X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/d9b2312be1c63d0bf94dfaea9c82c6def6b45884..b5b871aca49fbf0fcc2c91997e70c3c57f77faa9:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 0ea36adc2..eb359d088 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -5369,7 +5369,7 @@ it is unset, Exim uses the &[uname()]& system function to obtain the host name. The first three non-comment configuration lines are as follows: .code -domainlist local_domains = @ +domainlist local_domains = @ domainlist relay_to_domains = hostlist relay_from_hosts = 127.0.0.1 .endd @@ -5711,7 +5711,7 @@ examples described in &<>&. This means that no client can in fact authenticate until you complete the authenticator definitions. .code require message = relay not permitted - domains = +local_domains : +relay_domains + domains = +local_domains : +relay_to_domains .endd This statement rejects the address if its domain is neither a local domain nor one of the domains for which this host is a relay. @@ -7485,7 +7485,7 @@ ${lookup sqlite {/some/thing/sqlitedb \ .endd In a list, the syntax is similar. For example: .code -domainlist relay_domains = sqlite;/some/thing/sqlitedb \ +domainlist relay_to_domains = sqlite;/some/thing/sqlitedb \ select * from relays where ip='$sender_host_address'; .endd The only character affected by the &%quote_sqlite%& operator is a single @@ -7567,13 +7567,13 @@ subject is not in the set. If the end of the list is reached without the subject having matched any of the patterns, it is in the set if the last item was a negative one, but not if it was a positive one. For example, the list in .code -domainlist relay_domains = !a.b.c : *.b.c +domainlist relay_to_domains = !a.b.c : *.b.c .endd matches any domain ending in &'.b.c'& except for &'a.b.c'&. Domains that match neither &'a.b.c'& nor &'*.b.c'& do not match, because the last item in the list is positive. However, if the setting were .code -domainlist relay_domains = !a.b.c +domainlist relay_to_domains = !a.b.c .endd then all domains other than &'a.b.c'& would match because the last item in the list is negative. In other words, a list that ends with a negative item behaves @@ -7677,7 +7677,7 @@ the words &%domainlist%&, &%hostlist%&, &%addresslist%&, or &%localpartlist%&, respectively. Then there follows the name that you are defining, followed by an equals sign and the list itself. For example: .code -hostlist relay_hosts = 192.168.23.0/24 : my.friend.example +hostlist relay_from_hosts = 192.168.23.0/24 : my.friend.example addresslist bad_senders = cdb;/etc/badsenders .endd A named list may refer to other named lists: @@ -8758,6 +8758,23 @@ string easier to understand. This item inserts &"basic"& header lines. It is described with the &%header%& expansion item below. + +.vitem "&*${acl{*&<&'name'&>&*}{*&<&'arg'&>&*}...}*&" +.cindex "expansion" "calling an acl" +.cindex "&%acl%&" "call from expansion" +The name and zero to nine argument strings are first expanded separately. The expanded +arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order. +Any unused are made empty. The variable &$acl_narg$& is set to the number of +arguments. The named ACL (see chapter &<>&) is called +and may use the variables; if another acl expansion is used the values +are overwritten. If the ACL sets +a value using a "message =" modifier and returns accept or deny, the value becomes +the result of the expansion. +If no message was set and the ACL returned accept or deny +the value is an empty string. +If the ACL returned defer the result is a forced-fail. Otherwise the expansion fails. + + .vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&& {*&<&'arg'&>&*}...}*&" .cindex &%dlfunc%& @@ -9567,6 +9584,7 @@ environments where Exim uses base 36 instead of base 62 for its message identifiers, base-36 digits. The number is converted to decimal and output as a string. + .vitem &*${domain:*&<&'string'&>&*}*& .cindex "domain" "extraction" .cindex "expansion" "domain extraction" @@ -9726,6 +9744,25 @@ See the description of the general &%length%& item above for details. Note that when &%length%& is used as an operator. +.vitem &*${listcount:*&<&'string'&>&*}*& +.cindex "expansion" "list item count" +.cindex "list" "item count" +.cindex "list" "count of items" +.cindex "&%listcount%& expansion item" +The string is interpreted as a list and the number of items is returned. + + +.vitem &*${listnamed:*&<&'name'&>&*}*&&~and&~&*${list_*&<&'type'&>&*name'&>&*}*& +.cindex "expansion" "named list" +.cindex "&%listnamed%& expansion item" +The name is interpreted as a named list and the content of the list is returned, +expanding any referenced lists, re-quoting as needed for colon-separation. +If the optional type if given it must be one of "a", "d", "h" or "l" +and selects address-, domain-, host- or localpart- lists to search among respectively. +Otherwise all types are searched in an undefined order and the first +matching list is returned. + + .vitem &*${local_part:*&<&'string'&>&*}*& .cindex "expansion" "local part extraction" .cindex "&%local_part%& expansion item" @@ -10013,8 +10050,8 @@ ${if >{$message_size}{10M} ... .endd Note that the general negation operator provides for inequality testing. The two strings must take the form of optionally signed decimal integers, -optionally followed by one of the letters &"K"& or &"M"& (in either upper or -lower case), signifying multiplication by 1024 or 1024*1024, respectively. +optionally followed by one of the letters &"K"&, &"M"& or &"G"& (in either upper or +lower case), signifying multiplication by 1024, 1024*1024 or 1024*1024*1024, respectively. As a special case, the numerical value of an empty string is taken as zero. @@ -10023,6 +10060,21 @@ In all cases, a relative comparator OP is testing if <&'string1'&> OP 10M, not if 10M is larger than &$message_size$&. +.vitem &*acl&~{{*&<&'name'&>&*}{*&<&'arg1'&>&*}&&& + {*&<&'arg2'&>&*}...}*& +.cindex "expansion" "calling an acl" +.cindex "&%acl%&" "expansion condition" +The name and zero to nine argument strings are first expanded separately. The expanded +arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order. +Any unused are made empty. The variable &$acl_narg$& is set to the number of +arguments. The named ACL (see chapter &<>&) is called +and may use the variables; if another acl expansion is used the values +are overwritten. If the ACL sets +a value using a "message =" modifier the variable $value becomes +the result of the expansion, otherwise it is empty. +If the ACL returns accept the condition is true; if deny, false. +If the ACL returns defer the result is a forced-fail. + .vitem &*bool&~{*&<&'string'&>&*}*& .cindex "expansion" "boolean parsing" .cindex "&%bool%& expansion condition" @@ -12805,6 +12857,9 @@ listed in more than one group. .section "TLS" "SECID108" .table2 .row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" +.new +.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules" +.wen .row &%openssl_options%& "adjust OpenSSL compatibility options" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" @@ -13833,6 +13888,19 @@ This option controls whether GnuTLS is used in compatibility mode in an Exim server. This reduces security slightly, but improves interworking with older implementations of TLS. + +.new +option gnutls_enable_pkcs11 main boolean unset +This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with +the p11-kit configuration files in &_/etc/pkcs11/modules/_&. + +See +&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs) +for documentation. +.wen + + + .option headers_charset main string "see below" This option sets a default character set for translating from encoded MIME &"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The @@ -15168,7 +15236,7 @@ live with. . Allow this long option name to split; give it unsplit as a fifth argument . for the automatic .oindex that is generated by .option. -.option "smtp_accept_max_per_ &~&~connection" main integer 1000 &&& +.option "smtp_accept_max_per_connection" main integer 1000 &&& smtp_accept_max_per_connection .cindex "SMTP" "limiting incoming message count" .cindex "limit" "messages per SMTP connection" @@ -26905,6 +26973,27 @@ Notice that we put back the lower cased version afterwards, assuming that is what is wanted for subsequent tests. +.new +.vitem &*control&~=&~cutthrough_delivery*& +.cindex "&ACL;" "cutthrough routing" +This option requests delivery be attempted while the item is being received. +It is usable in the RCPT ACL and valid only for single-recipient mails forwarded +from one SMTP connection to another. If a recipient-verify callout connection is +requested in the same ACL it is held open and used for the data, otherwise one is made +after the ACL completes. + +Should the ultimate destination system positively accept or reject the mail, +a corresponding indication is given to the source system and nothing is queued. +If there is a temporary error the item is queued for later delivery in the +usual fashion. If the item is successfully delivered in cutthrough mode the log line +is tagged with ">>" rather than "=>" and appears before the acceptance "<=" +line. + +Delivery in this mode avoids the generation of a bounce mail to a (possibly faked) +sender when the destination system is doing content-scan based rejection. +.wen + + .new .vitem &*control&~=&~dscp/*&<&'value'&> .cindex "&ACL;" "setting DSCP value" @@ -27244,6 +27333,7 @@ The conditions are as follows: .vitem &*acl&~=&~*&<&'name&~of&~acl&~or&~ACL&~string&~or&~file&~name&~'&> .cindex "&ACL;" "nested" .cindex "&ACL;" "indirect" +.cindex "&ACL;" "arguments" .cindex "&%acl%& ACL condition" The possible values of the argument are the same as for the &%acl_smtp_%&&'xxx'& options. The named or inline ACL is run. If it returns @@ -27253,6 +27343,10 @@ condition is on a &%warn%& verb. In that case, a &"defer"& return makes the condition false. This means that further processing of the &%warn%& verb ceases, but processing of the ACL continues. +If the argument is a named ACL, up to nine space-separated optional values +can be appended; they appear in $acl_arg1 to $acl_arg9, and $acl_narg is set +to the count of values. The name and values are expanded separately. + If the nested &%acl%& returns &"drop"& and the outer condition denies access, the connection is dropped. If it returns &"discard"&, the verb must be &%accept%& or &%discard%&, and the action is taken immediately &-- no further @@ -29011,16 +29105,16 @@ Suppose your LAN is 192.168.45.0/24. In the main part of the configuration, you put the following definitions: .code -domainlist local_domains = my.dom1.example : my.dom2.example -domainlist relay_domains = friend1.example : friend2.example -hostlist relay_hosts = 192.168.45.0/24 +domainlist local_domains = my.dom1.example : my.dom2.example +domainlist relay_to_domains = friend1.example : friend2.example +hostlist relay_from_hosts = 192.168.45.0/24 .endd Now you can use these definitions in the ACL that is run for every RCPT command: .code acl_check_rcpt: - accept domains = +local_domains : +relay_domains - accept hosts = +relay_hosts + accept domains = +local_domains : +relay_to_domains + accept hosts = +relay_from_hosts .endd The first statement accepts any RCPT command that contains an address in the local or relay domains. For any other domain, control passes to the second @@ -31632,6 +31726,8 @@ required for the transaction. If the remote server advertises support for the STARTTLS command, and Exim was built to support TLS encryption, it tries to start a TLS session unless the server matches &%hosts_avoid_tls%&. See chapter &<>& for more details. +Either a match in that or &%hosts_verify_avoid_tls%& apply when the transport +is called for verification. If the remote server advertises support for the AUTH command, Exim scans the authenticators configuration for any suitable client settings, as described