author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2021-04-03 09:29:13 +0200
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2021-06-24 21:43:16 +0200
commit 368ecb000c58995c5f61443d45d43942f1f431d0
tree f320354ecf2e0bba8736dd62ecb5be3b9b8cc2e4 /doc/doc-docbook
parent 16c884a4818594069253de460bf9926f69d50fe5
update doc
(cherry picked from commit 77cc1ad3058e4ef7ae82adb914ccff0be9fe2c8b)
Diffstat (limited to 'doc/doc-docbook')
-rw-r--r-- doc/doc-docbook/spec.xfpt 29
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c59468716..05d8e6ed1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -240,6 +240,14 @@
<see><emphasis>bounce message</emphasis></see>
</indexterm>
<indexterm role="concept">
+ <primary>de-tainting</primary>
+ <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>
+<indexterm role="concept">
+ <primary>detainting</primary>
+ <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>
+<indexterm role="concept">
<primary>dialup</primary>
<see><emphasis>intermittently connected hosts</emphasis></see>
</indexterm>
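Review bot: Both added index entries redirect to "tainting, de-tainting" via <see>, but nothing in this patch creates that target: the only index line added with the option is .cindex "de-tainting", which lands on the very entry declared here as a redirect. Unless the target already exists elsewhere in spec.xfpt, suggest changing the option's index line to the two-argument form .cindex "tainting" "de-tainting", so the redirect resolves and the "de-tainting" entry does not carry both a see-reference and a page reference.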
@@ -9606,6 +9614,8 @@ reasons,
and expansion of data deriving from the sender (&"tainted data"&)
.new
is not permitted (including acessing a file using a tainted name).
+The main config option &%allow_insecure_tainted_data%& can be used as
+mitigation during uprades to more secure configurations.
.wen
.new
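Review bot: "uprades" in the second added line should be "upgrades", and the sentence calls the option a mitigation without saying that it relaxes the restriction stated directly above it (expansion of tainted data, including accessing a file using a tainted name). Suggest wording such as "can be used as a temporary workaround during upgrades; it turns these errors into warnings", so the trade-off is visible at this point in the text. The unchanged context line also carries "acessing", which could be fixed in the same pass.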
@@ -14590,6 +14600,7 @@ listed in more than one group.
.section "Miscellaneous" "SECID96"
.table2
.row &%add_environment%& "environment variables"
+.row &%allow_insecure_tainted_data%& "turn taint errors into warnings"
.row &%bi_command%& "to run for &%-bi%& command line option"
.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
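Review bot: The summary text in the added .row for allow_insecure_tainted_data gives no hint that the option is deprecated, although the option's own description in this patch says so. Suggest something like "turn taint errors into warnings (deprecated)" so that a reader scanning this table does not take it for an ordinary setting.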
@@ -15201,6 +15212,18 @@ domains (defined in the named domain list &%local_domains%& in the default
configuration). This &"magic string"& matches the domain literal form of all
the local host's IP addresses.
+.new
+.option allow_insecure_tainted_data main boolean false
+.cindex "de-tainting"
+.oindex "allow_insecure_tainted_data"
+The handling of tainted data may break older (pre 4.94) configurations.
+Setting this option to "true" turns taint errors (which result in a temporary
+message rejection) into warnings. This option is meant as mitigation only
+and deprecated already today. Future releases of Exim may ignore it.
+The &%taint%& log selector can be used to suppress even the warnings.
+.wen
+
+
.option allow_mx_to_ip main boolean false
.cindex "MX record" "pointing to IP address"
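Review bot: The added option text never states what is given up when taint errors become warnings, and its last sentence presents the taint log selector as a way to silence those warnings, which leaves no log trace of tainted data being used. Suggest saying explicitly that with the option set, expansions using tainted data (including access to a file using a tainted name) go ahead, and recommending that the selector stays enabled while the option is in use so the remaining offending configuration lines can be found. On wording, "deprecated already today" reads better as "already deprecated" and "pre 4.94" as "pre-4.94".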
@@ -38750,6 +38773,7 @@ selection marked by asterisks:
&` smtp_protocol_error `& SMTP protocol errors
&` smtp_syntax_error `& SMTP syntax errors
&` subject `& contents of &'Subject:'& on <= lines
+&`*taint `& taint errors or warnings
&`*tls_certificate_verified `& certificate verification status
&`*tls_cipher `& TLS cipher suite on <= and => lines
&` tls_peerdn `& TLS peer DN on <= and => lines
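Review bot: The description on the added *taint line, "taint errors or warnings", does not match the selector's own entry later in this patch, which speaks only of warnings. Suggest settling on one wording in both places and making clear whether taint errors are logged regardless of the selector.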
@@ -39145,6 +39169,11 @@ using a CA trust anchor,
&`CV=dane`& if using a DNS trust anchor,
and &`CV=no`& if not.
.next
+.cindex "log" "Taint warnings"
+&%taint%&: Log warnings about tainted data. This selector can't be
+turned of if &%allow_insecure_tainted_data%& is false (which is the
+default).
+.next
.cindex "log" "TLS cipher"
.cindex "TLS" "logging cipher"
&%tls_cipher%&: When a message is sent or received over an encrypted
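Review bot: "turned of" in the second added line should be "turned off", and the text does not say what happens when a configuration disables the selector while allow_insecure_tainted_data is false (silently ignored, or a configuration error). Suggest documenting that behaviour here. The index entry would also sit better with its neighbours in lower case, as .cindex "log" "taint warnings".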