X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/d223e9344978ee88ad04a231f00f7540d2b841e2..23bb69826c8d600ce4a268ad27e14b0390e540c8:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b670c1ff9..ba32403d6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3049,7 +3049,8 @@ trusted user for the sender of a message to be set in this way. .oindex "&%-bmalware%&" .cindex "testing", "malware" .cindex "malware scan test" -This debugging option causes Exim to scan the given file, +This debugging option causes Exim to scan the given file or directory +(depending on the used scanner interface), using the malware scanning framework. The option of &%av_scanner%& influences this option, so if &%av_scanner%&'s value is dependent upon an expansion then the expansion should have defaults which apply to this invocation. ACLs are @@ -6147,7 +6148,8 @@ errors: This causes any temporarily failing address to be retried every 15 minutes for 2 hours, then at intervals starting at one hour and increasing by a factor of 1.5 until 16 hours have passed, then every 6 hours up to 4 days. If an address -is not delivered after 4 days of temporary failure, it is bounced. +is not delivered after 4 days of temporary failure, it is bounced. The time is +measured from first failure, not from the time the message was received. If the retry section is removed from the configuration, or is empty (that is, if no retry rules are defined), Exim will not retry deliveries. This turns @@ -6609,7 +6611,7 @@ lookup types support only literal keys. .endlist ilist -.section "Query-style lookup types" "SECID62" +.section "Query-style lookup types" "SECTquerystylelookups" .cindex "lookup" "query-style types" .cindex "query-style lookup" "list of types" The supported query-style lookup types are listed below. Further details about 
@@ -7773,7 +7775,14 @@ domain, host, address and local part lists. .section "Expansion of lists" "SECTlistexpand" .cindex "expansion" "of lists" -Each list is expanded as a single string before it is used. The result of +Each list is expanded as a single string before it is used. + +.new +&'Exception: the router headers_remove option, where list-item +splitting is done before string-expansion.'& +.wen + +The result of expansion must be a list, possibly containing empty items, which is split up into separate items for matching. By default, colon is the separator character, but this can be varied if necessary. See sections &<>& and @@ -12139,6 +12148,7 @@ a single-component name, Exim calls &[gethostbyname()]& (or qualified host name. See also &$smtp_active_hostname$&. +.new .vitem &$proxy_external_address$& &&& &$proxy_external_port$& &&& &$proxy_local_address$& &&& @@ -12147,6 +12157,7 @@ qualified host name. See also &$smtp_active_hostname$&. These variables are only available when built with Proxy Protocol or Socks5 support For details see chapter &<>&. +.wen .vitem &$prdr_requested$& .cindex "PRDR" "variable for" @@ -16832,8 +16843,8 @@ of the STARTTLS command to set up an encrypted session is advertised in response to EHLO only to those client hosts that match this option. See chapter &<>& for details of Exim's support for TLS. Note that the default value requires that a certificate be supplied -using the &%tls_certificate%& option. If no certificate is available then -the &%tls_advertise_hosts%& option should be set empty. +using the &%tls_certificate%& option. If TLS support for incoming connections +is not required the &%tls_advertise_hosts%& option should be set empty. .option tls_certificate main string&!! unset 
@@ -16854,6 +16865,11 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the Server Name Indication extension, then this option and others documented in &<>& will be re-expanded. +.new +If this option is unset or empty a fresh self-signed certificate will be +generated for every connection. +.wen + .option tls_crl main string&!! unset .cindex "TLS" "server certificate revocation list" .cindex "certificate" "revocation list for server" @@ -26901,7 +26917,8 @@ Documentation of the strings accepted may be found in the GnuTLS manual, under &url(http://www.gnutls.org/manual/html_node/Priority-Strings.html), but beware that this relates to GnuTLS 3, which may be newer than the version installed on your system. If you are using GnuTLS 3, -&url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string, then the example code) +then the example code +&url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string) on that site can be used to test a given string. For example: 
@@ -26946,10 +26963,17 @@ with the error If a STARTTLS command is issued within an existing TLS session, it is rejected with a 554 error code. -To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to -match some hosts. You can, of course, set it to * to match all hosts. -However, this is not all you need to do. TLS sessions to a server won't work -without some further configuration at the server end. +To enable TLS operations on a server, the &%tls_advertise_hosts%& option +must be set to match some hosts. The default is * which matches all hosts. + +.new +If this is all you do, TLS encryption will be enabled but not authentication - +meaning that the peer has no assurance it is actually you he is talking to. +You gain protection from a passive sniffer listening on the wire but not +from someone able to intercept the communication. +.wen + +Further protection requires some further configuration at the server end. It is rumoured that all existing clients that support TLS/SSL use RSA encryption. To make this work you need to set, in the server, @@ -38203,6 +38227,7 @@ Use of a proxy is enabled by setting the &%hosts_proxy%& main configuration option to a hostlist; connections from these hosts will use Proxy Protocol. +.new The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces of the proxy): @@ -38215,6 +38240,7 @@ of the proxy): .endd If &$proxy_session$& is set but &$proxy_external_address$& is empty there was a protocol error. +.wen Since the real connections are all coming from the proxy, and the per host connection tracking is done before Proxy Protocol is
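Review bot: In the @@ -3049 hunk, "(depending on the used scanner interface)" reads awkwardly; suggest "(depending on the scanner interface in use)". It would also help the reader of the &%-bmalware%& option to know which interfaces accept a directory rather than a file, since the sentence now promises both without saying which applies.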
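Review bot: In the @@ -6147 hunk, "The time is measured from first failure" is ambiguous about whose first failure: the paragraph is about "any temporarily failing address", so suggest "measured from the first temporary failure of the address, not from the time the message was received" so it cannot be read as the first failure of the message as a whole.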
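Review bot: The @@ -6609 hunk renames the section id from SECID62 to SECTquerystylelookups, but this diff contains no matching change to any &<<SECID62>>& cross-reference. Please check spec.xfpt and the other doc sources for references to the old id; a stale one would break the build or produce a dangling link.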
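Review bot: In the @@ -7773 hunk, the new exception names only "the router headers_remove option"; transports have a headers_remove option too, and a reader will immediately ask whether the same early splitting applies there. Please state explicitly whether this is router-only, and consider adding a cross-reference to the headers_remove description so the two places agree.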
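Review bot: In the @@ -12147 hunk, the unchanged context line "Socks5 support For details see chapter" is missing a full stop before "For". Since the block is being wrapped in .new/.wen in this change anyway, it is a good moment to fix it ("Socks5 support. For details see chapter ...").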
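Review bot: In the @@ -16832 hunk, "If TLS support for incoming connections is not required the &%tls_advertise_hosts%& option" needs a comma after "required". More importantly, the retained sentence "Note that the default value requires that a certificate be supplied using the &%tls_certificate%& option" now contradicts the @@ -16854 hunk, which says an unset &%tls_certificate%& results in a generated self-signed certificate. Suggest rewording to something like "Note that the default value advertises TLS to all hosts; if &%tls_certificate%& is unset, a self-signed certificate is generated (see that option)".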
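Review bot: The @@ -16854 hunk documents the new behaviour ("a fresh self-signed certificate will be generated for every connection") without its security and operational consequences, which belong in the option description. Suggest adding that a per-connection self-signed certificate gives clients no way to verify the server's identity, so this provides opportunistic encryption only and any client that verifies certificates will reject the connection; that generating a certificate for every connection has a CPU cost on busy servers; and which TLS library builds (OpenSSL, GnuTLS, or both) implement it, if the behaviour is not universal.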
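Review bot: In the @@ -26946 hunk, the new .new paragraph would read better and more precisely with a few wording changes: "meaning that the peer has no assurance it is actually you he is talking to" -> "meaning that the client has no assurance that it is actually talking to you"; "someone able to intercept the communication" -> "an active attacker who can intercept and modify the connection", which is the standard distinction from a passive sniffer; and the spaced hyphen in "not authentication - meaning" should be a colon or a separate sentence. The closing line "Further protection requires some further configuration" repeats "further"; suggest "Authentication requires additional configuration at the server end".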