X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/be2b133acc9607bad24c7fe5a6cd06624701281a..a310a8d09c56e6049714ae4e4070c16ecb6aa2b1:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 4998d8054..c8f5a600b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3664,7 +3664,7 @@ in processing. .new .cindex debugging "UTF-8 in" .cindex UTF-8 "in debug output" -The &`noutf8`& selector disables the use of +The &`noutf8`& selector disables the use of UTF-8 line-drawing characters to group related information. When disabled. ascii-art is used instead. Using the &`+all`& option does not set this modifier, @@ -6733,6 +6733,12 @@ be followed by optional colons. &*Warning*&: Unlike most other single-key lookup types, a file of data for &((n)wildlsearch)& can &'not'& be turned into a DBM or cdb file, because those lookup types support only literal keys. + +.next +.cindex "lookup" "spf" +If Exim is built with SPF support, manual lookups can be done +(as opposed to the standard ACL condition method. +For details see section &<>&. .endlist ilist @@ -19611,7 +19617,7 @@ A list of hosts, whether obtained via &%route_data%& or &%route_list%&, is always separately expanded before use. If the expansion fails, the router declines. The result of the expansion must be a colon-separated list of names and/or IP addresses, optionally also including ports. -If the list is written with spaces, it must be protected with qoutes. +If the list is written with spaces, it must be protected with quotes. The format of each item in the list is described in the next section. The list separator can be changed as described in section &<>&. 
@@ -26484,7 +26490,7 @@ to be returned. If the result of a successful expansion is an empty string, expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&. For any other result, a temporary error code is returned, with the expanded -string as the error text +string as the error text. &*Warning*&: If you use a lookup in the expansion to find the user's password, be sure to make the authentication fail if the user is unknown. @@ -27309,20 +27315,25 @@ tls: driver = tls server_param1 = ${certextract {subj_altname,mail,>:} \ {$tls_in_peercert}} - server_condition = ${if forany {$auth1} \ + server_condition = ${if and { {eq{$tls_in_certificate_verified}{1}} \ + {forany {$auth1} \ {!= {0} \ {${lookup ldap{ldap:///\ mailname=${quote_ldap_dn:${lc:$item}},\ ou=users,LDAP_DC?mailid} {$value}{0} \ - } } } } + } } } }}} server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}} .endd This accepts a client certificate that is verifiable against any of your configured trust-anchors (which usually means the full set of public CAs) and which has a SAN with a good account name. -Note that the client cert is on the wire in-clear, including the SAN, -whereas a plaintext SMTP AUTH done inside TLS is not. + +Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN, +The account name is therefore guessable by an opponent. +TLS 1.3 protects both server and client certificates, and is not vulnerable +in this way. +Likewise, a traditional plaintext SMTP AUTH done inside TLS is not. . An alternative might use . .code
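Review bot: the hunk at @@ -3664 only strips trailing whitespace from "disables the use of", but the unchanged context two lines below carries a typo worth fixing in the same touch: "When disabled. ascii-art is used instead." has a full stop where a comma belongs, so it should read "When disabled, ascii-art is used instead."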
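Review bot: the parenthetical in the paragraph added at @@ -6733 is never closed: "(as opposed to the standard ACL condition method." should read "(as opposed to the standard ACL condition method)." so the sentence parses; the following "For details see section &<>&." then stands as its own sentence as intended.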
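Review bot: the `eq{$tls_in_certificate_verified}{1}` guard added to `server_condition` at @@ -27309 is the substantive change and the surrounding prose should say so: the old condition only ran the `forany` LDAP match over the SAN list, so any presented client certificate with a matching SAN satisfied it regardless of whether it chained to a trust anchor, and the unchanged sentence "This accepts a client certificate that is verifiable against any of your configured trust-anchors" was not enforced by the example itself; a short sentence noting that the condition now fails when the certificate is not verified would make the fix visible to readers. Brace balance of the new expression checks out (six closers on the last line match `${if`, `and {`, `forany`, `!=`, the lookup argument and `${lookup`). In the added paragraph, "including the SAN," ends with a comma where a full stop is needed before "The account name is therefore guessable by an opponent.", and "TLS1.2" and "TLS 1.3" should use consistent spacing.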