X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/9aa35e9ce70bb9bf61e4e4dbc7089e49eeded1b3..fd4f9c92ea39447557f1847c6bdb4e178e972fec:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 6f6ee4557..4cc7b6ee9 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -9677,7 +9677,8 @@ ${readsocket{inet:[::1]:1234}{request string}} Only a single host name may be given, but if looking it up yields more than one IP address, they are each tried in turn until a connection is made. For both kinds of socket, Exim makes a connection, writes the request string -(unless it is an empty string) and reads from the socket until an end-of-file +unless it is an empty string; and no terminating NUL is ever sent) +and reads from the socket until an end-of-file is read. A timeout of 5 seconds is applied. Additional, optional arguments extend what can be done. Firstly, you can vary the timeout. For example: .code @@ -10015,6 +10016,21 @@ Last:user@example.com user@example.com .endd +.new +.vitem &*${base32:*&<&'digits'&>&*}*& +.cindex "&%base32%& expansion item" +.cindex "expansion" "conversion to base 32" +The string must consist entirely of decimal digits. The number is converted to +base 32 and output as a (empty, for zero) string of characters. +Only lowercase letters are used. + +.vitem &*${base32d:*&<&'base-32&~digits'&>&*}*& +.cindex "&%base32d%& expansion item" +.cindex "expansion" "conversion to base 32" +The string must consist entirely of base-32 digits. +The number is converted to decimal and output as a string. +.wen + .vitem &*${base62:*&<&'digits'&>&*}*& .cindex "&%base62%& expansion item" .cindex "expansion" "conversion to base 62" 
@@ -10038,8 +10054,13 @@ string. .cindex "expansion" "base64 encoding" .cindex "base64 encoding" "in string expansion" .cindex "&%base64%& expansion item" +.cindex certificate "base64 of DER" This operator converts a string into one that is base64 encoded. +If the string is a single variable of type certificate, +returns the base64 encoding of the DER form of the certificate. + + .vitem &*${base64d:*&<&'string'&>&*}*& .cindex "expansion" "base64 decoding" .cindex "base64 decoding" "in string expansion" @@ -12961,6 +12982,14 @@ overriding the setting of &%perl_at_start%&. There is also a command line option &%-pd%& (for delay) which suppresses the initial startup, even if &%perl_at_start%& is set. +.ilist +.oindex "&%perl_taintmode%&" +To provide more security executing Perl code via the embedded Perl +interpeter, the &%perl_taintmode%& option can be set. This enables the +taint mode of the Perl interpreter. You are encouraged to set this +option to a true value. To avoid breaking existing installations, it +defaults to false. + .section "Calling Perl subroutines" "SECID86" When the configuration file includes a &%perl_startup%& option you can make use @@ -13489,6 +13518,7 @@ listed in more than one group. .table2 .row &%perl_at_start%& "always start the interpreter" .row &%perl_startup%& "code to obey when starting Perl" +.row &%perl_taintmode%& "enable taint mode in Perl" .endtable @@ -13781,6 +13811,7 @@ See also the &'Policy controls'& section above. .row &%bounce_message_file%& "content of bounce" .row &%bounce_message_text%& "content of bounce" .row &%bounce_return_body%& "include body if returning message" +.row &%bounce_return_linesize_limit%& "limit on returned message line length" .row &%bounce_return_message%& "include original message in bounce" .row &%bounce_return_size_limit%& "limit on returned message" .row &%bounce_sender_authentication%& "send authenticated sender with bounce" 
@@ -14089,6 +14120,24 @@ error that is detected during reception, only those header lines preceding the point at which the error was detected are returned. .cindex "bounce message" "including original" +.option bounce_return_linesize_limit main integer 998 +.cindex "size" "of bounce lines, limit" +.cindex "bounce message" "line length limit" +.cindex "limit" "bounce message line length" +This option sets a limit in bytes on the line length of messages +that are returned to senders due to delivery problems, +when &%bounce_return_message%& is true. +The default value corresponds to RFC limits. +If the message being returned has lines longer than this value it is +treated as if the &%bounce_return_size_limit%& (below) restriction was exceeded. + +The option also applies to bounces returned when an error is detected +during reception of a messsage. +In this case lines from the original are truncated. + +The option does not apply to messages generated by an &(autoreply)& transport. + + .option bounce_return_message main boolean true If this option is set false, none of the original message is included in bounce messages generated by Exim. See also &%bounce_return_size_limit%& and @@ -15426,7 +15475,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. -.option openssl_options main "string list" "+no_sslv2" +.option openssl_options main "string list" "+no_sslv2 +single_dh_use" .cindex "OpenSSL "compatibility options" This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items, 
@@ -15557,14 +15606,20 @@ local parts. Exim's default configuration does this. .option perl_at_start main boolean false +.cindex "Perl" This option is available only when Exim is built with an embedded Perl interpreter. See chapter &<>& for details of its use. .option perl_startup main string unset +.cindex "Perl" This option is available only when Exim is built with an embedded Perl interpreter. See chapter &<>& for details of its use. +.option perl_startup main boolean false +.cindex "Perl" +This Option enables the taint mode of the embedded Perl interpreter. + .option pgsql_servers main "string list" unset .cindex "PostgreSQL lookup type" "server list" @@ -23393,6 +23448,15 @@ the message. As a result, the overall timeout for a message depends on the size of the message. Its value must not be zero. See also &%final_timeout%&. +.option dkim_domain smtp string&!! unset +.option dkim_selector smtp string&!! unset +.option dkim_private_key smtp string&!! unset +.option dkim_canon smtp string&!! unset +.option dkim_strict smtp string&!! unset +.option dkim_sign_headers smtp string&!! unset +DKIM signing options. For details see &<>&. + + .option delay_after_cutoff smtp boolean true This option controls what happens when all remote IP addresses for a given domain have been inaccessible for so long that they have passed their retry 
@@ -27543,6 +27607,12 @@ Note that a client may issue more than one EHLO or HELO command in an SMTP session, and indeed is required to issue a new EHLO or HELO after successfully setting up encryption following a STARTTLS command. +.new +Note also that a deny neither forces the client to go away nor means that +mail will be refused on the connection. Consider checking for +&$sender_helo_name$& being defined in a MAIL or RCPT ACL to do that. +.wen + If the command is accepted by an &%accept%& verb that has a &%message%& modifier, the message may not contain more than one line (it will be truncated at the first newline and a panic logged if it does). Such a message cannot @@ -34035,13 +34105,20 @@ specific badly-behaved hosts that you have to live with. When Exim receives a VRFY or EXPN command on a TCP/IP connection, it runs the ACL specified by &%acl_smtp_vrfy%& or &%acl_smtp_expn%& (as appropriate) in order to decide whether the command should be accepted or not. -If no ACL is defined, the command is rejected. +.new .cindex "VRFY" "processing" +When no ACL is defined for VRFY, or if it rejects without +setting an explicit response code, the command is accepted +(with a 252 SMTP response code) +in order to support awkward clients that do a VRFY before every RCPT. +.wen When VRFY is accepted, it runs exactly the same code as when Exim is -called with the &%-bv%& option. +called with the &%-bv%& option, and returns 250/451/550 +SMTP response codes. .cindex "EXPN" "processing" +If no ACL for EXPN is defined, the command is rejected. When EXPN is accepted, a single-level expansion of the address is done. EXPN is treated as an &"address test"& (similar to the &%-bt%& option) rather than a verification (the &%-bv%& option). If an unqualified local part is given 
@@ -37930,8 +38007,10 @@ linked to a domain which that entity controls. It permits reputation to be tracked on a per-domain basis, rather than merely upon source IP address. DKIM is documented in RFC 4871. -Since version 4.70, DKIM support is compiled into Exim by default. It can be -disabled by setting DISABLE_DKIM=yes in &_Local/Makefile_&. +.new +DKIM support is compiled into Exim by default if TLS support is present. +.wen +It can be disabled by setting DISABLE_DKIM=yes in &_Local/Makefile_&. Exim's DKIM implementation allows to .olist @@ -37966,7 +38045,7 @@ where you accept mail from relay sources (internal hosts or authenticated senders). -.section "Signing outgoing messages" "SECID513" +.section "Signing outgoing messages" "SECDKIMSIGN" .cindex "DKIM" "signing" Signing is implemented by setting private options on the SMTP transport. @@ -37981,7 +38060,7 @@ option is put into the &%$dkim_domain%& expansion variable. MANDATORY: This sets the key selector string. You can use the &%$dkim_domain%& expansion variable to look up a matching selector. The result is put in the expansion -variable &%$dkim_selector%& which should be used in the &%dkim_private_key%& +variable &%$dkim_selector%& which may be used in the &%dkim_private_key%& option along with &%$dkim_domain%&. .option dkim_private_key smtp string&!! unset
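
Review bot: in the readsocket hunk (@@ -9677,7 +9677,8 @@) the parenthesis is left unbalanced. The added line drops the opening "(" of the old "(unless it is an empty string)" but keeps the closing ")" after "no terminating NUL is ever sent". Restore the opening parenthesis on the "+unless it is an empty string; ..." line so the sentence reads "writes the request string (unless it is an empty string; and no terminating NUL is ever sent) and reads from the socket".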
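
Review bot: in the base32 hunk (@@ -10015,6 +10016,21 @@) the sentence "Only lowercase letters are used" cannot describe a full set of 32 digits, since there are only 26 letters, and the base32d entry refers to "base-32 digits" without defining them. State the exact alphabet in both entries and document what base32d does when given a character outside it. The phrase "output as a (empty, for zero) string of characters" would also read better as "output as a string of characters (empty for zero)".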
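
Review bot: in the perl_taintmode paragraph (@@ -12961,6 +12982,14 @@) the added ".ilist" has no matching ".endlist" in the added lines before the following .section "Calling Perl subroutines", and the paragraph is not a list item in the first place. Drop the ".ilist" line or close the list before the section starts. "interpeter" should be "interpreter". Because the text recommends turning the option on, it would help to add one sentence on what taint mode changes for code loaded through &%perl_startup%&, so administrators know what to test before enabling it.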
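
Review bot: in the bounce_return_linesize_limit hunk (@@ -14089,6 +14120,24 @@) the new .option block is inserted after the context line .cindex "bounce message" "including original", which previously sat directly above ".option bounce_return_message". That index entry now attaches to the new option instead. Insert the new block above that .cindex line. "messsage" should be "message". The text also gives two different behaviours for over-long lines (treated as exceeding &%bounce_return_size_limit%& in one case, truncated in the other); a short statement of what the recipient of the bounce actually sees in the first case would make the difference clear.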
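
Review bot: in the Perl options hunk (@@ -15557,14 +15606,20 @@) the added declaration ".option perl_startup main boolean false" reuses the name of the option defined just above it (".option perl_startup main string unset") while its text describes taint mode. It should be ".option perl_taintmode main boolean false", matching the .oindex entry and the ".row &%perl_taintmode%&" table row added elsewhere in this patch. "This Option" should be lower case, and the entry should carry the same "available only when Exim is built with an embedded Perl interpreter" sentence and chapter reference as its two neighbours.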
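
Review bot: in the smtp transport hunk (@@ -23393,6 +23448,15 @@) the six dkim_* ".option" lines are placed ahead of ".option delay_after_cutoff", which breaks alphabetical order if this list is kept sorted ("delay" sorts before "dkim"). Move the block below delay_after_cutoff. The single shared sentence "DKIM signing options." gives no hint which of the six are required; since the signing section marks dkim_selector as MANDATORY, either repeat that here or say explicitly that requirements are listed in the referenced section.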
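
Review bot: in the VRFY/EXPN hunk (@@ -34035,13 +34105,20 @@) the word "accepted" is now used for two different outcomes. The new paragraph says that with no ACL, or a reject without an explicit code, "the command is accepted (with a 252 SMTP response code)", and the next sentence says "When VRFY is accepted, it runs exactly the same code as ... &%-bv%& ..., and returns 250/451/550". A reader cannot tell whether the default 252 path performs address verification. Reword so that the 252 reply is described as a response given without running verification, and reserve "accepted" for an ACL accept, if that is the behaviour. This is a change of default from reject, so it also deserves a sentence telling administrators how to keep VRFY refused (an ACL that denies with an explicit response code, per the wording here).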