X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/4aaeaddeaa130a227a694d32b7214689e982a39e..a841a6eca79ff08b36f2225dcf89c1c162bb8777:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9a7f9113e..870248570 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -8016,12 +8016,14 @@ The &%quote_redis%& expansion operator escapes whitespace and backslash characters with a backslash. .section "Specifying the server in the query" "SECTspeserque" +.new For MySQL, PostgreSQL and Redis lookups (but not currently for Oracle and InterBase), it is possible to specify a list of servers with an individual query. This is -done by starting the query with +done by appending a comma-separated option to the query type: .display -&`servers=`&&'server1:server2:server3:...'&&`;`& .endd +&`,servers=`&&'server1:server2:server3:...'& +.wen Each item in the list may take one of two forms: .olist If it contains no slashes it is assumed to be just a host name. The appropriate @@ -8046,14 +8048,25 @@ mysql_servers = slave1/db/name/pw:\ .endd In an updating lookup, you could then write: .code -${lookup mysql{servers=master; UPDATE ...} } +${lookup mysql,servers=master {UPDATE ...} } .endd That query would then be sent only to the master server. If, on the other hand, the master is not to be used for reading, and so is not present in the global option, you can still update it by a query of this form: .code -${lookup pgsql{servers=master/db/name/pw; UPDATE ...} } +${lookup pgsql,servers=master/db/name/pw {UPDATE ...} } +.endd + +.new +An older syntax places the servers speciification before the qury, +semicolon separated: +.code +${lookup mysql{servers=master; UPDATE ...} } .endd +The new version avoids potential issues with tainted +arguments in the query, for explicit expansion. +&*Note*&: server specifications in list-style lookups are still problematic. +.wen .section "Special MySQL features" "SECID73" @@ -8107,7 +8120,7 @@ daemon as in the other SQL databases. .new .oindex &%sqlite_dbfile%& -The preferred way of specifying the file is by using the +The preferred way of specifying the file is by using the &%sqlite_dbfile%& option, set to an absolute path. .wen @@ -8619,6 +8632,14 @@ whether or not the query succeeds. However, when a lookup is used for the &%domains%& option on a router, the data is preserved in the &$domain_data$& variable and can be referred to in other options. .next +.new +If the pattern starts with the name of a lookup type +of either kind (single-key or query-style) it may be +followed by a command and options, +The options are lookup-type specific and consist of a comma-separated list. +Each item starts with a tag and and equals "=". +.wen +.next .cindex "domain list" "matching literal domain name" If none of the above cases apply, a caseless textual comparison is made between the pattern and the domain. @@ -10264,21 +10285,37 @@ ${readsocket{/socket/name}{request string}{3s}} .endd The third argument is a list of options, of which the first element is the timeout -and must be present if the argument is given. +and must be present if any options are given. Further elements are options of form &'name=value'&. -Two option types is currently recognised: shutdown and tls. -The first defines whether (the default) -or not a shutdown is done on the connection after sending the request. -Example, to not do so (preferred, eg. by some webservers): +Example: .code ${readsocket{/socket/name}{request string}{3s:shutdown=no}} .endd -The second, tls, controls the use of TLS on the connection. Example: -.code -${readsocket{/socket/name}{request string}{3s:tls=yes}} -.endd -The default is to not use TLS. + +.new +The following option names are recognised: +.ilist +&*cache*& +Defines if the result data can be cached for use by a later identical +request in the same process. +Values are &"yes"& or &"no"& (the default). +If not, all cached results for this connection specification +will be invalidated. + +.next +&*shutdown*& +Defines whether or not a write-shutdown is done on the connection after +sending the request. Values are &"yes"& (the default) or &"no"& +(preferred, eg. by some webservers). + +.next +&*tls*& +Controls the use of TLS on the connection. +Values are &"yes"& or &"no"& (the default). If it is enabled, a shutdown as descripbed above is never done. +.endlist +.wen + A fourth argument allows you to change any newlines that are in the data that is read, in the same way as for &%readfile%& (see above). This example @@ -13269,6 +13306,18 @@ library, by setting: dns_dnssec_ok = 1 .endd +.new +In addition, on Linux with glibc 2.31 or newer the resolver library will +default to stripping out a successful validation status. +This will break a previously working Exim installation. +Provided that you do trust the resolver (ie, is on localhost) you can tell +glibc to pass through any successful validation with a new option in +&_/etc/resolv.conf_&: +.code +options trust-ad +.endd +.wen + Exim does not perform DNSSEC validation itself, instead leaving that to a validating resolver (e.g. unbound, or bind with suitable configuration). @@ -15397,6 +15446,18 @@ default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on. If the resolver library does not support DNSSEC then this option has no effect. +.new +On Linux with glibc 2.31 or newer this is insufficient, the resolver library +will default to stripping out a successful validation status. +This will break a previously working Exim installation. +Provided that you do trust the resolver (ie, is on localhost) you can tell +glibc to pass through any successful validation with a new option in +&_/etc/resolv.conf_&: +.code +options trust-ad +.endd +.wen + .option dns_ipv4_lookup main "domain list&!!" unset .cindex "IPv6" "DNS lookup for AAAA records" @@ -16934,7 +16995,7 @@ received_header_text = Received: \ ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ ${if def:received_protocol {with $received_protocol }}\ - ${if def:tls_ver { ($tls_ver)}}\ + ${if def:tls_in_ver { ($tls_in_ver)}}\ ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ @@ -16943,7 +17004,8 @@ received_header_text = Received: \ ${if def:received_for {\n\tfor $received_for}} .endd -The reference to the TLS cipher is omitted when Exim is built without TLS +The references to the TLS version and cipher are +omitted when Exim is built without TLS support. The use of conditional expansions ensures that this works for both locally generated messages and messages received from remote hosts, giving header lines such as the following: @@ -40405,7 +40467,7 @@ only supports signing with the same canonicalization method for both headers and .option dkim_strict smtp string&!! unset This option defines how Exim behaves when signing a message that should be signed fails for some reason. When the expansion evaluates to -either "1" or "true", Exim will defer. Otherwise Exim will send the message +either &"1"& or &"true"&, Exim will defer. Otherwise Exim will send the message unsigned. You can use the &%$dkim_domain%& and &%$dkim_selector%& expansion variables here. @@ -40417,16 +40479,19 @@ in the message signature. When unspecified, the header names listed in RFC4871 will be used, whether or not each header is present in the message. The default list is available for the expansion in the macro -"_DKIM_SIGN_HEADERS". +&"_DKIM_SIGN_HEADERS"& +.new +and an oversigning variant is in &"_DKIM_OVERSIGN_HEADERS"&. +.wen If a name is repeated, multiple headers by that name (or the absence thereof) will be signed. The textually later headers in the headers part of the message are signed first, if there are multiples. -A name can be prefixed with either an '=' or a '+' character. -If an '=' prefix is used, all headers that are present with this name +A name can be prefixed with either an &"="& or a &"+"& character. +If an &"="& prefix is used, all headers that are present with this name will be signed. -If a '+' prefix if used, all headers that are present with this name +If a &"+"& prefix if used, all headers that are present with this name will be signed, and one signature added for a missing header with the name will be appended.