. Update the Copyright year (only) when changing content.
. /////////////////////////////////////////////////////////////////////////////
-.set previousversion "4.83"
+.set previousversion "4.84"
.include ./local_params
.set ACL "access control lists (ACLs)"
If you have hosts for which you trust RFC1413 and need this
information, you can change this.
-This line enables an efficiency SMTP option. It is negociated by clients
+This line enables an efficiency SMTP option. It is negotiated by clients
and not expected to cause problems but can be disabled if needed.
.code
prdr_enable = true
.cindex "expansion" "inserting from a socket"
.cindex "socket, use of in expansion"
.cindex "&%readsocket%& expansion item"
-This item inserts data from a Unix domain or Internet socket into the expanded
+This item inserts data from a Unix domain or TCP socket into the expanded
string. The minimal way of using it uses just two arguments, as in these
examples:
.code
For earlier versions of GnuTLS
the option must be set to the name of a single file.
+With OpenSSL the certificates specified
+explicitly
+either by file or directory
+are added to those given by the system default location.
+
These certificates should be for the certificate authorities trusted, rather
than the public cert of individual clients. With both OpenSSL and GnuTLS, if
the value is a file then the certificates are sent by Exim as a server to
connecting clients, defining the list of accepted certificate authorities.
Thus the values defined should be considered public data. To avoid this,
-use OpenSSL with a directory.
+use the explicit directory version.
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
in clear.
-.option tls_try_verify_hosts smtp "host list&!! unset
+.option tls_try_verify_hosts smtp "host list&!!" unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
This option gives a list of hosts for which, on encrypted connections,
The &%tls_verify_certificates%& option must also be set.
Note that unless the host is in this list
TLS connections will be denied to hosts using self-signed certificates
-when &%tls_verify_certificates%& is set.
+when &%tls_verify_certificates%& is matched.
The &$tls_out_certificate_verified$& variable is set when
certificate verification succeeds.
files.
For earlier versions of GnuTLS the option must be set to the name of a
single file.
+
+With OpenSSL the certificates specified
+explicitly
+either by file or directory
+are added to those given by the system default location.
+
The values of &$host$& and
&$host_address$& are set to the name and address of the server during the
expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.
and certificate verification fails the TLS connection is closed.
-.option tls_verify_hosts smtp "host list&!! unset
+.option tls_verify_hosts smtp "host list&!!" unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
This option gives a list of hosts for which. on encrypted connections,
&%tls_verify_certificates%&
.next
.vindex "&%tls_ocsp_file%&"
-&%tls_verify_certificates%&
+&%tls_ocsp_file%&
.endlist
Great care should be taken to deal with matters of case, various injection
.endd
.vitem &%drweb%&
.cindex "virus scanners" "DrWeb"
-The DrWeb daemon scanner (&url(http://www.sald.com/)) interface takes one
-argument, either a full path to a UNIX socket, or an IP address and port
-separated by white space, as in these examples:
+The DrWeb daemon scanner (&url(http://www.sald.com/)) interface
+takes one option,
+either a full path to a UNIX socket,
+or host and port specifiers separated by white space.
+The host may be a name or an IP address; the port is either a
+single number or a pair of numbers with a dash between.
+For example:
.code
av_scanner = drweb:/var/run/drwebd.sock
av_scanner = drweb:192.168.2.20 31337
If you omit the argument, the default path &_/usr/local/drweb/run/drwebd.sock_&
is used. Thanks to Alex Miller for contributing the code for this scanner.
+.vitem &%f-protd%&
+.cindex "virus scanners" "f-protd"
+The f-protd scanner is accessed via HTTP over TCP.
+One argument is taken, being a space-separated hostname and port number
+(or port-range).
+For example:
+.code
+av_scanner = f-protd:localhost 10200-10204
+.endd
+If you omit the argument, the default values show above are used.
+
.vitem &%fsecure%&
.cindex "virus scanners" "F-Secure"
The F-Secure daemon scanner (&url(http://www.f-secure.com)) takes one