X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/ad07e9add2a9959a2cc07c996452fcfc10ccab9f..f926e27276301de1e2fd011b7edcd1b85d8c4754:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 542ccaf86..3419b768b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11254,6 +11254,17 @@ The building process for Exim keeps a count of the number of times it has been compiled. This serves to distinguish different compilations of the same version of the program. +.vitem &$config_dir$& +.vindex "&$config_dir$&" +The directory name of the main configuration file. That is, the content of +&$config_file$& with the last component stripped. The value does not +contain the trailing slash. If &$config_file$& does not contain a slash, +&$config_dir$& is ".". + +.vitem &$config_file$& +.vindex "&$config_file$&" +The name of the main configuration file Exim is using. + .vitem &$demime_errorlevel$& .vindex "&$demime_errorlevel$&" This variable is available when Exim is compiled with @@ -11361,6 +11372,13 @@ This variable contains the path to the Exim binary. .vindex "&$exim_uid$&" This variable contains the numerical value of the Exim user id. +.vitem &$exim_version$& +.vindex "&$exim_uid$&" +This variable contains the version string of the Exim build. +The first character is a major version number, currently 4. +Then after a dot, the next group of digits is a minor version number. +There may be other characters following the minor version. + .vitem &$found_extension$& .vindex "&$found_extension$&" This variable is available when Exim is compiled with the @@ -15624,13 +15642,15 @@ the time of delivery. They are normally used only for final local deliveries. This option is an obsolete synonym for &%bounce_return_size_limit%&. -.option rfc1413_hosts main "host list&!!" * +.option rfc1413_hosts main "host list&!!" @[] .cindex "RFC 1413" .cindex "host" "for RFC 1413 calls" -RFC 1413 identification calls are made to any client host which matches an item -in the list. +RFC 1413 identification calls are made to any client host which matches +an item in the list. +The default value specifies just this host, being any local interface +for the system. -.option rfc1413_query_timeout main time 5s +.option rfc1413_query_timeout main time 0s .cindex "RFC 1413" "query timeout" .cindex "timeout" "for RFC 1413 call" This sets the timeout on RFC 1413 identification calls. If it is set to zero, @@ -16478,17 +16498,28 @@ preference order of the available ciphers. Details are given in sections See &%tls_verify_hosts%& below. -.option tls_verify_certificates main string&!! unset +.option tls_verify_certificates main string&!! system .cindex "TLS" "client certificate verification" .cindex "certificate" "verification of client" -The value of this option is expanded, and must then be the absolute path to -a file containing permitted certificates for clients that -match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you -are using either GnuTLS version 3.3.6 (or later) or OpenSSL, -you can set &%tls_verify_certificates%& to the name of a -directory containing certificate files. -For earlier versions of GnuTLS -the option must be set to the name of a single file. +The value of this option is expanded, and must then be either the +word "system" +or the absolute path to +a file or directory containing permitted certificates for clients that +match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. + +The "system" value for the option will use a +system default location compiled into the SSL library. +This is not available for GnuTLS versions preceding 3.0.20, +and will be taken as empty; an explicit location +must be specified. + +The use of a directory for the option value is not avilable for GnuTLS versions +preceding 3.3.6 and a single file must be used. + +With OpenSSL the certificates specified +explicitly +either by file or directory +are added to those given by the system default location. With OpenSSL the certificates specified explicitly @@ -23422,7 +23453,7 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. -.option tls_try_verify_hosts smtp "host list&!!" unset +.option tls_try_verify_hosts smtp "host list&!!" * .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" This option gives a list of hosts for which, on encrypted connections, @@ -23435,20 +23466,37 @@ The &$tls_out_certificate_verified$& variable is set when certificate verification succeeds. -.option tls_verify_certificates smtp string&!! unset +.option tls_verify_cert_hostnames smtp "host list&!!" * +.cindex "TLS" "server certificate hostname verification" +.cindex "certificate" "verification of server" +This option give a list of hosts for which, +while verifying the server certificate, +checks will be included on the host name +(note that this will generally be the result of a DNS MX lookup) +versus Subject and Subject-Alternate-Name fields. Wildcard names are permitted +limited to being the initial component of a 3-or-more component FQDN. + +There is no equivalent checking on client certificates. + + +.option tls_verify_certificates smtp string&!! system .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" .vindex "&$host$&" .vindex "&$host_address$&" -The value of this option must be the absolute path to a file containing -permitted server certificates, for use when setting up an encrypted connection. -Alternatively, -if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL, -you can set -&%tls_verify_certificates%& to the name of a directory containing certificate -files. -For earlier versions of GnuTLS the option must be set to the name of a -single file. +The value of this option must be either the +word "system" +or the absolute path to +a file or directory containing permitted certificates for servers, +for use when setting up an encrypted connection. + +The "system" value for the option will use a location compiled into the SSL library. +This is not available for GnuTLS versions preceding 3.0.20; a value of "system" +is taken as empty and an explicit location +must be specified. + +The use of a directory for the option value is not avilable for GnuTLS versions +preceding 3.3.6 and a single file must be used. With OpenSSL the certificates specified explicitly @@ -23461,6 +23509,7 @@ expansion of this option. See chapter &<>& for details of TLS. For back-compatability, if neither tls_verify_hosts nor tls_try_verify_hosts are set +(a single-colon empty list counts as being set) and certificate verification fails the TLS connection is closed. @@ -25936,8 +25985,9 @@ include files and libraries for GnuTLS can be found. There are some differences in usage when using GnuTLS instead of OpenSSL: .ilist -The &%tls_verify_certificates%& option must contain the name of a file, not the -name of a directory for GnuTLS versions before 3.3.6 +The &%tls_verify_certificates%& option +cannot be the path of a directory +for GnuTLS versions before 3.3.6 (for later versions, or OpenSSL, it can be either). .next The default value for &%tls_dhparam%& differs for historical reasons. @@ -26289,8 +26339,10 @@ session with a client, you must set either &%tls_verify_hosts%& or apply to all TLS connections. For any host that matches one of these options, Exim requests a certificate as part of the setup of the TLS session. The contents of the certificate are verified by comparing it with a list of -expected certificates. These must be available in a file or, -for OpenSSL only (not GnuTLS), a directory, identified by +expected certificates. +These may be the system default set (depending on library version), +an explicit file or, +depending on library version, a directory, identified by &%tls_verify_certificates%&. A file can contain multiple certificates, concatenated end to end. If a @@ -26450,9 +26502,13 @@ if it requests it. If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it +specifies a collection of expected server certificates. +These may be the system default set (depeding on library version), +a file or, +depnding on liibrary version, a directory, must name a file or, -for OpenSSL only (not GnuTLS), a directory, that contains a collection of -expected server certificates. The client verifies the server's certificate +for OpenSSL only (not GnuTLS), a directory. +The client verifies the server's certificate against this collection, taking into account any revoked certificates that are in the list defined by &%tls_crl%&. Failure to verify fails the TLS connection unless either of the @@ -34784,7 +34840,7 @@ selection marked by asterisks: &` smtp_protocol_error `& SMTP protocol errors &` smtp_syntax_error `& SMTP syntax errors &` subject `& contents of &'Subject:'& on <= lines -&` tls_certificate_verified `& certificate verification status +&`*tls_certificate_verified `& certificate verification status &`*tls_cipher `& TLS cipher suite on <= and => lines &` tls_peerdn `& TLS peer DN on <= and => lines &` tls_sni `& TLS SNI on <= lines