--- /dev/null
+## $Cambridge: exim/doc/doc-src/FAQ.src,v 1.1 2004/10/07 15:04:35 ph10 Exp $
+##
+## This file is processed by Perl scripts to produce an ASCII and an HTML
+## version. Lines starting with ## are omitted. The markup used with paragraphs
+## is as follows:
+##
+## Markup User for HTML Text
+## ------------------------------------------------------
+## \...\ option fixed-pitch "quoted"
+## \$...$\ variable $italic $plain
+## \*...*\ titles, quotes italic "quoted"
+## \(...)\ file name italic plain
+## \[...]\ replaceable <italic> <plain>
+## \?...?\ URL URL plain
+## \^...^\ Unix command italic plain
+## \%...%\ Exim driver bold "quoted"
+## \^^.^^\ C function bold plain
+## ::...:: header name italic: plain:
+## //...// domain italic plain
+## \/.../\ local part italic plain
+## \"..."\ literal fixed-pitch "quoted"
+## \\...\\ SMTP, build small caps caps
+## \**...**\ warn, item bold plain
+## \-...-\ cmd option -italic -plain
+## \# hard space space
+##
+## ``...'' quoted string “...” "..."
+##
+## @\ is used when a real backslash is required
+##
+## In addition, sequences of not blank lines that start with ==> are displayed
+## in fixed-pitch with no further interpretation. A line containing only [[br]]
+## is removed from the text version, but turned into <br> in the HTML version.
+##
+## The starts of sections and of questions and answers are automatically
+## detected by the scripts.
+##
+##
+THE EXIM FAQ
+------------
+
+This is the FAQ for the Exim Mail Transfer Agent. Many thanks to the many
+people who provided the original information. This file would be amazingly
+cluttered if I tried to list them all. Suggestions for corrections,
+improvements, and additions are always welcome.
+
+This version of the FAQ applies to Exim 4.00 and later releases. It has been
+extensively revised, and material that was relevant only to earlier releases
+has been removed. As this caused some whole sections to disappear, I've taken
+the opportunity to re-arrange the sections and renumber everything except the
+configuration samples.
+
+References of the form Cnnn, Fnnn, Lnnn, and Snnn are to the sample
+configuration, filter, \^^local_scan()^^\, and ``useful script'' files. These
+are hyperlinked from the HTML version of this FAQ. They can also be found in
+the separately distributed directory called \(config.samples)\. The primary
+location is
+
+\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.gz?\
+\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.bz2?\
+
+There are brief descriptions of these files at the end of this document.
+
+Philip Hazel
+Last update: 31-March-2004
+
+
+The FAQ is divided into the following sections:
+
+ 0. General Debugging
+ 1. Building and Installing
+ 2. Routing in general
+ 3. Routing to remote hosts
+ 4. Routing for local delivery
+ 5. Filtering
+ 6. Delivery
+ 7. Policy controls
+ 8. Rewriting addresses
+ 9. Headers
+ 10. Performance
+ 11. Majordomo
+ 12. Fetchmail
+ 13. Perl
+ 14. Dial-up and ISDN
+ 15. UUCP
+ 16. Modifying message bodies
+ 17. Encryption (TLS/SSL)
+ 20. Millennium
+ 50. Miscellaneous
+ 91. Mac OS X
+ 92. FreeBSD
+ 93. HP-UX
+ 94. BSDI
+ 95. IRIX
+ 96. Linux
+ 97. Sun sytems
+ 98. Configuration cookbook
+ 99. List of sample configurations
+
+
+
+0. GENERAL DEBUGGING
+
+Q0001: Exim is crashing. What is wrong?
+
+A0001: Exim should never crash. The author is always keen to know about
+ crashes, so that they can be diagnosed and fixed. However, before you
+ start sending me email, please check that you are running the latest
+ release of Exim, in case the problem has already been fixed. The
+ techniques described below can also be useful in trying to pin down
+ exactly which circumstances caused the crash and what Exim was trying to
+ do at the time. If the crash is reproducable (by a particular message,
+ say) keep a copy of that message.
+
+
+Q0002: Exim is not working. What is wrong? How can I check what it is doing?
+
+A0002: Exactly how is it not working? Check the more specific questions in the
+ other sections of this FAQ. Some general techniques for debugging are:
+
+ (1) Look for information in Exim's log files. These are in the \(log)\
+ directory in Exim's spool directory, unless you have configured a
+ different path for them. Serious operational problems are reported
+ in paniclog.
+
+ (2) If the problem involves the delivery of one or more messages, try
+ forcing a delivery with the \-M-\ option and also set the \-d-\
+ option, to cause Exim to output debugging information. For example:
+
+==> exim -d -M 0z6CXU-0005RR-00
+
+ The output is written to the standard error stream. You need to have
+ admin privileges to use \-M-\ and \-d-\.
+
+ (3) If the problem involves incoming SMTP mail, try using the \-bh-\
+ option to simulate an incoming connection from a specific host,
+ for example:
+
+==> exim -bh 10.9.8.7
+
+ This goes through the motions of an SMTP session, without actually
+ accepting a message. Information about various policy checks is
+ output. You will need to know how to pretend to be an SMTP client.
+
+ (4) If the problem involves lack of recognition or incorrect handling
+ of local addresses, try using the \-bt-\ option with debugging turned
+ on, to see how Exim is handling the address. For example,
+
+==> exim -d -bt z6abc
+
+ shows you how it would handle the local part \"z6abc"\.
+
+
+Q0003: What does the error \*Child process of address_pipe transport returned
+ 69 from command xxx*\ mean?
+
+A0003: It means that when a transport called \%address_pipe%\ was run to pass an
+ email message by means of a pipe to another process running the command
+ xxx, the return code from that command was 69, which indicates some kind
+ of error (the success return code is 0).
+
+ The most common meaning of exit code 69 is ``unavailable'', and this often
+ means that when Exim tried to run the command \(xxx)\, it failed. One
+ cause of this might be incorrect permissions on the file containing the
+ command. See also Q0026.
+
+
+Q0004: My virtual domain setup isn't working. How can I debug it?
+
+A0004: You can use an exim command with \-d-\ to get it to show you how it is
+ processing addresses. You don't actually need to send a message; use the
+ \-bt-\ option like this:
+
+==> exim -d -bt localpart@virtualhost
+
+ This will show you which routers it is using. If the problem appears
+ to be with the expansion of an option setting, you can use the
+ \debug_print\ option on a router to get Exim to output the expanded
+ string values as it goes along.
+
+
+Q0005: Why is Exim not rejecting incoming messages addressed to non-existent
+ users at SMTP time?
+
+A0005: This is controlled by the ACL that is run for each incoming RCPT
+ command. It is defined by the \acl_smtp_rcpt\ option. You can check this
+ part of your configuration by using the \-bh-\ option to run a simulated
+ SMTP session, during which Exim will tell you what things it is
+ checking.
+
+
+Q0006: I've put an entry for \"*.my.domain"\ in a DBM lookup file, but it isn't
+ getting recognized.
+
+A0006: You need to request ``partial matching'' by setting the search type to
+ \partial-dbm\ in order for this to work.
+
+
+Q0007: I've put the entry \"*@domain.com"\ in a lookup database, but it isn't
+ working. The expansion I'm using is:
+
+==> ${lookup{${lc:$sender_address}}dbm{/the/file} ...
+
+A0007: As no sender address will ever be //*@domain.com// this will indeed have
+ no effect as it stands. You need to tell Exim that you want it to look
+ for defaults after the normal lookup has failed. In this case, change the
+ search type from \"dbm"\ to \"dbm*@"\. See the section on \*Default values in
+ single-key lookups*\ in the chapter entitled \*File and database
+ lookups*\ in the Exim manual.
+
+
+Q0008: If I run \"./exim -d -bt user@domain"\ all seems well, but when I send
+ a message from my User Agent, it does not arrive at its destination.
+
+A0008: Try sending a message directly to Exim by typing this:
+
+==> exim -v user@domain
+ <some message, could be empty>
+ .
+
+ If the message gets delivered to a remote host, but never arrives at its
+ final destination, then the problem is at the remote host. If, however,
+ the message gets through correctly, then the problem may be between your
+ User Agent and Exim. Try setting Exim's \log_selector\ option to include
+ \"+arguments"\, to see with which arguments the UA is calling Exim.
+
+
+Q0009: What does \*no immediate delivery: too many messages received in one SMTP
+ connection*\ mean?
+
+A0009: An SMTP client may send any number of messages down a single SMTP
+ connection to a server. Initially, an Exim server starts up a delivery
+ process as soon as a message is received. However, in order not to start
+ up too many processes when lots of messages are arriving (typically
+ after a period of downtime), it stops doing immediate delivery after a
+ certain number of messages have arrived down the same connection. The
+ threshold is set by \smtp_accept_queue_per_connection\, and the default
+ value is 10. On large systems, the value should be increased. If you are
+ running a dial-in host and expecting to get all your mail down a single
+ SMTP connection, then you can disable the limit altogether by setting
+ the value to zero.
+
+
+Q0010: Exim puts \*for \[address]\*\ in the ::Received:: headers of some, but not all,
+ messages. Is this a bug?
+
+A0010: No. It is deliberate. Exim inserts a ``for'' phrase only if the incoming
+ message has precisely one recipient. If there is more than one
+ recipient, nothing is inserted. The reason for this is that not all
+ recipients appear in the ::To:: or ::Cc:: headers, and it is considered a
+ breach of privacy to expose such recipients to the others. A common
+ case is when a message has come from a mailing list.
+
+
+Q0011: Instead of \^exim_dbmbuild^\, I'm using a homegrown program to build DBM
+ (or cdb) files, but Exim doesn't seem to be able to use them.
+
+A0011: Exim expects there to be a binary zero value on the end of each key used
+ in a DBM file if you use the \"dbm"\ lookup type, but not for the \"dbmnz"\
+ lookup type or for the keys of a cdb file. Check that you haven't
+ slipped up in this regard.
+
+
+Q0012: Exim is unable to route to any remote domains. It doesn't seen to be
+ able to access the DNS.
+
+A0012: Try running \"exim -d+resolver -bt \[remote address]\"\. The \-d-\
+ options turns on debugging output, and the addition of \"+resolver"\
+ will make it show the resolver queries it is building and the results of
+ its DNS queries. If it appears unable to contact any name servers, check
+ the contents and permissions of \(/etc/resolv.conf)\.
+
+
+Q0013: What does the error message \*transport system_aliases: cannot find
+ transport driver "redirect" in line 92*\ mean?
+
+A0013: \%redirect%\ is a router, not a transport. You have put a configuration
+ for a router into the transports section of the configuration file.
+
+
+Q0014: Exim is timing out after receiving and responding to the DATA command
+ from one particular host, and yet the client host also claims to be
+ timing out. This seems to affect only certain messages.
+
+A0014: This kind of problem can have many different causes.
+
+ (1) This problem has been seen with a network that was dropping all
+ packets over a certain size, which mean that the first part of the SMTP
+ transaction worked, but when the body of a large message started
+ flowing, the main data bits never got through the network. See also
+ Q0017.
+
+ (2) This can also happen if a host has a broken TCP stack and won't
+ reassemble fragmented datagrams.
+
+ (3) A very few ISDN lines have been seen which failed when certain data
+ patterns were sent through them, and replacing the routers at both end
+ of the link did not fix things. One of them was triggered by more than 4
+ X's in a row in the data.
+
+
+Q0015: What does the message \*Socket bind() to port 25 for address (any)
+ failed: address already in use*\ mean?
+
+A0015: You are trying to run an Exim daemon when there is one already running -
+ or maybe some other MTA is running, or perhaps you have an SMTP line in
+ \(/etc/inetd.conf)\ which is causing \(inetd)\ to listen on port 25.
+
+
+Q0016: I've set \"verify = header_syntax"\ in my ACL, but this causes Exim to
+ complain about header lines like \"To: Work: Jim <jims@email>,
+ Home: Bob <bobs@email>"\ which look all right to me. Is this a bug?
+
+A0016: No. Header lines such as ::From::, ::To::, etc., which contain addresses, are
+ structured, and have to be in a specific format which is defined in RFC
+ 2822. Unquoted colons are not allowed in the ``phrase'' part of an email
+ address (they are OK in other headers such as ::Subject::). The correct
+ form for that header is
+
+==> To: "Work: Jim" <jims@email>, "Home: Bob" <bobs@email>
+
+ You will sometimes see unquoted colons in ::To:: and ::Cc:: headers, but only
+ in connection with name lists (called ``groups''), for example:
+
+==> To: My friends: X <x@y.x>, Y <y@w.z>;,
+ My enemies: A <a@b.c>, B <b@c.d>;
+
+ Each list must be terminated by a semicolon, as shown.
+
+
+Q0017: Whenever Exim tries to deliver a specific message to a particular
+ server, it fails, giving the error \*Remote end closed connection after
+ data*\ or \*Broken pipe*\ or a timeout. What's going on?
+
+A0017: \*Broken pipe*\ is the error you get on some OS when the remote host just
+ drops the connection. The alternative is \*connection reset by peer*\.
+ There are many potential causes. Here are some of them (see also Q0068):
+
+ (1) There are some firewalls that fall over on binary zero characters
+ in email. Have a look, e.g. with \"hexdump -c mymail | tail"\ to see if
+ your mail contains any binary zero characters.
+
+ (2) There are broken SMTP servers around that just drop the connection
+ after the data has been sent if they don't like the message for some
+ reason (e.g. it is too big) instead of sending a 5xx error code. Have
+ you tried sending a small message to the same address?
+
+ It has been reported that some releases of Novell servers running NIMS
+ are unable to handle lines longer than 1024 characters, and just close
+ the connection. This is an example of this behaviour.
+
+ (3) If the problem occurs right at the start of the mail, then it could
+ be a network problem with mishandling of large packets. Many emails are
+ small and thus appear to propagate correctly, but big emails will
+ generate big IP datagrams.
+
+ There have been problems when something in the middle of the network
+ mishandles large packets due to IP tunnelling. In a tunnelled link, your
+ IP datagrams gets wrapped in a larger datagram and sent over a network.
+ This is how virtual private networks (VPNs), and some ISP transit
+ circuits work. Since the datagrams going over the tunnel require a
+ larger packet size, the tunnel needs a bigger maximum transfer unit
+ (MTU) in the network handling the tunnelled packets. However, MTUs
+ are often fixed, so the tunnel will try to fragment the packets.
+
+ If the systems outside the tunnel are using path MTU discovery, (most
+ Sun Sparc Solaris machines do by default), and set the DF (don't
+ fragment) bit because they don't send packets larger than their \(local)\
+ MTU, then ICMP control messages will be sent by the routers at the
+ ends of the tunnel to tell them to reduce their MTU, since the tunnel
+ can't fragment the data, and has to throw it away. If this mechanism
+ stops working, e.g. a firewall blocks ICMP, then your host never
+ knows it has hit the maximum path MTU, but it has received no ACK on
+ the packet either, so it continues to resend the same packet and the
+ connection stalls, eventually timing out.
+
+ You can test the link using pings of large packets and see what works:
+
+==> ping -s host 2048
+
+ Try reducing the MTU on the sending host:
+
+==> ifconfig le0 mtu 1300
+
+ Alternatively, you can reduce the size of the buffer Exim uses for SMTP
+ output by putting something like
+
+==> DELIVER_OUT_BUFFER_SIZE=512
+
+ in your \(Local/Makefile)\ and rebuilding Exim (the default is 8192).
+ While this should not in principle have any effect on the size of
+ packets sent, in practice it does seem to have an effect on some OS.
+
+ You can also try disabling path MTU discovery on the sending host. On
+ Linux, try:
+
+==> echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc
+
+ For a general discussion and information about other operating systems, see
+ \?http://www.netheaven.com/pmtu.html?\. If disabling path MTU discovery
+ fixes the problem, try to find the broken or misconfigured
+ router/firewall that swallows the ICMP-unreachable packets. Increasing
+ timeouts on the receiving host will not work around the problem.
+
+
+Q0018: Why do messages not get delivered down the same connection when I do
+ something like: \"exim -v -R @aol.com"\? For other domains, I do this and
+ I see the appropriate \*waiting for passed connections to get used*\
+ messages.
+
+A0018: Recall that Exim does not keep separate queues for each domain, but
+ operates in a distributed fashion. Messages get into its `waiting for
+ host x' hints database only when a delivery has been tried, and has had
+ a temporary error. Here are some possibilities:
+
+ (1) The messages to \(aol.com)\ got put in your queue, but no previous
+ delivery attempt occured before you did the \-R-\. This might have been
+ because of your settings of \queue_only_load\, \smtp_accept_queue\, or any
+ other option that caused no immediate delivery attempt on arrival. If
+ this is the case, you can try using \-qqR-\ instead of \-R-\.
+
+ (2) You have set \connection_max_messages\ on the smtp transport, and
+ that limit was reached. This would show as a sequence of messages
+ down one connection, then another sequence down a new connection, etc.
+
+ (3) Exim tried to pass on the SMTP connection to another message, but
+ that message was in the process of being delivered to \(aol.com)\ by some
+ other process (typically, a normal queue runner). This will break the
+ sequence, though the other delivery should pass its connection on to
+ other messages if there are any.
+
+ (4) The folk at \(aol.com)\ changed the MX records so the host names have
+ changed - or a new host has been added. I don't know how likely this is.
+
+ (5) Exim is not performing as it should in this regard, for some reason.
+ Next time you have mail queued up for \(aol.com)\, try running
+
+==> exim_dumpdb /var/spool/exim wait-remote_smtp
+
+ to see if those messages are listed among those waiting for the relevant
+ \(aol.com)\ hosts.
+
+
+Q0019: There seems to be a problem in the string expansion code: it doesn't
+ recognize references to headers such as \"${h_to}"\.
+
+A0019: The only valid syntax for header references is (for example) \"$h_to:"\
+ because header names are permitted by RFC 2822 to contain a very wide
+ range of characters. A colon (or white space) is required as the
+ terminator.
+
+
+Q0020: Why do connections to my machine's SMTP port take a long time to respond
+ with the banner, when connections to other ports respond instantly? The
+ delay is sometimes as long as 30 seconds.
+
+A0020: These kinds of delay are usually caused by some kind of network problem
+ that affects outgoing calls made by Exim at the start of an incoming
+ connection. Configuration options that cause outgoing calls are:
+
+ (1) \rfc1413_hosts\ and \rfc1413_query_timeout\ (for \*ident*\ calls).
+ Firewalls sometimes block ident connections so that they time out,
+ instead of refusing them immediately. This can cause this problem.
+ See Q5023 for a discussion of the usefulness of \*ident*\.
+
+ (2) The \host_lookup\ option, the \host_reject_connection\ option, or a
+ condition in the ACL that runs at connection time requires the
+ remote host's name to be looked up from its IP address. Sometimes
+ these DNS lookups time out. You can get this effect with ACL
+ statements like this:
+
+==> deny hosts = *.x.example
+
+ If at all possible, you should use IP addresses instead of host
+ names in blocking lists in order to to avoid this problem.
+
+ You can use the \-bh-\ option to get more information about what is
+ happening at the start of a connection. However, note that the \-bh-\
+ option does not provide a complete simulation. In particular, no
+ \*ident*\ checks are done, so it won't show up a delay problem that is
+ related to (1) above.
+
+
+Q0021: What does \*failed to create child process to send failure message*\ mean?
+ This is a busy mail server with \smtp_accept_max\ set to 500, but this
+ problem started to occur at about 300 incoming connections.
+
+A0021: Some message delivery failed, and when Exim wanted to send a bounce
+ message, it was unable to create a process in which to do so. Probably
+ the limit on the maximum number of simultaneously active processes has
+ been reached. Most OS have some means of increasing this limit, and in
+ some operating systems there is also a limit per uid which can be
+ varied.
+
+
+Q0022: What does \*No transport set by system filter*\ in a log line mean?
+
+A0022: Your system filter contains a \"pipe"\ or \"save"\ or \"mail"\ command,
+ but you have not set the corresponding option which specifies which
+ transport is to be used. You need to set whichever of
+ \system_filter_pipe_transport\, \system_filter_file_transport\ or
+ \system_filter_reply_transport\ is relevant.
+
+
+Q0023: Why is Exim refusing to relay, saying \*failed to find host name from IP
+ address*\ when I have the sender's IP address in an ACL condition? My
+ configuration contains this ACL statement:
+
+==> accept hosts = lsearch;/etc/mail/relaydomains:192.168.96.0/24
+
+A0023: When checking a host list, the items are tested in left-to-right
+ order. The first item in your list is a lookup on the incoming host's
+ name, so Exim has to determine the name from the incoming IP address in
+ order to perform the test. If it can't find the host name, it can't do
+ the check, so it gives up. You would have discovered what was going
+ on if you had run a test such as
+
+==> exim -bh 192.168.96.131
+
+ The solution is to put all explicit IP addresses first in the list.
+ Alternatively, you can split the ACL statement into two like this:
+
+==> accept hosts = lsearch;/etc/mail/relaydomains
+ accept hosts = 192.168.96.0/24
+
+ If the host lookup fails, the first \"accept"\ fails, but then the
+ second one is considered.
+
+
+Q0024: When I run \"exim -bd -q10m"\ I get \*PANIC LOG: exec of exim -q failed*\.
+
+A0024: This probably means that Exim doesn't know its own path so it can't
+ re-exec itself to do the first queue run. Check the output of
+
+==> exim -bP exim_path
+
+
+Q0025: I can't seem to get a pipe command to run when I include a \"${if"\
+ expansion in it. This fails:
+
+==> command = perl -T /usr/local/rt/bin/rtmux.pl \
+ rt-mailgate helpdesk \
+ ${if eq {$local_part}{rt} {correspond}{action}}
+
+A0025: You need some internal quoting in there. Exim expands each individual
+ argument separately. Because you have (necessarily) got spaces in your
+ \"${if"\ item, you have to quote that argument. Try
+
+==> command = perl -T /usr/local/rt/bin/rtmux.pl \
+ rt-mailgate helpdesk \
+ "${if eq {$local_part}{rt} {correspond}{action}}"
+
+ \**Warning:**\ If command starts with an item that requires quoting,
+ you cannot just put it in quotes, because a leading quote means that the
+ entire option setting is being quoted. What you have to do is to quote
+ the entire value, and use internally escaped quotes for the ones you
+ really want. For example:
+
+==> command = "\"${if ....}\" arg1 arg2"
+
+ Any backslashes in the expansion items will have to be doubled to stop
+ them being interpreted by the string reader.
+
+
+Q0026: I'm trying to get Exim to connect an alias to a pipe, but it always
+ gives error code 69, with the comment \*(could mean service or program
+ unavailable)*\.
+
+A0026: If your alias entry looks like this:
+
+==> alias: |"/some/command some parameters"
+
+ change it to look like this:
+
+==> alias: "|/some/command some parameters"
+
+
+Q0027: What does the error \*Spool file is locked*\ mean?
+
+A0027: This is not an error. All it means is that when an Exim delivery
+ process (probably started by a queue runner process) looked at a message
+ in order to start delivering it, it found that another Exim process was
+ already busy delivering it. On a busy system this is quite a common
+ occurrence. If you set \"-skip_delivery"\ in the \log_selector\ option,
+ these messages are omitted from the log.
+
+ The only time when this message might indicate a problem is if it is
+ repeated for the same message for a very long time. That would suggest
+ that the process that is delivering the message has somehow got stuck.
+
+
+Q0028: Exim is reporting IP addresses as 0.0.0.0 or 255.255.255.255 instead of
+ their correct values. What's going on?
+
+A0028: You are using a version of Exim built with gcc on an IRIX box.
+ See Q9502.
+
+
+Q0029: I can't seem to figure out why PAM support doesn't work correctly.
+
+A0029: There is a problem using PAM with shadow passwords when the calling
+ program is not running as \/root/\. Exim is normally running as the
+ Exim user when authenticating a remote host. See this posting for one
+ way round the problem:
+
+ \?http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010917/030371.html?\
+
+ Another solution can be found at \?http://www.e-admin.de/pam_exim/?\.
+
+ PAM 0.72 allows authorization as non-\/root/\, using setuid helper programs.
+ Furthermore, in \(/etc/pam.d/exim)\ you can explicitelly specify that
+ this authorization (using setuid helpers) is only permitted for certain
+ users and groups.
+
+
+Q0030: I'm trying to use a query-style lookup for hosts that are allowed to
+ relay, but it is giving really weird errors.
+
+A0030: Does your query contain a colon character? Remember that host lists are
+ colon-separated, so you need to double any colons in the query. This
+ applies even if the query is defined as a macro.
+
+
+Q0031: Exim is rejecting connections from hosts that have more than one IP
+ address, for no apparent reason.
+
+A0031: You are using Solaris 7 or earlier, and have \"nis dns files"\ in
+ \(/etc/nsswitch.conf)\. Change this to \"dns nis files"\ to avoid hitting Sun
+ bug 1154236 (a bad interaction between NIS and the DNS).
+
+
+Q0032: Exim is failing to find the MySQL library, even though is it present
+ within \\LD_LIBRARY_PATH\\. I'm getting this error:
+
+==> /usr/local/bin/exim: fatal: libmysqlclient.so.6: open failed:
+ No such file or directory
+
+A0032: Exim is suid, and \\LD_LIBRARY_PATH\\ is ignored for suid binaries on a
+ Solaris (and other?) systems. What you should be doing is adding
+ \"-R/local/lib/mysql"\ to the same place in the compilation that you added
+ \"-L/local/lib/mysql"\. This tells the binary where to look without
+ needing a path variable.
+
+
+Q0033: What does the error \*lookup of host "xx.xx.xx" failed in yyy router*\
+ mean?
+
+A0033: You configured a \%manualroute%\ router to send the message to xx.xx.xx. When
+ it tried to look up the IP address for that host, the lookup failed
+ with a permanent error. As this is a manual routing, this is a
+ considered to be a serious error which the postmaster needs to know
+ about (maybe you have a typo in your file), and there is little point
+ in keeping on trying. So it freezes the message.
+
+ (1) Don't set up routes to non-existent hosts.
+
+ (2) If you must set up routes to non-existent hosts, and don't want
+ freezing, set the \host_find_failed\ option on the router to do something
+ other than freeze.
+
+
+Q0034: Exim works fine on one host, but when I copied the binary to another
+ identical host, it stopped working (it could not resolve DNS names).
+
+A0034: Is the new host running exactly the same operating system? Most
+ importantly, are the versions of the dynamically loaded libraries
+ (files with names like \(libsocket.so.1)\) the same on both systems? If not,
+ that is probably the cause of the problem. Either arrange for the
+ libraries to be the same, or rebuild Exim from source on the new host.
+
+
+Q0035: I set a \"hosts"\ condition in an ACL to do a lookup in a file of IP
+ addresses, but it doesn't work.
+
+A0035: Did you remember to put \"net-"\ at the start of the the search type? If
+ you set something like this:
+
+==> accept hosts = lsearch;/some/file
+
+ Exim searches the file for the host name, not the IP address. You need
+ to set
+
+==> accept hosts = net-lsearch;/some/file
+
+ to make it use the IP address as the key to the lookup.
+
+
+Q0036: Why do I get the error \*Permission denied: creating lock file hitching
+ post*\ when Exim tries to do a local delivery?
+
+A0036: Your configuration specifies that local mailboxes are all held in
+ single directory, via configuration lines like these (taken from the
+ default configuration):
+
+==> local_delivery:
+ driver = appendfile
+ file = /var/mail/$local_part
+
+ and the permissions on the directory probably look like this:
+
+==> drwxrwxr-x 3 root mail 512 Jul 9 13:48 /var/mail/
+
+ Using the default configuration, Exim runs as the local user when doing
+ a local delivery, and it uses a lock file to prevent any other process
+ from updating the mailbox while it is writing to it. With those
+ permissions the delivery process, running as the user, is unable to
+ create a lock file in the \(/var/mail(\ directory. There are two solutions
+ to this problem:
+
+ (1) Set the \"write"\ and \"sticky bit"\ permissions on the directory, so
+ that it looks like this:
+
+==> drwxrwxrwt 3 root mail 512 Jul 9 13:48 /var/mail/
+
+ The \"w"\ allows any user to create new files in the directory, but
+ the \"t"\ bit means that only the creator of a file is able to remove
+ it. This is the same setting as is normally used with the \(/tmp)\
+ directory.
+
+ (2) Arrange to run the local_delivery transport under a specific group
+ by changing the configuration to read
+
+==> local_delivery:
+ driver = appendfile
+ file = /var/mail/${local_part}
+ group = mail
+
+ The delivery process still runs under the user's uid, but with the
+ group set to \"mail"\. The group permission on the directory allows
+ the process to create and remove the lock file.
+
+ The choice between (1) and (2) is up to the administrator. If the
+ second solution is used, users can empty their mailboxes by updating
+ them, but cannot delete them.
+
+ If your problem involves mail to \/root/\, see also Q0507.
+
+
+Q0037: I am experiencing mailbox locking problems with Sun's \"mailtool"\ used
+ over a network.
+
+A0037: See Q9705 in the Sun-specific section below.
+
+
+Q0038: What does the error message \*error in forward file (filtering not
+ enabled): missing or malformed local part*\ mean?
+
+A0038: If you are trying to use an Exim filter, you have forgotten to enable
+ the facility, which is disabled by default. In the \%redirect%\ router
+ (in the Exim run time configuration file) you need to set
+
+==> allow_filter = true
+
+ to allow a \(.forward)\ file to be used as an Exim filter. If you are not
+ trying to use an Exim filter, then you have put a malformed address in
+ the \(.forward)\ file.
+
+
+Q0039: I have installed Exim, but now I can't mail to \/root/\ any more. Why is
+ this?
+
+A0039: Most people set up \/root/\ as an alias for the manager of the host. If
+ you haven't done this, Exim will attempt to deliver to \/root/\ as if it
+ were a normal user. This isn't really a good idea because the delivery
+ process would run as \/root/\. Exim has a trigger guard in the option
+
+==> never_users = root
+
+ in the default configuration file. This prevents it from running as \/root/\
+ when doing any deliveries. If you really want to run local deliveries as
+ \/root/\, remove this line, but it would be better to create an alias for
+ \/root/\ instead.
+
+
+Q0040: How can I stop undeliverable bounce messages (e.g. to routeable, but
+ undeliverable, spammer senders) from clogging up the queue for days?
+
+A0040: If at all possible, you should try to avoid getting into this situation
+ in the first place, for example, by verifying recipients so that you
+ do not accept undeliverable messages that lead to these bounces.
+ You can, however, configure Exim to discard failing bounce messages
+ early. Just set \ignore_bounce_errors_after\ to specify a (short) time
+ to keep them for.
+
+
+Q0041: What does the message \*unable to set gid=ddd or uid=ddd (euid=ddd):
+ local delivery to ... transport=ttt*\ mean?
+
+A0041: Have you remembered to make Exim setuid \/root/\? It needs root privilege if
+ it is to do any local deliveries, because it does them ``as the user''.
+ Note also that the partition from which Exim is running (where the
+ binary is installed) must not have the \nosuid\ mount option set. You
+ can check this by looking at its \(/etc/fstab)\ entry (or \(/etc/vfstab)\,
+ depending on your OS).
+
+
+Q0042: My ISP's mail server is rejecting bounce messages from Exim, complaining
+ that they have no sender. The SMTP trace does indeed show that the
+ sender address is \"<>"\. Why is the Sender on the bounce message empty?
+
+A0042: Because the RFCs say it must be. Your ISP is at fault. Send them this
+ extract from RFC 2821 section 6.1 (\*Reliable Delivery and Replies by
+ Email*\):
+
+ If there is a delivery failure after acceptance of a message, the
+ receiver-SMTP MUST formulate and mail a notification message. This
+ notification MUST be sent using a null (\"<>"\) reverse path in the
+ envelope. The recipient of this notification MUST be the address
+ from the envelope return path (or the ::Return-Path:: header line).
+ However, if this address is null (\"<>"\), the receiver-SMTP MUST NOT
+ send a notification.
+
+ The reason that bounce messages have no sender is so that they
+ themselves cannot provoke further bounces, as this could lead to a
+ unending exchange of undeliverable messages.
+
+
+Q0043: What does the error \*Unable to get interface configuration: 22 Invalid
+ argument*\ mean?
+
+A0043: This is an error that occurs when Exim is trying to find out the all the
+ IP addresses on all of the local host's interfaces. If you have lots of
+ virtual interfaces, this can occur if there are more than around 250 of
+ them. The solution is to set the option \local_interfaces\ to list just
+ those IP addresses that you want to use for making and receiving SMTP
+ connections.
+
+
+Q0044: What does the error \*Failed to create spool file*\ mean?
+
+A0044: Exim has been unable to create a file in its spool area in which to
+ store an incoming message. This is most likely to be either a
+ permissions problem in the file hierarchy, or a problem with the uid
+ under which Exim is running, though it could be something more drastic
+ such as your disk being full.
+
+ If you are running Exim with an alternate configuration file using a
+ command such as \"exim -C altconfig..."\, remember that the use of -C
+ takes away Exim's root privilege.
+
+ Check that you have defined the spool directory correctly by running
+
+==> exim -bP spool_directory
+
+ and examining the output. Check the mode of this directory. It should
+ look like this, assuming you are running Exim as user \/exim/\:
+
+==> drwxr-x--- 6 exim exim 512 Jul 16 12:29 /var/spool/exim
+
+ If there are any subdirectories already in existence, they should have
+ the same permissions, owner, and group. Check also that you haven't got
+ incorrect permissions on superior directories (for example, \(/var/spool)\).
+ Check that you have set up the Exim binary to be setuid \/root/\. It should
+ look like this:
+
+==> -rwsr-xr-x 1 root xxx 502780 Jul 16 14:16 exim
+
+ Note that it is not just the owner that must be \/root/\, but also the third
+ permission must be \"s"\ rather than \"x"\.
+
+
+Q0045: I see entries in the log that mention two different IP addresses for the
+ same connection. Why is this? For example:
+
+==> H=tip-mp8-ncs-13.stanford.edu ([36.173.0.189]) [36.173.0.156]
+
+A0045: The actual IP address from which the call came is the final one.
+ Whenever there's something in parentheses in a host name, it is what the
+ host quoted as the domain part of an SMTP HELO or EHLO command. So in
+ this case, the client, despite being 36.173.0.156, issued the command
+
+==> EHLO [36.173.0.189]
+
+ when it sent your server the message. This is, of course, very
+ misleading.
+
+
+Q0046: A short time after I start Exim I see a defunct zombie process. What
+ is causing this?
+
+A0046: Your system must be lightly loaded as far as mail is concerned. The
+ daemon sets off a queue runner process when it is started, but it only
+ tidies up completed child processes when it wakes up for some other
+ reason. When there's nothing much going on, you occasionally see
+ defunct processes like this waiting to be dealt with. This is
+ perfectly normal.
+
+
+Q0047: On a reboot, or a restart of the mail system, I see the message \*Mailer
+ daemons: exim abandoned: unknown, malformed, or incomplete option
+ -bz sendmail*\. What does this mean?
+
+A0047: \-bz-\ is a Sendmail option requesting it to create a `configuration freeze
+ file'. Exim has no such concept and so does not support the option. You
+ probably have a line like
+
+==> /usr/lib/sendmail -bz
+
+ in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before
+
+==> /usr/lib/sendmail -bd -q15m
+
+ The first of these lines should be commented out.
+
+
+Q0048: Whenever exim restarts it takes up to 3-5 minutes to start responding on
+ the SMTP port. Why is this?
+
+A0048: Something else is hanging onto port 25 and not releasing it. One place
+ to look is \(/etc/inetd.conf)\ in case for any reason an SMTP stream is
+ configured there.
+
+
+Q0049: What does the log message \*no immediate delivery: more than 10 messages
+ received in one connection*\ mean?
+
+A0049: A remote MTA sent a number of messages in a single SMTP session. Exim
+ limits the number of immediate delivery processes it creates as a
+ result of a single SMTP connection, in order to avoid creating a zillion
+ processes on systems that can have many incoming connections. If you are
+ dialing in to collect mail from your ISP, you should probably set
+ \smtp_accept_queue_per_connection\ to some number larger than 10, or
+ arrange to start a queue runner for local delivery (using \-ql-\)
+ immediately after collecting the mail.
+
+
+Q0050: I am getting complaints from a customer who uses my Exim server for
+ relaying that they are being blocked with a \*Too many connections*\
+ error.
+
+A0050: See \smtp_accept_max\, \smep_accept_max_per_host\ and \smtp_accept_reserve\.
+
+
+Q0051: When I try \"exim -bf"\ to test a system filter, I received the following
+ error message: \*Filter error: unavailable filtering command "fail" near
+ line 8 of filter file*\.
+
+A0051: Use the \-bF-\ option to test system filters. This gives you access to the
+ freeze and fail actions.
+
+
+Q0052: What does \*ridiculously long message header*\ in an error report mean?
+
+A0052: There has to be some limit to the length of a message's header lines,
+ because otherwise a malefactor could open an SMTP channel to your host,
+ start a message, and then just send characters continuously until your
+ host ran out of memory. (Exim stores all the header lines in main
+ memory while processing a message). For this reason a limit is imposed
+ on the total amount of memory that can be used for header lines. The
+ default is 1MB, but this can be changed by setting \\HEADER_MAXSIZE\\ in
+ \(Local/Makefile)\ before building Exim. Exceeding the limit provokes
+ the ``ridiculous'' error message.
+
+
+Q0053: Exim on my host responds to a connection with \"220 *****..."\ and
+ won't understand \\EHLO\\ commands.
+
+A0053: This is the sign of a Cisco Pix ``Mailguard'' sitting in front of your
+ MTA. Pix breaks ESMTP and only does SMTP. It is a nuisance when you have
+ a secure MTA running on your box. Something like ``no fixup protocol
+ smtp 25'' in the Pix configuration is needed. It may be possible to do
+ this by logging into the Pix (using \^telnet^\ or \^ssh^\) and typing
+ \"no fixup smtp"\ to its console. (You may need to use other commands
+ before or after to set up configuration mode and to activate a changed
+ configuration. Consult your Pix documentation or expert.) See also
+ Q0078.
+
+
+Q0054: I'm getting an Exim configuration error \*unknown rewrite flag
+ character (m) in line 386*\ but I haven't used any flags on my rewriting
+ rules.
+
+A0054: You have probably forgotten to quote a replacement string that contains
+ white space.
+
+
+Q0055: What does the error \*Failed to open wait-remote_smtp database: Invalid
+ argument*\ mean?
+
+A0055: This is something that happens if you have existing DBM hints files when
+ you install a new version of Exim that is compiled to use a different or
+ upgraded DBM library. The simplest thing to try is
+
+==> rm /var/spool/exim/db/*
+
+ This removes all the hints files. Exim will start afresh and build new
+ ones. If the symptom recurs, it suggests there is some problem with your
+ DBM library.
+
+
+Q0056: We are using Exim to send mail from our web server. However, whenever a
+ user sends an email it gets sent with the return path (envelope sender)
+ //apache@server_name.com// because the PHP script is running as
+ \/apache/\.
+
+A0056: You need to include \/apache/\ in the \trusted_users\ configuration option.
+ Only trusted users are permitted to specify senders when mail is passed
+ to Exim via the command line.
+
+
+Q0057: We've got people complaining about attachments that don't show up
+ as attachments, but are included in the body of the message.
+
+A0057: These symptoms can be seen when some software passes a CRLF line
+ terminated message via the command line to an MTA that expects lines to
+ be terminated by LF only, and so preserves the CRs as data. If you can
+ identify the software that is doing this, try setting the \-dropcr-\
+ option on the command it uses to call Exim. Alternatively, you can set
+ \drop_cr\ in the configuration file, but then that will apply to all
+ input.
+
+
+Q0058: What does the error \*failed to open DB file \(/var/spool/exim/db/retry)\:
+ File exists*\ mean?
+
+A0058: This error is most often caused when a hints file that was written with
+ one version of the Berkeley DB library is read by another version.
+ Sometimes this can happen if you change from a binary version of Exim to
+ a locally compiled version. Or it can happen if you compile and install
+ a new version of Exim after changing Berkeley DB versions. You can find
+ out which version your Exim is using by running:
+
+==> ldd /usr/sbin/exim
+
+ The solution to the problem is to delete all the files in the
+ \(/var/spool/exim/db)\ directory, and let Exim recreate them.
+
+
+Q0059: When my Outlook Express 6.0 client sends a STARTTLS command to begin a
+ TLS session, Exim doesn't seem to receive it. The Outlook log shows
+ this:
+
+==> SMTP: 14:19:27 [tx] STARTTLS
+ SMTP: 14:19:27 [rx] 500 Unsupported command.
+
+ but the Exim debugging output shows this:
+
+==> SMTP<< EHLO xxxx
+ SMTP>> 250-yyyy Hello xxxx [nnn.nnn.nnn.nnn]
+ 250-SIZE 52428800
+ 250-PIPELINING
+ 250-AUTH CRAM-MD5 PLAIN LOGIN
+ 250-STARTTLS
+ 250 HELP
+ SMTP<< QUIT
+
+A0059: Turn off scanning of outgoing email in Norton Antivirus. If you aren't
+ running Norton Antivirus, see if you are running some other kind of SMTP
+ proxying, either on the client or on a firewall between the client and
+ server. ``Unsupported command'' is not an Exim message.
+
+
+Q0060: Why am I getting the error \*failed to expand \"/data/lists/lists/${lc"\
+ for require_files: \"${lc"\ is not a known operator*\ for this setting:
+
+==> require_files = MAILMAN_HOME/lists/${lc:$local_part}/config.db
+
+A0060: The value of \"require_files"\ is a \*list*\ in which each item is
+ separately expanded. You need either to double the colon, or switch to
+ a different list separator.
+
+
+Q0061: What does the error \*Too many ``Received'' headers - suspected mail
+ loop*\ mean?
+
+A0061: Whenever a message passes through an MTA, a ::Received:: header gets
+ added. Exim counts the number of these headers in incoming messages. If
+ there are more than the value of \received_headers_max\ (default 30),
+ Exim assumes there is some kind of mail routing loop occurring. For
+ example, host A passes the message to host B, which immediately passes
+ it back to host A. Check the ::Received:: headers and the mail logs to
+ determine exactly what is going on.
+
+ One common cause of this problem is users with accounts on both systems
+ who set up each one to forward to the other, thinking that will cause
+ copies of all messages to be delivered on both of them.
+
+
+Q0062: When I try to start an Exim daemon it crashes. I ran a debugger and
+ discovered that the crash is happening in the function \^^getservbyname()^^\.
+ What's going on?
+
+A0062: What have you got in the file \(/etc/nsswitch.conf)\? If it contains this
+ line:
+
+==> services: db files
+
+ try removing the \"db"\. (Your system is trying to look in some kind of
+ database before searching the file \(/etc/services)\.)
+
+
+Q0063: When I try to start an Exim daemon, nothing happens. There is no
+ process, and nothing is written to the Exim log.
+
+A0063: Check to see if anything is written to \(syslog)\. This problem can be
+ caused by a permission problem that stops Exim from writing to its log
+ files, especially if you've specified that they should be written
+ somewhere other than under Exim's spool directory. You could also try
+ running the daemon with debugging turned on.
+
+
+Q0064: When I run \"exim -d test@domain"\ it delivers fine, but when I send a
+ message from the \^mail^\ command, I get \*User unknown*\ and the mail
+ is saved in \(dead.letter)\.
+
+A0064: It looks as if Exim isn't being called by \^mail^\; instead it is
+ calling some other program (probably Sendmail). Try running the command
+
+==> /usr/sbin/sendmail -bV
+
+ (If you get \*No such file or directory*\ or \*Command not found*\ you
+ are running Solaris or IRIX. Try again with \(/usr/lib/sendmail)\.) The
+ output should be something like this:
+
+==> Exim version 4.05 #1 built 13-Jun-2002 10:27:15
+ Copyright (c) University of Cambridge 2002
+
+ If you don't see this, your Exim installation isn't fully operational.
+ If you are running FreeBSD, see Q9201. For other systems, see Q0114.
+
+
+Q0065: When (as \/root/\) I use -C to run Exim with an alternate configuration
+ file, it gives an error about being unable to create a spool file when
+ trying to run an \%autoreply%\ transport. Why is this?
+
+A0065: When Exim is called with -C, it passes on -C to any instances of itself
+ that it calls (so that the whole sequence uses the same config file). If
+ it's running as \/exim/\ when it does this, all is well. However, if it
+ happens as a consequence of a non-privileged user running \%autoreply%\,
+ the called Exim gives up its root privilege. Then it can't write to the
+ spool.
+
+ This means that you can't use -C (even as \/root/\) to run an instance of
+ Exim that is going to try to run \%autoreply%\ from a process that is
+ neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using
+ re-execs to regain privilege), there isn't any way round this
+ restriction. Therefore, the only way you can make this scenario work is
+ to run the \%autoreply%\ transport as \/exim/\ (that is, the user that
+ owns the Exim spool files). This may be satisfactory for autoreplies
+ that are essentially system-generated, but of course is no good for
+ autoreplies from unprivileged users, where you want the \%autoreply%\
+ transport to be run as the user. To get that to work with an alternate
+ configuration, you'll have to use two Exim binaries, with different
+ configuration file names in each. See S001 for a script that patches
+ the configuration name in an Exim binary.
+
+
+Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean?
+
+A0066: This message is given when an Exim process is unable to change uid or
+ gid when it needs to, because it does not have root privilege. This is a
+ serious problem that prevents Exim from carrying on with what it is
+ doing. The two most common situations where Exim needs to change uid/gid
+ are doing local deliveries and processing users' filter files. There are
+ two common causes of this error:
+
+ (1) You have forgotten to make the exim binary setuid to \/root/\. This
+ means that it can never change uid/gid in any situation. Also, the
+ setuid binary must reside on a disk partition that does not have the
+ \"nosuid"\ mount option set.
+
+ (2) The exim binary is setuid, but you have configured Exim so that,
+ while trying to verify an address at SMTP time, it runs a router
+ that needs to change uid/gid. Because Exim runs as \/exim/\ and not
+ \/root/\ while receiving messages, the router is unable to change
+ uid and therefore it cannot operate. The usual example of this is a
+ \%redirect%\ router for users' filter files.
+
+ Setting the \user\ or \check_local_user\ options on a \redirect\
+ router causes this to happen (except in the special case when the
+ redirection list is provided by the \data\ option and does not
+ contain \":include:"\).
+
+ The solution is to set \no_verify\ on the router that is causing the
+ problem. This means that it is skipped when an address is being
+ verified. In ``normal'' configurations where the router is indeed
+ handling users' filter files, this is quite acceptable, because you
+ do not usually need to process a filter file in order to verify that
+ the local part is valid. See, for example, the \%userforward%\
+ router in the default configuration.
+
+
+Q0067: What does the error \*too many unrecognized commands*\ mean?
+
+A0067: There have been instances of network abuse involving mail sent out by
+ web servers. In most cases, unrecognizable commands are sent as part of
+ the SMTP session. A real MTA never sends out such invalid commands. Exim
+ allows a few unrecognized commands in a session to permit humans who are
+ testing to make a few typos (it responds with a 5xx error). However, if
+ Exim receives too many such commands, it assumes that it is dealing with
+ an abuse of some kind, and so it drops the connection.
+
+
+Q0068: Exim times out when trying to connect to some hosts, though those hosts
+ are known to be up and running. What's the problem?
+
+A0068: There could be a number of reasons for this (see also Q0017). The
+ obvious one is that there is a networking problem between the hosts.
+ If you can ping between the hosts or connect in other ways, the problem
+ might be caused by ECN (Explicit Congestion Notification) being enabled
+ in your kernel. ECN uses TCP flags originally assigned to TOS - it's a
+ "new" invention, and some hosts and routers are known to be confused if
+ a client uses it. If you are running Linux, you can turn ECN off by
+ running this command:
+
+==> /bin/echo "0" > /proc/sys/net/ipv4/tcp_ecn
+
+ This has also been reported to cure web connection problems from Mozilla
+ and Netscape browsers in Linux when there were no problems with Windows
+ Netscape browsers.
+
+
+Q0069: What does the error \*SMTP data timeout (message abandoned) on connection
+ from...*\ mean?
+
+A0069: It means that there was a timeout while Exim was reading the contents of
+ a message on an incoming SMTP connection. That is, it had successfully
+ accepted a MAIL command, one or more RCPT commands, and a DATA command,
+ and was in the process of reading the data itself. The length of timeout
+ is controlled by the \smtp_receive_timeout\ option.
+
+ If you get this error regularly, the cause may be incorrect handling of
+ large packets by a router or firewall. The maximum size of a packet is
+ restricted on some links; routers should split packets that are larger.
+ There is a feature called ``path MTU discovery'' that enables a sender
+ to discover the maximum packet size over an entire path (multiple
+ Internet links). This can be broken by misconfigured firewalls and
+ routers. There is a good explanation at \?http://www.netheaven.com/pmtu.html?\.
+ Reducing the MTU on your local network can sometimes work round this
+ problem. See Q0017 (3) for further discussion.
+
+
+Q0070: What does the error \*SMTP command timeout on connection from...*\ mean?
+
+A0070: Exim was expecting to read an SMTP command from the client, but no
+ command was read within the \smtp_receive_timeout\ time limit.
+
+
+Q0071: What does the error \*failed to open DB file \(/var/spool/exim//db/retry)\:
+ Illegal argument*\ mean?
+
+A0071: See Q0058. The cause of this error is usually the same.
+
+
+Q0072: Exim will deliver to normal aliases, and aliases that are pipes or
+ files, but it objects to aliases that involve \":include:"\ items,
+ complaining that it can't change gid or uid. Why is this?
+
+A0072: See Q0066 for a general answer. The problem happens during verification
+ of an incoming SMTP message, not during delivery itself. In this
+ particular case, you must have set up your aliasing router with a \user\
+ setting. This causes Exim to change uid/gid when reading \":include:"\
+ files. If you do not need the detailed verification provided by the
+ router, the easy solution is to set \no_verify\ so that the router isn't
+ used during verification.
+
+ Otherwise, if you set \user\ on the router in order to provide a user
+ for delivery to pipes or files, one solution is to put the \user\
+ setting on the transports instead of on the router. You may need to
+ create some special transports just for this router. The alternative is
+ to supply two different routers, one with \user\ and \no_verify\, and
+ the with \verify_only\ but no \user\ setting.
+
+
+Q0073: I'm seeing log file corruption, with parts of log lines getting mangled
+ by other log entries.
+
+A0073: The only time this has been seen is when several servers were writing to
+ the same log files over NFS. Exim assumes that its log file is on local
+ disk, and using NFS, especially for more than one server, will not work.
+
+
+Q0074: What does the error message \*remote delivery process count got out of
+ step*\ mean?
+
+A0074: Exim uses subprocesses for remote deliveries; this error means that the
+ master process expected to have a child process running, but found there
+ were none. Prior to release 4.11, this error could be caused by running
+ Exim under \^strace^\ on a Linux system, because stracing causes
+ children to be ``stolen'' such that a parent that tries to wait for
+ ``any of my children'' is told that it has none. Current releases of
+ Exim have code to get round this problem.
+
+
+Q0075: I'm using LDAP, and some email addresses that contain special characters
+ are causing parsing errors in my LDAP lookups.
+
+A0075: You should be using \"${quote_ldap:$local_part}"\ instead of just
+ \"$local_part"\ in your lookups.
+
+
+Q0076: I've configured Exim to use \^syslog^\ for its logs, with the main and
+ reject logs sent to different files, but whenever a message is rejected,
+ I get one message on the reject log and two messages on the main log.
+
+A0076: You are probably putting your reject items into the main log as well;
+ remember \^syslog^\ levels are inclusive (for example, \"mail.info"\
+ includes all higher levels, so a \"mail.notice"\ message will be caught
+ by a \"mail.info"\ descriptor).
+ Test this by running the command:
+
+==> logger -p mail.notice test
+
+ and seeing which logs it goes into.
+
+
+Q0077: I've installed Exim and it is delivering mail just fine. However, when I
+ try to read mail from my PC I get \*connection rejected*\ or \*unable to
+ connect*\.
+
+A0077: See Q5021.
+
+
+Q0078: Exim is logging the unknown SMTP command \"XXXX"\ from my client hosts,
+ and they are unable to authenticate.
+
+A0078: This is a sign of a Cisco PIX firewall getting in the way. It does not
+ support ESMTP, and turns EHLO commands into XXXX. You should configure
+ the Pix to leave SMTP alone; see Q0053 for how to do this.
+
+
+Q0079: Our new PIX firewall is causing problems with incoming mail. How can
+ this be fixed?
+
+A0079: See Q0053 and Q0078. If some messages get through and others do not,
+ see also Q0017.
+
+
+Q0080: Am I to understand that the database lookups must only return one value?
+ They can not return a list of values? The documentation seems to
+ indicate that it's possible to return a list.
+
+A0080: Lookups can be used in two different situations, and what they return is
+ different in the two cases. (Be thankful Exim 3 is gone; there was yet
+ another case!)
+
+ (1) You can use a lookup in any expanded string. The syntax is
+
+==> ${lookup ..... }
+
+ In this case, whatever is looked up replaces the expansion item. It
+ may be one value or a list of values. Whether a single value or a
+ list is acceptable or not depends on where you are using the string
+ expansion. If it is for an option that expects just one value, then
+ only one value is allowed (for example).
+
+ (2) You can make use of the lookup mechanism to test whether something
+ (typically a host name or IP address) is in a list. For example,
+
+==> hosts = a : b : c
+
+ in an ACL tests whether the calling host's name matches ``a'', or
+ ``b'', or ``c''. Now, suppose you want to keep the list of names in
+ a database, or cdb file, or NIS map, or... By writing
+
+==> hosts = pgsql;select ....
+
+ you are saying to Exim: ``Run this lookup; if it succeeds, behave as
+ if the host is in the list; if it fails, the host is not in the
+ list.'' You are using the indexing mechanism of the database as a
+ fast way of checking a list. A simpler example is
+
+==> hosts = lsearch;/some/file
+
+ where the file contains the list of hosts to be searched.
+
+ The complication happens when a list is first expanded before being
+ interpreted as a list. This happens in a lot of cases. You can therefore
+ write either of these:
+
+==> hosts = cdb;/some/file
+ hosts = ${lookup{something}cdb{/some/file}}
+
+ but they have different meanings. The first means ``see if the host name
+ is in the list in this file''. The second means ``run this lookup and
+ use the result of the lookup as a list of host items to check''. In the
+ second case, the list could contain multiple values (colon separated),
+ and one of those values could even be ``cdb;/some/file''.
+
+ Flexibility does lead to complexity, I'm afraid.
+
+
+Q0081: What does \*error in redirect data: included file xxxx is too big*\
+ mean?
+
+A0081: You are trying to include a very large file in a redirection list, using
+ the \":include:"\ feature. Exim has a built-in limit on the size, as a
+ safety precaution. The default is 1 megabyte. If you want to increase
+ this, you have to rebuild Exim. In your \(Local/Makefile)\, put
+
+==> MAX_INCLUDE_SIZE = whatever
+
+ and then rebuild Exim. The value is a number of bytes, but you can give
+ it as a parenthesized arithmetic expression such as \"(3*1024*1024)"\.
+ However, an included file of more than a megabyte is likely to be quite
+ inefficient. How many addresses does yours contain? You get the best
+ performance out of Exim if you arrange to send mailing list messages
+ with no more than about 100 recipients (in order to get parallelism in
+ the routing).
+
+
+Q0082: What does \*relocation error: /lib/libnss_dns.so.2: symbol
+ __libc_res_nquery, version GLIBC_PRIVATE not defined in file
+ libresolv.so.2 with link time reference*\ mean?
+
+A0082: You have updated \^glibc^\ while an Exim daemon is running. Stop and
+ restart the daemon.
+
+
+Q0083: Netscape on Unix is sending messages containing an unqualified user name
+ in the ::Sender:: header line, which Exim is rejecting because I have
+ set \"verify = header_syntax"\. How can I fix this?
+
+A0083: The only thing you can do in Exim is to set the
+ \sender_unqualified_hosts\ option to allow unqualified sender addresses
+ form the relevant hosts; of course, this applies to all sender
+ addresses, not just the ::Sender:: header line.
+
+ Alternatively, you can configure Netscape not to include the header line
+ in the first place. Add the following line to the
+ \($HOME/.netscape/preferences.js)\ and \($HOME/.netscape/liprefs.js)\
+ files:
+
+==> user_pref("mail.suppress_sender_header", true);
+
+ Netscape \*must*\ be shutdown while doing this.
+
+
+Q0084: I want to set up an alias that pipes a message to \^gpg^\ and then pipes
+ the result to \^mailx^\ to resubmit the message, but when I use my
+ tested command in an alias file, I get an error from \^gpg^\.
+
+A0084: Probably you are using a shell command with two pipe symbols in it. An
+ alias like this:
+
+==> gpg-xxx: "|gpg <options> | mailx <options"
+
+ does not work, because Exim does not run pipes under a shell by default.
+ You must call a shell explicitly if you want to make use of the shell's
+ features for double-piping, either by piping to \"/bin/sh"\ with a
+ suitable \"-c"\ option, or by piping to a shell script.
+
+
+Q0085: I see a lot of \*rejected EHLO ... syntactically invalid argument(s)*\.
+ I know it's because of the underscore in the host name, but is there a
+ switch to allow Exim to accept mail from such hosts?
+
+A0085: Yes. Add this to your configuration:
+
+==> helo_allow_chars = _
+
+ For more seriously malformed host names, see \helo_accept_junk_hosts\.
+ See also Q0732.
+
+
+Q0086: What does \*SMTP protocol violation: synchronization error (next input
+ sent too soon)*\ mean?
+
+A0086: SMTP is a ``lock-step'' protocol, which means that, at certain points in
+ the protocol, the client must wait for the server to respond before
+ sending more data. Exim checks for correct behaviour, and issues this
+ error if the client sends data too soon. This protects against
+ malefactious clients who send a bunch of SMTP commands (usually to
+ transmit spam) without waiting for any replies.
+
+ This error is also provoked if the client is trying to start up a TLS
+ session immediately on connection, without using the STARTTLS command.
+ See Q1707 for a discussion of this case.
+
+
+Q0087: What does \*rejected after DATA: malformed address: xx@yy may not follow
+ <xx@yy> : failing address in "from" header*\ mean? (I've obscured the
+ real email addresses.)
+
+A0087: Your DATA ACL contains
+
+==> verify = header_syntax
+
+ and an incoming message contained the line
+
+==> From: xx@yy <xx@yy>
+
+ This is syntactically invalid. The contents of an address in a header
+ line are either just the address, or a ``phrase'' followed by an address
+ in angle brackets. In the latter case, the ``phrase'' must be quoted if
+ it contains special characters such as @. The following are valid
+ versions of the bad header:
+
+==> From: xx@yy
+ From: "xx@yy" <xx@yy>
+
+ though why on earth anything generates this kind of redundant nonsense I
+ can't think.
+
+
+Q0088: The Windows mailer SENDFILE.EXE sometimes hangs while trying to send a
+ message to Exim 4, and eventually times out. It worked flawlessly with
+ Exim 3. What has changed?
+
+A0088: Exim 4 sets an obscure TCP/IP parameter called TCP_NODELAY. This
+ disables the "Nagle algorithm" for the TCP/IP transmission. The Nagle
+ algorithm can improve network performance in interactive situations such
+ as a human typing at a keyboard, by buffering up outgoing data until the
+ previous packet has been acknowledged, and thereby reducing the number
+ of packets used. This is not relevant for mail transmission, which
+ mostly consists of quite large blocks of data; setting TCP_NODELAY
+ should improve performance. However, it seems that some Windows clients
+ do not function correctly if the server turns off the Nagle algorithm.
+ If you are using Exim 4.23 or later, you can set
+
+==> tcp_nodelay = false
+
+ This stops Exim setting TCP_NODELAY on the sockets created by the
+ listening daemon.
+
+
+Q0089: What does the error \*kernel: application bug: exim(12099) has SIGCHLD
+ set to SIG_IGN but calls wait()*\ mean?
+
+A0089: This was a bad interaction between a relatively recent change to the
+ Linux kernel and some ``belt and braces'' programming in Exim. The
+ following explanation is taken from Exim's change log:
+
+ When Exim is receiving multiple messages on a single connection, and
+ spinning off delivery processess, it sets the SIGCHLD signal handling to
+ SIG_IGN, because it doesn't want to wait for these processes. However,
+ because on some OS this didn't work, it also has a paranoid call to
+ \^waitpid()^\ in the loop to reap any children that have finished. Some
+ versions of Linux now complain (to the system log) about this
+ ``illogical'' call to \^waitpid()^\. I have therefore put it inside a
+ conditional compilation, and arranged for it to be omitted for Linux.
+
+ I am pretty sure I caught all the places in Exim where this happened.
+ However, there are still occasional reports of this error. I have not
+ heard of any resolutions, but my current belief is that they are caused
+ by something that Exim calls falling foul of the same check. There was
+ at one time a suspicion that the IPv6 stack was involved.
+
+
+Q0090: I can't seem to get a pipe command to run when I include a \"${lookup"\
+ expansion in it.
+
+A0090: See Q0025.
+
+
+Q0091: Why is Exim giving the error \*Failed to send message from address_reply
+ transport*\ when I run it using -C to specify an alternate
+ configuration?
+
+A0091: See Q0065.
+
+
+
+1. BUILDING AND INSTALLING
+
+Q0101: I'm having a problem with an Exim RPM.
+
+A0101: Normally the thing to do if you have a problem with an RPM package is
+ to contact the person who built the package first, not the person who
+ made the software that's in the package. You can usually find out who
+ made a package using the following command:
+
+==> rpm --query --package --queryformat '%{PACKAGER}\n' <rpm-package-file>
+
+ where \[rpm-package-file]\ is the actual file, e.g. \(exim-3.03-2.i386.rpm)\.
+ Or, if the package is installed on your system:
+
+==> rpm --query --queryformat '%{PACKAGER}\n' <package-name>
+
+ where \[package-name]\ is the name component of the package, e.g. \"exim"\.
+ If the packager is unable or unwilling to help, only then should you
+ contact the actual author or associated mailing list of the software.
+
+ If you discover through the querying process that you can't tell who
+ the person (or company or group) is who built the package, or that they
+ no longer exist at the given address, then you should reconsider
+ whether you want a package from an unknown source on your system.
+
+ If you discover through the querying process that you yourself are the
+ person who built the package, then you should either (a) contact the
+ author or associated mailing list, or (b) reconsider whether you ought
+ to be building and distributing RPM packages of software you don't
+ understand.
+
+ Similar rules of thumb govern other binary package formats, including
+ debs, tarballs, and POSIX packages.
+
+
+Q0102: I can't get Exim to compile with Berkeley DB version 2.x or 3.x.
+
+A0102: Have you set \"USE_DB=yes\" in \(Local/Makefile)\? This causes Exim to use the
+ native interface to the DBM library instead of the compatibility
+ interface, which needs a header called \(ndbm.h)\ that may not exist on your
+ system.
+
+
+Q0103: I'm getting an \*undefined symbol*\ error for \"hosts_ctl"\ when I try to
+ build Exim. (On some systems this error is \*undefined reference to
+ 'hosts_ctl'*\.)
+
+A0103: You should either remove the definition of \\USE_TCP_WRAPPERS\\ or add
+ \"-lwrap"\ to your \\EXTRALIBS\\ setting in Local/Makefile.
+
+
+Q0104: I'm about to upgrade to a new Exim release. Do I need to ensure the
+ spool is empty, or take any other special action?
+
+A0104: It depends on where you are coming from.
+
+ (1) If you are changing to release 4.00 or later from a release prior to
+ 4.00, you will need to make changes to the run time configuration file.
+ See the file \(doc/Exim4.upgrade)\ for details. If you are coming from
+ before release 3.00, you should also see \(doc/Exim3.upgrade)\.
+
+ (2) If you are upgrading from an Exim 4 release to a later release, you
+ do not need to take special action. New releases are made backwards
+ compatible with old spool files and hints databases, so that upgrading
+ can be done on a running system. All that should be necessary is to
+ install a new binary and then HUP the daemon.
+
+
+Q0105: What does the error \*install-info: command not found*\ mean?
+
+A0105: You have set \\INFO_DIRECTORY\\ in your \(Local/Makefile)\, and Exim is trying
+ to install the Texinfo documentation, but cannot find the command called
+ \(install-info)\. If you have a version of Texinfo prior to 3.9, you
+ should upgrade. Otherwise, check your installation of Texinfo to see why
+ the \(install-info)\ command is not available.
+
+
+Q0106: Exim doesn't seem to be recognizing my operating system type correctly,
+ and so is failing to build.
+
+A0106: Run the command \"scripts/os-type -generic"\. The output should be one of
+ the known OS types, and should correspond to your operating system. You
+ can see which OS are supported by obeying \"ls OS/Makefile-*"\ and looking
+ at the file name suffixes.
+
+ If there is a discrepancy, it means that the script is failing to
+ interpret the output from the \"uname"\ command correctly, or that the
+ output is wrong. Meanwhile, you can build Exim by obeying
+
+==> EXIM_OSTYPE=xxxx make
+
+ instead of just \"make"\, provided you are running a Bourne-compatible
+ shell, or otherwise by setting \\EXIM_OSTYPE\\ correctly in your
+ environment. It is probably best to start again from a clean
+ distribution, to avoid any wreckage left over from the failed attempt.
+
+
+Q0107: Exim fails to build, complaining about the absence of the \"killpg"\
+ function.
+
+A0107: This function should be present in all modern flavours of Unix. If you
+ are using an older version, you should be able to get round the problem
+ by inserting
+
+==> #define killpg(pgid,sig) kill(-(pgid),sig)
+
+ into the file called \(OS/os.h-xxx)\, where xxx identifies your operating
+ system, and is the output of the command \"scripts/os-type -generic"\.
+
+
+Q0108: I'm getting an unresolved symbol \"ldap_is_ldap_url"\ when trying to build
+ Exim.
+
+A0108: You must have specified \"LOOKUP_LDAP=yes"\ in the configuration. Have you
+ remembered to set \"-lldap"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You need that
+ in order to get the LDAP library scanned when linking.
+
+
+Q0109: I'm getting an unresolved symbol \"mysql_close"\ when trying to build Exim.
+
+A0109: You must have specified \"LOOKUP_MYSQL=yes"\ in the configuration. Have you
+ remembered to set \"-lmysqlclient"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You
+ need that in order to get the MySQL library scanned when linking.
+
+
+Q0110: I'm trying to build Exim with PAM support. I have included \"-lpam"\ in
+ \\EXTRALIBS\\, but I'm still getting a linking error:
+
+==> /lib/libpam.so: undefined reference to `dlerror'
+ /lib/libpam.so: undefined reference to `dlclose'
+ /lib/libpam.so: undefined reference to `dlopen'
+ /lib/libpam.so: undefined reference to `dlsym'
+
+A0110: Add \"-ldl"\ to \\EXTRALIBS\\. In some systems these dynamic loading functions
+ are in their own library.
+
+
+Q0111: I'm getting the error \*db.h: No such file or directory*\ when I try to
+ build Exim.
+
+A0111: This problem has been seen with RedHat 7.0, but could also happen in
+ other environments. If your system is using the DB library, you
+ need to install the DB development package in order to build Exim.
+ The package is called something like \"db3-devel-3.1.14-16.i386.rpm"\ for
+ Linux systems, but you should check which version of DB you have
+ installed (current releases are DB 4).
+
+
+Q0112: I'm getting the error \*/usr/bin/ld: cannot find -ldb*\ when I try to
+ build Exim.
+
+A0112: This is probably the same problem as Q0111.
+
+
+Q0113: I've compiled Exim and I've managed to start it but there was one
+ problem - it always complained that \(libmsqlclient.so.10)\ was not found,
+ even though this file is in \(/usr/local/lib/mysql/)\.
+
+A0113: Solaris: ensure you have this in your \(Local/Makefile)\:
+
+==> LOOKUP_LIBS=-L/usr/local/lib/mysql -R/usr/local/lib/mysql
+
+ Net/Open/FreeBSD: Run this command (or ensure it gets run automatically
+ at boot time):
+
+==> ldconfig -m /usr/local/lib/mysql
+
+ Linux: add \(/usr/local/lib/mysql)\ to \(/etc/ld.so.conf)\ and re-run \(ldconfig)\.
+ Alternatively, add
+
+==> -Wl,-rpath -Wl,/usr/local/lib/mysql
+
+ to EXTRA_LIBS and then re-link (this is similar to the Solaris solution
+ above). This will probably also work on other systems that use GNU
+ Binutils.
+
+
+Q0114: How can I remove Sendmail from my system? I've built Exim and run \"make
+ install"\, but it still doesn't seem to be fully operational.
+
+A0114: If you are running FreeBSD, see Q9201. Otherwise, you need to arrange
+ that whichever of the paths \(/usr/sbin/sendmail)\ or \(/usr/lib/sendmail)\
+ exists on your system is changed to refer to Exim. For example, you
+ could use these commands (as \/root/\):
+
+==> mv /usr/sbin/sendmail /usr/sbin/sendmail.original
+ chmod u-s /usr/sbin/sendmail.original
+ ln -s /path/to/exim /usr/sbin/sendmail
+
+ The second command removes the setuid privilege from the old MTA, as a
+ general safety precaution. In the third command, substitute the actual
+ path to the Exim binary for \(/path/to/exim)\.
+
+
+Q0115: What does \*Can't open \(../scripts/newer)\: No such file or directory*\
+ mean? I got it while trying to build Exim.
+
+A0115: You are using FreeBSD, or another OS that has a \^make^\ command which
+ tries to optimize the running of commands. Exim's \(Makefile)\ contains
+ targets with sequential commands like this:
+
+==> buildpcre:
+ @cd pcre; $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" \
+ CFLAGS="$(CFLAGS) $(PCRE_CFLAGS)" \
+ RANLIB="$(RANLIB)" HDRS="$(PHDRS)" \
+ INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)"
+ @if $(SHELL) $(SCRIPTS)/newer pcre/libpcre.a exim; then \
+ /bin/rm -f exim eximon.bin; fi
+
+ The second command assumes that the \"cd pcre"\ in the first command is
+ no longer in effect. If you have \"-j3"\ in your default set of
+ \"MAKEFLAGS"\, FreeBSD \^make^\ tries to optimize, and ends up up with both
+ commands in the same shell process. The result is that \"$(SCRIPTS)"\
+ (which has a value of \"../scripts"\) is not found.
+
+ The simplest solution is to force \^make^\ to use backwards compatibility
+ mode with each command in its own shell, by using the \-B\ flag. To
+ ensure that this happens throughout the build, it's best to export it in
+ your environment:
+
+==> MAKEFLAGS='-B'
+ export MAKEFLAGS
+ make
+
+
+Q0116: I have tried to build Exim with Berkeley DB 3 and 4, but I always get
+ errors.
+
+A0116: One common problem, especially when you have several different versions
+ of BDB installed on the same host, is that the header files and library
+ files for BDB are not in a standard place. You therefore need to tell
+ Exim where they are, by setting INCLUDE and DBMLIB in your
+ \(Local/Makefile)\. For example, I use this on my workstation when
+ I want to build with DB 4.1:
+
+==> INCLUDE=-I/opt/local/include/db-4.1
+ DBMLIB=/opt/local/lib/db-4.1/libdb.a
+
+ Specifying the complete library file like this will cause it to be
+ statically linked with Exim. You'll have to check to see where these
+ files are on your system. For example, on FreeBSD 5, the header is in
+ \(/usr/local/include/db4)\ and the library is in \(/usr/local/lib)\ and
+ called \(libdb4)\. In that environment, you could use:
+
+==> INCLUDE=-I/usr/local/include/db4
+ DBMLIB=-L/usr/local/lib -ldb4
+
+ This time, DBMLIB is specifying the library directory (\(/usr/local/lib)\)
+ and the name of the library (\(db4)\) separately. The name of the actual
+ library file is \(/usr/local/lib/libdb4.something)\. If the library was
+ compiled for dynamic linking, that will be used.
+
+
+Q0117: Is there a quick walk-through of an Exim install from source anywhere?
+
+A0117: Here! This is a contribution from a RedHat user, somewhat edited. On
+ other operating systems things may be slightly different, but the
+ general approach is the same.
+
+ (1) Install the db needed for Exim. This needs to be done first if you
+ don't have a DBM library installed. Go to \?http://www.sleepycat.com?\
+ and download \(db-4.1.25.tar.gz)\, or whatever the current release is.
+ Then:
+
+==> gunzip db-4.1.25.tar.gz
+ tar -xvf db-4.1.25.tar
+ cd db-4.1.25
+ cd build_unix
+ ../dist/configure
+ make
+ make install
+
+ (2) Add a user for use by Exim, unless you want to use an existing user
+ such as \/mail/\:
+
+==> adduser exim
+
+ (3) Now you can prepare to build Exim. Go to \?http://www.exim.org?\ or
+ one of its mirrors, or the master ftp site
+ \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download
+ \(exim-4.20.tar.gz)\ or whatever the current release is. Then:
+
+==> gunzip exim-4.20.tar.gz
+ tar -xvf exim-4.20.tar
+ cd exim-4.20
+ cp src/EDITME Local/Makefile
+ cp exim_monitor/EDITME Local/eximon.conf
+
+ (4) Edit \(Local/Makefile)\:
+
+ Comment out EXIM_MONITOR= unless you want to install the Exim
+ monitor (it requires X-windows).
+
+ Set the user you want Exim to use for itself:
+
+==> EXIM_USER=exim
+
+ If your DBM library is Berkeley DB, set up to use its native interface:
+
+==> USE_DB=yes
+
+ Make sure Exim's build can find the DBM library and its headers. If
+ you've installed Berkeley DB 4 you'll need to have settings like this
+ in \(Local/Makefile)\:
+
+==> INCLUDE=-I/usr/local/BerkeleyDB.4.1/include
+ DBMLIB=/usr/local/BerkeleyDB.4.1/lib/libdb.a
+
+ (Check that the first directory contains the db.h file and that the
+ second library exists.)
+
+ You don't need to change anything else, but you might want to review
+ the default settings in the ``must specify'' section.
+
+ (4) Build Exim by running the \/make/\ command.
+
+ (5) Install Exim by running, as \/root/\:
+
+==> make install
+
+ You \*must*\ be \/root/\ to do this. You do not have to be root for any of
+ the previous building activity.
+
+ (6) Run some tests on Exim; see if it will do local and remote
+ deliveries. Change the configuration if necessary (for example,
+ uncommenting \group\ on the \%local_delivery%\ transport if you don't
+ use a ``sticky bit'' directory).
+
+ (7) Change Sendmail to Exim (of course you need to have had Sendmail
+ installed to do this).
+
+==> /etc/init.d/sendmail stop
+ mv /usr/sbin/sendmail /usr/sbin/sendmail.org
+ ln -s /usr/exim/bin/exim /usr/sbin/sendmail
+ /etc/init.d/sendmail start
+
+ (8) Check the Exim log. Either use the Exim monitor, or:
+
+==> tail -f /var/spool/exim/log/mainlog
+
+
+Q0118: I've set \"LOOKUP_INCLUDE=-I/client/include"\ in Local/Makefile, but the
+ compilation of \^exim_dumpdb^\ is ignoring this option and failing. Why?
+
+A0118: LOOKUP_INCLUDE is the special include file for lookup modules in Exim
+ (e.g. mysql, LDAP). Confusingly, it doesn't apply to basic DBM code
+ which is used also for other things. Try setting INCLUDE and DBMLIB
+ instead. For example:
+
+==> USE_DB=yes
+ INCLUDE=-I/client/include
+ DBMLIB=/client/lib/libdb.a
+
+
+Q0119: I know there are some 3rd-party patches for Exim, for exiscan and
+ other things. Where are they?
+
+A0119: Exiscan is at \?http://duncanthrax.net/exiscan-acl/?\.
+[[br]]
+ Scanexi is at \?http://w1.231.telia.com/~u23107873/scanexi.html?\
+[[br]]
+ A sample \^^local_scan()^^\ function for interfacing to \^uvscan^\ is
+ at \?http://www.dcs.qmul.ac.uk/~mb/local_scan/?\.
+[[br]]
+ An interface to SpamAssassin at SMTP time is at
+ \?http://marc.merlins.org/linux/exim/sa.html?\.
+[[br]]
+ A mini-HOWTO (PDF file) about scanning and virus scanning, and some RPMs
+ can be found at \?http://www.timj.co.uk/linux/exim.php?\.
+
+
+
+2. ROUTING IN GENERAL
+
+Q0201: How can I arrange that messages larger than some limit are handled by
+ a special router?
+
+A0201: You can use a \condition\ option on the router line this:
+
+==> condition = ${if >{$message_size}{100K}{yes}{no}}
+
+
+Q0202: Can I specify a list of domains to explicitly reject?
+
+A0202: Set up a named domain list containing the domains in the first section
+ of the configuration, for example:
+
+==> domainlist reject_domains = list:of:domains:to:reject
+
+ You can use this list in an ACL to reject any SMTP recipients in those
+ domains. You can also give a customized error message, like this:
+
+==> deny message = The domain $domain is no longer supported
+ domains = +reject_domains
+
+ If you also want to reject these domains in messages that are submitted
+ from the command line (not using SMTP), you need to set up a router to
+ do it, like this:
+
+==> reject_domains:
+ driver = redirect
+ domains = +reject_domains
+ allow_fail
+ data = :fail: The domain $domain is no longer supported
+
+
+Q0203: How can I arrange to do my own qualification of non-fully-qualified
+ domains, and then pass them on to the next router?
+
+A0203: If you have some list of domains that you want to qualify, you can do
+ this using a redirect router. For example,
+
+==> qualify:
+ driver = redirect
+ domains = *.a.b
+ data = ${quote:$local_part}@$domain.c.com
+
+ This adds \".c.com"\ to any domain that matches \"*.a.b"\.
+ If you want to do this in conjunction with a \%dnslookup%\ router, the
+ \widen_domains\ option of that router may be another way of achieving
+ what you want.
+
+
+Q0204: Every system has a \"nobody"\ account under which httpd etc run. I would
+ like to know how to restrict mail which comes from that account to users
+ on that host only.
+
+A0204: Set up a first router like this:
+
+==> fail_nobody:
+ driver = redirect
+ senders = nobody@your.domain
+ domains = ! +local_domains
+ allow_fail
+ data = :fail: Nobody may not mail off-site
+
+ This assumes you have defined \+local_domains\ as in the default
+ configuration.
+
+
+Q0205: How can I get Exim to deliver to me locally and everyone else at the same
+ domain via SMTP to the MX record specified host?
+
+A0205: Create an \%accept%\ router to pick off the one address and pass it to
+ an appropriate transport. Put this router before the one that does MX
+ routing:
+
+==> me:
+ driver = accept
+ domains = dom.com
+ local_parts = me
+ transport = local_delivery
+
+ In the transport you will have to specify the \user\ option. An
+ alternative way of doing this is to add a condition to the router that
+ does MX lookups to make it skip your address. Subsequent routers can then
+ deliver your address locally. You'll need a condition like this:
+
+==> condition = \
+ ${if and {{eq{$domain}{dom.com}}{eq{$local_part}{me}}}{no}{yes}}
+
+
+Q0206: How can I get Exim to deliver certain domains to a different SMTP port
+ on my local host?
+
+A0206: You must set up a special \%smtp%\ transport, where you can specify the
+ \port\ option, and then set up a router to route the domains to that
+ transport. There are two possibilities for specifying the host:
+
+ (1) If you use a \%manualroute%\ router, you can specify the local host
+ in the router options. You must also set
+
+==> self = send
+
+ so that it does not object to sending to the local host.
+
+ (2) If you use a router that cannot specify hosts (for example, an
+ \%accept%\ router with appropriate conditions), you have to specify
+ the host using the \hosts\ option of the transport. In this case,
+ you must also set \allow_localhost\ on the transport.
+
+
+Q0207: Why does Exim lower-case the local-part of a non-local domain when
+ routing?
+
+A0207: Because \caseful_local_part\ is not set (in the default configuration)
+ for the \%dnslookup%\ router. This does not matter because the local
+ part takes no part in the routing, and the actual local part that is
+ sent out in the RCPT command is always the original local part.
+
+
+
+3. ROUTING TO REMOTE HOSTS
+
+Q0301: What do \*lowest numbered MX record points to local host*\ and \*remote
+ host address is the local host*\ mean?
+
+A0301: They mean exactly what they say. Exim expected to route an address to a
+ remote host, but the IP address it obtained from a router was for the
+ local host. If you really do want to send over TCP/IP to the local host
+ (to a different version of Exim or another MTA, for example), see Q0206.
+
+ More commonly, these errors arise when Exim thinks it is routing some
+ foreign domain. For example, the router configuration causes Exim to
+ look up the domain in the DNS, but when Exim examines the DNS output,
+ either the lowest numbered MX record points at the local host, or there
+ are no MX records, and the address record for the domain contains an
+ IP address that belongs to the local host.
+
+ There has been a rash of instances of domains being deliberately set up
+ with MX records pointing to \"localhost"\ (or other names with A records
+ that specify 127.0.0.1), which causes this behaviour. You can use the
+ \ignore_target_hosts\ option to get Exim to ignore these records. The
+ default contiguration does this. For more discussion, see Q0319. For
+ other cases:
+
+ (1) If the domain is meant to be handled as a local domain, there
+ is a problem with the configuration, because it should not then have
+ been looked up in the DNS. Check the \domains\ settings on your
+ routers.
+
+ (2) If the domain is one for which the local host is providing a
+ relaying service (called ``mail hubbing''), possibly as part of a
+ firewall, you need to set up a router to tell Exim where to send
+ messages addressed to this domain, because the DNS directs them to
+ the local host. You should put a router like this one before the one
+ that does DNS lookups:
+
+==> hubbed_hosts:
+ driver = manualroute
+ transport = remote_smtp
+ route_list = see discussion below
+
+ The contents of the \route_list\ option depend on how many hosts you
+ are hubbing for, and how their names are related to the domain name.
+ Suppose the local host is a firewall, and all the domains in
+ \(*.foo.bar)\ have MX records pointing to it, and each domain
+ corresponds to a host of the same name. Then the setting could be
+
+==> route_list = *.foo.bar $domain
+
+ If there isn't a convenient relationship between the domain names
+ and the host names, you either have to list each domain separately,
+ or use a lookup expansion to look up the host from the domain, or
+ put the routing information in a file and use the \route_data\
+ option with a lookup expansion.
+
+ (3) If neither (1) nor (2) is the case, the lowest numbered MX record or
+ the address record for the domain should not be pointing to your
+ host. You should arrange to get the DNS mended.
+
+
+Q0302: Why does Exim say \*all relevant MX records point to non-existent hosts*\
+ when MX records point to IP addresses?
+
+A0302: MX records cannot point to IP addresses. They are defined to point to
+ host names, so Exim always interprets them that way. (An IP address is a
+ syntactically valid host name.) The DNS for the domain you are having
+ problems with is misconfigured.
+
+ However, it appears that more and more DNS zones are breaking the rules
+ and putting IP addresses on the RHS of MX records. Exim follows the
+ rules and rejects this, but other MTAs do support it, so the
+ \allow_mx_to_ip\ was regretfully added at release 3.14 to permit this
+ heinous activity.
+
+
+Q0303: How do I configure Exim to send all messages to a central server? I
+ don't want to do any local deliveries at all on this host.
+
+A0303: Use this as your first and only router:
+
+==> send_to_gateway:
+ driver = manualroute
+ transport = remote_smtp
+ route_list = * central.server.host
+
+
+Q0304: How do I configure Exim to send all non-local mail to a gateway host?
+
+A0304: Replace the \%dnslookup%\ router in the default configuration with the
+ following:
+
+==> send_to_gateway:
+ driver = manualroute
+ domains = !+local_domains
+ transport = remote_smtp
+ route_list = * gate.way.host
+
+ If there are several hosts you can send to, you can specify them as a
+ colon-separated list.
+
+
+Q0305: How can I arrange for mail on my local network to be delivered directly
+ to the relevant hosts, but all other mail to be sent to my ISP's mail
+ server? The local hosts are all DNS-registered and behave like normal
+ Internet hosts.
+
+A0305: Set up a first router to pick off all the domains for your local
+ network. There are several ways you might do this. For example
+
+==> local_network:
+ driver = dnslookup
+ transport = remote_smtp
+ domains = *.mydomain.com
+
+ This does a perfectly conventional DNS routing operation, but only for
+ the domains that match \(*.mydomain.com)\. Follow this with a `smart
+ host' router:
+
+==> internet:
+ driver = manualroute
+ domains = !+local_domains
+ transport = remote_smtp
+ route_list = * mail.isp.net
+
+ This routes any other non-local domains to the smart host.
+
+
+Q0306: How do I configure Exim to send all non-local mail to a central server
+ if it cannot be immediately delivered by my host? I don't want to have
+ queued mail waiting on my host.
+
+A0306: Add to the \%remote_smtp%\ transport the following:
+
+==> fallback_hosts = central.server.name(s)
+
+ If there are several names, they must be separated by colons.
+
+
+Q0307: The \route_list\ setting \"^foo$:^bar$ $domain"\ in a \%manualroute%\
+ router does not work.
+
+A0307: The first thing in a \route_list\ item is a single pattern, not a list of
+ patterns. You need to write that as \"^(foo|bar)$ $domain"\.
+ Alternatively, you could use several items and write
+
+==> route_list = foo $domain; bar $domain
+
+ Note the semicolon separator. This is because the second thing in each
+ item can itself be a list - of hosts.
+
+
+Q0308: I have a domain for which some local parts must be delivered locally,
+ but the remainder are to be treated like any other remote addresses.
+
+A0308: One possible way of doing this is as follows: Assuming you are using a
+ configuration that is similar to the default one, first exclude your
+ domain from the first router by changing it to look like this:
+
+==> non_special_remote:
+ driver = dnslookup
+ domains = ! +local_domains : ! special.domain
+ transport = remote_smtp
+ ignore_target_hosts = 127.0.0.0/8
+ no_more
+
+ Then add a second router which handles the local parts that are not to
+ be delivered locally:
+
+==> special_remote:
+ driver = dnslookup
+ domains = special.domain
+ local_parts = ! lsearch;/list/of/special/localparts
+ transport = remote_smtp
+ ignore_target_hosts = 127.0.0.0/8
+ no_more
+
+ The remaining local parts will fall through to the remaining routers,
+ which can delivery them locally.
+
+
+Q0309: How can I configure Exim on a firewall machine so that if mail arrives
+ addressed to a domain whose MX points to the firewall, it is forwarded
+ to the internal mail server, without having to have a list of all the
+ domains involved?
+
+A0309: As your first router, have the standard \%dnslookup%\ router from the
+ default configuration, with the added option
+
+==> self = pass
+
+ This will handle all domains whose lowest numbered MX records do not
+ point to your host. Because of the \no_more\ setting, if it encounters
+ an unknown domain, routing will fail. However, if it hits a domain whose
+ lowest numbered MX points to your host, the \self\ option comes into
+ play, and overrides \no_more\. The \"pass"\ setting causes it to pass
+ the address on to the next router. (The default causes it to generate an
+ error.)
+
+ The only non-local domains that reach the second router are those with
+ MX records pointing to the local host. Set it up to send them to the
+ internal mail server like this:
+
+==> internal:
+ driver = manualroute
+ domains = ! +local_domains
+ transport = remote_smtp
+ route_list = * internal.server
+
+
+Q0310: If a DNS lookup returns no MX records why doesn't Exim just bin the
+ message?
+
+A0310: If a DNS lookup returns no MXs, Exim looks for an address record, in
+ accordance with the rules that are defined in the RFCs. If you want to
+ break the rules, you can set \mx_domains\ in the \%dnslookup%\ router, but
+ you will cut yourself off from those sites (and there still seem to be
+ plenty) who do not set up MX records.
+
+
+Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim
+ send the messsage to the host defined by the A record?
+
+A0311: The RFCs are quite clear on this. Only if it is known that there are no
+ MX records is an MTA allowed to make use of the A record. When an MX
+ lookup fails to complete, Exim does not know whether there are any MX
+ records or not. There seem to be some name servers (or some
+ configurations of some name servers) that give a ``server fail'' error when
+ asked for a non-existent MX record. Exim uses standard resolver calls,
+ which unfortunately do not distinguish between this case and a timeout,
+ so all Exim can do is try again later.
+
+
+Q0312: Is it possible to use a conditional expression for the host item in a
+ \route_list\ for \%manualroute%\ router? I tried the following, but it
+ doesn't work:
+
+==> route_list = * ${if match{$header_from:}{\N.*\.usa\.net$\N} \
+ {<smarthost1>}{<smarthost2>}
+
+A0312: The problem is that the second item in \route_list\ contains white
+ space, which means that it gets terminated prematurely. To avoid this,
+ you must put the second item in quotes:
+
+==> route_list = * "${if match{$header_from:}{\N.*\.usa\.net$\N} \
+ {<smarthost1>}{<smarthost2>}}"
+
+
+Q0313: I send all external mail to a smart host, but this means that bad
+ addresses also get passed to the smart host. Can I avoid this?
+
+A0313: Assuming you have DNS availability, set up a conventional \%dnslookup%\
+ router to do the routing, but in the \%remote_smtp%\ transport set this:
+
+==> hosts = your.smart.host
+ hosts_override
+
+ This will override the hosts that the router finds so that everything
+ goes to the smart host, but any non-existent domains will be failed by
+ the router.
+
+
+Q0314: I have a really annoying intermittent problem where attempts to mail to
+ valid sites are rejected with \*unknown mail domain*\. This only happens a
+ few times a day and there is no particular pattern to the sites it
+ rejects. If I try to lookup the same domain a few minutes later then it
+ is OK.
+
+A0314: This is almost certainly a problem with the DNS resolver or the the
+ domain's name servers.
+
+ (1) Have you linked Exim against the newest DNS resolver library that
+ comes with Bind? If you are using SunOS4 that may be your problem, as
+ the resolver that comes with that OS is known to be buggy and to give
+ intermittent false negatives.
+
+ (2) Effects like this are sometimes seen if a domain's name servers get
+ out of step with each other.
+
+
+Q0315: I'd like route all mail with addresses that can't be resolved (the DNS
+ lookup times out) to a relay machine.
+
+A0315: Set \pass_on_timeout\ on your \%dnslookup%\ router, and add below it a
+ \%manualroute%\ router that routes all relevant domains to the relay.
+
+
+Q0316: I would like to forward all incoming email for a particular domain to
+ another host via SMTP. Whereabouts would I configure that?
+
+A0316: Use this as your first router:
+
+==> special:
+ driver = manualroute
+ transport = remote_smtp
+ route_list = the.particular.domain the.other.host
+
+ You will also need to adjust the ACL for incoming SMTP so that this
+ domain is accepted for relaying. If you are using the default
+ configuration, there is a domain list called \relay_domains\ that is
+ set up for this.
+
+
+Q0317: What I'd like to do is have alternative smart hosts, where the one to be
+ used is determined by which ISP I'm connected to.
+
+A0317: The simplest way to do this is to arrange for the name of the smart host
+ du jour to be placed in a file when you connect, say \(/etc/smarthost)\.
+ Then you can read this file from a \%manualroute%\ router like this:
+
+==> smarthost:
+ driver = manualroute
+ transport = remote_smtp
+ route_list = * ${readfile{/etc/smarthost}{}}
+
+ The second argument of the \"readfile"\ item is a string that replaces
+ any newline characters in the file (in this case, with nothing).
+ By keeping the data out of the main configuration file, you avoid having
+ to HUP the daemon when it changes.
+
+
+Q0318: Exim won't route to a host with no MX record.
+
+A0318: More than one thing may cause this.
+
+ (1) Are you sure there really is no MX record? Sometimes a typo results
+ in a malformed MX record in the zone file, in which case some name
+ servers give a SERVFAIL error rather than NXDOMAIN. Exim has to treat
+ this as a temporary error, so it can't go on to look for address records.
+ You can check for this state using one of the DNS interrogation commands,
+ such as \(nslookup)\, \(host)\, or \(dig)\.
+
+ (2) Is there a wildcard MX record for \(your)\ domain? Is the
+ \search_parents\ option on in your \%dnslookup%\ router? If the answer to
+ both these questions is ``yes'', that is the cause of the problem. When
+ the DNS resolver fails to find the MX record, it tries adding on your
+ domain if \search_parents\ is true, and thereby finds your wildcard MX
+ record. For example:
+
+ . There is a wildcard MX record for \(*.a.b.c)\.
+
+ . There is a host called \(x.y.z)\ that has an A record and no MX record.
+
+ . Somebody on the host \(m.a.b.c)\ domain tries to mail to \(user@x.y.z)\.
+
+ . Exim calls the DNS to look for an MX record for \(x.y.z)\.
+
+ . The DNS doesn't find any MX record. Because \search_parents\ is true,
+ it then tries searching the current host's parent domain, so it
+ looks for \(x.y.z.a.b.c)\ and picks up the wildcard MX record.
+
+ Setting \search_parents\ false makes this case work while retaining the
+ wildcard MX record. However, anybody on the host \(m.a.b.c)\ who mails to
+ \(user@n.a)\ (expecting it to go to \(user@n.a.b.c)\) now has a problem. The
+ \widen_domains\ option of the \%dnslookup%\ router may be helpful in this
+ circumstance.
+
+
+Q0319: I have some mails on my queues that are sticking around longer than
+ the retry time indicates they should. They are all getting frozen
+ because some remote admin has set their MX record to 127.0.0.1.
+
+A0319: The admin in question is an idiot. Exim will always freeze such messages
+ because they are apparently routed to the local host. To bounce these
+ messages immediately, set
+
+==> ignore_target_hosts = 127.0.0.1
+
+ on the \%dnslookup%\ router. This causes Exim to completely ignore any hosts
+ with that IP address. In fact, there are quite a number of IP addresses
+ that should never be used. Here is a suggested configuration list for
+ the IPv4 ones:
+
+==> # Don't allow domains whose single MX (or A) record is a
+ # "special-use IPv4 address", as listed in RFC 3330.
+ ignore_target_hosts = \
+ # Hosts on "this network"; RFC 1700 (page 4) states that these
+ # are only allowed as source addresses
+ 0.0.0.0/8 : \
+ # Private networks, RFC 1918
+ 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
+ # Internet host loopback address, RFC 1700 (page 5)
+ 127.0.0.0/8 : \
+ # "Link local" block
+ 169.254.0.0/16 : \
+ # "TEST-NET" - should not appear on the public Internet
+ 192.0.2.0/24 : \
+ # 6to4 relay anycast addresses, RFC 3068
+ 192.88.99.0/24 : \
+ # Network interconnect device benchmark testing, RFC 2544
+ 198.18.0.0/15 : \
+ # Multicast addresses, RFC 3171
+ 224.0.0.0/4 : \
+ # Reserved for future use, RFC 1700 (page 4)
+ 240.0.0.0/4
+
+
+Q0320: How can I arrange for all mail to \*user@some.domain*\ to be forwarded
+ to \*user@other.domain*\?
+
+A0320: Put this as your first router:
+
+==> forward:
+ driver = redirect
+ domains = some.domain
+ data = ${quote:$local_part}@other.domain
+
+
+Q0321: How can I tell an Exim router to use only IPv4 or only IPv6 addresses
+ when it finds both types in the DNS?
+
+A0321: You can do this by making it ignore the addresses you don't want. This
+ example ignores all IPv6 addresses and all IPv4 addresses in the 127
+ network:
+
+==> ignore_target_hosts = <; 0000::0000/0 ; 127.0.0.0/8
+
+ To ignore all IPv4 addresses, use
+
+==> ignore_target_hosts = 0.0.0.0/0
+
+ See Q0319 for a general discussion of \ignore_target_hosts\.
+
+
+Q0322: How can I reroute all messages bound for 192.168.10.0 and 10.0.0.0 to
+ a specific mail server?
+
+A0322: That is an odd requirement. However, there is an obscure feature in
+ Exim, originally implemented for packet radio people, that perhaps can
+ help. Check out the \translate_ip_address\ generic router option.
+
+
+
+4. ROUTING FOR LOCAL DELIVERY
+
+Q0401: I need to have any mail for \(virt.dom.ain)\ that doesn't match one of the
+ aliases in \(/usr/lib/aliases.virt)\ delivered to a particular address, for
+ example, \(postmaster@virt.dom.ain)\.
+
+A0401: Adding an asterisk to a search type causes Exim to look up ``*'' when the
+ normal lookup fails. So if your aliasing router is something like this:
+
+==> virtual:
+ driver = redirect
+ domains = virt.dom.ain
+ data = ${lookup{$local_part}lsearch{/usr/lib/aliases.virt}}
+ no_more
+
+ you should change \"lsearch"\ to \"lsearch*"\, and put this in the alias
+ file:
+
+==> *: postmaster@virt.dom.ain
+
+ This solution has the feature that if there are several unknown
+ addresses in the same message, only one copy gets sent to the
+ postmaster, because of Exim's normal de-duplication rules.
+
+ NOTE: This solution works only if there is also an entry for \(postmaster)\
+ in the alias file, ultimately resolving to an address that is not in
+ \(virt.dom.ain)\. See also Q0434.
+
+
+Q0402: How do I arrange for all incoming email for \(*@some.domain)\ to go into one
+ pop3 mail account? The customer doesn't want to add a list of specific
+ local parts to the system.
+
+A0402: Set up a special transport that writes to the mailbox like this:
+
+==> special_transport:
+ driver = appendfile
+ file = /pop/mailbox
+ envelope_to_add
+ return_path_add
+ delivery_date_add
+ user = exim
+
+ The file will be written as the user \"exim"\. Then arrange to route all
+ mail for that domain to that transport, with a router like this:
+
+==> special_router:
+ driver = accept
+ domains = some.domain
+ transport = special_transport
+
+
+Q0403: How do I configure Exim to send messages for unknown local users to a
+ central server?
+
+A0403: Assuming you are using something like the default configuration, where
+ local users are processed by the later routers, you should add the
+ following router at the end:
+
+==> unknown:
+ driver = manualroute
+ transport = remote_smtp
+ route_list = * server.host.name
+ no_verify
+
+ However, you should if possible try to verify that the user is known on
+ the central server before accepting the message in the first place. This
+ can be done by making use of Exim's ``call forward'' facility.
+
+
+Q0404: How can I arrange for messages submitted by (for example) Majordomo to
+ be handled specially?
+
+A0404: You can use the \condition\ option on a router, with a setting such as
+
+==> condition = ${if and {{eq {$sender_host_address}{}} \
+ {eq {$sender_ident}{majordom}}} {yes}{no}}
+
+ This first tests for a locally-submitted message, by ensuring there is
+ no sending host address, and then it checks the identity of the user
+ that ran the submitting process.
+
+
+Q0405: On a host that accepts mail for several domains, do I have to use fully
+ qualified addresses in \(/etc/aliases)\ or do I have to set up an alias
+ file for each domain?
+
+A0405: You can do it either way. The default aliasing router contains this line:
+
+==> data = ${lookup{$local_part}lsearch{/etc/aliases}}
+
+ which is what does the actual lookup. To make it look up the complete
+ address instead of just the local part, use
+
+==> data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}}
+
+ If you want to use a separate file for each domain, use
+
+==> data = ${lookup{$local_part}lsearch{/etc/aliases/$domain}}
+
+
+Q0406: Some of my users are using the \(.forward)\ to pipe to a shell command which
+ appends to the user's INBOX. How can I forbid this?
+
+A0406: If you allow your users to run shells in pipes, you cannot control which
+ commands they run or which files they write to. However, you should point
+ out to them that writing to an INBOX by arbitrary commands is not
+ interlocked with the MTA and MUAs, and is liable to mess up the contents
+ of the file.
+
+ If a user simply wants to choose a specific file for the delivery of
+ messages, this can be done by putting a file name in a \(.forward)\ file
+ rather than using a pipe, or by using the \"save"\ command in an Exim
+ filter file.
+
+ You can set \forbid_pipe\ on the router, but that will prevent them from
+ running any pipe commands at all. Alternatively, you can restrict which
+ commands they may run in their pipes by setting the \allow_commands\
+ and/or \restrict_to_path\ options in the \%address_pipe%\ transport.
+
+
+Q0407: How can I arrange for a default value when using a query-style lookup
+ such as LDAP or NIS+ to handle aliases?
+
+A0407: Use a second query in the failure part of the original lookup, like
+ this:
+
+==> data = ${lookup ldap\
+ {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=$local_part@$domain))}\
+ {$value}\
+ {\
+ ${lookup ldap \
+ {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=default@$domain))}}\
+ }}
+
+ Of course, if the default is a fixed value you can just include it
+ directly.
+
+
+Q0408: If I don't fully qualify the addresses in a virtual domain's alias file
+ then mail to aliases which also match the local domain get delivered to
+ the local domain.
+
+A0408: Set the \qualify_preserve_domain\ option on the \%redirect%\ router.
+
+
+Q0409: I want mail for any local part at certain virtual domains to go
+ to a single address for each domain.
+
+A0409: One way to to this is
+
+==> virtual:
+ driver = redirect
+ data = ${lookup{$domain}lsearch{/etc/virtual}}
+
+ The \(/etc/virtual)\ file contains a list of domains and the addresses to
+ which their mail should be sent. For example:
+
+==> domain1: postmaster@some.where.else
+ domain2: joe@xyz.plc
+
+ If the number of domains is large, using a DBM or cdb file would be more
+ efficient. If the lookup fails to find the domain in the file, the value
+ of the \data\ option is empty, causing the router to decline.
+
+
+Q0410: How can I make Exim look in the alias NIS map instead of \(/etc/aliases)\?
+
+A0410: The default configuration does not use NIS (many hosts don't run it).
+ You need to change this line in the \%system_aliases%\ router:
+
+==> data = ${lookup{$local_part}lsearch{/etc/aliases}}
+
+ Change it to
+
+==> data = ${lookup{$local_part}nis{mail.aliases}}
+
+ If you want to use \(/etc/aliases)\ as well as NIS, put this router (with
+ a different name) before or after the default one, depending on which
+ data source you want to take precedence.
+
+
+Q0411: Why will Exim deliver a message locally to any username that is longer
+ than 8 characters as long as the first 8 characters match one of the
+ local usernames?
+
+A0411: The problem is in your operating system. Exim just calls the \^^getpwnam()^^\
+ function to test a local part for being a local login name. It does not
+ presume to guess the maximum length of user name for the underlying
+ operating system. Many operating systems correctly reject names that are
+ longer than the maximum length; yours is apparently deficient in this
+ regard. To cope with such systems, Exim has an option called
+ \max_user_name_length\ which you can set to the maximum allowed length.
+
+
+Q0412: Why am I seeing the error \*bad mode (100664) for /home/test/.forward*\?
+ I've looked through the documentation but can't see anything to suggest
+ that Exim has to do anything other than read the \(.forward)\ file.
+
+A0412: For security, Exim checks for mode bits that shouldn't be set, by
+ default 022. You can change this by setting the \modemask\ option of the
+ \%redirect%\ router that is handling \(.forward)\ files.
+
+
+Q0413: When a user's \(.forward)\ file is syntactially invalid, Exim defers
+ delivery of all messages to that user, which sometimes include the
+ user's own test messages. Can it be told to ignore the \(.forward)\ file
+ and/or inform the user of the error?
+
+A0413: Setting \skip_syntax_errors\ on the redirect router causes syntax
+ errors to be skipped. When dealing with users' \(.forward)\ files it is best
+ to combine this with a setting of \syntax_errors_to\ in order to send
+ a message about the error to the user. However, to avoid an infinite
+ cascade of messages, you have to be able to send to an address that
+ bypasses \(.forward)\ file processing. This can be done by including a
+ router like this one
+
+==> real_localuser:
+ driver = accept
+ check_local_user
+ transport = local_delivery
+ prefix = real-
+
+ before the \%redirect%\ router that handles \(.forward)\ files. This will
+ do an ordinary local delivery without \(.forward)\ processing, if the
+ local part is prefixed by \"real-"\. You can then set something like
+ the following options on the \%redirect%\ router:
+
+==> skip_syntax_errors
+ syntax_errors_to = real-$local_part@$domain
+ syntax_errors_text = "\
+ This is an automatically generated message. An error has been \
+ found\nin your .forward file. Details of the error are reported \
+ below. While\nthis error persists, messages addressed to you will \
+ get delivered into\nyour normal mailbox and you will receive a \
+ copy of this message for\neach one."
+
+ A final tidying setting to go with this is a rewriting rule that changes
+ \"real-username"\ into just \"username"\ in the headers of the message:
+
+==> \N^real-([^@]+)@your\.dom\.ain$\N $1@your.dom.ain h
+
+ This means that users won't ever see the \"real-"\ prefix, unless they
+ look at the ::Envelope-To:: header.
+
+
+Q0414: I have set \caseful_local_part\ on the routers that handle my local
+ domain because my users have upper case letters in their login names,
+ but incoming mail now has to use the correct case. Can I relax this
+ somehow?
+
+A0414: If you really have to live with caseful user names but want incoming
+ local parts to be caseless, then you have to maintain a file, indexed by
+ the lower case forms, that gives the correct case for each login, like
+ this:
+
+==> admin: Admin
+ steven: Steven
+ mcdonald: McDonald
+ lamanch: LaManche
+ ...
+
+ and at the start of the routers that handle your local domain, put one
+ like this:
+
+==> set_case_router:
+ driver = redirect
+ data = ${lookup{${lc:$local_part}}lsearch{/the/file}}
+ qualify_preserve_domain
+
+ For efficiency, you should also set the \redirect_router\ option to cause
+ processing of the changed address to begin at the next router. If you
+ are otherwise using the default configuration, the setting would be
+
+==> redirect_router = system_aliases
+
+ If there are lots of users, then a DBM or cdb file would be more
+ efficient than a linear search. If you are handling several domains,
+ you will have to extend this configuration to cope appropriately.
+
+
+Q0415: Can I use my existing alias files and forward files as well as procmail
+ and effectively drop in Exim in place of Sendmail ?
+
+A0415: Yes, as long as your alias and forward files don't assume that pipes are
+ going to run under a shell. If they do, you either have to change them,
+ or configure Exim to use a shell (which it doesn't by default).
+
+
+Q0416: What is quickest way to set up Exim so any message sent to a
+ non-existing user would bounce back with a different message, based
+ on the name of non-existing user?
+
+A0416: Place this router last, so that it catches any local addresses that
+ are not otherwise handled:
+
+==> non_exist:
+ driver = accept
+ transport = non_exist_reply
+ no_verify
+
+ Then add the following transport to the transports section:
+
+==> non_exist_reply:
+ driver = autoreply
+ user = exim
+ to = $sender_address
+ subject = User does not exist
+ text = You sent mail to $local_part. That's not a valid user here. \
+ The subject was: $subject.
+
+ If you want to pick up a message from a file, you can use the \file\
+ option (use \file_expand\ if you want its contents expanded).
+
+
+Q0417: What do I need to do to make Exim handle \(/usr/ucb/vacation)\ processing
+ automatically, so that people could just create a \(.vacation.msg)\ file in
+ their home directory and not have to edit their \(.forward)\ file?
+
+A0417: Add a new router like this, immediately before the normal \%localuser%\
+ router:
+
+==> vacation:
+ driver = accept
+ check_local_user
+ require_files = $home/.vacation.msg
+ transport = vacation_transport
+ unseen
+
+ and a matching new transport like this:
+
+==> vacation_transport:
+ driver = pipe
+ command = /usr/ucb/vacation $local_part
+
+ However, some versions of \(/usr/ucb/vacation)\ do not work properly unless
+ the DBM file(s) it uses are created in advance - it won't create them
+ itself. You also need a way of removing them when the vacation is over.
+
+ Another possibility is to use a fixed filter file which is run whenever
+ \(.vacation.msg)\ exists, for example:
+
+==> vacation:
+ driver = redirect
+ check_local_user
+ require_files = $home/.vacation.msg
+ file = /some/central/filter
+ allow_filter
+
+ The filter file should use the \"if personal"\ check before sending mail,
+ to avoid generating automatic responses to mailing lists. If sending a
+ message is all that it does, this doesn't count as a ``significant''
+ delivery, so the original message goes on to be delivered as normal.
+
+ Yet another possibility is to make use of Exim's \%autoreply%\ transport,
+ and not use \(/usr/ucb/vacation)\ at all.
+
+
+Q0418: I want to use a default entry in my alias file to handle unknown local
+ parts, but it picks up the local parts that the aliases generate. For
+ example, if the alias file is
+
+==> luke.skywalker: luke
+ ls: luke
+ *: postmaster
+
+ then messages addressed to \/luke.skywalker/\ end up at \/postmaster/\.
+
+A0418: The default mechanism works best with virtual domains, where the
+ generated address is not in the same domain. If you just want to pick up
+ all unknown local parts and send them to postmaster, an easier way to do
+ it is to put this as your last router:
+
+==> unknown:
+ driver = redirect
+ data = postmaster
+ no_verify
+
+ Another possibility is to put the redirect router for these aliases
+ after all the other routers, so that local parts which are user names
+ get picked off first. You will need to have two aliasing routers if
+ there are some local parts (e.g. \/root/\) which are login names, but which
+ you want to handle as aliases.
+
+
+Q0419: I have some obsolete domains which people have been warned not to use
+ any more. How can I arrange to delete any mail that is sent to them?
+
+A0419: To reject them at SMTP time, with a customized error message, place
+ statments like this in the ACL:
+
+==> deny message = The domain $domain is obsolete
+ domains = lsearch;/etc/exim/obsolete.domains
+
+ For messages that don't arrive over SMTP, you can use a router like
+ this to bounce them:
+
+==> obsolete:
+ driver = redirect
+ domains = lsearch;/etc/exim/obsolete.domains
+ allow_fail
+ data = :fail: the domain $domain is obsolete
+
+ If you just want to throw away mail to those domains, accept them at
+ SMTP time, and use a router like this:
+
+==> obsolete:
+ domains = lsearch;/etc/exim/obsolete.domains
+ data = :blackhole:
+
+
+Q0420: How can I arrange that mail addressed to \(anything@something.mydomain.com)\
+ gets delivered to \(something@mydomain.com)\?
+
+A0420: Set up a router like this:
+
+==> user_from_domain:
+ driver = redirect
+ data = ${if match{$domain}{\N^(.+)\.mydomain\.com$\N}\
+ {$1@mydomain.com}}
+
+
+Q0421: I can't get a regular expression to work in a \local_parts\ option on
+ one of my routers.
+
+A0421: Have you remembered to protect any backslash and dollar characters in
+ your regex from unwanted expansion? The easiest way is to use the
+ \"@\N"\ facility, like this:
+
+==> local_parts = \N^0740\d{6}\N
+
+
+Q0422: How can I arrange for all addresses in a group of domains \(*.example.com)\
+ to share the same alias file? I have a number of such groups.
+
+A0422: For a single group you could just hard wire the file name into a router
+ that had
+
+==> domains = *.example.com
+
+ set, to restrict it to the relevant domains. For a number of such groups
+ you can create a file containing the domains, like this:
+
+==> *.example1.com example1.com
+ *.example2.com example2.com
+ ...
+
+ Then create a router like this
+
+==> domain_aliases:
+ driver = redirect
+ domains = partial-lsearch;/that/file
+ data = ${lookup{$local_part}lsearch*{/etc/aliases.d/$domain_data}}
+
+ The variable \$domain_data$\ contains the data that was looked up when the
+ \domains\ option was matched, i.e. \"example1.com"\, \"example2.com"\, etc.
+ in this case.
+
+
+Q0423: Some of our users have no home directories; the field in the password
+ file contains \(/no/home/dir)\. This causes the error \*failed to stat
+ /no/home/dir (No such file or directory)*\ when Exim tries to look for a
+ \(.forward file)\, and the delivery is deferred.
+
+A0423: There are two issues involved here:
+
+ (1) With the default configuration, you are asking Exim to check for a
+ \(.forward)\ file in the user's home directory. If no file is found,
+ Exim tries to \^^stat()^^\ the home directory. This is so that it will
+ notice a missing NFS home directory, and not treat it as if the
+ \(.forward)\ file did not exist. This \^^stat()^^\ is failing when the
+ home directory really doesn't exist. You should arrange for the
+ \%userforward%\ router not to run for these special users, by adding
+ this line:
+
+==> condition = ${if eq {$home}{/no/home/dir}{no}{yes}}
+
+ (2) If you use \check_local_user\ on another router to route to a local
+ transport (again, this is what is in the default configuration), you
+ will also have to specify a current directory for the transport, because
+ by default it makes the home directory current. This is easily done by
+ adding
+
+==> current_directory = /
+
+ to the transport or
+
+==> transport_current_directory = /
+
+ to the router. Or you can add \home_directory\ to the transport, because
+ the current directory defaults to the home directory.
+
+
+Q0424: How can I disable Exim's de-duplication features? I want it to do two
+ deliveries if two different aliases expand to the same address.
+
+A0424: This is not possible. Duplication has other ramifications other than
+ just (in)convenience. Consider:
+
+ . Message is addressed to A and to B.
+
+ . Both A and B are aliased to C.
+
+ . Without de-duplication, two deliveries to C are scheduled.
+
+ . One delivery happens, Exim records that it has delivered the message
+ to C.
+
+ . The next delivery fails (C's mailbox is over quota, say).
+
+ Next time round, Exim wants to know if it has already delivered to C or
+ not, before scheduling a new delivery. Has it? Obviously, if duplicate
+ deliveries are supported, it has to remember not only that it has
+ delivered to C but also the ``history'' of how that delivery happened - in
+ effect an ancestry list back to the original envelope address. This it
+ does not do, and changing it to work in that way would be a lot of work
+ and a big upheaval.
+
+ The best way to get duplicate deliveries if you want them is not to use
+ aliases, but to route the addresses directly to a transport, e.g.
+
+==> duplicates:
+ driver = accept
+ local_parts = lsearch;/etc/list/of/special/local/parts
+ transport = local_delivery
+ user = exim
+
+
+Q0425: My users' mailboxes are distributed between several servers according to
+ the first letter of the user name. All the servers receive incoming mail
+ at random. I would like to have the same configuration file for all the
+ servers, which does local delivery for the mailboxes it holds, and sends
+ other addresses to the correct other server. Is this possible?
+
+A0425: It is easiest if you arrange for all the users to have password entries
+ on all the servers. This means that non-existent users can be detected
+ at the first server they reach. Set up a file containing a mapping from
+ the first letter of the user names to the servers where their mailboxes
+ are held. For example:
+
+==> a: server1
+ b: server1
+ c: server2
+ ...
+
+ Before the normal \%localuser%\ router, place the following router:
+
+==> mailbox_host:
+ driver = manualroute
+ check_local_user
+ transport = remote_smtp
+ route_list = * ${lookup{${substr_0_1:$local_part}}lsearch{/etc/mapfile}}
+ self = pass
+
+ This router checks for a local account, then looks up the host from the
+ first character of the local part. If the host is not the local host,
+ the address is routed to the \%remote_smtp%\ transport, and sent to the
+ correct host. If the host is the local host, the \self\ option causes
+ the router to pass the address to the next router, which does a local
+ delivery.
+
+ The router is skipped for local parts that are not the names of local
+ users, and so these addresses fail.
+
+
+Q0426: One of the things I want to set up is for \(anything@onedomain)\ to forward
+ to \(anything@anotherdomain)\. I tried adding \($local_part@anotherdomain)\ to
+ my aliases but it did not expand - it sent it to that literal address.
+
+A0426: If you want to do it that way, you can use the \"expand"\ operator on
+ the lookup used in the data option of the redirect router. For example:
+
+==> data = ${expand:${lookup{$local_part}lsearch*{/etc/aliases}}}
+
+ Another approach is to use a router like this:
+
+==> forwarddomain:
+ driver = redirect
+ domains = onedomain
+ data = $local_part@anotherdomain
+
+ The value of \data\ can, of course, be more complicated, involving
+ lookups etc. if you have lots of different cases.
+
+
+Q0427: How can I have an address looked up in two different alias files, and
+ delivered to all the addresses that are found?
+
+A0427: Use a router like this:
+
+==> multi_aliases:
+ driver = redirect
+ data = ${lookup{$local_part}lsearch{/etc/aliases1}\
+ {$value${lookup{$local_part}lsearch{/etc/aliases2}{,$value}}}\
+ {${lookup{$local_part}lsearch{/etc/aliases2}{$value}fail}}}\
+
+ If the first lookup succeeds, the result is its data, followed by the
+ data from the second lookup, if any, separated by a comma. If the first
+ lookup fails, the result is the data from the third lookup (which also
+ looks in the second file), but if this also fails, the entire expansion
+ is forced to fail, thereby causing the router to decline.
+
+ Another approach is to use two routers, with the first re-generating the
+ original local part when it succeeds. This won't get processed by the
+ same router again. For example:
+
+==> multi_aliases1:
+ driver = redirect
+ data = ${lookup{$local_part}lsearch{/etc/aliases1}{$value,$local_part}}
+
+==> multi_aliases2:
+ data = ${lookup{$local_part}lsearch{/etc/aliases2}}
+
+ This scales more easily to three or more alias files.
+
+
+Q0428: I've converted from Sendmail, and I notice that Exim doesn't make use
+ of the \"owner-"\ entries in my alias file to change the sender address in
+ outgoing messages to a mailing list.
+
+A0428: If you have an alias file with entries like this:
+
+==> somelist: a@b, c@d, ...
+ owner-somelist: postmaster
+
+ Sendmail assumes that the second entry specifies a new sender address
+ for the first. Exim does not make this assumption. However, you can make
+ it take the same action, by adding
+
+==> errors_to = owner-$local_part@whatever.domain
+
+ to the configuration for your aliasing router. This is fail-safe,
+ because Exim verifies a new sender address before using it. Thus, the
+ change of sender address occurs only when the owner entry exists.
+
+
+Q0429: I would like to deliver mail addressed to a given domain to local
+ mailboxes, but also to generate messages to the envelope senders.
+
+A0429: You can do this with an ``unseen'' router and an \%autoreply%\ transport,
+ along the following lines:
+
+==> # Router
+ auto_warning_r:
+ driver = accept
+ check_local_user
+ domains = <domains you want to do this for>
+ condition = ${if eq{$sender_address}{}{no}{yes}}
+ transport = warning_t
+ no_verify
+ unseen
+
+ Place this router immediately before the normal \%localuser%\ router. The
+ \unseen\ option means that the address is still passed on to the next
+ router. The transport is configured like this:
+
+==> # Transport
+ warning_t:
+ driver = autoreply
+ file = /usr/local/mail/warning.txt
+ file_expand
+ from = postmaster@your.domain
+ to = $sender_address
+ user = exim
+ subject = Re: Your mail to $local_part@$domain
+
+ Note the use of the \condition\ option to avoid attempting to send a
+ message when there is no sender (that is, when the incoming message is a
+ bounce message). You can of course extend this to include other
+ conditions. If you want to log the sending of messages, you can add
+
+==> log = /some/file
+
+ to the transport and also make use of the \once\ option if you want to
+ send only one message to each sender.
+
+
+Q0430: Whenever Exim tries to route a local address, it gives a permission
+ denied error for the \(.forward)\ file, like this:
+
+==> 1998-08-10 16:55:32 0z5y2W-0000B8-00 == xxxx@yyy.zzz <xxxx@yyy.zz>
+ D=userforward defer (-1): failed to open /home/xxxx/.forward
+ (userforward router): Permission denied (euid=1234 egid=101)
+
+A0430: Have you remembered to make Exim setuid \/root/\?
+
+
+Q0431: How do I configure Exim to allow arbitrary extensions in local parts, of
+ the form \/+extension/\?
+
+A0431: Add this pre-condition to the relevant router:
+
+==> local_part_suffix = +*
+
+ If you want the extensions to be optional, also add the option
+
+==> local_part_suffix_optional
+
+ When the router runs, \$local_part$\ contains the local part with the
+ extension removed, and the extension (if any) is in \$local_part_suffix$\.
+ If you have set \check_local_user\, the test is carried out after the
+ extension is removed.
+
+
+Q0432: I use NIS for my user data. How can I stop Exim rejecting mail when my
+ NIS servers are being restarted?
+
+A0432: Exim doesn't know that you are using NIS; it just calls the \^^getpwnam()^^\
+ function, which is routed by nsswitch. Unfortunately, \^^getpwnam()^^\
+ was never designed to be routed through NIS, and it returns NULL if the
+ entry is not found or if the connection to the NIS server fails. This
+ means that Exim cannot tell the difference between ``no such user'' and
+ ``NIS is down''.
+
+ Crutches to help with this problem are \finduser_retries\ in Exim, and
+ \^nscd^\ on the Unix side, but they are not perfect, and mail can still
+ be lost. However, Nico Erfurth pointed out that you can create a router
+ for Exim that tests for the availability of NIS, and force a defer if
+ NIS is not running:
+
+==> check_nis:
+ driver = redirect
+ data = ${lookup {$local_part} nis {passwd}{}}
+
+ This should be placed before any router that makes any use of NIS,
+ typically at the start of your local routers. How does it work? If
+ your NIS server is reachable, the lookup will take place, and whether it
+ succeeds or fails, the result is an empty strting. This causes the
+ router to decline, and the address is passed to the following routers.
+ If your NIS server is down, the lookup defers, and this causes the
+ router to defer. A verification of an incoming address gets a temporary
+ rejection, and a delivery is deferred till later.
+
+
+Q0433: How can I arrange for a single address to be processed by \*both*\
+ \%redirect%\ \*and*\ \%accept%\?
+
+A0433: Check out the \unseen\ option.
+
+
+Q0434: How can I redirect all local parts that are not in my system aliases to
+ a single address? I tried using an asterisk in the system alias file
+ with an \"lsearch*"\ lookup, but that send \*all*\ messages to the
+ default address.
+
+A0434: If your alias file generates addresses in the local domain, they are
+ also processed as a potential aliases. For example, suppose this is your
+ alias file:
+
+==> caesar: jc
+ anthony: ma
+ *: brutus
+
+ The local part \/caesar/\ is aliased to \/jc/\, but that address is then
+ reprocessed by the routers. As the address is in the local domain, the
+ alias file is again consulted, and this time the default matches. In
+ fact after the second aliasing, \/brutus/\ is also processed again from
+ the start, and is aliased to itself. However, this happens only once,
+ because the next time, Exim notices that the aliasing router has already
+ processed \/brutus/\, so the router is skipped in order to avoid
+ looping.
+
+ There are several ways of solving this problem; which one you use
+ depends on your aliasing data.
+
+ (1) If the result of aliasing is always a local user name, that is,
+ aliasing never generates another alias, you can use the
+ \redirect_router\ option on the router to specify that processing
+ the generated addresses must start at the next router. For example:
+
+==> redirect_router = userforward
+
+ assuming that the next router is called \%userforward%\. This
+ ensures that there is at most one pass through the aliasing router.
+
+ (2) If you cannot rely on aliases generating non-aliases, it is often
+ easier not to use a default alias, but instead to place a router
+ such as the one below after all the other local routers (for the
+ relevant domains):
+
+==> catch_unknown:
+ driver = redirect
+ domains = ...
+ data = brutus@$domain
+
+ Note that the default aliasing technique works more successfully for
+ virtual domains (see Q0401) because the generated address for the
+ default is not usually in the same virtual domain as the incoming
+ address.
+
+
+Q0435: My alias file contains fully qualified addresses as keys, and some
+ wildcard domains in the form @foo.bar. Can Exim handle these?
+
+A0435: You can handle fully qualified addresses with this router:
+
+==> qualified_aliases:
+ driver = redirect
+ data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}}
+
+ (Add any other options you need for the \%redirect%\ router.) Place this
+ router either before or after the default aliases router that looks up
+ the local part only. (Or, if you have no unqualified aliases, replace
+ the default router.)
+
+ To handle wildcards in the form @foo.bar you will need yet another
+ router. (Wildcards of the form *@foo.bar can be handled by an lsearch*@
+ lookup.) Something like this:
+
+==> wildcard_aliases:
+ driver = redirect
+ data = ${lookup{@$domain}lsearch{/etc/aliases}}
+
+ Place this after the routers that handle the more specific aliases.
+
+
+
+5. FILTERING
+
+Q0501: My filter isn't working. How can I test it?
+
+A0501: Use the \-bf-\ option (\-bF-\ for a system filter) to test the basic operation
+ of your filter. You can request debugging information for filtering only
+ by adding \"-d-all+filter"\ to the command.
+
+
+Q0502: What I really need is the ability to obtain the result of a pipe
+ command so that I can filter externally and redirect internally. Is
+ this possible?
+
+A0502: The result of a pipe command is not available to a filter, because Exim
+ does not run any actual deliveries while filtering. It just sets up
+ deliveries at this time. They all actually happen later. If you want to
+ run pipes and examine their results, you need to set up a single
+ delivery to a delivery agent such as \^procmail^\ which provides this kind
+ of facility.
+
+ An possible alternative is to use the \"${run"\ expansion item to run an
+ external command while filtering. In this case, you can make use of some
+ of the results of the command.
+
+
+Q0503: I received a message with a ::Subject:: line that contained a non-printing
+ character (a carriage return). This messed up my filter file. Is there a
+ way to get round it?
+
+A0503: Instead of \"$h_subject:"\ use \"${escape:$h_subject:}"\
+
+
+Q0504: I want to search for \"$"\ in the subject line, but I can't seem to get
+ the syntax.
+
+A0504: Try one of these:
+
+==> if $h_subject: contains \$ then ...
+ if $h_subject: contains "\\$" then ...
+
+
+Q0505: My problem is that Exim replaces \$local_part$\ with an empty string in the
+ system filtering. What's wrong or what did I miss?
+
+A0505: A message may have many recipients. The system filter is run just once
+ at the start of a delivery attempt. Consequently, it does not make sense
+ to set \$local_part$\. Which recipient should it be set to? However, you
+ can access all the recipients from a system filter via the variable
+ called \$recipients$\.
+
+
+Q0506: Using \$recipients$\ in a system filter gives me another problem: how can
+ I do a string lookup if \$recipients$\ is a list of addresses?
+
+A0506: Check out the section of the filter specification called \*Testing a list of
+ addresses*\. If that doesn't help, you may have to resort to calling an
+ embedded Perl interpreter - but that is expensive.
+
+
+Q0507: What are the main differences between using an Exim filter and using
+ \^procmail^\?
+
+A0507: Exim filters and \^procmail^\ provide different facilities. Exim filters run
+ at routing time, before any deliveries are done. A filter is like a
+ ``\(.forward)\ file with conditions''. One of the benefits is de-duplication.
+ Another is that if you forward, you are forwarding the original message.
+
+ However, this does mean that pipes etc. are not run at filtering time,
+ nor can you change the headers, because the message may have other
+ recipients and Exim keeps only a single set of headers.
+
+ \^procmail^\ runs at delivery time. This is for one recipient only, and so
+ it can change headers, run pipes and check the results, etc. However, if
+ it wants to forward, it has to create a new message containing a copy
+ of the original message.
+
+ It's your choice as to which of these you use. You can of course use
+ both.
+
+
+Q0508: How can I allow the use of relative paths in users' filter files when
+ the directories concerned are not available from the password data?
+
+A0508: You need to be running Exim 4.11 or later. You can then specify a value
+ for \$home$\ by setting the router_home_directory option on the
+ \%redirect%\ router.
+
+ For earlier releases, there is no way to specify the value of \$home$\
+ for a \%redirect%\ router; it either comes from the password data as a
+ result of \check_local_user\, or is unset.
+
+
+Q0509: How can I set up a filter file to detect and block virus attachments?
+
+A0509: Exim's filter facilities aren't powerful enough to do much more than
+ very crude testing. Most people that want virus checking are nowadays
+ using one of the separate scanning programs such as \^exiscan^\ (see
+ \?http://duncanthrax.net/exiscan/?\). There is some further information
+ about scanning with Exim via \?http://www.timj.co.uk/linux/exim.php?\.
+
+
+Q0510: Is it possible to write code for scanning messages in Python?
+
+A0510: \^elspy^\ is a layer of glue code that enables you to write Python code
+ to scan email messages at SMTP time. \^elspy^\ also includes a small
+ Python library with common mail-scanning tools, including an interface
+ to SpamAssassin and a simple but effective virus detector. You can
+ optain \^elspy^\ from \?http://elspy.sourceforge.net/?\.
+
+
+Q0511: Whenever my system filter uses a \mail\ command to send a message, I get
+ the error \*User 0 set for address_reply transport is on the never_users
+ list*\. What does this mean?
+
+A0511: The system filter runs as \/root/\ in Exim 4, unless you set
+ \system_filter_user\ to specify otherwise. When you set up a delivery
+ direct from a system filter (an autoreply is a special kind of
+ ``delivery'') the transport runs as the same user, unless it has a
+ \user\ setting of its own. Normally, deliveries are not allowed to run
+ as \/root/\ as a security precaution; this is implemented by the
+ \never_users\ option.
+
+ The easiest solution is to add this to your configuration:
+
+==> system_filter_user = exim
+
+ The system filter then runs as \/exim/\ instead of \/root/\.
+ Alternatively, you can arrange for autoreplies from the system filter to
+ use a special transport of their own, and set the \user\ option on that
+ transport.
+
+
+Q0512: I'm trying to reference the ::Envelope-To:: header in my filter, but
+ \$h_envelope-to:$\ is always empty.
+
+A0512: ::Envelope-To:: is added at delivery time, by the transport. Therefore,
+ the header doesn't exist at filter time. In a user filter, the values
+ you probably want are in \$original_local_part$\ and
+ \$original_domain$\. In a system filter, the complete list of all
+ envelope recipients is in \$recipients$\.
+
+
+Q0513: I want my system filter to freeze all mails greater than 500K in size,
+ but to exclude those to a specific domain. However, I don't seem to be
+ able to use \$domain$\ in a system filter.
+
+A0513: You cannot do this in a system filter, because a single message may have
+ multiple recipients, some in the special domain, and some not. That is
+ also the reason why \$domain$\ is not set in a system filter.
+
+ If you want to take actions on a per-recipient basis, you have to do it
+ in a router. However, freezing is not appropriate, because freezing
+ stops all deliveries. You could, however, delay delivery to all but the
+ special domains by using something like this:
+
+==> delay_if_too_big:
+ driver = redirect
+ domains = !the.special.domain
+ condition = ${if >{$message_size}{500K}{yes}{no}}
+ allow_defer
+ data = :defer: message too big.
+
+ However, there isn't an easy way of ``releasing'' such messages at
+ present.
+
+
+Q0514: When I try to send to two addresses I get an error in the filter
+ file \*malformed address: , e@fgh.com may not follow a@bcd.com*\. What
+ is going on?
+
+A0514: Have you got
+
+==> deliver "a@bcd.com, e@fgh.com"
+
+ in your filter? If so, that is your problem. You should have
+
+==> deliver a@bcd.com
+ deliver e@fgh.com
+
+ Each \deliver\ command expects just one address.
+
+
+
+6. DELIVERY
+
+Q0601: What does the error \*Neither the xxx router nor the yyy transport set
+ a uid for local delivery of...*\ mean?
+
+A0601: Whenever Exim does a local delivery, it runs a process under a specific
+ user and group id (uid and gid). For deliveries into mailboxes, and to
+ pipes and files set up by forwarding, it normally picks up the uid/gid
+ of the receiving user. However, if an address is directed to a pipe or a
+ file by some other means, such an entry in the system alias file of the
+ form
+
+==> majordomo: |/local/mail/majordomo ...
+
+ then Exim has to be told what uid/gid to use for the delivery. This can
+ be done either on the routerr that handles the address, or on the
+ transport that actually does the delivery. If a pipe is going to run a
+ setuid program, then it doesn't matter what uid Exim starts it out with,
+ and so the most straightforward thing is to put
+
+==> user = exim
+
+ on either the router or the transport. A setting on the transport
+ overrides a setting on the router, so if the same transport is being
+ used with several routers, you should set the user on it only if you
+ want the same uid to be used in all cases.
+
+ In the default configuration, the transports used for file and pipe
+ deliveries are the ones called \address_file\ and \address_pipe\. You
+ can specify different transports by setting, for example,
+
+==> pipe_transport = special_pipe_transport
+
+ on the \%system_aliases%\ router. Then you can set up \%special_pipe_transport%\
+
+==> special_pipe_transport:
+ driver = pipe
+ user = ????
+
+ which will be used only for pipe deliveries from that one router.
+ What you put for the ???? is up to you, and depends on the particular
+ circumstances.
+
+
+Q0602: Exim keeps crashing with segmentation errors (signal 11 or 139) during
+ delivery. This seems to happen when it is about to contact a remote
+ host or when a delivery is deferred.
+
+A0602: This could be a problem with Exim's databases. Try running a delivery
+ with debugging turned on. If the last line of the debug output is
+ something like this:
+
+==> locked /var/spool/exim/db/retry.lockfile
+
+ the crash is happening inside the DBM library. Check that your DBM
+ library is correctly installed. In particular, if you have installed a
+ second DBM library onto a system that already had one, check that its
+ version of \(ndbm.h)\ is being seen first. For example, if the new
+ version is in \(/usr/local/include)\, check that there isn't another
+ version in \(/usr/include)\. If you are using Berkeley db, you can set
+
+==> USE_DB=yes
+
+ in your \(Local/Makefile)\ to avoid using \(ndbm.h)\ altogether. This is
+ particularly relevant for version 2 (or later) of Berkeley db, because
+ no \(ndbm.h)\ file is distributed with it. Another thing you can try is
+ to run
+
+==> exim_dumpdb /var/spool/exim retry
+
+ to see if it also crashes, or build the \^test_dbfn^\ tool and fiddle
+ around with it. If both fail, it is most almost certainly a problem with
+ your DBM library. You could try to update it, or force Exim to use
+ another library. See the file \(doc/dbm.discuss.txt)\ for hints about
+ this.
+
+
+Q0603: How can mails that are being routed through routers that do not set
+ \check_local_user\ be delivered under the uid of the recipient?
+
+A0603: Q0601 contains background information on this. If you are using, say, an
+ alias file to direct messages to specific mailboxes, you can use
+ the \user\ option on either the router or the transport to set the uid.
+ What you put in the setting depends on how the required uid is to be
+ found. It could be looked up in a file or computed somehow from the
+ local part, for example.
+
+
+Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the
+ ctrl-A characters that separate indvidual emails?
+
+A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact,
+ for MMDF mailboxes you need a prefix as well as a suffix to get it
+ working right, so your transport should contain these settings:
+
+==> message_prefix = "\1\1\1\1\n"
+ message_suffix = "\1\1\1\1\n"
+
+ Also, you need to change the \check_string\ and \escape_string\ settings so
+ that the escaping happens for lines in the message that happen to begin
+ with the MMDF prefix or suffix string, rather than ``From'' (the default):
+
+==> check_string = "\1\1\1\1\n"
+ escape_string = "\1\1\1\1 \n"
+
+ Adding a space to the line is sufficient to prevent it being taken as a
+ separator.
+
+
+Q0605: If a user's mailbox is over quota, is there a way for me to set it up so
+ that the mail bounces to the sender and is not stored in the mail queue?
+
+A0605: In the retry section of the configuration, put
+
+==> *@your.dom.ain quota
+
+ That is, provide no retry timings for over quota errors. They will then
+ bounce immediately. Alternatively, you can set up retries for a short
+ time only, or use something like this:
+
+==> *@your.dom.ain quota_7d
+ *@your.dom.ain quota F,2h,15m; F,3d,1h
+
+ which bounces immediately if the user's mailbox hasn't been read for 7
+ days, but otherwise tries for up to 3 days after the first quota
+ failure.
+
+
+Q0606: I'm using tmail to do local deliveries, but when I turned on the
+ \use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\
+ terminations) message bodies started to vanish.
+
+A0606: You need to unset the \mesage_prefix\ option, or change it so that its
+ default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the
+ transport could be:
+
+==> local_delivery_mbx:
+ driver = pipe
+ command = /usr/local/bin/tmail $local_part
+ user = exim
+ current_directory = /
+ use_crlf
+ message_prefix =
+
+ The reason for this is as follows: tmail uses the line terminator on
+ the first line it sees to determine whether lines are terminated by
+ \"@\r@\n"\ or \"@\n"\. If the latter, it moans to stderr and changes subsequent
+ \"@\n"\ terminators to \"@\r@\n"\. The default setting of the \message_prefix\
+ option is \"From ...@\n"\, and this is unaffected by the \use_crlf\ option.
+ If you don't change this, tmail sees the first line terminated by
+ \"@\n"\ and prepends \"@\r"\ to the \"@\n"\ terminator on all subsequent
+ lines. However, if \use_crlf\ is set, Exim makes all other lines
+ \"@\r@\n"\ terminated, leading to doubled \"@\r@\r@\n"\ lines and
+ corrupt mbx mailboxes.
+
+
+Q0607: When I activate ``return receipt'' for example in Netscape Mailbox
+ sending options, then I get an error message from Exim... something
+ like \*not supported*\. Can I activate delivery confirmations?
+
+A0607: Exim does not support any kind of delivery notification.
+
+ (1) You can configure it to recognize headers such as
+ \Return-receipt-to:\ if you wish.
+
+ (2) Some people want MSN (message status notification). Such services
+ are implemented in MUAs, and don't impact on the MTA at all.
+
+ (3) I investigated the RFCs which describe the DSN (delivery status
+ notification) system. However, I was unable to specify any sensible way
+ of actually doing anything with the data. There were comments on the
+ mailing list at the time; many people, including me, conclude that DSN
+ is in practice unworkable. The killer problem is with forwarding and
+ aliasing. Do you propagate the DSN data with the generated addresses?
+ Do you send back a ``reached end of the DSN world'' or ``expanded'' message?
+ Do you do this differently for different kinds of aliasing/forwarding?
+ For a user who has a \(.forward)\ file with a single address in, this
+ might seem easy - just propagate the data. But what if there are several
+ forwardings? If you propagate the DSN data, the sender may get back
+ several DSN messages - and should the sender really know about the
+ detail of the receiver's forwarding arrangements? There isn't really
+ any way to distinguish between a \(.forward)\ file that is forwarding
+ and one that is a mini mailing list. And so on, and so on. There are so
+ many questions that don't have obvious answers.
+
+
+Q0608: What does the message \*retry time not reached [for any host]*\ on the log
+ mean? Why won't Exim try to deliver the message?
+
+A0608: That is not an error. It means exactly what it says. A previous attempt
+ to deliver to that address failed with a temporary error, and Exim
+ computed the earliest time at which to try again. This can apply to
+ local as well as to remote deliveries. For remote deliveries, each host
+ (if there are several) has its own retry time.
+
+ If you are running on a dial-up host, the rest of this answer probably
+ does not apply to you. Go and read Q1404 instead. If your host is
+ permanently online, read on...
+
+ Some MTAs have a retrying schedule for each message. Exim does not work
+ like this. Retry timing is normally host-based for remote deliveries and
+ address-based for local deliveries. (There are some exceptions for certain
+ kinds of remote failure - see \*Errors in outgoing SMTP*\ in the manual.)
+
+ If a new message arrives for a failing address and the retry time has
+ not yet arrived, Exim will log \*retry time not reached*\ and leave the
+ message on the queue, without attempting delivery. Similarly, if a queue
+ runner notices the message before the time to retry has arrived, it
+ writes the same log entry. When the retry time has past, Exim attempts
+ delivery at the next queue run. If you want to know when that will be,
+ run the exinext utility on the address, for example:
+
+==> exinext user@some.domain
+
+ You can suppress these messages on the log by including \"-retry_defer"\
+ in the setting of \log_selector\. You can force a delivery attempt on a
+ specific message (overriding the retry time) by means of the -M option:
+
+==> exim -M 10hCET-0000Bf-00
+
+ If you want to do this for the entire queue, use the \-qf-\ option.
+
+
+Q0609: Exim seems to be sending the same message twice, according to the log,
+ although there is a difference in capitalization of the local part of
+ the address.
+
+A0609: That is correct. The RFCs are explicit in stating that capitalization
+ matters for local parts. For remote domains, Exim is not entitled to
+ assume case independence of local parts. I know, it is utterly silly,
+ and it causes a lot of grief, but that's what the rules say. Here is a
+ quote from RFC 2821:
+
+ ... a command verb, an argument value other than a mailbox local-part,
+ and free form text MAY be encoded in upper case, lower case, or any
+ mixture of upper and lower case with no impact on its meaning. This
+ is NOT true of a mailbox local-part. The local-part of a mailbox
+ MUST BE treated as case sensitive. Therefore, SMTP implementations
+ MUST take care to preserve the case of mailbox local-parts. Mailbox
+ domains are not case sensitive. In particular, for some hosts the
+ user "smith" is different from the user "Smith". However, exploiting
+ the case sensitivity of mailbox local-parts impedes interoperability
+ and is discouraged.
+
+
+Q0610: How can I force the next retry time for a host to be now?
+
+A0610: You can change the retry time with the \^exim_fixdb^\ utility, but its
+ interface is very clumsy. If you have a message for the host on the
+ queue, the simplest thing to do is to force a delivery with the \-M-\
+ command line option. If delivery succeeds, the retry data will get
+ cleared. If the host is past the cutoff time, so that messages are
+ bouncing immediately without trying a delivery, you can use \-odq-\ to
+ put a message on the queue without a delivery attempt, and then use
+ \-M-\ on it.
+
+
+Q0611: I set up \"|/bin/grep Subject|/usr/bin/smbclient -M <netbiosname>"\ as an
+ alias but it doesn't work.
+
+A0611: That is a shell command line. Exim does not run pipe commands under a
+ shell by default (for added security - and it saves a process). You
+ need something like
+
+==> "|/bin/sh -c '/bin/grep Subject|/usr/bin/smbclient -M <netbiosname>'"
+
+
+Q0612: Why does the \%pipe%\ transport add a line starting with \">From"\ to
+ messages?
+
+A0612: Actually, it adds a line starting with \"From"\ followed by a space.
+ This is commonly referred to as the \"From_"\ line, to emphasize the
+ fact that \"From"\ is followed by a space and not a colon. This is a
+ pseudo-header line that contains the envelope sender address and the
+ time of delivery. It originated as a separator line in Berkeley format
+ mailboxes, but is also used in other contexts. (And yes, it is often
+ confused with the ::From:: header line, and this causes a lot of grief.
+ The use of \"From_"\ was one of the really bad email design decisions.)
+
+ Exim's \%pipe%\ transport adds this pseudo-header line by default
+ because \(/usr/ucb/vacation)\ needs it, and that is one of the the most
+ common uses of piping. The \^procmail^\ local delivery agent also makes
+ use of the \"From_"\ line. If you do not want it, change the setting of
+ \message_prefix\ on the \%pipe%\ transport. For example, to remove the
+ line altogether, use
+
+==> message_prefix =
+
+ If you are not piping to \(/usr/ucb/vacation)\ or \^procmail^\, it is
+ likely that you do not need a \"From_"\ line, and indeed it may cause
+ problems if it is present.
+
+ One user reported that this line gave trouble when a pipe was used to
+ send messages to Courier's \^deliverquota^\ program. The line was
+ retained with the message, and caused problems for MS Exchange 2000 when
+ retrieving messages with its built-in POP collector. Specifically, it
+ caused Exchange to not be able to recognise message attachments.
+
+
+Q0613: I have set \fallback_hosts\ on my \%smtp%\ transport, but after the error
+ \*sem@chat.ru cannot be resolved at this time*\ Exim isn't using them.
+
+A0613: \fallback_hosts\ works only if an attempt at delivery to the original
+ host(s) fails. In this case, Exim couldn't even resolve the domain
+ \(chat.ru)\ to discover what the original hosts were, so it never got as far
+ as the transport. However, see Q0315 for a possible solution.
+
+
+Q0614: After the holidays my ISP has always hundreds of e-mails waiting for me.
+ These are forced down Exim's throat in one go. Exim spawns a lot of
+ kids, but is there some limit to the number of processes it creates?
+
+A0614: Unless you have changed \smtp_accept_queue_per_connection\ it should
+ spawn only that many processes per connection (default 10). Your ISP
+ may be making many connections, of course. That is limited by
+ \smtp_accept_max\.
+
+
+Q0615: When a message in the queue got to 12h old, Exim wrote \*retry timeout
+ exceeded*\ and removed all messages in the queue to this host - even
+ recent messages. How I can avoid this behaviour? I only want to remove
+ messages that have exceeded the maximum retry time.
+
+A0615: Exim's retrying is host-based rather than message-based. The philosophy
+ is that if a host has been down for a very long time, there is no point
+ in keeping messages hanging around. However, you might like to check
+ out \delay_after_cutoff\ in the \%smtp%\ transport. It doesn't do what you
+ want, but it might help.
+
+
+Q0616: Can Exim add a ::Content-Length:: header to messages it delivers?
+
+A0616: You could include something like
+
+==> headers_remove = "content-length"
+ headers_add = "Content-Length: $message_body_size"
+
+ to the \%appendfile%\ transport. However, the use of ::Content-Length:: can
+ cause several problems, and is not recommended unless you really know
+ what you are doing. There is a discussion of the problems in
+ \?http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/content-length.html?\.
+
+
+Q0617: Exim seems to be trying to deliver a message every 10 minutes, though
+ the retry rules specify longer times after a while, because it is
+ writing a log entry every time, like this:
+
+==> 1999-08-26 14:51:19 11IVsE-000MuP-00 == example@example.com T=smtp defer
+ (-34): some host address lookups failed and retry time not reached for
+ other hosts or connection limit reached
+
+A0617: It is looking at the message every 10 minutes, but it isn't actually
+ trying to deliver. It's looking up \(example.com)\ in the DNS and finding
+ this information:
+
+==> example.com. MX 10 example-com.isp.example.com.
+ example.com. MX 0 mail.example.com.
+ mail.example.com. A 202.77.183.45
+ A lookup for example-com.isp.example.com. yielded NXDOMAIN
+
+ The last line means that there is no address (A) record in the DNS for
+ \(example-com.isp.example.com)\. That accounts for \*some host address
+ lookups failed*\, but the retry time for \(mail.example.com)\ hasn't been
+ reached, which accounts for \*retry time not reached for other hosts*\.
+
+
+Q0618: I am trying to set exim up to have a automatic failover if it sees that
+ the system that it is sending all mail to is down.
+
+A0618: Add to the \%remote_smtp%\ transport the following:
+
+==> fallback_hosts = failover.server.name(s)
+
+ If there are several names, they must be separated by colons.
+
+
+Q0619: I can't get Exim to deliver over NFS. I get the error \*fcntl() failed:
+ No locks available*\, though the lock daemon is running on the NFS server
+ and other hosts are able to access it.
+
+A0619: Check that you have \(lockd)\ running on the NFS client. This is not
+ always running by default on some systems (Red Hat is believed to be one
+ such system).
+
+
+Q0620: Why does Exim bounce messages without even attempting delivery, giving
+ the error \*retry time not reached for any host after a long failure
+ period*\?
+
+A0620: This message means that all hosts to which the message could be sent
+ have been failing for so long that the end of the retry period
+ (typically 4 or 5 days) has been reached. In this situation, Exim still
+ computes a next time to retry, but any messages that arrive in the
+ meantime are bounced straight away. You can alter this behaviour by
+ unsetting the \delay_after_cutoff\ option on the smtp transport. Then Exim
+ will try most messages for those hosts once before giving up.
+
+
+Q0621: My \(.forward)\ file is \"|/usr/bin/procmail -f-"\ and mail gets delivered,
+ but there was a bounce to the sender, sending him the output of procmail.
+ How can I prevent this?
+
+A0621: Exim's default configuration is set up like this:
+
+==> address_pipe:
+ driver = pipe
+ return_output
+
+ The \return_output\ option requests that any output that the pipe
+ produces be returned to the sender. That is the safest default. If you
+ don't want this, you can either remove the option altogether, or change
+ it to \return_fail_output\, to return output only if the command fails.
+ Note that this will affect all pipes that users run, not just your
+ procmail one. It might be better to arrange for procmail not to produce
+ any output when it succeeds.
+
+
+Q0622: Can I write an ordinary file when I run a perl script as a transport
+ filter for the \%remote_smtp%\ and \%address_pipe%\ transports?
+
+A0622: Yes, provided the file is writeable by the uid under which the transport
+ runs (the Exim user in the case of the remote transport). However, if two
+ messages are being delivered at once, their data will get mixed up in
+ the file unless you implement your own locking scheme. If all you want
+ to do is to take a copy of the message, another approach that avoids
+ the locking problem is to use a system filter to set up an ``unseen''
+ delivery to a file. If you only want the message's headers, you can
+ set \message_filter_file_transport\ to point to a special \%appendfile%\
+ transport that has \headers_only\ set.
+
+
+Q0623: My \(/var/spool/mail)\ has grown drastically. Is there any possibility of
+ using two directories?
+
+A0623: You can use an expansion string to split mailboxes between two
+ directories. For example,
+
+==> file = /var/spool/mail${nhash_2:$local_part}/$local_part
+
+ which does a hash on the local part, producing either 0 or 1, thereby
+ using \(mail0) or \(mail1)\. But remember, the MUAs that read these mailboxes
+ also have to know where they are.
+
+
+Q0624: Sendmail has a program called \^smrsh^\ that restricts what binaries
+ can be run from sendmail aliases. Is there something like this in Exim ?
+
+A0624: Check out the \allow_commands\ option in the \%pipe%\ transport.
+
+
+Q0625: I wish to have large emails go out one at a time.
+
+A0625: One possibility is to set up a router that defers all large messages,
+ except in queue runs. Since queue runners deliver just one
+ message at a time, if you limited the number of simultaneous queue
+ runners to 1, you would get the effect you wanted. A suitable router
+ might be
+
+==> defer_if_large_unless_queue_run:
+ driver = redirect
+ condition = ${if or{{queue_running}{<{$message_size}{200K}}}{no}{yes}}
+ allow_defer
+ data = :defer: too large for immediate delivery
+ no_verify
+
+ Of course, this would always delay any large message until the next
+ queue runner, but if you run them fairly regularly, this shouldn't be a
+ huge problem, and may even be desirable. Note the use of \no_verify\ to
+ ensure that this router is not used when Exim is verifying addresses.
+
+
+Q0626: Exim can route local parts independent of their case, but the Cyrus LMTP
+ daemon requires the correct case. How can I fix this?
+
+A0626: You need to rewrite the local part to the correct case before running
+ the router that routes to Cyrus. For example, if you require all lower
+ case, and your router is called \local_user\, put this router in front
+ of it:
+
+==> lowercase_local:
+ driver = redirect
+ redirect_router = local_user
+ domains = +local_domains
+ data = ${lc:$local_part}@$domain
+
+ The setting of \redirect_router\ causes processing of the rewritten
+ address to start at the next router, instead of the first router. See
+ also Q0630, and C045 for a more complete Cyrus configuration.
+
+
+Q0627: Is there a command I can send to Exim to retry all queued messages
+ regardless of their retry schedule?
+
+A0627: The \-qff-\ option starts a queue runner that forces a delivery attempt
+ for all messages, including frozen ones. If you use \-qf-\, frozen
+ messages are skipped.
+
+
+Q0628: I have the default retry rule, which I thought meant that Exim should
+ keep trying for four days, but it seems to be bouncing some messages
+ immediately.
+
+A0628: See Q0615 and Q0620.
+
+
+Q0629: I'm having trouble with quotas and Courier, because Exim is not handling
+ maildirsize files.
+
+A0629: You will do better to move the quota handling to Courier. Use \^maildrop^\
+ as your MDA rather than direct Exim delivery. This also has the
+ advantage that if you give web access to the mail spool (over \^sqwebmail^\)
+ you can then use the web front end to edit \^maildrop^\ filter files.
+
+
+Q0630: How can I configure Exim to deliver to a Cyrus message store?
+
+A0630: (1) The reference manual contains an example that uses pipe delivery.
+
+ (2) Here is a transport that uses LMTP delivery, assuming that
+ \$local_part$\ contains the username:
+
+==> cyrus_inbox:
+ driver =lmtp
+ user = cyrus
+ socket = /var/cyrus/socket/lmtp
+
+ (3) This is a transport that delivers direct to a non-inbox mailbox:
+
+==> cyrus_mailbox:
+ driver = pipe
+ user = $local_part
+ message_prefix =
+ message_suffix =
+ log_fail_output
+ return_output
+ command = "/usr/cyrus/bin/deliver -a $local_part \
+ -m <mailbox-name> $local_part"
+
+ This delivers to the Cyrus mailbox \"user.$local_part.<mailbox-name>"\.
+ Using \"user = $local_part"\ and \"-a $local_part"\ makes it work
+ without needing an explicit `p' ACL set for `anyone' on the mailbox.
+
+
+Q0631: I would like to choose a retry rule based on on the sender rather than
+ the recipient address. Is this possible?
+
+A0631: Yes. The address part of a retry rule is matched as a single-item
+ address list. Such lists are always expanded, so you can use something
+ like this:
+
+==> "${if eq{$sender_address}{xxx}{*@*}{no@no}}" quota F,1h,10m; ...
+
+ If the sender address is ``xxx'', the pattern expands to ``*@*'', which
+ matches all recipient addresses; if you want to, you can make this a
+ more restrictive pattern. If the sender address is not ``xxx'', the
+ pattern expands to ``no@no'', which is assumed to be a recipient address
+ that can never match, so the retry rule is skipped.
+
+
+Q0632: What does the error \*User 1 set for local_mbx_delivery transport is on
+ the never_users list*\ mean?
+
+A0632: You have configured the \%local_mbx_delivery%\ to run as the user whose
+ id (uid) is 1. However, this user is on the list defined by the
+ \never_users\ runtime option, or the \\FIXED_NEVER_USERS\\ compile-time
+ option. These are ``safety catch'' lists; Exim refuses to deliver to any
+ user that is on them. The most common use of \never_users\ is to avoid
+ doing any deliveries as \/root/\, but it can contain other uids.
+
+
+Q0633: Why is \$domain$\ not set in the \%smtp%\ transport?
+
+A0633: The \%smtp%\ transport can handle several recipient addresses at once.
+ This happens by default if the host lists for the addresses are
+ identical. A single copy of the message is sent, using multiple \\RCPT\\
+ commands to transmit multiple envelope recipients. The \$domain$\
+ variable is set in the \%smtp%\ transport only if all the recipient
+ addresses have the same domain. You must have a case where several
+ addresses with different domains resolve to the same set of hosts.
+
+ If you want to restrict the transport so that it handles only a single
+ domain at once (but still possibly with more than one recipient), set
+
+==> multi_domain = false
+
+ If you want to restrict the transport so that it handles only a single
+ address at once, set
+
+==> max_rcpt = 1
+
+
+Q0634: How can I stop a local transport from trying to access the user's home
+ directory, even when the delivery is to a file that is elsewhere?
+
+A0634: See answer (2) for Q0423.
+
+
+Q0635: The log message \*error ignored*\ appears after some delivery failures.
+ What does it mean?
+
+A0635: This message is written when Exim fails to deliver a bounce message whose
+ age is greater than \ignore_bounce_errors_after\. It indicates that the
+ failing bounce message has been discarded.
+
+ The same message is written after failed deliveries when a filter file
+ uses the \noerror\ feature when setting up a delivery, or if a router
+ has the setting
+
+==> errors_to = <>
+
+ Both of these specify that delivery failures are to be discarded.
+
+
+
+7. POLICY CONTROLS
+
+Q0701: How do I block unwanted messages from outside my host?
+
+A0701: Exim uses Access Control Lists (ACLs) for controlling incoming mail from
+ other hosts. A whole chapter in the reference manual is devoted to
+ describing how they work. A wide variety of conditions can be imposed on
+ incoming messages.
+
+ The default Exim run time configuration contains an example of an ACL
+ which blocks all relaying, and messages whose senders cannot be
+ verified. This example is heavily commented and worth studying.
+
+
+Q0702: I don't want to block spam entirely; how can I inspect each message
+ before deciding whether or not to deliver it?
+
+A0702: Wherever possible, inspection and rejection is best done automatically
+ in an ACL, that is, before the message is accepted. If you want to
+ verify manually each message that is classified as spam by an automatic
+ check, you can arrange for a system filter to freeze such messages after
+ they have been accepted.
+
+ If, after inspection, you decide not to deliver the message, it is
+ safest to discard it, using the \-Mrm-\ option. Use of the \-Mg-\ option
+ to force a bounce carries the risk of ``collateral spam'' if the sender
+ address is faked.
+
+
+Q0703: How can I test that my spam blocks are working?
+
+A0703: The \-bh-\ option allows you to run a testing SMTP session as if from a
+ given IP address. For example,
+
+==> exim -bh 192.168.178.39
+
+ In addition to the normal SMTP replies, it outputs commentary about
+ which tests have succeeded or failed. If you are not interested in the
+ details, but just want to know if a particular sender at a particular IP
+ address is able to mail to a particular recipient, you can use the
+ \exim_checkaccess\ utility, which provides a ``packaged'' version of
+ \-bh-\. You call it like this:
+
+==> exim_checkaccess 192.168.53.23 recip@my.domain -f sender@some.domain
+
+ If you don't give a sender, \"<>"\ is used (that it, it acts like a
+ bounce message).
+
+
+Q0704: How can I test that Exim is correctly configured to use the Realtime
+ Blackhole List (RBL)?
+
+A0704: The \-bh-\ option allows you to run a testing SMTP session as if from a
+ given address. The \^exim_checkaccess^\ utility provides a more packaged
+ version of this facility. You need to know a blocked IP address with
+ which to test. Such a testing address is kindly provided by Russell
+ Nelson:
+
+==> linux.crynwr.com [192.203.178.39]
+
+ You can also send mail to \(nelson@linux.crynwr.com)\ from the server
+ whose RBL block you are testing. The robot that receives that email
+ will attempt to send a piece of test email in reply. If your RBL block
+ didn't work, you get a message to that effect. Regardless of whether the
+ RBL block succeeds or not, it emails you the results of the SMTP
+ conversation from a host that is not on the RBL, so you can see how your
+ server looks from the view of someone on the RBL.
+
+
+Q0705: How can I use tcpwrappers in conjunction with Exim?
+
+A0705: Exim's own control facilities can do all that tcpwrappers can do.
+ However, if you are already using tcpwrappers for other things it might
+ be convenient to include Exim controls in the same place.
+
+ First of all, ensure that Exim is built to call the tcpwrappers library,
+ by including \\USE_TCPWRAPPERS=yes\\ in \(Local/Makefile)\. You also need to
+ ensure that the header file \(tcpd.h)\ is available at compile time, and the
+ \(libwrap.a)\ library is available at link time, typically by including it in
+ \\EXTRALIBS\\. You may need to copy these two files from the tcpwrappers
+ build directory to, for example, \(/usr/local/include)\ and \(/usr/local/lib)\,
+ respectively. Then you could reference them by
+
+==> CFLAGS=-I/usr/local/include
+ EXTRALIBS=-L/usr/local/lib -lwrap
+
+ in \(Local/Makefile)\. There are two ways to make use of the functionality,
+ depending on how you have tcpwrappers set up. If you have it set up to
+ use only one file, you ought to have something like:
+
+==> /etc/hosts.allow:
+
+==> exim : <client_list> : <allow_or_deny>
+
+ For example:
+
+==> exim : LOCAL 192.168.0. .friendly.domain special.host : ALLOW
+ exim : ALL : DENY
+
+ This allows connections from local hosts (chiefly //localhost//), from
+ the subnet 192.168.0.0/24, from all hosts in \(*.friendly.domain)\, and
+ from a specific host called \(special.host)\. All other connections are
+ denied. If you have tcpwrappers set up to use two files, use the
+ following:
+
+==> /etc/hosts.allow:
+
+==> exim : <client_list>
+
+==> /etc/hosts.deny:
+
+==> exim : <client_list>
+
+ Read the \^hosts_access^\ man page for more ways of specifying clients,
+ including ports, etc., and on logging connections.
+
+
+Q0706: How can I get POP-auth-before-relay (aka POP-before-SMTP) support in
+ Exim?
+
+A0706: Exim 4 supports the ``whoson'' (\?http://whoson.sourceforge.net?\)
+ facility for doing this. If you set this up, you can do the check in an
+ Exim ACL by a statement like this:
+
+==> require condition = \
+ ${lookup whoson {$sender_host_address}{yes}{no}}
+
+ Otherwise you need to arrange for a list of permitted IP addresses to be
+ maintained in a file or database, and use this in a \hosts\ condition in
+ an ACL statement. An Exim user has published this recipe:
+
+ \#\#\#\#\?http://www.zeiss.cx/memo/computer/linux/email/exim-s-a-p.html?\
+
+ Another Exim user submitted the following idea:
+
+ Use a script to grab authenticated IP addresses from the log files of
+ the POP3 and IMAP4 daemons. These are used to create files in the
+ directory tree \(/var/db/popb4smtp)\. The existence of a file represents a
+ valid ``popped recently token'' for the IP address used as the filename.
+
+ Another script periodically removes stale files from the tree (after two
+ hours). There's a small race condition here; it's possible for a file
+ to be deleted just after it has been updated by the script that watches
+ the logs. For low-volume servers, the odds of hitting this window are
+ low.
+
+ A POPB4SMTP_CLIENT macro in the Exim configure file provides a reusable
+ ``has this sender popped recently?'' query:
+
+==> POPB4SMTP_SUBDIR = /var/db/popb4smtp/${substr_-1_1:$sender_host_address}
+ POPB4SMTP_CLIENT = ${if exists {POPB4SMTP_SUBDIR/$sender_host_address} \
+ {$sender_host_address} {0} }
+
+ Now you can use it just about anywhere, including in your ACLs. Simple
+ examples include:
+
+==> hostlist relay_hosts = 127.0.0.1/32 : ... : POPB4SMTP_CLIENT
+ host_lookup = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT
+ rfc1413_hosts = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT
+
+ The two scripts (and a FreeBSD startup script for them) are available
+ for download at:
+
+ \#\#\#\#\?http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz?\
+
+
+Q0707: I have one or two cases where my host correctly rejects messages, but
+ the remote host is quite persistent, and keeps trying over and over.
+
+A0707: It is an unfortunate fact that a number of SMTP clients, in violation of
+ the SMTP RFC, do not treat a permanent error code that is given after
+ the DATA portion of the transaction as a permanent error. Consequently
+ they keep resending the message, and the worst offenders do so at very
+ short intervals.
+
+ The only way to stop such behaviour is to blacklist the IP address, or
+ the envelope sender, or both, in such a way that future messages get
+ rejected at RCPT time instead of at DATA time. You could also complain
+ to the remote host's administrators.
+
+
+Q0708: How can I run customized verification checks on incoming addresses?
+
+A0708: There are a number of possibilities:
+
+ (1) If you can implement your checks in Perl, you can use Exim's
+ facility for running an embedded Perl interpreter. For example, if you
+ want to run special checks on local addresses, you could use ACL
+ an statement like this:
+
+==> require domains = my.local.domain
+ condition = ${perl{verify}{$local_part}}
+
+ The result of the Perl function should be ``yes'' or ``no''.
+
+ (2) You could also run an external program in a similar way, by a
+ statement such as:
+
+==> require domains = my.local.domain
+ condition = ${run{/my/verifier $local_part}}
+
+ This requires the use of another process, so could prove more expensive
+ than Perl.
+
+ (3) If you are prepared to write C code, read the chapter in the manual
+ entitled \*Adding a local scan function to Exim*\.
+
+
+Q0709: Does Exim apply RBL checks to error messages, those with an envelope
+ sender of \"<>"\ ?
+
+A0709: This depends on the ACL configuration. You can test for bounce messages
+ (by looking for an empty sender address) and thereby exclude them from
+ RBL checking if you want. This ACL statement does that:
+
+==> deny senders = ! :
+ dnslist = blackholes.mail-abuse.org
+
+ However, some spam does come with an empty sender address, so this may
+ not be a good idea.
+
+
+Q0710: I want to reject certain sender-recipient combinations, with a specific
+ message for each such combination.
+
+A0710: Set up a file (or database) containing the messages, keyed by the
+ combination, for example:
+
+==> sender1@sdomain1=>recipient1@rdomain1: blocked because...
+ sender2@sdomain2=>recipient2@rdomain2: blocked because...
+
+ If you have lots of recipients for the same sender, it might be easier
+ to generate this file from more convenient data. In your ACL that is run
+ for each RCPT command, you can then put:
+
+==> deny message = ${lookup{$sender_address=>$local_part@$domain}\
+ lsearch{/that/file}}
+ condition = ${lookup{$sender_address=>$local_part@$domain}\
+ lsearch{/that/file}}{yes}{no}}
+
+ The condition is tested first. If the lookup succeeds, the condition
+ succeeds so access is denied. The message is then expanded, but the
+ lookup won't be repeated, because Exim will have cached the previous
+ result.
+
+ This approach blocks only incoming SMTP messages. If you need to do
+ similar blocks for messages that do not arrive over SMTP, you have to
+ set up a suitable \%redirect%\ router with a \:fail:\ setting.
+
+
+Q0711: Will Exim allow me to create a file of regexs and match incoming
+ external email to the list - and if a match is found file the offending
+ message into a special location? Also is it possible to make Exim only
+ filter parts of an incoming email - e.g. ignore large MIME attachments
+ for example and only process text/plain?
+
+A0711: You can do some of this in a system filter. For example:
+
+==> if $message_body matches <...some complicated regex...> or
+ $message_body matches <...some other regex...> or
+ $header_from: matches <...regex...> or
+ etc.
+ then
+ save /some/special/file
+ endif
+
+ or instead of \"save"\ you could have \"deliver"\ (to some address) or
+ \"pipe"\ (to some script).
+
+ There isn't any mechanism for ignoring attachments, but \$message_body$\
+ only looks at the first n bytes of the body, where n defaults to 500 but
+ can be changed.
+
+ A more expensive alternative would be to run a Perl subroutine using the
+ embedded Perl mechanism. If you passed over the message id, the Perl
+ code could read the message files on the spool and implement any
+ algorithm it liked for deciding what should be done.
+
+
+Q0712: I've hacked sendmail to make an ioctl call at the time of the SMTP RCPT
+ command, to check if a user has exceeded their email quota. If they have
+ I issue a temporary failure and a message - can I do this with Exim?
+
+A0712: If you can make this happen in Perl you can use the embedded Perl
+ facility, and use it from a \condition\ condition in an ACL statement.
+ You can also use the expansion facility to run an external program, but
+ this uses more resources because it uses another process.
+
+
+Q0713: I'd like to pass all messages through a virus-scanning system before
+ delivery. Can Exim do this?
+
+A0713: One way of achieving this is to deliver all messages via a pipe to a
+ checking program that resubmits them for delivery in some private way
+ that can be checked (e.g. on a specific SMTP port, or IP address). One
+ possibility is to use the `received protocol` field that can be set
+ for locally submitted mail via the \-oMr-\ command line option. This
+ router sends all messages that are not from the local host and whose
+ received protocol is not \"scanned-ok"\ to the \%virus_scan%\ transport:
+
+==> vircheck:
+ driver = accept
+ transport = virus_scan
+ condition = ${if or {{eq {$received_protocol}{scanned-ok}} \
+ {eq {$sender_host_address}{127.0.0.1}}}\
+ {0}{1}}
+
+ One problem is that this approach scans the message for each recipient,
+ not just once per message.
+
+ The virus_scan transport should be set up to pipe the message to a
+ suitable checking program or script which runs as a trusted user. This
+ can then re-submit the message to Exim, using \-oMr-\ to set the received
+ protocol to \"scanned-ok"\, and the \-f-\ option to set the correct envelope
+ sender address. \**Warning:**\ If you forget to make the resubmitting process
+ run as a trusted user, the received protocol does not get set, and you
+ are likely to generate a loop.
+
+
+Q0714: Is there a way to configure Exim to reject mail to a certain local host?
+
+A0714: No, only to certain domains. To reject at SMTP time, you can put a line
+ like this in your ACL:
+
+==> deny message = this domain is deliberately rejected
+ domains = a.certain.domain
+
+ To fail addresses in messages that do not arrive over SMTP, you can set
+ up a router like this:
+
+==> reject_a_certain_domain:
+ driver = redirect
+ domains = a.certain.domain
+ allow_fail
+ data = :fail: this domain is deliberately rejected
+
+
+Q0715: How can I get Exim to remove attachments from messages?
+
+A0715: Exim does not contain facilities for modifying messages. You must use
+ an external program if you want to do this. You can route messages that
+ have a ::Content-type:: header line via a pipe to a command that does
+ the job and then re-submits the message to Exim. Alternatively, you
+ could use a transport filter to do this job.
+
+
+Q0716: How can I arrange for each user to have a file listing the only sender
+ addresses from which she will accept mail? I want to do this so my
+ family members don't get any spam (or other inappropriate mail).
+
+A0716: Let's assume each user has a file called \(.acceptlist)\ in the home
+ directory. You can put in your ACL a line like this:
+
+==> require senders = /home/$local_part/.acceptlist
+
+ This will reject RCPT commands when the sender is not in the accept
+ list for the recipient. (Replace \(/home/$local_part)\ with whatever
+ the correct path to your user's home directories is.)
+
+ One problem with this is that it will block bounce messages, which have
+ empty senders. You can get round this, by changing the line to this:
+
+==> require senders = : /home/$local_part/.acceptlist
+
+ However, this will, of course, let in spam that has a null sender.
+
+
+Q0717: When using Nessus on a system that runs Exim, a number of security
+ issues are raised. Nessus complains that Exim answers to EXPN and/or
+ VRFY; sometimes it even complains that Exim allows relaying.
+
+A0717: Exim supports EXPN and VRFY only if you permit it to do so in the ACLs
+ defined by \acl_smtp_expn\ and \acl_smtp_vrfy\, respectively. Otherwise,
+ its responses are
+
+==> 550 Administrative prohibition
+ 252 Administrative prohibition
+
+ Maybe the use of 252 is the ``problem''. It is recommended that this be
+ done (by those that discuss these things) because there are stupid
+ clients that attempt VRFY before sending a message.
+
+
+Q0718: Could anyone points me to right rules to prevent sending/receiving
+ messages to/for domains which have one MX to localhost or only have
+ address 127.0.0.1 ?
+
+A0718: See Q0319.
+
+
+Q0719: I would like to have a per-user limit for the maximum size of messages
+ that can be sent.
+
+A0719: The simplest way to do this is to put something in a system filter along
+ these lines:
+
+==> if $message_size is above
+ "${lookup{$sender_address}lsearch{/some/file}{$value}{10M}}"
+ then
+ fail "Message is larger than $sender_address is allowed to send"
+ endif
+
+ In practice, an additional check that the message has arrived from your
+ local host or local network is probably wise because sender addresses
+ are easily forged.
+
+
+Q0720: I set \"accept hosts=192.168.122.96/32"\ in order to accept mail for
+ relaying from my local LAN, but it doesn't work. What's wrong?
+
+A0720: 192.168.122.96/32 is not a network, it is a single host. Exim uses CIDR
+ notation for specifying networks, where the number after the slash is
+ the number of bits in the IP address that must match. Your setting says
+ ``32 bits must match''. If you really mean to specify ``the next 32
+ IP addresses'', you need 192.168.122.96/27.
+
+
+Q0721: I have POP-before-SMTP set up on my Exim server, but some clients use
+ Outlook Express, which sends queued messages before checking the
+ mailbox, so it doesn't work.
+
+A0721: Implement SMTP authentication.
+
+
+Q0722: I installed Amavis and it is working, but bounces are simply vanishing.
+
+A0722: Check that you haven't inadvertently set up the transport like this:
+
+==> amavis:
+ driver = pipe
+ command = "/usr/sbin/amavis -f ${sender_address} -d ${pipe_addresses}"
+
+ The last line should be:
+
+==> command = /usr/sbin/amavis -f <$sender_address> -d $pipe_addresses
+
+ The important thing is the <> around the sender address; removal of
+ the unnecessary "" and {} is just tidying. See the amavis FAQ at
+ \?http://www.amavis.org/amavis-faq.php3?\.
+
+
+Q0723: I can't get Pine to work with PLAIN authentication; Exim keeps
+ responding "535 Incorrect authentication data".
+
+A0723: You need to have this setting in your PLAIN authenticator:
+
+==> server_prompts = :
+
+ This is missing in the examples in all but the most recent Exim
+ documentation, because it was not realized that PLAIN authentication
+ could be requested by a client without sending the data with the
+ request. If the data is not sent, an empty prompt is expected.
+
+
+Q0724: I have used \":fail:"\ in some aliases; when one of these addresses is
+ refused, I see the message on the log, but the response to the remote
+ user is ``unknown user'' instead of the message from the alias file.
+ How can I change this?
+
+A0724: Have you got a \message\ qualifier in the relevant ACL? Exim uses the
+ message line in the ACL in preference to the message returned by the
+ router. This is so you can restrict the amount of information that
+ ``escapes'' from your site via SMTP if you want to. Remove the \message\
+ line in the ACL entry that has \"verify = recipient"\ and your message
+ will get through.
+
+ Alternatively, if you are running Exim 4.10 or later, you can use the
+ \$acl_verify_message$\ variable in your message to include the message
+ from the router. See also Q0725.
+
+
+Q0725: I've set up some specific rejection messages for certain recipients, but
+ when I test them, the SMTP message is always \*550 5.1.1
+ <user@mydomain.com>... User unknown*\.
+
+A0725: That is not an Exim message (the ``5.1.1'' is a clue; Exim doesn't use
+ those extended codes). You are probably being defeated by software that
+ sees the 550 error code, and insists on putting in its own text. There
+ is stupid software that does this. You can test Exim by using \-bh-\ or
+ making a telnet call to the SMTP port. That way, there's no other
+ software intervening.
+
+
+Q0726: My SMTP authentication can be bypassed by sending an unknown user name
+ and an empty password. What is wrong with this condition in a PLAIN
+ authenticator?
+
+==> server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
+ accounts WHERE username='${local_part:$1}'}}}{1}{0}}
+
+A0726: Your lookup item returns an empty string when the user does not exist.
+ You should instead arrange for the lookup to fail:
+
+==> server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
+ accounts WHERE username='${local_part:$1}'}{$value}fail}}{1}{0}}
+
+
+Q0727: When a message has many recipients, how can I stop SpamAssassin from
+ being called for each of them? I'm running it from a pipe transport.
+
+A0727: In the transport configuration, set \batch_max\ to a value greater than
+ one.
+
+
+Q0728: How do I use Exiscan, SA-Exim, SpamAssassin, Clam Antivirus, Sophos
+ SAVI, or sophie with Exim?
+
+A0728: There's a mini-HOWTO about these available via
+ \?http://www.timj.co.uk/linux/exim.php?\.
+ See also sample configuration C047.
+
+
+Q0729: How can I screen out addresses that are neither valid usernames or
+ distribution lists on mail being forwarded to an internal Win2K server?
+
+A0729: A user suggested using a router like this to do the recipient
+ verification:
+
+==> verify_user_router:
+ driver = accept
+ domains = win2kdomain.com
+ local_parts=\
+ ldap;user="cn=ldap-guest,cn=Users,dc=win2kdomain,dc=com"\
+ pass=guest \
+ ldap:://win2kpdc/dc=win2kdomain,dc=com?mailNickname?\
+ sub?(&(mailNickname=$local_part)\
+ (showInAddressBook=*)(sAMAccountName=*))
+ verify_only
+
+ Set up ldap-guest as a normal domain user on the Win2K PDC.
+
+ Also, you need to set \no_verify\ on all the other routers that handle
+ that domain.
+
+
+Q0730: How can I use the same passwords for SMTP authentication as I use for
+ Courier IMAP access to my server?
+
+A0730: You can access the Courier authdaemon from an Exim authenticator. You
+ must arrange for the Exim user (often \/exim/\ but sometimes \/mail/\)
+ to be able to access \(/var/run/courier/authdaemon/socket)\. The
+ configuration is something of a hack, but it is reported to work. Here
+ is a LOGIN authenticator:
+
+==> login:
+ driver = plaintext
+ public_name = LOGIN
+ server_prompts = Username:: : Password::
+ server_condition = \
+ ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
+ {AUTH 76\n${length_76:exim\nlogin\n$1\n$2\
+ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
+ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
+ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}}
+ server_set_id = $1
+
+ Here is a PLAIN authenticator:
+
+==> plain:
+ driver = plaintext
+ public_name = PLAIN
+ server_prompts = :
+ server_condition = \
+ ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
+ {AUTH 76\n${length_76:exim\nlogin\n$2\n$3\
+ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
+ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
+ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}}
+ server_set_id = $2
+
+
+Q0731: Is there any defence I can use against spam sent through an open proxy?
+
+A0731: The \*ident*\ feature can be used in some cases. See the discussion in
+ Q5023.
+
+
+Q0732: I would like to either warn or deny when a host uses an underscore in
+ the EHLO command.
+
+A0732: First, set
+
+==> helo_allow_chars = _
+
+ This tells Exim not to reject the EHLO or HELO command immediately. Once
+ you have done that, you can test for the underscore in an ACL. For
+ example, to log a warning for hosts in your LAN, and reject for other
+ hosts, you could do something like this:
+
+==> deny message = Underscores are not valid in host names
+ hosts = ! +lan_hosts
+ condition = ${if match{$sender_helo_name}{_}{yes}{no}}
+
+==> warn log_message = Accepted underscore from [$sender_host_address]
+ condition = ${if match{$sender_helo_name}{_}{yes}{no}}
+
+
+Q0733: Is there any way to tell Exim not to lookup the IP address against any
+ DNS black list if the connection is over IPv6?
+
+A0733: Use this condition in your ACL:
+
+==> condition = ${if match{${mask:$sender_host_address/0}}\
+ {${mask:::0/0}}{no}{yes}}
+
+ From Exim 4.23 onwards, this can be simplified to
+
+==> condition = ${if isip6{$sender_host_address}{no}{yes}}
+
+
+Q0734: How do MailScanner and Exiscan compare? What are the pros and cons?
+
+A0734: The big advantage of Exiscan is that it can reject messages at SMTP time
+ before you have accepted responsibility for them, which means you don't
+ have to deal with bouncing messages and thereby becoming a collateral
+ spammer.
+
+ The big advantage of MailScanner is that it gives you much greater
+ control over the load on your machines. You configure it according to
+ the maximum processing capacity of your computer and it will not exceed
+ that; in fact because it deals with messages in batches the cost of
+ processing a message actually goes down slightly as the load increases,
+ because the per-batch costs are shared by more messages.
+
+ With Exiscan, you have to rely on Exim's load protection mechanisms,
+ which basically means that you have to stop accepting messages when your
+ machine gets too loaded. This is bad if the machine happens to be an
+ SMTP smarthost. You therefore need more overcapacity with Exiscan than
+ with MailScanner.
+
+
+Q0735: How can I block non-FQDNs in HELO/EHLOs?
+
+A0735: Many workstation clients send single-component names; take care that you
+ do not block legitimate mail. With that proviso, you can do it using
+ something like this in an ACL:
+
+==> drop message = HELO doesn't look like a hostname
+ log_message = Not a hostname
+ condition = ${if match{$sender_helo_name} \
+ {\N^[^.].*\.[^.]+$\N}{no}{yes}}
+
+ This means: Drop the HELO unless it contains a dot somewhere in the HELO
+ string, but the string may not begin or end with a dot. Thus, the
+ imposed minimum length is 3 characters.
+
+ The data for HELO/EHLO doesn't have to be a host name; it may
+ legitimately be an IP address literal instead. The above test succeeds
+ with an IPv4 address literal, but if you want also to accept IPv6
+ address literals, you will have to modify the regular expression.
+
+
+Q0736: Is it possible to tell exim to drop the connection after a server
+ attempts to send a message to a number of unknown users?
+
+A0736: Yes. Use \$rcpt_fail_count$\ and the \^drop^\ ACL command, as in this
+ example:
+
+==> drop message = Too many unknown users
+ condition = ${if >{$rcpt_fail_count}{15}{yes}{no}}
+
+
+Q0737: Is there some way to tell Exim not to consider 127.0.0.1 as a valid MX?
+
+A0737: See Q0319.
+
+
+Q0738: How can I configure Exim to delay the SMTP connection if more than 10
+ invalid recipients are received in one message?
+
+A0738: Put something like this in your RCPT ACL:
+
+==> deny message = Max $rcpt_fail_count failed recipients allowed
+ condition = ${if >{$rcpt_fail_count}{10} {1}}
+ ! verify = recipient
+ delay = ${eval: $rcpt_fail_count * 10}s
+ log_message = $rcpt_fail_count failed recipient attempts
+
+ This example increases the delay for each failed recipient.
+
+
+Q0739: Does Exim support SPF?
+
+A0739: An Exim ACL can be used. See \?http://spf.pobox.com/downloads.html?\.
+
+
+
+8. REWRITING ADDRESSES
+
+Q0801: How can I get Exim to strip the hostname from the sender's address?
+
+A0801: If you set up a rewriting rule in the following form:
+
+==> *@*.your.domain $1@your.domain
+
+ then Exim will rewrite all addresses in the envelope and the headers,
+ removing anything between \"@"\ and \"your.domain"\. This applies to all
+ messages that Exim processes. If you want to rewrite sender addresses
+ only, the the rule should be
+
+==> *@*.your.domain $1@your.domain Ffrs
+
+ This applies the rule only to the envelope sender address and to the
+ ::From::, ::Reply-to::, and ::Sender:: headers.
+
+
+Q0802: I have Exim configured to remove the hostname portion of the domain on
+ outgoing mail, and yet the hostname is present when the mail gets
+ delivered.
+
+A0802: Check the DNS record for your domain. If the MX record points to a CNAME
+ record instead of to an A record, some MTAs (not Exim) are liable to
+ rewrite addresses, changing your domain name to its ``canonical'' form,
+ as obtained from the CNAME record.
+
+
+Q0803: I want to rewrite local addresses in mail that goes to the outside
+ world, but not for messages that remain within the local intranet.
+
+A0803: You can use the \headers_rewrite\ option on a transport to do this.
+ The rewriting will then apply to just those copies of a message that
+ pass through the transport. The \return_path\ option can similarly be
+ used to rewrite the sender address. There is no way of rewriting
+ recipient addresses at transport time. However, as these are by
+ definition remote addresses, you probably don't want to rewrite them.
+
+ You have to set up the configuration so that it uses different SMTP
+ transports for internal and external mail. If you are using a single
+ router in both cases, you could configure it like this:
+
+==> dnslookup:
+ driver = dnslookup
+ transport = ${if match{$domain}{\N\.my\.domain$\N}{int_smtp}{ext_smtp}}
+
+ This example uses the \%int_smtp%\ transport for domains ending in
+ \(.my.domain)\, and \%ext_smtp%\ for everything else. The \%ext_smtp%\ transport
+ could be something like this:
+
+==> ext_smtp:
+ driver = smtp
+ headers_rewrite = *@*.my.domain \
+ ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail}
+ return_path = \
+ ${if match{$return_path}{\N^([^@]+)@(.*)\.my\.domain$\N}\
+ {\
+ ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail}\
+ }\
+ fail}
+
+ This example uses a separate file of local-to-external address
+ translations for each domain. This is not the only possibility, of
+ course. The \headers_rewrite\ and \return_path\ options apply the same
+ rewriting to the header lines and the envelope sender address,
+ respectively.
+
+
+Q0804: I'm using this rewriting rule to change login names into ``friendly''
+ names, but if mail comes in for an upper case login name, it doesn't
+ get rewritten.
+
+==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\
+ {$value}fail}@my.domain bcfrtFT
+
+ The longforms database has entries of the form:
+
+==> ano23: A.N.Other
+
+A0804: Replace \"$1"\ in your rule by \"${lc:$1}"\ to force the local part to lower
+ case before it is used as a lookup key.
+
+
+Q0805: Is it possible to completely fail a message if the rewrite rules fail?
+
+A0805: It depends on what you mean by ``fail a message'' and what addresses you
+ are rewriting. If you are rewriting recipient addresses for your local
+ domain, you can do:
+
+==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq
+
+ and in your alias file put something like
+
+==> failaddr: :fail: Rewriting failed
+
+ This fails a single recipient - others are processed independently.
+
+
+Q0806: I'm using \$domain$\ as the key for a lookup in a rewriting rule, but its
+ contents are not being lowercased. Aren't domains supposed to be handled
+ caselessly?
+
+A0806: The value of \$domain$\ is the actual domain that appears in the address.
+ It could of course be lower cased, but I know that would cause some
+ unhappiness, because some people have mixed-case domain names which look
+ silly if the case is changed. Thus, one wants to preserve the case in
+ rewrites such as
+
+==> *@*.TheRap.com something@$domain
+
+ because ``therap'' doesn't look like two words. I know it seems trivial,
+ but it is important to some people - especially if by some unfortunate
+ accident the lowercased word is something indecent.
+
+ You can trivally force lower casing by means of the \"${lc:"\ operator.
+ Instead of \"$domain"\ write \"${lc:$domain}"\.
+
+
+Q0807: I want to rewrite local sender addresses depending on the domain of the
+ recipient.
+
+A0807: In general, this is not possible, because a message may have more than
+ one recipient and Exim keeps just a single copy of each message. It may
+ also deliver one copy of a message with several recipient addresses.
+ You can do an incomplete job by using a regular expression match in a
+ rewrite rule to test, for example, the contents of the ::To:: header. This
+ would work except in cases of multiple recipients.
+
+
+
+9. HEADERS
+
+Q0901: I would like add some custom headers to selected outgoing mail based on
+ a specific domain and the subject line.
+
+A0901: To the remote_smtp transport, add something like
+
+==> headers_add = ${if and{\
+ {eq{$domain}{spec.dom}}\
+ {matches{$h_subject:}{whatever}}}\
+ {Content-Type: text/html; charset="us-ascii"} fail }
+
+ This example shows a ::Content-Type:: header, but you can have anything you
+ like, and multiple headers can be inserted by using \"@\n"\ to separate them.
+
+
+Q0902: Is it possible to have Exim add a header to only certain local parts of
+ outgoing mail?
+
+A0902: Only if you arrange for each such local part to receive its own private
+ copy of the mail. See \max_rcpt\ in the SMTP transport. If you set this
+ to 1, you could use conditions in an expansion string to add or not add
+ a header.
+
+
+Q0903: How can I remove some part of the ::Received:: header?
+
+A0903: Set \received_header_text\.
+
+
+Q0904: How I can insert the PGP header line using Exim filters?
+
+A0904: You can't insert headers in a user filter. A system filter can do so,
+ but the inserted lines then are included for all recipients.
+
+
+Q0905: I know I can use a system filter to replace certain headers in messages,
+ but how can I add text to existing headers? I want to add [SPAM] to
+ the subject line of messages that appear to be spam.
+
+A0905: You can only do this in a round about way, using filter commands like
+ this:
+
+==> headers add "New-Subject: SPAM: $h_subject:"
+ headers remove subject
+ neaders add "Subject: $h_new-subject:"
+ headers remove new-subject
+
+ This trick works only in system filters, where the commands are obeyed
+ in order, and affect the master list of headers that apply to the whole
+ message. You cannot do this with the \headers_add\ and \headers_remove\
+ options on drivers.
+
+
+
+10. PERFORMANCE
+
+Q1001: I'm running a large mail server. Should I set \split_spool_directory\ to
+ improve performance?
+
+A1001: Splitting the spool directory has most benefit if there are times when
+ there are a large number of messages on the queue. If all mail is
+ delivered very quickly, and the queue is always less than, say, a few
+ hundred messages, there isn't any need to do this. With larger queues,
+ there is a definite performance benefit to splitting the spool. It shows
+ up earlier on some types of filing system, compared with others.
+
+ Exim was not designed for handling large queues. If you are in an
+ enviroment where lots of messages remain on the queue for long periods
+ of time, consider implementing a back up host to which you pass these
+ messages, so that the main host's queue remains short. You can use
+ \fallback_hosts\ to do this, or a router that is conditional on
+ \$message_age$\.
+
+
+Q1002: How well does Exim scale?
+
+A1002: Although the author did not specifically set out to write a high-
+ performance MTA, Exim does seem to be fairly efficient. The biggest
+ server at the University of Cambridge (a large Sun box) goes over
+ 100,000 deliveries per day on busy days (it has over 20,000 users).
+ There was a report of a mailing list exploder that sometimes handles
+ over 100,000 deliveries a day on a big Linux box, the record being
+ 177,000 deliveries (791MB in total). Up to 13,000 deliveries an hour
+ have been reported.
+
+ These are quotes from some Exim users:
+
+ "... Canada's largest internet provider, uses Exim on all of our mail
+ machines, and we're absolutely delighted with it. It brought life back
+ into one of our machines plagued with backlogs and high load averages.
+ Here's just an example of how much email our largest mail server
+ (quad SS1000) is seeing ... " [230,911 deliveries in a day: 4,475MB]
+
+ "... Exim has to ... do gethostbyname()s and RBL lookups on all of the
+ incoming mail servers, and he runs from inetd (TCP Wrappers connected).
+ All the same, it seems to me that he runs as fast as lightning on our
+ SCO 5.0.4 box (1 Pentium 166) - far faster than MMDF which I (and many
+ customers) had before."
+
+ "On a PII 400 with 128M of RAM running Linux 2.2.5, I have achieved
+ 36656 messages per hour (outgoing unique messages and recipients). For
+ about a 5 minute period, I was able to achieve an average of 30 messages
+ per second (that would be 108000 m/hour)! We are using: (options that
+ make a difference):
+
+==> queue_only
+ split_spool_directory
+ queue_run_max = 1
+ remote_max_parallel = 1
+
+ We have a cron job hat runs every five minutes that spawns 5 \"exim -q"\ if
+ there are less that 120 exim processes currently running. We found
+ that by manually controlling the concurrency of \"exim -q"\ processes
+ contending for the spool for \%remote_smtp%\ delivery that we gained
+ considerable performance - 10000 m/hour."
+
+
+Q1003: We have a large password file. Can Exim use alternative lookups during
+ delivery to speed things up?
+
+A1003: If you are using FreeBSD, this problem should not arise, because it
+ automatically uses an indexed password file. In some other operating
+ systems you can arrange for this to happen too. On Linux, for example,
+ all you need to do is
+
+==> # cd /var/db
+ # make
+
+ and put \"db"\ before \"files"\ in any \(/etc/nsswitch.conf)\ lines you want to
+ use db for.
+
+ On systems that do not include support for indexed password files, you
+ can build one yourself, and reference it from the Exim configuration.
+ For example, for routing to local mailboxes you could use this:
+
+==> localuser:
+ driver = accept
+ condition = ${lookup{$local_part}cdb{/etc/passwd.cdb}{yes}{no}}
+ transport = local_delivery
+ user = ${extract{1}{:}{${lookup{$local_part}cdb{/etc/passwd.cdb}}}
+
+ This assumes a cdb version of the password file.
+
+
+Q1004: I just wondered if it might be helpful to put the hints database on a
+ RAM disk during regular operation. Did anybody try that yet?
+
+A1004: A user reported thus: ``I have found that this works great under Solaris.
+ Make a RAM disk partition and keep everything in the \(db)\ directory on
+ it. However, when I try the same thing on Linux, I don't see the same
+ boost. I think that Linux's file buffer cache works about the same.
+ Plus, this leave more room for processes to run.''
+
+ There have been other reports that Linux's delayed buffer write provides
+ better overall performance in general.
+
+ Apparently there is support in the Solaris kernel for a delayed writing,
+ as in Linux, but Sun's server policy is to have it disabled so that you
+ don't lose so much if the server crashes. There is a program called
+ \^fastfs^\ to enable and disable this support. You have to download and
+ compile it yourself; find it by looking for \"fastfs.c"\ in a search
+ engine. Solaris performance is reported to be much improved, but you
+ should take care to understand the potential hazards. In particular,
+ \^fsck^\ may be unable to ``fix'' disks automatically after a crash.
+
+
+Q1005: A lot of incoming mail is pushing up my system load too much, and there
+ are many Exim processes. How can I control this?
+
+A1005: Have you set any of the Exim configuration options that limit what it
+ does under high load? For example, queue_only_load, deliver_queue_load_max?
+ See the list in the section entitled \*Resource control*\ in the manual.
+
+ It sounds like a lot of simultaneous incoming mail pushes your system
+ into uncontrolled overload. The multiple Exim processes are probably
+ just multiple incoming messages. You can use the \^exiwhat^\ utility to
+ confirm this.
+
+
+
+11. MAJORDOMO
+
+Q1101: How do I set up Majordomo to work with Exim?
+
+A1101: Users have found several ways of setting up Exim for use with Majordomo.
+ One way has been documented at
+ \?http://www.averillpark.net/exim/majordomo.html?\.
+
+ Somewhere in the Majordomo docs or FAQ it mentions using batchmail or
+ other additional programs to improve the performance of large lists.
+ They are not needed with Exim, and their use can actually make things
+ worse. However, it's a good idea to set \remote_max_parallel\ to a value
+ greater than 1 in the Exim configuration.
+
+
+Q1102: I have set \$mailer$\ in \(majordomo.cf)\, but it still isn't setting the
+ sender correctly in the messages it sends.
+
+A1102: Make sure you have got the quoting correct in the \$mailer$\ setting. For
+ example,
+
+==> $mailer = "$sendmail_command -oi -oee -f$sender\@lists.mydomain.de";
+
+ is not correct. It needs three backslashes, not one, and the $ at the
+ start of \$sender$\ has to be escaped with a backslash.
+
+
+Q1103: I'm trying to set up majordomo, but I'm getting a wrong mode error
+ when I try to send it mail.
+
+A1103: Check the mode of \(/var/lib/majordomo/lists/lists.aliases)\ and compare it
+ with the setting of the \modemask\ option in the Majordomo aliases
+ router. This option specifies bits which must not be set for the alias
+ file, and it defaults to 022.
+
+
+Q1104: I'm getting return code 9 from \(/home/majordomo/majordomo-1.94.4/wrapper)\
+ when it is passed a message from Exim.
+
+A1104: A problem like this turned out to be the Perl version that came with
+ RedHat 5.2. Rebuilding Perl 5.005x solved it.
+
+
+Q1105: Exim is complaining about an invalid command line when Majordomo tries
+ to send it a message for delivery.
+
+A1105: Take a look at your \(majordomo.cf)\ file, It should have something that
+ looks like
+
+==> $sendmail_command = "/usr/lib/sendmail";
+
+ and another line like
+
+==> $mailer = "$sendmail_command -oi -oee -f\$sender";
+
+ If you have modified \^resend^\ (one of the majordomo programs) to use
+ \$sendmail_command$\ instead of \$mailer$\ you will be calling Exim with no
+ command line arguments.
+
+
+
+12. FETCHMAIL
+
+Q1201: When I run fetchmail, I get the error \*SMTP listener doesn't like
+ recipient address xxx@localhost*\.
+
+A1201: Make sure that //localhost// is recognized as a domain that is to be
+ delivered locally. If you are using the default Exim run time
+ configuration, you'll see a line near the top like this:
+
+==> domainlist local_domains = @
+
+ Change it to
+
+==> domainlist local_domains = @ : localhost
+
+
+Q1202: I'm currently using Exim with fetchmail and I'd like to use the RBL on
+ Exim, but will it work? Do I need to configure fetchmail any particular
+ way? As far as Exim knows, all mail is coming from 127.0.0.1. Will it
+ check the source address against RBL? Or will it check the ::From:: header?
+
+A1202: It will check 127.0.0.1 (not very useful). The point of the RBL is to
+ keep messages from black-listed hosts out of your machine. If you are
+ using fetchmail, you have got the messages into your machine before you
+ approach Exim. That kind of defeats the purpose of the RBL. The right
+ way to do this would be for the host from which you fetch your mail to
+ do the RBL checking and insert some kind of warning header for you to
+ test, as Exim does if you run RBL checks in warning mode.
+
+
+
+13. PERL
+
+Q1301: Exim built with Perl support exits with the error message \*./exim: can't
+ load library 'libperl.so'*\.
+
+A1301: If you are using BSDI, see Q9401.
+
+
+Q1302: Exim built with Perl support exits with several error messages of the
+ form \*undefined reference to `PL_stack_sp'*\.
+
+A1302: This has been seen on FreeBSD systems that had two different versions of
+ Perl installed, the older with an \^a.out^\ library and the newer with an
+ ELF library. Ensure that the older package is removed.
+
+
+
+14. DIAL-UP AND ISDN
+
+Q1401: When I'm not connected to the Internet, how can I arrange for mail to
+ other hosts on my local network to be delivered, while at the
+ same time mail to Internet hosts is queued without any delivery
+ attempts?
+
+A1401: Use the \queue_domains\ option to control which domains are held
+ on the queue for later delivery. For example,
+
+==> queue_domains = ! *.localnet
+
+ allows delivery to domains ending in \(.localnet)\, while queueing all the
+ others.
+
+
+Q1402: I have a dial-up machine, and I use the \queue_smtp_domains\ option so
+ that remote mail only goes out when I do a queue run. However, any email
+ I send with an address \(anything@aol.com)\ is returned within about 15
+ minutes saying \*retry time exceeded*\, and all addresses are affected.
+
+A1402: You should be using \queue_domains\ rather than \queue_smtp_domains\.
+ With the latter, Exim is trying to route the addresses, which involves a
+ DNS lookup. This is presumably timing out, causing a retry time to be
+ set for the domain, and somehow a valid lookup never happened before the
+ maximum retry time (default of 4 days) passed. Hence the bounce. The
+ fact that it is \(aol.com)\ is probably not relevant. You should probably
+ also be using \-qq-\ to do your queue run rather than \-q-\.
+
+
+Q1403: How should Exim be configured when it is acting as a temporary storage
+ system for a domain on a dial-up host?
+
+A1403: Exim isn't really designed for this, but... The lowest-numbered MX
+ record for the domain should be pointing to the dial-up host. A higher
+ numbered MX record (lower priority) should point to the Exim server that
+ is acting as a temporary storage system.
+
+ You should set a large retry time for the domain, so that Exim doesn't
+ keep trying to deliver when the host is offline. When the host comes
+ online, the waiting messages have to be kicked somehow. This can be done
+ by calling Exim with the \-R-\ option, or via the SMTP ETRN command.
+
+ This works provided the number of messages is low. If you are handling
+ lots of mail, keeping messages waiting for their host to connect and
+ those that are having delivery problems to remote hosts all in the same
+ queue doesn't work so well. It is better in this case to get Exim to
+ deliver the mail for the dial-in hosts into some local files which then
+ get transmitted by other software when the host connects. One tool for
+ doing this can be found at \?http://cr.yp.to/serialmail.html?\.
+
+ For further discussion, see section entitled \*Intermittently connected
+ hosts*\ in the manual, and also the section in the Exim book with the
+ same name.
+
+
+Q1404: I have \queue_domains\ or \queue_smtp_domains\ set, and use \-qf-\ to
+ force delivery of waiting mail when I dial in. How can I arrange for any
+ new messages that arrive while I'm connected to be delivered immediately?
+
+A1404: Instead of \queue_domains\ or \queue_smtp_domains\, use the \queue_only_file\
+ option. This causes messages to be queued if a particular file exists.
+ If you put the word ``smtp'' before the file name, the queueing applies
+ only to domains that are delivered by SMTP, thus not affecting local
+ deliveries:
+
+==> queue_only_file = smtp/etc/present/when/not/connected
+
+ Then, in the scripts which are run when you connect and disconnect,
+ arrange to remove the file after connection, and create it just before
+ disconnection.
+
+
+Q1405: I have an ISDN connection and would like a way of running the queue
+ automatically when it is up.
+
+A1405: The following shell commands test for the interface being up and then
+ run the queue:
+
+==> ifconfig ppp0 | fgrep UP >/dev/null
+ if [ $? -eq 0 ] ; then exim -q ; fi
+
+ You could put these commands into a script which runs them at regular
+ intervals. You might want to use \-qq-\ instead of \-q-\.
+
+ With Linux, the script \(/etc/ppp/ip-up)\ is run after a ISDN connection
+ or a more general PPP connection has been established. If you are using
+ Linux, you could put the call to Exim in that script.
+
+
+Q1406: When I dial up to collect mail from my ISP, only the first 10 messages
+ get delivered immediately; the remainder just sit on the queue until a
+ queue runner process finds them.
+
+A1406: See Q0049.
+
+
+Q1407: RFC 1985 specifies that the SMTP command \"ETRN host.domain"\ causes all
+ mail queued for that host, no matter what domain it's for, to be
+ delivered. Why doesn't Exim support this?
+
+A1407: Exim does not keep queues of mail for specific destinations. It just
+ keeps one pool of undelivered messages. What is more, once you start a
+ delivery of a message, it tries to deliver to all the addresses in the
+ message, not just the one you may be interested in. (Of course, this
+ doesn't usually do any harm.)
+
+ The only way it could be done within Exim would be, for every message
+ on the queue, to go through the motions of routing each undelivered
+ address and see if that resulted in a delivery to the host of interest.
+ This could be extremely expensive (e.g. 1,000 messages on the queue,
+ only 1 for the given host).
+
+ The bottom line is that Exim just wasn't designed for this kind of
+ operation, that is, holding messages for intermittently connected hosts.
+ The queueing arrangements are designed for handling delivery problems
+ that are not expected to be common.
+
+ A better way to do this is to implement the required queues separately.
+ After all, keeping such mail on an active queue (where Exim will keep
+ trying to deliver) is silly. If there is a lot of mail for these hosts,
+ it also masks genuine delivery problems when you inspect the queue.
+
+ Large ISPs who provide this kind of functionality do not usually leave
+ waiting mail on the MTA's queue. Instead, they get it delivered into
+ per-host directories, one message per file, in one of the special
+ formats (BSMTP, maildir, or mailstore) and when an ETRN arrives, it
+ kicks off some completely different program that establishes an SMTP
+ connection to the host and shovels the waiting mail down it. That seems
+ to me to be a much neater way of doing this. It means you can easily add
+ additional functionality such as archiving or throwing away uncollected
+ mail.
+
+ One program that has this functionality is \^ssmtp^\, which can be
+ found in \?ftp://metalab.unc.edu/pub/Linux/system/mail/mta/?\.
+ Alternatively, sample configuration C037 demonstrates an elegant way of
+ using Exim itself to deliver the saved messages when the client issues
+ an ETRN.
+
+
+Q1408: If email has been deferred to a member on a local mailing list
+ (implemented through forward files), and one of our ETRN clients is on
+ this mailing list, the \-R-\ won't flush the mailing list message for
+ that client.
+
+A1408: That is because \-R-\ matches only original recipient addresses, not those
+ produced as a result of expansion, because these are not (by default)
+ preserved from delivery to delivery. You can get round this by setting
+ \one_time\ on the forwarding router, but you are not allowed to have
+ expansions to pipes or files on routers that have \one_time\ set.
+ Therefore, you will have to have a separate router for mailing lists
+ (with \one_time\ set) to the one used for normal forward files that might
+ specify pipe or file deliveries. However, the problem will still be
+ present for any user who sets up a \(.forward)\ file to redirect to any of
+ the ETRN domains. See the last 3 paragraphs of Q1407 for a discussion of
+ an alternative approach.
+
+
+Q1409: I would like to have a separate queue per domain for hosts which dial
+ in to collect their mail.
+
+A1409: Exim isn't really designed for this kind of operation. The only way to
+ do this would be to cause it to send those messages to a differently
+ configured version of Exim with its own spool area. This could be done
+ via a pipe or SMTP to a private port. The main Exim, listening on port
+ 25, would then be configured to run an appropriate command to prod one
+ of the others when it received ETRN, by means of the \smtp_etrn_command\
+ option.
+
+ You could probably manage this with a single Exim binary and a number of
+ different configuration files, passed to the special versions using the
+ \-C-\ option. For this application they could all run as \^exim^\, since no
+ root privilege would be needed.
+
+ An alternative approach id to get Exim to deliver mail for such hosts
+ in batch SMTP format into some directory, and have the ETRN run
+ something to pass such messages to the dialled-in host. See also Q1403.
+
+
+
+15. UUCP
+
+Q1501: The MX records for some UUCP domains point to my local host. How do I
+ get it to pass the messages on to UUCP?
+
+A1501: The simplest way is to create a file containing a list of domains, and
+ the hosts to which their messages should be sent, like this:
+
+==> uucp1.domain.example: uucp1.host.example
+ uucp2.domain.example: uucp2.host.example
+ ....
+
+ Then you can use a router like this:
+
+==> uucp_router:
+ driver = accept
+ domains = lsearch;/etc/uucp/domains
+ transport = uucp_transport
+
+ and a transport like this:
+
+==> uucp_transport:
+ driver = pipe
+ user = nobody
+ command = /usr/local/bin/uux - -r $domain_data!rmail $local_part
+ return_fail_output
+
+ The \$domain_data$\ variable retains the value that is looked up when
+ the \domains\ option in the router is matched.
+
+
+Q1502: How can I get Exim to handle ``bang path'' addresses?
+
+A1502: In general, you can't (Exim is an Internet mailer and recognizes only
+ RFC 2822 domain-style addresses) but some restricted kinds of bang path
+ can be dealt with by appropriate rewriting - but please note the warning
+ below.
+
+ Exim treats a bang path address as an unqualified local part, and so
+ will qualify it with your domain. A rule such as
+
+==> \N^([^!]+)!(.+)@your\.domain$\N $2@$1
+
+ turns \(a!b@your.domain)\ into \(b@a)\. You can also use a repeating rule to
+ turn multi-component paths into the ``percent hack'' notation with a rule
+ such as
+
+==> \N^([^!]+)!([^@%]+)(.+)$\N $2%$1$3 R
+
+ which turns \(a!b@c)\ into \(b%a@c)\ and \(a!b!c@d)\ first into \(b!c%a@d)\ and then,
+ because of the R flag, into \(c%b%a@d)\. The R flag causes repetition up to
+ 10 times.
+
+ \**Warning:**\ If you install a general rewriting rule like the above, you are
+ opening yourself up to the possibility of unwanted relaying. A host that
+ is not permitted to relay through your system could send a message with
+ an SMTP command line such as
+
+==> RCPT TO:<victim-host!victim-user@your.domain>
+
+ and this would be accepted because it is addressed to your domain.
+ However, the rewriting then converts the address, and the message does
+ in fact get relayed. One way round this, if all your bang path messages
+ are passed to Exim via SMTP, is to use the \"S"\ rewriting flag. This
+ applies a rewriting rule to incoming SMTP addresses as soon as they are
+ received, before checking for qualification, relaying, etc. So a rule
+ such as
+
+==> \N^([^!]+)!(.+)$\N $2@$1 S
+
+ rewrites simple two-component bang paths before the result is checked
+ for relaying. However, this does not rewrite addresses in the headers of
+ the message.
+
+
+Q1503: We see something strange on our system in regards to mail coming in via
+ rmail from a UUCP link. The sender is being set to mailmaster instead of
+ the real sender, and a ::Sender:: header is being added to the message.
+
+A1503: If \(mailmaster)\ is the user that is running rmail, you need to include
+ that user in the \trusted_users\ configuration option. Only trusted users
+ are permitted to specify senders when mail is passed to Exim via the
+ command line.
+
+
+
+16. MODIFYING MESSAGE BODIES
+
+Q1601: How can I add a disclaimer or an advertisement to a message?
+
+A1601: There are a number of technical and potential legal problems that arise
+ in connection with message modification. Some of them are listed below.
+ Some comment on the legal position of email disclaimers in English law
+ can be found at \?http://www.weblaw.co.uk/artemail.htm?\.
+
+ See also \?http://www.goldmark.org/jeff/stupid-disclaimers/?\. There is
+ some discussion about the problems of actually adding disclaimers in
+ \?http://www.goldmark.org/jeff/stupid-disclaimers/apply.html?\.
+
+ In many cases, email disclaimers will make your company look ridiculous,
+ at the very least. At worst, they may interfere with the normal
+ processing of mail.
+
+ If, despite these considerations, you still want to modify messages, you
+ can do so using Exim, but not directly in Exim itself. It is not the job
+ of an MTA to modify messages, something that requires understanding of
+ their content and format.
+
+ Exim provides a hook called a ``transport filter'' that lets you pass
+ any outgoing message through a program or script of your choice. It
+ is the job of this script to make any changes to the message that you
+ require. By this means, you have full control over what changes are
+ made, and Exim does not need to know anything about message bodies.
+ However, using a transport filter requires additional resources, and may
+ slow down mail delivery.
+
+ You can use Exim's routers to arrange for those messages that you want
+ to modify to be delivered via a transport filter. For example, suppose
+ you want to do this for messages from addresses in your domain that are
+ being delivered to a remote host. First you need to set up a special
+ \%smtp%\ transport that uses a filter, like this:
+
+==> remote_smtp_filter:
+ driver = smtp
+ transport_filter = /your/filter/command
+
+ Then you need to modify the \%dnslookup%\ router to use this transport
+ when the conditions are right:
+
+==> dnslookup:
+ driver = dnslookup
+ domains = ! +local_domains
+ transport = ${if eq {$sender_address_domain}{your.domain}\
+ {remote_smtp_filter}{remote_smtp}}
+ ignore_target_hosts = 127.0.0.0/8
+ no_more
+
+ This is the standard \%dnslookup%\ router, but with a modified setting of
+ the \transport\ option. When the sender address is in your domain, it
+ routes to the special transport instead of the standard one.
+
+ The entire message is passed to your filter command on its standard
+ input. It must write the modified version to the standard output, taking
+ care not to break the RFC 2822 syntax. The command is run as the Exim
+ user.
+
+ There are a number of potential problems in doing this kind of
+ modification in an MTA. Many people believe that to attempt is it wrong,
+ because:
+
+ 1. It breaks digital signatures, which are becoming legally binding
+ in some countries. It may well also break encryption.
+
+ 2. It is likely to break MIME encoding, that is, it is likely to wreck
+ attachments, unless great care is taken. And what about the case of a
+ message containing only binary MIME parts?
+
+ 3. It is illegal under German and Dutch law to change the body of
+ a mail message in transit. It might potentially be illegal in
+ the UK under European law. This consideration applies to ISPs and
+ other ``common carriers''. It would presumably not apply in a corporate
+ environment where modification was done only to messages originating
+ from the employees, before they left the company's network. It might
+ also not apply if the senders have explicitly given their consent
+ (e.g. agreed to have advertisements added to their incoming mail).
+
+ 4. Since the delivered message body was produced by the MTA (not the
+ originator, because it was modified), the MTA operator could
+ potentially be sued for any content. This again applies to `common
+ carrier' MTAs. It's interesting that adding a disclaimer of liability
+ could be making you liable for the message, but this case seems
+ more likely to involve adding advertisements than disclaimers. After
+ all, no postal service in the world opens all the mail it carries to
+ add disclaimers.
+
+ 5. Some mail clients (old versions of MS outlook) crash if the message
+ body of an incoming MIME message has been tampered with.
+
+ There are also potential problems that could arise if a scheme to add
+ disclaimers goes wrong for some messages:
+
+ 1. False negatives: `Ah, this guy usually says he does not represent
+ their views, but in this message he doesn't have the disclaimer'.
+
+ 2. False positives: `This official announcement does not represent our
+ views, oh no'.
+
+ An alternative approach to the disclaimer problem would be to insist
+ that all relevant messages have the disclaimer appended by the MUA. The
+ MTA should refuse to accept any that do not. Again, however, the MTA
+ must understand the format of messages in order to do this. Simply
+ checking for appropriate wording at the end of the body is not good
+ enough. It would probably be necessary to run a Perl script from within
+ an Exim system filter, or write a \^^local_scan()^^\ function in order
+ to adopt this approach.
+
+ Finally, it's a trivial matter to add customized headers of the sort:
+
+==> X-Disclaimer: This is a standard disclaimer that says that the views
+ X-Disclaimer: contained within this message are somebody else's.
+
+ which is a much easier alternative to modifying message bodies.
+
+
+Q1602: How can I remove attachments from messages?
+
+A1602: The answer to this is essentially the same as for Q1601.
+
+
+
+17. ENCRYPTION (TLS/SSL)
+
+Q1701: I am trying to set up an Exim server that uses a self-signed certificate
+ to enable my clients to use TLS. However, clients other than Exim
+ refuse to accept this certificate. What's wrong?
+
+A1701: It seems that some clients require that the certificate presented by
+ the server be a user (also called ``leaf'' or ``site'') certificate, and not
+ a self-signed certificate. In this situation, the self-signed
+ certificate must be installed on the client as a trusted root
+ \*certification authority*\ (CA), and the certificate used by the server
+ must be a user certificate signed with that self-signed certificate.
+
+ For information on creating self-signed CA certificates and using them
+ to sign user certificates, see the \*General implementation overview*\
+ chapter of the Open-source PKI book, available online at
+ \?http://ospkibook.sourceforge.net/?\. Here is a quick overview. First,
+ read this message:
+
+ \?http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com?\
+
+ Then, follow the instructions found on these two (consecutive) pages:
+
+ \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm?\
+ \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm?\
+
+ Two points on the PKI Book literature:
+
+ (1) It's assumed that it's okay to use a passphrase-protected key to
+ encrypt the user/site/leaf certificate. If this isn't acceptable,
+ you seem to be able to strip out the passphrase as follows:
+
+==> openssl rsa -in user.key -our user.key.new
+ mv user.key.new
+
+ This should be done immediately after \(user.key)\ is created.
+
+ (2) The \*sign.sh*\ script is available in the \*mod_ssl*\ distribution,
+ available at \?http://www.modssl.org/source/?\.
+
+ Having followed the instructions, you end up with the following files:
+
+ (a) \(ca.crt)\
+
+ This file should be installed into the client software as a trusted
+ root certification authority. In Windows XP, this can be done as follows:
+
+ \#\#Call the file \(ca_cert.cer)\
+ [[br]]
+ \#\#Double-click on the file
+ [[br]]
+ \#\#"Install Certificate";
+ [[br]]
+ \#\#"Next"
+ [[br]]
+ \#\#"Place all certificates in the following store"
+ [[br]]
+ \#\#"Browse..."
+ [[br]]
+ \#\#"Trusted Root Certification Authorities"
+ [[br]]
+ \#\#"OK"
+ [[br]]
+ \#\#"Next"
+ [[br]]
+ \#\#"Finish"
+ [[br]]
+ \#\#"Yes"
+ [[br]]
+ \#\#"OK"
+
+ (b) \(user.crt)\ and \(user.key)\
+
+ These files should be installed into the server software. In Exim, this
+ can be done by adding these lines to the configuration file:
+
+==> tls_certificate = /usr/local/etc/exim/tls_cert
+ tls_privatekey = /usr/local/etc/exim/tls_key
+
+ Then install \(user.crt)\ and \(user.key)\ under the names \(tls_cert)\
+ and \(tls_key)\ in the appropriate directory.
+
+
+Q1702: How can I arrange for Exim to advertise support for SMTP authentication
+ only when the session is encrypted?
+
+A1702: Use this setting:
+
+==> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
+
+
+Q1703: I have some legacy clients that don't use STARTTLS, but which expect to
+ negotiate a TLS session automatically on connection to the ssmtp port
+ (465). Can Exim handle this?
+
+A1703: The \-tls-on-connect-\ option is available to handle this. You need to
+ run two instances of an Exim listener, listening on different ports, one
+ of which is started with \-tls-on-connect-\. You can either use two
+ daemons, or a single daemon, with the other listenever using \^inetd^\.
+ For example, here are commands to start two daemons:
+
+==> exim -bd -q15m
+ exim -bd -oX '[0.0.0.0]::465' -tls-on-connect
+
+ The first is a ``normal'' daemon; the second listens on port 465 and
+ expects to negotiate a TLS session at the start of each connection.
+
+
+Q1704: When my Outlook Express 6.0 client sends a STARTTLS command to begin a
+ TLS session, Exim doesn't seem to receive it.
+
+A1704: See Q0059.
+
+
+Q1705: I have listed some hosts in \tls_try_verify_hosts\, but when they
+ connect, no data appears in \$tls_peerdn$\.
+
+A1705: This means that the clients have not sent certificates when asked by
+ the server to do so. If the clients are running Exim, check that
+ \tls_certificate\ is correctly set in their \%smtp%\ transports. Note
+ that this value is not automatically inherited from the global
+ \tls_certificate\ option.
+
+
+Q1706: I have listed some hosts in \tls_verify_hosts\ and provided them with
+ certificates, but their connections are always rejected.
+
+A1706: Make sure that the server file containing the expected certificates
+ (defined by \tls_verify_certificates\) is readable by the Exim user.
+ See also the answer to Q1705.
+
+
+Q1707: I am trying to use TLS with Evolution as a client, and keep seeing this
+ error: \*SMTP protocol violation: synchronization error (next input
+ sent too soon): rejected "\200F^A^C".*\ What does it mean?
+
+A1707: See Q0086 for a general explanation of the error. In this case, it
+ probably means that Evolution is trying to negotiate a TLS session
+ immediately it connects, without first using the STARTTLS command. This
+ was an older way of starting up TLS, before STARTTLS was defined. You
+ will have to run a separate instance of Exim using the
+ \-tls-on-connect-\ command line option to cater for this usage, and
+ listening on a different port. For example:
+
+==> exim -bd -oX 465 -tls-on-connect
+
+ 465 is the ``smtps'' port which is an unofficial standard for this kind
+ of SMTP server.
+
+
+Q1708: I trying to use TLS with Outlook as a client on a box that is running
+ Norton Antivirus, but all my email is being rejected with \*Unsupported
+ command*\ errors. Why?
+
+A1708: Norton Antivirus does not support TLS or AUTH. It puts a broken SMTP
+ proxy between you and the Exim server. You need to turn off outbound
+ scanning of email.
+
+
+
+20. MILLENNIUM
+
+Q2000: Are there any Y2K issues with Exim?
+
+A2000: The author of Exim believes that it is Y2K-compliant, as long as the
+ underlying operating system and C library are. Exim does not parse dates
+ or times at all. Internally, it makes some use of binary timestamps in
+ Unix format (number of seconds since 1-Jan-1970) and uses C library
+ services to convert these to printing forms (e.g. for logging). The
+ printing forms all use 4-digit years. Some people have tried various
+ tests. No problems have been reported, but details of what tests have
+ been done are not available.
+
+ Well, it's now November 2001, and no Y2K problems have been reported, so
+ it looks like I was right. This entry is retained as historical
+ nostalgia.
+
+
+
+50. MISCELLANEOUS
+
+Q5001: How can I arrange to allow a limited set of users to perform a limited
+ set of Exim administration functions? I don't want to put them all in
+ the //exim// group.
+
+A5001: See \?http://www.chiark.greenend.org.uk/~ian/userv/?\. Using \^userv^\ you can
+ arrange (for example) for certain users to be able to invoke \^mailq^\ or
+ \^runq^\ or other preset commands as \^exim^\ (or any other user, as configured)
+ with only \^userv^\ configuration. If you want to check the particular Exim
+ options available you can easily do it with shell or Perl scripts and
+ \^userv^\ configuration, and provided you know how to do argument
+ ``unparsing'' properly in shell or Perl it will be secure.
+
+
+Q5002: I want to ``tail'' the Exim log, but I have a number of other logs I also
+ want to ``tail'', and the number of tailing windows is getting to be a
+ nuisance.
+
+A5002: Look for a program called \^xtail^\ (despite its name, it's not an
+ X-windows application). It allows you to do multiple tails, even of
+ entire directories.
+
+ Alternately, get the GNU version of \^tail^\, from the GNU textutils
+ package (\?ftp://ftp.gnu.org/gnu/textutils/?\). GNU tail lets you run
+ \"tail -f\" on multiple files at the same time, although it doesn't work
+ on entire directories like \^xtail^\ can. If you are running Linux, you
+ probably already have a version of GNU \^tail^\ that can follow multiple
+ files.
+
+
+Q5003: How can I persuade Exim to accept ETRN commands without the leading
+ # character?
+
+A5003: Set the option
+
+==> smtp_etrn_command = /usr/lib/sendmail -R $domain
+
+ This causes Exim to run that command, with \$domain$\ replaced by the
+ argument of ETRN. The default action of Exim is to require the # sign
+ in order to be RFC-compliant, and to run the equivalent of
+
+==> smtp_etrn_command = /usr/lib/sendmail -R ${substr_1:$domain}
+
+ which uses the argument without the leading # as the value for the \-R-\
+ option. You aren't restricted to running Exim with the \-R-\ option, of
+ course. You can specify any command you like, with any number of
+ arguments. In particular, you can pass over the IP address of the caller
+ via \$sender_host_address$\. However, if you make use of expansion strings
+ in the arguments, each one must be entirely contained in a single
+ argument. For example, if you want to remove the first character of the
+ ETRN argument when it is @ or #, you could use
+
+==> smtp_etrn_command = "/usr/lib/sendmail -R \
+ \"${if match {$domain}{^[@#]}{${substr_1:$domain}}{$domain}}\""
+
+ The internal quotes are necessary because of the white space inside the
+ expansion string.
+
+
+Q5004: I've recently noticed that emails I send with a ::Bcc:: line are being
+ delivered to their final destination with the ::Bcc:: line still present.
+
+A5004: Exim removes ::Bcc:: lines only if you call it with the \-t-\ option (i.e.
+ when it is acting partly as an MUA). It does not remove ::Bcc:: lines that
+ are present in incoming SMTP mail or command-line mail that does not
+ use \-t-\. Indeed, it should not remove them, because only the
+ initiating software (i.e. the MUA) can tell what to do with ::Bcc::
+ lines; any MTA software has to leave them alone. This is what RFC 2822
+ has to say about ::Bcc::
+
+ \*The ::Bcc:: field (where the ``Bcc'' means ``Blind Carbon Copy'') contains
+ addresses of recipients of the message whose addresses are not to be
+ revealed to other recipients of the message. There are three ways in
+ which the ::Bcc:: field is used. In the first case, when a message
+ containing a ::Bcc:: field is prepared to be sent, the ::Bcc:: line is
+ removed even though all of the recipients (including those specified
+ in the ::Bcc:: field) are sent a copy of the message. In the second
+ case, recipients specified in the ::To:: and ::Cc:: lines each are sent
+ a copy of the message with the ::Bcc:: line removed as above, but the
+ recipients on the ::Bcc:: line get a separate copy of the message
+ containing a ::Bcc:: line. (When there are multiple recipient
+ addresses in the ::Bcc:: field, some implementations actually send a
+ separate copy of the message to each recipient with a ::Bcc::
+ containing only the address of that particular recipient.) Finally,
+ since a ::Bcc:: field may contain no addresses, a ::Bcc:: field can be
+ sent without any addresses indicating to the recipients that blind
+ copies were sent to someone. Which method to use with ::Bcc:: fields
+ is implementation dependent, but refer to the ``Security
+ Considerations'' section of this document for a discussion of each.*\
+
+
+Q5005: I used \^gv^\ 3.5.8 (\^ghostview^\) to try printing \(spec.ps)\. After every
+ printed page, the printer ejects a blank sheet. Is this something to do
+ with using ``letter'' rather than A4 paper?
+
+A5005: This seems to be an effect of using \^ghostview^\. Although the PostScript
+ is generated for A4 pages, the size of the page images is such that they
+ should fit on a letter page (they are shorter than would normally be
+ used on A4 paper). If the PostScript file is sent directly to a
+ PostScript printer, there is no problem. An alternative is to get hold
+ of the \^psutils^\ toolset, which is available from
+ \?ftp://ftp.dcs.ed.ac.uk/pub/psutils/psutils.tar.gz?\.
+ It contains utilities for extracting pages (which can be useful for
+ double-sided printing) and for resizing pages. If you resize from A4 to
+ letter the text shrinks a bit, but should then be printable via
+ \^ghostview^\.
+
+
+Q5006: Why aren't there any man pages for Exim? I don't always carry my printed
+ documentation.
+
+A5006: A single man page which lists the command line options is provided in
+ file \(doc/exim.8)\ in the Exim distribution. Several other forms of
+ online documentation are available. As well as plain ASCII text, the
+ there are two forms - Texinfo and HTML - which have a certain amount of
+ built-in indexing for ease of finding your way around. There are no man
+ pages apart from the command line one because the author of Exim hasn't
+ the time (or desire :-) to maintain yet another documentation format.
+ Besides, it is hard to know how to split the Exim manual up.
+
+
+Q5007: When I send a message using the \-t-\ command line option, Exim sends only
+ to the addresses within the message, not to those on the command line.
+
+A5007: There seems to be some confusion in the Sendmail community about the
+ interpretation of recipient addresses on the command line if the \-t-\
+ option is used. Some versions do one thing, and some another. Here is an
+ except from one version of the Sendmail documentation for \-t-\:
+
+ \*Read message for recipients. ::To::, ::Cc::, and ::Bcc:: lines will
+ be scanned for recipient addresses. The ::Bcc:: line will be
+ deleted before transmission. Any addresses in the argument
+ list will be suppressed, that is, they will not receive
+ copies even if listed in the message header.*\
+
+ By default Exim follows this specification, and interprets addresses on
+ the command line as addresses not to send to. You can set
+
+==> extract_addresses_remove_arguments = false
+
+ to change this behaviour so that command line addresses are added to the
+ addresses that are taken from the header lines.
+
+
+Q5008: If I set up a domain list to contain //*customer.com//, it matches
+ //customer.com// and //abc.customer.com// as required, but it also matches
+ //noncustomer.com//, which is wrong. How can I get round this?
+
+A5008: You have to specify two entries in the list:
+
+==> customer.com : *.customer.com
+
+ because * in a domain list matches any characters, including \"."\ and
+ including a null sequence.
+
+
+Q5009: I want to match all domains of the form //*.oyoy.org// but want a few
+ exceptions. For instance I don't want //foo.oyoy.org// or //bar.oyoy.org// to be
+ included. What is the best way to do this?
+
+A5009: Use negative items in the domain list, like this:
+
+==> domainlist local_domains = !foo.oyoy.org : !bar.oyoy.org : *.oyoy.org
+
+ If there are many exceptions, you can use a lookup instead of listing
+ them all inline. If there are a number of exceptions that match a
+ particular pattern, you could use a regular expression.
+
+
+Q5010: I can't seem to find a pre-built version of Exim anywhere. The machine
+ is a Sparc 5 running Solaris 2.6.
+
+A5010: The primary distribution is source-only. However, some people have built
+ and distributed RPMs and debs for Linux systems, and ports for FreeBSD.
+ I haven't heard of anyone doing this for Solaris. The main problem with
+ binary distributions is that there are a number of build-time options,
+ requiring the answers to questions like:
+
+ . Which DBM library do you have? (On Solaris probably ndbm, but no easy
+ default on some other systems.)
+
+ . Which uid/gid do you want to use for Exim?
+
+ . Where do you want the configuration file to be? (Many different
+ answers, even on the same OS, depending on local policy.)
+
+ . Ditto for the binaries.
+
+ . Which optional bits of Exim do you want to include?
+
+
+Q5011: Is there a version of Exim available that runs under Windows?
+
+A5011: A long time ago somebody took a copy of the Exim source with the aim of
+ trying to port it to Windows NT. However, I never heard anything more.
+ However, current versions of Exim can be made to run under Cygwin.
+
+
+Q5012: Does Exim support Delivery Status Notification (DSN), Message Status
+ Notification (MSN), or any other form of delivery acknowledgement?
+
+A5012: See Q0607.
+
+
+Q5013: What does ``Exim'' stand for?
+
+A5013: Originally, it was ``EXperimental Internet Mailer'', which was the best I
+ could come up with when I was starting out. At that point it was
+ experimental - I wanted to see if the ideas I had for extending Smail's
+ approach actually worked. Then somebody discovered about it and wanted
+ to start using it, and told other people about it...
+
+
+Q5014: Although I haven't set \check_spool_space\, Exim is still checking the
+ amount of space on the spool for incoming SMTP messages that use the
+ SIZE option. Can I suppress this?
+
+A5014: The RFC for the SIZE option says:
+
+ \*If the server currently lacks sufficient resources to accept a
+ message of the indicated size, but may be able to accept the
+ message at a later time, it responds with code ``452
+ insufficient system storage''.*\
+
+ and that is what Exim is trying to implement. This is entirely
+ independent from \check_spool_space\, which says \*don't accept any mail
+ if there is less than so much space in the spool partition*\, though the
+ code is optimised to do both checks at the same time if required.
+ However, you can suppress the SIZE check if you want to, by unsetting
+ \smtp_check_spool_space\.
+
+
+Q5015: I just noticed log entries that start off \"<= <>"\. Am I correct in
+ assuming that the \"<>"\ indicates that the envelope did not contain any
+ ``From'' data?
+
+A5015: Yes. This indicates a delivery failure report (aka a ``bounce message''),
+ as specified in RFC 2821. The reason for using empty sender addresses is
+ to identify bounce messages so that they themselves do not cause further
+ bounces. Empty senders are also used for other kinds of report which
+ should not themselves cause the generation of bounce messages. For
+ example, Exim uses them when sending out warnings about delivery delays.
+
+
+Q5016: I've received a message which does not have my address in the ::To::
+ line. It is a spam message with the same address in both the ::From:: and
+ the ::To:: headers. How can this happen, and why doesn't Exim reject it?
+
+A5016: There is an important distinction between the ``envelope'' from and to and
+ the ``header'' from and to. The former are sometimes called the ``sender''
+ and ``recipient''. An email message needs an ``envelope'' for the same
+ reason that paper mail does - the envelope tells the delivery mechanism
+ what to do with this copy of the message, whereas the ::To:: header lists
+ all the recipients, including those who have been sent different copies
+ of the message because their mailbox is on some other host.
+
+ An MTA such as Exim works entirely with the ``envelope'' addresses, not
+ with those in the header lines. Don't try to block mail where envelope
+ from and the header from differ. There are common legitimate cases where
+ this happens, for example, messages forwarded from mailing lists and
+ delivery failure reports.
+
+
+Q5017: Can (or will) Exim ever handle a message delivery purely in memory,
+ that is, it is handled without it ever hitting the disk?
+
+A5017: It doesn't, and never will. Accepting and delivering a message are two
+ entirely separate, independent processes, which communicate only by
+ writing/reading the message on the disk.
+
+
+Q5018: If I am using dbm files for data that Exim reads, can I rebuild them
+ on the fly, or do I need to restart Exim every time I make a change?
+
+A5018: Exim re-reads the file every time it consults it, so if you are using a
+ cdb or a DBM library that uses just a single file (i.e. not ndbm),
+ you can just build the new file with a temporary file name, and use
+ \^mv^\ to rename it into the correct place on the fly. If there are two
+ files to rename, there is a window of time during which the DBM database
+ is inconsistent. On lightly loaded systems this may not matter.
+
+
+Q5019: I need an option that is the opposite of \-bpa-\, that is, a listing of
+ those addresses generated from a top-level address that have not yet
+ been delivered.
+
+A5019: Exim does not keep this information. It saves only the top-level
+ addresses and the list of addresses that are finished with. At each
+ delivery attempt, generated addresses are recomputed from scratch. This
+ makes it possible to correct errors in redirection data that is
+ causing delivery delays. However, there is an option you can set on a
+ \redirect\ router that changes things. It is called \one_time\, and if
+ it is set, the list of generated addresses gets added to the top-level
+ list at the first delivery attempt, and is never regenerated. Because
+ top-level address lists must be real email addresses, this option cannot
+ be used if any of the generated addresses are pipes, files, or
+ autoreplies.
+
+
+Q5020: How can I make Exim receive incoming mail, queue it, but not attempt to
+ deliver it? I want to be in this state while moving some mailboxes.
+
+A5020: Set \queue_only\ in the Exim configuration. Then kill your daemon,
+ and restart it without the \-q-\ option (i.e. with just the \-bd-\ option),
+ so that it does not spawn any queue runners. This stops all deliveries,
+ remote as well as local.
+
+
+Q5021: What does Exim use for POP and IMAP as a default? Do I have to install
+ anything else?
+
+A5021: Yes. Exim provides MTA functionality. That is, it delivers mail. POP and
+ IMAP are two of several ways of reading previously-delivered mail. Exim
+ does not provide that functionality. You need to install POP and/or IMAP
+ daemons; there are several to choose from. There is a mailing list at
+ //pop-imap@exim.org// for the discussion of POP/IMAP issues.
+
+
+Q5022: Is there an easy way of removing all queued messages at once in a safe
+ way?
+
+A5022: Try this command:
+
+==> exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh
+
+
+Q5023: Why does Exim do \*ident*\ callbacks by default? Isn't this just a waste
+ of resources? I've been told this is an ancient way of authentication.
+ Is it obsolete?
+
+A5023: This is a common misunderstanding, at least partially resulting from the
+ incorrect naming of the protocol when it was first published.
+ The service on port 113 is an identification service, which allows a
+ target host to record information identifying the user responsible for
+ making a connection to it. The information may not be intelligible to
+ the recording host - it could, for example, be encrypted so that only
+ someone on the calling host can make sense of it. It is useful for
+ providing additional information in an audit trail.
+
+ At least one site has found \^ident^\ effective against two rather
+ prevalent kinds of open proxy (whether already blacklisted at the RBLs
+ or not). An ACL statement is used to reject mail from servers that
+ return \^ident^\ strings of \"squid"\ and \"CacheFlow Server"\.
+ Snippets such as this in the RCPT ACL do the trick:
+
+==> deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
+ message = Rejected - appears to be an unsecured proxy: $sender_ident
+
+ The likelihood that a genuine mail process would return those specific
+ ident strings is vanishingly small.
+
+ The \^ident^\ data should not be used for authentication in any form
+ except on a closed secure network between cooperating hosts (probably
+ not even then). The information from the source host is only as reliable
+ as the host itself. If it's not under your control then you have to
+ treat the information as opaque data that can be used only by the
+ sysadmin of the source system to trace back connection data. Some
+ \^ident^\ implementations send out opaque cookies or DES encrypted
+ information. \^Ident^\ is hugely useful at times - especially for
+ checking back on connections from multiuser machines (as opposed to
+ one-person desktop boxes).
+
+ You can stop Exim making ident calls by adding
+
+==> rfc1413_query_timeout = 0s
+
+ to its configuration, but it is better to leave it active (reducing the
+ timeout to 10s or less if it is causing problems) - it costs very
+ little, and in cases of mail forgery from a multiuser system can track
+ the sinner concerned very quickly.
+
+
+Q5024: I often have the problem that a message gets stuck in the mail queue and
+ I want it to be bounced to a certain address.
+
+A5024: You can do this using a combination of four command line options, like
+ this:
+
+==> exim -Mf 14Fdlq-0003kM-00
+ exim -Mmad 14Fdlq-0003kM-00
+ exim -Mar 14Fdlq-0003kM-00 new@ddress
+ exim -M 14Fdlq-0003kM-00
+
+ The first command freezes the message so that a queue runner won't start
+ to deliver it while you are changing things. The second command marks
+ all existing recipients as delivered. The third command adds a new
+ recipient, and the fourth command forces a delivery of the message,
+ which will cause it to be delivered to the new address, and then
+ deleted.
+
+
+Q5025: What precautions should I take when editing Exim's run time
+ configuration file?
+
+A5025: Edit the file and save the result in a new file. Test the syntax of
+ the new file by running a command like this:
+
+==> exim -bV -C exim.conf.new
+
+ That will check for syntax errors without disturbing your running
+ configuration. If you are paranoid enough, run, as \/root/\,
+
+==> exim -C exim.conf.new <some address>
+ <some message>
+ .
+
+ and see if it delivers it. Carry on testing until happy. When happy,
+
+==> mv exim.conf.new exim.conf
+ kill -HUP `cat /var/spool/exim/exim-daemon.pid`
+
+ Then check the Exim log to be sure the daemon restarted OK. Watch the
+ log for a bit to see that mail is flowing.
+
+
+Q5026: Is exim able to use RFC 2645, \*On-demand Mail Relay*\ (ODMR)?
+
+A5026: No.
+
+
+Q5027: Is there any way I can send bounces to the postmaster, and nobody else?
+ Basically, I want to receive them, and I don't want the reply/from
+ person to get them. If I think they need it I will forward it myself.
+
+A5027: Put \"errors_to=postmaster"\ on every router.
+
+
+Q5028: When I HUP the Exim daemon, the name shown in the process table changes
+ from \(/usr/lib/sendmail)\ (which is a symlink) to the real binary name.
+ Can I change this?
+
+A5028: Add this to your Exim configuration:
+
+==> exim_path = /usr/lib/sendmail
+
+
+Q5029: A message with a recipient address that contains a non-printing character
+ is stuck on my mail queue. How can I remove this address?
+
+A5029: You can use the \-Mmd-\ command line option to mark a recipient address
+ ``delivered'', which effectively removes it. If you are using the Bash
+ shell, you can enter non-printing characters using an escape sequence.
+ For example:
+
+==> exim -Mmd 15HKvU-00013Q-00 $'\240'abc@x.y.z
+
+ In this example, the first character of the local part has a code value
+ of 240. If you are using a shell that does not support this, create the
+ command in a file and run it as a shell script.
+
+
+Q5030: I am using exim in a two queues scenario, with two different
+ configuration files. How can I run a second copy of \^eximon^\ to
+ inspect and modify the alternate queue?
+
+A5030: Use these commands (or put them in a script):
+
+==> EXIMON_EXIM_CONFIG=/your/path/exim/configure.alternate
+ export EXIMON_EXIM_CONFIG
+ /your/path/exim/bin/eximon
+
+
+Q5031: Why is there no sender address on bounce messages? It shows up as "<>".
+
+A5031: See the answer to Q0042.
+
+
+Q5032: Are there any Exim web-based administration scripts?
+
+A5032: No (as far as is known). It seems likely that producing one that is
+ generic enough would be a difficult task.
+
+
+Q5033: How can I send a copy of all outgoing messages to another mailbox?
+
+A5033: The most straightforward way is to set up a system filter, and include
+ a command such as:
+
+==> unseen deliver mailbox@whatever.domain
+
+ This sends a copy of every message to //mailbox@whatever.domain//
+ (unless the message already has that recipient - Exim never does
+ duplicate deliveries).
+
+ To save only ``outgoing'' messages, you need to come up with a
+ definition of what ``outgoing'' means. Typically, this might be a check
+ on the sender address and/or on the originating host. Here is an
+ example:
+
+==> if $sender_address_domain is mydomain.com and
+ ${mask:$sender_host_address/24} is 192.168.324.0/24
+ then
+ unseen deliver mailbox@whatever.domain
+ endif
+
+
+Q5034: Is there any way to make the \queue_only\ option conditional? I would
+ like the ability to queue messages from external sources while deliver
+ locally generated email as normal.
+
+A5034: There is no direct way of doing this. However, you can achieve the
+ effect. In one of your ACLs that checks incoming mail from external
+ sources, put
+
+==> warn control = queue_only
+
+ You can add other conditions as well, of course.
+
+
+
+91. MAC OS X
+
+Q9101: How can I install Exim on Mac OS X?
+
+A9101: (1) There is useful advice on this web page:
+ \?http://www.afp548.com/Articles/Jaguar/exim410.html?\.
+
+ (2) There is a package installer available at this URL:
+ \?ftp://members.aol.com/AFP548dotcom/EximInstaller.sit?\.
+
+ (3) There is another package installer for the combination of MySQL,
+ Exim, Exiscan, CourierIMAP, and SpamAssassin at this URL:
+ \?http://maxo.captainnet.net/installs/mail-install.html?\.
+
+
+
+92. FREEBSD
+
+Q9201: On FreeBSD, \(/usr/sbin/sendmail)\ is a symbolic link to
+ \(/usr/sbin/mailwrapper)\; it doesn't contain the Sendmail binary. How
+ should I replace Sendmail with Exim on FreeBSD?
+
+A9201: There is a file called \(/etc/mail/mailer.conf)\ which selects what to
+ run for various MTA calls. Instead of changing \(/usr/sbin/sendmail)\,
+ you should edit this file instead, to read something like this:
+
+==> sendmail /usr/exim/bin/exim
+ send-mail /usr/exim/bin/exim
+ mailq /usr/exim/bin/exim -bp
+ newaliases /usr/bin/true
+
+ You probably also need to edit \(/etc/periodic.conf)\; see Q9202.
+
+
+Q9202: A script that FreeBSD runs nightly uses \^mailq^\ with the \-Ac-\
+ parameter. Why doesn't Exim recognize this?
+
+A9202: \-Ac-\ is a Sendmail option that requests that mailq ``Show the mail
+ submission queue specified in \(/etc/mail/submit.cf)\ instead of the
+ MTA queue specified in \(/etc/mail/sendmail.cf)\''. Exim doesn't have
+ the concept of a ``submission queue''. You can disable this feature
+ of the nightly script by adding the line
+
+==> daily_status_include_submit_mailq="NO" # No separate 'submit' queue
+
+ to the file \(/etc/periodic.conf)\.
+
+
+Q9203: How can I use Exim for authenticated SMTP using Cyrus on FreeBSD?
+
+A9203: This web page may help: \?http://www.munk.nu/exim/exim-freebsd-asmtp.php?\.
+
+
+
+93. HP-UX
+
+Q9301: I'm trying to compile on an HP machine and I don't have \^gcc^\ there. So I
+ put \"CC=cc"\ in the \(Local/Makefile)\, but I got this error:
+
+==> (Bundled) cc: "buildconfig.c", line 54: error 1705: Function prototypes
+ are an ANSI feature.
+
+A9301: The bundled compiler is not an ANSI C compiler. You either have to get a
+ copy of \^gcc^\ from the HPUX Software Porting Archives or buy the ANSI cc
+ from HP. The advice given by one user of HP systems on the Exim
+ mailing list was as follows:
+
+ \*Personally, I wouldn't use anything but the ANSI C compiler. gcc
+ works for compilation, but it doesn't know squat about PA-RISC chips
+ past the 1.0 rev. Since then, HP has come out with PA-RISC 1.1, 2.0,
+ and 2.1, each with better features. gcc will compile for them, but it
+ doesn't produce anywhere near the optimization that HP's compiler
+ does.*\
+
+ \*I took the gcc road when we moved from FreeBSD to HP-UX because I was
+ familiar with it. After 6 months, I had to go and re-port everything
+ over when we realized that gcc wasn't going to do it for us long-term.
+ If I could give advice to any new HP-UX admin: don't use gcc if you
+ can afford the ANSI C compiler. Based on the cost of even the lowest
+ HP workstation, that usually isn't a problem.*\
+
+
+
+94. BSDI
+
+Q9401: On BSDI 4.0, Exim built with Perl support exits with the error message
+
+==> ./exim: can't load library 'libperl.so'
+
+A9401: You probably compiled perl5 yourself, without looking into
+
+==> /usr/src/contrib/perl5/perl5.004_02/hints/bsdos.sh
+
+ first. The problem is that the command
+
+==> perl5 -MExtUtils::Embed -e ldopts
+
+ doesn't give you sufficient flags to link something with libperl.
+ Since 5.004_02 the \(hints/bsdos.sh)\ file has changed to adapt to the
+ changes between BSDI 3.1 and 4.0, but it is still not entirely right.
+
+ The solution is, when you compile perl, change the \ccdlflags\
+ variable in config.sh to:
+
+==> -rdynamic -Wl,-rpath,/usr/local/lib/perl5/5.00502/i386-bsdos/CORE
+
+ (or something similar). Alternatively, you can run \(./Configure)\ and
+ answering the question \*Any special flags to pass to cc to use dynamic
+ loading?*\ with the above line. It is not known what \-rdynamic-\ means
+ (it's not apparently documented in any man page), but that's what BSDI
+ guys did to compile perl5 which comes with BSDI 4.0 distribution.
+
+
+
+95. IRIX
+
+Q9501: The IP addresses for incoming calls are all being given as
+ 255.255.255.255 or 0.0.0.0.
+
+A9501: This problem should no longer occur because a workaround has been
+ installed in Exim.
+
+
+
+96. LINUX
+
+Q9601: Exim is mysteriously crashing, usually when forking to send a delivery
+ error message.
+
+A9601: This has been seen in cases where Exim has been incorrectly built with
+ a muddled combination of an \(ndbm.h)\ include file and a non-matching
+ DBM library.
+
+ Faults like this have also been seen on systems with faulty motherboards.
+ You could try to compile the Linux kernel 10 times - if the compile
+ process stops with signal 11, your hardware is to blame.
+
+
+Q9602: I want to use \^logrotate^\ which is standard with RH5.2 Linux to rotate
+ my mail logs. Anyone worked out the \^logrotate^\ config file that will
+ do this?
+
+A9602: Here's one suggestion:
+
+==> /var/log/exim/main.log {
+ create 644 exim exim
+ rotate 4
+ compress
+ delaycompress
+ }
+
+ The sleep is added to allow things to close the log file prior to
+ compression. You also need similar entries for the panic log and the
+ reject log, of course.
+
+
+Q9603: I'm seeing the message \*inetd[334]: imap/tcp server failing (looping),
+ service terminated*\ on a RedHat 5.2 system, causing \^imap^\ connections to
+ be refused. The \^imapd^\ in use is Washington Univers 12.250. Could this
+ be anything to do with Exim?
+
+A9603: No, it's nothing to do with Exim, but here's the answer anyway: there
+ is a maximum connection rate for \^inetd^\. If connections come in faster
+ than that, it thinks a caller is looping. The default setting on RedHat
+ 5.2 is 40 calls in any one minute before \^inetd^\ thinks there's a problem
+ and suspends further calls for 10 mins. This default setting is very
+ conservative. You should probably increase it by a factor of 10 or 20.
+ For example:
+
+==> imap stream tcp nowait.400 root /usr/sbin/tcpd /usr/local/etc/imapd
+
+ The rate setting is the number following ``nowait''. This syntax seems to
+ be specific to the Linux version of \^inetd^\. Other operating systems
+ provide similar functionality, but in different ways.
+
+
+Q9604: I get the \*too many open files*\ error especially when a lot of messages
+ land for Majordomo at the same time.
+
+A9604: The problem appears to be the number of open files the system can
+ handle. This is changable by using the proc filesystem. To your
+ \(/etc/rc.d/rc.local)\ file append something like the following:
+
+==> # Now System is up, Modify kernel parameters for max open etc.
+
+==> if [ -f /proc/sys/kernel/file-max ]; then
+ echo 16384 >> /proc/sys/kernel/file-max
+ fi
+ if [ -f /proc/sys/kernel/inode-max ]; then
+ echo 24576 >> /proc/sys/kernel/inode-max
+ fi
+ if [ -f /proc/sys/kernel/file-nr ]; then
+ echo 2160 >> /proc/sys/kernel/file-nr
+ fi
+
+ By echoing the value you want for file-max to the file \(file-max)\ etc.,
+ you actually change the kernel parameters.
+
+
+Q9605: I installed debian 2.2 linux on a small 325mb 486 laptop. When I try
+ to test the Mail program, I get the following error: \*Failed to open
+ configuration file /etc/exim.conf*\.
+
+A9605: The Debian installation should have given you \(/usr/sbin/eximconfig)\,
+ which asks you some questions and then sets up the configuration file
+ in \(/etc/exim.conf)\. Try running that (you'll probably need \/root/\) and see
+ how it goes. In any case you get a thoroughly commented conf file at
+ the end, which will give you a sample from which to work if you need
+ further modification.
+
+ The Exim docs in the Debian package are in \(/usr/doc/exim)\ where the full
+ reference manual is \(spec.txt.gz)\.
+
+
+Q9606: I'm having trouble configuring Exim 4 on a Debian system. How does
+ \(/etc/exim4/conf.d)\ work?
+
+A9606: The Debian Exim 4 package uses a quite uncommon, but elegant,
+ method of configuration where the ``real'' Exim configuration file is
+ assembled from a tree of snippets by a script invoked just before the
+ daemon is started (see Q9608).
+
+ This fits very well into the Debian system of configuration file
+ management and is a great ease for the automatic configuration with
+ Debconf. However, it is \*very*\ different from the normal way Exim 4 is
+ configured. Non-Debian users on the Exim mailing list will probably have
+ difficulty in trying to answer specific questions about it. You may have
+ to find a Debian expert.
+
+
+Q9607: I'm having difficulties trying to make Exim 4 with Redhat 9 and Berkeley
+ DB 4.
+
+A9607: Have you remembered to install the db4-devel package?
+
+
+Q9608: I'm running Exim 3 under Debian, and want to upgrade to Exim 4. How
+ difficult is it?
+
+A9608: A user who did this, using the Debian Exim 4 package, reported as
+ follows:
+
+ (1) The exim4 package installs easily, and the exim (3.38) package
+ uninstalls at the same time.
+
+ (2) Exim runs from \^inetd^\. Exim4 runs from \^/etc/init.d^\. \*Much*\ nicer!
+
+ (3) The exim conffile lives in \(/etc/exim/exim.conf)\. The exim4 conffile
+ lives in \(/var/lib/exim4/config.autogenerated)\. It is, as the name
+ suggests, autogenerated.
+
+ (4) A new directory is created called \(/etc/exim4)\. This contains the
+ conffiles to generate the above config. You make changes here.
+
+ (5) Once you have made changes to the files in \(/etc/exim4)\ you run the
+ script \^update-exim4.conf^\ which generates a replacement
+ \(config.autogenerated)\.
+
+ [Added comment by the Debian maintainer, slightly edited:
+ You also need to tell the Exim daemon to reread the changed
+ configuration. You can do this using SIGHUP by hand. Alternatively,
+ instead of running \^update-exim4.conf^\ you can use
+
+==> invoke-rc.d exim4 reload
+
+ which does the rebuild and also tells Exim to reread the changed
+ configuration.]
+
+ (6) In my experience, you need to \*carefully*\ check the generated
+ configs. eg, it did not generate a system filter file reference in the
+ \(config.autogenerated)\. I didn't bother too much, since this is a home
+ setup.
+
+ (7) All of this may be in the docs. I've read some of them, obviously,
+ but didn't come across an actual upgrade guide.
+
+ [The Debian maintainer says:
+ \(/usr/share/doc/exim4-base/README.Debian.gz)\ and \^update-exim4.conf(8)^\
+ should answer most of the questions.]
+
+ (8) I've still got some minor things to tweak to get back to where I
+ was before with Exim 3. But overall, it's no drama.
+
+
+Q9609: Why do some servers refuse SMTP connections from my Linux box, but accept
+ connections from hosts running other operating systems?
+
+A9609: If you are sure this isn't a policy issue (that is, your box isn't
+ administratively blocked for some reason), this may be because your
+ Linux box has ECN (Explicit Congestion Notification) enabled in its
+ TCP/IP stack. There are many broken firewalls that refuse connections
+ from ECN-enabled hosts. You can check the state of your box by running
+
+==> cat /proc/sys/net/ipv4/tcp_ecn
+
+ If the value is "1", you have ECN enabled. You can turn it off by
+ running this command:
+
+==> echo "0" > /proc/sys/net/ipv4/tcp_ecn
+
+
+
+97. SUN SYSTEMS
+
+Q9701: Exim builds fine with \^gcc^\ on SunOS 4 but crashes inside \^^sscanf()^^\.
+
+A9701: Make sure you are liking with the GNU \^ld^\ linker and not the system
+ version of \^ld^\.
+
+
+Q9702: How can I get rid of spurious \"^M"\ characters in messages sent from
+ CDE \^dtmail^\?
+
+A9702: CDE \^dtmail^\ passes messages to Exim via the command line interface with
+ lines terminated by CRLF, instead of the Unix convention of just LF. As
+ Exim is an 8-bit clean program it treats the CR as just another data
+ character. Exim has a command line option called \-dropcr-\ which causes
+ it to ignore all CR characters in an incoming non-SMTP message. You
+ should configure \^dtmail^\ to add this option to the command it uses to
+ call Exim (using the path \(/usr/lib/sendmail)\). However, it has been
+ reported that it isn't possible to change this call from \^dtmail^\ by any
+ official means. An alternative approach is to replace \(/usr/lib/sendmail)\
+ by a filtering script which removes the spurious CRs from the input
+ before passing it to Exim.
+
+
+Q9703: On SunOS 4 Exim crashes when looking up domains in the DNS that have
+ more than 10 A records.
+
+A9703: There are Sun library patches to fix this. It is not Exim's problem.
+ For 4.13_U1 the patch is 101558-xx; for 4.1.3 the patch is 100891-xx.
+ From the README: \*1054748 ftp, ping dump core when connecting to a host
+ with multiple DNS A records.*\ An alternative is to build another
+ resolver library - such as the ones that are part of the \^bind^\
+ distribution - and explicitly link against those.
+
+
+Q9704: I am experiencing mailbox locking problems with Sun's \^mailtool^\ used
+ over a network.
+
+A9704: Under the \"Expert"\ settings of \^mailtool^\ is a option to turn on \*Use
+ network aware mail file locking*\. By default \^dtmail^\ has this set, but
+ \^mailtool^\ doesn't. You should set it. The help info on \^dtmail^\ has this
+ to say about it:
+
+ \*Mailer tries to prevent two different instances of itself from opening
+ the same mail file at the same time through a technique that detects
+ this access when both instances of Mailer and the file are all on the
+ same machine. A network-aware mail file locking protocol is available
+ that uses ToolTalk to coordinate instances of Mailer running from more
+ than one machine, or mail files accessed over the network. Mailer can
+ only change this option when first opening a mail file.*\
+
+ If you are using the SunOS4 version of \^mailtool^\, this apparently
+ doesn't work. The only thing which does seem to work it getting the user
+ to hit the \"done"\ button to make it release the lock.
+
+
+Q9705: Exim has been crashing on my Solaris x86 system, apparently while
+ running DBM functions.
+
+A9705: The use of \^ndbm^\ with \^gcc^\ has caused problems on x86 Solaris systems.
+ Try changing one or the other; using either DB with gcc, or Sun's
+ WS compiler with \^ndbm^\, has fixed this in the past.
+
+
+Q9706: The \^exiwhat^\ utility isn't working for me on a Solaris 2 system.
+
+A9706: Have you got \(/usr/ucb)\ on your path? If so, it is probably picking up the
+ wrong version of the \^ps^\ command. The \^exiwhat^\ script is built on
+ Solaris to expect the normal Solaris version of \^ps^\.
+
+
+Q9707: How do I stop Sun's \^dtcm^\ from hanging?
+
+A9707: From qmail's FAQ: \*There is a novice programming error in dtcm, known as
+ ``failure to close the output side of the pipe in the child.'' Sun has,
+ at the time of this writing, not yet provided a patch.*\
+
+
+Q9708: I want Exim to use only the resolver (i.e. ignore \(/etc/hosts)\), but don't
+ want to alter the \(nsswitch.conf)\ file in Solaris 2.
+
+A9708: You need to rebuild Exim after fiddling with \(OS/os.h-SunOS5)\:
+
+==> #define gethostbyaddr res_gethostbyaddr
+ #define gethostbyname res_gethostbyname
+ #define endhostent res_endhostent
+ #define endnetent res_endnetent
+ #define gethostent res_gethostent
+ #define getnetbyaddr res_getnetbyaddr
+ #define getnetbyname res_getnetbyname
+ #define getnetent res_getnetent
+ #define sethostent res_sethostent
+ #define setnetent res_setnetent
+
+ Note that \-lnsl-\ is still needed in the Makefile as it
+ contains code used by the NIS lookup and also the \^^inet_addr()^^\ function
+ that Exim uses.
+
+
+Q9709: When I try to compile Exim 4.x on Solaris 2.5.1 I get an error along the
+ lines of \*no such field in struct as 'value.ui32'*\.
+
+A9709: Look in the Exim file \(OS/os.h-SunOS5.h)\ for the line
+
+==> #define LOAD_AVG_FIELD value.ui32
+
+ and change \"ui32"\ to \"ul"\ (that's u followed by the letter ell, not
+ the digit one). Solaris 2.5.1 is getting \*very*\ old now...
+
+
+
+98. CONFIGURATION COOKBOOK
+
+Q9801: How do I configure Exim as part of TPC (\?http://www.tpc.int?\)?
+
+A9801: Suppose you want to accept faxes destined for 1(801)539-*. These are
+ addressed to the domain //9.3.5.1.0.8.1.tpc.int//. Set up a transport to
+ handle the delivery:
+
+==> tpc:
+ driver = pipe
+ command = /usr/local/tpc/tpcmailer.pl $local_part@$domain \
+ $sender_address
+ pipe_as_creator
+
+ \(/usr/local/tpc/tpcmailer.pl)\ is the mail processing script that can
+ be obtained from the TPC distribution. Create a router to route mail
+ for the TPC domain to that transport. This must be placed before your
+ other routers:
+
+==> tpc_router:
+ driver = accept
+ transport = tpc
+ domains = *.9.3.5.1.0.8.1.tpc.int
+
+ Of course, there are other things to do as well before your system is
+ a functioning TPC server.
+
+
+Q9802: How do I configure Exim so that it sends mail to the outside world only
+ from a restricted list of our local users?
+
+A9802: You will need to have a convenient way of checking the list. If it is
+ only a handful of users, you could just list them inline. Otherwise, you
+ need to put them in a file or database. Let's suppose you've just got a
+ list in a file. Put this as your first router:
+
+==> check_outgoing:
+ driver = redirect
+ domains = ! +local_domains
+ senders = ! : ! lsearch;/etc/permitted/senders
+ allow_fail
+ data = :fail: you are not allowed to send outside
+
+ The senders should be listed as complete addresses, with both a local
+ part and a domain. For a large list, use a DBM or cdb file instead, or
+ a database. The first item in the \senders\ list is empty, to match the
+ empty sender. This is necessary because bounce messages have null
+ senders.
+
+
+Q9803: A site for which I provide secondary MX is down for some time. Is there
+ a way to run the queue for that destination separately from the main
+ queue?
+
+A9803: No, because Exim does not have the concept of ``the queue for that
+ destination''. It simply has a single pool of messages awaiting delivery
+ (and some of them may have several destinations). The best approach to
+ this is to arrange for all messages for the site to be saved somewhere
+ other than the main spool, either on a separate dedicated MTA, or in
+ BSMTP files.
+
+
+Q9804: We want to be able to temporarily lock out a user by disabling the
+ password and moving the home directory to another place. How can we
+ arrange to reject mail for users in this state?
+
+A9804: Change the home directory pointer in the passwd file to something
+ distinctive. For example, we use \(/home/CANCELLED)\ for cancelled users.
+ Then you can pick up such users with this router, which is placed
+ immediately after \%system_aliases%\:
+
+==> cancelled_users:
+ driver = redirect
+ check_local_user
+ condition = ${if eq {$home}{/home/CANCELLED}{yes}{no}}
+ allow_fail
+ data = :fail: this account is cancelled
+
+
+Q9805: How can I configure Exim so that all mails addressed to
+ //something@username.domain.net// get delivered to
+ \(/var/spool/mail/username)\?
+
+A9805: Assuming that you have set up //username// as a normal user, with
+ conventional routing for //username@domain.net// to that mailbox, all
+ you need to do is set up a redirection, using a router like this:
+
+==> user_in_domain:
+ driver = redirect
+ data = ${if match{$domain}{\N^(.*)\.domain\.net$\N}\
+ {$1}fail}@domain.net
+
+ If you set \envelope_to\ in the \%appendfile%\ transport, the original
+ envelope address is preserved in the message in an ::Envelope-to::
+ header line.
+
+
+Q9806: How do I get exim not to add a ::Sender:: header to locally originated
+ mail?
+
+A9806: It adds it only if the ::From:: header doesn't correspond to the user
+ sending the message. You can suppress this by setting
+ \no_local_from_check\. If your real question is \*How do I submit mail
+ from UUCP without it adding ::Sender::?*\, see Q1503.
+
+
+Q9807: Is there any way to have messages sent to a specific local address
+ delayed by - say - 24 hours?
+
+A9807: Set up a router like this:
+
+==> delay:
+ driver = redirect
+ domains = the.domain
+ local_parts = thelocalpart
+ condition = ${if < {$message_age}{86400}{yes}{no}}
+ allow_defer
+ data = :defer: message not old enough
+ no_verify
+
+ Of course, this will also have the effect of setting a retry time for
+ the address. You may want to set a special retry rule for it. Note the
+ use of \no_verify\ to ensure that this router is not used when Exim is
+ verifying addresses.
+
+
+Q9808: I have a mailing list exploder on one host, and three other hosts where
+ I want to do the actual deliveries from. How can I get Exim to split
+ a message into groups of recipients between the three hosts?
+
+A9808: Set up a router that routes all remote addresses to a specific
+ transport, with a list of your three hosts. For example:
+
+==> send_to_three:
+ driver = manualroute
+ transport = to_three_smtp
+ route_list = !+local_domains hostA:hostB:hostC
+
+ The transport looks like this:
+
+==> to_three_smtp:
+ driver = smtp
+ hosts_randomize
+
+ By setting \hosts_randomize\, you request that the host list be sorted
+ randomly each time the transport is called, in order to spread the load.
+ The number of times the transport is called for each message depends on
+ the setting of the global option \remote_max_parallel\. If it is set to
+ 1, the transport is called only once for each message, so only one host
+ is used, but different messages use different hosts because of the
+ randomizing.
+
+ The \max_rcpt\ option (default 100) controls the number of addresses
+ sent in each copy of the message - several copies are sent over the
+ same connection if necessary.
+
+ If you want individual messages to be split between the three hosts, you
+ must set the global option \remote_max_parallel\ to 3. This allows Exim
+ to run 3 separate instances of the transport at once. It will pass
+ one-third of all the addresses to each instance. Because the host list
+ is randomized, not round-robinned, there is no guarantee that a single
+ message will use all three hosts, but on average it should.
+
+
+Q9809: Can I configure Exim so that my gateway host sends a copy of each
+ incoming message to each of two internal hosts?
+
+A9809: The easiest way to do this is to make use of the \unseen\ router option,
+ and set up two separate routers. You need to be able to identify
+ incoming messages somehow. Typically this can be done by testing the
+ domain of the recipient address, in which case the configuration should
+ contain something like this:
+
+==> r1:
+ driver = manualroute
+ domains = ! *.your.domain.example
+ route_data = * host1.your.domain.example
+ transport = remote_smtp
+ unseen
+
+==> r2:
+ driver = manualroute
+ domains = ! *.your.domain.example
+ route_data = * host2.your.domain.example
+ transport = remote_smtp
+
+ The \unseen\ setting on \%r1%\ means that after it has accepted an
+ address, the address is also passed on to \%r2%\, and so two deliveries
+ occur.
+
+
+Q9810: How can I implement ``SMTP-after-POP'' with Exim?
+
+A9810: See Q0706.
+
+
+Q9811: I would like to ``tap off'' a proportion of real mail traffic from my
+ live mail server to use in tests of a new server. I want to preserve the
+ envelope contents, but to suppress any error notifications to the
+ original sender.
+
+A9811: See C046.
+
+
+Q9812: How can I lookup data from a single file using both single IP addresses
+ and IP address blocks as keys? I want to set \smtp_accept_max_per_host\
+ by this means, and also include a default.
+
+A9812: You cannot do this in a single lookup, because you need separate lookups
+ for individual addresses and address blocks. However, these lookups can
+ be nested in a single expansion string. For example, suppose you are
+ using an lsearch file with entries like this:
+
+==> 192.168.34.35: 4
+ 192.168.34.0/24: 2
+ *: 1
+
+ You can use this setting:
+
+==> smtp_accept_max_per_host = \
+ ${lookup{$sender_host_address}lsearch{/path/to/file}\
+ {$value}\
+ {\
+ ${lookup{${mask:$sender_host_address/24}}lsearch*{/path/to/file}}\
+ }}
+
+ Note that the first lookup does \*not*\ have an asterisk on the search
+ type. If you have blocks of different sizes (/24, /26, etc) you have to
+ configure it to do a separate lookup for each size, with just the final
+ one using a default.
+
+
+
+99. LIST OF SAMPLE CONFIGURATIONS
+
+As well as being hyperlinked from the HTML version of this document, each
+sample configuration is also available as a file in the \(config.samples)\
+directory, which can be independently downloaded.
+
+Samples whose names are of the form Cnnn are Exim configurations; those with
+names of the form Fnnn are filter file fragments; those with names of the form
+Lnnn are sample \^^local_scan()^^\ functions, and those with names of thf form
+Snnn are scripts of various kinds. There are other examples of
+\^^local_scan()^^\ functions at a number of web sites (for example,
+\?http://marc.merlins.org/linux/exim/sa.html?\).
+
+There are gaps in the C and F numbers because I have omitted the Exim 3 samples
+that have not been converted for Exim 4.
+
+C002: ``Although exim not intended for use in UUCP environment (it doesn't
+ know anything about bang!path addresses), I'm successfully using it for
+ delivering mail to UUCP clients.''
+
+C006: ``This is how I have configured a PP-inspired vacationnote, there is
+ (was?) such a feature in PP. The user makes a file \(tripnote)\ in his/her
+ home directory, the message is passed to the sender once with a short
+ leading text.''
+
+C022: ``This is the Exim configuration file of a machine which delivers mail to
+ several local domains where the mail is delivered locally, several hairy
+ domains, handled as described below, and a half-virtual domain, which is
+ first processed by its special alias file, then processed as other local
+ domains (including the processing by the global alias file).''
+
+C037: An elegant way of using ETRN, which does immediate delivery if the host
+ is online, but saves mail in a BSMTP file after some time on the queue.
+ ETRN then re-injects the mail.
+
+C042: ``Since the Exim 4 configuration needed to get Mailman to work differs a
+ little bit from Exim 3 and since I still haven't seen a recipe for
+ Mailman with Exim 4, I'm providing my configuration (based heavily on
+ \?http://www.exim.org/howto/mailman.html?\).''
+
+C043: ``Attached is an Exim 4 config file which is designed for an Exim server
+ that is put in front of an Exchange 5.5 system but which verifies the
+ valid addresses that are stored in Exchange via LDAP lookups against the
+ Exchange server.''
+
+C044: ``I thought I'd submit this as an example of an authenticated mail hub
+ configuration. Several people have asked for it so I thought it
+ might be of interest.''
+
+C045: ``Here it is, for Exim 4.10 and Cyrus IMAPD 2.1.5 using db3/db4-format
+ mailbox database. This configuration delivers the messages to Cyrus
+ IMAPD using LMTP over a TCP/IP socket.''
+
+C046: ``Deliver a duplicate of some proportion of all messages to a special
+ machine specified in the file \(/MAIL_TAP_HOST)\, if it exists.''
+
+C047: A sample configuration for calling Spamassassin directly from Exim.
+
+C049: ``I've been seeing a whole bunch of IPs that send me spam or virus mail
+ and HELOing as one of my own IPs, or as HELO one.of.my.own.domains (or
+ maybe HELO \primary_hostname\).''
+
+C050: A configuration that uses the DNS to implement virtual domains.
+
+C051: ``I've been working quite hard to come up with a config that reasonably
+ matches the qmail-ldap setup, without the warts.''
+
+F001: ``I thought that the rest of the list may be interested in reviewing our
+ filter as a starting point for their own system message filter.''
+
+F002: ``... program which refused mail from unknown addresses until they mailed
+ me promising not to spam me ... since I'd already thought through how
+ to do it in Exim, and knew it'd be slightly easier than falling out of
+ bed, I went ahead and did it.''
+
+F003: ``Here's four checks installed in our system wide filter that knock out
+ a lot of otherwise hard to detect rubbish.''
+
+F004: ``This is an Exim filter snippet to change locally-generated ::Message-Id::
+ and ::Resent-Message-Id:: headers to world-unique values.''
+
+L001: A \^^local_scan()^^\ function for Exim that calls \^uvscan^\.
+
+S001: A Perl script for patching the name of the configuration file in an
+ Exim binary.
+
+S002: ``When I moved from smail to exim I built a program that took individual
+ config pieces, stripped all the comments, and built a config file.''
+
+*** End of Exim FAQ ***
git://git.exim.org / exim.git / blobdiff