Diffstat (limited to '')
-rw-r--r-- | html/posttls-finger.1.html | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/html/posttls-finger.1.html b/html/posttls-finger.1.html index 2ed629a..a1475ca 100644 --- a/html/posttls-finger.1.html +++ b/html/posttls-finger.1.html @@ -112,7 +112,7 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1) ified in the DNS). In Postfix versions prior to 3.6, the default value was "md5". - <b>-f</b> Lookup the associated DANE TLSA RRset even when a hostname is + <b>-f</b> Look up the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. See <a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> for details. @@ -302,6 +302,16 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1) protocol. The destination <i>domain</i>:<i>port</i> must of course provide such a service. + <b>-x</b> Prefer <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> non-X.509 raw public key (RPK) server creden- + tials. By default only X.509 certificates are accepted. This + is analogous to setting <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes</b> in the <a href="smtp.8.html">smtp(8)</a> + client. At the fingerprint security level, when raw public keys + are enabled, only public key (and not certificate) fingerprints + will be compared against the specified list of <i>match</i> arguments. + Certificate fingerprints are fragile when raw public keys are + solicited, the server may at some point in time start returning + only the public key. + <b>-X</b> Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode, for pro- gram development only. |
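Review bot: In the second hunk (the new -x entry), the closing sentence "Certificate fingerprints are fragile when raw public keys are solicited, the server may at some point in time start returning only the public key." is a comma splice that hides the causal link. Suggest "... are solicited, because the server may at some point start returning only the public key." The entry also says -x only "prefers" raw public keys, so it should state explicitly what is compared at the fingerprint security level when the server still answers with an X.509 certificate (presumably the fingerprint of that certificate's public key). That tells operators to put public key digests in the match arguments before enabling the option.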