X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/ee8b809061baea861fc87c41bcb72a62d76b0047..a310a8d09c56e6049714ae4e4070c16ecb6aa2b1:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 4e99e6c0d..c8f5a600b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3664,7 +3664,7 @@ in processing. .new .cindex debugging "UTF-8 in" .cindex UTF-8 "in debug output" -The &`noutf8`& selector disables the use of +The &`noutf8`& selector disables the use of UTF-8 line-drawing characters to group related information. When disabled. ascii-art is used instead. Using the &`+all`& option does not set this modifier, @@ -6733,6 +6733,12 @@ be followed by optional colons. &*Warning*&: Unlike most other single-key lookup types, a file of data for &((n)wildlsearch)& can &'not'& be turned into a DBM or cdb file, because those lookup types support only literal keys. + +.next +.cindex "lookup" "spf" +If Exim is built with SPF support, manual lookups can be done +(as opposed to the standard ACL condition method. +For details see section &<>&. .endlist ilist @@ -10032,7 +10038,7 @@ expansion items. .vitem &*$rheader_*&<&'header&~name'&>&*:*&&~or&~&*$rh_*&<&'header&~name'&>&*:*& This item inserts &"raw"& header lines. It is described with the &%header%& -expansion item above. +expansion item in section &<>& above. .vitem "&*${run{*&<&'command'&>&*&~*&<&'args'&>&*}{*&<&'string1'&>&*}&&& {*&<&'string2'&>&*}}*&" @@ -11734,7 +11740,7 @@ When a message is submitted locally (that is, not over a TCP connection) the value of &$authenticated_id$& is normally the login name of the calling process. However, a trusted user can override this by means of the &%-oMai%& command line option. -This second case also sets up inforamtion used by the +This second case also sets up information used by the &$authresults$& expansion item. .vitem &$authenticated_fail_id$& @@ -11991,6 +11997,7 @@ This is not strictly an expansion variable. It is expansion syntax for inserting the message header line with the given name. Note that the name must be terminated by colon or white space, because it may contain a wide variety of characters. Note also that braces must &'not'& be used. +See the full description in section &<>& above. .vitem &$headers_added$& .vindex "&$headers_added$&" @@ -19609,7 +19616,9 @@ be enclosed in quotes if it contains white space. A list of hosts, whether obtained via &%route_data%& or &%route_list%&, is always separately expanded before use. If the expansion fails, the router declines. The result of the expansion must be a colon-separated list of names -and/or IP addresses, optionally also including ports. The format of each item +and/or IP addresses, optionally also including ports. +If the list is written with spaces, it must be protected with quotes. +The format of each item in the list is described in the next section. The list separator can be changed as described in section &<>&. @@ -24111,6 +24120,8 @@ DKIM signing options. For details see section &<>&. .option delay_after_cutoff smtp boolean true +.cindex "final cutoff" "retries, controlling" +.cindex retry "final cutoff" This option controls what happens when all remote IP addresses for a given domain have been inaccessible for so long that they have passed their retry cutoff times. @@ -24569,10 +24580,17 @@ variable that contains an outgoing port. If the value of this option begins with a digit it is taken as a port number; otherwise it is looked up using &[getservbyname()]&. The default value is -normally &"smtp"&, but if &%protocol%& is set to &"lmtp"&, the default is -&"lmtp"&. If the expansion fails, or if a port number cannot be found, delivery +normally &"smtp"&, +but if &%protocol%& is set to &"lmtp"& the default is &"lmtp"& +and if &%protocol%& is set to &"smtps"& the default is &"smtps"&. +If the expansion fails, or if a port number cannot be found, delivery is deferred. +.new +Note that at least one Linux distribution has been seen failing +to put &"smtps"& in its &"/etc/services"& file, resulting is such deferrals. +.wen + .option protocol smtp string smtp @@ -24589,7 +24607,11 @@ over a pipe to a local process &-- see chapter &<>&. If this option is set to &"smtps"&, the default value for the &%port%& option changes to &"smtps"&, and the transport initiates TLS immediately after connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade. -The Internet standards bodies strongly discourage use of this mode. +.new +The Internet standards bodies used to strongly discourage use of this mode, +but as of RFC 8314 it is perferred over STARTTLS for message submission +(as distinct from MTA-MTA communication). +.wen .option retry_include_ip_address smtp boolean&!! true @@ -25855,10 +25877,13 @@ For local deliveries, one delivery attempt is always made for any subsequent messages. If this delivery fails, the address fails immediately. The post-cutoff retry time is not used. +.cindex "final cutoff" "retries, controlling" +.cindex retry "final cutoff" If the delivery is remote, there are two possibilities, controlled by the .oindex "&%delay_after_cutoff%&" &%delay_after_cutoff%& option of the &(smtp)& transport. The option is true by -default. Until the post-cutoff retry time for one of the IP addresses is +default. Until the post-cutoff retry time for one of the IP addresses, +as set by the &%retry_data_expire%& option, is reached, the failing email address is bounced immediately, without a delivery attempt taking place. After that time, one new delivery attempt is made to those IP addresses that are past their retry times, and if that still fails, @@ -26133,12 +26158,15 @@ output, and Exim carries on processing. .option server_set_id authenticators string&!! unset .vindex "&$authenticated_id$&" +.vindex "&$authenticated_fail_id$&" When an Exim server successfully authenticates a client, this string is expanded using data from the authentication, and preserved for any incoming messages in the variable &$authenticated_id$&. It is also included in the log lines for incoming messages. For example, a user/password authenticator configuration might preserve the user name that was used to authenticate, and refer to it subsequently during delivery of the message. +On a failing authentication the expansion result is instead saved in +the &$authenticated_fail_id$& variable. If expansion fails, the option is ignored. @@ -26462,7 +26490,7 @@ to be returned. If the result of a successful expansion is an empty string, expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&. For any other result, a temporary error code is returned, with the expanded -string as the error text +string as the error text. &*Warning*&: If you use a lookup in the expansion to find the user's password, be sure to make the authentication fail if the user is unknown. @@ -27287,20 +27315,25 @@ tls: driver = tls server_param1 = ${certextract {subj_altname,mail,>:} \ {$tls_in_peercert}} - server_condition = ${if forany {$auth1} \ + server_condition = ${if and { {eq{$tls_in_certificate_verified}{1}} \ + {forany {$auth1} \ {!= {0} \ {${lookup ldap{ldap:///\ mailname=${quote_ldap_dn:${lc:$item}},\ ou=users,LDAP_DC?mailid} {$value}{0} \ - } } } } + } } } }}} server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}} .endd This accepts a client certificate that is verifiable against any of your configured trust-anchors (which usually means the full set of public CAs) and which has a SAN with a good account name. -Note that the client cert is on the wire in-clear, including the SAN, -whereas a plaintext SMTP AUTH done inside TLS is not. + +Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN, +The account name is therefore guessable by an opponent. +TLS 1.3 protects both server and client certificates, and is not vulnerable +in this way. +Likewise, a traditional plaintext SMTP AUTH done inside TLS is not. . An alternative might use . .code