X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/6219e0ec4a59a06b84eaabb6b3ae5d9e8f166672..00ac951dc593268b8f27a9c24c31e737644edd5a:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 5acdce0a6..4fa87ff9e 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1886,11 +1886,10 @@ to your &_Local/Makefile_& and rebuild Exim. .section "Including TLS/SSL encryption support" "SECTinctlsssl" .cindex "TLS" "including support for TLS" .cindex "encryption" "including support for" -.cindex "SUPPORT_TLS" .cindex "OpenSSL" "building Exim with" .cindex "GnuTLS" "building Exim with" -Exim can be built to support encrypted SMTP connections, using the STARTTLS -command as per RFC 2487. It can also support legacy clients that expect to +Exim is usually built to support encrypted SMTP connections, using the STARTTLS +command as per RFC 2487. It can also support clients that expect to start a TLS session immediately on connection to a non-standard port (see the &%tls_on_connect_ports%& runtime option and the &%-tls-on-connect%& command line option). @@ -1899,35 +1898,41 @@ If you want to build Exim with TLS support, you must first install either the OpenSSL or GnuTLS library. There is no cryptographic code in Exim itself for implementing SSL. +.new +If you do not want TLS support you should set +.code +DISABLE_TLS=yes +.endd +in &_Local/Makefile_&. +.wen + If OpenSSL is installed, you should set .code -SUPPORT_TLS=yes +USE_OPENSL=yes TLS_LIBS=-lssl -lcrypto .endd in &_Local/Makefile_&. You may also need to specify the locations of the OpenSSL library and include files. For example: .code -SUPPORT_TLS=yes +USE_OPENSL=yes TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto TLS_INCLUDE=-I/usr/local/openssl/include/ .endd .cindex "pkg-config" "OpenSSL" If you have &'pkg-config'& available, then instead you can just use: .code -SUPPORT_TLS=yes +USE_OPENSL=yes USE_OPENSSL_PC=openssl .endd .cindex "USE_GNUTLS" If GnuTLS is installed, you should set .code -SUPPORT_TLS=yes USE_GNUTLS=yes TLS_LIBS=-lgnutls -ltasn1 -lgcrypt .endd in &_Local/Makefile_&, and again you may need to specify the locations of the library and include files. For example: .code -SUPPORT_TLS=yes USE_GNUTLS=yes TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt TLS_INCLUDE=-I/usr/gnu/include @@ -1935,7 +1940,6 @@ TLS_INCLUDE=-I/usr/gnu/include .cindex "pkg-config" "GnuTLS" If you have &'pkg-config'& available, then instead you can just use: .code -SUPPORT_TLS=yes USE_GNUTLS=yes USE_GNUTLS_PC=gnutls .endd @@ -6109,9 +6113,6 @@ dnslookup: domains = ! +local_domains transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 -.ifdef _HAVE_DNSSEC - dnssec_request_domains = * -.endif no_more .endd The &%domains%& option behaves as per smarthost, above. @@ -6262,9 +6263,6 @@ Two remote transports and four local transports are defined. remote_smtp: driver = smtp message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} -.ifdef _HAVE_DANE - hosts_try_dane = * -.endif .ifdef _HAVE_PRDR hosts_try_prdr = * .endif @@ -7331,7 +7329,7 @@ with the lookup. With &"strict"& a response from the DNS resolver that is not labelled as authenticated data is treated as equivalent to a temporary DNS error. -The default is &"never"&. +The default is &"lax"&. See also the &$lookup_dnssec_authenticated$& variable. @@ -9377,7 +9375,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f .cindex headers "authentication-results:" .cindex authentication "expansion item" This item returns a string suitable for insertion as an -&'Authentication-Results"'& +&'Authentication-Results:'& header line. The given <&'authserv-id'&> is included in the result; typically this will be a domain name identifying the system performing the authentications. @@ -13353,6 +13351,9 @@ or a &%def%& condition. &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used for &%tls_certificate%&, this variable is not reliable. +.new +The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. +.wen .vitem &$tls_in_peercert$& .vindex "&$tls_in_peercert$&" @@ -16459,6 +16460,8 @@ and from which pipeline early-connection (before MAIL) SMTP commands are acceptable. When used, the pipelining saves on roundtrip times. +See also the &%hosts_pipe_connect%& smtp transport option. + Currently the option name &"X_PIPE_CONNECT"& is used. .wen @@ -17683,9 +17686,9 @@ separator in the usual way (&<>&) to avoid confusion under IP &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used, the &$tls_in_ourcert$& variable is unreliable. - -&*Note*&: OCSP stapling is not usable under OpenSSL -when a list of more than one file is used. +.new +The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. +.wen If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the @@ -17736,7 +17739,14 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -&*Note: The Exim Maintainers strongly recommend using a filename with site-generated +.new +This option is ignored for GnuTLS version 3.6.0 and later. +The library manages parameter negotiation internally. +.wen + +&*Note: The Exim Maintainers strongly recommend, +for other TLS library versions, +using a filename with site-generated local DH parameters*&, which has been supported across all versions of Exim. The other specific constants available are a fallback so that even when "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS. @@ -17831,12 +17841,37 @@ status proof for the server's certificate, as obtained from the Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). +.new +The macro "_HAVE_TLS_OCSP" will be defined for those versions. +.wen -For GnuTLS 3.5.6 or later the expanded value of this option can be a list +.new +For OpenSSL 1.1.0 or later, and +.wen +for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the &%tls_certificate%& option. The ordering of the two lists must match. +.new +The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions. +.wen -The file(s) should be in DER format +.new +The file(s) should be in DER format, +except for GnuTLS 3.6.3 or later +or for OpenSSL, +when an optional filetype prefix can be used. +The prefix must be one of "DER" or "PEM", followed by +a single space. If one is used it sets the format for subsequent +files in the list; the initial format is DER. +If multiple proofs are wanted, for multiple chain elements +(this only works under TLS1.3) +they must be coded as a combined OCSP response. + +Although GnuTLS will accept PEM files with multiple separate +PEM blobs (ie. separate OCSP responses), it sends them in the +TLS Certificate record interleaved with the certificates of the chain; +although a GnuTLS client is happy with that, an OpenSSL client is not. +.wen .option tls_on_connect_ports main "string list" unset .cindex SSMTP @@ -18354,7 +18389,7 @@ or for any deliveries caused by this router. You should not set this option unless you really, really know what you are doing. See also the generic transport option of the same name. -.option dnssec_request_domains routers "domain list&!!" unset +.option dnssec_request_domains routers "domain list&!!" * .cindex "MX record" "security" .cindex "DNSSEC" "MX lookup" .cindex "security" "MX lookup" @@ -24543,7 +24578,7 @@ See the &%search_parents%& option in chapter &<>& for more details. -.option dnssec_request_domains smtp "domain list&!!" unset +.option dnssec_request_domains smtp "domain list&!!" * .cindex "MX record" "security" .cindex "DNSSEC" "MX lookup" .cindex "security" "MX lookup" @@ -24722,6 +24757,8 @@ When used, the pipelining saves on roundtrip times. It also turns SMTP into a client-first protocol so combines well with TCP Fast Open. +See also the &%pipelining_connect_advertise_hosts%& main option. + Note: When the facility is used, the transport &%helo_data%& option will be expanded before the &$sending_ip_address$& variable @@ -28005,11 +28042,8 @@ to use GnuTLS, you need to set .code USE_GNUTLS=yes .endd -in Local/Makefile, in addition to -.code -SUPPORT_TLS=yes -.endd -You must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the +in Local/Makefile +you must also set TLS_LIBS and TLS_INCLUDE appropriately, so that the include files and libraries for GnuTLS can be found. There are some differences in usage when using GnuTLS instead of OpenSSL: @@ -29025,7 +29059,8 @@ If DANE is requested and useable (see above) the following transport options are If DANE is not usable, whether requested or not, and CA-anchored verification evaluation is wanted, the above variables should be set appropriately. -Currently the (router or transport options) &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored. +The router and transport option &%dnssec_request_domains%& must not be +set to "never" and &%dnssec_require_domains%& is ignored. If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane". @@ -40496,10 +40531,11 @@ defines the location of a text file of valid top level domains the opendmarc library uses during domain parsing. Maintained by Mozilla, the most current version can be downloaded -from a link at &url(http://publicsuffix.org/list/). +from a link at &url(https://publicsuffix.org/list/, currently pointing +at https://publicsuffix.org/list/public_suffix_list.dat) See also util/renew-opendmarc-tlds.sh script. -The default for the option is currently -/etc/exim/opendmarc.tlds +The default for the option is /etc/exim/opendmarc.tlds. + The &%dmarc_history_file%& option, if set .oindex &%dmarc_history_file%& @@ -41020,7 +41056,9 @@ Events have names which correspond to the point in process at which they fire. The name is placed in the variable &$event_name$& and the event action expansion must check this, as it will be called for every possible event type. +.new The current list of events is: +.wen .display &`dane:fail after transport `& per connection &`msg:complete after main `& per message @@ -41034,6 +41072,7 @@ The current list of events is: &`tcp:close after transport `& per connection &`tls:cert before both `& per certificate in verification chain &`smtp:connect after transport `& per connection +&`smtp:ehlo after transport `& per connection .endd New event types may be added in future. @@ -41060,6 +41099,7 @@ with the event type: &`msg:host:defer `& error string &`tls:cert `& verification chain depth &`smtp:connect `& smtp banner +&`smtp:ehlo `& smtp ehlo response .endd The :defer events populate one extra variable: &$event_defer_errno$&.