X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/8c5d388a6e12d1a8bd4aa565920238f8a921414a..f42deca923414cedcbb6d6646afbef460f50080c:/doc/doc-txt/experimental-spec.txt?ds=sidebyside diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index aa4cb464d..993b5b05c 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -771,208 +771,6 @@ b. Configure, somewhere before the DATA ACL, the control option to -Event Actions --------------------------------------------------------------- - -(Renamed from TPDA, Transport post-delivery actions) - -An arbitrary per-transport string can be expanded upon various transport events. -Additionally a main-section configuration option can be expanded on some -per-message events. -This feature may be used, for example, to write exim internal log information -(not available otherwise) into a database. - -In order to use the feature, you must compile with - -EXPERIMENTAL_EVENT=yes - -in your Local/Makefile - -and define one or both of -- the event_action option in the transport -- the event_action main option -to be expanded when the event fires. - -A new variable, $event_name, is set to the event type when the -expansion is done. The current list of events is: - - msg:complete after main per message - msg:delivery after transport per recipient - msg:rcpt:host:defer after transport per recipient per host - msg:rcpt:defer after transport per recipient - msg:host:defer after transport per attempt - msg:fail:delivery after main per recipient - msg:fail:internal after main per recipient - tcp:connect before transport per connection - tcp:close after transport per connection - tls:cert before both per certificate in verification chain - smtp:connect after transport per connection - -The expansion is called for all event types, and should use the $event_name -variable to decide when to act. The value of the variable is a colon-separated -list, defining a position in the tree of possible events; it may be used as -a list or just matched on as a whole. There will be no whitespace. - -New event types may be added in the future. - - -There is an auxilary variable, $event_data, for which the -content is event_dependent: - - msg:delivery smtp confirmation mssage - msg:rcpt:host:defer error string - msg:rcpt:defer error string - msg:host:defer error string - tls:cert verification chain depth - smtp:connect smtp banner - -The :defer events populate one extra variable, $event_defer_errno. - -The following variables are likely to be useful depending on the event type: - - router_name, transport_name - local_part, domain - host, host_address, host_port - tls_out_peercert - lookup_dnssec_authenticated, tls_out_dane - sending_ip_address, sending_port - message_exim_id, verify_mode - - -An example might look like: - -event_action = ${if eq {msg:delivery}{$event_name} \ -{${lookup pgsql {SELECT * FROM record_Delivery( \ - '${quote_pgsql:$sender_address_domain}',\ - '${quote_pgsql:${lc:$sender_address_local_part}}', \ - '${quote_pgsql:$domain}', \ - '${quote_pgsql:${lc:$local_part}}', \ - '${quote_pgsql:$host_address}', \ - '${quote_pgsql:${lc:$host}}', \ - '${quote_pgsql:$message_exim_id}')}} \ -} {}} - -The string is expanded when each of the supported events occur -and any side-effects of the expansion will happen. - -Note that for complex operations an ACL expansion can be used, -however due to the multiple contexts the Exim operates in -a) variables set in events raised from transports will not - be visible outside that transport call. -b) acl_m variables in a server context are lost on a new connection, - and after helo/ehlo/mail/starttls/rset commands -Using an ACL expansion with the logwrite modifier can be a -useful way of writing to the main log. - - - -The expansion of the event_action option should normally -return an empty string. Should it return anything else the -following will be forced: - - msg:delivery (ignored) - msg:host:defer (ignored) - msg:fail:delivery (ignored) - tcp:connect do not connect - tcp:close (ignored) - tls:cert refuse verification - smtp:connect close connection - -No other use is made of the result string. - -If transport proxying is used, the remote IP/port during a -tcp:connect event will be that of the proxy. - - -Known issues: -- the tls:cert event is only called for the cert chain elements - received over the wire, with GnuTLS. OpenSSL gives the entire - chain including those loaded locally. - - -Redis Lookup --------------------------------------------------------------- - -Redis is open source advanced key-value data store. This document -does not explain the fundamentals, you should read and understand how -it works by visiting the website at http://www.redis.io/. - -Redis lookup support is added via the hiredis library. Visit: - - https://github.com/redis/hiredis - -to obtain a copy, or find it in your operating systems package repository. -If building from source, this description assumes that headers will be in -/usr/local/include, and that the libraries are in /usr/local/lib. - -1. In order to build exim with Redis lookup support add - -EXPERIMENTAL_REDIS=yes - -to your Local/Makefile. (Re-)build/install exim. exim -d should show -Experimental_Redis in the line "Support for:". - -EXPERIMENTAL_REDIS=yes -LDFLAGS += -lhiredis -# CFLAGS += -I/usr/local/include -# LDFLAGS += -L/usr/local/lib - -The first line sets the feature to include the correct code, and -the second line says to link the hiredis libraries into the -exim binary. The commented out lines should be uncommented if you -built hiredis from source and installed in the default location. -Adjust the paths if you installed them elsewhere, but you do not -need to uncomment them if an rpm (or you) installed them in the -package controlled locations (/usr/include and /usr/lib). - - -2. Use the following global settings to configure Redis lookup support: - -Required: -redis_servers This option provides a list of Redis servers - and associated connection data, to be used in - conjunction with redis lookups. The option is - only available if Exim is configured with Redis - support. - -For example: - -redis_servers = 127.0.0.1/10/ - using database 10 with no password -redis_servers = 127.0.0.1//password - to make use of the default database of 0 with a password -redis_servers = 127.0.0.1// - for default database of 0 with no password - -3. Once you have the Redis servers defined you can then make use of the -experimental Redis lookup by specifying ${lookup redis{}} in a lookup query. - -4. Example usage: - -(Host List) -hostlist relay_from_ips = <\n ${lookup redis{SMEMBERS relay_from_ips}} - -Where relay_from_ips is a Redis set which contains entries such as "192.168.0.0/24" "10.0.0.0/8" and so on. -The result set is returned as -192.168.0.0/24 -10.0.0.0/8 -.. -. - -(Domain list) -domainlist virtual_domains = ${lookup redis {HGET $domain domain}} - -Where $domain is a hash which includes the key 'domain' and the value '$domain'. - -(Adding or updating an existing key) -set acl_c_spammer = ${if eq{${lookup redis{SPAMMER_SET}}}{OK}} - -Where SPAMMER_SET is a macro and it is defined as - -"SET SPAMMER " - -(Getting a value from Redis) - -set acl_c_spam_host = ${lookup redis{GET...}} - - DANE ------------------------------------------------------------ DNS-based Authentication of Named Entities, as applied @@ -1086,18 +884,20 @@ with DANE in their OCSP settings. For client-side DANE there are two new smtp transport options, -hosts_try_dane and hosts_require_dane. They do the obvious thing. +hosts_try_dane and hosts_require_dane. [ should they be domain-based rather than host-based? ] +Hosts_require_dane will result in failure if the target host +is not DNSSEC-secured. + DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records. A TLSA lookup will be done if either of the above options match and the host-lookup succeded using dnssec. If a TLSA lookup is done and succeeds, a DANE-verified TLS connection -will be required for the host. - -(TODO: specify when fallback happens vs. when the host is not used) +will be required for the host. If it does not, the host will not +be used; there is no fallback to non-DANE or non-TLS. If DANE is requested and useable (see above) the following transport options are ignored: