X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/9e716cdf98e2c9e771471249a6b75e7481a54b0b..ee0bbe8dc5170856375348f302ce73535da1bbe9:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 15e36f7ac..a39f4fd0a 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3049,7 +3049,8 @@ trusted user for the sender of a message to be set in this way. .oindex "&%-bmalware%&" .cindex "testing", "malware" .cindex "malware scan test" -This debugging option causes Exim to scan the given file, +This debugging option causes Exim to scan the given file or directory +(depending on the used scanner interface), using the malware scanning framework. The option of &%av_scanner%& influences this option, so if &%av_scanner%&'s value is dependent upon an expansion then the expansion should have defaults which apply to this invocation. ACLs are @@ -6147,7 +6148,8 @@ errors: This causes any temporarily failing address to be retried every 15 minutes for 2 hours, then at intervals starting at one hour and increasing by a factor of 1.5 until 16 hours have passed, then every 6 hours up to 4 days. If an address -is not delivered after 4 days of temporary failure, it is bounced. +is not delivered after 4 days of temporary failure, it is bounced. The time is +measured from first failure, not from the time the message was received. If the retry section is removed from the configuration, or is empty (that is, if no retry rules are defined), Exim will not retry deliveries. This turns @@ -6609,7 +6611,7 @@ lookup types support only literal keys. .endlist ilist -.section "Query-style lookup types" "SECID62" +.section "Query-style lookup types" "SECTquerystylelookups" .cindex "lookup" "query-style types" .cindex "query-style lookup" "list of types" The supported query-style lookup types are listed below. Further details about 
@@ -7773,7 +7775,14 @@ domain, host, address and local part lists. .section "Expansion of lists" "SECTlistexpand" .cindex "expansion" "of lists" -Each list is expanded as a single string before it is used. The result of +Each list is expanded as a single string before it is used. + +.new +&'Exception: the router headers_remove option, where list-item +splitting is done before string-expansion.'& +.wen + +The result of expansion must be a list, possibly containing empty items, which is split up into separate items for matching. By default, colon is the separator character, but this can be varied if necessary. See sections &<>& and @@ -10473,7 +10482,7 @@ variables or headers inside regular expressions. .cindex "SHA-1 hash" .cindex "expansion" "SHA-1 hashing" .cindex certificate fingerprint -.cindex "&%sha2%& expansion item" +.cindex "&%sha1%& expansion item" The &%sha1%& operator computes the SHA-1 hash value of the string, and returns it as a 40-digit hexadecimal number, in which any letters are in upper case. 
@@ -10481,16 +10490,38 @@ If the string is a single variable of type certificate, returns the SHA-1 hash fingerprint of the certificate. -.vitem &*${sha256:*&<&'certificate'&>&*}*& +.vitem &*${sha256:*&<&'string'&>&*}*& .cindex "SHA-256 hash" .cindex certificate fingerprint .cindex "expansion" "SHA-256 hashing" .cindex "&%sha256%& expansion item" -The &%sha256%& operator computes the SHA-256 hash fingerprint of the -certificate, +.new +The &%sha256%& operator computes the SHA-256 hash value of the string +and returns +it as a 64-digit hexadecimal number, in which any letters are in upper case. +.wen + +If the string is a single variable of type certificate, +returns the SHA-256 hash fingerprint of the certificate. + + +.new +.vitem &*${sha3:*&<&'string'&>&*}*& &&& + &*${sha3_:*&<&'string'&>&*}*& +.cindex "SHA3 hash" +.cindex "expansion" "SHA3 hashing" +.cindex "&%sha3%& expansion item" +The &%sha3%& operator computes the SHA3-256 hash value of the string and returns it as a 64-digit hexadecimal number, in which any letters are in upper case. -Only arguments which are a single variable of certificate type are supported. + +If a number is appended, separated by an underbar, it specifies +the output length. Values of 224, 256, 384 and 512 are accepted; +with 256 being the default. + +The &%sha3%& expansion item is only supported if Exim has been +compiled with GnuTLS 3.5.0 or later. +.wen .vitem &*${stat:*&<&'string'&>&*}*& @@ -12139,6 +12170,7 @@ a single-component name, Exim calls &[gethostbyname()]& (or qualified host name. See also &$smtp_active_hostname$&. +.new .vitem &$proxy_external_address$& &&& &$proxy_external_port$& &&& &$proxy_local_address$& &&& @@ -12147,6 +12179,7 @@ qualified host name. See also &$smtp_active_hostname$&. These variables are only available when built with Proxy Protocol or Socks5 support For details see chapter &<>&. +.wen .vitem &$prdr_requested$& .cindex "PRDR" "variable for" 
@@ -16832,8 +16865,8 @@ of the STARTTLS command to set up an encrypted session is advertised in response to EHLO only to those client hosts that match this option. See chapter &<>& for details of Exim's support for TLS. Note that the default value requires that a certificate be supplied -using the &%tls_certificate%& option. If no certificate is available then -the &%tls_advertise_hosts%& option should be set empty. +using the &%tls_certificate%& option. If TLS support for incoming connections +is not required the &%tls_advertise_hosts%& option should be set empty. .option tls_certificate main string&!! unset @@ -16854,6 +16887,11 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the Server Name Indication extension, then this option and others documented in &<>& will be re-expanded. +.new +If this option is unset or empty a fresh self-signed certificate will be +generated for every connection. +.wen + .option tls_crl main string&!! unset .cindex "TLS" "server certificate revocation list" .cindex "certificate" "revocation list for server" 
@@ -26947,10 +26985,17 @@ with the error If a STARTTLS command is issued within an existing TLS session, it is rejected with a 554 error code. -To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to -match some hosts. You can, of course, set it to * to match all hosts. -However, this is not all you need to do. TLS sessions to a server won't work -without some further configuration at the server end. +To enable TLS operations on a server, the &%tls_advertise_hosts%& option +must be set to match some hosts. The default is * which matches all hosts. + +.new +If this is all you do, TLS encryption will be enabled but not authentication - +meaning that the peer has no assurance it is actually you he is talking to. +You gain protection from a passive sniffer listening on the wire but not +from someone able to intercept the communication. +.wen + +Further protection requires some further configuration at the server end. It is rumoured that all existing clients that support TLS/SSL use RSA encryption. To make this work you need to set, in the server, @@ -28689,13 +28734,18 @@ with &`-d`&, with the output going to a new logfile, by default called &'debuglog'&. The filename can be adjusted with the &'tag'& option, which may access any variables already defined. The logging may be adjusted with the &'opts'& option, which takes the same values as the &`-d`& command-line -option. Some examples (which depend on variables that don't exist in all +option. +.new +Logging may be stopped, and the file removed, with the &'kill'& option. +.wen +Some examples (which depend on variables that don't exist in all contexts): .code control = debug control = debug/tag=.$sender_host_address control = debug/opts=+expand+acl control = debug/tag=.$message_exim_id/opts=+expand + control = debug/kill .endd 
@@ -35505,6 +35555,7 @@ the following table: &`CV `& certificate verification status &`D `& duration of &"no mail in SMTP session"& &`DN `& distinguished name from peer certificate +&`DS `& DNSSEC secured lookups &`DT `& on &`=>`& lines: time taken for a delivery &`F `& sender address (on delivery lines) &`H `& host name and IP address @@ -35595,6 +35646,7 @@ selection marked by asterisks: &` deliver_time `& time taken to perform delivery &` delivery_size `& add &`S=`&&'nnn'& to => lines &`*dnslist_defer `& defers of DNS list (aka RBL) lookups +&` dnssec `& DNSSEC secured lookups &`*etrn `& ETRN commands &`*host_lookup_failed `& as it says &` ident_timeout `& timeout for ident connection @@ -35702,6 +35754,14 @@ the &"=>"& line, tagged with S=. &%dnslist_defer%&: A log entry is written if an attempt to look up a host in a DNS black list suffers a temporary error. .next +.cindex log dnssec +.cindex dnssec logging +&%dnssec%&: For message acceptance and (attempted) delivery log lines, when +dns lookups gave secure results a tag of DS is added. +For acceptance this covers the reverse and forward lookups for host name verification. +It does not cover helo-name verification. +For delivery this covers the SRV, MX, A and/or AAAA lookups. +.next .cindex "log" "ETRN commands" .cindex "ETRN" "logging" &%etrn%&: Every valid ETRN command that is received is logged, before the ACL @@ -38204,6 +38264,7 @@ Use of a proxy is enabled by setting the &%hosts_proxy%& main configuration option to a hostlist; connections from these hosts will use Proxy Protocol. +.new The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces of the proxy): @@ -38216,6 +38277,7 @@ of the proxy): .endd If &$proxy_session$& is set but &$proxy_external_address$& is empty there was a protocol error. +.wen Since the real connections are all coming from the proxy, and the per host connection tracking is done before Proxy Protocol is 
@@ -38354,7 +38416,7 @@ form of the name. Log lines and Received-by: header lines will acquire a "utf8" prefix on the protocol element, eg. utf8esmtp. -The following expansion operator can be used: +The following expansion operators can be used: .code ${utf8_domain_to_alabel:str} ${utf8_domain_from_alabel:str}
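Review bot: in the @@ -3049 hunk, "depending on the used scanner interface" reads awkwardly and leaves the reader guessing which interfaces take a directory; say "depending on the scanner interface in use" and point at the &%av_scanner%& documentation (or name the interfaces that accept a directory there) so an administrator testing with -bmalware knows whether a directory argument is meaningful for their scanner.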
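Review bot: the new sentence in the @@ -6147 hunk, "The time is measured from first failure", should say what fails: "from the first temporary failure of the address, not from the time the message was received", matching the preceding sentence's "after 4 days of temporary failure" for an address, so nobody reads it as the first failure of the message as a whole.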
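Review bot: renaming the section id from SECID62 to SECTquerystylelookups in the @@ -6609 hunk breaks any cross-reference that still names SECID62; the hunk shows no such references being updated, so please grep the doc sources for SECID62 and change them in the same commit, otherwise the build will produce a dangling link.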
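Review bot: in the @@ -7773 hunk the new exception paragraph is wedged between "Each list is expanded as a single string before it is used." and "The result of expansion must be a list ...", so the second sentence now appears to describe the exception rather than the general rule; move the .new/.wen block to after that paragraph, and state explicitly whether the transport headers_remove option behaves the same way or only the router one, since the text names only the router.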
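Review bot: in the @@ -10481 hunk the second vitem line `&*${sha3_:*&<&'string'&>&*}*&` has nothing after the underbar, so the rendered entry reads `${sha3_:...}` and does not show where the number goes; the prose below says a number is appended after the underbar, so the vitem should carry a placeholder in the same style as the string argument. The same paragraph says the number "specifies the output length" without a unit; given the accepted values 224, 256, 384 and 512, write "output length in bits", and replace the semicolon in "are accepted; with 256 being the default" with a comma. Also, the cindex entry "SHA3 hash" sits beside prose that names SHA3-256, so consider indexing both spellings.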
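Review bot: the @@ -12139 / @@ -12147 hunks wrap the proxy variables in .new/.wen but leave the context line "Proxy Protocol or Socks5 support For details see chapter" without a full stop after "support"; since the region is being touched anyway, add the full stop.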
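Review bot: the @@ -16832 hunk keeps the sentence "Note that the default value requires that a certificate be supplied using the &%tls_certificate%& option", while the @@ -16854 hunk in the same file adds that an unset or empty &%tls_certificate%& causes a fresh self-signed certificate to be generated for every connection; these contradict each other and one of them needs rewording so the reader knows whether an unconfigured certificate is an error or a fallback. Separately, the new sentence "If TLS support for incoming connections is not required the ..." needs a comma after "required".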
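Review bot: the new paragraph in the @@ -16854 hunk states the self-signed fallback but not its consequences; add that a certificate generated this way cannot be verified by clients, so connections are encrypted but the server is not authenticated (the same point the @@ -26947 hunk makes in the TLS chapter), and that generating a certificate for every connection has a cost the administrator should be aware of. A short pointer to the TLS chapter would keep the two descriptions in step.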
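Review bot: in the @@ -26947 hunk, "the peer has no assurance it is actually you he is talking to" should be "it is talking to", and "someone able to intercept the communication" undersells the threat; say "an active attacker who can intercept and modify the connection (a man-in-the-middle)" so the contrast with the passive sniffer is explicit. The sentence "the &%tls_advertise_hosts%& option must be set to match some hosts. The default is * which matches all hosts" reads oddly because nothing needs setting when the default already matches everything; phrase it as "by default TLS is advertised to all hosts". Finally, "Further protection requires some further configuration" repeats "further"; drop one.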
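Review bot: the &%dnssec%& selector text in the @@ -35702 hunk does not say whether the DS tag (added to the table in the @@ -35505 hunk) appears when every listed lookup was secure or when any one of them was; for delivery it lists "the SRV, MX, A and/or AAAA lookups", and a reader relying on DS for a DANE or policy decision needs to know which. Please state the rule. Also write "DNS lookups" rather than "dns lookups", "HELO name" rather than "helo-name", and add a comma after "gave secure results".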