X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/49d478067ba22d087c65b35a8bb9b782be1ee173..24c7087f56530d2d81a92d9955afef13b4f1462f:/doc/doc-docbook/spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c57f1a23f..3bea313c1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -8300,6 +8300,19 @@ domainlist  dom2 = !a.b : *.b
 where &'x.y'& does not match. It's best to avoid negation altogether in
 referenced lists if you can.
 
+.new
+.cindex "hiding named list values"
+.cindex "named lists" "hiding value of"
+Some named list definitions may contain sensitive data, for example, passwords for
+accessing databases. To stop non-admin users from using the &%-bP%& command
+line option to read these values, you can precede the definition with the
+word &"hide"&. For example:
+.code
+hide domainlist filter_for_domains = ldap;PASS=secret ldap::/// ...
+.endd
+.wen
+
+
 Named lists may have a performance advantage. When Exim is routing an
 address or checking an incoming message, it caches the result of tests on named
 lists. So, if you have a setting such as
@@ -9719,7 +9732,7 @@ letters appear. For example:
        "&*$bheader_*&<&'header&~name'&>&*:*&&~or&~&&&
         &*$bh_*&<&'header&~name'&>&*:*&" &&&
        "&*$lheader_*&<&'header&~name'&>&*:*&&~or&~&&&
-        &*$lh_*&<&'header&~name'&>&*:*&"
+        &*$lh_*&<&'header&~name'&>&*:*&" &&&
        "&*$rheader_*&<&'header&~name'&>&*:*&&~or&~&&&
         &*$rh_*&<&'header&~name'&>&*:*&"
 .cindex "expansion" "header insertion"
@@ -27556,7 +27569,7 @@ the account name to be used.
 .new
 .option client_spassword gsasl string&!! unset
 If a SCRAM mechanism is being used and this option is set
-it is used in preference to $%client_password%&.
+it is used in preference to &%client_password%&.
 The value after expansion should be
 a 40 (for SHA-1) or 64 (for SHA-256) character string
 with the PBKDF2-prepared password, hex-encoded.