X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/2043336d393ea7725942b5be81b486b214eb7b9e..5fae29d5b430d6a5f58c6c02cdefbbf307e258a9:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ceb377b0a..8be9b7121 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -45,14 +45,14 @@ . Update the Copyright year (only) when changing content. . ///////////////////////////////////////////////////////////////////////////// -.set previousversion "4.92" +.set previousversion "4.93" .include ./local_params .set ACL "access control lists (ACLs)" .set I "    " .macro copyyear -2018, 2019 +2019 .endmacro . ///////////////////////////////////////////////////////////////////////////// @@ -371,11 +371,13 @@ contributors. .section "Exim documentation" "SECID1" . Keep this example change bar when updating the documentation! +.new .cindex "documentation" This edition of the Exim specification applies to version &version() of Exim. Substantive changes from the &previousversion; edition are marked in some renditions of this document; this paragraph is so marked if the rendition is capable of showing a change indicator. +.wen This document is very much a reference manual; it is not a tutorial. The reader is expected to have some familiarity with the SMTP mail transfer protocol and @@ -1898,13 +1900,11 @@ If you want to build Exim with TLS support, you must first install either the OpenSSL or GnuTLS library. There is no cryptographic code in Exim itself for implementing SSL. -.new If you do not want TLS support you should set .code DISABLE_TLS=yes .endd in &_Local/Makefile_&. -.wen If OpenSSL is installed, you should set .code @@ -1914,14 +1914,14 @@ TLS_LIBS=-lssl -lcrypto in &_Local/Makefile_&. You may also need to specify the locations of the OpenSSL library and include files. For example: .code -USE_OPENSL=yes +USE_OPENSSL=yes TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto TLS_INCLUDE=-I/usr/local/openssl/include/ .endd .cindex "pkg-config" "OpenSSL" If you have &'pkg-config'& available, then instead you can just use: .code -USE_OPENSL=yes +USE_OPENSSL=yes USE_OPENSSL_PC=openssl .endd .cindex "USE_GNUTLS" @@ -3963,8 +3963,7 @@ is sent to the sender, containing the text &"cancelled by administrator"&. Bounce messages are just discarded. This option can be used only by an admin user. -.new -.vitem &%-MG%&&~<&'queue&~name'&&~<&'message&~id'&>&~<&'message&~id'&>&~... +.vitem &%-MG%&&~<&'queue&~name'&>&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-MG%&" .cindex queue named .cindex "named queues" @@ -3975,7 +3974,6 @@ The destination queue name argument is required, but can be an empty string to define the default queue. If the messages are not currently located in the default queue, a &%-qG%& option will be required to define the source queue. -.wen .vitem &%-Mmad%&&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-Mmad%&" @@ -4385,6 +4383,17 @@ written. When &%-oX%& is used with &%-bd%&, or when &%-q%& with a time is used without &%-bd%&, this is the only way of causing Exim to write a pid file, because in those cases, the normal pid file is not used. +.new +.vitem &%-oPX%& +.oindex "&%-oPX%&" +.cindex "pid (process id)" "of daemon" +.cindex "daemon" "process id (pid)" +This option is not intended for general use. +The daemon uses it when terminating due to a SIGTEM, possibly in +combination with &%-oP%&&~<&'path'&>. +It causes the pid file to be removed. +.wen + .vitem &%-or%&&~<&'time'&> .oindex "&%-or%&" .cindex "timeout" "for non-SMTP input" @@ -6284,9 +6293,7 @@ remote_smtp: This transport is used for delivering messages over SMTP connections. The list of remote hosts comes from the router. The &%message_size_limit%& usage is a hack to avoid sending on messages -with over-long lines. The built-in macro _HAVE_DANE guards configuration -to use DANE for delivery; -see section &<>& for more details. +with over-long lines. The &%hosts_try_prdr%& option enables an efficiency SMTP option. It is negotiated between client and server and not expected to cause problems @@ -6765,13 +6772,10 @@ lookup types support only literal keys. the implicit key is the host's IP address rather than its name (see section &<>&). -.new &*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the IPv4, in dotted-quad form. (Exim converts IPv4-mapped IPv6 addresses to this notation before executing the lookup.) -.wen .next -.new .cindex lookup json .cindex json "lookup type" .cindex JSON expansions @@ -6788,7 +6792,6 @@ The final resulting element can be a simple JSON type or a JSON object or array; for the latter two a string-representation os the JSON is returned. For elements of type string, the returned value is de-quoted. -.wen .next .cindex "linear search" .cindex "lookup" "lsearch" @@ -8708,11 +8711,9 @@ recently implemented &(iplsearch)& files do require colons in IPv6 keys (notated using the quoting facility) so as to distinguish them from IPv4 keys. For this reason, when the lookup type is &(iplsearch)&, IPv6 addresses are converted using colons and not dots. -.new In all cases except IPv4-mapped IPv6, full, unabbreviated IPv6 addresses are always used. The latter are converted to IPv4 addresses, in dotted-quad form. -.wen Ideally, it would be nice to tidy up this anomalous situation by changing to colons in all cases, given that quoting is now available for &(lsearch)&. @@ -9233,12 +9234,10 @@ options for which string expansion is performed are marked with † after the data type. ACL rules always expand strings. A couple of expansion conditions do not expand some of the brace-delimited branches, for security reasons, -.new .cindex "tainted data" expansion .cindex expansion "tainted data" and expansion of data deriving from the sender (&"tainted data"&) is not permitted. -.wen @@ -9487,12 +9486,10 @@ object so that it doesn't reload the same object file in the same Exim process There may be from zero to eight arguments to the function. -.new When compiling a local function that is to be called in this way, first &_DLFUNC_IMPL_& should be defined, and second &_local_scan.h_& should be included. -.wen The Exim variables and functions that are defined by that API are also available for dynamically loaded functions. The function itself must have the following type: @@ -9602,10 +9599,8 @@ Matching of the key against the member names is done case-sensitively. For the &"json"& variant, if a returned value is a JSON string, it retains its leading and trailing quotes. -.new For the &"jsons"& variant, which is intended for use with JSON strings, the leading and trailing quotes are removed from the returned value. -.wen . XXX should be a UTF-8 compare The results of matching are handled as above. @@ -9656,10 +9651,8 @@ there is no choice of field separator. For the &"json"& variant, if a returned value is a JSON string, it retains its leading and trailing quotes. -.new For the &"jsons"& variant, which is intended for use with JSON strings, the leading and trailing quotes are removed from the returned value. -.wen .vitem &*${filter{*&<&'string'&>&*}{*&<&'condition'&>&*}}*& @@ -11006,14 +10999,12 @@ it as a 64-digit hexadecimal number, in which any letters are in upper case. If the string is a single variable of type certificate, returns the SHA-256 hash fingerprint of the certificate. -.new The operator can also be spelled &%sha2%& and does the same as &%sha256%& (except for certificates, which are not supported). Finally, if an underbar and a number is appended it specifies the output length, selecting a member of the SHA-2 family of hash functions. Values of 256, 384 and 512 are accepted, with 256 being the default. -.wen .vitem &*${sha3:*&<&'string'&>&*}*& &&& @@ -11400,7 +11391,6 @@ being processed, to enable these expansion items to be nested. To scan a named list, expand it with the &*listnamed*& operator. -.new .vitem "&*forall_json{*&<&'a JSON array'&>&*}{*&<&'a condition'&>&*}*&" &&& "&*forany_json{*&<&'a JSON array'&>&*}{*&<&'a condition'&>&*}*&" &&& "&*forall_jsons{*&<&'a JSON array'&>&*}{*&<&'a condition'&>&*}*&" &&& @@ -11416,7 +11406,6 @@ be a JSON array. The array separator is not changeable. For the &"jsons"& variants the elements are expected to be JSON strings and have their quotes removed before the evaluation of the condition. -.wen @@ -12096,14 +12085,12 @@ contain the trailing slash. If &$config_file$& does not contain a slash, .vindex "&$config_file$&" The name of the main configuration file Exim is using. -.new .vitem &$dmarc_domain_policy$& &&& &$dmarc_status$& &&& &$dmarc_status_text$& &&& &$dmarc_used_domains$& Results of DMARC verification. For details see section &<>&. -.wen .vitem &$dkim_verify_status$& Results of DKIM verification. @@ -12798,7 +12785,6 @@ or if not set, the value of &$qualify_domain$&. .cindex queues named The name of the spool queue in use; empty for the default queue. -.new .vitem &$r_...$& .vindex &$r_...$& .cindex router variables @@ -12806,7 +12792,6 @@ Values can be placed in these variables by the &%set%& option of a router. They can be given any name that starts with &$r_$&. The values persist for the address being handled through subsequent routers and the eventual transport. -.wen .vitem &$rcpt_count$& .vindex "&$rcpt_count$&" @@ -13370,9 +13355,7 @@ or a &%def%& condition. &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used for &%tls_certificate%&, this variable is not reliable. -.new The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. -.wen .vitem &$tls_in_peercert$& .vindex "&$tls_in_peercert$&" @@ -13429,11 +13412,9 @@ The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during m but in the context of an outward SMTP delivery taking place via the &(smtp)& transport becomes the same as &$tls_out_cipher$&. -.new .vitem &$tls_in_cipher_std$& .vindex "&$tls_in_cipher_std$&" As above, but returning the RFC standard name for the cipher suite. -.wen .vitem &$tls_out_cipher$& .vindex "&$tls_out_cipher$&" @@ -13443,11 +13424,9 @@ and then set to the outgoing cipher suite if one is negotiated. See chapter &<>& for details of TLS support and chapter &<>& for details of the &(smtp)& transport. -,new .vitem &$tls_out_cipher_std$& .vindex "&$tls_out_cipher_std$&" As above, but returning the RFC standard name for the cipher suite. -.wen .vitem &$tls_out_dane$& .vindex &$tls_out_dane$& @@ -13522,6 +13501,17 @@ the transport. .vindex &$tls_out_tlsa_usage$& Bitfield of TLSA record types found. See section &<>&. +.vitem &$tls_in_ver$& +.vindex "&$tls_in_ver$&" +When a message is received from a remote host over an encrypted SMTP connection +this variable is set to the protocol version, eg &'TLS1.2'&. + +.vitem &$tls_out_ver$& +.vindex "&$tls_out_ver$&" +When a message is being delivered to a remote host over an encrypted SMTP connection +this variable is set to the protocol version. + + .vitem &$tod_bsdinbox$& .vindex "&$tod_bsdinbox$&" The time of day and the date, in the format required for BSD-style mailbox @@ -14666,8 +14656,10 @@ received. See chapter &<>& for further details. .option add_environment main "string list" empty .cindex "environment" "set values" -This option allows to set individual environment variables that the -currently linked libraries and programs in child processes use. +This option adds individual environment variables that the +currently linked libraries and programs in child processes may use. +Each list element should be of the form &"name=value"&. + See &<>& for the environment of &(pipe)& transports. .option admin_groups main "string list&!!" unset @@ -14718,11 +14710,9 @@ If it is set true, Exim's domain parsing function allows valid UTF-8 multicharacters to appear in domain name components, in addition to letters, digits, and hyphens. -.new If Exim is built with internationalization support and the SMTPUTF8 ESMTP option is in use (see chapter &<>&) this option can be left as default. -.wen Without that, if you want to look up such domain names in the DNS, you must also adjust the value of &%dns_check_names_pattern%& to match the extended form. A @@ -15133,15 +15123,21 @@ to handle IPv6 literal addresses. .new -.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1" +.option dkim_verify_hashes main "string list" "sha256 : sha512" .cindex DKIM "selecting signature algorithms" This option gives a list of hash types which are acceptable in signatures, +.wen and an order of processing. Signatures with algorithms not in the list will be ignored. -Note that the presence of sha1 violates RFC 8301. -Signatures using the rsa-sha1 are however (as of writing) still common. -The default inclusion of sha1 may be dropped in a future release. +Acceptable values include: +.code +sha1 +sha256 +sha512 +.endd + +Note that the acceptance of sha1 violates RFC 8301. .option dkim_verify_keytypes main "string list" "ed25519 : rsa" This option gives a list of key types which are acceptable in signatures, @@ -15151,7 +15147,6 @@ Signatures with algorithms not in the list will be ignored. .option dkim_verify_minimal main boolean false If set to true, verification of signatures will terminate after the first success. -.wen .option dkim_verify_signers main "domain list&!!" $dkim_signers .cindex DKIM "controlling calls to the ACL" @@ -15244,11 +15239,9 @@ domain matches this list. This is a fudge to help with name servers that give big delays or otherwise do not work for the AAAA record type. In due course, when the world's name servers have all been upgraded, there should be no need for this option. -.new Note that all lookups, including those done for verification, are affected; this will result in verify failure for IPv6 connections or ones using names only valid for IPv6 addresses. -.wen .option dns_retrans main time 0s @@ -15455,8 +15448,8 @@ used. See chapter &<>& for a discussion of security issues. .cindex "Exim version" .cindex customizing "version number" .cindex "version number of Exim" override -This option allows to override the &$version_number$&/&$exim_version$& Exim reports in -various places. Use with care, this may fool stupid security scanners. +This option overrides the &$version_number$&/&$exim_version$& that Exim reports in +various places. Use with care; this may fool stupid security scanners. .option extra_local_interfaces main "string list" unset @@ -16079,10 +16072,8 @@ when Exim is entered, so it can, for example, contain a reference to the host name. If no specific path is set for the log files at compile or runtime, or if the option is unset at runtime (i.e. &`log_file_path = `&) they are written in a sub-directory called &_log_& in Exim's spool directory. -.new A path must start with a slash. To send to syslog, use the word &"syslog"&. -.wen Chapter &<>& contains further details about Exim's logging, and section &<>& describes how the contents of &%log_file_path%& are used. If this string is fixed at your installation (contains no expansion @@ -16430,9 +16421,9 @@ interpreter. See chapter &<>& for details of its use. This option is available only when Exim is built with an embedded Perl interpreter. See chapter &<>& for details of its use. -.option perl_startup main boolean false +.option perl_taintmode main boolean false .cindex "Perl" -This Option enables the taint mode of the embedded Perl interpreter. +This option enables the taint mode of the embedded Perl interpreter. .option pgsql_servers main "string list" unset @@ -16469,7 +16460,6 @@ for each SMTP command and response. When PIPELINING is advertised, Exim assumes that clients will use it; &"out of order"& commands that are &"expected"& do not count as protocol errors (see &%smtp_max_synprot_errors%&). -.new .option pipelining_connect_advertise_hosts main "host list&!!" * .cindex "pipelining" "early connection" .cindex "pipelining" PIPE_CONNECT @@ -16482,7 +16472,6 @@ When used, the pipelining saves on roundtrip times. See also the &%hosts_pipe_connect%& smtp transport option. Currently the option name &"X_PIPE_CONNECT"& is used. -.wen .option prdr_enable main boolean false @@ -16745,7 +16734,6 @@ used. If the expansion yields an empty string, no &'Received:'& header line is added to the message. Otherwise, the string should start with the text &"Received:"& and conform to the RFC 2822 specification for &'Received:'& header lines. -.new The default setting is: .code @@ -16756,6 +16744,7 @@ received_header_text = Received: \ ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ ${if def:received_protocol {with $received_protocol }}\ + ${if def:tls_ver { ($tls_ver)}}\ ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ @@ -16763,7 +16752,6 @@ received_header_text = Received: \ id $message_exim_id\ ${if def:received_for {\n\tfor $received_for}} .endd -.wen The reference to the TLS cipher is omitted when Exim is built without TLS support. The use of conditional expansions ensures that this works for both @@ -16942,12 +16930,6 @@ it qualifies them only if the message came from a host that matches &%sender_unqualified_hosts%&, or if the message was submitted locally (not using TCP/IP), and the &%-bnq%& option was not set. -.option add_environment main "string list" empty -.cindex "environment" -This option allows to add individual environment variables that the -currently linked libraries and programs in child processes use. The -default list is empty. - .option slow_lookup_log main integer 0 .cindex "logging" "slow lookups" @@ -17705,9 +17687,7 @@ separator in the usual way (&<>&) to avoid confusion under IP &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used, the &$tls_in_ourcert$& variable is unreliable. -.new The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. -.wen If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the @@ -17758,10 +17738,8 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -.new This option is ignored for GnuTLS version 3.6.0 and later. The library manages parameter negotiation internally. -.wen &*Note: The Exim Maintainers strongly recommend, for other TLS library versions, @@ -17860,21 +17838,14 @@ status proof for the server's certificate, as obtained from the Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). -.new The macro "_HAVE_TLS_OCSP" will be defined for those versions. -.wen -.new For OpenSSL 1.1.0 or later, and -.wen for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the &%tls_certificate%& option. The ordering of the two lists must match. -.new The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions. -.wen -.new The file(s) should be in DER format, except for GnuTLS 3.6.3 or later or for OpenSSL, @@ -17890,7 +17861,6 @@ Although GnuTLS will accept PEM files with multiple separate PEM blobs (ie. separate OCSP responses), it sends them in the TLS Certificate record interleaved with the certificates of the chain; although a GnuTLS client is happy with that, an OpenSSL client is not. -.wen .option tls_on_connect_ports main "string list" unset .cindex SSMTP @@ -18199,9 +18169,7 @@ file = ${extract{mailbox}{$address_data}} This makes the configuration file less messy, and also reduces the number of lookups (though Exim does cache lookups). -.new See also the &%set%& option below. -.wen .vindex "&$sender_address_data$&" .vindex "&$address_data$&" @@ -18984,7 +18952,6 @@ latter kind. This option controls whether the local part is used to form the key for retry hints for addresses that suffer temporary errors while being handled by this -.new router. The default value is true for any router that has any of &%check_local_user%&, &%local_parts%&, @@ -18993,7 +18960,6 @@ router. The default value is true for any router that has any of &%local_part_suffix%&, &%senders%& or &%require_files%& -.wen set, and false otherwise. Note that this option does not apply to hints keys for transport delays; they are controlled by a generic transport option of the same name. @@ -19130,7 +19096,6 @@ SMTP VRFY command is enabled, it must be used after MAIL if the sender address matters. -.new .option set routers "string list" unset .cindex router variables This option may be used multiple times on a router; @@ -19138,7 +19103,7 @@ because of this the list aspect is mostly irrelevant. The list separator is a semicolon but can be changed in the usual way. -Each list-element given must be of the form $"name = value"$ +Each list-element given must be of the form &"name = value"& and the names used must start with the string &"r_"&. Values containing a list-separator should have them doubled. When a router runs, the strings are evaluated in order, @@ -19149,11 +19114,10 @@ The variables can be used by the router options (not including any preconditions) and by the transport. Later definitions of a given named variable will override former ones. -Varible use is via the usual &$r_...$& syntax. +Variable use is via the usual &$r_...$& syntax. This is similar to the &%address_data%& option, except that many independent variables can be used, with choice of naming. -.wen .option translate_ip_address routers string&!! unset @@ -22936,14 +22900,12 @@ sometimes add other information onto the ends of message filenames. Section &<>& contains further information. -.new This option should not be used when other message-handling software may duplicate messages by making hardlinks to the files. When that is done Exim will count the message size once for each filename, in contrast with the actual disk usage. When the option is not set, calculating total usage requires a system-call per file to get the size; the number of links is then available also as is used to adjust the effective size. -.wen .option quota_warn_message appendfile string&!! "see below" @@ -24762,7 +24724,6 @@ facilities such as AUTH, PIPELINING, SIZE, and STARTTLS. Exim will not use the SMTP PIPELINING extension when delivering to any host that matches this list, even if the server host advertises PIPELINING support. -.new .option hosts_pipe_connect smtp "host list&!!" unset .cindex "pipelining" "early connection" .cindex "pipelining" PIPE_CONNECT @@ -24786,7 +24747,6 @@ A check is made for the use of that variable, without the presence of a &"def:"& test on it, but suitably complex coding can avoid the check and produce unexpected results. You have been warned. -.wen .option hosts_avoid_tls smtp "host list&!!" unset @@ -24827,7 +24787,6 @@ been started will not be passed to a new delivery process for sending another message on the same connection. See section &<>& for an explanation of when this might be needed. -.new .option hosts_noproxy_tls smtp "host list&!!" unset .cindex "TLS" "passing connection" .cindex "multiple SMTP deliveries" @@ -24835,7 +24794,6 @@ explanation of when this might be needed. For any host that matches this list, a TLS session which has been started will not be passed to a new delivery process for sending another message on the same session. -.wen The traditional implementation closes down TLS and re-starts it in the new process, on the same open TCP connection, for each successive message @@ -24930,6 +24888,9 @@ unauthenticated. See also &%hosts_require_auth%&, and chapter .cindex "RFC 3030" "CHUNKING" This option provides a list of servers to which, provided they announce CHUNKING support, Exim will attempt to use BDAT commands rather than DATA. +.new +Unless DKIM signing is being done, +.wen BDAT will not be used in conjunction with a transport filter. .option hosts_try_dane smtp "host list&!!" * @@ -26486,10 +26447,8 @@ authentication mechanism (RFC 2195), and the second provides an interface to the Cyrus SASL authentication library. The third is an interface to Dovecot's authentication system, delegating the work via a socket interface. -.new The fourth provides for negotiation of authentication done via non-SMTP means, as defined by RFC 4422 Appendix A. -.wen The fifth provides an interface to the GNU SASL authentication library, which provides mechanisms but typically not data sources. The sixth provides direct access to Heimdal GSSAPI, geared for Kerberos, but @@ -26914,7 +26873,19 @@ security risk; you are strongly advised to insist on the use of SMTP encryption use unencrypted plain text, you should not use the same passwords for SMTP connections as you do for login accounts. -.section "Plaintext options" "SECID171" +.section "Avoiding cleartext use" "SECTplain_TLS" +The following generic option settings will disable &(plaintext)& authenticators when +TLS is not being used: +.code + server_advertise_condition = ${if def:tls_in_cipher } + client_condition = ${if def:tls_out_cipher} +.endd + +&*Note*&: a plaintext SMTP AUTH done inside TLS is not vulnerable to casual snooping, +but is still vulnerable to a Man In The Middle attack unless certificates +(including their names) have been properly verified. + +.section "Plaintext server options" "SECID171" .cindex "options" "&(plaintext)& authenticator (server)" When configured as a server, &(plaintext)& uses the following options: @@ -26922,7 +26893,7 @@ When configured as a server, &(plaintext)& uses the following options: This is actually a global authentication option, but it must be set in order to configure the &(plaintext)& driver as a server. Its use is described below. -.option server_prompts plaintext string&!! unset +.option server_prompts plaintext "string list&!!" unset The contents of this option, after expansion, must be a colon-separated list of prompt strings. If expansion fails, a temporary authentication rejection is given. @@ -27465,9 +27436,11 @@ This should have meant that certificate identity and verification becomes a non-issue, as a man-in-the-middle attack will cause the correct client and server to see different identifiers and authentication will fail. -This is currently only supported when using the GnuTLS library. This is +.new +This is only usable by mechanisms which support "channel binding"; at time of writing, that's the SCRAM family. +.wen This defaults off to ensure smooth upgrade across Exim releases, in case this option causes some clients to start failing. Some future release @@ -27838,11 +27811,10 @@ of your configured trust-anchors (which usually means the full set of public CAs) and which has a mail-SAN matching the claimed identity sent by the client. -Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN, +&*Note*&: up to TLS1.2, the client cert is on the wire in-clear, including the SAN. The account name is therefore guessable by an opponent. TLS 1.3 protects both server and client certificates, and is not vulnerable in this way. -Likewise, a traditional plaintext SMTP AUTH done inside TLS is not. .section "Using external in a client" "SECTexternclient" @@ -28055,14 +28027,20 @@ There is also a &%-tls-on-connect%& command line option. This overrides .section "OpenSSL vs GnuTLS" "SECTopenvsgnu" .cindex "TLS" "OpenSSL &'vs'& GnuTLS" -The first TLS support in Exim was implemented using OpenSSL. Support for GnuTLS -followed later, when the first versions of GnuTLS were released. To build Exim -to use GnuTLS, you need to set +TLS is supported in Exim using either the OpenSSL or GnuTLS library. +To build Exim to use OpenSSL you need to set +.code +USE_OPENSSL=yes +.endd +in Local/Makefile. + +To build Exim to use GnuTLS, you need to set .code USE_GNUTLS=yes .endd -in Local/Makefile -you must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the +in Local/Makefile. + +You must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the include files and libraries for GnuTLS can be found. There are some differences in usage when using GnuTLS instead of OpenSSL: @@ -28619,12 +28597,10 @@ transport provide the client with a certificate, which is passed to the server if it requests it. If the server is Exim, it will request a certificate only if &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client. -.new -Do not use a certificate which has the OCSP-must-staple extension, +&*Note*&: Do not use a certificate which has the OCSP-must-staple extension, for client use (they are usable for server use). -As TLS has no means for the client to staple before TLS 1.3 it will result +As the TLS protocol has no means for the client to staple before TLS 1.3 it will result in failed connections. -.wen If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it specifies a collection of expected server certificates. @@ -29046,7 +29022,7 @@ those who use &%hosts_require_ocsp%&, should consider the interaction with DANE For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%& and &%dane_require_tls_ciphers%&. -The require variant will result in failure if the target host is not +The &"require"& variant will result in failure if the target host is not DNSSEC-secured. To get DNSSEC-secured hostname resolution, use the &%dnssec_request_domains%& router or transport option. @@ -29079,7 +29055,7 @@ If DANE is not usable, whether requested or not, and CA-anchored verification evaluation is wanted, the above variables should be set appropriately. The router and transport option &%dnssec_request_domains%& must not be -set to "never" and &%dnssec_require_domains%& is ignored. +set to &"never"&, and &%dnssec_require_domains%& is ignored. If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane". @@ -30398,6 +30374,13 @@ This control turns off DKIM verification processing entirely. For details on the operation and configuration of DKIM, see section &<>&. +.vitem &*control&~=&~dmarc_disable_verify*& +.cindex "disable DMARC verify" +.cindex "DMARC" "disable verify" +This control turns off DMARC verification processing entirely. For details on +the operation and configuration of DMARC, see section &<>&. + + .vitem &*control&~=&~dscp/*&<&'value'&> .cindex "&ACL;" "setting DSCP value" .cindex "DSCP" "inbound" @@ -31141,10 +31124,8 @@ case-sensitively; domains are checked case-insensitively. If &'Resent-To:'& or &'Resent-Cc:'& header lines exist, they are also checked. This condition can be used only in a DATA or non-SMTP ACL. -.new There is one possible option, &`case_insensitive`&. If this is present then local parts are checked case-insensitively. -.wen There are, of course, many legitimate messages that make use of blind (bcc) recipients. This check should not be used on its own for blocking messages. @@ -32752,14 +32733,12 @@ It supports a &"generic"& interface to scanners called via the shell, and specialized interfaces for &"daemon"& type virus scanners, which are resident in memory and thus are much faster. -.new Since message data needs to have arrived, the condition may be only called in ACL defined by &%acl_smtp_data%&, &%acl_smtp_data_prdr%&, &%acl_smtp_mime%& or &%acl_smtp_dkim%& -.wen A timeout of 2 minutes is applied to a scanner call (by default); if it expires then a defer action is taken. @@ -33669,7 +33648,12 @@ directory, so you might set HAVE_LOCAL_SCAN=yes LOCAL_SCAN_SOURCE=Local/local_scan.c .endd -for example. The function must be called &[local_scan()]&. It is called by +for example. The function must be called &[local_scan()]&; +.new +the source file(s) for it should first #define LOCAL_SCAN +and then #include "local_scan.h". +.wen +It is called by Exim after it has received a message, when the success return code is about to be sent. This is after all the ACLs have been run. The return code from your function controls whether the message is actually accepted or not. There is a @@ -34299,8 +34283,8 @@ with translation. This function is used in conjunction with &'smtp_printf()'&, as described below. -.vitem &*void&~smtp_printf(char&~*,&~...)*& -The arguments of this function are like &[printf()]&; it writes to the SMTP +.vitem &*void&~smtp_printf(char&~*,BOOL,&~...)*& +The arguments of this function are almost like &[printf()]&; it writes to the SMTP output stream. You should use this function only when there is an SMTP output stream, that is, when the incoming message is being received via interactive SMTP. This is the case when &%smtp_input%& is TRUE and &%smtp_batched_input%& @@ -34312,6 +34296,15 @@ is involved. If an SMTP TLS connection is established, &'smtp_printf()'& uses the TLS output function, so it can be used for all forms of SMTP connection. +The second argument is used to request that the data be buffered +(when TRUE) or flushed (along with any previously buffered, when FALSE). +This is advisory only, but likely to save on system-calls and packets +sent when a sequence of calls to the function are made. + +The argument was added in Exim version 4.90 - changing the API/ABI. +Nobody noticed until 4.93 was imminent, at which point the +ABI version number was incremented. + Strings that are written by &'smtp_printf()'& from within &[local_scan()]& must start with an appropriate response code: 550 if you are going to return LOCAL_SCAN_REJECT, 451 if you are going to return @@ -34329,7 +34322,9 @@ the data returned via the &%return_text%& argument. The added value of using multiple output lines. The &'smtp_printf()'& function does not return any error indication, because it -does not automatically flush pending output, and therefore does not test +does not +guarantee a flush of +pending output, and therefore does not test the state of the stream. (In the main code of Exim, flushing and error detection is done when Exim is ready for the next SMTP input command.) If you want to flush the output and check for an error (for example, the @@ -34337,12 +34332,18 @@ dropping of a TCP/IP connection), you can call &'smtp_fflush()'&, which has no arguments. It flushes the output stream, and returns a non-zero value if there is an error. -.vitem &*void&~*store_get(int)*& +.new +.vitem &*void&~*store_get(int,BOOL)*& This function accesses Exim's internal store (memory) manager. It gets a new -chunk of memory whose size is given by the argument. Exim bombs out if it ever +chunk of memory whose size is given by the first argument. +The second argument should be given as TRUE if the memory will be used for +data possibly coming from an attacker (eg. the message content), +FALSE if it is locally-sourced. +Exim bombs out if it ever runs out of memory. See the next section for a discussion of memory handling. +.wen -.vitem &*void&~*store_get_perm(int)*& +.vitem &*void&~*store_get_perm(int,BOOL)*& This function is like &'store_get()'&, but it always gets memory from the permanent pool. See the next section for a discussion of memory handling. @@ -37609,7 +37610,6 @@ connection is unexpectedly dropped. &%millisec%&: Timestamps have a period and three decimal places of finer granularity appended to the seconds value. .next -.new .cindex "log" "message id" &%msg_id%&: The value of the Message-ID: header. .next @@ -37617,7 +37617,6 @@ appended to the seconds value. This will be either because the message is a bounce, or was submitted locally (submission mode) without one. The field identifier will have an asterix appended: &"id*="&. -.wen .next .cindex "log" "outgoing interface" .cindex "log" "local interface" @@ -37654,13 +37653,11 @@ The field is a single "L". On accept lines, where PIPELINING was offered but not used by the client, the field has a minus appended. -.new .cindex "pipelining" "early connection" If Exim is built with the SUPPORT_PIPE_CONNECT build option accept "L" fields have a period appended if the feature was offered but not used, or an asterisk appended if used. Delivery "L" fields have an asterisk appended if used. -.wen .next .cindex "log" "queue run" @@ -38018,10 +38015,8 @@ Match only frozen messages. .vitem &*-x*& Match only non-frozen messages. -.new .vitem &*-G*&&~<&'queuename'&> Match only messages in the given queue. Without this, the default queue is searched. -.wen .endlist The following options control the format of the output: @@ -39709,10 +39704,8 @@ was received from the client, this records the Distinguished Name from that certificate. .endlist -.new Any of the above may have an extra hyphen prepended, to indicate the the corresponding data is untrusted. -.wen Following the options there is a list of those addresses to which the message is not to be delivered. This set of addresses is initialized from the command @@ -39902,9 +39895,7 @@ These options take (expandable) strings as arguments. The domain(s) you want to sign with. After expansion, this can be a list. Each element in turn, -.new lowercased, -.wen is put into the &%$dkim_domain%& expansion variable while expanding the remaining signing options. If it is empty after expansion, DKIM signing is not done, @@ -39959,9 +39950,7 @@ Signers MUST use RSA keys of at least 1024 bits for all keys. Signers SHOULD use RSA keys of at least 2048 bits. .endd -.new EC keys for DKIM are defined by RFC 8463. -.wen They are considerably smaller than RSA keys for equivalent protection. As they are a recent development, users should consider dual-signing (by setting a list of selectors, and an expansion for this option) @@ -39981,12 +39970,10 @@ openssl pkey -outform DER -pubout -in dkim_ed25519.private | tail -c +13 | base6 certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64 .endd -.new Exim also supports an alternate format of Ed25519 keys in DNS which was a candidate during development of the standard, but not adopted. A future release will probably drop that support. -.wen .option dkim_hash smtp string&!! sha256 Can be set to any one of the supported hash methods, which are: @@ -40060,22 +40047,18 @@ RFC 6376 lists these tags as RECOMMENDED. Verification of DKIM signatures in SMTP incoming email is done for all messages for which an ACL control &%dkim_disable_verify%& has not been set. -.new .cindex DKIM "selecting signature algorithms" Individual classes of signature algorithm can be ignored by changing the main options &%dkim_verify_hashes%& or &%dkim_verify_keytypes%&. The &%dkim_verify_minimal%& option can be set to cease verification processing for a message once the first passing signature is found. -.wen .cindex authentication "expansion item" Performing verification sets up information used by the &%authresults%& expansion item. -.new For most purposes the default option settings suffice and the remainder of this section can be ignored. -.wen The results of verification are made available to the &%acl_smtp_dkim%& ACL, which can examine and modify them. @@ -40122,13 +40105,11 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers If a domain or identity is listed several times in the (expanded) value of &%dkim_verify_signers%&, the ACL is only called once for that domain or identity. -.new Note that if the option is set using untrustworthy data (such as the From: header) care should be taken to force lowercase for domains and for the domain part if identities. The default setting can be regarded as trustworthy in this respect. -.wen If multiple signatures match a domain (or identity), the ACL is called once for each matching signature. @@ -40230,10 +40211,8 @@ algorithms (currently, rsa-sha1) have permanently failed evaluation To enforce this you must either have a DKIM ACL which checks this variable and overwrites the &$dkim_verify_status$& variable as discussed above, -.new or have set the main option &%dkim_verify_hashes%& to exclude processing of such signatures. -.wen .vitem &%$dkim_canon_body%& The body canonicalization method. One of 'relaxed' or 'simple'. @@ -40505,9 +40484,7 @@ would relax host matching rules to a broader network range. .cindex lookup spf A lookup expansion is also available. It takes an email address as the key and an IP address -.new (v4 or v6) -.wen as the database: .code @@ -40521,7 +40498,6 @@ The lookup will return the same result strings as can appear in -.new .section DMARC SECDMARC .cindex DMARC verification @@ -40536,7 +40512,7 @@ the libopendmarc library is used. For building Exim yourself, obtain the library from &url(http://sourceforge.net/projects/opendmarc/) -to obtain a copy, or find it in your favorite rpm package +to obtain a copy, or find it in your favorite package repository. You will need to attend to the local/Makefile feature SUPPORT_DMARC and the associated LDFLAGS addition. This description assumes @@ -40592,7 +40568,7 @@ non-authenticated user. It makes sense to only verify DMARC status of messages coming from remote, untrusted sources. You can use standard conditions such as hosts, senders, etc, to decide that DMARC verification should *not* be performed for them and disable -DMARC with a control setting: +DMARC with an ACL control modifier: .code control = dmarc_disable_verify .endd @@ -40603,15 +40579,15 @@ results in unintended information leakage (what lists a user might be subscribed to, etc). You must configure exim to submit forensic reports to the owner of the domain. If the DMARC record contains a forensic address and you specify the control statement below, then -exim will send these forensic emails. It's also advised that you -configure a dmarc_forensic_sender because the default sender address +exim will send these forensic emails. It is also advised that you +configure a &%dmarc_forensic_sender%& because the default sender address construction might be inadequate. .code control = dmarc_enable_forensic .endd (AGAIN: You can choose not to send these forensic reports by simply not putting the dmarc_enable_forensic control line at any point in -your exim config. If you don't tell it to send them, it will not +your exim config. If you don't tell exim to send them, it will not send them.) There are no options to either control. Both must appear before @@ -40620,14 +40596,14 @@ the DATA acl. . subsection DMARC checks cam be run on incoming SMTP messages by using the -"dmarc_status" ACL condition in the DATA ACL. You are required to -call the "spf" condition first in the ACLs, then the "dmarc_status" +&"dmarc_status"& ACL condition in the DATA ACL. You are required to +call the &"spf"& condition first in the ACLs, then the &"dmarc_status"& condition. Putting this condition in the ACLs is required in order for a DMARC check to actually occur. All of the variables are set up before the DATA ACL, but there is no actual DMARC check that -occurs until a "dmarc_status" condition is encountered in the ACLs. +occurs until a &"dmarc_status"& condition is encountered in the ACLs. -The dmarc_status condition takes a list of strings on its +The &"dmarc_status"& condition takes a list of strings on its right-hand side. These strings describe recommended action based on the DMARC check. To understand what the policy recommendations mean, refer to the DMARC website above. Valid strings are: @@ -40660,28 +40636,30 @@ Several expansion variables are set before the DATA ACL is processed, and you can use them in this ACL. The following expansion variables are available: -&$dmarc_status$& +.vlist +.vitem &$dmarc_status$& .vindex &$dmarc_status$& .cindex DMARC result -is a one word status indicating what the DMARC library +A one word status indicating what the DMARC library thinks of the email. It is a combination of the results of DMARC record lookup and the SPF/DKIM/DMARC processing results (if a DMARC record was found). The actual policy declared in the DMARC record is in a separate expansion variable. -&$dmarc_status_text$& +.vitem &$dmarc_status_text$& .vindex &$dmarc_status_text$& -is a slightly longer, human readable status. +Slightly longer, human readable status. -&$dmarc_used_domain$& +.vitem &$dmarc_used_domain$& .vindex &$dmarc_used_domain$& -is the domain which DMARC used to look up the DMARC policy record. +The domain which DMARC used to look up the DMARC policy record. -&$dmarc_domain_policy$& +.vitem &$dmarc_domain_policy$& .vindex &$dmarc_domain_policy$& -is the policy declared in the DMARC record. Valid values +The policy declared in the DMARC record. Valid values are "none", "reject" and "quarantine". It is blank when there is any error, including no DMARC record. +.endlist . subsection @@ -40696,7 +40674,7 @@ processing or failure delivery issues). In order to log statistics suitable to be imported by the opendmarc tools, you need to: .ilist -Configure the global setting dmarc_history_file +Configure the global option &%dmarc_history_file%& .next Configure cron jobs to call the appropriate opendmarc history import scripts and truncating the dmarc_history_file @@ -40704,7 +40682,7 @@ import scripts and truncating the dmarc_history_file In order to send forensic reports, you need to: .ilist -Configure the global setting dmarc_forensic_sender +Configure the global option &%dmarc_forensic_sender%& .next Configure, somewhere before the DATA ACL, the control option to enable sending DMARC forensic reports @@ -40750,7 +40728,6 @@ Example usage: warn add_header = :at_start:${authresults {$primary_hostname}} .endd -.wen @@ -41079,9 +41056,7 @@ Events have names which correspond to the point in process at which they fire. The name is placed in the variable &$event_name$& and the event action expansion must check this, as it will be called for every possible event type. -.new The current list of events is: -.wen .display &`dane:fail after transport `& per connection &`msg:complete after main `& per message