X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/1a2e76e1676bf405a464a233950a95012533c227..9f125d9fab3f3f3dd2244caa28914c256d01c339:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c2adc9ea6..a93f61182 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -4367,6 +4367,17 @@ written. When &%-oX%& is used with &%-bd%&, or when &%-q%& with a time is used without &%-bd%&, this is the only way of causing Exim to write a pid file, because in those cases, the normal pid file is not used. +.new +.vitem &%-oPX%& +.oindex "&%-oPX%&" +.cindex "pid (process id)" "of daemon" +.cindex "daemon" "process id (pid)" +This option is not intended for general use. +The daemon uses it when terminating due to a SIGTEM, possibly in +combination with &%-oP%&&~<&'path'&>. +It causes the pid file to be removed. +.wen + .vitem &%-or%&&~<&'time'&> .oindex "&%-or%&" .cindex "timeout" "for non-SMTP input" @@ -9377,7 +9388,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f .cindex headers "authentication-results:" .cindex authentication "expansion item" This item returns a string suitable for insertion as an -&'Authentication-Results"'& +&'Authentication-Results:'& header line. The given <&'authserv-id'&> is included in the result; typically this will be a domain name identifying the system performing the authentications. 
@@ -13502,6 +13513,19 @@ the transport. .vindex &$tls_out_tlsa_usage$& Bitfield of TLSA record types found. See section &<>&. +.new +.vitem &$tls_in_ver$& +.vindex "&$tls_in_ver$&" +When a message is received from a remote host over an encrypted SMTP connection +this variable is set to the protocol version, eg &'TLS1.2'&. + +.vitem &$tls_out_ver$& +.vindex "&$tls_out_ver$&" +When a message is being delivered to a remote host over an encrypted SMTP connection +this variable is set to the protocol version. +.wen + + .vitem &$tod_bsdinbox$& .vindex "&$tod_bsdinbox$&" The time of day and the date, in the format required for BSD-style mailbox @@ -14691,13 +14715,20 @@ recommended, except when you have no other choice. .cindex "UTF-8" "in domain name" Lots of discussion is going on about internationalized domain names. One camp is strongly in favour of just using UTF-8 characters, and it seems -that at least two other MTAs permit this. This option allows Exim users to -experiment if they wish. +that at least two other MTAs permit this. +This option allows Exim users to experiment if they wish. If it is set true, Exim's domain parsing function allows valid UTF-8 multicharacters to appear in domain name components, in addition to -letters, digits, and hyphens. However, just setting this option is not -enough; if you want to look up these domain names in the DNS, you must also +letters, digits, and hyphens. + +.new +If Exim is built with internationalization support +and the SMTPUTF8 ESMTP option is in use (see chapter &<>&) +this option can be left as default. +.wen +Without that, +if you want to look up such domain names in the DNS, you must also adjust the value of &%dns_check_names_pattern%& to match the extended form. A suitable setting is: .code 
@@ -15106,15 +15137,20 @@ to handle IPv6 literal addresses. .new -.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1" +.option dkim_verify_hashes main "string list" "sha256 : sha512" .cindex DKIM "selecting signature algorithms" This option gives a list of hash types which are acceptable in signatures, and an order of processing. Signatures with algorithms not in the list will be ignored. -Note that the presence of sha1 violates RFC 8301. -Signatures using the rsa-sha1 are however (as of writing) still common. -The default inclusion of sha1 may be dropped in a future release. +Acceptable values include: +.code +sha1 +sha256 +sha512 +.endd + +Note that the acceptance of sha1 violates RFC 8301. .option dkim_verify_keytypes main "string list" "ed25519 : rsa" This option gives a list of key types which are acceptable in signatures, @@ -16727,6 +16763,7 @@ received_header_text = Received: \ ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ ${if def:received_protocol {with $received_protocol }}\ + ${if def:tls_ver { ($tls_ver)}}\ ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ @@ -17729,7 +17766,14 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -&*Note: The Exim Maintainers strongly recommend using a filename with site-generated +.new +This option is ignored for GnuTLS version 3.6.0 and later. +The library manages parameter negotiation internally. +.wen + +&*Note: The Exim Maintainers strongly recommend, +for other TLS library versions, +using a filename with site-generated local DH parameters*&, which has been supported across all versions of Exim. The other specific constants available are a fallback so that even when "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS. 
@@ -17825,11 +17869,22 @@ Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). -For GnuTLS 3.5.6 or later the expanded value of this option can be a list +.new +For OpenSSL 1.1.0 or later, and +.wen +for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the &%tls_certificate%& option. The ordering of the two lists must match. -The file(s) should be in DER format +.new +The file(s) should be in DER format, +except for GnuTLS 3.6.3 or later when an optional filetype prefix +can be used. The prefix must be one of "DER" or "PEM", followed by +a single space. If one is used it sets the format for subsequent +files in the list; the initial format is DER. +When a PEM format file is used it may contain multiple proofs, +for multiple certificate chain element proofs under TLS1.3. +.wen .option tls_on_connect_ports main "string list" unset .cindex SSMTP @@ -24867,6 +24922,9 @@ unauthenticated. See also &%hosts_require_auth%&, and chapter .cindex "RFC 3030" "CHUNKING" This option provides a list of servers to which, provided they announce CHUNKING support, Exim will attempt to use BDAT commands rather than DATA. +.new +Unless DKIM signing is being done, +.wen BDAT will not be used in conjunction with a transport filter. .option hosts_try_dane smtp "host list&!!" * @@ -40489,10 +40547,11 @@ defines the location of a text file of valid top level domains the opendmarc library uses during domain parsing. Maintained by Mozilla, the most current version can be downloaded -from a link at &url(http://publicsuffix.org/list/). +from a link at &url(https://publicsuffix.org/list/, currently pointing +at https://publicsuffix.org/list/public_suffix_list.dat) See also util/renew-opendmarc-tlds.sh script. -The default for the option is currently -/etc/exim/opendmarc.tlds +The default for the option is /etc/exim/opendmarc.tlds. + The &%dmarc_history_file%& option, if set .oindex &%dmarc_history_file%& 
@@ -41013,7 +41072,9 @@ Events have names which correspond to the point in process at which they fire. The name is placed in the variable &$event_name$& and the event action expansion must check this, as it will be called for every possible event type. +.new The current list of events is: +.wen .display &`dane:fail after transport `& per connection &`msg:complete after main `& per message @@ -41027,6 +41088,7 @@ The current list of events is: &`tcp:close after transport `& per connection &`tls:cert before both `& per certificate in verification chain &`smtp:connect after transport `& per connection +&`smtp:ehlo after transport `& per connection .endd New event types may be added in future. @@ -41053,6 +41115,7 @@ with the event type: &`msg:host:defer `& error string &`tls:cert `& verification chain depth &`smtp:connect `& smtp banner +&`smtp:ehlo `& smtp ehlo response .endd The :defer events populate one extra variable: &$event_defer_errno$&.
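Review bot: typo in the new &%-oPX%& description in the hunk at @@ -4367: "SIGTEM" should be "SIGTERM". "possibly in combination with &%-oP%&&~<&'path'&>" also leaves open whether the daemon removes the pid file at the path it was started with or at a path given afresh; one sentence saying which would save a reader from having to consult the daemon source.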
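Review bot: the received_header_text hunk at @@ -16727 inserts `${if def:tls_ver { ($tls_ver)}}`, but the variables this patch documents in the hunk at @@ -13502 are &$tls_in_ver$& and &$tls_out_ver$&; no &$tls_ver$& is documented anywhere in the diff. Either document tls_ver as a variable or use tls_in_ver in the default header text so the example matches the variable list. The &$tls_out_ver$& entry could also carry the same "eg &'TLS1.2'&" illustration given for &$tls_in_ver$&.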
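Review bot: the hunk at @@ -15106 changes the default of dkim_verify_hashes from "sha256 : sha512 : sha1" to "sha256 : sha512", which is a behaviour change: rsa-sha1 signatures, which the removed text says are still common, will now be ignored unless sha1 is added back explicitly. The new text only lists sha1 as an acceptable value; it should say that sha1 is no longer in the default and that sites needing to verify such signatures must set the option themselves, and the change belongs in the release notes too. Nit: "Acceptable values include:" suggests an open-ended set; if the three listed are the only values, say "are".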
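Review bot: in the hunk at @@ -17729 the Note on tls_dhparam now says "for other TLS library versions" immediately after the sentence about GnuTLS 3.6.0 and later; state explicitly which libraries and versions that covers (OpenSSL, and GnuTLS before 3.6.0) rather than leaving the reader to infer it from the preceding sentence.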
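Review bot: the filetype-prefix text in the hunk at @@ -17825 needs an example, because the prefix is separated from the path by a single space while the list entries are separated by the list separator, e.g. `tls_ocsp_file = PEM /path/one.pem : /path/two.pem` (placeholder paths). It should also say whether "DER"/"PEM" is matched case-sensitively, and what happens if a prefix is given under OpenSSL, since the same paragraph now documents list support for OpenSSL 1.1.0 or later.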
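Review bot: the inserted "Unless DKIM signing is being done," in the hunk at @@ -24867 makes the sentence hard to parse; suggest "BDAT will not be used in conjunction with a transport filter unless DKIM signing is also being done." A clause on why DKIM signing lifts the restriction would stop readers from taking the exception for a typo.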
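Review bot: in the hunk at @@ -40489 the &url() argument now contains a comma and a second clause ("currently pointing at https://..."), so the rendered link depends on how the url macro splits its arguments, and the closing ")" runs straight into "See also" with no full stop. Suggest keeping &url(https://publicsuffix.org/list/) as before and giving the direct file URL its own &url(...) in a separate sentence.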
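Review bot: in the hunks at @@ -41013, @@ -41027 and @@ -41053 the .new/.wen markers wrap only the unchanged line "The current list of events is:", while the rows that are actually new (&`smtp:ehlo after transport `& and its "smtp ehlo response" variable) carry no marker. Move the markers around the added rows, or add a marked sentence after the table noting that smtp:ehlo is new, so the change is visible in the rendered spec.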