Authenticators: refactor SASL support code

[users/jgh/exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4998d805489b82d75acde12fb776f8848de1cab6..c8f5a600b6f1aee05903626e123ad456cde00daf 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3664,7 +3664,7 @@ in processing.
 .new
 .cindex debugging "UTF-8 in"
 .cindex UTF-8 "in debug output"
-The &`noutf8`& selector disables the use of 
+The &`noutf8`& selector disables the use of
 UTF-8 line-drawing characters to group related information.
 When disabled. ascii-art is used instead.
 Using the &`+all`& option does not set this modifier,
@@ -6733,6 +6733,12 @@ be followed by optional colons.
 &*Warning*&: Unlike most other single-key lookup types, a file of data for
 &((n)wildlsearch)& can &'not'& be turned into a DBM or cdb file, because those
 lookup types support only literal keys.
+
+.next
+.cindex "lookup" "spf"
+If Exim is built with SPF support, manual lookups can be done
+(as opposed to the standard ACL condition method.
+For details see section &<<SECSPF>>&.
 .endlist ilist
 
 
@@ -19611,7 +19617,7 @@ A list of hosts, whether obtained via &%route_data%& or &%route_list%&, is
 always separately expanded before use. If the expansion fails, the router
 declines. The result of the expansion must be a colon-separated list of names
 and/or IP addresses, optionally also including ports.
-If the list is written with spaces, it must be protected with qoutes.
+If the list is written with spaces, it must be protected with quotes.
 The format of each item
 in the list is described in the next section. The list separator can be changed
 as described in section &<<SECTlistconstruct>>&.
@@ -26484,7 +26490,7 @@ to be returned. If the result of a successful expansion is an empty string,
 expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds and the
 generic &%server_set_id%& option is expanded and saved in &$authenticated_id$&.
 For any other result, a temporary error code is returned, with the expanded
-string as the error text
+string as the error text.
 
 &*Warning*&: If you use a lookup in the expansion to find the user's
 password, be sure to make the authentication fail if the user is unknown.
@@ -27309,20 +27315,25 @@ tls:
   driver = tls
   server_param1 =     ${certextract {subj_altname,mail,>:} \
                                     {$tls_in_peercert}}
-  server_condition =  ${if forany {$auth1} \
+  server_condition =  ${if and { {eq{$tls_in_certificate_verified}{1}} \
+                                 {forany {$auth1} \
                             {!= {0} \
                                 {${lookup ldap{ldap:///\
                          mailname=${quote_ldap_dn:${lc:$item}},\
                          ou=users,LDAP_DC?mailid} {$value}{0} \
-                       }    }   } }
+                       }    }  } }}}
   server_set_id =     ${if = {1}{${listcount:$auth1}} {$auth1}{}}
 .endd
 This accepts a client certificate that is verifiable against any
 of your configured trust-anchors
 (which usually means the full set of public CAs)
 and which has a SAN with a good account name.
-Note that the client cert is on the wire in-clear, including the SAN,
-whereas a plaintext SMTP AUTH done inside TLS is not.
+
+Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN,
+The account name is therefore guessable by an opponent.
+TLS 1.3 protects both server and client certificates, and is not vulnerable
+in this way.
+Likewise, a traditional plaintext SMTP AUTH done inside TLS is not.
 
 . An alternative might use
 . .code