X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/2d27e55347ad123ceeb75f7d8c31d0edb66b09e4..f3d11401d1cf97be77dbaa3246e06d07809f48b5:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 534e1b8f3..3bd98cd71 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -8939,8 +8939,10 @@ a right angle-bracket followed immediately by the new separator. Recognised RDN type labels include "CN", "O", "OU" and "DC". The field selectors marked as "time" above -may output a number of seconds since epoch -if the modifier "int" is used. +take an optional modifier of "int" +for which the result is the number of seconds since epoch. +Otherwise the result is a human-readable string +in the timezone selected by the main "timezone" option. The field selectors marked as "list" above return a list, newline-separated by default, @@ -15062,16 +15064,21 @@ yourself in the foot in various unpleasant ways. This option should not be adjusted lightly. An unrecognised item will be detected at startup, by invoking Exim with the &%-bV%& flag. +The option affects Exim operating both as a server and as a client. + Historical note: prior to release 4.80, Exim defaulted this value to "+dont_insert_empty_fragments", which may still be needed for compatibility with some clients, but which lowers security by increasing exposure to some now infamous attacks. -An example: +Examples: .code # Make both old MS and old Eudora happy: openssl_options = -all +microsoft_big_sslv3_buffer \ +dont_insert_empty_fragments + +# Disable older protocol versions: +openssl_options = +no_sslv2 +no_sslv3 .endd Possible options may include: 
@@ -23274,7 +23281,7 @@ connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade. The Internet standards bodies strongly discourage use of this mode. -.option retry_include_ip_address smtp boolean true +.option retry_include_ip_address smtp boolean&!! true Exim normally includes both the host name and the IP address in the key it constructs for indexing retry data after a temporary delivery failure. This means that when one of several IP addresses for a host is failing, it gets @@ -23284,9 +23291,8 @@ addresses is not affected. However, in some dialup environments hosts are assigned a different IP address each time they connect. In this situation the use of the IP address as part of the retry key leads to undesirable behaviour. Setting this option false causes -Exim to use only the host name. This should normally be done on a separate -instance of the &(smtp)& transport, set up specially to handle the dialup -hosts. +Exim to use only the host name. +Since it is expanded it can be made to depend on the host or domain. .option serialize_hosts smtp "host list&!!" unset @@ -26131,7 +26137,8 @@ The GnuTLS library allows the caller to provide a "priority string", documented as part of the &[gnutls_priority_init]& function. This is very similar to the ciphersuite specification in OpenSSL. -The &%tls_require_ciphers%& option is treated as the GnuTLS priority string. +The &%tls_require_ciphers%& option is treated as the GnuTLS priority string +and controls both protocols and ciphers. The &%tls_require_ciphers%& option is available both as an global option, controlling how Exim behaves as a server, and also as an option of the 
@@ -26148,6 +26155,12 @@ installed on your system. If you are using GnuTLS 3, &url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string, then the example code) on that site can be used to test a given string. +For example: +.code +# Disable older versions of protocols +tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0 +.endd + Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and "&%gnutls_require_protocols%&". &%tls_require_ciphers%& was an Exim list.
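Review bot: in the hunk at @@ -8939 the new sentence "Otherwise the result is a human-readable string in the timezone selected by the main "timezone" option" does not say what format that string takes, so an administrator matching it in an ACL or condition cannot know what to compare against; suggest naming the format (for example by cross-referencing the section that defines Exim's standard date/time output) and, since the "int" form is the one suited to arithmetic and comparisons, stating that explicitly next to the modifier description.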
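Review bot: in the hunk at @@ -15062 the two examples under "Examples:" appear in one .code block as two "openssl_options =" settings, which reads as if both lines can be placed in the same configuration; since a main option cannot be set twice, the block should make clear these are alternatives (two separate .code blocks, or a comment such as "# or, alternatively:"). The first example also re-enables "+dont_insert_empty_fragments", which the historical note immediately above describes as lowering security; a comment on that example line ("# compatibility only; lowers security, see note above") would keep a reader from copying it as a recommended setting.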
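Review bot: in the hunk at @@ -23284 the replacement sentence "Since it is expanded it can be made to depend on the host or domain" drops the previous guidance about a separate &(smtp)& transport instance without giving the reader the replacement technique; suggest stating which variables are available when the option is expanded and showing a one-line condition, and also documenting what Exim does when the expansion fails or yields a non-boolean value, since a forced failure on a retry-key option silently changes retry behaviour.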
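Review bot: in the hunk at @@ -26131 the added clause "and controls both protocols and ciphers" is the important security point, but the unchanged context line two lines below still reads "available both as an global option"; while touching this paragraph, fix it to "a global option".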
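Review bot: in the hunk at @@ -26148 the comment "# Disable older versions of protocols" is broader than the string it labels: "NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0" removes only SSL 3.0, and "%LATEST_RECORD_VERSION" is a record-version flag rather than a protocol disable, so a reader may assume other old versions are also excluded; suggest a comment that says exactly what is removed ("# Disable SSL 3.0") and a pointer to the GnuTLS priority-string documentation cited just above for excluding further versions.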