Expansions: add ${sha3:<string>} item

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index db5a245533af1b1be9c1538fca8b620a00e271be..c46b503074b13693c5fb4c6a9f5858776d9e6997 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3049,7 +3049,8 @@ trusted user for the sender of a message to be set in this way.
 .oindex "&%-bmalware%&"
 .cindex "testing", "malware"
 .cindex "malware scan test"
 .oindex "&%-bmalware%&"
 .cindex "testing", "malware"
 .cindex "malware scan test"

-This debugging option causes Exim to scan the given file,
+This debugging option causes Exim to scan the given file or directory
+(depending on the used scanner interface),

 using the malware scanning framework.  The option of &%av_scanner%& influences
 this option, so if &%av_scanner%&'s value is dependent upon an expansion then
 the expansion should have defaults which apply to this invocation.  ACLs are
 using the malware scanning framework.  The option of &%av_scanner%& influences
 this option, so if &%av_scanner%&'s value is dependent upon an expansion then
 the expansion should have defaults which apply to this invocation.  ACLs are


@@ -6147,7 +6148,8 @@ errors:
 This causes any temporarily failing address to be retried every 15 minutes for
 2 hours, then at intervals starting at one hour and increasing by a factor of
 1.5 until 16 hours have passed, then every 6 hours up to 4 days. If an address
 This causes any temporarily failing address to be retried every 15 minutes for
 2 hours, then at intervals starting at one hour and increasing by a factor of
 1.5 until 16 hours have passed, then every 6 hours up to 4 days. If an address

-is not delivered after 4 days of temporary failure, it is bounced.
+is not delivered after 4 days of temporary failure, it is bounced. The time is
+measured from first failure, not from the time the message was received.

 
 If the retry section is removed from the configuration, or is empty (that is,
 if no retry rules are defined), Exim will not retry deliveries. This turns
 
 If the retry section is removed from the configuration, or is empty (that is,
 if no retry rules are defined), Exim will not retry deliveries. This turns


@@ -6609,7 +6611,7 @@ lookup types support only literal keys.
 .endlist ilist
 
 
 .endlist ilist
 
 

-.section "Query-style lookup types" "SECID62"
+.section "Query-style lookup types" "SECTquerystylelookups"

 .cindex "lookup" "query-style types"
 .cindex "query-style lookup" "list of types"
 The supported query-style lookup types are listed below. Further details about
 .cindex "lookup" "query-style types"
 .cindex "query-style lookup" "list of types"
 The supported query-style lookup types are listed below. Further details about


@@ -10480,7 +10482,7 @@ variables or headers inside regular expressions.
 .cindex "SHA-1 hash"
 .cindex "expansion" "SHA-1 hashing"
 .cindex certificate fingerprint
 .cindex "SHA-1 hash"
 .cindex "expansion" "SHA-1 hashing"
 .cindex certificate fingerprint

-.cindex "&%sha2%& expansion item"
+.cindex "&%sha1%& expansion item"

 The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
 it as a 40-digit hexadecimal number, in which any letters are in upper case.
 
 The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
 it as a 40-digit hexadecimal number, in which any letters are in upper case.
 


@@ -10488,16 +10490,38 @@ If the string is a single variable of type certificate,
 returns the SHA-1 hash fingerprint of the certificate.
 
 
 returns the SHA-1 hash fingerprint of the certificate.
 
 

-.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.vitem &*${sha256:*&<&'string'&>&*}*&

 .cindex "SHA-256 hash"
 .cindex certificate fingerprint
 .cindex "expansion" "SHA-256 hashing"
 .cindex "&%sha256%& expansion item"
 .cindex "SHA-256 hash"
 .cindex certificate fingerprint
 .cindex "expansion" "SHA-256 hashing"
 .cindex "&%sha256%& expansion item"

-The &%sha256%& operator computes the SHA-256 hash fingerprint of the
-certificate,
+.new
+The &%sha256%& operator computes the SHA-256 hash value of the string
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+.wen
+
+If the string is a single variable of type certificate,
+returns the SHA-256 hash fingerprint of the certificate.
+
+
+.new
+.vitem &*${sha3:*&<&'string'&>&*}*&
+.vitem &*${sha3_<n>:*&<&'string'&>&*}*&
+.cindex "SHA3 hash"
+.cindex "expansion" "SHA3 hashing"
+.cindex "&%sha3%& expansion item"
+The &%sha3%& operator computes the SHA3-256 hash value of the string

 and returns
 it as a 64-digit hexadecimal number, in which any letters are in upper case.
 and returns
 it as a 64-digit hexadecimal number, in which any letters are in upper case.

-Only arguments which are a single variable of certificate type are supported.
+
+If a number is appended, separated by an underbar, it specifies
+the output length.  Values of 224, 256, 384 and 512 are accepted;
+with 256 being the default.
+
+The &%sha3%& expansion item is only supported if Exim has been
+compiled with GnuTLS 3.5.0 or later.
+.wen

 
 
 .vitem &*${stat:*&<&'string'&>&*}*&
 
 
 .vitem &*${stat:*&<&'string'&>&*}*&


@@ -12146,6 +12170,7 @@ a single-component name, Exim calls &[gethostbyname()]& (or
 qualified host name. See also &$smtp_active_hostname$&.
 
 
 qualified host name. See also &$smtp_active_hostname$&.
 
 

+.new

 .vitem &$proxy_external_address$& &&&
        &$proxy_external_port$& &&&
        &$proxy_local_address$& &&&
 .vitem &$proxy_external_address$& &&&
        &$proxy_external_port$& &&&
        &$proxy_local_address$& &&&


@@ -12154,6 +12179,7 @@ qualified host name. See also &$smtp_active_hostname$&.
 These variables are only available when built with Proxy Protocol
 or Socks5 support
 For details see chapter &<<SECTproxyInbound>>&.
 These variables are only available when built with Proxy Protocol
 or Socks5 support
 For details see chapter &<<SECTproxyInbound>>&.

+.wen

 
 .vitem &$prdr_requested$&
 .cindex "PRDR" "variable for"
 
 .vitem &$prdr_requested$&
 .cindex "PRDR" "variable for"


@@ -16839,8 +16865,8 @@ of the STARTTLS command to set up an encrypted session is advertised in
 response to EHLO only to those client hosts that match this option. See
 chapter &<<CHAPTLS>>& for details of Exim's support for TLS.
 Note that the default value requires that a certificate be supplied
 response to EHLO only to those client hosts that match this option. See
 chapter &<<CHAPTLS>>& for details of Exim's support for TLS.
 Note that the default value requires that a certificate be supplied

-using the &%tls_certificate%& option.  If no certificate is available then
-the &%tls_advertise_hosts%& option should be set empty.
+using the &%tls_certificate%& option.  If TLS support for incoming connections
+is not required the &%tls_advertise_hosts%& option should be set empty.

 
 
 .option tls_certificate main string&!! unset
 
 
 .option tls_certificate main string&!! unset


@@ -16861,6 +16887,11 @@ if the OpenSSL build supports TLS extensions and the TLS client sends the
 Server Name Indication extension, then this option and others documented in
 &<<SECTtlssni>>& will be re-expanded.
 
 Server Name Indication extension, then this option and others documented in
 &<<SECTtlssni>>& will be re-expanded.
 

+.new
+If this option is unset or empty a fresh self-signed certificate will be
+generated for every connection.
+.wen
+

 .option tls_crl main string&!! unset
 .cindex "TLS" "server certificate revocation list"
 .cindex "certificate" "revocation list for server"
 .option tls_crl main string&!! unset
 .cindex "TLS" "server certificate revocation list"
 .cindex "certificate" "revocation list for server"


@@ -26954,10 +26985,17 @@ with the error
 If a STARTTLS command is issued within an existing TLS session, it is
 rejected with a 554 error code.
 
 If a STARTTLS command is issued within an existing TLS session, it is
 rejected with a 554 error code.
 

-To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to
-match some hosts. You can, of course, set it to * to match all hosts.
-However, this is not all you need to do. TLS sessions to a server won't work
-without some further configuration at the server end.
+To enable TLS operations on a server, the &%tls_advertise_hosts%& option
+must be set to match some hosts. The default is * which matches all hosts.
+
+.new
+If this is all you do, TLS encryption will be enabled but not authentication -
+meaning that the peer has no assurance it is actually you he is talking to.
+You gain protection from a passive sniffer listening on the wire but not
+from someone able to intercept the communication.
+.wen
+
+Further protection requires some further configuration at the server end.

 
 It is rumoured that all existing clients that support TLS/SSL use RSA
 encryption. To make this work you need to set, in the server,
 
 It is rumoured that all existing clients that support TLS/SSL use RSA
 encryption. To make this work you need to set, in the server,


@@ -28696,13 +28734,18 @@ with &`-d`&, with the output going to a new logfile, by default called
 &'debuglog'&.  The filename can be adjusted with the &'tag'& option, which
 may access any variables already defined.  The logging may be adjusted with
 the &'opts'& option, which takes the same values as the &`-d`& command-line
 &'debuglog'&.  The filename can be adjusted with the &'tag'& option, which
 may access any variables already defined.  The logging may be adjusted with
 the &'opts'& option, which takes the same values as the &`-d`& command-line

-option.  Some examples (which depend on variables that don't exist in all
+option.
+.new
+Logging may be stopped, and the file removed, with the &'kill'& option.
+.wen
+Some examples (which depend on variables that don't exist in all

 contexts):
 .code
       control = debug
       control = debug/tag=.$sender_host_address
       control = debug/opts=+expand+acl
       control = debug/tag=.$message_exim_id/opts=+expand
 contexts):
 .code
       control = debug
       control = debug/tag=.$sender_host_address
       control = debug/opts=+expand+acl
       control = debug/tag=.$message_exim_id/opts=+expand

+      control = debug/kill

 .endd
 
 
 .endd
 
 


@@ -35512,6 +35555,7 @@ the following table:
 &`CV  `&        certificate verification status
 &`D   `&        duration of &"no mail in SMTP session"&
 &`DN  `&        distinguished name from peer certificate
 &`CV  `&        certificate verification status
 &`D   `&        duration of &"no mail in SMTP session"&
 &`DN  `&        distinguished name from peer certificate

+&`DS  `&        DNSSEC secured lookups

 &`DT  `&        on &`=>`& lines: time taken for a delivery
 &`F   `&        sender address (on delivery lines)
 &`H   `&        host name and IP address
 &`DT  `&        on &`=>`& lines: time taken for a delivery
 &`F   `&        sender address (on delivery lines)
 &`H   `&        host name and IP address


@@ -35602,6 +35646,7 @@ selection marked by asterisks:
 &` deliver_time               `&  time taken to perform delivery
 &` delivery_size              `&  add &`S=`&&'nnn'& to => lines
 &`*dnslist_defer              `&  defers of DNS list (aka RBL) lookups
 &` deliver_time               `&  time taken to perform delivery
 &` delivery_size              `&  add &`S=`&&'nnn'& to => lines
 &`*dnslist_defer              `&  defers of DNS list (aka RBL) lookups

+&` dnssec                     `&  DNSSEC secured lookups

 &`*etrn                       `&  ETRN commands
 &`*host_lookup_failed         `&  as it says
 &` ident_timeout              `&  timeout for ident connection
 &`*etrn                       `&  ETRN commands
 &`*host_lookup_failed         `&  as it says
 &` ident_timeout              `&  timeout for ident connection


@@ -35709,6 +35754,14 @@ the &"=>"& line, tagged with S=.
 &%dnslist_defer%&: A log entry is written if an attempt to look up a host in a
 DNS black list suffers a temporary error.
 .next
 &%dnslist_defer%&: A log entry is written if an attempt to look up a host in a
 DNS black list suffers a temporary error.
 .next

+.cindex log dnssec
+.cindex dnssec logging
+&%dnssec%&: For message acceptance and (attempted) delivery log lines, when
+dns lookups gave secure results a tag of DS is added.
+For acceptance this covers the reverse and forward lookups for host name verification.
+It does not cover helo-name verification.
+For delivery this covers the SRV, MX, A and/or AAAA lookups.
+.next

 .cindex "log" "ETRN commands"
 .cindex "ETRN" "logging"
 &%etrn%&: Every valid ETRN command that is received is logged, before the ACL
 .cindex "log" "ETRN commands"
 .cindex "ETRN" "logging"
 &%etrn%&: Every valid ETRN command that is received is logged, before the ACL


@@ -38211,6 +38264,7 @@ Use of a proxy is enabled by setting the &%hosts_proxy%&
 main configuration option to a hostlist; connections from these
 hosts will use Proxy Protocol.
 
 main configuration option to a hostlist; connections from these
 hosts will use Proxy Protocol.
 

+.new

 The following expansion variables are usable
 (&"internal"& and &"external"& here refer to the interfaces
 of the proxy):
 The following expansion variables are usable
 (&"internal"& and &"external"& here refer to the interfaces
 of the proxy):


@@ -38223,6 +38277,7 @@ of the proxy):
 .endd
 If &$proxy_session$& is set but &$proxy_external_address$& is empty
 there was a protocol error.
 .endd
 If &$proxy_session$& is set but &$proxy_external_address$& is empty
 there was a protocol error.

+.wen

 
 Since the real connections are all coming from the proxy, and the
 per host connection tracking is done before Proxy Protocol is
 
 Since the real connections are all coming from the proxy, and the
 per host connection tracking is done before Proxy Protocol is


@@ -38361,7 +38416,7 @@ form of the name.
 Log lines and Received-by: header lines will acquire a "utf8"
 prefix on the protocol element, eg. utf8esmtp.
 
 Log lines and Received-by: header lines will acquire a "utf8"
 prefix on the protocol element, eg. utf8esmtp.
 

-The following expansion operator can be used:
+The following expansion operators can be used:

 .code
 ${utf8_domain_to_alabel:str}
 ${utf8_domain_from_alabel:str}
 .code
 ${utf8_domain_to_alabel:str}
 ${utf8_domain_from_alabel:str}