Diffstat (limited to '')
-rw-r--r-- html/posttls-finger.1.html 12
1 files changed, 11 insertions, 1 deletions
diff --git a/html/posttls-finger.1.html b/html/posttls-finger.1.html
index 2ed629a..a1475ca 100644
--- a/html/posttls-finger.1.html
+++ b/html/posttls-finger.1.html
@@ -112,7 +112,7 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1)
ified in the DNS). In Postfix versions prior to 3.6, the
default value was "md5".
- <b>-f</b> Lookup the associated DANE TLSA RRset even when a hostname is
+ <b>-f</b> Look up the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.
See <a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> for details.
@@ -302,6 +302,16 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1)
protocol. The destination <i>domain</i>:<i>port</i> must of course provide
such a service.
+ <b>-x</b> Prefer <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> non-X.509 raw public key (RPK) server creden-
+ tials. By default only X.509 certificates are accepted. This
+ is analogous to setting <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes</b> in the <a href="smtp.8.html">smtp(8)</a>
+ client. At the fingerprint security level, when raw public keys
+ are enabled, only public key (and not certificate) fingerprints
+ will be compared against the specified list of <i>match</i> arguments.
+ Certificate fingerprints are fragile when raw public keys are
+ solicited, the server may at some point in time start returning
+ only the public key.
+
<b>-X</b> Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode, for pro-
gram development only.
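Review bot: The closing sentence of the new -x entry is a comma splice ("...when raw public keys are solicited, the server may at some point in time start returning only the public key"), which hides the causal link that justifies the fingerprint rule. Suggest "solicited, because the server may at some point start returning only the public key". The entry also opens with "Prefer" but then says that only public key fingerprints are compared against the match arguments; it would help to state explicitly that certificate fingerprints in the match list never match once -x is given, even if the server still presents an X.509 certificate, so that operators pinning certificate digests know to switch to public key digests before enabling it. Minor: the link text "RFC7250" reads better as "RFC 7250".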