X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/fde873f3a2871df467e5783eaa685295015c0089..fc7bae7f2fa3668ada9bd173e9f24c7166e1dd13:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index e48b3539f..7cd3e8621 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1886,11 +1886,10 @@ to your &_Local/Makefile_& and rebuild Exim. .section "Including TLS/SSL encryption support" "SECTinctlsssl" .cindex "TLS" "including support for TLS" .cindex "encryption" "including support for" -.cindex "SUPPORT_TLS" .cindex "OpenSSL" "building Exim with" .cindex "GnuTLS" "building Exim with" -Exim can be built to support encrypted SMTP connections, using the STARTTLS -command as per RFC 2487. It can also support legacy clients that expect to +Exim is usually built to support encrypted SMTP connections, using the STARTTLS +command as per RFC 2487. It can also support clients that expect to start a TLS session immediately on connection to a non-standard port (see the &%tls_on_connect_ports%& runtime option and the &%-tls-on-connect%& command line option). @@ -1899,35 +1898,41 @@ If you want to build Exim with TLS support, you must first install either the OpenSSL or GnuTLS library. There is no cryptographic code in Exim itself for implementing SSL. +.new +If you do not want TLS support you should set +.code +DISABLE_TLS=yes +.endd +in &_Local/Makefile_&. +.wen + If OpenSSL is installed, you should set .code -SUPPORT_TLS=yes +USE_OPENSL=yes TLS_LIBS=-lssl -lcrypto .endd in &_Local/Makefile_&. You may also need to specify the locations of the OpenSSL library and include files. For example: .code -SUPPORT_TLS=yes +USE_OPENSL=yes TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto TLS_INCLUDE=-I/usr/local/openssl/include/ .endd .cindex "pkg-config" "OpenSSL" If you have &'pkg-config'& available, then instead you can just use: .code -SUPPORT_TLS=yes +USE_OPENSL=yes USE_OPENSSL_PC=openssl .endd .cindex "USE_GNUTLS" If GnuTLS is installed, you should set .code -SUPPORT_TLS=yes USE_GNUTLS=yes TLS_LIBS=-lgnutls -ltasn1 -lgcrypt .endd in &_Local/Makefile_&, and again you may need to specify the locations of the library and include files. For example: .code -SUPPORT_TLS=yes USE_GNUTLS=yes TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt TLS_INCLUDE=-I/usr/gnu/include @@ -1935,7 +1940,6 @@ TLS_INCLUDE=-I/usr/gnu/include .cindex "pkg-config" "GnuTLS" If you have &'pkg-config'& available, then instead you can just use: .code -SUPPORT_TLS=yes USE_GNUTLS=yes USE_GNUTLS_PC=gnutls .endd @@ -3959,6 +3963,20 @@ is sent to the sender, containing the text &"cancelled by administrator"&. Bounce messages are just discarded. This option can be used only by an admin user. +.new +.vitem &%-MG%&&~<&'queue&~name'&&~<&'message&~id'&>&~<&'message&~id'&>&~... +.oindex "&%-MG%&" +.cindex queue named +.cindex "named queues" +.cindex "queue" "moving messages" +This option requests that each listed message be moved from its current +queue to the given named queue. +The destination queue name argument is required, but can be an empty +string to define the default queue. +If the messages are not currently located in the default queue, +a &%-qG%& option will be required to define the source queue. +.wen + .vitem &%-Mmad%&&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-Mmad%&" .cindex "delivery" "cancelling all" @@ -6109,9 +6127,6 @@ dnslookup: domains = ! +local_domains transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 -.ifdef _HAVE_DNSSEC - dnssec_request_domains = * -.endif no_more .endd The &%domains%& option behaves as per smarthost, above. @@ -13350,6 +13365,9 @@ or a &%def%& condition. &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used for &%tls_certificate%&, this variable is not reliable. +.new +The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. +.wen .vitem &$tls_in_peercert$& .vindex "&$tls_in_peercert$&" @@ -17682,9 +17700,9 @@ separator in the usual way (&<>&) to avoid confusion under IP &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used, the &$tls_in_ourcert$& variable is unreliable. - -&*Note*&: OCSP stapling is not usable under OpenSSL -when a list of more than one file is used. +.new +The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. +.wen If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the @@ -17837,6 +17855,9 @@ status proof for the server's certificate, as obtained from the Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). +.new +The macro "_HAVE_TLS_OCSP" will be defined for those versions. +.wen .new For OpenSSL 1.1.0 or later, and @@ -17844,6 +17865,9 @@ For OpenSSL 1.1.0 or later, and for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the &%tls_certificate%& option. The ordering of the two lists must match. +.new +The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions. +.wen .new The file(s) should be in DER format, @@ -28032,11 +28056,8 @@ to use GnuTLS, you need to set .code USE_GNUTLS=yes .endd -in Local/Makefile, in addition to -.code -SUPPORT_TLS=yes -.endd -You must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the +in Local/Makefile +you must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the include files and libraries for GnuTLS can be found. There are some differences in usage when using GnuTLS instead of OpenSSL: