.set I " "
.macro copyyear
-2018
+2018, 2019
.endmacro
. /////////////////////////////////////////////////////////////////////////////
.section "Including TLS/SSL encryption support" "SECTinctlsssl"
.cindex "TLS" "including support for TLS"
.cindex "encryption" "including support for"
-.cindex "SUPPORT_TLS"
.cindex "OpenSSL" "building Exim with"
.cindex "GnuTLS" "building Exim with"
-Exim can be built to support encrypted SMTP connections, using the STARTTLS
-command as per RFC 2487. It can also support legacy clients that expect to
+Exim is usually built to support encrypted SMTP connections, using the STARTTLS
+command as per RFC 2487. It can also support clients that expect to
start a TLS session immediately on connection to a non-standard port (see the
&%tls_on_connect_ports%& runtime option and the &%-tls-on-connect%& command
line option).
OpenSSL or GnuTLS library. There is no cryptographic code in Exim itself for
implementing SSL.
+.new
+If you do not want TLS support you should set
+.code
+DISABLE_TLS=yes
+.endd
+in &_Local/Makefile_&.
+.wen
+
If OpenSSL is installed, you should set
.code
-SUPPORT_TLS=yes
+USE_OPENSL=yes
TLS_LIBS=-lssl -lcrypto
.endd
in &_Local/Makefile_&. You may also need to specify the locations of the
OpenSSL library and include files. For example:
.code
-SUPPORT_TLS=yes
+USE_OPENSL=yes
TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
TLS_INCLUDE=-I/usr/local/openssl/include/
.endd
.cindex "pkg-config" "OpenSSL"
If you have &'pkg-config'& available, then instead you can just use:
.code
-SUPPORT_TLS=yes
+USE_OPENSL=yes
USE_OPENSSL_PC=openssl
.endd
.cindex "USE_GNUTLS"
If GnuTLS is installed, you should set
.code
-SUPPORT_TLS=yes
USE_GNUTLS=yes
TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
.endd
in &_Local/Makefile_&, and again you may need to specify the locations of the
library and include files. For example:
.code
-SUPPORT_TLS=yes
USE_GNUTLS=yes
TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt
TLS_INCLUDE=-I/usr/gnu/include
.cindex "pkg-config" "GnuTLS"
If you have &'pkg-config'& available, then instead you can just use:
.code
-SUPPORT_TLS=yes
USE_GNUTLS=yes
USE_GNUTLS_PC=gnutls
.endd
Bounce messages are just discarded. This option can be used only by an admin
user.
+.new
+.vitem &%-MG%&&~<&'queue&~name'&&~<&'message&~id'&>&~<&'message&~id'&>&~...
+.oindex "&%-MG%&"
+.cindex queue named
+.cindex "named queues"
+.cindex "queue" "moving messages"
+This option requests that each listed message be moved from its current
+queue to the given named queue.
+The destination queue name argument is required, but can be an empty
+string to define the default queue.
+If the messages are not currently located in the default queue,
+a &%-qG<name>%& option will be required to define the source queue.
+.wen
+
.vitem &%-Mmad%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
.oindex "&%-Mmad%&"
.cindex "delivery" "cancelling all"
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
-.ifdef _HAVE_DNSSEC
- dnssec_request_domains = *
-.endif
no_more
.endd
The &%domains%& option behaves as per smarthost, above.
remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-.ifdef _HAVE_DANE
- hosts_try_dane = *
-.endif
.ifdef _HAVE_PRDR
hosts_try_prdr = *
.endif
tools for building the files can be found in several places:
.display
&url(https://cr.yp.to/cdb.html)
-&url(http://www.corpit.ru/mjt/tinycdb.html)
+&url(https://www.corpit.ru/mjt/tinycdb.html)
&url(https://packages.debian.org/stable/utils/freecdb)
&url(https://github.com/philpennock/cdbtools) (in Go)
.endd
-. --- 2018-09-07: corpit.ru http:-only
A cdb distribution is not needed in order to build Exim with cdb support,
because the code for reading cdb files is included directly in Exim itself.
However, no means of building or testing cdb files is provided with Exim, so
With &"strict"& a response from the DNS resolver that
is not labelled as authenticated data
is treated as equivalent to a temporary DNS error.
-The default is &"never"&.
+The default is &"lax"&.
See also the &$lookup_dnssec_authenticated$& variable.
object so that it doesn't reload the same object file in the same Exim process
(but of course Exim does start new processes frequently).
-There may be from zero to eight arguments to the function. When compiling
-a local function that is to be called in this way, &_local_scan.h_& should be
-included. The Exim variables and functions that are defined by that API
+There may be from zero to eight arguments to the function.
+
+.new
+When compiling
+a local function that is to be called in this way,
+first &_DLFUNC_IMPL_& should be defined,
+and second &_local_scan.h_& should be included.
+.wen
+The Exim variables and functions that are defined by that API
are also available for dynamically loaded functions. The function itself
must have the following type:
.code
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used for &%tls_certificate%&, this variable is not reliable.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen
.vitem &$tls_in_peercert$&
.vindex "&$tls_in_peercert$&"
transport driver.
-.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket"
+.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket +no_renegotiation"
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
commands are acceptable.
When used, the pipelining saves on roundtrip times.
+See also the &%hosts_pipe_connect%& smtp transport option.
+
Currently the option name &"X_PIPE_CONNECT"& is used.
.wen
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used, the &$tls_in_ourcert$& variable is unreliable.
-
-&*Note*&: OCSP stapling is not usable under OpenSSL
-when a list of more than one file is used.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
The value of this option is expanded and indicates the source of DH parameters
to be used by Exim.
-&*Note: The Exim Maintainers strongly recommend using a filename with site-generated
+.new
+This option is ignored for GnuTLS version 3.6.0 and later.
+The library manages parameter negotiation internally.
+.wen
+
+&*Note: The Exim Maintainers strongly recommend,
+for other TLS library versions,
+using a filename with site-generated
local DH parameters*&, which has been supported across all versions of Exim. The
other specific constants available are a fallback so that even when
"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.
Certificate Authority.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.new
+The macro "_HAVE_TLS_OCSP" will be defined for those versions.
+.wen
.new
For OpenSSL 1.1.0 or later, and
for GnuTLS 3.5.6 or later the expanded value of this option can be a list
of files, to match a list given for the &%tls_certificate%& option.
The ordering of the two lists must match.
+.new
+The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions.
+.wen
.new
The file(s) should be in DER format,
-except for GnuTLS 3.6.3 or later when an optional filetype prefix
-can be used. The prefix must be one of "DER" or "PEM", followed by
+except for GnuTLS 3.6.3 or later
+or for OpenSSL,
+when an optional filetype prefix can be used.
+The prefix must be one of "DER" or "PEM", followed by
a single space. If one is used it sets the format for subsequent
files in the list; the initial format is DER.
-When a PEM format file is used it may contain multiple proofs,
-for multiple certificate chain element proofs under TLS1.3.
+If multiple proofs are wanted, for multiple chain elements
+(this only works under TLS1.3)
+they must be coded as a combined OCSP response.
+
+Although GnuTLS will accept PEM files with multiple separate
+PEM blobs (ie. separate OCSP responses), it sends them in the
+TLS Certificate record interleaved with the certificates of the chain;
+although a GnuTLS client is happy with that, an OpenSSL client is not.
.wen
.option tls_on_connect_ports main "string list" unset
unless you really, really know what you are doing. See also the generic
transport option of the same name.
-.option dnssec_request_domains routers "domain list&!!" unset
+.option dnssec_request_domains routers "domain list&!!" *
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
details.
-.option dnssec_request_domains smtp "domain list&!!" unset
+.option dnssec_request_domains smtp "domain list&!!" *
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
It also turns SMTP into a client-first protocol
so combines well with TCP Fast Open.
+See also the &%pipelining_connect_advertise_hosts%& main option.
+
Note:
When the facility is used, the transport &%helo_data%& option
will be expanded before the &$sending_ip_address$& variable
.code
USE_GNUTLS=yes
.endd
-in Local/Makefile, in addition to
-.code
-SUPPORT_TLS=yes
-.endd
-You must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the
+in Local/Makefile
+you must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the
include files and libraries for GnuTLS can be found.
There are some differences in usage when using GnuTLS instead of OpenSSL:
If DANE is not usable, whether requested or not, and CA-anchored
verification evaluation is wanted, the above variables should be set appropriately.
-Currently the (router or transport options) &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored.
+The router and transport option &%dnssec_request_domains%& must not be
+set to "never" and &%dnssec_require_domains%& is ignored.
If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane".
SPF is a mechanism whereby a domain may assert which IP addresses may transmit
messages with its domain in the envelope from, documented by RFC 7208.
-For more information on SPF see &url(http://www.openspf.org).
-. --- 2018-09-07: still not https
+For more information on SPF see &url(http://www.open-spf.org), a static copy of
+the &url(http://openspf.org).
+. --- 2019-10-28: still not https, open-spf.org is told to be a
+. --- web-archive copy of the now dead openspf.org site
+. --- See https://www.mail-archive.com/mailop@mailop.org/msg08019.html for a
+. --- discussion.
Messages sent by a system not authorised will fail checking of such assertions.
This includes retransmissions done by traditional forwarders.
message = $sender_host_address is not allowed to send mail from \
${if def:sender_address_domain \
{$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.openspf.org/Why?scope=\
+ Please see http://www.open-spf.org/Why?scope=\
${if def:sender_address_domain {mfrom}{helo}};\
identity=${if def:sender_address_domain \
{$sender_address}{$sender_helo_name}};\
"Best-guess". Strictly speaking, "Best-guess" is not standard
SPF, but it is supported by the same framework that enables SPF
capability.
-Refer to &url(http://www.openspf.org/FAQ/Best_guess_record)
+Refer to &url(http://www.open-spf.org/FAQ/Best_guess_record)
for a description of what it means.
-. --- 2018-09-07: still not https:
+. --- 2019-10-28: still not https:
To access this feature, simply use the spf_guess condition in place
of the spf one. For example: