git://git.exim.org
/
exim.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Auths: in plaintext authenticator, fix parsing of consecutive circuflex. Bug 2687
[exim.git]
/
doc
/
doc-docbook
/
spec.xfpt
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index 302a62312ecc2f10d03d17ddb41109bf51f7229a..15b03eabbe43909ca04e7feb8dc99b6164ce7b05 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-3885,7
+3885,9
@@
id, and the remaining ones must be email addresses. However, if the message is
active (in the middle of a delivery attempt), it is not altered. This option
can be used only by an admin user.
active (in the middle of a delivery attempt), it is not altered. This option
can be used only by an admin user.
-.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&~<&'sequence&~number'&>&&&
+.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&&&
+ &~<&'host&~IP'&>&&&
+ &~<&'sequence&~number'&>&&&
&~<&'message&~id'&>"
.oindex "&%-MC%&"
.cindex "SMTP" "passed connection"
&~<&'message&~id'&>"
.oindex "&%-MC%&"
.cindex "SMTP" "passed connection"
@@
-27822,7
+27824,14
@@
fixed_plain:
client_send = ^username^mysecret
.endd
The lack of colons means that the entire text is sent with the AUTH
client_send = ^username^mysecret
.endd
The lack of colons means that the entire text is sent with the AUTH
-command, with the circumflex characters converted to NULs. A similar example
+command, with the circumflex characters converted to NULs.
+.new
+Note that due to the ambiguity of parsing three consectutive circumflex characters
+there is no way to provide a password having a leading circumflex.
+.wen
+
+
+A similar example
that uses the LOGIN mechanism is:
.code
fixed_login:
that uses the LOGIN mechanism is:
.code
fixed_login:
@@
-28179,6
+28188,10
@@
supplied by the server.
.option server_channelbinding gsasl boolean false
Do not set this true and rely on the properties
without consulting a cryptographic engineer.
.option server_channelbinding gsasl boolean false
Do not set this true and rely on the properties
without consulting a cryptographic engineer.
+. Unsure what that's about. It might be the "Triple Handshake"
+. vulnerability; cf. https://www.mitls.org/pages/attacks/3SHAKE
+. If so, we're ok, requiring Extended Master Secret if TLS
+. Session Resumption was used.
Some authentication mechanisms are able to use external context at both ends
of the session to bind the authentication to that context, and fail the
Some authentication mechanisms are able to use external context at both ends
of the session to bind the authentication to that context, and fail the
@@
-38310,8
+38323,11
@@
parentheses afterwards.
When more than one address is included in a single delivery (for example, two
SMTP RCPT commands in one transaction) the second and subsequent addresses are
flagged with &`->`& instead of &`=>`&. When two or more messages are delivered
When more than one address is included in a single delivery (for example, two
SMTP RCPT commands in one transaction) the second and subsequent addresses are
flagged with &`->`& instead of &`=>`&. When two or more messages are delivered
-down a single SMTP connection, an asterisk follows the IP address in the log
-lines for the second and subsequent messages.
+down a single SMTP connection, an asterisk follows the
+.new
+remote IP address (and port if enabled)
+.wen
+in the log lines for the second and subsequent messages.
When two or more messages are delivered down a single TLS connection, the
DNS and some TLS-related information logged for the first message delivered
will not be present in the log lines for the second and subsequent messages.
When two or more messages are delivered down a single TLS connection, the
DNS and some TLS-related information logged for the first message delivered
will not be present in the log lines for the second and subsequent messages.