X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/df586a7720a17ac8221c9dfcf915d8185a25b282..ea98874e2a6a5aee2d512f3246f7d3c19c2ec63d:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 1309299e8..00f0dac02 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1756,7 +1756,7 @@ headers are in an unusual location you will need to either set the PCRE2_LIBS and INCLUDE directives appropriately, or set PCRE2_CONFIG=yes to use the installed &(pcre-config)& command. If your operating system has no -PCRE2 support then you will need to obtain and build the current PCRE +PCRE2 support then you will need to obtain and build the current PCRE2 from &url(https://github.com/PhilipHazel/pcre2/releases). More information on PCRE2 is available at &url(https://www.pcre.org/). @@ -6813,7 +6813,7 @@ The &'single-key'& type requires the specification of a file in which to look, and a single key to search for. The key must be a non-empty string for the lookup to succeed. The lookup type determines how the file is searched. .cindex "tainted data" "single-key lookups" -The file string may not be tainted +The file string may not be tainted. .cindex "tainted data" "de-tainting" All single-key lookups support the option &"ret=key"&. @@ -10575,7 +10575,7 @@ sending the request. Values are &"yes"& (the default) or &"no"& &*tls*& Controls the use of TLS on the connection. Values are &"yes"& or &"no"& (the default). -If it is enabled, a shutdown as descripbed above is never done. +If it is enabled, a shutdown as described above is never done. .endlist 
@@ -12098,8 +12098,9 @@ matched using &%match_ip%&. .cindex "&%pam%& expansion condition" &'Pluggable Authentication Modules'& (&url(https://mirrors.edge.kernel.org/pub/linux/libs/pam/)) are a facility that is -available in the latest releases of Solaris and in some GNU/Linux -distributions. The Exim support, which is intended for use in conjunction with +available in Solaris +and in some GNU/Linux distributions. +The Exim support, which is intended for use in conjunction with the SMTP AUTH command, is available only if Exim is compiled with .code SUPPORT_PAM=yes @@ -15873,8 +15874,8 @@ described in section &<>&. .cindex "ESMTP extensions" DSN DSN extensions (RFC3461) will be advertised in the EHLO message to, and accepted from, these hosts. -Hosts may use the NOTIFY and ENVID options on RCPT TO commands, -and RET and ORCPT options on MAIL FROM commands. +Hosts may use the NOTIFY and ORCPT options on RCPT TO commands, +and RET and ENVID options on MAIL FROM commands. A NOTIFY=SUCCESS option requests success-DSN messages. A NOTIFY= option with no argument requests that no delay or failure DSNs are sent. @@ -18429,12 +18430,7 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -This option is ignored for GnuTLS version 3.6.0 and later. -The library manages parameter negotiation internally. - -&*Note: The Exim Maintainers strongly recommend, -for other TLS library versions, -using a filename with site-generated +&*Note: The Exim Maintainers strongly recommend using a filename with site-generated local DH parameters*&, which has been supported across all versions of Exim. The other specific constants available are a fallback so that even when "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS. 
@@ -18485,8 +18481,17 @@ of the later IKE values, which led into RFC7919 providing new fixed constants (the "ffdhe" identifiers). At this point, all of the "ike" values should be considered obsolete; -they're still in Exim to avoid breaking unusual configurations, but are +they are still in Exim to avoid breaking unusual configurations, but are candidates for removal the next time we have backwards-incompatible changes. +.new +Two of them in particular (&`ike1`& and &`ike22`&) are called out by RFC 8247 +as MUST NOT use for IPSEC, and two more (&`ike23`& and &`ike24`&) as +SHOULD NOT. +Because of this, Exim regards them as deprecated; if either of the first pair +are used, warnings will be logged in the paniclog, and if any are used then +warnings will be logged in the mainlog. +All four will be removed in a future Exim release. +.wen The TLS protocol does not negotiate an acceptable size for this; clients tend to hard-drop connections if what is offered by the server is unacceptable, @@ -18659,7 +18664,8 @@ either &%tls_verify_hosts%& or &%tls_try_verify_hosts%& is set and Any client that matches &%tls_verify_hosts%& is constrained by &%tls_verify_certificates%&. When the client initiates a TLS session, it must present one of the listed certificates. If it does not, the connection is -aborted. &*Warning*&: Including a host in &%tls_verify_hosts%& does not require +aborted. +&*Warning*&: Including a host in &%tls_verify_hosts%& does not require the host to use TLS. It can still send SMTP commands through unencrypted connections. Forcing a client to use TLS has to be done separately using an ACL to reject inappropriate commands when the connection is not encrypted. 
@@ -26114,6 +26120,10 @@ certificate verification must succeed. The &%tls_verify_certificates%& option must also be set. If both this option and &%tls_try_verify_hosts%& are unset operation is as if this option selected all hosts. +&*Warning*&: Including a host in &%tls_verify_hosts%& does not require +that connections use TLS. +Fallback to in-clear communication will be done unless restricted by +the &%hosts_require_tls%& option. .option utf8_downconvert smtp integer&!! -1 .cindex utf8 "address downconversion" @@ -39827,7 +39837,8 @@ For example, to dump the retry database: .code exim_dumpdb /var/spool/exim retry .endd -Two lines of output are produced for each entry: +For the retry database +two lines of output are produced for each entry: .code T:mail.ref.example:192.168.242.242 146 77 Connection refused 31-Oct-1995 12:00:12 02-Nov-1995 12:21:39 02-Nov-1995 20:21:39 *
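Review bot: The swap in the @@ -15873 hunk is the right correction: RFC 3461 defines RET (section 4.3) and ENVID (section 4.4) as parameters of the MAIL command, and NOTIFY (section 4.1) and ORCPT (section 4.2) as parameters of the RCPT command, so the previous text had the pairs crossed. Consider adding those section numbers beside the RFC3461 reference so a reader checking the claim can go straight to them.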
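Review bot: The @@ -18429 hunk removes the statement that this option is ignored for GnuTLS 3.6.0 and later (with the library negotiating parameters internally) and the "for other TLS library versions" qualifier, but nothing in the hunk says whether Exim's behaviour under recent GnuTLS actually changed. If tls_dhparam is now honoured there, that is a user-visible change and should be stated in this paragraph (and recorded in the ChangeLog/NewStuff files); if the option is still ignored under GnuTLS, the removed sentences should stay, because an operator who follows the Note and sets site-generated DH parameters would otherwise believe they are in effect when they are not.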
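Review bot: In the new .new/.wen paragraph of the @@ -18485 hunk, "if either of the first pair are used" should read "is used", and the two logging sentences would be clearer merged so the escalation is explicit: any of the four logs a warning to the mainlog, and ike1 or ike22 additionally logs to the paniclog. It would also help to say that the RFC 8247 MUST NOT / SHOULD NOT classifications are about IKE's use of these groups and that Exim is applying the same judgement to TLS, which the text implies but does not state. Since RFC 8247 puts the plain 1024-bit MODP group in the same SHOULD NOT class as groups 23 and 24, check whether the corresponding ike2 constant, if it is still among the accepted values, ought to be listed alongside ike23 and ike24.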
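Review bot: The warning added in the @@ -26114 hunk is the security point of this patch, but "Fallback to in-clear communication will be done" does not say when: state the circumstances (the remote host not offering STARTTLS, or the TLS negotiation failing) so an operator understands that a certificate-verification policy on its own says nothing about whether a session is encrypted at all. The sentence mirrors the server-side warning in the @@ -18659 hunk, which is good; consider using the same phrasing ("does not require the host to use TLS") in both so the two tls_verify_hosts options read as a matched pair, each pointing at its own enforcement mechanism (an ACL on the server side, hosts_require_tls on the transport side).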
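Review bot: In the @@ -39827 hunk, "For the retry database two lines of output are produced for each entry" needs a comma after "database"; the line break in the source does not survive rendering, so it reads as one run-on sentence.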