X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/39fdec3c4a4b4c1cc60cd17413b096dd07344734..85e453f622a540ecc8c86b3817e8b85d8218c474:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index a92ac9151..1d4c39c6d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -27363,7 +27363,7 @@ but it is present in many binary distributions. .scindex IIDdcotauth1 "&(dovecot)& authenticator" .scindex IIDdcotauth2 "authenticators" "&(dovecot)&" This authenticator is an interface to the authentication facility of the -Dovecot POP/IMAP server, which can support a number of authentication methods. +Dovecot 2 POP/IMAP server, which can support a number of authentication methods. Note that Dovecot must be configured to use auth-client not auth-userdb. If you are using Dovecot to authenticate POP/IMAP clients, it might be helpful to use the same mechanisms for SMTP authentication. This is a server @@ -27394,6 +27394,29 @@ option is passed in the Dovecot authentication command. If, for a TLS connection, a client certificate has been verified, the &"valid-client-cert"& option is passed. When authentication succeeds, the identity of the user who authenticated is placed in &$auth1$&. + +.new +The Dovecot configuration to match the above wil look +something like: +.code +conf.d/10-master.conf :- + +service auth { +... +#SASL + unix_listener auth-client { + mode = 0660 + user = mail + } +... +} + +conf.d/10-auth.conf :- + +auth_mechanisms = plain login ntlm +.endd +.wen + .ecindex IIDdcotauth1 .ecindex IIDdcotauth2 @@ -27412,19 +27435,37 @@ who authenticated is placed in &$auth1$&. .cindex "authentication" "DIGEST-MD5" .cindex "authentication" "CRAM-MD5" .cindex "authentication" "SCRAM-SHA-1" -The &(gsasl)& authenticator provides server integration for the GNU SASL +The &(gsasl)& authenticator provides integration for the GNU SASL library and the mechanisms it provides. This is new as of the 4.80 release and there are a few areas where the library does not let Exim smoothly scale to handle future authentication mechanisms, so no guarantee can be made that any particular new authentication mechanism will be supported without code changes in Exim. -Exim's &(gsasl)& authenticator does not have client-side support at this -time; only the server-side support is implemented. Patches welcome. +.new +.option client_authz gsasl string&!! unset +This option can be used to supply an &'authorization id'& +which is different to the &'authentication_id'& provided +by &%client_username%& option. +If unset or (after expansion) empty it is not used, +which is the common case. + +.option client_channelbinding gsasl boolean false +See &%server_channelbinding%& below. + +.option client_password gsasl string&!! unset +This option is exapanded before use, and should result in +the password to be used, in clear. + +.option client_username gsasl string&!! unset +This option is exapanded before use, and should result in +the account name to be used. +.wen .option server_channelbinding gsasl boolean false -Do not set this true without consulting a cryptographic engineer. +Do not set this true and rely on the properties +without consulting a cryptographic engineer. Some authentication mechanisms are able to use external context at both ends of the session to bind the authentication to that context, and fail the @@ -27446,7 +27487,7 @@ This defaults off to ensure smooth upgrade across Exim releases, in case this option causes some clients to start failing. Some future release of Exim might have switched the default to be true. -However, Channel Binding in TLS has proven to be broken in current versions. +However, Channel Binding in TLS has proven to be vulnerable in current versions. Do not plan to rely upon this feature for security, ever, without consulting with a subject matter expert (a cryptographic engineer). @@ -41059,14 +41100,17 @@ Events have names which correspond to the point in process at which they fire. The name is placed in the variable &$event_name$& and the event action expansion must check this, as it will be called for every possible event type. +.new The current list of events is: +.wen .display &`dane:fail after transport `& per connection &`msg:complete after main `& per message +&`msg:defer after transport `& per message per delivery try &`msg:delivery after transport `& per recipient &`msg:rcpt:host:defer after transport `& per recipient per host &`msg:rcpt:defer after transport `& per recipient -&`msg:host:defer after transport `& per attempt +&`msg:host:defer after transport `& per host per delivery try; host errors &`msg:fail:delivery after transport `& per recipient &`msg:fail:internal after main `& per recipient &`tcp:connect before transport `& per connection @@ -41092,12 +41136,13 @@ An additional variable, &$event_data$&, is filled with information varying with the event type: .display &`dane:fail `& failure reason +&`msg:defer `& error string &`msg:delivery `& smtp confirmation message &`msg:fail:internal `& failure reason &`msg:fail:delivery `& smtp error message +&`msg:host:defer `& error string &`msg:rcpt:host:defer `& error string &`msg:rcpt:defer `& error string -&`msg:host:defer `& error string &`tls:cert `& verification chain depth &`smtp:connect `& smtp banner &`smtp:ehlo `& smtp ehlo response