X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=doc%2Fdoc-docbook%2Fspec.xfpt;h=b65b6fe5b6cc60e4e4b633d3fa5efaadffb94c60;hb=40394cc11a826278cef2e205313f9339ca90d16d;hp=f950a4dac31e9d6754c6e89b99c3f3f1bafcaa2b;hpb=c4b57fddcae8301f324d2626083c13b2c5e60521;p=exim.git diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f950a4dac..b65b6fe5b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -52,7 +52,7 @@ .set I "    " .macro copyyear -2017 +2018 .endmacro . ///////////////////////////////////////////////////////////////////////////// @@ -7839,6 +7839,19 @@ ${lookup redis{set keyname ${quote_redis:objvalue plus}}} ${lookup redis{get keyname}} .endd +.new +As of release 4.91, "lightweight" support for Redis Cluster is available. +Requires &%redis_servers%& list to contain all the servers in the cluster, all +of which must be reachable from the running exim instance. If the cluster has +master/slave replication, the list must contain all the master and slave +servers. + +When the Redis Cluster returns a "MOVED" response to a query, exim does not +immediately follow the redirection but treats the response as a DEFER, moving on +to the next server in the &%redis_servers%& list until the correct server is +reached. +.wen + .ecindex IIDfidalo1 .ecindex IIDfidalo2 @@ -9141,6 +9154,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f .vitem "&*${authresults{*&<&'authserv-id'&>&*}}*&" .cindex authentication "results header" .cindex headers "authentication-results:" +.cindex authentication "expansion item" This item returns a string suitable for insertion as an &'Authentication-Results"'& header line. @@ -9159,6 +9173,7 @@ Example use (as an ACL modifier): .code add_header = :at_start:${authresults {$primary_hostname}} .endd +This is safe even if no authentication reselts are available. .wen @@ -11580,10 +11595,15 @@ preserve some of the authentication information in the variable user/password authenticator configuration might preserve the user name for use in the routers. Note that this is not the same information that is saved in &$sender_host_authenticated$&. + When a message is submitted locally (that is, not over a TCP connection) the value of &$authenticated_id$& is normally the login name of the calling process. However, a trusted user can override this by means of the &%-oMai%& command line option. +.new +This second case also sets up inforamtion used by the +&$authresults$& expansion item. +.wen .vitem &$authenticated_fail_id$& .cindex "authentication" "fail" "id" @@ -11923,6 +11943,13 @@ lookup succeeds, but there is a lookup problem such as a timeout when checking the result, the name is not accepted, and &$host_lookup_deferred$& is set to &"1"&. See also &$sender_host_name$&. +.new +.cindex authentication "expansion item" +Performing these checks sets up information used by the +&$authresults$& expansion item. +.wen + + .vitem &$host_lookup_failed$& .vindex "&$host_lookup_failed$&" See &$host_lookup_deferred$&. @@ -12878,6 +12905,7 @@ is compiled with the content-scanning extension. For details, see section .vitem &$spf_header_comment$& &&& &$spf_received$& &&& &$spf_result$& &&& + &$spf_result_guessed$& &&& &$spf_smtp_comment$& These variables are only available if Exim is built with SPF support. For details see section &<>&. @@ -26091,6 +26119,12 @@ public name) of the authenticator driver that successfully authenticated the client from which the message was received. This variable is empty if there was no successful authentication. +.new +.cindex authentication "expansion item" +Successful authentication sets up information used by the +&$authresults$& expansion item. +.wen + @@ -31806,9 +31840,9 @@ though individual ones can be included or not at build time: .vitem &%avast%& .cindex "virus scanners" "avast" This is the scanner daemon of Avast. It has been tested with Avast Core -Security (currently at version 1.1.7). -You can get a trial version at &url(http://www.avast.com) or for Linux -at &url(http://www.avast.com/linux-server-antivirus). +Security (currently at version 2.2.0). +You can get a trial version at &url(https://www.avast.com) or for Linux +at &url(https://www.avast.com/linux-server-antivirus). This scanner type takes one option, which can be either a full path to a UNIX socket, or host and port specifiers separated by white space. @@ -31835,6 +31869,8 @@ $ socat UNIX:/var/run/avast/scan.sock STDIO: PACK .endd +Only the first virus detected will be reported. + .vitem &%aveserver%& .cindex "virus scanners" "Kaspersky" @@ -38888,7 +38924,8 @@ The result can either be a valid RSA private key in ASCII armor (.pem file), including line breaks .new .next -with GnuTLS 3.6.0 or later, be a valid Ed25519 private key (same format as above) +with GnuTLS 3.6.0 or OpenSSL 1.1.1 or later, +be a valid Ed25519 private key (same format as above) .wen .next start with a slash, in which case it is treated as a file that contains @@ -38900,6 +38937,21 @@ is set. .endlist .new +To generate keys under OpenSSL: +.code +openssl genrsa -out dkim_rsa.private 2048 +openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM +.endd +Take the base-64 lines from the output of the second command, concatenated, +for the DNS TXT record. +See section 3.6 of RFC6376 for the record specification. + +Under GnuTLS: +.code +certtool --generate-privkey --rsa --bits=2048 --password='' -8 --outfile=dkim_rsa.private +certtool --load-privkey=dkim_rsa.private --pubkey-info +.endd + Note that RFC 8301 says: .code Signers MUST use RSA keys of at least 1024 bits for all keys. @@ -38914,6 +38966,21 @@ As they are a recent development, users should consider dual-signing for some transition period. The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present for EC keys. + +As of writing, producing EC key materials is not well supported +by the major libraries. OpenSSL 1.1.1 and GnuTLS 3.6.0 can create private keys: +.code +openssl genpkey -algorithm ed25519 -out dkim_ed25519.private +certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private +.endd + +To help in producing the required public key value for a DNS record +the release package &_util/_& directory contains source for a utility +buildable with GnuTLS 3.6.0; +use it like this: +.code +ed25519_privkey_pem_to_pubkey_raw_b64 dkim_ed25519.private +.endd .wen .option dkim_hash smtp string&!! sha256 @@ -38984,6 +39051,12 @@ To evaluate the signature in the ACL a large number of expansion variables containing the signature status and its details are set up during the runtime of the ACL. +.new +.cindex authentication "expansion item" +Performing verification sets up information used by the +&$authresults$& expansion item. +.wen + Calling the ACL only for existing signatures is not sufficient to build more advanced policies. For that reason, the global option &%dkim_verify_signers%&, and a global expansion variable @@ -39099,7 +39172,8 @@ The key record selector string. .vitem &%$dkim_algo%& The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'. .new -If running under GnuTLS 3.6.0 or later, may also be 'ed25519-sha256'. +If running under GnuTLS 3.6.0 or OpenSSL 1.1.1 or later, +may also be 'ed25519-sha256'. The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present for EC keys. .wen @@ -39243,6 +39317,12 @@ There is no Exim involvement on the trasmission of messages; publishing certain DNS records is all that is required. For verification, an ACL condition and an expansion lookup are provided. +.new +.cindex authentication "expansion item" +Performing verification sets up information used by the +&$authresults$& expansion item. +.wen + .cindex SPF "ACL condition" .cindex ACL "spf condition" @@ -39331,6 +39411,11 @@ variables: one of pass, fail, softfail, none, neutral, permerror or temperror. +.vitem &$spf_result_guessed$& +.vindex &$spf_result_guessed$& + This boolean is true only if a best-guess operation was used + and required in order to obtain a result. + .vitem &$spf_smtp_comment$& .vindex &$spf_smtp_comment$& This contains a string that can be used in a SMTP response