This item inserts &"basic"& header lines. It is described with the &%header%&
expansion item below.
+
+ .vitem "&*${acl{*&<&'name'&>&*}{*&<&'arg'&>&*}...}*&"
+ .cindex "expansion" "calling an acl"
+ .cindex "&%acl%&" "call from expansion"
+ The name and zero to nine argument strings are first expanded separately. The expanded
+ arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+ Any unused are made empty. The variable &$acl_narg$& is set to the number of
+ arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+ and may use the variables; if another acl expansion is used the values
+ are overwritten. If the ACL sets
+ a value using a "message =" modifier and returns accept or deny, the value becomes
+ the result of the expansion.
+ If no message was set and the ACL returned accept or deny
+ the value is an empty string.
+ If the ACL returned defer the result is a forced-fail. Otherwise the expansion fails.
+
+
.vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&&
{*&<&'arg'&>&*}...}*&"
.cindex &%dlfunc%&
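Review bot: the closing sentence of the new ${acl{...}} item, "Otherwise the expansion fails", leaves the reader to guess which ACL outcomes it covers (drop, discard, a name that does not match any defined ACL, an error while running the ACL); list them, and say whether "fails" means an ordinary expansion failure that a caller can trap, as opposed to the forced-fail given for defer. Also, because &$acl_arg1$& to &$acl_arg9$& and &$acl_narg$& are single global variables that "another acl expansion" overwrites, the text should warn that an ACL which itself uses ${acl{...}} or the acl condition must copy any argument it still needs into its own variable before doing so.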
10M, not if 10M is larger than &$message_size$&.
+ .vitem &*acl&~{{*&<&'name'&>&*}{*&<&'arg1'&>&*}&&&
+ {*&<&'arg2'&>&*}...}*&
+ .cindex "expansion" "calling an acl"
+ .cindex "&%acl%&" "expansion condition"
+ The name and zero to nine argument strings are first expanded separately. The expanded
+ arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+ Any unused are made empty. The variable &$acl_narg$& is set to the number of
+ arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+ and may use the variables; if another acl expansion is used the values
+ are overwritten. If the ACL sets
+ a value using a "message =" modifier the variable $value becomes
+ the result of the expansion, otherwise it is empty.
+ If the ACL returns accept the condition is true; if deny, false.
+ If the ACL returns defer the result is a forced-fail.
+
.vitem &*bool&~{*&<&'string'&>&*}*&
.cindex "expansion" "boolean parsing"
.cindex "&%bool%& expansion condition"
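Review bot: in the acl condition text, "the variable $value becomes the result of the expansion" is inconsistent: this is a condition, so there is no expansion result; reword to "the value is placed in &$value$&, otherwise &$value$& is empty". The paragraph covers accept, deny and defer only; say what the condition does for a drop or discard return. Minor: $value is written bare here while &$acl_narg$& two lines earlier uses the &$...$& markup; use the markup consistently.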
.section "TLS" "SECID108"
.table2
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
+.new
+.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
+.wen
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
server. This reduces security slightly, but improves interworking with older
implementations of TLS.
+
+.new
+option gnutls_enable_pkcs11 main boolean unset
+This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
+the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
+
+See
+&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs)
+for documentation.
+.wen
+
+
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
&"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The
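Review bot: the new option block starting "option gnutls_enable_pkcs11 main boolean unset" is missing the leading ".option" directive that every other option in this file carries (compare ".option headers_charset main string "see below"" just below); without it the generated manual prints the line as body text and the option gets no index entry. The text states the GnuTLS 2.12.0 requirement but not what happens when the option is set with an older GnuTLS (silently ignored, or a configuration error); say which.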
.vitem &*acl&~=&~*&<&'name&~of&~acl&~or&~ACL&~string&~or&~file&~name&~'&>
.cindex "&ACL;" "nested"
.cindex "&ACL;" "indirect"
+ .cindex "&ACL;" "arguments"
.cindex "&%acl%& ACL condition"
The possible values of the argument are the same as for the
&%acl_smtp_%&&'xxx'& options. The named or inline ACL is run. If it returns
condition false. This means that further processing of the &%warn%& verb
ceases, but processing of the ACL continues.
+ If the argument is a named ACL, up to nine space-separated optional values
+ can be appended; they appear in $acl_arg1 to $acl_arg9, and $acl_narg is set
+ to the count of values. The name and values are expanded separately.
+
If the nested &%acl%& returns &"drop"& and the outer condition denies access,
the connection is dropped. If it returns &"discard"&, the verb must be
&%accept%& or &%discard%&, and the action is taken immediately &-- no further
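Review bot: the added sentence "If the argument is a named ACL, up to nine space-separated optional values can be appended" does not say how Exim tells a named ACL followed by values apart from an inline ACL string or a file name, both of which this condition also accepts (the heading reads "name of acl or ACL string or file name") and both of which may contain spaces; document the rule. It should also be explicit whether splitting on spaces happens before or after expansion: "The name and values are expanded separately" suggests splitting first, which matters for a value that expands to a string containing a space, so state it and give one example such as "acl = check_sender $sender_address".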
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
- 9. The "acl = name" condition on an ACL now supports optional arguments.
+ 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS
+ rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
+ modules. For some situations this is desirable, but we expect admin in
+ those situations to know they want the feature. More commonly, it means
+ that GUI user modules get loaded and are broken by the setuid Exim being
+ unable to access files specified in environment variables and passed
+ through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
+ unless this new option is set.
+
++10. The "acl = name" condition on an ACL now supports optional arguments.
+ New expansion item "${acl {name}{arg}...}" and expansion condition
+ "acl {{name}{arg}...}" are added. In all cases up to nine arguments
+ can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL.
+ Variable $acl_narg contains the number of arguments. If the ACL sets
+ a "message =" value this becomes the result of the expansion item,
+ or the value of $value for the expansion condition. If the ACL returns
+ accept the expansion condition is true; if reject, false. A defer
+ return results in a forced fail.
Version 4.80
------------
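Review bot: the renumbered entry line "++10. The "acl = name" condition ..." carries a stray "+" in the file content (the first "+" is the diff marker, so the NewStuff line itself begins with "+10."); the other entries begin with the bare number, as in "8. New expansion operators". In the same entry, "if reject, false" should read "if deny, false": deny is the ACL verb, and the documentation hunks above use deny consistently. Entry 9 says "defaults false" while the option documentation says "unset"; both are correct for a boolean, but one wording is cleaner.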
#ifdef SUPPORT_TLS
BOOL gnutls_compat_mode = FALSE;
+BOOL gnutls_enable_pkcs11 = FALSE;
uschar *gnutls_require_mac = NULL;
uschar *gnutls_require_kx = NULL;
uschar *gnutls_require_proto = NULL;
header_line *acl_added_headers = NULL;
tree_node *acl_anchor = NULL;
+ uschar *acl_arg[9] = {NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL};
+ int acl_narg = 0;
uschar *acl_not_smtp = NULL;
#ifdef WITH_CONTENT_SCAN
uschar *acl_not_smtp_mime = NULL;
#endif
uschar *acl_not_smtp_start = NULL;
-
uschar *acl_smtp_auth = NULL;
uschar *acl_smtp_connect = NULL;
uschar *acl_smtp_data = NULL;
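Review bot: acl_arg[9] is sized by a bare literal that is repeated in globals.h and as "nine" in the documentation; define one named constant (for example ACL_MAX_ARGS, a hypothetical name) in a shared header and use it for the definition, the declaration and the bounds check wherever the array is filled, so the three limits cannot drift apart. The explicit list of nine NULLs is redundant for a file-scope array, which is zero-initialised; "= {NULL}" or no initializer is enough. The deletion of the blank line before "uschar *acl_smtp_auth = NULL;" is an unrelated whitespace change that would be better left out of this commit.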
US"NOTQUIT",
US"QUIT",
US"STARTTLS",
- US"VRFY"
+ US"VRFY",
+ US"expansion"
};
uschar *acl_wherecodes[] = { US"550", /* RCPT */
US"0", /* NOTQUIT; not relevant */
US"0", /* QUIT; not relevant */
US"550", /* STARTTLS */
- US"252" /* VRFY */
+ US"252", /* VRFY */
+ US"0" /* unknown; not relevant */
};
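Review bot: the comment on the new acl_wherecodes entry, "US"0" /* unknown; not relevant */", does not match the new acl_wherenames entry it pairs with, "US"expansion""; write "/* expansion; not relevant */" so the two arrays read in step, since they are indexed by the same "where" value and a mismatched comment is how they silently get out of order when the next entry is added. Both arrays grow by one entry here, so the enumeration they are indexed by must gain the matching value in the same commit; that change is not in the visible hunks and is worth confirming before merge.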
BOOL active_local_from_check = FALSE;
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
+extern BOOL gnutls_enable_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
extern uschar *gnutls_require_mac; /* So some can be avoided */
extern uschar *gnutls_require_kx; /* So some can be avoided */
extern uschar *gnutls_require_proto; /* So some can be avoided */
extern BOOL accept_8bitmime; /* Allow *BITMIME incoming */
extern header_line *acl_added_headers; /* Headers added by an ACL */
extern tree_node *acl_anchor; /* Tree of named ACLs */
+ extern uschar *acl_arg[9]; /* Argument to ACL call */
+ extern int acl_narg; /* Number of arguments to ACL call */
extern uschar *acl_not_smtp; /* ACL run for non-SMTP messages */
#ifdef WITH_CONTENT_SCAN
extern uschar *acl_not_smtp_mime; /* For MIME parts of ditto */
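Review bot: the comment on "extern uschar *acl_arg[9];" says "Argument to ACL call" but the array holds up to nine of them; "Arguments to ACL call" matches the plural on the acl_narg line that follows. The literal 9 here duplicates the one in the globals.c definition, so the same named constant suggested for the definition should be used in this declaration.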