X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/da47dd4d092ba35e4f8ff055d79693cc1266c816..6e2400bf8b3c728f5bf8af52054fcab4e2351e21:/doc/doc-docbook/spec.xfpt?ds=inline diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 28c8b1462..e29f1333a 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6606,14 +6606,15 @@ cause parts of the string to be replaced by data that is obtained from the lookup. Lookups of this type are conditional expansion items. Different results can be defined for the cases of lookup success and failure. See chapter &<>&, where string expansions are described in detail. -The key for the lookup is specified as part of the string expansion. +The key for the lookup is &*specified*& as part of the string expansion. .next Lists of domains, hosts, and email addresses can contain lookup requests as a way of avoiding excessively long linear lists. In this case, the data that is returned by the lookup is often (but not always) discarded; whether the lookup succeeds or fails is what really counts. These kinds of list are described in chapter &<>&. -The key for the lookup is given by the context in which the list is expanded. +The key for the lookup is &*implicit*&, +given by the context in which the list is expanded. .endlist String expansions, lists, and lookups interact with each other in such a way @@ -6648,7 +6649,8 @@ The result of the expansion is not tainted. In the second example, the lookup is a single item in a domain list. It causes Exim to use a lookup to see if the domain that is being processed can be found -in the file. The file could contains lines like this: +in the file. +The file could contains lines like this: .code domain1: domain2: @@ -7093,10 +7095,7 @@ passed to a Redis database. See section &<>&. .cindex "sqlite lookup type" .cindex "lookup" "sqlite" &(sqlite)&: The format of the query is -new -an optional filename -followed by an SQL statement -that is passed to an SQLite database. See section &<>&. +an SQL statement that is passed to an SQLite database. See section &<>&. .next &(testdb)&: This is a lookup type that is used for testing Exim. It is @@ -8061,8 +8060,8 @@ For MySQL, PostgreSQL and Redis lookups (but not currently for Oracle and InterB it is possible to specify a list of servers with an individual query. This is done by appending a comma-separated option to the query type: .display -.endd &`,servers=`&&'server1:server2:server3:...'& +.endd Each item in the list may take one of two forms: .olist If it contains no slashes it is assumed to be just a host name. The appropriate @@ -8096,7 +8095,7 @@ option, you can still update it by a query of this form: ${lookup pgsql,servers=master/db/name/pw {UPDATE ...} } .endd -An older syntax places the servers speciification before the qury, +An older syntax places the servers specification before the query, semicolon separated: .code ${lookup mysql{servers=master; UPDATE ...} } @@ -8155,18 +8154,28 @@ SQLite is different to the other SQL lookups because a filename is required in addition to the SQL query. An SQLite database is a single file, and there is no daemon as in the other SQL databases. +.new .oindex &%sqlite_dbfile%& -The preferred way of specifying the file is by using the -&%sqlite_dbfile%& option, set to -an absolute path. +There are two ways of +specifying the file. +The first is is by using the &%sqlite_dbfile%& main option. +The second, which allows separate files for each query, +is to use an option appended, comma-separated, to the &"sqlite"& +lookup type word. The option is the word &"file"&, then an equals, +then the filename. +The filename in this case cannot contain whitespace or open-brace charachters. +.wen + A deprecated method is available, prefixing the query with the filename separated by white space. -This means that the path name cannot contain white space. +This means that .cindex "tainted data" "sqlite file" -It also means that the query cannot use any tainted values, as that taints +the query cannot use any tainted values, as that taints the entire query including the filename - resulting in a refusal to open the file. +In all the above cases the filename must be an absolute path. + Here is a lookup expansion example: .code sqlite_dbfile = /some/thing/sqlitedb @@ -9453,10 +9462,22 @@ the data type. ACL rules always expand strings. A couple of expansion conditions do not expand some of the brace-delimited branches, for security reasons, .cindex "tainted data" expansion +.cindex "tainted data" definition .cindex expansion "tainted data" and expansion of data deriving from the sender (&"tainted data"&) is not permitted. +.new +Common ways of obtaining untainted equivalents of variables with +tainted values +.cindex "tainted data" "de-tainting" +come down to using the tainted value as a lookup key in a trusted database. +This database could be the filesystem structure, +or the password file, +or accessed via a DBMS. +Specific methods are indexed under &"de-tainting"&. +.wen + .section "Literal text in expanded strings" "SECTlittext" @@ -10168,12 +10189,21 @@ extracted is used. You can use &`fail`& instead of {<&'string3'&>} as in a string extract. -.vitem "&*${lookup{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&& - {*&<&'file'&>&*}&~{*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&" -This is the first of one of two different types of lookup item, which are both -described in the next item. +.new +.vitem &*${listquote{*&<&'separator'&>&*}{*&<&'string'&>&*}}*& +.cindex quoting "for list" +.cindex list quoting +This item doubles any occurrence of the separator character +in the given string. +An empty string is replaced with a single space. +This converts the string into a safe form for use as a list element, +in a list using the given separator. +.wen + -.vitem "&*${lookup&~*&<&'search&~type'&>&*&~{*&<&'query'&>&*}&~&&& +.vitem "&*${lookup&~{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&& + {*&<&'file'&>&*}&~{*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&" &&& + "&*${lookup&~*&<&'search&~type'&>&*&~{*&<&'query'&>&*}&~&&& {*&<&'string1'&>&*}&~{*&<&'string2'&>&*}}*&" .cindex "expansion" "lookup in" .cindex "file" "lookups" @@ -11933,15 +11963,12 @@ request, for a password, so the data consists of just two strings. There can be problems if any of the strings are permitted to contain colon characters. In the usual way, these have to be doubled to avoid being taken as -separators. If the data is being inserted from a variable, the &%sg%& expansion -item can be used to double any existing colons. For example, the configuration +separators. +The &%listquote%& expansion item can be used for this. +For example, the configuration of a LOGIN authenticator might contain this setting: .code -server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}} -.endd -For a PLAIN authenticator you could use: -.code -server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}} +server_condition = ${if pam{$auth1:${listquote{:}{$auth2}}}} .endd In some operating systems, PAM authentication can be done only from a process running as root. Since Exim is running as the Exim user when receiving @@ -12445,8 +12472,9 @@ the complete argument of the ETRN command (see section &<>&). .cindex "tainted data" If the origin of the data is an incoming message, -the result of expanding this variable is tainted. -When un untainted version is needed, one should be obtained from +the result of expanding this variable is tainted and may not +be further expanded or used as a filename. +When an untainted version is needed, one should be obtained from looking up the value in a local (therefore trusted) database. Often &$domain_data$& is usable in this role. @@ -12645,7 +12673,8 @@ once. .cindex "tainted data" If the origin of the data is an incoming message, -the result of expanding this variable is tainted. +the result of expanding this variable is tainted and +may not be further expanded or used as a filename. &*Warning*&: the content of this variable is usually provided by a potential attacker. @@ -13781,6 +13810,8 @@ Observability for TLS session resumption. See &<>& for details. .vindex "&$tls_in_sni$&" .vindex "&$tls_sni$&" .cindex "TLS" "Server Name Indication" +.cindex "TLS" SNI +.cindex SNI "observability on server" When a TLS session is being established, if the client sends the Server Name Indication extension, the value will be placed in this variable. If the variable appears in &%tls_certificate%& then this option and @@ -13796,6 +13827,8 @@ the outbound. .vitem &$tls_out_sni$& .vindex "&$tls_out_sni$&" .cindex "TLS" "Server Name Indication" +.cindex "TLS" SNI +.cindex SNI "observability in client" During outbound SMTP deliveries, this variable reflects the value of the &%tls_sni%& option on the transport. @@ -17963,6 +17996,7 @@ syslog. The value must be no longer than 32 characters. See chapter .option syslog_timestamp main boolean true .cindex "syslog" "timestamps" +.cindex timestamps syslog If &%syslog_timestamp%& is set false, the timestamps on Exim's log lines are omitted when these lines are sent to syslog. See chapter &<>& for details of Exim's logging. @@ -18118,6 +18152,7 @@ when a list of more than one file is used, the &$tls_in_ourcert$& variable is unreliable. The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions. +.cindex SNI "selecting server certificate based on" If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the Server Name Indication extension, then this option and others documented in @@ -25670,6 +25705,8 @@ See &<>& for details. .option tls_sni smtp string&!! unset .cindex "TLS" "Server Name Indication" +.cindex "TLS" SNI +.cindex SNI "setting in client" .vindex "&$tls_sni$&" If this option is set then it sets the $tls_out_sni variable and causes any TLS session to pass this value as the Server Name Indication extension to @@ -29215,8 +29252,14 @@ certificate verification to the listed servers. Verification either must or need not succeed respectively. The &%tls_verify_cert_hostnames%& option lists hosts for which additional -checks are made: that the host name (the one in the DNS A record) -is valid for the certificate. +name checks are made on the server certificate. +.new +The match against this list is, as per other Exim usage, the +IP for the host. That is most closely associated with the +name on the DNS A (or AAAA) record for the host. +However, the name that needs to be in the certificate +is the one at the head of any CNAME chain leading to the A record. +.wen The option defaults to always checking. The &(smtp)& transport has two OCSP-related options: @@ -29266,6 +29309,8 @@ outgoing connection. .section "Use of TLS Server Name Indication" "SECTtlssni" .cindex "TLS" "Server Name Indication" +.cindex "TLS" SNI +.cindex SNI .vindex "&$tls_in_sni$&" .oindex "&%tls_in_sni%&" With TLS1.0 or above, there is an extension mechanism by which extra @@ -31743,8 +31788,9 @@ send email. Details of how this works are given in section .cindex "header lines" "verifying header names only ASCII" .cindex "verifying" "header names only ASCII" This condition is relevant only in an ACL that is run after a message has been -received, that is, in an ACL specified by &%acl_smtp_data%& or -&%acl_not_smtp%&. It checks all header names (not the content) to make sure +received. +This usually means an ACL specified by &%acl_smtp_data%& or &%acl_not_smtp%&. +It checks all header names (not the content) to make sure there are no non-ASCII characters, also excluding control characters. The allowable characters are decimal ASCII values 33 through 126. @@ -31899,7 +31945,7 @@ Note that '/' is legal in local-parts; if the address may have such (eg. is generated from the received message) they must be protected from the options parsing by doubling: .code -verify = sender=${sg{${address:$h_sender:}}{/}{//}} +verify = sender=${listquote{/}{${address:$h_sender:}}} .endd .endlist @@ -35430,14 +35476,14 @@ address if its delivery failed. .section "Per-address filtering" "SECTperaddfil" -.vindex "&$domain$&" -.vindex "&$local_part$&" +.vindex "&$domain_data$&" +.vindex "&$local_part_data$&" In contrast to the system filter, which is run just once per message for each delivery attempt, it is also possible to set up a system-wide filtering operation that runs once for each recipient address. In this case, variables -such as &$local_part$& and &$domain$& can be used, and indeed, the choice of -filter file could be made dependent on them. This is an example of a router -which implements such a filter: +such as &$local_part_data$& and &$domain_data$& can be used, +and indeed, the choice of filter file could be made dependent on them. +This is an example of a router which implements such a filter: .code central_filter: check_local_user @@ -37258,7 +37304,7 @@ follows: .code my_mailboxes: driver = appendfile - file = /var/mail/$domain/$local_part_data + file = /var/mail/$domain_data/$local_part_data user = mail .endd This uses a directory of mailboxes for each domain. The &%user%& setting is @@ -37298,7 +37344,7 @@ It runs a user's &_.forward_& file for all local parts of the form cases by testing the variable &$local_part_suffix$&. For example: .code if $local_part_suffix contains -special then -save /home/$local_part/Mail/special +save /home/$local_part_data/Mail/special endif .endd If the filter file does not exist, or does not deal with such addresses, they @@ -38644,6 +38690,7 @@ an asterisk is appended to the X= cipher field in the log line. .next .cindex "log" "TLS SNI" .cindex "TLS" "logging SNI" +.cindex SNI logging &%tls_sni%&: When a message is received over an encrypted connection, and the remote host provided the Server Name Indication extension, the SNI is added to the log line, preceded by SNI=.