section &<<SECTnamedlists>>&.
+.new
+.section "Builtin macros" "SECTbuiltinmacros"
+Exim defines some macros depending on facilities available, which may
+differ due to build-time definitions and from one release to another.
+All of these macros start with an underscore.
+They can be used to conditionally include parts of a configuration
+(see below).
+
+The following classes of macros are defined:
+.display
+&` _HAVE_ `& build-time defines
+&` _DRVR_AUTH_ `& authehticator drivers
+&` _DRVR_RTR_ `& router drivers
+&` _DRVR_TPT_ `& transport drivers
+&` _OPT_ `& configuration option support
+.endd
+
+Use an &"exim -bP macros"& command to get the list of macros.
+.wen
+
+
.section "Conditional skips in the configuration file" "SECID46"
.cindex "configuration file" "conditional skips"
.cindex "&`.ifdef`&"
.row &%slow_lookup_log%& "control logging of slow DNS lookups"
.row &%syslog_duplication%& "controls duplicate log lines on syslog"
.row &%syslog_facility%& "set syslog &""facility""& field"
+.row &%syslog_pid%& "pid in syslog lines"
.row &%syslog_processname%& "set syslog &""ident""& field"
.row &%syslog_timestamp%& "timestamp syslog lines"
.row &%write_rejectlog%& "control use of message log"
.option delay_warning main "time list" 24h
.cindex "warning of delay"
.cindex "delay warning, specifying"
+.cindex "queue" "delay warning"
When a message is delayed, Exim sends a warning message to the sender at
intervals specified by this option. The data is a colon-separated list of times
after which to send warning messages. If the value of the option is an empty
details of Exim's logging.
+.option syslog_pid main boolean true
+.cindex "syslog" "pid"
+If &%syslog_pid%& is set false, the PID on Exim's log lines are
+omitted when these lines are sent to syslog. (Syslog normally prefixes
+the log lines with the PID of the logging process automatically.) You need
+to enable the &`+pid`& log selector item, if you want Exim to write it's PID
+into the logs.) See chapter &<<CHAPlog>>& for details of Exim's logging.
+
+
.option syslog_processname main string &`exim`&
.cindex "syslog" "process name; setting"
The value of this option is expanded and indicates the source of DH parameters
to be used by Exim.
-If it is a filename starting with a &`/`&, then it names a file from which DH
+.new
+&*Note: The Exim Maintainers strongly recommend using a filename with site-generated
+local DH parameters*&, which has been supported across all versions of Exim. The
+other specific constants available are a fallback so that even when
+"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.
+.wen
+
+If &%tls_dhparam%& is a filename starting with a &`/`&,
+then it names a file from which DH
parameters should be loaded. If the file exists, it should hold a PEM-encoded
PKCS#3 representation of the DH prime. If the file does not exist, for
OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and
does not exist, Exim will attempt to create it.
See section &<<SECTgnutlsparam>>& for further details.
+.new
If Exim is using OpenSSL and this option is empty or unset, then Exim will load
-a default DH prime; the default is the 2048 bit prime described in section
+a default DH prime; the default is Exim-specific but lacks verifiable provenance.
+
+In older versions of Exim the default was the 2048 bit prime described in section
2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which
in IKE is assigned number 23.
Otherwise, the option must expand to the name used by Exim for any of a number
-of DH primes specified in RFC 2409, RFC 3526 and RFC 5114. As names, Exim uses
-"ike" followed by the number used by IKE, or "default" which corresponds to
-"ike23".
+of DH primes specified in RFC 2409, RFC 3526, RFC 5114, RFC 7919, or from other
+sources. As names, Exim uses a standard specified name, else "ike" followed by
+the number used by IKE, or "default" which corresponds to
+&`exim.dev.20160529.3`&.
-The available primes are:
+The available standard primes are:
+&`ffdhe2048`&, &`ffdhe3072`&, &`ffdhe4096`&, &`ffdhe6144`&, &`ffdhe8192`&,
&`ike1`&, &`ike2`&, &`ike5`&,
&`ike14`&, &`ike15`&, &`ike16`&, &`ike17`&, &`ike18`&,
-&`ike22`&, &`ike23`& (aka &`default`&) and &`ike24`&.
+&`ike22`&, &`ike23`& and &`ike24`&.
+
+The available additional primes are:
+&`exim.dev.20160529.1`&, &`exim.dev.20160529.2`& and &`exim.dev.20160529.3`&.
Some of these will be too small to be accepted by clients.
Some may be too large to be accepted by clients.
+The open cryptographic community has suspicions about the integrity of some
+of the later IKE values, which led into RFC7919 providing new fixed constants
+(the "ffdhe" identifiers).
+
+At this point, all of the "ike" values should be considered obsolete;
+they're still in Exim to avoid breaking unusual configurations, but are
+candidates for removal the next time we have backwards-incompatible changes.
+.wen
The TLS protocol does not negotiate an acceptable size for this; clients tend
to hard-drop connections if what is offered by the server is unacceptable,
.cindex CHUNKING "enabling, in client"
.cindex BDAT "SMTP command"
.cindex "RFC 3030" "CHUNKING"
-This option provides a list of server to which, provided they announce
+This option provides a list of servers to which, provided they announce
CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
BDAT will not be used in conjuction with a transport filter.
.wen
+.new
+.option hosts_try_fastopen smtp "host list!!" unset
+.option "fast open, TCP" "enabling, in client"
+.option "TCP Fast Open" "enabling, in client"
+.option "RFC 7413" "TCP Fast Open"
+This option provides a list of servers to which, provided
+the facility is supported by this system, Exim will attempt to
+perform a TCP Fast Open.
+No data is sent on the SYN segment but, if the remote server also
+supports the facility, it can send its SMTP banner immediately after
+the SYN,ACK segment. This can save up to one round-trip time.
+
+The facility is only active for previously-contacted servers,
+as the initiator must present a cookie in the SYN segment.
+
+On (at least some) current Linux distributions the facility must be enabled
+in the kernel by the sysadmin before the support is usable.
+.wen
+
.option hosts_try_prdr smtp "host list&!!" *
.cindex "PRDR" "enabling, optional in client"
This option provides a list of servers to which, provided they announce
Great care should be taken to deal with matters of case, various injection
attacks in the string (&`../`& or SQL), and ensuring that a valid filename
-can always be referenced; it is important to remember that &$tls_sni$& is
+can always be referenced; it is important to remember that &$tls_in_sni$& is
arbitrary unverified data provided prior to authentication.
+.new
+Further, the initial cerificate is loaded before SNI is arrived, so
+an expansion for &%tls_certificate%& must have a default which is used
+when &$tls_in_sni$& is empty.
+.wen
The Exim developers are proceeding cautiously and so far no other TLS options
are re-expanded.