X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/012dd02e8436a8451afc4a8f69e128e257566c80..86ede124f0ce622b4f73e05504abc11fece021e3:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 273348ac8..6cfe0bf63 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16459,6 +16459,8 @@ and from which pipeline early-connection (before MAIL) SMTP commands are acceptable. When used, the pipelining saves on roundtrip times. +See also the &%hosts_pipe_connect%& smtp transport option. + Currently the option name &"X_PIPE_CONNECT"& is used. .wen @@ -17736,7 +17738,14 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -&*Note: The Exim Maintainers strongly recommend using a filename with site-generated +.new +This option is ignored for GnuTLS version 3.6.0 and later. +The library manages parameter negotiation internally. +.wen + +&*Note: The Exim Maintainers strongly recommend, +for other TLS library versions, +using a filename with site-generated local DH parameters*&, which has been supported across all versions of Exim. The other specific constants available are a fallback so that even when "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS. @@ -17841,12 +17850,20 @@ The ordering of the two lists must match. .new The file(s) should be in DER format, -except for GnuTLS 3.6.3 or later when an optional filetype prefix -can be used. The prefix must be one of "DER" or "PEM", followed by +except for GnuTLS 3.6.3 or later +or for OpenSSL, +when an optional filetype prefix can be used. +The prefix must be one of "DER" or "PEM", followed by a single space. If one is used it sets the format for subsequent files in the list; the initial format is DER. -When a PEM format file is used it may contain multiple proofs, -for multiple certificate chain element proofs under TLS1.3. +If multiple proofs are wanted, for multiple chain elements +(this only works under TLS1.3) +they must be coded as a combined OCSP response. + +Although GnuTLS will accept PEM files with multiple separate +PEM blobs (ie. separate OCSP responses), it sends them in the +TLS Certificate record interleaved with the certificates of the chain; +although a GnuTLS client is happy with that, an OpenSSL client is not. .wen .option tls_on_connect_ports main "string list" unset @@ -24733,6 +24750,8 @@ When used, the pipelining saves on roundtrip times. It also turns SMTP into a client-first protocol so combines well with TCP Fast Open. +See also the &%pipelining_connect_advertise_hosts%& main option. + Note: When the facility is used, the transport &%helo_data%& option will be expanded before the &$sending_ip_address$& variable @@ -41032,7 +41051,9 @@ Events have names which correspond to the point in process at which they fire. The name is placed in the variable &$event_name$& and the event action expansion must check this, as it will be called for every possible event type. +.new The current list of events is: +.wen .display &`dane:fail after transport `& per connection &`msg:complete after main `& per message @@ -41046,6 +41067,7 @@ The current list of events is: &`tcp:close after transport `& per connection &`tls:cert before both `& per certificate in verification chain &`smtp:connect after transport `& per connection +&`smtp:ehlo after transport `& per connection .endd New event types may be added in future. @@ -41072,6 +41094,7 @@ with the event type: &`msg:host:defer `& error string &`tls:cert `& verification chain depth &`smtp:connect `& smtp banner +&`smtp:ehlo `& smtp ehlo response .endd The :defer events populate one extra variable: &$event_defer_errno$&.