Fix three issues highlighted by clang analyser.

[users/heiko/exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 167208ac9482e4d8648cd22dfbaf03d42a4ac36b..c4c181ef1a9f426ba75c5617f4cc0482aa4855a9 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -46,7 +46,7 @@
 . /////////////////////////////////////////////////////////////////////////////
 
 .set previousversion "4.75"
 . /////////////////////////////////////////////////////////////////////////////
 
 .set previousversion "4.75"

-.set version "4.77"
+.set version "4.80"

 
 .set ACL "access control lists (ACLs)"
 .set I   "    "
 
 .set ACL "access control lists (ACLs)"
 .set I   "    "


@@ -170,15 +170,15 @@
 <bookinfo>
 <title>Specification of the Exim Mail Transfer Agent</title>
 <titleabbrev>The Exim MTA</titleabbrev>
 <bookinfo>
 <title>Specification of the Exim Mail Transfer Agent</title>
 <titleabbrev>The Exim MTA</titleabbrev>

-<date>06 May 2011</date>
+<date>17 May 2012</date>

 <author><firstname>Exim</firstname><surname>Maintainers</surname></author>
 <authorinitials>EM</authorinitials>
 <revhistory><revision>
 <author><firstname>Exim</firstname><surname>Maintainers</surname></author>
 <authorinitials>EM</authorinitials>
 <revhistory><revision>

-  <revnumber>4.77</revnumber>
-  <date>10 Oct 2011</date>
+  <revnumber>4.80</revnumber>
+  <date>17 May 2012</date>

   <authorinitials>EM</authorinitials>
 </revision></revhistory>
   <authorinitials>EM</authorinitials>
 </revision></revhistory>

-<copyright><year>2011</year><holder>University of Cambridge</holder></copyright>
+<copyright><year>2012</year><holder>University of Cambridge</holder></copyright>

 </bookinfo>
 .literal off
 
 </bookinfo>
 .literal off
 


@@ -6756,11 +6756,13 @@ is used on its own as the result. If the lookup does not succeed, the
 &`fail`& keyword causes a &'forced expansion failure'& &-- see section
 &<<SECTforexpfai>>& for an explanation of what this means.
 
 &`fail`& keyword causes a &'forced expansion failure'& &-- see section
 &<<SECTforexpfai>>& for an explanation of what this means.
 

-The supported DNS record types are A, CNAME, MX, NS, PTR, SRV, and TXT, and,
-when Exim is compiled with IPv6 support, AAAA (and A6 if that is also
+.new
+The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, and TXT,
+and, when Exim is compiled with IPv6 support, AAAA (and A6 if that is also

 configured). If no type is given, TXT is assumed. When the type is PTR,
 the data can be an IP address, written as normal; inversion and the addition of
 &%in-addr.arpa%& or &%ip6.arpa%& happens automatically. For example:
 configured). If no type is given, TXT is assumed. When the type is PTR,
 the data can be an IP address, written as normal; inversion and the addition of
 &%in-addr.arpa%& or &%ip6.arpa%& happens automatically. For example:

+.wen

 .code
 ${lookup dnsdb{ptr=192.168.4.5}{$value}fail}
 .endd
 .code
 ${lookup dnsdb{ptr=192.168.4.5}{$value}fail}
 .endd


@@ -6786,13 +6788,18 @@ It is permitted to specify a space as the separator character. Further
 white space is ignored.
 
 .cindex "TXT record" "in &(dnsdb)& lookup"
 white space is ignored.
 
 .cindex "TXT record" "in &(dnsdb)& lookup"

+.cindex "SPF record" "in &(dnsdb)& lookup"
+.new

 For TXT records with multiple items of data, only the first item is returned,
 unless a separator for them is specified using a comma after the separator
 character followed immediately by the TXT record item separator. To concatenate
 For TXT records with multiple items of data, only the first item is returned,
 unless a separator for them is specified using a comma after the separator
 character followed immediately by the TXT record item separator. To concatenate

-items without a separator, use a semicolon instead.
+items without a separator, use a semicolon instead. For SPF records the
+default behaviour is to concatenate multiple items without using a separator.
+.wen

 .code
 ${lookup dnsdb{>\n,: txt=a.b.example}}
 ${lookup dnsdb{>\n; txt=a.b.example}}
 .code
 ${lookup dnsdb{>\n,: txt=a.b.example}}
 ${lookup dnsdb{>\n; txt=a.b.example}}

+${lookup dnsdb{spf=example.org}}

 .endd
 It is permitted to specify a space as the separator character. Further
 white space is ignored.
 .endd
 It is permitted to specify a space as the separator character. Further
 white space is ignored.


@@ -9767,7 +9774,8 @@ supplied number and is at least 0.  The quality of this randomness depends
 on how Exim was built; the values are not suitable for keying material.
 If Exim is linked against OpenSSL then RAND_pseudo_bytes() is used.
 .new
 on how Exim was built; the values are not suitable for keying material.
 If Exim is linked against OpenSSL then RAND_pseudo_bytes() is used.
 .new

-if Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used.
+If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used,
+for versions of GnuTLS with that function.

 .wen
 Otherwise, the implementation may be arc4random(), random() seeded by
 srandomdev() or srandom(), or a custom implementation even weaker than
 .wen
 Otherwise, the implementation may be arc4random(), random() seeded by
 srandomdev() or srandom(), or a custom implementation even weaker than


@@ -11942,6 +11950,10 @@ files, for example: Thu Oct 17 17:14:09 1995.
 .vindex "&$tod_epoch$&"
 The time and date as a number of seconds since the start of the Unix epoch.
 
 .vindex "&$tod_epoch$&"
 The time and date as a number of seconds since the start of the Unix epoch.
 

+.vitem &$tod_epoch_l$&
+.vindex "&$tod_epoch_l$&"
+The time and date as a number of microseconds since the start of the Unix epoch.
+

 .vitem &$tod_full$&
 .vindex "&$tod_full$&"
 A full version of the time and date, for example: Wed, 16 Oct 1995 09:51:40
 .vitem &$tod_full$&
 .vindex "&$tod_full$&"
 A full version of the time and date, for example: Wed, 16 Oct 1995 09:51:40


@@ -14393,7 +14405,7 @@ adjusted lightly.  An unrecognised item will be detected at startup, by
 invoking Exim with the &%-bV%& flag.
 
 .new
 invoking Exim with the &%-bV%& flag.
 
 .new

-Historical note: prior to release 4.78, Exim defaulted this value to
+Historical note: prior to release 4.80, Exim defaulted this value to

 "+dont_insert_empty_fragments", which may still be needed for compatibility
 with some clients, but which lowers security by increasing exposure to
 some now infamous attacks.
 "+dont_insert_empty_fragments", which may still be needed for compatibility
 with some clients, but which lowers security by increasing exposure to
 some now infamous attacks.


@@ -24546,7 +24558,7 @@ who authenticated is placed in &$auth1$&.
 .cindex "authentication" "CRAM-MD5"
 .cindex "authentication" "SCRAM-SHA-1"
 The &(gsasl)& authenticator provides server integration for the GNU SASL
 .cindex "authentication" "CRAM-MD5"
 .cindex "authentication" "SCRAM-SHA-1"
 The &(gsasl)& authenticator provides server integration for the GNU SASL

-library and the mechanisms it provides.  This is new as of the 4.78 release
+library and the mechanisms it provides.  This is new as of the 4.80 release

 and there are a few areas where the library does not let Exim smoothly
 scale to handle future authentication mechanisms, so no guarantee can be
 made that any particular new authentication mechanism will be supported
 and there are a few areas where the library does not let Exim smoothly
 scale to handle future authentication mechanisms, so no guarantee can be
 made that any particular new authentication mechanism will be supported


@@ -24959,7 +24971,8 @@ implementation, then patches are welcome.
 GnuTLS uses D-H parameters that may take a substantial amount of time
 to compute. It is unreasonable to re-compute them for every TLS session.
 Therefore, Exim keeps this data in a file in its spool directory, called
 GnuTLS uses D-H parameters that may take a substantial amount of time
 to compute. It is unreasonable to re-compute them for every TLS session.
 Therefore, Exim keeps this data in a file in its spool directory, called

-&_gnutls-params-normal_&.
+&_gnutls-params-NNNN_& for some value of NNNN, corresponding to the number
+of bits requested.

 The file is owned by the Exim user and is readable only by
 its owner. Every Exim process that start up GnuTLS reads the D-H
 parameters from this file. If the file does not exist, the first Exim process
 The file is owned by the Exim user and is readable only by
 its owner. Every Exim process that start up GnuTLS reads the D-H
 parameters from this file. If the file does not exist, the first Exim process


@@ -24978,7 +24991,7 @@ until enough randomness (entropy) is available. This may cause Exim to hang for
 a substantial amount of time, causing timeouts on incoming connections.
 
 The solution is to generate the parameters externally to Exim. They are stored
 a substantial amount of time, causing timeouts on incoming connections.
 
 The solution is to generate the parameters externally to Exim. They are stored

-in &_gnutls-params-normal_& in PEM format, which means that they can be
+in &_gnutls-params-N_& in PEM format, which means that they can be

 generated externally using the &(certtool)& command that is part of GnuTLS.
 
 To replace the parameters with new ones, instead of deleting the file
 generated externally using the &(certtool)& command that is part of GnuTLS.
 
 To replace the parameters with new ones, instead of deleting the file


@@ -24986,20 +24999,27 @@ and letting Exim re-create it, you can generate new parameters using
 &(certtool)& and, when this has been done, replace Exim's cache file by
 renaming. The relevant commands are something like this:
 .code
 &(certtool)& and, when this has been done, replace Exim's cache file by
 renaming. The relevant commands are something like this:
 .code

+# ls
+[ look for file; assume gnutls-params-1024 is the most recent ]

 # rm -f new-params
 # touch new-params
 # chown exim:exim new-params
 # chmod 0600 new-params
 # rm -f new-params
 # touch new-params
 # chown exim:exim new-params
 # chmod 0600 new-params

-# certtool --generate-dh-params >>new-params
+# certtool --generate-dh-params --bits 1024 >>new-params

 # chmod 0400 new-params
 # chmod 0400 new-params

-# mv new-params gnutls-params-normal
+# mv new-params gnutls-params-1024

 .endd
 If Exim never has to generate the parameters itself, the possibility of
 stalling is removed.
 
 .endd
 If Exim never has to generate the parameters itself, the possibility of
 stalling is removed.
 

-The filename changed in Exim 4.78, to gain the -normal suffix, corresponding
-to the GnuTLS constant &`GNUTLS_SEC_PARAM_NORMAL`&, defining the number of
-bits to include.  At time of writing, NORMAL corresponds to 2432 bits for D-H.
+The filename changed in Exim 4.80, to gain the -bits suffix.  The value which
+Exim will choose depends upon the version of GnuTLS in use.  For older GnuTLS,
+the value remains hard-coded in Exim as 1024.  As of GnuTLS 2.12.x, there is
+a way for Exim to ask for the "normal" number of bits for D-H public-key usage,
+and Exim does so.  Exim thus removes itself from the policy decision, and the
+filename and bits used change as the GnuTLS maintainers change the value for
+their parameter &`GNUTLS_SEC_PARAM_NORMAL`&.  At the time of writing, this
+gives 2432 bits.

 .wen
 
 
 .wen
 
 


@@ -25076,7 +25096,7 @@ Documentation of the strings accepted may be found in the GnuTLS manual, under
 "Priority strings".  This is online as
 &url(http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html).
 
 "Priority strings".  This is online as
 &url(http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html).
 

-Prior to Exim 4.78, an older API of GnuTLS was used, and Exim supported three
+Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three

 additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and
 "&%gnutls_require_protocols%&".  &%tls_require_ciphers%& was an Exim list.
 .wen
 additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and
 "&%gnutls_require_protocols%&".  &%tls_require_ciphers%& was an Exim list.
 .wen