From 77cc1ad3058e4ef7ae82adb914ccff0be9fe2c8b Mon Sep 17 00:00:00 2001
From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
Date: Sat, 3 Apr 2021 09:29:13 +0200
Subject: [PATCH 18/23] update doc

---
 doc/doc-docbook/spec.xfpt | 45 ++++++++++++++++++++++++++++++++++++++-
 doc/NewStuff      | 45 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletion(-)

--- a/doc/NewStuff
+++ b/doc/NewStuff
@@ -4,10 +4,55 @@
 This file contains descriptions of new features that have been added to Exim.
 Before a formal release, there may be quite a lot of detail so that people can
 test from the snapshots or the Git before the documentation is updated. Once
 the documentation is updated, this file is reduced to a short list.
 
+Version 4.95
+------------
+
+ 1. The fast-ramp two phase queue run support, previously experimental, is
+    now supported by default.
+
+ 2. The native SRS support, previously experimental, is now supported. It is
+    not built unless specified in the Local/Makefile.
+
+ 3. TLS resumption support, previously experimental, is now supported and
+    included in default builds.
+
+ 4. Single-key LMDB lookups, previously experimental, are now supported.
+    The support is not built unless specified in the Local/Makefile.
+
+ 5. Option "message_linelength_limit" on the smtp transport to enforce (by
+    default) the RFC 998 character limit.
+
+ 6. An option to ignore the cache on a lookup.
+
+ 7. Quota checking during reception (i.e. at SMTP time) for appendfile-
+    transport-managed quotas.
+
+ 8. Sqlite lookups accept a "file=<path>" option to specify a per-operation
+    db file, replacing the previous prefix to the SQL string (which had
+    issues when the SQL used tainted values).
+
+ 9. Lsearch lookups accept a "ret=full" option, to return both the portion
+    of the line matching the key, and the remainder.
+
+10. A command-line option to have a daemon not create a notifier socket.
+
+11. Faster TLS startup.  When various configuration options contain no
+    expandable elements, the information can be preloaded and cached rather
+    than the provious behaviour of always loading at startup time for every
+    connection.  This helps particularly for the CA bundle.
+
+12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout"
+    main config option.
+
+13. Option "smtp_accept_msx_per_connection" is now expanded.
+
+13. A main config option "allow_insecure_tainted_data" allows to turn
+    taint errors into warnings.
+
 Version 4.94
 ------------
 
  1. EXPERIMENTAL_SRS_NATIVE optional build feature.  See the experimental.spec
     file.
--- a/doc/spec.txt
+++ b/doc/spec.txt
@@ -8650,12 +8650,20 @@
 Whether a string is expanded depends upon the context. Usually this is solely
 dependent upon the option for which a value is sought; in this documentation,
 options for which string expansion is performed are marked with * after the
 data type. ACL rules always expand strings. A couple of expansion conditions do
 not expand some of the brace-delimited branches, for security reasons, and
-expansion of data deriving from the sender ("tainted data") is not permitted.
-
+expansion of data deriving from the sender ("tainted data") is not permitted
+(including acessing a file using a tainted name).  The main config
+option allow_insecure_tainted_data can be used as mitigation during
+uprades to more secure configurations.
+
+Common ways of obtaining untainted equivalents of variables with tainted
+values come down to using the tainted value as a lookup key in a trusted
+database.  This database could be the filesystem structure, or the
+password file, or accessed via a DBMS.  Specific methods are indexed
+under "de-tainting".
 
 11.1 Literal text in expanded strings
 -------------------------------------
 
 An uninterpreted dollar can be included in an expanded string by putting a
@@ -12946,10 +12954,12 @@
 
 
 14.1 Miscellaneous
 ------------------
 
+add_environment       environment variables
+allow_insecure_tainted_data   turn taint errors into warnings
 bi_command            to run for -bi command line option
 debug_store           do extra internal checks
 disable_ipv6          do no IPv6 processing
 keep_malformed        for broken files - should not happen
 localhost_number      for unique message ids in clusters
@@ -13553,10 +13563,20 @@
 true, and also to add "@[]" to the list of local domains (defined in the named
 domain list local_domains in the default configuration). This "magic string"
 matches the domain literal form of all the local host's IP addresses.
 
 +-----------------------------------------------------+
+|allow_insecure_tainted_data main boolean false       |
++-----------------------------------------------------+
+
+The handling of tainted data may break older (pre 4.94) configurations.
+Setting this option to "true" turns taint errors (which result in a temporary
+message rejection) into warnings. This option is meant as mitigation only
+and deprecated already today. Future releases of Exim may ignore it.
+The taint log selector can be used to suppress even the warnings.
+
++-----------------------------------------------------+
 |allow_mx_to_ip|Use: main|Type: boolean|Default: false|
 +-----------------------------------------------------+
 
 It appears that more and more DNS zone administrators are breaking the rules
 and putting domain names that look like IP addresses on the right hand side of
@@ -35316,10 +35336,11 @@
  smtp_mailauth                AUTH argument to MAIL commands
  smtp_no_mail                 session with no MAIL commands
  smtp_protocol_error          SMTP protocol errors
  smtp_syntax_error            SMTP syntax errors
  subject                      contents of Subject: on <= lines
+*taint                        taint errors or warnings
 *tls_certificate_verified     certificate verification status
 *tls_cipher                   TLS cipher suite on <= and => lines
  tls_peerdn                   TLS peer DN on <= and => lines
  tls_sni                      TLS SNI on <= lines
  unknown_in_list              DNS lookup failed in list match
@@ -35604,11 +35625,13 @@
 
   * tls_certificate_verified: An extra item is added to <= and => log lines
     when TLS is in use. The item is "CV=yes" if the peer's certificate was
     verified using a CA trust anchor, "CA=dane" if using a DNS trust anchor,
     and "CV=no" if not.
-
+  * taint: Log warnings about tainted data. This selector can't be
+    turned of if allow_insecure_tainted_data is false (which is the
+    default).
   * tls_cipher: When a message is sent or received over an encrypted
     connection, the cipher suite used is added to the log line, preceded by X=.
 
   * tls_peerdn: When a message is sent or received over an encrypted
     connection, and a certificate is supplied by the remote host, the peer DN