X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/446415f5cd613d69abc8cd3324c06cb4695785f6..7495ef81389e682f08d57d40df1b7e852d4cdcc8:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9cb1e4972..ce64fd405 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17139,17 +17139,19 @@ prior to the 4.80 release, as Debian used to patch Exim to raise the minimum acceptable bound from 1024 to 2048. -.option tls_eccurve main string&!! prime256v1 +.option tls_eccurve main string&!! &`auto`& .cindex TLS "EC cryptography" -If built with a recent-enough version of OpenSSL, -this option selects a EC curve for use by Exim. +This option selects a EC curve for use by Exim. -Curve names of the form &'prime256v1'& are accepted. -For even more-recent library versions, names of the form &'P-512'& -are also accepted, plus the special value &'auto'& -which tells the library to choose. +After expansion it must contain a valid EC curve parameter, such as +&`prime256v1`&, &`secp384r1`&, or &`P-512`&. Consult your OpenSSL manual +for valid selections. -If the option is set to an empty string, no EC curves will be enabled. +For OpenSSL versions before (and not including) 1.0.2, the string +&`auto`& selects &`prime256v1`&. For more recent OpenSSL versions +&`auto`& tells the library to choose. + +If the option expands to an empty string, no EC curves will be enabled. .option tls_ocsp_file main string&!! unset 
@@ -31668,6 +31670,15 @@ configuration as follows (example): .code spamd_address = 192.168.99.45 387 .endd +The SpamAssassin protocol relies on a TCP half-close from the client. +If your SpamAssassin client side is running a Linux system with an +iptables firewall, consider setting +&%net.netfilter.nf_conntrack_tcp_timeout_close_wait%& to at least the +timeout, Exim uses when waiting for a response from the SpamAssassin +server (currently defaulting to 120s). With a lower value the Linux +connection tracking may consider your half-closed connection as dead too +soon. + To use Rspamd (which by default listens on all local addresses on TCP port 11333)
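Review bot: In the tls_eccurve hunk, the added example list "&`prime256v1`&, &`secp384r1`&, or &`P-512`&" carries over `P-512` from the removed text, but the NIST curve is P-521 (secp521r1). An administrator who copies the documented value will get a curve-selection failure, so please change it to `P-521`. In the same hunk, "selects a EC curve" should read "selects an EC curve". Since the default moves from prime256v1 to &`auto`&, it would also help to state what happens when the expanded value is not a curve the library recognises, because the text only covers the empty-string case.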
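Review bot: In the SpamAssassin hunk, the added paragraph gives the Exim-side wait only as "(currently defaulting to 120s)" without naming the setting that controls it, so a reader who has changed that timeout cannot tell which value to compare with &%net.netfilter.nf_conntrack_tcp_timeout_close_wait%&. Please name the controlling option or parameter next to the 120s figure, so the doc does not silently go stale if the default changes. There is also a stray comma in "at least the timeout, Exim uses when waiting", which should read "at least the timeout Exim uses when waiting". The sentence "With a lower value the Linux connection tracking may consider your half-closed connection as dead too soon" could say what the operator will actually observe (the scan timing out or failing), which would make the symptom easier to recognise in logs.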