X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/71e1673fc67e46389d29b88b2e8930f5294ea380..94a6bd0b2b09631dd89da8a91c972caf87b65271:/doc/doc-docbook/spec.xfpt
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c9bafdd74..6a1d7ce12 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -1,4 +1,4 @@
-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.64 2009/10/27 14:42:57 nm4 Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.72 2010/03/05 16:26:46 nm4 Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
@@ -48,7 +48,7 @@
. /////////////////////////////////////////////////////////////////////////////
.set previousversion "4.69"
-.set version "4.70"
+.set version "4.71"
.set ACL "access control lists (ACLs)"
.set I " "
@@ -172,15 +172,13 @@
Specification of the Exim Mail Transfer Agent
The Exim MTA
-27 October 2009
-PhilipHazel
-PH
-University of Cambridge Computing Service
-New Museums Site, Pembroke Street, Cambridge CB2 3QH, England
+5 November 2009
+EximMaintainers
+EM
- 4.70
- 27 October 2009
- PH
+ 4.71
+ 5 November 2009
+ EM
2009University of Cambridge
@@ -728,14 +726,12 @@ the Exim documentation, &"spool"& is always used in the first sense.
A number of pieces of external code are included in the Exim distribution.
.ilist
-.new
Regular expressions are supported in the main Exim program and in the
Exim monitor using the freely-distributable PCRE library, copyright
© University of Cambridge. The source to PCRE is no longer shipped with
Exim, so you will need to use the version of PCRE shipped with your system,
or obtain and install the full version of the library from
&url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre).
-.wen
.next
.cindex "cdb" "acknowledgment"
Support for the cdb (Constant DataBase) lookup method is provided by code
@@ -2223,14 +2219,12 @@ configuration. (If a default alias file is created, its name &'is'& modified.)
For backwards compatibility, ROOT is used if DESTDIR is not set,
but this usage is deprecated.
-.new
.cindex "installing Exim" "what is not installed"
Running &'make install'& does not copy the Exim 4 conversion script
&'convert4r4'&. You will probably run this only once if you are
upgrading from Exim 3. None of the documentation files in the &_doc_&
directory are copied, except for the info files when you have set
INFO_DIRECTORY, as described in section &<>& below.
-.wen
For the utility programs, old versions are renamed by adding the suffix &_.O_&
to their names. The Exim binary itself, however, is handled differently. It is
@@ -2993,13 +2987,11 @@ using one of the words &%router_list%&, &%transport_list%&, or
settings can be obtained by using &%routers%&, &%transports%&, or
&%authenticators%&.
-.new
.cindex "options" "macro &-- extracting"
If invoked by an admin user, then &%macro%&, &%macro_list%& and &%macros%&
are available, similarly to the drivers. Because macros are sometimes used
for storing passwords, this option is restricted.
The output format is one item per line.
-.wen
.vitem &%-bp%&
.oindex "&%-bp%&"
@@ -5897,11 +5889,9 @@ password are correct. In the examples it just produces an error message.
To make the authenticators work, you can use a string expansion
expression like one of the examples in &<>&.
-.new
Beware that the sequence of the parameters to PLAIN and LOGIN differ; the
usercode and password are in different positions. &<>&
covers both.
-.wen
.ecindex IIDconfiwal
@@ -5921,14 +5911,12 @@ regular expressions is discussed in many Perl reference books, and also in
Jeffrey Friedl's &'Mastering Regular Expressions'&, which is published by
O'Reilly (see &url(http://www.oreilly.com/catalog/regex2/)).
-.new
The documentation for the syntax and semantics of the regular expressions that
are supported by PCRE is included in the PCRE distribution, and no further
description is included here. The PCRE functions are called from Exim using
the default option settings (that is, with no PCRE options set), except that
the PCRE_CASELESS option is set when the matching is required to be
case-insensitive.
-.wen
In most cases, when a regular expression is required in an Exim configuration,
it has to start with a circumflex, in order to distinguish it from plain text
@@ -9591,6 +9579,17 @@ For single-key lookup types, no quoting is ever necessary and this operator
yields an unchanged string.
+.vitem &*${randint:*&<&'n'&>&*}*&
+.cindex "random number"
+This operator returns a somewhat random number which is less than the
+supplied number and is at least 0. The quality of this randomness depends
+on how Exim was built; the values are not suitable for keying material.
+If Exim is linked against OpenSSL then RAND_pseudo_bytes() is used.
+Otherwise, the implementation may be arc4random(), random() seeded by
+srandomdev() or srandom(), or a custom implementation even weaker than
+random().
+
+
.vitem &*${rfc2047:*&<&'string'&>&*}*&
.cindex "expansion" "RFC 2047"
.cindex "RFC 2047" "expansion operator"
@@ -9752,7 +9751,6 @@ lower case), signifying multiplication by 1024 or 1024*1024, respectively.
As a special case, the numerical value of an empty string is taken as
zero.
-.new
.vitem &*bool&~{*&<&'string'&>&*}*&
.cindex "expansion" "boolean parsing"
.cindex "&%bool%& expansion condition"
@@ -9768,7 +9766,6 @@ For example,
.code
${if bool{$acl_m_privileged_sender} ...
.endd
-.wen
.vitem &*crypteq&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
.cindex "expansion" "encrypted comparison"
@@ -10221,12 +10218,10 @@ configuration, you might have this:
.code
server_condition = ${if pwcheck{$auth1:$auth2}}
.endd
-.new
Again, for a PLAIN authenticator configuration, this would be:
.code
server_condition = ${if pwcheck{$auth2:$auth3}}
.endd
-.wen
.vitem &*queue_running*&
.cindex "queue runner" "detecting when delivering from"
.cindex "expansion" "queue runner test"
@@ -11013,12 +11008,10 @@ doing a delivery in maildir format, the value of &$message_size$& is the
precise size of the file that has been written. See also
&$message_body_size$&, &$body_linecount$&, and &$body_zerocount$&.
-.new
.cindex "RCPT" "value of &$message_size$&"
While running a per message ACL (mail/rcpt/predata), &$message_size$&
contains the size supplied on the MAIL command, or -1 if no size was given. The
value may not, of course, be truthful.
-.wen
.vitem &$mime_$&&'xxx'&
A number of variables whose names start with &$mime$& are
@@ -13384,12 +13377,10 @@ server. For details, see section &<>&.
This option controls the protocols when GnuTLS is used in an Exim
server. For details, see section &<>&.
-.new
.option gnutls_compat_mode main boolean unset
This option controls whether GnuTLS is used in compatibility mode in an Exim
server. This reduces security slightly, but improves interworking with older
implementations of TLS.
-.wen
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
@@ -13464,7 +13455,7 @@ to do more extensive checking of the data supplied by these commands. The ACL
condition &`verify = helo`& is provided to make this possible.
Formerly, it was necessary also to set this option (&%helo_try_verify_hosts%&)
to force the check to occur. From release 4.53 onwards, this is no longer
-necessary. If the check has not been done before &`verify`& &`=`& &`helo`& is
+necessary. If the check has not been done before &`verify = helo`& is
encountered, it is done at that time. Consequently, this option is obsolete.
Its specification is retained here for backwards compatibility.
@@ -13486,7 +13477,7 @@ available) yields the calling host address.
However, the EHLO or HELO command is not rejected if any of the checks
fail. Processing continues, but the result of the check is remembered, and can
-be detected later in an ACL by the &`verify`& &`=`& &`helo`& condition.
+be detected later in an ACL by the &`verify = helo`& condition.
.option helo_verify_hosts main "host list&!!" unset
.cindex "HELO verifying" "mandatory"
@@ -13542,8 +13533,8 @@ this check fails, Exim behaves as if the name lookup failed.
.vindex "&$sender_host_name$&"
After any kind of failure, the host name (in &$sender_host_name$&) remains
unset, and &$host_lookup_failed$& is set to the string &"1"&. See also
-&%dns_again_means_nonexist%&, &%helo_lookup_domains%&, and &`verify`& &`=`&
-&`reverse_host_lookup`& in ACLs.
+&%dns_again_means_nonexist%&, &%helo_lookup_domains%&, and
+&`verify = reverse_host_lookup`& in ACLs.
.option host_lookup_order main "string list" &`bydns:byaddr`&
@@ -17863,12 +17854,10 @@ redirection items of the form
:defer:
:fail:
.endd
-.new
respectively. When a redirection list contains such an item, it applies
to the entire redirection; any other items in the list are ignored. Any
text following &':fail:'& or &':defer:'& is placed in the error text
associated with the failure. For example, an alias file might contain:
-.wen
.code
X.Employee: :fail: Gone away, no forwarding address
.endd
@@ -19012,12 +19001,10 @@ destination. The process that writes the message to the filter, the
filter itself, and the original process that reads the result and delivers it
are all run in parallel, like a shell pipeline.
-.new
The filter can perform any transformations it likes, but of course should take
care not to break RFC 2822 syntax. Exim does not check the result, except to
test for a final newline when SMTP is in use. All messages transmitted over
SMTP must end with a newline, so Exim supplies one if it is missing.
-.wen
.cindex "content scanning" "per user"
A transport filter can be used to provide content-scanning on a per-user basis
@@ -21183,6 +21170,7 @@ procmail_pipe:
envelope_to_add
check_string = "From "
escape_string = ">From "
+ umask = 077
user = $local_part
group = mail
@@ -21482,24 +21470,22 @@ being used, names are looked up using &[gethostbyname()]&
instead of using the DNS. Of course, that function may in fact use the DNS, but
it may also consult other sources of information such as &_/etc/hosts_&.
-.option gnutls_require_kx main string unset
+.option gnutls_require_kx smtp string unset
This option controls the key exchange mechanisms when GnuTLS is used in an Exim
client. For details, see section &<>&.
-.option gnutls_require_mac main string unset
+.option gnutls_require_mac smtp string unset
This option controls the MAC algorithms when GnuTLS is used in an Exim
client. For details, see section &<>&.
-.option gnutls_require_protocols main string unset
+.option gnutls_require_protocols smtp string unset
This option controls the protocols when GnuTLS is used in an Exim
client. For details, see section &<>&.
-.new
-.option gnutls_compat_mode main boolean unset
+.option gnutls_compat_mode smtp boolean unset
This option controls whether GnuTLS is used in compatibility mode in an Exim
server. This reduces security slightly, but improves interworking with older
implementations of TLS.
-.wen
.option helo_data smtp string&!! "see below"
.cindex "HELO" "argument, setting"
@@ -23593,7 +23579,6 @@ login:
ldap://ldap.example.org/} }} }
server_set_id = uid=$auth1,ou=people,o=example.org
.endd
-.new
We have to check that the username is not empty before using it, because LDAP
does not permit empty DN components. We must also use the &%quote_ldap_dn%&
operator to correctly quote the DN for authentication. However, the basic
@@ -23601,7 +23586,6 @@ operator to correctly quote the DN for authentication. However, the basic
correct one to use for the password, because quoting is needed only to make
the password conform to the Exim syntax. At the LDAP level, the password is an
uninterpreted string.
-.wen
.section "Support for different kinds of authentication" "SECID174"
@@ -24493,13 +24477,11 @@ list of permitted cipher suites. If either of these checks fails, delivery to
the current host is abandoned, and the &(smtp)& transport tries to deliver to
alternative hosts, if any.
-.new
&*Note*&:
These options must be set in the &(smtp)& transport for Exim to use TLS when it
is operating as a client. Exim does not assume that a server certificate (set
by the global options of the same name) should also be used when operating as a
client.
-.wen
.vindex "&$host$&"
.vindex "&$host_address$&"
@@ -24835,7 +24817,6 @@ client are given temporary error responses until QUIT is received or the
connection is closed. In these special cases, the QUIT ACL does not run.
-.new
.section "The not-QUIT ACL" "SECTNOTQUITACL"
.vindex &$acl_smtp_notquit$&
The not-QUIT ACL, specified by &%acl_smtp_notquit%&, is run in most cases when
@@ -24843,7 +24824,6 @@ an SMTP session ends without sending QUIT. However, when Exim itself is is bad
trouble, such as being unable to write to its log files, this ACL is not run,
because it might try to do things (such as write to log files) that make the
situation even worse.
-.wen
Like the QUIT ACL, this ACL is provided to make it possible to do customized
logging or to gather statistics, and its outcome is ignored. The &%delay%&
@@ -25837,7 +25817,7 @@ This control is permitted only for the MAIL, RCPT, and start of data ACLs (the
latter is the one defined by &%acl_smtp_predata%&). Setting it tells Exim that
the current message is a submission from a local MUA. In this case, Exim
operates in &"submission mode"&, and applies certain fixups to the message if
-necessary. For example, it add a &'Date:'& header line if one is not present.
+necessary. For example, it adds a &'Date:'& header line if one is not present.
This control is not permitted in the &%acl_smtp_data%& ACL, because that is too
late (the message has already been created).
@@ -25850,7 +25830,7 @@ that may be received in the same SMTP connection.
.vitem &*control&~=&~suppress_local_fixups*&
.cindex "submission fixups, suppressing"
This control applies to locally submitted (non TCP/IP) messages, and is the
-complement of &`control`& &`=`& &`submission`&. It disables the fixups that are
+complement of &`control = submission`&. It disables the fixups that are
normally applied to locally-submitted messages. Specifically:
.ilist
@@ -25879,12 +25859,12 @@ All four possibilities for message fixups can be specified:
.ilist
Locally submitted, fixups applied: the default.
.next
-Locally submitted, no fixups applied: use &`control`& &`=`&
-&`suppress_local_fixups`&.
+Locally submitted, no fixups applied: use
+&`control = suppress_local_fixups`&.
.next
Remotely submitted, no fixups applied: the default.
.next
-Remotely submitted, fixups applied: use &`control`& &`=`& &`submission`&.
+Remotely submitted, fixups applied: use &`control = submission`&.
.endlist
@@ -27625,12 +27605,10 @@ the third string (in this case &"1"&), whether or not the cryptographic and
timeout checks succeed. The &$prvscheck_result$& variable contains the result
of the checks (empty for failure, &"1"& for success).
-.new
There is one more issue you must consider when implementing prvs-signing:
you have to ensure that the routers accept prvs-signed addresses and
deliver them correctly. The easiest way to handle this is to use a &(redirect)&
router to remove the signature with a configuration along these lines:
-.wen
.code
batv_redirect:
driver = redirect
@@ -30330,8 +30308,8 @@ If a message contains a number of different addresses, all those with the same
characteristics (for example, the same envelope sender) that resolve to the
same set of hosts, in the same order, are sent in a single SMTP transaction,
even if they are for different domains, unless there are more than the setting
-of the &%max_rcpts%& option in the &(smtp)& transport allows, in which case
-they are split into groups containing no more than &%max_rcpts%& addresses
+of the &%max_rcpt%&s option in the &(smtp)& transport allows, in which case
+they are split into groups containing no more than &%max_rcpt%&s addresses
each. If &%remote_max_parallel%& is greater than one, such groups may be sent
in parallel sessions. The order of hosts with identical MX values is not
significant when checking whether addresses can be batched in this way.
@@ -34343,7 +34321,6 @@ unqualified domain &'foundation'&.
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.new
.chapter "Support for DKIM (DomainKeys Identified Mail) - RFC4871" "CHID12" &&&
"DKIM Support"
.cindex "DKIM"
@@ -34600,7 +34577,6 @@ The possible status keywords are: 'none','invalid','fail' and 'pass'. Please
see the documentation of the &%$dkim_verify_status%& expansion variable above
for more information of what they mean.
.endlist
-.wen
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////