From 3e160e27e4686620d16477a9ea9cf00141e52ce7 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 10:41:51 +0200 Subject: Adding upstream version 3.9.0. Signed-off-by: Daniel Baumann --- html/posttls-finger.1.html | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'html/posttls-finger.1.html') diff --git a/html/posttls-finger.1.html b/html/posttls-finger.1.html index 2ed629a..a1475ca 100644 --- a/html/posttls-finger.1.html +++ b/html/posttls-finger.1.html @@ -112,7 +112,7 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1) ified in the DNS). In Postfix versions prior to 3.6, the default value was "md5". - -f Lookup the associated DANE TLSA RRset even when a hostname is + -f Look up the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. See smtp_tls_force_insecure_host_tlsa_lookup for details. @@ -302,6 +302,16 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1) protocol. The destination domain:port must of course provide such a service. + -x Prefer RFC7250 non-X.509 raw public key (RPK) server creden- + tials. By default only X.509 certificates are accepted. This + is analogous to setting smtp_tls_enable_rpk = yes in the smtp(8) + client. At the fingerprint security level, when raw public keys + are enabled, only public key (and not certificate) fingerprints + will be compared against the specified list of match arguments. + Certificate fingerprints are fragile when raw public keys are + solicited, the server may at some point in time start returning + only the public key. + -X Enable tlsproxy(8) mode. This is an unsupported mode, for pro- gram development only. -- cgit v1.2.3
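Review bot: In the second hunk (the new -x entry), the closing sentence "Certificate fingerprints are fragile when raw public keys are solicited, the server may at some point in time start returning only the public key." is a comma splice that leaves the causal link implicit. Suggest "... are solicited, because the server may at some point start returning only the public key." The entry also says that with raw public keys enabled "only public key (and not certificate) fingerprints will be compared against the specified list of match arguments", but it does not spell out the consequence for a user who passes certificate fingerprints together with -x. It would help to state that such match arguments will not be compared at the fingerprint level and should be replaced with public key fingerprints.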