X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=blobdiff_plain;f=doc%2Fdoc-docbook%2Fspec.xfpt;h=91dacb7bb8f239421c496cfe5b073cf77a9c47bd;hp=769b9e1c9885912cbed9d9d796ba032a112274b0;hb=5e6d12accb0bdfa1cee9d8c9a1ecec3131b9f502;hpb=33f316f2c5fad1f91b627fce7473da287bb23162 diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 769b9e1c9..91dacb7bb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -45,14 +45,14 @@ . Update the Copyright year (only) when changing content. . ///////////////////////////////////////////////////////////////////////////// -.set previousversion "4.88" +.set previousversion "4.89" .include ./local_params .set ACL "access control lists (ACLs)" .set I "    " .macro copyyear -2016 +2017 .endmacro . ///////////////////////////////////////////////////////////////////////////// @@ -371,11 +371,13 @@ contributors. .section "Exim documentation" "SECID1" . Keep this example change bar when updating the documentation! +.new .cindex "documentation" This edition of the Exim specification applies to version &version() of Exim. Substantive changes from the &previousversion; edition are marked in some renditions of the document; this paragraph is so marked if the rendition is capable of showing a change indicator. +.wen This document is very much a reference manual; it is not a tutorial. The reader is expected to have some familiarity with the SMTP mail transfer protocol and @@ -434,6 +436,7 @@ directory are: .row &_filter.txt_& "specification of the filter language" .row &_Exim3.upgrade_& "upgrade notes from release 2 to release 3" .row &_Exim4.upgrade_& "upgrade notes from release 3 to release 4" +.row &_openssl.txt_& "installing a current OpenSSL release" .endtable The main specification and the specification of the filtering language are also @@ -3825,11 +3828,17 @@ This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option. It signifies that the remote host supports the ESMTP &_DSN_& extension. -.vitem &%-MCG%& +.vitem &%-MCG%&&~<&'queue&~name'&> .oindex "&%-MCG%&" This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option. It signifies that an -alternate queue is used, named by the following option. +alternate queue is used, named by the following argument. + +.vitem &%-MCK%& +.oindex "&%-MCK%&" +This option is not intended for use by external callers. It is used internally +by Exim in conjunction with the &%-MC%& option. It signifies that an +remote host supports the ESMTP &_CHUNKING_& extension. .vitem &%-MCP%& .oindex "&%-MCP%&" @@ -3859,6 +3868,15 @@ This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option, and passes on the fact that the host to which Exim is connected supports TLS encryption. +.new +.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&> +.oindex "&%-MCt%&" +This option is not intended for use by external callers. It is used internally +by Exim in conjunction with the &%-MC%& option, and passes on the fact that the +connection is being proxied by a parent process for handling TLS encryption. +The pair of arguments give the local address and port being proxied. +.wen + .vitem &%-Mc%&&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-Mc%&" .cindex "hints database" "not overridden by &%-Mc%&" @@ -4479,7 +4497,7 @@ will specify a queue to operate on. For example: .code exim -bp -qGquarantine -mailq -qGquarantime +mailq -qGquarantine exim -qGoffpeak -Rf @special.domain.example .endd @@ -4919,11 +4937,9 @@ using this syntax: on a line by itself. Double quotes round the file name are optional. If you use the first form, a configuration error occurs if the file does not exist; the second form does nothing for non-existent files. -.new The first form allows a relative name. It is resolved relative to the directory of the including file. For the second form an absolute file name is required. -.wen Includes may be nested to any depth, but remember that Exim reads its configuration file often, so it is a good idea to keep them to a minimum. @@ -6730,8 +6746,8 @@ PostgreSQL database. See section &<>&. .next .cindex "Redis lookup type" .cindex lookup Redis -&(redis)&: The format of the query is an SQL statement that is passed to a -Redis database. See section &<>&. +&(redis)&: The format of the query is either a simple get or simple set, +passed to a Redis database. See section &<>&. .next .cindex "sqlite lookup type" @@ -7109,7 +7125,7 @@ Retries for the dnsdb lookup can be controlled by a retry modifier. The form if &"retry_VAL"& where VAL is an integer. The default count is set by the main configuration option &%dns_retry%&. -.cindex cacheing "of dns lookup" +.cindex caching "of dns lookup" .cindex TTL "of dns lookup" .cindex DNS TTL Dnsdb lookup results are cached within a single process (and its children). @@ -7804,6 +7820,17 @@ are rejected after a timeout period, during which the SQLite library waits for the lock to be released. In Exim, the default timeout is set to 5 seconds, but it can be changed by means of the &%sqlite_lock_timeout%& option. + +.section "More about Redis" "SECTredis" +.cindex "lookup" "Redis" +.cindex "redis lookup type" +Redis is a non-SQL database. Commands are simple get and set. +Examples: +.code +${lookup redis{set keyname ${quote_redis:objvalue plus}}} +${lookup redis{get keyname}} +.endd + .ecindex IIDfidalo1 .ecindex IIDfidalo2 @@ -9104,7 +9131,7 @@ If the ACL returns defer the result is a forced-fail. Otherwise the expansion f .vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&& {*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&" -.cindex "expansion" "extracting cerificate fields" +.cindex "expansion" "extracting certificate fields" .cindex "&%certextract%&" "certificate fields" .cindex "certificate" "extracting fields" The <&'certificate'&> must be a variable of type certificate. @@ -9422,17 +9449,13 @@ filter. Header lines that are added to a particular copy of a message by a router or transport are not accessible. For incoming SMTP messages, no header lines are visible in -.new ACLs that are obeyed before the data phase completes, -.wen because the header structure is not set up until the message is received. They are visible in DKIM, PRDR and DATA ACLs. Header lines that are added in a RCPT ACL (for example) are saved until the message's incoming header lines are available, at which point they are added. -.new When any of the above ACLs ar -.wen running, however, header lines added by earlier ACLs are visible. Upper case and lower case letters are synonymous in header names. If the @@ -9760,7 +9783,7 @@ locks out the use of this expansion item in filter files. .vitem "&*${readsocket{*&<&'name'&>&*}{*&<&'request'&>&*}&&& - {*&<&'timeout'&>&*}{*&<&'eol&~string'&>&*}{*&<&'fail&~string'&>&*}}*&" + {*&<&'options'&>&*}{*&<&'eol&~string'&>&*}{*&<&'fail&~string'&>&*}}*&" .cindex "expansion" "inserting from a socket" .cindex "socket, use of in expansion" .cindex "&%readsocket%& expansion item" @@ -9790,6 +9813,15 @@ extend what can be done. Firstly, you can vary the timeout. For example: .code ${readsocket{/socket/name}{request string}{3s}} .endd +The third argument is a list of options, of which the first element is the timeout +and must be present if the argument is given. +Further elements are options of form &'name=value'&. +One option type is currently recognised, defining whether (the default) +or not a shutdown is done on the connection after sending the request. +Example, to not do so (preferred, eg. by some webservers): +.code +${readsocket{/socket/name}{request string}{3s:shutdown=no}} +.endd A fourth argument allows you to change any newlines that are in the data that is read, in the same way as for &%readfile%& (see above). This example turns them into spaces: @@ -12209,7 +12241,7 @@ normally the gid of the Exim user. .cindex "uid (user id)" "of originating user" .cindex "sender" "uid" .vindex "&$caller_uid$&" -.vindex "&$originaltor_uid$&" +.vindex "&$originator_uid$&" The value of &$caller_uid$& that was set when the message was received. For messages received via the command line, this is the uid of the sending user. For messages received by SMTP over TCP/IP, this is normally the uid of the Exim @@ -12256,7 +12288,7 @@ qualified host name. See also &$smtp_active_hostname$&. &$proxy_local_port$& &&& &$proxy_session$& These variables are only available when built with Proxy Protocol -or Socks5 support +or SOCKS5 support. For details see chapter &<>&. .vitem &$prdr_requested$& @@ -12606,6 +12638,11 @@ validating resolver (e.g. unbound, or bind with suitable configuration). If you have changed &%host_lookup_order%& so that &`bydns`& is not the first mechanism in the list, then this variable will be false. +This requires that your system resolver library support EDNS0 (and that +DNSSEC flags exist in the system headers). If the resolver silently drops +all EDNS0 options, then this will have no effect. OpenBSD's asr resolver +is known to currently ignore EDNS0, documented in CAVEATS of asr_run(3). + .vitem &$sender_host_name$& .vindex "&$sender_host_name$&" @@ -12827,7 +12864,7 @@ If TLS has not been negotiated, the value will be 0. .vitem &$tls_in_ourcert$& .vindex "&$tls_in_ourcert$&" -.cindex certificate veriables +.cindex certificate variables This variable refers to the certificate presented to the peer of an inbound connection when the message was received. It is only useful as the argument of a @@ -13097,7 +13134,7 @@ initial startup, even if &%perl_at_start%& is set. .oindex "&%perl_taintmode%&" .cindex "Perl" "taintmode" To provide more security executing Perl code via the embedded Perl -interpeter, the &%perl_taintmode%& option can be set. This enables the +interpreter, the &%perl_taintmode%& option can be set. This enables the taint mode of the Perl interpreter. You are encouraged to set this option to a true value. To avoid breaking existing installations, it defaults to false. @@ -13527,6 +13564,7 @@ listed in more than one group. .section "Miscellaneous" "SECID96" .table2 .row &%bi_command%& "to run for &%-bi%& command line option" +.row &%debug_store%& "do extra internal checks" .row &%disable_ipv6%& "do no IPv6 processing" .row &%keep_malformed%& "for broken files &-- should not happen" .row &%localhost_number%& "for unique message ids in clusters" @@ -14017,6 +14055,7 @@ acknowledgment is sent. See chapter &<>& for further details. .option acl_smtp_dkim main string&!! unset .cindex DKIM "ACL for" This option defines the ACL that is run for each DKIM signature +(by default, or as specified in the dkim_verify_signers option) of a received message. See chapter &<>& for further details. @@ -14404,7 +14443,7 @@ it obviously cannot send an error message of any kind. There is a slight performance penalty for these checks. Versions of Exim preceding 4.88 had these disabled by default; -high-rate intallations confident they will never run out of resources +high-rate installations confident they will never run out of resources may wish to deliberately disable them. .option chunking_advertise_hosts main "host list&!!" * @@ -14414,6 +14453,13 @@ The CHUNKING extension (RFC3030) will be advertised in the EHLO message to these hosts. Hosts may use the BDAT command as an alternate to DATA. +.option debug_store main boolean &`false`& +.cindex debugging "memory corruption" +.cindex memory debugging +This option, when true, enables extra checking in Exim's internal memory +management. For use when a memory corruption issue is being investigated, +it should normally be left as default. + .option daemon_smtp_ports main string &`smtp`& .cindex "port" "for daemon" .cindex "TCP/IP" "setting listening ports" @@ -14663,6 +14709,7 @@ record in the authoritative section is used instead. .option dns_use_edns0 main integer -1 .cindex "DNS" "resolver options" .cindex "DNS" "EDNS0" +.cindex "DNS" "OpenBSD If this option is set to a non-negative number then Exim will initialise the DNS resolver library to either use or not use EDNS0 extensions, overriding the system default. A value of 0 coerces EDNS0 off, a value of 1 coerces EDNS0 @@ -14670,6 +14717,10 @@ on. If the resolver library does not support EDNS0 then this option has no effect. +OpenBSD's asr resolver routines are known to ignore the EDNS0 option; this +means that DNSSEC will not work with Exim on that platform either, unless Exim +is linked against an alternative DNS client library. + .option drop_cr main boolean false This is an obsolete option that is now a no-op. It used to affect the way Exim @@ -15293,6 +15344,7 @@ connecting on a regular LDAP port. This is the LDAP equivalent of SMTP's of SSL-on-connect. In the event of failure to negotiate TLS, the action taken is controlled by &%ldap_require_cert%&. +This option is ignored for &`ldapi`& connections. .option ldap_version main integer unset @@ -16709,7 +16761,7 @@ example, instead of &"Administrative prohibition"&, it might give: .option smtputf8_advertise_hosts main "host list&!!" * .cindex "SMTPUTF8" "advertising" When Exim is built with support for internationalised mail names, -the availability therof is advertised in +the availability thereof is advertised in response to EHLO only to those client hosts that match this option. See chapter &<>& for details of Exim's support for internationalisation. @@ -16866,6 +16918,7 @@ generates any deliveries to files or pipes, or any new mail messages, the appropriate &%system_filter_..._transport%& option(s) must be set, to define which transports are to be used. Details of this facility are given in chapter &<>&. +A forced expansion failure results in no filter operation. .option system_filter_directory_transport main string&!! unset @@ -17108,7 +17161,8 @@ acceptable bound from 1024 to 2048. .option tls_eccurve main string&!! &`auto`& .cindex TLS "EC cryptography" -This option selects a EC curve for use by Exim. +This option selects a EC curve for use by Exim when used with OpenSSL. +It has no effect when Exim is used with GnuTLS. After expansion it must contain a valid EC curve parameter, such as &`prime256v1`&, &`secp384r1`&, or &`P-512`&. Consult your OpenSSL manual @@ -21002,7 +21056,7 @@ The control does not apply to shadow transports. .cindex "hints database" "transport concurrency control" Exim implements this control by means of a hints database in which a record is -incremented whenever a transport process is beaing created. The record +incremented whenever a transport process is being created. The record is decremented and possibly removed when the process terminates. Obviously there is scope for records to get left lying around if there is a system or program crash. To @@ -23260,9 +23314,7 @@ message_suffix = .option path pipe string&!! "/bin:/usr/bin" -.new This option is expanded and -.wen specifies the string that is set up in the PATH environment variable of the subprocess. If the &%command%& option does not yield an absolute path name, the command is @@ -23892,6 +23944,25 @@ been started will not be passed to a new delivery process for sending another message on the same connection. See section &<>& for an explanation of when this might be needed. +.new +.option hosts_noproxy_tls smtp "host list&!!" * +.cindex "TLS" "passing connection" +.cindex "multiple SMTP deliveries" +.cindex "TLS" "multiple message deliveries" +For any host that matches this list, a TLS session which has +been started will not be passed to a new delivery process for sending another +message on the same session. + +The traditional implementation closes down TLS and re-starts it in the new +process, on the same open TCP connection, for each successive message +sent. If permitted by this option a pipe to to the new process is set up +instead, and the original process maintains the TLS connection and proxies +the SMTP connection from and to the new process and any subsequents. +The new process has no access to TLS information, so cannot include it in +logging. +.wen + + .option hosts_override smtp boolean false If this option is set and the &%hosts%& option is also set, any hosts that are @@ -23966,12 +24037,12 @@ unauthenticated. See also &%hosts_require_auth%&, and chapter .cindex "RFC 3030" "CHUNKING" This option provides a list of servers to which, provided they announce CHUNKING support, Exim will attempt to use BDAT commands rather than DATA. -BDAT will not be used in conjuction with a transport filter. +BDAT will not be used in conjunction with a transport filter. .option hosts_try_fastopen smtp "host list!!" unset -.option "fast open, TCP" "enabling, in client" -.option "TCP Fast Open" "enabling, in client" -.option "RFC 7413" "TCP Fast Open" +.cindex "fast open, TCP" "enabling, in client" +.cindex "TCP Fast Open" "enabling, in client" +.cindex "RFC 7413" "TCP Fast Open" This option provides a list of servers to which, provided the facility is supported by this system, Exim will attempt to perform a TCP Fast Open. @@ -25860,6 +25931,17 @@ turned into a permanent error if you wish. In the second case, Exim tries to deliver the message unauthenticated. .endlist +Note that the hostlist test for whether to do authentication can be +confused if name-IP lookups change between the time the peer is decided +on and the transport running. For example, with a manualroute +router given a host name, and DNS "round-robin" use by that name: if +the local resolver cache times out between the router and the transport +running, the transport may get an IP for the name for its authentication +check which does not match the connection peer IP. +No authentication will then be done, despite the names being identical. + +For such cases use a separate transport which always authenticates. + .cindex "AUTH" "on MAIL command" When Exim has authenticated itself to a remote server, it adds the AUTH parameter to the MAIL commands it sends, if it has an authenticated sender for @@ -27131,10 +27213,12 @@ tls_require_ciphers = ${if =={$received_port}{25}\ .cindex "TLS" "configuring an Exim server" When Exim has been built with TLS support, it advertises the availability of the STARTTLS command to client hosts that match &%tls_advertise_hosts%&, -but not to any others. The default value of this option is unset, which means -that STARTTLS is not advertised at all. This default is chosen because you -need to set some other options in order to make TLS available, and also it is -sensible for systems that want to use TLS only as a client. +but not to any others. The default value of this option is *, which means +that STARTTLS is alway advertised. Set it to blank to never advertise; +this is reasonble for systems that want to use TLS only as a client. + +If STARTTLS is to be used you +need to set some other options in order to make TLS available. If a client issues a STARTTLS command and there is some configuration problem in the server, the command is rejected with a 454 error. If the client @@ -27531,7 +27615,7 @@ Great care should be taken to deal with matters of case, various injection attacks in the string (&`../`& or SQL), and ensuring that a valid filename can always be referenced; it is important to remember that &$tls_in_sni$& is arbitrary unverified data provided prior to authentication. -Further, the initial cerificate is loaded before SNI is arrived, so +Further, the initial certificate is loaded before SNI is arrived, so an expansion for &%tls_certificate%& must have a default which is used when &$tls_in_sni$& is empty. @@ -28075,6 +28159,9 @@ run. A &"discard"& return from the DATA or the non-SMTP ACL discards all the remaining recipients. The &"discard"& return is not permitted for the &%acl_smtp_predata%& ACL. +If the ACL for VRFY returns &"accept"&, a recipient verify (without callout) +is done on the address and the result determines the SMTP response. + .cindex "&[local_scan()]& function" "when all recipients discarded" The &[local_scan()]& function is always run, even if there are no remaining @@ -28894,7 +28981,9 @@ message body. Cutthrough delivery is not supported via transport-filters or when DKIM signing of outgoing messages is done, because it sends data to the ultimate destination before the entire message has been received from the source. -It is not supported for messages received with the SMTP PRDR option in use. +It is not supported for messages received with the SMTP PRDR +or CHUNKING +options in use. Should the ultimate destination system positively accept or reject the mail, a corresponding indication is given to the source system and nothing is queued. @@ -28908,7 +28997,7 @@ This behaviour can be adjusted by appending the option &*defer=*&<&'value'&> to the control; the default value is &"spool"& and the alternate value &"pass"& copies an SMTP defer response from the target back to the initiator and does not queue the message. -Note that this is independent of any receipient verify conditions in the ACL. +Note that this is independent of any recipient verify conditions in the ACL. Delivery in this mode avoids the generation of a bounce mail to a (possibly faked) @@ -29745,6 +29834,13 @@ to avoid doing it more than once per message. .cindex "&%verify%& ACL condition" This is a variation of the previous option, in which a modified address is verified as a sender. + +Note that '/' is legal in local-parts; if the address may have such +(eg. is generated from the received message) +they must be protected from the options parsing by doubling: +.code +verify = sender=${sg{${address:$h_sender:}}{/}{//}} +.endd .endlist @@ -29804,7 +29900,7 @@ deny dnslists = blackholes.mail-abuse.org warn message = X-Warn: sending host is on dialups list dnslists = dialups.mail-abuse.org .endd -.cindex cacheing "of dns lookup" +.cindex caching "of dns lookup" .cindex DNS TTL DNS list lookups are cached by Exim for the duration of the SMTP session (but limited by the DNS return TTL value), @@ -29917,7 +30013,7 @@ multiple DNS records. The inner dnsdb lookup produces a list of MX hosts and the outer dnsdb lookup finds the IP addresses for these hosts. The result of expanding the condition might be something like this: .code -dnslists = sbl.spahmaus.org/<|192.168.2.3|192.168.5.6|... +dnslists = sbl.spamhaus.org/<|192.168.2.3|192.168.5.6|... .endd Thus, this example checks whether or not the IP addresses of the sender domain's mail servers are on the Spamhaus black list. @@ -31443,6 +31539,18 @@ av_scanner = f-protd:localhost 10200-10204 .endd If you omit the argument, the default values show above are used. +.new +.vitem &%f-prot6d%& +.cindex "virus scanners" "f-prot6d" +The f-prot6d scanner is accessed using the FPSCAND protocol over TCP. +One argument is taken, being a space-separated hostname and port number. +For example: +.code +av_scanner = f-prot6d:localhost 10200 +.endd +If you omit the argument, the default values show above are used. +.wen + .vitem &%fsecure%& .cindex "virus scanners" "F-Secure" The F-Secure daemon scanner (&url(http://www.f-secure.com)) takes one @@ -35659,6 +35767,13 @@ SMTP RCPT commands in one transaction) the second and subsequent addresses are flagged with &`->`& instead of &`=>`&. When two or more messages are delivered down a single SMTP connection, an asterisk follows the IP address in the log lines for the second and subsequent messages. +.new +When two or more messages are delivered down a single TLS connection, the +DNS and TLS-related information logged for the first message delivered +will not be present in the log lines for the second and subsequent messages. +A TLS-marker indication of &'X=*'& is added to the log line instead of +cipher information. +.wen .cindex "delivery" "cutthrough; logging" .cindex "cutthrough" "logging" @@ -35786,7 +35901,7 @@ the following table: &`T `& on &`<=`& lines: message subject (topic) &` `& on &`=>`& &`**`& and &`==`& lines: transport name &`U `& local user or RFC 1413 identity -&`X `& TLS cipher suite +&`X `& TLS cipher suite, or TLS usage mark .endd @@ -36010,7 +36125,7 @@ The latter can be disabled by turning off the &%outgoing_interface%& option. &%proxy%&: The internal (closest to the system running Exim) IP address of the proxy, tagged by PRX=, on the &"<="& line for a message accepted on a proxied connection -or the &"=>"& line for a message delivered on a proxied connection.. +or the &"=>"& line for a message delivered on a proxied connection. See &<>& for more information. .next .cindex "log" "incoming remote port" @@ -36041,7 +36156,7 @@ off the &%outgoing_interface%& option. .next .cindex "log" "outgoing remote port" .cindex "port" "logging outgoint remote" -.cindex "TCP/IP" "logging ougtoing remote port" +.cindex "TCP/IP" "logging outgoing remote port" &%outgoing_port%&: The remote port number is added to delivery log lines (those containing => tags) following the IP address. The local port is also added if &%incoming_interface%& and @@ -37870,9 +37985,8 @@ lock will be lost at the instant of rename. .next .vindex "&$body_linecount$&" If you change the number of lines in the file, the value of -&$body_linecount$&, which is stored in the -H file, will be incorrect. At -present, this value is not used by Exim, but there is no guarantee that this -will always be the case. +&$body_linecount$&, which is stored in the -H file, will be incorrect and can +cause incomplete transmission of messages or undeliverable messages. .next If the message is in MIME format, you must take care not to break it. .next @@ -38485,9 +38599,9 @@ To include this support, include &"SUPPORT_PROXY=yes"& in Local/Makefile. It was built on specifications from: -http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt +(&url(http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt)). That URL was revised in May 2014 to version 2 spec: -http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e +(&url(http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e)). The purpose of this facility is so that an application load balancer, such as HAProxy, can sit in front of several Exim servers @@ -38501,6 +38615,13 @@ recorded in an ACL (example is below). Use of a proxy is enabled by setting the &%hosts_proxy%& main configuration option to a hostlist; connections from these hosts will use Proxy Protocol. +Exim supports both version 1 and version 2 of the Proxy Protocol and +automatically determines which version is in use. + +The Proxy Protocol header is the first data received on a TCP connection +and is inserted before any TLS-on-connect handshake from the client; Exim +negotiates TLS between Exim-as-server and the remote client, not between +Exim and the proxy server. The following expansion variables are usable (&"internal"& and &"external"& here refer to the interfaces @@ -38508,9 +38629,9 @@ of the proxy): .display &'proxy_external_address '& IP of host being proxied or IP of remote interface of proxy &'proxy_external_port '& Port of host being proxied or Port on remote interface of proxy -&'proxy_local_address '& IP of proxy server inbound or IP of local interface of proxy -&'proxy_local_port '& Port of proxy server inbound or Port on local interface of proxy -&'proxy_session '& boolean: SMTP connection via proxy +&'proxy_local_address '& IP of proxy server inbound or IP of local interface of proxy +&'proxy_local_port '& Port of proxy server inbound or Port on local interface of proxy +&'proxy_session '& boolean: SMTP connection via proxy .endd If &$proxy_session$& is set but &$proxy_external_address$& is empty there was a protocol error. @@ -38621,6 +38742,10 @@ Exim has support for Internationalised mail names. To include this it must be built with SUPPORT_I18N and the libidn library. Standards supported are RFCs 2060, 5890, 6530 and 6533. +If Exim is built with SUPPORT_I18N_2008 (in addition to SUPPORT_I18N, not +instead of it) then IDNA2008 is supported; this adds an extra library +requirement, upon libidn2. + .section "MTA operations" SECTi18nMTA .cindex SMTPUTF8 "ESMTP option" The main configuration option &%smtputf8_advertise_hosts%& specifies @@ -38793,7 +38918,7 @@ can be used to affect that action (more on this below). An additional variable, &$event_data$&, is filled with information varying with the event type: .display -&`msg:delivery `& smtp confirmation mssage +&`msg:delivery `& smtp confirmation message &`msg:rcpt:host:defer `& error string &`msg:rcpt:defer `& error string &`msg:host:defer `& error string