an empty string; no terminating NUL is ever sent) and reads from the socket until an end-of-file is read. A timeout of 5 seconds is applied. Additional, optional arguments extend what can be done. Firstly, you can vary the timeout. For example: @@ -10913,7 +11007,7 @@ is controlled by the &%print_topbitchars%& option. .vitem &*${escape8bit:*&<&'string'&>&*}*& .cindex "expansion" "escaping 8-bit characters" .cindex "&%escape8bit%& expansion item" -If the string contains and characters with the most significant bit set, +If the string contains any characters with the most significant bit set, they are converted to escape sequences starting with a backslash. Backslashes and DEL characters are also converted. @@ -11109,6 +11203,10 @@ If the optional type is given it must be one of "a", "d", "h" or "l" and selects address-, domain-, host- or localpart- lists to search among respectively. Otherwise all types are searched in an undefined order and the first matching list is returned. +.new +&*Note*&: Neither string-expansion of lists referenced by named-list syntax elements, +nor expansion of lookup elements, is done by the &%listnamed%& operator. +.wen .vitem &*${local_part:*&<&'string'&>&*}*& @@ -11376,7 +11474,7 @@ Now deprecated, a synonym for the &%base64%& expansion operator. .cindex "expansion" "string length" .cindex "string" "length in expansion" .cindex "&%strlen%& expansion item" -The item is replace by the length of the expanded string, expressed as a +The item is replaced by the length of the expanded string, expressed as a decimal number. &*Note*&: Do not confuse &%strlen%& with &%length%&. All measurement is done in bytes and is not UTF-8 aware. @@ -11674,6 +11772,7 @@ users' filter files may be locked out by the system administrator. .new &*Note:*& Testing a path using this condition is not a sufficient way of de-tainting it. +Consider using a dsearch lookup. .wen .vitem &*first_delivery*& @@ -12279,7 +12378,7 @@ to the relevant file. When, as a result of aliasing or forwarding, a message is directed to a pipe, this variable holds the pipe command when the transport is running. -.vitem "&$auth1$& &-- &$auth3$&" +.vitem "&$auth1$& &-- &$auth4$&" .vindex "&$auth1$&, &$auth2$&, etc" These variables are used in SMTP authenticators (see chapters &<>&&--&<>&). Elsewhere, they are empty. @@ -13658,7 +13757,11 @@ filter file to set values that can be tested in users' filter files. For example, a system filter could set a value indicating how likely it is that a message is junk mail. -.vitem &$spam_$&&'xxx'& +.vitem &$spam_score$& &&& + &$spam_score_int$& &&& + &$spam_bar$& &&& + &$spam_report$& &&& + &$spam_action$& A number of variables whose names start with &$spam$& are available when Exim is compiled with the content-scanning extension. For details, see section &<>&. @@ -14048,6 +14151,10 @@ taint mode of the Perl interpreter. You are encouraged to set this option to a true value. To avoid breaking existing installations, it defaults to false. +.new +&*Note*&: This is entirely separate from Exim's tainted-data tracking. +.wen + .section "Calling Perl subroutines" "SECID86" When the configuration file includes a &%perl_startup%& option you can make use @@ -14482,9 +14589,11 @@ listed in more than one group. .section "Miscellaneous" "SECID96" .table2 +.row &%add_environment%& "environment variables" .row &%bi_command%& "to run for &%-bi%& command line option" .row &%debug_store%& "do extra internal checks" .row &%disable_ipv6%& "do no IPv6 processing" +.row &%keep_environment%& "environment variables" .row &%keep_malformed%& "for broken files &-- should not happen" .row &%localhost_number%& "for unique message ids in clusters" .row &%message_body_newlines%& "retain newlines in &$message_body$&" @@ -14680,6 +14789,7 @@ listed in more than one group. .row &%local_scan_timeout%& "timeout for &[local_scan()]&" .row &%message_size_limit%& "for all messages" .row &%percent_hack_domains%& "recognize %-hack for these domains" +.row &%proxy_protocol_timeout%& "timeout for proxy protocol negotiation" .row &%spamd_address%& "set interface to SpamAssassin" .row &%strict_acl_vars%& "object to unset ACL variables" .row &%spf_smtp_comment_template%& "template for &$spf_smtp_comment$&" @@ -16927,7 +17037,7 @@ not count as protocol errors (see &%smtp_max_synprot_errors%&). .option pipelining_connect_advertise_hosts main "host list&!!" * .cindex "pipelining" "early connection" .cindex "pipelining" PIPE_CONNECT -.cindex "ESMTP extensions" X_PIPE_CONNECT +.cindex "ESMTP extensions" PIPE_CONNECT If Exim is built with the SUPPORT_PIPE_CONNECT build option this option controls which hosts the facility is advertised to and from which pipeline early-connection (before MAIL) SMTP @@ -16936,7 +17046,9 @@ When used, the pipelining saves on roundtrip times. See also the &%hosts_pipe_connect%& smtp transport option. -Currently the option name &"X_PIPE_CONNECT"& is used. +.new +The SMTP service extension keyword advertised is &"PIPE_CONNECT"&. +.wen .option prdr_enable main boolean false @@ -17017,6 +17129,14 @@ admin user unless &%prod_requires_admin%& is set false. See also &%queue_list_requires_admin%& and &%commandline_checks_require_admin%&. +.new +.option proxy_protocol_timeout main time 3s +.cindex proxy "proxy protocol" +This option sets the timeout for proxy protocol negotiation. +For details see section &<>&. +.wen + + .option qualify_domain main string "see below" .cindex "domain" "for qualifying addresses" .cindex "address" "qualification" @@ -17319,6 +17439,9 @@ manager, there is no way of controlling the total number of simultaneous deliveries if the configuration allows a delivery attempt as soon as a message is received. +See also the &%max_parallel%& generic transport option, +and the &%serialize_hosts%& smtp transport option. + .cindex "number of deliveries" .cindex "delivery" "maximum number of" If you want to control the total number of deliveries on the system, you @@ -17487,7 +17610,7 @@ live with. . searchable. NM changed this occurrence for bug 1197 to no longer allow . the option name to split. -.option "smtp_accept_max_per_connection" main integer 1000 &&& +.option "smtp_accept_max_per_connection" main integer&!! 1000 &&& smtp_accept_max_per_connection .cindex "SMTP" "limiting incoming message count" .cindex "limit" "messages per SMTP connection" @@ -17497,6 +17620,11 @@ results in the transfer of a message. After the limit is reached, a 421 response is given to subsequent MAIL commands. This limit is a safety precaution against a client that goes mad (incidents of this type have been seen). +.new +The option is expanded after the HELO or EHLO is received +and may depend on values available at that time. +An empty or zero value after expansion removes the limit. +.wen .option smtp_accept_max_per_host main string&!! unset @@ -18223,8 +18351,12 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the Server Name Indication extension, then this option and others documented in &<>& will be re-expanded. -If this option is unset or empty a fresh self-signed certificate will be -generated for every connection. +If this option is unset or empty a self-signed certificate will be +.new +used. +Under Linux this is generated at daemon startup; on other platforms it will be +generated fresh for every connection. +.wen .option tls_crl main string&!! unset .cindex "TLS" "server certificate revocation list" @@ -18477,7 +18609,9 @@ than the public cert of individual clients. With both OpenSSL and GnuTLS, if the value is a file then the certificates are sent by Exim as a server to connecting clients, defining the list of accepted certificate authorities. Thus the values defined should be considered public data. To avoid this, -use the explicit directory version. +use the explicit directory version. (If your peer is Exim up to 4.85, +using GnuTLS, you may need to send the CAs (thus using the file +variant). Otherwise the peer doesn't send its certificate.) See &<>& for discussion of when this option might be re-expanded. @@ -18670,6 +18804,11 @@ which the preconditions are tested. The order of expansion of the options that provide data for a transport is: &%errors_to%&, &%headers_add%&, &%headers_remove%&, &%transport%&. +.new +The name of a router is limited to be &drivernamemax; ASCII characters long; +prior to Exim 4.95 names would be silently truncated at this length, but now +it is enforced. +.wen .option address_data routers string&!! unset @@ -18796,7 +18935,10 @@ address (with affixes removed if relevant) is the name of an account on the local system. The check is done by calling the &[getpwnam()]& function rather than trying to read &_/etc/passwd_& directly. This means that other methods of holding password data (such as NIS) are supported. If the local part is a local -user, &$home$& is set from the password data, and can be tested in other +user, +.cindex "tainted data" "de-tainting" +&$local_part_data$& is set to an untainted version of the local part and +&$home$& is set from the password data. The latter can be tested in other preconditions that are evaluated after this one (the order of evaluation is given in section &<>&). However, the value of &$home$& can be overridden by &%router_home_directory%&. If the local part is not a local user, @@ -18923,7 +19065,7 @@ transport option of the same name. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. +the DNSSEC request bit set. This applies to all of the SRV, MX, AAAA, A lookup sequence. .option dnssec_require_domains routers "domain list&!!" unset @@ -18932,7 +19074,7 @@ This applies to all of the SRV, MX, AAAA, A lookup sequence. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_require_domains%& will be done with -the dnssec request bit set. Any returns not having the Authenticated Data bit +the DNSSEC request bit set. Any returns not having the Authenticated Data bit (AD bit) set will be ignored and logged as a host-lookup failure. This applies to all of the SRV, MX, AAAA, A lookup sequence. @@ -18943,7 +19085,8 @@ This applies to all of the SRV, MX, AAAA, A lookup sequence. If this option is set, the router is skipped unless the current domain matches the list. If the match is achieved by means of a file lookup, the data that the lookup returned for the domain is placed in &$domain_data$& for use in string -expansions of the driver's private options. See section &<>& for +expansions of the driver's private options and in the transport. +See section &<>& for a list of the order in which preconditions are evaluated. @@ -19306,12 +19449,13 @@ section &<>& for a discussion of local part lists. Because the string is expanded, it is possible to make it depend on the domain, for example: .code -local_parts = dbm;/usr/local/specials/$domain +local_parts = dbm;/usr/local/specials/$domain_data .endd .vindex "&$local_part_data$&" If the match is achieved by a lookup, the data that the lookup returned for the local part is placed in the variable &$local_part_data$& for use in -expansions of the router's private options. You might use this option, for +expansions of the router's private options or in the transport. +You might use this option, for example, if you have a large number of local virtual domains, and you want to send all postmaster mail to the same place without having to set up an alias in each virtual domain: @@ -19656,6 +19800,10 @@ Values containing a list-separator should have them doubled. When a router runs, the strings are evaluated in order, to create variables which are added to the set associated with the address. +.new +This is done immediately after all the preconditions, before the +evaluation of the &%address_data%& option. +.wen The variable is set with the expansion of the value. The variables can be used by the router options (not including any preconditions) @@ -22204,6 +22352,12 @@ and &$original_domain$& is never set. .scindex IIDgenoptra1 "generic options" "transport" .scindex IIDgenoptra2 "options" "generic; for transports" .scindex IIDgenoptra3 "transport" "generic options for" +.new +The name of a transport is limited to be &drivernamemax; ASCII characters long; +prior to Exim 4.95 names would be silently truncated at this length, but now +it is enforced. +.wen + The following generic options apply to all transports: @@ -22503,7 +22657,7 @@ This defaults to the incoming sender address, but can be changed by setting .option return_path_add transports boolean false -.cindex "&'Return-path:'& header line" +.chindex Return-path: If this option is true, a &'Return-path:'& header is added to the message. Although the return path is normally available in the prefix line of BSD mailboxes, this is commonly not displayed by MUAs, and so the user does not @@ -22879,6 +23033,11 @@ If &%file%& or &%directory%& is set for a delivery from a redirection, it is used to determine the file or directory name for the delivery. Normally, the contents of &$address_file$& are used in some way in the string expansion. .endlist +If the &%create_file%& option is set to a path which +matches (see the option definition below for details) +a file or directory name +for the delivery, that name becomes de-tainted. + .cindex "tainted data" "in filenames" .cindex appendfile "tainted data" Tainted data may not be used for a file or directory name. @@ -23026,14 +23185,34 @@ directories defined by the &%directory%& option. In the case of maildir delivery, it applies to the top level directory, not the maildir directories beneath. +.new The option must be set to one of the words &"anywhere"&, &"inhome"&, or -&"belowhome"&. In the second and third cases, a home directory must have been -set for the transport. This option is not useful when an explicit filename is +&"belowhome"&, or to an absolute path. +.wen + +In the second and third cases, a home directory must have been +set for the transport, and the file or directory being created must +reside within it. +The "belowhome" checking additionally checks for attempts to use "../" +to evade the testing. +This option is not useful when an explicit filename is given for normal mailbox deliveries. It is intended for the case when filenames are generated from users' &_.forward_& files. These are usually handled by an &(appendfile)& transport called &%address_file%&. See also &%file_must_exist%&. +.new +In the fourth case, +the value given for this option must be an absolute path for an +existing directory. +The value is used for checking instead of a home directory; +checking is done in "belowhome" mode. + +.cindex "tainted data" "de-tainting" +If "belowhome" checking is used, the file or directory path +becomes de-tainted. +.wen + .option directory appendfile string&!! unset This option is mutually exclusive with the &%file%& option, but one of &%file%& @@ -23046,6 +23225,11 @@ appended to a single mailbox file. A number of different formats are provided (see &%maildir_format%& and &%mailstore_format%&), and see section &<>& for further details of this form of delivery. +.new +The result of expansion must not be tainted, unless the &%create_file%& option +specifies a path. +.wen + .option directory_file appendfile string&!! "see below" .cindex "base62" @@ -23078,6 +23262,11 @@ specifies a single file, to which the message is appended. One or more of &%use_fcntl_lock%&, &%use_flock_lock%&, or &%use_lockfile%& must be set with &%file%&. +.new +The result of expansion must not be tainted, unless the &%create_file%& option +specifies a path. +.wen + .cindex "NFS" "lock file" .cindex "locking files" .cindex "lock files" @@ -25031,12 +25220,14 @@ authenticated as a client. .option command_timeout smtp time 5m +.cindex timeout "smtp transport command" This sets a timeout for receiving a response to an SMTP command that has been sent out. It is also used when waiting for the initial banner line from the remote host. Its value must not be zero. .option connect_timeout smtp time 5m +.cindex timeout "smtp transport connect" This sets a timeout for the &[connect()]& function, which sets up a TCP/IP call to a remote host. A setting of zero allows the system timeout (typically several minutes) to act. To have any effect, the value of this option must be @@ -25072,6 +25263,7 @@ be treated as unset and &%tls_require_ciphers%& will be used instead. .option data_timeout smtp time 5m +.cindex timeout "for transmitted SMTP data blocks" This sets a timeout for the transmission of each block in the data portion of the message. As a result, the overall timeout for a message depends on the size of the message. Its value must not be zero. See also &%final_timeout%&. @@ -25142,7 +25334,7 @@ details. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. Setting this transport option is only useful if the +the DNSSEC request bit set. Setting this transport option is only useful if the transport overrides or sets the host names. See the &%dnssec_request_domains%& router option. @@ -25154,7 +25346,7 @@ router option. .cindex "security" "MX lookup" .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_require_domains%& will be done with -the dnssec request bit set. Setting this transport option is only +the DNSSEC request bit set. Setting this transport option is only useful if the transport overrides or sets the host names. See the &%dnssec_require_domains%& router option. @@ -25210,6 +25402,7 @@ fails"& facility. .option final_timeout smtp time 10m +.cindex timeout "for transmitted SMTP data accept" This is the timeout that applies while waiting for the response to the final line containing just &"."& that terminates a message. Its value must not be zero. @@ -25434,9 +25627,9 @@ TLS session for any host that matches this list. .cindex DANE "requiring for certain servers" If built with DANE support, Exim will require that a DNSSEC-validated TLSA record is present for any host matching the list, -and that a DANE-verified TLS connection is made. See -the &%dnssec_request_domains%& router and transport options. +and that a DANE-verified TLS connection is made. There will be no fallback to in-clear communication. +See the &%dnssec_request_domains%& router and transport options. See section &<>&. .option hosts_require_ocsp smtp "host list&!!" unset @@ -25456,9 +25649,12 @@ incoming messages, use an appropriate ACL. .cindex "authentication" "optional in client" This option provides a list of servers to which, provided they announce authentication support, Exim will attempt to authenticate as a client when it -connects. If authentication fails, Exim will try to transfer the message -unauthenticated. See also &%hosts_require_auth%&, and chapter -&<>& for details of authentication. +connects. If authentication fails +.new +and &%hosts_require_auth%& permits, +.wen +Exim will try to transfer the message unauthenticated. +See also chapter &<>& for details of authentication. .option hosts_try_chunking smtp "host list&!!" * .cindex CHUNKING "enabling, in client" @@ -25472,11 +25668,14 @@ BDAT will not be used in conjunction with a transport filter. .option hosts_try_dane smtp "host list&!!" * .cindex DANE "transport options" .cindex DANE "attempting for certain servers" -If built with DANE support, Exim will require that a DNSSEC-validated -TLSA record is present for any host matching the list, -and that a DANE-verified TLS connection is made. See -the &%dnssec_request_domains%& router and transport options. -There will be no fallback to in-clear communication. +.new +If built with DANE support, Exim will look up a +TLSA record for any host matching the list, +If one is found and that lookup was DNSSEC-validated, +then Exim requires that a DANE-verified TLS connection is made for that host; +there will be no fallback to in-clear communication. +.wen +See the &%dnssec_request_domains%& router and transport options. See section &<>&. .option hosts_try_fastopen smtp "host list&!!" * @@ -25561,7 +25760,7 @@ has advertised support for IGNOREQUOTA in its response to the LHLO command. This option limits the number of RCPT commands that are sent in a single SMTP message transaction. Each set of addresses is treated independently, and so can cause parallel connections to the same host if &%remote_max_parallel%& -permits this. +permits this. A value setting of zero disables the limit. .new @@ -25591,6 +25790,12 @@ It is expanded per-address and can depend on any of &$address_data$&, &$domain_data$&, &$local_part_data$&, &$host$&, &$host_address$& and &$host_port$&. +.new +If the connection is DANE-enabled then this option is ignored; +only messages having the domain used for the DANE TLSA lookup are +sent on the connection. +.wen + .option port smtp string&!! "see below" .cindex "port" "sending TCP/IP" .cindex "TCP/IP" "setting outgoing port" @@ -25628,7 +25833,7 @@ If this option is set to &"smtps"&, the default value for the &%port%& option changes to &"smtps"&, and the transport initiates TLS immediately after connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade. The Internet standards bodies used to strongly discourage use of this mode, -but as of RFC 8314 it is perferred over STARTTLS for message submission +but as of RFC 8314 it is preferred over STARTTLS for message submission (as distinct from MTA-MTA communication). @@ -26989,6 +27194,12 @@ permitted to use it as a relay. SMTP authentication is not of relevance to the transfer of mail between servers that have no managerial connection with each other. +.new +The name of an authenticator is limited to be &drivernamemax; ASCII characters long; +prior to Exim 4.95 names would be silently truncated at this length, but now +it is enforced. +.wen + .cindex "AUTH" "description of" .cindex "ESMTP extensions" AUTH Very briefly, the way SMTP authentication works is as follows: @@ -27281,7 +27492,7 @@ conditions: .ilist The client host must match &%auth_advertise_hosts%& (default *). .next -It the &%server_advertise_condition%& option is set, its expansion must not +If the &%server_advertise_condition%& option is set, its expansion must not yield the empty string, &"0"&, &"no"&, or &"false"&. .endlist @@ -27389,7 +27600,7 @@ encode '\0user@domain.com\0pas$$word' .endd gives an incorrect answer because of the unescaped &"@"& and &"$"& characters. -If you have the &%mimencode%& command installed, another way to do produce +If you have the &%mimencode%& command installed, another way to produce base64-encoded strings is to run the command .code echo -e -n `\0user\0password' | mimencode @@ -27731,7 +27942,14 @@ fixed_plain: client_send = ^username^mysecret .endd The lack of colons means that the entire text is sent with the AUTH -command, with the circumflex characters converted to NULs. A similar example +command, with the circumflex characters converted to NULs. +.new +Note that due to the ambiguity of parsing three consectutive circumflex characters +there is no way to provide a password having a leading circumflex. +.wen + + +A similar example that uses the LOGIN mechanism is: .code fixed_login: @@ -28005,7 +28223,7 @@ connection, a client certificate has been verified, the &"valid-client-cert"& option is passed. When authentication succeeds, the identity of the user who authenticated is placed in &$auth1$&. -The Dovecot configuration to match the above wil look +The Dovecot configuration to match the above will look something like: .code conf.d/10-master.conf :- @@ -28055,6 +28273,12 @@ realease for the SCRAM-SHA-256 method. The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined when this happens. +.new +To see the list of mechanisms supported by the library run Exim with "auth" debug +enabled and look for a line containing "GNU SASL supports". +Note however that some may not have been tested from Exim. +.wen + .option client_authz gsasl string&!! unset This option can be used to supply an &'authorization id'& @@ -28074,21 +28298,44 @@ the password to be used, in clear. This option is exapanded before use, and should result in the account name to be used. + .option client_spassword gsasl string&!! unset +.new +This option is only supported for library versions 1.9.1 and greater. +The macro _HAVE_AUTH_GSASL_SCRAM_S_KEY will be defined when this is so. +.wen + If a SCRAM mechanism is being used and this option is set +and correctly sized it is used in preference to &%client_password%&. The value after expansion should be a 40 (for SHA-1) or 64 (for SHA-256) character string with the PBKDF2-prepared password, hex-encoded. + Note that this value will depend on the salt and iteration-count supplied by the server. - +The option is expanded before use. +.new +During the expansion &$auth1$& is set with the client username, +&$auth2$& with the iteration count, and +&$auth3$& with the salt. + +The intent of this option +is to support clients that can cache thes salted password +to save on recalculation costs. +The cache lookup should return an unusable value +(eg. an empty string) +if the salt or iteration count has changed + +If the authentication succeeds then the above variables are set, +.vindex "&$auth4$&" +plus the calculated salted password value value in &$auth4$&, +during the expansion of the &%client_set_id%& option. +A side-effect of this expansion can be used to prime the cache. +.wen .option server_channelbinding gsasl boolean false -Do not set this true and rely on the properties -without consulting a cryptographic engineer. - Some authentication mechanisms are able to use external context at both ends of the session to bind the authentication to that context, and fail the authentication process if that context differs. Specifically, some TLS @@ -28108,9 +28355,16 @@ This defaults off to ensure smooth upgrade across Exim releases, in case this option causes some clients to start failing. Some future release of Exim might have switched the default to be true. -However, Channel Binding in TLS has proven to be vulnerable in current versions. -Do not plan to rely upon this feature for security, ever, without consulting -with a subject matter expert (a cryptographic engineer). +. However, Channel Binding in TLS has proven to be vulnerable in current versions. +. Do not plan to rely upon this feature for security, ever, without consulting +. with a subject matter expert (a cryptographic engineer). + +.new +This option was deprecated in previous releases due to doubts over +the "Triple Handshake" vulnerability. +Exim takes suitable precausions (requiring Extended Master Secret if TLS +Session Resumption was used) for safety. +.wen .option server_hostname gsasl string&!! "see below" @@ -28430,7 +28684,7 @@ and for clients to only attempt, this authentication method on a secure (eg. under TLS) connection. One possible use, compatible with the -K-9 Mail Andoid client (&url(https://k9mail.github.io/)), +K-9 Mail Android client (&url(https://k9mail.github.io/)), is for using X509 client certificates. It thus overlaps in function with the TLS authenticator @@ -29262,6 +29516,61 @@ There is no current way to staple a proof for a client certificate. .endd +.new +.section "Caching of static server configuration items" "SECTserverTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ocsp caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_ocsp_file caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ocsp +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the main configuration options &%tls_certificate%&, &%tls_privatekey%&, +&%tls_crl%& and &%tls_ocsp_file%& have values with no +expandable elements, +then the associated information is loaded at daemon startup. +It is made available +to child processes forked for handling received SMTP connections. + +This caching is currently only supported under Linux and FreeBSD. + +If caching is not possible, for example if an item has to be dependent +on the peer host so contains a &$sender_host_name$& expansion, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invalidated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +accepted by Exim. +.wen + + .section "Configuring an Exim client to use TLS" "SECTclientTLS" @@ -29302,7 +29611,10 @@ unencrypted. The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)& transport provide the client with a certificate, which is passed to the server -if it requests it. If the server is Exim, it will request a certificate only if +if it requests it. +This is an optional thing for TLS connections, although either end +may insist on it. +If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. &*Note*&: Do not use a certificate which has the OCSP-must-staple extension, @@ -29382,6 +29694,62 @@ outgoing connection. +.new +.section "Caching of static client configuration items" "SECTclientTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%& +and &%tls_crl%& have values with no +expandable elements, +then the associated information is loaded per smtp transport +at daemon startup, at the start of a queue run, or on a +command-line specified message delivery. +It is made available +to child processes forked for handling making SMTP connections. + +This caching is currently only supported under Linux. + +If caching is not possible, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated in the daemon +and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invaludated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +initiated by Exim. +.wen + + + + .section "Use of TLS Server Name Indication" "SECTtlssni" .cindex "TLS" "Server Name Indication" .cindex "TLS" SNI @@ -29418,7 +29786,7 @@ only point of caution. The &$tls_out_sni$& variable will be set to this string for the lifetime of the client connection (including during authentication). .new -If DAVE validated the connection attempt then the value of the &%tls_sni%& option +If DANE validated the connection attempt then the value of the &%tls_sni%& option is forced to the domain part of the recipient address. .wen @@ -29535,7 +29903,7 @@ Ivan is the author of the popular TLS testing tools at .section "Certificate chains" "SECID186" -The file named by &%tls_certificate%& may contain more than one +A file named by &%tls_certificate%& may contain more than one certificate. This is useful in the case where the certificate that is being sent is validated by an intermediate certificate which the other end does not have. Multiple certificates must be in the correct order in the file. @@ -29843,7 +30211,7 @@ the &%dnssec_request_domains%& router or transport option. DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records. -A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using dnssec. +A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using DNSSEC. If a TLSA lookup is done and succeeds, a DANE-verified TLS connection will be required for the host. If it does not, the host will not be used; there is no fallback to non-DANE or non-TLS. @@ -32234,6 +32602,13 @@ Section &<>& below describes how you can distinguish between different values. Some DNS lists may return more than one address record; see section &<>& for details of how they are checked. +.new +Values returned by a properly running DBSBL should be in the 127.0.0.0/8 +range. If a DNSBL operator loses control of the domain, lookups on it +may start returning other addresses. Because of this, Exim now ignores +returned values outside the 127/8 region. +.wen + .section "Variables set from DNS lists" "SECID204" .cindex "expansion" "variables, set from DNS list" @@ -32370,6 +32745,14 @@ deny dnslists = relays.ordb.org .endd which is less clear, and harder to maintain. +Negation can also be used with a bitwise-and restriction. +The dnslists condition with only be trus if a result is returned +by the lookup which, anded with the restriction, is all zeroes. +For example: +.code +deny dnslists = zen.spamhaus.org!&0.255.255.0 +.endd + @@ -32608,7 +32991,7 @@ in kilobytes, megabytes, or gigabytes, respectively. The &%per_rcpt%& option causes Exim to limit the rate at which recipients are accepted. It can be used in the &%acl_smtp_rcpt%&, &%acl_smtp_predata%&, -&%acl_smtp_mime%&, &%acl_smtp_data%&, or &%acl_smtp_rcpt%& ACLs. In +&%acl_smtp_mime%&, or &%acl_smtp_data%& ACLs. In &%acl_smtp_rcpt%& the rate is updated one recipient at a time; in the other ACLs the rate is updated with the total (accepted) recipient count in one go. Note that in either case the rate limiting engine will see a message with many @@ -35812,8 +36195,7 @@ incoming SMTP message from a source that is not permitted to send them. .section "Resent- header lines" "SECID220" -.cindex "&%Resent-%& header lines" -.cindex "header lines" "Resent-" +.chindex Resent- RFC 2822 makes provision for sets of header lines starting with the string &`Resent-`& to be added to a message when it is resent by the original recipient to somebody else. These headers are &'Resent-Date:'&, @@ -35869,8 +36251,7 @@ existing &'Bcc:'& is not removed. .section "The Date: header line" "SECID223" -.cindex "&'Date:'& header line" -.cindex "header lines" "Date:" +.cindex Date: If a locally-generated or submission-mode message has no &'Date:'& header line, Exim adds one, using the current date and time, unless the &%suppress_local_fixups%& control has been specified. @@ -35887,8 +36268,7 @@ messages. .section "The Envelope-to: header line" "SECID225" -.cindex "&'Envelope-to:'& header line" -.cindex "header lines" "Envelope-to:" +.chindex Envelope-to: .oindex "&%envelope_to_remove%&" &'Envelope-to:'& header lines are not part of the standard RFC 2822 header set. Exim can be configured to add them to the final delivery of messages. (See the @@ -35899,8 +36279,7 @@ messages. .section "The From: header line" "SECTthefrohea" -.cindex "&'From:'& header line" -.cindex "header lines" "From:" +.chindex From: .cindex "Sendmail compatibility" "&""From""& line" .cindex "message" "submission" .cindex "submission mode" @@ -35943,8 +36322,7 @@ name as described in section &<>&. .section "The Message-ID: header line" "SECID226" -.cindex "&'Message-ID:'& header line" -.cindex "header lines" "Message-ID:" +.chindex Message-ID: .cindex "message" "submission" .oindex "&%message_id_header_text%&" If a locally-generated or submission-mode incoming message does not contain a @@ -35959,8 +36337,7 @@ in this header line by setting the &%message_id_header_text%& and/or .section "The Received: header line" "SECID227" -.cindex "&'Received:'& header line" -.cindex "header lines" "Received:" +.chindex Received: A &'Received:'& header line is added at the start of every message. The contents are defined by the &%received_header_text%& configuration option, and Exim automatically adds a semicolon and a timestamp to the configured string. @@ -35976,8 +36353,7 @@ changed to the time of acceptance, which is (apart from a small delay while the .section "The References: header line" "SECID228" -.cindex "&'References:'& header line" -.cindex "header lines" "References:" +.chindex References: Messages created by the &(autoreply)& transport include a &'References:'& header line. This is constructed according to the rules that are described in section 3.64 of RFC 2822 (which states that replies should contain such a @@ -35991,8 +36367,7 @@ incoming message. If there are more than 12, the first one and then the final .section "The Return-path: header line" "SECID229" -.cindex "&'Return-path:'& header line" -.cindex "header lines" "Return-path:" +.chindex Return-path: .oindex "&%return_path_remove%&" &'Return-path:'& header lines are defined as something an MTA may insert when it does the final delivery of messages. (See the generic &%return_path_add%& @@ -36005,7 +36380,7 @@ default), Exim removes &'Return-path:'& header lines from incoming messages. .section "The Sender: header line" "SECTthesenhea" .cindex "&'Sender:'& header line" .cindex "message" "submission" -.cindex "header lines" "Sender:" +.chindex Sender: For a locally-originated message from an untrusted user, Exim may remove an existing &'Sender:'& header line, and it may add a new one. You can modify these actions by setting the &%local_sender_retain%& option true, the @@ -37793,7 +38168,7 @@ implying the use of a default path. When Exim encounters an empty item in the list, it searches the list defined by LOG_FILE_PATH, and uses the first item it finds that is neither empty nor &"syslog"&. This means that an empty item in &%log_file_path%& can be used to -mean &"use the path specified at build time"&. It no such item exists, log +mean &"use the path specified at build time"&. If no such item exists, log files are written in the &_log_& subdirectory of the spool directory. This is equivalent to the setting: .code @@ -38105,8 +38480,11 @@ parentheses afterwards. When more than one address is included in a single delivery (for example, two SMTP RCPT commands in one transaction) the second and subsequent addresses are flagged with &`->`& instead of &`=>`&. When two or more messages are delivered -down a single SMTP connection, an asterisk follows the IP address in the log -lines for the second and subsequent messages. +down a single SMTP connection, an asterisk follows the +.new +remote IP address (and port if enabled) +.wen +in the log lines for the second and subsequent messages. When two or more messages are delivered down a single TLS connection, the DNS and some TLS-related information logged for the first message delivered will not be present in the log lines for the second and subsequent messages. @@ -38335,6 +38713,7 @@ selection marked by asterisks: &` outgoing_port `& add remote port to => lines &`*queue_run `& start and end queue runs &` queue_time `& time on queue for one recipient +&`*queue_time_exclusive `& exclude recieve time from QT times &` queue_time_overall `& time on queue for whole message &` pid `& Exim process id &` pipelining `& PIPELINING use, on <= and => lines @@ -38473,6 +38852,7 @@ routing email addresses, but it does apply to &"byname"& lookups. client's ident port times out. .next .cindex "log" "incoming interface" +.cindex "log" "outgoing interface" .cindex "log" "local interface" .cindex "log" "local address and port" .cindex "TCP/IP" "logging local address and port" @@ -38481,7 +38861,10 @@ client's ident port times out. to the &"<="& line as an IP address in square brackets, tagged by I= and followed by a colon and the port number. The local interface and port are also added to other SMTP log lines, for example, &"SMTP connection from"&, to -rejection lines, and (despite the name) to outgoing &"=>"& and &"->"& lines. +rejection lines, and (despite the name) to outgoing +.new +&"=>"&, &"->"&, &"=="& and &"**"& lines. +.wen The latter can be disabled by turning off the &%outgoing_interface%& option. .next .cindex log "incoming proxy address" @@ -38572,18 +38955,13 @@ Delivery "L" fields have an asterisk appended if used. .cindex "log" "queue time" &%queue_time%&: The amount of time the message has been in the queue on the local host is logged as QT=<&'time'&> on delivery (&`=>`&) lines, for example, -&`QT=3m45s`&. The clock starts when Exim starts to receive the message, so it -includes reception time as well as the delivery time for the current address. -This means that it may be longer than the difference between the arrival and -delivery log line times, because the arrival log line is not written until the -message has been successfully received. +&`QT=3m45s`&. If millisecond logging is enabled, short times will be shown with greater precision, eg. &`QT=1.578s`&. .next &%queue_time_overall%&: The amount of time the message has been in the queue on the local host is logged as QT=<&'time'&> on &"Completed"& lines, for -example, &`QT=3m45s`&. The clock starts when Exim starts to receive the -message, so it includes reception time as well as the total delivery time. +example, &`QT=3m45s`&. .next .cindex "log" "receive duration" &%receive_time%&: For each message, the amount of real time it has taken to @@ -38642,10 +39020,12 @@ it is too big. .cindex "log" "frozen messages; skipped" .cindex "frozen messages" "logging skipping" &%skip_delivery%&: A log line is written whenever a message is skipped during a -queue run because it is frozen or because another process is already delivering -it. +queue run because it another process is already delivering it or because +it is frozen. .cindex "&""spool file is locked""&" -The message that is written is &"spool file is locked"&. +.cindex "&""message is frozen""&" +The message that is written is either &"spool file is locked"& or +&"message is frozen"&. .next .cindex "log" "smtp confirmation" .cindex "SMTP" "logging confirmation" @@ -38748,7 +39128,7 @@ unchanged, or whether they should be rendered as escape sequences. when TLS is in use. The item is &`CV=yes`& if the peer's certificate was verified using a CA trust anchor, -&`CA=dane`& if using a DNS trust anchor, +&`CV=dane`& if using a DNS trust anchor, and &`CV=no`& if not. .next .cindex "log" "TLS cipher" @@ -40809,7 +41189,7 @@ but for EC keys it is the base64 of the pure key; no ASN.1 wrapping. Signing is enabled by setting private options on the SMTP transport. These options take (expandable) strings as arguments. -.option dkim_domain smtp string list&!! unset +.option dkim_domain smtp "string list&!!" unset The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn, @@ -40819,7 +41199,7 @@ while expanding the remaining signing options. If it is empty after expansion, DKIM signing is not done, and no error will result even if &%dkim_strict%& is set. -.option dkim_selector smtp string list&!! unset +.option dkim_selector smtp "string list&!!" unset This sets the key selector string. After expansion, which can use &$dkim_domain$&, this can be a list. Each element in turn is put in the expansion @@ -40828,6 +41208,15 @@ option along with &%$dkim_domain%&. If the option is empty after expansion, DKIM signing is not done for this domain, and no error will result even if &%dkim_strict%& is set. +.new +To do, for example, dual-signing with RSA and EC keys +this could be be used: +.code +dkim_selector = ec_sel : rsa_sel +dkim_private_key = KEYS_DIR/$dkim_selector +.endd +.wen + .option dkim_private_key smtp string&!! unset This sets the private key to use. You can use the &%$dkim_domain%& and @@ -41483,7 +41872,7 @@ Example usage: .code #macro SRS_SECRET = - + #routers outbound: @@ -41493,7 +41882,7 @@ Example usage: transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {remote_smtp} {remote_forwarded_smtp}} - + inbound_srs: driver = redirect senders = : @@ -41501,7 +41890,7 @@ Example usage: # detect inbound bounces which are SRS'd, and decode them condition = ${if inbound_srs {$local_part} {SRS_SECRET}} data = $srs_recipient - + inbound_srs_failure: driver = redirect senders = : @@ -41513,7 +41902,7 @@ Example usage: #... further routers here - + # transport; should look like the non-forward outbound # one, plus the max_rcpt and return_path options remote_forwarded_smtp: @@ -41806,7 +42195,8 @@ automatically determines which version is in use. The Proxy Protocol header is the first data received on a TCP connection and is inserted before any TLS-on-connect handshake from the client; Exim negotiates TLS between Exim-as-server and the remote client, not between -Exim and the proxy server. +Exim and the proxy server. The Proxy Protocol header must be received +within &%proxy_protocol_timeout%&, which defaults to 3s. The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces