-## $Cambridge: exim/doc/doc-src/FAQ.src,v 1.2 2004/10/12 09:54:44 ph10 Exp $
##
## This file is processed by Perl scripts to produce an ASCII and an HTML
## version. Lines starting with ## are omitted. The markup used with paragraphs
cluttered if I tried to list them all. Suggestions for corrections,
improvements, and additions are always welcome.
-This version of the FAQ applies to Exim 4.00 and later releases. It has been
-extensively revised, and material that was relevant only to earlier releases
-has been removed. As this caused some whole sections to disappear, I've taken
-the opportunity to re-arrange the sections and renumber everything except the
-configuration samples.
+This version of the FAQ applies to Exim 4.43 and later releases.
References of the form Cnnn, Fnnn, Lnnn, and Snnn are to the sample
configuration, filter, \^^local_scan()^^\, and ``useful script'' files. These
There are brief descriptions of these files at the end of this document.
Philip Hazel
-Last update: 12-October-2004
+Last update: 14-October-2004
The FAQ is divided into the following sections:
94. BSDI
95. IRIX
96. Linux
- 97. Sun sytems
+ 97. Sun systems
98. Configuration cookbook
99. List of sample configurations
release of Exim, in case the problem has already been fixed. The
techniques described below can also be useful in trying to pin down
exactly which circumstances caused the crash and what Exim was trying to
- do at the time. If the crash is reproducable (by a particular message,
+ do at the time. If the crash is reproducible (by a particular message,
say) keep a copy of that message.
Q0003: What does the error \*Child process of address_pipe transport returned
- 69 from command xxx*\ mean?
+ 127 from command xxx*\ mean?
A0003: It means that when a transport called \%address_pipe%\ was run to pass an
email message by means of a pipe to another process running the command
- xxx, the return code from that command was 69, which indicates some kind
+ xxx, the return code from that command was 127, which indicates some kind
of error (the success return code is 0).
- The most common meaning of exit code 69 is ``unavailable'', and this often
- means that when Exim tried to run the command \(xxx)\, it failed. One
- cause of this might be incorrect permissions on the file containing the
- command. See also Q0026.
+ The most common meaning of exit code 127 is that when Exim tried to run
+ the command \(xxx)\, it failed. One cause of this might be incorrect
+ permissions on the file containing the command. See also Q0026.
Q0004: My virtual domain setup isn't working. How can I debug it?
You can test the link using pings of large packets and see what works:
-==> ping -s host 2048
+==> ping -s host 2048
Try reducing the MTU on the sending host:
-==> ifconfig le0 mtu 1300
+==> ifconfig le0 mtu 1300
Alternatively, you can reduce the size of the buffer Exim uses for SMTP
output by putting something like
==> deny hosts = *.x.example
If at all possible, you should use IP addresses instead of host
- names in blocking lists in order to to avoid this problem.
+ names in blocking lists in order to avoid this problem.
You can use the \-bh-\ option to get more information about what is
happening at the start of a connection. However, note that the \-bh-\
Q0026: I'm trying to get Exim to connect an alias to a pipe, but it always
- gives error code 69, with the comment \*(could mean service or program
- unavailable)*\.
+ gives error code 127, with the comment \*(could mean unable to exec
+ or command does not exist)*\.
A0026: If your alias entry looks like this:
A0029: There is a problem using PAM with shadow passwords when the calling
program is not running as \/root/\. Exim is normally running as the
- Exim user when authenticating a remote host. See this posting for one
- way round the problem:
+ Exim user when authenticating a remote host.
- \?http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010917/030371.html?\
+ (1) One solution can be found at \?http://www.e-admin.de/pam_exim/?\.
- Another solution can be found at \?http://www.e-admin.de/pam_exim/?\.
+ (2) PAM 0.72 allows authorization as non-\/root/\, using setuid helper
+ programs. Furthermore, in \(/etc/pam.d/exim)\ you can explicitly
+ specify that this authorization (using setuid helpers) is only
+ permitted for certain users and groups.
- PAM 0.72 allows authorization as non-\/root/\, using setuid helper programs.
- Furthermore, in \(/etc/pam.d/exim)\ you can explicitelly specify that
- this authorization (using setuid helpers) is only permitted for certain
- users and groups.
+ (3) Another approach is to authenticate using the \^saslauthd^\ daemon,
+ which has its own interface to PAM. The daemon runs as root, so
+ there is no access problem.
+
+ (4) One suggested solution was to set
+
+==> exim_group=shadow
+
+ in the configuration file, or the equivalent at build time. This is
+ very strongly discouraged. Do not do it! It works, but it's a
+ potential security exposure. Exim is intended to run as a
+ non-privileged user for much of the time. This setting gives it have
+ privileged access to crucial security information all of the time,
+ simply for the purposes of authentication (which Exim will only
+ spend a tiny part of its total time doing). The result is that a
+ successful compromise of the Exim system can give someone direct
+ access to the system passwords.
Q0030: I'm trying to use a query-style lookup for hosts that are allowed to
second solution is used, users can empty their mailboxes by updating
them, but cannot delete them.
- If your problem involves mail to \/root/\, see also Q0507.
+ If your problem involves mail to \/root/\, see also Q0039.
Q0037: I am experiencing mailbox locking problems with Sun's \"mailtool"\ used
A0039: Most people set up \/root/\ as an alias for the manager of the host. If
you haven't done this, Exim will attempt to deliver to \/root/\ as if it
were a normal user. This isn't really a good idea because the delivery
- process would run as \/root/\. Exim has a trigger guard in the option
+ process would run as \/root/\. Exim has two trigger guards that stop
+ deliveries running as root. In the build-time configuration, there is a
+ setting called FIXED_NEVER_USERS, which defaults to \"root"\. This
+ setting cannot be overridden. In addition, the default runtime
+ configuration contains the option
==> never_users = root
- in the default configuration file. This prevents it from running as \/root/\
- when doing any deliveries. If you really want to run local deliveries as
- \/root/\, remove this line, but it would be better to create an alias for
- \/root/\ instead.
+ just to be on the safe side. If you really want to run local deliveries
+ as \/root/\, you must use a version of Exim that was built without the
+ FIXED_NEVER_USERS option, and remove the above line from the runtime
+ configuration, but it would be better to create an alias for \/root/\
+ instead.
Q0040: How can I stop undeliverable bounce messages (e.g. to routeable, but
If you are running Exim with an alternate configuration file using a
command such as \"exim -C altconfig..."\, remember that the use of -C
- takes away Exim's root privilege.
+ takes away Exim's root privilege, unless \\TRUSTED_CONFIG_LIST\\
+ is set in \(Local/Makefile)\ and the corresponding file contains a
+ prefix which matches the alternative configuration file being used.
Check that you have defined the spool directory correctly by running
==> /usr/lib/sendmail -bz
- in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before
+ in some start-up script (e.g. \(/etc/init.d/mail)\) immediately before
==> /usr/lib/sendmail -bd -q15m
A0050: See \smtp_accept_max\, \smep_accept_max_per_host\ and \smtp_accept_reserve\.
-Q0051: When I try \"exim -bf"\ to test a system filter, I received the following
- error message: \*Filter error: unavailable filtering command "fail" near
- line 8 of filter file*\.
+Q0051: When I test my system filter with \-bf-\, I get the error \*filtering
+ command "fail" is disabled*\. Why is this?
A0051: Use the \-bF-\ option to test system filters. This gives you access to the
freeze and fail actions.
A0052: There has to be some limit to the length of a message's header lines,
because otherwise a malefactor could open an SMTP channel to your host,
start a message, and then just send characters continuously until your
- host ran out of memory. (Exim stores all the header lines in main
+ host runs out of memory. (Exim stores all the header lines in main
memory while processing a message). For this reason a limit is imposed
on the total amount of memory that can be used for header lines. The
default is 1MB, but this can be changed by setting \\HEADER_MAXSIZE\\ in
Q0057: We've got people complaining about attachments that don't show up
as attachments, but are included in the body of the message.
-A0057: These symptoms can be seen when some software passes a CRLF line
- terminated message via the command line to an MTA that expects lines to
- be terminated by LF only, and so preserves the CRs as data. If you can
- identify the software that is doing this, try setting the \-dropcr-\
- option on the command it uses to call Exim. Alternatively, you can set
- \drop_cr\ in the configuration file, but then that will apply to all
- input.
+A0057: In the past, these symptoms could be seen when some software passed a
+ CRLF line terminated message via the command line, because Exim expected
+ lines to be terminated by LF only, and so it preserved the CRs as data.
+ Modern versions of Exim (4.21 or later) use heuristics to try to do the
+ right thing with line endings.
Q0058: What does the error \*failed to open DB file \(/var/spool/exim/db/retry)\:
==> require_files = MAILMAN_HOME/lists/${lc:$local_part}/config.db
-A0060: The value of \"require_files"\ is a \*list*\ in which each item is
- separately expanded. You need either to double the colon, or switch to
- a different list separator.
+A0060: The value of \"require_files"\ is a list in which each item is
+ separately expanded. In other words, the splitting into items happens
+ before the string expansion. You need either to double the colon, or
+ switch to a different list separator.
Q0061: What does the error \*Too many ``Received'' headers - suspected mail
copies of all messages to be delivered on both of them.
-Q0062: When I try to start an Exim daemon it crashes. I ran a debugger and
- discovered that the crash is happening in the function \^^getservbyname()^^\.
- What's going on?
+Q0062: When I try to start an Exim daemon with \-bd-\ it crashes. I ran a
+ debugger and discovered that the crash is happening in the function
+ \^^getservbyname()^^\. What's going on?
A0062: What have you got in the file \(/etc/nsswitch.conf)\? If it contains this
line:
==> services: db files
- try removing the \"db"\. (Your system is trying to look in some kind of
- database before searching the file \(/etc/services)\.)
+ try removing the \"db"\. Your system is trying to look in some kind of
+ database before searching the file \(/etc/services)\, and there is an
+ incompatibility the is causing the function \^^getservbyname()^^\ crash.
+ This is an OS problem. See, for instance:
+
+ \?http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=129025?\
+
+ Another workaround in Exim is to set
+
+==> daemon_smtp_port = 25
+
+ in the configuration, to stop Exim calling \^^getservbyname()^^\.
Q0063: When I try to start an Exim daemon, nothing happens. There is no
trying to run an \%autoreply%\ transport. Why is this?
A0065: When Exim is called with -C, it passes on -C to any instances of itself
- that it calls (so that the whole sequence uses the same config file). If
- it's running as \/exim/\ when it does this, all is well. However, if it
- happens as a consequence of a non-privileged user running \%autoreply%\,
- the called Exim gives up its root privilege. Then it can't write to the
- spool.
-
- This means that you can't use -C (even as \/root/\) to run an instance of
- Exim that is going to try to run \%autoreply%\ from a process that is
- neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using
- re-execs to regain privilege), there isn't any way round this
- restriction. Therefore, the only way you can make this scenario work is
- to run the \%autoreply%\ transport as \/exim/\ (that is, the user that
- owns the Exim spool files). This may be satisfactory for autoreplies
- that are essentially system-generated, but of course is no good for
- autoreplies from unprivileged users, where you want the \%autoreply%\
- transport to be run as the user. To get that to work with an alternate
- configuration, you'll have to use two Exim binaries, with different
- configuration file names in each. See S001 for a script that patches
- the configuration name in an Exim binary.
+ that it calls (so that the whole sequence uses the same config file).
+ However, Exim gives up its root privilege if any user except \/root\/
+ passes a -C option to use a non-default configuration file, and that
+ includes the case where Exim re-execs itself to regain root privilege.
+ Thus it can't write to the spool.
+
+ The fix for this is to use the \\TRUSTED_CONFIG_LIST\\ build-time
+ option. This defines a file containing a list of 'trusted' prefixes for
+ configuration files. Any configuration file specified with -C, if it
+ matches a prefix listed in that file, will be used without dropping root
+ privileges (as long as it is not writeable by a non-root user).
Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean?
by a \"mail.info"\ descriptor).
Test this by running the command:
-==> logger -p mail.notice test
+==> logger -p mail.notice test
- and seeing which logs it goes into.
+ and seeing which logs it goes into. From Exim release 4.31 it is
+ possible to disable the rejectlog by setting \write_rejectlog\ false.
Q0077: I've installed Exim and it is delivering mail just fine. However, when I
==> user_pref("mail.suppress_sender_header", true);
- Netscape \*must*\ be shutdown while doing this.
+ Netscape must be shut down while doing this.
Q0084: I want to set up an alias that pipes a message to \^gpg^\ and then pipes
malefactious clients who send a bunch of SMTP commands (usually to
transmit spam) without waiting for any replies.
- This error is also provoked if the client is trying to start up a TLS
- session immediately on connection, without using the STARTTLS command.
- See Q1707 for a discussion of this case.
+ This error is also provoked if a client unexpectedly tries to start up a
+ TLS session immediately on connection, without using the STARTTLS
+ command. See Q1707 for a discussion of this case.
Q0087: What does \*rejected after DATA: malformed address: xx@yy may not follow
- <xx@yy> : failing address in "from" header*\ mean? (I've obscured the
- real email addresses.)
+ <xx@yy> : failing address in "from" header*\ mean?
A0087: Your DATA ACL contains
Q0089: What does the error \*kernel: application bug: exim(12099) has SIGCHLD
set to SIG_IGN but calls wait()*\ mean?
-A0089: This was a bad interaction between a relatively recent change to the
- Linux kernel and some ``belt and braces'' programming in Exim. The
- following explanation is taken from Exim's change log:
+A0089: This was a bad interaction between a change to the Linux kernel and some
+ ``belt and braces'' programming in Exim. The following explanation is
+ taken from Exim's change log:
When Exim is receiving multiple messages on a single connection, and
spinning off delivery processess, it sets the SIGCHLD signal handling to
A0091: See Q0065.
-Q0092: Exim crashes when I try to start the daemon, but works fine otherwise.
-
-A0092: There was a known problem (a db incompatibility) that made the function
- \^^getservbyname()^^\ crash in some operating systems. See, for
- instance:
-
- \?http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=129025?\
-
- The workaround in Exim is to set
-
-==> daemon_smtp_port = 25
-
- in the configuration, to stop Exim calling the failing function.
-
-
-Q0093: The error message \*Program received signal SIGINT, Interrupt.*\ occurs
+Q0092: The error message \*Program received signal SIGINT, Interrupt.*\ occurs
when I try to use Exim with PostgreSQL.
-
-A0093: Check that you have not set
+
+A0092: Check that you have not set
==> log_statement=true
- in the PostgreSQL configuration file. It seems that this causes
- PostgreSQL to return logging information as the first row in a query
- result, which totally confuses Exim.
+ in the PostgreSQL configuration file. It seems that this causes
+ PostgreSQL to return logging information as the first row in a query
+ result, which totally confuses Exim.
can be done on a running system. All that should be necessary is to
install a new binary and then HUP the daemon.
+ \**Warning**\: If you have changed the release of your DBM library, so
+ that your new Exim is linked with a different release than the old one,
+ you may encounter errors when Exim attempts to access the old hints
+ databases. See Q0055.
+
Q0105: What does the error \*install-info: command not found*\ mean?
ensure that this happens throughout the build, it's best to export it in
your environment:
-==> MAKEFLAGS='-B'
- export MAKEFLAGS
- make
+==> MAKEFLAGS='-B'
+ export MAKEFLAGS
+ make
Q0116: I have tried to build Exim with Berkeley DB 3 and 4, but I always get
of BDB installed on the same host, is that the header files and library
files for BDB are not in a standard place. You therefore need to tell
Exim where they are, by setting INCLUDE and DBMLIB in your
- \(Local/Makefile)\. For example, I use this on my workstation when
- I want to build with DB 4.1:
+ \(Local/Makefile)\. For example, you could use this when you want to
+ build with DB 4.1:
-==> INCLUDE=-I/opt/local/include/db-4.1
- DBMLIB=/opt/local/lib/db-4.1/libdb.a
+==> INCLUDE=-I/usr/local/include/db-4.1
+ DBMLIB=/usr/local/lib/db-4.1/libdb.a
Specifying the complete library file like this will cause it to be
statically linked with Exim. You'll have to check to see where these
==> adduser exim
- (3) Now you can prepare to build Exim. Go to \?http://www.exim.org?\ or
+ (3) Now you can prepare to build Exim. Go to \?https://www.exim.org?\ or
one of its mirrors, or the master ftp site
\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download
\(exim-4.20.tar.gz)\ or whatever the current release is. Then:
==> make install
- You \*must*\ be \/root/\ to do this. You do not have to be root for any of
+ You must be \/root/\ to do this. You do not have to be root for any of
the previous building activity.
(6) Run some tests on Exim; see if it will do local and remote
can be found at \?http://www.timj.co.uk/linux/exim.php?\.
+Q0120: I'm trying to compile with LOOKUP_WHOSON, but I keep getting \*In
+ function `whoson_find': undefined reference to `wso_query'*\.
+
+A0120: Try adding \"-lwhoson"\ to your LOOKUP_LIBS setting in \(Local/Makefile)\.
+
+
2. ROUTING IN GENERAL
sent out in the RCPT command is always the original local part.
+Q0208: I can't get a lookup to work in a domain list. I'm trying this:
+
+==> domainlist local_domains = @:localhost:${lookup pgsql{SELECT ...
+
+A0208: Does the lookup return a colon separated list of domains? If not, you
+ are using the wrong kind of lookup. The most common way of using a
+ lookup in a domain list is something like this:
+
+==> domainlist local_domains = @:localhost:pgsql;SELECT ...
+
+ Using that syntax, if the query succeeds, the domain is considered to be
+ in the list. The value that is returned is not relevant.
+
+
3. ROUTING TO REMOTE HOSTS
with MX records pointing to \"localhost"\ (or other names with A records
that specify 127.0.0.1), which causes this behaviour. You can use the
\ignore_target_hosts\ option to get Exim to ignore these records. The
- default contiguration does this. For more discussion, see Q0319. For
+ default configuration does this. For more discussion, see Q0319. For
other cases:
(1) If the domain is meant to be handled as a local domain, there
==> route_list = foo $domain; bar $domain
Note the semicolon separator. This is because the second thing in each
- item can itself be a list - of hosts.
+ item can itself be a colon-separated list of hosts.
Q0308: I have a domain for which some local parts must be delivered locally,
ignore_target_hosts = 127.0.0.0/8
no_more
- Then add a second router which handles the local parts that are not to
+ Then add a second router to handle the local parts that are not to
be delivered locally:
==> special_remote:
Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim
- send the messsage to the host defined by the A record?
+ send the message to the host defined by the A record?
A0311: The RFCs are quite clear on this. Only if it is known that there are no
MX records is an MTA allowed to make use of the A record. When an MX
==> # Don't allow domains whose single MX (or A) record is a
# "special-use IPv4 address", as listed in RFC 3330.
ignore_target_hosts = \
- # Hosts on "this network"; RFC 1700 (page 4) states that these
- # are only allowed as source addresses
- 0.0.0.0/8 : \
- # Private networks, RFC 1918
- 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
- # Internet host loopback address, RFC 1700 (page 5)
- 127.0.0.0/8 : \
- # "Link local" block
- 169.254.0.0/16 : \
- # "TEST-NET" - should not appear on the public Internet
- 192.0.2.0/24 : \
- # 6to4 relay anycast addresses, RFC 3068
- 192.88.99.0/24 : \
- # Network interconnect device benchmark testing, RFC 2544
- 198.18.0.0/15 : \
- # Multicast addresses, RFC 3171
- 224.0.0.0/4 : \
- # Reserved for future use, RFC 1700 (page 4)
- 240.0.0.0/4
+ # Hosts on "this network"; RFC 1700 (page 4) states that these
+ # are only allowed as source addresses
+ 0.0.0.0/8 : \
+ # Private networks, RFC 1918
+ 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
+ # Internet host loopback address, RFC 1700 (page 5)
+ 127.0.0.0/8 : \
+ # "Link local" block
+ 169.254.0.0/16 : \
+ # "TEST-NET" - should not appear on the public Internet
+ 192.0.2.0/24 : \
+ # 6to4 relay anycast addresses, RFC 3068
+ 192.88.99.0/24 : \
+ # Network interconnect device benchmark testing, RFC 2544
+ 198.18.0.0/15 : \
+ # Multicast addresses, RFC 3171
+ 224.0.0.0/4 : \
+ # Reserved for future use, RFC 1700 (page 4)
+ 240.0.0.0/4
Q0320: How can I arrange for all mail to \*user@some.domain*\ to be forwarded
Q0409: I want mail for any local part at certain virtual domains to go
to a single address for each domain.
-A0409: One way to to this is
+A0409: One way to do this is
==> virtual:
driver = redirect
driver = accept
check_local_user
transport = local_delivery
- prefix = real-
+ local_part_prefix = real-
before the \%redirect%\ router that handles \(.forward)\ files. This will
do an ordinary local delivery without \(.forward)\ processing, if the
This should be placed before any router that makes any use of NIS,
typically at the start of your local routers. How does it work? If
your NIS server is reachable, the lookup will take place, and whether it
- succeeds or fails, the result is an empty strting. This causes the
+ succeeds or fails, the result is an empty string. This causes the
router to decline, and the address is passed to the following routers.
If your NIS server is down, the lookup defers, and this causes the
router to defer. A verification of an incoming address gets a temporary
rejection, and a delivery is deferred till later.
-Q0433: How can I arrange for a single address to be processed by \*both*\
- \%redirect%\ \*and*\ \%accept%\?
+Q0433: How can I arrange for a single address to be processed by both
+ \%redirect%\ and \%accept%\?
A0433: Check out the \unseen\ option.
Q0434: How can I redirect all local parts that are not in my system aliases to
a single address? I tried using an asterisk in the system alias file
- with an \"lsearch*"\ lookup, but that send \*all*\ messages to the
+ with an \"lsearch*"\ lookup, but that sent all messages to the
default address.
A0434: If your alias file generates addresses in the local domain, they are
to scan email messages at SMTP time. \^elspy^\ also includes a small
Python library with common mail-scanning tools, including an interface
to SpamAssassin and a simple but effective virus detector. You can
- optain \^elspy^\ from \?http://elspy.sourceforge.net/?\.
+ obtain \^elspy^\ from \?http://elspy.sourceforge.net/?\.
Q0511: Whenever my system filter uses a \mail\ command to send a message, I get
``delivery'') the transport runs as the same user, unless it has a
\user\ setting of its own. Normally, deliveries are not allowed to run
as \/root/\ as a security precaution; this is implemented by the
- \never_users\ option.
+ \never_users\ option (see Q0039).
The easiest solution is to add this to your configuration:
==> majordomo: |/local/mail/majordomo ...
then Exim has to be told what uid/gid to use for the delivery. This can
- be done either on the routerr that handles the address, or on the
+ be done either on the router that handles the address, or on the
transport that actually does the delivery. If a pipe is going to run a
setuid program, then it doesn't matter what uid Exim starts it out with,
and so the most straightforward thing is to put
Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the
- ctrl-A characters that separate indvidual emails?
+ ctrl-A characters that separate individual emails?
A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact,
for MMDF mailboxes you need a prefix as well as a suffix to get it
\use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\
terminations) message bodies started to vanish.
-A0606: You need to unset the \mesage_prefix\ option, or change it so that its
+A0606: You need to unset the \message_prefix\ option, or change it so that its
default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the
transport could be:
==> local_delivery_mbx:
- driver = pipe
- command = /usr/local/bin/tmail $local_part
- user = exim
- current_directory = /
+ driver = pipe
+ command = /usr/local/bin/tmail $local_part
+ user = exim
+ current_directory = /
use_crlf
message_prefix =
The setting of \redirect_router\ causes processing of the rewritten
address to start at the next router, instead of the first router. See
- also Q0630, and C045 for a more complete Cyrus configuration.
+ also Q0630 and Q0414, and see C045 for a more complete Cyrus
+ configuration.
Q0627: Is there a command I can send to Exim to retry all queued messages
Q0629: I'm having trouble with quotas and Courier, because Exim is not handling
maildirsize files.
-A0629: You will do better to move the quota handling to Courier. Use \^maildrop^\
- as your MDA rather than direct Exim delivery. This also has the
- advantage that if you give web access to the mail spool (over \^sqwebmail^\)
- you can then use the web front end to edit \^maildrop^\ filter files.
+A0629: You must be using an old version of Exim; it has supported maildirsize
+ files since release 4.30.
Q0630: How can I configure Exim to deliver to a Cyrus message store?
Q0631: I would like to choose a retry rule based on on the sender rather than
the recipient address. Is this possible?
-A0631: Yes. The address part of a retry rule is matched as a single-item
- address list. Such lists are always expanded, so you can use something
- like this:
+A0631: Yes. In release 4.43 and later releases, you can do this directly by
+ adding a third item to a retry rule of the form "senders=<address
+ list>". The retry timings themselves then become the fourth item. For
+ example:
+
+==> * * senders=: F,1h,30m
+
+ would match all bounce messages. If the address list contains white
+ space, it must be enclosed in quotes. For example:
+
+==> a.domain timeout senders="x@b.dom : y@c.dom" G,8h,10m,1.5
+
+ If you are using an earlier release of Exim, you can still achieve the
+ effect, but in a more complicated way. The address part of a retry rule
+ is matched as a single-item address list. Such lists are always
+ expanded, so you can use something like this:
==> "${if eq{$sender_address}{xxx}{*@*}{no@no}}" quota F,1h,10m; ...
If, after inspection, you decide not to deliver the message, it is
safest to discard it, using the \-Mrm-\ option. Use of the \-Mg-\ option
to force a bounce carries the risk of ``collateral spam'' if the sender
- address is faked.
+ address is faked (as it usually is in spam).
Q0703: How can I test that my spam blocks are working?
bounce message).
-Q0704: How can I test that Exim is correctly configured to use the Realtime
- Blackhole List (RBL)?
+Q0704: How can I test that Exim is correctly configured to use a DNS black list
+ such as the Realtime Blackhole List (RBL)?
A0704: The \-bh-\ option allows you to run a testing SMTP session as if from a
given address. The \^exim_checkaccess^\ utility provides a more packaged
Q0706: How can I get POP-auth-before-relay (aka POP-before-SMTP) support in
Exim?
-A0706: Exim 4 supports the ``whoson'' (\?http://whoson.sourceforge.net?\)
+A0706: A cleaner way of authentication is to use the SMTP AUTH facility, which
+ does not require a prior use of POP. However, it is possible to do what
+ you have asked for:
+
+ Exim 4 supports the ``whoson'' (\?http://whoson.sourceforge.net?\)
facility for doing this. If you set this up, you can do the check in an
Exim ACL by a statement like this:
==> deny message = ${lookup{$sender_address=>$local_part@$domain}\
lsearch{/that/file}}
condition = ${lookup{$sender_address=>$local_part@$domain}\
- lsearch{/that/file}}{yes}{no}}
+ lsearch{/that/file}{yes}{no}}
The condition is tested first. If the lookup succeeds, the condition
succeeds so access is denied. The message is then expanded, but the
{eq {$sender_host_address}{127.0.0.1}}}\
{0}{1}}
- One problem is that this approach scans the message for each recipient,
- not just once per message.
+ One problem is that this approach, by default, scans the message for
+ each recipient, not just once per message. However, you can set the
+ \batch_max\ option on the transport to allow it to send a single copy
+ for multiple recipients.
The virus_scan transport should be set up to pipe the message to a
suitable checking program or script which runs as a trusted user. This
can then re-submit the message to Exim, using \-oMr-\ to set the received
- protocol to \"scanned-ok"\, and the \-f-\ option to set the correct envelope
- sender address. \**Warning:**\ If you forget to make the resubmitting process
- run as a trusted user, the received protocol does not get set, and you
- are likely to generate a loop.
+ protocol to \"scanned-ok"\. It is probably easiest to use the Batch SMTP
+ (BSMTP) facilities for passing the sender address and the recipient
+ addresses to the checker and then back to Exim (using the \-bS-\
+ command line option). \**Warning:**\ If you forget to make the
+ resubmitting process run as a trusted user, the sender address will be
+ incorrect and what is worse, the received protocol does not get set, and
+ you are likely to generate a loop.
Q0714: Is there a way to configure Exim to reject mail to a certain local host?
==> server_prompts = :
- This is missing in the examples in all but the most recent Exim
- documentation, because it was not realized that PLAIN authentication
- could be requested by a client without sending the data with the
- request. If the data is not sent, an empty prompt is expected.
+ This is missing in the examples in early Exim documentation, because it
+ was not realized that PLAIN authentication could be requested by a
+ client without sending the data with the request. If the data is not
+ sent, an empty prompt is expected.
Q0724: I have used \":fail:"\ in some aliases; when one of these addresses is
do not block legitimate mail. With that proviso, you can do it using
something like this in an ACL:
-==> drop message = HELO doesn't look like a hostname
- log_message = Not a hostname
- condition = ${if match{$sender_helo_name} \
- {\N^[^.].*\.[^.]+$\N}{no}{yes}}
+==> drop message = HELO doesn't look like a hostname
+ log_message = Not a hostname
+ condition = ${if match{$sender_helo_name} \
+ {\N^[^.].*\.[^.]+$\N}{no}{yes}}
This means: Drop the HELO unless it contains a dot somewhere in the HELO
string, but the string may not begin or end with a dot. Thus, the
A0739: An Exim ACL can be used. See \?http://spf.pobox.com/downloads.html?\.
+Q0740: How can I change the MAIL FROM address that is used for callouts?
+
+A0740: It depends on which type of callout you are using.
+
+ (1) For envelope sender verification callouts, you cannot make any
+ change. My view is that an envelope sender verification is testing
+ whether Exim could send a bounce to that address. Therefore, it must
+ use \"MAIL FROM:<>"\ because that is what it would do if it were
+ sending a bounce message. If \"MAIL FROM:<>"\ is rejected, it means
+ Exim could not send a bounce. Therefore the callout fails.
+
+ (2) For verifying addresses in the ::From::, ::Sender::, or ::Reply-to::
+ header lines (the \"verify = header_sender"\ condition), it is
+ possible to make a change, on the grounds that these addresses are
+ not necessarily ones that must accept bounce messages. You can do
+ this by adding a \"mailfrom"\ option, like this:
+
+==> require verify = header_sender/callout=mailfrom=abcd@x.y.z
+
+ (3) It is also possible to make a change for the postmaster verification
+ option, also on the grounds that a postmaster address need not
+ accept bounces if it is never used as an envelope sender. Instead of
+ just \"postmaster"\, \"postmaster_mailfrom"\ is used, like this:
+
+==> require verify = sender/callout=postmaster_mailfrom=abcd@x.y.z
+
+ (4) For recipient verification, there are three possibilities. The
+ default is to use \"MAIL FROM:<>"\. If the \use_postmaster\ option
+ is given, for example:
+
+==> require verify = recipient/callout=use_postmaster
+
+ then the address for MAIL FROM is made up from the local part
+ \"postmaster"\ and the contents of \$qualify_domain$\.
+
+ Alternatively, if the \use_sender\ option is given, the sender
+ address of the incoming message is used. You should use this option
+ only when you know that the receiving host makes use of the sender
+ address when verifying. The reason is that the callout cache is much
+ less effective in this case, causing many more callouts to be
+ performed.
+
+ In all cases when you configure Exim to use a non-empty address in MAIL
+ FROM during callout processing, you should think carefully about what
+ might happen if this causes the called host to make its own callout back
+ to your host. Make sure that callout loops cannot happen.
+
+
+Q0741: How can I get Outlook Express to use TLS when authenticating?
+
+A0741: If you check \"auth required"\ in OE, it will authenticate as soon as
+ it sees AUTH LOGIN, in preference to STARTTLS. The trick is to
+ advertise things to OE in a certain order. The first EHLO should
+ advertise STARTTLS but not AUTH, and only the second EHLO (after TLS
+ starts) should advert AUTH. One way of achieving this is to put, in
+ the main section of your Exim configuration:
+
+==> auth_advertise_hosts = ${if eq{$tls_cipher}{}{127.0.0.1}{*}}
+
+ This means that the only host to which AUTH is advertised is 127.0.0.1
+ when the session is not encrypted (that is, before TLS has started). The
+ idea here is that there's no need for encryption for anything coming via
+ the loopback interface. For an encrypted session, however, AUTH is
+ advertised to all hosts.
+
+ You can also block the AUTH command itself for unencrypted connections,
+ by creating an ACL for \acl_smtp_auth\ that is something like this:
+
+==> accept encrypted = *
+ accept hosts = 127.0.0.1
+ deny message = TLS encryption required before AUTH
+
+
8. REWRITING ADDRESSES
names, but if mail comes in for an upper case login name, it doesn't
get rewritten.
-==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\
- {$value}fail}@my.domain bcfrtFT
+==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\
+ {$value}fail}@my.domain bcfrtFT
The longforms database has entries of the form:
are rewriting. If you are rewriting recipient addresses for your local
domain, you can do:
-==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq
+==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq
and in your alias file put something like
-==> failaddr: :fail: Rewriting failed
+==> failaddr: :fail: Rewriting failed
This fails a single recipient - others are processed independently.
but it is important to some people - especially if by some unfortunate
accident the lowercased word is something indecent.
- You can trivally force lower casing by means of the \"${lc:"\ operator.
+ You can trivially force lower casing by means of the \"${lc:"\ operator.
Instead of \"$domain"\ write \"${lc:$domain}"\.
==> headers add "New-Subject: SPAM: $h_subject:"
headers remove subject
- neaders add "Subject: $h_new-subject:"
+ headers add "Subject: $h_new-subject:"
headers remove new-subject
This trick works only in system filters, where the commands are obeyed
delivered very quickly, and the queue is always less than, say, a few
hundred messages, there isn't any need to do this. With larger queues,
there is a definite performance benefit to splitting the spool. It shows
- up earlier on some types of filing system, compared with others.
+ up earlier on some types of file system, compared with others.
Exim was not designed for handling large queues. If you are in an
enviroment where lots of messages remain on the queue for long periods
to enable my clients to use TLS. However, clients other than Exim
refuse to accept this certificate. What's wrong?
-A1701: It seems that some clients require that the certificate presented by
- the server be a user (also called ``leaf'' or ``site'') certificate, and not
- a self-signed certificate. In this situation, the self-signed
- certificate must be installed on the client as a trusted root
- \*certification authority*\ (CA), and the certificate used by the server
- must be a user certificate signed with that self-signed certificate.
-
- For information on creating self-signed CA certificates and using them
- to sign user certificates, see the \*General implementation overview*\
- chapter of the Open-source PKI book, available online at
- \?http://ospkibook.sourceforge.net/?\. Here is a quick overview. First,
- read this message:
-
- \?http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com?\
-
- Then, follow the instructions found on these two (consecutive) pages:
-
- \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm?\
- \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm?\
-
- Two points on the PKI Book literature:
-
- (1) It's assumed that it's okay to use a passphrase-protected key to
- encrypt the user/site/leaf certificate. If this isn't acceptable,
- you seem to be able to strip out the passphrase as follows:
+A1701: Don't use a self-signed certificate today. Use a certificate from a
+ certificate authority, whether your own private certificate authority or
+ a free CA such as Let's Encrypt.
-==> openssl rsa -in user.key -our user.key.new
- mv user.key.new
-
- This should be done immediately after \(user.key)\ is created.
-
- (2) The \*sign.sh*\ script is available in the \*mod_ssl*\ distribution,
- available at \?http://www.modssl.org/source/?\.
-
- Having followed the instructions, you end up with the following files:
-
- (a) \(ca.crt)\
-
- This file should be installed into the client software as a trusted
- root certification authority. In Windows XP, this can be done as follows:
-
- \#\#Call the file \(ca_cert.cer)\
- [[br]]
- \#\#Double-click on the file
- [[br]]
- \#\#"Install Certificate";
- [[br]]
- \#\#"Next"
- [[br]]
- \#\#"Place all certificates in the following store"
- [[br]]
- \#\#"Browse..."
- [[br]]
- \#\#"Trusted Root Certification Authorities"
- [[br]]
- \#\#"OK"
- [[br]]
- \#\#"Next"
- [[br]]
- \#\#"Finish"
- [[br]]
- \#\#"Yes"
- [[br]]
- \#\#"OK"
-
- (b) \(user.crt)\ and \(user.key)\
-
- These files should be installed into the server software. In Exim, this
- can be done by adding these lines to the configuration file:
-
-==> tls_certificate = /usr/local/etc/exim/tls_cert
- tls_privatekey = /usr/local/etc/exim/tls_key
-
- Then install \(user.crt)\ and \(user.key)\ under the names \(tls_cert)\
- and \(tls_key)\ in the appropriate directory.
+ The exim.org setup uses Let's Encrypt, using the lego tooling and a small
+ shell wrapper to let the certificates be automatically renewed via cron.
+ \?https://github.com/xenolf/lego?\
Q1702: How can I arrange for Exim to advertise support for SMTP authentication
only when the session is encrypted?
negotiate a TLS session automatically on connection to the ssmtp port
(465). Can Exim handle this?
-A1703: The \-tls-on-connect-\ option is available to handle this. You need to
- run two instances of an Exim listener, listening on different ports, one
- of which is started with \-tls-on-connect-\. You can either use two
- daemons, or a single daemon, with the other listenever using \^inetd^\.
- For example, here are commands to start two daemons:
+A1703: If you are using release 4.43 or later, you can set
+
+==> tls_on_connect_ports = 465
+
+ and then arrange for your daemon to listen on both port 25 and port 465
+ by setting \daemon_smtp_ports\ or \local_interfaces\ or the \-X-\
+ command line option. Or use \(inetd)\ to listen on port 465.
+
+ If you are using an earlier release of Exim, you need to run two
+ Exim listeners, on different ports, one of which is started with the
+ \-tls-on-connect-\ option (which makes all ports act this way). You can
+ either use two daemons, or a single daemon, with the other listener
+ using \^inetd^\. For example, here are commands to start two daemons:
==> exim -bd -q15m
exim -bd -oX '[0.0.0.0]::465' -tls-on-connect
A1707: See Q0086 for a general explanation of the error. In this case, it
probably means that Evolution is trying to negotiate a TLS session
immediately it connects, without first using the STARTTLS command. This
- was an older way of starting up TLS, before STARTTLS was defined. You
- will have to run a separate instance of Exim using the
- \-tls-on-connect-\ command line option to cater for this usage, and
- listening on a different port. For example:
-
-==> exim -bd -oX 465 -tls-on-connect
-
- 465 is the ``smtps'' port which is an unofficial standard for this kind
- of SMTP server.
+ was an older way of starting up TLS, before STARTTLS was defined. See
+ Q1703 for how to deal with this.
Q1708: I trying to use TLS with Outlook as a client on a box that is running
Q5006: Why aren't there any man pages for Exim? I don't always carry my printed
documentation.
-A5006: A single man page which lists the command line options is provided in
+A5006: A single man page that lists the command line options is provided in
file \(doc/exim.8)\ in the Exim distribution. Several other forms of
online documentation are available. As well as plain ASCII text, the
there are two forms - Texinfo and HTML - which have a certain amount of
A5021: Yes. Exim provides MTA functionality. That is, it delivers mail. POP and
IMAP are two of several ways of reading previously-delivered mail. Exim
does not provide that functionality. You need to install POP and/or IMAP
- daemons; there are several to choose from. There is a mailing list at
- //pop-imap@exim.org// for the discussion of POP/IMAP issues.
+ daemons; there are several to choose from.
Q5022: Is there an easy way of removing all queued messages at once in a safe
You can add other conditions as well, of course.
+Q5035: Does Exim run with different permissions between \-bt-\ and \-bh-\, or
+ between verifying and actual sending?
+
+A5035: Yes. For \-bt-\ it runs as root, as it would when delivering a message.
+ For \-bh-\, \-bv-\, and when actually receiving a message, it runs as
+ the Exim user.
+
+
91. MAC OS X
==> # Now System is up, Modify kernel parameters for max open etc.
==> if [ -f /proc/sys/kernel/file-max ]; then
- echo 16384 >> /proc/sys/kernel/file-max
+ echo 16384 >> /proc/sys/kernel/file-max
fi
if [ -f /proc/sys/kernel/inode-max ]; then
- echo 24576 >> /proc/sys/kernel/inode-max
+ echo 24576 >> /proc/sys/kernel/inode-max
fi
if [ -f /proc/sys/kernel/file-nr ]; then
- echo 2160 >> /proc/sys/kernel/file-nr
+ echo 2160 >> /proc/sys/kernel/file-nr
fi
By echoing the value you want for file-max to the file \(file-max)\ etc.,
This fits very well into the Debian system of configuration file
management and is a great ease for the automatic configuration with
- Debconf. However, it is \*very*\ different from the normal way Exim 4 is
+ Debconf. However, it is very different from the normal way Exim 4 is
configured. Non-Debian users on the Exim mailing list will probably have
difficulty in trying to answer specific questions about it. You may have
to find a Debian expert.
(1) The exim4 package installs easily, and the exim (3.38) package
uninstalls at the same time.
- (2) Exim runs from \^inetd^\. Exim4 runs from \^/etc/init.d^\. \*Much*\ nicer!
+ (2) Exim runs from \^inetd^\. Exim4 runs from \^/etc/init.d^\. Much nicer!
(3) The exim conffile lives in \(/etc/exim/exim.conf)\. The exim4 conffile
lives in \(/var/lib/exim4/config.autogenerated)\. It is, as the name
which does the rebuild and also tells Exim to reread the changed
configuration.]
- (6) In my experience, you need to \*carefully*\ check the generated
+ (6) In my experience, you need to carefully check the generated
configs. eg, it did not generate a system filter file reference in the
\(config.autogenerated)\. I didn't bother too much, since this is a home
setup.
Q9701: Exim builds fine with \^gcc^\ on SunOS 4 but crashes inside \^^sscanf()^^\.
-A9701: Make sure you are liking with the GNU \^ld^\ linker and not the system
+A9701: Make sure you are linking with the GNU \^ld^\ linker and not the system
version of \^ld^\.
-Q9702: How can I get rid of spurious \"^M"\ characters in messages sent from
- CDE \^dtmail^\?
+Q9702: How can I get rid of spurious \"^M"\ (carriage return) characters in
+ messages sent from CDE \^dtmail^\?
A9702: CDE \^dtmail^\ passes messages to Exim via the command line interface with
- lines terminated by CRLF, instead of the Unix convention of just LF. As
- Exim is an 8-bit clean program it treats the CR as just another data
- character. Exim has a command line option called \-dropcr-\ which causes
- it to ignore all CR characters in an incoming non-SMTP message. You
- should configure \^dtmail^\ to add this option to the command it uses to
- call Exim (using the path \(/usr/lib/sendmail)\). However, it has been
- reported that it isn't possible to change this call from \^dtmail^\ by any
- official means. An alternative approach is to replace \(/usr/lib/sendmail)\
- by a filtering script which removes the spurious CRs from the input
- before passing it to Exim.
+ lines terminated by CRLF, instead of the Unix convention of just LF.
+ This should not be a problem if you are using Exim release 4.21 or
+ later, as changes were made to detect CRLF line endings.
+
+ In earlier versions of Exim, CR would be treated as just another data
+ character. There was, however, a command line option called
+ \-dropcr-\ which caused Exim to ignore all CR characters in an incoming
+ non-SMTP message. (This option is a no-op in current releases.)
+
+ If you are using a pre-4.21 version of Exim, you should configure
+ \^dtmail^\ to add this option to the command it uses to call Exim (using
+ the path \(/usr/lib/sendmail)\). However, it has been reported that it
+ isn't possible to change this call from \^dtmail^\ by any official
+ means. An alternative approach is to replace \(/usr/lib/sendmail)\ by a
+ filtering script that removes the spurious CRs from the input before
+ passing it to Exim.
Q9703: On SunOS 4 Exim crashes when looking up domains in the DNS that have
==> #define LOAD_AVG_FIELD value.ui32
and change \"ui32"\ to \"ul"\ (that's u followed by the letter ell, not
- the digit one). Solaris 2.5.1 is getting \*very*\ old now...
+ the digit one). Solaris 2.5.1 is getting very old now...
${lookup{${mask:$sender_host_address/24}}lsearch*{/path/to/file}}\
}}
- Note that the first lookup does \*not*\ have an asterisk on the search
+ Note that the first lookup does not have an asterisk on the search
type. If you have blocks of different sizes (/24, /26, etc) you have to
configure it to do a separate lookup for each size, with just the final
one using a default.
C042: ``Since the Exim 4 configuration needed to get Mailman to work differs a
little bit from Exim 3 and since I still haven't seen a recipe for
Mailman with Exim 4, I'm providing my configuration (based heavily on
- \?http://www.exim.org/howto/mailman.html?\).''
+ \?https://www.exim.org/howto/mailman21.html?\).''
C043: ``Attached is an Exim 4 config file which is designed for an Exim server
that is put in front of an Exchange 5.5 system but which verifies the