From 54c90be16587ca315041c964e251f07fc2bcf0e9 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Fri, 1 Jun 2012 05:52:31 -0400 Subject: tls_dh_min_bits smtp transport option Could not find an API for use with OpenSSL, so GnuTLS only --- doc/doc-txt/ChangeLog | 3 +++ doc/doc-txt/NewStuff | 11 +++++++++++ doc/doc-txt/OptionLists.txt | 2 ++ 3 files changed, 16 insertions(+) (limited to 'doc/doc-txt') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 533ce5035..635533fda 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -9,6 +9,9 @@ PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities. PP/02 Make -n do something, by making it not do something. When combined with -bP, the name of an option is not output. +PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured + by GnuTLS. + Exim version 4.80 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 5088a24c4..be8285b67 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -20,6 +20,17 @@ Version 4.81 For instance, "exim -n -bP pid_file_path" should just emit a pathname followed by a newline, and no other text. + 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now + has a "tls_dh_min_bits" option, to set the minimum acceptable number of + bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites) + acceptable for security. (Option accepted but ignored if using OpenSSL). + Defaults to 1024, the old value. May be lowered only to 512, or raised as + far as you like. Raising this may hinder TLS interoperability with other + sites and is not currently recommended. Lowering this will permit you to + establish a TLS session which is not as secure as you might like. + + Unless you really know what you are doing, leave it alone. + Version 4.80 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 45b7997d1..b8e8599ed 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -548,6 +548,7 @@ tls_advertise_hosts host list * main tls_certificate string* unset main 3.20 unset smtp 3.20 tls_dh_max_bits integer 2236 main 4.80 +tls_dh_min_bits integer 1024 smtp 4.81 tls_dhparam string* unset main 3.20 tls_on_connect_ports string unset main 4.43 tls_privatekey string* unset main 3.20 @@ -623,6 +624,7 @@ provide compatibility with Sendmail. -bh Test incoming SMTP call, omitting callouts -bhc Test incoming SMTP call, with callouts -bi * Run bi_command +-bI:help Show list of accepted -bI: options -bm Accept message on standard input -bmalware + Invoke configured malware scanning against supplied filename -bnq Don't qualify addresses in locally submitted messages -- cgit v1.2.3