diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 28 | ||||
-rw-r--r-- | doc/doc-txt/ChangeLog | 2 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 5 |
3 files changed, 35 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index edb577a11..748f5c9dc 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23018,6 +23018,14 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. +.option tls_try_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +For OpenSSL only, this option gives a list of hosts for which +certificate verification will be tried but need not succeed. +The &%tls_verify_certificates%& option must also be set. + + .option tls_verify_certificates smtp string&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" @@ -23032,6 +23040,20 @@ single file if you are using GnuTLS. The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS. +For back-compatability, or when GnuTLS is used, +if neither tls_verify_hosts nor tls_try_verify_hosts are set +and certificate verification fails the TLS connection is closed. + + +.option tls_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +For OpenSSL only, this option gives a list of hosts for which +certificate verification must succeed. +The &%tls_verify_certificates%& option must also be set. +If both this option and &%tls_try_verify_hosts%& are unset +operation is as if this option selected all hosts. + @@ -25933,6 +25955,12 @@ for OpenSSL only (not GnuTLS), a directory, that contains a collection of expected server certificates. The client verifies the server's certificate against this collection, taking into account any revoked certificates that are in the list defined by &%tls_crl%&. +Failure to verify fails the TLS connection unless either of the +&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set. + +The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict +certificate verification to the listed servers. Verification either must +or need not succeed respectively. If &%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index d5c09f4c5..c1640f73a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -32,6 +32,8 @@ JH/02 Add ${listextract {number}{list}{success}{fail}}. TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents. Properly escape header and check for NULL return. +JH/03 Add tls_{,try_}verify_hosts to smtp transport. OpenSSL only. + Exim version 4.82 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 11cfcffa0..e4f2e29a1 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -14,6 +14,11 @@ Version 4.83 actual external source IP:host be used in exim instead of the IP of the proxy that is connecting to it. + 2. When built with OpenSSL the smtp transport now supports options + "tls_verify_hosts" and "tls_try_verify_hosts". If either is set the + certificate verification is split from the encryption operation. The + default remains that a failed verification cancels the encryption. + Version 4.82 ------------ |