Commit | Line | Data |
---|---|---|
ea3bc19b | 1 | $Cambridge: exim/doc/doc-txt/NewStuff,v 1.16 2004/11/24 15:43:36 ph10 Exp $ |
495ae4b0 PH |
2 | |
3 | New Features in Exim | |
4 | -------------------- | |
5 | ||
6 | This file contains descriptions of new features that have been added to Exim, | |
7 | but have not yet made it into the main manual (which is most conveniently | |
8 | updated when there is a relatively large batch of changes). The doc/ChangeLog | |
9 | file contains a listing of all changes, including bug fixes. | |
10 | ||
11 | ||
35edf2ff PH |
12 | Version 4.44 |
13 | ------------ | |
14 | ||
15 | 1. There is a new build-time option called CONFIGURE_GROUP which works like | |
16 | CONFIGURE_OWNER. It specifies one additional group that is permitted for | |
17 | the runtime configuration file when the group write permission is set. | |
18 | ||
69358f02 PH |
19 | 2. The "control=submission" facility has a new option /retain_sender. This |
20 | has the effect of setting local_sender_retain true and local_from_check | |
21 | false for the incoming message in which it is encountered. | |
22 | ||
5131419f PH |
23 | 3. $recipients is now available in the predata ACL (oversight). |
24 | ||
25 | 4. The value of address_data from a sender verification is now available in | |
26 | $sender_address_data in subsequent conditions in the ACL statement. Note: | |
27 | this is just like $address_data. The value does not persist after the end | |
28 | of the current ACL statement. If you want to preserve it, you can use one | |
29 | of the ACL variables. | |
30 | ||
23c7ff99 PH |
31 | 5. The redirect router has two new options: forbid_sieve_filter and |
32 | forbid_exim_filter. When filtering is enabled by allow_filter, these | |
33 | options control which type(s) of filtering are permitted. By default, both | |
34 | Exim and Sieve filters are allowed. | |
35 | ||
4deaf07d PH |
36 | 6. A new option for callouts makes it possible to set a different (usually |
37 | smaller) timeout for making the SMTP connection. The keyword is "connect". | |
38 | For example: | |
39 | ||
40 | verify = sender/callout=5s,connect=1s | |
41 | ||
42 | If not specified, it defaults to the general timeout value. | |
43 | ||
2c7db3f5 PH |
44 | 7. The new variables $sender_verify_failure and $recipient_verify_failure |
45 | contain information about exactly what failed. In an ACL, after one of | |
46 | these failures, the relevant variable contains one of the following words: | |
47 | ||
48 | qualify the address was unqualified (no domain), and the message | |
49 | was neither local nor came from an exempted host; | |
50 | ||
51 | route routing failed; | |
52 | ||
53 | mail routing succeeded, and a callout was attempted; rejection | |
54 | occurred at or before the MAIL command (that is, on initial | |
55 | connection, HELO, or MAIL); | |
56 | ||
57 | recipient the RCPT command in a callout was rejected; | |
58 | ||
59 | postmaster the postmaster check in a callout was rejected. | |
60 | ||
61 | The main use of these variables is expected to be to distinguish between | |
62 | rejections of MAIL and rejections of RCPT. | |
63 | ||
3d235903 PH |
64 | 8. The command line option -dd behaves exactly like -d except when used on a |
65 | command that starts a daemon process. In that case, debugging is turned off | |
66 | for the subprocesses that the daemon creates. Thus, it is useful for | |
67 | monitoring the behaviour of the daemon without creating as much output as | |
68 | full debugging. | |
69 | ||
d4eb88df PH |
70 | 9. $host_address is now set to the target address during the checking of |
71 | ignore_target_hosts. | |
72 | ||
5cb8cbc6 PH |
73 | 10. There are four new variables called $spool_space, $log_space, |
74 | $spool_inodes, and $log_inodes. The first two contain the amount of free | |
75 | space in the disk partitions where Exim has its spool directory and log | |
76 | directory, respectively. (When these are in the same partition, the values | |
77 | will, of course, be the same.) The second two variables contain the numbers | |
78 | of free inodes in the respective partitions. | |
79 | ||
80 | NOTE: Because disks can nowadays be very large, the values in the space | |
81 | variables are in kilobytes rather than in bytes. Thus, for example, to | |
82 | check in an ACL that there is at least 50M free on the spool, you would | |
83 | write: | |
84 | ||
85 | condition = ${if > {$spool_space}{50000}{yes}{no}} | |
86 | ||
87 | The values are recalculated whenever any of these variables is referenced. | |
88 | If the relevant file system does not have the concept of inodes, the value | |
89 | of those variables is -1. If the operating system does not have the ability | |
90 | to find the amount of free space (only true for experimental systems), the | |
91 | space value is -1. | |
2c7db3f5 | 92 | |
063b1e99 PH |
93 | 11. It is now permitted to omit both strings after an "if" condition; if the |
94 | condition is true, the result is the string "true". As before, when the | |
95 | second string is omitted, a false condition yields an empty string. This | |
96 | makes it less cumbersome to write custom ACL and router conditions. For | |
97 | example, instead of | |
98 | ||
99 | condition = ${if eq {$acl_m4}{1}{yes}{no}} | |
100 | ||
101 | or the shorter form | |
102 | ||
103 | condition = ${if eq {$acl_m4}{1}{yes}} | |
104 | ||
105 | (because the second string has always defaulted to ""), you can now write | |
106 | ||
107 | condition = ${if eq {$acl_m4}{1}} | |
108 | ||
109 | Previously this was a syntax error. | |
110 | ||
ea3bc19b | 111 | 12. There is a new "record type" that can be specified in dnsdb lookups. It |
33397d19 PH |
112 | is "zns" (for "zone NS"). It performs a lookup for NS records on the given |
113 | domain, but if none are found, it removes the first component of the domain | |
114 | name, and tries again. This process continues until NS records are found | |
115 | or there are no more components left (or there's a DNS error). In other | |
116 | words, it may return the name servers for a top-level domain, but it never | |
117 | returns the root name servers. If there are no NS records for the top-level | |
118 | domain, the lookup fails. | |
119 | ||
120 | For example, ${lookup dnsdb{zns=xxx.quercite.com}} returns the name | |
121 | servers for quercite.com, whereas ${lookup dnsdb{zns=xxx.edu}} returns | |
122 | the name servers for edu, assuming in each case that there are no NS | |
123 | records for the full domain name. | |
124 | ||
125 | You should be careful about how you use this lookup because, unless the | |
126 | top-level domain does not exist, the lookup will always return some host | |
127 | names. The sort of use to which this might be put is for seeing if the name | |
128 | servers for a given domain are on a blacklist. You can probably assume that | |
129 | the name servers for the high-level domains such as .com or .co.uk are not | |
130 | going to be on such a list. | |
131 | ||
ea3bc19b PH |
132 | 13. Another new "record type" is "mxh"; this looks up MX records just as "mx" |
133 | does, but it returns only the names of the hosts, omitting the priority | |
134 | values. | |
135 | ||
136 | 14. It is now possible to specify a list of domains or IP addresses to be | |
7bb56e1f PH |
137 | looked up in a dnsdb lookup. The list is specified in the normal Exim way, |
138 | with colon as the default separator, but with the ability to change this. | |
139 | For example: | |
140 | ||
141 | ${lookup dnsdb{one.domain.com:two.domain.com}} | |
142 | ${lookup dnsdb{a=one.host.com:two.host.com}} | |
143 | ${lookup dnsdb{ptr = <; 1.2.3.4 ; 4.5.6.8}} | |
144 | ||
145 | In order to retain backwards compatibility, there is one special case: if | |
146 | the lookup type is PTR and no change of separator is specified, Exim looks | |
147 | to see if the rest of the string is precisely one IPv6 address. In this | |
148 | case, it does not treat it as a list. | |
149 | ||
150 | The data from each lookup is concatenated, with newline separators (by | |
151 | default - see 14 below), in the same way that multiple DNS records for a | |
152 | single item are handled. | |
153 | ||
154 | The lookup fails only if all the DNS lookups fail. As long as at least one | |
155 | of them yields some data, the lookup succeeds. However, if there is a | |
156 | temporary DNS error for any of them, the lookup defers. | |
157 | ||
ea3bc19b | 158 | 15. It is now possible to specify the character to be used as a separator when |
7bb56e1f PH |
159 | a dnsdb lookup returns data from more than one DNS record. The default is a |
160 | newline. To specify a different character, put '>' followed by the new | |
161 | character at the start of the query. For example: | |
162 | ||
163 | ${lookup dnsdb{>: a=h1.test.ex:h2.test.ex}} | |
ea3bc19b | 164 | ${lookup dnsdb{>| mxh=<;m1.test.ex;m2.test.ex}} |
7bb56e1f PH |
165 | |
166 | It is permitted to specify a space as the separator character. Note that | |
167 | more than one DNS record can be found for a single lookup item; this | |
168 | feature is relevant even when you do not specify a list. | |
169 | ||
170 | The same effect could be achieved by wrapping the lookup in ${tr...}; this | |
171 | feature is just a syntactic simplification. | |
172 | ||
ea3bc19b | 173 | 16. It is now possible to supply a list of domains and/or IP addresses to be |
0bcb2a0e PH |
174 | lookup up in a DNS blacklist. Previously, only a single domain name could |
175 | be given, for example: | |
176 | ||
177 | dnslists = black.list.tld/$sender_host_name | |
178 | ||
179 | What follows the slash can now be a list. As with all lists, the default | |
180 | separator is a colon. However, because this is a sublist within the list of | |
181 | DNS blacklist domains, it is necessary either to double the separators like | |
182 | this: | |
183 | ||
184 | dnslists = black.list.tld/name.1::name.2 | |
185 | ||
186 | or to change the separator character, like this: | |
187 | ||
188 | dnslists = black.list.tld/<;name.1;name.2 | |
189 | ||
190 | If an item in the list is an IP address, it is inverted before the DNS | |
191 | blacklist domain is appended. If it is not an IP address, no inversion | |
192 | occurs. Consider this condition: | |
193 | ||
194 | dnslists = black.list.tls/<;192.168.1.2;a.domain | |
195 | ||
196 | The DNS lookups that occur are for | |
197 | ||
198 | 2.1.168.192.black.list.tld and a.domain.black.list.tld | |
199 | ||
200 | Once a DNS record has been found (that matches a specific IP return | |
201 | address, if specified), no further lookups are done. | |
202 | ||
ea3bc19b | 203 | 17. The log selector queue_time_overall causes Exim to output the time spent on |
2ac0e484 PH |
204 | the queue as an addition to the "Completed" message. Like queue_time (which |
205 | puts the queue time on individual delivery lines), the time is tagged with | |
206 | "QT=", and it is measured from the time that the message starts to be | |
207 | received, so it includes the reception time. | |
208 | ||
35edf2ff | 209 | |
495ae4b0 PH |
210 | Version 4.43 |
211 | ------------ | |
212 | ||
213 | 1. There is a new Boolean global option called mua_wrapper, defaulting false. | |
214 | This causes Exim to run an a restricted mode, in order to provide a very | |
215 | specific service. | |
216 | ||
217 | Background: On a personal computer, it is a common requirement for all | |
218 | email to be sent to a smarthost. There are plenty of MUAs that can be | |
219 | configured to operate that way, for all the popular operating systems. | |
220 | However, there are MUAs for Unix-like systems that cannot be so configured: | |
221 | they submit messages using the command line interface of | |
222 | /usr/sbin/sendmail. In addition, utility programs such as cron submit | |
223 | messages this way. | |
224 | ||
225 | Requirement: The requirement is for something that can provide the | |
226 | /usr/sbin/sendmail interface and deliver messages to a smarthost, but not | |
227 | provide any queueing or retrying facilities. Furthermore, the delivery to | |
228 | the smarthost should be synchronous, so that if it fails, the sending MUA | |
229 | is immediately informed. In other words, we want something that in effect | |
230 | converts a command-line MUA into a TCP/SMTP MUA. | |
231 | ||
232 | Solutions: There are a number of applications (for example, ssmtp) that do | |
233 | this job. However, people have found them to be lacking in various ways. | |
234 | For instance, some sites want to allow aliasing and forwarding before | |
235 | sending to the smarthost. | |
236 | ||
237 | Using Exim: Exim already had the necessary infrastructure for doing this | |
238 | job. Just a few tweaks were needed to make it behave as required, though it | |
239 | is somewhat of an overkill to use a fully-featured MTA for this purpose. | |
240 | ||
241 | Setting mua_wrapper=true causes Exim to run in a special mode where it | |
242 | assumes that it is being used to "wrap" a command-line MUA in the manner | |
243 | just described. | |
244 | ||
245 | If you set mua_wrapper=true, you also need to provide a compatible router | |
246 | and transport configuration. Typically there will be just one router and | |
247 | one transport, sending everything to a smarthost. | |
248 | ||
249 | When run in MUA wrapping mode, the behaviour of Exim changes in the | |
250 | following ways: | |
251 | ||
252 | (a) A daemon cannot be run, nor will Exim accept incoming messages from | |
253 | inetd. In other words, the only way to submit messages is via the | |
254 | command line. | |
255 | ||
256 | (b) Each message is synchonously delivered as soon as it is received (-odi | |
257 | is assumed). All queueing options (queue_only, queue_smtp_domains, | |
258 | control=queue, control=freeze in an ACL etc.) are quietly ignored. The | |
259 | Exim reception process does not finish until the delivery attempt is | |
260 | complete. If the delivery was successful, a zero return code is given. | |
261 | ||
262 | (c) Address redirection is permitted, but the final routing for all | |
263 | addresses must be to the same remote transport, and to the same list of | |
264 | hosts. Furthermore, the return_address must be the same for all | |
265 | recipients, as must any added or deleted header lines. In other words, | |
266 | it must be possible to deliver the message in a single SMTP | |
267 | transaction, however many recipients there are. | |
268 | ||
269 | (d) If the conditions in (c) are not met, or if routing any address results | |
270 | in a failure or defer status, or if Exim is unable to deliver all the | |
271 | recipients successfully to one of the hosts immediately, delivery of | |
272 | the entire message fails. | |
273 | ||
274 | (e) Because no queueing is allowed, all failures are treated as permanent; | |
275 | there is no distinction between 4xx and 5xx SMTP response codes from | |
276 | the smarthost. Furthermore, because only a single yes/no response can | |
277 | be given to the caller, it is not possible to deliver to some | |
278 | recipients and not others. If there is an error (temporary or | |
279 | permanent) for any recipient, all are failed. | |
280 | ||
281 | (f) If more than one host is listed, Exim will try another host after a | |
282 | connection failure or a timeout, in the normal way. However, if this | |
283 | kind of failure happens for all the hosts, the delivery fails. | |
284 | ||
285 | (g) When delivery fails, an error message is written to the standard error | |
286 | stream (as well as to Exim's log), and Exim exits to the caller with a | |
287 | return code value 1. The message is expunged from Exim's spool files. | |
288 | No bounce messages are ever generated. | |
289 | ||
290 | (h) No retry data is maintained, and any retry rules are ignored. | |
291 | ||
292 | (i) A number of Exim options are overridden: deliver_drop_privilege is | |
293 | forced true, max_rcpt in the smtp transport is forced to "unlimited", | |
294 | remote_max_parallel is forced to one, and fallback hosts are ignored. | |
295 | ||
296 | The overall effect is that Exim makes a single synchronous attempt to | |
297 | deliver the message, failing if there is any kind of problem. Because no | |
298 | local deliveries are done and no daemon can be run, Exim does not need root | |
299 | privilege. It should be possible to run it setuid=exim instead of | |
300 | setuid=root. See section 48.3 in the 4.40 manual for a general discussion | |
301 | about the advantages and disadvantages of running without root privilege. | |
302 | ||
303 | 2. There have been problems with DNS servers when SRV records are looked up. | |
304 | Some mis-behaving servers return a DNS error or timeout when a non-existent | |
305 | SRV record is sought. Similar problems have in the past been reported for | |
306 | MX records. The global dns_again_means_nonexist option can help with this | |
307 | problem, but it is heavy-handed because it is a global option. There are | |
308 | now two new options for the dnslookup router. They are called | |
309 | srv_fail_domains and mx_fail_domains. In each case, the value is a domain | |
310 | list. If an attempt to look up an SRV or MX record results in a DNS failure | |
311 | or "try again" response, and the domain matches the relevant list, Exim | |
312 | behaves as if the DNS had responded "no such record". In the case of an SRV | |
313 | lookup, this means that the router proceeds to look for MX records; in the | |
314 | case of an MX lookup, it proceeds to look for A or AAAA records, unless the | |
315 | domain matches mx_domains. | |
316 | ||
317 | 3. The following functions are now available in the local_scan() API: | |
318 | ||
319 | (a) void header_remove(int occurrence, uschar *name) | |
320 | ||
321 | This function removes header lines. If "occurrence" is zero or negative, | |
322 | all occurrences of the header are removed. If occurrence is greater | |
323 | than zero, that particular instance of the header is removed. If no | |
324 | header(s) can be found that match the specification, the function does | |
325 | nothing. | |
326 | ||
327 | (b) BOOL header_testname(header_line *hdr, uschar *name, int length, | |
328 | BOOL notdel) | |
329 | ||
330 | This function tests whether the given header has the given name. It | |
331 | is not just a string comparison, because whitespace is permitted | |
332 | between the name and the colon. If the "notdel" argument is TRUE, a | |
333 | FALSE return is forced for all "deleted" headers; otherwise they are | |
334 | not treated specially. For example: | |
335 | ||
336 | if (header_testname(h, US"X-Spam", 6, TRUE)) ... | |
337 | ||
338 | (c) void header_add_at_position(BOOL after, uschar *name, BOOL topnot, | |
339 | int type, char *format, ...) | |
340 | ||
341 | This function adds a new header line at a specified point in the header | |
342 | chain. If "name" is NULL, the new header is added at the end of the | |
343 | chain if "after" is TRUE, or at the start if "after" is FALSE. If | |
344 | "name" is not NULL, the headers are searched for the first non-deleted | |
345 | header that matches the name. If one is found, the new header is added | |
346 | before it if "after" is FALSE. If "after" is true, the new header is | |
347 | added after the found header and any adjacent subsequent ones with the | |
348 | same name (even if marked "deleted"). If no matching non-deleted header | |
349 | is found, the "topnot" option controls where the header is added. If it | |
350 | is TRUE, addition is at the top; otherwise at the bottom. Thus, to add | |
351 | a header after all the Received: headers, or at the top if there are no | |
352 | Received: headers, you could use | |
353 | ||
354 | header_add_at_position(TRUE, US"Received", TRUE, ' ', "X-xxx: ..."); | |
355 | ||
356 | Normally, there is always at least one non-deleted Received: header, | |
357 | but there may not be if received_header_text expands to an empty | |
358 | string. | |
359 | ||
360 | (d) BOOL receive_remove_recipient(uschar *recipient) | |
361 | ||
362 | This is a convenience function to remove a named recipient from the | |
363 | list of recipients. It returns TRUE if a recipient was removed, and | |
364 | FALSE if no matching recipient could be found. The argument must be a | |
365 | complete email address. | |
366 | ||
367 | 4. When an ACL "warn" statement adds one or more header lines to a message, | |
368 | they are added at the end of the existing header lines by default. It is | |
369 | now possible to specify that any particular header line should be added | |
370 | right at the start (before all the Received: lines) or immediately after | |
371 | the first block of Received: lines in the message. This is done by | |
372 | specifying :at_start: or :after_received: (or, for completeness, :at_end:) | |
373 | before the text of the header line. (Header text cannot start with a colon, | |
374 | as there has to be a header name first.) For example: | |
375 | ||
376 | warn message = :after_received:X-My-Header: something or other... | |
377 | ||
378 | If more than one header is supplied in a single warn statement, each one is | |
379 | treated independently and can therefore be placed differently. If you add | |
380 | more than one line at the start, or after the Received: block, they will | |
381 | end up in reverse order. | |
382 | ||
383 | Warning: This facility currently applies only to header lines that are | |
384 | added in an ACL. It does NOT work for header lines that are added in a | |
385 | system filter or in a router or transport. | |
386 | ||
387 | 5. There is now a new error code that can be used in retry rules. Its name is | |
388 | "rcpt_4xx", and there are three forms. A literal "rcpt_4xx" matches any 4xx | |
389 | error received for an outgoing SMTP RCPT command; alternatively, either the | |
390 | first or both of the x's can be given as digits, for example: "rcpt_45x" or | |
391 | "rcpt_436". If you want (say) to recognize 452 errors given to RCPT | |
392 | commands by a particular host, and have only a one-hour retry for them, you | |
393 | can set up a retry rule of this form: | |
394 | ||
395 | the.host.name rcpt_452 F,1h,10m | |
396 | ||
397 | Naturally, this rule must come before any others that would match. | |
398 | ||
399 | These new errors apply to both outgoing SMTP (the smtp transport) and | |
400 | outgoing LMTP (either the lmtp transport, or the smtp transport in LMTP | |
401 | mode). Note, however, that they apply only to responses to RCPT commands. | |
402 | ||
403 | 6. The "postmaster" option of the callout feature of address verification has | |
404 | been extended to make it possible to use a non-empty MAIL FROM address when | |
405 | checking a postmaster address. The new suboption is called "postmaster_ | |
406 | mailfrom", and you use it like this: | |
407 | ||
408 | require verify = sender/callout=postmaster_mailfrom=abc@x.y.z | |
409 | ||
410 | Providing this suboption causes the postmaster check to be done using the | |
411 | given address. The original "postmaster" option is equivalent to | |
412 | ||
413 | require verify = sender/callout=postmaster_mailfrom= | |
414 | ||
415 | If both suboptions are present, the rightmost one overrides. | |
416 | ||
417 | Important notes: | |
418 | ||
419 | (1) If you use a non-empty sender address for postmaster checking, there is | |
420 | the likelihood that the remote host will itself initiate a callout | |
421 | check back to your host to check that address. As this is a "normal" | |
422 | callout check, the sender will most probably be empty, thus avoiding | |
423 | possible callout loops. However, to be on the safe side it would be | |
424 | best to set up your own ACLs so that they do not do sender verification | |
425 | checks when the recipient is the address you use for postmaster callout | |
426 | checking. | |
427 | ||
428 | (2) The caching arrangements for postmaster checking do NOT take account of | |
429 | the sender address. It is assumed that either the empty address, or a | |
430 | fixed non-empty address will be used. All that Exim remembers is that | |
431 | the postmaster check for the domain succeeded or failed. | |
432 | ||
433 | 7. When verifying addresses in header lines using the verify=header_sender | |
434 | option, Exim behaves by default as if the addresses are envelope sender | |
435 | addresses from a message. Callout verification therefore tests to see | |
436 | whether a bounce message could be delivered, by using an empty address in | |
437 | the MAIL FROM command. However, it is arguable that these addresses might | |
438 | never be used as envelope senders, and could therefore justifiably reject | |
439 | bounce messages (empty senders). There is now an additional callout option | |
440 | for verify=header_sender that allows you to specify what address to use in | |
441 | the MAIL FROM command. You use it as in this example: | |
442 | ||
443 | require verify = header_sender/callout=mailfrom=abcd@x.y.z | |
444 | ||
445 | Important notes: | |
446 | ||
447 | (1) As in the case of postmaster_mailfrom (see above), you should think | |
448 | about possible loops. | |
449 | ||
450 | (2) In this case, as in the case of recipient callouts with non-empty | |
451 | senders (the use_sender option), caching is done on the basis of a | |
452 | recipient/sender pair. | |
453 | ||
454 | 8. If you build Exim with USE_READLINE=yes in Local/Makefile, it will try to | |
455 | load libreadline dynamically whenever the -be (test expansion) option is | |
456 | used without command line arguments. If successful, it will then use | |
457 | readline() for reading the test data. A line history is supported. By the | |
458 | time Exim does this, it is running as the calling user, so this should not | |
459 | cause any security problems. Security is the reason why this is NOT | |
460 | supported for -bt or -bv, when Exim is running as root or exim, | |
461 | respectively. Note that this option adds to the size of the Exim binary, | |
462 | because the dynamic loading library is not otherwise included. On my | |
463 | desktop it adds about 2.5K. You may need to add -ldl to EXTRA_LIBS when you | |
464 | set USE_READLINE=yes. | |
465 | ||
466 | 9. Added ${str2b64:<string>} to the expansion operators. This operator | |
467 | converts an arbitrary string into one that is base64 encoded. | |
468 | ||
469 | 10. A new authenticator, called cyrus_sasl, has been added. This requires | |
470 | the presence of the Cyrus SASL library; it authenticates by calling this | |
471 | library, which supports a number of authentication mechanisms, including | |
472 | PLAIN and LOGIN, but also several others that Exim does not support | |
473 | directly. The code for this authenticator was provided by Matthew | |
474 | Byng-Maddick of A L Digital Ltd (http://www.aldigital.co.uk). Here follows | |
475 | draft documentation: | |
476 | ||
477 | xx. THE CYRUS_SASL AUTHENTICATOR | |
478 | ||
479 | The cyrus_sasl authenticator provides server support for the Cyrus library | |
480 | Implementation of the RFC 2222 "Simple Authentication and Security Layer". | |
481 | It provides a gatewaying mechanism directly to the Cyrus interface, so if | |
482 | your Cyrus library can do, for example, CRAM-MD5, then so can the | |
483 | cyrus_sasl authenticator. By default it uses the public name of the driver | |
484 | to determine which mechanism to support. | |
485 | ||
486 | Where access to some kind of secret file is required, for example in GSSAPI | |
487 | or CRAM-MD5, it is worth noting that the authenticator runs as the exim | |
488 | user, and that the Cyrus SASL library has no way of escalating privileges | |
489 | by default. You may also find you need to set environment variables, | |
490 | depending on the driver you are using. | |
491 | ||
492 | xx.1 Using cyrus_sasl as a server | |
493 | ||
494 | The cyrus_sasl authenticator has four private options. It puts the username | |
495 | (on a successful authentication) into $1. | |
496 | ||
497 | server_hostname Type: string* Default: $primary_hostname | |
498 | ||
499 | This option selects the hostname that is used when communicating with | |
500 | the library. It is up to the underlying SASL plug-in what it does with | |
501 | this data. | |
502 | ||
503 | server_mech Type: string Default: public_name | |
504 | ||
505 | This option selects the authentication mechanism this driver should | |
506 | use. It allows you to use a different underlying mechanism from the | |
507 | advertised name. For example: | |
508 | ||
509 | sasl: | |
510 | driver = cyrus_sasl | |
511 | public_name = X-ANYTHING | |
512 | server_mech = CRAM-MD5 | |
513 | server_set_id = $1 | |
514 | ||
515 | server_realm Type: string Default: unset | |
516 | ||
517 | This is the SASL realm that the server is claiming to be in. | |
518 | ||
519 | server_service Type: string Default: "smtp" | |
520 | ||
521 | This is the SASL service that the server claims to implement. | |
522 | ||
523 | For straigthforward cases, you do not need to set any of the | |
524 | authenticator's private options. All you need to do is to specify an | |
525 | appropriate mechanism as the public name. Thus, if you have a SASL library | |
526 | that supports CRAM-MD5 and PLAIN, you might have two authenticators as | |
527 | follows: | |
528 | ||
529 | sasl_cram_md5: | |
530 | driver = cyrus_sasl | |
531 | public_name = CRAM-MD5 | |
532 | server_set_id = $1 | |
533 | ||
534 | sasl_plain: | |
535 | driver = cyrus_sasl | |
536 | public_name = PLAIN | |
537 | server_set_id = $1 | |
538 | ||
539 | 11. There is a new global option called tls_on_connect_ports. Its value must be | |
540 | a list of port numbers; the most common use is expected to be | |
541 | ||
542 | tls_on_connect_ports = 465 | |
543 | ||
544 | Setting this option has the same effect as -tls-on-connect on the command | |
545 | line, but only for the specified ports. It applies to all connections, both | |
546 | via the daemon and via inetd. You still need to specify all the ports for | |
547 | the daemon (using daemon_smtp_ports or local_interfaces or the -X command | |
548 | line option) because this option does not add an extra port -- rather, it | |
549 | specifies different behaviour on a port that is defined elsewhere. The | |
550 | -tls-on-connect command line option overrides tls_on_connect_ports, and | |
551 | forces tls-on-connect for all ports. | |
552 | ||
553 | 12. There is a new ACL that is run when a DATA command is received, before the | |
554 | data itself is received. The ACL is defined by acl_smtp_predata. (Compare | |
555 | acl_smtp_data, which is run after the data has been received.) | |
556 | This new ACL allows a negative response to be given to the DATA command | |
557 | itself. Header lines added by MAIL or RCPT ACLs are not visible at this | |
558 | time, but any that are defined here are visible when the acl_smtp_data ACL | |
559 | is run. | |
560 | ||
561 | 13. The "control=submission" ACL modifier has an option "/domain=xxx" which | |
562 | specifies the domain to be used when creating From: or Sender: lines using | |
563 | the authenticated id as a local part. If the option is supplied with an | |
564 | empty domain, that is, just "/domain=", Exim assumes that the authenticated | |
565 | id is a complete email address, and it uses it as is when creating From: | |
566 | or Sender: lines. | |
567 | ||
568 | 14. It is now possible to make retry rules that apply only when the failing | |
569 | message has a specific sender. In particular, this can be used to define | |
570 | retry rules that apply only to bounce messages. The syntax is to add a new | |
571 | third item to a retry rule, of the form "senders=<address list>". The retry | |
572 | timings themselves then become the fourth item. For example: | |
573 | ||
574 | * * senders=: F,1h,30m | |
575 | ||
576 | would match all bounce messages. If the address list contains white space, | |
577 | it must be enclosed in quotes. For example: | |
578 | ||
579 | a.domain timeout senders="x@b.dom : y@c.dom" G,8h,10m,1.5 | |
580 | ||
581 | When testing retry rules using -brt, you can supply a sender using the -f | |
582 | command line option, like this: | |
583 | ||
584 | exim -f "" -brt user@dom.ain | |
585 | ||
586 | If you do not set -f with -brt, a retry rule that contains a senders list | |
587 | will never be matched. | |
588 | ||
589 | 15. Two new control modifiers have been added to ACLs: "control = enforce_sync" | |
590 | and "control = no_enforce_sync". This makes it possible to be selective | |
591 | about when SMTP synchronization is enforced. The global option | |
592 | smtp_enforce_sync now specifies the default state of the switch. These | |
593 | controls can appear in any ACL, but the most obvious place to put them is | |
594 | in the ACL defined by acl_smtp_connect, which is run at the start of an | |
595 | incoming SMTP connection, before the first synchronization check. | |
596 | ||
597 | 16. Another two new control modifiers are "control = caseful_local_part" and | |
598 | "control = caselower_local_part". These are permitted only in the ACL | |
599 | specified by acl_smtp_rcpt (i.e. during RCPT processing). By default, the | |
600 | contents of $local_part are lower cased before ACL processing. | |
601 | After "control = caseful_local_part", any uppercase letters in the original | |
602 | local part are restored in $local_part for the rest of the ACL, or until | |
603 | "control = caselower_local_part" is encountered. However, this applies only | |
604 | to local part handling that takes place directly in the ACL (for example, | |
605 | as a key in lookups). If a "verify = recipient" test is obeyed, the | |
606 | case-related handling of the local part during the verification is | |
607 | controlled by the router configuration (see the caseful_local_part generic | |
608 | router option). | |
609 | ||
610 | This facility could be used, for example, to add a spam score to local | |
611 | parts containing upper case letters. For example, using $acl_m4 to | |
612 | accumulate the spam score: | |
613 | ||
614 | warn control = caseful_local_part | |
615 | set acl_m4 = ${eval:\ | |
616 | $acl_m4 + \ | |
617 | ${if match{$local_part}{[A-Z]}{1}{0}}\ | |
618 | } | |
619 | control = caselower_local_part | |
620 | ||
621 | Notice that we put back the lower cased version afterwards, assuming that | |
622 | is what is wanted for subsequent tests. | |
623 | ||
624 | 17. The option hosts_connection_nolog is provided so that certain hosts can be | |
625 | excepted from logging when the +smtp_connection log selector is set. For | |
626 | example, you might want not to log SMTP connections from local processes, | |
627 | or from 127.0.0.1, or from your local LAN. The option is a host list with | |
628 | an unset default. Because it is consulted in the main loop of the daemon, | |
629 | you should strive to restrict its value to a short inline list of IP | |
630 | addresses and networks. To disable logging SMTP connections from local | |
631 | processes, you must create a host list with an empty item. For example: | |
632 | ||
633 | hosts_connection_nolog = : | |
634 | ||
635 | If the +smtp_connection log selector is not set, this option has no effect. | |
636 | ||
637 | 18. There is now an acl called acl_smtp_quit, which is run for the QUIT | |
638 | command. The outcome of the ACL does not affect the response code to QUIT, | |
639 | which is always 221. Thus, the ACL does not in fact control any access. | |
640 | For this reason, the only verbs that are permitted are "accept" and "warn". | |
641 | ||
642 | The ACL can be used for tasks such as custom logging at the end of an SMTP | |
643 | session. For example, you can use ACL variables in other ACLs to count | |
644 | messages, recipients, etc., and log the totals at QUIT time using one or | |
645 | more "logwrite" modifiers on a "warn" command. | |
646 | ||
647 | You do not need to have a final "accept", but if you do, you can use a | |
648 | "message" modifier to specify custom text that is sent as part of the 221 | |
649 | response. | |
650 | ||
651 | This ACL is run only for a "normal" QUIT. For certain kinds of disastrous | |
652 | failure (for example, failure to open a log file, or when Exim is bombing | |
653 | out because it has detected an unrecoverable error), all SMTP commands | |
654 | from the client are given temporary error responses until QUIT is received | |
655 | or the connection is closed. In these special cases, the ACL is not run. | |
656 | ||
657 | 19. The appendfile transport has two new options, mailbox_size and mailbox_ | |
658 | filecount. If either these options are set, it is expanded, and the result | |
659 | is taken as the current size of the mailbox or the number of files in the | |
660 | mailbox, respectively. This makes it possible to use some external means of | |
661 | maintaining the data about the size of a mailbox for enforcing quota | |
662 | limits. The result of expanding these option values must be a decimal | |
663 | number, optionally followed by "K" or "M". | |
664 | ||
665 | 20. It seems that there are broken clients in use that cannot handle multiline | |
666 | SMTP responses. Can't people who implement these braindead programs read? | |
667 | RFC 821 mentions multiline responses, and it is over 20 years old. They | |
668 | must handle multiline responses for EHLO, or do they still use HELO? | |
669 | Anyway, here is YAWFAB (yet another workaround for asinine brokenness). | |
670 | There's a new ACL switch that can be set by | |
671 | ||
672 | control = no_multiline_responses | |
673 | ||
674 | If this is set, it suppresses multiline SMTP responses from ACL rejections. | |
675 | One way of doing this would have been just to put out these responses as | |
676 | one long line. However, RFC 2821 specifies a maximum of 512 bytes per | |
677 | response ("use multiline responses for more" it says), and some of the | |
678 | responses might get close to that. So I have implemented this by doing two | |
679 | very easy things: | |
680 | ||
681 | (1) Extra information that is normally output as part of a rejection | |
682 | caused by sender verification failure is omitted. Only the final line | |
683 | (typically "sender verification failed") is now sent. | |
684 | ||
685 | (2) If a "message" modifier supplies a multiline response, only the first | |
686 | line is output. | |
687 | ||
688 | The setting of the switch can, of course, be made conditional on the | |
689 | calling host. | |
690 | ||
691 | 21. There is now support for the libradius library that comes with FreeBSD. | |
692 | This is an alternative to the radiusclient library that Exim already | |
693 | supports. To use the FreeBSD library, you need to set | |
694 | ||
695 | RADIUS_LIB_TYPE=RADLIB | |
696 | ||
697 | in Local/Makefile, in addition to RADIUS_CONFIGURE_FILE, and you probably | |
698 | also need -libradius in EXTRALIBS. | |
699 | ||
700 | ||
701 | Version 4.42 | |
702 | ------------ | |
703 | ||
704 | 1. The "personal" filter test is brought up-to-date with recommendations from | |
705 | the Sieve specification: (a) The list of non-personal From: addresses now | |
706 | includes "listserv", "majordomo", and "*-request"; (b) If the message | |
707 | contains any header line starting with "List=-" it is treated as | |
708 | non-personal. | |
709 | ||
710 | 2. The Sieve functionality has been extended to support the "copy" and | |
711 | "vacation" extensions, and comparison tests. | |
712 | ||
713 | 3. There is now an overall timeout for performing a callout verification. It | |
714 | defaults to 4 times the callout timeout, which applies to individual SMTP | |
715 | commands during the callout. The overall timeout applies when there is more | |
716 | than one host that can be tried. The timeout is checked before trying the | |
717 | next host. This prevents very long delays if there are a large number of | |
718 | hosts and all are timing out (e.g. when the network connections are timing | |
719 | out). The value of the overall timeout can be changed by specifying an | |
720 | additional sub-option for "callout", called "maxwait". For example: | |
721 | ||
722 | verify = sender/callout=5s,maxwait=20s | |
723 | ||
724 | 4. Changes to the "personal" filter test: | |
725 | ||
726 | (1) The list of non-personal local parts in From: addresses has been | |
727 | extended to include "listserv", "majordomo", "*-request", and "owner-*", | |
728 | taken from the Sieve specification recommendations. | |
729 | ||
730 | (2) If the message contains any header line starting with "List-" it is | |
731 | treated as non-personal. | |
732 | ||
733 | (3) The test for "circular" in the Subject: header line has been removed | |
734 | because it now seems ill-conceived. | |
735 | ||
736 | 5. The autoreply transport has a new option called never_mail. This is an | |
737 | address list. If any run of the transport creates a message with a | |
738 | recipient that matches any item in the list, that recipient is quietly | |
739 | discarded. If all recipients are discarded, no message is created. | |
740 | ||
741 | ||
742 | Version 4.40 | |
743 | ------------ | |
744 | ||
745 | The documentation is up-to-date for the 4.40 release. What follows here is a | |
746 | brief list of the new features that have been added since 4.30. | |
747 | ||
748 | 1. log_incoming_interface affects more log lines. | |
749 | ||
750 | 2. New ACL modifier "control = submission". | |
751 | ||
752 | 3. CONFIGURE_OWNER can be set at build time to define an alternative owner for | |
753 | the configuration file, in addition to root and exim. | |
754 | ||
755 | 4. Added expansion variables $body_zerocount, $recipient_data, and | |
756 | $sender_data. | |
757 | ||
758 | 5. The time of last modification of the "new" subdirectory is now used as the | |
759 | "mailbox time last read" when there is a quota error for a maildir | |
760 | delivery. | |
761 | ||
762 | 6. The special item "+ignore_unknown" may now appear in host lists. | |
763 | ||
764 | 7. The special domain-matching patterns @mx_any, @mx_primary, and | |
765 | @mx_secondary can now be followed by "/ignore=<ip list>". | |
766 | ||
767 | 8. New expansion conditions: match_domain, match_address, match_local_part, | |
768 | lt, lti, le, lei, gt, gti, ge, and new expansion operators time_interval, | |
769 | eval10, and base62d. | |
770 | ||
771 | 9. New lookup type called "iplsearch". | |
772 | ||
773 | 10. New log selectors ident_timeout, tls_certificate_verified, queue_time, | |
774 | deliver_time, outgoing_port, return_path_on_delivery. | |
775 | ||
776 | 11. New global options smtp_active_hostname and tls_require_ciphers. | |
777 | ||
778 | 12. Exinext has -C and -D options. | |
779 | ||
780 | 13. "domainlist_cache" forces caching of an apparently variable list. | |
781 | ||
782 | 14. For compatibility with Sendmail, the command line option -prval:sval | |
783 | is equivalent to -oMr rval -oMs sval. | |
784 | ||
785 | 15. New callout options use_sender and use_postmaster for use when verifying | |
786 | recipients. | |
787 | ||
788 | 16. John Jetmore's "exipick" utility has been added to the distribution. | |
789 | ||
790 | 17. The TLS code now supports CRLs. | |
791 | ||
792 | 18. The dnslookup router and the dnsdb lookup type now support the use of SRV | |
793 | records. | |
794 | ||
795 | 19. The redirect router has a new option called qualify_domain. | |
796 | ||
797 | 20. exigrep's output now also includes lines that are not related to any | |
798 | particular message, but which do match the pattern. | |
799 | ||
800 | 21. New global option write_rejectlog. If it is set false, Exim no longer | |
801 | writes anything to the reject log. | |
802 | ||
803 | **** |