Diffstat (limited to 'contrib/sendmail/cf/README')
-rw-r--r--contrib/sendmail/cf/README29
1 files changed, 22 insertions, 7 deletions
diff --git a/contrib/sendmail/cf/README b/contrib/sendmail/cf/README
index cfabe5eefe45..6191337ea625 100644
--- a/contrib/sendmail/cf/README
+++ b/contrib/sendmail/cf/README
@@ -1301,6 +1301,8 @@ dnsbl Turns on rejection, discarding, or quarantining of hosts
definition from `host'. Set the DNSBL_MAP_OPT mc option
to add additional options to the map specification used.
+ Note: currently only IPv4 addresses are checked.
+
Some DNS based rejection lists cause failures if asked
for AAAA records. If your sendmail version is compiled
with IPv6 support (NETINET6) and you experience this
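Review bot: The added note "currently only IPv4 addresses are checked" does not say what happens to a connection arriving over IPv6. If such clients skip the dnsbl lookup entirely, say so in the note, since the paragraph right after it discusses NETINET6 builds and an operator on a dual-stack host needs to know that the rejection list does not cover that traffic.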
@@ -1326,10 +1328,10 @@ enhdnsbl Enhanced version of dnsbl (see above). Further arguments
compared with the supplied argument(s), and only if a match
occurs an error is generated. For example,
- FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.')
+ FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2')
will reject the e-mail if the lookup returns the value
- ``127.0.0.2.'', or generate a 451 response if the lookup
+ ``127.0.0.2'', or generate a 451 response if the lookup
temporarily failed. The arguments can contain metasymbols
as they are allowed in the LHS of rules. As the example
shows, the default values are also used if an empty argument,
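Review bot: Both the FEATURE example and the quoted value lose the trailing dot (`127.0.0.2.' becomes `127.0.0.2'), but the text gives no hint for sites that copied the old form. Since the argument is compared with the lookup result and an error is generated only on a match, add a sentence saying whether an existing entry written with the trailing dot still matches or has to be edited.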
@@ -1616,6 +1618,12 @@ sts Experimental support for Strict Transport Security
for the default value).
For more information see doc/op/op.me.
+fips3 Basic support for FIPS in OpenSSL 3 by setting
+ the environment variables OPENSSL_CONF and
+ OPENSSL_MODULES to the first and second argument,
+ respectively. For details, see the file and
+ the OpenSSL documentation.
+
+-------+
| HACKS |
+-------+
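Review bot: In the new fips3 entry, "For details, see the file and the OpenSSL documentation" never names the file, so the reference cannot be followed; please give its path. A one-line FEATURE(`fips3', ...) example showing which argument becomes OPENSSL_CONF and which becomes OPENSSL_MODULES would also match the way the neighbouring entries are documented.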
@@ -1688,6 +1696,7 @@ The macro LOCAL_UUCP can be used to add rules into the generated
cf file at the place where MAILER(`uucp') inserts its rules. This
should only be used if really necessary.
+
+--------------------+
| USING UUCP MAILERS |
+--------------------+
@@ -3183,8 +3192,8 @@ VERIFY:bits verification must have succeeded and ${cipher_bits} must
ENCR:bits ${cipher_bits} must be greater than or equal bits.
The RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary
-or permanent error. The default is a temporary error code (403 4.7.0)
-unless the macro TLS_PERM_ERR is set during generation of the .cf file.
+or permanent error. The default is a temporary error code unless
+the macro TLS_PERM_ERR is set during generation of the .cf file.
If a certain level of encryption is required, then it might also be
possible that this level is provided by the security layer from a SASL
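Review bot: The rewritten sentence drops "(403 4.7.0)" and now says only "a temporary error code", so the reader can no longer tell which reply to expect or search for in logs. If the code is no longer fixed, say where it is defined; otherwise keep the concrete value next to the TLS_PERM_ERR description.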
@@ -3256,9 +3265,10 @@ default TLS options are not modified.
About 2): the rulesets try_tls, srv_features, and clt_features can
be used together with the access map. Entries for the access map
must be tagged with Try_TLS, Srv_Features, Clt_Features and refer
-to the hostname or IP address of the connecting system. A default
-case can be specified by using just the tag. For example, the
-following entries in the access map:
+to the hostname or IP address of the connecting system (the latter
+is not available for clt_features). A default case can be specified
+by using just the tag. For example, the following entries in the
+access map:
Try_TLS:broken.server NO
Srv_Features:my.domain v
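Review bot: The new parenthetical "(the latter is not available for clt_features)" leaves open what happens to a Clt_Features entry keyed by IP address: is it ignored, or is it an error? Stating it directly, for example "Clt_Features entries must use the hostname", would be clearer than "the latter", and the sample entries that follow show only Try_TLS and Srv_Features, so a Clt_Features line there would help.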
@@ -3376,6 +3386,7 @@ or FEATURE(`authinfo') must be used which provides a separate map.
Notice: It is not checked whether the map is actually
group/world-unreadable, this is left to the user.
+
+--------------------------------+
| ADDING NEW MAILERS OR RULESETS |
+--------------------------------+
@@ -3461,6 +3472,7 @@ groups can be defined using the command:
For details about queue groups, please see doc/op/op.{me,ps,txt}.
+
+-------------------------------+
| NON-SMTP BASED CONFIGURATIONS |
+-------------------------------+
@@ -4406,6 +4418,9 @@ confCERT_FINGERPRINT_ALGORITHM CertFingerprintAlgorithm
confSSL_ENGINE SSLEngine [undefined] Name of SSLEngine.
confSSL_ENGINE_PATH SSLEnginePath [undefined] Path to dynamic library
for SSLEngine.
+confOPENSSL_CNF [/etc/mail/sendmail.ossl] Set the
+ environment variable OPENSSL_CONF.
+ An empty value disables setting it.
confNICE_QUEUE_RUN NiceQueueRun [undefined] If set, the priority of
queue runners is set the given value
(nice(3)).
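Review bot: The new confOPENSSL_CNF row has no entry in the option-name column, while the surrounding rows (confSSL_ENGINE SSLEngine, confNICE_QUEUE_RUN NiceQueueRun) list one; add the name or mark the column explicitly if there is none. The row should also say how this default of /etc/mail/sendmail.ossl interacts with the first argument of the fips3 feature, which sets the same OPENSSL_CONF variable, and the spelling CNF against CONF invites typos in mc files.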