Age | Commit message (Collapse) | Author |
|
config.
Mostly commented-out and with dummy lookups since we do not know what sorts
of filtering may be employed.
(cherry picked from commit b220576b3ba5396af6b3e0f45739f269079f8fc5)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Work around the `$host` vs CNAME issue for now by re-specifying the
`tls_sni` value on the example `smarthost_smtp` transport, using the
same macro which we use to turn on use of a smarthost.
Uncomment both dnslookup and smarthost routers by default and let the
macro choose between them.
Bring the documentation of the default configuration closer to
up-to-date, on this issue and others which I spotted while in there.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Patch from Matthias, with additional code indentation tweaks from JGH
|
|
I've created a homebrew tap with sdop and xfpt in it, so I can install
those more easily on macOS in the future, and now have bothered actually
building the docs. `.url()` should have been `&url()` in two places.
The `make spec.pdf` pipeline yields a document where those are not
clickable links, but if i use `make spec.ps` and let macOS auto-convert
to PDF upon open, those are proper clickable hyperlinks. So this switch
is definitely for the better.
|
|
|
|
I got a cookie-cutter email from folks noting the modssl.org doc links
were broken and asking us to use their site instead, which was both
helpful and a rather heavy page with advertising on it, so not something
I want our docs to link to.
Fixed the modssl link to point to the correct current Apache docs, since
mod_ssl has not been a separate project for … a very long time.
Audited every `http:` link in the Spec, replacing with https if
available, updating URLs as needed, or trimming deadwood as appropriate.
This did edit one license text, but in a way which I believe is
reasonable and in the license holder's best interests.
* Use comments with a datestamp for any remaining http: URLs, showing
when they were last audited
* Suggest migrating away from Berkeley DB.
* Drop mention of a patched `pam_unix` module which is no longer available.
* In revamping the CDB tools links, add my own tools.
* Redo the intro text for the mod_ssl stuff (first person voice of PH).
* Rescorla's book's online examples appear to be gone; drop mention of
them and point to Ristić's more recent book too.
* Point to wikipedia list of DNSxL services as an overview, in part
because I dropped the reference to the defunct rfc-ignorant.org and
there was no good candidate as an exemplar for domain-based lists.
* Note that mksd is a candidate for removal from Exim since mks_vir
is dead.
* Drop LogReport/lire reference (dead/gone and can't find it).
* Redo proxy protocol spec-linking text.
* Replace FAQ A1701 with text saying "don't do that" (self-signed certs)
and just telling people to use a CA instead, pointing strongly to
Let's Encrypt. We did nobody any favors with that old text still
being present today (it was entirely appropriate when written).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
While technically an implementation can choose to use a public TA from
DNS or elsewhere to populate a missing TA from the chain, that creates
interoperability issues and the OpenSSL integration code, at least,
doesn't support that and after a bit of work drilling through layers of
abstraction, I've not figured out what GnuTLS does and I've decided I
don't care.
So I'm heeding Viktor's advice and changing the docs to just say to
publish the TA in the chain sent by the server.
|
|
|
|
Very few domains are using SHA-1 in EE certs issued from a CA used in
DANE-TA anchoring, but some are. Meanwhile apparently GnuTLS now
defaults to disabling SHA-1 in chains. Which is eminently reasonable.
I do not believe that Exim should re-enable use of SHA-1 here. Let it
die. Document with warnings that folks using a private CA for certs to
be publicly trusted via DANE-TA should follow decent operational
issuance practices.
Also update my Channel Binding docs for GSASL to warn that Channel
Binding is Broken™.
|
|
Following discussions on the exim-user mailinglist it seems that the conclusion
that the interface was nonfunctioning was unwarranted.
|
|
|
|
This reverts commit c5f280e20a8e3ecd5f016b8fb34a436588915ed2.
|
|
|
|
|
|
|
|
Wishlist item (#2280) is created for INET connections.
See https://bugs.exim.org/show_bug.cgi?id=2280
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|