X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/12f6998964d44c0a40783162fc37eabe770f4382..9940096804c9f3985ca3bc9d862cefa0daa29c96:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 61cdc1ee1..858438431 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -2678,6 +2678,15 @@ no arguments. This option is an alias for &%-bV%& and causes version information to be displayed. +.new +.vitem &%-Ac%& &&& + &%-Am%& +.oindex "&%-Ac%&" +.oindex "&%-Am%&" +These options are used by Sendmail for selecting configuration files and are +ignored by Exim. +.wen + .vitem &%-B%&<&'type'&> .oindex "&%-B%&" .cindex "8-bit characters" @@ -2938,6 +2947,7 @@ if this is required. If the &%bi_command%& option is not set, calling Exim with &%-bi%& is a no-op. .new +. // Keep :help first, then the rest in alphabetical order .vitem &%-bI:help%& .oindex "&%-bI:help%&" .cindex "querying exim information" @@ -2947,6 +2957,12 @@ consumption. This one is not. The &%-bI:help%& option asks Exim for a synopsis of supported options beginning &`-bI:`&. Use of any of these options shall cause Exim to exit after producing the requested output. +.vitem &%-bI:dscp%& +.oindex "&%-bI:dscp%&" +.cindex "DSCP" "values" +This option causes Exim to emit an alphabetically sorted list of all +recognised DSCP names. + .vitem &%-bI:sieve%& .oindex "&%-bI:sieve%&" .cindex "Sieve filter" "capabilities" @@ -3679,8 +3695,19 @@ if &%-f%& is also present, it overrides &"From&~"&. .vitem &%-G%& .oindex "&%-G%&" -.cindex "Sendmail compatibility" "&%-G%& option ignored" -This is a Sendmail option which is ignored by Exim. +.cindex "submission fixups, suppressing (command-line)" +.new +This option is equivalent to an ACL applying: +.code +control = suppress_local_fixups +.endd +for every message received. Note that Sendmail will complain about such +bad formatting, where Exim silently just does not fix it up. This may change +in future. + +As this affects audit information, the caller must be a trusted user to use +this option. +.wen .vitem &%-h%&&~<&'number'&> .oindex "&%-h%&" @@ -3698,6 +3725,19 @@ line by itself should not terminate an incoming, non-SMTP message. I can find no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'& command in Solaris 2.4 uses it. See also &%-ti%&. +.new +.vitem &%-L%&&~<&'tag'&> +.oindex "&%-L%&" +.cindex "syslog" "process name; set with flag" +This option is equivalent to setting &%syslog_processname%& in the config +file and setting &%log_file_path%& to &`syslog`&. +Its use is restricted to administrators. The configuration file has to be +read and parsed, to determine access rights, before this is set and takes +effect, so early configuration file errors will not honour this flag. + +The tag should not be longer than 32 characters. +.wen + .vitem &%-M%&&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-M%&" .cindex "forcing delivery" @@ -4559,6 +4599,13 @@ AIX uses &%-x%& for a private purpose (&"mail from a local mail program has National Language Support extended characters in the body of the mail item"&). It sets &%-x%& when calling the MTA from its &%mail%& command. Exim ignores this option. + +.new +.vitem &%-X%&&~<&'logfile'&> +.oindex "&%-X%&" +This option is interpreted by Sendmail to cause debug information to be sent +to the named file. It is ignored by Exim. +.wen .endlist .ecindex IIDclo1 @@ -11687,6 +11734,31 @@ driver that successfully authenticated the client from which the message was received. It is empty if there was no successful authentication. See also &$authenticated_id$&. +.new +.vitem &$sender_host_dnssec$& +.vindex "&$sender_host_dnssec$&" +If &$sender_host_name$& has been populated (by reference, &%hosts_lookup%& or +otherwise) then this boolean will have been set true if, and only if, the +resolver library states that the reverse DNS was authenticated data. At all +other times, this variable is false. + +It is likely that you will need to coerce DNSSEC support on in the resolver +library, by setting: +.code +dns_use_dnssec = 1 +.endd + +Exim does not perform DNSSEC validation itself, instead leaving that to a +validating resolver (eg, unbound, or bind with suitable configuration). + +Exim does not (currently) check to see if the forward DNS was also secured +with DNSSEC, only the reverse DNS. + +If you have changed &%host_lookup_order%& so that &`bydns`& is not the first +mechanism in the list, then this variable will be false. +.wen + + .vitem &$sender_host_name$& .vindex "&$sender_host_name$&" When a message is received from a remote host, this variable contains the @@ -12836,6 +12908,9 @@ See also the &'Policy controls'& section above. .row &%dns_ipv4_lookup%& "only v4 lookup for these domains" .row &%dns_retrans%& "parameter for resolver" .row &%dns_retry%& "parameter for resolver" +.new +.row &%dns_use_dnssec%& "parameter for resolver" +.wen .row &%dns_use_edns0%& "parameter for resolver" .row &%hold_domains%& "hold delivery for these domains" .row &%local_interfaces%& "for routing checks" @@ -13476,6 +13551,18 @@ to set in them. See &%dns_retrans%& above. +.new +.option dns_use_dnssec main integer -1 +.cindex "DNS" "resolver options" +.cindex "DNS" "DNSSEC" +If this option is set to a non-negative number then Exim will initialise the +DNS resolver library to either use or not use DNSSEC, overriding the system +default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on. + +If the resolver library does not support DNSSEC then this option has no effect. +.wen + + .option dns_use_edns0 main integer -1 .cindex "DNS" "resolver options" .cindex "DNS" "EDNS0" @@ -18370,6 +18457,18 @@ quote just the command. An item such as .endd is interpreted as a pipe with a rather strange command name, and no arguments. +.new +Note that the above example assumes that the text comes from a lookup source +of some sort, so that the quotes are part of the data. If composing a +redirect router with a &%data%& option directly specifying this command, the +quotes will be used by the configuration parser to define the extent of one +string, but will not be passed down into the redirect router itself. There +are two main approaches to get around this: escape quotes to be part of the +data itself, or avoid using this mechanism and instead create a custom +transport with the &%command%& option set and reference that transport from +an &%accept%& router. +.wen + .next .cindex "file" "in redirection list" .cindex "address redirection" "to file" @@ -22054,6 +22153,22 @@ See the &%search_parents%& option in chapter &<>& for more details. +.new +.option dscp smtp string&!! unset +.cindex "DCSP" "outbound" +This option causes the DSCP value associated with a socket to be set to one +of a number of fixed strings or to numeric value. +The &%-bI:dscp%& option may be used to ask Exim which names it knows of. +Common values include &`throughput`&, &`mincost`&, and on newer systems +&`ef`&, &`af41`&, etc. Numeric values may be in the range 0 to 0x3F. + +The outbound packets from Exim will be marked with this value in the header +(for IPv4, the TOS field; for IPv6, the TCLASS field); there is no guarantee +that these values will have any effect, not be stripped by networking +equipment, or do much of anything without cooperation with your Network +Engineer and those of all network operators between the source and destination. +.wen + .option fallback_hosts smtp "string list" unset .cindex "fallback" "hosts specified on transport" @@ -22187,6 +22302,13 @@ that matches this list, even if the server host advertises PIPELINING support. Exim will not try to start a TLS session when delivering to any host that matches this list. See chapter &<>& for details of TLS. +.option hosts_verify_avoid_tls smtp "host list&!!" * +.cindex "TLS" "avoiding for certain hosts" +Exim will not try to start a TLS session for a verify callout, +or when delivering in cutthrough mode, +to any host that matches this list. +Note that the default is to not use TLS. + .option hosts_max_try smtp integer 5 .cindex "host" "maximum number to try" @@ -22451,6 +22573,19 @@ This option specifies a certificate revocation list. The expanded value must be the name of a file that contains a CRL in PEM format. +.new +.option tls_dh_min_bits smtp integer 1024 +.cindex "TLS" "Diffie-Hellman minimum acceptable size" +When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman +key agreement is negotiated, the server will provide a large prime number +for use. This option establishes the minimum acceptable size of that number. +If the parameter offered by the server is too small, then the TLS handshake +will fail. + +Only supported when using GnuTLS. +.wen + + .option tls_privatekey smtp string&!! unset .cindex "TLS" "client private key, location of" .vindex "&$host$&" @@ -25004,6 +25139,13 @@ option). The &%tls_require_ciphers%& options operate differently, as described in the sections &<>& and &<>&. .next +.new +The &%tls_dh_min_bits%& SMTP transport option is only honoured by GnuTLS. +When using OpenSSL, this option is ignored. +(If an API is found to let OpenSSL be configured in this way, +let the Exim Maintainers know and we'll likely use it). +.wen +.next Some other recently added features may only be available in one or the other. This should be documented with the feature. If the documentation does not explicitly state that the feature is infeasible in the other TLS @@ -26715,6 +26857,25 @@ Notice that we put back the lower cased version afterwards, assuming that is what is wanted for subsequent tests. +.new +.vitem &*control&~=&~dscp/*&<&'value'&> +.cindex "&ACL;" "setting DSCP value" +.cindex "DSCP" "inbound" +This option causes the DSCP value associated with the socket for the inbound +connection to be adjusted to a given value, given as one of a number of fixed +strings or to numeric value. +The &%-bI:dscp%& option may be used to ask Exim which names it knows of. +Common values include &`throughput`&, &`mincost`&, and on newer systems +&`ef`&, &`af41`&, etc. Numeric values may be in the range 0 to 0x3F. + +The outbound packets from Exim will be marked with this value in the header +(for IPv4, the TOS field; for IPv6, the TCLASS field); there is no guarantee +that these values will have any effect, not be stripped by networking +equipment, or do much of anything without cooperation with your Network +Engineer and those of all network operators between the source and destination. +.wen + + .vitem &*control&~=&~debug/*&<&'options'&> .cindex "&ACL;" "enabling debug logging" .cindex "debugging" "enabling from an ACL"