Remove `sendmail' ism's from starttls.8
--- /usr/share/man/man8/starttls.8 Tue Oct 3 22:13:42 2017
+++ starttls.8 Sat Feb 10 15:57:06 2018
@@ -102,17 +102,6 @@
.Pp
.Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text
.Pp
-If you don't intend to use TLS for authentication (and if you are using
-self-signed certificates you probably don't) you can simply link
-your new certificate to
-.Pa CAcert.pem .
-.Pp
-.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem
-.Pp
-If, on the other hand, you intend to use TLS for authentication
-you should install your certificate authority bundle as
-.Pa /etc/ssl/CAcert.pem .
-.Pp
Because the private key files are unencrypted,
MTAs
can be picky about using tight permissions on those files.
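Review bot: With both CAcert.pem paragraphs removed, nothing in this part of the page says where the certificate authority bundle goes when TLS is used for authentication, yet the second hunk still tells readers that client certificates must be signed "by a CA you also trust". Rather than deleting the second paragraph outright, consider replacing it with one MTA-neutral sentence that points to the MTA's own documentation for its CA setting. Dropping the "ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem" advice is fine on its own, since it made the server certificate its own trust anchor.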
@@ -196,36 +185,9 @@
We can use this authentication to selectively relay clients, including
other mail servers and mobile clients like laptops.
However, there have been some problems getting some mail clients to
work using
-certificate-based authentication.
-Note that your clients will have to generate certificates and have them
-signed (for trust validation) by a CA (certificate authority) you also
trust,
-if you configure your server to do client certificate checking.
-Two new entries are available for TLS options:
-.Bl -tag -width Ds -offset indent
-.It VERIFY
-contains the status of the level of verification (held in the macro
{verify})
-.It ENCR
-the strength of the encryption (in the macro {cipher_bits})
-.El
-.Pp
-VERIFY can also accept the argument for {cipher_bits}.
-Here are a few example entries that illustrate these features, and
-the role based granularity as well:
-.Pp
-Require strong (256-bit) encryption for communication with this server:
-.Pp
-.Dl TLS_Srv:server1.example.net ENCR:256
-.Pp
-For a TLS client,
-require verification and a minimum of 128-bit encryption:
-.Pp
-.Dl TLS_Clt:desktop.example.net VERIFY:128
-.Pp
-Much more complicated access maps are possible, and error conditions (such
-as permanent or temporary, PERM+ or TEMP+) can be set on the basis of
-various criteria.
-This allows you fine-grained control over the types of connections you
-can allow.
+certificate-based authentication. If you configure your server to do client
+certificate checking, your clients will have to generate certificates
signed
+by a CA you also trust.
.Pp
Note that it is unwise to force all SMTP clients to use TLS, as it is not
yet widespread.
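Review bot: The added line "+certificate-based authentication. If you configure your server to do client" starts a new sentence in the middle of an input line; in mdoc source each sentence should begin on its own line, so break after "authentication." and refill the following lines. Several lines in this hunk ("work using", "trust,", "{verify})", "signed") also have no leading space, "+" or "-", which looks like mail-client wrapping and will keep the patch from applying, so please resend it unwrapped or as an attachment. The unchanged context still says "We can use this authentication to selectively relay clients" while the only description of how to do so (the VERIFY and ENCR entries) is removed; either reword that sentence or point to where the MTA documents the equivalent controls.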