1 $Cambridge: exim/doc/doc-txt/NewStuff,v 1.1 2004/10/07 15:04:35 ph10 Exp $
6 This file contains descriptions of new features that have been added to Exim,
7 but have not yet made it into the main manual (which is most conveniently
8 updated when there is a relatively large batch of changes). The doc/ChangeLog
9 file contains a listing of all changes, including bug fixes.
15 1. There is a new Boolean global option called mua_wrapper, defaulting false.
16 This causes Exim to run an a restricted mode, in order to provide a very
19 Background: On a personal computer, it is a common requirement for all
20 email to be sent to a smarthost. There are plenty of MUAs that can be
21 configured to operate that way, for all the popular operating systems.
22 However, there are MUAs for Unix-like systems that cannot be so configured:
23 they submit messages using the command line interface of
24 /usr/sbin/sendmail. In addition, utility programs such as cron submit
27 Requirement: The requirement is for something that can provide the
28 /usr/sbin/sendmail interface and deliver messages to a smarthost, but not
29 provide any queueing or retrying facilities. Furthermore, the delivery to
30 the smarthost should be synchronous, so that if it fails, the sending MUA
31 is immediately informed. In other words, we want something that in effect
32 converts a command-line MUA into a TCP/SMTP MUA.
34 Solutions: There are a number of applications (for example, ssmtp) that do
35 this job. However, people have found them to be lacking in various ways.
36 For instance, some sites want to allow aliasing and forwarding before
37 sending to the smarthost.
39 Using Exim: Exim already had the necessary infrastructure for doing this
40 job. Just a few tweaks were needed to make it behave as required, though it
41 is somewhat of an overkill to use a fully-featured MTA for this purpose.
43 Setting mua_wrapper=true causes Exim to run in a special mode where it
44 assumes that it is being used to "wrap" a command-line MUA in the manner
47 If you set mua_wrapper=true, you also need to provide a compatible router
48 and transport configuration. Typically there will be just one router and
49 one transport, sending everything to a smarthost.
51 When run in MUA wrapping mode, the behaviour of Exim changes in the
54 (a) A daemon cannot be run, nor will Exim accept incoming messages from
55 inetd. In other words, the only way to submit messages is via the
58 (b) Each message is synchonously delivered as soon as it is received (-odi
59 is assumed). All queueing options (queue_only, queue_smtp_domains,
60 control=queue, control=freeze in an ACL etc.) are quietly ignored. The
61 Exim reception process does not finish until the delivery attempt is
62 complete. If the delivery was successful, a zero return code is given.
64 (c) Address redirection is permitted, but the final routing for all
65 addresses must be to the same remote transport, and to the same list of
66 hosts. Furthermore, the return_address must be the same for all
67 recipients, as must any added or deleted header lines. In other words,
68 it must be possible to deliver the message in a single SMTP
69 transaction, however many recipients there are.
71 (d) If the conditions in (c) are not met, or if routing any address results
72 in a failure or defer status, or if Exim is unable to deliver all the
73 recipients successfully to one of the hosts immediately, delivery of
74 the entire message fails.
76 (e) Because no queueing is allowed, all failures are treated as permanent;
77 there is no distinction between 4xx and 5xx SMTP response codes from
78 the smarthost. Furthermore, because only a single yes/no response can
79 be given to the caller, it is not possible to deliver to some
80 recipients and not others. If there is an error (temporary or
81 permanent) for any recipient, all are failed.
83 (f) If more than one host is listed, Exim will try another host after a
84 connection failure or a timeout, in the normal way. However, if this
85 kind of failure happens for all the hosts, the delivery fails.
87 (g) When delivery fails, an error message is written to the standard error
88 stream (as well as to Exim's log), and Exim exits to the caller with a
89 return code value 1. The message is expunged from Exim's spool files.
90 No bounce messages are ever generated.
92 (h) No retry data is maintained, and any retry rules are ignored.
94 (i) A number of Exim options are overridden: deliver_drop_privilege is
95 forced true, max_rcpt in the smtp transport is forced to "unlimited",
96 remote_max_parallel is forced to one, and fallback hosts are ignored.
98 The overall effect is that Exim makes a single synchronous attempt to
99 deliver the message, failing if there is any kind of problem. Because no
100 local deliveries are done and no daemon can be run, Exim does not need root
101 privilege. It should be possible to run it setuid=exim instead of
102 setuid=root. See section 48.3 in the 4.40 manual for a general discussion
103 about the advantages and disadvantages of running without root privilege.
105 2. There have been problems with DNS servers when SRV records are looked up.
106 Some mis-behaving servers return a DNS error or timeout when a non-existent
107 SRV record is sought. Similar problems have in the past been reported for
108 MX records. The global dns_again_means_nonexist option can help with this
109 problem, but it is heavy-handed because it is a global option. There are
110 now two new options for the dnslookup router. They are called
111 srv_fail_domains and mx_fail_domains. In each case, the value is a domain
112 list. If an attempt to look up an SRV or MX record results in a DNS failure
113 or "try again" response, and the domain matches the relevant list, Exim
114 behaves as if the DNS had responded "no such record". In the case of an SRV
115 lookup, this means that the router proceeds to look for MX records; in the
116 case of an MX lookup, it proceeds to look for A or AAAA records, unless the
117 domain matches mx_domains.
119 3. The following functions are now available in the local_scan() API:
121 (a) void header_remove(int occurrence, uschar *name)
123 This function removes header lines. If "occurrence" is zero or negative,
124 all occurrences of the header are removed. If occurrence is greater
125 than zero, that particular instance of the header is removed. If no
126 header(s) can be found that match the specification, the function does
129 (b) BOOL header_testname(header_line *hdr, uschar *name, int length,
132 This function tests whether the given header has the given name. It
133 is not just a string comparison, because whitespace is permitted
134 between the name and the colon. If the "notdel" argument is TRUE, a
135 FALSE return is forced for all "deleted" headers; otherwise they are
136 not treated specially. For example:
138 if (header_testname(h, US"X-Spam", 6, TRUE)) ...
140 (c) void header_add_at_position(BOOL after, uschar *name, BOOL topnot,
141 int type, char *format, ...)
143 This function adds a new header line at a specified point in the header
144 chain. If "name" is NULL, the new header is added at the end of the
145 chain if "after" is TRUE, or at the start if "after" is FALSE. If
146 "name" is not NULL, the headers are searched for the first non-deleted
147 header that matches the name. If one is found, the new header is added
148 before it if "after" is FALSE. If "after" is true, the new header is
149 added after the found header and any adjacent subsequent ones with the
150 same name (even if marked "deleted"). If no matching non-deleted header
151 is found, the "topnot" option controls where the header is added. If it
152 is TRUE, addition is at the top; otherwise at the bottom. Thus, to add
153 a header after all the Received: headers, or at the top if there are no
154 Received: headers, you could use
156 header_add_at_position(TRUE, US"Received", TRUE, ' ', "X-xxx: ...");
158 Normally, there is always at least one non-deleted Received: header,
159 but there may not be if received_header_text expands to an empty
162 (d) BOOL receive_remove_recipient(uschar *recipient)
164 This is a convenience function to remove a named recipient from the
165 list of recipients. It returns TRUE if a recipient was removed, and
166 FALSE if no matching recipient could be found. The argument must be a
167 complete email address.
169 4. When an ACL "warn" statement adds one or more header lines to a message,
170 they are added at the end of the existing header lines by default. It is
171 now possible to specify that any particular header line should be added
172 right at the start (before all the Received: lines) or immediately after
173 the first block of Received: lines in the message. This is done by
174 specifying :at_start: or :after_received: (or, for completeness, :at_end:)
175 before the text of the header line. (Header text cannot start with a colon,
176 as there has to be a header name first.) For example:
178 warn message = :after_received:X-My-Header: something or other...
180 If more than one header is supplied in a single warn statement, each one is
181 treated independently and can therefore be placed differently. If you add
182 more than one line at the start, or after the Received: block, they will
183 end up in reverse order.
185 Warning: This facility currently applies only to header lines that are
186 added in an ACL. It does NOT work for header lines that are added in a
187 system filter or in a router or transport.
189 5. There is now a new error code that can be used in retry rules. Its name is
190 "rcpt_4xx", and there are three forms. A literal "rcpt_4xx" matches any 4xx
191 error received for an outgoing SMTP RCPT command; alternatively, either the
192 first or both of the x's can be given as digits, for example: "rcpt_45x" or
193 "rcpt_436". If you want (say) to recognize 452 errors given to RCPT
194 commands by a particular host, and have only a one-hour retry for them, you
195 can set up a retry rule of this form:
197 the.host.name rcpt_452 F,1h,10m
199 Naturally, this rule must come before any others that would match.
201 These new errors apply to both outgoing SMTP (the smtp transport) and
202 outgoing LMTP (either the lmtp transport, or the smtp transport in LMTP
203 mode). Note, however, that they apply only to responses to RCPT commands.
205 6. The "postmaster" option of the callout feature of address verification has
206 been extended to make it possible to use a non-empty MAIL FROM address when
207 checking a postmaster address. The new suboption is called "postmaster_
208 mailfrom", and you use it like this:
210 require verify = sender/callout=postmaster_mailfrom=abc@x.y.z
212 Providing this suboption causes the postmaster check to be done using the
213 given address. The original "postmaster" option is equivalent to
215 require verify = sender/callout=postmaster_mailfrom=
217 If both suboptions are present, the rightmost one overrides.
221 (1) If you use a non-empty sender address for postmaster checking, there is
222 the likelihood that the remote host will itself initiate a callout
223 check back to your host to check that address. As this is a "normal"
224 callout check, the sender will most probably be empty, thus avoiding
225 possible callout loops. However, to be on the safe side it would be
226 best to set up your own ACLs so that they do not do sender verification
227 checks when the recipient is the address you use for postmaster callout
230 (2) The caching arrangements for postmaster checking do NOT take account of
231 the sender address. It is assumed that either the empty address, or a
232 fixed non-empty address will be used. All that Exim remembers is that
233 the postmaster check for the domain succeeded or failed.
235 7. When verifying addresses in header lines using the verify=header_sender
236 option, Exim behaves by default as if the addresses are envelope sender
237 addresses from a message. Callout verification therefore tests to see
238 whether a bounce message could be delivered, by using an empty address in
239 the MAIL FROM command. However, it is arguable that these addresses might
240 never be used as envelope senders, and could therefore justifiably reject
241 bounce messages (empty senders). There is now an additional callout option
242 for verify=header_sender that allows you to specify what address to use in
243 the MAIL FROM command. You use it as in this example:
245 require verify = header_sender/callout=mailfrom=abcd@x.y.z
249 (1) As in the case of postmaster_mailfrom (see above), you should think
250 about possible loops.
252 (2) In this case, as in the case of recipient callouts with non-empty
253 senders (the use_sender option), caching is done on the basis of a
254 recipient/sender pair.
256 8. If you build Exim with USE_READLINE=yes in Local/Makefile, it will try to
257 load libreadline dynamically whenever the -be (test expansion) option is
258 used without command line arguments. If successful, it will then use
259 readline() for reading the test data. A line history is supported. By the
260 time Exim does this, it is running as the calling user, so this should not
261 cause any security problems. Security is the reason why this is NOT
262 supported for -bt or -bv, when Exim is running as root or exim,
263 respectively. Note that this option adds to the size of the Exim binary,
264 because the dynamic loading library is not otherwise included. On my
265 desktop it adds about 2.5K. You may need to add -ldl to EXTRA_LIBS when you
266 set USE_READLINE=yes.
268 9. Added ${str2b64:<string>} to the expansion operators. This operator
269 converts an arbitrary string into one that is base64 encoded.
271 10. A new authenticator, called cyrus_sasl, has been added. This requires
272 the presence of the Cyrus SASL library; it authenticates by calling this
273 library, which supports a number of authentication mechanisms, including
274 PLAIN and LOGIN, but also several others that Exim does not support
275 directly. The code for this authenticator was provided by Matthew
276 Byng-Maddick of A L Digital Ltd (http://www.aldigital.co.uk). Here follows
279 xx. THE CYRUS_SASL AUTHENTICATOR
281 The cyrus_sasl authenticator provides server support for the Cyrus library
282 Implementation of the RFC 2222 "Simple Authentication and Security Layer".
283 It provides a gatewaying mechanism directly to the Cyrus interface, so if
284 your Cyrus library can do, for example, CRAM-MD5, then so can the
285 cyrus_sasl authenticator. By default it uses the public name of the driver
286 to determine which mechanism to support.
288 Where access to some kind of secret file is required, for example in GSSAPI
289 or CRAM-MD5, it is worth noting that the authenticator runs as the exim
290 user, and that the Cyrus SASL library has no way of escalating privileges
291 by default. You may also find you need to set environment variables,
292 depending on the driver you are using.
294 xx.1 Using cyrus_sasl as a server
296 The cyrus_sasl authenticator has four private options. It puts the username
297 (on a successful authentication) into $1.
299 server_hostname Type: string* Default: $primary_hostname
301 This option selects the hostname that is used when communicating with
302 the library. It is up to the underlying SASL plug-in what it does with
305 server_mech Type: string Default: public_name
307 This option selects the authentication mechanism this driver should
308 use. It allows you to use a different underlying mechanism from the
309 advertised name. For example:
313 public_name = X-ANYTHING
314 server_mech = CRAM-MD5
317 server_realm Type: string Default: unset
319 This is the SASL realm that the server is claiming to be in.
321 server_service Type: string Default: "smtp"
323 This is the SASL service that the server claims to implement.
325 For straigthforward cases, you do not need to set any of the
326 authenticator's private options. All you need to do is to specify an
327 appropriate mechanism as the public name. Thus, if you have a SASL library
328 that supports CRAM-MD5 and PLAIN, you might have two authenticators as
333 public_name = CRAM-MD5
341 11. There is a new global option called tls_on_connect_ports. Its value must be
342 a list of port numbers; the most common use is expected to be
344 tls_on_connect_ports = 465
346 Setting this option has the same effect as -tls-on-connect on the command
347 line, but only for the specified ports. It applies to all connections, both
348 via the daemon and via inetd. You still need to specify all the ports for
349 the daemon (using daemon_smtp_ports or local_interfaces or the -X command
350 line option) because this option does not add an extra port -- rather, it
351 specifies different behaviour on a port that is defined elsewhere. The
352 -tls-on-connect command line option overrides tls_on_connect_ports, and
353 forces tls-on-connect for all ports.
355 12. There is a new ACL that is run when a DATA command is received, before the
356 data itself is received. The ACL is defined by acl_smtp_predata. (Compare
357 acl_smtp_data, which is run after the data has been received.)
358 This new ACL allows a negative response to be given to the DATA command
359 itself. Header lines added by MAIL or RCPT ACLs are not visible at this
360 time, but any that are defined here are visible when the acl_smtp_data ACL
363 13. The "control=submission" ACL modifier has an option "/domain=xxx" which
364 specifies the domain to be used when creating From: or Sender: lines using
365 the authenticated id as a local part. If the option is supplied with an
366 empty domain, that is, just "/domain=", Exim assumes that the authenticated
367 id is a complete email address, and it uses it as is when creating From:
370 14. It is now possible to make retry rules that apply only when the failing
371 message has a specific sender. In particular, this can be used to define
372 retry rules that apply only to bounce messages. The syntax is to add a new
373 third item to a retry rule, of the form "senders=<address list>". The retry
374 timings themselves then become the fourth item. For example:
376 * * senders=: F,1h,30m
378 would match all bounce messages. If the address list contains white space,
379 it must be enclosed in quotes. For example:
381 a.domain timeout senders="x@b.dom : y@c.dom" G,8h,10m,1.5
383 When testing retry rules using -brt, you can supply a sender using the -f
384 command line option, like this:
386 exim -f "" -brt user@dom.ain
388 If you do not set -f with -brt, a retry rule that contains a senders list
389 will never be matched.
391 15. Two new control modifiers have been added to ACLs: "control = enforce_sync"
392 and "control = no_enforce_sync". This makes it possible to be selective
393 about when SMTP synchronization is enforced. The global option
394 smtp_enforce_sync now specifies the default state of the switch. These
395 controls can appear in any ACL, but the most obvious place to put them is
396 in the ACL defined by acl_smtp_connect, which is run at the start of an
397 incoming SMTP connection, before the first synchronization check.
399 16. Another two new control modifiers are "control = caseful_local_part" and
400 "control = caselower_local_part". These are permitted only in the ACL
401 specified by acl_smtp_rcpt (i.e. during RCPT processing). By default, the
402 contents of $local_part are lower cased before ACL processing.
403 After "control = caseful_local_part", any uppercase letters in the original
404 local part are restored in $local_part for the rest of the ACL, or until
405 "control = caselower_local_part" is encountered. However, this applies only
406 to local part handling that takes place directly in the ACL (for example,
407 as a key in lookups). If a "verify = recipient" test is obeyed, the
408 case-related handling of the local part during the verification is
409 controlled by the router configuration (see the caseful_local_part generic
412 This facility could be used, for example, to add a spam score to local
413 parts containing upper case letters. For example, using $acl_m4 to
414 accumulate the spam score:
416 warn control = caseful_local_part
417 set acl_m4 = ${eval:\
419 ${if match{$local_part}{[A-Z]}{1}{0}}\
421 control = caselower_local_part
423 Notice that we put back the lower cased version afterwards, assuming that
424 is what is wanted for subsequent tests.
426 17. The option hosts_connection_nolog is provided so that certain hosts can be
427 excepted from logging when the +smtp_connection log selector is set. For
428 example, you might want not to log SMTP connections from local processes,
429 or from 127.0.0.1, or from your local LAN. The option is a host list with
430 an unset default. Because it is consulted in the main loop of the daemon,
431 you should strive to restrict its value to a short inline list of IP
432 addresses and networks. To disable logging SMTP connections from local
433 processes, you must create a host list with an empty item. For example:
435 hosts_connection_nolog = :
437 If the +smtp_connection log selector is not set, this option has no effect.
439 18. There is now an acl called acl_smtp_quit, which is run for the QUIT
440 command. The outcome of the ACL does not affect the response code to QUIT,
441 which is always 221. Thus, the ACL does not in fact control any access.
442 For this reason, the only verbs that are permitted are "accept" and "warn".
444 The ACL can be used for tasks such as custom logging at the end of an SMTP
445 session. For example, you can use ACL variables in other ACLs to count
446 messages, recipients, etc., and log the totals at QUIT time using one or
447 more "logwrite" modifiers on a "warn" command.
449 You do not need to have a final "accept", but if you do, you can use a
450 "message" modifier to specify custom text that is sent as part of the 221
453 This ACL is run only for a "normal" QUIT. For certain kinds of disastrous
454 failure (for example, failure to open a log file, or when Exim is bombing
455 out because it has detected an unrecoverable error), all SMTP commands
456 from the client are given temporary error responses until QUIT is received
457 or the connection is closed. In these special cases, the ACL is not run.
459 19. The appendfile transport has two new options, mailbox_size and mailbox_
460 filecount. If either these options are set, it is expanded, and the result
461 is taken as the current size of the mailbox or the number of files in the
462 mailbox, respectively. This makes it possible to use some external means of
463 maintaining the data about the size of a mailbox for enforcing quota
464 limits. The result of expanding these option values must be a decimal
465 number, optionally followed by "K" or "M".
467 20. It seems that there are broken clients in use that cannot handle multiline
468 SMTP responses. Can't people who implement these braindead programs read?
469 RFC 821 mentions multiline responses, and it is over 20 years old. They
470 must handle multiline responses for EHLO, or do they still use HELO?
471 Anyway, here is YAWFAB (yet another workaround for asinine brokenness).
472 There's a new ACL switch that can be set by
474 control = no_multiline_responses
476 If this is set, it suppresses multiline SMTP responses from ACL rejections.
477 One way of doing this would have been just to put out these responses as
478 one long line. However, RFC 2821 specifies a maximum of 512 bytes per
479 response ("use multiline responses for more" it says), and some of the
480 responses might get close to that. So I have implemented this by doing two
483 (1) Extra information that is normally output as part of a rejection
484 caused by sender verification failure is omitted. Only the final line
485 (typically "sender verification failed") is now sent.
487 (2) If a "message" modifier supplies a multiline response, only the first
490 The setting of the switch can, of course, be made conditional on the
493 21. There is now support for the libradius library that comes with FreeBSD.
494 This is an alternative to the radiusclient library that Exim already
495 supports. To use the FreeBSD library, you need to set
497 RADIUS_LIB_TYPE=RADLIB
499 in Local/Makefile, in addition to RADIUS_CONFIGURE_FILE, and you probably
500 also need -libradius in EXTRALIBS.
506 1. The "personal" filter test is brought up-to-date with recommendations from
507 the Sieve specification: (a) The list of non-personal From: addresses now
508 includes "listserv", "majordomo", and "*-request"; (b) If the message
509 contains any header line starting with "List=-" it is treated as
512 2. The Sieve functionality has been extended to support the "copy" and
513 "vacation" extensions, and comparison tests.
515 3. There is now an overall timeout for performing a callout verification. It
516 defaults to 4 times the callout timeout, which applies to individual SMTP
517 commands during the callout. The overall timeout applies when there is more
518 than one host that can be tried. The timeout is checked before trying the
519 next host. This prevents very long delays if there are a large number of
520 hosts and all are timing out (e.g. when the network connections are timing
521 out). The value of the overall timeout can be changed by specifying an
522 additional sub-option for "callout", called "maxwait". For example:
524 verify = sender/callout=5s,maxwait=20s
526 4. Changes to the "personal" filter test:
528 (1) The list of non-personal local parts in From: addresses has been
529 extended to include "listserv", "majordomo", "*-request", and "owner-*",
530 taken from the Sieve specification recommendations.
532 (2) If the message contains any header line starting with "List-" it is
533 treated as non-personal.
535 (3) The test for "circular" in the Subject: header line has been removed
536 because it now seems ill-conceived.
538 5. The autoreply transport has a new option called never_mail. This is an
539 address list. If any run of the transport creates a message with a
540 recipient that matches any item in the list, that recipient is quietly
541 discarded. If all recipients are discarded, no message is created.
547 The documentation is up-to-date for the 4.40 release. What follows here is a
548 brief list of the new features that have been added since 4.30.
550 1. log_incoming_interface affects more log lines.
552 2. New ACL modifier "control = submission".
554 3. CONFIGURE_OWNER can be set at build time to define an alternative owner for
555 the configuration file, in addition to root and exim.
557 4. Added expansion variables $body_zerocount, $recipient_data, and
560 5. The time of last modification of the "new" subdirectory is now used as the
561 "mailbox time last read" when there is a quota error for a maildir
564 6. The special item "+ignore_unknown" may now appear in host lists.
566 7. The special domain-matching patterns @mx_any, @mx_primary, and
567 @mx_secondary can now be followed by "/ignore=<ip list>".
569 8. New expansion conditions: match_domain, match_address, match_local_part,
570 lt, lti, le, lei, gt, gti, ge, and new expansion operators time_interval,
573 9. New lookup type called "iplsearch".
575 10. New log selectors ident_timeout, tls_certificate_verified, queue_time,
576 deliver_time, outgoing_port, return_path_on_delivery.
578 11. New global options smtp_active_hostname and tls_require_ciphers.
580 12. Exinext has -C and -D options.
582 13. "domainlist_cache" forces caching of an apparently variable list.
584 14. For compatibility with Sendmail, the command line option -prval:sval
585 is equivalent to -oMr rval -oMs sval.
587 15. New callout options use_sender and use_postmaster for use when verifying
590 16. John Jetmore's "exipick" utility has been added to the distribution.
592 17. The TLS code now supports CRLs.
594 18. The dnslookup router and the dnsdb lookup type now support the use of SRV
597 19. The redirect router has a new option called qualify_domain.
599 20. exigrep's output now also includes lines that are not related to any
600 particular message, but which do match the pattern.
602 21. New global option write_rejectlog. If it is set false, Exim no longer
603 writes anything to the reject log.