X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/2f06ffd252140e2cb71050aa8a9d45a75bc3437b..277b99794bf90e4a64b4adee88c08bed417bc5ee:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f5c0d3f9e..0e7d7655c 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -4367,6 +4367,17 @@ written. When &%-oX%& is used with &%-bd%&, or when &%-q%& with a time is used without &%-bd%&, this is the only way of causing Exim to write a pid file, because in those cases, the normal pid file is not used. +.new +.vitem &%-oPX%& +.oindex "&%-oPX%&" +.cindex "pid (process id)" "of daemon" +.cindex "daemon" "process id (pid)" +This option is not intended for general use. +The daemon uses it when terminating due to a SIGTEM, possibly in +combination with &%-oP%&&~<&'path'&>. +It causes the pid file to be removed. +.wen + .vitem &%-or%&&~<&'time'&> .oindex "&%-or%&" .cindex "timeout" "for non-SMTP input" @@ -9377,7 +9388,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f .cindex headers "authentication-results:" .cindex authentication "expansion item" This item returns a string suitable for insertion as an -&'Authentication-Results"'& +&'Authentication-Results:'& header line. The given <&'authserv-id'&> is included in the result; typically this will be a domain name identifying the system performing the authentications. @@ -13502,6 +13513,19 @@ the transport. .vindex &$tls_out_tlsa_usage$& Bitfield of TLSA record types found. See section &<>&. +.new +.vitem &$tls_in_ver$& +.vindex "&$tls_in_ver$&" +When a message is received from a remote host over an encrypted SMTP connection +this variable is set to the protocol version, eg &'TLS1.2'&. + +.vitem &$tls_out_ver$& +.vindex "&$tls_out_ver$&" +When a message is being delivered to a remote host over an encrypted SMTP connection +this variable is set to the protocol version. +.wen + + .vitem &$tod_bsdinbox$& .vindex "&$tod_bsdinbox$&" The time of day and the date, in the format required for BSD-style mailbox @@ -15113,15 +15137,20 @@ to handle IPv6 literal addresses. .new -.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1" +.option dkim_verify_hashes main "string list" "sha256 : sha512" .cindex DKIM "selecting signature algorithms" This option gives a list of hash types which are acceptable in signatures, and an order of processing. Signatures with algorithms not in the list will be ignored. -Note that the presence of sha1 violates RFC 8301. -Signatures using the rsa-sha1 are however (as of writing) still common. -The default inclusion of sha1 may be dropped in a future release. +Acceptable values include: +.code +sha1 +sha256 +sha512 +.endd + +Note that the acceptance of sha1 violates RFC 8301. .option dkim_verify_keytypes main "string list" "ed25519 : rsa" This option gives a list of key types which are acceptable in signatures, @@ -16734,6 +16763,7 @@ received_header_text = Received: \ ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ ${if def:received_protocol {with $received_protocol }}\ + ${if def:tls_ver { ($tls_ver)}}\ ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ @@ -17736,7 +17766,14 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -&*Note: The Exim Maintainers strongly recommend using a filename with site-generated +.new +This option is ignored for GnuTLS version 3.6.0 and later. +The library manages parameter negotiation internally. +.wen + +&*Note: The Exim Maintainers strongly recommend, +for other TLS library versions, +using a filename with site-generated local DH parameters*&, which has been supported across all versions of Exim. The other specific constants available are a fallback so that even when "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS. @@ -17832,7 +17869,10 @@ Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). -For GnuTLS 3.5.6 or later the expanded value of this option can be a list +.new +For OpenSSL 1.1.0 or later, and +.wen +for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the &%tls_certificate%& option. The ordering of the two lists must match. @@ -24882,6 +24922,9 @@ unauthenticated. See also &%hosts_require_auth%&, and chapter .cindex "RFC 3030" "CHUNKING" This option provides a list of servers to which, provided they announce CHUNKING support, Exim will attempt to use BDAT commands rather than DATA. +.new +Unless DKIM signing is being done, +.wen BDAT will not be used in conjunction with a transport filter. .option hosts_try_dane smtp "host list&!!" * @@ -27417,9 +27460,11 @@ This should have meant that certificate identity and verification becomes a non-issue, as a man-in-the-middle attack will cause the correct client and server to see different identifiers and authentication will fail. -This is currently only supported when using the GnuTLS library. This is +.new +This is only usable by mechanisms which support "channel binding"; at time of writing, that's the SCRAM family. +.wen This defaults off to ensure smooth upgrade across Exim releases, in case this option causes some clients to start failing. Some future release @@ -41029,7 +41074,9 @@ Events have names which correspond to the point in process at which they fire. The name is placed in the variable &$event_name$& and the event action expansion must check this, as it will be called for every possible event type. +.new The current list of events is: +.wen .display &`dane:fail after transport `& per connection &`msg:complete after main `& per message @@ -41043,6 +41090,7 @@ The current list of events is: &`tcp:close after transport `& per connection &`tls:cert before both `& per certificate in verification chain &`smtp:connect after transport `& per connection +&`smtp:ehlo after transport `& per connection .endd New event types may be added in future. @@ -41069,6 +41117,7 @@ with the event type: &`msg:host:defer `& error string &`tls:cert `& verification chain depth &`smtp:connect `& smtp banner +&`smtp:ehlo `& smtp ehlo response .endd The :defer events populate one extra variable: &$event_defer_errno$&.