X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/1459a03dd783ad1eef72bc4fce93e84e83fc9238..e6d2a9894df8c3b65920e903ab21076a0a37e20e:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index af41e4493..418cb1a11 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -7314,6 +7314,8 @@ The value of the DEREFERENCE parameter must be one of the words &"never"&, must be &"follow"& (the default) or &"nofollow"&. The latter stops the LDAP library from trying to follow referrals issued by the LDAP server. +.cindex LDAP timeout +.cindex timeout "LDAP lookup" The name CONNECT is an obsolete name for NETTIME, retained for backwards compatibility. This timeout (specified as a number of seconds) is enforced from the client end for operations that can be carried out over a @@ -7663,6 +7665,8 @@ domainlist relay_to_domains = sqlite;/some/thing/sqlitedb \ The only character affected by the &%quote_sqlite%& operator is a single quote, which it doubles. +.cindex timeout SQLite +.cindex sqlite "lookup timeout" The SQLite library handles multiple simultaneous accesses to the database internally. Multiple readers are permitted, but only one process can update at once. Attempts to access the database while it is being updated @@ -11417,7 +11421,8 @@ see section &<>&. &$dkim_key_nosubdomains$& &&& &$dkim_key_srvtype$& &&& &$dkim_key_granularity$& &&& - &$dkim_key_notes$& + &$dkim_key_notes$& &&& + &$dkim_key_length$& These variables are only available within the DKIM ACL. For details see chapter &<>&. @@ -12027,6 +12032,17 @@ a single-component name, Exim calls &[gethostbyname()]& (or qualified host name. See also &$smtp_active_hostname$&. +.new +.vitem &$proxy_host_address$& &&& + &$proxy_host_port$& &&& + &$proxy_target_address$& &&& + &$proxy_target_port$& &&& + &$proxy_session$& +These variables are only available when built with Proxy Protocol +or Socks5 support +For details see chapter &<>&. +.wen + .new .vitem &$prdr_requested$& .cindex "PRDR" "variable for" @@ -13464,6 +13480,7 @@ listed in more than one group. .row &%helo_verify_hosts%& "HELO hard-checked for these hosts" .row &%host_lookup%& "host name looked up for these hosts" .row &%host_lookup_order%& "order of DNS and local name lookups" +.row &%hosts_proxy%& "use proxy protocol for these hosts" .row &%host_reject_connection%& "reject connection from these hosts" .row &%hosts_treat_as_local%& "useful in some cluster configurations" .row &%local_scan_timeout%& "timeout for &[local_scan()]&" @@ -14819,6 +14836,14 @@ If the &%smtp_connection%& log selector is not set, this option has no effect. +.new +.option hosts_proxy main "host list&!!" unset +.cindex proxy "proxy protocol" +This option enables use of Proxy Protocol proxies for incoming +connections. For details see &<>&. +.wen + + .option hosts_treat_as_local main "domain list&!!" unset .cindex "local host" "domains treated as" .cindex "host" "treated as local" @@ -23724,6 +23749,14 @@ Alternatively, if the value of &%size_addition%& is set negative, it disables the use of the SIZE option altogether. +.new +.option socks_proxy smtp string&!! unset +.cindex proxy SOCKS +This option enables use of SOCKS proxies for connections made by the +transport. For details see &<>&. +.wen + + .option tls_certificate smtp string&!! unset .cindex "TLS" "client certificate, location of" .cindex "certificate" "client, location of" @@ -35448,6 +35481,9 @@ selection marked by asterisks: &` queue_time `& time on queue for one recipient &` queue_time_overall `& time on queue for whole message &` pid `& Exim process id +.new +&` proxy `& proxy address on <= and => lines +.wen &` received_recipients `& recipients on <= lines &` received_sender `& sender on <= lines &`*rejected_header `& header contents on reject log @@ -35574,6 +35610,17 @@ rejection lines, and (despite the name) to outgoing &"=>"& and &"->"& lines. The latter can be disabled by turning off the &%outgoing_interface%& option. .wen .next +.new +.cindex log "incoming proxy address" +.cindex proxy "logging proxy address" +.cindex "TCP/IP" "logging proxy address" +&%proxy%&: The internal (closest to the system running Exim) IP address +of the proxy, tagged by PRX=, on the &"<="& line for a message accepted +on a proxied connection +or the &"=>"& line for a message delivered on a proxied connection.. +See &<>& for more information. +.wen +.next .cindex "log" "incoming remote port" .cindex "port" "logging remote" .cindex "TCP/IP" "logging incoming remote port" @@ -37962,6 +38009,8 @@ Key granularity (tag g=) from the key record. Defaults to "*" if not specified in the key record. .vitem &%$dkim_key_notes%& Notes from the key record (tag n=). +.vitem &%$dkim_key_length%& +Number of bits in the key. .endlist In addition, two ACL conditions are provided: @@ -38001,6 +38050,154 @@ for more information of what they mean. . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// +.chapter "Proxies" "CHAPproxies" &&& + "Proxy support" +.cindex "proxy support" +.cindex "proxy" "access via" + +.new +A proxy is an intermediate system through which communication is passed. +Proxies may provide a security, availability or load-distribution function. + + +.section "Inbound proxies" SECTproxyInbound +.cindex proxy inbound +.cindex proxy "server side" +.cindex proxy "Proxy protocol" +.cindex "Proxy protocol" proxy + +Exim has support for receiving inbound SMTP connections via a proxy +that uses &"Proxy Protocol"& to speak to it. +To include this support, include &"SUPPORT_PROXY=yes"& +in Local/Makefile. + +It was built on specifications from: +http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt +That URL was revised in May 2014 to version 2 spec: +http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e + +The purpose of this facility is so that an application load balancer, +such as HAProxy, can sit in front of several Exim servers +to distribute load. +Exim uses the local protocol communication with the proxy to obtain +the remote SMTP system IP address and port information. +There is no logging if a host passes or +fails Proxy Protocol negotiation, but it can easily be determined and +recorded in an ACL (example is below). + +Use of a proxy is enabled by setting the &%hosts_proxy%& +main configuration option to a hostlist; connections from these +hosts will use Proxy Protocol. + +The following expansion variables are usable +(&"internal"& and &"external"& here refer to the interfaces +of the proxy): +.display +&'proxy_host_address '& internal IP address of the proxy +&'proxy_host_port '& internal TCP port of the proxy +&'proxy_target_address '& external IP address of the proxy +&'proxy_target_port '& external TCP port of the proxy +&'proxy_session '& boolean: SMTP connection via proxy +.endd +If &$proxy_session$& is set but &$proxy_host_address$& is empty +there was a protocol error. + +Since the real connections are all coming from the proxy, and the +per host connection tracking is done before Proxy Protocol is +evaluated, &%smtp_accept_max_per_host%& must be set high enough to +handle all of the parallel volume you expect per inbound proxy. +With the option set so high, you lose the ability +to protect your server from many connections from one IP. +In order to prevent your server from overload, you +need to add a per connection ratelimit to your connect ACL. +A possible solution is: +.display + # Set max number of connections per host + LIMIT = 5 + # Or do some kind of IP lookup in a flat file or database + # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}} + + defer message = Too many connections from this IP right now + ratelimit = LIMIT / 5s / per_conn / strict +.endd + + + +.section "Outbound proxies" SECTproxySOCKS +.cindex proxy outbound +.cindex proxy "client side" +.cindex proxy SOCKS +.cindex SOCKS proxy +Exim has support for sending outbound SMTP via a proxy +using a protocol called SOCKS5 (defined by RFC1928). +The support can be optionally included by defining SUPPORT_SOCKS=yes in +Local/Makefile. + +Use of a proxy is enabled by setting the &%socks_proxy%& option +on an smtp transport. +The option value is expanded and should then be a list +(colon-separated by default) of proxy specifiers. +Each proxy specifier is a list +(space-separated by default) where the initial element +is an IP address and any subsequent elements are options. + +Options are a string =. +The list of options is in the following table: +.display +&`auth `& authentication method +&`name `& authentication username +&`pass `& authentication password +&`port `& tcp port +&`tmo `& connection timeout +&`pri `& priority +&`weight `& selection bias +.endd + +More details on each of these options follows: + +.ilist +.cindex authentication "to proxy" +.cindex proxy authentication +&%auth%&: Either &"none"& (default) or &"name"&. +Using &"name"& selects username/password authentication per RFC 1929 +for access to the proxy. +Default is &"none"&. +.next +&%name%&: sets the username for the &"name"& authentication method. +Default is empty. +.next +&%pass%&: sets the password for the &"name"& authentication method. +Default is empty. +.next +&%port%&: the TCP port number to use for the connection to the proxy. +Default is 1080. +.next +&%tmo%&: sets a connection timeout in seconds for this proxy. +Default is 5. +.next +&%pri%&: specifies a priority for the proxy within the list, +higher values being tried first. +The default priority is 1. +.next +&%weight%&: specifies a selection bias. +Within a priority set servers are queried in a random fashion, +weighted by this value. +The default value for selection bias is 1. +.endlist + +Proxies from the list are tried according to their priority +and weight settings until one responds. The timeout for the +overall connection applies to the set of proxied attempts. + +.section Logging SECTproxyLog +To log the (local) IP of a proxy in the incoming or delivery logline, +add &"+proxy"& to the &%log_selector%& option. +This will add a component tagged with &"PRX="& to the line. +.wen + +. //////////////////////////////////////////////////////////////////////////// +. //////////////////////////////////////////////////////////////////////////// + .chapter "Adding new drivers or lookup types" "CHID13" &&& "Adding drivers or lookups" .cindex "adding drivers"