X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/fdf795c0825dd7c052de4725b5842e0747a536dd..8544e77a6ed430f7063162906c449f1353d72e58:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b33edeb97..5cd8f1c0d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.74 2010/05/29 19:26:31 nm4 Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.77 2010/06/05 11:13:29 pdp Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -3169,6 +3169,17 @@ above concerning senders and qualification do not apply. In this situation, Exim behaves in exactly the same way as it does when receiving a message via the listening daemon. +.vitem &%-bmalware%&&~<&'filename'&> +.oindex "&%-bmalware%&" +.cindex "testing", "malware" +.cindex "malware scan test" +This debugging option causes Exim to scan the given file, +using the malware scanning framework. The option of av_scanner influences +this option, so if av_scanner's value is dependent upon an expansion then +the expansion should have defaults which apply to this invocation. Exim will +have changed working directory before resolving the filename, so using fully +qualified pathnames is advisable. This option requires admin privileges. + .vitem &%-bt%& .oindex "&%-bt%&" .cindex "testing" "addresses" @@ -12392,6 +12403,7 @@ listed in more than one group. .row &%gnutls_require_mac%& "control GnuTLS MAC algorithms" .row &%gnutls_require_protocols%& "control GnuTLS protocols" .row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" +.row &%openssl_options%& "adjust OpenSSL compatibility options" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" .row &%tls_crl%& "certificate revocation list" @@ -13951,6 +13963,14 @@ an oversized message is logged in both the main and the reject logs. See also the generic transport option &%message_size_limit%&, which limits the size of message that an individual transport can process. +If you use a virus-scanner and set this option to to a value larger than the +maximum size that your virus-scanner is configured to support, you may get +failures triggered by large mails. The right size to configure for the +virus-scanner depends upon what data is passed and the options in use but it's +probably safest to just set it to a little larger than this value. Eg, with a +default Exim message size of 50M and a default ClamAV StreamMaxLength of 10M, +some problems may result. + .option move_frozen_messages main boolean false .cindex "frozen messages" "moving" @@ -14003,6 +14023,36 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. +.option openssl_options main "string list" +dont_insert_empty_fragments +.cindex "OpenSSL "compatibility options" +This option allows an administrator to adjust the SSL options applied +by OpenSSL to connections. It is given as a space-separated list of items, +each one to be +added or -subtracted from the current value. The default +value is one option which happens to have been set historically. You can +remove all options with: +.code +openssl_options = -all +.endd +This option is only available if Exim is built against OpenSSL. The values +available for this option vary according to the age of your OpenSSL install. +The &"all"& value controls a subset of flags which are available, typically +the bug workaround options. The &'SSL_CTX_set_options'& man page will +list the values known on your system and Exim should support all the +&"bug workaround"& options and many of the &"modifying"& options. The Exim +names lose the leading &"SSL_OP_"& and are lower-cased. + +Note that adjusting the options can have severe impact upon the security of +SSL as used by Exim. It is possible to disable safety checks and shoot +yourself in the foot in various unpleasant ways. This option should not be +adjusted lightly. An unrecognised item will be detected at by invoking Exim +with the &%-bV%& flag. + +An example: +.code +openssl_options = -all +microsoft_big_sslv3_buffer +.endd + + .option oracle_servers main "string list" unset .cindex "Oracle" "server list" This option provides a list of Oracle servers and associated connection data, @@ -21044,6 +21094,17 @@ sought in the PATH directories, in the usual way. &*Warning*&: This does not apply to a command specified as a transport filter. +.option permit_coredump pipe boolean false +Normally Exim inhibits core-dumps during delivery. If you have a need to get +a core-dump of a pipe command, enable this command. This enables core-dumps +during delivery and affects both the Exim binary and the pipe command run. +It is recommended that this option remain off unless and until you have a need +for it and that this only be enabled when needed, as the risk of excessive +resource consumption can be quite high. Note also that Exim is typically +installed as a setuid binary and most operating systems will inhibit coredumps +of these by default, so further OS-specific action may be required. + + .option pipe_as_creator pipe boolean false .cindex "uid (user id)" "local delivery" If the generic &%user%& option is not set and this option is true, the delivery @@ -27842,8 +27903,16 @@ required: either the path and name of a UNIX socket file, or a hostname or IP number, and a port, separated by space, as in the second of these examples: .code av_scanner = clamd:/opt/clamd/socket -av_scanner = clamd:192.168.2.100 1234 -.endd +av_scanner = clamd:192.0.2.3 1234 +av_scanner = clamd:192.0.2.3 1234:local +.endd +If the value of av_scanner points to a UNIX socket file or contains the local +keyword, then the ClamAV interface will pass a filename containing the data +to be scanned, which will should normally result in less I/O happening and be +more efficient. Normally in the TCP case, the data is streamed to ClamAV as +Exim does not assume that there is a common filesystem with the remote host. +There is an option WITH_OLD_CLAMAV_STREAM in &_src/EDITME_& available, should +you be running a version of ClamAV prior to 0.95. If the option is unset, the default is &_/tmp/clamd_&. Thanks to David Saez for contributing the code for this scanner. @@ -27983,6 +28052,9 @@ If your virus scanner cannot unpack MIME and TNEF containers itself, you should use the &%demime%& condition (see section &<>&) before the &%malware%& condition. +Beware the interaction of Exim's &%message_size_limit%& with any size limits +imposed by your anti-virus scanner. + Here is a very simple scanning example: .code deny message = This message contains malware ($malware_name)