.chapter "Incorporated code" "CHID2"
.cindex "incorporated code"
.cindex "regular expressions" "library"
-.cindex "PCRE"
+.cindex "PCRE2"
.cindex "OpenDMARC"
A number of pieces of external code are included in the Exim distribution.
.ilist
Regular expressions are supported in the main Exim program and in the
-Exim monitor using the freely-distributable PCRE library, copyright
-© University of Cambridge. The source to PCRE is no longer shipped with
-Exim, so you will need to use the version of PCRE shipped with your system,
+Exim monitor using the freely-distributable PCRE2 library, copyright
+© University of Cambridge. The source to PCRE2 is not longer shipped with
+Exim, so you will need to use the version of PCRE2 shipped with your system,
or obtain and install the full version of the library from
-&url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre).
+&url(https://github.com/PhilipHazel/pcre2/releases).
.next
.cindex "cdb" "acknowledgment"
Support for the cdb (Constant DataBase) lookup method is provided by code
A C99-capable compiler will be required for the build.
-.section "PCRE library" "SECTpcre"
-.cindex "PCRE library"
-Exim no longer has an embedded PCRE library as the vast majority of
-modern systems include PCRE as a system library, although you may need to
-install the PCRE package or the PCRE development package for your operating
-system. If your system has a normal PCRE installation the Exim build
+.section "PCRE2 library" "SECTpcre"
+.cindex "PCRE2 library"
+Exim no longer has an embedded regular-expression library as the vast majority of
+modern systems include PCRE2 as a system library, although you may need to
+install the PCRE2 package or the PCRE2 development package for your operating
+system. If your system has a normal PCRE2 installation the Exim build
process will need no further configuration. If the library or the
-headers are in an unusual location you will need to either set the PCRE_LIBS
+headers are in an unusual location you will need to either set the PCRE2_LIBS
and INCLUDE directives appropriately,
-or set PCRE_CONFIG=yes to use the installed &(pcre-config)& command.
+or set PCRE2_CONFIG=yes to use the installed &(pcre-config)& command.
If your operating system has no
-PCRE support then you will need to obtain and build the current PCRE
-from &url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/).
-More information on PCRE is available at &url(https://www.pcre.org/).
+PCRE2 support then you will need to obtain and build the current PCRE2
+from &url(https://github.com/PhilipHazel/pcre2/releases).
+More information on PCRE2 is available at &url(https://www.pcre.org/).
.section "DBM libraries" "SECTdb"
.cindex "DBM libraries" "discussion of"
.next
To complicate things further, there are several very different versions of the
Berkeley DB package. Version 1.85 was stable for a very long time, releases
-2.&'x'& and 3.&'x'& were current for a while, but the latest versions when Exim last revamped support were numbered 4.&'x'&.
-Maintenance of some of the earlier releases has ceased. All versions of
-Berkeley DB could be obtained from
+2.&'x'& and 3.&'x'& were current for a while,
+.new
+but the latest versions when Exim last revamped support were numbered 5.&'x'&.
+Maintenance of some of the earlier releases has ceased,
+and Exim no longer supports versions before 3.&'x'&.
+.wen
+All versions of Berkeley DB could be obtained from
&url(http://www.sleepycat.com/), which is now a redirect to their new owner's
page with far newer versions listed.
It is probably wise to plan to move your storage configurations away from
.endd
Similarly, for gdbm you set USE_GDBM, and for tdb you set USE_TDB. An
error is diagnosed if you set more than one of these.
+.new
+You can set USE_NDBM if needed to override an operating system default.
+.wen
At the lowest level, the build-time configuration sets none of these options,
thereby assuming an interface of type (1). However, some operating system
.code
DBMLIB = -ldb
DBMLIB = -ltdb
+DBMLIB = -lgdbm -lgdbm_compat
.endd
+.new
+The last of those was for a Linux having GDBM provide emulated NDBM facilities.
+.wen
Settings like that will work if the DBM library is installed in the standard
place. Sometimes it is not, and the library's header file may also not be in
the default path. You may need to set INCLUDE to specify where the header
+.section "Running the daemon" SECTdaemonLaunch
+The most common command line for launching the Exim daemon looks like
+.code
+exim -bd -q5m
+.endd
+This starts a daemon which
+.ilist
+listens for incoming smtp connections, launching handler processes for
+each new one
+.next
+starts a queue-runner process every five minutes, to inspect queued messages
+and run delivery attempts on any that have arrived at their retry time
+.endlist
+Should a queue run take longer than the time between queue-runner starts,
+they will run in parallel.
+Numbers of jobs of the various types are subject to policy controls
+defined in the configuration.
+
+
.section "Upgrading Exim" "SECID36"
.cindex "upgrading Exim"
If you are already running Exim on your host, building and installing a new
.chapter "Regular expressions" "CHAPregexp"
.cindex "regular expressions" "library"
-.cindex "PCRE"
+.cindex "PCRE2"
Exim supports the use of regular expressions in many of its options. It
-uses the PCRE regular expression library; this provides regular expression
+uses the PCRE2 regular expression library; this provides regular expression
matching that is compatible with Perl 5. The syntax and semantics of
regular expressions is discussed in
online Perl manpages, in
. --- to the old URL for now. 2018-09-07.
The documentation for the syntax and semantics of the regular expressions that
-are supported by PCRE is included in the PCRE distribution, and no further
-description is included here. The PCRE functions are called from Exim using
-the default option settings (that is, with no PCRE options set), except that
-the PCRE_CASELESS option is set when the matching is required to be
+are supported by PCRE2 is included in the PCRE2 distribution, and no further
+description is included here. The PCRE2 functions are called from Exim using
+the default option settings (that is, with no PCRE2 options set), except that
+the PCRE2_CASELESS option is set when the matching is required to be
case-insensitive.
In most cases, when a regular expression is required in an Exim configuration,
domains = lsearch;/some/file
.endd
The first uses a string expansion, the result of which must be a domain list.
+.new
+The key for an expansion-style lookup must be given explicitly.
+.wen
No strings have been specified for a successful or a failing lookup; the
defaults in this case are the looked-up data and an empty string, respectively.
The expansion takes place before the string is processed as a list, and the
Any data that follows the keys is not relevant when checking that the domain
matches the list item.
+.new
+The key for a list-style lookup is implicit, from the lookup context, if
+the lookup is a single-key type (see below).
+For query-style lookup types the key must be given explicitly.
+.wen
+
It is possible, though no doubt confusing, to use both kinds of lookup at once.
Consider a file containing lines like this:
.code
and a single key to search for. The key must be a non-empty string for the
lookup to succeed. The lookup type determines how the file is searched.
.cindex "tainted data" "single-key lookups"
-The file string may not be tainted
+The file string may not be tainted.
.cindex "tainted data" "de-tainting"
All single-key lookups support the option &"ret=key"&.
&*tls*&
Controls the use of TLS on the connection.
Values are &"yes"& or &"no"& (the default).
-If it is enabled, a shutdown as descripbed above is never done.
+If it is enabled, a shutdown as described above is never done.
.endlist
The parsing correctly handles SMTPUTF8 Unicode in the string.
-.vitem &*${mask:*&<&'IP&~address'&>&*/*&<&'bit&~count'&>&*}*&
+.vitem &*${mask:*&<&'IP&~address'&>&*/*&<&'bit&~count'&>&*}*& &&&
+ &*${mask_n:*&<&'IP&~address'&>&*/*&<&'bit&~count'&>&*}*&
.cindex "masked IP address"
.cindex "IP address" "masking"
.cindex "CIDR notation"
.code
${mask:10.111.131.206/28}
.endd
-returns the string &"10.111.131.192/28"&. Since this operation is expected to
-be mostly used for looking up masked addresses in files, the result for an IPv6
+returns the string &"10.111.131.192/28"&.
+
+Since this operation is expected to
+be mostly used for looking up masked addresses in files, the
+.new
+normal
+.wen
+result for an IPv6
address uses dots to separate components instead of colons, because colon
terminates a key string in lsearch files. So, for example,
.code
.code
3ffe.ffff.836f.0a00.000a.0800.2000.0000/99
.endd
+.new
+If the optional form &*mask_n*& is used, IPv6 address result are instead
+returned in normailsed form, using colons and with zero-compression.
+.wen
Letters in IPv6 addresses are always output in lower case.
.cindex "&%pam%& expansion condition"
&'Pluggable Authentication Modules'&
(&url(https://mirrors.edge.kernel.org/pub/linux/libs/pam/)) are a facility that is
-available in the latest releases of Solaris and in some GNU/Linux
-distributions. The Exim support, which is intended for use in conjunction with
+available in Solaris
+and in some GNU/Linux distributions.
+The Exim support, which is intended for use in conjunction with
the SMTP AUTH command, is available only if Exim is compiled with
.code
SUPPORT_PAM=yes
.cindex "ESMTP extensions" DSN
DSN extensions (RFC3461) will be advertised in the EHLO message to,
and accepted from, these hosts.
-Hosts may use the NOTIFY and ENVID options on RCPT TO commands,
-and RET and ORCPT options on MAIL FROM commands.
+Hosts may use the NOTIFY and ORCPT options on RCPT TO commands,
+and RET and ENVID options on MAIL FROM commands.
A NOTIFY=SUCCESS option requests success-DSN messages.
A NOTIFY= option with no argument requests that no delay or failure DSNs
are sent.
The value of this option is expanded and indicates the source of DH parameters
to be used by Exim.
-This option is ignored for GnuTLS version 3.6.0 and later.
-The library manages parameter negotiation internally.
-
-&*Note: The Exim Maintainers strongly recommend,
-for other TLS library versions,
-using a filename with site-generated
+&*Note: The Exim Maintainers strongly recommend using a filename with site-generated
local DH parameters*&, which has been supported across all versions of Exim. The
other specific constants available are a fallback so that even when
"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.
(the "ffdhe" identifiers).
At this point, all of the "ike" values should be considered obsolete;
-they're still in Exim to avoid breaking unusual configurations, but are
+they are still in Exim to avoid breaking unusual configurations, but are
candidates for removal the next time we have backwards-incompatible changes.
+.new
+Two of them in particular (&`ike1`& and &`ike22`&) are called out by RFC 8247
+as MUST NOT use for IPSEC, and two more (&`ike23`& and &`ike24`&) as
+SHOULD NOT.
+Because of this, Exim regards them as deprecated; if either of the first pair
+are used, warnings will be logged in the paniclog, and if any are used then
+warnings will be logged in the mainlog.
+All four will be removed in a future Exim release.
+.wen
The TLS protocol does not negotiate an acceptable size for this; clients tend
to hard-drop connections if what is offered by the server is unacceptable,
Any client that matches &%tls_verify_hosts%& is constrained by
&%tls_verify_certificates%&. When the client initiates a TLS session, it must
present one of the listed certificates. If it does not, the connection is
-aborted. &*Warning*&: Including a host in &%tls_verify_hosts%& does not require
+aborted.
+&*Warning*&: Including a host in &%tls_verify_hosts%& does not require
the host to use TLS. It can still send SMTP commands through unencrypted
connections. Forcing a client to use TLS has to be done separately using an
ACL to reject inappropriate commands when the connection is not encrypted.
The &%tls_verify_certificates%& option must also be set.
If both this option and &%tls_try_verify_hosts%& are unset
operation is as if this option selected all hosts.
+&*Warning*&: Including a host in &%tls_verify_hosts%& does not require
+that connections use TLS.
+Fallback to in-clear communication will be done unless restricted by
+the &%hosts_require_tls%& option.
.option utf8_downconvert smtp integer&!! -1
.cindex utf8 "address downconversion"
the message override the banner message that is otherwise specified by the
&%smtp_banner%& option.
+.new
+For tls-on-connect connections, the ACL is run after the TLS connection
+is accepted (however, &%host_reject_connection%& is tested before).
+.wen
+
.section "The EHLO/HELO ACL" "SECID192"
.cindex "EHLO" "ACL for"
This control turns on debug logging, almost as though Exim had been invoked
with &`-d`&, with the output going to a new logfile in the usual logs directory,
by default called &'debuglog'&.
-The filename can be adjusted with the &'tag'& option, which
-may access any variables already defined. The logging may be adjusted with
-the &'opts'& option, which takes the same values as the &`-d`& command-line
-option.
-Logging started this way may be stopped, and the file removed,
-with the &'kill'& option.
+
+.new
+Options are a slash-separated list.
+If an option takes an argument, the option name and argument are separated by
+an equals character.
+Several options are supported:
+.wen
+.display
+tag=<&'suffix'&> The filename can be adjusted with thise option.
+ The argument, which may access any variables already defined,
+ is appended to the default name.
+
+opts=<&'debug&~options'&> The argument specififes what is to be logged,
+ using the same values as the &`-d`& command-line option.
+
+stop Logging started with this control may be
+ stopped by using this option.
+
+kill Logging started with this control may be
+ stopped by using this option.
+ Additionally the debug file will be removed,
+ providing one means for speculative debug tracing.
+
+pretrigger=<&'size'&> This option specifies a memory buffuer to be used
+ for pre-trigger debug capture.
+ Debug lines are recorded in the buffer until
+ and if) a trigger occurs; at which time they are
+ dumped to the debug file. Newer lines displace the
+ oldest if the buffer is full. After a trigger,
+ immediate writes to file are done as normal.
+
+trigger=<&'reason'&> This option selects cause for the pretrigger buffer
+ see above) to be copied to file. A reason of $*now*
+ take effect immediately; one of &*paniclog*& triggers
+ on a write to the panic log.
+.endd
+
Some examples (which depend on variables that don't exist in all
contexts):
.code
control = debug/opts=+expand+acl
control = debug/tag=.$message_exim_id/opts=+expand
control = debug/kill
+ control = debug/opts=+all/pretrigger=1024/trigger=paniclog
+ control = debug/trigger=now
.endd
non-SMTP ACLs. It causes the incoming message to be scanned for a match with
any of the regular expressions. For details, see chapter &<<CHAPexiscan>>&.
+.new
+.vitem &*seen&~=&~*&<&'parameters'&>
+.cindex "&%sseen%& ACL condition"
+This condition can be used to test if a situation has been previously met,
+for example for greylisting.
+Details are given in section &<<SECTseen>>&.
+.wen
+
.vitem &*sender_domains&~=&~*&<&'domain&~list'&>
.cindex "&%sender_domains%& ACL condition"
.cindex "sender" "ACL checking"
dnslists = <; dnsbl.example.com/<|$acl_m_addrslist
.endd
+
+.new
+.section "Previously seen user and hosts" "SECTseen"
+.cindex "&%sseen%& ACL condition"
+.cindex greylisting
+The &%seen%& ACL condition can be used to test whether a
+situation has been previously met.
+It uses a hints database to record a timestamp against a key.
+host. The syntax of the condition is:
+.display
+&`seen =`& <&'time interval'&> &`/`& <&'options'&>
+.endd
+
+For example,
+.code
+defer seen = -5m / key=${sender_host_address}_$local_part@$domain
+.endd
+in a RCPT ACL will implement simple greylisting.
+
+The parameters for the condition
+are an interval followed, slash-separated, by a list of options.
+The interval is taken as an offset before the current time,
+and used for the test.
+If the interval is preceded by a minus sign then the condition returns
+whether a record is found which is before the test time.
+Otherwise, the condition returns whether one is found which is since the
+test time.
+
+Options are read in order with later ones overriding earlier ones.
+
+The default key is &$sender_host_address$&.
+An explicit key can be set using a &%key=value%& option.
+
+If a &%readonly%& option is given then
+no record create or update is done.
+If a &%write%& option is given then
+a record create or update is always done.
+An update is done if the test is for &"since"&.
+
+Creates and updates are marked with the current time.
+
+Finally, a &"before"& test which succeeds, and for which the record
+is old enough, will be refreshed with a timestamp of the test time.
+This can prevent tidying of the database from removing the entry.
+The interval for this is, by default, 10 days.
+An explicit interval can be set using a
+&%refresh=value%& option.
+
+Note that &"seen"& should be added to the list of hints databases
+for maintenance if this ACL condition is used.
+.wen
+
+
.section "Rate limiting incoming messages" "SECTratelimiting"
.cindex "rate limiting" "client sending"
.cindex "limiting client sending rates"
.vitem &*header_line&~*header_last*&
A pointer to the last of the header lines.
-.vitem &*uschar&~*headers_charset*&
+.new
+.vitem &*const&~uschar&~*headers_charset*&
The value of the &%headers_charset%& configuration option.
+.wen
.vitem &*BOOL&~host_checking*&
This variable is TRUE during a host checking session that is initiated by the
.section "exim_dumpdb" "SECTdumpdb"
.cindex "&'exim_dumpdb'&"
The entire contents of a database are written to the standard output by the
-&'exim_dumpdb'& program, which has no options or arguments other than the
-spool and database names. For example, to dump the retry database:
+&'exim_dumpdb'& program,
+.new
+taking as arguments the spool and database names.
+An option &'-z'& may be given to regest times in UTC;
+otherwise times are in the local timezone.
+.wen
+For example, to dump the retry database:
.code
exim_dumpdb /var/spool/exim retry
.endd
-Two lines of output are produced for each entry:
+For the retry database
+two lines of output are produced for each entry:
.code
T:mail.ref.example:192.168.242.242 146 77 Connection refused
31-Oct-1995 12:00:12 02-Nov-1995 12:21:39 02-Nov-1995 20:21:39 *
.cindex "&'exim_fixdb'&"
The &'exim_fixdb'& program is a utility for interactively modifying databases.
Its main use is for testing Exim, but it might also be occasionally useful for
-getting round problems in a live system. It has no options, and its interface
+getting round problems in a live system. Its interface
is somewhat crude. On entry, it prompts for input with a right angle-bracket. A
key of a database record can then be entered, and the data for that record is
displayed.
sequence of digit pairs for year, month, day, hour, and minute. Colons can be
used as optional separators.
+.new
+Both displayed and input times are in the local timezone by default.
+If an option &'-z'& is used on the command line, displayed times
+are in UTC.
+.wen
+
.cindex "security" "data sources"
.cindex "security" "regular expressions"
.cindex "regular expressions" "security"
-.cindex "PCRE" "security"
+.cindex "PCRE2" "security"
If configuration data for Exim can come from untrustworthy sources, there
are some issues to be aware of:
Letting untrusted data provide a regular expression is unwise.
.next
Using &%${match...}%& to apply a fixed regular expression against untrusted
-data may result in pathological behaviour within PCRE. Be aware of what
+data may result in pathological behaviour within PCRE2. Be aware of what
"backtracking" means and consider options for being more strict with a regular
expression. Avenues to explore include limiting what can match (avoiding &`.`&
when &`[a-z0-9]`& or other character class will do), use of atomic grouping and
The name is placed in the variable &$event_name$& and the event action
expansion must check this, as it will be called for every possible event type.
+.new
The current list of events is:
.display
&`dane:fail after transport `& per connection
&`tcp:connect before transport `& per connection
&`tcp:close after transport `& per connection
&`tls:cert before both `& per certificate in verification chain
+&`tls:fail:connect after main `& per connection
&`smtp:connect after transport `& per connection
&`smtp:ehlo after transport `& per connection
.endd
+.wen
New event types may be added in future.
The event name is a colon-separated list, defining the type of
&`msg:rcpt:host:defer `& error string
&`msg:rcpt:defer `& error string
&`tls:cert `& verification chain depth
+&`tls:fail:connect `& error string
&`smtp:connect `& smtp banner
&`smtp:ehlo `& smtp ehlo response
.endd
git://git.exim.org / exim.git / blobdiff