X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/8ccd00b14ecc7c3c806882a54a9216f531571716..9c8e326996b3dc623caade95922632d9c228120b:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 7c34bbbc7..46c83adf9 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -5557,16 +5557,21 @@ unreachable. The next two lines are concerned with &'ident'& callbacks, as defined by RFC 1413 (hence their names): .code -rfc1413_hosts = * -rfc1413_query_timeout = 5s +rfc1413_query_hosts = * +rfc1413_query_timeout = 0s +.endd +These settings cause Exim to avoid ident callbacks for all incoming SMTP calls. +Few hosts offer RFC1413 service these days; calls have to be +terminated by a timeout and this needlessly delays the startup +of an incoming SMTP connection. +If you have hosts for which you trust RFC1413 and need this +information, you can change this. + +This line enables an efficiency SMTP option. It is negociated by clients +and not expected to cause problems but can be disabled if needed. +.code +prdr_enable = true .endd -These settings cause Exim to make ident callbacks for all incoming SMTP calls. -You can limit the hosts to which these calls are made, or change the timeout -that is used. If you set the timeout to zero, all ident calls are disabled. -Although they are cheap and can provide useful information for tracing problem -messages, some hosts and firewalls have problems with ident calls. This can -result in a timeout instead of an immediate refused connection, leading to -delays on starting up an incoming SMTP session. When Exim receives messages over SMTP connections, it expects all addresses to be fully qualified with a domain, as required by the SMTP definition. However, 
@@ -6002,9 +6007,14 @@ One remote transport and four local transports are defined. .code remote_smtp: driver = smtp + hosts_try_prdr = * .endd -This transport is used for delivering messages over SMTP connections. All its -options are defaulted. The list of remote hosts comes from the router. +This transport is used for delivering messages over SMTP connections. +The list of remote hosts comes from the router. +The &%hosts_try_prdr%& option enables an efficiency SMTP option. +It is negotiated between client and server +and not expected to cause problems but can be disabled if needed. +All other options are defaulted. .code local_delivery: driver = appendfile @@ -8887,10 +8897,10 @@ the certificate. Supported fields are: .display &`version `& &`serial_number `& -&`subject `& -&`issuer `& -&`notbefore `& -&`notafter `& +&`subject `& RFC4514 DN +&`issuer `& RFC4514 DN +&`notbefore `& time +&`notafter `& time &`sig_algorithm `& &`signature `& &`subj_altname `& tagged list @@ -8909,6 +8919,22 @@ extracted is used. Some field names take optional modifiers, appended and separated by commas. +The field selectors marked as "RFC4514" above +output a Distinguished Name string which is +not quite +parseable by Exim as a comma-separated tagged list +(the exceptions being elements containin commas). +RDN elements of a single type may be selected by +a modifier of the type label; if so the expansion +result is a list (newline-separated by default). +The separator may be changed by another modifer of +a right angle-bracket followed immediately by the new separator. +Recognised RDN type labels include "CN", "O", "OU" and "DC". + +The field selectors marked as "time" above +may output a number of seconds since epoch +if the modifier "int" is used. + The field selectors marked as "list" above return a list, newline-separated by default, (embedded separator characters in elements are doubled). 
@@ -8921,7 +8947,7 @@ Elements of only one type may be selected by a modifier which is one of "dns", "uri" or "mail"; if so the elenment tags are omitted. -Field values are generally presented in human-readable form. +If not otherwise noted field values are presented in human-readable form. .wen .vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&& @@ -23256,6 +23282,11 @@ in clear. This option gives a list of hosts for which, on encrypted connections, certificate verification will be tried but need not succeed. The &%tls_verify_certificates%& option must also be set. +Note that unless the host is in this list +TLS connections will be denied to hosts using self-signed certificates +when &%tls_verify_certificates%& is set. +The &$tls_out_certificate_verified$& variable is set when +certificate verification succeeds. .option tls_verify_certificates smtp string&!! unset @@ -25342,7 +25373,7 @@ dovecot_plain: driver = dovecot public_name = PLAIN server_socket = /var/run/dovecot/auth-client - server_set_id = $auth2 + server_set_id = $auth1 dovecot_ntlm: driver = dovecot @@ -26663,6 +26694,8 @@ See also the &%prdr_enable%& global option and the &%hosts_try_prdr%& smtp transport option. This ACL is evaluated after &%acl_smtp_dkim%& but before &%acl_smtp_data%&. +If the ACL is not defined, processing completes as if +the feature was not requested by the client. .section "The QUIT ACL" "SECTQUITACL" .cindex "QUIT, ACL for"
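Review bot: in the first spec.xfpt hunk (@@ -5557), the sample option is renamed from `rfc1413_hosts` to `rfc1413_query_hosts`. Nothing else in this diff renames the main option itself, and the surrounding sentence ("hence their names") still refers to the two options by their existing names, so the default configuration would now show an option that does not exist; a user copying the sample gets an unknown-option error at startup. Keep `rfc1413_hosts = *`. The rewritten paragraph also never says that it is the `0s` timeout that disables the lookups; the removed sentence "If you set the timeout to zero, all ident calls are disabled" carried that and should survive, because a reader who follows "you can change this" needs to know the timeout, not the host list, is the switch. In the PRDR paragraph, "negociated" should be "negotiated", and "an efficiency SMTP option" should name the extension (PRDR) and point at the `hosts_try_prdr` transport option and `acl_smtp_data_prdr` ACL that later hunks document, otherwise the reader has no way to find out what `prdr_enable = true` just turned on.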
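Review bot: the remote_smtp hunk (@@ -6002) has the same wording gap: "an efficiency SMTP option" leaves PRDR unnamed. Say that `hosts_try_prdr = *` makes the client offer PRDR to any host that advertises it, and cross-reference the `prdr_enable` main option so the client and server sides of the feature are documented together; "negotiated between client and server" is a good place to add that a host which does not advertise it is simply not sent it, which is the actual reason it is "not expected to cause problems".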
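Review bot: the new RFC4514 paragraph (@@ -8909) reads backwards: "not quite parseable by Exim as a comma-separated tagged list (the exceptions being elements containin commas)" should say that the DN string is usable as a comma-separated tagged list only when no RDN value itself contains a comma, which is exactly why the type-label modifier is provided. Typos: "containin", "modifer". The paragraph should also state whether the newline-separated RDN list doubles embedded separator characters the way the "list" selectors below say they do: a CN or OU in a peer certificate is chosen by the remote party, and a practitioner splitting the result needs to know whether an embedded newline (or the custom separator given with the ">" modifier) is escaped. A one-line example of the modifier spelling (field name followed by ",CN", and optionally ",>;" given the "appended and separated by commas" rule just above) would remove the ambiguity about where the separator goes.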
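Review bot: pre-existing typo in the context of the @@ -8921 hunk, "elenment tags" should be "element tags"; worth fixing while the adjacent sentence is being rewritten.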
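Review bot: in the tls_try_verify_hosts hunk (@@ -23256), "hosts using self-signed certificates" understates the rule: with `tls_verify_certificates` set, a host outside this list is refused for any certificate that fails verification (untrusted issuer, expired, broken chain); self-signed is only the common case. Suggest "hosts whose certificate cannot be verified against &%tls_verify_certificates%&". The added sentence on `$tls_out_certificate_verified` is useful, but say what a failed try-verify leaves in it, since that value is what a transport condition or ACL would test to tell a verified peer from a merely encrypted one.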
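Review bot: the dovecot_plain hunk (@@ -25342) changes `server_set_id` from `$auth2` to `$auth1` with no explanation. `server_set_id` is the source of `$authenticated_id`, which feeds logging and ACL conditions, so a wrong variable means an empty or wrong identity is recorded for every authenticated session. The text around the example should say which `$authN` variable the dovecot driver fills with the user name returned by Dovecot, so readers can see why `$auth1` is the right one for this driver, and the change should be flagged as a correction if the previous value was a bug.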
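Review bot: in the acl_smtp_data_prdr hunk (@@ -26663), "processing completes as if the feature was not requested by the client" should spell out the fallback: presumably the per-recipient ACL is skipped and the single `acl_smtp_data` verdict applies to all recipients. Saying so matters because `prdr_enable = true` is now in the default configuration, and a site that enables it without defining this ACL needs to know it gets the non-PRDR behaviour rather than an accept-by-default. Grammar: "as if the feature had not been requested".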