X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/05c39afa86ea3d0dd619e7d75554c701f96d2da4..9162b43bbdc6f71cffbc92489d33ea204b76bad4:/doc/doc-txt/experimental-spec.txt diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 8d1ebef13..a7651f6c0 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -69,7 +69,7 @@ starts retrying to fetch an OCSP proof some time before its current proof expires. The downside is that it requires server support. If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL, -then it gains one new option: "tls_ocsp_file". +then it gains a new global option: "tls_ocsp_file". The file specified therein is expected to be in DER format, and contain an OCSP proof. Exim will serve it as part of the TLS handshake. This @@ -86,10 +86,30 @@ next connection. Exim will check for a valid next update timestamp in the OCSP proof; if not present, or if the proof has expired, it will be ignored. +Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains +a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling +is requested and required for the connection to proceed. The host(s) +should also be in "hosts_require_tls", and "tls_verify_certificates" +configured for the transport. + +For the client to be able to verify the stapled OCSP the server must +also supply, in its stapled information, any intermediate +certificates for the chain leading to the OCSP proof from the signer +of the server certificate. There may be zero or one such. These +intermediate certificates should be added to the server OCSP stapling +file (named by tls_ocsp_file). + At this point in time, we're gathering feedback on use, to determine if it's worth adding complexity to the Exim daemon to periodically re-fetch -OCSP files and somehow handling multiple files. There is no client support -for OCSP in Exim, this is feature expected to be used by mail clients. +OCSP files and somehow handling multiple files. + + A helper script "ocsp_fetch.pl" for fetching a proof from a CA + OCSP server is supplied. The server URL may be included in the + server certificate, if the CA is helpful. + + One fail mode seen was the OCSP Signer cert expiring before the end + of vailidity of the OCSP proof. The checking done by Exim/OpenSSL + noted this as invalid overall, but the re-fetch script did not. @@ -622,6 +642,294 @@ mout.gmx.net 212.227.15.16 Use a reasonable IP. eg. one the sending cluster acutally uses. +DMARC Support +-------------------------------------------------------------- + +DMARC combines feedback from SPF, DKIM, and header From: in order +to attempt to provide better indicators of the authenticity of an +email. This document does not explain the fundamentals, you +should read and understand how it works by visiting the website at +http://www.dmarc.org/. + +DMARC support is added via the libopendmarc library. Visit: + + http://sourceforge.net/projects/opendmarc/ + +to obtain a copy, or find it in your favorite rpm package +repository. If building from source, this description assumes +that headers will be in /usr/local/include, and that the libraries +are in /usr/local/lib. + +1. To compile Exim with DMARC support, you must first enable SPF. +Please read the above section on enabling the EXPERIMENTAL_SPF +feature. You must also have DKIM support, so you cannot set the +DISABLE_DKIM feature. Once both of those conditions have been met +you can enable DMARC in Local/Makefile: + +EXPERIMENTAL_DMARC=yes +LDFLAGS += -lopendmarc +# CFLAGS += -I/usr/local/include +# LDFLAGS += -L/usr/local/lib + +The first line sets the feature to include the correct code, and +the second line says to link the libopendmarc libraries into the +exim binary. The commented out lines should be uncommented if you +built opendmarc from source and installed in the default location. +Adjust the paths if you installed them elsewhere, but you do not +need to uncomment them if an rpm (or you) installed them in the +package controlled locations (/usr/include and /usr/lib). + + +2. Use the following global settings to configure DMARC: + +Required: +dmarc_tld_file Defines the location of a text file of valid + top level domains the opendmarc library uses + during domain parsing. Maintained by Mozilla, + the most current version can be downloaded + from a link at http://publicsuffix.org/list/. + +Optional: +dmarc_history_file Defines the location of a file to log results + of dmarc verification on inbound emails. The + contents are importable by the opendmarc tools + which will manage the data, send out DMARC + reports, and expire the data. Make sure the + directory of this file is writable by the user + exim runs as. + +dmarc_forensic_sender The email address to use when sending a + forensic report detailing alignment failures + if a sender domain's dmarc record specifies it + and you have configured Exim to send them. + Default: do-not-reply@$default_hostname + + +3. By default, the DMARC processing will run for any remote, +non-authenticated user. It makes sense to only verify DMARC +status of messages coming from remote, untrusted sources. You can +use standard conditions such as hosts, senders, etc, to decide that +DMARC verification should *not* be performed for them and disable +DMARC with a control setting: + + control = dmarc_verify_disable + +A DMARC record can also specify a "forensic address", which gives +exim an email address to submit reports about failed alignment. +Exim does not do this by default because in certain conditions it +results in unintended information leakage (what lists a user might +be subscribed to, etc). You must configure exim to submit forensic +reports to the owner of the domain. If the DMARC record contains a +forensic address and you specify the control statement below, then +exim will send these forensic emails. It's also advised that you +configure a dmarc_forensic_sender because the default sender address +construction might be inadequate. + + control = dmarc_forensic_enable + +(AGAIN: You can choose not to send these forensic reports by simply +not putting the dmarc_forensic_enable control line at any point in +your exim config. If you don't tell it to send them, it will not +send them.) + +There are no options to either control. Both must appear before +the DATA acl. + + +4. You can now run DMARC checks in incoming SMTP by using the +"dmarc_status" ACL condition in the DATA ACL. You are required to +call the spf condition first in the ACLs, then the "dmarc_status" +condition. Putting this condition in the ACLs is required in order +for a DMARC check to actually occur. All of the variables are set +up before the DATA ACL, but there is no actual DMARC check that +occurs until a "dmarc_status" condition is encountered in the ACLs. + +The dmarc_status condition takes a list of strings on its +right-hand side. These strings describe recommended action based +on the DMARC check. To understand what the policy recommendations +mean, refer to the DMARC website above. Valid strings are: + + o accept The DMARC check passed and the library recommends + accepting the email. + o reject The DMARC check failed and the library recommends + rejecting the email. + o quarantine The DMARC check failed and the library recommends + keeping it for further inspection. + o norecord No policy section in the DMARC record for this + sender domain. + o nofrom Unable to determine the domain of the sender. + o none There is no DMARC record for this sender domain. + o error Library error or dns error. + +You can prefix each string with an exclamation mark to invert its +meaning, for example "!accept" will match all results but +"accept". The string list is evaluated left-to-right in a +short-circuit fashion. When a string matches the outcome of the +DMARC check, the condition succeeds. If none of the listed +strings matches the outcome of the DMARC check, the condition +fails. + +Of course, you can also use any other lookup method that Exim +supports, including LDAP, Postgres, MySQL, etc, as long as the +result is a list of colon-separated strings; + +Several expansion variables are set before the DATA ACL is +processed, and you can use them in this ACL. The following +expansion variables are available: + + o $dmarc_status + This is a one word status indicating what the DMARC library + thinks of the email. + + o $dmarc_status_text + This is a slightly longer, human readable status. + + o $dmarc_used_domain + This is the domain which DMARC used to look up the DMARC + policy record. + + o $dmarc_ar_header + This is the entire Authentication-Results header which you can + add using an add_header modifier. + + +5. How to enable DMARC advanced operation: +By default, Exim's DMARC configuration is intended to be +non-intrusive and conservative. To facilitate this, Exim will not +create any type of logging files without explicit configuration by +you, the admin. Nor will Exim send out any emails/reports about +DMARC issues without explicit configuration by you, the admin (other +than typical bounce messages that may come about due to ACL +processing or failure delivery issues). + +In order to log statistics suitable to be imported by the opendmarc +tools, you need to: +a. Configure the global setting dmarc_history_file. +b. Configure cron jobs to call the appropriate opendmarc history + import scripts and truncating the dmarc_history_file. + +In order to send forensic reports, you need to: +a. Configure the global setting dmarc_forensic_sender. +b. Configure, somewhere before the DATA ACL, the control option to + enable sending DMARC forensic reports. + + +6. Example usage: +(RCPT ACL) + warn domains = +local_domains + hosts = +local_hosts + control = dmarc_verify_disable + + warn !domains = +screwed_up_dmarc_records + control = dmarc_enable_forensic + +(DATA ACL) + warn dmarc_status = accept : none : off + !authenticated = * + log_message = DMARC DEBUG: $dmarc_status $dmarc_used_domain + add_header = $dmarc_ar_header + + warn dmarc_status = !accept + !authenticated = * + log_message = DMARC DEBUG: '$dmarc_status' for $dmarc_used_domain + + warn dmarc_status = quarantine + !authenticated = * + set $acl_m_quarantine = 1 + # Do something in a transport with this flag variable + + deny dmarc_status = reject + !authenticated = * + message = Message from $domain_used_domain failed sender's DMARC policy, REJECT + + + +DBL (Database Logging) +-------------------------------------------------------------- + +An arbitrary per-transport string can be expanded on successful delivery, +and (for SMTP transports) a second string on deferrals caused by a host error. +This feature allows the writing of exim internal log information +(not available otherwise) into a database. + +In order to use DBL, you must set + +EXPERIMENTAL_DBL=yes + +in your Local/Makefile + +and define the expandable strings in the runtime config file, to +be executed at end of delivery. + +Additionally, there are 8 more variables, available at end of +delivery: + +dbl_delivery_ip IP of host, which has accepted delivery +dbl_delivery_port Port of remote host which has accepted delivery +dbl_delivery_fqdn FQDN of host, which has accepted delivery +dbl_delivery_local_part local part of address being delivered +dbl_delivery_domain domain part of address being delivered +dbl_delivery_confirmation SMTP confirmation message +router_name name of router +transport_name name of transport + +In case of a deferral caused by a host-error: +dbl_defer_errno Error number +dbl_defer_errstr Error string possibly containing more details + + + +To log successful deliveries, set the following option +on any transport of interest. + +dbl_delivery_query + +An example might look like: + +dbl_delivery_query = \ +${lookup pgsql {SELECT * FROM record_Delivery( \ + '${quote_pgsql:$sender_address_domain}',\ + '${quote_pgsql:${lc:$sender_address_local_part}}', \ + '${quote_pgsql:$dbl_delivery_domain}', \ + '${quote_pgsql:${lc:$dbl_delivery_local_part}}', \ + '${quote_pgsql:$dbl_delivery_ip}', \ + '${quote_pgsql:${lc:$dbl_delivery_fqdn}}', \ + '${quote_pgsql:$message_exim_id}')}} + +The string is expanded after the delivery completes and any +side-effects will happen. The result is then discarded. +Note that for complex operations an ACL expansion can be used. + + +In order to log host deferrals, add the following option to an SMTP +transport: + +dbl_host_defer_query + +This is a private option of the SMTP transport. It is intended to +log failures of remote hosts. It is executed only when exim has +attempted to deliver a message to a remote host and failed due to +an error which doesn't seem to be related to the individual +message, sender, or recipient address. +See section 45.2 of the exim documentation for more details on how +this is determined. + +Example: + +dbl_host_defer_query = \ +${lookup mysql {insert into delivlog set \ + msgid = '${quote_mysql:$message_exim_id}', \ + senderlp = '${quote_mysql:${lc:$sender_address_local_part}}', \ + senderdom = '${quote_mysql:$sender_address_domain}', \ + delivlp = '${quote_mysql:${lc:$dbl_delivery_local_part}}', \ + delivdom = '${quote_mysql:$dbl_delivery_domain}', \ + delivip = '${quote_mysql:$dbl_delivery_ip}', \ + delivport = '${quote_mysql:$dbl_delivery_port}', \ + delivfqdn = '${quote_mysql:$dbl_delivery_fqdn}', \ + deliverrno = '${quote_mysql:$dbl_defer_errno}', \ + deliverrstr = '${quote_mysql:$dbl_defer_errstr}' \ + }} + -------------------------------------------------------------- End of file --------------------------------------------------------------