X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/0b4dfe7aa1f12214abdfa1037497d6c49a471612..60ccec196e3b3d7ee46e7b8efbadd8bb7850b014:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 8e7cb4d92..3672c9fa2 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -52,7 +52,7 @@ .set I "    " .macro copyyear -2019 +2020 .endmacro . ///////////////////////////////////////////////////////////////////////////// @@ -8120,7 +8120,7 @@ daemon as in the other SQL databases. .new .oindex &%sqlite_dbfile%& -The preferred way of specifying the file is by using the +The preferred way of specifying the file is by using the &%sqlite_dbfile%& option, set to an absolute path. .wen @@ -10285,21 +10285,37 @@ ${readsocket{/socket/name}{request string}{3s}} .endd The third argument is a list of options, of which the first element is the timeout -and must be present if the argument is given. +and must be present if any options are given. Further elements are options of form &'name=value'&. -Two option types is currently recognised: shutdown and tls. -The first defines whether (the default) -or not a shutdown is done on the connection after sending the request. -Example, to not do so (preferred, eg. by some webservers): +Example: .code ${readsocket{/socket/name}{request string}{3s:shutdown=no}} .endd -The second, tls, controls the use of TLS on the connection. Example: -.code -${readsocket{/socket/name}{request string}{3s:tls=yes}} -.endd -The default is to not use TLS. + +.new +The following option names are recognised: +.ilist +&*cache*& +Defines if the result data can be cached for use by a later identical +request in the same process. +Values are &"yes"& or &"no"& (the default). +If not, all cached results for this connection specification +will be invalidated. + +.next +&*shutdown*& +Defines whether or not a write-shutdown is done on the connection after +sending the request. Values are &"yes"& (the default) or &"no"& +(preferred, eg. by some webservers). + +.next +&*tls*& +Controls the use of TLS on the connection. +Values are &"yes"& or &"no"& (the default). If it is enabled, a shutdown as descripbed above is never done. +.endlist +.wen + A fourth argument allows you to change any newlines that are in the data that is read, in the same way as for &%readfile%& (see above). This example @@ -13290,6 +13306,18 @@ library, by setting: dns_dnssec_ok = 1 .endd +.new +In addition, on Linux with glibc 2.31 or newer the resolver library will +default to stripping out a successful validation status. +This will break a previously working Exim installation. +Provided that you do trust the resolver (ie, is on localhost) you can tell +glibc to pass through any successful validation with a new option in +&_/etc/resolv.conf_&: +.code +options trust-ad +.endd +.wen + Exim does not perform DNSSEC validation itself, instead leaving that to a validating resolver (e.g. unbound, or bind with suitable configuration). @@ -14562,6 +14590,7 @@ See also the &'Policy controls'& section above. .table2 .row &%dkim_verify_hashes%& "DKIM hash methods accepted for signatures" .row &%dkim_verify_keytypes%& "DKIM key types accepted for signatures" +.row &%dkim_verify_min_keysizes%& "DKIM key sizes accepted for signatures" .row &%dkim_verify_signers%& "DKIM domains for which DKIM ACL is run" .row &%host_lookup%& "host name looked up for these hosts" .row &%host_lookup_order%& "order of DNS and local name lookups" @@ -15336,6 +15365,16 @@ This option gives a list of key types which are acceptable in signatures, and an order of processing. Signatures with algorithms not in the list will be ignored. + +.new +.option dkim_verify_min_keysizes main "string list" "rsa=1024 ed25519=250" +This option gives a list of key sizes which are acceptable in signatures. +The list is keyed by the algorithm type for the key; the values are in bits. +Signatures with keys smaller than given by this option will fail verification. + +The default enforces the RFC 8301 minimum key size for RSA signatures. +.wen + .option dkim_verify_minimal main boolean false If set to true, verification of signatures will terminate after the first success. @@ -15418,6 +15457,18 @@ default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on. If the resolver library does not support DNSSEC then this option has no effect. +.new +On Linux with glibc 2.31 or newer this is insufficient, the resolver library +will default to stripping out a successful validation status. +This will break a previously working Exim installation. +Provided that you do trust the resolver (ie, is on localhost) you can tell +glibc to pass through any successful validation with a new option in +&_/etc/resolv.conf_&: +.code +options trust-ad +.endd +.wen + .option dns_ipv4_lookup main "domain list&!!" unset .cindex "IPv6" "DNS lookup for AAAA records" @@ -16955,7 +17006,7 @@ received_header_text = Received: \ ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ ${if def:received_protocol {with $received_protocol }}\ - ${if def:tls_ver { ($tls_ver)}}\ + ${if def:tls_in_ver { ($tls_in_ver)}}\ ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ @@ -16964,7 +17015,8 @@ received_header_text = Received: \ ${if def:received_for {\n\tfor $received_for}} .endd -The reference to the TLS cipher is omitted when Exim is built without TLS +The references to the TLS version and cipher are +omitted when Exim is built without TLS support. The use of conditional expansions ensures that this works for both locally generated messages and messages received from remote hosts, giving header lines such as the following: @@ -19130,7 +19182,7 @@ but the user is specified symbolically, the gid associated with the uid is used. For example: .code require_files = mail:/some/file -require_files = $local_part:$home/.procmailrc +require_files = $local_part_verified:$home/.procmailrc .endd If a user or group name in a &%require_files%& list does not exist, the &%require_files%& condition fails. @@ -21761,7 +21813,7 @@ local_users: # This transport overrides the group group_delivery: driver = appendfile - file = /var/spool/mail/$local_part + file = /var/spool/mail/$local_part_verified group = mail .endd If &%user%& is set for a transport, its value overrides what is set in the @@ -22596,7 +22648,7 @@ is used as a result of a &"keep"& action in the filter. This example shows one way of handling this requirement: .code file = ${if eq{$address_file}{inbox} \ - {/var/mail/$local_part} \ + {/var/mail/$local_part_verified} \ {${if eq{${substr_0_1:$address_file}}{/} \ {$address_file} \ {$home/mail/$address_file} \ @@ -22777,8 +22829,8 @@ The string value is expanded for each delivery, and must yield an absolute path. The most common settings of this option are variations on one of these examples: .code -file = /var/spool/mail/$local_part -file = /home/$local_part/inbox +file = /var/spool/mail/$local_part_verified +file = /home/$local_part_verified/inbox file = $home/inbox .endd .cindex "&""sticky""& bit" @@ -23534,7 +23586,7 @@ and directories in a maildir mailbox, including subdirectories for maildir++ folders. Consider this example: .code maildir_format = true -directory = /var/mail/$local_part\ +directory = /var/mail/$local_part_verified\ ${if eq{$local_part_suffix}{}{}\ {/.${substr_1:$local_part_suffix}}} maildirfolder_create_regex = /\.[^/]+$ @@ -35086,7 +35138,7 @@ central_filter: check_local_user driver = redirect domains = +local_domains - file = /central/filters/$local_part + file = /central/filters/$local_part_verified no_verify allow_filter allow_freeze @@ -36601,10 +36653,10 @@ lists in a separate domain from normal mail. For example: lists: driver = redirect domains = lists.example - file = /usr/lists/$local_part + file = ${lookup {$local_part} dsearch,ret=full {/usr/lists}} forbid_pipe forbid_file - errors_to = $local_part-request@lists.example + errors_to = ${quote_local_part:$local_part-request}@lists.example no_more .endd This router is skipped for domains other than &'lists.example'&. For addresses @@ -36692,7 +36744,8 @@ lists_request: driver = redirect domains = lists.example local_part_suffix = -request - file = /usr/lists/$local_part$local_part_suffix + local_parts = ${lookup {$local_part} dsearch,filter=file {/usr/lists}} + file = /usr/lists/${local_part_data}-request no_more lists_post: @@ -36700,10 +36753,10 @@ lists_post: domains = lists.example senders = ${if exists {/usr/lists/$local_part}\ {lsearch;/usr/lists/$local_part}{*}} - file = /usr/lists/$local_part + file = ${lookup {$local_part} dsearch,ret=full {/usr/lists}} forbid_pipe forbid_file - errors_to = $local_part-request@lists.example + errors_to = ${quote_local_part:$local_part-request}@lists.example no_more lists_closed: @@ -36761,7 +36814,7 @@ verp_smtp: max_rcpt = 1 return_path = \ ${if match {$return_path}{^(.+?)-request@your.dom.example\$}\ - {$1-request+$local_part=$domain@your.dom.example}fail} + {${quote_local_part:$1-request+$local_part=$domain}@your.dom.example}fail} .endd This has the effect of rewriting the return path (envelope sender) on outgoing SMTP messages, if the local part of the original return path ends in @@ -36812,7 +36865,7 @@ verp_dnslookup: transport = remote_smtp errors_to = \ ${if match {$return_path}{^(.+?)-request@your.dom.example\$}} - {$1-request+$local_part=$domain@your.dom.example}fail} + {${quote_local_part:$1-request+$local_part=$domain}@your.dom.example}fail} no_more .endd Before you start sending out messages with VERPed return paths, you must also @@ -36900,7 +36953,7 @@ follows: .code my_mailboxes: driver = appendfile - file = /var/mail/$domain/$local_part + file = /var/mail/$domain/$local_part_data user = mail .endd This uses a directory of mailboxes for each domain. The &%user%& setting is @@ -40426,7 +40479,7 @@ only supports signing with the same canonicalization method for both headers and .option dkim_strict smtp string&!! unset This option defines how Exim behaves when signing a message that should be signed fails for some reason. When the expansion evaluates to -either "1" or "true", Exim will defer. Otherwise Exim will send the message +either &"1"& or &"true"&, Exim will defer. Otherwise Exim will send the message unsigned. You can use the &%$dkim_domain%& and &%$dkim_selector%& expansion variables here. @@ -40438,16 +40491,19 @@ in the message signature. When unspecified, the header names listed in RFC4871 will be used, whether or not each header is present in the message. The default list is available for the expansion in the macro -"_DKIM_SIGN_HEADERS". +&"_DKIM_SIGN_HEADERS"& +.new +and an oversigning variant is in &"_DKIM_OVERSIGN_HEADERS"&. +.wen If a name is repeated, multiple headers by that name (or the absence thereof) will be signed. The textually later headers in the headers part of the message are signed first, if there are multiples. -A name can be prefixed with either an '=' or a '+' character. -If an '=' prefix is used, all headers that are present with this name +A name can be prefixed with either an &"="& or a &"+"& character. +If an &"="& prefix is used, all headers that are present with this name will be signed. -If a '+' prefix if used, all headers that are present with this name +If a &"+"& prefix if used, all headers that are present with this name will be signed, and one signature added for a missing header with the name will be appended. @@ -40689,6 +40745,10 @@ Notes from the key record (tag n=). .vitem &%$dkim_key_length%& Number of bits in the key. +.new +Valid only once the key is loaded, which is at the time the header signature +is verified, which is after the body hash is. +.wen Note that RFC 8301 says: .code @@ -40696,9 +40756,8 @@ Verifiers MUST NOT consider signatures using RSA keys of less than 1024 bits as valid signatures. .endd -To enforce this you must have a DKIM ACL which checks this variable -and overwrites the &$dkim_verify_status$& variable as discussed above. -As EC keys are much smaller, the check should only do this for RSA keys. +This is enforced by the default setting for the &%dkim_verify_min_keysizes%& +option. .endlist