aboutsummaryrefslogtreecommitdiffstats
path: root/doc/pullimap.1.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/pullimap.1.md')
-rw-r--r--doc/pullimap.1.md33
1 files changed, 23 insertions, 10 deletions
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index 98ec2ef..c9500e0 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -139,7 +139,9 @@ Valid options are:
*host*
-: Server hostname, for `type=imap` and `type=imaps`.
+: Server hostname or IP address, for `type=imap` and `type=imaps`.
+ The value can optionally be enclosed in square brackets to force its
+ interpretation as an IP literal (hence skip name resolution).
(Default: `localhost`.)
*port*
@@ -149,8 +151,8 @@ Valid options are:
*proxy*
-: An optional SOCKS proxy to use for TCP connections to the IMAP
- server (`type=imap` and `type=imaps` only), formatted as
+: Optional SOCKS proxy to use for TCP connections to the IMAP server
+ (`type=imap` and `type=imaps` only), formatted as
`PROTOCOL://[USER:PASSWORD@]PROXYHOST[:PROXYPORT]`.
If `PROXYPORT` is omitted, it is assumed at port 1080.
Only [SOCKSv5][RFC 1928] is supported (with optional
@@ -237,15 +239,19 @@ Valid options are:
*SSL_verify*
-: Whether to verify the server certificate chain.
+: Whether to verify the server certificate chain, and match its
+ Subject Alternative Name (SAN) or Subject CommonName (CN) against
+ the value of the *host* option.
+ (Default: `YES`.)
+
Note that using *SSL_fingerprint* to specify the fingerprint of the
server certificate provides an independent server authentication
- measure as it ignores the CA chain.
- (Default: `YES`.)
+ measure as it pins directly its key material and ignore its chain of
+ trust.
*SSL_CApath*
-: Directory to use for server certificate verification if
+: Directory to use for server certificate verification when
`SSL_verify=YES`.
This directory must be in “hash format”, see [`verify`(1ssl)] for
more information.
@@ -253,7 +259,14 @@ Valid options are:
*SSL_CAfile*
: File containing trusted certificates to use during server
- certificate verification if `SSL_verify=YES`.
+ certificate verification when `SSL_verify=YES`.
+
+*SSL_hostname*
+
+: Name to use for the TLS SNI (Server Name Indication) extension. The
+ default value is taken from the *host* option when it is a hostname,
+ and to the empty string when it is an IP literal.
+ Setting *SSL_hostname* to the empty string explicitly disables SNI.
Control flow {#control-flow}
============
@@ -378,5 +391,5 @@ Standards
[`fetchmail`(1)]: https://www.fetchmail.info/
[`getmail`(1)]: http://pyropus.ca/software/getmail/
[`write`(2)]: https://man7.org/linux/man-pages/man2/write.2.html
-[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/ciphers.html
-[`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/apps/verify.html
+[`ciphers`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
+[`verify`(1ssl)]: https://www.openssl.org/docs/manmaster/man1/openssl-verify.html