X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=doc%2Fdoc-docbook%2Fspec.xfpt;h=9c011a989fb691b6cbfbbcbbc81d6672ce137c7b;hb=dc9c8f8b52cbf2e8424f5e98f63d29aa7fb81fe7;hp=1a7a7baa638558da5b2c2485912d485bb6f6cec2;hpb=cc55f4208e997ee8cdd87bf2a141be0c615488f9;p=exim.git diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 1a7a7baa6..9c011a989 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17133,8 +17133,14 @@ use when sending messages as a client, you must set the &%tls_certificate%& option in the relevant &(smtp)& transport. .new +&*Note*&: If you use filenames based on IP addresses, change the list +separator in the usual way to avoid confusion under IPv6. + &*Note*&: Under current versions of OpenSSL, when a list of more than one file is used, the &$tls_in_ourcert$& veriable is unreliable. + +&*Note*&: OCSP stapling is not usable under OpenSSL +when a list of more than one file is used. .wen If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then @@ -17149,7 +17155,15 @@ generated for every connection. .cindex "TLS" "server certificate revocation list" .cindex "certificate" "revocation list for server" This option specifies a certificate revocation list. The expanded value must -be the name of a file that contains a CRL in PEM format. +be the name of a file that contains CRLs in PEM format. + +.new +Under OpenSSL the option can specify a directory with CRL files. + +&*Note: Under OpenSSL the option must, if given, supply a CRL +for each signing element of the certificate chain (i.e. all but the leaf). +For the file variant this can be multiple PEM blocks in the one file. +.wen See &<>& for discussion of when this option might be re-expanded. @@ -17276,6 +17290,12 @@ Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). +.new +For GnuTLS 3.5.6 or later the expanded value of this option can be a list +of files, to match a list given for the &%tls_certificate%& option. +The ordering of the two lists must match. +.wen + .option tls_on_connect_ports main "string list" unset .cindex SSMTP @@ -27137,7 +27157,7 @@ let the Exim Maintainers know and we'll likely use it). .next .new With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option -main option, it must be ordered to match the %&tls_certificate%& list. +main option, it must be ordered to match the &%tls_certificate%& list. .wen .next Some other recently added features may only be available in one or the other. @@ -31327,6 +31347,7 @@ address and some time-based randomizing information. The &%prvs%& expansion item creates a signed address, and the &%prvscheck%& expansion item checks one. The syntax of these expansion items is described in section &<>&. +The validity period on signed addresses is seven days. As an example, suppose the secret per-address keys are stored in an MySQL database. A query to look up the key for an address could be defined as a macro @@ -38708,6 +38729,11 @@ dkim_verify_signers = $sender_address_domain:$dkim_signers If a domain or identity is listed several times in the (expanded) value of &%dkim_verify_signers%&, the ACL is only called once for that domain or identity. +.new +If multiple signatures match a domain (or identity), the ACL is called once +for each matching signature. +.wen + Inside the &%acl_smtp_dkim%&, the following expansion variables are available (from most to least important):