X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/ff5929e3b91747e2ecb600711d17a7d0e21749ad..refs/remotes/origin/pdp_new_dhparam:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 4ebeaa0c6..7608dc680 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6268,7 +6268,11 @@ Chapter &<>& covers both. Exim supports the use of regular expressions in many of its options. It uses the PCRE regular expression library; this provides regular expression matching that is compatible with Perl 5. The syntax and semantics of -regular expressions is discussed in many Perl reference books, and also in +regular expressions is discussed in +.new +online Perl manpages, in +.wen +many Perl reference books, and also in Jeffrey Friedl's &'Mastering Regular Expressions'&, which is published by O'Reilly (see &url(http://www.oreilly.com/catalog/regex2/)). @@ -14320,11 +14324,15 @@ $primary_hostname-$tod_epoch-testing See section &<>& for details of how this value is used. -.option check_log_inodes main integer 0 +.new +.option check_log_inodes main integer 100 +.wen See &%check_spool_space%& below. -.option check_log_space main integer 0 +.new +.option check_log_space main integer 10M +.wen See &%check_spool_space%& below. .oindex "&%check_rfc2047_length%&" @@ -14339,11 +14347,15 @@ of the RFC, generates overlong encoded words. If &%check_rfc2047_length%& is set false, Exim recognizes encoded words of any length. -.option check_spool_inodes main integer 0 +.new +.option check_spool_inodes main integer 100 +.wen See &%check_spool_space%& below. -.option check_spool_space main integer 0 +.new +.option check_spool_space main integer 10M +.wen .cindex "checking disk space" .cindex "disk space, checking" .cindex "spool directory" "checking space" @@ -14354,7 +14366,7 @@ message is accepted. .vindex "&$log_space$&" .vindex "&$spool_inodes$&" .vindex "&$spool_space$&" -When any of these options are set, they apply to all incoming messages. If you +When any of these options are nonzero, they apply to all incoming messages. If you want to apply different checks to different kinds of message, you can do so by testing the variables &$log_inodes$&, &$log_space$&, &$spool_inodes$&, and &$spool_space$& in an ACL with appropriate additional conditions. @@ -14363,7 +14375,7 @@ testing the variables &$log_inodes$&, &$log_space$&, &$spool_inodes$&, and &%check_spool_space%& and &%check_spool_inodes%& check the spool partition if either value is greater than zero, for example: .code -check_spool_space = 10M +check_spool_space = 100M check_spool_inodes = 100 .endd The spool partition is the one that contains the directory defined by @@ -14382,12 +14394,20 @@ SIZE parameter on the MAIL command, its value is added to the &%check_spool_space%& is zero, unless &%no_smtp_check_spool_space%& is set. The values for &%check_spool_space%& and &%check_log_space%& are held as a -number of kilobytes. If a non-multiple of 1024 is specified, it is rounded up. +number of kilobytes (though specified in bytes). +If a non-multiple of 1024 is specified, it is rounded up. For non-SMTP input and for batched SMTP input, the test is done at start-up; on failure a message is written to stderr and Exim exits with a non-zero code, as it obviously cannot send an error message of any kind. +.new +There is a slight performance penalty for these checks. +Versions of Exim preceding 4.88 had these disabled by default; +high-rate intallations confident they will never run out of resources +may wish to deliberately disable them. +.wen + .new .option chunking_advertise_hosts main "host list&!!" * .cindex CHUNKING advertisement @@ -14418,6 +14438,7 @@ See &%daemon_startup_retries%&. .option delay_warning main "time list" 24h .cindex "warning of delay" .cindex "delay warning, specifying" +.cindex "queue" "delay warning" When a message is delayed, Exim sends a warning message to the sender at intervals specified by this option. The data is a colon-separated list of times after which to send warning messages. If the value of the option is an empty @@ -17013,7 +17034,15 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -If it is a filename starting with a &`/`&, then it names a file from which DH +.new +&*Note: The Exim Maintainers strongly recommend using a filename with site-generated +local DH parameters*&, which has been supported across all versions of Exim. The +other specific constants available are a fallback so that even when +"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS. +.wen + +If &%tls_dhparam%& is a filename starting with a &`/`&, +then it names a file from which DH parameters should be loaded. If the file exists, it should hold a PEM-encoded PKCS#3 representation of the DH prime. If the file does not exist, for OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and @@ -17029,23 +17058,39 @@ Exim will attempt to load a file from inside the spool directory. If the file does not exist, Exim will attempt to create it. See section &<>& for further details. +.new If Exim is using OpenSSL and this option is empty or unset, then Exim will load -a default DH prime; the default is the 2048 bit prime described in section +a default DH prime; the default is Exim-specific but lacks verifiable provenance. + +In older versions of Exim the default was the 2048 bit prime described in section 2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which in IKE is assigned number 23. Otherwise, the option must expand to the name used by Exim for any of a number -of DH primes specified in RFC 2409, RFC 3526 and RFC 5114. As names, Exim uses -"ike" followed by the number used by IKE, or "default" which corresponds to -"ike23". +of DH primes specified in RFC 2409, RFC 3526, RFC 5114, RFC 7919, or from other +sources. As names, Exim uses a standard specified name, else "ike" followed by +the number used by IKE, or "default" which corresponds to +&`exim.dev.20160529.3`&. -The available primes are: +The available standard primes are: +&`ffdhe2048`&, &`ffdhe3072`&, &`ffdhe4096`&, &`ffdhe6144`&, &`ffdhe8192`&, &`ike1`&, &`ike2`&, &`ike5`&, &`ike14`&, &`ike15`&, &`ike16`&, &`ike17`&, &`ike18`&, -&`ike22`&, &`ike23`& (aka &`default`&) and &`ike24`&. +&`ike22`&, &`ike23`& and &`ike24`&. + +The available additional primes are: +&`exim.dev.20160529.1`&, &`exim.dev.20160529.2`& and &`exim.dev.20160529.3`&. Some of these will be too small to be accepted by clients. Some may be too large to be accepted by clients. +The open cryptographic community has suspicions about the integrity of some +of the later IKE values, which led into RFC7919 providing new fixed constants +(the "ffdhe" identifiers). + +At this point, all of the "ike" values should be considered obsolete; +they're still in Exim to avoid breaking unusual configurations, but are +candidates for removal the next time we have backwards-incompatible changes. +.wen The TLS protocol does not negotiate an acceptable size for this; clients tend to hard-drop connections if what is offered by the server is unacceptable, @@ -35714,7 +35759,7 @@ the following table: &`P `& on &`<=`& lines: protocol used &` `& on &`=>`& and &`**`& lines: return path &`PRDR`& PRDR extension used -&`PRX `& on &'<='& and &`=>`& lines: proxy address +&`PRX `& on &`<=`& and &`=>`& lines: proxy address &`Q `& alternate queue name &`QT `& on &`=>`& lines: time spent on queue so far &` `& on &"Completed"& lines: time spent on queue @@ -38375,13 +38420,18 @@ for a match against the domain or identity that the ACL is currently verifying verb to a group of domains or identities. For example: .code -# Warn when Mail purportedly from GMail has no signature at all -warn log_message = GMail sender without DKIM signature +# Warn when Mail purportedly from GMail has no gmail signature +warn log_message = GMail sender without gmail.com DKIM signature sender_domains = gmail.com dkim_signers = gmail.com dkim_status = none .endd +.new +Note that the above does not check for a total lack of DKIM signing; +for that check for empty &$h_DKIM-Signature:$& in the data ACL. +.wen + .vitem &%dkim_status%& ACL condition that checks a colon-separated list of possible DKIM verification results against the actual result of verification. This is typically used