X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/7d0ab55cbe2498a27fc54a779d82b5240e440517..0b23848a94f10065be92d0e06382cff4236dcb89:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 41c977589..7b5d5c44a 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.32 2008/01/29 17:14:47 fanf2 Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.50 2009/06/11 14:07:57 tom Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -367,11 +367,14 @@ contributors. .section "Exim documentation" "SECID1" +. Keep this example change bar when updating the documentation! +.new .cindex "documentation" This edition of the Exim specification applies to version &version; of Exim. Substantive changes from the &previousversion; edition are marked in some renditions of the document; this paragraph is so marked if the rendition is capable of showing a change indicator. +.wen This document is very much a reference manual; it is not a tutorial. The reader is expected to have some familiarity with the SMTP mail transfer protocol and @@ -428,8 +431,6 @@ directory are: .row &_exim.8_& "a man page of Exim's command line options" .row &_experimental.txt_& "documentation of experimental features" .row &_filter.txt_& "specification of the filter language" -.row &_pcrepattern.txt_& "specification of PCRE regular expressions" -.row &_pcretest.txt_& "specification of the PCRE testing program" .row &_Exim3.upgrade_& "upgrade notes from release 2 to release 3" .row &_Exim4.upgrade_& "upgrade notes from release 3 to release 4" .endtable @@ -729,10 +730,9 @@ A number of pieces of external code are included in the Exim distribution. .ilist Regular expressions are supported in the main Exim program and in the Exim monitor using the freely-distributable PCRE library, copyright -© University of Cambridge. The source to a cut down version of PCRE -used to be distributed in the directory &_src/pcre_&. However, this is -no longer the case and you will need to use a system PCRE library or -obtain and install the full version of the library from +© University of Cambridge. The source to PCRE is no longer shipped with +Exim, so you will need to use the version of PCRE shipped with your system, +or obtain and install the full version of the library from &url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre). .next .cindex "cdb" "acknowledgment" @@ -1652,7 +1652,7 @@ architecture and operating system for itself, but the defaults can be overridden if necessary. -.section "PCRE library" "SECTdb" +.section "PCRE library" "SECTpcre" .cindex "PCRE library" Exim no longer has an embedded PCRE library as the vast majority of modern systems include PCRE as a system library, although you may need @@ -2223,9 +2223,8 @@ but this usage is deprecated. .cindex "installing Exim" "what is not installed" Running &'make install'& does not copy the Exim 4 conversion script -&'convert4r4'&, or the &'pcretest'& test program. You will probably run the -first of these only once (if you are upgrading from Exim 3), and the second -isn't really part of Exim. None of the documentation files in the &_doc_& +&'convert4r4'&. You will probably run this only once if you are +upgrading from Exim 3. None of the documentation files in the &_doc_& directory are copied, except for the info files when you have set INFO_DIRECTORY, as described in section &<>& below. @@ -4719,7 +4718,7 @@ up in a MySQL database. It helps to keep the file less cluttered if long strings such as SQL statements are defined separately as macros, for example: .code ALIAS_QUERY = select mailbox from user where \ - login=${quote_mysql:$local_part}; + login='${quote_mysql:$local_part}'; .endd This can then be used in a &(redirect)& router setting like this: .code @@ -5905,13 +5904,11 @@ Jeffrey Friedl's &'Mastering Regular Expressions'&, which is published by O'Reilly (see &url(http://www.oreilly.com/catalog/regex2/)). The documentation for the syntax and semantics of the regular expressions that -are supported by PCRE is included in plain text in the file -&_doc/pcrepattern.txt_& in the Exim distribution, and also in the HTML -tarbundle of Exim documentation. It describes in detail the features of the -regular expressions that PCRE supports, so no further description is included -here. The PCRE functions are called from Exim using the default option settings -(that is, with no PCRE options set), except that the PCRE_CASELESS option is -set when the matching is required to be case-insensitive. +are supported by PCRE is included in the PCRE distribution, and no further +description is included here. The PCRE functions are called from Exim using +the default option settings (that is, with no PCRE options set), except that +the PCRE_CASELESS option is set when the matching is required to be +case-insensitive. In most cases, when a regular expression is required in an Exim configuration, it has to start with a circumflex, in order to distinguish it from plain text @@ -5950,47 +5947,6 @@ $ is needed because string expansion also interprets dollar characters. -.section "Testing regular expressions" "SECID59" -.cindex "testing" "regular expressions" -.cindex "regular expressions" "testing" -.cindex "&'pcretest'&" -A program called &'pcretest'& forms part of the PCRE distribution and is built -with PCRE during the process of building Exim. It is primarily intended for -testing PCRE itself, but it can also be used for experimenting with regular -expressions. After building Exim, the binary can be found in the build -directory (it is not installed anywhere automatically). There is documentation -of various options in &_doc/pcretest.txt_&, but for simple testing, none are -needed. This is the output of a sample run of &'pcretest'&: -.display -&` re> `&&*&`/^([@]+)@.+\.(ac|edu)\.(?!kr)[a-z]{2}$/`&*& -&`data> `&&*&`x@y.ac.uk`&*& -&` 0: x@y.ac.uk`& -&` 1: x`& -&` 2: ac`& -&`data> `&&*&`x@y.ac.kr`&*& -&`No match`& -&`data> `&&*&`x@y.edu.com`&*& -&`No match`& -&`data> `&&*&`x@y.edu.co`&*& -&` 0: x@y.edu.co`& -&` 1: x`& -&` 2: edu`& -.endd -Input typed by the user is shown in bold face. After the &"re>"& prompt, a -regular expression enclosed in delimiters is expected. If this compiles without -error, &"data>"& prompts are given for strings against which the expression is -matched. An empty data line causes a new regular expression to be read. If the -match is successful, the captured substring values (that is, what would be in -the variables &$0$&, &$1$&, &$2$&, etc.) are shown. The above example tests for -an email address whose domain ends with either &"ac"& or &"edu"& followed by a -two-character top-level domain that is not &"kr"&. The local part is captured -in &$1$& and the &"ac"& or &"edu"& in &$2$&. - - - - - - . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// @@ -7216,13 +7172,13 @@ mysql_servers = slave1/db/name/pw:\ .endd In an updating lookup, you could then write: .code -${lookup mysql{servers=master; UPDATE ...} +${lookup mysql{servers=master; UPDATE ...} } .endd That query would then be sent only to the master server. If, on the other hand, the master is not to be used for reading, and so is not present in the global option, you can still update it by a query of this form: .code -${lookup pgsql{servers=master/db/name/pw; UPDATE ...} +${lookup pgsql{servers=master/db/name/pw; UPDATE ...} } .endd @@ -10760,7 +10716,7 @@ This is an obsolete name for &$received_port$&. .vitem &$item$& .vindex "&$item$&" This variable is used during the expansion of &*forall*& and &*forany*& -conditions (see section &<>&), and &*filter*&, &*man*&, and +conditions (see section &<>&), and &*filter*&, &*map*&, and &*reduce*& items (see section &<>&). In other circumstances, it is empty. @@ -19002,11 +18958,9 @@ filter itself, and the original process that reads the result and delivers it are all run in parallel, like a shell pipeline. The filter can perform any transformations it likes, but of course should take -care not to break RFC 2822 syntax. A demonstration Perl script is provided in -&_util/transport-filter.pl_&; this makes a few arbitrary modifications just to -show the possibilities. Exim does not check the result, except to test for a -final newline when SMTP is in use. All messages transmitted over SMTP must end -with a newline, so Exim supplies one if it is missing. +care not to break RFC 2822 syntax. Exim does not check the result, except to +test for a final newline when SMTP is in use. All messages transmitted over +SMTP must end with a newline, so Exim supplies one if it is missing. .cindex "content scanning" "per user" A transport filter can be used to provide content-scanning on a per-user basis @@ -23568,17 +23522,20 @@ login: driver = plaintext public_name = LOGIN server_prompts = Username:: : Password:: - server_condition = ${if ldapauth \ - {user="cn=${quote_ldap_dn:$auth1},ou=people,o=example.org" \ - pass=${quote:$auth2} \ - ldap://ldap.example.org/}} + server_condition = ${if and{{ + !eq{}{$auth1} }{ \ + ldapauth{user="cn=${quote_ldap_dn:$auth1},ou=people,o=example.org" \ + pass=${quote:$auth2} \ + ldap://ldap.example.org/} }} } server_set_id = uid=$auth1,ou=people,o=example.org .endd -Note the use of the &%quote_ldap_dn%& operator to correctly quote the DN for -authentication. However, the basic &%quote%& operator, rather than any of the -LDAP quoting operators, is the correct one to use for the password, because -quoting is needed only to make the password conform to the Exim syntax. At the -LDAP level, the password is an uninterpreted string. +We have to check that the username is not empty before using it, because LDAP +does not permit empty DN components. We must also use the &%quote_ldap_dn%& +operator to correctly quote the DN for authentication. However, the basic +&%quote%& operator, rather than any of the LDAP quoting operators, is the +correct one to use for the password, because quoting is needed only to make +the password conform to the Exim syntax. At the LDAP level, the password is an +uninterpreted string. @@ -24098,11 +24055,11 @@ sections &<>& and &<>&. .section "GnuTLS parameter computation" "SECID181" -GnuTLS uses RSA and D-H parameters that may take a substantial amount of time +GnuTLS uses D-H parameters that may take a substantial amount of time to compute. It is unreasonable to re-compute them for every TLS session. Therefore, Exim keeps this data in a file in its spool directory, called &_gnutls-params_&. The file is owned by the Exim user and is readable only by -its owner. Every Exim process that start up GnuTLS reads the RSA and D-H +its owner. Every Exim process that start up GnuTLS reads the D-H parameters from this file. If the file does not exist, the first Exim process that needs it computes the data and writes it to a temporary file which is renamed once it is complete. It does not matter if several Exim processes do @@ -24810,7 +24767,8 @@ connection is closed. In these special cases, the QUIT ACL does not run. .section "The not-QUIT ACL" "SECTNOTQUITACL" -The not-QUIT ACL, specified by &%smtp_notquit_acl%&, is run in most cases when +.vindex &$acl_smtp_notquit$& +The not-QUIT ACL, specified by &%acl_smtp_notquit%&, is run in most cases when an SMTP session ends without sending QUIT. However, when Exim itself is is bad trouble, such as being unable to write to its log files, this ACL is not run, because it might try to do things (such as write to log files) that make the @@ -25122,7 +25080,7 @@ the sending entity receives a &"success"& response. However, &%discard%& causes recipients to be discarded. If it is used in an ACL for RCPT, just the one recipient is discarded; if used for MAIL, DATA or in the non-SMTP ACL, all the message's recipients are discarded. Recipients that are discarded before DATA -do not appear in the log line when the &%log_recipients%& log selector is set. +do not appear in the log line when the &%received_recipients%& log selector is set. If the &%log_message%& modifier is set when &%discard%& operates, its contents are added to the line that is automatically written to the log. @@ -25512,7 +25470,8 @@ ACL fragment writes no logging information when access is denied: &` log_reject_target =`& .endd This modifier can be used in SMTP and non-SMTP ACLs. It applies to both -permanent and temporary rejections. +permanent and temporary rejections. Its effect lasts for the rest of the +current ACL. .vitem &*logwrite*&&~=&~<&'text'&> @@ -26358,7 +26317,9 @@ verified as a sender. .cindex "&ACL;" "testing a DNS list" In its simplest form, the &%dnslists%& condition tests whether the calling host is on at least one of a number of DNS lists by looking up the inverted IP -address in one or more DNS domains. For example, if the calling host's IP +address in one or more DNS domains. (Note that DNS list domains are not mail +domains, so the &`+`& syntax for named lists doesn't work - it is used for +special options instead.) For example, if the calling host's IP address is 192.168.62.43, and the ACL statement is .code deny dnslists = blackholes.mail-abuse.org : \ @@ -26935,7 +26896,7 @@ value. You can work out the time (the number of smoothing periods) that a client is subjected to counter-measures after an over-limit burst with this formula: .code -ln(peakrate/maxrate) + ln(peakrate/maxrate) .endd The &%leaky%& (default) option means that the client's recorded rate is not updated if it is above the limit. The effect of this is that Exim measures the @@ -27593,19 +27554,8 @@ the third string (in this case &"1"&), whether or not the cryptographic and timeout checks succeed. The &$prvscheck_result$& variable contains the result of the checks (empty for failure, &"1"& for success). -There are two more issues you must consider when implementing prvs-signing. -Firstly, you need to ensure that prvs-signed addresses are not blocked by your -ACLs. A prvs-signed address contains a slash character, but the default Exim -configuration contains this statement in the RCPT ACL: -.code -deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] -.endd -This is a conservative rule that blocks local parts that contain slashes. You -should remove the slash in the last line. - -Secondly, you have to ensure that the routers accept prvs-signed addresses and +There is one more issue you must consider when implementing prvs-signing: +you have to ensure that the routers accept prvs-signed addresses and deliver them correctly. The easiest way to handle this is to use a &(redirect)& router to remove the signature with a configuration along these lines: .code @@ -34317,13 +34267,81 @@ unqualified domain &'foundation'&. .ecindex IIDforspo2 .ecindex IIDforspo3 +. //////////////////////////////////////////////////////////////////////////// +. //////////////////////////////////////////////////////////////////////////// + +.chapter "Support for DKIM (DomainKeys Identified Mail) - RFC4871" "CHID12" &&& + "DKIM Support" +.cindex "DKIM" + +Since version 4.70, DKIM support is compiled into Exim by default. It can be +disabled by setting DISABLE_DKIM=yes in Local/Makefile. + +Exim's DKIM implementation allows to +.olist +Sign outgoing messages: This function is implemented in the SMTP transport. +It can co-exist with all other Exim features, including transport filters. +.next +Verify signatures in incoming messages: This is implemented by an additional +ACL (acl_smtp_dkim), which can be called several times per message, with +different signature context. +.endlist + +.section "Signing outgoing messages" "SECID513" +.cindex "DKIM" "signing" + +Signing is implemented by setting private options on the SMTP transport. +These options take (expandable) strings as arguments. + +.vitem &%dkim_domain = [MANDATORY]%& +The domain you want to sign with. The result of this expanded +option is put into the $dkim_domain expansion variable. + +.vitem &%dkim_selector = [MANDATORY]%& +This sets the key selector string. You can use the $dkim_domain expansion +variable to look up a matching selector. The result is put in the expansion +variable $dkim_selector which should be used in the dkim_private_key option +along with $dkim_domain. + +.vitem &%dkim_private_key = [MANDATORY]%& +This sets the private key to use. You can use the $dkim_domain and +$dkim_selector expansion variables to determine the private key to use. +The result can either +.ulist +be a valid RSA private key in ASCII armor, including line breaks. +.next +start with a slash, in which case it is treated as a file that contains +the private key. +.next +be "0", "false" or the empty string, in which case the message will not +be signed. This case will not result in an error, even if dkim_strict is set. +.endlist + +.vitem &%dkim_canon = [OPTIONAL]%& +This option sets the canonicalization method used when signing a message. +The DKIM RFC currently supports two methods: "simple" and "relaxed". +The option defaults to "relaxed" when unset. Note: the current implementation +only support using the same canonicalization method for both headers and body. + +.vitem &%dkim_strict = [OPTIONAL]%& +This option defines how Exim behaves when signing a message that +should be signed fails for some reason. When the expansion evaluates to +either "1" or "true", Exim will defer. Otherwise Exim will send the message +unsigned. You can use the $dkim_domain and $dkim_selector expansion +variables here. + +.vitem &%dkim_sign_headers = [OPTIONAL]%& +When set, this option must expand to (or be specified as) a colon-separated +list of header names. These headers will be included in the message +signature. When unspecified, the headers recommended in RFC4871 will be used. + . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// -.chapter "Adding new drivers or lookup types" "CHID12" &&& +.chapter "Adding new drivers or lookup types" "CHID13" &&& "Adding drivers or lookups" .cindex "adding drivers" .cindex "new drivers, adding"