the value is a file then the certificates are sent by Exim as a server to
connecting clients, defining the list of accepted certificate authorities.
Thus the values defined should be considered public data. To avoid this,
-use the explicit directory version.
+use the explicit directory version. (If your peer is Exim up to 4.85,
+using GnuTLS, you may need to send the CAs (thus using the file
+variant). Otherwise the peer doesn't send its certificate.)
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
It is made available
to child processes forked for handling received SMTP connections.
-This caching is currently only supported under Linux.
+This caching is currently only supported under Linux and FreeBSD.
If caching is not possible, for example if an item has to be dependent
on the peer host so contains a &$sender_host_name$& expansion, the load
The information specified by the main option &%tls_verify_certificates%&
is similarly cached so long as it specifies files explicitly
or (under GnuTLS) is the string &"system,cache"&.
-The latter case is not automatically invaludated;
+The latter case is not automatically invalidated;
it is the operator's responsibility to arrange for a daemon restart
any time the system certificate authority bundle is updated.
A HUP signal is sufficient for this.