X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/8fd715e80d7848fa463f06951a42967bd7123756..a799883d8ad340d935db4d729a31c02cb8a1d977:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 0815c0e4d..beb0522be 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -46,7 +46,7 @@ . ///////////////////////////////////////////////////////////////////////////// .set previousversion "4.75" -.set version "4.77" +.set version "4.80" .set ACL "access control lists (ACLs)" .set I "    " @@ -170,15 +170,15 @@ Specification of the Exim Mail Transfer Agent The Exim MTA -06 May 2011 +17 May 2012 EximMaintainers EM - 4.77 - 10 Oct 2011 + 4.80 + 17 May 2012 EM -2011University of Cambridge +2012University of Cambridge .literal off @@ -2991,6 +2991,26 @@ The specified sender is treated as if it were given as the argument to the preference to the address taken from the message. The caller of Exim must be a trusted user for the sender of a message to be set in this way. +.vitem &%-bmalware%&&~<&'filename'&> +.oindex "&%-bmalware%&" +.cindex "testing", "malware" +.cindex "malware scan test" +This debugging option causes Exim to scan the given file, +using the malware scanning framework. The option of &%av_scanner%& influences +this option, so if &%av_scanner%&'s value is dependent upon an expansion then +the expansion should have defaults which apply to this invocation. ACLs are +not invoked, so if &%av_scanner%& references an ACL variable then that variable +will never be populated and &%-bmalware%& will fail. + +Exim will have changed working directory before resolving the filename, so +using fully qualified pathnames is advisable. Exim will be running as the Exim +user when it tries to open the file, rather than as the invoking user. +This option requires admin privileges. + +The &%-bmalware%& option will not be extended to be more generally useful, +there are better tools for file-scanning. This option exists to help +administrators verify their Exim and AV scanner configuration. + .vitem &%-bnq%& .oindex "&%-bnq%&" .cindex "address qualification, suppressing" @@ -3251,26 +3271,6 @@ above concerning senders and qualification do not apply. In this situation, Exim behaves in exactly the same way as it does when receiving a message via the listening daemon. -.vitem &%-bmalware%&&~<&'filename'&> -.oindex "&%-bmalware%&" -.cindex "testing", "malware" -.cindex "malware scan test" -This debugging option causes Exim to scan the given file, -using the malware scanning framework. The option of &%av_scanner%& influences -this option, so if &%av_scanner%&'s value is dependent upon an expansion then -the expansion should have defaults which apply to this invocation. ACLs are -not invoked, so if &%av_scanner%& references an ACL variable then that variable -will never be populated and &%-bmalware%& will fail. - -Exim will have changed working directory before resolving the filename, so -using fully qualified pathnames is advisable. Exim will be running as the Exim -user when it tries to open the file, rather than as the invoking user. -This option requires admin privileges. - -The &%-bmalware%& option will not be extended to be more generally useful, -there are better tools for file-scanning. This option exists to help -administrators verify their Exim and AV scanner configuration. - .vitem &%-bt%& .oindex "&%-bt%&" .cindex "testing" "addresses" @@ -6026,16 +6026,16 @@ that it implements the details of the specific authentication mechanism, i.e. PLAIN or LOGIN. The &%server_advertise_condition%& setting controls when Exim offers authentication to clients; in the examples, this is only when TLS or SSL has been started, so to enable the authenticators you also -need to add support for TLS as described in &<>&. +need to add support for TLS as described in section &<>&. The &%server_condition%& setting defines how to verify that the username and password are correct. In the examples it just produces an error message. To make the authenticators work, you can use a string expansion -expression like one of the examples in &<>&. +expression like one of the examples in chapter &<>&. Beware that the sequence of the parameters to PLAIN and LOGIN differ; the -usercode and password are in different positions. &<>& -covers both. +usercode and password are in different positions. +Chapter &<>& covers both. .ecindex IIDconfiwal @@ -6756,11 +6756,13 @@ is used on its own as the result. If the lookup does not succeed, the &`fail`& keyword causes a &'forced expansion failure'& &-- see section &<>& for an explanation of what this means. -The supported DNS record types are A, CNAME, MX, NS, PTR, SRV, and TXT, and, -when Exim is compiled with IPv6 support, AAAA (and A6 if that is also +.new +The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, and TXT, +and, when Exim is compiled with IPv6 support, AAAA (and A6 if that is also configured). If no type is given, TXT is assumed. When the type is PTR, the data can be an IP address, written as normal; inversion and the addition of &%in-addr.arpa%& or &%ip6.arpa%& happens automatically. For example: +.wen .code ${lookup dnsdb{ptr=192.168.4.5}{$value}fail} .endd @@ -6786,13 +6788,18 @@ It is permitted to specify a space as the separator character. Further white space is ignored. .cindex "TXT record" "in &(dnsdb)& lookup" +.cindex "SPF record" "in &(dnsdb)& lookup" +.new For TXT records with multiple items of data, only the first item is returned, unless a separator for them is specified using a comma after the separator character followed immediately by the TXT record item separator. To concatenate -items without a separator, use a semicolon instead. +items without a separator, use a semicolon instead. For SPF records the +default behaviour is to concatenate multiple items without using a separator. +.wen .code ${lookup dnsdb{>\n,: txt=a.b.example}} ${lookup dnsdb{>\n; txt=a.b.example}} +${lookup dnsdb{spf=example.org}} .endd It is permitted to specify a space as the separator character. Further white space is ignored. @@ -9766,6 +9773,10 @@ This operator returns a somewhat random number which is less than the supplied number and is at least 0. The quality of this randomness depends on how Exim was built; the values are not suitable for keying material. If Exim is linked against OpenSSL then RAND_pseudo_bytes() is used. +.new +If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used, +for versions of GnuTLS with that function. +.wen Otherwise, the implementation may be arc4random(), random() seeded by srandomdev() or srandom(), or a custom implementation even weaker than random(). @@ -11928,9 +11939,6 @@ used) to the client, based upon the value of the SNI extension. The value will be retained for the lifetime of the message. During outbound SMTP deliveries, it reflects the value of the &%tls_sni%& option on the transport. - -This is currently only available when using OpenSSL, built with support for -SNI. .wen .vitem &$tod_bsdinbox$& @@ -11942,6 +11950,10 @@ files, for example: Thu Oct 17 17:14:09 1995. .vindex "&$tod_epoch$&" The time and date as a number of seconds since the start of the Unix epoch. +.vitem &$tod_epoch_l$& +.vindex "&$tod_epoch_l$&" +The time and date as a number of microseconds since the start of the Unix epoch. + .vitem &$tod_full$& .vindex "&$tod_full$&" A full version of the time and date, for example: Wed, 16 Oct 1995 09:51:40 @@ -12677,14 +12689,12 @@ listed in more than one group. .section "TLS" "SECID108" .table2 -.row &%gnutls_require_kx%& "control GnuTLS key exchanges" -.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms" -.row &%gnutls_require_protocols%& "control GnuTLS protocols" .row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" .row &%openssl_options%& "adjust OpenSSL compatibility options" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" .row &%tls_crl%& "certificate revocation list" +.row &%tls_dh_max_bits%& "clamp D-H bit count suggestion" .row &%tls_dhparam%& "DH parameters for server" .row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports" .row &%tls_privatekey%& "location of server private key" @@ -13692,18 +13702,6 @@ gecos_name = $1 See &%gecos_name%& above. -.option gnutls_require_kx main string unset -This option controls the key exchange mechanisms when GnuTLS is used in an Exim -server. For details, see section &<>&. - -.option gnutls_require_mac main string unset -This option controls the MAC algorithms when GnuTLS is used in an Exim -server. For details, see section &<>&. - -.option gnutls_require_protocols main string unset -This option controls the protocols when GnuTLS is used in an Exim -server. For details, see section &<>&. - .option gnutls_compat_mode main boolean unset This option controls whether GnuTLS is used in compatibility mode in an Exim server. This reduces security slightly, but improves interworking with older @@ -14408,7 +14406,7 @@ adjusted lightly. An unrecognised item will be detected at startup, by invoking Exim with the &%-bV%& flag. .new -Historical note: prior to release 4.78, Exim defaulted this value to +Historical note: prior to release 4.80, Exim defaulted this value to "+dont_insert_empty_fragments", which may still be needed for compatibility with some clients, but which lowers security by increasing exposure to some now infamous attacks. @@ -15683,12 +15681,69 @@ See &<>& for discussion of when this option might be re-expanded. .wen +.new +.option tls_dh_max_bits main integer 2236 +.cindex "TLS" "D-H bit count" +The number of bits used for Diffie-Hellman key-exchange may be suggested by +the chosen TLS library. That value might prove to be too high for +interoperability. This option provides a maximum clamp on the value +suggested, trading off security for interoperability. + +The value must be at least 1024. + +The value 2236 was chosen because, at time of adding the option, it was the +hard-coded maximum value supported by the NSS cryptographic library, as used +by Thunderbird, while GnuTLS was suggesting 2432 bits as normal. + +If you prefer more security and are willing to break some clients, raise this +number. + +Note that the value passed to GnuTLS for *generating* a new prime may be a +little less than this figure, because GnuTLS is inexact and may produce a +larger prime than requested. +.wen + + .option tls_dhparam main string&!! unset .cindex "TLS" "D-H parameters for server" -The value of this option is expanded, and must then be the absolute path to -a file which contains the server's DH parameter values. -This is used only for OpenSSL. When Exim is linked with GnuTLS, this option is -ignored. See section &<>& for further details. +.new +The value of this option is expanded and indicates the source of DH parameters +to be used by Exim. + +If it is a filename starting with a &`/`&, then it names a file from which DH +parameters should be loaded. If the file exists, it should hold a PEM-encoded +PKCS#3 representation of the DH prime. If the file does not exist, for +OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and +fill it with a generated DH prime. For OpenSSL, if the DH bit-count from +loading the file is greater than &%tls_dh_max_bits$& then it will be ignored, +and treated as though the &%tls_dhparam%& were set to "none". + +If this option expands to the string "none", then no DH parameters will be +loaded by Exim. + +If this option expands to the string "historic" and Exim is using GnuTLS, then +Exim will attempt to load a file from inside the spool directory. If the file +does not exist, Exim will attempt to create it. +See section &<>& for further details. + +If Exim is using OpenSSL and this option is empty or unset, then Exim will load +a default DH prime; the default is the 2048 bit prime described in section +2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which +in IKE is assigned number 23. + +Otherwise, the option must expand to the name used by Exim for any of a number +of DH primes specified in RFC 2409, RFC 3526 and RFC 5114. As names, Exim uses +"ike" followed by the number used by IKE, of "default" which corresponds to +"ike23". + +The available primes are: +&`ike1`&, &`ike2`&, &`ike5`&, +&`ike14`&, &`ike15`&, &`ike16`&, &`ike17`&, &`ike18`&, +&`ike22`&, &`ike23`& (aka &`default`&) and &`ike24`&. + +Some of these will be too small to be accepted by clients. +Some may be too large to be accepted by clients. +.wen .option tls_on_connect_ports main "string list" unset @@ -17081,6 +17136,40 @@ look for A or AAAA records, unless the domain matches &%mx_domains%&, in which case routing fails. +.new +.section "Declining addresses by dnslookup" "SECTdnslookupdecline" +.cindex "&(dnslookup)& router" "declines" +There are a few cases where a &(dnslookup)& router will decline to accept +an address; if such a router is expected to handle "all remaining non-local +domains", then it is important to set &%no_more%&. + +Reasons for a &(dnslookup)& router to decline currently include: +.ilist +The domain does not exist in DNS +.next +The domain exists but the MX record's host part is just "."; this is a common +convention (borrowed from SRV) used to indicate that there is no such service +for this domain and to not fall back to trying A/AAAA records. +.next +Ditto, but for SRV records, when &%check_srv%& is set on this router. +.next +MX record points to a non-existent host. +.next +MX record points to an IP address and the main section option +&%allow_mx_to_ip%& is not set. +.next +MX records exist and point to valid hosts, but all hosts resolve only to +addresses blocked by the &%ignore_target_hosts%& generic option on this router. +.next +The domain is not syntactically valid (see also &%allow_utf8_domains%& and +&%dns_check_names_pattern%& for handling one variant of this) +.next +&%check_secondary_mx%& is set on this router but the local host can +not be found in the MX records (see below) +.endlist +.wen + + .section "Private options for dnslookup" "SECID118" @@ -22037,18 +22126,6 @@ being used, names are looked up using &[gethostbyname()]& instead of using the DNS. Of course, that function may in fact use the DNS, but it may also consult other sources of information such as &_/etc/hosts_&. -.option gnutls_require_kx smtp string unset -This option controls the key exchange mechanisms when GnuTLS is used in an Exim -client. For details, see section &<>&. - -.option gnutls_require_mac smtp string unset -This option controls the MAC algorithms when GnuTLS is used in an Exim -client. For details, see section &<>&. - -.option gnutls_require_protocols smtp string unset -This option controls the protocols when GnuTLS is used in an Exim -client. For details, see section &<>&. - .option gnutls_compat_mode smtp boolean unset This option controls whether GnuTLS is used in compatibility mode in an Exim server. This reduces security slightly, but improves interworking with older @@ -24573,14 +24650,14 @@ who authenticated is placed in &$auth1$&. .cindex "authentication" "CRAM-MD5" .cindex "authentication" "SCRAM-SHA-1" The &(gsasl)& authenticator provides server integration for the GNU SASL -library and the mechanisms it provides. This is new as of the 4.78 release +library and the mechanisms it provides. This is new as of the 4.80 release and there are a few areas where the library does not let Exim smoothly scale to handle future authentication mechanisms, so no guarantee can be made that any particular new authentication mechanism will be supported without code changes in Exim. -.option server_channelbinding gsasl bool false +.option server_channelbinding gsasl boolean false Some authentication mechanisms are able to use external context at both ends of the session to bind the authentication to that context, and fail the authentication process if that context differs. Specifically, some TLS @@ -24952,9 +25029,9 @@ There are some differences in usage when using GnuTLS instead of OpenSSL: The &%tls_verify_certificates%& option must contain the name of a file, not the name of a directory (for OpenSSL it can be either). .next -The &%tls_dhparam%& option is ignored, because early versions of GnuTLS had no -facility for varying its Diffie-Hellman parameters. I understand that this has -changed, but Exim has not been updated to provide this facility. +.new +The default value for &%tls_dhparam%& differs for historical reasons. +.wen .next .vindex "&$tls_peerdn$&" Distinguished Name (DN) strings reported by the OpenSSL library use a slash for @@ -24962,10 +25039,11 @@ separating fields; GnuTLS uses commas, in accordance with RFC 2253. This affects the value of the &$tls_peerdn$& variable. .next OpenSSL identifies cipher suites using hyphens as separators, for example: -DES-CBC3-SHA. GnuTLS uses underscores, for example: RSA_ARCFOUR_SHA. What is -more, OpenSSL complains if underscores are present in a cipher list. To make -life simpler, Exim changes underscores to hyphens for OpenSSL and hyphens to -underscores for GnuTLS when processing lists of cipher suites in the +DES-CBC3-SHA. GnuTLS historically used underscores, for example: +RSA_ARCFOUR_SHA. What is more, OpenSSL complains if underscores are present +in a cipher list. To make life simpler, Exim changes underscores to hyphens +for OpenSSL and passes the string unchanged to GnuTLS (expecting the library +to handle its own older variants) when processing lists of cipher suites in the &%tls_require_ciphers%& options (the global option and the &(smtp)& transport option). .next @@ -24981,11 +25059,14 @@ implementation, then patches are welcome. .endlist -.section "GnuTLS parameter computation" "SECID181" +.section "GnuTLS parameter computation" "SECTgnutlsparam" +.new GnuTLS uses D-H parameters that may take a substantial amount of time to compute. It is unreasonable to re-compute them for every TLS session. Therefore, Exim keeps this data in a file in its spool directory, called -&_gnutls-params_&. The file is owned by the Exim user and is readable only by +&_gnutls-params-NNNN_& for some value of NNNN, corresponding to the number +of bits requested. +The file is owned by the Exim user and is readable only by its owner. Every Exim process that start up GnuTLS reads the D-H parameters from this file. If the file does not exist, the first Exim process that needs it computes the data and writes it to a temporary file which is @@ -25003,26 +25084,55 @@ until enough randomness (entropy) is available. This may cause Exim to hang for a substantial amount of time, causing timeouts on incoming connections. The solution is to generate the parameters externally to Exim. They are stored -in &_gnutls-params_& in PEM format, which means that they can be generated -externally using the &(certtool)& command that is part of GnuTLS. +in &_gnutls-params-N_& in PEM format, which means that they can be +generated externally using the &(certtool)& command that is part of GnuTLS. To replace the parameters with new ones, instead of deleting the file and letting Exim re-create it, you can generate new parameters using &(certtool)& and, when this has been done, replace Exim's cache file by renaming. The relevant commands are something like this: .code +# ls +[ look for file; assume gnutls-params-2236 is the most recent ] # rm -f new-params # touch new-params # chown exim:exim new-params +# chmod 0600 new-params +# certtool --generate-dh-params --bits 2236 >>new-params +# openssl dhparam -noout -text -in new-params | head +[ check the first line, make sure it's not more than 2236; + if it is, then go back to the start ("rm") and repeat + until the size generated is at most the size requested ] # chmod 0400 new-params -# certtool --generate-privkey --bits 512 >new-params -# echo "" >>new-params -# certtool --generate-dh-params --bits 1024 >> new-params -# mv new-params gnutls-params +# mv new-params gnutls-params-2236 .endd If Exim never has to generate the parameters itself, the possibility of stalling is removed. +The filename changed in Exim 4.80, to gain the -bits suffix. The value which +Exim will choose depends upon the version of GnuTLS in use. For older GnuTLS, +the value remains hard-coded in Exim as 1024. As of GnuTLS 2.12.x, there is +a way for Exim to ask for the "normal" number of bits for D-H public-key usage, +and Exim does so. This attempt to remove Exim from TLS policy decisions +failed, as GnuTLS 2.12 returns a value higher than the current hard-coded limit +of the NSS library. Thus Exim gains the &%tls_dh_max_bits%& global option, +which applies to all D-H usage, client or server. If the value returned by +GnuTLS is greater than &%tls_dh_max_bits%& then the value will be clamped down +to &%tls_dh_max_bits%&. The default value has been set at the current NSS +limit, which is still much higher than Exim historically used. + +The filename and bits used will change as the GnuTLS maintainers change the +value for their parameter &`GNUTLS_SEC_PARAM_NORMAL`&, as clamped by +&%tls_dh_max_bits%&. At the time of writing (mid 2012), GnuTLS 2.12 recommends +2432 bits, while NSS is limited to 2236 bits. + +In fact, the requested value will be *lower* than &%tls_dh_max_bits%&, to +increase the chance of the generated prime actually being within acceptable +bounds, as GnuTLS has been observed to overshoot. Note the check step in the +procedure above. There is no sane procedure available to Exim to double-check +the size of the generated prime, so it might still be too large. +.wen + .section "Requiring specific ciphers in OpenSSL" "SECTreqciphssl" .cindex "TLS" "requiring specific ciphers (OpenSSL)" @@ -25031,7 +25141,10 @@ There is a function in the OpenSSL library that can be passed a list of cipher suites before the cipher negotiation takes place. This specifies which ciphers are acceptable. The list is colon separated and may contain names like DES-CBC3-SHA. Exim passes the expanded value of &%tls_require_ciphers%& -directly to this function call. The following quotation from the OpenSSL +directly to this function call. +Many systems will install the OpenSSL manual-pages, so you may have +&'ciphers(1)'& available to you. +The following quotation from the OpenSSL documentation specifies what forms of item are allowed in the cipher string: .ilist @@ -25068,8 +25181,29 @@ includes any ciphers already present they will be ignored: that is, they will not be moved to the end of the list. .endlist +.new +The OpenSSL &'ciphers(1)'& command may be used to test the results of a given +string: +.code +# note single-quotes to get ! past any shell history expansion +$ openssl ciphers 'HIGH:!MD5:!SHA1' +.endd + +This example will let the library defaults be permitted on the MX port, where +there's probably no identity verification anyway, but ups the ante on the +submission ports where the administrator might have some influence on the +choice of clients used: +.code +# OpenSSL variant; see man ciphers(1) +tls_require_ciphers = ${if =={$received_port}{25}\ + {DEFAULT}\ + {HIGH:!MD5:!SHA1}} +.endd +.wen + +.new .section "Requiring specific ciphers or other parameters in GnuTLS" &&& "SECTreqciphgnu" .cindex "GnuTLS" "specifying parameters for" @@ -25077,85 +25211,46 @@ not be moved to the end of the list. .cindex "TLS" "specifying key exchange methods (GnuTLS)" .cindex "TLS" "specifying MAC algorithms (GnuTLS)" .cindex "TLS" "specifying protocols (GnuTLS)" +.cindex "TLS" "specifying priority string (GnuTLS)" .oindex "&%tls_require_ciphers%&" "GnuTLS" -The GnuTLS library allows the caller to specify separate lists of permitted key -exchange methods, main cipher algorithms, MAC algorithms, and protocols. -Unfortunately, these lists are numerical, and the library does not have a -function for turning names into numbers. Consequently, lists of recognized -names have to be built into the application. The permitted key exchange -methods, ciphers, and MAC algorithms may be used in any combination to form a -cipher suite. This is unlike OpenSSL, where complete cipher suite names are -passed to its control function. - -For compatibility with OpenSSL, the &%tls_require_ciphers%& option can be set -to complete cipher suite names such as RSA_ARCFOUR_SHA, but for GnuTLS this -option controls only the cipher algorithms. Exim searches each item in the -list for the name of an available algorithm. For example, if the list -contains RSA_AES_SHA, then AES is recognized, and the behaviour is exactly -the same as if just AES were given. - -.oindex "&%gnutls_require_kx%&" -.oindex "&%gnutls_require_mac%&" -.oindex "&%gnutls_require_protocols%&" -There are additional options called &%gnutls_require_kx%&, -&%gnutls_require_mac%&, and &%gnutls_require_protocols%& that can be used to -restrict the key exchange methods, MAC algorithms, and protocols, respectively. -These options are ignored if OpenSSL is in use. - -All four options are available as global options, controlling how Exim -behaves as a server, and also as options of the &(smtp)& transport, controlling -how Exim behaves as a client. All the values are string expanded. After -expansion, the values must be colon-separated lists, though the separator -can be changed in the usual way. - -Each of the four lists starts out with a default set of algorithms. If the -first item in a list does &'not'& start with an exclamation mark, all the -default items are deleted. In this case, only those that are explicitly -specified can be used. If the first item in a list &'does'& start with an -exclamation mark, the defaults are left on the list. - -Then, any item that starts with an exclamation mark causes the relevant -entry to be removed from the list, and any item that does not start with an -exclamation mark causes a new entry to be added to the list. Unrecognized -items in the list are ignored. Thus: -.code -tls_require_ciphers = !ARCFOUR -.endd -allows all the defaults except ARCFOUR, whereas -.code -tls_require_ciphers = AES : 3DES -.endd -allows only cipher suites that use AES or 3DES. - -For &%tls_require_ciphers%& the recognized names are AES_256, AES_128, AES -(both of the preceding), 3DES, ARCFOUR_128, ARCFOUR_40, and ARCFOUR (both of -the preceding). The default list does not contain all of these; it just has -AES_256, AES_128, 3DES, and ARCFOUR_128. - -For &%gnutls_require_kx%&, the recognized names are DHE_RSA, RSA (which -includes DHE_RSA), DHE_DSS, and DHE (which includes both DHE_RSA and -DHE_DSS). The default list contains RSA, DHE_DSS, DHE_RSA. - -For &%gnutls_require_mac%&, the recognized names are SHA (synonym SHA1), and -MD5. The default list contains SHA, MD5. - -.new -For &%gnutls_require_protocols%&, the recognized names are TLS1.2, TLS1.1, -TLS1.0, (TLS1) and SSL3. -The default list contains TLS1.2, TLS1.1, TLS1.0, SSL3. -TLS1 is an alias for TLS1.0, for backwards compatibility. -For sufficiently old versions of the GnuTLS library, TLS1.2 or TLS1.1 might -not be supported and will not be recognised by Exim. +The GnuTLS library allows the caller to provide a "priority string", documented +as part of the &[gnutls_priority_init]& function. This is very similar to the +ciphersuite specification in OpenSSL. + +The &%tls_require_ciphers%& option is treated as the GnuTLS priority string. + +The &%tls_require_ciphers%& option is available both as an global option, +controlling how Exim behaves as a server, and also as an option of the +&(smtp)& transport, controlling how Exim behaves as a client. In both cases +the value is string expanded. The resulting string is not an Exim list and +the string is given to the GnuTLS library, so that Exim does not need to be +aware of future feature enhancements of GnuTLS. + +Documentation of the strings accepted may be found in the GnuTLS manual, under +"Priority strings". This is online as +&url(http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html), +but beware that this relates to GnuTLS 3, which may be newer than the version +installed on your system. If you are using GnuTLS 3, +&url(http://www.gnu.org/software/gnutls/manual/html_node/Listing-the-ciphersuites-in-a-priority-string.html, then the example code) +on that site can be used to test a given string. + +Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three +additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and +"&%gnutls_require_protocols%&". &%tls_require_ciphers%& was an Exim list. + +This example will let the library defaults be permitted on the MX port, where +there's probably no identity verification anyway, and lowers security further +by increasing compatibility; but this ups the ante on the submission ports +where the administrator might have some influence on the choice of clients +used: +.code +# GnuTLS variant +tls_require_ciphers = ${if =={$received_port}{25}\ + {NORMAL:%COMPAT}\ + {SECURE128}} +.endd .wen -In a server, the order of items in these lists is unimportant. The server -advertises the availability of all the relevant cipher suites. However, in a -client, the order in the &%tls_require_ciphers%& list specifies a preference -order for the cipher algorithms. The first one in the client's list that is -also advertised by the server is tried first. The default order is as listed -above. - - .section "Configuring an Exim server to use TLS" "SECID182" .cindex "TLS" "configuring an Exim server" @@ -25214,13 +25309,24 @@ this). There is one other option that may be needed in other situations. If tls_dhparam = /some/file/name .endd is set, the SSL library is initialized for the use of Diffie-Hellman ciphers -with the parameters contained in the file. This increases the set of cipher -suites that the server supports. See the command +with the parameters contained in the file. +.new +Set this to &`none`& to disable use of DH entirely, by making no prime +available: +.code +tls_dhparam = none +.endd +This may also be set to a string identifying a standard prime to be used for +DH; if it is set to &`default`& or, for OpenSSL, is unset, then the prime +used is &`ike23`&. There are a few standard primes available, see the +documetnation for &%tls_dhparam%& for the complete list. + +See the command .code openssl dhparam .endd -for a way of generating this data. At present, &%tls_dhparam%& is used only -when Exim is linked with OpenSSL. It is ignored if GnuTLS is being used. +for a way of generating file data. +.wen The strings supplied for these three options are expanded every time a client host connects. It is therefore possible to use different certificates and keys @@ -25451,8 +25557,14 @@ arbitrary unverified data provided prior to authentication. The Exim developers are proceeding cautiously and so far no other TLS options are re-expanded. -Currently SNI support is only available if using OpenSSL, with TLS Extensions -support enabled therein. +When Exim is built againt OpenSSL, OpenSSL must have been built with support +for TLS Extensions. This holds true for OpenSSL 1.0.0+ and 0.9.8+ with +enable-tlsext in EXTRACONFIGURE. If you invoke &(openssl s_client -h)& and +see &`-servername`& in the output, then OpenSSL has support. + +When Exim is built against GnuTLS, SNI support is available as of GnuTLS +0.5.10. (Its presence predates the current API which Exim uses, so if Exim +built, then you have SNI support). .wen