X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/a0093024fe0f1c50705f5463832ae04eea64dd97..0694f91e89112483d7ffb8312471b132c2acce77:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ba128334b..c865e111b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -14680,6 +14680,7 @@ listed in more than one group. .row &%local_scan_timeout%& "timeout for &[local_scan()]&" .row &%message_size_limit%& "for all messages" .row &%percent_hack_domains%& "recognize %-hack for these domains" +.row &%proxy_protocol_timeout%& "timeout for proxy protocol negotiation" .row &%spamd_address%& "set interface to SpamAssassin" .row &%strict_acl_vars%& "object to unset ACL variables" .row &%spf_smtp_comment_template%& "template for &$spf_smtp_comment$&" @@ -17017,6 +17018,14 @@ admin user unless &%prod_requires_admin%& is set false. See also &%queue_list_requires_admin%& and &%commandline_checks_require_admin%&. +.new +.option proxy_protocol_timeout main time 3s +.cindex proxy "proxy protocol" +This option sets the timeout for proxy protocol negotiation. +For details see section &<>&. +.wen + + .option qualify_domain main string "see below" .cindex "domain" "for qualifying addresses" .cindex "address" "qualification" @@ -18480,7 +18489,9 @@ than the public cert of individual clients. With both OpenSSL and GnuTLS, if the value is a file then the certificates are sent by Exim as a server to connecting clients, defining the list of accepted certificate authorities. Thus the values defined should be considered public data. To avoid this, -use the explicit directory version. +use the explicit directory version. (If your peer is Exim up to 4.85, +using GnuTLS, you may need to send the CAs (thus using the file +variant). Otherwise the peer doesn't send its certificate.) See &<>& for discussion of when this option might be re-expanded. @@ -25594,6 +25605,12 @@ It is expanded per-address and can depend on any of &$address_data$&, &$domain_data$&, &$local_part_data$&, &$host$&, &$host_address$& and &$host_port$&. +.new +If the connection is DANE-enabled then this option is ignored; +only messages having the domain used for the DANE TLSA lookup are +sent on the connection. +.wen + .option port smtp string&!! "see below" .cindex "port" "sending TCP/IP" .cindex "TCP/IP" "setting outgoing port" @@ -29265,6 +29282,61 @@ There is no current way to staple a proof for a client certificate. .endd +.new +.section "Caching of static server configuration items" "SECTserverTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ocsp caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_ocsp_file caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ocsp +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the main configuration options &%tls_certificate%&, &%tls_privatekey%&, +&%tls_crl%& and &%tls_ocsp_file%& have values with no +expandable elements, +then the associated information is loaded at daemon startup. +It is made available +to child processes forked for handling received SMTP connections. + +This caching is currently only supported under Linux and FreeBSD. + +If caching is not possible, for example if an item has to be dependent +on the peer host so contains a &$sender_host_name$& expansion, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invalidated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +accepted by Exim. +.wen + + .section "Configuring an Exim client to use TLS" "SECTclientTLS" @@ -29305,7 +29377,10 @@ unencrypted. The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)& transport provide the client with a certificate, which is passed to the server -if it requests it. If the server is Exim, it will request a certificate only if +if it requests it. +This is an optional thing for TLS connections, although either end +may insist on it. +If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. &*Note*&: Do not use a certificate which has the OCSP-must-staple extension, @@ -29385,6 +29460,62 @@ outgoing connection. +.new +.section "Caching of static client configuration items" "SECTclientTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%& +and &%tls_crl%& have values with no +expandable elements, +then the associated information is loaded per smtp transport +at daemon startup, at the start of a queue run, or on a +command-line specified message delivery. +It is made available +to child processes forked for handling making SMTP connections. + +This caching is currently only supported under Linux. + +If caching is not possible, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated in the daemon +and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invaludated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +initiated by Exim. +.wen + + + + .section "Use of TLS Server Name Indication" "SECTtlssni" .cindex "TLS" "Server Name Indication" .cindex "TLS" SNI @@ -29421,7 +29552,7 @@ only point of caution. The &$tls_out_sni$& variable will be set to this string for the lifetime of the client connection (including during authentication). .new -If DAVE validated the connection attempt then the value of the &%tls_sni%& option +If DANE validated the connection attempt then the value of the &%tls_sni%& option is forced to the domain part of the recipient address. .wen @@ -40812,7 +40943,7 @@ but for EC keys it is the base64 of the pure key; no ASN.1 wrapping. Signing is enabled by setting private options on the SMTP transport. These options take (expandable) strings as arguments. -.option dkim_domain smtp string list&!! unset +.option dkim_domain smtp "string list&!!" unset The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn, @@ -40822,7 +40953,7 @@ while expanding the remaining signing options. If it is empty after expansion, DKIM signing is not done, and no error will result even if &%dkim_strict%& is set. -.option dkim_selector smtp string list&!! unset +.option dkim_selector smtp "string list&!!" unset This sets the key selector string. After expansion, which can use &$dkim_domain$&, this can be a list. Each element in turn is put in the expansion @@ -41486,7 +41617,7 @@ Example usage: .code #macro SRS_SECRET = - + #routers outbound: @@ -41496,7 +41627,7 @@ Example usage: transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {remote_smtp} {remote_forwarded_smtp}} - + inbound_srs: driver = redirect senders = : @@ -41504,7 +41635,7 @@ Example usage: # detect inbound bounces which are SRS'd, and decode them condition = ${if inbound_srs {$local_part} {SRS_SECRET}} data = $srs_recipient - + inbound_srs_failure: driver = redirect senders = : @@ -41516,7 +41647,7 @@ Example usage: #... further routers here - + # transport; should look like the non-forward outbound # one, plus the max_rcpt and return_path options remote_forwarded_smtp: @@ -41809,7 +41940,8 @@ automatically determines which version is in use. The Proxy Protocol header is the first data received on a TCP connection and is inserted before any TLS-on-connect handshake from the client; Exim negotiates TLS between Exim-as-server and the remote client, not between -Exim and the proxy server. +Exim and the proxy server. The Proxy Protocol header must be received +within &%proxy_protocol_timeout%&, which defaults to 3s. The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces