X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/4c7f095f4f32a2259017fa5acab6b1278af9e702..811622b672d4a4cf3d71fbd66810a66adf76826e:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 31c8c5653..7f9f42630 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -18489,7 +18489,9 @@ than the public cert of individual clients. With both OpenSSL and GnuTLS, if the value is a file then the certificates are sent by Exim as a server to connecting clients, defining the list of accepted certificate authorities. Thus the values defined should be considered public data. To avoid this, -use the explicit directory version. +use the explicit directory version. (If your peer is Exim up to 4.85, +using GnuTLS, you may need to send the CAs (thus using the file +variant). Otherwise the peer doesn't send its certificate.) See &<>& for discussion of when this option might be re-expanded. @@ -18808,7 +18810,10 @@ address (with affixes removed if relevant) is the name of an account on the local system. The check is done by calling the &[getpwnam()]& function rather than trying to read &_/etc/passwd_& directly. This means that other methods of holding password data (such as NIS) are supported. If the local part is a local -user, &$home$& is set from the password data, and can be tested in other +user, +.cindex "tainted data" "de-tainting" +&$local_part_data$& is set to an untainted version of the local part and +&$home$& is set from the password data. The latter can be tested in other preconditions that are evaluated after this one (the order of evaluation is given in section &<>&). However, the value of &$home$& can be overridden by &%router_home_directory%&. If the local part is not a local user, @@ -25043,12 +25048,14 @@ authenticated as a client. .option command_timeout smtp time 5m +.cindex timeout "smtp transport command" This sets a timeout for receiving a response to an SMTP command that has been sent out. It is also used when waiting for the initial banner line from the remote host. Its value must not be zero. .option connect_timeout smtp time 5m +.cindex timeout "smtp transport connect" This sets a timeout for the &[connect()]& function, which sets up a TCP/IP call to a remote host. A setting of zero allows the system timeout (typically several minutes) to act. To have any effect, the value of this option must be @@ -25084,6 +25091,7 @@ be treated as unset and &%tls_require_ciphers%& will be used instead. .option data_timeout smtp time 5m +.cindex timeout "for transmitted SMTP data blocks" This sets a timeout for the transmission of each block in the data portion of the message. As a result, the overall timeout for a message depends on the size of the message. Its value must not be zero. See also &%final_timeout%&. @@ -25222,6 +25230,7 @@ fails"& facility. .option final_timeout smtp time 10m +.cindex timeout "for transmitted SMTP data accept" This is the timeout that applies while waiting for the response to the final line containing just &"."& that terminates a message. Its value must not be zero. @@ -29308,7 +29317,7 @@ then the associated information is loaded at daemon startup. It is made available to child processes forked for handling received SMTP connections. -This caching is currently only supported under Linux. +This caching is currently only supported under Linux and FreeBSD. If caching is not possible, for example if an item has to be dependent on the peer host so contains a &$sender_host_name$& expansion, the load @@ -29320,7 +29329,7 @@ containing files specified by these options. The information specified by the main option &%tls_verify_certificates%& is similarly cached so long as it specifies files explicitly or (under GnuTLS) is the string &"system,cache"&. -The latter case is not automatically invaludated; +The latter case is not automatically invalidated; it is the operator's responsibility to arrange for a daemon restart any time the system certificate authority bundle is updated. A HUP signal is sufficient for this.