X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/ed7f7860402395aedcb9e9c0cbade291c675a12f..b25bdce654559e4c832e0d557b986687edb2ccf0:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 02020dc50..22815a9d1 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.80 2010/06/06 00:25:46 pdp Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.88 2010/06/14 18:51:09 pdp Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -1896,6 +1896,8 @@ given in chapter &<>&. .section "Use of tcpwrappers" "SECID27" .cindex "tcpwrappers, building Exim to support" .cindex "USE_TCP_WRAPPERS" +.cindex "TCP_WRAPPERS_DAEMON_NAME" +.cindex "tcp_wrappers_daemon_name" Exim can be linked with the &'tcpwrappers'& library in order to check incoming SMTP calls using the &'tcpwrappers'& control files. This may be a convenient alternative to Exim's own checking facilities for installations that are @@ -1910,14 +1912,17 @@ USE_TCP_WRAPPERS=yes CFLAGS=-O -I/usr/local/include EXTRALIBS_EXIM=-L/usr/local/lib -lwrap .endd -in &_Local/Makefile_&. The name to use in the &'tcpwrappers'& control files is -&"exim"&. For example, the line +in &_Local/Makefile_&. The daemon name to use in the &'tcpwrappers'& control +files is &"exim"&. For example, the line .code exim : LOCAL 192.168.1. .friendly.domain.example .endd in your &_/etc/hosts.allow_& file allows connections from the local host, from the subnet 192.168.1.0/24, and from all hosts in &'friendly.domain.example'&. -All other connections are denied. Consult the &'tcpwrappers'& documentation for +All other connections are denied. The daemon name used by &'tcpwrappers'& +can be changed at build time by setting TCP_WRAPPERS_DAEMON_NAME in +in &_Local/Makefile_&, or by setting tcp_wrappers_daemon_name in the +configure file. Consult the &'tcpwrappers'& documentation for further details. @@ -2604,6 +2609,11 @@ This option causes Exim to output a few sentences stating what it is. The same output is generated if the Exim binary is called with no options and no arguments. +.vitem &%--version%& +.oindex "&%--version%&" +This option is an alias for &%-bV%& and causes version information to be +displayed. + .vitem &%-B%&<&'type'&> .oindex "&%-B%&" .cindex "8-bit characters" @@ -3174,11 +3184,20 @@ the listening daemon. .cindex "testing", "malware" .cindex "malware scan test" This debugging option causes Exim to scan the given file, -using the malware scanning framework. The option of av_scanner influences -this option, so if av_scanner's value is dependent upon an expansion then -the expansion should have defaults which apply to this invocation. Exim will -have changed working directory before resolving the filename, so using fully -qualified pathnames is advisable. This option requires admin privileges. +using the malware scanning framework. The option of &%av_scanner%& influences +this option, so if &%av_scanner%&'s value is dependent upon an expansion then +the expansion should have defaults which apply to this invocation. ACLs are +not invoked, so if &%av_scanner%& references an ACL variable then that variable +will never be populated and &%-bmalware%& will fail. + +Exim will have changed working directory before resolving the filename, so +using fully qualified pathnames is advisable. Exim will be running as the Exim +user when it tries to open the file, rather than as the invoking user. +This option requires admin privileges. + +The &%-bmalware%& option will not be extended to be more generally useful, +there are better tools for file-scanning. This option exists to help +administrators verify their Exim and AV scanner configuration. .vitem &%-bt%& .oindex "&%-bt%&" @@ -3312,25 +3331,21 @@ name, but it can be a colon-separated list of names. In this case, the first file that exists is used. Failure to open an existing file stops Exim from proceeding any further along the list, and an error is generated. -When this option is used by a caller other than root or the Exim user, and the -list is different from the compiled-in list, Exim gives up its root privilege -immediately, and runs with the real and effective uid and gid set to those of -the caller. However, if ALT_CONFIG_ROOT_ONLY is defined in -&_Local/Makefile_&, root privilege is retained for &%-C%& only if the caller of -Exim is root. - -That is, the Exim user is no longer privileged in this regard. This build-time -option is not set by default in the Exim source distribution tarbundle. -However, if you are using a &"packaged"& version of Exim (source or binary), -the packagers might have enabled it. - -Setting ALT_CONFIG_ROOT_ONLY locks out the possibility of testing a -configuration using &%-C%& right through message reception and delivery, even -if the caller is root. The reception works, but by that time, Exim is running -as the Exim user, so when it re-executes to regain privilege for the delivery, -the use of &%-C%& causes privilege to be lost. However, root can test reception -and delivery using two separate commands (one to put a message on the queue, -using &%-odq%&, and another to do the delivery, using &%-M%&). +When this option is used by a caller other than root, and the list is different +from the compiled-in list, Exim gives up its root privilege immediately, and +runs with the real and effective uid and gid set to those of the caller. +However, if a TRUSTED_CONFIG_LIST file is defined in &_Local/Makefile_&, root +privilege is retained for any configuration file which is listed in that file +as long as the caller is the Exim user (or the user specified in the +CONFIGURE_OWNER option, if any). + +Leaving TRUSTED_CONFIG_LIST unset precludes the possibility of testing a +configuration using &%-C%& right through message reception and delivery, +even if the caller is root. The reception works, but by that time, Exim is +running as the Exim user, so when it re-executes to regain privilege for the +delivery, the use of &%-C%& causes privilege to be lost. However, root can +test reception and delivery using two separate commands (one to put a message +on the queue, using &%-odq%&, and another to do the delivery, using &%-M%&). If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a prefix string with which any file named in a &%-C%& command line option @@ -3360,6 +3375,14 @@ unprivileged caller, it causes Exim to give up its root privilege. If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is completely disabled, and its use causes an immediate error exit. +If WHITELIST_D_MACROS is defined in &_Local/Makefile_& then it should be a +colon-separated list of macros which are considered safe and, if &%-D%& only +supplies macros from this list, and the values are acceptable, then Exim will +not give up root privilege if the caller is root, the Exim run-time user, or +the CONFIGURE_OWNER, if set. This is a transition mechanism and is expected +to be removed in the future. Acceptable values for the macros satisfy the +regexp: &`^[A-Za-z0-9_/.-]*$`& + The entire option (including equals sign if present) must all be within one command line item. &%-D%& can be used to set the value of a macro to the empty string, in which case the equals sign is optional. These two commands are @@ -4482,17 +4505,21 @@ existing file in the list. .cindex "configuration file" "ownership" .cindex "ownership" "configuration file" The run time configuration file must be owned by root or by the user that is -specified at compile time by the EXIM_USER option, or by the user that is specified at compile time by the CONFIGURE_OWNER option (if set). The -configuration file must not be world-writeable or group-writeable, unless its -group is the one specified at compile time by the EXIM_GROUP option or by the +configuration file must not be world-writeable, or group-writeable unless its +group is the root group or the one specified at compile time by the CONFIGURE_GROUP option. &*Warning*&: In a conventional configuration, where the Exim binary is setuid to root, anybody who is able to edit the run time configuration file has an -easy way to run commands as root. If you make your mail administrators members -of the Exim group, but do not trust them with root, make sure that the run time -configuration is not group writeable. +easy way to run commands as root. If you specify a user or group in the +CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users +who are members of that group will trivially be able to obtain root privileges. + +Up to Exim version 4.72, the run time configuration file was also permitted to +be writeable by the Exim user and/or group. That has been changed in Exim 4.73 +since it offered a simple privilege escalation for any attacker who managed to +compromise the Exim user account. A default configuration file, which will work correctly in simple situations, is provided in the file &_src/configure.default_&. If CONFIGURE_FILE @@ -4508,21 +4535,24 @@ configuration. .cindex "configuration file" "alternate" A one-off alternate configuration can be specified by the &%-C%& command line option, which may specify a single file or a list of files. However, when -&%-C%& is used, Exim gives up its root privilege, unless called by root or the -Exim user (or unless the argument for &%-C%& is identical to the built-in value -from CONFIGURE_FILE). &%-C%& is useful mainly for checking the syntax of -configuration files before installing them. No owner or group checks are done -on a configuration file specified by &%-C%&. - -The privileged use of &%-C%& by the Exim user can be locked out by setting -ALT_CONFIG_ROOT_ONLY in &_Local/Makefile_& when building Exim. However, -if you do this, you also lock out the possibility of testing a -configuration using &%-C%& right through message reception and delivery, even -if the caller is root. The reception works, but by that time, Exim is running -as the Exim user, so when it re-execs to regain privilege for the delivery, the -use of &%-C%& causes privilege to be lost. However, root can test reception and -delivery using two separate commands (one to put a message on the queue, using -&%-odq%&, and another to do the delivery, using &%-M%&). +&%-C%& is used, Exim gives up its root privilege, unless called by root (or +unless the argument for &%-C%& is identical to the built-in value from +CONFIGURE_FILE), or is listed in the TRUSTED_CONFIG_LIST file and the caller +is the Exim user or the user specified in the CONFIGURE_OWNER setting. &%-C%& +is useful mainly for checking the syntax of configuration files before +installing them. No owner or group checks are done on a configuration file +specified by &%-C%&, if root privilege has been dropped. + +Even the Exim user is not trusted to specify an arbitrary configuration file +with the &%-C%& option to be used with root privileges, unless that file is +listed in the TRUSTED_CONFIG_LIST file. This locks out the possibility of +testing a configuration using &%-C%& right through message reception and +delivery, even if the caller is root. The reception works, but by that time, +Exim is running as the Exim user, so when it re-execs to regain privilege for +the delivery, the use of &%-C%& causes privilege to be lost. However, root +can test reception and delivery using two separate commands (one to put a +message on the queue, using &%-odq%&, and another to do the delivery, using +&%-M%&). If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a prefix string with which any file named in a &%-C%& command line option must @@ -4537,6 +4567,16 @@ non-privileged user causes Exim to discard its root privilege. If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is completely disabled, and its use causes an immediate error exit. +The WHITELIST_D_MACROS option in &_Local/Makefile_& permits the binary builder +to declare certain macro names trusted, such that root privilege will not +necessarily be discarded. +WHITELIST_D_MACROS defines a colon-separated list of macros which are +considered safe and, if &%-D%& only supplies macros from this list, and the +values are acceptable, then Exim will not give up root privilege if the caller +is root, the Exim run-time user, or the CONFIGURE_OWNER, if set. This is a +transition mechanism and is expected to be removed in the future. Acceptable +values for the macros satisfy the regexp: &`^[A-Za-z0-9_/.-]*$`& + Some sites may wish to use the same Exim binary on different machines that share a file system, but to use different configuration files on each machine. If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first @@ -9797,16 +9837,27 @@ zero. This condition turns a string holding a true or false representation into a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"& (case-insensitively); also positive integer numbers map to true if non-zero, -false if zero. Leading whitespace is ignored. +false if zero. Leading and trailing whitespace is ignored. All other string values will result in expansion failure. When combined with ACL variables, this expansion condition will let you make decisions in one place and act on those decisions in another place. -For example, +For example: .code ${if bool{$acl_m_privileged_sender} ... .endd +.vitem &*bool_lax&~{*&<&'string'&>&*}*& +.cindex "expansion" "boolean parsing" +.cindex "&%bool_lax%& expansion condition" +Like &%bool%&, this condition turns a string into a boolean state. But +where &%bool%& accepts a strict set of strings, &%bool_lax%& uses the same +loose definition that the Router &%condition%& option uses. The empty string +and the values &"false"&, &"no"& and &"0"& map to false, all others map to +true. Leading and trailing whitespace is ignored. + +Note that where &"bool{00}"& is false, &"bool_lax{00}"& is true. + .vitem &*crypteq&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& .cindex "expansion" "encrypted comparison" .cindex "encrypted strings, comparing" @@ -12363,6 +12414,7 @@ listed in more than one group. .row &%acl_smtp_auth%& "ACL for AUTH" .row &%acl_smtp_connect%& "ACL for connection" .row &%acl_smtp_data%& "ACL for DATA" +.row &%acl_smtp_dkim%& "ACL for DKIM verification" .row &%acl_smtp_etrn%& "ACL for ETRN" .row &%acl_smtp_expn%& "ACL for EXPN" .row &%acl_smtp_helo%& "ACL for EHLO or HELO" @@ -12824,7 +12876,7 @@ It specifies which anti-virus scanner to use. The default value is: .code sophie:/var/run/sophie .endd -If the value of &%av_scanner%& starts with dollar character, it is expanded +If the value of &%av_scanner%& starts with a dollar character, it is expanded before use. See section &<>& for further details. @@ -15170,9 +15222,10 @@ is used in a system filter. .option system_filter_user main string unset .cindex "uid (user id)" "system filter" -If this option is not set, the system filter is run in the main Exim delivery -process, as root. When the option is set, the system filter runs in a separate -process, as the given user. Unless the string consists entirely of digits, it +If this option is set to root, the system filter is run in the main Exim +delivery process, as root. Otherwise, the system filter runs in a separate +process, as the given user, defaulting to the Exim run-time user. +Unless the string consists entirely of digits, it is looked up in the password data. Failure to find the named user causes a configuration error. The gid is either taken from the password data, or specified by &%system_filter_group%&. When the uid is specified numerically, @@ -15180,8 +15233,7 @@ specified by &%system_filter_group%&. When the uid is specified numerically, If the system filter generates any pipe, file, or reply deliveries, the uid under which the filter is run is used when transporting them, unless a -transport option overrides. Normally you should set &%system_filter_user%& if -your system filter generates these kinds of delivery. +transport option overrides. .option tcp_nodelay main boolean true @@ -15663,6 +15715,9 @@ router is skipped, and the address is offered to the next one. If the result is any other value, the router is run (as this is the last precondition to be evaluated, all the other preconditions must be true). +This option is unique in that multiple &%condition%& options may be present. +All &%condition%& options must succeed. + The &%condition%& option provides a means of applying custom conditions to the running of routers. Note that in the case of a simple conditional expansion, the default expansion values are exactly what is wanted. For example: @@ -15673,6 +15728,12 @@ Because of the default behaviour of the string expansion, this is equivalent to .code condition = ${if >{$message_age}{600}{true}{}} .endd +A multiple condition example, which succeeds: +.code +condition = ${if >{$message_age}{600}} +condition = ${if !eq{${lc:$local_part}}{postmaster}} +condition = foobar +.endd If the expansion fails (other than forced failure) delivery is deferred. Some of the other precondition options are common special cases that could in fact be specified using &%condition%&. @@ -27911,7 +27972,7 @@ If you do not set &%av_scanner%&, it defaults to .code av_scanner = sophie:/var/run/sophie .endd -If the value of &%av_scanner%& starts with dollar character, it is expanded +If the value of &%av_scanner%& starts with a dollar character, it is expanded before use. The following scanner types are supported in this release: .vlist @@ -28209,9 +28270,8 @@ it always return &"true"& by appending &`:true`& to the username. .cindex "spam scanning" "returned variables" When the &%spam%& condition is run, it sets up a number of expansion -variables. With the exception of &$spam_score_int$&, these are usable only -within ACLs; their values are not retained with the message and so cannot be -used at delivery time. +variables. These variables are saved with the received message, thus they are +available for use at delivery time. .vlist .vitem &$spam_score$& @@ -28222,11 +28282,8 @@ for inclusion in log or reject messages. The spam score of the message, multiplied by ten, as an integer value. For example &"34"& or &"305"&. It may appear to disagree with &$spam_score$& because &$spam_score$& is rounded and &$spam_score_int$& is truncated. -The integer value is useful for numeric comparisons in -conditions. This variable is special; its value is saved with the message, and -written to Exim's spool file. This means that it can be used during the whole -life of the message on your Exim system, in particular, in routers or -transports during the later delivery phase. +The integer value is useful for numeric comparisons in conditions. + .vitem &$spam_bar$& A string consisting of a number of &"+"& or &"-"& characters, representing the @@ -33765,15 +33822,24 @@ which only root has access, this guards against someone who has broken into the Exim account from running a privileged Exim with an arbitrary configuration file, and using it to break into other accounts. .next -If ALT_CONFIG_ROOT_ONLY is defined, root privilege is retained for &%-C%& -and &%-D%& only if the caller of Exim is root. Without it, the Exim user may -also use &%-C%& and &%-D%& and retain privilege. Setting this option locks out -the possibility of testing a configuration using &%-C%& right through message -reception and delivery, even if the caller is root. The reception works, but by -that time, Exim is running as the Exim user, so when it re-execs to regain -privilege for the delivery, the use of &%-C%& causes privilege to be lost. -However, root can test reception and delivery using two separate commands. -ALT_CONFIG_ROOT_ONLY is not set by default. +If a non-trusted configuration file (i.e. not the default configuration file +or one which is trusted by virtue of being listed in the TRUSTED_CONFIG_LIST +file) is specified with &%-C%&, or if macros are given with &%-D%& (but see +the next item), then root privilege is retained only if the caller of Exim is +root. This locks out the possibility of testing a configuration using &%-C%& +right through message reception and delivery, even if the caller is root. The +reception works, but by that time, Exim is running as the Exim user, so when +it re-execs to regain privilege for the delivery, the use of &%-C%& causes +privilege to be lost. However, root can test reception and delivery using two +separate commands. +.next +The WHITELIST_D_MACROS build option declares some macros to be safe to override +with &%-D%& if the real uid is one of root, the Exim run-time user or the +CONFIGURE_OWNER, if defined. The potential impact of this option is limited by +requiring the run-time value supplied to &%-D%& to match a regex that errs on +the restrictive side. Requiring build-time selection of safe macros is onerous +but this option is intended solely as a transition mechanism to permit +previously-working configurations to continue to work after release 4.73. .next If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option is disabled. @@ -33829,11 +33895,13 @@ uid and gid in the following cases: .oindex "&%-D%&" If the &%-C%& option is used to specify an alternate configuration file, or if the &%-D%& option is used to define macro values for the configuration, and the -calling process is not running as root or the Exim user, the uid and gid are -changed to those of the calling process. -However, if ALT_CONFIG_ROOT_ONLY is defined in &_Local/Makefile_&, only -root callers may use &%-C%& and &%-D%& without losing privilege, and if -DISABLE_D_OPTION is set, the &%-D%& option may not be used at all. +calling process is not running as root, the uid and gid are changed to those of +the calling process. +However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%& +option may not be used at all. +If WHITELIST_D_MACROS is defined in &_Local/Makefile_&, then some macro values +can be supplied if the calling process is running as root, the Exim run-time +user or CONFIGURE_OWNER, if defined. .next .oindex "&%-be%&" .oindex "&%-bf%&" @@ -34453,7 +34521,7 @@ It can co-exist with all other Exim features, including transport filters. .next Verify signatures in incoming messages: This is implemented by an additional ACL (acl_smtp_dkim), which can be called several times per message, with -different signature context. +different signature contexts. .endlist In typical Exim style, the verification implementation does not include any @@ -34481,19 +34549,19 @@ Signing is implemented by setting private options on the SMTP transport. These options take (expandable) strings as arguments. .option dkim_domain smtp string&!! unset -MANDATORY +MANDATORY: The domain you want to sign with. The result of this expanded option is put into the &%$dkim_domain%& expansion variable. .option dkim_selector smtp string&!! unset -MANDATORY +MANDATORY: This sets the key selector string. You can use the &%$dkim_domain%& expansion variable to look up a matching selector. The result is put in the expansion variable &%$dkim_selector%& which should be used in the &%dkim_private_key%& option along with &%$dkim_domain%&. .option dkim_private_key smtp string&!! unset -MANDATORY +MANDATORY: This sets the private key to use. You can use the &%$dkim_domain%& and &%$dkim_selector%& expansion variables to determine the private key to use. The result can either @@ -34509,14 +34577,14 @@ is set. .endlist .option dkim_canon smtp string&!! unset -OPTIONAL +OPTIONAL: This option sets the canonicalization method used when signing a message. The DKIM RFC currently supports two methods: "simple" and "relaxed". The option defaults to "relaxed" when unset. Note: the current implementation only supports using the same canonicalization method for both headers and body. .option dkim_strict smtp string&!! unset -OPTIONAL +OPTIONAL: This option defines how Exim behaves when signing a message that should be signed fails for some reason. When the expansion evaluates to either "1" or "true", Exim will defer. Otherwise Exim will send the message @@ -34524,7 +34592,7 @@ unsigned. You can use the &%$dkim_domain%& and &%$dkim_selector%& expansion variables here. .option dkim_sign_headers smtp string&!! unset -OPTIONAL +OPTIONAL: When set, this option must expand to (or be specified as) a colon-separated list of header names. Headers with these names will be included in the message signature. When unspecified, the header names recommended in RFC4871 will be @@ -34550,8 +34618,8 @@ more advanced policies. For that reason, the global option The global option &%dkim_verify_signers%& can be set to a colon-separated list of DKIM domains or identities for which the ACL &%acl_smtp_dkim%& is called. It is expanded when the message has been received. At this point, -the expansion variable &%$dkim_signers%& already contains a colon- -separated list of signer domains and identities for the message. When +the expansion variable &%$dkim_signers%& already contains a colon-separated +list of signer domains and identities for the message. When &%dkim_verify_signers%& is not specified in the main configuration, it defaults as: .code @@ -34565,7 +34633,7 @@ dkim_verify_signers = paypal.com:ebay.com:$dkim_signers .endd This would result in &%acl_smtp_dkim%& always being called for "paypal.com" and "ebay.com", plus all domains and identities that have signatures in the message. -You can also be more creative in constructing your policy. Example: +You can also be more creative in constructing your policy. For example: .code dkim_verify_signers = $sender_address_domain:$dkim_signers .endd @@ -34579,7 +34647,7 @@ available (from most to least important): .vlist .vitem &%$dkim_cur_signer%& -The signer that is being evaluated in this ACL run. This can be domain or +The signer that is being evaluated in this ACL run. This can be a domain or an identity. This is one of the list items from the expanded main option &%dkim_verify_signers%& (see above). .vitem &%$dkim_verify_status%& @@ -34624,7 +34692,7 @@ The signing identity, if present. IMPORTANT: This variable is only populated if there is an actual signature in the message for the current domain or identity (as reflected by &%$dkim_cur_signer%&). .vitem &%$dkim_selector%& -The key record selector string +The key record selector string. .vitem &%$dkim_algo%& The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'. .vitem &%$dkim_canon_body%& @@ -34659,7 +34727,7 @@ in the key record. Key granularity (tag g=) from the key record. Defaults to "*" if not specified in the key record. .vitem &%$dkim_key_notes%& -Notes from the key record (tag n=) +Notes from the key record (tag n=). .endlist In addition, two ACL conditions are provided: @@ -34669,7 +34737,7 @@ In addition, two ACL conditions are provided: ACL condition that checks a colon-separated list of domains or identities for a match against the domain or identity that the ACL is currently verifying (reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL -verb to a group of domains or identities, like: +verb to a group of domains or identities. For example: .code # Warn when message apparently from GMail has no signature at all