diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 28 | ||||
| -rw-r--r-- | doc/doc-txt/NewStuff | 4 | ||||
| -rw-r--r-- | doc/doc-txt/OptionLists.txt | 5 |
3 files changed, 31 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 42a393558..eea304d64 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -27435,19 +27435,37 @@ auth_mechanisms = plain login ntlm .cindex "authentication" "DIGEST-MD5" .cindex "authentication" "CRAM-MD5" .cindex "authentication" "SCRAM-SHA-1" -The &(gsasl)& authenticator provides server integration for the GNU SASL +The &(gsasl)& authenticator provides integration for the GNU SASL library and the mechanisms it provides. This is new as of the 4.80 release and there are a few areas where the library does not let Exim smoothly scale to handle future authentication mechanisms, so no guarantee can be made that any particular new authentication mechanism will be supported without code changes in Exim. -Exim's &(gsasl)& authenticator does not have client-side support at this -time; only the server-side support is implemented. Patches welcome. +.new +.option client_authz gsasl string&!! unset +This option can be used to supply an &'authorization id'& +which is different to the &'authentication_id'& provided +by $%client_username%& option. +If unset or (after expansion) empty it is not used, +which is the common case. + +.option client_channelbinding gsasl boolean false +See $%server_channelbinding%& below. + +.option client_password gsasl string&!! unset +This option is exapanded before use, and should result in +the password to be used, in clear. + +.option client_username gsasl string&!! unset +This option is exapanded before use, and should result in +the account name to be used. +.wen .option server_channelbinding gsasl boolean false -Do not set this true without consulting a cryptographic engineer. +Do not set this true and rely on the properties +without consulting a cryptographic engineer. Some authentication mechanisms are able to use external context at both ends of the session to bind the authentication to that context, and fail the @@ -27469,7 +27487,7 @@ This defaults off to ensure smooth upgrade across Exim releases, in case this option causes some clients to start failing. Some future release of Exim might have switched the default to be true. -However, Channel Binding in TLS has proven to be broken in current versions. +However, Channel Binding in TLS has proven to be vulnerable in current versions. Do not plan to rely upon this feature for security, ever, without consulting with a subject matter expert (a cryptographic engineer). diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index cd380a3f3..6b163b8b2 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -17,6 +17,10 @@ Version 4.94 3. A msg:defer event. + 4. Client-side support in the gsasl authenticator. Tested against the plaintext + driver for PLAIN; only against itself for SCRAM-SHA-1 and SCRAM-SHA-1-PLUS + methods. + Version 4.93 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 1618e4279..2978aed35 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -127,12 +127,15 @@ check_spool_space integer 0 main check_string string "From " appendfile 3.03 unset pipe 3.03 check_srv string* unset dnslookup 4.31 +client_authz string* unset gsasl 4.94 client_condition string* unset authenticators 4.68 client_ignore_invalid_base64 boolean false plaintext 4.61 client_name string* + cram_md5 3.10 +client_password string* unset gsasl 4.94 client_secret string* unset cram_md5 3.10 client_send string* unset plaintext 3.10 -client_send string* unset external (auth) 4.93 + unset external (auth) 4.93 +client_username string* unset gsasl 4.94 command string* unset lmtp 3.20 unset pipe unset queryprogram 4.00 |