.set ACL "access control lists (ACLs)"
.set I " "
+.set drivernamemax "64"
+
.macro copyyear
2020
.endmacro
.cindex "Solaris" "&'mail'& command"
.cindex "dot" "in incoming non-SMTP message"
This option, which has the same effect as &%-oi%&, specifies that a dot on a
-line by itself should not terminate an incoming, non-SMTP message. I can find
-no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'&
-command in Solaris 2.4 uses it. See also &%-ti%&.
+line by itself should not terminate an incoming, non-SMTP message.
+Solaris 2.4 (SunOS 5.4) Sendmail has a similar &%-i%& processing option
+&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf),
+p. 1M-529), and therefore a &%-oi%& command line option, which both are used
+by its &'mailx'& command.
.vitem &%-L%&&~<&'tag'&>
.oindex "&%-L%&"
by Exim in conjunction with the &%-MC%& option. It signifies that a
remote host supports the ESMTP &_CHUNKING_& extension.
+.new
+.vitem &%-MCL%&
+.oindex "&%-MCL%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that the server to
+which Exim is connected advertised limits on numbers of mails, recipients or
+recipient domains.
+The limits are given by the following three arguments.
+.wen
+
.vitem &%-MCP%&
.oindex "&%-MCP%&"
This option is not intended for use by external callers. It is used internally
by Exim in conjunction with the &%-MC%& option. It signifies that the server to
which Exim is connected supports pipelining.
+.new
+.vitem &%-MCp%&
+.oindex "&%-MCp%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that the connection
+t a remote server is via a SOCKS proxy, using addresses and ports given by
+the following four arguments.
+.wen
+
.vitem &%-MCQ%&&~<&'process&~id'&>&~<&'pipe&~fd'&>
.oindex "&%-MCQ%&"
This option is not intended for use by external callers. It is used internally
.vitem &%-m%&
.oindex "&%-m%&"
-This is apparently a synonym for &%-om%& that is accepted by Sendmail, so Exim
-treats it that way too.
+This is a synonym for &%-om%& that is accepted by Sendmail
+(&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf)
+p. 1M-258), so Exim treats it that way too.
.vitem &%-N%&
.oindex "&%-N%&"
contains two IP addresses, the IPv4 address 127.0.0.1 and the IPv6 address ::1.
&*Note*&: Although leading and trailing white space is ignored in individual
-list items, it is not ignored when parsing the list. The space after the first
-colon in the example above is necessary. If it were not there, the list would
+list items, it is not ignored when parsing the list. The spaces around the first
+colon in the example above are necessary. If they were not there, the list would
be interpreted as the two items 127.0.0.1:: and 1.
.section "Changing list separators" "SECTlistsepchange"
imposes a security risk (e.g. PATH). There are two lists:
&%keep_environment%& for the variables to import as they are, and
&%add_environment%& for variables we want to set to a fixed value.
-Note that TZ is handled separately, by the $%timezone%$ runtime
+Note that TZ is handled separately, by the &%timezone%& runtime
option and by the TIMEZONE_DEFAULT buildtime option.
.code
# keep_environment = ^LDAP
# request with your smarthost provider to get things fixed:
hosts_require_tls = *
tls_verify_hosts = *
- # As long as tls_verify_hosts is enabled, this won't matter, but if you
- # have to comment it out then this will at least log whether you succeed
- # or not:
+ # As long as tls_verify_hosts is enabled, this this will have no effect,
+ # but if you have to comment it out then this will at least log whether
+ # you succeed or not:
tls_try_verify_hosts = *
#
# The SNI name should match the name which we'll expect to verify;
.vitem domains
.new
A &%domains%& router option or &%domains%& ACL condition
-will store a result in the &$domain_data$& variable
+will store a result in the &$domain_data$& variable.
.wen
.vitem senders
A &%senders%& router option or &%senders%& ACL condition
.cindex "tainted data" "de-tainting"
The value will be untainted.
+.new
+&*Note*&: If the data result of the lookup (as opposed to the key)
+is empty, then this empty value is stored in &$domain_data$&.
+The option to return the key for the lookup, as the value,
+may be what is wanted.
+.wen
+
.next
Any of the single-key lookup type names may be preceded by
of either kind (single-key or query-style) it may be
followed by a comma and options,
The options are lookup-type specific and consist of a comma-separated list.
-Each item starts with a tag and and equals "=".
+Each item starts with a tag and and equals "=" sign.
.next
.cindex "domain list" "matching literal domain name"
.endd
.next
.cindex "CIDR notation"
-If the pattern is an IP address followed by a slash and a mask length (for
-example 10.11.42.0/24), it is matched against the IP address of the subject
-host under the given mask. This allows, an entire network of hosts to be
+If the pattern is an IP address followed by a slash and a mask length, for
+example
+.code
+10.11.42.0/24
+.endd
+, it is matched against the IP address of the subject
+host under the given mask. This allows an entire network of hosts to be
included (or excluded) by a single item. The mask uses CIDR notation; it
specifies the number of address bits that must match, starting from the most
significant end of the address.
Header lines that are added in a RCPT ACL (for example)
are saved until the message's incoming header lines are available, at which
point they are added.
-When any of the above ACLs ar
+When any of the above ACLs are
running, however, header lines added by earlier ACLs are visible.
Upper case and lower case letters are synonymous in header names. If the
name of the subroutine, is nine.
The return value of the subroutine is inserted into the expanded string, unless
-the return value is &%undef%&. In that case, the expansion fails in the same
-way as an explicit &"fail"& on a lookup item. The return value is a scalar.
-Whatever you return is evaluated in a scalar context. For example, if you
-return the name of a Perl vector, the return value is the size of the vector,
+the return value is &%undef%&. In that case, the entire expansion is
+forced to fail, in the same way as an explicit &"fail"& on a lookup item
+does (see section &<<SECTforexpfai>>&). Whatever you return is evaluated
+in a scalar context, thus the return value is a scalar. For example, if you
+return a Perl vector, the return value is the size of the vector,
not its contents.
If the subroutine exits by calling Perl's &%die%& function, the expansion fails
.cindex "expansion" "inserting an entire file"
.cindex "file" "inserting into expansion"
.cindex "&%readfile%& expansion item"
-The filename and end-of-line string are first expanded separately. The file is
+The filename and end-of-line (eol) string are first expanded separately. The file is
then read, and its contents replace the entire item. All newline characters in
the file are replaced by the end-of-line string if it is present. Otherwise,
newlines are left in the string.
Only a single host name may be given, but if looking it up yields more than
one IP address, they are each tried in turn until a connection is made. For
both kinds of socket, Exim makes a connection, writes the request string
-unless it is an empty string; and no terminating NUL is ever sent)
+(unless it is an empty string; no terminating NUL is ever sent)
and reads from the socket until an end-of-file
is read. A timeout of 5 seconds is applied. Additional, optional arguments
extend what can be done. Firstly, you can vary the timeout. For example:
.vitem &*${escape8bit:*&<&'string'&>&*}*&
.cindex "expansion" "escaping 8-bit characters"
.cindex "&%escape8bit%& expansion item"
-If the string contains and characters with the most significant bit set,
+If the string contains any characters with the most significant bit set,
they are converted to escape sequences starting with a backslash.
Backslashes and DEL characters are also converted.
and selects address-, domain-, host- or localpart- lists to search among respectively.
Otherwise all types are searched in an undefined order and the first
matching list is returned.
+.new
+&*Note*&: Neither string-expansion of lists referenced by named-list syntax elements,
+nor expansion of lookup elements, is done by the &%listnamed%& operator.
+.wen
.vitem &*${local_part:*&<&'string'&>&*}*&
.cindex "expansion" "string length"
.cindex "string" "length in expansion"
.cindex "&%strlen%& expansion item"
-The item is replace by the length of the expanded string, expressed as a
+The item is replaced by the length of the expanded string, expressed as a
decimal number. &*Note*&: Do not confuse &%strlen%& with &%length%&.
All measurement is done in bytes and is not UTF-8 aware.
.section "Miscellaneous" "SECID96"
.table2
+.row &%add_environment%& "environment variables"
.row &%bi_command%& "to run for &%-bi%& command line option"
.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
+.row &%keep_environment%& "environment variables"
.row &%keep_malformed%& "for broken files &-- should not happen"
.row &%localhost_number%& "for unique message ids in clusters"
.row &%message_body_newlines%& "retain newlines in &$message_body$&"
option was not set.
-.option recipients_max main integer 0
+.option recipients_max main integer 50000
.cindex "limit" "number of recipients"
.cindex "recipient" "maximum number"
If this option is set greater than zero, it specifies the maximum number of
. searchable. NM changed this occurrence for bug 1197 to no longer allow
. the option name to split.
-.option "smtp_accept_max_per_connection" main integer 1000 &&&
+.option "smtp_accept_max_per_connection" main integer&!! 1000 &&&
smtp_accept_max_per_connection
.cindex "SMTP" "limiting incoming message count"
.cindex "limit" "messages per SMTP connection"
response is given to subsequent MAIL commands. This limit is a safety
precaution against a client that goes mad (incidents of this type have been
seen).
+.new
+The option is expanded after the HELO or EHLO is received
+and may depend on values available at that time.
+An empty or zero value after expansion removes the limit.
+.wen
.option smtp_accept_max_per_host main string&!! unset
Server Name Indication extension, then this option and others documented in
&<<SECTtlssni>>& will be re-expanded.
-If this option is unset or empty a fresh self-signed certificate will be
-generated for every connection.
+If this option is unset or empty a self-signed certificate will be
+.new
+used.
+Under Linux this is generated at daemon startup; on other platforms it will be
+generated fresh for every connection.
+.wen
.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
provide data for a transport is: &%errors_to%&, &%headers_add%&,
&%headers_remove%&, &%transport%&.
+.new
+The name of a router is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
.option address_data routers string&!! unset
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set.
+the DNSSEC request bit set.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
.option dnssec_require_domains routers "domain list&!!" unset
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_require_domains%& will be done with
-the dnssec request bit set. Any returns not having the Authenticated Data bit
+the DNSSEC request bit set. Any returns not having the Authenticated Data bit
(AD bit) set will be ignored and logged as a host-lookup failure.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
.scindex IIDgenoptra1 "generic options" "transport"
.scindex IIDgenoptra2 "options" "generic; for transports"
.scindex IIDgenoptra3 "transport" "generic options for"
+.new
+The name of a transport is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
The following generic options apply to all transports:
used to determine the file or directory name for the delivery. Normally, the
contents of &$address_file$& are used in some way in the string expansion.
.endlist
+If the &%create_file%& option is set to a path which
+matches (see the option definition below for details)
+a file or directory name
+for the delivery, that name becomes de-tainted.
+
.cindex "tainted data" "in filenames"
.cindex appendfile "tainted data"
Tainted data may not be used for a file or directory name.
delivery, it applies to the top level directory, not the maildir directories
beneath.
+.new
The option must be set to one of the words &"anywhere"&, &"inhome"&, or
-&"belowhome"&. In the second and third cases, a home directory must have been
-set for the transport. This option is not useful when an explicit filename is
+&"belowhome"&, or to an absolute path.
+.wen
+
+In the second and third cases, a home directory must have been
+set for the transport, and the file or directory being created must
+reside within it.
+The "belowhome" checking additionally checks for attempts to use "../"
+to evade the testing.
+This option is not useful when an explicit filename is
given for normal mailbox deliveries. It is intended for the case when filenames
are generated from users' &_.forward_& files. These are usually handled
by an &(appendfile)& transport called &%address_file%&. See also
&%file_must_exist%&.
+.new
+In the fourth case,
+the value given for this option must be an absolute path for an
+existing directory.
+The value is used for checking instead of a home directory;
+checking is done in "belowhome" mode.
+
+.cindex "tainted data" "de-tainting"
+If "belowhome" checking is used, the file or directory path
+becomes de-tainted.
+.wen
+
.option directory appendfile string&!! unset
This option is mutually exclusive with the &%file%& option, but one of &%file%&
(see &%maildir_format%& and &%mailstore_format%&), and see section
&<<SECTopdir>>& for further details of this form of delivery.
+.new
+The result of expansion must not be tainted, unless the &%create_file%& option
+specifies a path.
+.wen
+
.option directory_file appendfile string&!! "see below"
.cindex "base62"
&%use_fcntl_lock%&, &%use_flock_lock%&, or &%use_lockfile%& must be set with
&%file%&.
+.new
+The result of expansion must not be tainted, unless the &%create_file%& option
+specifies a path.
+.wen
+
.cindex "NFS" "lock file"
.cindex "locking files"
.cindex "lock files"
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set. Setting this transport option is only useful if the
+the DNSSEC request bit set. Setting this transport option is only useful if the
transport overrides or sets the host names. See the &%dnssec_request_domains%&
router option.
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_require_domains%& will be done with
-the dnssec request bit set. Setting this transport option is only
+the DNSSEC request bit set. Setting this transport option is only
useful if the transport overrides or sets the host names. See the
&%dnssec_require_domains%& router option.
.cindex DANE "requiring for certain servers"
If built with DANE support, Exim will require that a DNSSEC-validated
TLSA record is present for any host matching the list,
-and that a DANE-verified TLS connection is made. See
-the &%dnssec_request_domains%& router and transport options.
+and that a DANE-verified TLS connection is made.
There will be no fallback to in-clear communication.
+See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
.option hosts_require_ocsp smtp "host list&!!" unset
.option hosts_try_dane smtp "host list&!!" *
.cindex DANE "transport options"
.cindex DANE "attempting for certain servers"
-If built with DANE support, Exim will require that a DNSSEC-validated
-TLSA record is present for any host matching the list,
-and that a DANE-verified TLS connection is made. See
-the &%dnssec_request_domains%& router and transport options.
-There will be no fallback to in-clear communication.
+.new
+If built with DANE support, Exim will look up a
+TLSA record for any host matching the list,
+If one is found and that lookup was DNSSEC-validated,
+then Exim requires that a DANE-verified TLS connection is made for that host;
+there will be no fallback to in-clear communication.
+.wen
+See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
.option hosts_try_fastopen smtp "host list&!!" *
This option limits the number of RCPT commands that are sent in a single
SMTP message transaction. Each set of addresses is treated independently, and
so can cause parallel connections to the same host if &%remote_max_parallel%&
-permits this.
+permits this. A value setting of zero disables the limit.
.new
transfer of mail between servers that have no managerial connection with each
other.
+.new
+The name of an authenticator is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+.wen
+
.cindex "AUTH" "description of"
.cindex "ESMTP extensions" AUTH
Very briefly, the way SMTP authentication works is as follows:
option is passed. When authentication succeeds, the identity of the user
who authenticated is placed in &$auth1$&.
-The Dovecot configuration to match the above wil look
+The Dovecot configuration to match the above will look
something like:
.code
conf.d/10-master.conf :-
this authentication method on a secure (eg. under TLS) connection.
One possible use, compatible with the
-K-9 Mail Andoid client (&url(https://k9mail.github.io/)),
+K-9 Mail Android client (&url(https://k9mail.github.io/)),
is for using X509 client certificates.
It thus overlaps in function with the TLS authenticator
.section "Certificate chains" "SECID186"
-The file named by &%tls_certificate%& may contain more than one
+A file named by &%tls_certificate%& may contain more than one
certificate. This is useful in the case where the certificate that is being
sent is validated by an intermediate certificate which the other end does
not have. Multiple certificates must be in the correct order in the file.
DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
-A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using dnssec.
+A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using DNSSEC.
If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
different values. Some DNS lists may return more than one address record;
see section &<<SECThanmuldnsrec>>& for details of how they are checked.
+.new
+Values returned by a properly running DBSBL should be in the 127.0.0.0/8
+range. If a DNSBL operator loses control of the domain, lookups on it
+may start returning other addresses. Because of this, Exim now ignores
+returned values outside the 127/8 region.
+.wen
+
.section "Variables set from DNS lists" "SECID204"
.cindex "expansion" "variables, set from DNS list"
.endd
which is less clear, and harder to maintain.
+Negation can also be used with a bitwise-and restriction.
+The dnslists condition with only be trus if a result is returned
+by the lookup which, anded with the restriction, is all zeroes.
+For example:
+.code
+deny dnslists = zen.spamhaus.org!&0.255.255.0
+.endd
+
When Exim encounters an empty item in the list, it searches the list defined by
LOG_FILE_PATH, and uses the first item it finds that is neither empty nor
&"syslog"&. This means that an empty item in &%log_file_path%& can be used to
-mean &"use the path specified at build time"&. It no such item exists, log
+mean &"use the path specified at build time"&. If no such item exists, log
files are written in the &_log_& subdirectory of the spool directory. This is
equivalent to the setting:
.code
&` outgoing_port `& add remote port to => lines
&`*queue_run `& start and end queue runs
&` queue_time `& time on queue for one recipient
+&`*queue_time_exclusive `& exclude recieve time from QT times
&` queue_time_overall `& time on queue for whole message
&` pid `& Exim process id
&` pipelining `& PIPELINING use, on <= and => lines
.cindex "log" "queue time"
&%queue_time%&: The amount of time the message has been in the queue on the
local host is logged as QT=<&'time'&> on delivery (&`=>`&) lines, for example,
-&`QT=3m45s`&. The clock starts when Exim starts to receive the message, so it
-includes reception time as well as the delivery time for the current address.
-This means that it may be longer than the difference between the arrival and
-delivery log line times, because the arrival log line is not written until the
-message has been successfully received.
+&`QT=3m45s`&.
If millisecond logging is enabled, short times will be shown with greater
precision, eg. &`QT=1.578s`&.
.next
&%queue_time_overall%&: The amount of time the message has been in the queue on
the local host is logged as QT=<&'time'&> on &"Completed"& lines, for
-example, &`QT=3m45s`&. The clock starts when Exim starts to receive the
-message, so it includes reception time as well as the total delivery time.
+example, &`QT=3m45s`&.
.next
.cindex "log" "receive duration"
&%receive_time%&: For each message, the amount of real time it has taken to
.cindex "log" "frozen messages; skipped"
.cindex "frozen messages" "logging skipping"
&%skip_delivery%&: A log line is written whenever a message is skipped during a
-queue run because it is frozen or because another process is already delivering
-it.
+queue run because it another process is already delivering it or because
+it is frozen.
.cindex "&""spool file is locked""&"
-The message that is written is &"spool file is locked"&.
+.cindex "&""message is frozen""&"
+The message that is written is either &"spool file is locked"& or
+&"message is frozen"&.
.next
.cindex "log" "smtp confirmation"
.cindex "SMTP" "logging confirmation"
when TLS is in use. The item is &`CV=yes`& if the peer's certificate was
verified
using a CA trust anchor,
-&`CA=dane`& if using a DNS trust anchor,
+&`CV=dane`& if using a DNS trust anchor,
and &`CV=no`& if not.
.next
.cindex "log" "TLS cipher"
If the option is empty after expansion, DKIM signing is not done for this domain,
and no error will result even if &%dkim_strict%& is set.
+.new
+To do, for example, dual-signing with RSA and EC keys
+this could be be used:
+.code
+dkim_selector = ec_sel : rsa_sel
+dkim_private_key = KEYS_DIR/$dkim_selector
+.endd
+.wen
+
.option dkim_private_key smtp string&!! unset
This sets the private key to use.
You can use the &%$dkim_domain%& and