X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/a23acfd5c4366f1c4d97e87ac61ee841f39b819a..efad2f414afac1b1456299e79b1cdc705b84b71e:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f0bfd0eb8..bfacdef81 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -2766,6 +2766,8 @@ used to specify a path on the command line if a pid file is required. The SIGHUP signal .cindex "SIGHUP" .cindex "daemon" "restarting" +.cindex signal "to reload configuration" +.cindex daemon "reload configuration" can be used to cause the daemon to re-execute itself. This should be done whenever Exim's configuration file, or any file that is incorporated into it by means of the &%.include%& facility, is changed, and also whenever a new version @@ -9198,6 +9200,7 @@ Many strings in Exim's runtime configuration are expanded before use. Some of them are expanded every time they are used; others are expanded only once. When a string is being expanded it is copied verbatim from left to right except +.cindex expansion "string concatenation" when a dollar or backslash character is encountered. A dollar specifies the start of a portion of the string that is interpreted and replaced as described below in section &<>& onwards. Backslash is used as an @@ -10954,11 +10957,15 @@ If the string is a single variable of type certificate, returns the SHA-1 hash fingerprint of the certificate. -.vitem &*${sha256:*&<&'string'&>&*}*& +.vitem &*${sha256:*&<&'string'&>&*}*& &&& + &*${sha2:*&<&'string'&>&*}*& &&& + &*${sha2_:*&<&'string'&>&*}*& .cindex "SHA-256 hash" +.cindex "SHA-2 hash" .cindex certificate fingerprint .cindex "expansion" "SHA-256 hashing" .cindex "&%sha256%& expansion item" +.cindex "&%sha2%& expansion item" The &%sha256%& operator computes the SHA-256 hash value of the string and returns it as a 64-digit hexadecimal number, in which any letters are in upper case. 
@@ -10966,6 +10973,15 @@ it as a 64-digit hexadecimal number, in which any letters are in upper case. If the string is a single variable of type certificate, returns the SHA-256 hash fingerprint of the certificate. +.new +The operator can also be spelled &%sha2%& and does the same as &%sha256%& +(except for certificates, which are not supported). +Finally, if an underbar +and a number is appended it specifies the output length, selecting a +member of the SHA-2 family of hash functions. +Values of 256, 384 and 512 are accepted, with 256 being the default. +.wen + .vitem &*${sha3:*&<&'string'&>&*}*& &&& &*${sha3_:*&<&'string'&>&*}*& @@ -12180,6 +12196,7 @@ This variable contains the version string of the Exim build. The first character is a major version number, currently 4. Then after a dot, the next group of digits is a minor version number. There may be other characters following the minor version. +This value may be overridden by the &%exim_version%& main config option. .vitem &$header_$&<&'name'&> This is not strictly an expansion variable. It is expansion syntax for @@ -13511,7 +13528,8 @@ Otherwise, empty. .vitem &$version_number$& .vindex "&$version_number$&" -The version number of Exim. +The version number of Exim. Same as &$exim_version$&, may be overridden +by the &%exim_version%& main config option. .vitem &$warn_message_delay$& .vindex "&$warn_message_delay$&" 
@@ -15342,6 +15360,14 @@ not also supplied, the gid is taken from the result of &[getpwnam()]& if it is used. See chapter &<>& for a discussion of security issues. +.option exim_version main string "current version" +.cindex "Exim version" +.cindex customizing "version number" +.cindex "version number of Exim" override +This option allows to override the &$version_number$&/&$exim_version$& Exim reports in +various places. Use with care, this may fool stupid security scanners. + + .option extra_local_interfaces main "string list" unset This option defines network interfaces that are to be considered local when routing, but which are not used for listening by the daemon. See section @@ -16167,7 +16193,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. -.option openssl_options main "string list" "+no_sslv2 +single_dh_use +no_ticket" +.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket" .cindex "OpenSSL "compatibility options" This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items, @@ -17563,7 +17589,7 @@ use when sending messages as a client, you must set the &%tls_certificate%& option in the relevant &(smtp)& transport. &*Note*&: If you use filenames based on IP addresses, change the list -separator in the usual way (&<>&) >to avoid confusion under IPv6. +separator in the usual way (&<>&) to avoid confusion under IPv6. &*Note*&: Under versions of OpenSSL preceding 1.1.1, when a list of more than one 
@@ -24566,13 +24592,15 @@ been started will not be passed to a new delivery process for sending another message on the same connection. See section &<>& for an explanation of when this might be needed. -.option hosts_noproxy_tls smtp "host list&!!" * +.new +.option hosts_noproxy_tls smtp "host list&!!" unset .cindex "TLS" "passing connection" .cindex "multiple SMTP deliveries" .cindex "TLS" "multiple message deliveries" For any host that matches this list, a TLS session which has been started will not be passed to a new delivery process for sending another message on the same session. +.wen The traditional implementation closes down TLS and re-starts it in the new process, on the same open TCP connection, for each successive message @@ -24668,7 +24696,7 @@ This option provides a list of servers to which, provided they announce CHUNKING support, Exim will attempt to use BDAT commands rather than DATA. BDAT will not be used in conjunction with a transport filter. -.option hosts_try_dane smtp "host list&!!" unset +.option hosts_try_dane smtp "host list&!!" * .cindex DANE "transport options" .cindex DANE "attempting for certain servers" If built with DANE support, Exim will lookup a @@ -24678,7 +24706,7 @@ a DANE-verified TLS connection is made to that host; there will be no fallback to in-clear communication. See section &<>&. -.option hosts_try_fastopen smtp "host list&!!" unset +.option hosts_try_fastopen smtp "host list&!!" * .cindex "fast open, TCP" "enabling, in client" .cindex "TCP Fast Open" "enabling, in client" .cindex "RFC 7413" "TCP Fast Open" @@ -28317,7 +28345,7 @@ There is no current way to staple a proof for a client certificate. -.section "Configuring an Exim client to use TLS" "SECID185" +.section "Configuring an Exim client to use TLS" "SECTclientTLS" .cindex "cipher" "logging" .cindex "log" "TLS cipher" .cindex "log" "distinguished name" 
@@ -30842,7 +30870,7 @@ For SMTP input that does not come over TCP/IP (the &%-bs%& command line option), this condition is always true. -.vitem &*verify&~=&~not_blind*& +.vitem &*verify&~=&~not_blind/*&<&'options'&> .cindex "verifying" "not blind" .cindex "bcc recipients, verifying none" This condition checks that there are no blind (bcc) recipients in the message. @@ -30852,6 +30880,11 @@ case-sensitively; domains are checked case-insensitively. If &'Resent-To:'& or &'Resent-Cc:'& header lines exist, they are also checked. This condition can be used only in a DATA or non-SMTP ACL. +.new +There is one possible option, &`case_insensitive`&. If this is present then +local parts are checked case-insensitively. +.wen + There are, of course, many legitimate messages that make use of blind (bcc) recipients. This check should not be used on its own for blocking messages. @@ -37702,6 +37735,11 @@ Match only frozen messages. .vitem &*-x*& Match only non-frozen messages. + +.new +.vitem &*-G*&&~<&'queuename'&> +Match only messages in the given queue. Without this, the default queue is searched. +.wen .endlist The following options control the format of the output:
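
Review bot: The &%sha2%& paragraph added at @@ -10966,6 +10973,15 @@ leaves the output format of the 384 and 512 variants unstated; the existing text promises "a 64-digit hexadecimal number" for &%sha256%& only. State the digit count for each length (96 and 128 hex digits for SHA-384 and SHA-512) and whether letters are upper case as for &%sha256%&. Also say what the expansion does with a length other than 256, 384 or 512, and with a certificate variable, since "not supported" does not tell the reader whether that is an expansion failure or a hash of some other value. "an underbar and a number is appended" should read "are appended".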
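
Review bot: The sentence added to &$exim_version$& at @@ -12180,6 +12196,7 @@ conflicts with the unchanged lines above it, because "The first character is a major version number, currently 4" holds only for the built-in value. Qualify the format description as applying when &%exim_version%& is not set, so a reader parsing the variable knows the structure is not guaranteed once the option is used.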
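
Review bot: The &%exim_version%& description at @@ -15342,6 +15360,14 @@ says the value is reported "in various places" without naming any, and the caveat "this may fool stupid security scanners" does not tell an administrator what the actual consequence is. Name the places the string is reported, and replace the caveat with the concrete effect: anything that reads the reported version, including the site's own vulnerability inventory and any expansion that tests &$version_number$&, sees the configured string rather than the build's version, and the override does not change which fixes the binary contains. "allows to override" should be "allows overriding" or "can be used to override".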
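
Review bot: The &%openssl_options%& default at @@ -16167,7 +16193,7 @@ gains +no_sslv3 with no .new/.wen marker and no sentence in the visible text mentioning it, unlike the other behaviour changes in this patch. Mark the change and add a line saying that SSLv3 is now disabled by default, so an administrator upgrading with legacy peers knows where a handshake failure comes from. The context line directly below, `.cindex "OpenSSL "compatibility options"`, has an unbalanced quote that is worth fixing in the same change.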
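
Review bot: In the &%hosts_noproxy_tls%& hunk at @@ -24566,13 +24592,15 @@ the default flips from * to unset, but the paragraph wrapped in .new/.wen is otherwise unchanged and still describes only what happens for matching hosts. Add a sentence stating the new default behaviour (with nothing matching, an established TLS session is passed to the new delivery process for every host) and that setting the option to * restores the previous behaviour.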
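
Review bot: The &%hosts_try_dane%& default change from unset to * at @@ -24668,7 +24696,7 @@ is not marked with .new/.wen, although the &%hosts_noproxy_tls%& default change earlier in the patch is. The description should also say that DANE is now attempted for every host by default, because the consequence quoted in the context lines, "there will be no fallback to in-clear communication", then applies without any configuration by the administrator; include how to turn it off again.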
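
Review bot: The &`case_insensitive`& paragraph added at @@ -30852,6 +30880,11 @@ sits under unchanged context that still ends "case-sensitively; domains are checked case-insensitively", which is now true only by default. Reword the earlier sentence to say "by default" or fold the option into it. The heading changed in the preceding hunk also presents the slash and options as a required part of the condition; mark them as optional so that a bare &`verify = not_blind`& is clearly still valid.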
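
Review bot: The &*-G*& entry at @@ -37702,6 +37735,11 @@ is worded as a match filter ("Match only messages in the given queue") but its second sentence shows it selects which queue is searched. Something like "Search the named queue instead of the default queue" fits the behaviour better, and the entry should say whether it can be combined with the other match options in this list.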