X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/3721c5545411010ffbea82fc58b883664d07e865..3249f1b7dc4893c2b896db3813bc6222d2dc9bef:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 48cb0155e..f247e9ab8 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17116,7 +17116,8 @@ separator in the usual way to avoid confusion under IPv6. &*Note*&: Under current versions of OpenSSL, when a list of more than one file is used, the &$tls_in_ourcert$& veriable is unreliable. -&*Note*&: OCSP stapling is not usable when a list of more than one file is used. +&*Note*&: OCSP stapling is not usable under OpenSSL +when a list of more than one file is used. If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the @@ -17130,7 +17131,15 @@ generated for every connection. .cindex "TLS" "server certificate revocation list" .cindex "certificate" "revocation list for server" This option specifies a certificate revocation list. The expanded value must -be the name of a file that contains a CRL in PEM format. +be the name of a file that contains CRLs in PEM format. + +.new +Under OpenSSL the option can specify a directory with CRL files. + +&*Note:*& Under OpenSSL the option must, if given, supply a CRL +for each signing element of the certificate chain (i.e. all but the leaf). +For the file variant this can be multiple PEM blocks in the one file. +.wen See &<>& for discussion of when this option might be re-expanded. 
@@ -17257,8 +17266,11 @@ Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). -&*Note*&: There is currently no support for multiple OCSP proofs to match the -multiple certificates facility. +.new +For GnuTLS 3.5.6 or later the expanded value of this option can be a list +of files, to match a list given for the &%tls_certificate%& option. +The ordering of the two lists must match. +.wen .option tls_on_connect_ports main "string list" unset @@ -27725,19 +27737,14 @@ option (prior to expansion) then the following options will be re-expanded during TLS session handshake, to permit alternative values to be chosen: .ilist -.vindex "&%tls_certificate%&" &%tls_certificate%& .next -.vindex "&%tls_crl%&" &%tls_crl%& .next -.vindex "&%tls_privatekey%&" &%tls_privatekey%& .next -.vindex "&%tls_verify_certificates%&" &%tls_verify_certificates%& .next -.vindex "&%tls_ocsp_file%&" &%tls_ocsp_file%& .endlist @@ -28986,6 +28993,8 @@ effect. .vitem &*queue*&&~=&~<&'text'&> +.cindex "&%queue%& ACL modifier" +.cindex "named queues" "selecting in ACL" This modifier specifies the use of a named queue for spool files for the message. It can only be used before the message is received (i.e. not in @@ -31527,7 +31536,10 @@ av_scanner = sophie:/var/run/sophie If the value of &%av_scanner%& starts with a dollar character, it is expanded before use. The usual list-parsing of the content (see &<>&) applies. -The following scanner types are supported in this release: +The following scanner types are supported in this release, +.new +though individual ones can be included or not at build time: +.wen .vlist .vitem &%avast%& 
@@ -31615,8 +31627,6 @@ option, then the ClamAV interface will pass a filename containing the data to be scanned, which will should normally result in less I/O happening and be more efficient. Normally in the TCP case, the data is streamed to ClamAV as Exim does not assume that there is a common filesystem with the remote host. -There is an option WITH_OLD_CLAMAV_STREAM in &_src/EDITME_& available, should -you be running a version of ClamAV prior to 0.95. The final example shows that multiple TCP targets can be specified. Exim will randomly use one for each incoming email (i.e. it load balances them). Note
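Review bot: In the @@ -17116 hunk the reworded OCSP stapling note is not wrapped in .new/.wen, while the other text added by this patch (under tls_crl, tls_ocsp_file and av_scanner) is. Mark it the same way so the change shows up as new in this release's documentation. The unchanged line just above it still reads "veriable" and could be corrected to "variable" in the same edit.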
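Review bot: The new tls_crl note in the @@ -17130 hunk says a CRL must be supplied "for each signing element of the certificate chain" under OpenSSL but does not say what happens when one is missing. State the outcome (for example, whether verification of the peer certificate fails) so that an operator who supplies only one CRL knows what to expect. The directory variant likewise needs a sentence on what file naming or format is expected in that directory. The emphasis is written "&*Note:*&" here and "&*Note*&:" in the other notes visible in this patch; use one form.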
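Review bot: In the @@ -17257 hunk, "The ordering of the two lists must match" leaves the mismatch cases undefined. Say what happens when the tls_ocsp_file list is shorter or longer than the tls_certificate list, and whether an entry can be left empty for a certificate that has no proof. The context line above lists OpenSSL 1.1.0 as usable for this option, and the first hunk says stapling is not usable under OpenSSL with a list of certificate files, so add a sentence or cross-reference here making clear that the list form applies to GnuTLS only.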
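Review bot: The @@ -27725 hunk deletes the .vindex entries for all five options in the SNI re-expansion list without adding anything in their place, so this section drops out of the index for those names. If the reason is that these are options rather than variables, replace each entry with the option-index form instead of removing it, and give the reason in the commit message.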
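Review bot: In the @@ -31527 hunk the added clause "though individual ones can be included or not at build time" does not say where the selection is made or which scanner types are built by default. Point to the build-time configuration (the context of the next hunk refers to &_src/EDITME_&) and say what Exim does when av_scanner names a type that was not compiled in. The .new/.wen pair also starts in mid-sentence, after the comma; wrapping the whole sentence would be cleaner.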
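Review bot: The @@ -31615 hunk removes the only mention of WITH_OLD_CLAMAV_STREAM, but this diff touches only spec.xfpt. Confirm that the build option itself is removed from &_src/EDITME_& and the source in the same series, otherwise it remains available but undocumented. The unchanged context line above still reads "which will should normally result" and could be fixed in the same edit.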