X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/4613203eae8d2dae9b877f724c52825850c105b7..c86c97065357b1cca9601246cec74aa364a635f5:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 464449d24..5b3436f74 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6602,7 +6602,7 @@ file that is searched could contain lines like this: When the lookup succeeds, the result of the expansion is a list of domains (and possibly other types of item that are allowed in domain lists). .cindex "tainted data" "de-tainting" -.cindex "de-tainting" "using a lookup expansion"" +.cindex "de-tainting" "using a lookup expansion" The result of the expansion is not tainted. .next @@ -16189,9 +16189,12 @@ case. That is why the default tries a DNS lookup first. .cindex "host" "rejecting connections from" If this option is set, incoming SMTP calls from the hosts listed are rejected as soon as the connection is made. -This option is obsolete, and retained only for backward compatibility, because +This option is mostly obsolete, retained for backward compatibility because nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming -connections immediately. +connections immediately +.new +(except for tls-on-connect connections). +.wen The ability to give an immediate rejection (either by this option or using an ACL) is provided for use in unusual cases. Many hosts will just try again, @@ -26088,7 +26091,7 @@ If both this option and &%tls_try_verify_hosts%& are unset operation is as if this option selected all hosts. &*Warning*&: Including a host in &%tls_verify_hosts%& does not require that connections use TLS. -Fallback to in-clear communication will be done unless restricted by +Fallback to in-clear communication will be done unless restricted by the &%hosts_require_tls%& option. .option utf8_downconvert smtp integer&!! -1 @@ -29778,7 +29781,7 @@ connection. The client for the connection proposes a set of protocol names, and the server responds with a selected one. It is not, as of 2021, commonly used for SMTP connections. -However, to guard against misirected or malicious use of web clients +However, to guard against misdirected or malicious use of web clients (which often do use ALPN) against MTA ports, Exim by default check that there is no incompatible ALPN specified by a client for a TLS connection. If there is, the connection is rejected. @@ -29788,7 +29791,7 @@ The behaviour of both client and server can be configured using the options &%tls_alpn%& and &%hosts_require_alpn%&. There are no variables providing observability. Some feature-specific logging may appear on denied connections, but this -depends on the behavious of the peer +depends on the behaviour of the peer (not all peers can send a feature-specific TLS Alert). This feature is available when Exim is built with @@ -42222,7 +42225,7 @@ the DATA acl. .subsection ACL SSECDMARCACL .cindex DMARC "ACL condition" -DMARC checks cam be run on incoming SMTP messages by using the +DMARC checks can be run on incoming SMTP messages by using the &"dmarc_status"& ACL condition in the DATA ACL. You are required to call the &"spf"& condition first in the ACLs, then the &"dmarc_status"& condition. Putting this condition in the ACLs is required in order