&*Note*&: Under current versions of OpenSSL, when a list of more than one
file is used, the &$tls_in_ourcert$& veriable is unreliable.
-&*Note*&: OCSP stapling is not usable when a list of more than one file is used.
+&*Note*&: OCSP stapling is not usable under OpenSSL
+when a list of more than one file is used.
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
.cindex "TLS" "server certificate revocation list"
.cindex "certificate" "revocation list for server"
This option specifies a certificate revocation list. The expanded value must
-be the name of a file that contains a CRL in PEM format.
+be the name of a file that contains CRLs in PEM format.
+
+.new
+Under OpenSSL the option can specify a directory with CRL files.
+
+&*Note:*& Under OpenSSL the option must, if given, supply a CRL
+for each signing element of the certificate chain (i.e. all but the leaf).
+For the file variant this can be multiple PEM blocks in the one file.
+.wen
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
-&*Note*&: There is currently no support for multiple OCSP proofs to match the
-multiple certificates facility.
+.new
+For GnuTLS 3.5.6 or later the expanded value of this option can be a list
+of files, to match a list given for the &%tls_certificate%& option.
+The ordering of the two lists must match.
+.wen
.option tls_on_connect_ports main "string list" unset
during TLS session handshake, to permit alternative values to be chosen:
.ilist
-.vindex "&%tls_certificate%&"
&%tls_certificate%&
.next
-.vindex "&%tls_crl%&"
&%tls_crl%&
.next
-.vindex "&%tls_privatekey%&"
&%tls_privatekey%&
.next
-.vindex "&%tls_verify_certificates%&"
&%tls_verify_certificates%&
.next
-.vindex "&%tls_ocsp_file%&"
&%tls_ocsp_file%&
.endlist
.vitem &*queue*&&~=&~<&'text'&>
+.cindex "&%queue%& ACL modifier"
+.cindex "named queues" "selecting in ACL"
This modifier specifies the use of a named queue for spool files
for the message.
It can only be used before the message is received (i.e. not in
If the value of &%av_scanner%& starts with a dollar character, it is expanded
before use.
The usual list-parsing of the content (see &<<SECTlistconstruct>>&) applies.
-The following scanner types are supported in this release:
+The following scanner types are supported in this release,
+.new
+though individual ones can be included or not at build time:
+.wen
.vlist
.vitem &%avast%&
to be scanned, which will should normally result in less I/O happening and be
more efficient. Normally in the TCP case, the data is streamed to ClamAV as
Exim does not assume that there is a common filesystem with the remote host.
-There is an option WITH_OLD_CLAMAV_STREAM in &_src/EDITME_& available, should
-you be running a version of ClamAV prior to 0.95.
The final example shows that multiple TCP targets can be specified. Exim will
randomly use one for each incoming email (i.e. it load balances them). Note