git://git.exim.org
/
exim.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
0a3c9b0
)
Docs: add warning to transport tls_require_verify option
author
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 31 Oct 2021 13:28:31 +0000
(13:28 +0000)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 31 Oct 2021 13:28:31 +0000
(13:28 +0000)
doc/doc-docbook/spec.xfpt
patch
|
blob
|
history
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index 1309299e83affe62079889c48c85c110370b1a19..dcda2ff798f9d55334358050368dc5ec2f62d354 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-18659,7
+18659,8
@@
either &%tls_verify_hosts%& or &%tls_try_verify_hosts%& is set and
Any client that matches &%tls_verify_hosts%& is constrained by
&%tls_verify_certificates%&. When the client initiates a TLS session, it must
present one of the listed certificates. If it does not, the connection is
Any client that matches &%tls_verify_hosts%& is constrained by
&%tls_verify_certificates%&. When the client initiates a TLS session, it must
present one of the listed certificates. If it does not, the connection is
-aborted. &*Warning*&: Including a host in &%tls_verify_hosts%& does not require
+aborted.
+&*Warning*&: Including a host in &%tls_verify_hosts%& does not require
the host to use TLS. It can still send SMTP commands through unencrypted
connections. Forcing a client to use TLS has to be done separately using an
ACL to reject inappropriate commands when the connection is not encrypted.
the host to use TLS. It can still send SMTP commands through unencrypted
connections. Forcing a client to use TLS has to be done separately using an
ACL to reject inappropriate commands when the connection is not encrypted.
@@
-26114,6
+26115,10
@@
certificate verification must succeed.
The &%tls_verify_certificates%& option must also be set.
If both this option and &%tls_try_verify_hosts%& are unset
operation is as if this option selected all hosts.
The &%tls_verify_certificates%& option must also be set.
If both this option and &%tls_try_verify_hosts%& are unset
operation is as if this option selected all hosts.
+&*Warning*&: Including a host in &%tls_verify_hosts%& does not require
+that connections use TLS.
+Fallback to in-clear communication will be done unless restricted by
+the &%hosts_require_tls%& option.
.option utf8_downconvert smtp integer&!! -1
.cindex utf8 "address downconversion"
.option utf8_downconvert smtp integer&!! -1
.cindex utf8 "address downconversion"