X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/a2ce7b0f5da40b6a7a3094f75b156eede00539c0..5031095fd4553935c70e1c24a9936dfc609cdc67:/doc/doc-docbook/spec.xfpt?ds=inline diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index abd15d452..55ab7f25b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -4383,6 +4383,17 @@ written. When &%-oX%& is used with &%-bd%&, or when &%-q%& with a time is used without &%-bd%&, this is the only way of causing Exim to write a pid file, because in those cases, the normal pid file is not used. +.new +.vitem &%-oPX%& +.oindex "&%-oPX%&" +.cindex "pid (process id)" "of daemon" +.cindex "daemon" "process id (pid)" +This option is not intended for general use. +The daemon uses it when terminating due to a SIGTEM, possibly in +combination with &%-oP%&&~<&'path'&>. +It causes the pid file to be removed. +.wen + .vitem &%-or%&&~<&'time'&> .oindex "&%-or%&" .cindex "timeout" "for non-SMTP input" @@ -15111,15 +15122,22 @@ etc. are ignored. If IP literals are enabled, the &(ipliteral)& router declines to handle IPv6 literal addresses. -.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1" +.new +.option dkim_verify_hashes main "string list" "sha256 : sha512" .cindex DKIM "selecting signature algorithms" This option gives a list of hash types which are acceptable in signatures, +.wen and an order of processing. Signatures with algorithms not in the list will be ignored. -Note that the presence of sha1 violates RFC 8301. -Signatures using the rsa-sha1 are however (as of writing) still common. -The default inclusion of sha1 may be dropped in a future release. +Acceptable values include: +.code +sha1 +sha256 +sha512 +.endd + +Note that the acceptance of sha1 violates RFC 8301. .option dkim_verify_keytypes main "string list" "ed25519 : rsa" This option gives a list of key types which are acceptable in signatures, @@ -24870,6 +24888,9 @@ unauthenticated. See also &%hosts_require_auth%&, and chapter .cindex "RFC 3030" "CHUNKING" This option provides a list of servers to which, provided they announce CHUNKING support, Exim will attempt to use BDAT commands rather than DATA. +.new +Unless DKIM signing is being done, +.wen BDAT will not be used in conjunction with a transport filter. .option hosts_try_dane smtp "host list&!!" * @@ -27415,9 +27436,11 @@ This should have meant that certificate identity and verification becomes a non-issue, as a man-in-the-middle attack will cause the correct client and server to see different identifiers and authentication will fail. -This is currently only supported when using the GnuTLS library. This is +.new +This is only usable by mechanisms which support "channel binding"; at time of writing, that's the SCRAM family. +.wen This defaults off to ensure smooth upgrade across Exim releases, in case this option causes some clients to start failing. Some future release @@ -30351,6 +30374,13 @@ This control turns off DKIM verification processing entirely. For details on the operation and configuration of DKIM, see section &<>&. +.vitem &*control&~=&~dmarc_disable_verify*& +.cindex "disable DMARC verify" +.cindex "DMARC" "disable verify" +This control turns off DMARC verification processing entirely. For details on +the operation and configuration of DMARC, see section &<>&. + + .vitem &*control&~=&~dscp/*&<&'value'&> .cindex "&ACL;" "setting DSCP value" .cindex "DSCP" "inbound" @@ -33618,7 +33648,12 @@ directory, so you might set HAVE_LOCAL_SCAN=yes LOCAL_SCAN_SOURCE=Local/local_scan.c .endd -for example. The function must be called &[local_scan()]&. It is called by +for example. The function must be called &[local_scan()]&; +.new +the source file(s) for it should first #define LOCAL_SCAN +and then #include "local_scan.h". +.wen +It is called by Exim after it has received a message, when the success return code is about to be sent. This is after all the ACLs have been run. The return code from your function controls whether the message is actually accepted or not. There is a @@ -34297,12 +34332,18 @@ dropping of a TCP/IP connection), you can call &'smtp_fflush()'&, which has no arguments. It flushes the output stream, and returns a non-zero value if there is an error. -.vitem &*void&~*store_get(int)*& +.new +.vitem &*void&~*store_get(int,BOOL)*& This function accesses Exim's internal store (memory) manager. It gets a new -chunk of memory whose size is given by the argument. Exim bombs out if it ever +chunk of memory whose size is given by the first argument. +The second argument should be given as TRUE if the memory will be used for +data possibly coming from an attacker (eg. the message content), +FALSE if it is locally-sourced. +Exim bombs out if it ever runs out of memory. See the next section for a discussion of memory handling. +.wen -.vitem &*void&~*store_get_perm(int)*& +.vitem &*void&~*store_get_perm(int,BOOL)*& This function is like &'store_get()'&, but it always gets memory from the permanent pool. See the next section for a discussion of memory handling. @@ -40492,7 +40533,10 @@ the most current version can be downloaded from a link at &url(https://publicsuffix.org/list/, currently pointing at https://publicsuffix.org/list/public_suffix_list.dat) See also util/renew-opendmarc-tlds.sh script. -The default for the option is /etc/exim/opendmarc.tlds. +.new +The default for the option is unset. +If not set, DMARC processing is disabled. +.wen The &%dmarc_history_file%& option, if set @@ -41015,14 +41059,17 @@ Events have names which correspond to the point in process at which they fire. The name is placed in the variable &$event_name$& and the event action expansion must check this, as it will be called for every possible event type. +.new The current list of events is: +.wen .display &`dane:fail after transport `& per connection &`msg:complete after main `& per message +&`msg:defer after transport `& per message per delivery try &`msg:delivery after transport `& per recipient &`msg:rcpt:host:defer after transport `& per recipient per host &`msg:rcpt:defer after transport `& per recipient -&`msg:host:defer after transport `& per attempt +&`msg:host:defer after transport `& per host per delivery try; host errors &`msg:fail:delivery after transport `& per recipient &`msg:fail:internal after main `& per recipient &`tcp:connect before transport `& per connection @@ -41048,12 +41095,13 @@ An additional variable, &$event_data$&, is filled with information varying with the event type: .display &`dane:fail `& failure reason +&`msg:defer `& error string &`msg:delivery `& smtp confirmation message &`msg:fail:internal `& failure reason &`msg:fail:delivery `& smtp error message +&`msg:host:defer `& error string &`msg:rcpt:host:defer `& error string &`msg:rcpt:defer `& error string -&`msg:host:defer `& error string &`tls:cert `& verification chain depth &`smtp:connect `& smtp banner &`smtp:ehlo `& smtp ehlo response