-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.2 2006/04/04 14:03:49 ph10 Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.13 2006/12/19 12:28:35 ph10 Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
. /////////////////////////////////////////////////////////////////////////////
.set ACL "access control lists (ACLs)"
-.set previousversion "4.60"
-.set version "4.61"
+.set previousversion "4.63"
+.set version "4.64"
+
+
+. /////////////////////////////////////////////////////////////////////////////
+. These lines are processing instructions for the Simple DocBook Processor that
+. Philip Hazel is developing in odd moments as a less cumbersome way of making
+. PostScript and PDFs than using xmlto and fop. They will be ignored by all
+. other XML processors.
+. /////////////////////////////////////////////////////////////////////////////
+
+.literal xml
+<?sdop
+ toc_chapter_blanks="yes,yes"
+ table_warn_soft_overflow="no"
+?>
+.literal off
. /////////////////////////////////////////////////////////////////////////////
. --- table with four columns.
.macro option
-.oindex "$1"
+.oindex "&%$1%&"
.itable all 0 0 4 8* left 5* center 5* center 6* right
.row "&%$1%&" "Use: &'$2'&" "Type: &'$3'&" "Default: &'$4'&"
.endtable
. --- is suitable for the many tables at the start of the main options chapter;
. --- the small number of other 2-column tables override it.
-.macro table2 190pt 260pt
+.macro table2 196pt 254pt
.itable none 0 0 2 $1 left $2 left
.endmacro
<bookinfo>
<title>Specification of the Exim Mail Transfer Agent</title>
<titleabbrev>The Exim MTA</titleabbrev>
-<date>22 March 2006</date>
+<date>11 December 2006</date>
<author><firstname>Philip</firstname><surname>Hazel</surname></author>
<authorinitials>PH</authorinitials>
<affiliation><orgname>University of Cambridge Computing Service</orgname></affiliation>
<address>New Museums Site, Pembroke Street, Cambridge CB2 3QH, England</address>
<revhistory><revision>
- <revnumber>4.61</revnumber>
- <date>22 March 2006</date>
+ <revnumber>4.64</revnumber>
+ <date>11 December 2006</date>
<authorinitials>PH</authorinitials>
</revision></revhistory>
<copyright><year>2006</year><holder>University of Cambridge</holder></copyright>
or search the archives via the mailing lists link on the Exim home page.
.cindex "Debian" "mailing list for"
If you are using a Debian distribution of Exim, you may wish to subscribe to
-the Debian-specific mailing list &'pkg-exim4-users@lists.alioth.debian.org'&.
+the Debian-specific mailing list &'pkg-exim4-users@lists.alioth.debian.org'&
+via this web page:
+.display
+&url(http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users)
+.endd
+Please ask Debian-specific questions on this list and not on the general Exim
+lists.
.section "Exim training"
.cindex "training courses"
.section "Wish list"
.cindex "wish list"
A wish list is maintained, containing ideas for new features that have been
-submitted. From time to time the file is exported to the ftp site into the file
-&_exim4/WishList_&. Items are removed from the list if they get implemented.
-
+submitted. This used to be a single file that from time to time was exported to
+the ftp site into the file &_exim4/WishList_&. However, it has now been
+imported into Exim's Bugzilla data.
.section "Contributed material"
.cindex "spool directory" "&_input_& sub-directory"
By default all these message files are held in a single directory called
&_input_& inside the general Exim spool directory. Some operating systems do
-not perform very well if the number of files in a directory gets very large; to
+not perform very well if the number of files in a directory gets large; to
improve performance in such cases, the &%split_spool_directory%& option can be
used. This causes Exim to split up the input files into 62 sub-directories
-whose names are single letters or digits.
+whose names are single letters or digits. When this is done, the queue is
+processed one sub-directory at a time instead of all at once, which can improve
+overall performance even when there are not enough files in each directory to
+affect file system performance.
The envelope information consists of the address of the message's sender and
the addresses of the recipients. This information is entirely separate from
.section "Duplicate addresses"
.cindex "case of local parts"
.cindex "address duplicate" "discarding"
+.cindex "duplicate addresses"
Once routing is complete, Exim scans the addresses that are assigned to local
and remote transports, and discards any duplicates that it finds. During this
-check, local parts are treated as case-sensitive.
+check, local parts are treated as case-sensitive. This happens only when
+actually delivering a message; when testing routers with &%-bt%&, all the
+routed addresses are shown.
+
.section "Router preconditions" "SECTrouprecon"
.cindex "&_Local/eximon.conf_&"
-.cindex "_exim_monitor/EDITME_"
+.cindex "&_exim_monitor/EDITME_&"
If you are going to build the Exim monitor, a similar configuration process is
required. The file &_exim_monitor/EDITME_& must be edited appropriately for
your installation and saved under the name &_Local/eximon.conf_&. If you are
.endd
The value of FULLECHO defaults to &"@"&, the flag character that suppresses
command reflection in &'make'&. When you ask for the full output, it is
-given in addition to the the short output.
+given in addition to the short output.
.section "Command line options"
-The command options are described in alphabetical order below.
+Exim's command line options are described in alphabetical order below. If none
+of the options that specifies a specific action (such as starting the daemon or
+a queue runner, or testing an address, or receiving a message in a specific
+format, or listing the queue) are present, and there is at least one argument
+on the command line, &%-bm%& (accept a local message on the standard input,
+with the arguments specifying the recipients) is assumed. Otherwise, Exim
+outputs a brief message about itself and exits.
. ////////////////////////////////////////////////////////////////////////////
. Insert a stylized XML comment here, to identify the start of the command line
The SIGHUP signal
.cindex "SIGHUP"
-can be used to cause the daemon to re-exec itself. This should be done whenever
-Exim's configuration file, or any file that is incorporated into it by means of
-the &%.include%& facility, is changed, and also whenever a new version of Exim
-is installed. It is not necessary to do this when other files that are
+.cindex "daemon" "restarting"
+can be used to cause the daemon to re-execute itself. This should be done
+whenever Exim's configuration file, or any file that is incorporated into it by
+means of the &%.include%& facility, is changed, and also whenever a new version
+of Exim is installed. It is not necessary to do this when other files that are
referenced from the configuration (for example, alias files) are changed,
because these are reread each time they are used.
continuation lines is ignored. Each argument or data line is passed through the
string expansion mechanism, and the result is output. Variable values from the
configuration file (for example, &$qualify_domain$&) are available, but no
-message-specific values (such as &$domain$&) are set, because no message is
-being processed.
+message-specific values (such as &$sender_domain$&) are set, because no message
+is being processed &new("(but see &%-bem%& and &%-Mset%&)").
&*Note*&: If you use this mechanism to test lookups, and you change the data
files or databases you are using, you must exit and restart Exim before trying
the same lookup again. Otherwise, because each Exim process caches the results
of lookups, you will just get the same result as before.
+.new
+.vitem &%-bem%&&~<&'filename'&>
+.oindex "&%-bem%&"
+.cindex "testing" "string expansion"
+.cindex "expansion" "testing"
+This option operates like &%-be%& except that it must be followed by the name
+of a file. For example:
+.code
+exim -bem /tmp/testmessage
+.endd
+The file is read as a message (as if receiving a locally-submitted non-SMTP
+message) before any of the test expansions are done. Thus, message-specific
+variables such as &$message_size$& and &$header_from:$& are available. However,
+no &'Received:'& header is added to the message. If the &%-t%& option is set,
+recipients are read from the headers in the normal way, and are shown in the
+&$recipients$& variable. Note that recipients cannot be given on the command
+line, because further arguments are taken as strings to expand (just like
+&%-be%&).
+.wen
+
.vitem &%-bF%&&~<&'filename'&>
.oindex "&%-bF%&"
.cindex "system filter" "testing"
&*Warning 1*&:
.cindex "RFC 1413"
-You cannot test features of the configuration that rely on
-ident (RFC 1413) callouts. These cannot be done when testing using
-&%-bh%& because there is no incoming SMTP connection.
+You can test features of the configuration that rely on ident (RFC 1413)
+information by using the &%-oMt%& option. However, Exim cannot actually perform
+an ident callout when testing using &%-bh%& because there is no incoming SMTP
+connection.
&*Warning 2*&: Address verification callouts (see section &<<SECTcallver>>&)
are also skipped when testing using &%-bh%&. If you want these callouts to
Messages supplied during the testing session are discarded, and nothing is
written to any of the real log files. There may be pauses when DNS (and other)
lookups are taking place, and of course these may time out. The &%-oMi%& option
-can be used to specify a specific IP interface and port if this is important.
+can be used to specify a specific IP interface and port if this is important,
+and &%-oMaa%& and &%-oMai%& can be used to set parameters as if the SMTP
+session were authenticated.
The &'exim_checkaccess'& utility is a &"packaged"& version of &%-bh%& whose
output just states whether a given recipient address from a given host is
acceptable or not. See section &<<SECTcheckaccess>>&.
+.new
+Features such as authentication and encryption, where the client input is not
+plain text, are most easily tested using specialized SMTP test programs such as
+&url(http://jetmore.org/john/code/#swaks,swaks).
+.wen
+
.vitem &%-bhc%&&~<&'IP&~address'&>
.oindex "&%-bhc%&"
This option operates in the same way as &%-bh%&, except that address
exim -brt bach.comp.mus.example
Retry rule: *.comp.mus.example F,2h,15m; F,4d,30m;
.endd
-.new
See chapter &<<CHAPretry>>& for a description of Exim's retry rules. The first
argument, which is required, can be a complete address in the form
&'local_part@domain'&, or it can be just a domain name. If the second argument
exim -brt haydn.comp.mus.example quota_3d
Retry rule: *@haydn.comp.mus.example quota_3d F,1h,15m
.endd
-.wen
.vitem &%-brw%&
.oindex "&%-brw%&"
failed outright but at least one could not be resolved for some reason. Return
code 0 is given only when all addresses succeed.
+.cindex "duplicate addresses"
+&*Note*&: When actually delivering a message, Exim removes duplicate recipient
+addresses after routing is complete, so that only one delivery takes place.
+This does not happen when testing with &%-bt%&; the full results of routing are
+always shown.
+
&*Warning*&: &%-bt%& can only do relatively simple testing. If any of the
routers in the configuration makes any tests on the sender address of a
message,
.cindex "verifying address" "using &%-bv%&"
.cindex "address" "verification"
This option runs Exim in address verification mode, in which each argument is
-taken as an address to be verified. During normal operation, verification
-happens mostly as a consequence processing a &%verify%& condition in an ACL
-(see chapter &<<CHAPACL>>&). If you want to test an entire ACL, see the &%-bh%&
-option.
+taken as an address to be verified by the routers. (This does not involve any
+verification callouts). During normal operation, verification happens mostly as
+a consequence processing a &%verify%& condition in an ACL (see chapter
+&<<CHAPACL>>&). If you want to test an entire ACL, possibly including callouts,
+see the &%-bh%& and &%-bhc%& options.
If verification fails, and the caller is not an admin user, no details of the
failure are output, because these might contain sensitive information such as
verified as a recipient if &%-bv%& is used; to test verification for a sender
address, &%-bvs%& should be used.
+.new
If the &%-v%& option is not set, the output consists of a single line for each
address, stating whether it was verified or not, and giving a reason in the
-latter case. Otherwise, more details are given of how the address has been
-handled, and in the case of address redirection, all the generated addresses
-are also considered. Without &%-v%&, generating more than one address by
-redirection causes verification to end successfully.
+latter case. Without &%-v%&, generating more than one address by redirection
+causes verification to end successfully, without considering the generated
+addresses. However, if just one address is generated, processing continues,
+and the generated address must verify successfully for the overall verification
+to succeed.
+
+When &%-v%& is set, more details are given of how the address has been handled,
+and in the case of address redirection, all the generated addresses are also
+considered. Verification may succeed for some and fail for others.
+.wen
The
.cindex "return code" "for &%-bv%&"
This option causes debugging information to be written to the standard
error stream. It is restricted to admin users because debugging output may show
database queries that contain password information. Also, the details of users'
-filter files should be protected. When &%-d%& is used, &%-v%& is assumed. If
-&%-d%& is given on its own, a lot of standard debugging data is output. This
-can be reduced, or increased to include some more rarely needed information, by
-directly following &%-d%& with a string made up of names preceded by plus or
-minus characters. These add or remove sets of debugging data, respectively. For
-example, &%-d+filter%& adds filter debugging, whereas &%-d-all+filter%& selects
-only filter debugging. Note that no spaces are allowed in the debug setting.
-The available debugging categories are:
+filter files should be protected. &new("If a non-admin user uses &%-d%&, Exim
+writes an error message to the standard error stream and exits with a non-zero
+return code.")
+
+When &%-d%& is used, &%-v%& is assumed. If &%-d%& is given on its own, a lot of
+standard debugging data is output. This can be reduced, or increased to include
+some more rarely needed information, by directly following &%-d%& with a string
+made up of names preceded by plus or minus characters. These add or remove sets
+of debugging data, respectively. For example, &%-d+filter%& adds filter
+debugging, whereas &%-d-all+filter%& selects only filter debugging. Note that
+no spaces are allowed in the debug setting. The available debugging categories
+are:
.display
&`acl `& ACL interpretation
&`auth `& authenticators
only by an admin user or by the user who originally caused the message to be
placed on the queue.
+.new
+.vitem &%-Mset%&&~<&'message&~id'&>
+.oindex "&%-Mset%&
+.cindex "testing" "string expansion"
+.cindex "expansion" "testing"
+This option is useful only in conjunction with &%-be%& (that is, when testing
+string expansions). Exim loads the given message from its spool before doing
+the test expansions, thus setting message-specific variables such as
+&$message_size$& and the header variables. The &$recipients$& variable is made
+available. This feature is provided to make it easier to test expansions that
+make use of these variables. However, this option can be used only by an admin
+user. See also &%-bem%&.
+.wen
+
.vitem &%-Mt%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
.oindex "&%-Mt%&"
.cindex "thawing messages"
exim -bs -oMa [10.9.8.7]:1234
.endd
The IP address is placed in the &$sender_host_address$& variable, and the
-port, if present, in &$sender_host_port$&.
+port, if present, in &$sender_host_port$&. If both &%-oMa%& and &%-bh%&
+are present on the command line, the sender host IP address is taken from
+whichever one is last.
.vitem &%-oMaa%&&~<&'name'&>
.oindex "&%-oMaa%&"
See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMaa%&
option sets the value of &$sender_host_authenticated$& (the authenticator
name). See chapter &<<CHAPSMTPAUTH>>& for a discussion of SMTP authentication.
+This option can be used with &%-bh%& and &%-bs%& to set up an
+authenticated SMTP session without actually using the SMTP AUTH command.
.vitem &%-oMai%&&~<&'string'&>
.oindex "&%-oMai%&"
.cindex "authentication id" "specifying for local message"
See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMai%&
option sets the value of &$authenticated_id$& (the id that was authenticated).
-This overrides the default value (the caller's login id) for messages from
-local sources. See chapter &<<CHAPSMTPAUTH>>& for a discussion of authenticated
-ids.
+This overrides the default value (the caller's login id, except with &%-bh%&,
+where there is no default) for messages from local sources. See chapter
+&<<CHAPSMTPAUTH>>& for a discussion of authenticated ids.
.vitem &%-oMas%&&~<&'address'&>
.oindex "&%-oMas%&"
See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMas%&
option sets the authenticated sender value in &$authenticated_sender$&. It
overrides the sender address that is created from the caller's login id for
-messages from local sources. See chapter &<<CHAPSMTPAUTH>>& for a discussion of
-authenticated senders.
+messages from local sources, except when &%-bh%& is used, when there is no
+default. For both &%-bh%& and &%-bs%&, an authenticated sender that is
+specified on a MAIL command overrides this value. See chapter
+&<<CHAPSMTPAUTH>>& for a discussion of authenticated senders.
.vitem &%-oMi%&&~<&'interface&~address'&>
.oindex "&%-oMi%&"
.cindex "interface address" "specifying for local message"
+.new
See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMi%&
option sets the IP interface address value. A port number may be included,
using the same syntax as for &%-oMa%&. The interface address is placed in
-&$interface_address$& and the port number, if present, in &$interface_port$&.
+&$received_ip_address$& and the port number, if present, in &$received_port$&.
+.wen
.vitem &%-oMr%&&~<&'protocol&~name'&>
.oindex "&%-oMr%&"
.cindex "&$received_protocol$&"
See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMr%&
option sets the received protocol value that is stored in
-&$received_protocol$&. However, this applies only when &%-bs%& is not used. For
-interactive SMTP input (&%-bs%&), the protocol is always &"local-"& followed by
-one of the standard SMTP protocol names (see the description of
-&$received_protocol$& in section &<<SECTexpvar>>&). For &%-bS%& (batch SMTP)
-however, the protocol can be set by &%-oMr%&.
+&$received_protocol$&. However, it does not apply (and is ignored) when &%-bh%&
+or &%-bs%& is used. For &%-bh%&, the protocol is forced to one of the standard
+SMTP protocol names (see the description of &$received_protocol$& in section
+&<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by
+one of those same names. For &%-bS%& (batched SMTP) however, the protocol can
+be set by &%-oMr%&.
.vitem &%-oMs%&&~<&'host&~name'&>
.oindex "&%-oMs%&"
.cindex "sender ident string" "specifying for local message"
See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMt%&
option sets the sender ident value in &$sender_ident$&. The default setting for
-local callers is the login id of the calling process.
+local callers is the login id of the calling process, except when &%-bh%& is
+used, when there is no default.
.vitem &%-om%&
.oindex "&%-om%&"
way. If the <&'rsflags'&> start with &'r'&, <&'string'&> is interpreted as a
regular expression; otherwise it is a literal string.
-Once a message is selected, all its addresses are processed. For the first
-selected message, Exim overrides any retry information and forces a delivery
-attempt for each undelivered address. This means that if delivery of any
-address in the first message is successful, any existing retry information is
-deleted, and so delivery attempts for that address in subsequently selected
-messages (which are processed without forcing) will run. However, if delivery
-of any address does not succeed, the retry information is updated, and in
-subsequently selected messages, the failing address will be skipped.
+.new
+If you want to do periodic queue runs for messages with specific recipients,
+you can combine &%-R%& with &%-q%& and a time value. For example:
+.code
+exim -q25m -R @special.domain.example
+.endd
+This example does a queue run for messages with recipients in the given domain
+every 25 minutes. Any additional flags that are specified with &%-q%& are
+applied to each queue run.
+.wen
+
+Once a message is selected for delivery by this mechanism, all its addresses
+are processed. For the first selected message, Exim overrides any retry
+information and forces a delivery attempt for each undelivered address. This
+means that if delivery of any address in the first message is successful, any
+existing retry information is deleted, and so delivery attempts for that
+address in subsequently selected messages (which are processed without forcing)
+will run. However, if delivery of any address does not succeed, the retry
+information is updated, and in subsequently selected messages, the failing
+address will be skipped.
.cindex "frozen messages" "forcing delivery"
If the <&'rsflags'&> contain &'f'& or &'ff'&, the delivery forcing applies to
&`.include`& <&'file name'&>
&`.include_if_exists`& <&'file name'&>
.endd
-.new
on a line by itself. Double quotes round the file name are optional. If you use
the first form, a configuration error occurs if the file does not exist; the
second form does nothing for non-existent files. In all cases, an absolute file
name is required.
-.wen
Includes may be nested to any depth, but remember that Exim reads its
configuration file often, so it is a good idea to keep them to a minimum.
-.section "Main configuration settings"
+.section "Main configuration settings" "SECTdefconfmain"
The main (global) configuration option settings must always come first in the
file. The first thing you'll see in the file, after some initial comments, is
the line
scanner, and the second specifies the interface to SpamAssassin. Further
details are given in chapter &<<CHAPexiscan>>&.
+Three more commented-out option settings follow:
+.code
+# tls_advertise_hosts = *
+# tls_certificate = /etc/ssl/exim.crt
+# tls_privatekey = /etc/ssl/exim.pem
+.endd
+These are example settings that can be used when Exim is compiled with
+support for TLS (aka SSL) as described in section &<<SECTinctlsssl>>&. The
+first one specifies the list of clients that are allowed to use TLS when
+connecting to this server; in this case the wildcard means all clients. The
+other options specify where Exim should find its TLS certificate and private
+key, which together prove the server's identity to any clients that connect.
+More details are given in chapter &<<CHAPTLS>>&.
+
+Another two commented-out option settings follow:
+.code
+# daemon_smtp_ports = 25 : 465 : 587
+# tls_on_connect_ports = 465
+.endd
+.cindex "port" "465 and 587"
+.cindex "port" "for message submission"
+.cindex "message" "submission, ports for"
+.cindex "ssmtp protocol"
+.cindex "smtps protocol"
+.cindex "SMTP" "ssmtp protocol"
+.cindex "SMTP" "smtps protocol"
+These options provide better support for roaming users who wish to use this
+server for message submission. They are not much use unless you have turned on
+TLS (as described in the previous paragraph) and authentication (about which
+more in section &<<SECTdefconfauth>>&). The usual SMTP port 25 is often blocked
+on end-user networks, so RFC 4409 specifies that message submission should use
+port 587 instead. However some software (notably Microsoft Outlook) cannot be
+configured to use port 587 correctly, so these settings also enable the
+non-standard &"smtps"& (aka &"ssmtp"&) port 465 (see section
+&<<SECTsupobssmt>>&).
+
Two more commented-out options settings follow:
.code
# qualify_domain =
1413 (hence their names):
.code
rfc1413_hosts = *
-rfc1413_query_timeout = 30s
+rfc1413_query_timeout = 5s
.endd
These settings cause Exim to make ident callbacks for all incoming SMTP calls.
You can limit the hosts to which these calls are made, or change the timeout
This statement accepts the address if the client host has authenticated itself.
Submission mode is again specified, on the grounds that such messages are most
likely to come from MUAs. The default configuration does not define any
-authenticators, which means that no client can in fact authenticate. You will
-need to add authenticator definitions if you want to make use of this ACL
-statement.
+authenticators, though it does include some nearly complete commented-out
+examples described in &<<SECTdefconfauth>>&. This means that no client can in
+fact authenticate until you complete the authenticator definitions.
+.code
+require message = relay not permitted
+ domains = +local_domains : +relay_domains
+.endd
+This statement rejects the address if its domain is neither a local domain nor
+one of the domains for which this host is a relay.
+.code
+require verify = recipient
+.endd
+This statement requires the recipient address to be verified; if verification
+fails, the address is rejected.
.code
# deny message = rejected because $sender_host_address \
# is in a black list at $dnslist_domain\n\
# $dnslist_text
# dnslists = black.list.example
#
-# warn message = X-Warning: $sender_host_address is \
-# in a black list at $dnslist_domain
+# warn dnslists = black.list.example
+# add_header = X-Warning: $sender_host_address is in \
+# a black list at $dnslist_domain
# log_message = found in $dnslist_domain
-# dnslists = black.list.example
.endd
These commented-out lines are examples of how you could configure Exim to check
sending hosts against a DNS black list. The first statement rejects messages
-from blacklisted hosts, whereas the second merely inserts a warning header
+from blacklisted hosts, whereas the second just inserts a warning header
line.
.code
-accept domains = +local_domains
- endpass
- verify = recipient
+# require verify = csa
.endd
-This statement accepts the incoming recipient address if its domain is one of
-the local domains, but only if the address can be verified. Verification of
-local addresses normally checks both the local part and the domain. The
-&%endpass%& line needs some explanation: if the condition above &%endpass%&
-fails, that is, if the address is not in a local domain, control is passed to
-the next ACL statement. However, if the condition below &%endpass%& fails, that
-is, if a recipient in a local domain cannot be verified, access is denied and
-the recipient is rejected.
-.code
-accept domains = +relay_to_domains
- endpass
- verify = recipient
-.endd
-This statement accepts the incoming recipient address if its domain is one of
-the domains for which this host is a relay, but again, only if the address can
-be verified.
+This commented-out line is an example of how you could turn on client SMTP
+authorization (CSA) checking. Such checks do DNS lookups for special SRV
+records.
.code
-deny message = relay not permitted
+accept
.endd
-The final statement denies access, giving a specific error message. Reaching
-the end of the ACL also causes access to be denied, but with the generic
-message &"administrative prohibition"&.
+The final statement in the first ACL unconditionally accepts any recipient
+address that has successfully passed all the previous tests.
.code
acl_check_data:
.endd
-.section "Authenticators configuration"
+.section "Authenticators configuration" "SECTdefconfauth"
.cindex "AUTH" "configuration"
The authenticators section of the configuration, introduced by
.code
begin authenticators
.endd
-defines mechanisms for the use of the SMTP AUTH command. No authenticators
-are specified in the default configuration file.
+defines mechanisms for the use of the SMTP AUTH command. The default
+configuration file contains two commented-out example authenticators
+which support plaintext username/password authentication using the
+standard PLAIN mechanism and the traditional but non-standard LOGIN
+mechanism, with Exim acting as the server. PLAIN and LOGIN are enough
+to support most MUA software.
+
+The example PLAIN authenticator looks like this:
+.code
+#PLAIN:
+# driver = plaintext
+# server_set_id = $auth2
+# server_prompts = :
+# server_condition = Authentication is not yet configured
+# server_advertise_condition = ${if def:tls_cipher }
+.endd
+And the example LOGIN authenticator looks like this:
+.code
+#LOGIN:
+# driver = plaintext
+# server_set_id = $auth1
+# server_prompts = <| Username: | Password:
+# server_condition = Authentication is not yet configured
+# server_advertise_condition = ${if def:tls_cipher }
+.endd
+
+The &%server_set_id%& option makes Exim remember the authenticated username
+in &$authenticated_id$&, which can be used later in ACLs or routers. The
+&%server_prompts%& option configures the &(plaintext)& authenticator so
+that it implements the details of the specific authentication mechanism,
+i.e. PLAIN or LOGIN. The &%server_advertise_condition%& setting controls
+when Exim offers authentication to clients; in the examples, this is only
+when TLS or SSL has been started, so to enable the authenticators you also
+need to add support for TLS as described in &<<SECTdefconfmain>>&.
+
+The &%server_condition%& setting defines how to verify that the username and
+password are correct. In the examples it just produces an error message.
+To make the authenticators work, you can use a string expansion
+expression like one of the examples in &<<CHAPplaintext>>&.
+
.ecindex IIDconfiwal
&*Warning 2*&: In a host list, you must always use &(net-iplsearch)& so that
the implicit key is the host's IP address rather than its name (see section
&<<SECThoslispatsikey>>&).
-
.next
.cindex "linear search"
.cindex "lookup" "lsearch"
.cindex "lsearch lookup type"
+.cindex "case sensitivity" "in lsearch lookup"
&(lsearch)&: The given file is a text file that is searched linearly for a
line beginning with the search key, terminated by a colon or white space or the
-end of the line. The first occurrence that is found in the file is used. White
-space between the key and the colon is permitted. The remainder of the line,
-with leading and trailing white space removed, is the data. This can be
+end of the line. The search is case-insensitive; that is, upper and lower case
+letters are treated as the same. The first occurrence of the key that is found
+in the file is used.
+
+White space between the key and the colon is permitted. The remainder of the
+line, with leading and trailing white space removed, is the data. This can be
continued onto subsequent lines by starting them with any amount of white
space, but only a single space character is included in the data at such a
junction. If the data begins with a colon, the key must be terminated by a
that for &(wildlsearch)&, each key in the file is string-expanded before being
used, whereas for &(nwildlsearch)&, no expansion takes place.
-Like &(lsearch)&, the testing is done case-insensitively. The following forms
-of wildcard are recognized:
+.cindex "case sensitivity" "in (n)wildlsearch lookup"
+Like &(lsearch)&, the testing is done case-insensitively. However, keys in the
+file that are regular expressions can be made case-sensitive by the use of
+&`(-i)`& within the pattern. The following forms of wildcard are recognized:
. ==== As this is a nested list, any displays it contains must be indented
. ==== as otherwise they are too far to the left.
.code
^\d+\.a\.b data for <digits>.a.b
.endd
+The case-insensitive flag is set at the start of compiling the regular
+expression, but it can be turned off by using &`(-i)`& at an appropriate point.
+For example, to make the entire pattern case-sensitive:
+.code
+ ^(?-i)\d+\.a\.b data for <digits>.a.b
+.endd
+
If the regular expression contains white space or colon characters, you must
either quote it (see &(lsearch)& above), or represent these characters in other
ways. For example, &`\s`& can be used for white space and &`\x3A`& for a
are given in the supplied query. The resulting data is the contents of the
records. See section &<<SECTdnsdb>>&.
.next
-.cindex "Interbase lookup type"
-.cindex "lookup" "Interbase"
-&(ibase)&: This does a lookup in an Interbase database.
+.cindex "InterBase lookup type"
+.cindex "lookup" "InterBase"
+&(ibase)&: This does a lookup in an InterBase database.
.next
.cindex "LDAP" "lookup type"
.cindex "lookup" "LDAP"
In this context, a &"default value"& is a value specified by the administrator
that is to be used if a lookup fails.
+.new
+&*Note:*& This section applies only to single-key lookups. For query-style
+lookups, the facilities of the query language must be used. An attempt to
+specify a default for a query-style lookup provokes an error.
+.wen
+
If &"*"& is added to a single-key lookup type (for example, &%lsearch*%&)
and the initial lookup fails, the key &"*"& is looked up in the file to
provide a default value. See also the section on partial matching below.
${lookup dnsdb{mx=a.b.example}{$value}fail}
.endd
If the lookup succeeds, the result is placed in &$value$&, which in this case
-is used on its own as the result. If the lookup succeeds, the &`fail`& keyword
-causes a &'forced expansion failure'& &-- see section &<<SECTforexpfai>>& for
-an explanation of what this means.
+is used on its own as the result. If the lookup does not succeed, the
+&`fail`& keyword causes a &'forced expansion failure'& &-- see section
+&<<SECTforexpfai>>& for an explanation of what this means.
The supported DNS record types are A, CNAME, MX, NS, PTR, SRV, and TXT, and,
when Exim is compiled with IPv6 support, AAAA (and A6 if that is also
&`NETTIME `& set a timeout for a network operation
&`USER `& set the DN, for authenticating the LDAP bind
&`PASS `& set the password, likewise
+&`REFERRALS `& set the referrals parameter
&`SIZE `& set the limit for the number of entries returned
&`TIME `& set the maximum waiting time for a query
.endd
The value of the DEREFERENCE parameter must be one of the words &"never"&,
-&"searching"&, &"finding"&, or &"always"&.
+&"searching"&, &"finding"&, or &"always"&. The value of the REFERRALS parameter
+must be &"follow"& (the default) or &"nofollow"&. The latter stops the LDAP
+library from trying to follow referrals issued by the LDAP server.
The name CONNECT is an obsolete name for NETTIME, retained for
backwards compatibility. This timeout (specified as a number of seconds) is
.section "SQL lookups" "SECTsql"
.cindex "SQL lookup types"
-Exim can support lookups in Interbase, MySQL, Oracle, PostgreSQL, and SQLite
+Exim can support lookups in InterBase, MySQL, Oracle, PostgreSQL, and SQLite
databases. Queries for these databases contain SQL statements, so an example
might be
.code
with a newline between the data for each row.
-.section "More about MySQL, PostgreSQL, Oracle, and Interbase"
+.section "More about MySQL, PostgreSQL, Oracle, and InterBase"
.cindex "MySQL" "lookup type"
.cindex "PostgreSQL lookup type"
.cindex "lookup" "MySQL"
.cindex "lookup" "PostgreSQL"
.cindex "Oracle" "lookup type"
.cindex "lookup" "Oracle"
-.cindex "Interbase lookup type"
-.cindex "lookup" "Interbase"
-If any MySQL, PostgreSQL, Oracle, or Interbase lookups are used, the
+.cindex "InterBase lookup type"
+.cindex "lookup" "InterBase"
+If any MySQL, PostgreSQL, Oracle, or InterBase lookups are used, the
&%mysql_servers%&, &%pgsql_servers%&, &%oracle_servers%&, or &%ibase_servers%&
option (as appropriate) must be set to a colon-separated list of server
information. Each item in the list is a slash-separated list of four items:
If you want to use a file to contain wild-card patterns that form part of a
list, just give the file name on its own, without a search type, as described
-in the previous section.
+in the previous section. You could also use the &(wildlsearch)& or
+&(nwildlsearch)&, but there is no advantage in doing this.
list. The effect of each one lasts until the next, or until the end of the
list.
-.new
&*Note*&: This section applies to permanent lookup failures. It does &'not'&
apply to temporary DNS errors. They always cause a defer action (except when
&%dns_again_means_nonexist%& converts them into permanent errors).
-.wen
detected by a regular expression that matches an empty string,
and by a query-style lookup that succeeds when &$sender_address$& is empty.
-.new
Non-empty items in an address list can be straightforward email addresses. For
example:
.code
.endd
The &`\N`& sequences are removed by the expansion, so these items do indeed
start with &"^"& by the time they are being interpreted as address patterns.
-.wen
.next
.cindex "address list" "lookup for complete address"
instead runs under the uid and gid it was called with, to prevent users from
using &%-be%& for reading files to which they do not have access.
+.new
+.cindex "&%-bem%& option"
+If you want to test expansions that include variables whose values are taken
+from a message, there are two other options that can be used. The &%-bem%&
+option is like &%-be%& except that it is followed by a file name. The file is
+read as a message before doing the test expansions. For example:
+.code
+exim -bem /tmp/test.message '$h_subject:'
+.endd
+The &%-Mset%& option is used in conjunction with &%-be%& and is followed by an
+Exim message identifier. For example:
+.code
+exim -be -Mset 1GrA8W-0004WS-LQ '$recipients'
+.endd
+This loads the message from Exim's spool before doing the test expansions, and
+is therefore restricted to admin users.
+.wen
.section "Forced expansion failure" "SECTforexpfai"
&'do not'& terminate header names, and should not be used to enclose them as
if they were variables. Attempting to do so causes a syntax error.
+.new
Only header lines that are common to all copies of a message are visible to
this mechanism. These are the original header lines that are received with the
-message, and any that are added by an ACL &%warn%& statement or by a system
+message, and any that are added by an ACL statement or by a system
filter. Header lines that are added to a particular copy of a message by a
router or transport are not accessible.
For incoming SMTP messages, no header lines are visible in ACLs that are obeyed
before the DATA ACL, because the header structure is not set up until the
-message is received. Header lines that are added by &%warn%& statements in a
-RCPT ACL (for example) are saved until the message's incoming header lines
-are available, at which point they are added. When a DATA ACL is running,
-however, header lines added by earlier ACLs are visible.
+message is received. Header lines that are added in a RCPT ACL (for example)
+are saved until the message's incoming header lines are available, at which
+point they are added. When a DATA ACL is running, however, header lines added
+by earlier ACLs are visible.
+.wen
Upper case and lower case letters are synonymous in header names. If the
following character is white space, the terminating colon may be omitted, but
replaced by an empty string. (See the &%def%& condition in section
&<<SECTexpcond>>& for a means of testing for the existence of a header.)
-If there is more than one header with the same name, they are all
-concatenated to form the substitution string, up to a maximum length of 64K. A
-newline character is inserted between each line. For the &%header%& expansion,
-for those headers that contain lists of addresses, a comma is also inserted at
-the junctions between lines. This does not happen for the &%rheader%&
-expansion.
+.new
+If there is more than one header with the same name, they are all concatenated
+to form the substitution string, up to a maximum length of 64K. Unless
+&%rheader%& is being used, leading and trailing white space is removed from
+each header before concatenation, and a completely empty header is ignored. A
+newline character is then inserted between non-empty headers, but there is no
+newline at the very end. For the &%header%& and &%bheader%& expansion, for
+those headers that contain lists of addresses, a comma is also inserted at the
+junctions between headers. This does not happen for the &%rheader%& expansion.
+.wen
.vitem &*${hmac{*&<&'hashname'&>&*}{*&<&'secret'&>&*}{*&<&'string'&>&*}}*&
.cindex "expansion" "inserting from a socket"
.cindex "socket" "use of in expansion"
.cindex "&%readsocket%& expansion item"
-This item inserts data that is read from a Unix domain socket into the expanded
-string. The minimal way of using it uses just two arguments:
+This item inserts data from a Unix domain or Internet socket into the expanded
+string. The minimal way of using it uses just two arguments, as in these
+examples:
.code
${readsocket{/socket/name}{request string}}
+${readsocket{inet:some.host:1234}{request string}}
.endd
-Exim connects to the socket, writes the request string (unless it is an
-empty string) and reads from the socket until an end-of-file is read. A timeout
-of 5 seconds is applied. Additional, optional arguments extend what can be
-done. Firstly, you can vary the timeout. For example:
+For a Unix domain socket, the first substring must be the path to the socket.
+For an Internet socket, the first substring must contain &`inet:`& followed by
+a host name or IP address, followed by a colon and a port, which can be a
+number or the name of a TCP port in &_/etc/services_&. An IP address may
+optionally be enclosed in square brackets. This is best for IPv6 addresses. For
+example:
+.code
+${readsocket{inet:[::1]:1234}{request string}}
+.endd
+Only a single host name may be given, but if looking it up yields more than
+one IP address, they are each tried in turn until a connection is made. For
+both kinds of socket, Exim makes a connection, writes the request string
+(unless it is an empty string) and reads from the socket until an end-of-file
+is read. A timeout of 5 seconds is applied. Additional, optional arguments
+extend what can be done. Firstly, you can vary the timeout. For example:
.code
-${readsocket{/socket/name}{request-string}{3s}}
+${readsocket{/socket/name}{request string}{3s}}
.endd
A fourth argument allows you to change any newlines that are in the data
that is read, in the same way as for &%readfile%& (see above). This example
turns them into spaces:
.code
-${readsocket{/socket/name}{request-string}{3s}{ }}
+${readsocket{inet:127.0.0.1:3294}{request string}{3s}{ }}
.endd
As with all expansions, the substrings are expanded before the processing
happens. Errors in these sub-expansions cause the expansion to fail. In
.next
Failure to connect the socket;
.next
-Failure to write the request-string;
+Failure to write the request string;
.next
Timeout on reading from the socket.
.endlist
you supply a fifth substring, it is expanded and used when any of the above
errors occurs. For example:
.code
-${readsocket{/socket/name}{request-string}{3s}{\n}\
+${readsocket{/socket/name}{request string}{3s}{\n}\
{socket failure}}
.endd
-You can test for the existence of the socket by wrapping this expansion in
-&`${if exists`&, but there is a race condition between that test and the
-actual opening of the socket, so it is safer to use the fifth argument if you
-want to be absolutely sure of avoiding an expansion error for a non-existent
-socket.
+You can test for the existence of a Unix domain socket by wrapping this
+expansion in &`${if exists`&, but there is a race condition between that test
+and the actual opening of the socket, so it is safer to use the fifth argument
+if you want to be absolutely sure of avoiding an expansion error for a
+non-existent Unix domain socket, or a failure to connect to an Internet socket.
The &(redirect)& router has an option called &%forbid_filter_readsocket%& which
locks out the use of this expansion item in filter files.
other command executions from Exim, a shell is not used by default. If you want
a shell, you must explicitly code it.
+.new
+The standard input for the command exists, but is empty. The standard output
+and standard error are set to the same file descriptor.
.cindex "return code" "from &%run%& expansion"
.cindex "&$value$&"
If the command succeeds (gives a zero return code) <&'string1'&> is expanded
-and replaces the entire item; during this expansion, the standard output from
-the command is in the variable &$value$&. If the command fails, <&'string2'&>,
-if present, is expanded and used. Once again, during the expansion, the
-standard output from the command is in the variable &$value$&. If <&'string2'&>
-is absent, the result is empty. Alternatively, <&'string2'&> can be the word
-&"fail"& (not in braces) to force expansion failure if the command does not
-succeed. If both strings are omitted, the result is contents of the standard
-output on success, and nothing on failure.
+and replaces the entire item; during this expansion, the standard output/error
+from the command is in the variable &$value$&. If the command fails,
+<&'string2'&>, if present, is expanded and used. Once again, during the
+expansion, the standard output/error from the command is in the variable
+&$value$&.
+
+If <&'string2'&> is absent, the result is empty. Alternatively, <&'string2'&>
+can be the word &"fail"& (not in braces) to force expansion failure if the
+command does not succeed. If both strings are omitted, the result is contents
+of the standard output/error on success, and nothing on failure.
+.wen
.cindex "&$runrc$&"
The return code from the command is put in the variable &$runrc$&, and this
.cindex "expansion" "expression evaluation"
.cindex "expansion" "arithmetic expression"
.cindex "&%eval%& expansion item"
-These items supports simple arithmetic in expansion strings. The string (after
-expansion) must be a conventional arithmetic expression, but it is limited to
-five basic operators (plus, minus, times, divide, remainder) and parentheses.
-All operations are carried out using integer arithmetic. Plus and minus have a
-lower priority than times, divide, and remainder; operators with the same
-priority are evaluated from left to right.
+.new
+These items supports simple arithmetic and bitwise logical operations in
+expansion strings. The string (after expansion) must be a conventional
+arithmetic expression, but it is limited to basic arithmetic operators, bitwise
+logical operators, and parentheses. All operations are carried out using
+integer arithmetic. The operator priorities are as follows (the same as in the
+C programming language):
+.table2 90pt 300pt
+.row &~&~&~&~&~&~&~&~&'highest:'& "not (~), negate (-)"
+.row "" "multiply (*), divide (/), remainder (%)"
+.row "" "plus (+), minus (-)"
+.row "" "shift-left (<<), shift-right (>>)"
+.row "" "and (&&)"
+.row "" "xor (^)"
+.row &~&~&~&~&~&~&~&~&'lowest:'& "or (|)"
+.endtable
+Binary operators with the same priority are evaluated from left to right. White
+space is permitted before or after operators.
For &%eval%&, numbers may be decimal, octal (starting with &"0"&) or
hexadecimal (starting with &"0x"&). For &%eval10%&, all numbers are taken as
-decimal, even if they start with a leading zero. This can be useful when
-processing numbers extracted from dates or times, which often do have leading
-zeros.
+decimal, even if they start with a leading zero; hexadecimal numbers are not
+permitted. This can be useful when processing numbers extracted from dates or
+times, which often do have leading zeros.
A number may be followed by &"K"& or &"M"& to multiply it by 1024 or 1024*1024,
respectively. Negative numbers are supported. The result of the computation is
a decimal representation of the answer (without &"K"& or &"M"&). For example:
.display
-&`${eval:1+1} `& yields 2
-&`${eval:1+2*3} `& yields 7
-&`${eval:(1+2)*3} `& yields 9
-&`${eval:2+42%5} `& yields 4
+&`${eval:1+1} `& yields 2
+&`${eval:1+2*3} `& yields 7
+&`${eval:(1+2)*3} `& yields 9
+&`${eval:2+42%5} `& yields 4
+&`${eval:0xc&5} `& yields 4
+&`${eval:0xc|5} `& yields 13
+&`${eval:0xc^5} `& yields 9
+&`${eval:0xc>>1} `& yields 6
+&`${eval:0xc<<1} `& yields 24
+&`${eval:~255&0x1234} `& yields 4608
+&`${eval:-(~255&0x1234)} `& yields -4608
.endd
+.wen
As a more realistic example, in an ACL you might have
.code
yields an unchanged string.
-.vitem &*${rxquote:*&<&'string'&>&*}*&
-.cindex "quoting" "in regular expressions"
-.cindex "regular expressions" "quoting"
-.cindex "&%rxquote%& expansion item"
-The &%rxquote%& operator inserts a backslash before any non-alphanumeric
-characters in its argument. This is useful when substituting the values of
-variables or headers inside regular expressions.
-
-
.vitem &*${rfc2047:*&<&'string'&>&*}*&
.cindex "expansion" "RFC 2047"
.cindex "RFC 2047" "expansion operator"
+.vitem &*${rxquote:*&<&'string'&>&*}*&
+.cindex "quoting" "in regular expressions"
+.cindex "regular expressions" "quoting"
+.cindex "&%rxquote%& expansion item"
+The &%rxquote%& operator inserts a backslash before any non-alphanumeric
+characters in its argument. This is useful when substituting the values of
+variables or headers inside regular expressions.
+
+
.vitem &*${sha1:*&<&'string'&>&*}*&
.cindex "SHA-1 hash"
.cindex "expansion" "SHA-1 hashing"
See the description of the general &%substr%& item above for details. The
abbreviation &%s%& can be used when &%substr%& is used as an operator.
-.new
.vitem &*${time_eval:*&<&'string'&>&*}*&
.cindex "&%time_eval%& expansion item"
.cindex "time interval" "decoding"
This item converts an Exim time interval such as &`2d4h5m`& into a number of
seconds.
-.wen
.vitem &*${time_interval:*&<&'string'&>&*}*&
.cindex "&%time_interval%& expansion item"
.section "Expansion conditions" "SECTexpcond"
-.cindex "expansion" "conditions"
+.scindex IIDexpcond "expansion" "conditions"
The following conditions are available for testing by the &%${if%& construct
while expanding strings:
only the first eight characters of the password. However, in modern operating
systems this is no longer true, and in many cases the entire password is used,
whatever its length.
+
.next
+.new
.cindex "&[crypt16()]&"
-&%{crypt16}%& calls the &[crypt16()]& function (also known as &[bigcrypt()]&),
-which was orginally created to use up to 16 characters of the password. Again,
-in modern operating systems, more characters may be used.
+&%{crypt16}%& calls the &[crypt16()]& function, which was orginally created to
+use up to 16 characters of the password in some operating systems. Again, in
+modern operating systems, more characters may be used.
.endlist
-
-Exim has its own version of &[crypt16()]& (which is just a double call to
-&[crypt()]&). For operating systems that have their own version, setting
+Exim has its own version of &[crypt16()]&, which is just a double call to
+&[crypt()]&. For operating systems that have their own version, setting
HAVE_CRYPT16 in &_Local/Makefile_& when building Exim causes it to use the
operating system version instead of its own. This option is set by default in
the OS-dependent &_Makefile_& for those operating systems that are known to
support &[crypt16()]&.
-If you do not put any curly bracket encryption type in a &%crypteq%&
-comparison, the default is either &`{crypt}`& or &`{crypt16}`&, as determined
-by the setting of DEFAULT_CRYPT in &_Local/Makefile_&. The default default is
-&`{crypt}`&. Whatever the default, you can always use either function by
-specifying it explicitly in curly brackets.
-
-Note that if a password is no longer than 8 characters, the results of
-encrypting it with &[crypt()]& and &[crypt16()]& are identical. That means that
-&[crypt16()]& is backwards compatible, as long as nobody feeds it a password
-longer than 8 characters.
+Some years after Exim's &[crypt16()]& was implemented, a user discovered that
+it was not using the same algorithm as some operating systems' versions. It
+turns out that as well as &[crypt16()]& there is a function called
+&[bigcrypt()]& in some operating systems. This may or may not use the same
+algorithm, and both of them may be different to Exim's built-in &[crypt16()]&.
+
+However, since there is now a move away from the traditional &[crypt()]&
+functions towards using SHA1 and other algorithms, tidying up this area of
+Exim is seen as very low priority.
+
+If you do not put a encryption type (in curly brackets) in a &%crypteq%&
+comparison, the default is usually either &`{crypt}`& or &`{crypt16}`&, as
+determined by the setting of DEFAULT_CRYPT in &_Local/Makefile_&. The default
+default is &`{crypt}`&. Whatever the default, you can always use either
+function by specifying it explicitly in curly brackets.
+.wen
.vitem &*def:*&<&'variable&~name'&>
.cindex "expansion" "checking for empty variable"
${if match_ip{$sender_host_address}{net-lsearch;/some/file}...
.endd
You do need to specify the &`net-`& prefix if you want to specify a
-specific address mask, for example, by using &`net24-`&.
+specific address mask, for example, by using &`net24-`&. However, unless you
+are combining a &%match_ip%& condition with others, it is usually neater to use
+an expansion lookup such as:
+.code
+ ${lookup{${mask:$sender_host_address/24}}lsearch{/some/file}...
+.endd
.endlist ilist
Consult section &<<SECThoslispatip>>& for further details of these patterns.
item can be used to double any existing colons. For example, the configuration
of a LOGIN authenticator might contain this setting:
.code
-server_condition = ${if pam{$1:${sg{$2}{:}{::}}}{yes}{no}}
+server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}
.endd
For a PLAIN authenticator you could use:
.code
-server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
+server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}
.endd
In some operating systems, PAM authentication can be done only from a process
running as root. Since Exim is running as the Exim user when receiving
password, separated by a colon. For example, in a LOGIN authenticator
configuration, you might have this:
.code
-server_condition = ${if pwcheck{$1:$2}{1}{0}}
+server_condition = ${if pwcheck{$auth1:$auth2}}
.endd
.vitem &*queue_running*&
.cindex "queue runner" "detecting when delivering from"
.vitem &*radius&~{*&<&'authentication&~string'&>&*}*&
.cindex "Radius"
.cindex "expansion" "Radius authentication"
-.cindex "&%radiu%& expansion condition"
+.cindex "&%radius%& expansion condition"
Radius authentication (RFC 2865) is supported in a similar way to PAM. You must
set RADIUS_CONFIG_FILE in &_Local/Makefile_& to specify the location of
the Radius client configuration file in order to build Exim with Radius
Radius client library, which calls the Radius server. The condition is true if
the authentication is successful. For example:
.code
-server_condition = ${if radius{<arguments>}{yes}{no}}
+server_condition = ${if radius{<arguments>}}
.endd
Up to four arguments can be supplied to the &%saslauthd%& condition, but only
two are mandatory. For example:
.code
-server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
+server_condition = ${if saslauthd{{$auth1}{$auth2}}}
.endd
The service and the realm are optional (which is why the arguments are enclosed
in their own set of braces). For details of the meaning of the service and
the last one. When a false sub-condition is found, the following ones are
parsed but not evaluated.
.endlist
+.ecindex IIDexpcond
.vitem "&$acl_c0$& &-- &$acl_c19$&"
Values can be placed in these variables by the &%set%& modifier in an ACL. The
values persist throughout the lifetime of an SMTP connection. They can be used
-to pass information between ACLs and different invocations of the same ACL.
-When a message is received, the values of these variables are saved with the
-message, and can be accessed by filters, routers, and transports during
+to pass information between ACLs and between different invocations of the same
+ACL. When a message is received, the values of these variables are saved with
+the message, and can be accessed by filters, routers, and transports during
subsequent delivery.
.vitem "&$acl_m0$& &-- &$acl_m19$&"
When, as a result of aliasing or forwarding, a message is directed to a pipe,
this variable holds the pipe command when the transport is running.
-.new
.vitem "&$auth1$& &-- &$auth3$&"
.cindex "&$auth1$&, &$auth2$&, etc"
These variables are used in SMTP authenticators (see chapters
&<<CHAPplaintext>>&&--&<<CHAPspa>>&). Elsewhere, they are empty.
-.wen
.vitem &$authenticated_id$&
.cindex "authentication" "id"
&$authenticated_id$& (see chapter &<<CHAPSMTPAUTH>>&). For example, a
user/password authenticator configuration might preserve the user name for use
in the routers. Note that this is not the same information that is saved in
-&$sender_host_authenticated$&. When a message is submitted locally (that is,
-not over a TCP connection), the value of &$authenticated_id$& is the login name
-of the calling process.
+&$sender_host_authenticated$&.
+When a message is submitted locally (that is, not over a TCP connection)
+the value of &$authenticated_id$& is normally the login name of the calling
+process. However, a trusted user can override this by means of the &%-oMai%&
+command line option.
+
+
+
.vitem &$authenticated_sender$&
.cindex "sender" "authenticated"
.cindex "&$qualify_domain$&"
When a message is submitted locally (that is, not over a TCP connection), the
value of &$authenticated_sender$& is an address constructed from the login
-name of the calling process and &$qualify_domain$&.
+name of the calling process and &$qualify_domain$&, except that a trusted user
+can override this by means of the &%-oMas%& command line option.
.vitem &$authentication_failed$&
separated.
.vitem &$domain$&
+.new
.cindex "&$domain$&"
When an address is being routed, or delivered on its own, this variable
-contains the domain. Global address rewriting happens when a message is
-received, so the value of &$domain$& during routing and delivery is the value
-after rewriting. &$domain$& is set during user filtering, but not during system
-filtering, because a message may have many recipients and the system filter is
-called just once.
+contains the domain. Uppercase letters in the domain are converted into lower
+case for &$domain$&.
+.wen
+
+Global address rewriting happens when a message is received, so the value of
+&$domain$& during routing and delivery is the value after rewriting. &$domain$&
+is set during user filtering, but not during system filtering, because a
+message may have many recipients and the system filter is called just once.
When more than one address is being delivered at once (for example, several
RCPT commands in one SMTP delivery), &$domain$& is set only if they all
.vitem &$host$&
.cindex "&$host$&"
-When the &(smtp)& transport is expanding its options for encryption using TLS,
-&$host$& contains the name of the host to which it is connected. Likewise, when
-used in the client part of an authenticator configuration (see chapter
-&<<CHAPSMTPAUTH>>&), &$host$& contains the name of the server to which the
-client is connected.
+If a router assigns an address to a transport (any transport), and passes a
+list of hosts with the address, the value of &$host$& when the transport starts
+to run is the name of the first host on the list. Note that this applies both
+to local and remote transports.
.cindex "transport" "filter"
.cindex "filter" "transport filter"
-When used in a transport filter (see chapter &<<CHAPtransportgeneric>>&)
-&$host$& refers to the host involved in the current connection. When a local
-transport is run as a result of a router that sets up a host list, &$host$&
-contains the name of the first host.
+For the &(smtp)& transport, if there is more than one host, the value of
+&$host$& changes as the transport works its way through the list. In
+particular, when the &(smtp)& transport is expanding its options for encryption
+using TLS, or for specifying a transport filter (see chapter
+&<<CHAPtransportgeneric>>&), &$host$& contains the name of the host to which it
+is connected.
+
+When used in the client part of an authenticator configuration (see chapter
+&<<CHAPSMTPAUTH>>&), &$host$& contains the name of the server to which the
+client is connected.
+
.vitem &$host_address$&
.cindex "&$host_address$&"
of the temporary file which is about to be renamed. It can be used to construct
a unique name for the file.
+.new
.vitem &$interface_address$&
.cindex "&$interface_address$&"
-As soon as a server starts processing a TCP/IP connection, this variable is set
-to the address of the local IP interface, and &$interface_port$& is set to the
-port number. These values are therefore available for use in the &"connect"&
-ACL. See also the &%-oMi%& command line option. As well as being used in ACLs,
-these variable could be used, for example, to make the file name for a TLS
-certificate depend on which interface and/or port is being used.
+This is an obsolete name for &$received_ip_address$&.
.vitem &$interface_port$&
.cindex "&$interface_port$&"
-See &$interface_address$&.
+This is an obsolete name for &$received_port$&.
+.wen
.vitem &$ldap_dn$&
.cindex "&$ldap_dn$&"
&`1BXTIK-0001yO-VA`&.
.vitem &$message_headers$&
+.new
+.cindex &$message_headers$&
This variable contains a concatenation of all the header lines when a message
is being processed, except for lines added by routers or transports. The header
-lines are separated by newline characters.
+lines are separated by newline characters. Their contents are decoded in the
+same way as a header line that is inserted by &%bheader%&.
+
+.vitem &$message_headers_raw$&
+.cindex &$message_headers_raw$&
+This variable is like &$message_headers$& except that no processing of the
+contents of header lines is done.
+.wen
.vitem &$message_id$&
This is an old name for &$message_exim_id$&, which is now deprecated.
When a top-level address is being processed for delivery, this contains the
same value as &$domain$&. However, if a &"child"& address (for example,
generated by an alias, forward, or filter file) is being processed, this
-variable contains the domain of the original address. This differs from
-&$parent_domain$& only when there is more than one level of aliasing or
-forwarding. When more than one address is being delivered in a single transport
-run, &$original_domain$& is not set.
+variable contains the domain of the original address (lower cased). This
+differs from &$parent_domain$& only when there is more than one level of
+aliasing or forwarding. When more than one address is being delivered in a
+single transport run, &$original_domain$& is not set.
If a new address is created by means of a &%deliver%& command in a system
filter, it is set up with an artificial &"parent"& address. This has the local
.cindex "transport" "filter"
.cindex "&$pipe_addresses$&"
This is not an expansion variable, but is mentioned here because the string
-&"$pipe_addresses"& is handled specially in the command specification for the
+&`$pipe_addresses`& is handled specially in the command specification for the
&(pipe)& transport (chapter &<<CHAPpipetransport>>&) and in transport filters
(described under &%transport_filter%& in chapter &<<CHAPtransportgeneric>>&).
It cannot be used in general expansion strings, and provokes an &"unknown
.vitem &$rcpt_defer_count$&
.cindex "&$rcpt_defer_count$&"
+.cindex "4&'xx'& responses" "count of"
When a message is being received by SMTP, this variable contains the number of
RCPT commands in the current message that have previously been rejected with a
temporary (4&'xx'&) response.
built. The value is copied after recipient rewriting has happened, but before
the &[local_scan()]& function is run.
+.new
+.vitem &$received_ip_address$&
+.cindex "&$received_ip_address$&"
+As soon as an Exim server starts processing an incoming TCP/IP connection, this
+variable is set to the address of the local IP interface, and &$received_port$&
+is set to the local port number. (The remote IP address and port are in
+&$sender_host_address$& and &$sender_host_port$&.) When testing with &%-bh%&,
+the port value is -1 unless it has been set using the &%-oMi%& command line
+option.
+
+As well as being useful in ACLs (including the &"connect"& ACL), these variable
+could be used, for example, to make the file name for a TLS certificate depend
+on which interface and/or port is being used for the incoming connection. The
+values of &$received_ip_address$& and &$received_port$& are saved with any
+messages that are received, thus making these variables available at delivery
+time.
+
+&*Note:*& There are no equivalent variables for outgoing connections, because
+the values are unknown (unless they are explicitly set by options of the
+&(smtp)& transport).
+
+.vitem &$received_port$&
+.cindex "&$received_port$&"
+See &$received_ip_address$&.
+.wen
+
.vitem &$received_protocol$&
.cindex "&$received_protocol$&"
When a message is being processed, this variable contains the name of the
.olist
In a system filter file.
.next
-In the ACLs associated with the DATA command, that is, the ACLs defined by
-&%acl_smtp_predata%& and &%acl_smtp_data%&.
+In the ACLs associated with the DATA command and with non-SMTP messages, that
+is, the ACLs defined by &%acl_smtp_predata%&, &%acl_smtp_data%&,
+&%acl_smtp_mime%&, &%acl_not_smtp_start%&, &%acl_not_smtp%&, and
+&%acl_not_smtp_mime%&.
.endlist
from the count. While a message is being received over SMTP, the number
increases for each accepted recipient. It can be referenced in an ACL.
+
+.vitem &$regex_match_string$&
+.cindex "&$regex_match_string$&"
+This variable is set to contain the matching regular expression after a
+&%regex%& ACL condition has matched (see section &<<SECTscanregex>>&).
+
+
.vitem &$reply_address$&
.cindex "&$reply_address$&"
When a message is being processed, this variable contains the contents of the
&'Reply-To:'& header line if one exists and it is not empty, or otherwise the
-contents of the &'From:'& header line. &new("Apart from the removal of leading
+contents of the &'From:'& header line. Apart from the removal of leading
white space, the value is not processed in any way. In particular, no RFC 2047
-decoding or character code translation takes place.")
+decoding or character code translation takes place.
.vitem &$return_path$&
.cindex "&$return_path$&"
original router encountered. In other circumstances its contents are null.
.vitem &$sender_address$&
+.new
.cindex "&$sender_address$&"
When a message is being processed, this variable contains the sender's address
-that was received in the message's envelope. For bounce messages, the value of
-this variable is the empty string. See also &$return_path$&.
+that was received in the message's envelope. The case of letters in the address
+is retained, in both the local part and the domain. For bounce messages, the
+value of this variable is the empty string. See also &$return_path$&.
+.wen
.vitem &$sender_address_data$&
.cindex "&$address_data$&"
the verified host name or to the host's IP address in square brackets.
.vitem &$sender_helo_name$&
-.cindex "&$sender_hslo_name$&"
+.cindex "&$sender_helo_name$&"
When a message is received from a remote host that has issued a HELO or EHLO
command, the argument of that command is placed in this variable. It is also
set if HELO or EHLO is used when a message is received using SMTP locally via
Once &$host_lookup_failed$& is set to &"1"&, Exim does not try to look up the
host name again if there is a subsequent reference to &$sender_host_name$&
-in the same Exim process, but it does try again if &$sender_host_deferred$&
+in the same Exim process, but it does try again if &$host_lookup_deferred$&
is set to &"1"&.
Exim does not automatically look up every calling host's name. If you want
.vitem &$smtp_active_hostname$&
.cindex "&$smtp_active_hostname$&"
-During an SMTP session, this variable contains the value of the active host
-name, as specified by the &%smtp_active_hostname%& option. The value of
+During an incoming SMTP session, this variable contains the value of the active
+host name, as specified by the &%smtp_active_hostname%& option. The value of
&$smtp_active_hostname$& is saved with any message that is received, so its
value can be consulted during routing and delivery.
options that can be used to influence Exim's behaviour. The rest of this
chapter describes how they operate.
+.new
When a message is received over TCP/IP, the interface and port that were
-actually used are set in &$interface_address$& and &$interface_port$&.
+actually used are set in &$received_ip_address$& and &$received_port$&.
+.wen
function.) Of course, this means that the additional functionality of
&[getaddrinfo()]& &-- recognizing scoped addresses &-- is lost.
-.new
.section "Disabling IPv6"
.cindex "IPv6" "disabling"
Sometimes it happens that an Exim binary that was compiled with IPv6 support is
option to globally suppress the lookup of AAAA records for specified domains,
and you can use the &%ignore_target_hosts%& generic router option to ignore
IPv6 addresses in an individual router.
-.wen
.row &%queue_run_max%& "maximum simultaneous queue runners"
.row &%remote_max_parallel%& "parallel SMTP delivery per message"
.row &%smtp_accept_max%& "simultaneous incoming connections"
-.row &%smtp_accept_max_nommail%& "non-mail commands"
+.row &%smtp_accept_max_nonmail%& "non-mail commands"
.row &%smtp_accept_max_nonmail_hosts%& "hosts to which the limit applies"
.row &%smtp_accept_max_per_connection%& "messages per connection"
.row &%smtp_accept_max_per_host%& "connections from one host"
.table2
.row &%acl_not_smtp%& "ACL for non-SMTP messages"
.row &%acl_not_smtp_mime%& "ACL for non-SMTP MIME parts"
+.row &%acl_not_smtp_start%& "ACL for start of non-SMTP message"
.row &%acl_smtp_auth%& "ACL for AUTH"
.row &%acl_smtp_connect%& "ACL for connection"
.row &%acl_smtp_data%& "ACL for DATA"
.row &%message_size_limit%& "for all messages"
.row &%percent_hack_domains%& "recognize %-hack for these domains"
.row &%spamd_address%& "set interface to SpamAssassin"
+.row &%strict_acl_vars%& "object to unset ACL variables"
.endtable
.row &%check_rfc2047_length%& "check length of RFC 2047 &""encoded &&&
words""&"
.row &%delivery_date_remove%& "from incoming messages"
-.row &%envelope_to_remote%& "from incoming messages"
+.row &%envelope_to_remove%& "from incoming messages"
.row &%extract_addresses_remove_arguments%& "affects &%-t%& processing"
.row &%headers_charset%& "default for translations"
.row &%qualify_domain%& "default for senders"
.option acl_not_smtp main string&!! unset
.cindex "&ACL;" "for non-SMTP messages"
.cindex "non-SMTP messages" "ACLs for"
-This option defines the ACL that is run when a non-SMTP message is on the point
-of being accepted. See chapter &<<CHAPACL>>& for further details.
+This option defines the ACL that is run when a non-SMTP message has been
+read and is on the point of being accepted. See chapter &<<CHAPACL>>& for
+further details.
.option acl_not_smtp_mime main string&!! unset
This option defines the ACL that is run for individual MIME parts of non-SMTP
messages. It operates in exactly the same way as &%acl_smtp_mime%& operates for
SMTP messages.
+.option acl_not_smtp_start main string&!! unset
+.cindex "&ACL;" "at start of non-SMTP message"
+.cindex "non-SMTP messages" "ACLs for"
+This option defines the ACL that is run before Exim starts reading a
+non-SMTP message. See chapter &<<CHAPACL>>& for further details.
+
.option acl_smtp_auth main string&!! unset
.cindex "&ACL;" "setting up for SMTP commands"
.cindex "AUTH" "ACL for"
.option bounce_return_body main boolean true
.cindex "bounce message" "including body"
-.new
This option controls whether the body of an incoming message is included in a
bounce message when &%bounce_return_message%& is true. The default setting
causes the entire message, both header and body, to be returned (subject to the
error that is detected during reception, only those header lines preceding the
point at which the error was detected are returned.
.cindex "bounce message" "including original"
-.wen
.option bounce_return_message main boolean true
-.new
If this option is set false, none of the original message is included in
bounce messages generated by Exim. See also &%bounce_return_size_limit%& and
&%bounce_return_body%&.
-.wen
.option bounce_return_size_limit main integer 100K
.cindex "&$spool_space$&"
When any of these options are set, they apply to all incoming messages. If you
want to apply different checks to different kinds of message, you can do so by
-testing the the variables &$log_inodes$&, &$log_space$&, &$spool_inodes$&, and
+testing the variables &$log_inodes$&, &$log_space$&, &$spool_inodes$&, and
&$spool_space$& in an ACL with appropriate additional conditions.
expansion. Otherwise &$domain$& is empty. If the result of the expansion is a
forced failure, an empty string, or a string matching any of &"0"&, &"no"& or
&"false"& (the comparison being done caselessly) then the warning message is
-not sent. The default is
+not sent. The default is:
.code
-delay_warning_condition = \
- ${if match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes}}
+delay_warning_condition = ${if or {\
+ { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\
+ { match{$h_precedence:}{(?i)bulk|list|junk} }\
+ { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\
+ } {no}{yes}}
.endd
-which suppresses the sending of warnings about messages that have &"bulk"&,
-&"list"& or &"junk"& in a &'Precedence:'& header.
+This suppresses the sending of warnings for messages that contain &'List-ID:'&,
+&'List-Post:'&, or &'List-Subscribe:'& headers, or have &"bulk"&, &"list"& or
+&"junk"& in a &'Precedence:'& header, or have &"auto-generated"& or
+&"auto-replied"& in an &'Auto-Submitted:'& header.
.option deliver_drop_privilege main boolean false
.cindex "unprivileged delivery"
occur when a delivered message is subsequently sent on to some other recipient.
-.new
.option disable_ipv6 main boolean false
.cindex "IPv6" "disabling"
If this option is set true, even if the Exim binary has IPv6 support, no IPv6
that are listed in &%local_interfaces%&, data for the &%manualroute%& router,
etc. are ignored. If IP literals are enabled, the &(ipliteral)& router declines
to handle IPv6 literal addresses.
-.wen
.option dns_again_means_nonexist main "domain list&!!" unset
.code
dns_again_means_nonexist = *.in-addr.arpa
.endd
-.new
This option applies to all DNS lookups that Exim does. It also applies when the
&[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
since these are most likely to be caused by DNS lookup problems. The
&(dnslookup)& router has some options of its own for controlling what happens
when lookups for MX or SRV records give temporary errors. These more specific
options are applied after this global option.
-.wen
.option dns_check_names_pattern main string "see below"
.cindex "DNS" "pre-check of name syntax"
-.new
When this option is set to a non-empty string, it causes Exim to check domain
names for characters that are not allowed in host names before handing them to
the DNS resolver, because some resolvers give temporary errors for names that
accessed in Exim by using a &%dnsdb%& lookup). If you set
&%allow_utf8_domains%&, you must modify this pattern, or set the option to an
empty string.
-.wen
.option dns_csa_search_limit main integer 5
This option controls the depth of parental searching for CSA SRV records in the
.option dns_ipv4_lookup main "domain list&!!" unset
.cindex "IPv6" "DNS lookup for AAAA records"
.cindex "DNS" "IPv6 lookup for AAAA records"
-.new
When Exim is compiled with IPv6 support and &%disable_ipv6%& is not set, it
looks for IPv6 address records (AAAA records) as well as IPv4 address records
(A records) when trying to find IP addresses for hosts, unless the host's
This is a fudge to help with name servers that give big delays or otherwise do
not work for the AAAA record type. In due course, when the world's name
servers have all been upgraded, there should be no need for this option.
-.wen
.option dns_retrans main time 0s
.option errors_reply_to main string unset
.cindex "bounce message" "&'Reply-to:'& in"
-.new
By default, Exim's bounce and delivery warning messages contain the header line
.display
&`From: Mail Delivery System <Mailer-Daemon@`&&'qualify-domain'&&`>`&
&%quota_warn_message%& option in an &(appendfile)& transport contain its
own &'Reply-To:'& header line, the value of the &%errors_reply_to%& option is
not used.
-.wen
.option exim_group main string "compile-time configured"
is set, code values of 128 and above are also considered to be printing
characters.
+This option also affects the header syntax checks performed by the
+&(autoreply)& transport, and whether Exim uses RFC 2047 encoding of
+the user's full name when constructing From: and Sender: addresses (as
+described in section &<<SECTconstr>>&). Setting this option can cause
+Exim to generate eight bit message headers that do not conform to the
+standards.
+
.option process_log_path main string unset
.cindex "process log path"
If this option is set, queue runs happen in order of message arrival instead of
in an arbitrary order. For this to happen, a complete list of the entire queue
must be set up before the deliveries start. When the queue is all held in a
-single directory (the default),
-
-a single list is created for both the ordered and the non-ordered cases.
-However, if &%split_spool_directory%& is set, a single list is not created when
-&%queue_run_in_order%& is false. In this case, the sub-directories are
-processed one at a time (in a random order), and this avoids setting up one
-huge list for the whole queue. Thus, setting &%queue_run_in_order%& with
-&%split_spool_directory%& may degrade performance when the queue is large,
-because of the extra work in setting up the single, large list. In most
-situations, &%queue_run_in_order%& should not be set.
+single directory (the default), a single list is created for both the ordered
+and the non-ordered cases. However, if &%split_spool_directory%& is set, a
+single list is not created when &%queue_run_in_order%& is false. In this case,
+the sub-directories are processed one at a time (in a random order), and this
+avoids setting up one huge list for the whole queue. Thus, setting
+&%queue_run_in_order%& with &%split_spool_directory%& may degrade performance
+when the queue is large, because of the extra work in setting up the single,
+large list. In most situations, &%queue_run_in_order%& should not be set.
.option retry_interval_max main time 24h
.cindex "retry" "limit on interval"
.cindex "limit" "on retry interval"
-.new
Chapter &<<CHAPretry>>& describes Exim's mechanisms for controlling the
intervals between delivery attempts for messages that cannot be delivered
straight away. This option sets an overall limit to the length of time between
retries. It cannot be set greater than 24 hours; any attempt to do so forces
the default value.
-.wen
.option return_path_remove main boolean true
RFC 1413 identification calls are made to any client host which matches an item
in the list.
-.new
.option rfc1413_query_timeout main time 5s
-.wen
.cindex "RFC 1413" "query timeout"
.cindex "timeout" "for RFC 1413 call"
This sets the timeout on RFC 1413 identification calls. If it is set to zero,
.option smtp_active_hostname main string&!! unset
+.new
.cindex "host" "name in SMTP responses"
.cindex "SMTP" "host name in responses"
.cindex "&$primary_hostname$&"
This option is provided for multi-homed servers that want to masquerade as
-several different hosts. At the start of an SMTP connection, its value is
-expanded and used instead of the value of &$primary_hostname$& in SMTP
+several different hosts. At the start of an incoming SMTP connection, its value
+is expanded and used instead of the value of &$primary_hostname$& in SMTP
responses. For example, it is used as domain name in the response to an
incoming HELO or EHLO command.
.cindex "&$smtp_active_hostname$&"
-It is also used in HELO commands for callout verification. The active hostname
-is placed in the &$smtp_active_hostname$& variable, which is saved with any
-messages that are received. It is therefore available for use in routers and
-transports when the message is later delivered.
+The active hostname is placed in the &$smtp_active_hostname$& variable, which
+is saved with any messages that are received. It is therefore available for use
+in routers and transports when the message is later delivered.
If this option is unset, or if its expansion is forced to fail, or if the
expansion results in an empty string, the value of &$primary_hostname$& is
value of &%smtp_active_hostname%& depends on the incoming interface address.
For example:
.code
-smtp_active_hostname = ${if eq{$interface_address}{10.0.0.1}\
+smtp_active_hostname = ${if eq{$received_ip_address}{10.0.0.1}\
{cox.mydomain}{box.mydomain}}
.endd
+Although &$smtp_active_hostname$& is primarily concerned with incoming
+messages, it is also used as the default for HELO commands in callout
+verification if there is no remote transport from which to obtain a
+&%helo_data%& value.
+.wen
+
.option smtp_banner main string&!! "see below"
.cindex "SMTP" "welcome banner"
.cindex "banner for SMTP"
This option controls the timeout that the &(sqlite)& lookup uses when trying to
access an SQLite database. See section &<<SECTsqlite>>& for more details.
+.new
+.option strict_acl_vars main boolean false
+.cindex "ACL variables" "handling unset"
+This option controls what happens if a syntactically valid but undefined ACL
+variable is referenced. If it is false (the default), an empty string
+is substituted; if it is true, an error is generated. See section
+&<<SECTaclvariables>>& for details of ACL variables.
+.wen
+
.option strip_excess_angle_brackets main boolean false
.cindex "angle brackets" "excess"
If this option is set, redundant pairs of angle brackets round &"route-addr"&
.cindex "frozen messages" "timing out"
.cindex "timeout" "frozen messages"
If &%timeout_frozen_after%& is set to a time greater than zero, a frozen
-message of any kind that has been on the queue for longer than the given
-time is automatically cancelled at the next queue run. If it is a bounce
-message, it is just discarded; otherwise, a bounce is sent to the sender, in a
-similar manner to cancellation by the &%-Mg%& command line option. If you want
-to timeout frozen bounce messages earlier than other kinds of frozen message,
-see &%ignore_bounce_errors_after%&.
+message of any kind that has been on the queue for longer than the given time
+is automatically cancelled at the next queue run. If the frozen message is a
+bounce message, it is just discarded; otherwise, a bounce is sent to the
+sender, in a similar manner to cancellation by the &%-Mg%& command line option.
+If you want to timeout frozen bounce messages earlier than other kinds of
+frozen message, see &%ignore_bounce_errors_after%&.
+
+.new
+&*Note:*& the default value of zero means no timeouts; with this setting,
+frozen messages remain on the queue forever (except for any frozen bounce
+messages that are released by &%ignore_bounce_errors_after%&).
+.wen
.option timezone main string unset
.option tls_privatekey main string&!! unset
.cindex "TLS" "server private key; location of"
-.new
The value of this option is expanded, and must then be the absolute path to a
file which contains the server's private key. If this option is unset, or if
the expansion is forced to fail, or the result is an empty string, the private
key is assumed to be in the same file as the server's certificates. See chapter
&<<CHAPTLS>>& for further details.
-.wen
.option tls_remember_esmtp main boolean false
While the router is running, &%router_home_directory%& overrides the value of
&$home$& that came from &%check_local_user%&.
-.new
When a router accepts an address and assigns it to a local transport (including
the cases when a &(redirect)& router generates a pipe, file, or autoreply
delivery), the home directory setting for the transport is taken from the first
of these values that is set:
-.wen
.ilist
The &%home_directory%& option on the transport;
.code
root@[192.168.1.1]
.endd
-.new
by setting up delivery to the host with that IP address. IPv4 domain literals
consist of an IPv4 address enclosed in square brackets. IPv6 domain literals
are similar, but the address is preceded by &`ipv6:`&. For example:
.endd
Exim allows &`ipv4:`& before IPv4 addresses, for consistency, and on the
grounds that sooner or later somebody will try it.
-.wen
.cindex "&%self%& option" "in &(ipliteral)& router"
If the IP address matches something in &%ignore_target_hosts%&, the router
.option command_group queryprogram string unset
.cindex "gid (group id)" "in &(queryprogram)& router"
-.new
This option specifies a gid to be set when running the command while routing an
address for deliver. It must be set if &%command_user%& specifies a numerical
uid. If it begins with a digit, it is interpreted as the numerical value of the
gid. Otherwise it is looked up using &[getgrnam()]&.
-.wen
.option command_user queryprogram string unset
.cindex "uid (user id)" "for &(queryprogram)&"
-.new
This option must be set. It specifies the uid which is set when running the
command while routing an address for delivery. If the value begins with a digit,
it is interpreted as the numerical value of the uid. Otherwise, it is looked up
is called from a non-root process, Exim cannot change uid or gid before running
the command. In this circumstance the command runs under the current uid and
gid.
-.wen
.option current_directory queryprogram string /
.ilist
When Exim is receiving an incoming SMTP message from a remote host, it is
-running under the Exim uid, not as root.
-No additional groups are set up, even if the Exim uid is a member of other
-groups (that is, the &[initgroups()]& function is not run).
-Exim is unable to change uid to read the file as the user, and it may not be
-able to read it as the Exim user. So in practice the router may not be able to
-operate.
+running under the Exim uid, not as root. Exim is unable to change uid to read
+the file as the user, and it may not be able to read it as the Exim user. So in
+practice the router may not be able to operate.
.next
However, even when the router can operate, the existence of a &_.forward_& file
is unimportant when verifying an address. What should be checked is whether the
VRFY command, the text is included in the SMTP error response by
default.
.cindex "EXPN error text" "display of"
-The text is not included in the response to an EXPN command.
+The text is not included in the response to an EXPN command. In non-SMTP cases
+the text is included in the error message that Exim generates.
+
+.cindex "SMTP" "error codes"
+By default, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
+&':fail:'&. However, if the message starts with three digits followed by a
+space, optionally followed by an extended code of the form &'n.n.n'&, also
+followed by a space, and the very first digit is the same as the default error
+code, the code from the message is used instead. If the very first digit is
+incorrect, a panic error is logged, and the default code is used. You can
+suppress the use of the supplied code in a redirect router by setting the
+&%forbid_smtp_code%& option true. In this case, any SMTP code is quietly
+ignored.
.cindex "&$acl_verify_message$&"
In an ACL, an explicitly provided message overrides the default, but the
default message is available in the variable &$acl_verify_message$& and can
-therefore be included in a custom message if this is desired. Exim sends a 451
-SMTP code for a &':defer:'&, and 550 for &':fail:'&. In non-SMTP cases the text
-is included in the error message that Exim generates.
+therefore be included in a custom message if this is desired.
Normally the error text is the rest of the redirection list &-- a comma does
not terminate it &-- but a newline does act as a terminator. Newlines are not
it is running, the file name is in &$address_file$&.
+.option filter_prepend_home redirect boolean true
+When this option is true, if a &(save)& command in an Exim filter specifies a
+relative path, and &$home$& is defined, it is automatically prepended to the
+relative path. If this option is set false, this action does not happen. The
+relative path is then passed to the transport unmodified.
+
+
.option forbid_blackhole redirect boolean false
If this option is true, the &':blackhole:'& item may not appear in a
redirection list.
&%allow_filter%& is true.
+.cindex "SMTP" "error codes"
+.option forbid_smtp_code redirect boolean false
+If this option is set true, any SMTP error codes that are present at the start
+of messages specified for &`:defer:`& or &`:fail:`& are quietly ignored, and
+the default codes (451 and 550, respectively) are always used.
+
+
.option hide_child_in_errmsg redirect boolean false
.option qualify_domain redirect string&!! unset
.cindex "&$qualify_recipient$&"
-.new
If this option is set, and an unqualified address (one without a domain) is
generated, and that address would normally be qualified by the global setting
in &%qualify_recipient%&, it is instead qualified with the domain specified by
but for traditional &_.forward_& files, it applies only to addresses that are
not preceded by a backslash. Sieve filters cannot generate unqualified
addresses.
-.wen
.option qualify_preserve_domain redirect boolean false
.cindex "domain" "in redirection; preserving"
.cindex "preserving domain in redirection"
.cindex "address redirection" "domain; preserving"
-.new
If this option is set, the router's local &%qualify_domain%& option must not be
set (a configuration error occurs if it is). If an unqualified address (one
without a domain) is generated, it is qualified with the domain of the parent
address (the immediately preceding ancestor) instead of the global
&%qualify_recipient%& value. In the case of a traditional &_.forward_& file,
this applies whether or not the address is preceded by a backslash.
-.wen
.option repeat_use redirect boolean true
.option home_directory transports string&!! unset
.cindex "transport" "home directory for"
.cindex "&$home$&"
-This option specifies a home directory setting for &new("a local") transport,
+This option specifies a home directory setting for a local transport,
overriding any value that may be set by the router. The home directory is
placed in &$home$& while expanding the transport's private options. It is also
used as the current directory if no current directory is set by the
only effect is to change the address that is placed in the &'Return-path:'&
header line, if one is added to the message (see the next option).
+&*Note:*& A changed return path is not logged unless you add
+&%return_path_on_delivery%& to the log selector.
+
.cindex "&$return_path$&"
The expansion can refer to the existing value via &$return_path$&. This is
either the message's envelope sender, or an address set by the
option can be used to support VERP (Variable Envelope Return Paths) &-- see
section &<<SECTverp>>&.
-.new
&*Note*&: If a delivery error is detected locally, including the case when a
remote server rejects a message at SMTP time, the bounce message is not sent to
the value of this option. It is sent to the previously set errors address.
This defaults to the incoming sender address, but can be changed by setting
&%errors_to%& in a router.
-.wen
$host $host_address $sender_address $pipe_addresses
.endd
-.new
Two problems arise if you want to use more complicated expansion items to
generate transport filter commands, both of which due to the fact that the
command is split up &'before'& expansion.
{$value}{/bin/cat}}
.endd
.endlist
-.wen
The filter process is run under the same uid and gid as the normal delivery.
For remote deliveries this is the Exim uid/gid by default. The command should
acceptable.
.endlist
-The three local transports (&(appendfile)&, &(lmtp)&, and &(pipe)&) all have
-the same options for controlling multiple (&"batched"&) deliveries, namely
-&%batch_max%& and &%batch_id%&. To save repeating the information for each
-transport, these options are described here.
+These three local transports all have the same options for controlling multiple
+(&"batched"&) deliveries, namely &%batch_max%& and &%batch_id%&. To save
+repeating the information for each transport, these options are described here.
The &%batch_max%& option specifies the maximum number of addresses that can be
-delivered together in a single run of the transport. Its default value is one.
-When more than one address is routed to a transport that has a &%batch_max%&
-value greater than one, the addresses are delivered in a batch (that is, in a
-single run of the transport), subject to certain conditions:
+delivered together in a single run of the transport. Its default value is one
+(no batching). When more than one address is routed to a transport that has a
+&%batch_max%& value greater than one, the addresses are delivered in a batch
+(that is, in a single run of the transport with multiple recipients), subject
+to certain conditions:
.ilist
.cindex "&$local_part$&"
.cindex "customizing" "batching condition"
If &%batch_id%& is set, it is expanded for each address, and only those
addresses with the same expanded value are batched. This allows you to specify
-customized batching conditions.
-Failure of the expansion for any reason, including forced failure, disables
-batching, but it does not stop the delivery from taking place.
+customized batching conditions. Failure of the expansion for any reason,
+including forced failure, disables batching, but it does not stop the delivery
+from taking place.
.next
Batched addresses must also have the same errors address (where to send
delivery errors), the same header additions and removals, the same user and
be the same.
.endlist
-.cindex "&'Envelope-to:'& header line"
-If the generic &%envelope_to_add%& option is set for the transport, the
-&'Envelope-to:'& header that is added to the message contains all the addresses
-that are batched together.
-
-The &(appendfile)& and &(pipe)& transports have an option called &%use_bsmtp%&,
-which causes them to deliver the message in &"batched SMTP"& format, with the
-envelope represented as SMTP commands. The &%check_string%& and
-&%escape_string%& options are forced to the values
+In the case of the &(appendfile)& and &(pipe)& transports, batching applies
+both when the file or pipe command is specified in the transport, and when it
+is specified by a &(redirect)& router, but all the batched addresses must of
+course be routed to the same file or pipe command. These two transports have an
+option called &%use_bsmtp%&, which causes them to deliver the message in
+&"batched SMTP"& format, with the envelope represented as SMTP commands. The
+&%check_string%& and &%escape_string%& options are forced to the values
.code
check_string = "."
escape_string = ".."
given in section &<<SECTbatchSMTP>>&. The &(lmtp)& transport does not have a
&%use_bsmtp%& option, because it always delivers using the SMTP protocol.
+.cindex "&'Envelope-to:'& header line"
+If the generic &%envelope_to_add%& option is set for a batching transport, the
+&'Envelope-to:'& header that is added to the message contains all the addresses
+that are being processed together. If you are using a batching &(appendfile)&
+transport without &%use_bsmtp%&, the only way to preserve the recipient
+addresses is to set the &%envelope_to_add%& option.
+
.cindex "&(pipe)& transport" "with multiple addresses"
.cindex "&$pipe_addresses$&"
-If you are not using BSMTP, but are using a &(pipe)& transport, you can include
-&$pipe_addresses$& as part of the command. This is not a true variable; it is
-a bit of magic that causes each of the recipient addresses to be inserted into
-the command as a separate argument. This provides a way of accessing all the
-addresses that are being delivered in the batch.
+If you are using a &(pipe)& transport without BSMTP, and setting the
+transport's &%command%& option, you can include &$pipe_addresses$& as part of
+the command. This is not a true variable; it is a bit of magic that causes each
+of the recipient addresses to be inserted into the command as a separate
+argument. This provides a way of accessing all the addresses that are being
+delivered in the batch. &*Note:*& This is not possible for pipe commands that
+are specififed by a &(redirect)& router.
-If you are using a batching &(appendfile)& transport without &%use_bsmtp%&, the
-only way to preserve the recipient addresses is to set the &%envelope_to_add%&
-option. This causes an &'Envelope-to:'& header line to be added to the message,
-containing all the recipients.
.option file_must_exist appendfile boolean false
-If this option is true, the file specified by the &%file%& option must exist,
-and an error occurs if it does not. Otherwise, it is created if it does not
-exist.
+If this option is true, the file specified by the &%file%& option must exist.
+A temporary error occurs if it does not, causing delivery to be deferred.
+If this option is false, the file is created if it does not exist.
.option lock_fcntl_timeout appendfile time 0s
.option lockfile_mode appendfile "octal integer" 0600
This specifies the mode of the created lock file, when a lock file is being
-used (see &%use_lockfile%&).
+used (see &%use_lockfile%& and &%use_mbx_lock%&).
.option lockfile_timeout appendfile time 30m
.cindex "maildir format" "quota; directories included in"
.cindex "quota" "maildir; directories included in"
This option is relevant only when &%maildir_use_size_file%& is set. It defines
-a regular expression for specifying directories that should be included in the
-quota calculation. The default value is
+a regular expression for specifying directories, relative to the quota
+directory (see &%quota_directory%&), that should be included in the quota
+calculation. The default value is:
.code
maildir_quota_directory_regex = ^(?:cur|new|\..*)$
.endd
-which includes the &_cur_& and &_new_& directories, and any maildir++ folders
+This includes the &_cur_& and &_new_& directories, and any maildir++ folders
(directories whose names begin with a dot). If you want to exclude the
&_Trash_&
folder from the count (as some sites do), you need to change this setting to
maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash).*)$
.endd
This uses a negative lookahead in the regular expression to exclude the
-directory whose name is &_.Trash_&.
+directory whose name is &_.Trash_&. When a directory is excluded from quota
+calculations, quota processing is bypassed for any messages that are delivered
+directly into that directory.
.option maildir_retries appendfile integer 10
Setting this option true enables support for &_maildirsize_& files. Exim
creates a &_maildirsize_& file in a maildir if one does not exist, taking the
quota from the &%quota%& option of the transport. If &%quota%& is unset, the
-value is zero. See section &<<SECTmaildirdelivery>>& below for further details.
+value is zero. See &%maildir_quota_directory_regex%& above and section
+&<<SECTmaildirdelivery>>& below for further details.
+
+.option maildirfolder_create_regex appendfile string unset
+.cindex "maildir format" "&_maildirfolder_& file"
+.cindex "&_maildirfolder_&, creating"
+The value of this option is a regular expression. If it is unset, it has no
+effect. Otherwise, before a maildir delivery takes place, the pattern is
+matched against the name of the maildir directory, that is, the directory
+containing the &_new_& and &_tmp_& subdirectories that will be used for the
+delivery. If there is a match, Exim checks for the existence of a file called
+&_maildirfolder_& in the directory, and creates it if it does not exist.
+See section &<<SECTmaildirdelivery>>& for more details.
.option mailstore_format appendfile boolean false
.option quota_filecount appendfile string&!! 0
-.new
This option applies when the &%directory%& option is set. It limits the total
number of files in the directory (compare the inode limit in system quotas). It
can only be used if &%quota%& is also set. The value is expanded; an expansion
failure causes delivery to be deferred. A value of zero is interpreted as
&"no quota"&.
-.wen
.option quota_is_inclusive appendfile boolean true
If &%quota%& is not set, a setting of &%quota_warn_threshold%& that ends with a
percent sign is ignored.
-.new
The warning message itself is specified by the &%quota_warn_message%& option,
and it must start with a &'To:'& header line containing the recipient(s) of the
warning message. These do not necessarily have to include the recipient(s) of
.oindex &%errors_reply_to%&
If you supply a &'Reply-To:'& line, it overrides the global &%errors_reply_to%&
option.
-.wen
The &%quota%& option does not have to be set in order to use this option; they
are independent of one another except when the threshold is specified as a
/tmp/.<device-number>.<inode-number>
.endd
using the device and inode numbers of the open mailbox file, in accordance with
-the MBX locking rules.
+the MBX locking rules. This file is created with a mode that is specified by
+the &%lockfile_mode%& option.
If Exim fails to lock the file, there are two possible courses of action,
depending on the value of the locking timeout. This is obtained from
.cindex "maildir format" "description of"
If the &%maildir_format%& option is true, Exim delivers each message by writing
it to a file whose name is &_tmp/<stime>.H<mtime>P<pid>.<host>_& in the
-given directory. If the delivery is successful, the file is renamed into the
+directory that is defined by the &%directory%& option (the &"delivery
+directory"&). If the delivery is successful, the file is renamed into the
&_new_& subdirectory.
In the file name, <&'stime'&> is the current time of day in seconds, and
opening it. If any response other than ENOENT (does not exist) is given,
Exim waits 2 seconds and tries again, up to &%maildir_retries%& times.
+Before Exim carries out a maildir delivery, it ensures that subdirectories
+called &_new_&, &_cur_&, and &_tmp_& exist in the delivery directory. If they
+do not exist, Exim tries to create them and any superior directories in their
+path, subject to the &%create_directory%& and &%create_file%& options. If the
+&%maildirfolder_create_regex%& option is set, and the regular expression it
+contains matches the delivery directory, Exim also ensures that a file called
+&_maildirfolder_& exists in the delivery directory. If a missing directory or
+&_maildirfolder_& file cannot be created, delivery is deferred.
+
+These features make it possible to use Exim to create all the necessary files
+and directories in a maildir mailbox, including subdirectories for maildir++
+folders. Consider this example:
+.code
+maildir_format = true
+directory = /var/mail/$local_part\
+ ${if eq{$local_part_suffix}{}{}\
+ {/.${substr_1:$local_part_suffix}}}
+maildirfolder_create_regex = /\.[^/]+$
+.endd
+If &$local_part_suffix$& is empty (there was no suffix for the local part),
+delivery is into a toplevel maildir with a name like &_/var/mail/pimbo_& (for
+the user called &'pimbo'&). The pattern in &%maildirfolder_create_regex%& does
+not match this name, so Exim will not look for or create the file
+&_/var/mail/pimbo/maildirfolder_&, though it will create
+&_/var/mail/pimbo/{cur,new,tmp}_& if necessary.
+
+However, if &$local_part_suffix$& contains &`-eximusers`& (for example),
+delivery is into the maildir++ folder &_/var/mail/pimbo/.eximusers_&, which
+does match &%maildirfolder_create_regex%&. In this case, Exim will create
+&_/var/mail/pimbo/.eximusers/maildirfolder_& as well as the three maildir
+directories &_/var/mail/pimbo/.eximusers/{cur,new,tmp}_&.
+
+&*Warning:*& Take care when setting &%maildirfolder_create_regex%& that it does
+not inadvertently match the toplevel maildir directory, because a
+&_maildirfolder_& file at top level would completely break quota calculations.
+
.cindex "quota" "in maildir delivery"
.cindex "maildir++"
If Exim is required to check a &%quota%& setting before a maildir delivery, and
.cindex "maildir format" "&_maildirsize_& file"
If &%maildir_use_size_file%& is true, Exim implements the maildir++ rules for
storing quota and message size information in a file called &_maildirsize_&
-within the maildir directory. If this file does not exist, Exim creates it,
-setting the quota from the &%quota%& option of the transport. If the maildir
-directory itself does not exist, it is created before any attempt to write a
-&_maildirsize_& file.
+within the toplevel maildir directory. If this file does not exist, Exim
+creates it, setting the quota from the &%quota%& option of the transport. If
+the maildir directory itself does not exist, it is created before any attempt
+to write a &_maildirsize_& file.
The &_maildirsize_& file is used to hold information about the sizes of
messages in the maildir, thus speeding up quota calculations. The quota value
file is maintained (with a zero quota setting), but no quota is imposed.
A regular expression is available for controlling which directories in the
-maildir participate in quota calculations. See the description of the
-&%maildir_quota_directory_regex%& option above for details.
-
+maildir participate in quota calculations when a &_maildirsizefile_& is in use.
+See the description of the &%maildir_quota_directory_regex%& option above for
+details.
.section "Mailstore delivery"
.chapter "The autoreply transport"
.scindex IIDauttra1 "transports" "&(autoreply)&"
.scindex IIDauttra2 "&(autoreply)& transport"
-.new
The &(autoreply)& transport is not a true transport in that it does not cause
the message to be transmitted. Instead, it generates a new mail message as an
automatic reply to the incoming message. &'References:'& and
&'Auto-Submitted:'& header lines are included. These are constructed according
to the rules in RFCs 2822 and 3834, respectively.
-.wen
If the router that passes the message to this transport does not have the
&%unseen%& option set, the original message (for the current recipient) is not
.option never_mail autoreply "address list&!!" unset
If any run of the transport creates a message with a recipient that matches any
item in the list, that recipient is quietly discarded. If all recipients are
-discarded, no message is created.
+discarded, no message is created. This applies both when the recipients are
+generated by a filter and when they are specified in the transport.
is specified by the &%command%& option on the transport.
.next
.cindex "&$pipe_addresses$&"
-If the &%batch_max%& option is set greater than 1 (the default), the transport
-can be called upon to handle more than one address in a single run. In this
-case, &$local_part$& is not set (because it is not unique). However, the
-pseudo-variable &$pipe_addresses$& (described in section
-&<<SECThowcommandrun>>& below) contains all the addresses that are being
-handled.
+If the &%batch_max%& option is set greater than 1 (the default is 1), the
+transport can handle more than one address in a single run. In this case, when
+more than one address is routed to the transport, &$local_part$& is not set
+(because it is not unique). However, the pseudo-variable &$pipe_addresses$&
+(described in section &<<SECThowcommandrun>>& below) contains all the addresses
+that are routed to the transport.
.next
.cindex "&$address_pipe$&"
A router redirects an address directly to a pipe command (for example, from an
-alias or forward file). In this case, &$local_part$& contains the local part
-that was redirected, and &$address_pipe$& contains the text of the pipe
-command itself. The &%command%& option on the transport is ignored.
+alias or forward file). In this case, &$address_pipe$& contains the text of the
+pipe command, and the &%command%& option on the transport is ignored. If only
+one address is being transported (&%batch_max%& is not greater than one, or
+only one address was redirected to this pipe command), &$local_part$& contains
+the local part that was redirected.
.endlist
other cases, the uid and gid have to be specified explicitly, either on the
transport or on the router that handles the address. Current and &"home"&
directories are also controllable. See chapter &<<CHAPenvironment>>& for
-details of the local delivery environment.
-
+details of the local delivery environment and chapter &<<CHAPbatching>>&
+for a discussion of local delivery batching.
.section "Concurrent delivery"
.code
command = /some/path "${if eq{$local_part}{postmaster}{xx}{yy}}"
.endd
-.new
to ensure that it is all in one argument. The expansion is done in this way,
argument by argument, so that the number of arguments cannot be changed as a
result of expansion, and quotes or backslashes in inserted variables do not
.code
command = /bin/sh -c ${lookup{$local_part}lsearch{/some/file}}
.endd
-.wen
.cindex "transport" "filter"
.cindex "filter" "transport filter"
you can do so by setting the &%message_prefix%& option. See section
&<<SECTbatchSMTP>>& for details of batch SMTP.
-.new
.option use_classresources pipe boolean false
.cindex "class resources (BSD)"
This option is available only when Exim is running on FreeBSD, NetBSD, or
resource limits when a &(pipe)& transport is run to perform a delivery. The
limits for the uid under which the pipe is to run are obtained from the login
class database.
-.wen
.option use_crlf pipe boolean false
The private options of the &(smtp)& transport are as follows:
+.new
+.option address_retry_include_sender smtp boolean true
+.cindex "4&'xx'& responses" "retrying after"
+When an address is delayed because of a 4&'xx'& response to a RCPT command, it
+is the combination of sender and recipient that is delayed in subsequent queue
+runs until the retry time is reached. You can delay the recipient without
+reference to the sender (which is what earlier versions of Exim did), by
+setting &%address_retry_include_sender%& false. However, this can lead to
+problems with servers that regularly issue 4&'xx'& responses to RCPT commands.
+.wen
+
.option allow_localhost smtp boolean false
.cindex "local host" "sending to"
.cindex "fallback" "hosts specified on transport"
.option authenticated_sender smtp string&!! unset
.cindex "Cyrus"
-.new
When Exim has authenticated as a client, or if &%authenticated_sender_force%&
is true, this option sets a value for the AUTH= item on outgoing MAIL commands,
overriding any existing authenticated sender value. If the string expansion is
&%authenticated_sender%& still happens (and can cause the delivery to be
deferred if it fails), but no AUTH= item is added to MAIL commands
unless &%authenticated_sender_force%& is true.
-.wen
This option allows you to use the &(smtp)& transport in LMTP mode to
deliver mail to Cyrus IMAP and provide the proper local part as the
value.
-.new
.option authenticated_sender_force smtp boolean false
If this option is set true, the &%authenticated_sender%& option's value
is used for the AUTH= item on outgoing MAIL commands, even if Exim has not
authenticated as a client.
-.wen
.option command_timeout smtp time 5m
.option helo_data smtp string&!! &`$primary_hostname`&
.cindex "HELO argument" "setting"
.cindex "EHLO argument" "setting"
-The value of this option is expanded, and used as the argument for the EHLO or
-HELO command that starts the outgoing SMTP session. The variables &$host$& and
-&$host_address$& are set to the identity of the remote host, and can be used to
-generate different values for different servers.
+.cindex "LHLO argument" "setting"
+The value of this option is expanded, and used as the argument for the EHLO,
+HELO, or LHLO command that starts the outgoing SMTP or LMTP session. The
+variables &$host$& and &$host_address$& are set to the identity of the remote
+host, and can be used to generate different values for different servers.
.option hosts smtp "string list&!!" unset
Hosts are associated with an address by a router such as &(dnslookup)&, which
&<<CHAPSMTPAUTH>>& for details of authentication.
.option interface smtp "string list&!!" unset
+.new
.cindex "bind IP address"
.cindex "IP address" "binding"
.cindex "&$host$&"
.cindex "&$host_address$&"
This option specifies which interface to bind to when making an outgoing SMTP
-call. The variables &$host$& and &$host_address$& refer to the host to which a
-connection is about to be made during the expansion of the string. Forced
-expansion failure, or an empty string result causes the option to be ignored.
-Otherwise, after expansion,
-the string must be a list of IP addresses, colon-separated by default, but the
-separator can be changed in the usual way.
-For example:
+call. &*Note:*& Do not confuse this with the interface address that was used
+when a message was received, which is in &$received_ip_address$&, formerly
+known as &$interface_address$&. The name was changed to minimize confusion with
+the outgoing interface address. There is no variable that contains an outgoing
+interface address because, unless it is set by this option, its value is
+unknown.
+.wen
+
+During the expansion of the &%interface%& option the variables &$host$& and
+&$host_address$& refer to the host to which a connection is about to be made
+during the expansion of the string. Forced expansion failure, or an empty
+string result causes the option to be ignored. Otherwise, after expansion, the
+string must be a list of IP addresses, colon-separated by default, but the
+separator can be changed in the usual way. For example:
.code
interface = <; 192.168.123.123 ; 3ffe:ffff:836f::fe86:a061
.endd
.option port smtp string&!! "see below"
+.new
.cindex "port" "sending TCP/IP"
.cindex "TCP/IP" "setting outgoing port"
-This option specifies the TCP/IP port on the server to which Exim connects. If
-it begins with a digit it is taken as a port number; otherwise it is looked up
-using &[getservbyname()]&. The default value is normally &"smtp"&, but if
-&%protocol%& is set to &"lmtp"&, the default is &"lmtp"&.
-If the expansion fails, or if a port number cannot be found, delivery is
-deferred.
+This option specifies the TCP/IP port on the server to which Exim connects.
+&*Note:*& Do not confuse this with the port that was used when a message was
+received, which is in &$received_port$&, formerly known as &$interface_port$&.
+The name was changed to minimize confusion with the outgoing port. There is no
+variable that contains an outgoing port.
+.wen
+
+If the value of this option begins with a digit it is taken as a port number;
+otherwise it is looked up using &[getservbyname()]&. The default value is
+normally &"smtp"&, but if &%protocol%& is set to &"lmtp"&, the default is
+&"lmtp"&. If the expansion fails, or if a port number cannot be found, delivery
+is deferred.
.cindex "TLS client private key" "location of"
.cindex "&$host$&"
.cindex "&$host_address$&"
-.new
The value of this option must be the absolute path to a file which contains the
client's private key. This is used when sending a message over an encrypted
connection using a client certificate. The values of &$host$& and
expansion. If this option is unset, or the expansion is forced to fail, or the
result is an empty string, the private key is assumed to be in the same file as
the certificate. See chapter &<<CHAPTLS>>& for details of TLS.
-.wen
.option tls_require_ciphers smtp string&!! unset
.option tls_tempfail_tryclear smtp boolean true
+.cindex "4&'xx'& responses" "to STARTTLS"
When the server host is not in &%hosts_require_tls%&, and there is a problem in
setting up a TLS session, this option determines whether or not Exim should try
to deliver the message unencrypted. If it is set false, delivery to the
addresses and addresses in header lines. Each rule specifies the types of
address to which it applies.
-Rewriting of addresses in header lines applies only to those headers that
-were received with the message, and, in the case of transport rewriting, those
-that were added by a system filter. That is, it applies only to those headers
-that are common to all copies of the message. Header lines that are added by
-individual routers or transports (and which are therefore specific to
-individual recipient addresses) are not rewritten.
+Whether or not addresses in header lines are rewritten depends on the origin of
+the headers and the type of rewriting. Global rewriting, that is, rewriting
+rules from the rewrite section of the configuration file, is applied only to
+those headers that were received with the message. Header lines that are added
+by ACLs or by a system filter or by individual routers or transports (which
+are specific to individual recipient addresses) are not rewritten by the global
+rules.
+
+Rewriting at transport time, by means of the &%headers_rewrite%& option,
+applies all headers except those added by routers and transports. That is, as
+well as the headers that were received with the message, it also applies to
+headers that were added by an ACL or a system filter.
+
In general, rewriting addresses from your own system or domain has some
legitimacy. Rewriting other addresses should be done only with great care and
as they were before (that is, they contain the unrewritten &-- except for
SMTP-time rewriting &-- address).
-.new
As soon as a message's header lines have been received, all the envelope
recipient addresses are permanently rewritten, and rewriting is also applied to
the addresses in the header lines (if configured). This happens before adding
any header lines that were specified in MAIL or RCPT ACLs, and
.cindex "&[local_scan()]& function" "address rewriting; timing of"
before the DATA ACL and &[local_scan()]& functions are run.
-.wen
When an address is being routed, either for delivery or for verification,
rewriting is applied immediately to child addresses that are generated by
redirection, unless &%no_rewrite%& is set on the router.
-.new
.cindex "envelope sender" "rewriting at transport time"
.cindex "rewriting" "at transport time"
.cindex "header lines" "rewriting at transport time"
The outgoing envelope sender can be rewritten by means of the &%return_path%&
transport option. However, it is not possible to rewrite envelope recipients at
transport time.
-.wen
subsequent delivery attempts from queue runs occur only when the retry time for
the local address is reached.
+.section "Changing retry rules"
+If you change the retry rules in your configuration, you should consider
+whether or not to delete the retry data that is stored in Exim's spool area in
+files with names like &_db/retry_&. Deleting any of Exim's hints files is
+always safe; that is why they are called &"hints"&.
+
+The hints retry data contains suggested retry times based on the previous
+rules. In the case of a long-running problem with a remote host, it might
+record the fact that the host has timed out. If your new rules increase the
+timeout time for such a host, you should definitely remove the old retry data
+and let Exim recreate it, based on the new rules. Otherwise Exim might bounce
+messages that it should now be retaining.
-.section "Retry rules"
+
+.section "Format of retry rules"
.cindex "retry" "rules"
Each retry rule occupies one line and consists of three or four parts,
separated by white space: a pattern, an error name, an optional list of sender
The pattern is any single item that may appear in an address list (see section
&<<SECTaddresslist>>&). It is in fact processed as a one-item address list,
which means that it is expanded before being tested against the address that
-has been delayed. Address list processing treats a plain domain name as if it
-were preceded by &"*@"&, which makes it possible for many retry rules to start
-with just a domain. For example,
+has been delayed. A negated address list item is permitted. Address
+list processing treats a plain domain name as if it were preceded by &"*@"&,
+which makes it possible for many retry rules to start with just a domain. For
+example,
.code
lookingglass.fict.example * F,24h,30m;
.endd
local transports).
.new
+.cindex "4&'xx'& responses" "retry rules for"
However, when Exim is looking for a retry rule after a remote delivery attempt
suffers an address error (a 4&'xx'& SMTP response for a recipient address), the
whole address is always used as the key when searching the retry rules. The
-rule that is found is used to create a retry time for the failing address.
+rule that is found is used to create a retry time for the combination of the
+failing address and the message's sender. It is the combination of sender and
+recipient that is delayed in subsequent queue runs until its retry time is
+reached. You can delay the recipient without regard to the sender by setting
+&%address_retry_include_sender%& false in the &(smtp)& transport but this can
+lead to problems with servers that regularly issue 4&'xx'& responses to RCPT
+commands.
.wen
+
.section "Choosing which retry rule to use for host and message errors"
For a temporary error that is not related to an individual address (for
example, a connection timeout), each line in the retry configuration is checked
Authentication failed when trying to send to a host in the
&%hosts_require_auth%& list in an &(smtp)& transport.
-.new
.vitem &%data_4xx%&
A 4&'xx'& error was received for an outgoing DATA command, either immediately
after the command, or after sending the message's data.
.endd
These errors apply to both outgoing SMTP (the &(smtp)& transport) and outgoing
LMTP (either the &(lmtp)& transport, or the &(smtp)& transport in LMTP mode).
-.wen
.vlist
-.new
.vitem &%lost_connection%&
A server unexpectedly closed the SMTP connection. There may, of course,
legitimate reasons for this (host died, network died), but if it repeats a lot
for the same host, it indicates something odd.
-.wen
.vitem &%refused_MX%&
A connection to a host obtained from an MX record was refused.
.vitem &%timeout%&
There was a timeout while connecting or during an SMTP session.
-.new
.vitem &%tls_required%&
The server was required to use TLS (it matched &%hosts_require_tls%& in the
&(smtp)& transport), but either did not offer TLS, or it responded with 4&'xx'&
to STARTTLS, or there was a problem setting up the TLS connection.
-.wen
.vitem &%quota%&
A mailbox quota was exceeded in a local delivery by the &(appendfile)&
.code
* rcpt_4xx senders=: F,1h,30m
.endd
-.new
matches recipient 4&'xx'& errors for bounce messages sent to any address at any
host. If the address list contains white space, it must be enclosed in quotes.
For example:
.code
a.domain rcpt_452 senders="xb.dom : yc.dom" G,8h,10m,1.5
.endd
-.wen
&*Warning*&: This facility can be unhelpful if it is used for host errors
(which do not depend on the recipient). The reason is that the sender is used
only to match the retry rule. Once the rule has been found for a host error,
.cindex "limit" "retry interval"
.cindex "retry interval" "maximum"
.cindex "&%retry_interval_max%&"
-&%retry_interval_max%& limits the maximum interval between retries. &new("It
-cannot be set greater than &`24h`&, which is its default value.")
+&%retry_interval_max%& limits the maximum interval between retries. It
+cannot be set greater than &`24h`&, which is its default value.
A single remote domain may have a number of hosts associated with it, and each
host may have more than one IP address. Retry algorithms are selected on the
down all the time, which is not a justified assumption.
If a host really is permanently dead, this behaviour causes a burst of retries
-every now and again, but only if messages routed to it are rare. It there is a
+every now and again, but only if messages routed to it are rare. If there is a
message at least once every 7 days the retry data never expires.
deliver to permanently failing IP addresses than when &%delay_after_cutoff%& is
true.
-.new
.section "Deliveries that work intermittently"
.cindex "retry" "intermittently working deliveries"
Some additional logic is needed to cope with cases where a host is
intermittently available, or when a message has some attribute that prevents
its delivery when others to the same address get through. In this situation,
because some messages are successfully delivered, the &"retry clock"& for the
-host or address keeps getting restarted, and so a message could remain on the
-queue for ever because the cutoff time is never reached.
-
-Two exceptional actions are applied to prevent this happening. Firstly, if a
-message's arrival time is earlier than the &"first failed"& time for a host or
-address, the earlier time is used when scanning the retry rules.
-
-Secondly, if a message has been on the queue for longer than the cutoff time of
-any applicable retry rule for a given address, a delivery is attempted for that
-address, even if it is not yet time, and if this delivery fails, the address is
-timed out. A new retry time is not computed in this case, so that other
-messages for the same address are considered immediately.
-
-These two actions are probably equivalent; the fact that they both exist is a
-a historical accident. The second was implemented first, and was left in place
-when the first was added on the grounds that this was harmless, whereas
-removing it might have broken something in this rather tricky area.
+host or address keeps getting reset by the successful deliveries, and so
+failing messages remain on the queue for ever because the cutoff time is never
+reached.
+
+Two exceptional actions are applied to prevent this happening. The first
+applies to errors that are related to a message rather than a remote host.
+Section &<<SECToutSMTPerr>>& has a discussion of the different kinds of error;
+examples of message-related errors are 4&'xx'& responses to MAIL or DATA
+commands, and quota failures. For this type of error, if a message's arrival
+time is earlier than the &"first failed"& time for the error, the earlier time
+is used when scanning the retry rules to decide when to try next and when to
+time out the address.
+
+The exceptional second action applies in all cases. If a message has been on
+the queue for longer than the cutoff time of any applicable retry rule for a
+given address, a delivery is attempted for that address, even if it is not yet
+time, and if this delivery fails, the address is timed out. A new retry time is
+not computed in this case, so that other messages for the same address are
+considered immediately.
.ecindex IIDretconf1
.ecindex IIDregconf2
-.wen
See section &<<SECTauthexiser>>& below for further discussion.
+.new
+.option server_condition authenticators string&!! unset
+This option must be set for a &%plaintext%& server authenticator, where it
+is used directly to control authentication. See section &<<SECTplainserver>>&
+for details.
+
+For the other authenticators, &%server_condition%& can be used as an additional
+authentication or authorization mechanism that is applied after the other
+authenticator conditions succeed. If it is set, it is expanded when the
+authenticator would otherwise return a success code. If the expansion is forced
+to fail, authentication fails. Any other expansion failure causes a temporary
+error code to be returned. If the result of a successful expansion is an empty
+string, &"0"&, &"no"&, or &"false"&, authentication fails. If the result of the
+expansion is &"1"&, &"yes"&, or &"true"&, authentication succeeds. For any
+other result, a temporary error code is returned, with the expanded string as
+the error text.
+.wen
+
+
.option server_debug_print authenticators string&!! unset
If this option is set and authentication debugging is enabled (see the &%-d%&
command line option), the string is expanded and included in the debugging
.chapter "The plaintext authenticator" "CHAPplaintext"
.scindex IIDplaiauth1 "&(plaintext)& authenticator"
.scindex IIDplaiauth2 "authenticators" "&(plaintext)&"
-.new
The &(plaintext)& authenticator can be configured to support the PLAIN and
LOGIN authentication mechanisms, both of which transfer authentication data as
plain (unencrypted) text (though base64 encoded). The use of plain text is a
(see chapter &<<CHAPTLS>>&) if you use the PLAIN or LOGIN mechanisms. If you do
use unencrypted plain text, you should not use the same passwords for SMTP
connections as you do for login accounts.
-.wen
-.section "Using plaintext in a server"
+.new
+.section "Plaintext options"
.cindex "options" "&(plaintext)& authenticator (server)"
-When running as a server, &(plaintext)& performs the authentication test by
-expanding a string. It has the following options:
+When configured as a server, &(plaintext)& uses the following options:
+
+.option server_condition authenticators string&!! unset
+This is actually a global authentication option, but it must be set in order to
+configure the &(plaintext)& driver as a server. Its use is described below.
+.wen
.option server_prompts plaintext string&!! unset
The contents of this option, after expansion, must be a colon-separated list of
prompt strings. If expansion fails, a temporary authentication rejection is
given.
-.option server_condition plaintext string&!! unset
-This option must be set in order to configure the driver as a server. Its use
-is described below.
-
+.section "Using plaintext in a server" "SECTplainserver"
.cindex "AUTH" "in &(plaintext)& authenticator"
.cindex "binary zero" "in &(plaintext)& authenticator"
.cindex "numerical variables (&$1$& &$2$& etc)" &&&
"in &(plaintext)& authenticator"
.cindex "&$auth1$&, &$auth2$&, etc"
.cindex "base64 encoding" "in &(plaintext)& authenticator"
-.new
-The data sent by the client with the AUTH command, or in response to
-subsequent prompts, is base64 encoded, and so may contain any byte values
-when decoded. If any data is supplied with the command, it is treated as a
-list of strings, separated by NULs (binary zeros), the first three of which are
-placed in the expansion variables &$auth1$&, &$auth2$&, and &$auth3$& (neither
-LOGIN nor PLAIN uses more than three strings).
+
+When running as a server, &(plaintext)& performs the authentication test by
+expanding a string. The data sent by the client with the AUTH command, or in
+response to subsequent prompts, is base64 encoded, and so may contain any byte
+values when decoded. If any data is supplied with the command, it is treated as
+a list of strings, separated by NULs (binary zeros), the first three of which
+are placed in the expansion variables &$auth1$&, &$auth2$&, and &$auth3$&
+(neither LOGIN nor PLAIN uses more than three strings).
For compatibility with previous releases of Exim, the values are also placed in
the expansion variables &$1$&, &$2$&, and &$3$&. However, the use of these
variables for this purpose is now deprecated, as it can lead to confusion in
string expansions that also use them for other things.
-.wen
If there are more strings in &%server_prompts%& than the number of strings
supplied with the AUTH command, the remaining prompts are used to obtain more
The second and third strings are a user name and a corresponding password.
Using a single fixed user name and password as an example, this could be
configured as follows:
-.new
.code
fixed_plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = \
- ${if and {{eq{$auth2}{username}}{eq{$auth3}{mysecret}}}\
- {yes}{no}}
+ ${if and {{eq{$auth2}{username}}{eq{$auth3}{mysecret}}}}
server_set_id = $auth2
.endd
+Note that the default result strings from &%if%& (&"true"& or an empty string)
+are exactly what we want here, so they need not be specified. Obviously, if the
+password contains expansion-significant characters such as dollar, backslash,
+or closing brace, they have to be escaped.
+
The &%server_prompts%& setting specifies a single, empty prompt (empty items at
the end of a string list are ignored). If all the data comes as part of the
AUTH command, as is commonly the case, the prompt is not used. This
realistic, though for a small organization with only a handful of
authenticating clients it could make sense.
-.new
A more sophisticated instance of this authenticator could use the user name in
&$auth2$& to look up a password in a file or database, and maybe do an encrypted
comparison (see &%crypteq%& in chapter &<<CHAPexpand>>&). Here is a example of
This is an incorrect example:
.code
server_condition = \
- ${if eq{$auth3}{${lookup{$auth2}dbm{/etc/authpwd}}}{yes}{no}}
+ ${if eq{$auth3}{${lookup{$auth2}dbm{/etc/authpwd}}}}
.endd
The expansion uses the user name (&$auth2$&) as the key to look up a password,
which it then compares to the supplied password (&$auth3$&). Why is this example
name and an empty password. The correct way of writing this test is:
.code
server_condition = ${lookup{$auth2}dbm{/etc/authpwd}\
- {${if eq{$value}{$auth3}{yes}{no}}}{no}}
+ {${if eq{$value}{$auth3}}} {false}}
.endd
-.wen
In this case, if the lookup succeeds, the result is checked; if the lookup
-fails, authentication fails. If &%crypteq%& is being used instead of &%eq%&,
-the first example is in fact safe, because &%crypteq%& always fails if its
-second argument is empty. However, the second way of writing the test makes the
-logic clearer.
-
+fails, &"false"& is returned and authentication fails. If &%crypteq%& is being
+used instead of &%eq%&, the first example is in fact safe, because &%crypteq%&
+always fails if its second argument is empty. However, the second way of
+writing the test makes the logic clearer.
.section "The LOGIN authentication mechanism"
in a number of programs. No data is sent with the AUTH command. Instead, a
user name and password are supplied separately, in response to prompts. The
plaintext authenticator can be configured to support this as in this example:
-.new
.code
fixed_login:
driver = plaintext
public_name = LOGIN
server_prompts = User Name : Password
server_condition = \
- ${if and {{eq{$auth1}{username}}{eq{$auth2}{mysecret}}}\
- {yes}{no}}
+ ${if and {{eq{$auth1}{username}}{eq{$auth2}{mysecret}}}}
server_set_id = $auth1
.endd
-.wen
Because of the way plaintext operates, this authenticator accepts data supplied
with the AUTH command (in contravention of the specification of LOGIN), but
if the client does not supply it (as is the case for LOGIN clients), the prompt
&"Password:"&. Here is an example of a LOGIN authenticator that uses those
strings. It uses the &%ldapauth%& expansion condition to check the user
name and password by binding to an LDAP server:
-.new
.code
login:
driver = plaintext
server_condition = ${if ldapauth \
{user="cn=${quote_ldap_dn:$auth1},ou=people,o=example.org" \
pass=${quote:$auth2} \
- ldap://ldap.example.org/}{yes}{no}}
+ ldap://ldap.example.org/}}
server_set_id = uid=$auth1,ou=people,o=example.org
.endd
-.wen
Note the use of the &%quote_ldap_dn%& operator to correctly quote the DN for
authentication. However, the basic &%quote%& operator, rather than any of the
LDAP quoting operators, is the correct one to use for the password, because
.cindex "options" "&(plaintext)& authenticator (client)"
The &(plaintext)& authenticator has two client options:
-.new
.option client_ignore_invalid_base64 plaintext boolean false
If the client receives a server prompt that is not a valid base64 string,
authentication is abandoned by default. However, if this option is set true,
the error in the challenge is ignored and the client sends the response as
usual.
-.wen
.option client_send plaintext string&!! unset
-.new
The string is a colon-separated list of authentication data strings. Each
string is independently expanded before being sent to the server. The first
string is sent with the AUTH command; any more strings are sent in response
so on. If an invalid base64 string is received when
&%client_ignore_invalid_base64%& is set, an empty string is put in the
&$auth$&<&'n'&> variable.
-.wen
&*Note*&: You cannot use expansion to create multiple strings, because
splitting takes priority and happens first.
.option server_secret cram_md5 string&!! unset
.cindex "numerical variables (&$1$& &$2$& etc)" "in &(cram_md5)& authenticator"
When the server receives the client's response, the user name is placed in
-the expansion variable &new("&$auth1$&"), and &%server_secret%& is expanded to
+the expansion variable &$auth1$&, and &%server_secret%& is expanded to
obtain the password for that user. The server then computes the CRAM-MD5 digest
that the client should have sent, and checks that it received the correct
string. If the expansion of &%server_secret%& is forced to fail, authentication
fails. If the expansion fails for some other reason, a temporary error code is
returned to the client.
-.new
For compatibility with previous releases of Exim, the user name is also placed
in &$1$&. However, the use of this variables for this purpose is now
deprecated, as it can lead to confusion in string expansions that also use
numeric variables for other things.
-.wen
For example, the following authenticator checks that the user name given by the
client is &"ph10"&, and if so, uses &"secret"& as the password. For any other
user name, authentication fails.
-.new
.code
fixed_cram:
driver = cram_md5
server_secret = ${if eq{$auth1}{ph10}{secret}fail}
server_set_id = $auth1
.endd
-.wen
.cindex "&$authenticated_id$&"
If authentication succeeds, the setting of &%server_set_id%& preserves the user
name in &$authenticated_id$&. A more tyical configuration might look up the
secret string in a file, using the user name as the key. For example:
-.new
.code
lookup_cram:
driver = cram_md5
server_secret = ${lookup{$auth1}lsearch{/etc/authpwd}{$value}fail}
server_set_id = $auth1
.endd
-.wen
Note that this expansion explicitly forces failure if the lookup fails
because &$1$& contains an unknown user name.
.scindex IIDcyrauth1 "&(cyrus_sasl)& authenticator"
.scindex IIDcyrauth2 "authenticators" "&(cyrus_sasl)&"
.cindex "Cyrus" "SASL library"
+.cindex "Kerberos"
The code for this authenticator was provided by Matthew Byng-Maddick of A L
Digital Ltd (&url(http://www.aldigital.co.uk)).
by default. You may also find you need to set environment variables,
depending on the driver you are using.
+.new
+The application name provided by Exim is &"exim"&, so various SASL options may
+be set in &_exim.conf_& in your SASL directory. If you are using GSSAPI for
+Kerberos, note that because of limitations in the GSSAPI interface,
+changing the server keytab might need to be communicated down to the Kerberos
+layer independently. The mechanism for doing so is dependent upon the Kerberos
+implementation. For example, for Heimdal, the environment variable KRB5_KTNAME
+may be set to point to an alternative keytab file. Exim will pass this
+variable through from its own inherited environment when started as root or the
+Exim user. The keytab file needs to be readable by the Exim user.
+.wen
+
.section "Using cyrus_sasl as a server"
-.new
The &(cyrus_sasl)& authenticator has four private options. It puts the username
(on a successful authentication) into &$auth1$&. For compatibility with
previous releases of Exim, the username is also placed in &$1$&. However, the
use of this variable for this purpose is now deprecated, as it can lead to
confusion in string expansions that also use numeric variables for other
things.
-.wen
.option server_hostname cyrus_sasl string&!! &`$primary_hostname`&
This option selects the authentication mechanism this driver should
use. It allows you to use a different underlying mechanism from the
advertised name. For example:
-.new
.code
sasl:
driver = cyrus_sasl
server_mech = CRAM-MD5
server_set_id = $auth1
.endd
-.wen
.option server_realm cyrus_sasl string unset
This specifies the SASL realm that the server claims to be in.
private options. All you need to do is to specify an appropriate mechanism as
the public name. Thus, if you have a SASL library that supports CRAM-MD5 and
PLAIN, you could have two authenticators as follows:
-.new
.code
sasl_cram_md5:
driver = cyrus_sasl
public_name = PLAIN
server_set_id = $auth1
.endd
-.wen
Cyrus SASL does implement the LOGIN authentication method, even though it is
not a standard method. It is disabled by default in the source distribution,
but it is present in many binary distributions.
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+.new
+.chapter "The dovecot authenticator" "CHAPdovecot"
+.scindex IIDdcotauth1 "&(dovecot)& authenticator"
+.scindex IIDdcotauth2 "authenticators" "&(dovecot)&"
+This authenticator is an interface to the authentication facility of the
+Dovecot POP/IMAP server, which can support a number of authentication methods.
+If you are using Dovecot to authenticate POP/IMAP clients, it might be helpful
+to use the same mechanisms for SMTP authentication. This is a server
+authenticator only. There is only one option:
+
+.option server_socket dovecot string unset
+
+This option must specify the socket that is the interface to Dovecot
+authentication. The &%public_name%& option must specify an authentication
+mechanism that Dovecot is configured to support. You can have several
+authenticators for different mechanisms. For example:
+.code
+dovecot_plain:
+ driver = dovecot
+ public_name = PLAIN
+ server_socket = /var/run/dovecot/auth-client
+ server_setid = $auth1
+
+dovecot_ntlm:
+ driver = dovecot
+ public_name = NTLM
+ server_socket = /var/run/dovecot/auth-client
+ server_setid = $auth1
+.endd
+If the SMTP connection is encrypted, or if &$sender_host_address$& is equal to
+&$received_ip_address$& (that is, the connection is local), the &"secured"&
+option is passed in the Dovecot authentication command. If, for a TLS
+connection, a client certificate has been verified, the &"valid-client-cert"&
+option is passed.
+.ecindex IIDdcotauth1
+.ecindex IIDdcotauth2
+.wen
+
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
.option server_password spa string&!! unset
.cindex "numerical variables (&$1$& &$2$& etc)" "in &(spa)& authenticator"
-.new
This option is expanded, and the result must be the cleartext password for the
authenticating user, whose name is at this point in &$auth1$&. For
compatibility with previous releases of Exim, the user name is also placed in
server_password = \
${lookup{$auth1}lsearch{/etc/exim/spa_clearpass}{$value}fail}
.endd
-.wen
If the expansion is forced to fail, authentication fails. Any other expansion
failure causes a temporary error code to be returned.
.section "GnuTLS parameter computation"
-GnuTLS uses RSA and D-H parameters that take a substantial amount of time to
-compute. It is unreasonable to re-compute them for every TLS session.
+GnuTLS uses RSA and D-H parameters that may take a substantial amount of time
+to compute. It is unreasonable to re-compute them for every TLS session.
Therefore, Exim keeps this data in a file in its spool directory, called
&_gnutls-params_&. The file is owned by the Exim user and is readable only by
its owner. Every Exim process that start up GnuTLS reads the RSA and D-H
tls_certificate = /some/file/name
tls_privatekey = /some/file/name
.endd
-.new
These options are, in fact, expanded strings, so you can make them depend on
the identity of the client that is connected if you wish. The first file
contains the server's X509 certificate, and the second contains the private key
is assumed to be the case. The certificate file may also contain intermediate
certificates that need to be sent to the client to enable it to authenticate
the server's certificate.
-.wen
If you do not understand about certificates and keys, please try to find a
source of this background information, which is not Exim-specific. (There are a
few comments below in section &<<SECTcerandall>>&.)
-.new
&*Note*&: These options do not apply when Exim is operating as a client &--
they apply only in the case of a server. If you need to use a certificate in an
Exim client, you must set the options of the same names in an &(smtp)&
With just these options, an Exim server will be able to use TLS. It does not
require the client to have a certificate (but see below for how to insist on
this). There is one other option that may be needed in other situations. If
-.wen
.code
tls_dhparam = /some/file/name
.endd
.cindex "STARTTLS" "ACL for"
.cindex "VRFY" "ACL for"
.cindex "SMTP connection" "ACL for"
-.cindex "non-smtp message" "ACL for"
+.cindex "non-smtp message" "ACLs for"
+.cindex "MIME parts" "ACL for"
.table2 140pt
.row &~&%acl_not_smtp%& "ACL for non-SMTP messages"
+.row &~&%acl_not_smtp_mime%& "ACL for non-SMTP MIME parts"
+.row &~&%acl_not_smtp_start%& "ACL at start of non-SMTP message"
.row &~&%acl_smtp_auth%& "ACL for AUTH"
.row &~&%acl_smtp_connect%& "ACL for start of SMTP connection"
.row &~&%acl_smtp_data%& "ACL after DATA is complete"
testing as possible at RCPT time.
-.section "The non-SMTP ACL"
-.cindex "non-smtp message" "ACL for"
-The non-SMTP ACL applies to all non-interactive incoming messages, that is, it
-applies to batch SMTP as well as to non-SMTP messages. (Batch SMTP is not
-really SMTP.) This ACL is run just before the &[local_scan()]& function. Any
+.section "The non-SMTP ACLs"
+.cindex "non-smtp message" "ACLs for"
+The non-SMTP ACLs apply to all non-interactive incoming messages, that is, they
+apply to batched SMTP as well as to non-SMTP messages. (Batched SMTP is not
+really SMTP.) Many of the ACL conditions (for example, host tests, and tests on
+the state of the SMTP connection such as encryption and authentication) are not
+relevant and are forbidden in these ACLs. However, the sender and recipients
+are known, so the &%senders%& and &%sender_domains%& conditions and the
+&$sender_address$& and &$recipients$& variables can be used. Variables such as
+&$authenticated_sender$& are also available. You can specify added header lines
+in any of these ACLs.
+
+The &%acl_not_smtp_start%& ACL is run right at the start of receiving a
+non-SMTP message, before any of the message has been read. (This is the
+analogue of the &%acl_smtp_predata%& ACL for SMTP input.) The result of this
+ACL is ignored; it cannot be used to reject a message. If you really need to,
+you could set a value in an ACL variable here and reject based on that in the
+&%acl_not_smtp%& ACL. However, this ACL can be used to set controls, and in
+particular, it can be used to set
+.code
+control = suppress_local_fixups
+.endd
+This cannot be used in the other non-SMTP ACLs because by the time they are
+run, it is too late.
+
+The &%acl_not_smtp_mime%& ACL is available only when Exim is compiled with the
+content-scanning extension. For details, see chapter &<<CHAPexiscan>>&.
+
+The &%acl_not_smtp%& ACL is run just before the &[local_scan()]& function. Any
kind of rejection is treated as permanent, because there is no way of sending a
-temporary error for these kinds of message. Many of the ACL conditions (for
-example, host tests, and tests on the state of the SMTP connection such as
-encryption and authentication) are not relevant and are forbidden in this ACL.
+temporary error for these kinds of message.
-.section "The connect ACL"
+.section "The SMTP connect ACL"
+.new
.cindex "SMTP connection" "ACL for"
-The ACL test specified by &%acl_smtp_connect%& happens after the test specified
-by &%host_reject_connection%& (which is now an anomaly) and any TCP Wrappers
-testing (if configured).
+.cindex &%smtp_banner%&
+The ACL test specified by &%acl_smtp_connect%& happens at the start of an SMTP
+session, after the test specified by &%host_reject_connection%& (which is now
+an anomaly) and any TCP Wrappers testing (if configured). If the connection is
+accepted by an &%accept%& verb that has a &%message%& modifier, the contents of
+the message override the banner message that is otherwise specified by the
+&%smtp_banner%& option.
+
+
+.section "The EHLO/HELO ACL"
+.cindex "EHLO" "ACL for"
+.cindex "HELO" "ACL for"
+The ACL test specified by &%acl_smtp_helo%& happens when the client issues an
+EHLO or HELO command, after the tests specified by &%helo_accept_junk_hosts%&,
+&%helo_allow_chars%&, &%helo_verify_hosts%&, and &%helo_try_verify_hosts%&.
+Note that a client may issue more than one EHLO or HELO command in an SMTP
+session, and indeed is required to issue a new EHLO or HELO after successfully
+setting up encryption following a STARTTLS command.
+
+If the command is accepted by an &%accept%& verb that has a &%message%&
+modifier, the message may not contain more than one line (it will be truncated
+at the first newline and a panic logged if it does). Such a message cannot
+affect the EHLO options that are listed on the second and subsequent lines of
+an EHLO response.
+.wen
.section "The DATA ACLs"
your resources.
-.section "The MIME ACL"
+.section "The SMTP MIME ACL"
The &%acl_smtp_mime%& option is available only when Exim is compiled with the
content-scanning extension. For details, see chapter &<<CHAPexiscan>>&.
.section "Finding an ACL to use"
.cindex "&ACL;" "finding which to use"
-The value of an &%acl_smtp_%&&'xxx'& option is expanded before use, so you can
-use different ACLs in different circumstances. The resulting string does not
-have to be the name of an ACL in the configuration file; there are other
-possibilities. Having expanded the string, Exim searches for an ACL as follows:
+The value of an &%acl_smtp_%&&'xxx'& option is expanded before use, so
+you can use different ACLs in different circumstances. For example,
+.code
+acl_smtp_rcpt = ${if ={25}{$interface_port} \
+ {acl_check_rcpt} {acl_check_rcpt_submit} }
+.endd
+In the default configuration file there are some example settings for
+providing an RFC 4409 message submission service on port 587 and a
+non-standard &"smtps"& service on port 465. You can use a string
+expansion like this to choose an ACL for MUAs on these ports which is
+more appropriate for this purpose than the default ACL on port 25.
+
+The expanded string does not have to be the name of an ACL in the
+configuration file; there are other possibilities. Having expanded the
+string, Exim searches for an ACL as follows:
.ilist
If the string begins with a slash, Exim uses it as a file name, and reads its
not defined at all. For any defined ACL, the default action when control
reaches the end of the ACL statements is &"deny"&.
+For &%acl_smtp_quit%& and &%acl_not_smtp_start%& there is no default because
+these two are ACLs that are used only for their side effects. They cannot be
+used to accept or reject anything.
+
For &%acl_not_smtp%&, &%acl_smtp_auth%&, &%acl_smtp_connect%&,
&%acl_smtp_data%&, &%acl_smtp_helo%&, &%acl_smtp_mail%&, &%acl_smtp_mailauth%&,
-&%acl_smtp_mime%&, &%acl_smtp_predata%&, &%acl_smtp_quit%&, and
-&%acl_smtp_starttls%&, the action when the ACL is not defined is &"accept"&.
+&%acl_smtp_mime%&, &%acl_smtp_predata%&, and &%acl_smtp_starttls%&, the action
+when the ACL is not defined is &"accept"&.
For the others (&%acl_smtp_etrn%&, &%acl_smtp_expn%&, &%acl_smtp_rcpt%&, and
&%acl_smtp_vrfy%&), the action when the ACL is not defined is &"deny"&.
fails, the ACL yields &"deny"&, because the failing condition is after
&%endpass%&.
+.new
+The &%endpass%& feature has turned out to be confusing to many people, so its
+use is not recommended nowadays. It is always possible to rewrite an ACL so
+that &%endpass%& is not needed, and it is no longer used in the default
+configuration.
+
+.cindex "&%message%&" "ACL modifier, with &%accept%&"
+If a &%message%& modifier appears on an &%accept%& statement, its action
+depends on whether or not &%endpass%& is present. In the absence of &%endpass%&
+(when an &%accept%& verb either accepts or passes control to the next
+statement), &%message%& can be used to vary the message that is sent when an
+SMTP command is accepted. For example, in a RCPT ACL you could have:
+.display
+&`accept `&<&'some conditions'&>
+&` message = OK, I'll allow you through today`&
+.endd
+You can specify an SMTP response code, optionally followed by an &"extended
+response code"& at the start of the message, but the first digit must be the
+same as would be sent by default, which is 2 for an &%accept%& verb.
+
+If &%endpass%& is present in an &%accept%& statement, &%message%& specifies
+an error message that is used when access is denied. This behaviour is retained
+for backward compatibility, but current &"best practice"& is to avoid the use
+of &%endpass%&.
+.wen
+
+
.next
.cindex "&%defer%&" "ACL verb"
-&%defer%&: If all the conditions are met, the ACL returns &"defer"& which, in
+&%defer%&: If all the conditions are true, the ACL returns &"defer"& which, in
an SMTP session, causes a 4&'xx'& response to be given. For a non-SMTP ACL,
&%defer%& is the same as &%deny%&, because there is no way of sending a
temporary error. For a RCPT command, &%defer%& is much the same as using a
&(redirect)& router and &`:defer:`& while verifying, but the &%defer%& verb can
be used in any ACL, and even for a recipient it might be a simpler approach.
+
+
.next
.cindex "&%deny%&" "ACL verb"
&%deny%&: If all the conditions are met, the ACL returns &"deny"&. If any of
.endd
rejects commands from hosts that are on a DNS black list.
+
.next
+.new
.cindex "&%discard%&" "ACL verb"
&%discard%&: This verb behaves like &%accept%&, except that it returns
&"discard"& from the ACL instead of &"accept"&. It is permitted only on ACLs
-that are concerned with receiving messages, and it causes recipients to be
-discarded. If the &%log_message%& modifier is set when &%discard%& operates,
+that are concerned with receiving messages. When all the conditions are true,
+the sending entity receives a &"success"& response. However, &%discard%& causes
+recipients to be discarded. If it is used in an ACL for RCPT, just the one
+recipient is discarded; if used for MAIL, DATA or in the non-SMTP ACL, all the
+message's recipients are discarded. Recipients that are discarded before DATA
+do not appear in the log line when the &%log_recipients%& log selector is set.
+
+If the &%log_message%& modifier is set when &%discard%& operates,
its contents are added to the line that is automatically written to the log.
+The &%message%& modifier operates exactly as it does for &%accept%&.
+.wen
+
-If &%discard%& is used in an ACL for RCPT, just the one recipient is
-discarded; if used for MAIL, DATA or in the non-SMTP ACL, all the
-message's recipients are discarded. Recipients that are discarded before
-DATA do not appear in the log line when the &%log_recipients%& log selector
-is set.
.next
.cindex "&%drop%&" "ACL verb"
&%drop%&: This verb behaves like &%deny%&, except that an SMTP connection is
.next
.cindex "&%warn%&" "ACL verb"
-&%warn%&: If all the conditions are met, a header line is added to an incoming
-message and/or a line is written to Exim's main log. In all cases, control
-passes to the next ACL statement. The text of the added header line and the log
-line are specified by modifiers; if they are not present, a &%warn%& verb just
-checks its conditions and obeys any &"immediate"& modifiers such as &%set%& and
-&%logwrite%&. There is more about adding header lines in section
+&%warn%&: If all the conditions are true, a line specified by the
+&%log_message%& modifier is written to Exim's main log. Control always passes
+to the next ACL statement. If any condition is false, the log line is not
+written. If an identical log line is requested several times in the same
+message, only one copy is actually written to the log. If you want to force
+duplicates to be written, use the &%logwrite%& modifier instead.
+
+If &%log_message%& is not present, a &%warn%& verb just checks its conditions
+and obeys any &"immediate"& modifiers (such as &%control%&, &%set%&,
+&%logwrite%&, and &%add_header%&) that appear before the first failing
+condition. There is more about adding header lines in section
&<<SECTaddheadacl>>&.
If any condition on a &%warn%& statement cannot be completed (that is, there is
-some sort of defer), no header lines are added and the configured log line is
-not written. No further conditions or modifiers in the &%warn%& statement are
-processed. The incident is logged, but the ACL continues to be processed, from
-the next statement onwards.
-
-If a &%message%& modifier is present on a &%warn%& verb in an ACL that is not
-testing an incoming message, it is ignored, and the incident is logged.
+some sort of defer), the log line specified by &%log_message%& is not written.
+&new("This does not include the case of a forced failure from a lookup, which
+is considered to be a successful completion. After a defer,") no further
+conditions or modifiers in the &%warn%& statement are processed. The incident
+is logged, and the ACL continues to be processed, from the next statement
+onwards.
-A &%warn%& statement may use the &%log_message%& modifier to cause a line to be
-written to the main log when the statement's conditions are true.
-If an identical log line is requested several times in the same message, only
-one copy is actually written to the log. If you want to force duplicates to be
-written, use the &%logwrite%& modifier instead.
.cindex "&$acl_verify_message$&"
When one of the &%warn%& conditions is an address verification that fails, the
.section "ACL variables" "SECTaclvariables"
+.new
.cindex "&ACL;" "variables"
There are some special variables that can be set during ACL processing. They
can be used to pass information between different ACLs, different invocations
of the same ACL in the same SMTP connection, and between ACLs and the routers,
-transports, and filters that are used to deliver a message. There are two sets
-of these variables:
-
+transports, and filters that are used to deliver a message. The names of these
+variables must begin with &$acl_c$& or &$acl_m$&, followed either by a digit or
+an underscore, but the remainder of the name can be any sequence of
+alphanumeric characters and underscores that you choose. There is no limit on
+the number of ACL variables. The two sets act as follows:
.ilist
-The values of &$acl_c0$& to &new(&$acl_c19$&) persist throughout an SMTP
-connection. They are never reset. Thus, a value that is set while receiving one
-message is still available when receiving the next message on the same SMTP
-connection.
-.next
-The values of &$acl_m0$& to &new(&$acl_m19$&) persist only while a message is
-being received. They are reset afterwards. They are also reset by MAIL, RSET,
-EHLO, HELO, and after starting up a TLS session.
+The values of those variables whose names begin with &$acl_c$& persist
+throughout an SMTP connection. They are never reset. Thus, a value that is set
+while receiving one message is still available when receiving the next message
+on the same SMTP connection.
+.next
+The values of those variables whose names beging with &$acl_m$& persist only
+while a message is being received. They are reset afterwards. They are also
+reset by MAIL, RSET, EHLO, HELO, and after starting up a TLS session.
.endlist
When a message is accepted, the current values of all the ACL variables are
preserved with the message and are subsequently made available at delivery
-time. The ACL variables are set by modifier called &%set%&. For example:
+time. The ACL variables are set by a modifier called &%set%&. For example:
.code
accept hosts = whatever
set acl_m4 = some value
+accept authenticated = *
+ set acl_c_auth = yes
.endd
&*Note*&: A leading dollar sign is not used when naming a variable that is to
be set. If you want to set a variable without taking any action, you can use a
&%warn%& verb without any other modifiers or conditions.
+.oindex &%strict_acl_vars%&
+What happens if a syntactically valid but undefined ACL variable is
+referenced depends on the setting of the &%strict_acl_vars%& option. If it is
+false (the default), an empty string is substituted; if it is true, an
+error is generated.
+
+Versions of Exim before 4.64 have a limited set of numbered variables, but
+their names are compatible, so there is no problem with upgrading.
+.wen
.section "Condition and modifier processing"
The ACL modifiers are as follows:
.vlist
-.new
.vitem &*add_header*&&~=&~<&'text'&>
-This modifier specifies one of more header lines that are to be added to an
+This modifier specifies one or more header lines that are to be added to an
incoming message, assuming, of course, that the message is ultimately
accepted. For details, see section &<<SECTaddheadacl>>&.
-.wen
.vitem &*control*&&~=&~<&'text'&>
.cindex "&%control%&" "ACL modifier"
accept ...
.endd
+.new
.vitem &*endpass*&
.cindex "&%endpass%&" "ACL modifier"
-This modifier, which has no argument, is recognized only in &%accept%&
-statements. It marks the boundary between the conditions whose failure causes
-control to pass to the next statement, and the conditions whose failure causes
-the ACL to return &"deny"&. See the description of &%accept%& above.
+This modifier, which has no argument, is recognized only in &%accept%& and
+&%discard%& statements. It marks the boundary between the conditions whose
+failure causes control to pass to the next statement, and the conditions whose
+failure causes the ACL to return &"deny"&. This concept has proved to be
+confusing to some people, so the use of &%endpass%& is no longer recommended as
+&"best practice"&. See the description of &%accept%& above for more details.
+.wen
+
.vitem &*log_message*&&~=&~<&'text'&>
.cindex "&%log_message%&" "ACL modifier"
require log_message = wrong cipher suite $tls_cipher
encrypted = DES-CBC3-SHA
.endd
-&%log_message%& adds to any underlying error message that may exist because of
-the condition failure. For example, while verifying a recipient address, a
-&':fail:'& redirection might have already set up a message. Although the
-message is usually defined before the conditions to which it applies, the
-expansion does not happen until Exim decides that access is to be denied. This
-means that any variables that are set by the condition are available for
-inclusion in the message. For example, the &$dnslist_$&<&'xxx'&> variables are
-set after a DNS black list lookup succeeds. If the expansion of &%log_message%&
-fails, or if the result is an empty string, the modifier is ignored.
+.new
+&%log_message%& is also used when recipients are discarded by &%discard%&. For
+example:
+.display
+&`discard `&<&'some conditions'&>
+&` log_message = Discarded $local_part@$domain because...`&
+.endd
+When access is denied, &%log_message%& adds to any underlying error message
+that may exist because of a condition failure. For example, while verifying a
+recipient address, a &':fail:'& redirection might have already set up a
+message.
+
+The message may be defined before the conditions to which it applies, because
+the string expansion does not happen until Exim decides that access is to be
+denied. This means that any variables that are set by the condition are
+available for inclusion in the message. For example, the &$dnslist_$&<&'xxx'&>
+variables are set after a DNS black list lookup succeeds. If the expansion of
+&%log_message%& fails, or if the result is an empty string, the modifier is
+ignored.
+.wen
.cindex "&$acl_verify_message$&"
If you want to use a &%warn%& statement to log the result of an address
both &%log_message%& and &%message%&, a default built-in message is used for
logging rejections.
+
+.new
+.vitem "&*log_reject_target*&&~=&~<&'log name list'&>"
+.cindex "&%log_reject_target%&" "ACL modifier"
+.cindex "logging in ACL" "specifying which log"
+This modifier makes it possible to specify which logs are used for messages
+about ACL rejections. Its argument is a colon-separated list of words that can
+be &"main"&, &"reject"&, or &"panic"&. The default is &`main:reject`&. The list
+may be empty, in which case a rejection is not logged at all. For example, this
+ACL fragment writes no logging information when access is denied:
+.display
+&`deny `&<&'some conditions'&>
+&` log_reject_target =`&
+.endd
+This modifier can be used in SMTP and non-SMTP ACLs. It applies to both
+permanent and temporary rejections.
+.wen
+
+
.vitem &*logwrite*&&~=&~<&'text'&>
.cindex "&%logwrite%&" "ACL modifier"
.cindex "logging in ACL" "immediate"
This modifier writes a message to a log file as soon as it is encountered when
processing an ACL. (Compare &%log_message%&, which, except in the case of
-&%warn%&, is used only if the ACL statement denies access.) The &%logwrite%&
-modifier can be used to log special incidents in ACLs. For example:
+&%warn%& &new("and &%discard%&"), is used only if the ACL statement denies
+access.) The &%logwrite%& modifier can be used to log special incidents in
+ACLs. For example:
.display
&`accept `&<&'some special conditions'&>
&` control = freeze`&
logwrite = :panic: text for panic log only
.endd
+
.vitem &*message*&&~=&~<&'text'&>
+.new
.cindex "&%message%&" "ACL modifier"
-This modifier sets up a text string that is expanded and used as an error
-message if the current statement causes the ACL to deny access. The expansion
-happens at the time Exim decides that access is to be denied, not at the time
-it processes &%message%&. If the expansion fails, or generates an empty string,
-the modifier is ignored. For ACLs that are triggered by SMTP commands, the
-message is returned as part of the SMTP error response.
-
-The text is literal; any quotes are taken as literals, but because the string
-is expanded, backslash escapes are processed anyway. If the message contains
-newlines, this gives rise to a multi-line SMTP response. Like &%log_message%&,
-the contents of &%message%& are not expanded until after a condition has
-failed.
+This modifier sets up a text string that is expanded and used as a response
+message when an ACL statement terminates the ACL with an &"accept"&, &"deny"&,
+or &"defer"& response. (In the case of the &%accept%& and &%discard%& verbs,
+there is some complication if &%endpass%& is involved; see the description of
+&%accept%& for details.)
+
+The expansion of the message happens at the time Exim decides that the ACL is
+to end, not at the time it processes &%message%&. If the expansion fails, or
+generates an empty string, the modifier is ignored. Here is an example where
+&%message%& must be specified first, because the ACL ends with a rejection if
+the &%hosts%& condition fails:
+.code
+require message = Host not recognized
+ hosts = 10.0.0.0/8
+.endd
+(Once a condition has failed, no further conditions or modifiers are
+processed.)
+
+.cindex "SMTP" "error codes"
+.cindex "&%smtp_banner%&
+For ACLs that are triggered by SMTP commands, the message is returned as part
+of the SMTP response. The use of &%message%& with &%accept%& (or &%discard%&)
+is meaningful only for SMTP, as no message is returned when a non-SMTP message
+is accepted. In the case of the connect ACL, accepting with a message modifier
+overrides the value of &%smtp_banner%&. For the EHLO/HELO ACL, a customized
+accept message may not contain more than one line (otherwise it will be
+truncated at the first newline and a panic logged), and it cannot affect the
+EHLO options.
+
+When SMTP is involved, the message may begin with an overriding response code,
+consisting of three digits optionally followed by an &"extended response code"&
+of the form &'n.n.n'&, each code being followed by a space. For example:
+.code
+deny message = 599 1.2.3 Host not welcome
+ hosts = 192.168.34.0/24
+.endd
+The first digit of the supplied response code must be the same as would be sent
+by default. A panic occurs if it is not. Exim uses a 550 code when it denies
+access, but for the predata ACL, note that the default success code is 354, not
+2&'xx'&.
+
+Notwithstanding the previous paragraph, for the QUIT ACL, unlike the others,
+the message modifier cannot override the 221 response code.
+
+The text in a &%message%& modifier is literal; any quotes are taken as
+literals, but because the string is expanded, backslash escapes are processed
+anyway. If the message contains newlines, this gives rise to a multi-line SMTP
+response.
+.wen
.cindex "&$acl_verify_message$&"
If &%message%& is used on a statement that verifies an address, the message
routers to be passed back as part of the SMTP response, you should either not
use a &%message%& modifier, or make use of &$acl_verify_message$&.
-.new
For compatibility with previous releases of Exim, a &%message%& modifier that
is used with a &%warn%& verb behaves in a similar way to the &%add_header%&
modifier, but this usage is now deprecated. However, &%message%& acts only when
&%add_header%& acts as soon as it is encountered. If &%message%& is used with
&%warn%& in an ACL that is not concerned with receiving a message, it has no
effect.
-.wen
+
.vitem &*set*&&~<&'acl_name'&>&~=&~<&'value'&>
.cindex "&%set%&" "ACL modifier"
The &%control%& modifier supports the following settings:
.vlist
-.new
.vitem &*control&~=&~allow_auth_unadvertised*&
This modifier allows a client host to use the SMTP AUTH command even when it
has not been advertised in response to EHLO. Furthermore, because there are
matches an advertised mechanism. When this control is set, the check that a
mechanism has been advertised is bypassed. Any configured mechanism can be used
by the client. This control is permitted only in the connection and HELO ACLs.
-.wen
.vitem &*control&~=&~caseful_local_part*&
current message, not to any subsequent ones that may be received in the same
SMTP connection.
-.new
This modifier can optionally be followed by &`/no_tell`&. If the global option
&%freeze_tell%& is set, it is ignored for the current message (that is, nobody
is told about the freezing), provided all the &*control=freeze*& modifiers that
are obeyed for the current message have the &`/no_tell`& option.
-.wen
.vitem &*control&~=&~no_mbox_unspool*&
There is no check that &'From:'& corresponds to the actual sender.
.endlist ilist
-This feature may be useful when a remotely-originated message is accepted,
-passed to some scanning program, and then re-submitted for delivery.
+This control may be useful when a remotely-originated message is accepted,
+passed to some scanning program, and then re-submitted for delivery. It can be
+used only in the &%acl_smtp_mail%&, &%acl_smtp_rcpt%&, &%acl_smtp_predata%&,
+and &%acl_not_smtp_start%& ACLs, because it has to be set before the message's
+data is read.
.endlist vlist
All four possibilities for message fixups can be specified:
-.new
.section "Adding header lines in ACLs" "SECTaddheadacl"
.cindex "header lines" "adding in an ACL"
.cindex "header lines" "position of added lines"
with duplicates suppressed. Thus, it is possible to add two identical header
lines to an SMTP message, but only if one is added before DATA and one after.
In the case of non-SMTP messages, new headers are accumulated during the
-non-SMTP ACL, and added to the message at the end. If a message is rejected
-after DATA or by the non-SMTP ACL, all added header lines are included in the
-entry that is written to the reject log.
+non-SMTP ACLs, and are added to the message after all the ACLs have run. If a
+message is rejected after DATA or by the non-SMTP ACL, all added header lines
+are included in the entry that is written to the reject log.
.cindex "header lines" "added; visibility of"
Header lines are not visible in string expansions until they are added to the
&*Warning*&: This facility currently applies only to header lines that are
added in an ACL. It does NOT work for header lines that are added in a
system filter or in a router or transport.
-.wen
expanding the string is an empty string, the number zero, or one of the strings
&"no"& or &"false"&, the condition is false. If the result is any non-zero
number, or one of the strings &"yes"& or &"true"&, the condition is true. For
-any other values, some error is assumed to have occurred, and the ACL returns
-&"defer"&.
+any other value, some error is assumed to have occurred, and the ACL returns
+&"defer"&. However, if the expansion is forced to fail, the condition is
+ignored. The effect is to treat it as true, whether it is positive or
+negative.
.vitem &*decode&~=&~*&<&'location'&>
.cindex "&%decode%&" "ACL condition"
This condition is available only when Exim is compiled with the
-content-scanning extension, and it is allowed only the the ACL defined by
+content-scanning extension, and it is allowed only in the ACL defined by
&%acl_smtp_mime%&. It causes the current MIME part to be decoded into a file.
For details, see chapter &<<CHAPexiscan>>&.
lookup, the result of the lookup is placed in &$domain_data$& until the next
&%domains%& test.
+.new
+&*Note carefully*& (because many people seem to fall foul of this): you cannot
+use &%domains%& in a DATA ACL.
+.wen
+
+
.vitem &*encrypted&~=&~*&<&'string&~list'&>
.cindex "&%encrypted%&" "ACL condition"
.cindex "encryption" "checking in an ACL"
encrypted = *
.endd
+
.vitem &*hosts&~=&~*&<&'&~host&~list'&>
.cindex "&%hosts%&" "ACL condition"
.cindex "host" "ACL checking"
.code
accept hosts = 10.9.8.7 : dbm;/etc/friendly/hosts
.endd
-The reason for this lies in the left-to-right way that Exim processes lists.
-It can test IP addresses without doing any DNS lookups, but when it reaches an
-item that requires a host name, it fails if it cannot find a host name to
-compare with the pattern. If the above list is given in the opposite order, the
-&%accept%& statement fails for a host whose name cannot be found, even if its
-IP address is 10.9.8.7.
+.new
+The lookup in this example uses the host name for its key. This is implied by
+the lookup type &"dbm"&. (For a host address lookup you would use &"net-dbm"&
+and it wouldn't matter which way round you had these two items.)
+.wen
+
+The reason for the problem with host names lies in the left-to-right way that
+Exim processes lists. It can test IP addresses without doing any DNS lookups,
+but when it reaches an item that requires a host name, it fails if it cannot
+find a host name to compare with the pattern. If the above list is given in the
+opposite order, the &%accept%& statement fails for a host whose name cannot be
+found, even if its IP address is 10.9.8.7.
If you really do want to do the name check first, and still recognize the IP
address even if the name lookup fails, you can rewrite the ACL like this:
.cindex "&%mime_regex%&" "ACL condition"
.cindex "&ACL;" "testing by regex matching"
This condition is available only when Exim is compiled with the
-content-scanning extension, and it is allowed only the the ACL defined by
+content-scanning extension, and it is allowed only in the ACL defined by
&%acl_smtp_mime%&. It causes the current MIME part to be scanned for a match
with any of the regular expressions. For details, see chapter
&<<CHAPexiscan>>&.
.cindex "verifying" "EHLO"
.cindex "verifying" "HELO"
This condition is true if a HELO or EHLO command has been received from the
-client host, and its contents have been verified. It there has been no previous
-attempt to verify the the HELO/EHLO contents, it is carried out when this
+client host, and its contents have been verified. If there has been no previous
+attempt to verify the HELO/EHLO contents, it is carried out when this
condition is encountered. See the description of the &%helo_verify_hosts%& and
&%helo_try_verify_hosts%& options for details of how to request verification
independently of this condition.
+.new
+For SMTP input that does not come over TCP/IP (the &%-bs%& command line
+option), this condition is always true.
+.wen
+
+
.vitem &*verify&~=&~not_blind*&
.cindex "verifying" "not blind"
.cindex "bcc recipients" "verifying none"
127.1.0.6 RSS and DUL
127.1.0.7 RSS and DUL and RBL
.endd
-Some DNS lists may return more than one address record.
-
+.new
+Section &<<SECTaddmatcon>>& below describes how you can distinguish between
+different values. Some DNS lists may return more than one address record; they
+are all checked.
+.wen
.section "Variables set from DNS lists"
+.new
.cindex "DNS list" "variables set from"
.cindex "&$dnslist_domain$&"
.cindex "&$dnslist_text$&"
.cindex "&$dnslist_value$&"
When an entry is found in a DNS list, the variable &$dnslist_domain$&
-contains the name of the domain that matched, &$dnslist_value$& contains the
-data from the entry, and &$dnslist_text$& contains the contents of any
-associated TXT record. If more than one address record is returned by the DNS
+contains the name of the domain that matched, and &$dnslist_value$& contains
+the data from the entry. If more than one address record is returned by the DNS
lookup, all the IP addresses are included in &$dnslist_value$&, separated by
-commas and spaces.
+commas and spaces. The variable &$dnslist_text$& contains the contents of any
+associated TXT record. For lists such as RBL+ the TXT record for a merged entry
+is often not very meaningful. See section &<<SECTmordetinf>>& for a way of
+obtaining more information.
+.wen
-You can use these variables in &%message%& or &%log_message%& modifiers &--
-although these appear before the condition in the ACL, they are not expanded
-until after it has failed. For example:
+You can use the DNS list variables in &%message%& or &%log_message%& modifiers
+&-- although these appear before the condition in the ACL, they are not
+expanded until after it has failed. For example:
.code
deny hosts = !+local_networks
message = $sender_host_address is listed \
which is less clear, and harder to maintain.
+.new
+.section "Detailed information from merged DNS lists" "SECTmordetinf"
+.cindex "DNS list" "information from merged"
+When the facility for restricting the matching IP values in a DNS list is used,
+the text from the TXT record that is set in &$dnslist_text$& may not reflect
+the true reason for rejection. This happens when lists are merged and the IP
+address in the A record is used to distinguish them; unfortunately there is
+only one TXT record. One way round this is not to use merged lists, but that
+can be inefficient because it requires multiple DNS lookups where one would do
+in the vast majority of cases when the host of interest is not on any of the
+lists.
+
+A less inefficient way of solving this problem is available. If
+two domain names, comma-separated, are given, the second is used first to
+do an initial check, making use of any IP value restrictions that are set.
+If there is a match, the first domain is used, without any IP value
+restrictions, to get the TXT record. As a byproduct of this, there is also
+a check that the IP being tested is indeed on the first list. The first
+domain is the one that is put in &$dnslist_domain$&. For example:
+.code
+reject message = \
+ rejected because $sender_ip_address is blacklisted \
+ at $dnslist_domain\n$dnslist_text
+ dnslists = \
+ sbl.spamhaus.org,sbl-xbl.spamhaus.org=127.0.0.2 : \
+ dul.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.10
+.endd
+For the first blacklist item, this starts by doing a lookup in
+&'sbl-xbl.spamhaus.org'& and testing for a 127.0.0.2 return. If there is a
+match, it then looks in &'sbl.spamhaus.org'&, without checking the return
+value, and as long as something is found, it looks for the corresponding TXT
+record. If there is no match in &'sbl-xbl.spamhaus.org'&, nothing more is done.
+The second blacklist item is processed similarly.
+
+If you are interested in more than one merged list, the same list must be
+given several times, but because the results of the DNS lookups are cached,
+the DNS calls themselves are not repeated. For example:
+.code
+reject dnslists = \
+ http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
+ socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
+ misc.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.4 : \
+ dul.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.10
+.endd
+In this case there is one lookup in &'dnsbl.sorbs.net'&, and if none of the IP
+values matches (or if no record is found), this is the only lookup that is
+done. Only if there is a match is one of the more specific lists consulted.
+.wen
+
.section "DNS lists and IPv6" "SECTmorednslistslast"
.section "Rate limiting senders" "SECTratelimiting"
.cindex "rate limiting" "client sending"
.cindex "limiting client sending rates"
-.oindex "&%smpt_ratelimit_*%&"
+.oindex "&%smtp_ratelimit_*%&"
The &%ratelimit%& ACL condition can be used to measure and control the rate at
which clients can send email. This is more powerful than the
&%smtp_ratelimit_*%& options, because those options control the rate of
user, independent of the computer they are sending from, set the key to
&$authenticated_id$&. You must ensure that the lookup key is meaningful; for
example, &$authenticated_id$& is only meaningful if the client has
-authenticated, and you can check with with the &%authenticated%& ACL condition.
+authenticated, and you can check with the &%authenticated%& ACL condition.
Internally, Exim includes the smoothing constant &'p'& and the options in the
lookup key because they alter the meaning of the stored data. This is not true
The &%leaky%& option means that the client's recorded rate is not updated if it
is above the limit. The effect of this is that Exim measures the client's
average rate of successfully sent email, which cannot be greater than the
-maximum. If the client is over the limit it will suffer some counter-measures,
-but it will still be able to send email at the configured maximum rate,
-whatever the rate of its attempts. This is generally the better choice if you
-have clients that retry automatically.
+maximum. If the client is over the limit it &new("may suffer some
+counter-measures (as specified in the ACL)"), but it will still be able to send
+email at the configured maximum rate, whatever the rate of its attempts. This
+is generally the better choice if you have clients that retry automatically.
Exim's other ACL facilities are used to define what counter-measures are taken
when the rate limit is exceeded. This might be anything from logging a warning
message. For example:
.code
# Log all senders' rates
-warn
- ratelimit = 0 / 1h / strict
- log_message = Sender rate $sender_rate / $sender_rate_period
+warn ratelimit = 0 / 1h / strict
+ log_message = Sender rate $sender_rate / $sender_rate_period
# Slow down fast senders; note the need to truncate $sender_rate
# at the decimal point.
-warn
- ratelimit = 100 / 1h / per_rcpt / strict
- delay = ${eval: ${sg{$sender_rate}{[.].*}{}} - \
- $sender_rate_limit }s
+warn ratelimit = 100 / 1h / per_rcpt / strict
+ delay = ${eval: ${sg{$sender_rate}{[.].*}{}} - \
+ $sender_rate_limit }s
# Keep authenticated users under control
-deny
- authenticated = *
- ratelimit = 100 / 1d / strict / $authenticated_id
+deny authenticated = *
+ ratelimit = 100 / 1d / strict / $authenticated_id
# System-wide rate limit
-defer
- message = Sorry, too busy. Try again later.
- ratelimit = 10 / 1s / $primary_hostname
+defer message = Sorry, too busy. Try again later.
+ ratelimit = 10 / 1s / $primary_hostname
# Restrict incoming rate from each host, with a default
# set using a macro and special cases looked up in a table.
-defer
- message = Sender rate exceeds $sender_rate_limit \
- messages per $sender_rate_period
- ratelimit = ${lookup {$sender_host_address} \
- cdb {DB/ratelimits.cdb} \
- {$value} {RATELIMIT} }
+defer message = Sender rate exceeds $sender_rate_limit \
+ messages per $sender_rate_period
+ ratelimit = ${lookup {$sender_host_address} \
+ cdb {DB/ratelimits.cdb} \
+ {$value} {RATELIMIT} }
.endd
&*Warning*&: If you have a busy server with a lot of &%ratelimit%& tests,
especially with the &%per_rcpt%& option, you may suffer from a performance
.cindex "verifying address" "options for"
.cindex "policy control" "address verification"
Several of the &%verify%& conditions described in section
-&<<SECTaclconditions>>& cause addresses to be verified. These conditions can be
-followed by options that modify the verification process. The options are
-separated from the keyword and from each other by slashes, and some of them
-contain parameters. For example:
+&<<SECTaclconditions>>& cause addresses to be verified. Section
+&<<SECTsenaddver>>& discusses the reporting of sender verification failures.
+The verification conditions can be followed by options that modify the
+verification process. The options are separated from the keyword and from each
+other by slashes, and some of them contain parameters. For example:
.code
verify = sender/callout
verify = recipient/defer_ok/callout=10s,defer_ok
&%hosts_override%& set, its hosts are always used, whether or not the router
supplies a host list.
+.new
The port that is used is taken from the transport, if it is specified and is a
remote transport. (For routers that do verification only, no transport need be
specified.) Otherwise, the default SMTP port is used. If a remote transport
specifies an outgoing interface, this is used; otherwise the interface is not
-specified.
+specified. Likewise, the text that is used for the HELO command is taken from
+the transport's &%helo_data%& option; if there is no transport, the value of
+&$smtp_active_hostname$& is used.
For a sender callout check, Exim makes SMTP connections to the remote hosts, to
test whether a bounce message could be delivered to the sender address. The
following SMTP commands are sent:
.display
-&`HELO `&<&'smtp active host name'&>
+&`HELO `&<&'local host name'&>
&`MAIL FROM:<>`&
&`RCPT TO:`&<&'the address to be tested'&>
&`QUIT`&
.endd
+.wen
LHLO is used instead of HELO if the transport's &%protocol%& option is
set to &"lmtp"&.
.section "Sender address verification reporting" "SECTsenaddver"
.cindex "verifying" "suppressing error details"
-When sender verification fails in an ACL, the details of the failure are
-given as additional output lines before the 550 response to the relevant
-SMTP command (RCPT or DATA). For example, if sender callout is in use,
+See section &<<SECTaddressverification>>& for a general discussion of
+verification. When sender verification fails in an ACL, the details of the
+failure are given as additional output lines before the 550 response to the
+relevant SMTP command (RCPT or DATA). For example, if sender callout is in use,
you might see:
.code
MAIL FROM:<xyz@abc.example>
In this example, verification succeeds if a router generates a new address, and
the callout does not occur, because no address was routed to a remote host.
+.new
+When verification is being tested via the &%-bv%& option, the treatment of
+redirections is as just described, unless the &%-v%& or any debugging option is
+also specified. In that case, full verification is done for every generated
+address and a report is output for each of them.
+.wen
There are two expansion items to help with the implementation of the BATV
&"prvs"& (private signature) scheme in an Exim configuration. This scheme signs
-the original envelope sender address by using a simple shared key to add a hash
-of the address and some time-based randomizing information. The &%prvs%&
-expansion item creates a signed address, and the &%prvscheck%& expansion item
-checks one. The syntax of these expansion items is described in section
+the original envelope sender address by using a simple key to add a hash of the
+address and some time-based randomizing information. The &%prvs%& expansion
+item creates a signed address, and the &%prvscheck%& expansion item checks one.
+The syntax of these expansion items is described in section
&<<SECTexpansionitems>>&.
As an example, suppose the secret per-address keys are stored in an MySQL
timeout checks succeed. The &$prvscheck_result$& variable contains the result
of the checks (empty for failure, &"1"& for success).
-.new
There are two more issues you must consider when implementing prvs-signing.
Firstly, you need to ensure that prvs-signed addresses are not blocked by your
ACLs. A prvs-signed address contains a slash character, but the default Exim
.endd
This is a conservative rule that blocks local parts that contain slashes. You
should remove the slash in the last line.
-.wen
Secondly, you have to ensure that the routers accept prvs-signed addresses and
deliver them correctly. The easiest way to handle this is to use a &(redirect)&
.code
Virus 'W32/Magistr-B' found in file ./those.bat
.endd
-For the trigger expression, we can just match the word &"found"&. For the name
-expression, we want to extract the W32/Magistr-B string, so we can match for
-the single quotes left and right of it. Altogether, this makes the
+.new
+For the trigger expression, we can match the phrase &"found in file"&. For the
+name expression, we want to extract the W32/Magistr-B string, so we can match
+for the single quotes left and right of it. Altogether, this makes the
configuration setting:
.code
av_scanner = cmdline:\
- /path/to/sweep -all -rec -archive %s:\
- found:'(.+)'
+ /path/to/sweep -ss -all -rec -archive %s:\
+ found in file:'(.+)'
.endd
.vitem &%drweb%&
.cindex "virus scanners" "DrWeb"
.vitem &%sophie%&
.cindex "virus scanners" "Sophos and Sophie"
Sophie is a daemon that uses Sophos' &%libsavi%& library to scan for viruses.
-You can get Sophie at &url(http://www.vanja.com/tools/sophie/). The only
-option for this scanner type is the path to the UNIX socket that Sophie uses
-for client communication. For example:
+You can get Sophie at &url(http://www.clanfield.info/sophie/). The only option
+for this scanner type is the path to the UNIX socket that Sophie uses for
+client communication. For example:
.code
av_scanner = sophie:/tmp/sophie
.endd
The condition succeeds if a virus was found, and fail otherwise. This is the
recommended usage.
.next
-&"false"& or &"0"&, in which case no scanning is done and the condition fails
-immediately.
+&"false"& or &"0"& or an empty string, in which case no scanning is done and
+the condition fails immediately.
.next
A regular expression, in which case the message is scanned for viruses. The
condition succeeds if a virus is found and its name matches the regular
.endlist
You can append &`/defer_ok`& to the &%malware%& condition to accept messages
-even if there is a problem with the virus scanner.
+even if there is a problem with the virus scanner. Otherwise, such a problem
+causes the ACL to defer.
.cindex "&$malware_name$&"
When a virus is found, the condition sets up an expansion variable called
deny message = This message was classified as SPAM
spam = joe
.endd
-The right-hand side of the &%spam%& condition specifies the username that
-SpamAssassin should scan for. If you do not want to scan for a particular user,
-but rather use the SpamAssassin system-wide default profile, you can scan for
-an unknown user, or simply use &"nobody"&. However, you must put something on
-the right-hand side.
+.new
+The right-hand side of the &%spam%& condition specifies a name. This is
+relevant if you have set up multiple SpamAssassin profiles. If you do not want
+to scan using a specific profile, but rather use the SpamAssassin system-wide
+default profile, you can scan for an unknown name, or simply use &"nobody"&.
+However, you must put something on the right-hand side.
+
+The name allows you to use per-domain or per-user antispam profiles in
+principle, but this is not straightforward in practice, because a message may
+have multiple recipients, not necessarily all in the same domain. Because the
+&%spam%& condition has to be called from a DATA ACL in order to be able to
+read the contents of the message, the variables &$local_part$& and &$domain$&
+are not set.
+
+The right-hand side of the &%spam%& condition is expanded before being used, so
+you can put lookups or conditions there. When the right-hand side evaluates to
+&"0"& or &"false"&, no scanning is done and the condition fails immediately.
+.wen
-The username allows you to use per-domain or per-user antispam profiles. The
-right-hand side is expanded before being used, so you can put lookups or
-conditions there. When the right-hand side evaluates to &"0"& or &"false"&, no
-scanning is done and the condition fails immediately.
Scanning with SpamAssassin uses a lot of resources. If you scan every message,
large ones may cause significant performance degredation. As most spam messages
it always return &"true"& by appending &`:true`& to the username.
.cindex "spam scanning" "returned variables"
-When the &%spam%& condition is run, it sets up the following expansion
-variables:
+When the &%spam%& condition is run, it sets up a number of expansion
+variables. With the exception of &$spam_score_int$&, these are usable only
+within ACLs; their values are not retained with the message and so cannot be
+used at delivery time.
.vlist
.vitem &$spam_score$&
.vitem &$spam_score_int$&
The spam score of the message, multiplied by ten, as an integer value. For
example &"34"& or &"305"&. This is useful for numeric comparisons in
-conditions. This variable is special; it is saved with the message, and written
-to Exim's spool file. This means that it can be used during the whole life of
-the message on your Exim system, in particular, in routers or transports during
-the later delivery phase.
+conditions. This variable is special; its value is saved with the message, and
+written to Exim's spool file. This means that it can be used during the whole
+life of the message on your Exim system, in particular, in routers or
+transports during the later delivery phase.
.vitem &$spam_bar$&
A string consisting of a number of &"+"& or &"-"& characters, representing the
condition:
.code
# put headers in all messages (no matter if spam or not)
-warn message = X-Spam-Score: $spam_score ($spam_bar)
- spam = nobody:true
-warn message = X-Spam-Report: $spam_report
- spam = nobody:true
+warn spam = nobody:true
+ add_header = X-Spam-Score: $spam_score ($spam_bar)
+ add_header = X-Spam-Report: $spam_report
# add second subject line with *SPAM* marker when message
# is over threshold
-warn message = Subject: *SPAM* $h_Subject:
- spam = nobody
+warn spam = nobody
+ add_header = Subject: *SPAM* $h_Subject:
# reject spam at high scores (> 12)
deny message = This message scored $spam_score spam points.
.cindex "content scanning" "MIME parts"
.cindex "MIME content scanning"
.cindex "&%acl_smtp_mime%&"
+.cindex "&%acl_not_smtp_mime%&"
The &%acl_smtp_mime%& global option specifies an ACL that is called once for
each MIME part of an SMTP message, including multipart types, in the sequence
of their position in the message. Similarly, the &%acl_not_smtp_mime%& option
options may both refer to the same ACL if you want the same processing in both
cases.
-These ACLs are called (possibly many times) just before the &%acl_smtp_data%&
-ACL in the case of an SMTP message, or just before a non-SMTP message is
-accepted. However, a MIME ACL is called only if the message contains a
-&'MIME-Version:'& header line. When a call to a MIME ACL does not yield
-&"accept"&, ACL processing is aborted and the appropriate result code is sent
-to the client. In the case of an SMTP message, the &%acl_smtp_data%& ACL is not
-called when this happens.
+These ACLs are called (possibly many times) just before the
+&%acl_smtp_data%& ACL in the case of an SMTP message, or just before the
+&%acl_not_smtp%& ACL in the case of a non-SMTP message. However, a MIME ACL
+is called only if the message contains a &'MIME-Version:'& header line. When a
+call to a MIME ACL does not yield &"accept"&, ACL processing is aborted and the
+appropriate result code is sent to the client. In the case of an SMTP message,
+the &%acl_smtp_data%& ACL is not called when this happens.
You cannot use the &%malware%& or &%spam%& conditions in a MIME ACL; these can
only be used in the DATA or non-SMTP ACLs. However, you can use the &%regex%&
is NULL for locally submitted messages.
.vitem &*int&~interface_port*&
-The port on which this message was received.
+.new
+The port on which this message was received. When testing with the &%-bh%&
+command line option, the value of this variable is -1 unless a port has been
+specified via the &%-oMi%& option.
+.wen
.vitem &*uschar&~*message_id*&
This variable contains Exim's message id for the incoming message (the value of
addresses, you should get a return code of zero.
-.new
.vitem &*pid_t&~child_open_exim2(int&~*fd,&~uschar&~*sender,&~uschar&~&&&
*sender_authentication)*&
This function is a more sophisticated version of &'child_open()'&. The command
&`exim -t -oem -oi -f `&&'sender'&&` -oMas `&&'sender_authentication'&
.endd
The third argument may be NULL, in which case the &%-oMas%& option is omitted.
-.wen
.vitem &*void&~debug_printf(char&~*,&~...)*&
the addition of that field to the structure. However, it is easy to add such a
value afterwards. For example:
.code
-receive_add_recipient(US"monitor@mydom.example", -1);
-recipients_list[recipients_count-1].errors_to =
-US"postmaster@mydom.example";
+ receive_add_recipient(US"monitor@mydom.example", -1);
+ recipients_list[recipients_count-1].errors_to =
+ US"postmaster@mydom.example";
.endd
.vitem &*BOOL&~receive_remove_recipient(uschar&~*recipient)*&
.section "The Auto-Submitted: header line"
-.new
Whenever Exim generates an autoreply, a bounce, or a delay warning message, it
includes the header line:
-.wen
.code
Auto-Submitted: auto-replied
.endd
&$authenticated_id$& and the domain is &$qualify_domain$&.
.next
If a non-empty domain is specified by the submission control, the local
-part is &$authenticated_id$&, and the the domain is the specified domain.
+part is &$authenticated_id$&, and the domain is the specified domain.
.next
If an empty domain is specified by the submission control,
&$authenticated_id$& is assumed to be the complete address.
-H spool file is written) the earliest time at which delivery could start.
-.new
.section "The References: header line"
.cindex "&'References:'& header line"
Messages created by the &(autoreply)& transport include a &'References:'&
than 12 message IDs are copied from the &'References:'& header line in the
incoming message. If there are more than 12, the first one and then the final
11 are copied, before adding the message ID of the incoming message.
-.wen
&$authenticated_id$& and the domain is &$qualify_domain$&.
.next
If a non-empty domain is specified by the submission control, the local part
-is &$authenticated_id$&, and the the domain is the specified domain.
+is &$authenticated_id$&, and the domain is the specified domain.
.next
If an empty domain is specified by the submission control,
&$authenticated_id$& is assumed to be the complete address.
<$sender_address>
}}could not be delivered to all of its recipients.
-The following address(es) failed:
+This is a permanent error. The following address(es) failed:
****
The following text was generated during the delivery attempt(s):
****
-.new
.section "Variable Envelope Return Paths (VERP)" "SECTverp"
.cindex "VERP"
.cindex "Variable Envelope Return Paths"
max_rcpt = 1
return_path = \
${if match {$return_path}{^(.+?)-request@your.dom.example\$}\
- {$1-request=$local_part%$domain@your.dom.example}fail}
+ {$1-request+$local_part=$domain@your.dom.example}fail}
.endd
This has the effect of rewriting the return path (envelope sender) on outgoing
SMTP messages, if the local part of the original return path ends in
&'subscriber@other.dom.example'&. In the transport, the return path is
rewritten as
.code
-somelist-request=subscriber%other.dom.example@your.dom.example
+somelist-request+subscriber=other.dom.example@your.dom.example
.endd
.cindex "&$local_part$&"
-For this to work, you must also arrange for outgoing messages that have
-&"-request"& in their return paths to have just a single recipient. That is
+For this to work, you must tell Exim to send multiple copies of messages that
+have more than one recipient, so that each copy has just one recipient. This is
achieved by setting &%max_rcpt%& to 1. Without this, a single copy of a message
might be sent to several different recipients in the same domain, in which case
&$local_part$& is not available in the transport, because it is not unique.
Unless your host is doing nothing but mailing list deliveries, you should
probably use a separate transport for the VERP deliveries, so as not to use
-extra resources for the others. This can easily be done by expanding the
-&%transport%& option in the router:
+extra resources in making one-per-recipient copies for other deliveries. This
+can easily be done by expanding the &%transport%& option in the router:
.code
dnslookup:
driver = dnslookup
transport = remote_smtp
errors_to = \
${if match {$return_path}{^(.+?)-request@your.dom.example\$}}
- {$1-request=$local_part%$domain@your.dom.example}fail}
+ {$1-request+$local_part=$domain@your.dom.example}fail}
no_more
.endd
Before you start sending out messages with VERPed return paths, you must also
a separate copy of the message for each address may take substantially longer
than sending a single copy with many recipients (for which VERP cannot be
used).
-.wen
session was encrypted, there is an additional X field that records the cipher
suite that was used.
-The protocol is set to &"esmptsa"& or &"esmtpa"& for messages received from
+The protocol is set to &"esmtpsa"& or &"esmtpa"& for messages received from
hosts that have authenticated themselves using the SMTP AUTH command. The first
value is used when the SMTP connection was encrypted (&"secure"&). In this case
there is an additional item A= followed by the name of the authenticator that
&` received_sender `& sender on <= lines
&`*rejected_header `& header contents on reject log
&`*retry_defer `& &"retry time not reached"&
-&` return_path_on_delivery `& put return path on => and *\ lines
+&` return_path_on_delivery `& put return path on => and ** lines
&` sender_on_delivery `& add sender to => lines
&`*sender_verify_fail `& sender verification failures
&`*size_reject `& rejection because too big
.next
.cindex "log" "ETRN commands"
.cindex "ETRN" "logging"
-&%etrn%&: Every legal ETRN command that is received is logged, before the ACL
+&%etrn%&: Every valid ETRN command that is received is logged, before the ACL
is run to determine whether or not it is actually accepted. An invalid ETRN
command, or one received within a message transaction is not logged by this
selector (see &%smtp_syntax_error%& and &%smtp_protocol_error%&).
This is the original sender that was received with the message; it is not
necessarily the same as the outgoing return path.
.next
-.new
.cindex "log" "sender verify failure"
-&%sender_verify_failure%&: If this selector is unset, the separate log line
-that gives details of a sender verification failure is not written. Log lines
-for the rejection of SMTP commands contain just &"sender verify failed"&, so
-some detail is lost.
-.wen
+&%sender_verify_fail%&: If this selector is unset, the separate log line that
+gives details of a sender verification failure is not written. Log lines for
+the rejection of SMTP commands contain just &"sender verify failed"&, so some
+detail is lost.
.next
.cindex "log" "size rejection"
&%size_reject%&: A log line is written whenever a message is rejected because
.code
3 2322 74m 66m msn.com.example
.endd
-Each line lists the number of
-pending deliveries for a domain, their total volume, and the length of time
-that the oldest and the newest messages have been waiting. Note that the number
-of pending deliveries is greater than the number of messages when messages
-have more than one recipient.
+Each line lists the number of pending deliveries for a domain, their total
+volume, and the length of time that the oldest and the newest messages have
+been waiting. Note that the number of pending deliveries is greater than the
+number of messages when messages have more than one recipient.
+.new
A summary line is output at the end. By default the output is sorted on the
domain name, but &'exiqsumm'& has the options &%-a%& and &%-c%&, which cause
the output to be sorted by oldest message and by count of messages,
-respectively.
+respectively. There are also three options that split the messages for each
+domain into two or more subcounts: &%-b%& separates bounce messages, &%-f%&
+separates frozen messages, and &%-s%& separates messages according to their
+sender.
+.wen
The output of &'exim -bp'& contains the original addresses in the message, so
this also applies to the output from &'exiqsumm'&. No domains from addresses
.cindex "&'exipick'&"
John Jetmore's &'exipick'& utility is included in the Exim distribution. It
lists messages from the queue according to a variety of criteria. For details,
-run:
+visit &url(http://www.exim.org/eximwiki/ToolExipickManPage) or run:
.code
exipick --help
.endd
.section "Cycling log files (exicyclog)" "SECTcyclogfil"
-.new
.cindex "log" "cycling local files"
.cindex "cycling logs"
.cindex "&'exicyclog'&"
&_mainlog.02_& and so on, up to the limit that is set in the script or by the
&%-k%& option. Log files whose numbers exceed the limit are discarded. Reject
logs are handled similarly.
-.wen
If the limit is greater than 99, the script uses 3-digit numbers such as
&_mainlog.001_&, &_mainlog.002_&, etc. If you change from a number less than 99
.cindex "X-windows"
.cindex "&'eximon'&"
.cindex "Local/eximon.conf"
-.cindex "_exim_monitor/EDITME_"
+.cindex "&_exim_monitor/EDITME_&"
The Exim monitor is an application which displays in an X window information
about the state of Exim's queue and what Exim is doing. An admin user can
perform certain operations on messages from this GUI interface; however all
routing is no longer run as root, and the deliveries themselves cannot change
to any other uid.
+.cindex SIGHUP
+.cindex "daemon" "restarting"
Leaving the binary setuid to root, but setting &%deliver_drop_privilege%& means
that the daemon can still be started in the usual way, and it can respond
correctly to SIGHUP because the re-invocation regains root privilege.
An alternative approach is to make Exim setuid to the Exim user and also setgid
-to the Exim group.
-If you do this, the daemon must be started from a root process. (Calling
-Exim from a root process makes it behave in the way it does when it is setuid
-root.) However, the daemon cannot restart itself after a SIGHUP signal because
-it cannot regain privilege.
+to the Exim group. If you do this, the daemon must be started from a root
+process. (Calling Exim from a root process makes it behave in the way it does
+when it is setuid root.) However, the daemon cannot restart itself after a
+SIGHUP signal because it cannot regain privilege.
It is still useful to set &%deliver_drop_privilege%& in this case, because it
stops Exim from trying to re-invoke itself to do a delivery after a message has
order, and are omitted when not relevant:
.vlist
-.vitem "&%-acl%& <&'number'&> <&'length'&>"
-.new
+.vitem "&%-acl%&&~<&'number'&>&~<&'length'&>"
This item is obsolete, and is not generated from Exim release 4.61 onwards;
&%-aclc%& and &%-aclm%& are used instead. However, &%-acl%& is still
recognized, to provide backward compatibility. In the old format, a line of
the next line, and is followed by a newline character. It may contain internal
newlines.
-.vitem "&%-aclc%& <&'number'&> <&'length'&>"
-A line of this form is present for every ACL connection variable that is not
-empty. The number identifies the variable. The length is the length of the data
-string for the variable. The string itself starts at the beginning of the next
-line, and is followed by a newline character. It may contain internal newlines.
-
-.vitem "&%-aclm%& <&'number'&> <&'length'&>"
-A line of this form is present for every ACL message variable that is not
-empty. The number identifies the variable. The length is the length of the data
-string for the variable. The string itself starts at the beginning of the next
-line, and is followed by a newline character. It may contain internal newlines.
+.new
+.vitem "&%-aclc%&&~<&'rest-of-name'&>&~<&'length'&>"
+A line of this form is present for every ACL connection variable that is
+defined. Note that there is a space between &%-aclc%& and the rest of the name.
+The length is the length of the data string for the variable. The string itself
+starts at the beginning of the next line, and is followed by a newline
+character. It may contain internal newlines.
+
+.vitem "&%-aclm%&&~<&'rest-of-name'&>&~<&'length'&>"
+A line of this form is present for every ACL message variable that is defined.
+Note that there is a space between &%-aclm%& and the rest of the name. The
+length is the length of the data string for the variable. The string itself
+starts at the beginning of the next line, and is followed by a newline
+character. It may contain internal newlines.
.wen
-.vitem "&%-active_hostname%& <&'hostname'&>"
+.vitem "&%-active_hostname%&&~<&'hostname'&>"
This is present if, when the message was received over SMTP, the value of
&$smtp_active_hostname$& was different to the value of &$primary_hostname$&.
time). Local messages that were input using &%-bnq%& and remote messages from
hosts that match &%sender_unqualified_hosts%& set this flag.
-.vitem "&%-auth_id%& <&'text'&>"
+.vitem "&%-auth_id%&&~<&'text'&>"
The id information for a message received on an authenticated SMTP connection
&-- the value of the &$authenticated_id$& variable.
-.vitem "&%-auth_sender%& <&'address'&>"
+.vitem "&%-auth_sender%&&~<&'address'&>"
The address of an authenticated sender &-- the value of the
&$authenticated_sender$& variable.
-.vitem "&%-body_linecount%& <&'number'&>"
+.vitem "&%-body_linecount%&&~<&'number'&>"
This records the number of lines in the body of the message, and is always
present.
-.vitem "&%-body_zerocount%& <&'number'&>"
+.vitem "&%-body_zerocount%&&~<&'number'&>"
This records the number of binary zero bytes in the body of the message, and is
present if the number is greater than zero.
This is written when a new message is first added to the spool. When the spool
file is updated after a deferral, it is omitted.
-.vitem "&%-frozen%& <&'time'&>"
+.vitem "&%-frozen%&&~<&'time'&>"
.cindex "frozen messages" "spool data"
The message is frozen, and the freezing happened at <&'time'&>.
-.vitem "&%-helo_name%& <&'text'&>"
+.vitem "&%-helo_name%&&~<&'text'&>"
This records the host name as specified by a remote host in a HELO or EHLO
command.
-.vitem "&%-host_address%& <&'address'&>.<&'port'&>"
+.vitem "&%-host_address%&&~<&'address'&>.<&'port'&>"
This records the IP address of the host from which the message was received and
the remote port number that was used. It is omitted for locally generated
messages.
-.vitem "&%-host_auth%& <&'text'&>"
+.vitem "&%-host_auth%&&~<&'text'&>"
If the message was received on an authenticated SMTP connection, this records
the name of the authenticator &-- the value of the
&$sender_host_authenticated$& variable.
This is present if an attempt to look up the sending host's name from its IP
address failed. It corresponds to the &$host_lookup_failed$& variable.
-.vitem "&%-host_name%& <&'text'&>"
+.vitem "&%-host_name%&&~<&'text'&>"
.cindex "reverse DNS lookup"
.cindex "DNS" "reverse lookup"
This records the name of the remote host from which the message was received,
if the host name was looked up from the IP address when the message was being
received. It is not present if no reverse lookup was done.
-.vitem "&%-ident%& <&'text'&>"
+.vitem "&%-ident%&&~<&'text'&>"
For locally submitted messages, this records the login of the originating user,
unless it was a trusted user and the &%-oMt%& option was used to specify an
ident value. For messages received over TCP/IP, this records the ident string
supplied by the remote host, if any.
-.vitem "&%-interface_address%& <&'address'&>.<&'port'&>"
+.vitem "&%-interface_address%&&~<&'address'&>.<&'port'&>"
This records the IP address of the local interface and the port number through
which a message was received from a remote host. It is omitted for locally
generated messages.
.vitem &%-localerror%&
The message is a locally-generated bounce message.
-.vitem "&%-local_scan%& <&'string'&>"
+.vitem "&%-local_scan%&&~<&'string'&>"
This records the data string that was returned by the &[local_scan()]& function
when the message was received &-- the value of the &$local_scan_data$&
variable. It is omitted if no data was returned.
The envelope sender of this message was set by an untrusted local caller (used
to ensure that the caller is displayed in queue listings).
-.vitem "&%-spam_score_int%& <&'number'&>"
+.vitem "&%-spam_score_int%&&~<&'number'&>"
If a message was scanned by SpamAssassin, this is present. It records the value
of &$spam_score_int$&.
A TLS certificate was received from the client that sent this message, and the
certificate was verified by the server.
-.vitem "&%-tls_cipher%& <&'cipher name'&>"
+.vitem "&%-tls_cipher%&&~<&'cipher name'&>"
When the message was received over an encrypted connection, this records the
name of the cipher suite that was used.
-.vitem "&%-tls_peerdn%& <&'peer DN'&>"
+.vitem "&%-tls_peerdn%&&~<&'peer DN'&>"
When the message was received over an encrypted connection, and a certificate
was received from the client, this records the Distinguished Name from that
certificate.
git://git.exim.org / exim.git / blobdiff