X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/397060bdd3aa70eab4a01a10d0abb2481d809e0f..eb4d1c0be04d768afe4947f75724a130b2bd2256:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 6a9b43c0e..aa9d23ddb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -5556,10 +5556,12 @@ unreachable. The next two lines are concerned with &'ident'& callbacks, as defined by RFC 1413 (hence their names): +.new .code rfc1413_hosts = * rfc1413_query_timeout = 0s .endd +.wen These settings cause Exim to avoid ident callbacks for all incoming SMTP calls. Few hosts offer RFC1413 service these days; calls have to be terminated by a timeout and this needlessly delays the startup @@ -10998,7 +11000,7 @@ Exim filter files include an &%if%& command with its own regular expression matching condition. .new -.vitem "&$acl_arg1$&, &$acl_arg2$&, etc$&" +.vitem "&$acl_arg1$&, &$acl_arg2$&, etc" Within an acl condition, expansion condition or expansion item any arguments are copied to these variables, any unused variables being made empty. @@ -12421,6 +12423,26 @@ and then set to the outgoing cipher suite if one is negotiated. See chapter &<>& for details of TLS support and chapter &<>& for details of the &(smtp)& transport. +.new +.vitem &$tls_in_ocsp$& +.vindex "&$tls_in_ocsp$&" +When a message is received from a remote client connection +the result of any OCSP request from the client is encoded in this variable: +.code +0 OCSP proof was not requested (default value) +1 No response to request +2 Response not verified +3 Verification failed +4 Verification succeeded +.endd + +.vitem &$tls_out_ocsp$& +.vindex "&$tls_out_ocsp$&" +When a message is sent to a remote host connection +the result of any OCSP request made is encoded in this variable. +See &$tls_in_ocsp$& for values. +.wen + .vitem &$tls_in_peerdn$& .vindex "&$tls_in_peerdn$&" .vindex "&$tls_peerdn$&" 
@@ -25376,6 +25398,9 @@ but it is present in many binary distributions. .scindex IIDdcotauth2 "authenticators" "&(dovecot)&" This authenticator is an interface to the authentication facility of the Dovecot POP/IMAP server, which can support a number of authentication methods. +.new +Note that Dovecot must be configured to use auth-client not auth-userdb. +.wen If you are using Dovecot to authenticate POP/IMAP clients, it might be helpful to use the same mechanisms for SMTP authentication. This is a server authenticator only. There is only one option: @@ -26244,6 +26269,10 @@ file named by &%tls_ocsp_file%&. Note that the proof only covers the terminal server certificate, not any of the chain from CA to it. +.new +There is no current way to staple a proof for a client certificate. +.wen + .code A helper script "ocsp_fetch.pl" for fetching a proof from a CA OCSP server is supplied. The server URL may be included in the
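Review bot: in the hunk at @@ -12421, the new &$tls_in_ocsp$& entry does not say which party performs the verification that values 2 to 4 report. The text reads "the result of any OCSP request from the client", but "Response not verified", "Verification failed" and "Verification succeeded" describe the outcome of checking a proof, and the entry does not state which of the five values can actually appear on an inbound connection as opposed to in &$tls_out_ocsp$&. Please state, for each variable, which values are possible. Please also explain how 2 differs from 3, since an ACL or router condition that tests this variable will want to treat "not verified" and "failed" differently. The phrases "remote client connection" and "remote host connection" would read better as "a remote client" and "a remote host".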
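Review bot: in the hunk at @@ -25376, the added sentence "Dovecot must be configured to use auth-client not auth-userdb" names two things without saying what they are or where the choice is made. A reader who does not already know Dovecot's auth socket listeners cannot act on it. Suggest saying that these are Dovecot authentication sockets and that the socket given to this authenticator's single option, described just below, must be the auth-client one. It would help to add a brief reason why the userdb socket is the wrong one to point Exim at. The two names should also carry the literal markup used elsewhere in the file, and a comma before "not" would make the sentence easier to read.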
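Review bot: in the hunk at @@ -26244, the new sentence "There is no current way to staple a proof for a client certificate" is placed in the server-side stapling text (the paragraph about &%tls_ocsp_file%& and the terminal server certificate), so it is not clear whether it refers to Exim acting as a client or to clients connecting to Exim. Suggest rewording to "There is currently no way for Exim, when acting as a client, to staple a proof for its client certificate", if that is the intent. A cross-reference to the &$tls_out_ocsp$& variable added earlier in this patch would also help, so readers do not confuse requesting a proof for the server's certificate with stapling one for the client's.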