X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/7a5018557fc37383a98078d7b826c513c2126c2e..811622b672d4a4cf3d71fbd66810a66adf76826e:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 3894c56cf..7f9f42630 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -14680,6 +14680,7 @@ listed in more than one group. .row &%local_scan_timeout%& "timeout for &[local_scan()]&" .row &%message_size_limit%& "for all messages" .row &%percent_hack_domains%& "recognize %-hack for these domains" +.row &%proxy_protocol_timeout%& "timeout for proxy protocol negotiation" .row &%spamd_address%& "set interface to SpamAssassin" .row &%strict_acl_vars%& "object to unset ACL variables" .row &%spf_smtp_comment_template%& "template for &$spf_smtp_comment$&" @@ -17017,6 +17018,14 @@ admin user unless &%prod_requires_admin%& is set false. See also &%queue_list_requires_admin%& and &%commandline_checks_require_admin%&. +.new +.option proxy_protocol_timeout main time 3s +.cindex proxy "proxy protocol" +This option sets the timeout for proxy protocol negotiation. +For details see section &<>&. +.wen + + .option qualify_domain main string "see below" .cindex "domain" "for qualifying addresses" .cindex "address" "qualification" @@ -18480,7 +18489,9 @@ than the public cert of individual clients. With both OpenSSL and GnuTLS, if the value is a file then the certificates are sent by Exim as a server to connecting clients, defining the list of accepted certificate authorities. Thus the values defined should be considered public data. To avoid this, -use the explicit directory version. +use the explicit directory version. (If your peer is Exim up to 4.85, +using GnuTLS, you may need to send the CAs (thus using the file +variant). Otherwise the peer doesn't send its certificate.) See &<>& for discussion of when this option might be re-expanded. @@ -18799,7 +18810,10 @@ address (with affixes removed if relevant) is the name of an account on the local system. The check is done by calling the &[getpwnam()]& function rather than trying to read &_/etc/passwd_& directly. This means that other methods of holding password data (such as NIS) are supported. If the local part is a local -user, &$home$& is set from the password data, and can be tested in other +user, +.cindex "tainted data" "de-tainting" +&$local_part_data$& is set to an untainted version of the local part and +&$home$& is set from the password data. The latter can be tested in other preconditions that are evaluated after this one (the order of evaluation is given in section &<>&). However, the value of &$home$& can be overridden by &%router_home_directory%&. If the local part is not a local user, @@ -25034,12 +25048,14 @@ authenticated as a client. .option command_timeout smtp time 5m +.cindex timeout "smtp transport command" This sets a timeout for receiving a response to an SMTP command that has been sent out. It is also used when waiting for the initial banner line from the remote host. Its value must not be zero. .option connect_timeout smtp time 5m +.cindex timeout "smtp transport connect" This sets a timeout for the &[connect()]& function, which sets up a TCP/IP call to a remote host. A setting of zero allows the system timeout (typically several minutes) to act. To have any effect, the value of this option must be @@ -25075,6 +25091,7 @@ be treated as unset and &%tls_require_ciphers%& will be used instead. .option data_timeout smtp time 5m +.cindex timeout "for transmitted SMTP data blocks" This sets a timeout for the transmission of each block in the data portion of the message. As a result, the overall timeout for a message depends on the size of the message. Its value must not be zero. See also &%final_timeout%&. @@ -25213,6 +25230,7 @@ fails"& facility. .option final_timeout smtp time 10m +.cindex timeout "for transmitted SMTP data accept" This is the timeout that applies while waiting for the response to the final line containing just &"."& that terminates a message. Its value must not be zero. @@ -25594,6 +25612,12 @@ It is expanded per-address and can depend on any of &$address_data$&, &$domain_data$&, &$local_part_data$&, &$host$&, &$host_address$& and &$host_port$&. +.new +If the connection is DANE-enabled then this option is ignored; +only messages having the domain used for the DANE TLSA lookup are +sent on the connection. +.wen + .option port smtp string&!! "see below" .cindex "port" "sending TCP/IP" .cindex "TCP/IP" "setting outgoing port" @@ -29265,6 +29289,61 @@ There is no current way to staple a proof for a client certificate. .endd +.new +.section "Caching of static server configuration items" "SECTserverTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ocsp caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_ocsp_file caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ocsp +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the main configuration options &%tls_certificate%&, &%tls_privatekey%&, +&%tls_crl%& and &%tls_ocsp_file%& have values with no +expandable elements, +then the associated information is loaded at daemon startup. +It is made available +to child processes forked for handling received SMTP connections. + +This caching is currently only supported under Linux and FreeBSD. + +If caching is not possible, for example if an item has to be dependent +on the peer host so contains a &$sender_host_name$& expansion, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invalidated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +accepted by Exim. +.wen + + .section "Configuring an Exim client to use TLS" "SECTclientTLS" @@ -29305,7 +29384,10 @@ unencrypted. The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)& transport provide the client with a certificate, which is passed to the server -if it requests it. If the server is Exim, it will request a certificate only if +if it requests it. +This is an optional thing for TLS connections, although either end +may insist on it. +If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. &*Note*&: Do not use a certificate which has the OCSP-must-staple extension, @@ -29385,6 +29467,62 @@ outgoing connection. +.new +.section "Caching of static client configuration items" "SECTclientTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%& +and &%tls_crl%& have values with no +expandable elements, +then the associated information is loaded per smtp transport +at daemon startup, at the start of a queue run, or on a +command-line specified message delivery. +It is made available +to child processes forked for handling making SMTP connections. + +This caching is currently only supported under Linux. + +If caching is not possible, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated in the daemon +and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invaludated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +initiated by Exim. +.wen + + + + .section "Use of TLS Server Name Indication" "SECTtlssni" .cindex "TLS" "Server Name Indication" .cindex "TLS" SNI @@ -40812,7 +40950,7 @@ but for EC keys it is the base64 of the pure key; no ASN.1 wrapping. Signing is enabled by setting private options on the SMTP transport. These options take (expandable) strings as arguments. -.option dkim_domain smtp string list&!! unset +.option dkim_domain smtp "string list&!!" unset The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn, @@ -40822,7 +40960,7 @@ while expanding the remaining signing options. If it is empty after expansion, DKIM signing is not done, and no error will result even if &%dkim_strict%& is set. -.option dkim_selector smtp string list&!! unset +.option dkim_selector smtp "string list&!!" unset This sets the key selector string. After expansion, which can use &$dkim_domain$&, this can be a list. Each element in turn is put in the expansion @@ -41809,7 +41947,8 @@ automatically determines which version is in use. The Proxy Protocol header is the first data received on a TCP connection and is inserted before any TLS-on-connect handshake from the client; Exim negotiates TLS between Exim-as-server and the remote client, not between -Exim and the proxy server. +Exim and the proxy server. The Proxy Protocol header must be received +within &%proxy_protocol_timeout%&, which defaults to 3s. The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces