X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/405074adb94eb8402e9ffd0abe7da4f7c8c827bc..ad93c40fe70f7de49ffb8601a589e9ffa117d512:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9722c0063..6353e29fb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23941,6 +23941,24 @@ For testing purposes, this value can be overridden by the &%-oB%& command line option. +.new +.option dane_require_tls_ciphers smtp string&!! unset +.cindex "TLS" "requiring specific ciphers for DANE" +.cindex "cipher" "requiring specific" +.cindex DANE "TLS ciphers" +This option may be used to override &%tls_require_ciphers%& for connections +where DANE has been determined to be in effect. +If not set, then &%tls_require_ciphers%& will be used. +Normal SMTP delivery is not able to make strong demands of TLS cipher +configuration, because delivery will fall back to plaintext. Once DANE has +been determined to be in effect, there is no plaintext fallback and making the +TLS cipherlist configuration stronger will increase security, rather than +counter-intuitively decreasing it. +If the option expands to be empty or is forced to fail, then it will +be treated as unset and &%tls_require_ciphers%& will be used instead. +.wen + + .option data_timeout smtp time 5m This sets a timeout for the transmission of each block in the data portion of the message. As a result, the overall timeout for a message depends on the size 
@@ -31877,7 +31895,12 @@ $ socat UNIX:/var/run/avast/scan.sock STDIO: PACK .endd -Only the first virus detected will be reported. +A paniclog entry is logged and the message is deferred (except the +malware condition uses "defer_ok") if the scanner returns a tmpfail +(e.g. on license issues, or permission problems). If the scanner can't +scan a file for internal reasons (e.g. decompression bomb), this is +treated as an infection and malware_name is set to the error message. +We do this err on the safe side. .vitem &%aveserver%&
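Review bot: In the first hunk (@@ -23941, dane_require_tls_ciphers), the last added sentence makes the option fail open. An empty expansion or a forced failure silently falls back to &%tls_require_ciphers%&, the list the same paragraph says cannot make strong demands. The text should say whether that fallback is logged, so that an expansion mistake does not quietly leave DANE connections on the weaker list. The fallback is also stated twice ("If not set, then ..." and "treated as unset and ... will be used instead"); one sentence covering unset, empty and forced-fail would be clearer. Because the option is declared for the smtp transport, it would also help to say which &%tls_require_ciphers%& setting is being overridden.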
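Review bot: In the second hunk (@@ -31877, the avast scanner text), the added paragraph has two wording errors: "except the malware condition uses" should read "unless the malware condition uses", and "We do this err on the safe side" is missing "to". The bare "malware_name" should carry markup, as the option names elsewhere in this patch do with &%...%&. Since an unscannable file is treated as an infection with malware_name set to the error message, the paragraph should state that the value is then an error string rather than a virus name, which matters to anyone matching on it. The hunk also removes "Only the first virus detected will be reported." without saying whether that is still true; if it is, keep the sentence alongside the new text.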