X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/f16d3973f79d47921ef2aa537da4708ff67f2be5..6808e0f19ec9a9544241e26cf1e3179eb86bbd00:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 07b496676..4147ee205 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -5905,13 +5905,13 @@ messages that are submitted by SMTP from local processes using the standard input and output (that is, not using TCP/IP). A number of MUAs operate in this manner. .code -deny message = Restricted characters in address - domains = +local_domains +deny domains = +local_domains local_parts = ^[.] : ^.*[@%!/|] + message = Restricted characters in address -deny message = Restricted characters in address - domains = !+local_domains +deny domains = !+local_domains local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + message = Restricted characters in address .endd These statements are concerned with local parts that contain any of the characters &"@"&, &"%"&, &"!"&, &"/"&, &"|"&, or dots in unusual places. @@ -6015,10 +6015,10 @@ require verify = recipient This statement requires the recipient address to be verified; if verification fails, the address is rejected. .code -# deny message = rejected because $sender_host_address \ +# deny dnslists = black.list.example +# message = rejected because $sender_host_address \ # is in a black list at $dnslist_domain\n\ # $dnslist_text -# dnslists = black.list.example # # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in \ @@ -6641,6 +6641,8 @@ file that is searched could contain lines like this: .endd When the lookup succeeds, the result of the expansion is a list of domains (and possibly other types of item that are allowed in domain lists). +.cindex "tainted data" "de-tainting" +The result of the expansion is not tainted. In the second example, the lookup is a single item in a domain list. It causes Exim to use a lookup to see if the domain that is being processed can be found @@ -6661,6 +6663,13 @@ If the value of &$sender_host_address$& is 192.168.5.6, expansion of the first &%domains%& setting above generates the second setting, which therefore causes a second lookup to occur. +.new +The lookup type may optionally be followed by a comma +and a comma-separated list of options. +Each option is a &"name=value"& pair. +Whether an option is meaningful depands on the lookup type. +.wen + The rest of this chapter describes the different lookup types that are available. Any of them can be used in any part of the configuration where a lookup is permitted. @@ -6678,6 +6687,13 @@ lookup to succeed. The lookup type determines how the file is searched. .new .cindex "tainted data" "single-key lookups" The file string may not be tainted + +.cindex "tainted data" "de-tainting" +All single-key lookups support the option &"ret=key"&. +If this is given and the lookup +(either underlying implementation or cached value) +returns data, the result is replaced with a non-tainted +version of the lookup key. .wen .next .cindex "query-style lookup" "definition of" @@ -10869,8 +10885,7 @@ a decimal representation of the answer (without &"K"&, &"M"& or &"G"&). For exam As a more realistic example, in an ACL you might have .code -deny message = Too many bad recipients - condition = \ +deny condition = \ ${if and { \ {>{$rcpt_count}{10}} \ { \ @@ -10879,6 +10894,7 @@ deny message = Too many bad recipients {${eval:$rcpt_count/2}} \ } \ }{yes}{no}} + message = Too many bad recipients .endd The condition is true if there have been more than 10 RCPT commands and fewer than half of them have resulted in a valid recipient. @@ -12309,13 +12325,6 @@ contain the trailing slash. If &$config_file$& does not contain a slash, .vindex "&$config_file$&" The name of the main configuration file Exim is using. -.vitem &$dmarc_domain_policy$& &&& - &$dmarc_status$& &&& - &$dmarc_status_text$& &&& - &$dmarc_used_domains$& -Results of DMARC verification. -For details see section &<>&. - .vitem &$dkim_verify_status$& Results of DKIM verification. For details see section &<>&. @@ -12348,6 +12357,13 @@ When a message has been received this variable contains a colon-separated list of signer domains and identities for the message. For details see section &<>&. +.vitem &$dmarc_domain_policy$& &&& + &$dmarc_status$& &&& + &$dmarc_status_text$& &&& + &$dmarc_used_domains$& +Results of DMARC verification. +For details see section &<>&. + .vitem &$dnslist_domain$& &&& &$dnslist_matched$& &&& &$dnslist_text$& &&& @@ -12519,7 +12535,7 @@ result of the lookup is made available in the &$host_data$& variable. This allows you, for example, to do things like this: .code deny hosts = net-lsearch;/some/file -message = $host_data + message = $host_data .endd .vitem &$host_lookup_deferred$& .cindex "host name" "lookup, failure of" @@ -12871,9 +12887,9 @@ header and the body). Here is an example of the use of this variable in a DATA ACL: .code -deny message = Too many lines in message header - condition = \ +deny condition = \ ${if <{250}{${eval:$message_linecount - $body_linecount}}} + message = Too many lines in message header .endd In the MAIL and RCPT ACLs, the value is zero because at that stage the message has not yet been received. @@ -14648,6 +14664,9 @@ See also the &'Policy controls'& section above. .row &%dkim_verify_keytypes%& "DKIM key types accepted for signatures" .row &%dkim_verify_min_keysizes%& "DKIM key sizes accepted for signatures" .row &%dkim_verify_signers%& "DKIM domains for which DKIM ACL is run" +.row &%dmarc_forensic_sender%& "DMARC sender for report messages" +.row &%dmarc_history_file%& "DMARC results log" +.row &%dmarc_tld_file%& "DMARC toplevel domains file" .row &%host_lookup%& "host name looked up for these hosts" .row &%host_lookup_order%& "order of DNS and local name lookups" .row &%recipient_unqualified_hosts%& "may send unqualified recipients" @@ -15452,6 +15471,14 @@ the ACL once for each signature in the message. See section &<>&. +.option dmarc_forensic_sender main string&!! unset +.option dmarc_history_file main string unset +.option dmarc_tld_file main string unset +.cindex DMARC "main section options" +These options control DMARC processing. +See section &<>& for details. + + .option dns_again_means_nonexist main "domain list&!!" unset .cindex "DNS" "&""try again""& response; overriding" DNS lookups give a &"try again"& response for the DNS errors @@ -15631,6 +15658,10 @@ and RET and ORCPT options on MAIL FROM commands. A NOTIFY=SUCCESS option requests success-DSN messages. A NOTIFY= option with no argument requests that no delay or failure DSNs are sent. +.new +&*Note*&: Supplying success-DSN messages has been criticised +on privacy grounds; it can leak details of internal forwarding. +.wen .option dsn_from main "string&!!" "see below" .cindex "&'From:'& header line" "in bounces" @@ -25672,13 +25703,17 @@ The &%tls_verify_certificates%& option must also be set. If both this option and &%tls_try_verify_hosts%& are unset operation is as if this option selected all hosts. -.option utf8_downconvert smtp integer&!! unset +.option utf8_downconvert smtp integer&!! -1 .cindex utf8 "address downconversion" .cindex i18n "utf8 address downconversion" If built with internationalization support, -this option controls conversion of UTF-8 in message addresses +this option controls conversion of UTF-8 in message envelope addresses to a-label form. -For details see section &<>&. +If, after expansion, the value is 1, 0, or -1 then this value overrides +any value previously set for the message. Otherwise, any previously +set value is used. To permit use of a previous value, +set this option to an empty string. +For details on the values see section &<>&. @@ -30217,8 +30252,8 @@ The &%message%& modifier operates exactly as it does for &%accept%&. &%drop%&: This verb behaves like &%deny%&, except that an SMTP connection is forcibly closed after the 5&'xx'& error message has been sent. For example: .code -drop message = I don't take more than 20 RCPTs - condition = ${if > {$rcpt_count}{20}} +drop condition = ${if > {$rcpt_count}{20}} + message = I don't take more than 20 RCPTs .endd There is no difference between &%deny%& and &%drop%& for the connect-time ACL. The connection is always dropped after sending a 550 response. @@ -31097,7 +31132,7 @@ data is read. that are being submitted at the same time using &%-bs%& or &%-bS%&. .vitem &*control&~=&~utf8_downconvert*& -This control enables conversion of UTF-8 in message addresses +This control enables conversion of UTF-8 in message envelope addresses to a-label form. For details see section &<>&. .endlist vlist @@ -31454,7 +31489,7 @@ of the lookup is made available in the &$host_data$& variable. This allows you, for example, to set up a statement like this: .code deny hosts = net-lsearch;/some/file -message = $host_data + message = $host_data .endd which gives a custom error message for each denied host. @@ -31598,8 +31633,8 @@ section &<>& (callouts are described in section condition to restrict it to bounce messages only: .code deny senders = : - message = A valid sender header is required for bounces !verify = header_sender + message = A valid sender header is required for bounces .endd .vitem &*verify&~=&~header_syntax*& @@ -31781,8 +31816,8 @@ Testing the list of domains stops as soon as a match is found. If you want to warn for one list and block for another, you can use two different statements: .code deny dnslists = blackholes.mail-abuse.org -warn message = X-Warn: sending host is on dialups list - dnslists = dialups.mail-abuse.org +warn dnslists = dialups.mail-abuse.org + message = X-Warn: sending host is on dialups list .endd .cindex caching "of dns lookup" .cindex DNS TTL @@ -31823,8 +31858,8 @@ addresses (see, e.g., the &'domain based zones'& link at with these lists. You can change the name that is looked up in a DNS list by listing it after the domain name, introduced by a slash. For example, .code -deny message = Sender's domain is listed at $dnslist_domain - dnslists = dsn.rfc-ignorant.org/$sender_address_domain +deny dnslists = dsn.rfc-ignorant.org/$sender_address_domain + message = Sender's domain is listed at $dnslist_domain .endd This particular example is useful only in ACLs that are obeyed after the RCPT or DATA commands, when a sender address is available. If (for @@ -31888,13 +31923,13 @@ dnslists = black.list.tld/a.domain::b.domain However, when the data for the list is obtained from a lookup, the second form is usually much more convenient. Consider this example: .code -deny message = The mail servers for the domain \ +deny dnslists = sbl.spamhaus.org/<|${lookup dnsdb {>|a=<|\ + ${lookup dnsdb {>|mxh=\ + $sender_address_domain} }} } + message = The mail servers for the domain \ $sender_address_domain \ are listed at $dnslist_domain ($dnslist_value); \ see $dnslist_text. - dnslists = sbl.spamhaus.org/<|${lookup dnsdb {>|a=<|\ - ${lookup dnsdb {>|mxh=\ - $sender_address_domain} }} } .endd Note the use of &`>|`& in the dnsdb lookup to specify the separator for multiple DNS records. The inner dnsdb lookup produces a list of MX hosts @@ -31967,7 +32002,7 @@ very meaningful. See section &<>& for a way of obtaining more information. You can use the DNS list variables in &%message%& or &%log_message%& modifiers -&-- although these appear before the condition in the ACL, they are not +&-- even if these appear before the condition in the ACL, they are not expanded until after it has failed. For example: .code deny hosts = !+local_networks @@ -32153,12 +32188,12 @@ restrictions, to get the TXT record. As a byproduct of this, there is also a check that the IP being tested is indeed on the first list. The first domain is the one that is put in &$dnslist_domain$&. For example: .code -deny message = \ - rejected because $sender_host_address is blacklisted \ - at $dnslist_domain\n$dnslist_text - dnslists = \ +deny dnslists = \ sbl.spamhaus.org,sbl-xbl.spamhaus.org=127.0.0.2 : \ dul.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.10 + message = \ + rejected because $sender_host_address is blacklisted \ + at $dnslist_domain\n$dnslist_text .endd For the first blacklist item, this starts by doing a lookup in &'sbl-xbl.spamhaus.org'& and testing for a 127.0.0.2 return. If there is a @@ -32348,12 +32383,12 @@ new rate. .code acl_check_connect: deny ratelimit = 100 / 5m / readonly - log_message = RATE CHECK: $sender_rate/$sender_rate_period \ + log_message = RATE CHECK: $sender_rate/$sender_rate_period \ (max $sender_rate_limit) # ... acl_check_mail: warn ratelimit = 100 / 5m / strict - log_message = RATE UPDATE: $sender_rate/$sender_rate_period \ + log_message = RATE UPDATE: $sender_rate/$sender_rate_period \ (max $sender_rate_limit) .endd @@ -32463,16 +32498,16 @@ deny authenticated = * ratelimit = 100 / 1d / strict / $authenticated_id # System-wide rate limit -defer message = Sorry, too busy. Try again later. - ratelimit = 10 / 1s / $primary_hostname +defer ratelimit = 10 / 1s / $primary_hostname + message = Sorry, too busy. Try again later. # Restrict incoming rate from each host, with a default # set using a macro and special cases looked up in a table. -defer message = Sender rate exceeds $sender_rate_limit \ - messages per $sender_rate_period - ratelimit = ${lookup {$sender_host_address} \ +defer ratelimit = ${lookup {$sender_host_address} \ cdb {DB/ratelimits.cdb} \ {$value} {RATELIMIT} } + message = Sender rate exceeds $sender_rate_limit \ + messages per $sender_rate_period .endd &*Warning*&: If you have a busy server with a lot of &%ratelimit%& tests, especially with the &%per_rcpt%& option, you may suffer from a performance @@ -33061,16 +33096,16 @@ list called &%batv_senders%&. Then, in the ACL for RCPT commands, you could use this: .code # Bounces: drop unsigned addresses for BATV senders -deny message = This address does not send an unsigned reverse path - senders = : +deny senders = : recipients = +batv_senders + message = This address does not send an unsigned reverse path # Bounces: In case of prvs-signed address, check signature. -deny message = Invalid reverse path signature. - senders = : +deny senders = : condition = ${prvscheck {$local_part@$domain}\ {PRVSCHECK_SQL}{1}} !condition = $prvscheck_result + message = Invalid reverse path signature. .endd The first statement rejects recipients for bounce messages that are addressed to plain BATV sender addresses, because it is known that BATV senders do not @@ -33607,13 +33642,13 @@ imposed by your anti-virus scanner. Here is a very simple scanning example: .code -deny message = This message contains malware ($malware_name) - malware = * +deny malware = * + message = This message contains malware ($malware_name) .endd The next example accepts messages when there is a problem with the scanner: .code -deny message = This message contains malware ($malware_name) - malware = */defer_ok +deny malware = */defer_ok + message = This message contains malware ($malware_name) .endd The next example shows how to use an ACL variable to scan with both sophie and aveserver. It assumes you have set: @@ -33622,13 +33657,13 @@ av_scanner = $acl_m0 .endd in the main Exim configuration. .code -deny message = This message contains malware ($malware_name) - set acl_m0 = sophie +deny set acl_m0 = sophie malware = * + message = This message contains malware ($malware_name) -deny message = This message contains malware ($malware_name) - set acl_m0 = aveserver +deny set acl_m0 = aveserver malware = * + message = This message contains malware ($malware_name) .endd @@ -33757,8 +33792,8 @@ is set to record the actual address used. .section "Calling SpamAssassin from an Exim ACL" "SECID206" Here is a simple example of the use of the &%spam%& condition in a DATA ACL: .code -deny message = This message was classified as SPAM - spam = joe +deny spam = joe + message = This message was classified as SPAM .endd The right-hand side of the &%spam%& condition specifies a name. This is relevant if you have set up multiple SpamAssassin profiles. If you do not want @@ -33790,9 +33825,9 @@ large ones may cause significant performance degradation. As most spam messages are quite small, it is recommended that you do not scan the big ones. For example: .code -deny message = This message was classified as SPAM - condition = ${if < {$message_size}{10K}} +deny condition = ${if < {$message_size}{10K}} spam = nobody + message = This message was classified as SPAM .endd The &%spam%& condition returns true if the threshold specified in the user's @@ -33850,8 +33885,8 @@ failed. If you want to treat DEFER as FAIL (to pass on to the next ACL statement block), append &`/defer_ok`& to the right-hand side of the spam condition, like this: .code -deny message = This message was classified as SPAM - spam = joe/defer_ok +deny spam = joe/defer_ok + message = This message was classified as SPAM .endd This causes messages to be accepted even if there is a problem with &%spamd%&. @@ -33869,9 +33904,9 @@ warn spam = nobody add_header = Subject: *SPAM* $h_Subject: # reject spam at high scores (> 12) -deny message = This message scored $spam_score spam points. - spam = nobody:true +deny spam = nobody:true condition = ${if >{$spam_score_int}{120}{1}{0}} + message = This message scored $spam_score spam points. .endd @@ -34075,10 +34110,10 @@ As an example, the following will ban &"HTML mail"& (including that sent with alternative plain text), while allowing HTML files to be attached. HTML coverletter mail attached to non-HTML coverletter mail will also be allowed: .code -deny message = HTML mail is not accepted here -!condition = $mime_is_rfc822 -condition = $mime_is_coverletter -condition = ${if eq{$mime_content_type}{text/html}{1}{0}} +deny !condition = $mime_is_rfc822 + condition = $mime_is_coverletter + condition = ${if eq{$mime_content_type}{text/html}{1}{0}} + message = HTML mail is not accepted here .endd .vitem &$mime_is_multipart$& @@ -34131,8 +34166,8 @@ expanded before being used, you must also escape dollar signs and backslashes with more backslashes, or use the &`\N`& facility to disable expansion. Here is a simple example that contains two regular expressions: .code -deny message = contains blacklisted regex ($regex_match_string) - regex = [Mm]ortgage : URGENT BUSINESS PROPOSAL +deny regex = [Mm]ortgage : URGENT BUSINESS PROPOSAL + message = contains blacklisted regex ($regex_match_string) .endd The conditions returns true if any one of the regular expressions matches. The &$regex_match_string$& expansion variable is then set up and contains the @@ -40863,10 +40898,10 @@ verb to a group of domains or identities. For example: .code # Warn when Mail purportedly from GMail has no gmail signature -warn log_message = GMail sender without gmail.com DKIM signature - sender_domains = gmail.com +warn sender_domains = gmail.com dkim_signers = gmail.com dkim_status = none + log_message = GMail sender without gmail.com DKIM signature .endd Note that the above does not check for a total lack of DKIM signing; @@ -40878,10 +40913,10 @@ results against the actual result of verification. This is typically used to restrict an ACL verb to a list of verification outcomes, for example: .code -deny message = Mail from Paypal with invalid/missing signature - sender_domains = paypal.com:paypal.de +deny sender_domains = paypal.com:paypal.de dkim_signers = paypal.com:paypal.de dkim_status = none:invalid:fail + message = Mail from Paypal with invalid/missing signature .endd The possible status keywords are: 'none','invalid','fail' and 'pass'. Please @@ -40965,13 +41000,16 @@ deny spf = fail message = $sender_host_address is not allowed to send mail from \ ${if def:sender_address_domain \ {$sender_address_domain}{$sender_helo_name}}. \ - Please see http://www.open-spf.org/Why?scope=\ - ${if def:sender_address_domain {mfrom}{helo}};\ + Please see http://www.open-spf.org/Why;\ identity=${if def:sender_address_domain \ {$sender_address}{$sender_helo_name}};\ ip=$sender_host_address .endd +Note: The above mentioned URL may not be as helpful as expected. You are +encouraged to replace the link with a link to a site with more +explanations. + When the spf condition has run, it sets up several expansion variables: @@ -41380,8 +41418,8 @@ A possible solution is: # Or do some kind of IP lookup in a flat file or database # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}} - defer message = Too many connections from this IP right now - ratelimit = LIMIT / 5s / per_conn / strict + defer ratelimit = LIMIT / 5s / per_conn / strict + message = Too many connections from this IP right now .endd @@ -41524,22 +41562,27 @@ may use the following modifier: control = utf8_downconvert control = utf8_downconvert/ .endd -This sets a flag requiring that addresses are converted to -a-label form before smtp delivery, for use in a -Message Submission Agent context. +This sets a flag requiring that envelope addresses are converted to +a-label form before smtp delivery. +This is usually for use in a Message Submission Agent context, +but could be used for any message. + If a value is appended it may be: .display -&`1 `& (default) mandatory downconversion +&`1 `& mandatory downconversion &`0 `& no downconversion &`-1 `& if SMTPUTF8 not supported by destination host .endd +If no value is given, 1 is used. If mua_wrapper is set, the utf8_downconvert control is initially set to -1. The smtp transport has an option &%utf8_downconvert%&. If set it must expand to one of the three values described above, -and it overrides any previously set value. +or an empty string. +If non-empty it overrides value previously set +(due to mua_wrapper or by an ACL control). There is no explicit support for VRFY and EXPN.