&<<CHAPlocalscan>>&)
&`lookup `& general lookup code and all lookups
&`memory `& memory handling
-&`pid `& add pid to debug output lines
+&`noutf8 `& modifier: avoid UTF-8 line-drawing
+&`pid `& modifier: add pid to debug output lines
&`process_info `& setting info for the process log
&`queue_run `& queue runs
&`receive `& general message reception logic
&`retry `& retry handling
&`rewrite `& address rewriting
&`route `& address routing
-&`timestamp `& add timestamp to debug output lines
+&`timestamp `& modifier: add timestamp to debug output lines
&`tls `& TLS logic
&`transport `& transports
&`uid `& changes of uid/gid and looking up uid/gid
of all debug output lines. This can be useful when trying to track down delays
in processing.
+.new
+.cindex debugging "UTF-8 in"
+.cindex UTF-8 "in debug output"
+The &`noutf8`& selector disables the use of
+UTF-8 line-drawing characters to group related information.
+When disabled. ascii-art is used instead.
+Using the &`+all`& option does not set this modifier,
+.wen
+
If the &%debug_print%& option is set in any driver, it produces output whenever
any debugging is selected, or if &%-v%& is used.
This forces an expansion failure (see section &<<SECTforexpfai>>&);
{<&'string2'&>} must be present for &"fail"& to be recognized.
+.new
+.vitem "&*${extract json{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}&&&
+ {*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting from JSON object"
+.cindex JSON expansions
+The key and <&'string1'&> are first expanded separately. Leading and trailing
+white space is removed from the key (but not from any of the strings). The key
+must not be empty and must not consist entirely of digits.
+The expanded <&'string1'&> must be of the form:
+.display
+{ <&'"key1"'&> : <&'value1'&> , <&'"key2"'&> , <&'value2'&> ... }
+.endd
+.vindex "&$value$&"
+The braces, commas and colons, and the quoting of the member name are required;
+the spaces are optional.
+Matching of the key against the member names is done case-sensitively.
+. XXX should be a UTF-8 compare
+
+The results of matching are handled as above.
+.wen
+
.vitem "&*${extract{*&<&'number'&>&*}{*&<&'separators'&>&*}&&&
{*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
empty (for example, the fifth field above).
+.new
+.vitem "&*${extract json{*&<&'number'&>&*}}&&&
+ {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting from JSON array"
+.cindex JSON expansions
+The <&'number'&> argument must consist entirely of decimal digits,
+apart from leading and trailing white space, which is ignored.
+
+Field selection and result handling is as above;
+there is no choice of field separator.
+.wen
+
+
.vitem &*${filter{*&<&'string'&>&*}{*&<&'condition'&>&*}}*&
.cindex "list" "selecting by condition"
.cindex "expansion" "selecting from list by condition"
.vitem &*$rheader_*&<&'header&~name'&>&*:*&&~or&~&*$rh_*&<&'header&~name'&>&*:*&
This item inserts &"raw"& header lines. It is described with the &%header%&
-expansion item above.
+expansion item in section &<<SECTexpansionitems>>& above.
.vitem "&*${run{*&<&'command'&>&*&~*&<&'args'&>&*}{*&<&'string1'&>&*}&&&
{*&<&'string2'&>&*}}*&"
the value of &$authenticated_id$& is normally the login name of the calling
process. However, a trusted user can override this by means of the &%-oMai%&
command line option.
-This second case also sets up inforamtion used by the
+This second case also sets up information used by the
&$authresults$& expansion item.
.vitem &$authenticated_fail_id$&
inserting the message header line with the given name. Note that the name must
be terminated by colon or white space, because it may contain a wide variety of
characters. Note also that braces must &'not'& be used.
+See the full description in section &<<SECTexpansionitems>>& above.
.vitem &$headers_added$&
.vindex "&$headers_added$&"
A list of hosts, whether obtained via &%route_data%& or &%route_list%&, is
always separately expanded before use. If the expansion fails, the router
declines. The result of the expansion must be a colon-separated list of names
-and/or IP addresses, optionally also including ports. The format of each item
+and/or IP addresses, optionally also including ports.
+If the list is written with spaces, it must be protected with quotes.
+The format of each item
in the list is described in the next section. The list separator can be changed
as described in section &<<SECTlistconstruct>>&.
.option delay_after_cutoff smtp boolean true
+.cindex "final cutoff" "retries, controlling"
+.cindex retry "final cutoff"
This option controls what happens when all remote IP addresses for a given
domain have been inaccessible for so long that they have passed their retry
cutoff times.
If the value of this option begins with a digit it is taken as a port number;
otherwise it is looked up using &[getservbyname()]&. The default value is
-normally &"smtp"&, but if &%protocol%& is set to &"lmtp"&, the default is
-&"lmtp"&. If the expansion fails, or if a port number cannot be found, delivery
+normally &"smtp"&,
+but if &%protocol%& is set to &"lmtp"& the default is &"lmtp"&
+and if &%protocol%& is set to &"smtps"& the default is &"smtps"&.
+If the expansion fails, or if a port number cannot be found, delivery
is deferred.
+.new
+Note that at least one Linux distribution has been seen failing
+to put &"smtps"& in its &"/etc/services"& file, resulting is such deferrals.
+.wen
+
.option protocol smtp string smtp
If this option is set to &"smtps"&, the default value for the &%port%& option
changes to &"smtps"&, and the transport initiates TLS immediately after
connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade.
-The Internet standards bodies strongly discourage use of this mode.
+.new
+The Internet standards bodies used to strongly discourage use of this mode,
+but as of RFC 8314 it is perferred over STARTTLS for message submission
+(as distinct from MTA-MTA communication).
+.wen
.option retry_include_ip_address smtp boolean&!! true
messages. If this delivery fails, the address fails immediately. The
post-cutoff retry time is not used.
+.cindex "final cutoff" "retries, controlling"
+.cindex retry "final cutoff"
If the delivery is remote, there are two possibilities, controlled by the
.oindex "&%delay_after_cutoff%&"
&%delay_after_cutoff%& option of the &(smtp)& transport. The option is true by
-default. Until the post-cutoff retry time for one of the IP addresses is
+default. Until the post-cutoff retry time for one of the IP addresses,
+as set by the &%retry_data_expire%& option, is
reached, the failing email address is bounced immediately, without a delivery
attempt taking place. After that time, one new delivery attempt is made to
those IP addresses that are past their retry times, and if that still fails,
.option server_set_id authenticators string&!! unset
.vindex "&$authenticated_id$&"
+.vindex "&$authenticated_fail_id$&"
When an Exim server successfully authenticates a client, this string is
expanded using data from the authentication, and preserved for any incoming
messages in the variable &$authenticated_id$&. It is also included in the log
lines for incoming messages. For example, a user/password authenticator
configuration might preserve the user name that was used to authenticate, and
refer to it subsequently during delivery of the message.
+On a failing authentication the expansion result is instead saved in
+the &$authenticated_fail_id$& variable.
If expansion fails, the option is ignored.
apply to all TLS connections. For any host that matches one of these options,
Exim requests a certificate as part of the setup of the TLS session. The
contents of the certificate are verified by comparing it with a list of
-expected certificates.
+expected trust-anchors or certificates.
These may be the system default set (depending on library version),
an explicit file or,
depending on library version, a directory, identified by
.endd
where &_/cert/file_& contains a single certificate.
+There is no checking of names of the client against the certificate
+Subject Name or Subject Alternate Names.
+
The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is
what happens if the client does not supply a certificate, or if the certificate
does not match any of the certificates in the collection named by
certificate verification to the listed servers. Verification either must
or need not succeed respectively.
+The &%tls_verify_cert_hostnames%& option lists hosts for which additional
+checks are made: that the host name (the one in the DNS A record)
+is valid for the certificate.
+The option defaults to always checking.
+
The &(smtp)& transport has two OCSP-related options:
&%hosts_require_ocsp%&; a host-list for which a Certificate Status
is requested and required for the connection to proceed. The default
DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public,
well-known one.
A private CA at simplest is just a self-signed certificate (with certain
-attributes) which is used to sign cerver certificates, but running one securely
+attributes) which is used to sign server certificates, but running one securely
does require careful arrangement.
With DANE-TA, as implemented in Exim and commonly in other MTAs,
the server TLS handshake must transmit the entire certificate chain from CA to server-certificate.
&%pipelining%&: A field is added to delivery and accept
log lines when the ESMTP PIPELINING extension was used.
The field is a single "L".
+
On accept lines, where PIPELINING was offered but not used by the client,
the field has a minus appended.
.next