X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/df6303fac223cae633ac6054ea8d795f2e8bf7ee..7be682ca5ebd9571a01b762195b11c34cd231830:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b1984b5cb..32e24ca80 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1868,6 +1868,14 @@ SUPPORT_TLS=yes TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto TLS_INCLUDE=-I/usr/local/openssl/include/ .endd +.new +.cindex "pkg-config" "OpenSSL" +If you have &'pkg-config'& available, then instead you can just use: +.code +SUPPORT_TLS=yes +USE_OPENSSL_PC=openssl +.endd +.wen .cindex "USE_GNUTLS" If GnuTLS is installed, you should set .code @@ -1883,6 +1891,16 @@ USE_GNUTLS=yes TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt TLS_INCLUDE=-I/usr/gnu/include .endd +.new +.cindex "pkg-config" "GnuTLS" +If you have &'pkg-config'& available, then instead you can just use: +.code +SUPPORT_TLS=yes +USE_GNUTLS=yes +USE_GNUTLS_PC=gnutls +.endd +.wen + You do not need to set TLS_INCLUDE if the relevant directory is already specified in INCLUDE. Details of how to configure Exim to make use of TLS are given in chapter &<>&. @@ -2110,6 +2128,28 @@ files or libraries are required. When a lookup type is not included in the binary, attempts to configure Exim to use it cause run time configuration errors. +.new +.cindex "pkg-config" "lookups" +.cindex "pkg-config" "authenticators" +Many systems now use a tool called &'pkg-config'& to encapsulate information +about how to compile against a library; Exim has some initial support for +being able to use pkg-config for lookups and authenticators. For any given +makefile variable which starts &`LOOKUP_`& or &`AUTH_`&, you can add a new +variable with the &`_PC`& suffix in the name and assign as the value the +name of the package to be queried. The results of querying via the +&'pkg-config'& command will be added to the appropriate Makefile variables +with &`+=`& directives, so your version of &'make'& will need to support that +syntax. For instance: +.code +LOOKUP_SQLITE=yes +LOOKUP_SQLITE_PC=sqlite3 +AUTH_GSASL=yes +AUTH_GSASL_PC=libgsasl +AUTH_HEIMDAL_GSSAPI=yes +AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi +.endd +.wen + .cindex "Perl" "including support for" Exim can be linked with an embedded Perl interpreter, allowing Perl subroutines to be called during string expansion. To enable this facility, @@ -6183,13 +6223,26 @@ using Berkeley DB versions 3 or 4, it opens existing databases for reading with the DB_UNKNOWN option. This enables it to handle any of the types of database that the library supports, and can be useful for accessing DBM files created by other applications. (For earlier DB versions, DB_HASH is always used.) +.new +.next +.cindex "lookup" "dbmjz" +.cindex "lookup" "dbm &-- embedded NULs" +.cindex "sasldb2" +.cindex "dbmjz lookup type" +&(dbmjz)&: This is the same as &(dbm)&, except that the lookup key is +interpreted as an Exim list; the elements of the list are joined together with +ASCII NUL characters to form the lookup key. An example usage would be to +authenticate incoming SMTP calls using the passwords from Cyrus SASL's +&_/etc/sasldb2_& file with the &(gsasl)& authenticator or Exim's own +&(cram_md5)& authenticator. +.wen .next .cindex "lookup" "dbmnz" .cindex "lookup" "dbm &-- terminating zero" .cindex "binary zero" "in lookup key" .cindex "Courier" .cindex "&_/etc/userdbshadow.dat_&" -.cindex "dmbnz lookup type" +.cindex "dbmnz lookup type" &(dbmnz)&: This is the same as &(dbm)&, except that a terminating binary zero is not included in the key that is passed to the DBM library. You may need this if you want to look up data in files that are created by or shared with some @@ -8483,6 +8536,13 @@ start of a portion of the string that is interpreted and replaced as described below in section &<>& onwards. Backslash is used as an escape character, as described in the following section. +Whether a string is expanded depends upon the context. Usually this is solely +dependent upon the option for which a value is sought; in this documentation, +options for which string expansion is performed are marked with † after +the data type. ACL rules always expand strings. A couple of expansion +conditions do not expand some of the brace-delimited branches, for security +reasons. + .section "Literal text in expanded strings" "SECTlittext" @@ -9864,6 +9924,10 @@ lower case), signifying multiplication by 1024 or 1024*1024, respectively. As a special case, the numerical value of an empty string is taken as zero. +In all cases, a relative comparator OP is testing if <&'string1'&> OP +<&'string2'&>; the above example is checking if &$message_size$& is larger than +10M, not if 10M is larger than &$message_size$&. + .vitem &*bool&~{*&<&'string'&>&*}*& .cindex "expansion" "boolean parsing" @@ -11784,6 +11848,16 @@ command in a filter file. Its use is explained in the description of that command, which can be found in the separate document entitled &'Exim's interfaces to mail filtering'&. +.new +.vitem &$tls_bits$& +.vindex "&$tls_bits$&" +Contains an approximation of the TLS cipher's bit-strength; the meaning of +this depends upon the TLS implementation used. +If TLS has not been negotiated, the value will be 0. +The value of this is automatically fed into the Cyrus SASL authenticator +when acting as a server, to specify the "external SSF" (a SASL term). +.wen + .vitem &$tls_certificate_verified$& .vindex "&$tls_certificate_verified$&" This variable is set to &"1"& if a TLS certificate was verified when the @@ -11814,6 +11888,24 @@ the value of the Distinguished Name of the certificate is made available in the value is retained during message delivery, except during outbound SMTP deliveries. +.new +.vitem &$tls_sni$& +.vindex "&$tls_sni$&" +.cindex "TLS" "Server Name Indication" +When a TLS session is being established, if the client sends the Server +Name Indication extension, the value will be placed in this variable. +If the variable appears in &%tls_certificate%& then this option and +&%tls_privatekey%& will be re-expanded early in the TLS session, to permit +a different certificate to be presented (and optionally a different key to be +used) to the client, based upon the value of the SNI extension. + +The value will be retained for the lifetime of the message, and not changed +during outbound SMTP. + +This is currently only available when using OpenSSL, built with support for +SNI. +.wen + .vitem &$tod_bsdinbox$& .vindex "&$tod_bsdinbox$&" The time of day and the date, in the format required for BSD-style mailbox @@ -14259,16 +14351,12 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. -.option openssl_options main "string list" +dont_insert_empty_fragments +.option openssl_options main "string list" unset .cindex "OpenSSL "compatibility options" This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items, -each one to be +added or -subtracted from the current value. The default -value is one option which happens to have been set historically. You can -remove all options with: -.code -openssl_options = -all -.endd +each one to be +added or -subtracted from the current value. + This option is only available if Exim is built against OpenSSL. The values available for this option vary according to the age of your OpenSSL install. The &"all"& value controls a subset of flags which are available, typically @@ -14280,14 +14368,76 @@ names lose the leading &"SSL_OP_"& and are lower-cased. Note that adjusting the options can have severe impact upon the security of SSL as used by Exim. It is possible to disable safety checks and shoot yourself in the foot in various unpleasant ways. This option should not be -adjusted lightly. An unrecognised item will be detected at by invoking Exim -with the &%-bV%& flag. +adjusted lightly. An unrecognised item will be detected at startup, by +invoking Exim with the &%-bV%& flag. + +.new +Historical note: prior to release 4.78, Exim defaulted this value to +"+dont_insert_empty_fragments", which may still be needed for compatibility +with some clients, but which lowers security by increasing exposure to +some now infamous attacks. +.wen An example: .code -openssl_options = -all +microsoft_big_sslv3_buffer +openssl_options = -all +microsoft_big_sslv3_buffer +dont_insert_empty_fragments .endd +Possible options may include: +.ilist +&`all`& +.ilist +&`allow_unsafe_legacy_renegotiation`& +.ilist +&`cipher_server_preference`& +.ilist +&`dont_insert_empty_fragments`& +.ilist +&`ephemeral_rsa`& +.ilist +&`legacy_server_connect`& +.ilist +&`microsoft_big_sslv3_buffer`& +.ilist +&`microsoft_sess_id_bug`& +.ilist +&`msie_sslv2_rsa_padding`& +.ilist +&`netscape_challenge_bug`& +.ilist +&`netscape_reuse_cipher_change_bug`& +.ilist +&`no_compression`& +.ilist +&`no_session_resumption_on_renegotiation`& +.ilist +&`no_sslv2`& +.ilist +&`no_sslv3`& +.ilist +&`no_ticket`& +.ilist +&`no_tlsv1`& +.ilist +&`no_tlsv1_1`& +.ilist +&`no_tlsv1_2`& +.ilist +&`single_dh_use`& +.ilist +&`single_ecdh_use`& +.ilist +&`ssleay_080_client_dh_bug`& +.ilist +&`sslref2_reuse_cert_type_bug`& +.ilist +&`tls_block_padding_bug`& +.ilist +&`tls_d5_bug`& +.ilist +&`tls_rollback_bug`& +.endlist + .option oracle_servers main "string list" unset .cindex "Oracle" "server list" @@ -24129,6 +24279,20 @@ lookup_cram: Note that this expansion explicitly forces failure if the lookup fails because &$auth1$& contains an unknown user name. +.new +As another example, if you wish to re-use a Cyrus SASL sasldb2 file without +using the relevant libraries, you need to know the realm to specify in the +lookup and then ask for the &"userPassword"& attribute for that user in that +realm, with: +.code +cyrusless_crammd5: + driver = cram_md5 + public_name = CRAM-MD5 + server_secret = ${lookup{$auth1:mail.example.org:userPassword}\ + dbmjz{/etc/sasldb2}} + server_set_id = $auth1 +.endd +.wen .section "Using cram_md5 as a client" "SECID177" .cindex "options" "&(cram_md5)& authenticator (client)" @@ -24243,8 +24407,10 @@ sasl: server_set_id = $auth1 .endd -.option server_realm cyrus_sasl string unset +.new +.option server_realm cyrus_sasl string&!! unset This specifies the SASL realm that the server claims to be in. +.wen .option server_service cyrus_sasl string &`smtp`& @@ -24458,6 +24624,20 @@ An &'anonymous token'& is something passed along as an unauthenticated identifier; this is analogous to FTP anonymous authentication passing an email address, or software-identifier@, as the "password". + +An example showing the password having the realm specified in the callback +and demonstrating a Cyrus SASL to GSASL migration approach is: +.code +gsasl_cyrusless_crammd5: + driver = gsasl + public_name = CRAM-MD5 + server_realm = imap.example.org + server_password = ${lookup{$auth1:$auth3:userPassword}\ + dbmjz{/etc/sasldb2}{$value}fail} + server_set_id = ${quote:$auth1} + server_condition = yes +.endd + .wen . //////////////////////////////////////////////////////////////////////////// @@ -24506,7 +24686,8 @@ role suffix. For instance, &"joe/admin@EXAMPLE.ORG"&. .next .vindex "&$auth2$&" &$auth2$&: the &'authorization id'&, sent within SASL encapsulation after -authentication. +authentication. If that was empty, this will also be set to the +GSS Display Name. .endlist .wen