X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/42bfef1e908fe60f8a7a86e66616b51702f1c0fb..237b2cf2b5bd2539026ce0038d084595589559dd:/doc/doc-docbook/spec.xfpt?ds=sidebyside

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ae6e33efe..a35fbc7d2 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -179,12 +179,7 @@
 <author><firstname>Exim</firstname><surname>Maintainers</surname></author>
 <authorinitials>EM</authorinitials>
 <revhistory><revision>
-  <revnumber>
-.version
-  </revnumber>
-  <date>
-.fulldate
-  </date>
+.versiondatexml
   <authorinitials>EM</authorinitials>
 </revision></revhistory>
 <copyright><year>
@@ -10882,6 +10877,16 @@ the value of &$authenticated_id$& is normally the login name of the calling
 process. However, a trusted user can override this by means of the &%-oMai%&
 command line option.
 
+.vitem &$authenticated_fail_id$&
+.cindex "authentication" "fail" "id"
+.vindex "&$authenticated_fail_id$&"
+When an authentication attempt fails, the variable &$authenticated_fail_id$&
+will contain the failed authentication id. If more than one authentication
+id is attempted, it will contain only the last one. The variable is
+available for processing in the ACL's, generally the quit or notquit ACL.
+A message to a local recipient could still be accepted without requiring
+authentication, which means this variable could also be visible in all of
+the ACL's as well.
 
 
 
@@ -16031,6 +16036,21 @@ The available primes are:
 Some of these will be too small to be accepted by clients.
 Some may be too large to be accepted by clients.
 
+The TLS protocol does not negotiate an acceptable size for this; clients tend
+to hard-drop connections if what is offered by the server is unacceptable,
+whether too large or too small, and there's no provision for the client to
+tell the server what these constraints are.  Thus, as a server operator, you
+need to make an educated guess as to what is most likely to work for your
+userbase.
+
+Some known size constraints suggest that a bit-size in the range 2048 to 2236
+is most likely to maximise interoperability.  The upper bound comes from
+applications using the Mozilla Network Security Services (NSS) library, which
+used to set its &`DH_MAX_P_BITS`& upper-bound to 2236.  This affects many
+mail user agents (MUAs). The lower bound comes from Debian installs of Exim4
+prior to the 4.80 release, as Debian used to patch Exim to raise the minimum
+acceptable bound from 1024 to 2048.
+
 
 .option tls_on_connect_ports main "string list" unset
 This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
@@ -24533,7 +24553,8 @@ to be returned. If the result of a successful expansion is an empty string,
 expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the
 generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&.
 For any other result, a temporary error code is returned, with the expanded
-string as the error text.
+string as the error text, and the failed id saved in
+&$authenticated_fail_id$&.
 
 &*Warning*&: If you use a lookup in the expansion to find the user's
 password, be sure to make the authentication fail if the user is unknown.
@@ -25686,7 +25707,7 @@ tls_dhparam = none
 This may also be set to a string identifying a standard prime to be used for
 DH; if it is set to &`default`& or, for OpenSSL, is unset, then the prime
 used is &`ike23`&.  There are a few standard primes available, see the
-documetnation for &%tls_dhparam%& for the complete list.
+documentation for &%tls_dhparam%& for the complete list.
 
 See the command
 .code
@@ -34435,14 +34456,14 @@ options are available:
 
 .vlist
 .vitem &*-f*&&~<&'regex'&>
-Match the sender address. The field that is tested is enclosed in angle
-brackets, so you can test for bounce messages with
+Match the sender address using a case-insensitive search. The field that is
+tested is enclosed in angle brackets, so you can test for bounce messages with
 .code
 exiqgrep -f '^<>$'
 .endd
 .vitem &*-r*&&~<&'regex'&>
-Match a recipient address. The field that is tested is not enclosed in angle
-brackets.
+Match a recipient address using a case-insensitve search. The field that is
+tested is not enclosed in angle brackets.
 
 .vitem &*-s*&&~<&'regex'&>
 Match against the size field.
@@ -36387,7 +36408,7 @@ integer size comparisons against this value.
 A colon-separated list of names of headers included in the signature.
 .vitem &%$dkim_key_testing%&
 "1" if the key record has the "testing" flag set, "0" if not.
-.vitem &%$nosubdomains%&
+.vitem &%$dkim_key_nosubdomains%&
 "1" if the key record forbids subdomaining, "0" otherwise.
 .vitem &%$dkim_key_srvtype%&
 Service type (tag s=) from the key record. Defaults to "*" if not specified
