author: Laurent Bercot <ska-skaware@skarnet.org> 2026-04-18 13:49:06 +0000
committer: Laurent Bercot <ska-skaware@skarnet.org> 2026-04-18 13:49:06 +0000
commit: 0abe71af12ac88eed440bb7f5e6324e679ac5cf5 (patch)
tree: ade7a3e673817ccf0c0c6369c1b88db8cc84a511 /doc
parent: afc46cad9ae4d6df594820c6cd7f10bf6b5a0271 (diff)
download: smtpd-starttls-proxy-0abe71af12ac88eed440bb7f5e6324e679ac5cf5.tar.gz
Update deps; update qmail-remote's doc for tls
Diffstat (limited to 'doc')
-rw-r--r-- doc/index.html 10
-rw-r--r-- doc/qmail-remote.html 15
-rw-r--r-- doc/upgrade.html 2
3 files changed, 20 insertions, 7 deletions
diff --git a/doc/index.html b/doc/index.html
index d2a3ef9..3121361 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -25,6 +25,14 @@
inetd-like mail servers that do not already support it.
</p>
+<p>
+ It comes with a chainloading binary implementing server-side
+STARTTLS, as well as a full-featured modern replacement for
+<a href="https://cr.yp.to/qmail.html">qmail</a>'s
+<a href="http://qmail.org/qmail-manual-html/man8/qmail-remote.html">qmail-remote</a>
+SMTP client.
+</p>
+
<hr />
<h2> Installation </h2>
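Review bot: The added paragraph links "qmail-remote" only to the original man page on qmail.org, and over plain http, while the replacement it announces is documented in this tree at doc/qmail-remote.html. Consider linking the words "modern replacement" to qmail-remote.html so that readers reach the TLS configuration documentation from the index, and check whether the qmail.org link can use https like the cr.yp.to link on the line above it.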
@@ -44,7 +52,7 @@ library. </li>
2.4.1.2 or later. It's a build-time requirement. It's also a run-time requirement
if you link against the shared version of the s6-dns library. </li>
<li> <a href="//skarnet.org/software/s6-networking/">s6-networking</a> version
-2.7.3.0 or later. It's a build-time and run-time requirement. </li>
+2.8.0.0 or later. It's a build-time and run-time requirement. </li>
</ul>
<h3> Licensing </h3>
diff --git a/doc/qmail-remote.html b/doc/qmail-remote.html
index fd8a395..cde8643 100644
--- a/doc/qmail-remote.html
+++ b/doc/qmail-remote.html
@@ -95,7 +95,9 @@ certificate validation. If the path ends with a slash, like <tt>/etc/ssl/certs/<
then it is interpreted as a directory containing hashes to the certificates. If
it does not, like <tt>/etc/ssl/cert.pem</tt>, then it is interpreted as a big
PEM file containing all the trust anchors. If the file is nonexistent or empty,
-or only contains a newline, then STARTTLS is not attempted. </dd>
+or only contains a newline, then STARTTLS is not attempted. Note that the
+trust anchor list is only useful when <tt>tlsstrictness</tt> is 2 (see below),
+but you still need a non-empty list in order to attempt STARTTLS. </dd>
<dt> <tt>clientcert</tt> </dt>
<dd> If this file exists and is nonempty, it must contain the path to a client
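Review bot: The added note on the trust anchor list leaves the combination of an empty or missing list with tlsstrictness 2 undefined: this entry says STARTTLS is then not attempted, while the tlsstrictness entry says value 2 refuses servers that fail to set STARTTLS up. State here which rule wins, that is, whether the mail is refused or sent in cleartext, since an administrator who sets strictness 2 with a wrong path needs to know that the failure is closed. It would also help to replace "only useful" with a plain statement that below 2 the list must be present but certificates are not checked against it.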
@@ -118,7 +120,10 @@ STARTTLS command fails. <strong>1</strong> means that <tt>qmail-remote</tt> will
attempt to find a server that supports STARTTLS in order to transmit its e-mail,
but will fallback to cleartext if it cannot find any. <strong>2</strong> means that
<tt>qmail-remote</tt> will flat out refuse to send e-mail to servers that do not
-support STARTTLS or fail to set it up. </dd>
+support STARTTLS or fail to set it up. It will also properly verify certificates,
+whereas a value lower than 2 doesn't care if the certificate chain does not begin
+with a trusted anchor (since it would eventually fall back on an insecure
+transport anyway). </dd>
</dl>
<h2 id="implementation"> Implementation notes </h2>
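Review bot: "properly verify certificates" in the text added for value 2 does not say what is verified; the parenthetical only covers a chain that begins with a trusted anchor. Spell out the checks performed at 2 (for instance whether the server name is matched against the certificate), and consider stating that at values below 2 the session is encrypted but the peer is not authenticated, so that value 1 is not read as protection against an active attacker.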
@@ -163,10 +168,10 @@ exchange is actually handled by a separate binary:
shows a <tt>qmail-remote-io</tt> process under <tt>qmail-rspawn</tt> instead
of the regular <tt>qmail-remote</tt>, that is normal, it means that
<tt>qmail-remote</tt> has found a suitable server and is transmitting its
-data. If there is a
+data. If <tt>qmail-remote</tt> has a <a href="qmail-remote-io.html">qmail-remote-io</a>
+child that itself has a
<a href="https://skarnet.org/software/s6-networking/s6-tlsc-io.html">s6-tlsc-io</a>
-process running as the child of <tt>qmail-remote-io</tt>, it means that the
-connection is happening under TLS. </li>
+child, it means that the transfer is happening under TLS. </li>
</ul>
</body>
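Review bot: The rewritten sentence ends with "the transfer is happening under TLS", which, given the tlsstrictness text changed in this same patch, does not imply a verified peer: at values below 2 an s6-tlsc-io child is present even when the certificate chain does not begin with a trusted anchor. Add a short qualifier that the process tree shows encryption only and that verification depends on tlsstrictness. Minor: the s6-tlsc-io link uses an absolute https://skarnet.org URL while index.html uses protocol-relative //skarnet.org links.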
diff --git a/doc/upgrade.html b/doc/upgrade.html
index 7ee8df0..6968ffa 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -29,7 +29,7 @@ dependency bumped to 2.15.0.0 </li>
dependency bumped to 2.15.0.0 </li>
<li> New dependency: <a href="//skarnet.org/software/s6-dns/">s6-dns</a> 2.4.1.2 </li>
<li> <a href="//skarnet.org/software/s6-networking/">s6-networking</a>
-dependency bumped to 2.7.3.0 and made mandatory. </li>
+dependency bumped to 2.8.0.0 and made mandatory. </li>
</ul>
<h2> in 0.0.2.1 </h2>
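Review bot: The version in this list item changes from 2.7.3.0 to 2.8.0.0 with no reason recorded, here or in the matching index.html line. Upgrade notes are where an administrator looks for this; if the certificate verification behaviour documented for tlsstrictness 2 in qmail-remote.html needs the newer s6-networking, say so in this item.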