From 875512a36119423217802de1f79350e7fce1cd9b Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 7 Mar 2017 22:35:18 +0000 Subject: Delivery: contined-connection maintaining TLS --- doc/doc-docbook/spec.xfpt | 36 +++++++++++++++++++++++++++++++++++- doc/doc-txt/ChangeLog | 7 +++++++ doc/doc-txt/NewStuff | 6 ++++++ doc/doc-txt/OptionLists.txt | 1 + 4 files changed, 49 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9e1aa4e4b..ed8bdfd77 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3828,7 +3828,7 @@ This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option. It signifies that the remote host supports the ESMTP &_DSN_& extension. -.vitem &%-MCG%& +.vitem &%-MCG%&&~<&'queue&~name'&> .oindex "&%-MCG%&" This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option. It signifies that an @@ -3868,6 +3868,15 @@ This option is not intended for use by external callers. It is used internally by Exim in conjunction with the &%-MC%& option, and passes on the fact that the host to which Exim is connected supports TLS encryption. +.new +.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port&'&>&~ +.oindex "&%-MCt%&" +This option is not intended for use by external callers. It is used internally +by Exim in conjunction with the &%-MC%& option, and passes on the fact that the +connection is being proxied by a parent process for handling TLS encryption. +The pair of arguments give the local address and port being proxied. +.wen + .vitem &%-Mc%&&~<&'message&~id'&>&~<&'message&~id'&>&~... .oindex "&%-Mc%&" .cindex "hints database" "not overridden by &%-Mc%&" @@ -23935,6 +23944,25 @@ been started will not be passed to a new delivery process for sending another message on the same connection. See section &<>& for an explanation of when this might be needed. +.new +.option hosts_noproxy_tls smtp "host list&!!" * +.cindex "TLS" "passing connection" +.cindex "multiple SMTP deliveries" +.cindex "TLS" "multiple message deliveries" +For any host that matches this list, a TLS session which has +been started will not be passed to a new delivery process for sending another +message on the same session. + +The traditional implementation closes down TLS and re-starts it in the new +process, on the same open TCP connection, for each successive message +sent. If permitted by this option a pipe to to the new process is set up +instead, and the original process maintains the TLS connection and proxies +the SMTP connection from and to the new process and any subsequents. +The new process has no access to TLS information, so cannot include it in +logging. +.wen + + .option hosts_override smtp boolean false If this option is set and the &%hosts%& option is also set, any hosts that are @@ -35725,6 +35753,12 @@ SMTP RCPT commands in one transaction) the second and subsequent addresses are flagged with &`->`& instead of &`=>`&. When two or more messages are delivered down a single SMTP connection, an asterisk follows the IP address in the log lines for the second and subsequent messages. +.new +When two or more messages are delivered down a single TLS connection, the +TLS-related information logged for the first message delivered +(which may not be the earliest line in the log) +will not be present in the log lines for the second and subsequent messages. +.wen .cindex "delivery" "cutthrough; logging" .cindex "cutthrough" "logging" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 35947201c..8462107c7 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -19,6 +19,13 @@ PP/01 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly JH/02 Rework error string handling in DKIM to pass more info back to callers. This permits better logging. +JH/03 Rework the transport continued-connection mechanism: when TLS is active, + do not close it down and have the child transport start it up again on + the passed-on TCP connection. Instead, proxy the child (and any + subsequent ones) for TLS via a unix-domain socket channel. Logging is + affected: the continued delivery log lines do not have any DNSSEC, TLS + cipher, Certificate or OCSP information. + Exim version 4.89 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index efb8592cf..3594d1d6a 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -15,6 +15,12 @@ Version 4.90 2. The ${readsocket } expansion now takes an option to not shutdown the connection after sending the query string. The default remains to do so. + 3. An smtp transport option "hosts_noproxy_tls" to control whether multiple + deliveries on a single TCP connection can maintain a TLS connection + open. By default disabled for all hosts, doing so saves the cost of + making new TLS sessions, at the cost of having to proxy the data via + another process. Logging is also affected. + Version 4.89 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 696b5f3fa..b6439e6ed 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -293,6 +293,7 @@ hosts_connection_nolog host list unset main hosts_max_try integer 5 smtp 3.20 hosts_max_try_hardlimit integer 50 smtp 4.50 hosts_nopass_tls host list unset smtp 4.00 +hosts_noproxy_tls host list "*" smtp 4.90 hosts_override boolean false smtp 2.11 hosts_randomize boolean false manualroute 4.00 false smtp 3.14 -- cgit v1.2.3