X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=doc%2Fdoc-docbook%2Fspec.xfpt;h=3894c56cf4c41d8a62d807701d624c89d043c371;hb=7a5018557fc37383a98078d7b826c513c2126c2e;hp=37bfeb3f39aa91eda25d53a8b1227c8372a1cb12;hpb=980bb6b778928aeb9401bafc9e1a00c184fb5ff0;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 37bfeb3f3..3894c56cf 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3922,6 +3922,18 @@ This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option, and passes on the fact that the host to which Exim is connected supports TLS encryption. +.new +.vitem &%-MCr%&&~<&'SNI'&> &&& + &%-MCs%&&~<&'SNI'&> +.oindex "&%-MCs%&" +.oindex "&%-MCr%&" +These options are not intended for use by external callers. It is used internally +by Exim in conjunction with the &%-MCt%& option, and passes on the fact that +a TLS Server Name Indication was sent as part of the channel establishment. +The argument gives the SNI string. +The "r" variant indicates a DANE-verified connection. +.wen + .vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&> .oindex "&%-MCt%&" This option is not intended for use by external callers. It is used internally @@ -17307,6 +17319,9 @@ manager, there is no way of controlling the total number of simultaneous deliveries if the configuration allows a delivery attempt as soon as a message is received. +See also the &%max_parallel%& generic transport option, +and the &%serialize_hosts%& smtp transport option. + .cindex "number of deliveries" .cindex "delivery" "maximum number of" If you want to control the total number of deliveries on the system, you @@ -25761,7 +25776,11 @@ See &<>& for details. .cindex "TLS" SNI .cindex SNI "setting in client" .vindex "&$tls_sni$&" -If this option is set then it sets the $tls_out_sni variable and causes any +If this option is set +.new +and the connection is not DANE-validated +.wen +then it sets the $tls_out_sni variable and causes any TLS session to pass this value as the Server Name Indication extension to the remote side, which can be used by the remote side to select an appropriate certificate and private key for the session. @@ -28767,6 +28786,12 @@ Some other recently added features may only be available in one or the other. This should be documented with the feature. If the documentation does not explicitly state that the feature is infeasible in the other TLS implementation, then patches are welcome. +.new +.next +The output from "exim -bV" will show which (if any) support was included +in the build. +Also, the macro "_HAVE_OPENSSL" or "_HAVE_GNUTLS" will be defined. +.wen .endlist @@ -29395,6 +29420,11 @@ nothing more to it. Choosing a sensible value not derived insecurely is the only point of caution. The &$tls_out_sni$& variable will be set to this string for the lifetime of the client connection (including during authentication). +.new +If DANE validated the connection attempt then the value of the &%tls_sni%& option +is forced to the domain part of the recipient address. +.wen + Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string received from a client. It can be logged with the &%log_selector%& item &`+tls_sni`&. @@ -29692,7 +29722,7 @@ by (a) is thought to be smaller than that of the set of root CAs. It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply fail to pass on a server's STARTTLS. -DANE scales better than having to maintain (and side-channel communicate) copies of server certificates +DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates for every possible target server. It also scales (slightly) better than having to maintain on an SMTP client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates. @@ -29837,6 +29867,7 @@ If DANE is requested and useable (see above) the following transport options are tls_verify_certificates tls_crl tls_verify_cert_hostnames + tls_sni .endd If DANE is not usable, whether requested or not, and CA-anchored @@ -32580,7 +32611,7 @@ in kilobytes, megabytes, or gigabytes, respectively. The &%per_rcpt%& option causes Exim to limit the rate at which recipients are accepted. It can be used in the &%acl_smtp_rcpt%&, &%acl_smtp_predata%&, -&%acl_smtp_mime%&, &%acl_smtp_data%&, or &%acl_smtp_rcpt%& ACLs. In +&%acl_smtp_mime%&, or &%acl_smtp_data%& ACLs. In &%acl_smtp_rcpt%& the rate is updated one recipient at a time; in the other ACLs the rate is updated with the total (accepted) recipient count in one go. Note that in either case the rate limiting engine will see a message with many @@ -38062,7 +38093,8 @@ fields record the router and transport that were used to process the address. If SMTP AUTH was used for the delivery there is an additional item A= followed by the name of the authenticator that was used. If an authenticated identification was set up by the authenticator's &%client_set_id%& -option, this is logged too, separated by a colon from the authenticator name. +option, this is logged too, as a second colon-separated list item. +Optionally (see the &%smtp_mailauth%& &%log_selector%&) there may be a third list item. If a shadow transport was run after a successful local delivery, the log line for the successful delivery has an item added on the end, of the form @@ -38800,9 +38832,9 @@ the next chapter. The utilities described here are: "check address acceptance from given IP" .irow &<>& &'exim_dbmbuild'& "build a DBM file" .irow &<>& &'exinext'& "extract retry information" -.irow &<>& &'exim_dumpdb'& "dump a hints database" -.irow &<>& &'exim_tidydb'& "clean up a hints database" -.irow &<>& &'exim_fixdb'& "patch a hints database" +.irow &<>& &'exim_dumpdb'& "dump a hints database" +.irow &<>& &'exim_tidydb'& "clean up a hints database" +.irow &<>& &'exim_fixdb'& "patch a hints database" .irow &<>& &'exim_lock'& "lock a mailbox file" .endtable @@ -39308,7 +39340,7 @@ in a transport) -.section "exim_dumpdb" "SECID261" +.section "exim_dumpdb" "SECTdumpdb" .cindex "&'exim_dumpdb'&" The entire contents of a database are written to the standard output by the &'exim_dumpdb'& program, which has no options or arguments other than the @@ -39345,7 +39377,7 @@ cross-references. -.section "exim_tidydb" "SECID262" +.section "exim_tidydb" "SECTtidydb" .cindex "&'exim_tidydb'&" The &'exim_tidydb'& utility program is used to tidy up the contents of a hints database. If run with no options, it removes all records that are more than 30 @@ -39394,7 +39426,7 @@ databases is likely to keep on increasing. -.section "exim_fixdb" "SECID263" +.section "exim_fixdb" "SECTfixdb" .cindex "&'exim_fixdb'&" The &'exim_fixdb'& program is a utility for interactively modifying databases. Its main use is for testing Exim, but it might also be occasionally useful for @@ -41454,7 +41486,7 @@ Example usage: .code #macro SRS_SECRET = - + #routers outbound: @@ -41464,7 +41496,7 @@ Example usage: transport = ${if eq {$local_part@$domain} \ {$original_local_part@$original_domain} \ {remote_smtp} {remote_forwarded_smtp}} - + inbound_srs: driver = redirect senders = : @@ -41472,7 +41504,7 @@ Example usage: # detect inbound bounces which are SRS'd, and decode them condition = ${if inbound_srs {$local_part} {SRS_SECRET}} data = $srs_recipient - + inbound_srs_failure: driver = redirect senders = : @@ -41484,7 +41516,7 @@ Example usage: #... further routers here - + # transport; should look like the non-forward outbound # one, plus the max_rcpt and return_path options remote_forwarded_smtp: