X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/7044dd8fd62e215572ecf5a2c7f1bb9581cf6628..210135138f6150c46e8abc54f6ccf82a860d510f:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ab13a427b..d0c3e7846 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3922,6 +3922,18 @@ This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option, and passes on the fact that the host to which Exim is connected supports TLS encryption. +.new +.vitem &%-MCr%&&~<&'SNI'&> &&& + &%-MCs%&&~<&'SNI'&> +.oindex "&%-MCs%&" +.oindex "&%-MCr%&" +These options are not intended for use by external callers. It is used internally +by Exim in conjunction with the &%-MCt%& option, and passes on the fact that +a TLS Server Name Indication was sent as part of the channel establishment. +The argument gives the SNI string. +The "r" variant indicates a DANE-verified connection. +.wen + .vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&> .oindex "&%-MCt%&" This option is not intended for use by external callers. It is used internally @@ -17307,6 +17319,9 @@ manager, there is no way of controlling the total number of simultaneous deliveries if the configuration allows a delivery attempt as soon as a message is received. +See also the &%max_parallel%& generic transport option, +and the &%serialize_hosts%& smtp transport option. + .cindex "number of deliveries" .cindex "delivery" "maximum number of" If you want to control the total number of deliveries on the system, you @@ -25579,6 +25594,12 @@ It is expanded per-address and can depend on any of &$address_data$&, &$domain_data$&, &$local_part_data$&, &$host$&, &$host_address$& and &$host_port$&. +.new +If the connection is DANE-enabled then this option is ignored; +only messages having the domain used for the DANE TLSA lookup are +sent on the connection. +.wen + .option port smtp string&!! "see below" .cindex "port" "sending TCP/IP" .cindex "TCP/IP" "setting outgoing port" @@ -28771,6 +28792,12 @@ Some other recently added features may only be available in one or the other. This should be documented with the feature. If the documentation does not explicitly state that the feature is infeasible in the other TLS implementation, then patches are welcome. +.new +.next +The output from "exim -bV" will show which (if any) support was included +in the build. +Also, the macro "_HAVE_OPENSSL" or "_HAVE_GNUTLS" will be defined. +.wen .endlist @@ -29244,6 +29271,61 @@ There is no current way to staple a proof for a client certificate. .endd +.new +.section "Caching of static server configuration items" "SECTserverTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ocsp caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_ocsp_file caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ocsp +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the main configuration options &%tls_certificate%&, &%tls_privatekey%&, +&%tls_crl%& and &%tls_ocsp_file%& have values with no +expandable elements, +then the associated information is loaded at daemon startup. +It is made available +to child processes forked for handling received SMTP connections. + +This caching is currently only supported under Linux. + +If caching is not possible, for example if an item has to be dependent +on the peer host so contains a &$sender_host_name$& expansion, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invaludated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +accepted by Exim. +.wen + + .section "Configuring an Exim client to use TLS" "SECTclientTLS" @@ -29284,7 +29366,10 @@ unencrypted. The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)& transport provide the client with a certificate, which is passed to the server -if it requests it. If the server is Exim, it will request a certificate only if +if it requests it. +This is an optional thing for TLS connections, although either end +may insist on it. +If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. &*Note*&: Do not use a certificate which has the OCSP-must-staple extension, @@ -29364,6 +29449,62 @@ outgoing connection. +.new +.section "Caching of static client configuration items" "SECTclientTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%& +and &%tls_crl%& have values with no +expandable elements, +then the associated information is loaded per smtp transport +at daemon startup, at the start of a queue run, or on a +command-line specified message delivery. +It is made available +to child processes forked for handling making SMTP connections. + +This caching is currently only supported under Linux. + +If caching is not possible, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated in the daemon +and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invaludated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +initiated by Exim. +.wen + + + + .section "Use of TLS Server Name Indication" "SECTtlssni" .cindex "TLS" "Server Name Indication" .cindex "TLS" SNI @@ -29400,7 +29541,7 @@ only point of caution. The &$tls_out_sni$& variable will be set to this string for the lifetime of the client connection (including during authentication). .new -If DAVE validated the connection attempt then the value of the &%tls_sni%& option +If DANE validated the connection attempt then the value of the &%tls_sni%& option is forced to the domain part of the recipient address. .wen @@ -32590,7 +32731,7 @@ in kilobytes, megabytes, or gigabytes, respectively. The &%per_rcpt%& option causes Exim to limit the rate at which recipients are accepted. It can be used in the &%acl_smtp_rcpt%&, &%acl_smtp_predata%&, -&%acl_smtp_mime%&, &%acl_smtp_data%&, or &%acl_smtp_rcpt%& ACLs. In +&%acl_smtp_mime%&, or &%acl_smtp_data%& ACLs. In &%acl_smtp_rcpt%& the rate is updated one recipient at a time; in the other ACLs the rate is updated with the total (accepted) recipient count in one go. Note that in either case the rate limiting engine will see a message with many @@ -38072,7 +38213,8 @@ fields record the router and transport that were used to process the address. If SMTP AUTH was used for the delivery there is an additional item A= followed by the name of the authenticator that was used. If an authenticated identification was set up by the authenticator's &%client_set_id%& -option, this is logged too, separated by a colon from the authenticator name. +option, this is logged too, as a second colon-separated list item. +Optionally (see the &%smtp_mailauth%& &%log_selector%&) there may be a third list item. If a shadow transport was run after a successful local delivery, the log line for the successful delivery has an item added on the end, of the form @@ -38810,9 +38952,9 @@ the next chapter. The utilities described here are: "check address acceptance from given IP" .irow &<>& &'exim_dbmbuild'& "build a DBM file" .irow &<>& &'exinext'& "extract retry information" -.irow &<>& &'exim_dumpdb'& "dump a hints database" -.irow &<>& &'exim_tidydb'& "clean up a hints database" -.irow &<>& &'exim_fixdb'& "patch a hints database" +.irow &<>& &'exim_dumpdb'& "dump a hints database" +.irow &<>& &'exim_tidydb'& "clean up a hints database" +.irow &<>& &'exim_fixdb'& "patch a hints database" .irow &<>& &'exim_lock'& "lock a mailbox file" .endtable @@ -39318,7 +39460,7 @@ in a transport) -.section "exim_dumpdb" "SECID261" +.section "exim_dumpdb" "SECTdumpdb" .cindex "&'exim_dumpdb'&" The entire contents of a database are written to the standard output by the &'exim_dumpdb'& program, which has no options or arguments other than the @@ -39355,7 +39497,7 @@ cross-references. -.section "exim_tidydb" "SECID262" +.section "exim_tidydb" "SECTtidydb" .cindex "&'exim_tidydb'&" The &'exim_tidydb'& utility program is used to tidy up the contents of a hints database. If run with no options, it removes all records that are more than 30 @@ -39404,7 +39546,7 @@ databases is likely to keep on increasing. -.section "exim_fixdb" "SECID263" +.section "exim_fixdb" "SECTfixdb" .cindex "&'exim_fixdb'&" The &'exim_fixdb'& program is a utility for interactively modifying databases. Its main use is for testing Exim, but it might also be occasionally useful for @@ -40790,7 +40932,7 @@ but for EC keys it is the base64 of the pure key; no ASN.1 wrapping. Signing is enabled by setting private options on the SMTP transport. These options take (expandable) strings as arguments. -.option dkim_domain smtp string list&!! unset +.option dkim_domain smtp "string list&!!" unset The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn, @@ -40800,7 +40942,7 @@ while expanding the remaining signing options. If it is empty after expansion, DKIM signing is not done, and no error will result even if &%dkim_strict%& is set. -.option dkim_selector smtp string list&!! unset +.option dkim_selector smtp "string list&!!" unset This sets the key selector string. After expansion, which can use &$dkim_domain$&, this can be a list. Each element in turn is put in the expansion @@ -41464,7 +41606,7 @@ Example usage: .code #macro SRS_SECRET = - + #routers outbound: @@ -41474,7 +41616,7 @@ Example usage: transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {remote_smtp} {remote_forwarded_smtp}} - + inbound_srs: driver = redirect senders = : @@ -41482,7 +41624,7 @@ Example usage: # detect inbound bounces which are SRS'd, and decode them condition = ${if inbound_srs {$local_part} {SRS_SECRET}} data = $srs_recipient - + inbound_srs_failure: driver = redirect senders = : @@ -41494,7 +41636,7 @@ Example usage: #... further routers here - + # transport; should look like the non-forward outbound # one, plus the max_rcpt and return_path options remote_forwarded_smtp: