X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/f846c8f531d5615c24a6d4dc0afb9815c4f766f7..3386088d5af4d4c61faa12ae29560e2c5bd43304:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9b7ada823..2f3e494db 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -52,7 +52,7 @@ .set I "    " .macro copyyear -2014 +2015 .endmacro . ///////////////////////////////////////////////////////////////////////////// @@ -6878,16 +6878,9 @@ is used on its own as the result. If the lookup does not succeed, the &`fail`& keyword causes a &'forced expansion failure'& &-- see section &<>& for an explanation of what this means. -The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, TLSA and TXT, -and, when Exim is compiled with IPv6 support, AAAA. -If no type is given, TXT is assumed. When the type is PTR, -the data can be an IP address, written as normal; inversion and the addition of -&%in-addr.arpa%& or &%ip6.arpa%& happens automatically. For example: -.code -${lookup dnsdb{ptr=192.168.4.5}{$value}fail} -.endd -If the data for a PTR record is not a syntactically valid IP address, it is not -altered and nothing is added. +The supported DNS record types are A, CNAME, MX, NS, PTR, SOA, SPF, SRV, TLSA +and TXT, and, when Exim is compiled with IPv6 support, AAAA. +If no type is given, TXT is assumed. For any record type, if multiple records are found, the data is returned as a concatenation, with newline as the default separator. The order, of course, @@ -6899,21 +6892,33 @@ ${lookup dnsdb{>: a=host1.example}} .endd It is permitted to specify a space as the separator character. Further white space is ignored. +For lookup types that return multiple fields per record, +an alternate field separator can be specified using a comma after the main +separator character, followed immediately by the field separator. + +.cindex "PTR record" "in &(dnsdb)& lookup" +When the type is PTR, +the data can be an IP address, written as normal; inversion and the addition of +&%in-addr.arpa%& or &%ip6.arpa%& happens automatically. For example: +.code +${lookup dnsdb{ptr=192.168.4.5}{$value}fail} +.endd +If the data for a PTR record is not a syntactically valid IP address, it is not +altered and nothing is added. .cindex "MX record" "in &(dnsdb)& lookup" .cindex "SRV record" "in &(dnsdb)& lookup" For an MX lookup, both the preference value and the host name are returned for each record, separated by a space. For an SRV lookup, the priority, weight, port, and host name are returned for each record, separated by spaces. -An alternate field separator can be specified using a comma after the main -separator character, followed immediately by the field separator. +The field separator can be modified as above. .cindex "TXT record" "in &(dnsdb)& lookup" .cindex "SPF record" "in &(dnsdb)& lookup" For TXT records with multiple items of data, only the first item is returned, -unless a separator for them is specified using a comma after the separator -character followed immediately by the TXT record item separator. To concatenate -items without a separator, use a semicolon instead. For SPF records the +unless a field separator is specified. +To concatenate items without a separator, use a semicolon instead. +For SPF records the default behaviour is to concatenate multiple items without using a separator. .code ${lookup dnsdb{>\n,: txt=a.b.example}} @@ -6923,6 +6928,15 @@ ${lookup dnsdb{spf=example.org}} It is permitted to specify a space as the separator character. Further white space is ignored. +.cindex "SOA record" "in &(dnsdb)& lookup" +For an SOA lookup, while no result is obtained the lookup is redone with +successively more leading components dropped from the given domain. +Only the primary-nameserver field is returned unless a field separator is +specified. +.code +${lookup dnsdb{>:,; soa=a.b.example.com}} +.endd + .section "Dnsdb lookup modifiers" "SECTdnsdb_mod" .cindex "dnsdb modifiers" .cindex "modifiers" "dnsdb" @@ -6962,6 +6976,17 @@ The default is &"never"&. See also the &$lookup_dnssec_authenticated$& variable. +.cindex timeout "dns lookup" +.cindex "DNS" timeout +Timeout for the dnsdb lookup can be controlled by a retrans modifier. +The form is &"retrans_VAL"& where VAL is an Exim time specification +(eg &"5s"&). +The default value is set by the main configuration option &%dns_retrans%&. + +Retries for the dnsdb lookup can be controlled by a retry modifier. +The form if &"retry_VAL"& where VAL is an integer. +The default count is set by the main configuration option &%dns_retry%&. + .section "Pseudo dnsdb record types" "SECID66" .cindex "MX record" "in &(dnsdb)& lookup" @@ -8940,7 +8965,7 @@ The field selectors marked as "RFC4514" above output a Distinguished Name string which is not quite parseable by Exim as a comma-separated tagged list -(the exceptions being elements containin commas). +(the exceptions being elements containing commas). RDN elements of a single type may be selected by a modifier of the type label; if so the expansion result is a list (newline-separated by default). @@ -9006,6 +9031,30 @@ When compiling a function that is to be used in this way with gcc, you need to add &%-shared%& to the gcc command. Also, in the Exim build-time configuration, you must add &%-export-dynamic%& to EXTRALIBS. + +.vitem "&*${env{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}}*&" +.cindex "expansion" "extracting value from environment" +.cindex "environment" "value from" +The key is first expanded separately, and leading and trailing white space +removed. +This is then searched for as a name in the environment. +If a variable is found then its value is placed in &$value$& +and <&'string1'&> is expanded, otherwise <&'string2'&> is expanded. + +Instead of {<&'string2'&>} the word &"fail"& (not in curly brackets) can +appear, for example: +.code +${env{USER}{$value} fail } +.endd +This forces an expansion failure (see section &<>&); +{<&'string1'&>} must be present for &"fail"& to be recognized. + +If {<&'string2'&>} is omitted an empty string is substituted on +search failure. +If {<&'string1'&>} is omitted the search result is substituted on +search success. + + .vitem "&*${extract{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}&&& {*&<&'string3'&>&*}}*&" .cindex "expansion" "extracting substrings by key" @@ -9711,8 +9760,9 @@ the regular expression from string expansion. .vitem &*${sort{*&<&'string'&>&*}{*&<&'comparator'&>&*}{*&<&'extractor'&>&*}}*& -.cindex sorting a list +.cindex sorting "a list" .cindex list sorting +.cindex expansion "list sorting" After expansion, <&'string'&> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way. The <&'comparator'&> argument is interpreted as the operator @@ -11389,7 +11439,7 @@ This variable contains the numerical value of the Exim user id. .new .vitem &$exim_version$& -.vindex "&$exim_uid$&" +.vindex "&$exim_version$&" This variable contains the version string of the Exim build. The first character is a major version number, currently 4. Then after a dot, the next group of digits is a minor version number. @@ -11655,6 +11705,7 @@ the space value is -1. See also the &%check_log_space%& option. .vindex "&$lookup_dnssec_authenticated$&" This variable is set after a DNS lookup done by a dnsdb lookup expansion, dnslookup router or smtp transport. +.cindex "DNS" "DNSSEC" It will be empty if &(DNSSEC)& was not requested, &"no"& if the result was not labelled as authenticated data and &"yes"& if it was. @@ -12172,6 +12223,14 @@ verification either failed or was not requested. A host name in parentheses is the argument of a HELO or EHLO command. This is omitted if it is identical to the verified host name or to the host's IP address in square brackets. +.new +.vitem &$sender_helo_dnssec$& +.vindex "&$sender_helo_dnssec$&" +This boolean variable is true if a successful HELO verification was +.cindex "DNS" "DNSSEC" +done using DNS information the resolver library stated was authenticatied data. +.wen + .vitem &$sender_helo_name$& .vindex "&$sender_helo_name$&" When a message is received from a remote host that has issued a HELO or EHLO @@ -12197,9 +12256,11 @@ received. It is empty if there was no successful authentication. See also If an attempt to populate &$sender_host_name$& has been made (by reference, &%hosts_lookup%& or otherwise) then this boolean will have been set true if, and only if, the -resolver library states that the reverse DNS was authenticated data. At all +resolver library states that both +the reverse and forward DNS were authenticated data. At all other times, this variable is false. +.cindex "DNS" "DNSSEC" It is likely that you will need to coerce DNSSEC support on in the resolver library, by setting: .code @@ -12209,9 +12270,6 @@ dns_dnssec_ok = 1 Exim does not perform DNSSEC validation itself, instead leaving that to a validating resolver (eg, unbound, or bind with suitable configuration). -Exim does not (currently) check to see if the forward DNS was also secured -with DNSSEC, only the reverse DNS. - If you have changed &%host_lookup_order%& so that &`bydns`& is not the first mechanism in the list, then this variable will be false. @@ -13175,6 +13233,7 @@ listed in more than one group. .row &%message_logs%& "create per-message logs" .row &%preserve_message_logs%& "after message completion" .row &%process_log_path%& "for SIGUSR1 and &'exiwhat'&" +.row &%slow_lookup_log%& "control logging of slow DNS lookups" .row &%syslog_duplication%& "controls duplicate log lines on syslog" .row &%syslog_facility%& "set syslog &""facility""& field" .row &%syslog_processname%& "set syslog &""ident""& field" @@ -14154,6 +14213,8 @@ servers have all been upgraded, there should be no need for this option. .option dns_retrans main time 0s .cindex "DNS" "resolver options" +.cindex timeout "dns lookup" +.cindex "DNS" timeout The options &%dns_retrans%& and &%dns_retry%& can be used to set the retransmission and retry parameters for DNS lookups. Values of zero (the defaults) leave the system default settings unchanged. The first value is the @@ -14163,6 +14224,7 @@ take. I haven't found any documentation about timeouts on DNS lookups; these parameter values are available in the external resolver interface structure, but nowhere does it seem to describe how they are used or what you might want to set in them. +See also the &%slow_lookup_log%& option. .option dns_retry main integer 0 @@ -14507,14 +14569,17 @@ is an IP literal matching the calling address of the host, or matches the host name that Exim obtains by doing a reverse lookup of the calling host address, or .next -when looked up using &[gethostbyname()]& (or &[getipnodebyname()]& when -available) yields the calling host address. +when looked up in DNS yields the calling host address. .endlist However, the EHLO or HELO command is not rejected if any of the checks fail. Processing continues, but the result of the check is remembered, and can be detected later in an ACL by the &`verify = helo`& condition. +If DNS was used for successful verification, the variable +.cindex "DNS" "DNSSEC" +&$helo_verify_dnssec$& records the DNSSEC status of the lookups. + .option helo_verify_hosts main "host list&!!" unset .cindex "HELO verifying" "mandatory" .cindex "EHLO" "verifying, mandatory" @@ -14888,8 +14953,9 @@ section &<>&. This option sets the path which is used to determine the names of Exim's log files, or indicates that logging is to be to syslog, or both. It is expanded when Exim is entered, so it can, for example, contain a reference to the host -name. If no specific path is set for the log files at compile or run time, they -are written in a sub-directory called &_log_& in Exim's spool directory. +name. If no specific path is set for the log files at compile or run time, +or if the option is unset at run time (i.e. &`log_file_path = `&) +they are written in a sub-directory called &_log_& in Exim's spool directory. Chapter &<>& contains further details about Exim's logging, and section &<>& describes how the contents of &%log_file_path%& are used. If this string is fixed at your installation (contains no expansion @@ -15722,6 +15788,16 @@ it qualifies them only if the message came from a host that matches using TCP/IP), and the &%-bnq%& option was not set. +.option slow_lookup_log main integer 0 +.cindex "logging" "slow lookups" +.cindex "dns" "logging slow lookups" +This option controls logging of slow lookups. +If the value is nonzero it is taken as a number of milliseconds +and lookups taking longer than this are logged. +Currently this applies only to DNS lookups. + + + .option smtp_accept_keepalive main boolean true .cindex "keepalive" "on incoming connection" This option controls the setting of the SO_KEEPALIVE option on incoming @@ -17034,7 +17110,7 @@ This applies to all of the SRV, MX, AAAA, A lookup sequence. .cindex "DNS" "DNSSEC" DNS lookups for domains matching &%dnssec_request_domains%& will be done with the dnssec request bit set. Any returns not having the Authenticated Data bit -(AD bit) set wil be ignored and logged as a host-lookup failure. +(AD bit) set will be ignored and logged as a host-lookup failure. This applies to all of the SRV, MX, AAAA, A lookup sequence. @@ -24790,6 +24866,7 @@ AUTH_GSASL=yes AUTH_HEIMDAL_GSSAPI=yes AUTH_PLAINTEXT=yes AUTH_SPA=yes +AUTH_TLS=yes .endd in &_Local/Makefile_&, respectively. The first of these supports the CRAM-MD5 authentication mechanism (RFC 2195), and the second provides an interface to @@ -24804,6 +24881,8 @@ The sixth can be configured to support the PLAIN authentication mechanism (RFC 2595) or the LOGIN mechanism, which is not formally documented, but used by several MUAs. The seventh authenticator supports Microsoft's &'Secure Password Authentication'& mechanism. +The eighth is an Exim authenticator but not an SMTP one; +instead it can use information from a TLS negotiation. The authenticators are configured using the same syntax as other drivers (see section &<>&). If no authenticators are required, no @@ -26010,6 +26089,81 @@ msn: +. //////////////////////////////////////////////////////////////////////////// +. //////////////////////////////////////////////////////////////////////////// + +.new +.chapter "The tls authenticator" "CHAPtlsauth" +.scindex IIDtlsauth1 "&(tls)& authenticator" +.scindex IIDtlsauth2 "authenticators" "&(tls)&" +.cindex "authentication" "Client Certificate" +.cindex "authentication" "X509" +.cindex "Certificate-based authentication" +The &(tls)& authenticator provides server support for +authentication based on client certificates. + +It is not an SMTP authentication mechanism and is not +advertised by the server as part of the SMTP EHLO response. +It is an Exim authenticator in the sense that it affects +the protocol element of the log line, can be tested for +by the &%authenticated%& ACL condition, and can set +the &$authenticated_id$& variable. + +The client must present a verifiable certificate, +for which it must have been requested via the +&%tls_verify_hosts%& or &%tls_try_verify_hosts%& main options +(see &<>&). + +If an authenticator of this type is configured it is +run before any SMTP-level communication is done, +and can authenticate the connection. +If it does, SMTP suthentication is not offered. + +A maximum of one authenticator of this type may be present. + + +.cindex "options" "&(tls)& authenticator (server)" +The &(tls)& authenticator has three server options: + +.option server_param1 tls string&!! unset +.cindex "variables (&$auth1$& &$auth2$& etc)" "in &(tls)& authenticator" +This option is expanded after the TLS negotiation and +the result is placed in &$auth1$&. +If the expansion is forced to fail, authentication fails. Any other expansion +failure causes a temporary error code to be returned. + +.option server_param2 tls string&!! unset +.option server_param3 tls string&!! unset +As above, for &$auth2$& and &$auth3$&. + +&%server_param1%& may also be spelled &%server_param%&. + + +Example: +.code +tls: + driver = tls + server_param1 = ${certextract {subj_altname,mail,>:} \ + {$tls_in_peercert}} + server_condition = ${if forany {$auth1} \ + {!= {0} \ + {${lookup ldap{ldap:///\ + mailname=${quote_ldap_dn:${lc:$item}},\ + ou=users,LDAP_DC?mailid} {$value}{0} \ + } } } } + server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}} +.endd +.ecindex IIDtlsauth1 +.ecindex IIDtlsauth2 +.wen + + +Note that because authentication is traditionally an SMTP operation, +the &%authenticated%& ACL condition cannot be used in +a connect- or helo-ACL. + + + . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// @@ -34596,8 +34750,9 @@ equivalent to the setting: .code log_file_path = $spool_directory/log/%slog .endd -If you do not specify anything at build time or run time, that is where the -logs are written. +If you do not specify anything at build time or run time, +or if you unset the option at run time (i.e. &`log_file_path = `&), +that is where the logs are written. A log file path may also contain &`%D`& or &`%M`& if datestamped log file names are in use &-- see section &<>& below. @@ -35713,6 +35868,8 @@ search term. If the location of a &'zcat'& command is known from the definition of ZCAT_COMMAND in &_Local/Makefile_&, &'exigrep'& automatically passes any file whose name ends in COMPRESS_SUFFIX through &'zcat'& as it searches it. +If the ZCAT_COMMAND is not executable, &'exigrep'& tries to use +autodetection of some well known compression extensions. .section "Selecting messages by various criteria (exipick)" "SECTexipick"