X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/ab1d90d75696e3ae0dc210d0e4e8da39fc3ac27c..96d16729c2267491424478e623a492acaec6b35e:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index dcbcbea7d..4c79e87cf 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1394,9 +1394,22 @@ Again, cutthrough delivery counts as a verification. .next Individual routers can be explicitly skipped when running the routers to check an address given in the SMTP EXPN command (see the &%expn%& option). + .next If the &%domains%& option is set, the domain of the address must be in the set of domains that it defines. +.new +.cindex "tainted data" "de-tainting" +A match verifies the variable &$domain$& (which carries tainted data) +and assigns an untainted value to the &$domain_data$& variable. +Such an untainted value is often needed in the transport. +For specifics of the matching operation and the resulting untainted value, +refer to section &<>&. + +When an untainted value is wanted, use this option +rather than the generic &%condition%& option. +.wen + .next .vindex "&$local_part_prefix$&" .vindex "&$local_part_prefix_v$&" @@ -1405,13 +1418,26 @@ of domains that it defines. .vindex "&$local_part_suffix_v$&" .cindex affix "router precondition" If the &%local_parts%& option is set, the local part of the address must be in -the set of local parts that it defines. If &%local_part_prefix%& or +the set of local parts that it defines. +.new +A match verifies the variable &$local_part$& (which carries tainted data) +and assigns an untainted value to the &$local_part_data$& variable. +Such an untainted value is often needed in the transport. +For specifics of the matching operation and the resulting untainted value, +refer to section &<>&. + +When an untainted value is wanted, use this option +rather than the generic &%condition%& option. +.wen + +If &%local_part_prefix%& or &%local_part_suffix%& is in use, the prefix or suffix is removed from the local part before this check. If you want to do precondition tests on local parts that include affixes, you can do so by using a &%condition%& option (see below) that uses the variables &$local_part$&, &$local_part_prefix$&, &$local_part_prefix_v$&, &$local_part_suffix$& and &$local_part_suffix_v$& as necessary. + .next .vindex "&$local_user_uid$&" .vindex "&$local_user_gid$&" @@ -1421,23 +1447,37 @@ an account on the local host. If this check succeeds, the uid and gid of the local user are placed in &$local_user_uid$& and &$local_user_gid$& and the user's home directory is placed in &$home$&; these values can be used in the remaining preconditions. + .next If the &%router_home_directory%& option is set, it is expanded at this point, because it overrides the value of &$home$&. If this expansion were left till later, the value of &$home$& as set by &%check_local_user%& would be used in subsequent tests. Having two different values of &$home$& in the same router could lead to confusion. + .next If the &%senders%& option is set, the envelope sender address must be in the set of addresses that it defines. + .next If the &%require_files%& option is set, the existence or non-existence of specified files is tested. + .next .cindex "customizing" "precondition" If the &%condition%& option is set, it is evaluated and tested. This option uses an expanded string to allow you to set up your own custom preconditions. Expanded strings are described in chapter &<>&. + +.new +Note that while using +this option for address matching technically works, +it does not set any de-tainted values. +Such values are often needed, either for router-specific options or +for transport options. +Using the &%domains%& and &%local_parts%& options is usually the most +convenient way to obtain them. +.wen .endlist @@ -3845,7 +3885,9 @@ id, and the remaining ones must be email addresses. However, if the message is active (in the middle of a delivery attempt), it is not altered. This option can be used only by an admin user. -.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&~<&'sequence&~number'&>&&& +.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&&& + &~<&'host&~IP'&>&&& + &~<&'sequence&~number'&>&&& &~<&'message&~id'&>" .oindex "&%-MC%&" .cindex "SMTP" "passed connection" @@ -8428,7 +8470,10 @@ will store a result in the &$host_data$& variable. A &%local_parts%& router option or &%local_parts%& ACL condition will store a result in the &$local_part_data$& variable. .vitem domains +.new A &%domains%& router option or &%domains%& ACL condition +will store a result in the &$domain_data$& variable +.wen .vitem senders A &%senders%& router option or &%senders%& ACL condition will store a result in the &$sender_data$& variable. @@ -9513,7 +9558,9 @@ reasons, .cindex "tainted data" definition .cindex expansion "tainted data" and expansion of data deriving from the sender (&"tainted data"&) -is not permitted. +.new +is not permitted (including acessing a file using a tainted name). +.wen .new Common ways of obtaining untainted equivalents of variables with @@ -10102,7 +10149,7 @@ newline at the very end. For the &%header%& and &%bheader%& expansion, for those headers that contain lists of addresses, a comma is also inserted at the junctions between headers. This does not happen for the &%rheader%& expansion. -.cindex "tainted data" +.cindex "tainted data" "message headers" When the headers are from an incoming message, the result of expanding any of these variables is tainted. @@ -13658,7 +13705,11 @@ filter file to set values that can be tested in users' filter files. For example, a system filter could set a value indicating how likely it is that a message is junk mail. -.vitem &$spam_$&&'xxx'& +.vitem &$spam_score$& &&& + &$spam_score_int$& &&& + &$spam_bar$& &&& + &$spam_report$& &&& + &$spam_action$& A number of variables whose names start with &$spam$& are available when Exim is compiled with the content-scanning extension. For details, see section &<>&. @@ -14048,6 +14099,10 @@ taint mode of the Perl interpreter. You are encouraged to set this option to a true value. To avoid breaking existing installations, it defaults to false. +.new +&*Note*&: This is entirely separate from Exim's tainted-data tracking. +.wen + .section "Calling Perl subroutines" "SECID86" When the configuration file includes a &%perl_startup%& option you can make use @@ -14680,6 +14735,7 @@ listed in more than one group. .row &%local_scan_timeout%& "timeout for &[local_scan()]&" .row &%message_size_limit%& "for all messages" .row &%percent_hack_domains%& "recognize %-hack for these domains" +.row &%proxy_protocol_timeout%& "timeout for proxy protocol negotiation" .row &%spamd_address%& "set interface to SpamAssassin" .row &%strict_acl_vars%& "object to unset ACL variables" .row &%spf_smtp_comment_template%& "template for &$spf_smtp_comment$&" @@ -16927,7 +16983,7 @@ not count as protocol errors (see &%smtp_max_synprot_errors%&). .option pipelining_connect_advertise_hosts main "host list&!!" * .cindex "pipelining" "early connection" .cindex "pipelining" PIPE_CONNECT -.cindex "ESMTP extensions" X_PIPE_CONNECT +.cindex "ESMTP extensions" PIPE_CONNECT If Exim is built with the SUPPORT_PIPE_CONNECT build option this option controls which hosts the facility is advertised to and from which pipeline early-connection (before MAIL) SMTP @@ -16936,7 +16992,9 @@ When used, the pipelining saves on roundtrip times. See also the &%hosts_pipe_connect%& smtp transport option. -Currently the option name &"X_PIPE_CONNECT"& is used. +.new +The SMTP service extension keyword advertised is &"PIPE_CONNECT"&. +.wen .option prdr_enable main boolean false @@ -17017,6 +17075,14 @@ admin user unless &%prod_requires_admin%& is set false. See also &%queue_list_requires_admin%& and &%commandline_checks_require_admin%&. +.new +.option proxy_protocol_timeout main time 3s +.cindex proxy "proxy protocol" +This option sets the timeout for proxy protocol negotiation. +For details see section &<>&. +.wen + + .option qualify_domain main string "see below" .cindex "domain" "for qualifying addresses" .cindex "address" "qualification" @@ -17319,6 +17385,9 @@ manager, there is no way of controlling the total number of simultaneous deliveries if the configuration allows a delivery attempt as soon as a message is received. +See also the &%max_parallel%& generic transport option, +and the &%serialize_hosts%& smtp transport option. + .cindex "number of deliveries" .cindex "delivery" "maximum number of" If you want to control the total number of deliveries on the system, you @@ -18477,7 +18546,9 @@ than the public cert of individual clients. With both OpenSSL and GnuTLS, if the value is a file then the certificates are sent by Exim as a server to connecting clients, defining the list of accepted certificate authorities. Thus the values defined should be considered public data. To avoid this, -use the explicit directory version. +use the explicit directory version. (If your peer is Exim up to 4.85, +using GnuTLS, you may need to send the CAs (thus using the file +variant). Otherwise the peer doesn't send its certificate.) See &<>& for discussion of when this option might be re-expanded. @@ -18796,7 +18867,10 @@ address (with affixes removed if relevant) is the name of an account on the local system. The check is done by calling the &[getpwnam()]& function rather than trying to read &_/etc/passwd_& directly. This means that other methods of holding password data (such as NIS) are supported. If the local part is a local -user, &$home$& is set from the password data, and can be tested in other +user, +.cindex "tainted data" "de-tainting" +&$local_part_data$& is set to an untainted version of the local part and +&$home$& is set from the password data. The latter can be tested in other preconditions that are evaluated after this one (the order of evaluation is given in section &<>&). However, the value of &$home$& can be overridden by &%router_home_directory%&. If the local part is not a local user, @@ -18943,7 +19017,8 @@ This applies to all of the SRV, MX, AAAA, A lookup sequence. If this option is set, the router is skipped unless the current domain matches the list. If the match is achieved by means of a file lookup, the data that the lookup returned for the domain is placed in &$domain_data$& for use in string -expansions of the driver's private options. See section &<>& for +expansions of the driver's private options and in the transport. +See section &<>& for a list of the order in which preconditions are evaluated. @@ -19306,12 +19381,13 @@ section &<>& for a discussion of local part lists. Because the string is expanded, it is possible to make it depend on the domain, for example: .code -local_parts = dbm;/usr/local/specials/$domain +local_parts = dbm;/usr/local/specials/$domain_data .endd .vindex "&$local_part_data$&" If the match is achieved by a lookup, the data that the lookup returned for the local part is placed in the variable &$local_part_data$& for use in -expansions of the router's private options. You might use this option, for +expansions of the router's private options or in the transport. +You might use this option, for example, if you have a large number of local virtual domains, and you want to send all postmaster mail to the same place without having to set up an alias in each virtual domain: @@ -19656,6 +19732,10 @@ Values containing a list-separator should have them doubled. When a router runs, the strings are evaluated in order, to create variables which are added to the set associated with the address. +.new +This is done immediately after all the preconditions, before the +evaluation of the &%address_data%& option. +.wen The variable is set with the expansion of the value. The variables can be used by the router options (not including any preconditions) @@ -25031,12 +25111,14 @@ authenticated as a client. .option command_timeout smtp time 5m +.cindex timeout "smtp transport command" This sets a timeout for receiving a response to an SMTP command that has been sent out. It is also used when waiting for the initial banner line from the remote host. Its value must not be zero. .option connect_timeout smtp time 5m +.cindex timeout "smtp transport connect" This sets a timeout for the &[connect()]& function, which sets up a TCP/IP call to a remote host. A setting of zero allows the system timeout (typically several minutes) to act. To have any effect, the value of this option must be @@ -25072,6 +25154,7 @@ be treated as unset and &%tls_require_ciphers%& will be used instead. .option data_timeout smtp time 5m +.cindex timeout "for transmitted SMTP data blocks" This sets a timeout for the transmission of each block in the data portion of the message. As a result, the overall timeout for a message depends on the size of the message. Its value must not be zero. See also &%final_timeout%&. @@ -25210,6 +25293,7 @@ fails"& facility. .option final_timeout smtp time 10m +.cindex timeout "for transmitted SMTP data accept" This is the timeout that applies while waiting for the response to the final line containing just &"."& that terminates a message. Its value must not be zero. @@ -25456,9 +25540,12 @@ incoming messages, use an appropriate ACL. .cindex "authentication" "optional in client" This option provides a list of servers to which, provided they announce authentication support, Exim will attempt to authenticate as a client when it -connects. If authentication fails, Exim will try to transfer the message -unauthenticated. See also &%hosts_require_auth%&, and chapter -&<>& for details of authentication. +connects. If authentication fails +.new +and &%hosts_require_auth%& permits, +.wen +Exim will try to transfer the message unauthenticated. +See also chapter &<>& for details of authentication. .option hosts_try_chunking smtp "host list&!!" * .cindex CHUNKING "enabling, in client" @@ -25591,6 +25678,12 @@ It is expanded per-address and can depend on any of &$address_data$&, &$domain_data$&, &$local_part_data$&, &$host$&, &$host_address$& and &$host_port$&. +.new +If the connection is DANE-enabled then this option is ignored; +only messages having the domain used for the DANE TLSA lookup are +sent on the connection. +.wen + .option port smtp string&!! "see below" .cindex "port" "sending TCP/IP" .cindex "TCP/IP" "setting outgoing port" @@ -27281,7 +27374,7 @@ conditions: .ilist The client host must match &%auth_advertise_hosts%& (default *). .next -It the &%server_advertise_condition%& option is set, its expansion must not +If the &%server_advertise_condition%& option is set, its expansion must not yield the empty string, &"0"&, &"no"&, or &"false"&. .endlist @@ -27389,7 +27482,7 @@ encode '\0user@domain.com\0pas$$word' .endd gives an incorrect answer because of the unescaped &"@"& and &"$"& characters. -If you have the &%mimencode%& command installed, another way to do produce +If you have the &%mimencode%& command installed, another way to produce base64-encoded strings is to run the command .code echo -e -n `\0user\0password' | mimencode @@ -28088,6 +28181,10 @@ supplied by the server. .option server_channelbinding gsasl boolean false Do not set this true and rely on the properties without consulting a cryptographic engineer. +. Unsure what that's about. It might be the "Triple Handshake" +. vulnerability; cf. https://www.mitls.org/pages/attacks/3SHAKE +. If so, we're ok, requiring Extended Master Secret if TLS +. Session Resumption was used. Some authentication mechanisms are able to use external context at both ends of the session to bind the authentication to that context, and fail the @@ -29262,6 +29359,61 @@ There is no current way to staple a proof for a client certificate. .endd +.new +.section "Caching of static server configuration items" "SECTserverTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ocsp caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_ocsp_file caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ocsp +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the main configuration options &%tls_certificate%&, &%tls_privatekey%&, +&%tls_crl%& and &%tls_ocsp_file%& have values with no +expandable elements, +then the associated information is loaded at daemon startup. +It is made available +to child processes forked for handling received SMTP connections. + +This caching is currently only supported under Linux and FreeBSD. + +If caching is not possible, for example if an item has to be dependent +on the peer host so contains a &$sender_host_name$& expansion, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invalidated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +accepted by Exim. +.wen + + .section "Configuring an Exim client to use TLS" "SECTclientTLS" @@ -29302,7 +29454,10 @@ unencrypted. The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)& transport provide the client with a certificate, which is passed to the server -if it requests it. If the server is Exim, it will request a certificate only if +if it requests it. +This is an optional thing for TLS connections, although either end +may insist on it. +If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. &*Note*&: Do not use a certificate which has the OCSP-must-staple extension, @@ -29382,6 +29537,62 @@ outgoing connection. +.new +.section "Caching of static client configuration items" "SECTclientTLScache" +.cindex certificate caching +.cindex privatekey caching +.cindex crl caching +.cindex ciphers caching +.cindex "CA bundle" caching +.cindex "certificate authorities" caching +.cindex tls_certificate caching +.cindex tls_privatekey caching +.cindex tls_crl caching +.cindex tls_require_ciphers caching +.cindex tls_verify_certificate caching +.cindex caching certificate +.cindex caching privatekey +.cindex caching crl +.cindex caching ciphers +.cindex caching "certificate authorities +If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%& +and &%tls_crl%& have values with no +expandable elements, +then the associated information is loaded per smtp transport +at daemon startup, at the start of a queue run, or on a +command-line specified message delivery. +It is made available +to child processes forked for handling making SMTP connections. + +This caching is currently only supported under Linux. + +If caching is not possible, the load +of the associated information is done at the startup of the TLS connection. + +The cache is invalidated in the daemon +and reloaded after any changes to the directories +containing files specified by these options. + +The information specified by the main option &%tls_verify_certificates%& +is similarly cached so long as it specifies files explicitly +or (under GnuTLS) is the string &"system,cache"&. +The latter case is not automatically invaludated; +it is the operator's responsibility to arrange for a daemon restart +any time the system certificate authority bundle is updated. +A HUP signal is sufficient for this. +The value &"system"& results in no caching under GnuTLS. + +The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system" +is acceptable in configurations for the Exim executavble. + +Caching of the system Certificate Authorities bundle can +save siginificant time and processing on every TLS connection +initiated by Exim. +.wen + + + + .section "Use of TLS Server Name Indication" "SECTtlssni" .cindex "TLS" "Server Name Indication" .cindex "TLS" SNI @@ -29418,7 +29629,7 @@ only point of caution. The &$tls_out_sni$& variable will be set to this string for the lifetime of the client connection (including during authentication). .new -If DAVE validated the connection attempt then the value of the &%tls_sni%& option +If DANE validated the connection attempt then the value of the &%tls_sni%& option is forced to the domain part of the recipient address. .wen @@ -38105,8 +38316,11 @@ parentheses afterwards. When more than one address is included in a single delivery (for example, two SMTP RCPT commands in one transaction) the second and subsequent addresses are flagged with &`->`& instead of &`=>`&. When two or more messages are delivered -down a single SMTP connection, an asterisk follows the IP address in the log -lines for the second and subsequent messages. +down a single SMTP connection, an asterisk follows the +.new +remote IP address (and port if enabled) +.wen +in the log lines for the second and subsequent messages. When two or more messages are delivered down a single TLS connection, the DNS and some TLS-related information logged for the first message delivered will not be present in the log lines for the second and subsequent messages. @@ -38473,6 +38687,7 @@ routing email addresses, but it does apply to &"byname"& lookups. client's ident port times out. .next .cindex "log" "incoming interface" +.cindex "log" "outgoing interface" .cindex "log" "local interface" .cindex "log" "local address and port" .cindex "TCP/IP" "logging local address and port" @@ -38481,7 +38696,10 @@ client's ident port times out. to the &"<="& line as an IP address in square brackets, tagged by I= and followed by a colon and the port number. The local interface and port are also added to other SMTP log lines, for example, &"SMTP connection from"&, to -rejection lines, and (despite the name) to outgoing &"=>"& and &"->"& lines. +rejection lines, and (despite the name) to outgoing +.new +&"=>"&, &"->"&, &"=="& and &"**"& lines. +.wen The latter can be disabled by turning off the &%outgoing_interface%& option. .next .cindex log "incoming proxy address" @@ -40809,7 +41027,7 @@ but for EC keys it is the base64 of the pure key; no ASN.1 wrapping. Signing is enabled by setting private options on the SMTP transport. These options take (expandable) strings as arguments. -.option dkim_domain smtp string list&!! unset +.option dkim_domain smtp "string list&!!" unset The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn, @@ -40819,7 +41037,7 @@ while expanding the remaining signing options. If it is empty after expansion, DKIM signing is not done, and no error will result even if &%dkim_strict%& is set. -.option dkim_selector smtp string list&!! unset +.option dkim_selector smtp "string list&!!" unset This sets the key selector string. After expansion, which can use &$dkim_domain$&, this can be a list. Each element in turn is put in the expansion @@ -41483,7 +41701,7 @@ Example usage: .code #macro SRS_SECRET = - + #routers outbound: @@ -41493,7 +41711,7 @@ Example usage: transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {remote_smtp} {remote_forwarded_smtp}} - + inbound_srs: driver = redirect senders = : @@ -41501,7 +41719,7 @@ Example usage: # detect inbound bounces which are SRS'd, and decode them condition = ${if inbound_srs {$local_part} {SRS_SECRET}} data = $srs_recipient - + inbound_srs_failure: driver = redirect senders = : @@ -41513,7 +41731,7 @@ Example usage: #... further routers here - + # transport; should look like the non-forward outbound # one, plus the max_rcpt and return_path options remote_forwarded_smtp: @@ -41806,7 +42024,8 @@ automatically determines which version is in use. The Proxy Protocol header is the first data received on a TCP connection and is inserted before any TLS-on-connect handshake from the client; Exim negotiates TLS between Exim-as-server and the remote client, not between -Exim and the proxy server. +Exim and the proxy server. The Proxy Protocol header must be received +within &%proxy_protocol_timeout%&, which defaults to 3s. The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces