. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
-. converted into DocBook XML for subsequent conversion into printing and online
+. converted into DocBook XML for subsequent conversion into printable and online
. formats. The markup used herein is "standard" xfpt markup, with some extras.
. The markup is summarized in a file called Markup.txt.
.
.literal off
. /////////////////////////////////////////////////////////////////////////////
-. This generate the outermost <book> element that wraps then entire document.
+. This generates the outermost <book> element that wraps the entire document.
. /////////////////////////////////////////////////////////////////////////////
.book
. /////////////////////////////////////////////////////////////////////////////
-. These definitions set some parameters and save some typing. Remember that
-. the <bookinfo> element must also be updated for each new edition.
+. These definitions set some parameters and save some typing.
+. Update the Copyright year (only) when changing content.
. /////////////////////////////////////////////////////////////////////////////
-.set previousversion "4.75"
-.set version "4.77"
+.set previousversion "4.91"
+.include ./local_params
.set ACL "access control lists (ACLs)"
.set I " "
+.macro copyyear
+2018
+.endmacro
. /////////////////////////////////////////////////////////////////////////////
. Additional xfpt markup used by this document, over and above the default
. provided in the xfpt library.
. /////////////////////////////////////////////////////////////////////////////
-. --- Override the &$ flag to automatically insert a $ with the variable name
+. --- Override the &$ flag to automatically insert a $ with the variable name.
.flag &$ $& "<varname>$" "</varname>"
. --- Short flags for daggers in option headings. They will always be inside
-. --- an italic string, but we want the daggers to be roman.
+. --- an italic string, but we want the daggers to be in Roman.
.flag &!! "</emphasis>†<emphasis>"
.flag &!? "</emphasis>‡<emphasis>"
. --- A macro for the common 2-column tables. The width of the first column
. --- is suitable for the many tables at the start of the main options chapter;
-. --- the small number of other 2-column tables override it.
+. --- a small number of other 2-column tables override it.
.macro table2 196pt 254pt
.itable none 0 0 2 $1 left $2 left
. ////////////////////////////////////////////////////////////////////////////
-. The <bookinfo> element is removed from the XML before processing for Ascii
+. The <bookinfo> element is removed from the XML before processing for ASCII
. output formats.
. ////////////////////////////////////////////////////////////////////////////
<bookinfo>
<title>Specification of the Exim Mail Transfer Agent</title>
<titleabbrev>The Exim MTA</titleabbrev>
-<date>06 May 2011</date>
+<date>
+.fulldate
+</date>
<author><firstname>Exim</firstname><surname>Maintainers</surname></author>
<authorinitials>EM</authorinitials>
<revhistory><revision>
- <revnumber>4.77</revnumber>
- <date>10 Oct 2011</date>
+.versiondatexml
<authorinitials>EM</authorinitials>
</revision></revhistory>
-<copyright><year>2011</year><holder>University of Cambridge</holder></copyright>
+<copyright><year>
+.copyyear
+ </year><holder>University of Cambridge</holder></copyright>
</bookinfo>
.literal off
BSD/OS (aka BSDI), Darwin (Mac OS X), DGUX, Dragonfly, FreeBSD, GNU/Hurd,
GNU/Linux, HI-OSF (Hitachi), HI-UX, HP-UX, IRIX, MIPS RISCOS, NetBSD, OpenBSD,
OpenUNIX, QNX, SCO, SCO SVR4.2 (aka UNIX-SV), Solaris (aka SunOS5), SunOS4,
-Tru64-Unix (formerly Digital UNIX, formerly DEC-OSF1), Ultrix, and Unixware.
+Tru64-Unix (formerly Digital UNIX, formerly DEC-OSF1), Ultrix, and UnixWare.
Some of these operating systems are no longer current and cannot easily be
tested, so the configuration files may no longer work in practice.
the file &_NOTICE_&. Exim is distributed under the terms of the GNU General
Public Licence, a copy of which may be found in the file &_LICENCE_&.
-The use, supply or promotion of Exim for the purpose of sending bulk,
-unsolicited electronic mail is incompatible with the basic aims of the program,
+The use, supply, or promotion of Exim for the purpose of sending bulk,
+unsolicited electronic mail is incompatible with the basic aims of Exim,
which revolve around the free provision of a service that enhances the quality
of personal communications. The author of Exim regards indiscriminate
mass-mailing as an antisocial, irresponsible abuse of the Internet.
.new
.cindex "documentation"
-This edition of the Exim specification applies to version &version; of Exim.
+This edition of the Exim specification applies to version &version() of Exim.
Substantive changes from the &previousversion; edition are marked in some
-renditions of the document; this paragraph is so marked if the rendition is
+renditions of this document; this paragraph is so marked if the rendition is
capable of showing a change indicator.
.wen
with general Unix system administration. Although there are some discussions
and examples in places, the information is mostly organized in a way that makes
it easy to look up, rather than in a natural order for sequential reading.
-Furthermore, the manual aims to cover every aspect of Exim in detail, including
+Furthermore, this manual aims to cover every aspect of Exim in detail, including
a number of rarely-used, special-purpose features that are unlikely to be of
very wide interest.
An &"easier"& discussion of Exim which provides more in-depth explanatory,
introductory, and tutorial material can be found in a book entitled &'The Exim
SMTP Mail Server'& (second edition, 2007), published by UIT Cambridge
-(&url(http://www.uit.co.uk/exim-book/)).
+(&url(https://www.uit.co.uk/exim-book/)).
-This book also contains a chapter that gives a general introduction to SMTP and
+The book also contains a chapter that gives a general introduction to SMTP and
Internet mail. Inevitably, however, the book is unlikely to be fully up-to-date
with the latest release of Exim. (Note that the earlier book about Exim,
published by O'Reilly, covers Exim 3, and many things have changed in Exim 4.)
.cindex "&_doc/NewStuff_&"
.cindex "&_doc/ChangeLog_&"
.cindex "change log"
-As the program develops, there may be features in newer versions that have not
+As Exim develops, there may be features in newer versions that have not
yet made it into this document, which is updated only when the most significant
digit of the fractional part of the version number changes. Specifications of
new features that are not yet in this manual are placed in the file
they are not documented in this manual. Information about experimental features
can be found in the file &_doc/experimental.txt_&.
-All changes to the program (whether new features, bug fixes, or other kinds of
+All changes to Exim (whether new features, bug fixes, or other kinds of
change) are noted briefly in the file called &_doc/ChangeLog_&.
.cindex "&_doc/spec.txt_&"
.row &_filter.txt_& "specification of the filter language"
.row &_Exim3.upgrade_& "upgrade notes from release 2 to release 3"
.row &_Exim4.upgrade_& "upgrade notes from release 3 to release 4"
+.row &_openssl.txt_& "installing a current OpenSSL release"
.endtable
The main specification and the specification of the filtering language are also
-.section "FTP and web sites" "SECID2"
-.cindex "web site"
+.section "FTP site and websites" "SECID2"
+.cindex "website"
.cindex "FTP site"
-The primary site for Exim source distributions is currently the University of
-Cambridge's FTP site, whose contents are described in &'Where to find the Exim
-distribution'& below. In addition, there is a web site and an FTP site at
-&%exim.org%&. These are now also hosted at the University of Cambridge. The
-&%exim.org%& site was previously hosted for a number of years by Energis
-Squared, formerly Planet Online Ltd, whose support I gratefully acknowledge.
+The primary site for Exim source distributions is the &%exim.org%& FTP site,
+available over HTTPS, HTTP and FTP. These services, and the &%exim.org%&
+website, are hosted at the University of Cambridge.
.cindex "wiki"
.cindex "FAQ"
-As well as Exim distribution tar files, the Exim web site contains a number of
+As well as Exim distribution tar files, the Exim website contains a number of
differently formatted versions of the documentation. A recent addition to the
-online information is the Exim wiki (&url(http://wiki.exim.org)),
+online information is the Exim wiki (&url(https://wiki.exim.org)),
which contains what used to be a separate FAQ, as well as various other
examples, tips, and know-how that have been contributed by Exim users.
+The wiki site should always redirect to the correct place, which is currently
+provided by GitHub, and is open to editing by anyone with a GitHub account.
.cindex Bugzilla
-An Exim Bugzilla exists at &url(http://bugs.exim.org). You can use
+An Exim Bugzilla exists at &url(https://bugs.exim.org). You can use
this to report bugs, and also to add items to the wish list. Please search
first to check that you are not duplicating a previous entry.
-
+Please do not ask for configuration help in the bug-tracker.
.section "Mailing lists" "SECID3"
the Debian-specific mailing list &'pkg-exim4-users@lists.alioth.debian.org'&
via this web page:
.display
-&url(http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users)
+&url(https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-exim4-users)
.endd
-Please ask Debian-specific questions on this list and not on the general Exim
+Please ask Debian-specific questions on that list and not on the general Exim
lists.
-.section "Exim training" "SECID4"
-.cindex "training courses"
-Training courses in Cambridge (UK) used to be run annually by the author of
-Exim, before he retired. At the time of writing, there are no plans to run
-further Exim courses in Cambridge. However, if that changes, relevant
-information will be posted at &url(http://www-tus.csx.cam.ac.uk/courses/exim/).
-
.section "Bug reports" "SECID5"
.cindex "bug reports"
.cindex "reporting bugs"
Reports of obvious bugs can be emailed to &'bugs@exim.org'& or reported
-via the Bugzilla (&url(http://bugs.exim.org)). However, if you are unsure
+via the Bugzilla (&url(https://bugs.exim.org)). However, if you are unsure
whether some behaviour is a bug or not, the best thing to do is to post a
message to the &'exim-dev'& mailing list and have it discussed.
.section "Where to find the Exim distribution" "SECTavail"
.cindex "FTP site"
-.cindex "distribution" "ftp site"
-The master ftp site for the Exim distribution is
-.display
-&*ftp://ftp.csx.cam.ac.uk/pub/software/email/exim*&
-.endd
-This is mirrored by
+.cindex "HTTPS download site"
+.cindex "distribution" "FTP site"
+.cindex "distribution" "https site"
+The master distribution site for the Exim distribution is
.display
-&*ftp://ftp.exim.org/pub/exim*&
+&url(https://downloads.exim.org/)
.endd
-The file references that follow are relative to the &_exim_& directories at
-these sites. There are now quite a number of independent mirror sites around
+The service is available over HTTPS, HTTP and FTP.
+We encourage people to migrate to HTTPS.
+
+The content served at &url(https://downloads.exim.org/) is identical to the
+content served at &url(https://ftp.exim.org/pub/exim) and
+&url(ftp://ftp.exim.org/pub/exim).
+
+If accessing via a hostname containing &'ftp'&, then the file references that
+follow are relative to the &_exim_& directories at these sites.
+If accessing via the hostname &'downloads'& then the subdirectories described
+here are top-level directories.
+
+There are now quite a number of independent mirror sites around
the world. Those that I know about are listed in the file called &_Mirrors_&.
-Within the &_exim_& directory there are subdirectories called &_exim3_& (for
+Within the top exim directory there are subdirectories called &_exim3_& (for
previous Exim 3 distributions), &_exim4_& (for the latest Exim 4
distributions), and &_Testing_& for testing versions. In the &_exim4_&
subdirectory, the current release can always be found in files called
.display
+&_exim-n.nn.tar.xz_&
&_exim-n.nn.tar.gz_&
&_exim-n.nn.tar.bz2_&
.endd
-where &'n.nn'& is the highest such version number in the directory. The two
+where &'n.nn'& is the highest such version number in the directory. The three
files contain identical data; the only difference is the type of compression.
-The &_.bz2_& file is usually a lot smaller than the &_.gz_& file.
+The &_.xz_& file is usually the smallest, while the &_.gz_& file is the
+most portable to old systems.
.cindex "distribution" "signing details"
.cindex "distribution" "public key"
.cindex "public key for signed distribution"
-The distributions are currently signed with Nigel Metheringham's GPG key. The
-corresponding public key is available from a number of keyservers, and there is
-also a copy in the file &_nigel-pubkey.asc_&. The signatures for the tar bundles are
-in:
+The distributions will be PGP signed by an individual key of the Release
+Coordinator. This key will have a uid containing an email address in the
+&'exim.org'& domain and will have signatures from other people, including
+other Exim maintainers. We expect that the key will be in the "strong set" of
+PGP keys. There should be a trust path to that key from the Exim Maintainer's
+PGP keys, a version of which can be found in the release directory in the file
+&_Exim-Maintainers-Keyring.asc_&. All keys used will be available in public keyserver pools,
+such as &'pool.sks-keyservers.net'&.
+
+At the time of the last update, releases were being made by Jeremy Harris and signed
+with key &'0xBCE58C8CE41F32DF'&. Other recent keys used for signing are those
+of Heiko Schlittermann, &'0x26101B62F69376CE'&,
+and of Phil Pennock, &'0x4D1E900E14C1CC04'&.
+
+The signatures for the tar bundles are in:
.display
+&_exim-n.nn.tar.xz.asc_&
&_exim-n.nn.tar.gz.asc_&
&_exim-n.nn.tar.bz2.asc_&
.endd
-For each released version, the log of changes is made separately available in a
+For each released version, the log of changes is made available in a
separate file in the directory &_ChangeLogs_& so that it is possible to
find out what has changed without having to download the entire distribution.
&_exim-texinfo-n.nn.tar.gz_&
.endd
These tar files contain only the &_doc_& directory, not the complete
-distribution, and are also available in &_.bz2_& as well as &_.gz_& forms.
+distribution, and are also available in &_.bz2_& and &_.xz_& forms.
.section "Limitations" "SECID6"
.endlist
-.section "Run time configuration" "SECID7"
-Exim's run time configuration is held in a single text file that is divided
+.section "Runtime configuration" "SECID7"
+Exim's runtime configuration is held in a single text file that is divided
into a number of sections. The entries in this file consist of keywords and
values, in the style of Smail 3 configuration files. A default configuration
file which is suitable for simple online installations is provided in the
&_/usr/sbin/sendmail_& when sending mail, but you do not need to know anything
about Sendmail in order to run Exim. For actions other than sending messages,
Sendmail-compatible options also exist, but those that produce output (for
-example, &%-bp%&, which lists the messages on the queue) do so in Exim's own
+example, &%-bp%&, which lists the messages in the queue) do so in Exim's own
format. There are also some additional options that are compatible with Smail
3, and some further options that are new to Exim. Chapter &<<CHAPcommandline>>&
documents all Exim's command line options. This information is automatically
made into the man page that forms part of the Exim distribution.
-Control of messages on the queue can be done via certain privileged command
+Control of messages in the queue can be done via certain privileged command
line options. There is also an optional monitor program called &'eximon'&,
which displays current information in an X window, and which contains a menu
interface to Exim's command line administration options.
.cindex "terminology definitions"
.cindex "body of message" "definition of"
The &'body'& of a message is the actual data that the sender wants to transmit.
-It is the last part of a message, and is separated from the &'header'& (see
+It is the last part of a message and is separated from the &'header'& (see
below) by a blank line.
.cindex "bounce message" "definition of"
.cindex "local part" "definition of"
.cindex "domain" "definition of"
-The term &'local part'&, which is taken from RFC 2822, is used to refer to that
+The term &'local part'&, which is taken from RFC 2822, is used to refer to the
part of an email address that precedes the @ sign. The part that follows the
@ sign is called the &'domain'& or &'mail domain'&.
message's envelope.
.cindex "queue" "definition of"
-The term &'queue'& is used to refer to the set of messages awaiting delivery,
+The term &'queue'& is used to refer to the set of messages awaiting delivery
because this term is in widespread use in the context of MTAs. However, in
-Exim's case the reality is more like a pool than a queue, because there is
+Exim's case, the reality is more like a pool than a queue, because there is
normally no ordering of waiting messages.
.cindex "queue runner" "definition of"
The term &'queue runner'& is used to describe a process that scans the queue
and attempts to deliver those messages whose retry times have come. This term
-is used by other MTAs, and also relates to the command &%runq%&, but in Exim
+is used by other MTAs and also relates to the command &%runq%&, but in Exim
the waiting messages are normally processed in an unpredictable order.
.cindex "spool directory" "definition of"
The term &'spool directory'& is used for a directory in which Exim keeps the
-messages on its queue &-- that is, those that it is in the process of
+messages in its queue &-- that is, those that it is in the process of
delivering. This should not be confused with the directory in which local
mailboxes are stored, which is called a &"spool directory"& by some people. In
the Exim documentation, &"spool"& is always used in the first sense.
.cindex "incorporated code"
.cindex "regular expressions" "library"
.cindex "PCRE"
+.cindex "OpenDMARC"
A number of pieces of external code are included in the Exim distribution.
.ilist
version.
This code implements Dan Bernstein's Constant DataBase (cdb) spec. Information,
the spec and sample code for cdb can be obtained from
-&url(http://www.pobox.com/~djb/cdb.html). This implementation borrows
+&url(https://cr.yp.to/cdb.html). This implementation borrows
some code from Dan Bernstein's implementation (which has no license
restrictions applied to it).
.endblockquote
acknowledgment:
&"This product includes software developed by Computing Services
-at Carnegie Mellon University (&url(http://www.cmu.edu/computing/)."&
+at Carnegie Mellon University (&url(https://www.cmu.edu/computing/)."&
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
SOFTWARE.
.endblockquote
+.next
+.cindex "opendmarc" "acknowledgment"
+The DMARC implementation uses the OpenDMARC library which is Copyrighted by
+The Trusted Domain Project. Portions of Exim source which use OpenDMARC
+derived code are indicated in the respective source files. The full OpenDMARC
+license is provided in the LICENSE.opendmarc file contained in the distributed
+source code.
+
.next
Many people have contributed code fragments, some large, some small, that were
-not covered by any specific licence requirements. It is assumed that the
+not covered by any specific license requirements. It is assumed that the
contributors are happy to see their code incorporated into Exim under the GPL.
.endlist
.section "Policy control" "SECID11"
.cindex "policy control" "overview"
Policy controls are now an important feature of MTAs that are connected to the
-Internet. Perhaps their most important job is to stop MTAs being abused as
+Internet. Perhaps their most important job is to stop MTAs from being abused as
&"open relays"& by misguided individuals who send out vast amounts of
-unsolicited junk, and want to disguise its source. Exim provides flexible
+unsolicited junk and want to disguise its source. Exim provides flexible
facilities for specifying policy controls on incoming mail:
.ilist
normally encoding numbers in base 62. However, in the Darwin operating
system (Mac OS X) and when Exim is compiled to run under Cygwin, base 36
(avoiding the use of lower case letters) is used instead, because the message
-id is used to construct file names, and the names of files in those systems are
+id is used to construct filenames, and the names of files in those systems are
not always case-sensitive.
.cindex "pid (process id)" "re-use of"
If the process runs Exim with the &%-bS%& option, the message is also read
non-interactively, but in this case the recipients are listed at the start of
the message in a series of SMTP RCPT commands, terminated by a DATA
-command. This is so-called &"batch SMTP"& format,
+command. This is called &"batch SMTP"& format,
but it isn't really SMTP. The SMTP commands are just another way of passing
envelope addresses in a non-interactive submission.
.next
qualification domain (which can be set by the &%qualify_domain%& configuration
option). For local or batch SMTP, a sender address that is passed using the
SMTP MAIL command is ignored. However, the system administrator may allow
-certain users (&"trusted users"&) to specify a different sender address
+certain users (&"trusted users"&) to specify a different sender addresses
unconditionally, or all users to specify certain forms of different sender
address. The &%-f%& option or the SMTP MAIL command is used to specify these
different addresses. See section &<<SECTtrustedadmin>>& for details of trusted
users to change sender addresses.
Messages received by either of the non-interactive mechanisms are subject to
-checking by the non-SMTP ACL, if one is defined. Messages received using SMTP
-(either over TCP/IP, or interacting with a local process) can be checked by a
+checking by the non-SMTP ACL if one is defined. Messages received using SMTP
+(either over TCP/IP or interacting with a local process) can be checked by a
number of ACLs that operate at different times during the SMTP session. Either
-individual recipients, or the entire message, can be rejected if local policy
+individual recipients or the entire message can be rejected if local policy
requirements are not met. The &[local_scan()]& function (see chapter
&<<CHAPlocalscan>>&) is run for all incoming messages.
file containing the envelope and header, and &`-D`& for the data file.
.cindex "spool directory" "&_input_& sub-directory"
-By default all these message files are held in a single directory called
+By default, all these message files are held in a single directory called
&_input_& inside the general Exim spool directory. Some operating systems do
not perform very well if the number of files in a directory gets large; to
improve performance in such cases, the &%split_spool_directory%& option can be
A message remains in the spool directory until it is completely delivered to
its recipients or to an error address, or until it is deleted by an
administrator or by the user who originally created it. In cases when delivery
-cannot proceed &-- for example, when a message can neither be delivered to its
+cannot proceed &-- for example when a message can neither be delivered to its
recipients nor returned to its sender, the message is marked &"frozen"& on the
spool, and no more deliveries are attempted.
.oindex "&%ignore_bounce_errors_after%&"
There are options called &%ignore_bounce_errors_after%& and
&%timeout_frozen_after%&, which discard frozen messages after a certain time.
-The first applies only to frozen bounces, the second to any frozen messages.
+The first applies only to frozen bounces, the second to all frozen messages.
.cindex "message" "log file for"
.cindex "log" "file for each message"
attempt to its main log file. This includes successful, unsuccessful, and
delayed deliveries for each recipient (see chapter &<<CHAPlog>>&). The log
lines are also written to a separate &'message log'& file for each message.
-These logs are solely for the benefit of the administrator, and are normally
+These logs are solely for the benefit of the administrator and are normally
deleted along with the spool files when processing of a message is complete.
The use of individual message logs can be disabled by setting
&%no_message_logs%&; this might give an improvement in performance on very busy
Updating the spool file is done by writing a new file and renaming it, to
minimize the possibility of data loss.
-Should the system or the program crash after a successful delivery but before
+Should the system or Exim crash after a successful delivery but before
the spool file has been updated, the journal is left lying around. The next
time Exim attempts to deliver the message, it reads the journal file and
updates the spool file before proceeding. This minimizes the chances of double
The main delivery processing elements of Exim are called &'routers'& and
&'transports'&, and collectively these are known as &'drivers'&. Code for a
number of them is provided in the source distribution, and compile-time options
-specify which ones are included in the binary. Run time options specify which
+specify which ones are included in the binary. Runtime options specify which
ones are actually used for delivering messages.
.cindex "drivers" "instance definition"
-Each driver that is specified in the run time configuration is an &'instance'&
+Each driver that is specified in the runtime configuration is an &'instance'&
of that particular driver type. Multiple instances are allowed; for example,
you can set up several different &(smtp)& transports, each with different
option values that might specify different ports or different timeouts. Each
configuration.
The first router that is specified in a configuration is often one that handles
-addresses in domains that are not recognized specially by the local host. These
-are typically addresses for arbitrary domains on the Internet. A precondition
+addresses in domains that are not recognized specifically by the local host.
+Typically these are addresses for arbitrary domains on the Internet. A precondition
is set up which looks for the special domains known to the host (for example,
its own domain name), and the router is run for addresses that do &'not'&
match. Typically, this is a router that looks up domains in the DNS in order to
does not affect the way the routers work, but it is a state that can be
detected. By this means, a router can be skipped or made to behave differently
when verifying. A common example is a configuration in which the first router
-sends all messages to a message-scanning program, unless they have been
+sends all messages to a message-scanning program unless they have been
previously scanned. Thus, the first router accepts all addresses without any
checking, making it useless for verifying. Normally, the &%no_verify%& option
would be set for such a router, causing it to be skipped in verify mode.
.ilist
&'accept'&: The router accepts the address, and either assigns it to a
-transport, or generates one or more &"child"& addresses. Processing the
-original address ceases,
+transport or generates one or more &"child"& addresses. Processing the
+original address ceases
.oindex "&%unseen%&"
unless the &%unseen%& option is set on the router. This option
can be used to set up multiple deliveries with different routing (for example,
&%redirect_router%& may be anywhere in the router configuration.
.next
&'pass'&: The router recognizes the address, but cannot handle it itself. It
-requests that the address be passed to another router. By default the address
+requests that the address be passed to another router. By default, the address
is passed to the next router, but this can be changed by setting the
&%pass_router%& option. However, (unlike &%redirect_router%&) the named router
must be below the current router (to avoid loops).
.cindex "address duplicate, discarding"
.cindex "duplicate addresses"
Once routing is complete, Exim scans the addresses that are assigned to local
-and remote transports, and discards any duplicates that it finds. During this
-check, local parts are treated as case-sensitive. This happens only when
+and remote transports and discards any duplicates that it finds. During this
+check, local parts are treated case-sensitively. This happens only when
actually delivering a message; when testing routers with &%-bt%&, all the
routed addresses are shown.
described in more detail in chapter &<<CHAProutergeneric>>&.
.ilist
+.cindex affix "router precondition"
The &%local_part_prefix%& and &%local_part_suffix%& options can specify that
the local parts handled by the router may or must have certain prefixes and/or
suffixes. If a mandatory affix (prefix or suffix) is not present, the router is
&%verify_recipient%&, which independently control the use of the router for
sender and recipient verification. You can set these options directly if
you want a router to be used for only one type of verification.
+Note that cutthrough delivery is classed as a recipient verification for this purpose.
.next
If the &%address_test%& option is set false, the router is skipped when Exim is
run with the &%-bt%& option to test an address routing. This can be helpful
.next
Routers can be designated for use only when verifying an address, as
opposed to routing it for delivery. The &%verify_only%& option controls this.
+Again, cutthrough delivery counts as a verification.
.next
Individual routers can be explicitly skipped when running the routers to
check an address given in the SMTP EXPN command (see the &%expn%& option).
.vindex "&$local_part_prefix$&"
.vindex "&$local_part$&"
.vindex "&$local_part_suffix$&"
+.cindex affix "router precondition"
If the &%local_parts%& option is set, the local part of the address must be in
the set of local parts that it defines. If &%local_part_prefix%& or
&%local_part_suffix%& is in use, the prefix or suffix is removed from the local
condition &%first_delivery%& can be used to detect the first run of the system
filter.
.next
-Each recipient address is offered to each configured router in turn, subject to
+Each recipient address is offered to each configured router, in turn, subject to
its preconditions, until one is able to handle it. If no router can handle the
address, that is, if they all decline, the address is failed. Because routers
can be targeted at particular domains, several locally handled domains can be
Exim's mechanism for retrying messages that fail to get delivered at the first
attempt is the queue runner process. You must either run an Exim daemon that
uses the &%-q%& option with a time interval to start queue runners at regular
-intervals, or use some other means (such as &'cron'&) to start them. If you do
+intervals or use some other means (such as &'cron'&) to start them. If you do
not arrange for queue runners to be run, messages that fail temporarily at the
-first attempt will remain on your queue for ever. A queue runner process works
+first attempt will remain in your queue forever. A queue runner process works
its way through the queue, one message at a time, trying each delivery that has
passed its retry time.
You can run several queue runners at once.
waiting for it by the time it recovers, and sending them in a single SMTP
connection is clearly beneficial. Whenever a delivery to a remote host is
deferred,
-.cindex "hints database"
+.cindex "hints database" "deferred deliveries"
Exim makes a note in its hints database, and whenever a successful
SMTP delivery has happened, it looks to see if any other messages are waiting
for the same host. If any are found, they are sent over the same SMTP
.section "Failures to deliver bounce messages" "SECID22"
.cindex "bounce message" "failure to deliver"
If a bounce message (either locally generated or received from a remote host)
-itself suffers a permanent delivery failure, the message is left on the queue,
+itself suffers a permanent delivery failure, the message is left in the queue,
but it is frozen, awaiting the attention of an administrator. There are options
that can be used to make Exim discard such failed messages, or to keep them
for only a short time (see &%timeout_frozen_after%& and
.section "Unpacking" "SECID23"
Exim is distributed as a gzipped or bzipped tar file which, when unpacked,
creates a directory with the name of the current release (for example,
-&_exim-&version;_&) into which the following files are placed:
+&_exim-&version()_&) into which the following files are placed:
.table2 140pt
.irow &_ACKNOWLEDGMENTS_& "contains some acknowledgments"
.irow &_util_& "independent utilities"
.endtable
-The main utility programs are contained in the &_src_& directory, and are built
+The main utility programs are contained in the &_src_& directory and are built
with the Exim binary. The &_util_& directory contains a few optional scripts
that may be useful to some sites.
the actual building takes place. In most cases, Exim can discover the machine
architecture and operating system for itself, but the defaults can be
overridden if necessary.
+.cindex compiler requirements
+.cindex compiler version
+A C99-capable compiler will be required for the build.
-.new
.section "PCRE library" "SECTpcre"
.cindex "PCRE library"
Exim no longer has an embedded PCRE library as the vast majority of
-modern systems include PCRE as a system library, although you may need
-to install the PCRE or PCRE development package for your operating
+modern systems include PCRE as a system library, although you may need to
+install the PCRE package or the PCRE development package for your operating
system. If your system has a normal PCRE installation the Exim build
process will need no further configuration. If the library or the
headers are in an unusual location you will need to either set the PCRE_LIBS
If your operating system has no
PCRE support then you will need to obtain and build the current PCRE
from &url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/).
-More information on PCRE is available at &url(http://www.pcre.org/).
-.wen
+More information on PCRE is available at &url(https://www.pcre.org/).
.section "DBM libraries" "SECTdb"
.cindex "DBM libraries" "discussion of"
The GNU library, &'gdbm'&, operates on a single file. If used via its &'ndbm'&
compatibility interface it makes two different hard links to it with names
&_dbmfile.dir_& and &_dbmfile.pag_&, but if used via its native interface, the
-file name is used unmodified.
+filename is used unmodified.
.next
.cindex "Berkeley DB library"
The Berkeley DB package, if called via its &'ndbm'& compatibility interface,
.next
To complicate things further, there are several very different versions of the
Berkeley DB package. Version 1.85 was stable for a very long time, releases
-2.&'x'& and 3.&'x'& were current for a while, but the latest versions are now
-numbered 4.&'x'&. Maintenance of some of the earlier releases has ceased. All
-versions of Berkeley DB can be obtained from
-&url(http://www.sleepycat.com/).
+2.&'x'& and 3.&'x'& were current for a while, but the latest versions when Exim last revamped support were numbered 4.&'x'&.
+Maintenance of some of the earlier releases has ceased. All versions of
+Berkeley DB could be obtained from
+&url(http://www.sleepycat.com/), which is now a redirect to their new owner's
+page with far newer versions listed.
+It is probably wise to plan to move your storage configurations away from
+Berkeley DB format, as today there are smaller and simpler alternatives more
+suited to Exim's usage model.
.next
.cindex "&'tdb'& DBM library"
Yet another DBM library, called &'tdb'&, is available from
-&url(http://download.sourceforge.net/tdb). It has its own interface, and also
+&url(https://sourceforge.net/projects/tdb/files/). It has its own interface, and also
operates on a single file.
.endlist
&_src/EDITME_& to &_Local/Makefile_&, then read it and edit it appropriately.
There are three settings that you must supply, because Exim will not build
-without them. They are the location of the run time configuration file
+without them. They are the location of the runtime configuration file
(CONFIGURE_FILE), the directory in which Exim binaries will be installed
(BIN_DIRECTORY), and the identity of the Exim user (EXIM_USER and
maybe EXIM_GROUP as well). The value of CONFIGURE_FILE can in fact be
-a colon-separated list of file names; Exim uses the first of them that exists.
+a colon-separated list of filenames; Exim uses the first of them that exists.
There are a few other parameters that can be specified either at build time or
-at run time, to enable the same binary to be used on a number of different
+at runtime, to enable the same binary to be used on a number of different
machines. However, if the locations of Exim's spool directory and log file
directory (if not within the spool directory) are fixed, it is recommended that
-you specify them in &_Local/Makefile_& instead of at run time, so that errors
+you specify them in &_Local/Makefile_& instead of at runtime, so that errors
detected early in Exim's execution (such as a malformed configuration file) can
be logged.
This is all the configuration that is needed in straightforward cases for known
operating systems. However, the building process is set up so that it is easy
to override options that are set by default or by operating-system-specific
-configuration files, for example to change the name of the C compiler, which
+configuration files, for example, to change the C compiler, which
defaults to &%gcc%&. See section &<<SECToverride>>& below for details of how to
do this.
in the ASCII character set, and to label them as being in a particular
character set. When Exim is inspecting header lines by means of the &%$h_%&
mechanism, it decodes them, and translates them into a specified character set
-(default ISO-8859-1). The translation is possible only if the operating system
+(default is set at build time). The translation is possible only if the operating system
supports the &[iconv()]& function.
However, some of the operating systems that supply &[iconv()]& do not support
very many conversions. The GNU &%libiconv%& library (available from
-&url(http://www.gnu.org/software/libiconv/)) can be installed on such
+&url(https://www.gnu.org/software/libiconv/)) can be installed on such
systems to remedy this deficiency, as well as on systems that do not supply
&[iconv()]& at all. After installing &%libiconv%&, you should add
.code
TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
TLS_INCLUDE=-I/usr/local/openssl/include/
.endd
-.new
.cindex "pkg-config" "OpenSSL"
If you have &'pkg-config'& available, then instead you can just use:
.code
SUPPORT_TLS=yes
USE_OPENSSL_PC=openssl
.endd
-.wen
.cindex "USE_GNUTLS"
If GnuTLS is installed, you should set
.code
TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt
TLS_INCLUDE=-I/usr/gnu/include
.endd
-.new
.cindex "pkg-config" "GnuTLS"
If you have &'pkg-config'& available, then instead you can just use:
.code
USE_GNUTLS=yes
USE_GNUTLS_PC=gnutls
.endd
-.wen
You do not need to set TLS_INCLUDE if the relevant directory is already
specified in INCLUDE. Details of how to configure Exim to make use of TLS are
the subnet 192.168.1.0/24, and from all hosts in &'friendly.domain.example'&.
All other connections are denied. The daemon name used by &'tcpwrappers'&
can be changed at build time by setting TCP_WRAPPERS_DAEMON_NAME in
-in &_Local/Makefile_&, or by setting tcp_wrappers_daemon_name in the
+&_Local/Makefile_&, or by setting tcp_wrappers_daemon_name in the
configure file. Consult the &'tcpwrappers'& documentation for
further details.
defined. AAAA records (analogous to A records for IPv4) are in use, and are
currently seen as the mainstream. Another record type called A6 was proposed
as better than AAAA because it had more flexibility. However, it was felt to be
-over-complex, and its status was reduced to &"experimental"&. It is not known
-if anyone is actually using A6 records. Exim has support for A6 records, but
-this is included only if you set &`SUPPORT_A6=YES`& in &_Local/Makefile_&. The
-support has not been tested for some time.
+over-complex, and its status was reduced to &"experimental"&.
+Exim used to
+have a compile option for including A6 record support but this has now been
+withdrawn.
.cindex "symbolic link" "to source files"
Symbolic links to relevant source files are installed in the build directory.
-&*Warning*&: The &%-j%& (parallel) flag must not be used with &'make'&; the
-building process fails if it is set.
-
If this is the first time &'make'& has been run, it calls a script that builds
a make file inside the build directory, using the configuration files from the
&_Local_& directory. The new make file is then passed to another instance of
However, there are some optional lookup types (such as cdb) for which
the code is entirely contained within Exim, and no external include
files or libraries are required. When a lookup type is not included in the
-binary, attempts to configure Exim to use it cause run time configuration
+binary, attempts to configure Exim to use it cause runtime configuration
errors.
-.new
.cindex "pkg-config" "lookups"
.cindex "pkg-config" "authenticators"
Many systems now use a tool called &'pkg-config'& to encapsulate information
AUTH_HEIMDAL_GSSAPI=yes
AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
.endd
-.wen
.cindex "Perl" "including support for"
Exim can be linked with an embedded Perl interpreter, allowing Perl
&_OS/eximon.conf-Default_& can be overridden dynamically by setting environment
variables of the same name, preceded by EXIMON_. For example, setting
EXIMON_LOG_DEPTH in the environment overrides the value of
-LOG_DEPTH at run time.
+LOG_DEPTH at runtime.
.ecindex IIDbuex
chapter &<<CHAPsecurity>>& for details).
.cindex "CONFIGURE_FILE"
-Exim's run time configuration file is named by the CONFIGURE_FILE setting
+Exim's runtime configuration file is named by the CONFIGURE_FILE setting
in &_Local/Makefile_&. If this names a single file, and the file does not
exist, the default configuration file &_src/configure.default_& is copied there
-by the installation script. If a run time configuration file already exists, it
+by the installation script. If a runtime configuration file already exists, it
is left alone. If CONFIGURE_FILE is a colon-separated list, naming several
alternative files, no default is installed.
For the utility programs, old versions are renamed by adding the suffix &_.O_&
to their names. The Exim binary itself, however, is handled differently. It is
installed under a name that includes the version number and the compile number,
-for example &_exim-&version;-1_&. The script then arranges for a symbolic link
+for example, &_exim-&version()-1_&. The script then arranges for a symbolic link
called &_exim_& to point to the binary. If you are updating a previous version
of Exim, the script takes care to ensure that the name &_exim_& is never absent
from the directory (as seen by other processes).
.cindex "installing Exim" "&'info'& documentation"
Not all systems use the GNU &'info'& system for documentation, and for this
reason, the Texinfo source of Exim's documentation is not included in the main
-distribution. Instead it is available separately from the ftp site (see section
+distribution. Instead it is available separately from the FTP site (see section
&<<SECTavail>>&).
If you have defined INFO_DIRECTORY in &_Local/Makefile_& and the Texinfo
.section "Testing" "SECID34"
.cindex "testing" "installation"
-Having installed Exim, you can check that the run time configuration file is
+Having installed Exim, you can check that the runtime configuration file is
syntactically valid by running the following command, which assumes that the
Exim binary directory is within your PATH environment variable:
.code
Testing a new version on a system that is already running Exim can most easily
be done by building a binary with a different CONFIGURE_FILE setting. From
-within the run time configuration, all other file and directory names
+within the runtime configuration, all other file and directory names
that Exim uses can be altered, in order to keep it entirely clear of the
production version.
.cindex "&'From:'& header line"
.cindex "&'Sender:'& header line"
+.cindex "header lines" "From:"
+.cindex "header lines" "Sender:"
For a trusted user, there is never any check on the contents of the &'From:'&
header line, and a &'Sender:'& line is never added. Furthermore, any existing
&'Sender:'& line in incoming local (non-TCP/IP) messages is not removed.
This option is an alias for &%-bV%& and causes version information to be
displayed.
+.vitem &%-Ac%& &&&
+ &%-Am%&
+.oindex "&%-Ac%&"
+.oindex "&%-Am%&"
+These options are used by Sendmail for selecting configuration files and are
+ignored by Exim.
+
.vitem &%-B%&<&'type'&>
.oindex "&%-B%&"
.cindex "8-bit characters"
test data. A line history is supported.
Long expansion expressions can be split over several lines by using backslash
-continuations. As in Exim's run time configuration, white space at the start of
+continuations. As in Exim's runtime configuration, white space at the start of
continuation lines is ignored. Each argument or data line is passed through the
string expansion mechanism, and the result is output. Variable values from the
configuration file (for example, &$qualify_domain$&) are available, but no
-message-specific values (such as &$sender_domain$&) are set, because no message
+message-specific values (such as &$message_exim_id$&) are set, because no message
is being processed (but see &%-bem%& and &%-Mset%&).
&*Note*&: If you use this mechanism to test lookups, and you change the data
the same lookup again. Otherwise, because each Exim process caches the results
of lookups, you will just get the same result as before.
+Macro processing is done on lines before string-expansion: new macros can be
+defined and macros will be expanded.
+Because macros in the config file are often used for secrets, those are only
+available to admin users.
+
.vitem &%-bem%&&~<&'filename'&>
.oindex "&%-bem%&"
.cindex "testing" "string expansion"
.vitem &%-bfp%&&~<&'prefix'&>
.oindex "&%-bfp%&"
+.cindex affix "filter testing"
This sets the prefix of the local part of the recipient address when a filter
file is being tested by means of the &%-bf%& option. The default is an empty
prefix.
.vitem &%-bfs%&&~<&'suffix'&>
.oindex "&%-bfs%&"
+.cindex affix "filter testing"
This sets the suffix of the local part of the recipient address when a filter
file is being tested by means of the &%-bf%& option. The default is an empty
suffix.
Features such as authentication and encryption, where the client input is not
plain text, cannot easily be tested with &%-bh%&. Instead, you should use a
specialized SMTP test program such as
-&url(http://jetmore.org/john/code/#swaks,swaks).
+&url(https://www.jetmore.org/john/code/swaks/,swaks).
.vitem &%-bhc%&&~<&'IP&~address'&>
.oindex "&%-bhc%&"
if this is required. If the &%bi_command%& option is not set, calling Exim with
&%-bi%& is a no-op.
+. // Keep :help first, then the rest in alphabetical order
+.vitem &%-bI:help%&
+.oindex "&%-bI:help%&"
+.cindex "querying exim information"
+We shall provide various options starting &`-bI:`& for querying Exim for
+information. The output of many of these will be intended for machine
+consumption. This one is not. The &%-bI:help%& option asks Exim for a
+synopsis of supported options beginning &`-bI:`&. Use of any of these
+options shall cause Exim to exit after producing the requested output.
+
+.vitem &%-bI:dscp%&
+.oindex "&%-bI:dscp%&"
+.cindex "DSCP" "values"
+This option causes Exim to emit an alphabetically sorted list of all
+recognised DSCP names.
+
+.vitem &%-bI:sieve%&
+.oindex "&%-bI:sieve%&"
+.cindex "Sieve filter" "capabilities"
+This option causes Exim to emit an alphabetically sorted list of all supported
+Sieve protocol extensions on stdout, one per line. This is anticipated to be
+useful for ManageSieve (RFC 5804) implementations, in providing that protocol's
+&`SIEVE`& capability response line. As the precise list may depend upon
+compile-time build options, which this option will adapt to, this is the only
+way to guarantee a correct response.
+
.vitem &%-bm%&
.oindex "&%-bm%&"
.cindex "local message reception"
This option runs an Exim receiving process that accepts an incoming,
-locally-generated message on the current input. The recipients are given as the
+locally-generated message on the standard input. The recipients are given as the
command arguments (except when &%-t%& is also present &-- see below). Each
argument can be a comma-separated list of RFC 2822 addresses. This is the
default option for selecting the overall action of an Exim call; it is assumed
preference to the address taken from the message. The caller of Exim must be a
trusted user for the sender of a message to be set in this way.
+.vitem &%-bmalware%&&~<&'filename'&>
+.oindex "&%-bmalware%&"
+.cindex "testing", "malware"
+.cindex "malware scan test"
+This debugging option causes Exim to scan the given file or directory
+(depending on the used scanner interface),
+using the malware scanning framework. The option of &%av_scanner%& influences
+this option, so if &%av_scanner%&'s value is dependent upon an expansion then
+the expansion should have defaults which apply to this invocation. ACLs are
+not invoked, so if &%av_scanner%& references an ACL variable then that variable
+will never be populated and &%-bmalware%& will fail.
+
+Exim will have changed working directory before resolving the filename, so
+using fully qualified pathnames is advisable. Exim will be running as the Exim
+user when it tries to open the file, rather than as the invoking user.
+This option requires admin privileges.
+
+The &%-bmalware%& option will not be extended to be more generally useful,
+there are better tools for file-scanning. This option exists to help
+administrators verify their Exim and AV scanner configuration.
+
.vitem &%-bnq%&
.oindex "&%-bnq%&"
.cindex "address qualification, suppressing"
.code
mysql_servers = <value not displayable>
.endd
-If &%configure_file%& is given as an argument, the name of the run time
-configuration file is output.
+If &%config%& is given as an argument, the config is
+output, as it was parsed, any include file resolved, any comment removed.
+
+If &%config_file%& is given as an argument, the name of the runtime
+configuration file is output. (&%configure_file%& works too, for
+backward compatibility.)
If a list of configuration files was supplied, the value that is output here
is the name of the file that was actually used.
+.cindex "options" "hiding name of"
+If the &%-n%& flag is given, then for most modes of &%-bP%& operation the
+name will not be output.
+
.cindex "daemon" "process id (pid)"
.cindex "pid (process id)" "of daemon"
If &%log_file_path%& or &%pid_file_path%& are given, the names of the
settings can be obtained by using &%routers%&, &%transports%&, or
&%authenticators%&.
+.cindex "environment"
+If &%environment%& is given as an argument, the set of environment
+variables is output, line by line. Using the &%-n%& flag suppresses the value of the
+variables.
+
.cindex "options" "macro &-- extracting"
If invoked by an admin user, then &%macro%&, &%macro_list%& and &%macros%&
are available, similarly to the drivers. Because macros are sometimes used
for storing passwords, this option is restricted.
The output format is one item per line.
+For the "-bP macro <name>" form, if no such macro is found
+the exit status will be nonzero.
.vitem &%-bp%&
.oindex "&%-bp%&"
-.cindex "queue" "listing messages on"
-.cindex "listing" "messages on the queue"
+.cindex "queue" "listing messages in"
+.cindex "listing" "messages in the queue"
This option requests a listing of the contents of the mail queue on the
standard output. If the &%-bp%& option is followed by a list of message ids,
just those messages are listed. By default, this option can be used only by an
admin user. However, the &%queue_list_requires_admin%& option can be set false
to allow any user to see the queue.
-Each message on the queue is displayed as in the following example:
+Each message in the queue is displayed as in the following example:
.code
25m 2.9K 0t5C6f-0000c8-00 <alice@wonderland.fict.example>
red.king@looking-glass.fict.example
.endd
.cindex "message" "size in queue listing"
.cindex "size" "of message"
-The first line contains the length of time the message has been on the queue
+The first line contains the length of time the message has been in the queue
(in this case 25 minutes), the size of the message (2.9K), the unique local
identifier for the message, and the message sender, as contained in the
envelope. For bounce messages, the sender address is empty, and appears as
.vitem &%-bpc%&
.oindex "&%-bpc%&"
.cindex "queue" "count of messages on"
-This option counts the number of messages on the queue, and writes the total
+This option counts the number of messages in the queue, and writes the total
to the standard output. It is restricted to admin users, unless
&%queue_list_requires_admin%& is set false.
.oindex "&%-bpr%&"
This option operates like &%-bp%&, but the output is not sorted into
chronological order of message arrival. This can speed it up when there are
-lots of messages on the queue, and is particularly useful if the output is
+lots of messages in the queue, and is particularly useful if the output is
going to be post-processed in a way that doesn't need the sorting.
.vitem &%-bpra%&
Exim behaves in exactly the same way as it does when receiving a message via
the listening daemon.
-.vitem &%-bmalware%&&~<&'filename'&>
-.oindex "&%-bmalware%&"
-.cindex "testing", "malware"
-.cindex "malware scan test"
-This debugging option causes Exim to scan the given file,
-using the malware scanning framework. The option of &%av_scanner%& influences
-this option, so if &%av_scanner%&'s value is dependent upon an expansion then
-the expansion should have defaults which apply to this invocation. ACLs are
-not invoked, so if &%av_scanner%& references an ACL variable then that variable
-will never be populated and &%-bmalware%& will fail.
-
-Exim will have changed working directory before resolving the filename, so
-using fully qualified pathnames is advisable. Exim will be running as the Exim
-user when it tries to open the file, rather than as the invoking user.
-This option requires admin privileges.
-
-The &%-bmalware%& option will not be extended to be more generally useful,
-there are better tools for file-scanning. This option exists to help
-administrators verify their Exim and AV scanner configuration.
-
.vitem &%-bt%&
.oindex "&%-bt%&"
.cindex "testing" "addresses"
number, and compilation date of the &'exim'& binary to the standard output.
It also lists the DBM library that is being used, the optional modules (such as
specific lookup types), the drivers that are included in the binary, and the
-name of the run time configuration file that is in use.
+name of the runtime configuration file that is in use.
As part of its operation, &%-bV%& causes Exim to read and syntax check its
configuration file. However, this is a static check only. It cannot check
.cindex "configuration file" "alternate"
.cindex "CONFIGURE_FILE"
.cindex "alternate configuration file"
-This option causes Exim to find the run time configuration file from the given
+This option causes Exim to find the runtime configuration file from the given
list instead of from the list specified by the CONFIGURE_FILE
-compile-time setting. Usually, the list will consist of just a single file
-name, but it can be a colon-separated list of names. In this case, the first
+compile-time setting. Usually, the list will consist of just a single filename,
+but it can be a colon-separated list of names. In this case, the first
file that exists is used. Failure to open an existing file stops Exim from
proceeding any further along the list, and an error is generated.
running as the Exim user, so when it re-executes to regain privilege for the
delivery, the use of &%-C%& causes privilege to be lost. However, root can
test reception and delivery using two separate commands (one to put a message
-on the queue, using &%-odq%&, and another to do the delivery, using &%-M%&).
+in the queue, using &%-odq%&, and another to do the delivery, using &%-M%&).
If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
prefix string with which any file named in a &%-C%& command line option
-must start. In addition, the file name must not contain the sequence &`/../`&.
+must start. In addition, the filename must not contain the sequence &`/../`&.
However, if the value of the &%-C%& option is identical to the value of
CONFIGURE_FILE in &_Local/Makefile_&, Exim ignores &%-C%& and proceeds as
usual. There is no default setting for ALT_CONFIG_PREFIX; when it is
-unset, any file name can be used with &%-C%&.
+unset, any filename can be used with &%-C%&.
ALT_CONFIG_PREFIX can be used to confine alternative configuration files
to a directory to which only root has access. This prevents someone who has
exim '-D ABC = something' ...
.endd
&%-D%& may be repeated up to 10 times on a command line.
+Only macro names up to 22 letters long can be set.
.vitem &%-d%&<&'debug&~options'&>
&<<CHAPlocalscan>>&)
&`lookup `& general lookup code and all lookups
&`memory `& memory handling
-&`pid `& add pid to debug output lines
+&`noutf8 `& modifier: avoid UTF-8 line-drawing
+&`pid `& modifier: add pid to debug output lines
&`process_info `& setting info for the process log
&`queue_run `& queue runs
&`receive `& general message reception logic
&`retry `& retry handling
&`rewrite `& address rewriting
&`route `& address routing
-&`timestamp `& add timestamp to debug output lines
+&`timestamp `& modifier: add timestamp to debug output lines
&`tls `& TLS logic
&`transport `& transports
&`uid `& changes of uid/gid and looking up uid/gid
of all debug output lines. This can be useful when trying to track down delays
in processing.
+.new
+.cindex debugging "UTF-8 in"
+.cindex UTF-8 "in debug output"
+The &`noutf8`& selector disables the use of
+UTF-8 line-drawing characters to group related information.
+When disabled. ascii-art is used instead.
+Using the &`+all`& option does not set this modifier,
+.wen
+
If the &%debug_print%& option is set in any driver, it produces output whenever
any debugging is selected, or if &%-v%& is used.
.vitem &%-G%&
.oindex "&%-G%&"
-.cindex "Sendmail compatibility" "&%-G%& option ignored"
-This is a Sendmail option which is ignored by Exim.
+.cindex "submission fixups, suppressing (command-line)"
+This option is equivalent to an ACL applying:
+.code
+control = suppress_local_fixups
+.endd
+for every message received. Note that Sendmail will complain about such
+bad formatting, where Exim silently just does not fix it up. This may change
+in future.
+
+As this affects audit information, the caller must be a trusted user to use
+this option.
.vitem &%-h%&&~<&'number'&>
.oindex "&%-h%&"
no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'&
command in Solaris 2.4 uses it. See also &%-ti%&.
+.vitem &%-L%&&~<&'tag'&>
+.oindex "&%-L%&"
+.cindex "syslog" "process name; set with flag"
+This option is equivalent to setting &%syslog_processname%& in the config
+file and setting &%log_file_path%& to &`syslog`&.
+Its use is restricted to administrators. The configuration file has to be
+read and parsed, to determine access rights, before this is set and takes
+effect, so early configuration file errors will not honour this flag.
+
+The tag should not be longer than 32 characters.
+
.vitem &%-M%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
.oindex "&%-M%&"
.cindex "forcing delivery"
by Exim in conjunction with the &%-MC%& option. It signifies that the
connection to the remote host has been authenticated.
+.vitem &%-MCD%&
+.oindex "&%-MCD%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that the
+remote host supports the ESMTP &_DSN_& extension.
+
+.vitem &%-MCG%&&~<&'queue&~name'&>
+.oindex "&%-MCG%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that an
+alternate queue is used, named by the following argument.
+
+.vitem &%-MCK%&
+.oindex "&%-MCK%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that a
+remote host supports the ESMTP &_CHUNKING_& extension.
+
.vitem &%-MCP%&
.oindex "&%-MCP%&"
This option is not intended for use by external callers. It is used internally
by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
host to which Exim is connected supports TLS encryption.
+.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&>
+.oindex "&%-MCt%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
+connection is being proxied by a parent process for handling TLS encryption.
+The arguments give the local address and port being proxied, and the TLS cipher.
+
.vitem &%-Mc%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
.oindex "&%-Mc%&"
.cindex "hints database" "not overridden by &%-Mc%&"
.cindex "delivery" "manually started &-- not forced"
-This option requests Exim to run a delivery attempt on each message in turn,
+This option requests Exim to run a delivery attempt on each message, in turn,
but unlike the &%-M%& option, it does check for retry hints, and respects any
that are found. This option is not very useful to external callers. It is
provided mainly for internal use by Exim when it needs to re-invoke itself in
bounce messages are sent; each message is simply forgotten. However, if any of
the messages are active, their status is not altered. This option can be used
only by an admin user or by the user who originally caused the message to be
-placed on the queue.
+placed in the queue.
+
+. .new
+. .vitem &%-MS%&
+. .oindex "&%-MS%&"
+. .cindex REQUIRETLS
+. This option is used to request REQUIRETLS processing on the message.
+. It is used internally by Exim in conjunction with -E when generating
+. a bounce message.
+. .wen
.vitem &%-Mset%&&~<&'message&~id'&>
-.oindex "&%-Mset%&
+.oindex "&%-Mset%&"
.cindex "testing" "string expansion"
.cindex "expansion" "testing"
This option is useful only in conjunction with &%-be%& (that is, when testing
.vitem &%-n%&
.oindex "&%-n%&"
-.cindex "Sendmail compatibility" "&%-n%& option ignored"
-This option is interpreted by Sendmail to mean &"no aliasing"&. It is ignored
-by Exim.
+This option is interpreted by Sendmail to mean &"no aliasing"&.
+For normal modes of operation, it is ignored by Exim.
+When combined with &%-bP%& it makes the output more terse (suppresses
+option names, environment values and config pretty printing).
.vitem &%-O%&&~<&'data'&>
.oindex "&%-O%&"
.oindex "&%-oA%&"
.cindex "Sendmail compatibility" "&%-oA%& option"
This option is used by Sendmail in conjunction with &%-bi%& to specify an
-alternative alias file name. Exim handles &%-bi%& differently; see the
+alternative alias filename. Exim handles &%-bi%& differently; see the
description above.
.vitem &%-oB%&&~<&'n'&>
false and one of the queueing options in the configuration file is in effect.
If there is a temporary delivery error during foreground delivery, the
-message is left on the queue for later delivery, and the original reception
+message is left in the queue for later delivery, and the original reception
process exits. See chapter &<<CHAPnonqueueing>>& for a way of setting up a
restricted configuration that never queues messages.
This option applies to all modes in which Exim accepts incoming messages,
including the listening daemon. It specifies that the accepting process should
not automatically start a delivery process for each message received. Messages
-are placed on the queue, and remain there until a subsequent queue runner
+are placed in the queue, and remain there until a subsequent queue runner
process encounters them. There are several configuration options (such as
&%queue_only%&) that can be used to queue incoming messages under certain
conditions. This option overrides all of them and also &%-odqs%&. It always
message, in the background by default, but in the foreground if &%-odi%& is
also present. The recipient addresses are routed, and local deliveries are done
in the normal way. However, if any SMTP deliveries are required, they are not
-done at this time, so the message remains on the queue until a subsequent queue
+done at this time, so the message remains in the queue until a subsequent queue
runner process encounters it. Because routing was done, Exim knows which
messages are waiting for which hosts, and so a number of messages for the same
host can be sent in a single SMTP connection. The &%queue_smtp_domains%&
Provided
this error message is successfully sent, the Exim receiving process
exits with a return code of zero. If not, the return code is 2 if the problem
-is that the original message has no recipients, or 1 any other error. This is
-the default &%-oe%&&'x'& option if Exim is called as &'rmail'&.
+is that the original message has no recipients, or 1 for any other error.
+This is the default &%-oe%&&'x'& option if Exim is called as &'rmail'&.
.vitem &%-oem%&
.oindex "&%-oem%&"
using the same syntax as for &%-oMa%&. The interface address is placed in
&$received_ip_address$& and the port number, if present, in &$received_port$&.
+.vitem &%-oMm%&&~<&'message&~reference'&>
+.oindex "&%-oMm%&"
+.cindex "message reference" "message reference, specifying for local message"
+See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMm%&
+option sets the message reference, e.g. message-id, and is logged during
+delivery. This is useful when some kind of audit trail is required to tie
+messages together. The format of the message reference is checked and will
+abort if the format is invalid. The option will only be accepted if exim is
+running in trusted mode, not as any regular user.
+
+The best example of a message reference is when Exim sends a bounce message.
+The message reference is the message-id of the original message for which Exim
+is sending the bounce.
+
.vitem &%-oMr%&&~<&'protocol&~name'&>
.oindex "&%-oMr%&"
.cindex "protocol, specifying for local message"
SMTP protocol names (see the description of &$received_protocol$& in section
&<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by
one of those same names. For &%-bS%& (batched SMTP) however, the protocol can
-be set by &%-oMr%&.
+be set by &%-oMr%&. Repeated use of this option is not supported.
.vitem &%-oMs%&&~<&'host&~name'&>
.oindex "&%-oMs%&"
is also given. It controls which ports and interfaces the daemon uses. Details
of the syntax, and how it interacts with configuration file options, are given
in chapter &<<CHAPinterfaces>>&. When &%-oX%& is used to start a daemon, no pid
-file is written unless &%-oP%& is also present to specify a pid file name.
+file is written unless &%-oP%& is also present to specify a pid filename.
.vitem &%-pd%&
.oindex "&%-pd%&"
It sets the incoming protocol and host name (for trusted callers). The
host name and its colon can be omitted when only the protocol is to be set.
Note the Exim already has two private options, &%-pd%& and &%-ps%&, that refer
-to embedded Perl. It is therefore impossible to set a protocol value of &`p`&
+to embedded Perl. It is therefore impossible to set a protocol value of &`d`&
or &`s`& using this option (but that does not seem a real limitation).
+Repeated use of this option is not supported.
.vitem &%-q%&
.oindex "&%-q%&"
and &%-S%& options).
.cindex "queue runner" "description of operation"
-The &%-q%& option starts one queue runner process. This scans the queue of
+If other commandline options do not specify an action,
+the &%-q%& option starts one queue runner process. This scans the queue of
waiting messages, and runs a delivery process for each one in turn. It waits
for each delivery process to finish before starting the next one. A delivery
process may not actually do any deliveries if the retry times for the addresses
.cindex "queue" "initial delivery"
If the &'i'& flag is present, the queue runner runs delivery processes only for
those messages that haven't previously been tried. (&'i'& stands for &"initial
-delivery"&.) This can be helpful if you are putting messages on the queue using
+delivery"&.) This can be helpful if you are putting messages in the queue using
&%-odq%& and want a queue runner just to process the new messages.
.vitem &%-q[q][i]f...%&
.oindex "&%-ql%&"
.cindex "queue" "local deliveries only"
The &'l'& (the letter &"ell"&) flag specifies that only local deliveries are to
-be done. If a message requires any remote deliveries, it remains on the queue
+be done. If a message requires any remote deliveries, it remains in the queue
for later delivery.
-.vitem &%-q%&<&'qflags'&>&~<&'start&~id'&>&~<&'end&~id'&>
+.vitem &%-q[q][i][f[f]][l][G<name>[/<time>]]]%&
+.oindex "&%-qG%&"
+.cindex queue named
+.cindex "named queues"
.cindex "queue" "delivering specific messages"
+If the &'G'& flag and a name is present, the queue runner operates on the
+queue with the given name rather than the default queue.
+The name should not contain a &'/'& character.
+For a periodic queue run (see below)
+append to the name a slash and a time value.
+
+If other commandline options specify an action, a &'-qG<name>'& option
+will specify a queue to operate on.
+For example:
+.code
+exim -bp -qGquarantine
+mailq -qGquarantine
+exim -qGoffpeak -Rf @special.domain.example
+.endd
+
+.vitem &%-q%&<&'qflags'&>&~<&'start&~id'&>&~<&'end&~id'&>
When scanning the queue, Exim can be made to skip over messages whose ids are
lexically less than a given value by following the &%-q%& option with a
starting message id. For example:
.vitem &%-Tqt%&&~<&'times'&>
.oindex "&%-Tqt%&"
-This an option that is exclusively for use by the Exim testing suite. It is not
+This is an option that is exclusively for use by the Exim testing suite. It is not
recognized when Exim is run normally. It allows for the setting up of explicit
&"queue times"& so that various warning/retry features can be tested.
National Language Support extended characters in the body of the mail item"&).
It sets &%-x%& when calling the MTA from its &%mail%& command. Exim ignores
this option.
+
+.vitem &%-X%&&~<&'logfile'&>
+.oindex "&%-X%&"
+This option is interpreted by Sendmail to cause debug information to be sent
+to the named file. It is ignored by Exim.
+
+.vitem &%-z%&&~<&'log-line'&>
+.oindex "&%-z%&"
+This option writes its argument to Exim's logfile.
+Use is restricted to administrators; the intent is for operational notes.
+Quotes should be used to maintain a multi-word item as a single argument,
+under most shells.
.endlist
.ecindex IIDclo1
. ////////////////////////////////////////////////////////////////////////////
-.chapter "The Exim run time configuration file" "CHAPconf" &&&
+.chapter "The Exim runtime configuration file" "CHAPconf" &&&
"The runtime configuration file"
-.cindex "run time configuration"
+.cindex "runtime configuration"
.cindex "configuration file" "general description"
.cindex "CONFIGURE_FILE"
.cindex "configuration file" "errors in"
.cindex "error" "in configuration file"
.cindex "return code" "for bad configuration"
-Exim uses a single run time configuration file that is read whenever an Exim
+Exim uses a single runtime configuration file that is read whenever an Exim
binary is executed. Note that in normal operation, this happens frequently,
because Exim is designed to operate in a distributed manner, without central
control.
The name of the configuration file is compiled into the binary for security
reasons, and is specified by the CONFIGURE_FILE compilation option. In
most configurations, this specifies a single file. However, it is permitted to
-give a colon-separated list of file names, in which case Exim uses the first
+give a colon-separated list of filenames, in which case Exim uses the first
existing file in the list.
.cindex "EXIM_USER"
.cindex "CONFIGURE_GROUP"
.cindex "configuration file" "ownership"
.cindex "ownership" "configuration file"
-The run time configuration file must be owned by root or by the user that is
+The runtime configuration file must be owned by root or by the user that is
specified at compile time by the CONFIGURE_OWNER option (if set). The
configuration file must not be world-writeable, or group-writeable unless its
group is the root group or the one specified at compile time by the
CONFIGURE_GROUP option.
&*Warning*&: In a conventional configuration, where the Exim binary is setuid
-to root, anybody who is able to edit the run time configuration file has an
+to root, anybody who is able to edit the runtime configuration file has an
easy way to run commands as root. If you specify a user or group in the
CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users
who are members of that group will trivially be able to obtain root privileges.
-Up to Exim version 4.72, the run time configuration file was also permitted to
+Up to Exim version 4.72, the runtime configuration file was also permitted to
be writeable by the Exim user and/or group. That has been changed in Exim 4.73
since it offered a simple privilege escalation for any attacker who managed to
compromise the Exim user account.
A default configuration file, which will work correctly in simple situations,
is provided in the file &_src/configure.default_&. If CONFIGURE_FILE
-defines just one file name, the installation process copies the default
+defines just one filename, the installation process copies the default
configuration to a new file of that name if it did not previously exist. If
CONFIGURE_FILE is a list, no default is automatically installed. Chapter
&<<CHAPdefconfil>>& is a &"walk-through"& discussion of the default
Exim is running as the Exim user, so when it re-execs to regain privilege for
the delivery, the use of &%-C%& causes privilege to be lost. However, root
can test reception and delivery using two separate commands (one to put a
-message on the queue, using &%-odq%&, and another to do the delivery, using
+message in the queue, using &%-odq%&, and another to do the delivery, using
&%-M%&).
If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
prefix string with which any file named in a &%-C%& command line option must
-start. In addition, the file name must not contain the sequence &"&`/../`&"&.
-There is no default setting for ALT_CONFIG_PREFIX; when it is unset, any file
-name can be used with &%-C%&.
+start. In addition, the filename must not contain the sequence &"&`/../`&"&.
+There is no default setting for ALT_CONFIG_PREFIX; when it is unset, any
+filename can be used with &%-C%&.
One-off changes to a configuration can be specified by the &%-D%& command line
option, which defines and overrides values for macros used inside the
Some sites may wish to use the same Exim binary on different machines that
share a file system, but to use different configuration files on each machine.
If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first
-looks for a file whose name is the configuration file name followed by a dot
+looks for a file whose name is the configuration filename followed by a dot
and the machine's node name, as obtained from the &[uname()]& function. If this
file does not exist, the standard name is tried. This processing occurs for
-each file name in the list given by CONFIGURE_FILE or &%-C%&.
+each filename in the list given by CONFIGURE_FILE or &%-C%&.
In some esoteric situations different versions of Exim may be run under
different effective uids and the CONFIGURE_FILE_USE_EUID is defined to
Exim's configuration file is divided into a number of different parts. General
option settings must always appear at the start of the file. The other parts
are all optional, and may appear in any order. Each part other than the first
-is introduced by the word &"begin"& followed by the name of the part. The
-optional parts are:
+is introduced by the word &"begin"& followed by at least one literal
+space, and the name of the part. The optional parts are:
.ilist
&'ACL'&: Access control lists for controlling incoming SMTP mail (see chapter
.cindex "configuration file" "including other files"
.cindex "&`.include`& in configuration file"
.cindex "&`.include_if_exists`& in configuration file"
-You can include other files inside Exim's run time configuration file by
+You can include other files inside Exim's runtime configuration file by
using this syntax:
.display
-&`.include`& <&'file name'&>
-&`.include_if_exists`& <&'file name'&>
+&`.include`& <&'filename'&>
+&`.include_if_exists`& <&'filename'&>
.endd
-on a line by itself. Double quotes round the file name are optional. If you use
+on a line by itself. Double quotes round the filename are optional. If you use
the first form, a configuration error occurs if the file does not exist; the
-second form does nothing for non-existent files. In all cases, an absolute file
-name is required.
+second form does nothing for non-existent files.
+The first form allows a relative name. It is resolved relative to
+the directory of the including file. For the second form an absolute filename
+is required.
Includes may be nested to any depth, but remember that Exim reads its
configuration file often, so it is a good idea to keep them to a minimum.
.section "Macro substitution" "SECID42"
Once a macro is defined, all subsequent lines in the file (and any included
files) are scanned for the macro name; if there are several macros, the line is
-scanned for each in turn, in the order in which the macros are defined. The
+scanned for each, in turn, in the order in which the macros are defined. The
replacement text is not re-scanned for the current macro, though it is scanned
for subsequently defined macros. For this reason, a macro name may not contain
the name of a previously defined macro as a substring. You could, for example,
section &<<SECTnamedlists>>&.
+.section "Builtin macros" "SECTbuiltinmacros"
+Exim defines some macros depending on facilities available, which may
+differ due to build-time definitions and from one release to another.
+All of these macros start with an underscore.
+They can be used to conditionally include parts of a configuration
+(see below).
+
+The following classes of macros are defined:
+.display
+&` _HAVE_* `& build-time defines
+&` _DRIVER_ROUTER_* `& router drivers
+&` _DRIVER_TRANSPORT_* `& transport drivers
+&` _DRIVER_AUTHENTICATOR_* `& authenticator drivers
+&` _LOG_* `& log_selector values
+&` _OPT_MAIN_* `& main config options
+&` _OPT_ROUTERS_* `& generic router options
+&` _OPT_TRANSPORTS_* `& generic transport options
+&` _OPT_AUTHENTICATORS_* `& generic authenticator options
+&` _OPT_ROUTER_*_* `& private router options
+&` _OPT_TRANSPORT_*_* `& private transport options
+&` _OPT_AUTHENTICATOR_*_* `& private authenticator options
+.endd
+
+Use an &"exim -bP macros"& command to get the list of macros.
+
+
.section "Conditional skips in the configuration file" "SECID46"
.cindex "configuration file" "conditional skips"
.cindex "&`.ifdef`&"
message_size_limit = 100M
.endif
.endd
-sets a message size limit of 50M if the macro &`AAA`& is defined, and 100M
+sets a message size limit of 50M if the macro &`AAA`& is defined
+(or &`A`& or &`AA`&), and 100M
otherwise. If there is more than one macro named on the line, the condition
is true if any of them are defined. That is, it is an &"or"& condition. To
obtain an &"and"& condition, you need to use nested &`.ifdef`&s.
hexadecimal number.
If an integer value is followed by the letter K, it is multiplied by 1024; if
-it is followed by the letter M, it is multiplied by 1024x1024. When the values
+it is followed by the letter M, it is multiplied by 1024x1024;
+if by the letter G, 1024x1024x1024.
+When the values
of integer option settings are output, values which are an exact multiple of
1024 or 1024x1024 are sometimes, but not always, printed using the letters K
and M. The printing style is independent of the actual input format that was
colon in the example above is necessary. If it were not there, the list would
be interpreted as the two items 127.0.0.1:: and 1.
-.section "Changing list separators" "SECID53"
+.section "Changing list separators" "SECTlistsepchange"
.cindex "list separator" "changing"
.cindex "IPv6" "addresses in lists"
Doubling colons in IPv6 addresses is an unwelcome chore, so a mechanism was
+.section "Macros" "SECTdefconfmacros"
+All macros should be defined before any options.
+
+One macro is specified, but commented out, in the default configuration:
+.code
+# ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
+.endd
+If all off-site mail is expected to be delivered to a "smarthost", then set the
+hostname here and uncomment the macro. This will affect which router is used
+later on. If this is left commented out, then Exim will perform direct-to-MX
+deliveries using a &(dnslookup)& router.
+
+In addition to macros defined here, Exim includes a number of built-in macros
+to enable configuration to be guarded by a binary built with support for a
+given feature. See section &<<SECTbuiltinmacros>>& for more details.
+
+
.section "Main configuration settings" "SECTdefconfmain"
-The main (global) configuration option settings must always come first in the
-file. The first thing you'll see in the file, after some initial comments, is
-the line
+The main (global) configuration option settings section must always come first
+in the file, after the macros.
+The first thing you'll see in the file, after some initial comments, is the line
.code
# primary_hostname =
.endd
The first three non-comment configuration lines are as follows:
.code
-domainlist local_domains = @
+domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1
.endd
These are example settings that can be used when Exim is compiled with
support for TLS (aka SSL) as described in section &<<SECTinctlsssl>>&. The
first one specifies the list of clients that are allowed to use TLS when
-connecting to this server; in this case the wildcard means all clients. The
+connecting to this server; in this case, the wildcard means all clients. The
other options specify where Exim should find its TLS certificate and private
key, which together prove the server's identity to any clients that connect.
More details are given in chapter &<<CHAPTLS>>&.
.cindex "port" "465 and 587"
.cindex "port" "for message submission"
.cindex "message" "submission, ports for"
-.cindex "ssmtp protocol"
+.cindex "submissions protocol"
.cindex "smtps protocol"
+.cindex "ssmtp protocol"
+.cindex "SMTP" "submissions protocol"
.cindex "SMTP" "ssmtp protocol"
.cindex "SMTP" "smtps protocol"
These options provide better support for roaming users who wish to use this
server for message submission. They are not much use unless you have turned on
TLS (as described in the previous paragraph) and authentication (about which
-more in section &<<SECTdefconfauth>>&). The usual SMTP port 25 is often blocked
-on end-user networks, so RFC 4409 specifies that message submission should use
-port 587 instead. However some software (notably Microsoft Outlook) cannot be
-configured to use port 587 correctly, so these settings also enable the
-non-standard &"smtps"& (aka &"ssmtp"&) port 465 (see section
-&<<SECTsupobssmt>>&).
+more in section &<<SECTdefconfauth>>&).
+Mail submission from mail clients (MUAs) should be separate from inbound mail
+to your domain (MX delivery) for various good reasons (eg, ability to impose
+much saner TLS protocol and ciphersuite requirements without unintended
+consequences).
+RFC 6409 (previously 4409) specifies use of port 587 for SMTP Submission,
+which uses STARTTLS, so this is the &"submission"& port.
+RFC 8314 specifies use of port 465 as the &"submissions"& protocol,
+which should be used in preference to 587.
+You should also consider deploying SRV records to help clients find
+these ports.
+Older names for &"submissions"& are &"smtps"& and &"ssmtp"&.
Two more commented-out options settings follow:
.code
1413 (hence their names):
.code
rfc1413_hosts = *
-rfc1413_query_timeout = 5s
+rfc1413_query_timeout = 0s
+.endd
+These settings cause Exim to avoid ident callbacks for all incoming SMTP calls.
+Few hosts offer RFC1413 service these days; calls have to be
+terminated by a timeout and this needlessly delays the startup
+of an incoming SMTP connection.
+If you have hosts for which you trust RFC1413 and need this
+information, you can change this.
+
+This line enables an efficiency SMTP option. It is negotiated by clients
+and not expected to cause problems but can be disabled if needed.
+.code
+prdr_enable = true
.endd
-These settings cause Exim to make ident callbacks for all incoming SMTP calls.
-You can limit the hosts to which these calls are made, or change the timeout
-that is used. If you set the timeout to zero, all ident calls are disabled.
-Although they are cheap and can provide useful information for tracing problem
-messages, some hosts and firewalls have problems with ident calls. This can
-result in a timeout instead of an immediate refused connection, leading to
-delays on starting up an incoming SMTP session.
When Exim receives messages over SMTP connections, it expects all addresses to
be fully qualified with a domain, as required by the SMTP definition. However,
show how you can specify hosts that are permitted to send unqualified sender
and recipient addresses, respectively.
+The &%log_selector%& option is used to increase the detail of logging
+over the default:
+.code
+log_selector = +smtp_protocol_error +smtp_syntax_error \
+ +tls_certificate_verified
+.endd
+
The &%percent_hack_domains%& option is also commented out:
.code
# percent_hack_domains =
This is an almost obsolete form of explicit email routing. If you do not know
anything about it, you can safely ignore this topic.
-The last two settings in the main part of the default configuration are
+The next two settings in the main part of the default configuration are
concerned with messages that have been &"frozen"& on Exim's queue. When a
message is frozen, Exim no longer continues to try to deliver it. Freezing
occurs when a bounce message encounters a permanent failure because the sender
timeout_frozen_after = 7d
.endd
The first of these options specifies that failing bounce messages are to be
-discarded after 2 days on the queue. The second specifies that any frozen
+discarded after 2 days in the queue. The second specifies that any frozen
message (whether a bounce message or not) is to be timed out (and discarded)
after a week. In this configuration, the first setting ensures that no failing
bounce message ever lasts a week.
+Exim queues it's messages in a spool directory. If you expect to have
+large queues, you may consider using this option. It splits the spool
+directory into subdirectories to avoid file system degradation from
+many files in a single directory, resulting in better performance.
+Manual manipulation of queued messages becomes more complex (though fortunately
+not often needed).
+.code
+# split_spool_directory = true
+.endd
+
+In an ideal world everybody follows the standards. For non-ASCII
+messages RFC 2047 is a standard, allowing a maximum line length of 76
+characters. Exim adheres that standard and won't process messages which
+violate this standard. (Even ${rfc2047:...} expansions will fail.)
+In particular, the Exim maintainers have had multiple reports of
+problems from Russian administrators of issues until they disable this
+check, because of some popular, yet buggy, mail composition software.
+.code
+# check_rfc2047_length = false
+.endd
+
+If you need to be strictly RFC compliant you may wish to disable the
+8BITMIME advertisement. Use this, if you exchange mails with systems
+that are not 8-bit clean.
+.code
+# accept_8bitmime = false
+.endd
+
+Libraries you use may depend on specific environment settings. This
+imposes a security risk (e.g. PATH). There are two lists:
+&%keep_environment%& for the variables to import as they are, and
+&%add_environment%& for variables we want to set to a fixed value.
+Note that TZ is handled separately, by the $%timezone%$ runtime
+option and by the TIMEZONE_DEFAULT buildtime option.
+.code
+# keep_environment = ^LDAP
+# add_environment = PATH=/usr/bin::/bin
+.endd
.section "ACL configuration" "SECID54"
&"&'first-initial.second-initial.family-name'&"& when applied to someone like
the author of Exim, who has no second initial.) However, a local part starting
with a dot or containing &"/../"& can cause trouble if it is used as part of a
-file name (for example, for a mailing list). This is also true for local parts
+filename (for example, for a mailing list). This is also true for local parts
that contain slashes. A pipe symbol can also be troublesome if the local part
is incorporated unthinkingly into a shell command line.
fact authenticate until you complete the authenticator definitions.
.code
require message = relay not permitted
- domains = +local_domains : +relay_domains
+ domains = +local_domains : +relay_to_domains
.endd
This statement rejects the address if its domain is neither a local domain nor
one of the domains for which this host is a relay.
begin routers
.endd
Routers are the modules in Exim that make decisions about where to send
-messages. An address is passed to each router in turn, until it is either
+messages. An address is passed to each router, in turn, until it is either
accepted, or failed. This means that the order in which you define the routers
matters. Each router is fully described in its own chapter later in this
manual. Here we give only brief overviews.
support domain literal addresses (those of the form &'user@[10.9.8.7]'&). If
you uncomment this router, you also need to uncomment the setting of
&%allow_domain_literals%& in the main part of the configuration.
+
+Which router is used next depends upon whether or not the ROUTER_SMARTHOST
+macro has been defined, per
.code
+.ifdef ROUTER_SMARTHOST
+smarthost:
+#...
+.else
dnslookup:
- driver = dnslookup
+#...
+.endif
+.endd
+
+If ROUTER_SMARTHOST has been defined, either at the top of the file or on the
+command-line, then we route all non-local mail to that smarthost; otherwise, we'll
+perform DNS lookups for direct-to-MX lookup. Any mail which is to a local domain will
+skip these routers because of the &%domains%& option.
+
+.code
+smarthost:
+ driver = manualroute
domains = ! +local_domains
- transport = remote_smtp
- ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+ transport = smarthost_smtp
+ route_data = ROUTER_SMARTHOST
+ ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
no_more
.endd
-The first uncommented router handles addresses that do not involve any local
-domains. This is specified by the line
+This router only handles mail which is not to any local domains; this is
+specified by the line
.code
domains = ! +local_domains
.endd
indicates that it is referring to a named list. Addresses in other domains are
passed on to the following routers.
+The name of the router driver is &(manualroute)& because we are manually
+specifying how mail should be routed onwards, instead of using DNS MX.
+While the name of this router instance is arbitrary, the &%driver%& option must
+be one of the driver modules that is in the Exim binary.
+
+With no pre-conditions other than &%domains%&, all mail for non-local domains
+will be handled by this router, and the &%no_more%& setting will ensure that no
+other routers will be used for messages matching the pre-conditions. See
+&<<SECTrouprecon>>& for more on how the pre-conditions apply. For messages which
+are handled by this router, we provide a hostname to deliver to in &%route_data%&
+and the macro supplies the value; the address is then queued for the
+&(smarthost_smtp)& transport.
+
+.code
+dnslookup:
+ driver = dnslookup
+ domains = ! +local_domains
+ transport = remote_smtp
+ ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+ no_more
+.endd
+The &%domains%& option behaves as per smarthost, above.
+
The name of the router driver is &(dnslookup)&,
and is specified by the &%driver%& option. Do not be confused by the fact that
the name of this router instance is the same as the name of the driver. The
.code
begin transports
.endd
-One remote transport and four local transports are defined.
+Two remote transports and four local transports are defined.
.code
remote_smtp:
driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef _HAVE_DANE
+ dnssec_request_domains = *
+ hosts_try_dane = *
+.endif
+.ifdef _HAVE_PRDR
+ hosts_try_prdr = *
+.endif
+.endd
+This transport is used for delivering messages over SMTP connections.
+The list of remote hosts comes from the router.
+The &%message_size_limit%& usage is a hack to avoid sending on messages
+with over-long lines. The built-in macro _HAVE_DANE guards configuration
+to try to use DNSSEC for all queries and to use DANE for delivery;
+see section &<<SECDANE>>& for more details.
+
+The &%hosts_try_prdr%& option enables an efficiency SMTP option. It is
+negotiated between client and server and not expected to cause problems
+but can be disabled if needed. The built-in macro _HAVE_PRDR guards the
+use of the &%hosts_try_prdr%& configuration option.
+
+The other remote transport is used when delivering to a specific smarthost
+with whom there must be some kind of existing relationship, instead of the
+usual federated system.
+
+.code
+smarthost_smtp:
+ driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ multi_domain
+ #
+.ifdef _HAVE_TLS
+ # Comment out any of these which you have to, then file a Support
+ # request with your smarthost provider to get things fixed:
+ hosts_require_tls = *
+ tls_verify_hosts = *
+ # As long as tls_verify_hosts is enabled, this won't matter, but if you
+ # have to comment it out then this will at least log whether you succeed
+ # or not:
+ tls_try_verify_hosts = *
+ #
+ # The SNI name should match the name which we'll expect to verify;
+ # many mail systems don't use SNI and this doesn't matter, but if it does,
+ # we need to send a name which the remote site will recognize.
+ # This _should_ be the name which the smarthost operators specified as
+ # the hostname for sending your mail to.
+ tls_sni = ROUTER_SMARTHOST
+ #
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.endif
+.ifdef _HAVE_PRDR
+ hosts_try_prdr = *
+.endif
.endd
-This transport is used for delivering messages over SMTP connections. All its
-options are defaulted. The list of remote hosts comes from the router.
+After the same &%message_size_limit%& hack, we then specify that this Transport
+can handle messages to multiple domains in one run. The assumption here is
+that you're routing all non-local mail to the same place and that place is
+happy to take all messages from you as quickly as possible.
+All other options depend upon built-in macros; if Exim was built without TLS support
+then no other options are defined.
+If TLS is available, then we configure "stronger than default" TLS ciphersuites
+and versions using the &%tls_require_ciphers%& option, where the value to be
+used depends upon the library providing TLS.
+Beyond that, the options adopt the stance that you should have TLS support available
+from your smarthost on today's Internet, so we turn on requiring TLS for the
+mail to be delivered, and requiring that the certificate be valid, and match
+the expected hostname. The &%tls_sni%& option can be used by service providers
+to select an appropriate certificate to present to you and here we re-use the
+ROUTER_SMARTHOST macro, because that is unaffected by CNAMEs present in DNS.
+You want to specify the hostname which you'll expect to validate for, and that
+should not be subject to insecure tampering via DNS results.
+
+For the &%hosts_try_prdr%& option see the previous transport.
+
+All other options are defaulted.
.code
local_delivery:
driver = appendfile
.endd
This transport is used for handling deliveries to pipes that are generated by
redirection (aliasing or users' &_.forward_& files). The &%return_output%&
-option specifies that any output generated by the pipe is to be returned to the
-sender.
+option specifies that any output on stdout or stderr generated by the pipe is to
+be returned to the sender.
.code
address_file:
driver = appendfile
This causes any temporarily failing address to be retried every 15 minutes for
2 hours, then at intervals starting at one hour and increasing by a factor of
1.5 until 16 hours have passed, then every 6 hours up to 4 days. If an address
-is not delivered after 4 days of temporary failure, it is bounced.
+is not delivered after 4 days of temporary failure, it is bounced. The time is
+measured from first failure, not from the time the message was received.
If the retry section is removed from the configuration, or is empty (that is,
if no retry rules are defined), Exim will not retry deliveries. This turns
# server_set_id = $auth2
# server_prompts = :
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
.endd
And the example LOGIN authenticator looks like this:
.code
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
.endd
The &%server_set_id%& option makes Exim remember the authenticated username
i.e. PLAIN or LOGIN. The &%server_advertise_condition%& setting controls
when Exim offers authentication to clients; in the examples, this is only
when TLS or SSL has been started, so to enable the authenticators you also
-need to add support for TLS as described in &<<SECTdefconfmain>>&.
+need to add support for TLS as described in section &<<SECTdefconfmain>>&.
The &%server_condition%& setting defines how to verify that the username and
password are correct. In the examples it just produces an error message.
To make the authenticators work, you can use a string expansion
-expression like one of the examples in &<<CHAPplaintext>>&.
+expression like one of the examples in chapter &<<CHAPplaintext>>&.
Beware that the sequence of the parameters to PLAIN and LOGIN differ; the
-usercode and password are in different positions. &<<CHAPplaintext>>&
-covers both.
+usercode and password are in different positions.
+Chapter &<<CHAPplaintext>>& covers both.
.ecindex IIDconfiwal
Exim supports the use of regular expressions in many of its options. It
uses the PCRE regular expression library; this provides regular expression
matching that is compatible with Perl 5. The syntax and semantics of
-regular expressions is discussed in many Perl reference books, and also in
+regular expressions is discussed in
+online Perl manpages, in
+many Perl reference books, and also in
Jeffrey Friedl's &'Mastering Regular Expressions'&, which is published by
O'Reilly (see &url(http://www.oreilly.com/catalog/regex2/)).
+. --- the http: URL here redirects to another page with the ISBN in the URL
+. --- where trying to use https: just redirects back to http:, so sticking
+. --- to the old URL for now. 2018-09-07.
The documentation for the syntax and semantics of the regular expressions that
are supported by PCRE is included in the PCRE distribution, and no further
lookup. Lookups of this type are conditional expansion items. Different results
can be defined for the cases of lookup success and failure. See chapter
&<<CHAPexpand>>&, where string expansions are described in detail.
+The key for the lookup is specified as part of the string expansion.
.next
Lists of domains, hosts, and email addresses can contain lookup requests as a
way of avoiding excessively long linear lists. In this case, the data that is
returned by the lookup is often (but not always) discarded; whether the lookup
succeeds or fails is what really counts. These kinds of list are described in
chapter &<<CHAPdomhosaddlists>>&.
+The key for the lookup is given by the context in which the list is expanded.
.endlist
String expansions, lists, and lookups interact with each other in such a way
string without a terminating binary zero. The cdb format is designed for
indexed files that are read frequently and never updated, except by total
re-creation. As such, it is particularly suitable for large files containing
-aliases or other indexed data referenced by an MTA. Information about cdb can
-be found in several places:
+aliases or other indexed data referenced by an MTA. Information about cdb and
+tools for building the files can be found in several places:
.display
-&url(http://www.pobox.com/~djb/cdb.html)
-&url(ftp://ftp.corpit.ru/pub/tinycdb/)
-&url(http://packages.debian.org/stable/utils/freecdb.html)
+&url(https://cr.yp.to/cdb.html)
+&url(http://www.corpit.ru/mjt/tinycdb.html)
+&url(https://packages.debian.org/stable/utils/freecdb)
+&url(https://github.com/philpennock/cdbtools) (in Go)
.endd
+. --- 2018-09-07: corpit.ru http:-only
A cdb distribution is not needed in order to build Exim with cdb support,
because the code for reading cdb files is included directly in Exim itself.
However, no means of building or testing cdb files is provided with Exim, so
the DB_UNKNOWN option. This enables it to handle any of the types of database
that the library supports, and can be useful for accessing DBM files created by
other applications. (For earlier DB versions, DB_HASH is always used.)
-.new
.next
.cindex "lookup" "dbmjz"
.cindex "lookup" "dbm &-- embedded NULs"
authenticate incoming SMTP calls using the passwords from Cyrus SASL's
&_/etc/sasldb2_& file with the &(gsasl)& authenticator or Exim's own
&(cram_md5)& authenticator.
-.wen
.next
.cindex "lookup" "dbmnz"
.cindex "lookup" "dbm &-- terminating zero"
&*Warning 2*&: In a host list, you must always use &(net-iplsearch)& so that
the implicit key is the host's IP address rather than its name (see section
&<<SECThoslispatsikey>>&).
+
+.new
+&*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the
+IPv4. Such addresses being searched for are converted to IPv4.
+.wen
.next
.cindex "linear search"
.cindex "lookup" "lsearch"
&*Warning*&: Unlike most other single-key lookup types, a file of data for
&((n)wildlsearch)& can &'not'& be turned into a DBM or cdb file, because those
lookup types support only literal keys.
+
+.next
+.cindex "lookup" "spf"
+If Exim is built with SPF support, manual lookups can be done
+(as opposed to the standard ACL condition method.
+For details see section &<<SECSPF>>&.
.endlist ilist
-.section "Query-style lookup types" "SECID62"
+.section "Query-style lookup types" "SECTquerystylelookups"
.cindex "lookup" "query-style types"
.cindex "query-style lookup" "list of types"
The supported query-style lookup types are listed below. Further details about
&(pgsql)&: The format of the query is an SQL statement that is passed to a
PostgreSQL database. See section &<<SECTsql>>&.
+.next
+.cindex "Redis lookup type"
+.cindex lookup Redis
+&(redis)&: The format of the query is either a simple get or simple set,
+passed to a Redis database. See section &<<SECTsql>>&.
+
.next
.cindex "sqlite lookup type"
.cindex "lookup" "sqlite"
-&(sqlite)&: The format of the query is a file name followed by an SQL statement
+&(sqlite)&: The format of the query is a filename followed by an SQL statement
that is passed to an SQLite database. See section &<<SECTsqlite>>&.
.next
.next
.cindex "whoson lookup type"
.cindex "lookup" "whoson"
+. --- still http:-only, 2018-09-07
&(whoson)&: &'Whoson'& (&url(http://whoson.sourceforge.net)) is a protocol that
allows a server to check whether a particular (dynamically allocated) IP
address is currently allocated to a known (trusted) user and, optionally, to
&`fail`& keyword causes a &'forced expansion failure'& &-- see section
&<<SECTforexpfai>>& for an explanation of what this means.
-The supported DNS record types are A, CNAME, MX, NS, PTR, SRV, and TXT, and,
-when Exim is compiled with IPv6 support, AAAA (and A6 if that is also
-configured). If no type is given, TXT is assumed. When the type is PTR,
+The supported DNS record types are A, CNAME, MX, NS, PTR, SOA, SPF, SRV, TLSA
+and TXT, and, when Exim is compiled with IPv6 support, AAAA.
+If no type is given, TXT is assumed.
+
+For any record type, if multiple records are found, the data is returned as a
+concatenation, with newline as the default separator. The order, of course,
+depends on the DNS resolver. You can specify a different separator character
+between multiple records by putting a right angle-bracket followed immediately
+by the new separator at the start of the query. For example:
+.code
+${lookup dnsdb{>: a=host1.example}}
+.endd
+It is permitted to specify a space as the separator character. Further
+white space is ignored.
+For lookup types that return multiple fields per record,
+an alternate field separator can be specified using a comma after the main
+separator character, followed immediately by the field separator.
+
+.cindex "PTR record" "in &(dnsdb)& lookup"
+When the type is PTR,
the data can be an IP address, written as normal; inversion and the addition of
&%in-addr.arpa%& or &%ip6.arpa%& happens automatically. For example:
.code
For an MX lookup, both the preference value and the host name are returned for
each record, separated by a space. For an SRV lookup, the priority, weight,
port, and host name are returned for each record, separated by spaces.
-
-For any record type, if multiple records are found (or, for A6 lookups, if a
-single record leads to multiple addresses), the data is returned as a
-concatenation, with newline as the default separator. The order, of course,
-depends on the DNS resolver. You can specify a different separator character
-between multiple records by putting a right angle-bracket followed immediately
-by the new separator at the start of the query. For example:
-.code
-${lookup dnsdb{>: a=host1.example}}
-.endd
-It is permitted to specify a space as the separator character. Further
-white space is ignored.
+The field separator can be modified as above.
.cindex "TXT record" "in &(dnsdb)& lookup"
+.cindex "SPF record" "in &(dnsdb)& lookup"
For TXT records with multiple items of data, only the first item is returned,
-unless a separator for them is specified using a comma after the separator
-character followed immediately by the TXT record item separator. To concatenate
-items without a separator, use a semicolon instead.
+unless a field separator is specified.
+To concatenate items without a separator, use a semicolon instead.
+For SPF records the
+default behaviour is to concatenate multiple items without using a separator.
.code
${lookup dnsdb{>\n,: txt=a.b.example}}
${lookup dnsdb{>\n; txt=a.b.example}}
+${lookup dnsdb{spf=example.org}}
.endd
It is permitted to specify a space as the separator character. Further
white space is ignored.
+.cindex "SOA record" "in &(dnsdb)& lookup"
+For an SOA lookup, while no result is obtained the lookup is redone with
+successively more leading components dropped from the given domain.
+Only the primary-nameserver field is returned unless a field separator is
+specified.
+.code
+${lookup dnsdb{>:,; soa=a.b.example.com}}
+.endd
+
+.section "Dnsdb lookup modifiers" "SECTdnsdb_mod"
+.cindex "dnsdb modifiers"
+.cindex "modifiers" "dnsdb"
+.cindex "options" "dnsdb"
+Modifiers for &(dnsdb)& lookups are given by optional keywords,
+each followed by a comma,
+that may appear before the record type.
+
+The &(dnsdb)& lookup fails only if all the DNS lookups fail. If there is a
+temporary DNS error for any of them, the behaviour is controlled by
+a defer-option modifier.
+The possible keywords are
+&"defer_strict"&, &"defer_never"&, and &"defer_lax"&.
+With &"strict"& behaviour, any temporary DNS error causes the
+whole lookup to defer. With &"never"& behaviour, a temporary DNS error is
+ignored, and the behaviour is as if the DNS lookup failed to find anything.
+With &"lax"& behaviour, all the queries are attempted, but a temporary DNS
+error causes the whole lookup to defer only if none of the other lookups
+succeed. The default is &"lax"&, so the following lookups are equivalent:
+.code
+${lookup dnsdb{defer_lax,a=one.host.com:two.host.com}}
+${lookup dnsdb{a=one.host.com:two.host.com}}
+.endd
+Thus, in the default case, as long as at least one of the DNS lookups
+yields some data, the lookup succeeds.
+
+.cindex "DNSSEC" "dns lookup"
+Use of &(DNSSEC)& is controlled by a dnssec modifier.
+The possible keywords are
+&"dnssec_strict"&, &"dnssec_lax"&, and &"dnssec_never"&.
+With &"strict"& or &"lax"& DNSSEC information is requested
+with the lookup.
+With &"strict"& a response from the DNS resolver that
+is not labelled as authenticated data
+is treated as equivalent to a temporary DNS error.
+The default is &"never"&.
+
+See also the &$lookup_dnssec_authenticated$& variable.
+
+.cindex timeout "dns lookup"
+.cindex "DNS" timeout
+Timeout for the dnsdb lookup can be controlled by a retrans modifier.
+The form is &"retrans_VAL"& where VAL is an Exim time specification
+(e.g. &"5s"&).
+The default value is set by the main configuration option &%dns_retrans%&.
+
+Retries for the dnsdb lookup can be controlled by a retry modifier.
+The form if &"retry_VAL"& where VAL is an integer.
+The default count is set by the main configuration option &%dns_retry%&.
+
+.cindex caching "of dns lookup"
+.cindex TTL "of dns lookup"
+.cindex DNS TTL
+Dnsdb lookup results are cached within a single process (and its children).
+The cache entry lifetime is limited to the smallest time-to-live (TTL)
+value of the set of returned DNS records.
+
+
.section "Pseudo dnsdb record types" "SECID66"
.cindex "MX record" "in &(dnsdb)& lookup"
By default, both the preference value and the host name are returned for
The authorization code can be &"Y"& for yes, &"N"& for no, &"X"& for explicit
authorization required but absent, or &"?"& for unknown.
+.cindex "A+" "in &(dnsdb)& lookup"
+The pseudo-type A+ performs an AAAA
+and then an A lookup. All results are returned; defer processing
+(see below) is handled separately for each lookup. Example:
+.code
+${lookup dnsdb {>; a+=$sender_helo_name}}
+.endd
+
.section "Multiple dnsdb lookups" "SECID67"
In the previous sections, &(dnsdb)& lookups for a single domain are described.
in the same way that multiple DNS records for a single item are handled. A
different separator can be specified, as described above.
-The &(dnsdb)& lookup fails only if all the DNS lookups fail. If there is a
-temporary DNS error for any of them, the behaviour is controlled by
-an optional keyword followed by a comma that may appear before the record
-type. The possible keywords are &"defer_strict"&, &"defer_never"&, and
-&"defer_lax"&. With &"strict"& behaviour, any temporary DNS error causes the
-whole lookup to defer. With &"never"& behaviour, a temporary DNS error is
-ignored, and the behaviour is as if the DNS lookup failed to find anything.
-With &"lax"& behaviour, all the queries are attempted, but a temporary DNS
-error causes the whole lookup to defer only if none of the other lookups
-succeed. The default is &"lax"&, so the following lookups are equivalent:
-.code
-${lookup dnsdb{defer_lax,a=one.host.com:two.host.com}}
-${lookup dnsdb{a=one.host.com:two.host.com}}
-.endd
-Thus, in the default case, as long as at least one of the DNS lookups
-yields some data, the lookup succeeds.
-
LDAP connections, rather than the SSL-on-connect &`ldaps`&.
See the &%ldap_start_tls%& option.
+Starting with Exim 4.83, the initialization of LDAP with TLS is more tightly
+controlled. Every part of the TLS configuration can be configured by settings in
+&_exim.conf_&. Depending on the version of the client libraries installed on
+your system, some of the initialization may have required setting options in
+&_/etc/ldap.conf_& or &_~/.ldaprc_& to get TLS working with self-signed
+certificates. This revealed a nuance where the current UID that exim was
+running as could affect which config files it read. With Exim 4.83, these
+methods become optional, only taking effect if not specifically set in
+&_exim.conf_&.
+
.section "LDAP quoting" "SECID68"
.cindex "LDAP" "quoting"
&`USER `& set the DN, for authenticating the LDAP bind
&`PASS `& set the password, likewise
&`REFERRALS `& set the referrals parameter
+&`SERVERS `& set alternate server list for this query only
&`SIZE `& set the limit for the number of entries returned
&`TIME `& set the maximum waiting time for a query
.endd
must be &"follow"& (the default) or &"nofollow"&. The latter stops the LDAP
library from trying to follow referrals issued by the LDAP server.
+.cindex LDAP timeout
+.cindex timeout "LDAP lookup"
The name CONNECT is an obsolete name for NETTIME, retained for
backwards compatibility. This timeout (specified as a number of seconds) is
enforced from the client end for operations that can be carried out over a
The TIME parameter (also a number of seconds) is passed to the server to
set a server-side limit on the time taken to complete a search.
+The SERVERS parameter allows you to specify an alternate list of ldap servers
+to use for an individual lookup. The global &%ldap_default_servers%& option provides a
+default list of ldap servers, and a single lookup can specify a single ldap
+server to use. But when you need to do a lookup with a list of servers that is
+different than the default list (maybe different order, maybe a completely
+different set of servers), the SERVERS parameter allows you to specify this
+alternate list (colon-separated).
Here is an example of an LDAP query in an Exim lookup that uses some of these
values. This is a single line, folded to fit on the page:
The &(ldapdn)& lookup type returns the Distinguished Name from a single entry
as a sequence of values, for example
.code
-cn=manager, o=University of Cambridge, c=UK
+cn=manager,o=University of Cambridge,c=UK
.endd
The &(ldap)& lookup type generates an error if more than one entry matches the
search filter, whereas &(ldapm)& permits this case, and inserts a newline in
In the common case where you specify a single attribute in your LDAP query, the
result is not quoted, and does not contain the attribute name. If the attribute
-has multiple values, they are separated by commas.
+has multiple values, they are separated by commas. Any comma that is
+part of an attribute's value is doubled.
If you specify multiple attributes, the result contains space-separated, quoted
strings, each preceded by the attribute name and an equals sign. Within the
quotes, the quote character, backslash, and newline are escaped with
backslashes, and commas are used to separate multiple values for the attribute.
+Any commas in attribute values are doubled
+(permitting treatment of the values as a comma-separated list).
Apart from the escaping, the string within quotes takes the same form as the
output when a single attribute is requested. Specifying no attributes is the
same as specifying all of an entry's attributes.
Here are some examples of the output format. The first line of each pair is an
LDAP query, and the second is the data that is returned. The attribute called
-&%attr1%& has two values, whereas &%attr2%& has only one value:
+&%attr1%& has two values, one of them with an embedded comma, whereas
+&%attr2%& has only one value. Both attributes are derived from &%attr%&
+(they have SUP &%attr%& in their schema definitions).
+
.code
ldap:///o=base?attr1?sub?(uid=fred)
-value1.1, value1.2
+value1.1,value1,,2
ldap:///o=base?attr2?sub?(uid=fred)
value two
+ldap:///o=base?attr?sub?(uid=fred)
+value1.1,value1,,2,value two
+
ldap:///o=base?attr1,attr2?sub?(uid=fred)
-attr1="value1.1, value1.2" attr2="value two"
+attr1="value1.1,value1,,2" attr2="value two"
ldap:///o=base??sub?(uid=fred)
-objectClass="top" attr1="value1.1, value1.2" attr2="value two"
+objectClass="top" attr1="value1.1,value1,,2" attr2="value two"
.endd
-The &%extract%& operator in string expansions can be used to pick out
-individual fields from data that consists of &'key'&=&'value'& pairs. You can
+You can
make use of Exim's &%-be%& option to run expansion tests and thereby check the
results of LDAP lookups.
+The &%extract%& operator in string expansions can be used to pick out
+individual fields from data that consists of &'key'&=&'value'& pairs.
+The &%listextract%& operator should be used to pick out individual values
+of attributes, even when only a single value is expected.
+The doubling of embedded commas allows you to use the returned data as a
+comma separated list (using the "<," syntax for changing the input list separator).
.cindex "lookup" "Oracle"
.cindex "InterBase lookup type"
.cindex "lookup" "InterBase"
-Exim can support lookups in InterBase, MySQL, Oracle, PostgreSQL, and SQLite
+.cindex "Redis lookup type"
+.cindex lookup Redis
+Exim can support lookups in InterBase, MySQL, Oracle, PostgreSQL, Redis,
+and SQLite
databases. Queries for these databases contain SQL statements, so an example
might be
.code
with a newline between the data for each row.
-.section "More about MySQL, PostgreSQL, Oracle, and InterBase" "SECID72"
+.section "More about MySQL, PostgreSQL, Oracle, InterBase, and Redis" "SECID72"
.cindex "MySQL" "lookup type"
.cindex "PostgreSQL lookup type"
.cindex "lookup" "MySQL"
.cindex "lookup" "Oracle"
.cindex "InterBase lookup type"
.cindex "lookup" "InterBase"
-If any MySQL, PostgreSQL, Oracle, or InterBase lookups are used, the
-&%mysql_servers%&, &%pgsql_servers%&, &%oracle_servers%&, or &%ibase_servers%&
+.cindex "Redis lookup type"
+.cindex lookup Redis
+If any MySQL, PostgreSQL, Oracle, InterBase or Redis lookups are used, the
+&%mysql_servers%&, &%pgsql_servers%&, &%oracle_servers%&, &%ibase_servers%&,
+or &%redis_servers%&
option (as appropriate) must be set to a colon-separated list of server
information.
-(For MySQL and PostgreSQL only, the global option need not be set if all
+(For MySQL and PostgreSQL, the global option need not be set if all
queries contain their own server information &-- see section
-&<<SECTspeserque>>&.) Each item in the list is a slash-separated list of four
+&<<SECTspeserque>>&.)
+For all but Redis
+each item in the list is a slash-separated list of four
items: host name, database name, user name, and password. In the case of
Oracle, the host name field is used for the &"service name"&, and the database
name field is not used and should be empty. For example:
found, but that is still a successful query. In other words, the list of
servers provides a backup facility, not a list of different places to look.
+For Redis the global option need not be specified if all queries contain their
+own server information &-- see section &<<SECTspeserque>>&.
+If specified, the option must be set to a colon-separated list of server
+information.
+Each item in the list is a slash-separated list of three items:
+host, database number, and password.
+.olist
+The host is required and may be either an IPv4 address and optional
+port number (separated by a colon, which needs doubling due to the
+higher-level list), or a Unix socket pathname enclosed in parentheses
+.next
+The database number is optional; if present that number is selected in the backend
+.next
+The password is optional; if present it is used to authenticate to the backend
+.endlist
+
The &%quote_mysql%&, &%quote_pgsql%&, and &%quote_oracle%& expansion operators
convert newline, tab, carriage return, and backspace to \n, \t, \r, and \b
respectively, and the characters single-quote, double-quote, and backslash
-itself are escaped with backslashes. The &%quote_pgsql%& expansion operator, in
-addition, escapes the percent and underscore characters. This cannot be done
-for MySQL because these escapes are not recognized in contexts where these
-characters are not special.
+itself are escaped with backslashes.
+
+The &%quote_redis%& expansion operator
+escapes whitespace and backslash characters with a backslash.
.section "Specifying the server in the query" "SECTspeserque"
-For MySQL and PostgreSQL lookups (but not currently for Oracle and InterBase),
+For MySQL, PostgreSQL and Redis lookups (but not currently for Oracle and InterBase),
it is possible to specify a list of servers with an individual query. This is
done by starting the query with
.display
.section "Special MySQL features" "SECID73"
For MySQL, an empty host name or the use of &"localhost"& in &%mysql_servers%&
causes a connection to the server on the local host by means of a Unix domain
-socket. An alternate socket can be specified in parentheses. The full syntax of
-each item in &%mysql_servers%& is:
+socket. An alternate socket can be specified in parentheses.
+An option group name for MySQL option files can be specified in square brackets;
+the default value is &"exim"&.
+The full syntax of each item in &%mysql_servers%& is:
.display
-<&'hostname'&>::<&'port'&>(<&'socket name'&>)/<&'database'&>/&&&
- <&'user'&>/<&'password'&>
+<&'hostname'&>::<&'port'&>(<&'socket name'&>)[<&'option group'&>]/&&&
+ <&'database'&>/<&'user'&>/<&'password'&>
.endd
-Any of the three sub-parts of the first field can be omitted. For normal use on
+Any of the four sub-parts of the first field can be omitted. For normal use on
the local host it can be left blank or set to just &"localhost"&.
No database need be supplied &-- but if it is absent here, it must be given in
.section "More about SQLite" "SECTsqlite"
.cindex "lookup" "SQLite"
.cindex "sqlite lookup type"
-SQLite is different to the other SQL lookups because a file name is required in
+SQLite is different to the other SQL lookups because a filename is required in
addition to the SQL query. An SQLite database is a single file, and there is no
daemon as in the other SQL databases. The interface to Exim requires the name
of the file, as an absolute path, to be given at the start of the query. It is
.endd
In a list, the syntax is similar. For example:
.code
-domainlist relay_domains = sqlite;/some/thing/sqlitedb \
+domainlist relay_to_domains = sqlite;/some/thing/sqlitedb \
select * from relays where ip='$sender_host_address';
.endd
The only character affected by the &%quote_sqlite%& operator is a single
quote, which it doubles.
+.cindex timeout SQLite
+.cindex sqlite "lookup timeout"
The SQLite library handles multiple simultaneous accesses to the database
internally. Multiple readers are permitted, but only one process can
update at once. Attempts to access the database while it is being updated
waits for the lock to be released. In Exim, the default timeout is set
to 5 seconds, but it can be changed by means of the &%sqlite_lock_timeout%&
option.
+
+.section "More about Redis" "SECTredis"
+.cindex "lookup" "Redis"
+.cindex "redis lookup type"
+Redis is a non-SQL database. Commands are simple get and set.
+Examples:
+.code
+${lookup redis{set keyname ${quote_redis:objvalue plus}}}
+${lookup redis{get keyname}}
+.endd
+
+As of release 4.91, "lightweight" support for Redis Cluster is available.
+Requires &%redis_servers%& list to contain all the servers in the cluster, all
+of which must be reachable from the running exim instance. If the cluster has
+master/slave replication, the list must contain all the master and slave
+servers.
+
+When the Redis Cluster returns a "MOVED" response to a query, Exim does not
+immediately follow the redirection but treats the response as a DEFER, moving on
+to the next server in the &%redis_servers%& list until the correct server is
+reached.
+
.ecindex IIDfidalo1
.ecindex IIDfidalo2
different types of pattern for each case are described, but first we cover some
general facilities that apply to all four kinds of list.
+Note that other parts of Exim use a &'string list'& which does not
+support all the complexity available in
+domain, host, address and local part lists.
-.section "Expansion of lists" "SECID75"
+
+.section "Expansion of lists" "SECTlistexpand"
.cindex "expansion" "of lists"
-Each list is expanded as a single string before it is used. The result of
+Each list is expanded as a single string before it is used.
+
+&'Exception: the router headers_remove option, where list-item
+splitting is done before string-expansion.'&
+
+The result of
expansion must be a list, possibly containing empty items, which is split up
into separate items for matching. By default, colon is the separator character,
but this can be varied if necessary. See sections &<<SECTlistconstruct>>& and
subject having matched any of the patterns, it is in the set if the last item
was a negative one, but not if it was a positive one. For example, the list in
.code
-domainlist relay_domains = !a.b.c : *.b.c
+domainlist relay_to_domains = !a.b.c : *.b.c
.endd
matches any domain ending in &'.b.c'& except for &'a.b.c'&. Domains that match
neither &'a.b.c'& nor &'*.b.c'& do not match, because the last item in the
list is positive. However, if the setting were
.code
-domainlist relay_domains = !a.b.c
+domainlist relay_to_domains = !a.b.c
.endd
then all domains other than &'a.b.c'& would match because the last item in the
list is negative. In other words, a list that ends with a negative item behaves
.section "File names in lists" "SECTfilnamlis"
-.cindex "list" "file name in"
-If an item in a domain, host, address, or local part list is an absolute file
-name (beginning with a slash character), each line of the file is read and
+.cindex "list" "filename in"
+If an item in a domain, host, address, or local part list is an absolute
+filename (beginning with a slash character), each line of the file is read and
processed as if it were an independent item in the list, except that further
-file names are not allowed,
+filenames are not allowed,
and no expansion of the data from the file takes place.
Empty lines in the file are ignored, and the file may also contain comment
lines:
.endd
.endlist
-Putting a file name in a list has the same effect as inserting each line of the
+Putting a filename in a list has the same effect as inserting each line of the
file as an item in the list (blank lines and comments excepted). However, there
is one important difference: the file is read each time the list is processed,
so if its contents vary over time, Exim's behaviour changes.
-If a file name is preceded by an exclamation mark, the sense of any match
+If a filename is preceded by an exclamation mark, the sense of any match
within the file is inverted. For example, if
.code
hold_domains = !/etc/nohold-domains
always fixed strings, just as for any other single-key lookup type.
If you want to use a file to contain wild-card patterns that form part of a
-list, just give the file name on its own, without a search type, as described
+list, just give the filename on its own, without a search type, as described
in the previous section. You could also use the &(wildlsearch)& or
&(nwildlsearch)&, but there is no advantage in doing this.
respectively. Then there follows the name that you are defining, followed by an
equals sign and the list itself. For example:
.code
-hostlist relay_hosts = 192.168.23.0/24 : my.friend.example
+hostlist relay_from_hosts = 192.168.23.0/24 : my.friend.example
addresslist bad_senders = cdb;/etc/badsenders
.endd
A named list may refer to other named lists:
.cindex "domain list" "matching by lookup"
If a pattern starts with the name of a single-key lookup type followed by a
semicolon (for example, &"dbm;"& or &"lsearch;"&), the remainder of the pattern
-must be a file name in a suitable format for the lookup type. For example, for
+must be a filename in a suitable format for the lookup type. For example, for
&"cdb;"& it must be an absolute path:
.code
domains = cdb;/etc/mail/local_domains.cdb
recently implemented &(iplsearch)& files do require colons in IPv6 keys
(notated using the quoting facility) so as to distinguish them from IPv4 keys.
For this reason, when the lookup type is &(iplsearch)&, IPv6 addresses are
-converted using colons and not dots. In all cases, full, unabbreviated IPv6
+converted using colons and not dots.
+.new
+In all cases except IPv4-mapped IPv6, full, unabbreviated IPv6
addresses are always used.
+The latter are converted to IPv4 addresses, in dotted-quad form.
+.wen
Ideally, it would be nice to tidy up this anomalous situation by changing to
colons in all cases, given that quoting is now available for &(lsearch)&.
There are several types of pattern that require Exim to know the name of the
remote host. These are either wildcard patterns or lookups by name. (If a
complete hostname is given without any wildcarding, it is used to find an IP
-address to match against, as described in the section &<<SECThoslispatip>>&
+address to match against, as described in section &<<SECThoslispatip>>&
above.)
If the remote host name is not already known when Exim encounters one of these
.cindex "&`+include_unknown`&"
.cindex "&`+ignore_unknown`&"
-By default, Exim behaves as if the host does not match the list. This may not
-always be what you want to happen. To change Exim's behaviour, the special
-items &`+include_unknown`& or &`+ignore_unknown`& may appear in the list (at
-top level &-- they are not recognized in an indirected file).
+Exim parses a host list from left to right. If it encounters a permanent
+lookup failure in any item in the host list before it has found a match,
+Exim treats it as a failure and the default behavior is as if the host
+does not match the list. This may not always be what you want to happen.
+To change Exim's behaviour, the special items &`+include_unknown`& or
+&`+ignore_unknown`& may appear in the list (at top level &-- they are
+not recognized in an indirected file).
.ilist
If any item that follows &`+include_unknown`& requires information that
list. The effect of each one lasts until the next, or until the end of the
list.
+.section "Mixing wildcarded host names and addresses in host lists" &&&
+ "SECTmixwilhos"
+.cindex "host list" "mixing names and addresses in"
+
+This section explains the host/ip processing logic with the same concepts
+as the previous section, but specifically addresses what happens when a
+wildcarded hostname is one of the items in the hostlist.
+
+.ilist
+If you have name lookups or wildcarded host names and
+IP addresses in the same host list, you should normally put the IP
+addresses first. For example, in an ACL you could have:
+.code
+accept hosts = 10.9.8.7 : *.friend.example
+.endd
+The reason you normally would order it this way lies in the
+left-to-right way that Exim processes lists. It can test IP addresses
+without doing any DNS lookups, but when it reaches an item that requires
+a host name, it fails if it cannot find a host name to compare with the
+pattern. If the above list is given in the opposite order, the
+&%accept%& statement fails for a host whose name cannot be found, even
+if its IP address is 10.9.8.7.
+
+.next
+If you really do want to do the name check first, and still recognize the IP
+address, you can rewrite the ACL like this:
+.code
+accept hosts = *.friend.example
+accept hosts = 10.9.8.7
+.endd
+If the first &%accept%& fails, Exim goes on to try the second one. See chapter
+&<<CHAPACL>>& for details of ACLs. Alternatively, you can use
+&`+ignore_unknown`&, which was discussed in depth in the first example in
+this section.
+.endlist
+
.section "Temporary DNS errors when looking up host information" &&&
"SECTtemdnserr"
.cindex "&`+ignore_defer`&"
A temporary DNS lookup failure normally causes a defer action (except when
&%dns_again_means_nonexist%& converts it into a permanent error). However,
-host lists can include &`+ignore_defer`& and &`+include_defer`&, analagous to
+host lists can include &`+ignore_defer`& and &`+include_defer`&, analogous to
&`+ignore_unknown`& and &`+include_unknown`&, as described in the previous
section. These options should be used with care, probably only in non-critical
host lists such as whitelists.
operator.
If the query contains a reference to &$sender_host_name$&, Exim automatically
-looks up the host name if has not already done so. (See section
+looks up the host name if it has not already done so. (See section
&<<SECThoslispatnam>>& for comments on finding host names.)
Historical note: prior to release 4.30, Exim would always attempt to find a
-.section "Mixing wildcarded host names and addresses in host lists" &&&
- "SECTmixwilhos"
-.cindex "host list" "mixing names and addresses in"
-If you have name lookups or wildcarded host names and IP addresses in the same
-host list, you should normally put the IP addresses first. For example, in an
-ACL you could have:
-.code
-accept hosts = 10.9.8.7 : *.friend.example
-.endd
-The reason for this lies in the left-to-right way that Exim processes lists.
-It can test IP addresses without doing any DNS lookups, but when it reaches an
-item that requires a host name, it fails if it cannot find a host name to
-compare with the pattern. If the above list is given in the opposite order, the
-&%accept%& statement fails for a host whose name cannot be found, even if its
-IP address is 10.9.8.7.
-
-If you really do want to do the name check first, and still recognize the IP
-address, you can rewrite the ACL like this:
-.code
-accept hosts = *.friend.example
-accept hosts = 10.9.8.7
-.endd
-If the first &%accept%& fails, Exim goes on to try the second one. See chapter
-&<<CHAPACL>>& for details of ACLs.
-
-
-
.section "Address lists" "SECTaddresslist"
surrounding the colons is ignored. For example:
.code
aol.com: spammer1 : spammer2 : ^[0-9]+$ :
-spammer3 : spammer4
+ spammer3 : spammer4
.endd
As in all colon-separated lists in Exim, a colon can be included in an item by
doubling.
The domain portion of an address is always lowercased before matching it to an
address list. The local part is lowercased by default, and any string
comparisons that take place are done caselessly. This means that the data in
-the address list itself, in files included as plain file names, and in any file
+the address list itself, in files included as plain filenames, and in any file
that is looked up using the &"@@"& mechanism, can be in any case. However, the
keys in files that are looked up by a search type other than &(lsearch)& (which
works caselessly) must be in lower case, because these lookups are not
.chapter "String expansions" "CHAPexpand"
.scindex IIDstrexp "expansion" "of strings"
-Many strings in Exim's run time configuration are expanded before use. Some of
+Many strings in Exim's runtime configuration are expanded before use. Some of
them are expanded every time they are used; others are expanded only once.
When a string is being expanded it is copied verbatim from left to right except
.oindex "&%-bem%&"
If you want to test expansions that include variables whose values are taken
from a message, there are two other options that can be used. The &%-bem%&
-option is like &%-be%& except that it is followed by a file name. The file is
+option is like &%-be%& except that it is followed by a filename. The file is
read as a message before doing the test expansions. For example:
.code
exim -bem /tmp/test.message '$h_subject:'
This item inserts &"basic"& header lines. It is described with the &%header%&
expansion item below.
+
+.vitem "&*${acl{*&<&'name'&>&*}{*&<&'arg'&>&*}...}*&"
+.cindex "expansion" "calling an acl"
+.cindex "&%acl%&" "call from expansion"
+The name and zero to nine argument strings are first expanded separately. The expanded
+arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+Any unused are made empty. The variable &$acl_narg$& is set to the number of
+arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+and may use the variables; if another acl expansion is used the values
+are restored after it returns. If the ACL sets
+a value using a "message =" modifier and returns accept or deny, the value becomes
+the result of the expansion.
+If no message is set and the ACL returns accept or deny
+the expansion result is an empty string.
+If the ACL returns defer the result is a forced-fail. Otherwise the expansion fails.
+
+
+.vitem "&*${authresults{*&<&'authserv-id'&>&*}}*&"
+.cindex authentication "results header"
+.cindex headers "authentication-results:"
+.cindex authentication "expansion item"
+This item returns a string suitable for insertion as an
+&'Authentication-Results"'&
+header line.
+The given <&'authserv-id'&> is included in the result; typically this
+will be a domain name identifying the system performing the authentications.
+Methods that might be present in the result include:
+.code
+none
+iprev
+auth
+spf
+dkim
+.endd
+
+Example use (as an ACL modifier):
+.code
+ add_header = :at_start:${authresults {$primary_hostname}}
+.endd
+This is safe even if no authentication results are available.
+
+
+.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
+ {*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting certificate fields"
+.cindex "&%certextract%&" "certificate fields"
+.cindex "certificate" "extracting fields"
+The <&'certificate'&> must be a variable of type certificate.
+The field name is expanded and used to retrieve the relevant field from
+the certificate. Supported fields are:
+.display
+&`version `&
+&`serial_number `&
+&`subject `& RFC4514 DN
+&`issuer `& RFC4514 DN
+&`notbefore `& time
+&`notafter `& time
+&`sig_algorithm `&
+&`signature `&
+&`subj_altname `& tagged list
+&`ocsp_uri `& list
+&`crl_uri `& list
+.endd
+If the field is found,
+<&'string2'&> is expanded, and replaces the whole item;
+otherwise <&'string3'&> is used. During the expansion of <&'string2'&> the
+variable &$value$& contains the value that has been extracted. Afterwards, it
+is restored to any previous value it might have had.
+
+If {<&'string3'&>} is omitted, the item is replaced by an empty string if the
+key is not found. If {<&'string2'&>} is also omitted, the value that was
+extracted is used.
+
+Some field names take optional modifiers, appended and separated by commas.
+
+The field selectors marked as "RFC4514" above
+output a Distinguished Name string which is
+not quite
+parseable by Exim as a comma-separated tagged list
+(the exceptions being elements containing commas).
+RDN elements of a single type may be selected by
+a modifier of the type label; if so the expansion
+result is a list (newline-separated by default).
+The separator may be changed by another modifier of
+a right angle-bracket followed immediately by the new separator.
+Recognised RDN type labels include "CN", "O", "OU" and "DC".
+
+The field selectors marked as "time" above
+take an optional modifier of "int"
+for which the result is the number of seconds since epoch.
+Otherwise the result is a human-readable string
+in the timezone selected by the main "timezone" option.
+
+The field selectors marked as "list" above return a list,
+newline-separated by default,
+(embedded separator characters in elements are doubled).
+The separator may be changed by a modifier of
+a right angle-bracket followed immediately by the new separator.
+
+The field selectors marked as "tagged" above
+prefix each list element with a type string and an equals sign.
+Elements of only one type may be selected by a modifier
+which is one of "dns", "uri" or "mail";
+if so the element tags are omitted.
+
+If not otherwise noted field values are presented in human-readable form.
+
.vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&&
{*&<&'arg'&>&*}...}*&"
.cindex &%dlfunc%&
you need to add &%-shared%& to the gcc command. Also, in the Exim build-time
configuration, you must add &%-export-dynamic%& to EXTRALIBS.
+
+.vitem "&*${env{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}}*&"
+.cindex "expansion" "extracting value from environment"
+.cindex "environment" "values from"
+The key is first expanded separately, and leading and trailing white space
+removed.
+This is then searched for as a name in the environment.
+If a variable is found then its value is placed in &$value$&
+and <&'string1'&> is expanded, otherwise <&'string2'&> is expanded.
+
+Instead of {<&'string2'&>} the word &"fail"& (not in curly brackets) can
+appear, for example:
+.code
+${env{USER}{$value} fail }
+.endd
+This forces an expansion failure (see section &<<SECTforexpfai>>&);
+{<&'string1'&>} must be present for &"fail"& to be recognized.
+
+If {<&'string2'&>} is omitted an empty string is substituted on
+search failure.
+If {<&'string1'&>} is omitted the search result is substituted on
+search success.
+
+The environment is adjusted by the &%keep_environment%& and
+&%add_environment%& main section options.
+
+
.vitem "&*${extract{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}&&&
{*&<&'string3'&>&*}}*&"
.cindex "expansion" "extracting substrings by key"
.cindex "&%extract%&" "substrings by key"
The key and <&'string1'&> are first expanded separately. Leading and trailing
white space is removed from the key (but not from any of the strings). The key
-must not consist entirely of digits. The expanded <&'string1'&> must be of the
-form:
+must not be empty and must not consist entirely of digits.
+The expanded <&'string1'&> must be of the form:
.display
<&'key1'&> = <&'value1'&> <&'key2'&> = <&'value2'&> ...
.endd
This forces an expansion failure (see section &<<SECTforexpfai>>&);
{<&'string2'&>} must be present for &"fail"& to be recognized.
+.new
+.vitem "&*${extract json{*&<&'key'&>&*}{*&<&'string1'&>&*}{*&<&'string2'&>&*}&&&
+ {*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting from JSON object"
+.cindex JSON expansions
+The key and <&'string1'&> are first expanded separately. Leading and trailing
+white space is removed from the key (but not from any of the strings). The key
+must not be empty and must not consist entirely of digits.
+The expanded <&'string1'&> must be of the form:
+.display
+{ <&'"key1"'&> : <&'value1'&> , <&'"key2"'&> , <&'value2'&> ... }
+.endd
+.vindex "&$value$&"
+The braces, commas and colons, and the quoting of the member name are required;
+the spaces are optional.
+Matching of the key against the member names is done case-sensitively.
+If a returned value is a JSON string, it retains its leading and
+trailing quotes.
+. XXX should be a UTF-8 compare
+
+The results of matching are handled as above.
+.wen
+
.vitem "&*${extract{*&<&'number'&>&*}{*&<&'separators'&>&*}&&&
{*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
empty (for example, the fifth field above).
+.new
+.vitem "&*${extract json{*&<&'number'&>&*}}&&&
+ {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting from JSON array"
+.cindex JSON expansions
+The <&'number'&> argument must consist entirely of decimal digits,
+apart from leading and trailing white space, which is ignored.
+
+Field selection and result handling is as above;
+there is no choice of field separator.
+If a returned value is a JSON string, it retains its leading and
+trailing quotes.
+.wen
+
+
.vitem &*${filter{*&<&'string'&>&*}{*&<&'condition'&>&*}}*&
.cindex "list" "selecting by condition"
.cindex "expansion" "selecting from list by condition"
.vindex "&$item$&"
After expansion, <&'string'&> is interpreted as a list, colon-separated by
-default, but the separator can be changed in the usual way. For each item
+default, but the separator can be changed in the usual way (&<<SECTlistsepchange>>&).
+For each item
in this list, its value is place in &$item$&, and then the condition is
evaluated. If the condition is true, &$item$& is added to the output as an
item in a new list; if the condition is false, the item is discarded. The
separator used for the output list is the same as the one used for the
input, but a separator setting is not included in the output. For example:
.code
-${filter{a:b:c}{!eq{$item}{b}}
+${filter{a:b:c}{!eq{$item}{b}}}
.endd
yields &`a:c`&. At the end of the expansion, the value of &$item$& is restored
to what it was before. See also the &*map*& and &*reduce*& expansion items.
&*$h_*&<&'header&~name'&>&*:*&" &&&
"&*$bheader_*&<&'header&~name'&>&*:*&&~or&~&&&
&*$bh_*&<&'header&~name'&>&*:*&" &&&
+ "&*$lheader_*&<&'header&~name'&>&*:*&&~or&~&&&
+ &*$lh_*&<&'header&~name'&>&*:*&"
"&*$rheader_*&<&'header&~name'&>&*:*&&~or&~&&&
&*$rh_*&<&'header&~name'&>&*:*&"
.cindex "expansion" "header insertion"
.vindex "&$header_$&"
.vindex "&$bheader_$&"
+.vindex "&$lheader_$&"
.vindex "&$rheader_$&"
.cindex "header lines" "in expansion strings"
.cindex "header lines" "character sets"
internal newlines (caused by splitting the header line over several physical
lines) may be present.
-The difference between &%rheader%&, &%bheader%&, and &%header%& is in the way
+The difference between the four pairs of expansions is in the way
the data in the header line is interpreted.
.ilist
&%rheader%& gives the original &"raw"& content of the header line, with no
processing at all, and without the removal of leading and trailing white space.
+.next
+.cindex "list" "of header lines"
+&%lheader%& gives a colon-separated list, one element per header when there
+are multiple headers with a given name.
+Any embedded colon characters within an element are doubled, so normal Exim
+list-processing facilities can be used.
+The terminating newline of each element is removed; in other respects
+the content is &"raw"&.
+
.next
.cindex "base64 encoding" "in header lines"
&%bheader%& removes leading and trailing white space, and then decodes base64
filter. Header lines that are added to a particular copy of a message by a
router or transport are not accessible.
-For incoming SMTP messages, no header lines are visible in ACLs that are obeyed
-before the DATA ACL, because the header structure is not set up until the
-message is received. Header lines that are added in a RCPT ACL (for example)
+For incoming SMTP messages, no header lines are visible in
+ACLs that are obeyed before the data phase completes,
+because the header structure is not set up until the message is received.
+They are visible in DKIM, PRDR and DATA ACLs.
+Header lines that are added in a RCPT ACL (for example)
are saved until the message's incoming header lines are available, at which
-point they are added. When a DATA ACL is running, however, header lines added
-by earlier ACLs are visible.
+point they are added.
+When any of the above ACLs ar
+running, however, header lines added by earlier ACLs are visible.
Upper case and lower case letters are synonymous in header names. If the
following character is white space, the terminating colon may be omitted, but
this is not recommended, because you may then forget it when it is needed. When
-white space terminates the header name, it is included in the expanded string.
-If the message does not contain the given header, the expansion item is
-replaced by an empty string. (See the &%def%& condition in section
-&<<SECTexpcond>>& for a means of testing for the existence of a header.)
+white space terminates the header name, this white space is included in the
+expanded string. If the message does not contain the given header, the
+expansion item is replaced by an empty string. (See the &%def%& condition in
+section &<<SECTexpcond>>& for a means of testing for the existence of a
+header.)
If there is more than one header with the same name, they are all concatenated
to form the substitution string, up to a maximum length of 64K. Unless
&'X-Spam-Scanned:'& header line. If you know the secret, you can check that
this header line is authentic by recomputing the authentication code from the
host name, message ID and the &'Message-id:'& header line. This can be done
-using Exim's &%-be%& option, or by other means, for example by using the
+using Exim's &%-be%& option, or by other means, for example, by using the
&'hmac_md5_hex()'& function in Perl.
condition = ${if >{$acl_m4}{3}}
.endd
+
+
+.vitem &*${imapfolder{*&<&'foldername'&>&*}}*&
+.cindex expansion "imap folder"
+.cindex "&%imapfolder%& expansion item"
+This item converts a (possibly multilevel, or with non-ASCII characters)
+folder specification to a Maildir name for filesystem use.
+For information on internationalisation support see &<<SECTi18nMDA>>&.
+
+
+
.vitem &*${length{*&<&'string1'&>&*}{*&<&'string2'&>&*}}*&
.cindex "expansion" "string truncation"
.cindex "&%length%& expansion item"
.code
${length_<n>:<string>}
.endd
-The result of this item is either the first <&'n'&> characters or the whole
+The result of this item is either the first <&'n'&> bytes or the whole
of <&'string2'&>, whichever is the shorter. Do not confuse &%length%& with
&%strlen%&, which gives the length of a string.
+All measurement is done in bytes and is not UTF-8 aware.
+
+
+.vitem "&*${listextract{*&<&'number'&>&*}&&&
+ {*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting list elements by number"
+.cindex "&%listextract%&" "extract list elements by number"
+.cindex "list" "extracting elements by number"
+The <&'number'&> argument must consist entirely of decimal digits,
+apart from an optional leading minus,
+and leading and trailing white space (which is ignored).
+
+After expansion, <&'string1'&> is interpreted as a list, colon-separated by
+default, but the separator can be changed in the usual way (&<<SECTlistsepchange>>&).
+
+The first field of the list is numbered one.
+If the number is negative, the fields are
+counted from the end of the list, with the rightmost one numbered -1.
+The numbered element of the list is extracted and placed in &$value$&,
+then <&'string2'&> is expanded as the result.
+
+If the modulus of the
+number is zero or greater than the number of fields in the string,
+the result is the expansion of <&'string3'&>.
+
+For example:
+.code
+${listextract{2}{x:42:99}}
+.endd
+yields &"42"&, and
+.code
+${listextract{-3}{<, x,42,99,& Mailer,,/bin/bash}{result: $value}}
+.endd
+yields &"result: 42"&.
+
+If {<&'string3'&>} is omitted, an empty string is used for string3.
+If {<&'string2'&>} is also omitted, the value that was
+extracted is used.
+You can use &`fail`& instead of {<&'string3'&>} as in a string extract.
.vitem "&*${lookup{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&&
.cindex "expansion" "list creation"
.vindex "&$item$&"
After expansion, <&'string1'&> is interpreted as a list, colon-separated by
-default, but the separator can be changed in the usual way. For each item
+default, but the separator can be changed in the usual way (&<<SECTlistsepchange>>&).
+For each item
in this list, its value is place in &$item$&, and then <&'string2'&> is
expanded and added to the output as an item in a new list. The separator used
for the output list is the same as the one used for the input, but a separator
.cindex "expansion" "inserting an entire file"
.cindex "file" "inserting into expansion"
.cindex "&%readfile%& expansion item"
-The file name and end-of-line string are first expanded separately. The file is
+The filename and end-of-line string are first expanded separately. The file is
then read, and its contents replace the entire item. All newline characters in
the file are replaced by the end-of-line string if it is present. Otherwise,
newlines are left in the string.
.vitem "&*${readsocket{*&<&'name'&>&*}{*&<&'request'&>&*}&&&
- {*&<&'timeout'&>&*}{*&<&'eol&~string'&>&*}{*&<&'fail&~string'&>&*}}*&"
+ {*&<&'options'&>&*}{*&<&'eol&~string'&>&*}{*&<&'fail&~string'&>&*}}*&"
.cindex "expansion" "inserting from a socket"
.cindex "socket, use of in expansion"
.cindex "&%readsocket%& expansion item"
-This item inserts data from a Unix domain or Internet socket into the expanded
+This item inserts data from a Unix domain or TCP socket into the expanded
string. The minimal way of using it uses just two arguments, as in these
examples:
.code
Only a single host name may be given, but if looking it up yields more than
one IP address, they are each tried in turn until a connection is made. For
both kinds of socket, Exim makes a connection, writes the request string
-(unless it is an empty string) and reads from the socket until an end-of-file
+unless it is an empty string; and no terminating NUL is ever sent)
+and reads from the socket until an end-of-file
is read. A timeout of 5 seconds is applied. Additional, optional arguments
extend what can be done. Firstly, you can vary the timeout. For example:
.code
${readsocket{/socket/name}{request string}{3s}}
.endd
+
+The third argument is a list of options, of which the first element is the timeout
+and must be present if the argument is given.
+Further elements are options of form &'name=value'&.
+Two option types is currently recognised: shutdown and tls.
+The first defines whether (the default)
+or not a shutdown is done on the connection after sending the request.
+Example, to not do so (preferred, eg. by some webservers):
+.code
+${readsocket{/socket/name}{request string}{3s:shutdown=no}}
+.endd
+.new
+The second, tls, controls the use of TLS on the connection. Example:
+.code
+${readsocket{/socket/name}{request string}{3s:tls=yes}}
+.endd
+The default is to not use TLS.
+If it is enabled, a shutdown as descripbed above is never done.
+.wen
+
A fourth argument allows you to change any newlines that are in the data
that is read, in the same way as for &%readfile%& (see above). This example
turns them into spaces:
.vindex "&$item$&"
This operation reduces a list to a single, scalar string. After expansion,
<&'string1'&> is interpreted as a list, colon-separated by default, but the
-separator can be changed in the usual way. Then <&'string2'&> is expanded and
+separator can be changed in the usual way (&<<SECTlistsepchange>>&).
+Then <&'string2'&> is expanded and
assigned to the &$value$& variable. After this, each item in the <&'string1'&>
-list is assigned to &$item$& in turn, and <&'string3'&> is expanded for each of
+list is assigned to &$item$&, in turn, and <&'string3'&> is expanded for each of
them. The result of that expansion is assigned to &$value$& before the next
iteration. When the end of the list is reached, the final value of &$value$& is
added to the expansion output. The &*reduce*& expansion item can be used in a
.vitem &*$rheader_*&<&'header&~name'&>&*:*&&~or&~&*$rh_*&<&'header&~name'&>&*:*&
This item inserts &"raw"& header lines. It is described with the &%header%&
-expansion item above.
+expansion item in section &<<SECTexpansionitems>>& above.
.vitem "&*${run{*&<&'command'&>&*&~*&<&'args'&>&*}{*&<&'string1'&>&*}&&&
{*&<&'string2'&>&*}}*&"
.cindex "expansion" "running a command"
.cindex "&%run%& expansion item"
-The command and its arguments are first expanded separately, and then the
-command is run in a separate process, but under the same uid and gid. As in
-other command executions from Exim, a shell is not used by default. If you want
+The command and its arguments are first expanded as one string. The string is
+split apart into individual arguments by spaces, and then the command is run
+in a separate process, but under the same uid and gid. As in other command
+executions from Exim, a shell is not used by default. If the command requires
a shell, you must explicitly code it.
+Since the arguments are split by spaces, when there is a variable expansion
+which has an empty result, it will cause the situation that the argument will
+simply be omitted when the program is actually executed by Exim. If the
+script/program requires a specific number of arguments and the expanded
+variable could possibly result in this empty expansion, the variable must be
+quoted. This is more difficult if the expanded variable itself could result
+in a string containing quotes, because it would interfere with the quotes
+around the command arguments. A possible guard against this is to wrap the
+variable in the &%sg%& operator to change any quote marks to some other
+character.
+
The standard input for the command exists, but is empty. The standard output
and standard error are set to the same file descriptor.
.cindex "return code" "from &%run%& expansion"
command does not succeed. If both strings are omitted, the result is contents
of the standard output/error on success, and nothing on failure.
+.vindex "&$run_in_acl$&"
+The standard output/error of the command is put in the variable &$value$&.
+In this ACL example, the output of a command is logged for the admin to
+troubleshoot:
+.code
+warn condition = ${run{/usr/bin/id}{yes}{no}}
+ log_message = Output of id: $value
+.endd
+If the command requires shell idioms, such as the > redirect operator, the
+shell must be invoked directly, such as with:
+.code
+${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{yes}}
+.endd
+
.vindex "&$runrc$&"
The return code from the command is put in the variable &$runrc$&, and this
remains set afterwards, so in a filter file you can do things like this:
${sg{abcdefabcdef}{abc}{xyz}}
.endd
yields &"xyzdefxyzdef"&. Because all three arguments are expanded before use,
-if any $ or \ characters are required in the regular expression or in the
+if any $, } or \ characters are required in the regular expression or in the
substitution string, they have to be escaped. For example:
.code
${sg{abcdef}{^(...)(...)\$}{\$2\$1}}
yields &"K1=A K4=D K3=C"&. Note the use of &`\N`& to protect the contents of
the regular expression from string expansion.
+The regular expression is compiled in 8-bit mode, working against bytes
+rather than any Unicode-aware character handling.
+
+
+.vitem &*${sort{*&<&'string'&>&*}{*&<&'comparator'&>&*}{*&<&'extractor'&>&*}}*&
+.cindex sorting "a list"
+.cindex list sorting
+.cindex expansion "list sorting"
+After expansion, <&'string'&> is interpreted as a list, colon-separated by
+default, but the separator can be changed in the usual way (&<<SECTlistsepchange>>&).
+The <&'comparator'&> argument is interpreted as the operator
+of a two-argument expansion condition.
+The numeric operators plus ge, gt, le, lt (and ~i variants) are supported.
+The comparison should return true when applied to two values
+if the first value should sort before the second value.
+The <&'extractor'&> expansion is applied repeatedly to elements of the list,
+the element being placed in &$item$&,
+to give values for comparison.
+
+The item result is a sorted list,
+with the original list separator,
+of the list elements (in full) of the original.
+
+Examples:
+.code
+${sort{3:2:1:4}{<}{$item}}
+.endd
+sorts a list of numbers, and
+.code
+${sort {${lookup dnsdb{>:,,mx=example.com}}} {<} {${listextract{1}{<,$item}}}}
+.endd
+will sort an MX lookup into priority order.
.vitem &*${substr{*&<&'string1'&>&*}{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&
If the starting offset is greater than the string length the result is the
null string; if the length plus starting offset is greater than the string
length, the result is the right-hand part of the string, starting from the
-given offset. The first character in the string has offset zero.
+given offset. The first byte (character) in the string has offset zero.
The &%substr%& expansion item can take negative offset values to count
-from the right-hand end of its operand. The last character is offset -1, the
-second-last is offset -2, and so on. Thus, for example,
+from the right-hand end of its operand. The last byte (character) is offset -1,
+the second-last is offset -2, and so on. Thus, for example,
.code
${substr{-5}{2}{1234567}}
.endd
yields &"1"&.
When the second number is omitted from &%substr%&, the remainder of the string
-is taken if the offset is positive. If it is negative, all characters in the
+is taken if the offset is positive. If it is negative, all bytes (characters) in the
string preceding the offset point are taken. For example, an offset of -1 and
no length, as in these semantically identical examples:
.code
.endd
yields all but the last character of the string, that is, &"abcd"&.
+All measurement is done in bytes and is not UTF-8 aware.
+
.vitem "&*${tr{*&<&'subject'&>&*}{*&<&'characters'&>&*}&&&
{*&<&'replacements'&>&*}}*&"
.cindex "expansion" "character translation"
.cindex "&%tr%& expansion item"
-This item does single-character translation on its subject string. The second
+This item does single-character (in bytes) translation on its subject string. The second
argument is a list of characters to be translated in the subject string. Each
matching character is replaced by the corresponding character from the
replacement list. For example
last occurrence is used. If the third string is shorter than the second, its
last character is replicated. However, if it is empty, no translation takes
place.
+
+All character handling is done in bytes and is not UTF-8 aware.
+
.endlist
header line, and the effective address is extracted from it. If the string does
not parse successfully, the result is empty.
+The parsing correctly handles SMTPUTF8 Unicode in the string.
+
.vitem &*${addresses:*&<&'string'&>&*}*&
.cindex "expansion" "RFC 2822 address handling"
.code
${addresses:>& Chief <ceo@up.stairs>, sec@base.ment (dogsbody)}
.endd
-expands to &`ceo@up.stairs&&sec@base.ment`&. Compare the &*address*& (singular)
+expands to &`ceo@up.stairs&&sec@base.ment`&. The string is expanded
+first, so if the expanded string starts with >, it may change the output
+separator unintentionally. This can be avoided by setting the output
+separator explicitly:
+.code
+${addresses:>:$h_from:}
+.endd
+
+Compare the &*address*& (singular)
expansion item, which extracts the working address from a single RFC2822
address. See the &*filter*&, &*map*&, and &*reduce*& items for ways of
processing lists.
+To clarify "list of addresses in RFC 2822 format" mentioned above, Exim follows
+a strict interpretation of header line formatting. Exim parses the bare,
+unquoted portion of an email address and if it finds a comma, treats it as an
+email address separator. For the example header line:
+.code
+From: =?iso-8859-2?Q?Last=2C_First?= <user@example.com>
+.endd
+The first example below demonstrates that Q-encoded email addresses are parsed
+properly if it is given the raw header (in this example, &`$rheader_from:`&).
+It does not see the comma because it's still encoded as "=2C". The second
+example below is passed the contents of &`$header_from:`&, meaning it gets
+de-mimed. Exim sees the decoded "," so it treats it as &*two*& email addresses.
+The third example shows that the presence of a comma is skipped when it is
+quoted. The fourth example shows SMTPUTF8 handling.
+.code
+# exim -be '${addresses:From: \
+=?iso-8859-2?Q?Last=2C_First?= <user@example.com>}'
+user@example.com
+# exim -be '${addresses:From: Last, First <user@example.com>}'
+Last:user@example.com
+# exim -be '${addresses:From: "Last, First" <user@example.com>}'
+user@example.com
+# exim -be '${addresses:フィル <フィリップ@example.jp>}'
+フィリップ@example.jp
+.endd
+
+.vitem &*${base32:*&<&'digits'&>&*}*&
+.cindex "&%base32%& expansion item"
+.cindex "expansion" "conversion to base 32"
+The string must consist entirely of decimal digits. The number is converted to
+base 32 and output as a (empty, for zero) string of characters.
+Only lowercase letters are used.
+
+.vitem &*${base32d:*&<&'base-32&~digits'&>&*}*&
+.cindex "&%base32d%& expansion item"
+.cindex "expansion" "conversion to base 32"
+The string must consist entirely of base-32 digits.
+The number is converted to decimal and output as a string.
.vitem &*${base62:*&<&'digits'&>&*}*&
.cindex "&%base62%& expansion item"
The string must consist entirely of decimal digits. The number is converted to
base 62 and output as a string of six characters, including leading zeros. In
the few operating environments where Exim uses base 36 instead of base 62 for
-its message identifiers (because those systems do not have case-sensitive file
-names), base 36 is used by this operator, despite its name. &*Note*&: Just to
-be absolutely clear: this is &'not'& base64 encoding.
+its message identifiers (because those systems do not have case-sensitive
+filenames), base 36 is used by this operator, despite its name. &*Note*&: Just
+to be absolutely clear: this is &'not'& base64 encoding.
.vitem &*${base62d:*&<&'base-62&~digits'&>&*}*&
.cindex "&%base62d%& expansion item"
identifiers, base-36 digits. The number is converted to decimal and output as a
string.
+.vitem &*${base64:*&<&'string'&>&*}*&
+.cindex "expansion" "base64 encoding"
+.cindex "base64 encoding" "in string expansion"
+.cindex "&%base64%& expansion item"
+.cindex certificate "base64 of DER"
+This operator converts a string into one that is base64 encoded.
+
+If the string is a single variable of type certificate,
+returns the base64 encoding of the DER form of the certificate.
+
+
+.vitem &*${base64d:*&<&'string'&>&*}*&
+.cindex "expansion" "base64 decoding"
+.cindex "base64 decoding" "in string expansion"
+.cindex "&%base64d%& expansion item"
+This operator converts a base64-encoded string into the un-coded form.
+
+
.vitem &*${domain:*&<&'string'&>&*}*&
.cindex "domain" "extraction"
.cindex "expansion" "domain extraction"
significant bit set (so-called &"8-bit characters"&) count as printing or not
is controlled by the &%print_topbitchars%& option.
+.vitem &*${escape8bit:*&<&'string'&>&*}*&
+.cindex "expansion" "escaping 8-bit characters"
+.cindex "&%escape8bit%& expansion item"
+If the string contains and characters with the most significant bit set,
+they are converted to escape sequences starting with a backslash.
+Backslashes and DEL characters are also converted.
+
.vitem &*${eval:*&<&'string'&>&*}*&&~and&~&*${eval10:*&<&'string'&>&*}*&
.cindex "expansion" "expression evaluation"
.cindex "expansion" "hex to base64"
.cindex "&%hex2b64%& expansion item"
This operator converts a hex string into one that is base64 encoded. This can
-be useful for processing the output of the MD5 and SHA-1 hashing functions.
+be useful for processing the output of the various hashing functions.
+
+
+
+.vitem &*${hexquote:*&<&'string'&>&*}*&
+.cindex "quoting" "hex-encoded unprintable characters"
+.cindex "&%hexquote%& expansion item"
+This operator converts non-printable characters in a string into a hex
+escape form. Byte values between 33 (!) and 126 (~) inclusive are left
+as is, and other byte values are converted to &`\xNN`&, for example, a
+byte value 127 is converted to &`\x7f`&.
+
+
+.vitem &*${ipv6denorm:*&<&'string'&>&*}*&
+.cindex "&%ipv6denorm%& expansion item"
+.cindex "IP address" normalisation
+This expands an IPv6 address to a full eight-element colon-separated set
+of hex digits including leading zeroes.
+A trailing ipv4-style dotted-decimal set is converted to hex.
+Pure IPv4 addresses are converted to IPv4-mapped IPv6.
+
+.vitem &*${ipv6norm:*&<&'string'&>&*}*&
+.cindex "&%ipv6norm%& expansion item"
+.cindex "IP address" normalisation
+.cindex "IP address" "canonical form"
+This converts an IPv6 address to canonical form.
+Leading zeroes of groups are omitted, and the longest
+set of zero-valued groups is replaced with a double colon.
+A trailing ipv4-style dotted-decimal set is converted to hex.
+Pure IPv4 addresses are converted to IPv4-mapped IPv6.
.vitem &*${lc:*&<&'string'&>&*}*&
.code
${lc:$local_part}
.endd
+Case is defined per the system C locale.
.vitem &*${length_*&<&'number'&>&*:*&<&'string'&>&*}*&
.cindex "expansion" "string truncation"
See the description of the general &%length%& item above for details. Note that
&%length%& is not the same as &%strlen%&. The abbreviation &%l%& can be used
when &%length%& is used as an operator.
+All measurement is done in bytes and is not UTF-8 aware.
+
+
+.vitem &*${listcount:*&<&'string'&>&*}*&
+.cindex "expansion" "list item count"
+.cindex "list" "item count"
+.cindex "list" "count of items"
+.cindex "&%listcount%& expansion item"
+The string is interpreted as a list and the number of items is returned.
+
+
+.vitem &*${listnamed:*&<&'name'&>&*}*&&~and&~&*${listnamed_*&<&'type'&>&*:*&<&'name'&>&*}*&
+.cindex "expansion" "named list"
+.cindex "&%listnamed%& expansion item"
+The name is interpreted as a named list and the content of the list is returned,
+expanding any referenced lists, re-quoting as needed for colon-separation.
+If the optional type is given it must be one of "a", "d", "h" or "l"
+and selects address-, domain-, host- or localpart- lists to search among respectively.
+Otherwise all types are searched in an undefined order and the first
+matching list is returned.
.vitem &*${local_part:*&<&'string'&>&*}*&
The string is interpreted as an RFC 2822 address and the local part is
extracted from it. If the string does not parse successfully, the result is
empty.
+The parsing correctly handles SMTPUTF8 Unicode in the string.
.vitem &*${mask:*&<&'IP&~address'&>&*/*&<&'bit&~count'&>&*}*&
.vitem &*${md5:*&<&'string'&>&*}*&
.cindex "MD5 hash"
.cindex "expansion" "MD5 hash"
+.cindex certificate fingerprint
.cindex "&%md5%& expansion item"
The &%md5%& operator computes the MD5 hash value of the string, and returns it
as a 32-digit hexadecimal number, in which any letters are in lower case.
+If the string is a single variable of type certificate,
+returns the MD5 hash fingerprint of the certificate.
+
.vitem &*${nhash_*&<&'n'&>&*_*&<&'m'&>&*:*&<&'string'&>&*}*&
.cindex "expansion" "numeric hash"
If you are creating a new email address from the contents of &$local_part$&
(or any other unknown data), you should always use this operator.
+This quoting determination is not SMTPUTF8-aware, thus quoting non-ASCII data
+will likely use the quoting form.
+Thus &'${quote_local_part:フィル}'& will always become &'"フィル"'&.
+
.vitem &*${quote_*&<&'lookup-type'&>&*:*&<&'string'&>&*}*&
.cindex "quoting" "lookup-specific"
supplied number and is at least 0. The quality of this randomness depends
on how Exim was built; the values are not suitable for keying material.
If Exim is linked against OpenSSL then RAND_pseudo_bytes() is used.
+If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used,
+for versions of GnuTLS with that function.
Otherwise, the implementation may be arc4random(), random() seeded by
srandomdev() or srandom(), or a custom implementation even weaker than
random().
.vitem &*${reverse_ip:*&<&'ipaddr'&>&*}*&
.cindex "expansion" "IP address"
This operator reverses an IP address; for IPv4 addresses, the result is in
-dotted-quad decimal form, while for IPv6 addreses the result is in
+dotted-quad decimal form, while for IPv6 addresses the result is in
dotted-nibble hexadecimal form. In both cases, this is the "natural" form
for DNS. For example,
.code
${reverse_ip:192.0.2.4}
-${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3}
+${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.127}
.endd
returns
.code
4.2.0.192
-3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
+f.7.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
.endd
This operator encodes text according to the rules of RFC 2047. This is an
encoding that is used in header lines to encode non-ASCII characters. It is
assumed that the input string is in the encoding specified by the
-&%headers_charset%& option, which defaults to ISO-8859-1. If the string
+&%headers_charset%& option, which gets its default at build time. If the string
contains only characters in the range 33&--126, and no instances of the
characters
.code
.vitem &*${sha1:*&<&'string'&>&*}*&
.cindex "SHA-1 hash"
.cindex "expansion" "SHA-1 hashing"
-.cindex "&%sha2%& expansion item"
+.cindex certificate fingerprint
+.cindex "&%sha1%& expansion item"
The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
it as a 40-digit hexadecimal number, in which any letters are in upper case.
+If the string is a single variable of type certificate,
+returns the SHA-1 hash fingerprint of the certificate.
+
+
+.vitem &*${sha256:*&<&'string'&>&*}*&
+.cindex "SHA-256 hash"
+.cindex certificate fingerprint
+.cindex "expansion" "SHA-256 hashing"
+.cindex "&%sha256%& expansion item"
+The &%sha256%& operator computes the SHA-256 hash value of the string
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+
+If the string is a single variable of type certificate,
+returns the SHA-256 hash fingerprint of the certificate.
+
+
+.vitem &*${sha3:*&<&'string'&>&*}*& &&&
+ &*${sha3_<n>:*&<&'string'&>&*}*&
+.cindex "SHA3 hash"
+.cindex "expansion" "SHA3 hashing"
+.cindex "&%sha3%& expansion item"
+The &%sha3%& operator computes the SHA3-256 hash value of the string
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+
+If a number is appended, separated by an underbar, it specifies
+the output length. Values of 224, 256, 384 and 512 are accepted;
+with 256 being the default.
+
+The &%sha3%& expansion item is only supported if Exim has been
+compiled with GnuTLS 3.5.0 or later,
+or OpenSSL 1.1.1 or later.
+The macro "_CRYPTO_HASH_SHA3" will be defined if it is supported.
+
.vitem &*${stat:*&<&'string'&>&*}*&
.cindex "expansion" "statting a file"
systems for files larger than 2GB.
.vitem &*${str2b64:*&<&'string'&>&*}*&
-.cindex "expansion" "base64 encoding"
-.cindex "base64 encoding" "in string expansion"
.cindex "&%str2b64%& expansion item"
-This operator converts a string into one that is base64 encoded.
+Now deprecated, a synonym for the &%base64%& expansion operator.
.cindex "&%strlen%& expansion item"
The item is replace by the length of the expanded string, expressed as a
decimal number. &*Note*&: Do not confuse &%strlen%& with &%length%&.
+All measurement is done in bytes and is not UTF-8 aware.
.vitem &*${substr_*&<&'start'&>&*_*&<&'length'&>&*:*&<&'string'&>&*}*&
.endd
See the description of the general &%substr%& item above for details. The
abbreviation &%s%& can be used when &%substr%& is used as an operator.
+All measurement is done in bytes and is not UTF-8 aware.
.vitem &*${time_eval:*&<&'string'&>&*}*&
.cindex "&%time_eval%& expansion item"
.cindex "expansion" "case forcing"
.cindex "&%uc%& expansion item"
This forces the letters in the string into upper-case.
+Case is defined per the system C locale.
+
+.vitem &*${utf8clean:*&<&'string'&>&*}*&
+.cindex "correction of invalid utf-8 sequences in strings"
+.cindex "utf-8" "utf-8 sequences"
+.cindex "incorrect utf-8"
+.cindex "expansion" "utf-8 forcing"
+.cindex "&%utf8clean%& expansion item"
+This replaces any invalid utf-8 sequence in the string by the character &`?`&.
+.new
+In versions of Exim before 4.92, this did not correctly do so for a truncated
+final codepoint's encoding, and the character would be silently dropped.
+If you must handle detection of this scenario across both sets of Exim behavior,
+the complexity will depend upon the task.
+For instance, to detect if the first character is multibyte and a 1-byte
+extraction can be successfully used as a path component (as is common for
+dividing up delivery folders), you might use:
+.code
+condition = ${if inlist{${utf8clean:${length_1:$local_part}}}{:?}{yes}{no}}
+.endd
+(which will false-positive if the first character of the local part is a
+literal question mark).
+.wen
+
+.vitem "&*${utf8_domain_to_alabel:*&<&'string'&>&*}*&" &&&
+ "&*${utf8_domain_from_alabel:*&<&'string'&>&*}*&" &&&
+ "&*${utf8_localpart_to_alabel:*&<&'string'&>&*}*&" &&&
+ "&*${utf8_localpart_from_alabel:*&<&'string'&>&*}*&"
+.cindex expansion UTF-8
+.cindex UTF-8 expansion
+.cindex EAI
+.cindex internationalisation
+.cindex "&%utf8_domain_to_alabel%& expansion item"
+.cindex "&%utf8_domain_from_alabel%& expansion item"
+.cindex "&%utf8_localpart_to_alabel%& expansion item"
+.cindex "&%utf8_localpart_from_alabel%& expansion item"
+These convert EAI mail name components between UTF-8 and a-label forms.
+For information on internationalisation support see &<<SECTi18nMTA>>&.
.endlist
.endd
Note that the general negation operator provides for inequality testing. The
two strings must take the form of optionally signed decimal integers,
-optionally followed by one of the letters &"K"& or &"M"& (in either upper or
-lower case), signifying multiplication by 1024 or 1024*1024, respectively.
+optionally followed by one of the letters &"K"&, &"M"& or &"G"& (in either upper or
+lower case), signifying multiplication by 1024, 1024*1024 or 1024*1024*1024, respectively.
As a special case, the numerical value of an empty string is taken as
zero.
10M, not if 10M is larger than &$message_size$&.
+.vitem &*acl&~{{*&<&'name'&>&*}{*&<&'arg1'&>&*}&&&
+ {*&<&'arg2'&>&*}...}*&
+.cindex "expansion" "calling an acl"
+.cindex "&%acl%&" "expansion condition"
+The name and zero to nine argument strings are first expanded separately. The expanded
+arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+Any unused are made empty. The variable &$acl_narg$& is set to the number of
+arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+and may use the variables; if another acl expansion is used the values
+are restored after it returns. If the ACL sets
+a value using a "message =" modifier the variable $value becomes
+the result of the expansion, otherwise it is empty.
+If the ACL returns accept the condition is true; if deny, false.
+If the ACL returns defer the result is a forced-fail.
+
.vitem &*bool&~{*&<&'string'&>&*}*&
.cindex "expansion" "boolean parsing"
.cindex "&%bool%& expansion condition"
This condition turns a string holding a true or false representation into
a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"&
-(case-insensitively); also positive integer numbers map to true if non-zero,
+(case-insensitively); also integer numbers map to true if non-zero,
false if zero.
An empty string is treated as false.
Leading and trailing whitespace is ignored;
.cindex "&%eqi%& expansion condition"
The two substrings are first expanded. The condition is true if the two
resulting strings are identical. For &%eq%& the comparison includes the case of
-letters, whereas for &%eqi%& the comparison is case-independent.
+letters, whereas for &%eqi%& the comparison is case-independent, where
+case is defined per the system C locale.
.vitem &*exists&~{*&<&'file&~name'&>&*}*&
.cindex "expansion" "file existence test"
.vindex "&$item$&"
These conditions iterate over a list. The first argument is expanded to form
the list. By default, the list separator is a colon, but it can be changed by
-the normal method. The second argument is interpreted as a condition that is to
+the normal method (&<<SECTlistsepchange>>&).
+The second argument is interpreted as a condition that is to
be applied to each item in the list in turn. During the interpretation of the
condition, the current list item is placed in a variable called &$item$&.
.ilist
The value of &$item$& is saved and restored while &*forany*& or &*forall*& is
being processed, to enable these expansion items to be nested.
+To scan a named list, expand it with the &*listnamed*& operator.
+
.vitem &*ge&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
&*gei&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
string is lexically greater than or equal to the second string. For &%ge%& the
comparison includes the case of letters, whereas for &%gei%& the comparison is
case-independent.
+Case and collation order are defined per the system C locale.
.vitem &*gt&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
&*gti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
string is lexically greater than the second string. For &%gt%& the comparison
includes the case of letters, whereas for &%gti%& the comparison is
case-independent.
+Case and collation order are defined per the system C locale.
-.new
.vitem &*inlist&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
&*inlisti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
.cindex "string" "comparison"
Both strings are expanded; the second string is treated as a list of simple
strings; if the first string is a member of the second, then the condition
is true.
+For the case-independent &%inlisti%& condition, case is defined per the system C locale.
These are simpler to use versions of the more powerful &*forany*& condition.
Examples, and the &*forany*& equivalents:
${if inlisti{Needle}{fOo:NeeDLE:bAr}}
${if forany{fOo:NeeDLE:bAr}{eqi{$item}{Needle}}}
.endd
-.wen
.vitem &*isip&~{*&<&'string'&>&*}*& &&&
&*isip4&~{*&<&'string'&>&*}*& &&&
hexadecimal digits. There may be fewer than eight components if an empty
component (adjacent colons) is present. Only one empty component is permitted.
-&*Note*&: The checks are just on the form of the address; actual numerical
-values are not considered. Thus, for example, 999.999.999.999 passes the IPv4
-check. The main use of these tests is to distinguish between IP addresses and
+&*Note*&: The checks used to be just on the form of the address; actual numerical
+values were not considered. Thus, for example, 999.999.999.999 passed the IPv4
+check.
+This is no longer the case.
+
+The main use of these tests is to distinguish between IP addresses and
host names, or between IPv4 and IPv6 addresses. For example, you could use
.code
${if isip4{$sender_host_address}...
string is lexically less than or equal to the second string. For &%le%& the
comparison includes the case of letters, whereas for &%lei%& the comparison is
case-independent.
+Case and collation order are defined per the system C locale.
.vitem &*lt&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
&*lti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
string is lexically less than the second string. For &%lt%& the comparison
includes the case of letters, whereas for &%lti%& the comparison is
case-independent.
+Case and collation order are defined per the system C locale.
.vitem &*match&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
and it may match anywhere in the subject, not just at the start. If you want
the pattern to match at the end of the subject, you must include the &`$`&
metacharacter at an appropriate point.
+All character handling is done in bytes and is not UTF-8 aware,
+but we might change this in a future Exim release.
.cindex "numerical variables (&$1$& &$2$& etc)" "in &%if%& expansion"
At the start of an &%if%& expansion the values of the numeric variable
.vitem &*match_ip&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
.cindex "&%match_ip%& expansion condition"
-.new
This condition matches an IP address to a list of IP address patterns. It must
be followed by two argument strings. The first (after expansion) must be an IP
address or an empty string. The second (not expanded) is a restricted host
list that can match only an IP address, not a host name. For example:
-.wen
.code
${if match_ip{$sender_host_address}{1.2.3.4:5.6.7.8}{...}{...}}
.endd
.endd
.endlist ilist
-.new
Note that <&'string2'&> is not itself subject to string expansion, unless
Exim was built with the EXPAND_LISTMATCH_RHS option.
-.wen
Consult section &<<SECThoslispatip>>& for further details of these patterns.
${if match_domain{a.b.c}{x.y.z:a.b.c:p.q.r}{yes}{no}}
.endd
In each case, the second argument may contain any of the allowable items for a
-list of the appropriate type. Also, because the second argument (after
-expansion) is a standard form of list, it is possible to refer to a named list.
+list of the appropriate type. Also, because the second argument
+is a standard form of list, it is possible to refer to a named list.
Thus, you can use conditions like this:
.code
${if match_domain{$domain}{+local_domains}{...
have their local parts matched casefully. Domains are always matched
caselessly.
-.new
Note that <&'string2'&> is not itself subject to string expansion, unless
Exim was built with the EXPAND_LISTMATCH_RHS option.
-.wen
&*Note*&: Host lists are &'not'& supported in this way. This is because
hosts have two identities: a name and an IP address, and it is not clear
.cindex "expansion" "PAM authentication test"
.cindex "&%pam%& expansion condition"
&'Pluggable Authentication Modules'&
-(&url(http://www.kernel.org/pub/linux/libs/pam/)) are a facility that is
+(&url(https://mirrors.edge.kernel.org/pub/linux/libs/pam/)) are a facility that is
available in the latest releases of Solaris and in some GNU/Linux
distributions. The Exim support, which is intended for use in conjunction with
the SMTP AUTH command, is available only if Exim is compiled with
In some operating systems, PAM authentication can be done only from a process
running as root. Since Exim is running as the Exim user when receiving
messages, this means that PAM cannot be used directly in those systems.
-A patched version of the &'pam_unix'& module that comes with the
-Linux PAM package is available from &url(http://www.e-admin.de/pam_exim/).
-The patched module allows one special uid/gid combination, in addition to root,
-to authenticate. If you build the patched module to allow the Exim user and
-group, PAM can then be used from an Exim authenticator.
+. --- 2018-09-07: the pam_exim modified variant has gone, removed claims re using Exim via that
.vitem &*pwcheck&~{*&<&'string1'&>&*:*&<&'string2'&>&*}*&
When a &%match%& expansion condition succeeds, these variables contain the
captured substrings identified by the regular expression during subsequent
processing of the success string of the containing &%if%& expansion item.
-However, they do not retain their values afterwards; in fact, their previous
+In the expansion condition case
+they do not retain their values afterwards; in fact, their previous
values are restored at the end of processing an &%if%& item. The numerical
variables may also be set externally by some other matching process which
precedes the expansion of the string. For example, the commands available in
Exim filter files include an &%if%& command with its own regular expression
matching condition.
+.vitem "&$acl_arg1$&, &$acl_arg2$&, etc"
+Within an acl condition, expansion condition or expansion item
+any arguments are copied to these variables,
+any unused variables being made empty.
+
.vitem "&$acl_c...$&"
Values can be placed in these variables by the &%set%& modifier in an ACL. They
can be given any name that starts with &$acl_c$& and is at least six characters
and can be accessed by filters, routers, and transports during subsequent
delivery.
+.vitem &$acl_narg$&
+Within an acl condition, expansion condition or expansion item
+this variable has the number of arguments.
+
.vitem &$acl_verify_message$&
.vindex "&$acl_verify_message$&"
After an address verification has failed, this variable contains the failure
.vitem "&$auth1$& &-- &$auth3$&"
.vindex "&$auth1$&, &$auth2$&, etc"
These variables are used in SMTP authenticators (see chapters
-&<<CHAPplaintext>>&&--&<<CHAPspa>>&). Elsewhere, they are empty.
+&<<CHAPplaintext>>&&--&<<CHAPtlsauth>>&). Elsewhere, they are empty.
.vitem &$authenticated_id$&
.cindex "authentication" "id"
user/password authenticator configuration might preserve the user name for use
in the routers. Note that this is not the same information that is saved in
&$sender_host_authenticated$&.
+
When a message is submitted locally (that is, not over a TCP connection)
the value of &$authenticated_id$& is normally the login name of the calling
process. However, a trusted user can override this by means of the &%-oMai%&
command line option.
+This second case also sets up information used by the
+&$authresults$& expansion item.
-
+.vitem &$authenticated_fail_id$&
+.cindex "authentication" "fail" "id"
+.vindex "&$authenticated_fail_id$&"
+When an authentication attempt fails, the variable &$authenticated_fail_id$&
+will contain the failed authentication id. If more than one authentication
+id is attempted, it will contain only the last one. The variable is
+available for processing in the ACL's, generally the quit or notquit ACL.
+A message to a local recipient could still be accepted without requiring
+authentication, which means this variable could also be visible in all of
+the ACL's as well.
.vitem &$authenticated_sender$&
negative response to an AUTH command, including (for example) an attempt to use
an undefined mechanism.
-.new
.vitem &$av_failed$&
.cindex "content scanning" "AV scanner failure"
This variable is available when Exim is compiled with the content-scanning
extension. It is set to &"0"& by default, but will be set to &"1"& if any
problem occurs with the virus scanner (specified by &%av_scanner%&) during
the ACL malware condition.
-.wen
.vitem &$body_linecount$&
.cindex "message body" "line count"
&$originator_uid$&). If Exim re-execs itself, this variable in the new
incarnation normally contains the Exim uid.
-.vitem &$compile_date$&
-.vindex "&$compile_date$&"
-The date on which the Exim binary was compiled.
+.vitem &$callout_address$&
+.vindex "&$callout_address$&"
+After a callout for verification, spamd or malware daemon service, the
+address that was connected to.
.vitem &$compile_number$&
.vindex "&$compile_number$&"
The building process for Exim keeps a count of the number
of times it has been compiled. This serves to distinguish different
-compilations of the same version of the program.
-
-.vitem &$demime_errorlevel$&
-.vindex "&$demime_errorlevel$&"
-This variable is available when Exim is compiled with
-the content-scanning extension and the obsolete &%demime%& condition. For
-details, see section &<<SECTdemimecond>>&.
-
-.vitem &$demime_reason$&
-.vindex "&$demime_reason$&"
-This variable is available when Exim is compiled with the
-content-scanning extension and the obsolete &%demime%& condition. For details,
-see section &<<SECTdemimecond>>&.
+compilations of the same version of Exim.
+
+.vitem &$config_dir$&
+.vindex "&$config_dir$&"
+The directory name of the main configuration file. That is, the content of
+&$config_file$& with the last component stripped. The value does not
+contain the trailing slash. If &$config_file$& does not contain a slash,
+&$config_dir$& is ".".
+
+.vitem &$config_file$&
+.vindex "&$config_file$&"
+The name of the main configuration file Exim is using.
+
+.vitem &$dkim_verify_status$&
+Results of DKIM verification.
+For details see section &<<SECDKIMVFY>>&.
+
+.vitem &$dkim_cur_signer$& &&&
+ &$dkim_verify_reason$& &&&
+ &$dkim_domain$& &&&
+ &$dkim_identity$& &&&
+ &$dkim_selector$& &&&
+ &$dkim_algo$& &&&
+ &$dkim_canon_body$& &&&
+ &$dkim_canon_headers$& &&&
+ &$dkim_copiedheaders$& &&&
+ &$dkim_bodylength$& &&&
+ &$dkim_created$& &&&
+ &$dkim_expires$& &&&
+ &$dkim_headernames$& &&&
+ &$dkim_key_testing$& &&&
+ &$dkim_key_nosubdomains$& &&&
+ &$dkim_key_srvtype$& &&&
+ &$dkim_key_granularity$& &&&
+ &$dkim_key_notes$& &&&
+ &$dkim_key_length$&
+These variables are only available within the DKIM ACL.
+For details see section &<<SECDKIMVFY>>&.
+
+.vitem &$dkim_signers$&
+.vindex &$dkim_signers$&
+When a message has been received this variable contains
+a colon-separated list of signer domains and identities for the message.
+For details see section &<<SECDKIMVFY>>&.
.vitem &$dnslist_domain$& &&&
&$dnslist_matched$& &&&
.vindex "&$exim_uid$&"
This variable contains the numerical value of the Exim user id.
-.vitem &$found_extension$&
-.vindex "&$found_extension$&"
-This variable is available when Exim is compiled with the
-content-scanning extension and the obsolete &%demime%& condition. For details,
-see section &<<SECTdemimecond>>&.
+.vitem &$exim_version$&
+.vindex "&$exim_version$&"
+This variable contains the version string of the Exim build.
+The first character is a major version number, currently 4.
+Then after a dot, the next group of digits is a minor version number.
+There may be other characters following the minor version.
.vitem &$header_$&<&'name'&>
This is not strictly an expansion variable. It is expansion syntax for
inserting the message header line with the given name. Note that the name must
be terminated by colon or white space, because it may contain a wide variety of
characters. Note also that braces must &'not'& be used.
+See the full description in section &<<SECTexpansionitems>>& above.
+
+.vitem &$headers_added$&
+.vindex "&$headers_added$&"
+Within an ACL this variable contains the headers added so far by
+the ACL modifier add_header (section &<<SECTaddheadacl>>&).
+The headers are a newline-separated list.
.vitem &$home$&
.vindex "&$home$&"
by a setting on the transport itself.
When running a filter test via the &%-bf%& option, &$home$& is set to the value
-of the environment variable HOME.
+of the environment variable HOME, which is subject to the
+&%keep_environment%& and &%add_environment%& main config options.
.vitem &$host$&
.vindex "&$host$&"
the result, the name is not accepted, and &$host_lookup_deferred$& is set to
&"1"&. See also &$sender_host_name$&.
+.cindex authentication "expansion item"
+Performing these checks sets up information used by the
+&$authresults$& expansion item.
+
+
.vitem &$host_lookup_failed$&
.vindex "&$host_lookup_failed$&"
See &$host_lookup_deferred$&.
+.vitem &$host_port$&
+.vindex "&$host_port$&"
+This variable is set to the remote host's TCP port whenever &$host$& is set
+for an outbound connection.
+
+.vitem &$initial_cwd$&
+.vindex "&$initial_cwd$&
+This variable contains the full path name of the initial working
+directory of the current Exim process. This may differ from the current
+working directory, as Exim changes this to "/" during early startup, and
+to &$spool_directory$& later.
.vitem &$inode$&
.vindex "&$inode$&"
.vindex "&$local_part_prefix$&"
.vindex "&$local_part_suffix$&"
+.cindex affix variables
If a local part prefix or suffix has been recognized, it is not included in the
value of &$local_part$& during routing and subsequent delivery. The values of
any prefix or suffix are in &$local_part_prefix$& and
When a message is being delivered to a file, pipe, or autoreply transport as a
result of aliasing or forwarding, &$local_part$& is set to the local part of
-the parent address, not to the file name or command (see &$address_file$& and
+the parent address, not to the filename or command (see &$address_file$& and
&$address_pipe$&).
When an ACL is running for a RCPT command, &$local_part$& contains the
.vitem &$local_part_prefix$&
.vindex "&$local_part_prefix$&"
+.cindex affix variables
When an address is being routed or delivered, and a
specific prefix for the local part was recognized, it is available in this
variable, having been removed from &$local_part$&.
the space value is -1. See also the &%check_log_space%& option.
+.vitem &$lookup_dnssec_authenticated$&
+.vindex "&$lookup_dnssec_authenticated$&"
+This variable is set after a DNS lookup done by
+a dnsdb lookup expansion, dnslookup router or smtp transport.
+.cindex "DNS" "DNSSEC"
+It will be empty if &(DNSSEC)& was not requested,
+&"no"& if the result was not labelled as authenticated data
+and &"yes"& if it was.
+Results that are labelled as authoritative answer that match
+the &%dns_trust_aa%& configuration variable count also
+as authenticated data.
+
.vitem &$mailstore_basename$&
.vindex "&$mailstore_basename$&"
This variable is set only when doing deliveries in &"mailstore"& format in the
This variable contains the number of bytes in the longest line that was
received as part of the message, not counting the line termination
character(s).
+It is not valid if the &%spool_files_wireformat%& option is used.
.vitem &$message_age$&
.cindex "message" "age of"
separates the body from the header. Newlines are included in the count. See
also &$message_size$&, &$body_linecount$&, and &$body_zerocount$&.
+If the spool file is wireformat
+(see the &%spool_files_wireformat%& main option)
+the CRLF line-terminators are included in the count.
+
.vitem &$message_exim_id$&
.vindex "&$message_exim_id$&"
When a message is being received or delivered, this variable contains the
contents of header lines is done.
.vitem &$message_id$&
-This is an old name for &$message_exim_id$&, which is now deprecated.
+This is an old name for &$message_exim_id$&. It is now deprecated.
.vitem &$message_linecount$&
.vindex "&$message_linecount$&"
In the MAIL and RCPT ACLs, the value is zero because at that stage the
message has not yet been received.
+This variable is not valid if the &%spool_files_wireformat%& option is used.
+
.vitem &$message_size$&
.cindex "size" "of message"
.cindex "message" "size"
.cindex "uid (user id)" "of originating user"
.cindex "sender" "uid"
.vindex "&$caller_uid$&"
-.vindex "&$originaltor_uid$&"
+.vindex "&$originator_uid$&"
The value of &$caller_uid$& that was set when the message was received. For
messages received via the command line, this is the uid of the sending user.
For messages received by SMTP over TCP/IP, this is normally the uid of the Exim
qualified host name. See also &$smtp_active_hostname$&.
+.vitem &$proxy_external_address$& &&&
+ &$proxy_external_port$& &&&
+ &$proxy_local_address$& &&&
+ &$proxy_local_port$& &&&
+ &$proxy_session$&
+These variables are only available when built with Proxy Protocol
+or SOCKS5 support.
+For details see chapter &<<SECTproxyInbound>>&.
+
+.vitem &$prdr_requested$&
+.cindex "PRDR" "variable for"
+This variable is set to &"yes"& if PRDR was requested by the client for the
+current message, otherwise &"no"&.
+
.vitem &$prvscheck_address$&
This variable is used in conjunction with the &%prvscheck%& expansion item,
which is described in sections &<<SECTexpansionitems>>& and
The value set for the &%qualify_recipient%& option in the configuration file,
or if not set, the value of &$qualify_domain$&.
+.vitem &$queue_name$&
+.vindex &$queue_name$&
+.cindex "named queues"
+.cindex queues named
+The name of the spool queue in use; empty for the default queue.
+
.vitem &$rcpt_count$&
.vindex "&$rcpt_count$&"
When a message is being received by SMTP, this variable contains the number of
option.
As well as being useful in ACLs (including the &"connect"& ACL), these variable
-could be used, for example, to make the file name for a TLS certificate depend
+could be used, for example, to make the filename for a TLS certificate depend
on which interface and/or port is being used for the incoming connection. The
values of &$received_ip_address$& and &$received_port$& are saved with any
messages that are received, thus making these variables available at delivery
time.
-
-&*Note:*& There are no equivalent variables for outgoing connections, because
-the values are unknown (unless they are explicitly set by options of the
-&(smtp)& transport).
+For outbound connections see &$sending_ip_address$&.
.vitem &$received_port$&
.vindex "&$received_port$&"
This variable is set to contain the matching regular expression after a
&%regex%& ACL condition has matched (see section &<<SECTscanregex>>&).
+.vitem "&$regex1$&, &$regex2$&, etc"
+.cindex "regex submatch variables (&$1regex$& &$2regex$& etc)"
+When a &%regex%& or &%mime_regex%& ACL condition succeeds,
+these variables contain the
+captured substrings identified by the regular expression.
+
.vitem &$reply_address$&
.vindex "&$reply_address$&"
.vindex "&$return_size_limit$&"
This is an obsolete name for &$bounce_return_size_limit$&.
+.vitem &$router_name$&
+.cindex "router" "name"
+.cindex "name" "of router"
+.vindex "&$router_name$&"
+During the running of a router this variable contains its name.
+
.vitem &$runrc$&
.cindex "return code" "from &%run%& expansion"
.vindex "&$runrc$&"
the argument of a HELO or EHLO command. This is omitted if it is identical to
the verified host name or to the host's IP address in square brackets.
+.vitem &$sender_helo_dnssec$&
+.vindex "&$sender_helo_dnssec$&"
+This boolean variable is true if a successful HELO verification was
+.cindex "DNS" "DNSSEC"
+done using DNS information the resolver library stated was authenticated data.
+
.vitem &$sender_helo_name$&
.vindex "&$sender_helo_name$&"
When a message is received from a remote host that has issued a HELO or EHLO
.vitem &$sender_host_address$&
.vindex "&$sender_host_address$&"
-When a message is received from a remote host, this variable contains that
-host's IP address. For locally submitted messages, it is empty.
+When a message is received from a remote host using SMTP,
+this variable contains that
+host's IP address. For locally non-SMTP submitted messages, it is empty.
.vitem &$sender_host_authenticated$&
.vindex "&$sender_host_authenticated$&"
received. It is empty if there was no successful authentication. See also
&$authenticated_id$&.
+.vitem &$sender_host_dnssec$&
+.vindex "&$sender_host_dnssec$&"
+If an attempt to populate &$sender_host_name$& has been made
+(by reference, &%hosts_lookup%& or
+otherwise) then this boolean will have been set true if, and only if, the
+resolver library states that both
+the reverse and forward DNS were authenticated data. At all
+other times, this variable is false.
+
+.cindex "DNS" "DNSSEC"
+It is likely that you will need to coerce DNSSEC support on in the resolver
+library, by setting:
+.code
+dns_dnssec_ok = 1
+.endd
+
+Exim does not perform DNSSEC validation itself, instead leaving that to a
+validating resolver (e.g. unbound, or bind with suitable configuration).
+
+If you have changed &%host_lookup_order%& so that &`bydns`& is not the first
+mechanism in the list, then this variable will be false.
+
+This requires that your system resolver library support EDNS0 (and that
+DNSSEC flags exist in the system headers). If the resolver silently drops
+all EDNS0 options, then this will have no effect. OpenBSD's asr resolver
+is known to currently ignore EDNS0, documented in CAVEATS of asr_run(3).
+
+
.vitem &$sender_host_name$&
.vindex "&$sender_host_name$&"
When a message is received from a remote host, this variable contains the
space removed. Following the introduction of &$smtp_command$&, this variable is
somewhat redundant, but is retained for backwards compatibility.
+.vitem &$smtp_command_history$&
+.cindex SMTP "command history"
+.vindex "&$smtp_command_history$&"
+A comma-separated list (with no whitespace) of the most-recent SMTP commands
+received, in time-order left to right. Only a limited number of commands
+are remembered.
+
.vitem &$smtp_count_at_connection_start$&
.vindex "&$smtp_count_at_connection_start$&"
This variable is set greater than zero only in processes spawned by the Exim
is compiled with the content-scanning extension. For details, see section
&<<SECTscanspamass>>&.
+.vitem &$spf_header_comment$& &&&
+ &$spf_received$& &&&
+ &$spf_result$& &&&
+ &$spf_result_guessed$& &&&
+ &$spf_smtp_comment$&
+These variables are only available if Exim is built with SPF support.
+For details see section &<<SECSPF>>&.
.vitem &$spool_directory$&
.vindex "&$spool_directory$&"
command, which can be found in the separate document entitled &'Exim's
interfaces to mail filtering'&.
-.new
-.vitem &$tls_bits$&
-.vindex "&$tls_bits$&"
-Contains an approximation of the TLS cipher's bit-strength; the meaning of
+.vitem &$tls_in_bits$&
+.vindex "&$tls_in_bits$&"
+Contains an approximation of the TLS cipher's bit-strength
+on the inbound connection; the meaning of
this depends upon the TLS implementation used.
If TLS has not been negotiated, the value will be 0.
The value of this is automatically fed into the Cyrus SASL authenticator
when acting as a server, to specify the "external SSF" (a SASL term).
-.wen
-.vitem &$tls_certificate_verified$&
-.vindex "&$tls_certificate_verified$&"
+The deprecated &$tls_bits$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_bits$&
+.vindex "&$tls_out_bits$&"
+Contains an approximation of the TLS cipher's bit-strength
+on an outbound SMTP connection; the meaning of
+this depends upon the TLS implementation used.
+If TLS has not been negotiated, the value will be 0.
+
+.vitem &$tls_in_ourcert$&
+.vindex "&$tls_in_ourcert$&"
+.cindex certificate variables
+This variable refers to the certificate presented to the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%&, &%sha1%& or &%sha256%& operator,
+or a &%def%& condition.
+
+&*Note*&: Under versions of OpenSSL preceding 1.1.1,
+when a list of more than one
+file is used for &%tls_certificate%&, this variable is not reliable.
+
+.vitem &$tls_in_peercert$&
+.vindex "&$tls_in_peercert$&"
+This variable refers to the certificate presented by the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%&, &%sha1%& or &%sha256%& operator,
+or a &%def%& condition.
+If certificate verification fails it may refer to a failing chain element
+which is not the leaf.
+
+.vitem &$tls_out_ourcert$&
+.vindex "&$tls_out_ourcert$&"
+This variable refers to the certificate presented to the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%&, &%sha1%& or &%sha256%& operator,
+or a &%def%& condition.
+
+.vitem &$tls_out_peercert$&
+.vindex "&$tls_out_peercert$&"
+This variable refers to the certificate presented by the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%&, &%sha1%& or &%sha256%& operator,
+or a &%def%& condition.
+If certificate verification fails it may refer to a failing chain element
+which is not the leaf.
+
+.vitem &$tls_in_certificate_verified$&
+.vindex "&$tls_in_certificate_verified$&"
This variable is set to &"1"& if a TLS certificate was verified when the
message was received, and &"0"& otherwise.
-.vitem &$tls_cipher$&
+The deprecated &$tls_certificate_verified$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_certificate_verified$&
+.vindex "&$tls_out_certificate_verified$&"
+This variable is set to &"1"& if a TLS certificate was verified when an
+outbound SMTP connection was made,
+and &"0"& otherwise.
+
+.vitem &$tls_in_cipher$&
+.vindex "&$tls_in_cipher$&"
.vindex "&$tls_cipher$&"
When a message is received from a remote host over an encrypted SMTP
connection, this variable is set to the cipher suite that was negotiated, for
example DES-CBC3-SHA. In other circumstances, in particular, for message
received over unencrypted connections, the variable is empty. Testing
-&$tls_cipher$& for emptiness is one way of distinguishing between encrypted and
+&$tls_in_cipher$& for emptiness is one way of distinguishing between encrypted and
non-encrypted connections during ACL processing.
-The &$tls_cipher$& variable retains its value during message delivery, except
-when an outward SMTP delivery takes place via the &(smtp)& transport. In this
-case, &$tls_cipher$& is cleared before any outgoing SMTP connection is made,
+The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during message reception,
+but in the context of an outward SMTP delivery taking place via the &(smtp)& transport
+becomes the same as &$tls_out_cipher$&.
+
+.vitem &$tls_out_cipher$&
+.vindex "&$tls_out_cipher$&"
+This variable is
+cleared before any outgoing SMTP connection is made,
and then set to the outgoing cipher suite if one is negotiated. See chapter
&<<CHAPTLS>>& for details of TLS support and chapter &<<CHAPsmtptrans>>& for
details of the &(smtp)& transport.
-.vitem &$tls_peerdn$&
+.vitem &$tls_out_dane$&
+.vindex &$tls_out_dane$&
+DANE active status. See section &<<SECDANE>>&.
+
+.vitem &$tls_in_ocsp$&
+.vindex "&$tls_in_ocsp$&"
+When a message is received from a remote client connection
+the result of any OCSP request from the client is encoded in this variable:
+.code
+0 OCSP proof was not requested (default value)
+1 No response to request
+2 Response not verified
+3 Verification failed
+4 Verification succeeded
+.endd
+
+.vitem &$tls_out_ocsp$&
+.vindex "&$tls_out_ocsp$&"
+When a message is sent to a remote host connection
+the result of any OCSP request made is encoded in this variable.
+See &$tls_in_ocsp$& for values.
+
+.vitem &$tls_in_peerdn$&
+.vindex "&$tls_in_peerdn$&"
.vindex "&$tls_peerdn$&"
+.cindex certificate "extracting fields"
When a message is received from a remote host over an encrypted SMTP
connection, and Exim is configured to request a certificate from the client,
the value of the Distinguished Name of the certificate is made available in the
-&$tls_peerdn$& during subsequent processing. Like &$tls_cipher$&, the
-value is retained during message delivery, except during outbound SMTP
-deliveries.
+&$tls_in_peerdn$& during subsequent processing.
+If certificate verification fails it may refer to a failing chain element
+which is not the leaf.
+
+The deprecated &$tls_peerdn$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_peerdn$&
+.vindex "&$tls_out_peerdn$&"
+When a message is being delivered to a remote host over an encrypted SMTP
+connection, and Exim is configured to request a certificate from the server,
+the value of the Distinguished Name of the certificate is made available in the
+&$tls_out_peerdn$& during subsequent processing.
+If certificate verification fails it may refer to a failing chain element
+which is not the leaf.
-.new
-.vitem &$tls_sni$&
+.vitem &$tls_in_sni$&
+.vindex "&$tls_in_sni$&"
.vindex "&$tls_sni$&"
.cindex "TLS" "Server Name Indication"
When a TLS session is being established, if the client sends the Server
a different certificate to be presented (and optionally a different key to be
used) to the client, based upon the value of the SNI extension.
-The value will be retained for the lifetime of the message. During outbound
-SMTP deliveries, it reflects the value of the &%tls_sni%& option on
+The deprecated &$tls_sni$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_sni$&
+.vindex "&$tls_out_sni$&"
+.cindex "TLS" "Server Name Indication"
+During outbound
+SMTP deliveries, this variable reflects the value of the &%tls_sni%& option on
the transport.
-This is currently only available when using OpenSSL, built with support for
-SNI.
-.wen
+.vitem &$tls_out_tlsa_usage$&
+.vindex &$tls_out_tlsa_usage$&
+Bitfield of TLSA record types found. See section &<<SECDANE>>&.
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
.vindex "&$tod_epoch$&"
The time and date as a number of seconds since the start of the Unix epoch.
+.vitem &$tod_epoch_l$&
+.vindex "&$tod_epoch_l$&"
+The time and date as a number of microseconds since the start of the Unix epoch.
+
.vitem &$tod_full$&
.vindex "&$tod_full$&"
A full version of the time and date, for example: Wed, 16 Oct 1995 09:51:40
This variable contains the UTC date and time in &"Zulu"& format, as specified
by ISO 8601, for example: 20030221154023Z.
+.vitem &$transport_name$&
+.cindex "transport" "name"
+.cindex "name" "of transport"
+.vindex "&$transport_name$&"
+During the running of a transport, this variable contains its name.
+
.vitem &$value$&
.vindex "&$value$&"
This variable contains the result of an expansion lookup, extraction operation,
or external command, as described above. It is also used during a
&*reduce*& expansion.
+.vitem &$verify_mode$&
+.vindex "&$verify_mode$&"
+While a router or transport is being run in verify mode or for cutthrough delivery,
+contains "S" for sender-verification or "R" for recipient-verification.
+Otherwise, empty.
+
.vitem &$version_number$&
.vindex "&$version_number$&"
The version number of Exim.
There is also a command line option &%-pd%& (for delay) which suppresses the
initial startup, even if &%perl_at_start%& is set.
+.ilist
+.oindex "&%perl_taintmode%&"
+.cindex "Perl" "taintmode"
+To provide more security executing Perl code via the embedded Perl
+interpreter, the &%perl_taintmode%& option can be set. This enables the
+taint mode of the Perl interpreter. You are encouraged to set this
+option to a true value. To avoid breaking existing installations, it
+defaults to false.
+
.section "Calling Perl subroutines" "SECID86"
When the configuration file includes a &%perl_startup%& option you can make use
following options:
.ilist
-&%daemon_smtp_ports%& contains a list of default ports. (For backward
-compatibility, this option can also be specified in the singular.)
+&%daemon_smtp_ports%& contains a list of default ports
+or service names.
+(For backward compatibility, this option can also be specified in the singular.)
.next
&%local_interfaces%& contains list of interface IP addresses on which to
listen. Each item may optionally also specify a port.
.endlist
The default list separator in both cases is a colon, but this can be changed as
-described in section &<<SECTlistconstruct>>&. When IPv6 addresses are involved,
+described in section &<<SECTlistsepchange>>&. When IPv6 addresses are involved,
it is usually best to change the separator to avoid having to double all the
colons. For example:
.code
exim.
The value of &%-oX%& is a list of items. The default colon separator can be
-changed in the usual way if required. If there are any items that do not
+changed in the usual way (&<<SECTlistsepchange>>&) if required.
+If there are any items that do not
contain dots or colons (that is, are not IP addresses), the value of
&%daemon_smtp_ports%& is replaced by the list of those items. If there are any
items that do contain dots or colons, the value of &%local_interfaces%& is
-.section "Support for the obsolete SSMTP (or SMTPS) protocol" "SECTsupobssmt"
+.section "Support for the submissions (aka SSMTP or SMTPS) protocol" "SECTsupobssmt"
+.cindex "submissions protocol"
.cindex "ssmtp protocol"
.cindex "smtps protocol"
.cindex "SMTP" "ssmtp protocol"
.cindex "SMTP" "smtps protocol"
-Exim supports the obsolete SSMTP protocol (also known as SMTPS) that was used
-before the STARTTLS command was standardized for SMTP. Some legacy clients
-still use this protocol. If the &%tls_on_connect_ports%& option is set to a
-list of port numbers, connections to those ports must use SSMTP. The most
-common use of this option is expected to be
+Exim supports the use of TLS-on-connect, used by mail clients in the
+&"submissions"& protocol, historically also known as SMTPS or SSMTP.
+For some years, IETF Standards Track documents only blessed the
+STARTTLS-based Submission service (port 587) while common practice was to support
+the same feature set on port 465, but using TLS-on-connect.
+If your installation needs to provide service to mail clients
+(Mail User Agents, MUAs) then you should provide service on both the 587 and
+the 465 TCP ports.
+
+If the &%tls_on_connect_ports%& option is set to a list of port numbers or
+service names, connections to those ports must first establish TLS, before
+proceeding to the application layer use of the SMTP protocol.
+
+The common use of this option is expected to be
.code
tls_on_connect_ports = 465
.endd
-because 465 is the usual port number used by the legacy clients. There is also
-a command line option &%-tls-on-connect%&, which forces all ports to behave in
-this way when a daemon is started.
+per RFC 8314.
+There is also a command line option &%-tls-on-connect%&, which forces all ports
+to behave in this way when a daemon is started.
&*Warning*&: Setting &%tls_on_connect_ports%& does not of itself cause the
daemon to listen on those ports. You must still specify them in
.endd
To specify listening on the default port on specific interfaces only:
.code
-local_interfaces = 192.168.34.67 : 192.168.34.67
+local_interfaces = 10.0.0.67 : 192.168.34.67
.endd
&*Warning*&: Such a setting excludes listening on the loopback interfaces.
.chapter "Main configuration" "CHAPmainconfig"
.scindex IIDconfima "configuration file" "main section"
.scindex IIDmaiconf "main configuration"
-The first part of the run time configuration file contains three types of item:
+The first part of the runtime configuration file contains three types of item:
.ilist
Macro definitions: These lines start with an upper case letter. See section
.section "Miscellaneous" "SECID96"
.table2
.row &%bi_command%& "to run for &%-bi%& command line option"
+.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
.row &%keep_malformed%& "for broken files &-- should not happen"
.row &%localhost_number%& "for unique message ids in clusters"
.row &%message_body_visible%& "how much to show in &$message_body$&"
.row &%mua_wrapper%& "run in &""MUA wrapper""& mode"
.row &%print_topbitchars%& "top-bit characters are printing"
+.row &%spool_wireformat%& "use wire-format spool data files when possible"
.row &%timezone%& "force time zone"
.endtable
.section "Privilege controls" "SECID98"
.table2
.row &%admin_groups%& "groups that are Exim admin users"
+.row &%commandline_checks_require_admin%& "require admin for various checks"
.row &%deliver_drop_privilege%& "drop root for delivery processes"
.row &%local_from_check%& "insert &'Sender:'& if necessary"
.row &%local_from_prefix%& "for testing &'From:'& for local sender"
.section "Logging" "SECID99"
.table2
+.row &%event_action%& "custom logging"
.row &%hosts_connection_nolog%& "exemption from connect logging"
.row &%log_file_path%& "override compiled-in value"
.row &%log_selector%& "set/unset optional logging"
.row &%message_logs%& "create per-message logs"
.row &%preserve_message_logs%& "after message completion"
.row &%process_log_path%& "for SIGUSR1 and &'exiwhat'&"
+.row &%slow_lookup_log%& "control logging of slow DNS lookups"
.row &%syslog_duplication%& "controls duplicate log lines on syslog"
.row &%syslog_facility%& "set syslog &""facility""& field"
+.row &%syslog_pid%& "pid in syslog lines"
.row &%syslog_processname%& "set syslog &""ident""& field"
.row &%syslog_timestamp%& "timestamp syslog lines"
.row &%write_rejectlog%& "control use of message log"
.table2
.row &%perl_at_start%& "always start the interpreter"
.row &%perl_startup%& "code to obey when starting Perl"
+.row &%perl_taintmode%& "enable taint mode in Perl"
.endtable
.row &%acl_smtp_auth%& "ACL for AUTH"
.row &%acl_smtp_connect%& "ACL for connection"
.row &%acl_smtp_data%& "ACL for DATA"
+.row &%acl_smtp_data_prdr%& "ACL for DATA, per-recipient"
.row &%acl_smtp_dkim%& "ACL for DKIM verification"
.row &%acl_smtp_etrn%& "ACL for ETRN"
.row &%acl_smtp_expn%& "ACL for EXPN"
.row &%acl_smtp_mail%& "ACL for MAIL"
.row &%acl_smtp_mailauth%& "ACL for AUTH on MAIL command"
.row &%acl_smtp_mime%& "ACL for MIME parts"
+.row &%acl_smtp_notquit%& "ACL for non-QUIT terminations"
.row &%acl_smtp_predata%& "ACL for start of data"
.row &%acl_smtp_quit%& "ACL for QUIT"
.row &%acl_smtp_rcpt%& "ACL for RCPT"
.row &%av_scanner%& "specify virus scanner"
.row &%check_rfc2047_length%& "check length of RFC 2047 &""encoded &&&
words""&"
+.row &%dns_cname_loops%& "follow CNAMEs returned by resolver"
.row &%dns_csa_search_limit%& "control CSA parent search depth"
.row &%dns_csa_use_reverse%& "en/disable CSA IP reverse search"
.row &%header_maxsize%& "total size of message header"
.row &%helo_verify_hosts%& "HELO hard-checked for these hosts"
.row &%host_lookup%& "host name looked up for these hosts"
.row &%host_lookup_order%& "order of DNS and local name lookups"
+.row &%hosts_proxy%& "use proxy protocol for these hosts"
.row &%host_reject_connection%& "reject connection from these hosts"
.row &%hosts_treat_as_local%& "useful in some cluster configurations"
.row &%local_scan_timeout%& "timeout for &[local_scan()]&"
.section "TLS" "SECID108"
.table2
-.row &%gnutls_require_kx%& "control GnuTLS key exchanges"
-.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms"
-.row &%gnutls_require_protocols%& "control GnuTLS protocols"
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
+.row &%gnutls_allow_auto_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
+.row &%tls_dh_max_bits%& "clamp D-H bit count suggestion"
.row &%tls_dhparam%& "DH parameters for server"
+.row &%tls_eccurve%& "EC curve selection for server"
+.row &%tls_ocsp_file%& "location of server certificate status proof"
.row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
.row &%tls_privatekey%& "location of server private key"
.row &%tls_remember_esmtp%& "don't reset after starting TLS"
See also the &'Policy controls'& section above.
.table2
+.row &%dkim_verify_signers%& "DKIM domain for which DKIM ACL is run"
.row &%host_lookup%& "host name looked up for these hosts"
.row &%host_lookup_order%& "order of DNS and local name lookups"
.row &%recipient_unqualified_hosts%& "may send unqualified recipients"
.table2
.row &%accept_8bitmime%& "advertise 8BITMIME"
.row &%auth_advertise_hosts%& "advertise AUTH to these hosts"
+.row &%chunking_advertise_hosts%& "advertise CHUNKING to these hosts"
+.row &%dsn_advertise_hosts%& "advertise DSN extensions to these hosts"
.row &%ignore_fromline_hosts%& "allow &""From ""& from these hosts"
.row &%ignore_fromline_local%& "allow &""From ""& from local SMTP"
.row &%pipelining_advertise_hosts%& "advertise pipelining to these hosts"
+.row &%prdr_enable%& "advertise PRDR to all hosts"
+.row &%smtputf8_advertise_hosts%& "advertise SMTPUTF8 to these hosts"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.endtable
.row &%disable_ipv6%& "do no IPv6 processing"
.row &%dns_again_means_nonexist%& "for broken domains"
.row &%dns_check_names_pattern%& "pre-DNS syntax check"
+.row &%dns_dnssec_ok%& "parameter for resolver"
.row &%dns_ipv4_lookup%& "only v4 lookup for these domains"
.row &%dns_retrans%& "parameter for resolver"
.row &%dns_retry%& "parameter for resolver"
+.row &%dns_trust_aa%& "DNS zones trusted as authentic"
.row &%dns_use_edns0%& "parameter for resolver"
.row &%hold_domains%& "hold delivery for these domains"
.row &%local_interfaces%& "for routing checks"
.row &%bounce_message_file%& "content of bounce"
.row &%bounce_message_text%& "content of bounce"
.row &%bounce_return_body%& "include body if returning message"
+.row &%bounce_return_linesize_limit%& "limit on returned message line length"
.row &%bounce_return_message%& "include original message in bounce"
.row &%bounce_return_size_limit%& "limit on returned message"
.row &%bounce_sender_authentication%& "send authenticated sender with bounce"
Those options that undergo string expansion before use are marked with
†.
-.new
.option accept_8bitmime main boolean true
.cindex "8BITMIME"
.cindex "8-bit characters"
+.cindex "log" "selectors"
+.cindex "log" "8BITMIME"
This option causes Exim to send 8BITMIME in its response to an SMTP
EHLO command, and to accept the BODY= parameter on MAIL commands.
However, though Exim is 8-bit clean, it is not a protocol converter, and it
It now defaults to true.
A more detailed analysis of the issues is provided by Dan Bernstein:
.display
-&url(http://cr.yp.to/smtp/8bitmime.html)
+&url(https://cr.yp.to/smtp/8bitmime.html)
+.endd
+
+To log received 8BITMIME status use
+.code
+log_selector = +8bitmime
.endd
-.wen
.option acl_not_smtp main string&!! unset
.cindex "&ACL;" "for non-SMTP messages"
processed and the message itself has been received, but before the final
acknowledgment is sent. See chapter &<<CHAPACL>>& for further details.
+.option acl_smtp_data_prdr main string&!! accept
+.cindex "PRDR" "ACL for"
+.cindex "DATA" "PRDR ACL for"
+.cindex "&ACL;" "PRDR-related"
+.cindex "&ACL;" "per-user data processing"
+This option defines the ACL that,
+if the PRDR feature has been negotiated,
+is run for each recipient after an SMTP DATA command has been
+processed and the message itself has been received, but before the
+acknowledgment is sent. See chapter &<<CHAPACL>>& for further details.
+
+.option acl_smtp_dkim main string&!! unset
+.cindex DKIM "ACL for"
+This option defines the ACL that is run for each DKIM signature
+(by default, or as specified in the dkim_verify_signers option)
+of a received message.
+See section &<<SECDKIMVFY>>& for further details.
+
.option acl_smtp_etrn main string&!! unset
.cindex "ETRN" "ACL for"
This option defines the ACL that is run when an SMTP ETRN command is
extension. It defines the ACL that is run for each MIME part in a message. See
section &<<SECTscanmimepart>>& for details.
+.option acl_smtp_notquit main string&!! unset
+.cindex "not-QUIT, ACL for"
+This option defines the ACL that is run when an SMTP session
+ends without a QUIT command being received.
+See chapter &<<CHAPACL>>& for further details.
+
.option acl_smtp_predata main string&!! unset
This option defines the ACL that is run when an SMTP DATA command is
received, before the message itself is received. See chapter &<<CHAPACL>>& for
This option defines the ACL that is run when an SMTP VRFY command is
received. See chapter &<<CHAPACL>>& for further details.
+.option add_environment main "string list" empty
+.cindex "environment" "set values"
+This option allows to set individual environment variables that the
+currently linked libraries and programs in child processes use.
+See &<<SECTpipeenv>>& for the environment of &(pipe)& transports.
+
.option admin_groups main "string list&!!" unset
.cindex "admin user"
This option is expanded just once, at the start of Exim's processing. If the
It appears that more and more DNS zone administrators are breaking the rules
and putting domain names that look like IP addresses on the right hand side of
MX records. Exim follows the rules and rejects this, giving an error message
-that explains the mis-configuration. However, some other MTAs support this
+that explains the misconfiguration. However, some other MTAs support this
practice, so to avoid &"Why can't Exim do this?"& complaints,
&%allow_mx_to_ip%& exists, in order to enable this heinous activity. It is not
recommended, except when you have no other choice.
is encrypted using TLS, you can make use of the fact that the value of this
option is expanded, with a setting like this:
.code
-auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
+auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
.endd
-.vindex "&$tls_cipher$&"
-If &$tls_cipher$& is empty, the session is not encrypted, and the result of
+.vindex "&$tls_in_cipher$&"
+If &$tls_in_cipher$& is empty, the session is not encrypted, and the result of
the expansion is empty, thus matching no hosts. Otherwise, the result of the
expansion is *, which matches all hosts.
point at which the error was detected are returned.
.cindex "bounce message" "including original"
+.option bounce_return_linesize_limit main integer 998
+.cindex "size" "of bounce lines, limit"
+.cindex "bounce message" "line length limit"
+.cindex "limit" "bounce message line length"
+This option sets a limit in bytes on the line length of messages
+that are returned to senders due to delivery problems,
+when &%bounce_return_message%& is true.
+The default value corresponds to RFC limits.
+If the message being returned has lines longer than this value it is
+treated as if the &%bounce_return_size_limit%& (below) restriction was exceeded.
+
+The option also applies to bounces returned when an error is detected
+during reception of a message.
+In this case lines from the original are truncated.
+
+The option does not apply to messages generated by an &(autoreply)& transport.
+
+
.option bounce_return_message main boolean true
If this option is set false, none of the original message is included in
bounce messages generated by Exim. See also &%bounce_return_size_limit%& and
See section &<<CALLaddparcall>>& for details of how this value is used.
-.option check_log_inodes main integer 0
+.option check_log_inodes main integer 100
See &%check_spool_space%& below.
-.option check_log_space main integer 0
+.option check_log_space main integer 10M
See &%check_spool_space%& below.
.oindex "&%check_rfc2047_length%&"
set false, Exim recognizes encoded words of any length.
-.option check_spool_inodes main integer 0
+.option check_spool_inodes main integer 100
See &%check_spool_space%& below.
-.option check_spool_space main integer 0
+.option check_spool_space main integer 10M
.cindex "checking disk space"
.cindex "disk space, checking"
.cindex "spool directory" "checking space"
.vindex "&$log_space$&"
.vindex "&$spool_inodes$&"
.vindex "&$spool_space$&"
-When any of these options are set, they apply to all incoming messages. If you
+When any of these options are nonzero, they apply to all incoming messages. If you
want to apply different checks to different kinds of message, you can do so by
testing the variables &$log_inodes$&, &$log_space$&, &$spool_inodes$&, and
&$spool_space$& in an ACL with appropriate additional conditions.
&%check_spool_space%& and &%check_spool_inodes%& check the spool partition if
either value is greater than zero, for example:
.code
-check_spool_space = 10M
+check_spool_space = 100M
check_spool_inodes = 100
.endd
The spool partition is the one that contains the directory defined by
&%check_spool_space%& is zero, unless &%no_smtp_check_spool_space%& is set.
The values for &%check_spool_space%& and &%check_log_space%& are held as a
-number of kilobytes. If a non-multiple of 1024 is specified, it is rounded up.
+number of kilobytes (though specified in bytes).
+If a non-multiple of 1024 is specified, it is rounded up.
For non-SMTP input and for batched SMTP input, the test is done at start-up; on
failure a message is written to stderr and Exim exits with a non-zero code, as
it obviously cannot send an error message of any kind.
+There is a slight performance penalty for these checks.
+Versions of Exim preceding 4.88 had these disabled by default;
+high-rate installations confident they will never run out of resources
+may wish to deliberately disable them.
+
+.option chunking_advertise_hosts main "host list&!!" *
+.cindex CHUNKING advertisement
+.cindex "RFC 3030" "CHUNKING"
+The CHUNKING extension (RFC3030) will be advertised in the EHLO message to
+these hosts.
+Hosts may use the BDAT command as an alternate to DATA.
+
+.option commandline_checks_require_admin main boolean &`false`&
+.cindex "restricting access to features"
+This option restricts various basic checking features to require an
+administrative user.
+This affects most of the &%-b*%& options, such as &%-be%&.
+
+.option debug_store main boolean &`false`&
+.cindex debugging "memory corruption"
+.cindex memory debugging
+This option, when true, enables extra checking in Exim's internal memory
+management. For use when a memory corruption issue is being investigated,
+it should normally be left as default.
+
.option daemon_smtp_ports main string &`smtp`&
.cindex "port" "for daemon"
.cindex "TCP/IP" "setting listening ports"
.option delay_warning main "time list" 24h
.cindex "warning of delay"
.cindex "delay warning, specifying"
+.cindex "queue" "delay warning"
When a message is delayed, Exim sends a warning message to the sender at
intervals specified by this option. The data is a colon-separated list of times
after which to send warning messages. If the value of the option is an empty
string or a zero time, no warnings are sent. Up to 10 times may be given. If a
-message has been on the queue for longer than the last time, the last interval
+message has been in the queue for longer than the last time, the last interval
between the times is used to compute subsequent warning times. For example,
with
.code
.code
delay_warning = 2h:12h:99d
.endd
+Note that the option is only evaluated at the time a delivery attempt fails,
+which depends on retry and queue-runner configuration.
+Typically retries will be configured more frequently than warning messages.
.option delay_warning_condition main string&!! "see below"
.vindex "&$domain$&"
to handle IPv6 literal addresses.
+.option dkim_verify_signers main "domain list&!!" $dkim_signers
+.cindex DKIM "controlling calls to the ACL"
+This option gives a list of DKIM domains for which the DKIM ACL is run.
+It is expanded after the message is received; by default it runs
+the ACL once for each signature in the message.
+See section &<<SECDKIMVFY>>&.
+
+
.option dns_again_means_nonexist main "domain list&!!" unset
.cindex "DNS" "&""try again""& response; overriding"
DNS lookups give a &"try again"& response for the DNS errors
reversed and looked up in the reverse DNS, as described in more detail in
section &<<SECTverifyCSA>>&.
+.new
+.option dns_cname_loops main integer 1
+.cindex DNS "CNAME following"
+This option controls the following of CNAME chains, needed if the resolver does
+not do it internally.
+As of 2018 most should, and the default can be left.
+If you have an ancient one, a value of 10 is likely needed.
+
+The default value of one CNAME-follow is needed
+thanks to the observed return for an MX request,
+given no MX presence but a CNAME to an A, of the CNAME.
+.wen
+
+
+.option dns_dnssec_ok main integer -1
+.cindex "DNS" "resolver options"
+.cindex "DNS" "DNSSEC"
+If this option is set to a non-negative number then Exim will initialise the
+DNS resolver library to either use or not use DNSSEC, overriding the system
+default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.
+
+If the resolver library does not support DNSSEC then this option has no effect.
+
+
.option dns_ipv4_lookup main "domain list&!!" unset
.cindex "IPv6" "DNS lookup for AAAA records"
.cindex "DNS" "IPv6 lookup for AAAA records"
+.cindex DNS "IPv6 disabling"
When Exim is compiled with IPv6 support and &%disable_ipv6%& is not set, it
looks for IPv6 address records (AAAA records) as well as IPv4 address records
(A records) when trying to find IP addresses for hosts, unless the host's
.option dns_retrans main time 0s
.cindex "DNS" "resolver options"
+.cindex timeout "dns lookup"
+.cindex "DNS" timeout
The options &%dns_retrans%& and &%dns_retry%& can be used to set the
retransmission and retry parameters for DNS lookups. Values of zero (the
defaults) leave the system default settings unchanged. The first value is the
parameter values are available in the external resolver interface structure,
but nowhere does it seem to describe how they are used or what you might want
to set in them.
+See also the &%slow_lookup_log%& option.
.option dns_retry main integer 0
See &%dns_retrans%& above.
-.new
+.option dns_trust_aa main "domain list&!!" unset
+.cindex "DNS" "resolver options"
+.cindex "DNS" "DNSSEC"
+If this option is set then lookup results marked with the AA bit
+(Authoritative Answer) are trusted the same way as if they were
+DNSSEC-verified. The authority section's name of the answer must
+match with this expanded domain list.
+
+Use this option only if you talk directly to a resolver that is
+authoritative for some zones and does not set the AD (Authentic Data)
+bit in the answer. Some DNS servers may have an configuration option to
+mark the answers from their own zones as verified (they set the AD bit).
+Others do not have this option. It is considered as poor practice using
+a resolver that is an authoritative server for some zones.
+
+Use this option only if you really have to (e.g. if you want
+to use DANE for remote delivery to a server that is listed in the DNS
+zones that your resolver is authoritative for).
+
+If the DNS answer packet has the AA bit set and contains resource record
+in the answer section, the name of the first NS record appearing in the
+authority section is compared against the list. If the answer packet is
+authoritative but the answer section is empty, the name of the first SOA
+record in the authoritative section is used instead.
+
+.cindex "DNS" "resolver options"
.option dns_use_edns0 main integer -1
.cindex "DNS" "resolver options"
.cindex "DNS" "EDNS0"
+.cindex "DNS" "OpenBSD
If this option is set to a non-negative number then Exim will initialise the
DNS resolver library to either use or not use EDNS0 extensions, overriding
the system default. A value of 0 coerces EDNS0 off, a value of 1 coerces EDNS0
on.
If the resolver library does not support EDNS0 then this option has no effect.
-.wen
+
+OpenBSD's asr resolver routines are known to ignore the EDNS0 option; this
+means that DNSSEC will not work with Exim on that platform either, unless Exim
+is linked against an alternative DNS client library.
.option drop_cr main boolean false
handled CR and LF characters in incoming messages. What happens now is
described in section &<<SECTlineendings>>&.
+.option dsn_advertise_hosts main "host list&!!" unset
+.cindex "bounce messages" "success"
+.cindex "DSN" "success"
+.cindex "Delivery Status Notification" "success"
+DSN extensions (RFC3461) will be advertised in the EHLO message to,
+and accepted from, these hosts.
+Hosts may use the NOTIFY and ENVID options on RCPT TO commands,
+and RET and ORCPT options on MAIL FROM commands.
+A NOTIFY=SUCCESS option requests success-DSN messages.
+A NOTIFY= option with no argument requests that no delay or failure DSNs
+are sent.
+
.option dsn_from main "string&!!" "see below"
.cindex "&'From:'& header line" "in bounces"
.cindex "bounce messages" "&'From:'& line, specifying"
Exim's transports have an option for adding an &'Envelope-to:'& header to a
message when it is delivered, in exactly the same way as &'Return-path:'& is
handled. &'Envelope-to:'& records the original recipient address from the
-messages's envelope that caused the delivery to happen. Such headers should not
+message's envelope that caused the delivery to happen. Such headers should not
be present in incoming messages, and this option causes them to be removed at
the time the message is received, to avoid any problems that might occur when a
delivered message is subsequently sent on to some other recipient.
not used.
+.option event_action main string&!! unset
+.cindex events
+This option declares a string to be expanded for Exim's events mechanism.
+For details see chapter &<<CHAPevents>>&.
+
+
.option exim_group main string "compile-time configured"
.cindex "gid (group id)" "Exim's own"
.cindex "Exim group"
. Allow this long option name to split; give it unsplit as a fifth argument
. for the automatic .oindex that is generated by .option.
-.option "extract_addresses_remove_ &~&~arguments" main boolean true &&&
+.option "extract_addresses_remove_arguments" main boolean true &&&
extract_addresses_remove_arguments
.oindex "&%-t%&"
.cindex "command line" "addresses with &%-t%&"
See &%gecos_name%& above.
-.option gnutls_require_kx main string unset
-This option controls the key exchange mechanisms when GnuTLS is used in an Exim
-server. For details, see section &<<SECTreqciphgnu>>&.
-
-.option gnutls_require_mac main string unset
-This option controls the MAC algorithms when GnuTLS is used in an Exim
-server. For details, see section &<<SECTreqciphgnu>>&.
-
-.option gnutls_require_protocols main string unset
-This option controls the protocols when GnuTLS is used in an Exim
-server. For details, see section &<<SECTreqciphgnu>>&.
-
.option gnutls_compat_mode main boolean unset
This option controls whether GnuTLS is used in compatibility mode in an Exim
server. This reduces security slightly, but improves interworking with older
implementations of TLS.
+
+.option gnutls_allow_auto_pkcs11 main boolean unset
+This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
+the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
+
+See
+&url(https://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs)
+for documentation.
+
+
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
&"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The
matches the host name that Exim obtains by doing a reverse lookup of the
calling host address, or
.next
-when looked up using &[gethostbyname()]& (or &[getipnodebyname()]& when
-available) yields the calling host address.
+when looked up in DNS yields the calling host address.
.endlist
However, the EHLO or HELO command is not rejected if any of the checks
fail. Processing continues, but the result of the check is remembered, and can
be detected later in an ACL by the &`verify = helo`& condition.
+If DNS was used for successful verification, the variable
+.cindex "DNS" "DNSSEC"
+&$helo_verify_dnssec$& records the DNSSEC status of the lookups.
+
.option helo_verify_hosts main "host list&!!" unset
.cindex "HELO verifying" "mandatory"
.cindex "EHLO" "verifying, mandatory"
.option hold_domains main "domain list&!!" unset
.cindex "domain" "delaying delivery"
.cindex "delivery" "delaying certain domains"
-This option allows mail for particular domains to be held on the queue
+This option allows mail for particular domains to be held in the queue
manually. The option is overridden if a message delivery is forced with the
&%-M%&, &%-qf%&, &%-Rf%& or &%-Sf%& options, and also while testing or
verifying addresses using &%-bt%& or &%-bv%&. Otherwise, if a domain matches an
+.option hosts_proxy main "host list&!!" unset
+.cindex proxy "proxy protocol"
+This option enables use of Proxy Protocol proxies for incoming
+connections. For details see section &<<SECTproxyInbound>>&.
+
+
.option hosts_treat_as_local main "domain list&!!" unset
.cindex "local host" "domains treated as"
.cindex "host" "treated as local"
After a permanent delivery failure, bounce messages are frozen,
because there is no sender to whom they can be returned. When a frozen bounce
-message has been on the queue for more than the given time, it is unfrozen at
+message has been in the queue for more than the given time, it is unfrozen at
the next queue run, and a further delivery is attempted. If delivery fails
again, the bounce message is discarded. This makes it possible to keep failed
bounce messages around for a shorter time than the normal maximum retry time
.option ignore_fromline_local main boolean false
See &%ignore_fromline_hosts%& above.
+.option keep_environment main "string list" unset
+.cindex "environment" "values from"
+This option contains a string list of environment variables to keep.
+You have to trust these variables or you have to be sure that
+these variables do not impose any security risk. Keep in mind that
+during the startup phase Exim is running with an effective UID 0 in most
+installations. As the default value is an empty list, the default
+environment for using libraries, running embedded Perl code, or running
+external binaries is empty, and does not not even contain PATH or HOME.
+
+Actually the list is interpreted as a list of patterns
+(&<<SECTlistexpand>>&), except that it is not expanded first.
+
+WARNING: Macro substitution is still done first, so having a macro
+FOO and having FOO_HOME in your &%keep_environment%& option may have
+unexpected results. You may work around this using a regular expression
+that does not match the macro name: ^[F]OO_HOME$.
+
+Current versions of Exim issue a warning during startup if you do not mention
+&%keep_environment%& in your runtime configuration file and if your
+current environment is not empty. Future versions may not issue that warning
+anymore.
+
+See the &%add_environment%& main config option for a way to set
+environment variables to a fixed value. The environment for &(pipe)&
+transports is handled separately, see section &<<SECTpipeenv>>& for
+details.
+
.option keep_malformed main time 4d
This option specifies the length of time to keep messages whose spool files
.option ldap_ca_cert_dir main string unset
.cindex "LDAP", "TLS CA certificate directory"
+.cindex certificate "directory for LDAP"
This option indicates which directory contains CA certificates for verifying
a TLS certificate presented by an LDAP server.
While Exim does not provide a default value, your SSL library may.
.option ldap_ca_cert_file main string unset
.cindex "LDAP", "TLS CA certificate file"
+.cindex certificate "file for LDAP"
This option indicates which file contains CA certificates for verifying
a TLS certificate presented by an LDAP server.
While Exim does not provide a default value, your SSL library may.
.option ldap_cert_file main string unset
.cindex "LDAP" "TLS client certificate file"
+.cindex certificate "file for LDAP"
This option indicates which file contains an TLS client certificate which
Exim should present to the LDAP server during TLS negotiation.
Should be used together with &%ldap_cert_key%&.
.option ldap_cert_key main string unset
.cindex "LDAP" "TLS client key file"
+.cindex certificate "key for LDAP"
This option indicates which file contains the secret/private key to use
to prove identity to the LDAP server during TLS negotiation.
Should be used together with &%ldap_cert_file%&, which contains the
of SSL-on-connect.
In the event of failure to negotiate TLS, the action taken is controlled
by &%ldap_require_cert%&.
+This option is ignored for &`ldapi`& connections.
.option ldap_version main integer unset
This option sets the path which is used to determine the names of Exim's log
files, or indicates that logging is to be to syslog, or both. It is expanded
when Exim is entered, so it can, for example, contain a reference to the host
-name. If no specific path is set for the log files at compile or run time, they
-are written in a sub-directory called &_log_& in Exim's spool directory.
+name. If no specific path is set for the log files at compile or runtime,
+or if the option is unset at runtime (i.e. &`log_file_path = `&)
+they are written in a sub-directory called &_log_& in Exim's spool directory.
Chapter &<<CHAPlog>>& contains further details about Exim's logging, and
section &<<SECTwhelogwri>>& describes how the contents of &%log_file_path%& are
used. If this string is fixed at your installation (contains no expansion
maximum size that your virus-scanner is configured to support, you may get
failures triggered by large mails. The right size to configure for the
virus-scanner depends upon what data is passed and the options in use but it's
-probably safest to just set it to a little larger than this value. Eg, with a
+probably safest to just set it to a little larger than this value. E.g., with a
default Exim message size of 50M and a default ClamAV StreamMaxLength of 10M,
some problems may result.
transport driver.
-.option openssl_options main "string list" unset
+.option openssl_options main "string list" "+no_sslv2 +single_dh_use +no_ticket"
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
adjusted lightly. An unrecognised item will be detected at startup, by
invoking Exim with the &%-bV%& flag.
-.new
-Historical note: prior to release 4.78, Exim defaulted this value to
+The option affects Exim operating both as a server and as a client.
+
+Historical note: prior to release 4.80, Exim defaulted this value to
"+dont_insert_empty_fragments", which may still be needed for compatibility
with some clients, but which lowers security by increasing exposure to
some now infamous attacks.
-.wen
-An example:
+Examples:
.code
# Make both old MS and old Eudora happy:
openssl_options = -all +microsoft_big_sslv3_buffer \
+dont_insert_empty_fragments
+
+# Disable older protocol versions:
+openssl_options = +no_sslv2 +no_sslv3
.endd
Possible options may include:
.next
&`no_tlsv1_2`&
.next
+&`safari_ecdhe_ecdsa_bug`&
+.next
&`single_dh_use`&
.next
&`single_ecdh_use`&
&`tls_rollback_bug`&
.endlist
+As an aside, the &`safari_ecdhe_ecdsa_bug`& item is a misnomer and affects
+all clients connecting using the MacOS SecureTransport TLS facility prior
+to MacOS 10.8.4, including email clients. If you see old MacOS clients failing
+to negotiate TLS then this option value might help, provided that your OpenSSL
+release is new enough to contain this work-around. This may be a situation
+where you have to upgrade OpenSSL to get buggy clients working.
+
.option oracle_servers main "string list" unset
.cindex "Oracle" "server list"
.option perl_at_start main boolean false
+.cindex "Perl"
This option is available only when Exim is built with an embedded Perl
interpreter. See chapter &<<CHAPperl>>& for details of its use.
.option perl_startup main string unset
+.cindex "Perl"
This option is available only when Exim is built with an embedded Perl
interpreter. See chapter &<<CHAPperl>>& for details of its use.
+.option perl_startup main boolean false
+.cindex "Perl"
+This Option enables the taint mode of the embedded Perl interpreter.
+
.option pgsql_servers main "string list" unset
.cindex "PostgreSQL lookup type" "server list"
not count as protocol errors (see &%smtp_max_synprot_errors%&).
+.option prdr_enable main boolean false
+.cindex "PRDR" "enabling on server"
+This option can be used to enable the Per-Recipient Data Response extension
+to SMTP, defined by Eric Hall.
+If the option is set, PRDR is advertised by Exim when operating as a server.
+If the client requests PRDR, and more than one recipient, for a message
+an additional ACL is called for each recipient after the message content
+is received. See section &<<SECTPRDRACL>>&.
+
.option preserve_message_logs main boolean false
.cindex "message logs" "preserving"
If this option is set, message log files are not deleted when messages are
.option prod_requires_admin main boolean true
+.cindex "restricting access to features"
.oindex "&%-M%&"
.oindex "&%-R%&"
.oindex "&%-q%&"
The &%-M%&, &%-R%&, and &%-q%& command-line options require the caller to be an
admin user unless &%prod_requires_admin%& is set false. See also
-&%queue_list_requires_admin%&.
+&%queue_list_requires_admin%& and &%commandline_checks_require_admin%&.
.option qualify_domain main string "see below"
.option queue_list_requires_admin main boolean true
+.cindex "restricting access to features"
.oindex "&%-bp%&"
The &%-bp%& command-line option, which lists the messages that are on the
queue, requires the caller to be an admin user unless
-&%queue_list_requires_admin%& is set false. See also &%prod_requires_admin%&.
+&%queue_list_requires_admin%& is set false.
+See also &%prod_requires_admin%& and &%commandline_checks_require_admin%&.
.option queue_only main boolean false
.cindex "queueing incoming messages"
.cindex "message" "queueing unconditionally"
If &%queue_only%& is set, a delivery process is not automatically started
-whenever a message is received. Instead, the message waits on the queue for the
+whenever a message is received. Instead, the message waits in the queue for the
next queue run. Even if &%queue_only%& is false, incoming messages may not get
delivered immediately when certain conditions (such as heavy load) occur.
-.option queue_run_max main integer 5
+.option queue_run_max main integer&!! 5
.cindex "queue runner" "maximum number of"
This controls the maximum number of queue runner processes that an Exim daemon
can run simultaneously. This does not mean that it starts them all at once,
run. If you do not want queue runs to occur, omit the &%-q%&&'xx'& setting on
the daemon's command line.
+.cindex queues named
+.cindex "named queues"
+To set limits for different named queues use
+an expansion depending on the &$queue_name$& variable.
+
.option queue_smtp_domains main "domain list&!!" unset
.cindex "queueing incoming messages"
.cindex "message" "queueing remote deliveries"
received, routing is performed, and local deliveries take place.
However, if any SMTP deliveries are required for domains that match
&%queue_smtp_domains%&, they are not immediately delivered, but instead the
-message waits on the queue for the next queue run. Since routing of the message
+message waits in the queue for the next queue run. Since routing of the message
has taken place, Exim knows to which remote hosts it must be delivered, and so
when the queue run happens, multiple messages for the same host are delivered
over a single SMTP connection. The &%-odqs%& command line option causes all
.cindex "timeout" "for non-SMTP input"
This option sets the timeout for accepting a non-SMTP message, that is, the
maximum time that Exim waits when reading a message on the standard input. If
-the value is zero, it will wait for ever. This setting is overridden by the
+the value is zero, it will wait forever. This setting is overridden by the
&%-or%& command line option. The timeout for incoming SMTP messages is
controlled by &%smtp_receive_timeout%&.
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
${if def:received_protocol {with $received_protocol}} \
- ${if def:tls_cipher {($tls_cipher)\n\t}}\
+ ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\
(Exim $version_number)\n\t\
${if def:sender_address \
{(envelope-from <$sender_address>)\n\t}}\
This option is an obsolete synonym for &%bounce_return_size_limit%&.
-.option rfc1413_hosts main "host list&!!" *
+.option rfc1413_hosts main "host list&!!" @[]
.cindex "RFC 1413"
.cindex "host" "for RFC 1413 calls"
-RFC 1413 identification calls are made to any client host which matches an item
-in the list.
+RFC 1413 identification calls are made to any client host which matches
+an item in the list.
+The default value specifies just this host, being any local interface
+for the system.
-.option rfc1413_query_timeout main time 5s
+.option rfc1413_query_timeout main time 0s
.cindex "RFC 1413" "query timeout"
.cindex "timeout" "for RFC 1413 call"
This sets the timeout on RFC 1413 identification calls. If it is set to zero,
&%sender_unqualified_hosts%&, or if the message was submitted locally (not
using TCP/IP), and the &%-bnq%& option was not set.
+.option set_environment main "string list" empty
+.cindex "environment"
+This option allows to set individual environment variables that the
+currently linked libraries and programs in child processes use. The
+default list is empty,
+
+
+.option slow_lookup_log main integer 0
+.cindex "logging" "slow lookups"
+.cindex "dns" "logging slow lookups"
+This option controls logging of slow lookups.
+If the value is nonzero it is taken as a number of milliseconds
+and lookups taking longer than this are logged.
+Currently this applies only to DNS lookups.
+
+
.option smtp_accept_keepalive main boolean true
.cindex "keepalive" "on incoming connection"
. Allow this long option name to split; give it unsplit as a fifth argument
. for the automatic .oindex that is generated by .option.
-
-.option "smtp_accept_max_per_ &~&~connection" main integer 1000 &&&
+. We insert " &~&~" which is both pretty nasty visually and results in
+. non-searchable text. HowItWorks.txt mentions an option for inserting
+. zero-width-space, which would be nicer visually and results in (at least)
+. html that Firefox will split on when it's forced to reflow (rather than
+. inserting a horizontal scrollbar). However, the text is still not
+. searchable. NM changed this occurrence for bug 1197 to no longer allow
+. the option name to split.
+
+.option "smtp_accept_max_per_connection" main integer 1000 &&&
smtp_accept_max_per_connection
.cindex "SMTP" "limiting incoming message count"
.cindex "limit" "messages per SMTP connection"
.cindex "message" "queueing by SMTP connection count"
If the number of simultaneous incoming SMTP connections being handled via the
listening daemon exceeds this value, messages received by SMTP are just placed
-on the queue; no delivery processes are started automatically. The count is
+in the queue; no delivery processes are started automatically. The count is
fixed at the start of an SMTP connection. It cannot be updated in the
subprocess that receives messages, and so the queueing or not queueing applies
to all messages received in the same connection.
various &%-od%&&'x'& command line options.
-. Allow this long option name to split; give it unsplit as a fifth argument
-. for the automatic .oindex that is generated by .option.
+. See the comment on smtp_accept_max_per_connection
-.option "smtp_accept_queue_per_ &~&~connection" main integer 10 &&&
+.option "smtp_accept_queue_per_connection" main integer 10 &&&
smtp_accept_queue_per_connection
.cindex "queueing incoming messages"
.cindex "message" "queueing by message count"
automatically when receiving messages via SMTP, whether via the daemon or by
the use of &%-bs%& or &%-bS%&. If the value of the option is greater than zero,
and the number of messages received in a single SMTP session exceeds this
-number, subsequent messages are placed on the queue, but no delivery processes
+number, subsequent messages are placed in the queue, but no delivery processes
are started. This helps to limit the number of Exim processes when a server
restarts after downtime and there is a lot of mail waiting for it on other
systems. On large systems, the default should probably be increased, and on
See &%smtp_ratelimit_hosts%& above.
-.option smtp_receive_timeout main time 5m
+.option smtp_receive_timeout main time&!! 5m
.cindex "timeout" "for SMTP input"
.cindex "SMTP" "input timeout"
This sets a timeout value for SMTP reception. It applies to all forms of SMTP
The former means that Exim was expecting to read an SMTP command; the latter
means that it was in the DATA phase, reading the contents of a message.
+If the first character of the option is a &"$"& the option is
+expanded before use and may depend on
+&$sender_host_name$&, &$sender_host_address$& and &$sender_host_port$&.
+
.oindex "&%-os%&"
The value set by this option can be overridden by the
550 failing address in "From" header is: <user@dom.ain
.endd
-.option spamd_address main string "see below"
+
+.option smtputf8_advertise_hosts main "host list&!!" *
+.cindex "SMTPUTF8" "advertising"
+When Exim is built with support for internationalised mail names,
+the availability thereof is advertised in
+response to EHLO only to those client hosts that match this option. See
+chapter &<<CHAPi18n>>& for details of Exim's support for internationalisation.
+
+
+.option spamd_address main string "127.0.0.1 783"
This option is available when Exim is compiled with the content-scanning
extension. It specifies how Exim connects to SpamAssassin's &%spamd%& daemon.
-The default value is
-.code
-127.0.0.1 783
-.endd
See section &<<SECTscanspamass>>& for more details.
+.option spf_guess main string "v=spf1 a/24 mx/24 ptr ?all"
+This option is available when Exim is compiled with SPF support.
+See section &<<SECSPF>>& for more details.
+
+
+
.option split_spool_directory main boolean false
.cindex "multiple spool directories"
.cindex "spool directory" "split"
When &%split_spool_directory%& is set, the behaviour of queue runner processes
changes. Instead of creating a list of all messages in the queue, and then
-trying to deliver each one in turn, it constructs a list of those in one
+trying to deliver each one, in turn, it constructs a list of those in one
sub-directory and tries to deliver them, before moving on to the next
sub-directory. The sub-directories are processed in a random order. This
spreads out the scanning of the input directories, and uses less memory. It is
-particularly beneficial when there are lots of messages on the queue. However,
+particularly beneficial when there are lots of messages in the queue. However,
if &%queue_run_in_order%& is set, none of this new processing happens. The
entire queue has to be scanned and sorted before any deliveries can start.
By using this option to override the compiled-in path, it is possible to run
tests of Exim without using the standard spool.
+.option spool_wireformat main boolean false
+.cindex "spool directory" "file formats"
+If this option is set, Exim may for some messages use an alternative format
+for data-files in the spool which matches the wire format.
+Doing this permits more efficient message reception and transmission.
+Currently it is only done for messages received using the ESMTP CHUNKING
+option.
+
+The following variables will not have useful values:
+.code
+$max_received_linelength
+$body_linecount
+$body_zerocount
+.endd
+
+Users of the local_scan() API (see &<<CHAPlocalscan>>&),
+and any external programs which are passed a reference to a message data file
+(except via the &"regex"&, &"malware"& or &"spam"&) ACL conditions)
+will need to be aware of the different formats potentially available.
+
+Using any of the ACL conditions noted will negate the reception benefit
+(as a Unix-mbox-format file is constructed for them).
+The transmission benefit is maintained.
+
.option sqlite_lock_timeout main time 5s
.cindex "sqlite lookup type" "lock timeout"
This option controls the timeout that the &(sqlite)& lookup uses when trying to
details of Exim's logging.
+.option syslog_pid main boolean true
+.cindex "syslog" "pid"
+If &%syslog_pid%& is set false, the PID on Exim's log lines are
+omitted when these lines are sent to syslog. (Syslog normally prefixes
+the log lines with the PID of the logging process automatically.) You need
+to enable the &`+pid`& log selector item, if you want Exim to write it's PID
+into the logs.) See chapter &<<CHAPlog>>& for details of Exim's logging.
+
+
.option syslog_processname main string &`exim`&
.cindex "syslog" "process name; setting"
appropriate &%system_filter_..._transport%& option(s) must be set, to define
which transports are to be used. Details of this facility are given in chapter
&<<CHAPsystemfilter>>&.
+A forced expansion failure results in no filter operation.
.option system_filter_directory_transport main string&!! unset
.cindex "frozen messages" "timing out"
.cindex "timeout" "frozen messages"
If &%timeout_frozen_after%& is set to a time greater than zero, a frozen
-message of any kind that has been on the queue for longer than the given time
+message of any kind that has been in the queue for longer than the given time
is automatically cancelled at the next queue run. If the frozen message is a
bounce message, it is just discarded; otherwise, a bounce is sent to the
sender, in a similar manner to cancellation by the &%-Mg%& command line option.
frozen message, see &%ignore_bounce_errors_after%&.
&*Note:*& the default value of zero means no timeouts; with this setting,
-frozen messages remain on the queue forever (except for any frozen bounce
+frozen messages remain in the queue forever (except for any frozen bounce
messages that are released by &%ignore_bounce_errors_after%&).
.option timezone main string unset
.cindex "timezone, setting"
+.cindex "environment" "values from"
The value of &%timezone%& is used to set the environment variable TZ while
running Exim (if it is different on entry). This ensures that all timestamps
created by Exim are in the required timezone. If you want all your timestamps
unfortunately not all, operating systems.
-.option tls_advertise_hosts main "host list&!!" unset
+.option tls_advertise_hosts main "host list&!!" *
.cindex "TLS" "advertising"
.cindex "encryption" "on SMTP connection"
.cindex "SMTP" "encrypted connection"
of the STARTTLS command to set up an encrypted session is advertised in
response to EHLO only to those client hosts that match this option. See
chapter &<<CHAPTLS>>& for details of Exim's support for TLS.
+Note that the default value requires that a certificate be supplied
+using the &%tls_certificate%& option. If TLS support for incoming connections
+is not required the &%tls_advertise_hosts%& option should be set empty.
-.option tls_certificate main string&!! unset
+.option tls_certificate main string list&!! unset
.cindex "TLS" "server certificate; location of"
.cindex "certificate" "server, location of"
-The value of this option is expanded, and must then be the absolute path to a
-file which contains the server's certificates. The server's private key is also
+The value of this option is expanded, and must then be a list of absolute paths to
+files which contains the server's certificates. Commonly only one file is
+needed.
+The server's private key is also
assumed to be in this file if &%tls_privatekey%& is unset. See chapter
&<<CHAPTLS>>& for further details.
use when sending messages as a client, you must set the &%tls_certificate%&
option in the relevant &(smtp)& transport.
-.new
-If the option contains &$tls_sni$& and Exim is built against OpenSSL, then
+&*Note*&: If you use filenames based on IP addresses, change the list
+separator in the usual way (&<<SECTlistsepchange>>&) >to avoid confusion under IPv6.
+
+&*Note*&: Under versions of OpenSSL preceding 1.1.1,
+when a list of more than one
+file is used, the &$tls_in_ourcert$& variable is unreliable.
+
+&*Note*&: OCSP stapling is not usable under OpenSSL
+when a list of more than one file is used.
+
+If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
Server Name Indication extension, then this option and others documented in
&<<SECTtlssni>>& will be re-expanded.
-.wen
+
+If this option is unset or empty a fresh self-signed certificate will be
+generated for every connection.
.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
.cindex "certificate" "revocation list for server"
This option specifies a certificate revocation list. The expanded value must
-be the name of a file that contains a CRL in PEM format.
+be the name of a file that contains CRLs in PEM format.
+
+Under OpenSSL the option can specify a directory with CRL files.
+
+&*Note:*& Under OpenSSL the option must, if given, supply a CRL
+for each signing element of the certificate chain (i.e. all but the leaf).
+For the file variant this can be multiple PEM blocks in the one file.
-.new
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
-.wen
+
+
+.option tls_dh_max_bits main integer 2236
+.cindex "TLS" "D-H bit count"
+The number of bits used for Diffie-Hellman key-exchange may be suggested by
+the chosen TLS library. That value might prove to be too high for
+interoperability. This option provides a maximum clamp on the value
+suggested, trading off security for interoperability.
+
+The value must be at least 1024.
+
+The value 2236 was chosen because, at time of adding the option, it was the
+hard-coded maximum value supported by the NSS cryptographic library, as used
+by Thunderbird, while GnuTLS was suggesting 2432 bits as normal.
+
+If you prefer more security and are willing to break some clients, raise this
+number.
+
+Note that the value passed to GnuTLS for *generating* a new prime may be a
+little less than this figure, because GnuTLS is inexact and may produce a
+larger prime than requested.
.option tls_dhparam main string&!! unset
.cindex "TLS" "D-H parameters for server"
-The value of this option is expanded, and must then be the absolute path to
-a file which contains the server's DH parameter values.
-This is used only for OpenSSL. When Exim is linked with GnuTLS, this option is
-ignored. See section &<<SECTopenvsgnu>>& for further details.
+The value of this option is expanded and indicates the source of DH parameters
+to be used by Exim.
+
+&*Note: The Exim Maintainers strongly recommend using a filename with site-generated
+local DH parameters*&, which has been supported across all versions of Exim. The
+other specific constants available are a fallback so that even when
+"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.
+
+If &%tls_dhparam%& is a filename starting with a &`/`&,
+then it names a file from which DH
+parameters should be loaded. If the file exists, it should hold a PEM-encoded
+PKCS#3 representation of the DH prime. If the file does not exist, for
+OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and
+fill it with a generated DH prime. For OpenSSL, if the DH bit-count from
+loading the file is greater than &%tls_dh_max_bits%& then it will be ignored,
+and treated as though the &%tls_dhparam%& were set to "none".
+
+If this option expands to the string "none", then no DH parameters will be
+loaded by Exim.
+
+If this option expands to the string "historic" and Exim is using GnuTLS, then
+Exim will attempt to load a file from inside the spool directory. If the file
+does not exist, Exim will attempt to create it.
+See section &<<SECTgnutlsparam>>& for further details.
+
+If Exim is using OpenSSL and this option is empty or unset, then Exim will load
+a default DH prime; the default is Exim-specific but lacks verifiable provenance.
+
+In older versions of Exim the default was the 2048 bit prime described in section
+2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which
+in IKE is assigned number 23.
+
+Otherwise, the option must expand to the name used by Exim for any of a number
+of DH primes specified in RFC 2409, RFC 3526, RFC 5114, RFC 7919, or from other
+sources. As names, Exim uses a standard specified name, else "ike" followed by
+the number used by IKE, or "default" which corresponds to
+&`exim.dev.20160529.3`&.
+
+The available standard primes are:
+&`ffdhe2048`&, &`ffdhe3072`&, &`ffdhe4096`&, &`ffdhe6144`&, &`ffdhe8192`&,
+&`ike1`&, &`ike2`&, &`ike5`&,
+&`ike14`&, &`ike15`&, &`ike16`&, &`ike17`&, &`ike18`&,
+&`ike22`&, &`ike23`& and &`ike24`&.
+
+The available additional primes are:
+&`exim.dev.20160529.1`&, &`exim.dev.20160529.2`& and &`exim.dev.20160529.3`&.
+
+Some of these will be too small to be accepted by clients.
+Some may be too large to be accepted by clients.
+The open cryptographic community has suspicions about the integrity of some
+of the later IKE values, which led into RFC7919 providing new fixed constants
+(the "ffdhe" identifiers).
+
+At this point, all of the "ike" values should be considered obsolete;
+they're still in Exim to avoid breaking unusual configurations, but are
+candidates for removal the next time we have backwards-incompatible changes.
+
+The TLS protocol does not negotiate an acceptable size for this; clients tend
+to hard-drop connections if what is offered by the server is unacceptable,
+whether too large or too small, and there's no provision for the client to
+tell the server what these constraints are. Thus, as a server operator, you
+need to make an educated guess as to what is most likely to work for your
+userbase.
+
+Some known size constraints suggest that a bit-size in the range 2048 to 2236
+is most likely to maximise interoperability. The upper bound comes from
+applications using the Mozilla Network Security Services (NSS) library, which
+used to set its &`DH_MAX_P_BITS`& upper-bound to 2236. This affects many
+mail user agents (MUAs). The lower bound comes from Debian installs of Exim4
+prior to the 4.80 release, as Debian used to patch Exim to raise the minimum
+acceptable bound from 1024 to 2048.
+
+
+.option tls_eccurve main string&!! &`auto`&
+.cindex TLS "EC cryptography"
+This option selects a EC curve for use by Exim when used with OpenSSL.
+It has no effect when Exim is used with GnuTLS.
+
+After expansion it must contain a valid EC curve parameter, such as
+&`prime256v1`&, &`secp384r1`&, or &`P-512`&. Consult your OpenSSL manual
+for valid selections.
+
+For OpenSSL versions before (and not including) 1.0.2, the string
+&`auto`& selects &`prime256v1`&. For more recent OpenSSL versions
+&`auto`& tells the library to choose.
+
+If the option expands to an empty string, no EC curves will be enabled.
+
+
+.option tls_ocsp_file main string&!! unset
+.cindex TLS "certificate status"
+.cindex TLS "OCSP proof file"
+This option
+must if set expand to the absolute path to a file which contains a current
+status proof for the server's certificate, as obtained from the
+Certificate Authority.
+
+Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+
+For GnuTLS 3.5.6 or later the expanded value of this option can be a list
+of files, to match a list given for the &%tls_certificate%& option.
+The ordering of the two lists must match.
.option tls_on_connect_ports main "string list" unset
+.cindex SSMTP
+.cindex SMTPS
This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
-operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately
+operate the SSMTP (SMTPS) protocol, where a TLS session is immediately
set up without waiting for the client to issue a STARTTLS command. For
further details, see section &<<SECTsupobssmt>>&.
-.option tls_privatekey main string&!! unset
+.option tls_privatekey main string list&!! unset
.cindex "TLS" "server private key; location of"
-The value of this option is expanded, and must then be the absolute path to a
-file which contains the server's private key. If this option is unset, or if
+The value of this option is expanded, and must then be a list of absolute paths to
+files which contains the server's private keys.
+If this option is unset, or if
the expansion is forced to fail, or the result is an empty string, the private
key is assumed to be in the same file as the server's certificates. See chapter
&<<CHAPTLS>>& for further details.
-.new
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
-.wen
.option tls_remember_esmtp main boolean false
See &%tls_verify_hosts%& below.
-.option tls_verify_certificates main string&!! unset
+.option tls_verify_certificates main string&!! system
.cindex "TLS" "client certificate verification"
.cindex "certificate" "verification of client"
-The value of this option is expanded, and must then be the absolute path to
-a file containing permitted certificates for clients that
-match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you
-are using OpenSSL, you can set &%tls_verify_certificates%& to the name of a
-directory containing certificate files. This does not work with GnuTLS; the
-option must be set to the name of a single file if you are using GnuTLS.
+The value of this option is expanded, and must then be either the
+word "system"
+or the absolute path to
+a file or directory containing permitted certificates for clients that
+match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&.
+
+The "system" value for the option will use a
+system default location compiled into the SSL library.
+This is not available for GnuTLS versions preceding 3.0.20,
+and will be taken as empty; an explicit location
+must be specified.
+
+The use of a directory for the option value is not available for GnuTLS versions
+preceding 3.3.6 and a single file must be used.
+
+With OpenSSL the certificates specified
+explicitly
+either by file or directory
+are added to those given by the system default location.
These certificates should be for the certificate authorities trusted, rather
than the public cert of individual clients. With both OpenSSL and GnuTLS, if
the value is a file then the certificates are sent by Exim as a server to
connecting clients, defining the list of accepted certificate authorities.
Thus the values defined should be considered public data. To avoid this,
-use OpenSSL with a directory.
+use the explicit directory version.
-.new
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
-.wen
+
+A forced expansion failure or setting to an empty string is equivalent to
+being unset.
.option tls_verify_hosts main "host list&!!" unset
.cindex "customizing" "warning message"
This option defines a template file containing paragraphs of text to be used
for constructing the warning message which is sent by Exim when a message has
-been on the queue for a specified amount of time, as specified by
+been in the queue for a specified amount of time, as specified by
&%delay_warning%&. Details of the file's contents are given in chapter
&<<CHAPemsgcust>>&. See also &%bounce_message_file%&.
If the result is any other value, the router is run (as this is the last
precondition to be evaluated, all the other preconditions must be true).
-This option is unique in that multiple &%condition%& options may be present.
+This option is unusual in that multiple &%condition%& options may be present.
All &%condition%& options must succeed.
The &%condition%& option provides a means of applying custom conditions to the
of the other precondition options are common special cases that could in fact
be specified using &%condition%&.
+Historical note: We have &%condition%& on ACLs and on Routers. Routers
+are far older, and use one set of semantics. ACLs are newer and when
+they were created, the ACL &%condition%& process was given far stricter
+parse semantics. The &%bool{}%& expansion condition uses the same rules as
+ACLs. The &%bool_lax{}%& expansion condition uses the same rules as
+Routers. More pointedly, the &%bool_lax{}%& was written to match the existing
+Router rules processing behavior.
+
+This is best illustrated in an example:
+.code
+# If used in an ACL condition will fail with a syntax error, but
+# in a router condition any extra characters are treated as a string
+
+$ exim -be '${if eq {${lc:GOOGLE.com}} {google.com}} {yes} {no}}'
+true {yes} {no}}
+
+$ exim -be '${if eq {${lc:WHOIS.com}} {google.com}} {yes} {no}}'
+ {yes} {no}}
+.endd
+In each example above, the &%if%& statement actually ends after
+&"{google.com}}"&. Since no true or false braces were defined, the
+default &%if%& behavior is to return a boolean true or a null answer
+(which evaluates to false). The rest of the line is then treated as a
+string. So the first example resulted in the boolean answer &"true"&
+with the string &" {yes} {no}}"& appended to it. The second example
+resulted in the null output (indicating false) with the string
+&" {yes} {no}}"& appended to it.
+
+In fact you can put excess forward braces in too. In the router
+&%condition%&, Exim's parser only looks for &"{"& symbols when they
+mean something, like after a &"$"& or when required as part of a
+conditional. But otherwise &"{"& and &"}"& are treated as ordinary
+string characters.
+
+Thus, in a Router, the above expansion strings will both always evaluate
+true, as the result of expansion is a non-empty string which doesn't
+match an explicit false value. This can be tricky to debug. By
+contrast, in an ACL either of those strings will always result in an
+expansion error because the result doesn't look sufficiently boolean.
+
.option debug_print routers string&!! unset
.cindex "testing" "variables in drivers"
If this option is set and debugging is enabled (see the &%-d%& command line
-option), the string is expanded and included in the debugging output.
+option) or in address-testing mode (see the &%-bt%& command line option),
+the string is expanded and included in the debugging output.
If expansion of the string fails, the error message is written to the debugging
output, and Exim carries on processing.
This option is provided to help with checking out the values of variables and
variables it references. The output happens after checks for &%domains%&,
&%local_parts%&, and &%check_local_user%& but before any other preconditions
are tested. A newline is added to the text if it does not end with one.
+The variable &$router_name$& contains the name of the router.
unless you really, really know what you are doing. See also the generic
transport option of the same name.
+.option dnssec_request_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
+.option dnssec_require_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_require_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set will be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
.option domains routers&!? "domain list&!!" unset
.cindex "router" "restricting to specific domains"
to be used.
+.option dsn_lasthop routers boolean false
+.cindex "DSN" "success"
+.cindex "Delivery Status Notification" "success"
+If this option is set true, and extended DSN (RFC3461) processing is in effect,
+Exim will not pass on DSN requests to downstream DSN-aware hosts but will
+instead send a success DSN as if the next hop does not support DSN.
+Not effective on redirect routers.
+
+
.option errors_to routers string&!! unset
.cindex "envelope sender"
.cindex "fallback" "hosts specified on router"
String expansion is not applied to this option. The argument must be a
colon-separated list of host names or IP addresses. The list separator can be
-changed (see section &<<SECTlistconstruct>>&), and a port can be specified with
+changed (see section &<<SECTlistsepchange>>&), and a port can be specified with
each name or address. In fact, the format of each item is exactly the same as
defined for the list of hosts in a &(manualroute)& router (see section
&<<SECTformatonehostitem>>&).
-.option headers_add routers string&!! unset
+.option headers_add routers list&!! unset
.cindex "header lines" "adding"
.cindex "router" "adding header lines"
-This option specifies a string of text that is expanded at routing time, and
-associated with any addresses that are accepted by the router. However, this
+This option specifies a list of text headers,
+newline-separated (by default, changeable in the usual way &<<SECTlistsepchange>>&),
+that is associated with any addresses that are accepted by the router.
+Each item is separately expanded, at routing time. However, this
option has no effect when an address is just being verified. The way in which
the text is used to add header lines at transport time is described in section
&<<SECTheadersaddrem>>&. New header lines are not actually added until the
&"see"& the added header lines.
The &%headers_add%& option is expanded after &%errors_to%&, but before
-&%headers_remove%& and &%transport%&. If the expanded string is empty, or if
-the expansion is forced to fail, the option has no effect. Other expansion
+&%headers_remove%& and &%transport%&. If an item is empty, or if
+an item expansion is forced to fail, the item has no effect. Other expansion
failures are treated as configuration errors.
+Unlike most options, &%headers_add%& can be specified multiple times
+for a router; all listed headers are added.
+
&*Warning 1*&: The &%headers_add%& option cannot be used for a &(redirect)&
router that has the &%one_time%& option set.
-.option headers_remove routers string&!! unset
+.option headers_remove routers list&!! unset
.cindex "header lines" "removing"
.cindex "router" "removing header lines"
-This option specifies a string of text that is expanded at routing time, and
-associated with any addresses that are accepted by the router. However, this
+This option specifies a list of text headers,
+colon-separated (by default, changeable in the usual way &<<SECTlistsepchange>>&),
+that is associated with any addresses that are accepted by the router.
+Each item is separately expanded, at routing time. However, this
option has no effect when an address is just being verified. The way in which
the text is used to remove header lines at transport time is described in
section &<<SECTheadersaddrem>>&. Header lines are not actually removed until
&"see"& the original header lines.
The &%headers_remove%& option is expanded after &%errors_to%& and
-&%headers_add%&, but before &%transport%&. If the expansion is forced to fail,
-the option has no effect. Other expansion failures are treated as configuration
+&%headers_add%&, but before &%transport%&. If an item expansion is forced to fail,
+the item has no effect. Other expansion failures are treated as configuration
errors.
+Unlike most options, &%headers_remove%& can be specified multiple times
+for a router; all listed headers are removed.
+
&*Warning 1*&: The &%headers_remove%& option cannot be used for a &(redirect)&
router that has the &%one_time%& option set.
routers, and this can lead to problems with duplicates -- see the similar
warning for &%headers_add%& above.
+&*Warning 3*&: Because of the separate expansion of the list items,
+items that contain a list separator must have it doubled.
+To avoid this, change the list separator (&<<SECTlistsepchange>>&).
+
+
.option ignore_target_hosts routers "host list&!!" unset
.cindex "IP address" "discarding"
.option local_part_prefix routers&!? "string list" unset
+.cindex affix "router precondition"
.cindex "router" "prefix for local part"
.cindex "prefix" "for local part, used in router"
If this option is set, the router is skipped unless the local part starts with
through the &%require_files%& list, expanding each item separately.
Because the list is split before expansion, any colons in expansion items must
-be doubled, or the facility for using a different list separator must be used.
+be doubled, or the facility for using a different list separator must be used
+(&<<SECTlistsepchange>>&).
If any expansion is forced to fail, the item is ignored. Other expansion
failures cause routing of the address to be deferred.
these options are all expanded, you can use the &%exists%& expansion condition
to make such tests. The &%require_files%& option is intended for checking files
that the router may be going to use internally, or which are needed by a
-transport (for example &_.procmailrc_&).
+transport (e.g., &_.procmailrc_&).
During delivery, the &[stat()]& function is run as root, but there is a
facility for some checking of the accessibility of a file by another user.
be caused by a configuration error, and routing is deferred because the
existence or non-existence of the file cannot be determined. However, in some
circumstances it may be desirable to treat this condition as if the file did
-not exist. If the file name (or the exclamation mark that precedes the file
-name for non-existence) is preceded by a plus sign, the EACCES error is treated
+not exist. If the filename (or the exclamation mark that precedes the filename
+for non-existence) is preceded by a plus sign, the EACCES error is treated
as if the file did not exist. For example:
.code
require_files = +/some/file
.cindex "EXPN" "with &%verify_only%&"
.oindex "&%-bv%&"
.cindex "router" "used only when verifying"
-If this option is set, the router is used only when verifying an address or
+If this option is set, the router is used only when verifying an address,
+delivering in cutthrough mode or
testing with the &%-bv%& option, not when actually doing a delivery, testing
with the &%-bt%& option, or running the SMTP EXPN command. It can be further
restricted to verifying only senders or recipients by means of
.option verify_recipient routers&!? boolean true
If this option is false, the router is skipped when verifying recipient
-addresses
+addresses,
+delivering in cutthrough mode
or testing recipient verification using &%-bv%&.
See section &<<SECTrouprecon>>& for a list of the order in which preconditions
are evaluated.
+See also the &$verify_mode$& variable.
.option verify_sender routers&!? boolean true
or testing sender verification using &%-bvs%&.
See section &<<SECTrouprecon>>& for a list of the order in which preconditions
are evaluated.
+See also the &$verify_mode$& variable.
.ecindex IIDgenoprou1
.ecindex IIDgenoprou2
MX records of equal priority are sorted by Exim into a random order. Exim then
looks for address records for the host names obtained from MX or SRV records.
When a host has more than one IP address, they are sorted into a random order,
-except that IPv6 addresses are always sorted before IPv4 addresses. If all the
+except that IPv6 addresses are sorted before IPv4 addresses. If all the
IP addresses found are discarded by a setting of the &%ignore_target_hosts%&
generic option, the router declines.
.section "Problems with DNS lookups" "SECTprowitdnsloo"
There have been problems with DNS servers when SRV records are looked up.
-Some mis-behaving servers return a DNS error or timeout when a non-existent
+Some misbehaving servers return a DNS error or timeout when a non-existent
SRV record is sought. Similar problems have in the past been reported for
MX records. The global &%dns_again_means_nonexist%& option can help with this
problem, but it is heavy-handed because it is a global option.
case routing fails.
+.section "Declining addresses by dnslookup" "SECTdnslookupdecline"
+.cindex "&(dnslookup)& router" "declines"
+There are a few cases where a &(dnslookup)& router will decline to accept
+an address; if such a router is expected to handle "all remaining non-local
+domains", then it is important to set &%no_more%&.
+
+The router will defer rather than decline if the domain
+is found in the &%fail_defer_domains%& router option.
+
+Reasons for a &(dnslookup)& router to decline currently include:
+.ilist
+The domain does not exist in DNS
+.next
+The domain exists but the MX record's host part is just "."; this is a common
+convention (borrowed from SRV) used to indicate that there is no such service
+for this domain and to not fall back to trying A/AAAA records.
+.next
+Ditto, but for SRV records, when &%check_srv%& is set on this router.
+.next
+MX record points to a non-existent host.
+.next
+MX record points to an IP address and the main section option
+&%allow_mx_to_ip%& is not set.
+.next
+MX records exist and point to valid hosts, but all hosts resolve only to
+addresses blocked by the &%ignore_target_hosts%& generic option on this router.
+.next
+The domain is not syntactically valid (see also &%allow_utf8_domains%& and
+&%dns_check_names_pattern%& for handling one variant of this)
+.next
+&%check_secondary_mx%& is set on this router but the local host can
+not be found in the MX records (see below)
+.endlist
+
+
.section "Private options for dnslookup" "SECID118"
+
+.option fail_defer_domains dnslookup "domain list&!!" unset
+.cindex "MX record" "not found"
+DNS lookups for domains matching &%fail_defer_domains%&
+which find no matching record will cause the router to defer
+rather than the default behaviour of decline.
+This maybe be useful for queueing messages for a newly created
+domain while the DNS configuration is not ready.
+However, it will result in any message with mistyped domains
+also being queued.
+
+
+.option ipv4_only "string&!!" unset
+.cindex IPv6 disabling
+.cindex DNS "IPv6 disabling"
+The string is expanded, and if the result is anything but a forced failure,
+or an empty string, or one of the strings “0” or “no” or “false”
+(checked without regard to the case of the letters),
+only A records are used.
+
+.option ipv4_prefer "string&!!" unset
+.cindex IPv4 preference
+.cindex DNS "IPv4 preference"
+The string is expanded, and if the result is anything but a forced failure,
+or an empty string, or one of the strings “0” or “no” or “false”
+(checked without regard to the case of the letters),
+A records are sorted before AAAA records (inverting the default).
+
.option mx_domains dnslookup "domain list&!!" unset
.cindex "MX record" "required to exist"
.cindex "SRV record" "required to exist"
A list of hosts, whether obtained via &%route_data%& or &%route_list%&, is
always separately expanded before use. If the expansion fails, the router
declines. The result of the expansion must be a colon-separated list of names
-and/or IP addresses, optionally also including ports. The format of each item
+and/or IP addresses, optionally also including ports.
+If the list is written with spaces, it must be protected with quotes.
+The format of each item
in the list is described in the next section. The list separator can be changed
-as described in section &<<SECTlistconstruct>>&.
+as described in section &<<SECTlistsepchange>>&.
If the list of hosts was obtained from a &%route_list%& item, the following
variables are set during its expansion:
.section "How the options are used" "SECThowoptused"
-The options are a sequence of words; in practice no more than three are ever
-present. One of the words can be the name of a transport; this overrides the
+The options are a sequence of words, space-separated.
+One of the words can be the name of a transport; this overrides the
&%transport%& option on the router for this particular routing rule only. The
other words (if present) control randomization of the list of hosts on a
per-rule basis, and how the IP addresses of the hosts are to be found when
&%bydns%&: look up address records for the hosts directly in the DNS; fail if
no address records are found. If there is a temporary DNS error (such as a
timeout), delivery is deferred.
+.next
+&%ipv4_only%&: in direct DNS lookups, look up only A records.
+.next
+&%ipv4_prefer%&: in direct DNS lookups, sort A records before AAAA records.
.endlist
For example:
lookup first. Only if that gives a definite &"no such host"& is the local
function called.
+&*Compatibility*&: From Exim 4.85 until fixed for 4.90, there was an
+inadvertent constraint that a transport name as an option had to be the last
+option specified.
+
If no IP address for a host can be found, what happens is controlled by the
files and pipes, and for generating autoreplies. See the &%file_transport%&,
&%pipe_transport%& and &%reply_transport%& descriptions below.
+If success DSNs have been requested
+.cindex "DSN" "success"
+.cindex "Delivery Status Notification" "success"
+redirection triggers one and the DSN options are not passed any further.
+
.section "Redirection data" "SECID124"
described in the next section.
.endlist
-When a message is redirected to a file (a &"mail folder"&), the file name given
+When a message is redirected to a file (a &"mail folder"&), the filename given
in a non-filter redirection list must always be an absolute path. A filter may
generate a relative path &-- how this is handled depends on the transport's
configuration. See section &<<SECTfildiropt>>& for a discussion of this issue
.cindex "address redirection" "non-filter list items"
When the redirection data is not an Exim or Sieve filter, for example, if it
comes from a conventional alias or forward file, it consists of a list of
-addresses, file names, pipe commands, or certain special items (see section
+addresses, filenames, pipe commands, or certain special items (see section
&<<SECTspecitredli>>& below). The special items can be individually enabled or
disabled by means of options whose names begin with &%allow_%& or &%forbid_%&,
depending on their default values. The items in the list are separated by
.endd
is interpreted as a pipe with a rather strange command name, and no arguments.
+Note that the above example assumes that the text comes from a lookup source
+of some sort, so that the quotes are part of the data. If composing a
+redirect router with a &%data%& option directly specifying this command, the
+quotes will be used by the configuration parser to define the extent of one
+string, but will not be passed down into the redirect router itself. There
+are two main approaches to get around this: escape quotes to be part of the
+data itself, or avoid using this mechanism and instead create a custom
+transport with the &%command%& option set and reference that transport from
+an &%accept%& router.
+
.next
.cindex "file" "in redirection list"
.cindex "address redirection" "to file"
.code
/home/world/minbari
.endd
-is treated as a file name, but
+is treated as a filename, but
.code
/s=molari/o=babylon/@x400gate.way
.endd
-is treated as an address. For a file name, a transport must be specified using
+is treated as an address. For a filename, a transport must be specified using
the &%file_transport%& option. However, if the generated path name ends with a
forward slash character, it is interpreted as a directory name rather than a
-file name, and &%directory_transport%& is used instead.
+filename, and &%directory_transport%& is used instead.
Normally, either the router or the transport specifies a user and a group under
which to run the delivery. The default is to use the Exim user and group.
.endd
.next
.cindex "address redirection" "to black hole"
-Sometimes you want to throw away mail to a particular local part. Making the
-&%data%& option expand to an empty string does not work, because that causes
-the router to decline. Instead, the alias item
+.cindex "delivery" "discard"
+.cindex "delivery" "blackhole"
.cindex "black hole"
.cindex "abandoning mail"
-&':blackhole:'& can be used. It does what its name implies. No delivery is
-done, and no error message is generated. This has the same effect as specifing
+Sometimes you want to throw away mail to a particular local part. Making the
+&%data%& option expand to an empty string does not work, because that causes
+the router to decline. Instead, the alias item
+.code
+:blackhole:
+.endd
+can be used. It does what its name implies. No delivery is
+done, and no error message is generated. This has the same effect as specifying
&_/dev/null_& as a destination, but it can be independently disabled.
&*Warning*&: If &':blackhole:'& appears anywhere in a redirection list, no
During routing for message delivery (as opposed to verification), a redirection
containing &':fail:'& causes an immediate failure of the incoming address,
-whereas &':defer:'& causes the message to remain on the queue so that a
+whereas &':defer:'& causes the message to remain in the queue so that a
subsequent delivery attempt can happen at a later time. If an address is
deferred for too long, it will ultimately fail, because the normal retry
rules still apply.
ending in a slash is specified as a new &"address"&. The transport used is
specified by this option, which, after expansion, must be the name of a
configured transport. This should normally be an &(appendfile)& transport. When
-it is running, the file name is in &$address_file$&.
+it is running, the filename is in &$address_file$&.
.option filter_prepend_home redirect boolean true
.option forbid_blackhole redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, the &':blackhole:'& item may not appear in a
redirection list.
.option forbid_exim_filter redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is set true, only Sieve filters are permitted when
&%allow_filter%& is true.
.option forbid_file redirect boolean false
+.cindex "restricting access to features"
.cindex "delivery" "to file; forbidding"
+.cindex "filter" "locking out certain features"
.cindex "Sieve filter" "forbidding delivery to a file"
.cindex "Sieve filter" "&""keep""& facility; disabling"
If this option is true, this router may not generate a new address that
.option forbid_filter_dlfunc redirect boolean false
+.cindex "restricting access to features"
.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filters are not allowed to
make use of the &%dlfunc%& expansion facility to run dynamically loaded
functions.
.option forbid_filter_existstest redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
.cindex "expansion" "statting a file"
If this option is true, string expansions in Exim filters are not allowed to
make use of the &%exists%& condition or the &%stat%& expansion item.
.option forbid_filter_logwrite redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, use of the logging facility in Exim filters is not
permitted. Logging is in any case available only if the filter is being run
under some unprivileged uid (which is normally the case for ordinary users'
.option forbid_filter_lookup redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%lookup%& items.
.option forbid_filter_perl redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
This option has an effect only if Exim is built with embedded Perl support. If
it is true, string expansions in Exim filter files are not allowed to make use
of the embedded Perl support.
.option forbid_filter_readfile redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%readfile%& items.
.option forbid_filter_readsocket redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%readsocket%& items.
.option forbid_filter_reply redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, this router may not generate an automatic reply
message. Automatic replies can be generated only from Exim or Sieve filter
files, not from traditional forward files. This option is forced to be true if
.option forbid_filter_run redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%run%& items.
.option forbid_include redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, items of the form
.code
:include:<path name>
.option forbid_pipe redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
.cindex "delivery" "to pipe; forbidding"
If this option is true, this router may not generate a new address which
specifies delivery to a pipe, either from an Exim filter or from a conventional
.option forbid_sieve_filter redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is set true, only Exim filters are permitted when
&%allow_filter%& is true.
.chapter "Environment for running local transports" "CHAPenvironment" &&&
"Environment for local transports"
.scindex IIDenvlotra1 "local transports" "environment for"
-.scindex IIDenvlotra2 "environment for local transports"
+.scindex IIDenvlotra2 "environment" "local transports"
.scindex IIDenvlotra3 "transport" "local; environment for"
Local transports handle deliveries to files and pipes. (The &(autoreply)&
transport can be thought of as similar to a pipe.) Exim always runs transports
option is not working properly, &%debug_print%& could be used to output the
variables it references. A newline is added to the text if it does not end with
one.
-
+The variables &$transport_name$& and &$router_name$& contain the name of the
+transport and the router that called it.
.option delivery_date_add transports boolean false
.cindex "&'Delivery-date:'& header line"
resent to other recipients.
+.option event_action transports string&!! unset
+.cindex events
+This option declares a string to be expanded for Exim's events mechanism.
+For details see chapter &<<CHAPevents>>&.
+
+
.option group transports string&!! "Exim group"
.cindex "transport" "group; specifying"
This option specifies a gid for running the transport process, overriding any
&%user%& (see below).
-.option headers_add transports string&!! unset
+.option headers_add transports list&!! unset
.cindex "header lines" "adding in transport"
.cindex "transport" "header lines; adding"
-This option specifies a string of text that is expanded and added to the header
+This option specifies a list of text headers,
+newline-separated (by default, changeable in the usual way &<<SECTlistsepchange>>&),
+which are (separately) expanded and added to the header
portion of a message as it is transported, as described in section
&<<SECTheadersaddrem>>&. Additional header lines can also be specified by
routers. If the result of the expansion is an empty string, or if the expansion
is forced to fail, no action is taken. Other expansion failures are treated as
errors and cause the delivery to be deferred.
+Unlike most options, &%headers_add%& can be specified multiple times
+for a transport; all listed headers are added.
.option headers_only transports boolean false
checked, since this option does not automatically suppress them.
-.option headers_remove transports string&!! unset
+.option headers_remove transports list&!! unset
.cindex "header lines" "removing"
.cindex "transport" "header lines; removing"
-This option specifies a string that is expanded into a list of header names;
+This option specifies a list of header names,
+colon-separated (by default, changeable in the usual way &<<SECTlistsepchange>>&);
these headers are omitted from the message as it is transported, as described
in section &<<SECTheadersaddrem>>&. Header removal can also be specified by
-routers. If the result of the expansion is an empty string, or if the expansion
+routers.
+Each list item is separately expanded.
+If the result of the expansion is an empty string, or if the expansion
is forced to fail, no action is taken. Other expansion failures are treated as
errors and cause the delivery to be deferred.
+Unlike most options, &%headers_remove%& can be specified multiple times
+for a transport; all listed headers are removed.
+
+&*Warning*&: Because of the separate expansion of the list items,
+items that contain a list separator must have it doubled.
+To avoid this, change the list separator (&<<SECTlistsepchange>>&).
+
.option headers_rewrite transports string unset
to ensure that any additional groups associated with the uid are set up.
+.option max_parallel transports integer&!! unset
+.cindex limit "transport parallelism"
+.cindex transport "parallel processes"
+.cindex transport "concurrency limit"
+.cindex "delivery" "parallelism for transport"
+If this option is set and expands to an integer greater than zero
+it limits the number of concurrent runs of the transport.
+The control does not apply to shadow transports.
+
+.cindex "hints database" "transport concurrency control"
+Exim implements this control by means of a hints database in which a record is
+incremented whenever a transport process is being created. The record
+is decremented and possibly removed when the process terminates.
+Obviously there is scope for
+records to get left lying around if there is a system or program crash. To
+guard against this, Exim ignores any records that are more than six hours old.
+
+If you use this option, you should also arrange to delete the
+relevant hints database whenever your system reboots. The names of the files
+start with &_misc_& and they are kept in the &_spool/db_& directory. There
+may be one or two files, depending on the type of DBM in use. The same files
+are used for ETRN and smtp transport serialization.
+
+
.option message_size_limit transports string&!! 0
.cindex "limit" "message size per transport"
.cindex "size" "of message, limit"
This option sets up a filtering (in the Unix shell sense) process for messages
at transport time. It should not be confused with mail filtering as set up by
individual users or via a system filter.
+If unset, or expanding to an empty string, no filtering is done.
When the message is about to be written out, the command specified by
&%transport_filter%& is started up in a separate, parallel process, and
.option transport_filter_timeout transports time 5m
.cindex "transport" "filter, timeout"
-When Exim is reading the output of a transport filter, it a applies a timeout
+When Exim is reading the output of a transport filter, it applies a timeout
that can be set by this option. Exceeding the timeout is normally treated as a
temporary delivery failure. However, if a transport filter is used with a
&(pipe)& transport, a timeout in the transport filter is treated in the same
fileinto "folder23";
.endd
In this situation, the expansion of &%file%& or &%directory%& in the transport
-must transform the relative path into an appropriate absolute file name. In the
+must transform the relative path into an appropriate absolute filename. In the
case of Sieve filters, the name &'inbox'& must be handled. It is the name that
is used as a result of a &"keep"& action in the filter. This example shows one
way of handling this requirement:
The option must be set to one of the words &"anywhere"&, &"inhome"&, or
&"belowhome"&. In the second and third cases, a home directory must have been
-set for the transport. This option is not useful when an explicit file name is
-given for normal mailbox deliveries. It is intended for the case when file
-names are generated from users' &_.forward_& files. These are usually handled
+set for the transport. This option is not useful when an explicit filename is
+given for normal mailbox deliveries. It is intended for the case when filenames
+are generated from users' &_.forward_& files. These are usually handled
by an &(appendfile)& transport called &%address_file%&. See also
&%file_must_exist%&.
section &<<SECTmaildirdelivery>>& below.
-.new
.option maildir_use_size_file appendfile&!! boolean false
.cindex "maildir format" "&_maildirsize_& file"
The result of string expansion for this option must be a valid boolean value.
quota from the &%quota%& option of the transport. If &%quota%& is unset, the
value is zero. See &%maildir_quota_directory_regex%& above and section
&<<SECTmaildirdelivery>>& below for further details.
-.wen
.option maildirfolder_create_regex appendfile string unset
.cindex "maildir format" "&_maildirfolder_& file"
The value of the option is expanded, and must then be a numerical value
(decimal point allowed), optionally followed by one of the letters K, M, or G,
-for kilobytes, megabytes, or gigabytes. If Exim is running on a system with
+for kilobytes, megabytes, or gigabytes, optionally followed by a slash
+and further option modifiers. If Exim is running on a system with
large file support (Linux and FreeBSD have this), mailboxes larger than 2G can
be handled.
+The option modifier &%no_check%& can be used to force delivery even if the over
+quota condition is met. The quota gets updated as usual.
+
&*Note*&: A value of zero is interpreted as &"no quota"&.
The expansion happens while Exim is running as root, before it changes uid for
failure causes delivery to be deferred. A value of zero is interpreted as
&"no quota"&.
+The option modifier &%no_check%& can be used to force delivery even if the over
+quota condition is met. The quota gets updated as usual.
.option quota_is_inclusive appendfile boolean true
See &%quota%& above.
This option applies when one of the delivery modes that writes a separate file
for each message is being used. When Exim wants to find the size of one of
these files in order to test the quota, it first checks &%quota_size_regex%&.
-If this is set to a regular expression that matches the file name, and it
+If this is set to a regular expression that matches the filename, and it
captures one string, that string is interpreted as a representation of the
file's size. The value of &%quota_size_regex%& is not expanded.
This feature is useful only when users have no shell access to their mailboxes
&-- otherwise they could defeat the quota simply by renaming the files. This
facility can be used with maildir deliveries, by setting &%maildir_tag%& to add
-the file length to the file name. For example:
+the file length to the filename. For example:
.code
maildir_tag = ,S=$message_size
quota_size_regex = ,S=(\d+)
number of lines in the message.
The regular expression should not assume that the length is at the end of the
-file name (even though &%maildir_tag%& puts it there) because maildir MUAs
-sometimes add other information onto the ends of message file names.
+filename (even though &%maildir_tag%& puts it there) because maildir MUAs
+sometimes add other information onto the ends of message filenames.
Section &<<SECID136>>& contains further information.
current time, primary host name, and process id added, by opening for writing
as a new file. If this fails with an access error, delivery is deferred.
.next
-Close the hitching post file, and hard link it to the lock file name.
+Close the hitching post file, and hard link it to the lock filename.
.next
If the call to &[link()]& succeeds, creation of the lock file has succeeded.
Unlink the hitching post name.
directory"&). If the delivery is successful, the file is renamed into the
&_new_& subdirectory.
-In the file name, <&'stime'&> is the current time of day in seconds, and
+In the filename, <&'stime'&> is the current time of day in seconds, and
<&'mtime'&> is the microsecond fraction of the time. After a maildir delivery,
Exim checks that the time-of-day clock has moved on by at least one microsecond
before terminating the delivery process. This guarantees uniqueness for the
-file name. However, as a precaution, Exim calls &[stat()]& for the file before
+filename. However, as a precaution, Exim calls &[stat()]& for the file before
opening it. If any response other than ENOENT (does not exist) is given,
Exim waits 2 seconds and tries again, up to &%maildir_retries%& times.
This does not apply to &'Cc:'& or &'Bcc:'& recipients.
If &%once%& is unset, or is set to an empty string, the message is always sent.
-By default, if &%once%& is set to a non-empty file name, the message
+By default, if &%once%& is set to a non-empty filename, the message
is not sent if a potential recipient is already listed in the database.
However, if the &%once_repeat%& option specifies a time greater than zero, the
message is sent if that much time has elapsed since a message was last sent to
.vindex "&$address_pipe$&"
A router redirects an address directly to a pipe command (for example, from an
alias or forward file). In this case, &$address_pipe$& contains the text of the
-pipe command, and the &%command%& option on the transport is ignored. If only
-one address is being transported (&%batch_max%& is not greater than one, or
-only one address was redirected to this pipe command), &$local_part$& contains
-the local part that was redirected.
+pipe command, and the &%command%& option on the transport is ignored unless
+&%force_command%& is set. If only one address is being transported
+(&%batch_max%& is not greater than one, or only one address was redirected to
+this pipe command), &$local_part$& contains the local part that was redirected.
.endlist
delivery, the two pipe transports may be run concurrently. You must ensure that
any pipe commands you set up are robust against this happening. If the commands
write to a file, the &%exim_lock%& utility might be of use.
+Alternatively the &%max_parallel%& option could be used with a value
+of "1" to enforce serialization.
.cindex "filter" "transport filter"
.vindex "&$pipe_addresses$&"
Special handling takes place when an argument consists of precisely the text
-&`$pipe_addresses`&. This is not a general expansion variable; the only
+&`$pipe_addresses`& (no quotes).
+This is not a general expansion variable; the only
place this string is recognized is when it appears as an argument for a pipe or
transport filter command. It causes each address that is being handled to be
inserted in the argument list at that point &'as a separate argument'&. This
avoids any problems with spaces or shell metacharacters, and is of use when a
&(pipe)& transport is handling groups of addresses in a batch.
+If &%force_command%& is enabled on the transport, Special handling takes place
+for an argument that consists of precisely the text &`$address_pipe`&. It
+is handled similarly to &$pipe_addresses$& above. It is expanded and each
+argument is inserted in the argument list at that point
+&'as a separate argument'&. The &`$address_pipe`& item does not need to be
+the only item in the argument; in fact, if it were then &%force_command%&
+should behave as a no-op. Rather, it should be used to adjust the command
+run while preserving the argument vector separation.
+
After splitting up into arguments and expansion, the resulting command is run
in a subprocess directly from the transport, &'not'& under a shell. The
message that is being delivered is supplied on the standard input, and the
.section "Environment variables" "SECTpipeenv"
.cindex "&(pipe)& transport" "environment for command"
-.cindex "environment for pipe transport"
+.cindex "environment" "&(pipe)& transport"
The environment variables listed below are set up when the command is invoked.
This list is a compromise for maximum compatibility with other MTAs. Note that
the &%environment%& option can be used to add additional variables to this
-environment.
+environment. The environment for the &(pipe)& transport is not subject
+to the &%add_environment%& and &%keep_environment%& main config options.
.display
&`DOMAIN `& the domain of the address
&`HOME `& the home directory, if set
.option environment pipe string&!! unset
.cindex "&(pipe)& transport" "environment for command"
-.cindex "environment for &(pipe)& transport"
+.cindex "environment" "&(pipe)& transport"
This option is used to add additional variables to the environment in which the
command runs (see section &<<SECTpipeenv>>& for the default list). Its value is
a string which is expanded, and then interpreted as a colon-separated list of
frozen in Exim's queue instead.
+.option force_command pipe boolean false
+.cindex "force command"
+.cindex "&(pipe)& transport", "force command"
+Normally when a router redirects an address directly to a pipe command
+the &%command%& option on the transport is ignored. If &%force_command%&
+is set, the &%command%& option will used. This is especially
+useful for forcing a wrapper or additional argument to be added to the
+command. For example:
+.code
+command = /usr/bin/remote_exec myhost -- $address_pipe
+force_command
+.endd
+
+Note that &$address_pipe$& is handled specially in &%command%& when
+&%force_command%& is set, expanding out to the original argument vector as
+separate items, similarly to a Unix shell &`"$@"`& construct.
+
+
.option ignore_status pipe boolean false
If this option is true, the status returned by the subprocess that is set up to
run the command is ignored, and Exim behaves as if zero had been returned.
&*Note*&: This option does not apply to timeouts, which do not return a status.
See the &%timeout_defer%& option for how timeouts are handled.
+
.option log_defer_output pipe boolean false
.cindex "&(pipe)& transport" "logging output"
If this option is set, and the status returned by the command is
one of the codes listed in &%temp_errors%& (that is, delivery was deferred),
-and any output was produced, the first line of it is written to the main log.
+and any output was produced on stdout or stderr, the first line of it is
+written to the main log.
.option log_fail_output pipe boolean false
-If this option is set, and the command returns any output, and also ends with a
-return code that is neither zero nor one of the return codes listed in
-&%temp_errors%& (that is, the delivery failed), the first line of output is
-written to the main log. This option and &%log_output%& are mutually exclusive.
-Only one of them may be set.
-
+If this option is set, and the command returns any output on stdout or
+stderr, and also ends with a return code that is neither zero nor one of
+the return codes listed in &%temp_errors%& (that is, the delivery
+failed), the first line of output is written to the main log. This
+option and &%log_output%& are mutually exclusive. Only one of them may
+be set.
.option log_output pipe boolean false
-If this option is set and the command returns any output, the first line of
-output is written to the main log, whatever the return code. This option and
-&%log_fail_output%& are mutually exclusive. Only one of them may be set.
-
+If this option is set and the command returns any output on stdout or
+stderr, the first line of output is written to the main log, whatever
+the return code. This option and &%log_fail_output%& are mutually
+exclusive. Only one of them may be set.
.option max_output pipe integer 20K
&`\n`& to &`\r\n`& in &%message_suffix%&.
-.option path pipe string "see below"
-This option specifies the string that is set up in the PATH environment
-variable of the subprocess. The default is:
-.code
-/bin:/usr/bin
-.endd
+.option path pipe string&!! "/bin:/usr/bin"
+This option is expanded and
+specifies the string that is set up in the PATH environment
+variable of the subprocess.
If the &%command%& option does not yield an absolute path name, the command is
sought in the PATH directories, in the usual way. &*Warning*&: This does not
apply to a command specified as a transport filter.
are in force when any authenticators are run and when the
&%authenticated_sender%& option is expanded.
+These variables are deprecated in favour of &$tls_in_cipher$& et. al.
+and will be removed in a future release.
+
.section "Private options for smtp" "SECID146"
.cindex "options" "&(smtp)& transport"
The expansion happens after the outgoing connection has been made and TLS
started, if required. This means that the &$host$&, &$host_address$&,
-&$tls_cipher$&, and &$tls_peerdn$& variables are set according to the
+&$tls_out_cipher$&, and &$tls_out_peerdn$& variables are set according to the
particular connection.
If the SMTP session is not authenticated, the expansion of
option.
+.option dane_require_tls_ciphers smtp string&!! unset
+.cindex "TLS" "requiring specific ciphers for DANE"
+.cindex "cipher" "requiring specific"
+.cindex DANE "TLS ciphers"
+This option may be used to override &%tls_require_ciphers%& for connections
+where DANE has been determined to be in effect.
+If not set, then &%tls_require_ciphers%& will be used.
+Normal SMTP delivery is not able to make strong demands of TLS cipher
+configuration, because delivery will fall back to plaintext. Once DANE has
+been determined to be in effect, there is no plaintext fallback and making the
+TLS cipherlist configuration stronger will increase security, rather than
+counter-intuitively decreasing it.
+If the option expands to be empty or is forced to fail, then it will
+be treated as unset and &%tls_require_ciphers%& will be used instead.
+
+
.option data_timeout smtp time 5m
This sets a timeout for the transmission of each block in the data portion of
the message. As a result, the overall timeout for a message depends on the size
of the message. Its value must not be zero. See also &%final_timeout%&.
+.option dkim_canon smtp string&!! unset
+.option dkim_domain smtp string list&!! unset
+.option dkim_hash smtp string&!! sha256
+.option dkim_identity smtp string&!! unset
+.option dkim_private_key smtp string&!! unset
+.option dkim_selector smtp string&!! unset
+.option dkim_strict smtp string&!! unset
+.option dkim_sign_headers smtp string&!! "per RFC"
+.option dkim_timestamps smtp string&!! unset
+DKIM signing options. For details see section &<<SECDKIMSIGN>>&.
+
+
.option delay_after_cutoff smtp boolean true
+.cindex "final cutoff" "retries, controlling"
+.cindex retry "final cutoff"
This option controls what happens when all remote IP addresses for a given
domain have been inaccessible for so long that they have passed their retry
cutoff times.
details.
+.option dnssec_request_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
+
+
+.option dnssec_require_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_require_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set will be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
+
+
+.option dscp smtp string&!! unset
+.cindex "DCSP" "outbound"
+This option causes the DSCP value associated with a socket to be set to one
+of a number of fixed strings or to numeric value.
+The &%-bI:dscp%& option may be used to ask Exim which names it knows of.
+Common values include &`throughput`&, &`mincost`&, and on newer systems
+&`ef`&, &`af41`&, etc. Numeric values may be in the range 0 to 0x3F.
+
+The outbound packets from Exim will be marked with this value in the header
+(for IPv4, the TOS field; for IPv6, the TCLASS field); there is no guarantee
+that these values will have any effect, not be stripped by networking
+equipment, or do much of anything without cooperation with your Network
+Engineer and those of all network operators between the source and destination.
+
.option fallback_hosts smtp "string list" unset
.cindex "fallback" "hosts specified on transport"
instead of using the DNS. Of course, that function may in fact use the DNS, but
it may also consult other sources of information such as &_/etc/hosts_&.
-.option gnutls_require_kx smtp string unset
-This option controls the key exchange mechanisms when GnuTLS is used in an Exim
-client. For details, see section &<<SECTreqciphgnu>>&.
-
-.option gnutls_require_mac smtp string unset
-This option controls the MAC algorithms when GnuTLS is used in an Exim
-client. For details, see section &<<SECTreqciphgnu>>&.
-
-.option gnutls_require_protocols smtp string unset
-This option controls the protocols when GnuTLS is used in an Exim
-client. For details, see section &<<SECTreqciphgnu>>&.
-
.option gnutls_compat_mode smtp boolean unset
This option controls whether GnuTLS is used in compatibility mode in an Exim
server. This reduces security slightly, but improves interworking with older
Exim will not try to start a TLS session when delivering to any host that
matches this list. See chapter &<<CHAPTLS>>& for details of TLS.
+.option hosts_verify_avoid_tls smtp "host list&!!" unset
+.cindex "TLS" "avoiding for certain hosts"
+Exim will not try to start a TLS session for a verify callout,
+or when delivering in cutthrough mode,
+to any host that matches this list.
+
.option hosts_max_try smtp integer 5
.cindex "host" "maximum number to try"
message on the same connection. See section &<<SECTmulmessam>>& for an
explanation of when this might be needed.
+.option hosts_noproxy_tls smtp "host list&!!" *
+.cindex "TLS" "passing connection"
+.cindex "multiple SMTP deliveries"
+.cindex "TLS" "multiple message deliveries"
+For any host that matches this list, a TLS session which has
+been started will not be passed to a new delivery process for sending another
+message on the same session.
+
+The traditional implementation closes down TLS and re-starts it in the new
+process, on the same open TCP connection, for each successive message
+sent. If permitted by this option a pipe to to the new process is set up
+instead, and the original process maintains the TLS connection and proxies
+the SMTP connection from and to the new process and any subsequents.
+The new process has no access to TLS information, so cannot include it in
+logging.
+
+
.option hosts_override smtp boolean false
If this option is set and the &%hosts%& option is also set, any hosts that are
&<<CHAPSMTPAUTH>>& for details of authentication.
+.option hosts_request_ocsp smtp "host list&!!" *
+.cindex "TLS" "requiring for certain servers"
+Exim will request a Certificate Status on a
+TLS session for any host that matches this list.
+&%tls_verify_certificates%& should also be set for the transport.
+
+.option hosts_require_dane smtp "host list&!!" unset
+.cindex DANE "transport options"
+.cindex DANE "requiring for certain servers"
+If built with DANE support, Exim will require that a DNSSEC-validated
+TLSA record is present for any host matching the list,
+and that a DANE-verified TLS connection is made.
+There will be no fallback to in-clear communication.
+See section &<<SECDANE>>&.
+
+.option hosts_require_ocsp smtp "host list&!!" unset
+.cindex "TLS" "requiring for certain servers"
+Exim will request, and check for a valid Certificate Status being given, on a
+TLS session for any host that matches this list.
+&%tls_verify_certificates%& should also be set for the transport.
+
.option hosts_require_tls smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will insist on using a TLS session when delivering to any host that
unauthenticated. See also &%hosts_require_auth%&, and chapter
&<<CHAPSMTPAUTH>>& for details of authentication.
+.option hosts_try_chunking smtp "host list&!!" *
+.cindex CHUNKING "enabling, in client"
+.cindex BDAT "SMTP command"
+.cindex "RFC 3030" "CHUNKING"
+This option provides a list of servers to which, provided they announce
+CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
+BDAT will not be used in conjunction with a transport filter.
+
+.option hosts_try_dane smtp "host list&!!" unset
+.cindex DANE "transport options"
+.cindex DANE "attempting for certain servers"
+If built with DANE support, Exim will lookup a
+TLSA record for any host matching the list.
+If found and verified by DNSSEC,
+a DANE-verified TLS connection is made to that host;
+there will be no fallback to in-clear communication.
+See section &<<SECDANE>>&.
+
+.option hosts_try_fastopen smtp "host list&!!" unset
+.cindex "fast open, TCP" "enabling, in client"
+.cindex "TCP Fast Open" "enabling, in client"
+.cindex "RFC 7413" "TCP Fast Open"
+This option provides a list of servers to which, provided
+the facility is supported by this system, Exim will attempt to
+perform a TCP Fast Open.
+No data is sent on the SYN segment but, if the remote server also
+supports the facility, it can send its SMTP banner immediately after
+the SYN,ACK segment. This can save up to one round-trip time.
+
+The facility is only active for previously-contacted servers,
+as the initiator must present a cookie in the SYN segment.
+
+On (at least some) current Linux distributions the facility must be enabled
+in the kernel by the sysadmin before the support is usable.
+There is no option for control of the server side; if the system supports
+it it is always enabled. Note that lengthy operations in the connect ACL,
+such as DNSBL lookups, will still delay the emission of the SMTP banner.
+
+.option hosts_try_prdr smtp "host list&!!" *
+.cindex "PRDR" "enabling, optional in client"
+This option provides a list of servers to which, provided they announce
+PRDR support, Exim will attempt to negotiate PRDR
+for multi-recipient messages.
+The option can usually be left as default.
+
.option interface smtp "string list&!!" unset
.cindex "bind IP address"
.cindex "IP address" "binding"
during the expansion of the string. Forced expansion failure, or an empty
string result causes the option to be ignored. Otherwise, after expansion, the
string must be a list of IP addresses, colon-separated by default, but the
-separator can be changed in the usual way. For example:
+separator can be changed in the usual way (&<<SECTlistsepchange>>&).
+For example:
.code
interface = <; 192.168.123.123 ; 3ffe:ffff:836f::fe86:a061
.endd
permits this.
-.option multi_domain smtp boolean true
+.option multi_domain smtp boolean&!! true
.vindex "&$domain$&"
When this option is set, the &(smtp)& transport can handle a number of
addresses containing a mixture of different domains provided they all resolve
&$domain$& in an expansion for the transport, because it is set only when there
is a single domain involved in a remote delivery.
+It is expanded per-address and can depend on any of
+&$address_data$&, &$domain_data$&, &$local_part_data$&,
+&$host$&, &$host_address$& and &$host_port$&.
.option port smtp string&!! "see below"
.cindex "port" "sending TCP/IP"
If the value of this option begins with a digit it is taken as a port number;
otherwise it is looked up using &[getservbyname()]&. The default value is
-normally &"smtp"&, but if &%protocol%& is set to &"lmtp"&, the default is
-&"lmtp"&. If the expansion fails, or if a port number cannot be found, delivery
+normally &"smtp"&,
+but if &%protocol%& is set to &"lmtp"& the default is &"lmtp"&
+and if &%protocol%& is set to &"smtps"& the default is &"smtps"&.
+If the expansion fails, or if a port number cannot be found, delivery
is deferred.
+.new
+Note that at least one Linux distribution has been seen failing
+to put &"smtps"& in its &"/etc/services"& file, resulting is such deferrals.
+.wen
+
.option protocol smtp string smtp
deliveries into closed message stores. Exim also has support for running LMTP
over a pipe to a local process &-- see chapter &<<CHAPLMTP>>&.
-.new
-If this option is set to &"smtps"&, the default vaule for the &%port%& option
+If this option is set to &"smtps"&, the default value for the &%port%& option
changes to &"smtps"&, and the transport initiates TLS immediately after
connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade.
-The Internet standards bodies strongly discourage use of this mode.
+.new
+The Internet standards bodies used to strongly discourage use of this mode,
+but as of RFC 8314 it is perferred over STARTTLS for message submission
+(as distinct from MTA-MTA communication).
.wen
-.option retry_include_ip_address smtp boolean true
+.option retry_include_ip_address smtp boolean&!! true
Exim normally includes both the host name and the IP address in the key it
constructs for indexing retry data after a temporary delivery failure. This
means that when one of several IP addresses for a host is failing, it gets
However, in some dialup environments hosts are assigned a different IP address
each time they connect. In this situation the use of the IP address as part of
the retry key leads to undesirable behaviour. Setting this option false causes
-Exim to use only the host name. This should normally be done on a separate
-instance of the &(smtp)& transport, set up specially to handle the dialup
-hosts.
+Exim to use only the host name.
+Since it is expanded it can be made to depend on the host or domain.
.option serialize_hosts smtp "host list&!!" unset
may be one or two files, depending on the type of DBM in use. The same files
are used for ETRN serialization.
+See also the &%max_parallel%& generic transport option.
+
.option size_addition smtp integer 1024
.cindex "SMTP" "SIZE"
the use of the SIZE option altogether.
+.option socks_proxy smtp string&!! unset
+.cindex proxy SOCKS
+This option enables use of SOCKS proxies for connections made by the
+transport. For details see section &<<SECTproxySOCKS>>&.
+
+
.option tls_certificate smtp string&!! unset
.cindex "TLS" "client certificate, location of"
.cindex "certificate" "client, location of"
be the name of a file that contains a CRL in PEM format.
+.option tls_dh_min_bits smtp integer 1024
+.cindex "TLS" "Diffie-Hellman minimum acceptable size"
+When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman
+key agreement is negotiated, the server will provide a large prime number
+for use. This option establishes the minimum acceptable size of that number.
+If the parameter offered by the server is too small, then the TLS handshake
+will fail.
+
+Only supported when using GnuTLS.
+
+
.option tls_privatekey smtp string&!! unset
.cindex "TLS" "client private key, location of"
.vindex "&$host$&"
-.new
.option tls_sni smtp string&!! unset
.cindex "TLS" "Server Name Indication"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_sni variable and causes any
+If this option is set then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
See &<<SECTtlssni>>& for more information.
-OpenSSL only, also requiring a build of OpenSSL that supports TLS extensions.
-.wen
+Note that for OpenSSL, this feature requires a build of OpenSSL that supports
+TLS extensions.
+
in clear.
-.option tls_verify_certificates smtp string&!! unset
+.option tls_try_verify_hosts smtp "host list&!!" *
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+This option gives a list of hosts for which, on encrypted connections,
+certificate verification will be tried but need not succeed.
+The &%tls_verify_certificates%& option must also be set.
+Note that unless the host is in this list
+TLS connections will be denied to hosts using self-signed certificates
+when &%tls_verify_certificates%& is matched.
+The &$tls_out_certificate_verified$& variable is set when
+certificate verification succeeds.
+
+
+.option tls_verify_cert_hostnames smtp "host list&!!" *
+.cindex "TLS" "server certificate hostname verification"
+.cindex "certificate" "verification of server"
+This option give a list of hosts for which,
+while verifying the server certificate,
+checks will be included on the host name
+(note that this will generally be the result of a DNS MX lookup)
+versus Subject and Subject-Alternate-Name fields. Wildcard names are permitted
+limited to being the initial component of a 3-or-more component FQDN.
+
+There is no equivalent checking on client certificates.
+
+
+.option tls_verify_certificates smtp string&!! system
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
.vindex "&$host$&"
.vindex "&$host_address$&"
-The value of this option must be the absolute path to a file containing
-permitted server certificates, for use when setting up an encrypted connection.
-Alternatively, if you are using OpenSSL, you can set
-&%tls_verify_certificates%& to the name of a directory containing certificate
-files. This does not work with GnuTLS; the option must be set to the name of a
-single file if you are using GnuTLS. The values of &$host$& and
+The value of this option must be either the
+word "system"
+or the absolute path to
+a file or directory containing permitted certificates for servers,
+for use when setting up an encrypted connection.
+
+The "system" value for the option will use a location compiled into the SSL library.
+This is not available for GnuTLS versions preceding 3.0.20; a value of "system"
+is taken as empty and an explicit location
+must be specified.
+
+The use of a directory for the option value is not available for GnuTLS versions
+preceding 3.3.6 and a single file must be used.
+
+With OpenSSL the certificates specified
+explicitly
+either by file or directory
+are added to those given by the system default location.
+
+The values of &$host$& and
&$host_address$& are set to the name and address of the server during the
expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.
+For back-compatibility,
+if neither tls_verify_hosts nor tls_try_verify_hosts are set
+(a single-colon empty list counts as being set)
+and certificate verification fails the TLS connection is closed.
+
+
+.option tls_verify_hosts smtp "host list&!!" unset
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+This option gives a list of hosts for which, on encrypted connections,
+certificate verification must succeed.
+The &%tls_verify_certificates%& option must also be set.
+If both this option and &%tls_try_verify_hosts%& are unset
+operation is as if this option selected all hosts.
+
+.new
+.option utf8_downconvert smtp integer!! unset
+.cindex utf8 "address downconversion"
+.cindex i18n "utf8 address downconversion"
+If built with internationalization support,
+this option controls conversion of UTF-8 in message addresses
+to a-label form.
+For details see section &<<SECTi18nMTA>>&.
+.wen
+
.section "Testing the rewriting rules that apply on input" "SECID149"
.cindex "rewriting" "testing"
.cindex "testing" "rewriting"
-Exim's input rewriting configuration appears in a part of the run time
+Exim's input rewriting configuration appears in a part of the runtime
configuration file headed by &"begin rewrite"&. It can be tested by the
&%-brw%& command line option. This takes an address (which can be a full RFC
2822 address) as its argument. The output is a list of how the address would be
2822 address, including the angle brackets if necessary. If text outside angle
brackets contains a character whose value is greater than 126 or less than 32
(except for tab), the text is encoded according to RFC 2047. The character set
-is taken from &%headers_charset%&, which defaults to ISO-8859-1.
+is taken from &%headers_charset%&, which gets its default at build time.
When the &"w"& flag is set on a rule that causes an envelope address to be
rewritten, all but the working part of the replacement address is discarded.
part.
.cindex "regular expressions" "in retry rules"
-&*Warning*&: If you use a regular expression in a routing rule pattern, it
+&*Warning*&: If you use a regular expression in a retry rule pattern, it
must match a complete address, not just a domain, because that is how regular
expressions work in address lists.
.display
legitimate reasons for this (host died, network died), but if it repeats a lot
for the same host, it indicates something odd.
+.vitem &%lookup%&
+A DNS lookup for a host failed.
+Note that a &%dnslookup%& router will need to have matched
+its &%fail_defer_domains%& option for this retry type to be usable.
+Also note that a &%manualroute%& router will probably need
+its &%host_find_failed%& option set to &%defer%&.
+
.vitem &%refused_MX%&
A connection to a host obtained from an MX record was refused.
messages. If this delivery fails, the address fails immediately. The
post-cutoff retry time is not used.
+.cindex "final cutoff" "retries, controlling"
+.cindex retry "final cutoff"
If the delivery is remote, there are two possibilities, controlled by the
.oindex "&%delay_after_cutoff%&"
&%delay_after_cutoff%& option of the &(smtp)& transport. The option is true by
-default. Until the post-cutoff retry time for one of the IP addresses is
+default. Until the post-cutoff retry time for one of the IP addresses,
+as set by the &%retry_data_expire%& option, is
reached, the failing email address is bounced immediately, without a delivery
attempt taking place. After that time, one new delivery attempt is made to
those IP addresses that are past their retry times, and if that still fails,
its delivery when others to the same address get through. In this situation,
because some messages are successfully delivered, the &"retry clock"& for the
host or address keeps getting reset by the successful deliveries, and so
-failing messages remain on the queue for ever because the cutoff time is never
+failing messages remain in the queue for ever because the cutoff time is never
reached.
Two exceptional actions are applied to prevent this happening. The first
.chapter "SMTP authentication" "CHAPSMTPAUTH"
.scindex IIDauthconf1 "SMTP" "authentication configuration"
.scindex IIDauthconf2 "authentication"
-The &"authenticators"& section of Exim's run time configuration is concerned
+The &"authenticators"& section of Exim's runtime configuration is concerned
with SMTP authentication. This facility is an extension to the SMTP protocol,
described in RFC 2554, which allows a client SMTP host to authenticate itself
to a server. This is a common way for a server to recognize clients that are
.code
AUTH_CRAM_MD5=yes
AUTH_CYRUS_SASL=yes
-.new
AUTH_DOVECOT=yes
AUTH_GSASL=yes
AUTH_HEIMDAL_GSSAPI=yes
-.wen
AUTH_PLAINTEXT=yes
AUTH_SPA=yes
+AUTH_TLS=yes
.endd
in &_Local/Makefile_&, respectively. The first of these supports the CRAM-MD5
authentication mechanism (RFC 2195), and the second provides an interface to
the Cyrus SASL authentication library.
-.new
The third is an interface to Dovecot's authentication system, delegating the
work via a socket interface.
The fourth provides an interface to the GNU SASL authentication library, which
the PLAIN authentication mechanism (RFC 2595) or the LOGIN mechanism, which is
not formally documented, but used by several MUAs. The seventh authenticator
supports Microsoft's &'Secure Password Authentication'& mechanism.
-.wen
+The eighth is an Exim authenticator but not an SMTP one;
+instead it can use information from a TLS negotiation.
The authenticators are configured using the same syntax as other drivers (see
section &<<SECTfordricon>>&). If no authenticators are required, no
authenticators, followed by general discussion of the way authentication works
in Exim.
-.new
&*Beware:*& the meaning of &$auth1$&, &$auth2$&, ... varies on a per-driver and
per-mechanism basis. Please read carefully to determine which variables hold
account labels such as usercodes and which hold passwords or other
to a client to help it select an account and credentials to use. In some
mechanisms, the client and server provably agree on the realm, but clients
typically can not treat the realm as secure data to be blindly trusted.
-.wen
used, for example, to skip plain text authenticators when the connection is not
encrypted by a setting such as:
.code
-client_condition = ${if !eq{$tls_cipher}{}}
+client_condition = ${if !eq{$tls_out_cipher}{}}
.endd
-(Older documentation incorrectly states that &$tls_cipher$& contains the cipher
-used for incoming messages. In fact, during SMTP delivery, it contains the
-cipher used for the delivery.)
+
+
+.option client_set_id authenticators string&!! unset
+When client authentication succeeds, this condition is expanded; the
+result is used in the log lines for outbound messages.
+Typically it will be the user name used for authentication.
.option driver authenticators string unset
is used directly to control authentication. See section &<<SECTplainserver>>&
for details.
-.new
For the &(gsasl)& authenticator, this option is required for various
mechanisms; see chapter &<<CHAPgsasl>>& for details.
-.wen
For the other authenticators, &%server_condition%& can be used as an additional
authentication or authorization mechanism that is applied after the other
.option server_set_id authenticators string&!! unset
.vindex "&$authenticated_id$&"
+.vindex "&$authenticated_fail_id$&"
When an Exim server successfully authenticates a client, this string is
expanded using data from the authentication, and preserved for any incoming
messages in the variable &$authenticated_id$&. It is also included in the log
lines for incoming messages. For example, a user/password authenticator
configuration might preserve the user name that was used to authenticate, and
refer to it subsequently during delivery of the message.
+On a failing authentication the expansion result is instead saved in
+the &$authenticated_fail_id$& variable.
If expansion fails, the option is ignored.
advertisement of a particular mechanism to encrypted connections, by a setting
such as:
.code
-server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}}
.endd
-.vindex "&$tls_cipher$&"
-If the session is encrypted, &$tls_cipher$& is not empty, and so the expansion
+.vindex "&$tls_in_cipher$&"
+If the session is encrypted, &$tls_in_cipher$& is not empty, and so the expansion
yields &"yes"&, which allows the advertisement to happen.
When an Exim server receives an AUTH command from a client, it rejects it
client from which the message was received. This variable is empty if there was
no successful authentication.
+.cindex authentication "expansion item"
+Successful authentication sets up information used by the
+&$authresults$& expansion item.
+
deliver the message unauthenticated.
.endlist
+Note that the hostlist test for whether to do authentication can be
+confused if name-IP lookups change between the time the peer is decided
+upon and the time that the transport runs. For example, with a manualroute
+router given a host name, and with DNS "round-robin" used by that name: if
+the local resolver cache times out between the router and the transport
+running, the transport may get an IP for the name for its authentication
+check which does not match the connection peer IP.
+No authentication will then be done, despite the names being identical.
+
+For such cases use a separate transport which always authenticates.
+
.cindex "AUTH" "on MAIL command"
When Exim has authenticated itself to a remote server, it adds the AUTH
parameter to the MAIL commands it sends, if it has an authenticated sender for
Note that this expansion explicitly forces failure if the lookup fails
because &$auth1$& contains an unknown user name.
-.new
As another example, if you wish to re-use a Cyrus SASL sasldb2 file without
using the relevant libraries, you need to know the realm to specify in the
lookup and then ask for the &"userPassword"& attribute for that user in that
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup{$auth1:mail.example.org:userPassword}\
- dbmjz{/etc/sasldb2}}
+ dbmjz{/etc/sasldb2}{$value}fail}
server_set_id = $auth1
.endd
-.wen
.section "Using cram_md5 as a client" "SECID177"
.cindex "options" "&(cram_md5)& authenticator (client)"
.scindex IIDcyrauth2 "authenticators" "&(cyrus_sasl)&"
.cindex "Cyrus" "SASL library"
.cindex "Kerberos"
-The code for this authenticator was provided by Matthew Byng-Maddick of A L
-Digital Ltd (&url(http://www.aldigital.co.uk)).
+The code for this authenticator was provided by Matthew Byng-Maddick while
+at A L Digital Ltd.
The &(cyrus_sasl)& authenticator provides server support for the Cyrus SASL
library implementation of the RFC 2222 (&"Simple Authentication and Security
then so can the &(cyrus_sasl)& authenticator. By default it uses the public
name of the driver to determine which mechanism to support.
-Where access to some kind of secret file is required, for example in GSSAPI
+Where access to some kind of secret file is required, for example, in GSSAPI
or CRAM-MD5, it is worth noting that the authenticator runs as the Exim
user, and that the Cyrus SASL library has no way of escalating privileges
by default. You may also find you need to set environment variables,
changing the server keytab might need to be communicated down to the Kerberos
layer independently. The mechanism for doing so is dependent upon the Kerberos
implementation.
-.new
+
For example, for older releases of Heimdal, the environment variable KRB5_KTNAME
may be set to point to an alternative keytab file. Exim will pass this
variable through from its own inherited environment when started as root or the
environment variable. In practice, for those releases, the Cyrus authenticator
is not a suitable interface for GSSAPI (Kerberos) support. Instead, consider
the &(heimdal_gssapi)& authenticator, described in chapter &<<CHAPheimdalgss>>&
-.wen
.section "Using cyrus_sasl as a server" "SECID178"
server_set_id = $auth1
.endd
-.new
.option server_realm cyrus_sasl string&!! unset
This specifies the SASL realm that the server claims to be in.
-.wen
.option server_service cyrus_sasl string &`smtp`&
.scindex IIDdcotauth2 "authenticators" "&(dovecot)&"
This authenticator is an interface to the authentication facility of the
Dovecot POP/IMAP server, which can support a number of authentication methods.
+Note that Dovecot must be configured to use auth-client not auth-userdb.
If you are using Dovecot to authenticate POP/IMAP clients, it might be helpful
to use the same mechanisms for SMTP authentication. This is a server
authenticator only. There is only one option:
.option server_socket dovecot string unset
-This option must specify the socket that is the interface to Dovecot
+This option must specify the UNIX socket that is the interface to Dovecot
authentication. The &%public_name%& option must specify an authentication
mechanism that Dovecot is configured to support. You can have several
authenticators for different mechanisms. For example:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
- server_set_id = $auth2
+ server_set_id = $auth1
dovecot_ntlm:
driver = dovecot
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.new
.chapter "The gsasl authenticator" "CHAPgsasl"
.scindex IIDgsaslauth1 "&(gsasl)& authenticator"
.scindex IIDgsaslauth2 "authenticators" "&(gsasl)&"
.cindex "authentication" "CRAM-MD5"
.cindex "authentication" "SCRAM-SHA-1"
The &(gsasl)& authenticator provides server integration for the GNU SASL
-library and the mechanisms it provides. This is new as of the 4.78 release
+library and the mechanisms it provides. This is new as of the 4.80 release
and there are a few areas where the library does not let Exim smoothly
scale to handle future authentication mechanisms, so no guarantee can be
made that any particular new authentication mechanism will be supported
without code changes in Exim.
+Exim's &(gsasl)& authenticator does not have client-side support at this
+time; only the server-side support is implemented. Patches welcome.
+
+
+.option server_channelbinding gsasl boolean false
+Do not set this true without consulting a cryptographic engineer.
-.option server_channelbinding gsasl bool false
Some authentication mechanisms are able to use external context at both ends
of the session to bind the authentication to that context, and fail the
authentication process if that context differs. Specifically, some TLS
ciphersuites can provide identifying information about the cryptographic
context.
-This means that certificate identity and verification becomes a non-issue,
-as a man-in-the-middle attack will cause the correct client and server to
-see different identifiers and authentication will fail.
+This should have meant that certificate identity and verification becomes a
+non-issue, as a man-in-the-middle attack will cause the correct client and
+server to see different identifiers and authentication will fail.
This is currently only supported when using the GnuTLS library. This is
only usable by mechanisms which support "channel binding"; at time of
This defaults off to ensure smooth upgrade across Exim releases, in case
this option causes some clients to start failing. Some future release
-of Exim may switch the default to be true.
+of Exim might have switched the default to be true.
+
+However, Channel Binding in TLS has proven to be broken in current versions.
+Do not plan to rely upon this feature for security, ever, without consulting
+with a subject matter expert (a cryptographic engineer).
.option server_hostname gsasl string&!! "see below"
server_condition = yes
.endd
-.wen
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.new
.chapter "The heimdal_gssapi authenticator" "CHAPheimdalgss"
.scindex IIDheimdalgssauth1 "&(heimdal_gssapi)& authenticator"
.scindex IIDheimdalgssauth2 "authenticators" "&(heimdal_gssapi)&"
.option server_service heimdal_gssapi string&!! "smtp"
This option specifies the service identifier used, in conjunction with
-&%server_hostname%&, for building the identifer for finding credentials
+&%server_hostname%&, for building the identifier for finding credentials
from the keytab.
GSS Display Name.
.endlist
-.wen
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
Password Authentication'& mechanism,
which is also sometimes known as NTLM (NT LanMan). The code for client side of
this authenticator was contributed by Marc Prud'hommeaux, and much of it is
-taken from the Samba project (&url(http://www.samba.org)). The code for the
+taken from the Samba project (&url(https://www.samba.org/)). The code for the
server side was subsequently contributed by Tom Kistner. The mechanism works as
follows:
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+
+.chapter "The tls authenticator" "CHAPtlsauth"
+.scindex IIDtlsauth1 "&(tls)& authenticator"
+.scindex IIDtlsauth2 "authenticators" "&(tls)&"
+.cindex "authentication" "Client Certificate"
+.cindex "authentication" "X509"
+.cindex "Certificate-based authentication"
+The &(tls)& authenticator provides server support for
+authentication based on client certificates.
+
+It is not an SMTP authentication mechanism and is not
+advertised by the server as part of the SMTP EHLO response.
+It is an Exim authenticator in the sense that it affects
+the protocol element of the log line, can be tested for
+by the &%authenticated%& ACL condition, and can set
+the &$authenticated_id$& variable.
+
+The client must present a verifiable certificate,
+for which it must have been requested via the
+&%tls_verify_hosts%& or &%tls_try_verify_hosts%& main options
+(see &<<CHAPTLS>>&).
+
+If an authenticator of this type is configured it is
+run before any SMTP-level communication is done,
+and can authenticate the connection.
+If it does, SMTP authentication is not offered.
+
+A maximum of one authenticator of this type may be present.
+
+
+.cindex "options" "&(tls)& authenticator (server)"
+The &(tls)& authenticator has three server options:
+
+.option server_param1 tls string&!! unset
+.cindex "variables (&$auth1$& &$auth2$& etc)" "in &(tls)& authenticator"
+This option is expanded after the TLS negotiation and
+the result is placed in &$auth1$&.
+If the expansion is forced to fail, authentication fails. Any other expansion
+failure causes a temporary error code to be returned.
+
+.option server_param2 tls string&!! unset
+.option server_param3 tls string&!! unset
+As above, for &$auth2$& and &$auth3$&.
+
+&%server_param1%& may also be spelled &%server_param%&.
+
+
+Example:
+.code
+tls:
+ driver = tls
+ server_param1 = ${certextract {subj_altname,mail,>:} \
+ {$tls_in_peercert}}
+ server_condition = ${if and { {eq{$tls_in_certificate_verified}{1}} \
+ {forany {$auth1} \
+ {!= {0} \
+ {${lookup ldap{ldap:///\
+ mailname=${quote_ldap_dn:${lc:$item}},\
+ ou=users,LDAP_DC?mailid} {$value}{0} \
+ } } } }}}
+ server_set_id = ${if = {1}{${listcount:$auth1}} {$auth1}{}}
+.endd
+This accepts a client certificate that is verifiable against any
+of your configured trust-anchors
+(which usually means the full set of public CAs)
+and which has a SAN with a good account name.
+
+Note that, up to TLS1.2, the client cert is on the wire in-clear, including the SAN,
+The account name is therefore guessable by an opponent.
+TLS 1.3 protects both server and client certificates, and is not vulnerable
+in this way.
+Likewise, a traditional plaintext SMTP AUTH done inside TLS is not.
+
+. An alternative might use
+. .code
+. server_param1 = ${sha256:$tls_in_peercert}
+. .endd
+. to require one of a set of specific certs that define a given account
+. (the verification is still required, but mostly irrelevant).
+. This would help for per-device use.
+.
+. However, for the future we really need support for checking a
+. user cert in LDAP - which probably wants a base-64 DER.
+
+.ecindex IIDtlsauth1
+.ecindex IIDtlsauth2
+
+
+Note that because authentication is traditionally an SMTP operation,
+the &%authenticated%& ACL condition cannot be used in
+a connect- or helo-ACL.
+
+
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.section "Support for the legacy &""ssmtp""& (aka &""smtps""&) protocol" &&&
+.section "Support for the &""submissions""& (aka &""ssmtp""& and &""smtps""&) protocol" &&&
"SECID284"
+.cindex "submissions protocol"
.cindex "ssmtp protocol"
.cindex "smtps protocol"
+.cindex "SMTP" "submissions protocol"
.cindex "SMTP" "ssmtp protocol"
.cindex "SMTP" "smtps protocol"
-Early implementations of encrypted SMTP used a different TCP port from normal
-SMTP, and expected an encryption negotiation to start immediately, instead of
-waiting for a STARTTLS command from the client using the standard SMTP
-port. The protocol was called &"ssmtp"& or &"smtps"&, and port 465 was
-allocated for this purpose.
-
-This approach was abandoned when encrypted SMTP was standardized, but there are
-still some legacy clients that use it. Exim supports these clients by means of
-the &%tls_on_connect_ports%& global option. Its value must be a list of port
-numbers; the most common use is expected to be:
+The history of port numbers for TLS in SMTP is a little messy and has been
+contentious. As of RFC 8314, the common practice of using the historically
+allocated port 465 for "email submission but with TLS immediately upon connect
+instead of using STARTTLS" is officially blessed by the IETF, and recommended
+by them in preference to STARTTLS.
+
+The name originally assigned to the port was &"ssmtp"& or &"smtps"&, but as
+clarity emerged over the dual roles of SMTP, for MX delivery and Email
+Submission, nomenclature has shifted. The modern name is now &"submissions"&.
+
+This approach was, for a while, officially abandoned when encrypted SMTP was
+standardized, but many clients kept using it, even as the TCP port number was
+reassigned for other use.
+Thus you may encounter guidance claiming that you shouldn't enable use of
+this port.
+In practice, a number of mail-clients have only ever supported submissions,
+not submission with STARTTLS upgrade.
+Ideally, offer both submission (587) and submissions (465) service.
+
+Exim supports TLS-on-connect by means of the &%tls_on_connect_ports%&
+global option. Its value must be a list of port numbers;
+the most common use is expected to be:
.code
tls_on_connect_ports = 465
.endd
defined elsewhere.
There is also a &%-tls-on-connect%& command line option. This overrides
-&%tls_on_connect_ports%&; it forces the legacy behaviour for all ports.
+&%tls_on_connect_ports%&; it forces the TLS-only behaviour for all ports.
There are some differences in usage when using GnuTLS instead of OpenSSL:
.ilist
-The &%tls_verify_certificates%& option must contain the name of a file, not the
-name of a directory (for OpenSSL it can be either).
+The &%tls_verify_certificates%& option
+cannot be the path of a directory
+for GnuTLS versions before 3.3.6
+(for later versions, or OpenSSL, it can be either).
.next
-The &%tls_dhparam%& option is ignored, because early versions of GnuTLS had no
-facility for varying its Diffie-Hellman parameters. I understand that this has
-changed, but Exim has not been updated to provide this facility.
+The default value for &%tls_dhparam%& differs for historical reasons.
.next
-.vindex "&$tls_peerdn$&"
+.vindex "&$tls_in_peerdn$&"
+.vindex "&$tls_out_peerdn$&"
Distinguished Name (DN) strings reported by the OpenSSL library use a slash for
separating fields; GnuTLS uses commas, in accordance with RFC 2253. This
-affects the value of the &$tls_peerdn$& variable.
+affects the value of the &$tls_in_peerdn$& and &$tls_out_peerdn$& variables.
.next
OpenSSL identifies cipher suites using hyphens as separators, for example:
-DES-CBC3-SHA. GnuTLS uses underscores, for example: RSA_ARCFOUR_SHA. What is
-more, OpenSSL complains if underscores are present in a cipher list. To make
-life simpler, Exim changes underscores to hyphens for OpenSSL and hyphens to
-underscores for GnuTLS when processing lists of cipher suites in the
+DES-CBC3-SHA. GnuTLS historically used underscores, for example:
+RSA_ARCFOUR_SHA. What is more, OpenSSL complains if underscores are present
+in a cipher list. To make life simpler, Exim changes underscores to hyphens
+for OpenSSL and passes the string unchanged to GnuTLS (expecting the library
+to handle its own older variants) when processing lists of cipher suites in the
&%tls_require_ciphers%& options (the global option and the &(smtp)& transport
option).
.next
The &%tls_require_ciphers%& options operate differently, as described in the
sections &<<SECTreqciphssl>>& and &<<SECTreqciphgnu>>&.
-.new
+.next
+The &%tls_dh_min_bits%& SMTP transport option is only honoured by GnuTLS.
+When using OpenSSL, this option is ignored.
+(If an API is found to let OpenSSL be configured in this way,
+let the Exim Maintainers know and we'll likely use it).
+.next
+With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option
+main option, it must be ordered to match the &%tls_certificate%& list.
.next
Some other recently added features may only be available in one or the other.
This should be documented with the feature. If the documentation does not
explicitly state that the feature is infeasible in the other TLS
implementation, then patches are welcome.
-.wen
.endlist
-.section "GnuTLS parameter computation" "SECID181"
+.section "GnuTLS parameter computation" "SECTgnutlsparam"
+This section only applies if &%tls_dhparam%& is set to &`historic`& or to
+an explicit path; if the latter, then the text about generation still applies,
+but not the chosen filename.
+By default, as of Exim 4.80 a hard-coded D-H prime is used.
+See the documentation of &%tls_dhparam%& for more information.
+
GnuTLS uses D-H parameters that may take a substantial amount of time
to compute. It is unreasonable to re-compute them for every TLS session.
Therefore, Exim keeps this data in a file in its spool directory, called
-&_gnutls-params_&. The file is owned by the Exim user and is readable only by
+&_gnutls-params-NNNN_& for some value of NNNN, corresponding to the number
+of bits requested.
+The file is owned by the Exim user and is readable only by
its owner. Every Exim process that start up GnuTLS reads the D-H
parameters from this file. If the file does not exist, the first Exim process
that needs it computes the data and writes it to a temporary file which is
For maximum security, the parameters that are stored in this file should be
recalculated periodically, the frequency depending on your paranoia level.
+If you are avoiding using the fixed D-H primes published in RFCs, then you
+are concerned about some advanced attacks and will wish to do this; if you do
+not regenerate then you might as well stick to the standard primes.
+
Arranging this is easy in principle; just delete the file when you want new
values to be computed. However, there may be a problem. The calculation of new
parameters needs random numbers, and these are obtained from &_/dev/random_&.
a substantial amount of time, causing timeouts on incoming connections.
The solution is to generate the parameters externally to Exim. They are stored
-in &_gnutls-params_& in PEM format, which means that they can be generated
-externally using the &(certtool)& command that is part of GnuTLS.
+in &_gnutls-params-N_& in PEM format, which means that they can be
+generated externally using the &(certtool)& command that is part of GnuTLS.
To replace the parameters with new ones, instead of deleting the file
and letting Exim re-create it, you can generate new parameters using
&(certtool)& and, when this has been done, replace Exim's cache file by
renaming. The relevant commands are something like this:
.code
+# ls
+[ look for file; assume gnutls-params-2236 is the most recent ]
# rm -f new-params
# touch new-params
# chown exim:exim new-params
+# chmod 0600 new-params
+# certtool --generate-dh-params --bits 2236 >>new-params
+# openssl dhparam -noout -text -in new-params | head
+[ check the first line, make sure it's not more than 2236;
+ if it is, then go back to the start ("rm") and repeat
+ until the size generated is at most the size requested ]
# chmod 0400 new-params
-# certtool --generate-privkey --bits 512 >new-params
-# echo "" >>new-params
-# certtool --generate-dh-params --bits 1024 >> new-params
-# mv new-params gnutls-params
+# mv new-params gnutls-params-2236
.endd
If Exim never has to generate the parameters itself, the possibility of
stalling is removed.
+The filename changed in Exim 4.80, to gain the -bits suffix. The value which
+Exim will choose depends upon the version of GnuTLS in use. For older GnuTLS,
+the value remains hard-coded in Exim as 1024. As of GnuTLS 2.12.x, there is
+a way for Exim to ask for the "normal" number of bits for D-H public-key usage,
+and Exim does so. This attempt to remove Exim from TLS policy decisions
+failed, as GnuTLS 2.12 returns a value higher than the current hard-coded limit
+of the NSS library. Thus Exim gains the &%tls_dh_max_bits%& global option,
+which applies to all D-H usage, client or server. If the value returned by
+GnuTLS is greater than &%tls_dh_max_bits%& then the value will be clamped down
+to &%tls_dh_max_bits%&. The default value has been set at the current NSS
+limit, which is still much higher than Exim historically used.
+
+The filename and bits used will change as the GnuTLS maintainers change the
+value for their parameter &`GNUTLS_SEC_PARAM_NORMAL`&, as clamped by
+&%tls_dh_max_bits%&. At the time of writing (mid 2012), GnuTLS 2.12 recommends
+2432 bits, while NSS is limited to 2236 bits.
+
+In fact, the requested value will be *lower* than &%tls_dh_max_bits%&, to
+increase the chance of the generated prime actually being within acceptable
+bounds, as GnuTLS has been observed to overshoot. Note the check step in the
+procedure above. There is no sane procedure available to Exim to double-check
+the size of the generated prime, so it might still be too large.
+
.section "Requiring specific ciphers in OpenSSL" "SECTreqciphssl"
.cindex "TLS" "requiring specific ciphers (OpenSSL)"
.oindex "&%tls_require_ciphers%&" "OpenSSL"
There is a function in the OpenSSL library that can be passed a list of cipher
suites before the cipher negotiation takes place. This specifies which ciphers
-are acceptable. The list is colon separated and may contain names like
+.new
+are acceptable for TLS versions prior to 1.3.
+.wen
+The list is colon separated and may contain names like
DES-CBC3-SHA. Exim passes the expanded value of &%tls_require_ciphers%&
-directly to this function call. The following quotation from the OpenSSL
+directly to this function call.
+Many systems will install the OpenSSL manual-pages, so you may have
+&'ciphers(1)'& available to you.
+The following quotation from the OpenSSL
documentation specifies what forms of item are allowed in the cipher string:
.ilist
not be moved to the end of the list.
.endlist
+The OpenSSL &'ciphers(1)'& command may be used to test the results of a given
+string:
+.code
+# note single-quotes to get ! past any shell history expansion
+$ openssl ciphers 'HIGH:!MD5:!SHA1'
+.endd
+
+This example will let the library defaults be permitted on the MX port, where
+there's probably no identity verification anyway, but ups the ante on the
+submission ports where the administrator might have some influence on the
+choice of clients used:
+.code
+# OpenSSL variant; see man ciphers(1)
+tls_require_ciphers = ${if =={$received_port}{25}\
+ {DEFAULT}\
+ {HIGH:!MD5:!SHA1}}
+.endd
+
+This example will prefer ECDSA-authenticated ciphers over RSA ones:
+.code
+tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.endd
+
+.new
+For TLS version 1.3 the control available is less fine-grained
+and Exim does not provide access to it at present.
+The value of the &%tls_require_ciphers%& option is ignored when
+TLS version 1.3 is negotiated.
+
+As of writing the library default cipher suite list for TLSv1.3 is
+.code
+TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+.endd
+.wen
.section "Requiring specific ciphers or other parameters in GnuTLS" &&&
.cindex "TLS" "specifying key exchange methods (GnuTLS)"
.cindex "TLS" "specifying MAC algorithms (GnuTLS)"
.cindex "TLS" "specifying protocols (GnuTLS)"
+.cindex "TLS" "specifying priority string (GnuTLS)"
.oindex "&%tls_require_ciphers%&" "GnuTLS"
-The GnuTLS library allows the caller to specify separate lists of permitted key
-exchange methods, main cipher algorithms, MAC algorithms, and protocols.
-Unfortunately, these lists are numerical, and the library does not have a
-function for turning names into numbers. Consequently, lists of recognized
-names have to be built into the application. The permitted key exchange
-methods, ciphers, and MAC algorithms may be used in any combination to form a
-cipher suite. This is unlike OpenSSL, where complete cipher suite names are
-passed to its control function.
-
-For compatibility with OpenSSL, the &%tls_require_ciphers%& option can be set
-to complete cipher suite names such as RSA_ARCFOUR_SHA, but for GnuTLS this
-option controls only the cipher algorithms. Exim searches each item in the
-list for the name of an available algorithm. For example, if the list
-contains RSA_AES_SHA, then AES is recognized, and the behaviour is exactly
-the same as if just AES were given.
-
-.oindex "&%gnutls_require_kx%&"
-.oindex "&%gnutls_require_mac%&"
-.oindex "&%gnutls_require_protocols%&"
-There are additional options called &%gnutls_require_kx%&,
-&%gnutls_require_mac%&, and &%gnutls_require_protocols%& that can be used to
-restrict the key exchange methods, MAC algorithms, and protocols, respectively.
-These options are ignored if OpenSSL is in use.
-
-All four options are available as global options, controlling how Exim
-behaves as a server, and also as options of the &(smtp)& transport, controlling
-how Exim behaves as a client. All the values are string expanded. After
-expansion, the values must be colon-separated lists, though the separator
-can be changed in the usual way.
-
-Each of the four lists starts out with a default set of algorithms. If the
-first item in a list does &'not'& start with an exclamation mark, all the
-default items are deleted. In this case, only those that are explicitly
-specified can be used. If the first item in a list &'does'& start with an
-exclamation mark, the defaults are left on the list.
-
-Then, any item that starts with an exclamation mark causes the relevant
-entry to be removed from the list, and any item that does not start with an
-exclamation mark causes a new entry to be added to the list. Unrecognized
-items in the list are ignored. Thus:
-.code
-tls_require_ciphers = !ARCFOUR
-.endd
-allows all the defaults except ARCFOUR, whereas
-.code
-tls_require_ciphers = AES : 3DES
-.endd
-allows only cipher suites that use AES or 3DES.
-
-For &%tls_require_ciphers%& the recognized names are AES_256, AES_128, AES
-(both of the preceding), 3DES, ARCFOUR_128, ARCFOUR_40, and ARCFOUR (both of
-the preceding). The default list does not contain all of these; it just has
-AES_256, AES_128, 3DES, and ARCFOUR_128.
-
-For &%gnutls_require_kx%&, the recognized names are DHE_RSA, RSA (which
-includes DHE_RSA), DHE_DSS, and DHE (which includes both DHE_RSA and
-DHE_DSS). The default list contains RSA, DHE_DSS, DHE_RSA.
-
-For &%gnutls_require_mac%&, the recognized names are SHA (synonym SHA1), and
-MD5. The default list contains SHA, MD5.
+The GnuTLS library allows the caller to provide a "priority string", documented
+as part of the &[gnutls_priority_init]& function. This is very similar to the
+ciphersuite specification in OpenSSL.
+
+The &%tls_require_ciphers%& option is treated as the GnuTLS priority string
+and controls both protocols and ciphers.
+
+The &%tls_require_ciphers%& option is available both as an global option,
+controlling how Exim behaves as a server, and also as an option of the
+&(smtp)& transport, controlling how Exim behaves as a client. In both cases
+the value is string expanded. The resulting string is not an Exim list and
+the string is given to the GnuTLS library, so that Exim does not need to be
+aware of future feature enhancements of GnuTLS.
+
+Documentation of the strings accepted may be found in the GnuTLS manual, under
+"Priority strings". This is online as
+&url(https://www.gnutls.org/manual/html_node/Priority-Strings.html),
+but beware that this relates to GnuTLS 3, which may be newer than the version
+installed on your system. If you are using GnuTLS 3,
+then the example code
+&url(https://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string)
+on that site can be used to test a given string.
-.new
-For &%gnutls_require_protocols%&, the recognized names are TLS1.2, TLS1.1,
-TLS1.0, (TLS1) and SSL3.
-The default list contains TLS1.2, TLS1.1, TLS1.0, SSL3.
-TLS1 is an alias for TLS1.0, for backwards compatibility.
-For sufficiently old versions of the GnuTLS library, TLS1.2 or TLS1.1 might
-not be supported and will not be recognised by Exim.
-.wen
+For example:
+.code
+# Disable older versions of protocols
+tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0
+.endd
-In a server, the order of items in these lists is unimportant. The server
-advertises the availability of all the relevant cipher suites. However, in a
-client, the order in the &%tls_require_ciphers%& list specifies a preference
-order for the cipher algorithms. The first one in the client's list that is
-also advertised by the server is tried first. The default order is as listed
-above.
+Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three
+additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and
+"&%gnutls_require_protocols%&". &%tls_require_ciphers%& was an Exim list.
+This example will let the library defaults be permitted on the MX port, where
+there's probably no identity verification anyway, and lowers security further
+by increasing compatibility; but this ups the ante on the submission ports
+where the administrator might have some influence on the choice of clients
+used:
+.code
+# GnuTLS variant
+tls_require_ciphers = ${if =={$received_port}{25}\
+ {NORMAL:%COMPAT}\
+ {SECURE128}}
+.endd
.section "Configuring an Exim server to use TLS" "SECID182"
.cindex "TLS" "configuring an Exim server"
When Exim has been built with TLS support, it advertises the availability of
the STARTTLS command to client hosts that match &%tls_advertise_hosts%&,
-but not to any others. The default value of this option is unset, which means
-that STARTTLS is not advertised at all. This default is chosen because you
-need to set some other options in order to make TLS available, and also it is
-sensible for systems that want to use TLS only as a client.
+but not to any others. The default value of this option is *, which means
+that STARTTLS is always advertised. Set it to blank to never advertise;
+this is reasonable for systems that want to use TLS only as a client.
+
+If STARTTLS is to be used you
+need to set some other options in order to make TLS available.
If a client issues a STARTTLS command and there is some configuration
problem in the server, the command is rejected with a 454 error. If the client
If a STARTTLS command is issued within an existing TLS session, it is
rejected with a 554 error code.
-To enable TLS operations on a server, you must set &%tls_advertise_hosts%& to
-match some hosts. You can, of course, set it to * to match all hosts.
-However, this is not all you need to do. TLS sessions to a server won't work
-without some further configuration at the server end.
+To enable TLS operations on a server, the &%tls_advertise_hosts%& option
+must be set to match some hosts. The default is * which matches all hosts.
-It is rumoured that all existing clients that support TLS/SSL use RSA
-encryption. To make this work you need to set, in the server,
+If this is all you do, TLS encryption will be enabled but not authentication -
+meaning that the peer has no assurance it is actually you he is talking to.
+You gain protection from a passive sniffer listening on the wire but not
+from someone able to intercept the communication.
+
+Further protection requires some further configuration at the server end.
+
+To make TLS work you need to set, in the server,
.code
tls_certificate = /some/file/name
tls_privatekey = /some/file/name
These options are, in fact, expanded strings, so you can make them depend on
the identity of the client that is connected if you wish. The first file
contains the server's X509 certificate, and the second contains the private key
-that goes with it. These files need to be readable by the Exim user, and must
-always be given as full path names. They can be the same file if both the
+that goes with it. These files need to be
+PEM format and readable by the Exim user, and must
+always be given as full path names.
+The key must not be password-protected.
+They can be the same file if both the
certificate and the key are contained within it. If &%tls_privatekey%& is not
set, or if its expansion is forced to fail or results in an empty string, this
is assumed to be the case. The certificate file may also contain intermediate
certificates that need to be sent to the client to enable it to authenticate
the server's certificate.
+For dual-stack (eg. RSA and ECDSA) configurations, these options can be
+colon-separated lists of file paths. Ciphers using given authentication
+algorithms require the presence of a suitable certificate to supply the
+public-key. The server selects among the certificates to present to the
+client depending on the selected cipher, hence the priority ordering for
+ciphers will affect which certificate is used.
+
If you do not understand about certificates and keys, please try to find a
source of this background information, which is not Exim-specific. (There are a
few comments below in section &<<SECTcerandall>>&.)
tls_dhparam = /some/file/name
.endd
is set, the SSL library is initialized for the use of Diffie-Hellman ciphers
-with the parameters contained in the file. This increases the set of cipher
-suites that the server supports. See the command
+with the parameters contained in the file.
+Set this to &`none`& to disable use of DH entirely, by making no prime
+available:
+.code
+tls_dhparam = none
+.endd
+This may also be set to a string identifying a standard prime to be used for
+DH; if it is set to &`default`& or, for OpenSSL, is unset, then the prime
+used is &`ike23`&. There are a few standard primes available, see the
+documentation for &%tls_dhparam%& for the complete list.
+
+See the command
.code
openssl dhparam
.endd
-for a way of generating this data. At present, &%tls_dhparam%& is used only
-when Exim is linked with OpenSSL. It is ignored if GnuTLS is being used.
+for a way of generating file data.
The strings supplied for these three options are expanded every time a client
host connects. It is therefore possible to use different certificates and keys
.cindex "cipher" "logging"
.cindex "log" "TLS cipher"
-.vindex "&$tls_cipher$&"
-The variable &$tls_cipher$& is set to the cipher suite that was negotiated for
+.vindex "&$tls_in_cipher$&"
+The variable &$tls_in_cipher$& is set to the cipher suite that was negotiated for
an incoming TLS connection. It is included in the &'Received:'& header of an
incoming message (by default &-- you can, of course, change this), and it is
also included in the log line that records a message's arrival, keyed by
&"X="&, unless the &%tls_cipher%& log selector is turned off. The &%encrypted%&
condition can be used to test for specific cipher suites in ACLs.
-(For outgoing SMTP deliveries, &$tls_cipher$& is reset &-- see section
-&<<SECID185>>&.)
Once TLS has been established, the ACLs that run for subsequent SMTP commands
can check the name of the cipher suite and vary their actions accordingly. The
contexts is known as TLS_RSA_WITH_3DES_EDE_CBC_SHA. Check the OpenSSL or GnuTLS
documentation for more details.
+For outgoing SMTP deliveries, &$tls_out_cipher$& is used and logged
+(again depending on the &%tls_cipher%& log selector).
+
.section "Requesting and verifying client certificates" "SECID183"
.cindex "certificate" "verification of client"
apply to all TLS connections. For any host that matches one of these options,
Exim requests a certificate as part of the setup of the TLS session. The
contents of the certificate are verified by comparing it with a list of
-expected certificates. These must be available in a file or,
-for OpenSSL only (not GnuTLS), a directory, identified by
+expected trust-anchors or certificates.
+These may be the system default set (depending on library version),
+an explicit file or,
+depending on library version, a directory, identified by
&%tls_verify_certificates%&.
A file can contain multiple certificates, concatenated end to end. If a
.endd
where &_/cert/file_& contains a single certificate.
+There is no checking of names of the client against the certificate
+Subject Name or Subject Alternate Names.
+
The difference between &%tls_verify_hosts%& and &%tls_try_verify_hosts%& is
what happens if the client does not supply a certificate, or if the certificate
does not match any of the certificates in the collection named by
example, you can insist on a certificate before accepting a message for
relaying, but not when the message is destined for local delivery.
-.vindex "&$tls_peerdn$&"
+.vindex "&$tls_in_peerdn$&"
When a client supplies a certificate (whether it verifies or not), the value of
the Distinguished Name of the certificate is made available in the variable
-&$tls_peerdn$& during subsequent processing of the message.
+&$tls_in_peerdn$& during subsequent processing of the message.
.cindex "log" "distinguished name"
Because it is often a long text string, it is not included in the log line or
&'Received:'& header by default. You can arrange for it to be logged, keyed by
&"DN="&, by setting the &%tls_peerdn%& log selector, and you can use
&%received_header_text%& to change the &'Received:'& header. When no
-certificate is supplied, &$tls_peerdn$& is empty.
+certificate is supplied, &$tls_in_peerdn$& is empty.
.section "Revoked certificates" "SECID184"
.cindex "TLS" "revoked certificates"
.cindex "revocation list"
.cindex "certificate" "revocation list"
+.cindex "OCSP" "stapling"
Certificate issuing authorities issue Certificate Revocation Lists (CRLs) when
certificates are revoked. If you have such a list, you can pass it to an Exim
server using the global option called &%tls_crl%& and to an Exim client using
an identically named option for the &(smtp)& transport. In each case, the value
of the option is expanded and must then be the name of a file that contains a
CRL in PEM format.
+The downside is that clients have to periodically re-download a potentially huge
+file from every certificate authority they know of.
+
+The way with most moving parts at query time is Online Certificate
+Status Protocol (OCSP), where the client verifies the certificate
+against an OCSP server run by the CA. This lets the CA track all
+usage of the certs. It requires running software with access to the
+private key of the CA, to sign the responses to the OCSP queries. OCSP
+is based on HTTP and can be proxied accordingly.
+
+The only widespread OCSP server implementation (known to this writer)
+comes as part of OpenSSL and aborts on an invalid request, such as
+connecting to the port and then disconnecting. This requires
+re-entering the passphrase each time some random client does this.
+
+The third way is OCSP Stapling; in this, the server using a certificate
+issued by the CA periodically requests an OCSP proof of validity from
+the OCSP server, then serves it up inline as part of the TLS
+negotiation. This approach adds no extra round trips, does not let the
+CA track users, scales well with number of certs issued by the CA and is
+resilient to temporary OCSP server failures, as long as the server
+starts retrying to fetch an OCSP proof some time before its current
+proof expires. The downside is that it requires server support.
+
+Unless Exim is built with the support disabled,
+or with GnuTLS earlier than version 3.3.16 / 3.4.8
+support for OCSP stapling is included.
+
+There is a global option called &%tls_ocsp_file%&.
+The file specified therein is expected to be in DER format, and contain
+an OCSP proof. Exim will serve it as part of the TLS handshake. This
+option will be re-expanded for SNI, if the &%tls_certificate%& option
+contains &`tls_in_sni`&, as per other TLS options.
+
+Exim does not at this time implement any support for fetching a new OCSP
+proof. The burden is on the administrator to handle this, outside of
+Exim. The file specified should be replaced atomically, so that the
+contents are always valid. Exim will expand the &%tls_ocsp_file%& option
+on each connection, so a new file will be handled transparently on the
+next connection.
+
+When built with OpenSSL Exim will check for a valid next update timestamp
+in the OCSP proof; if not present, or if the proof has expired, it will be
+ignored.
+
+For the client to be able to verify the stapled OCSP the server must
+also supply, in its stapled information, any intermediate
+certificates for the chain leading to the OCSP proof from the signer
+of the server certificate. There may be zero or one such. These
+intermediate certificates should be added to the server OCSP stapling
+file named by &%tls_ocsp_file%&.
+
+Note that the proof only covers the terminal server certificate,
+not any of the chain from CA to it.
+
+There is no current way to staple a proof for a client certificate.
+
+.code
+ A helper script "ocsp_fetch.pl" for fetching a proof from a CA
+ OCSP server is supplied. The server URL may be included in the
+ server certificate, if the CA is helpful.
+
+ One failure mode seen was the OCSP Signer cert expiring before the end
+ of validity of the OCSP proof. The checking done by Exim/OpenSSL
+ noted this as invalid overall, but the re-fetch script did not.
+.endd
+
+
.section "Configuring an Exim client to use TLS" "SECID185"
&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
-must name a file or,
-for OpenSSL only (not GnuTLS), a directory, that contains a collection of
-expected server certificates. The client verifies the server's certificate
+specifies a collection of expected server certificates.
+These may be
+the system default set (depending on library version),
+a file,
+or (depending on library version) a directory.
+The client verifies the server's certificate
against this collection, taking into account any revoked certificates that are
in the list defined by &%tls_crl%&.
+Failure to verify fails the TLS connection unless either of the
+&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set.
+
+The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict
+certificate verification to the listed servers. Verification either must
+or need not succeed respectively.
+
+The &%tls_verify_cert_hostnames%& option lists hosts for which additional
+checks are made: that the host name (the one in the DNS A record)
+is valid for the certificate.
+The option defaults to always checking.
+
+The &(smtp)& transport has two OCSP-related options:
+&%hosts_require_ocsp%&; a host-list for which a Certificate Status
+is requested and required for the connection to proceed. The default
+value is empty.
+&%hosts_request_ocsp%&; a host-list for which (additionally)
+a Certificate Status is requested (but not necessarily verified). The default
+value is "*" meaning that requests are made unless configured
+otherwise.
+
+The host(s) should also be in &%hosts_require_tls%&, and
+&%tls_verify_certificates%& configured for the transport,
+for OCSP to be relevant.
If
&%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a
which the client is connected. Forced failure of an expansion causes Exim to
behave as if the relevant option were unset.
-.vindex &$tls_bits$&
-.vindex &$tls_cipher$&
-.vindex &$tls_peerdn$&
-.vindex &$tls_sni$&
+.vindex &$tls_out_bits$&
+.vindex &$tls_out_cipher$&
+.vindex &$tls_out_peerdn$&
+.vindex &$tls_out_sni$&
Before an SMTP connection is established, the
-&$tls_bits$&, &$tls_cipher$&, &$tls_peerdn$& and &$tls_sni$&
+&$tls_out_bits$&, &$tls_out_cipher$&, &$tls_out_peerdn$& and &$tls_out_sni$&
variables are emptied. (Until the first connection, they contain the values
that were set when the message was received.) If STARTTLS is subsequently
successfully obeyed, these variables are set to the relevant values for the
-.new
.section "Use of TLS Server Name Indication" "SECTtlssni"
.cindex "TLS" "Server Name Indication"
-.vindex "&$tls_sni$&"
-.oindex "&%tls_sni%&"
+.vindex "&$tls_in_sni$&"
+.oindex "&%tls_in_sni%&"
With TLS1.0 or above, there is an extension mechanism by which extra
information can be included at various points in the protocol. One of these
extensions, documented in RFC 6066 (and before that RFC 4366) is
within and possibly choose to use different certificates and keys (and more)
for this session.
-This is analagous to HTTP's &"Host:"& header, and is the main mechanism by
+This is analogous to HTTP's &"Host:"& header, and is the main mechanism by
which HTTPS-enabled web-sites can be virtual-hosted, many sites to one IP
address.
The &%tls_sni%& option on an SMTP transport is an expanded string; the result,
if not empty, will be sent on a TLS session as part of the handshake. There's
nothing more to it. Choosing a sensible value not derived insecurely is the
-only point of caution. The &$tls_sni$& variable will be set to this string
+only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
-Except during SMTP client sessions, if &$tls_sni$& is set then it is a string
+Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
-If the string &`tls_sni`& appears in the main section's &%tls_certificate%&
+If the string &`tls_in_sni`& appears in the main section's &%tls_certificate%&
option (prior to expansion) then the following options will be re-expanded
during TLS session handshake, to permit alternative values to be chosen:
.ilist
-.vindex "&%tls_certificate%&"
&%tls_certificate%&
.next
-.vindex "&%tls_crl%&"
&%tls_crl%&
.next
-.vindex "&%tls_privatekey%&"
&%tls_privatekey%&
.next
-.vindex "&%tls_verify_certificates%&"
&%tls_verify_certificates%&
+.next
+&%tls_ocsp_file%&
.endlist
Great care should be taken to deal with matters of case, various injection
attacks in the string (&`../`& or SQL), and ensuring that a valid filename
-can always be referenced; it is important to remember that &$tls_sni$& is
+can always be referenced; it is important to remember that &$tls_in_sni$& is
arbitrary unverified data provided prior to authentication.
+Further, the initial certificate is loaded before SNI is arrived, so
+an expansion for &%tls_certificate%& must have a default which is used
+when &$tls_in_sni$& is empty.
The Exim developers are proceeding cautiously and so far no other TLS options
are re-expanded.
-Currently SNI support is only available if using OpenSSL, with TLS Extensions
-support enabled therein.
-.wen
+When Exim is built against OpenSSL, OpenSSL must have been built with support
+for TLS Extensions. This holds true for OpenSSL 1.0.0+ and 0.9.8+ with
+enable-tlsext in EXTRACONFIGURE. If you invoke &(openssl s_client -h)& and
+see &`-servername`& in the output, then OpenSSL has support.
+
+When Exim is built against GnuTLS, SNI support is available as of GnuTLS
+0.5.10. (Its presence predates the current API which Exim uses, so if Exim
+built, then you have SNI support).
one process to the next. This implementation does not fit well with the use
of TLS, because there is quite a lot of state information associated with a TLS
connection, not just a socket identification. Passing all the state information
-to a new process is not feasible. Consequently, Exim shuts down an existing TLS
-session before passing the socket to a new process. The new process may then
+to a new process is not feasible. Consequently, for sending using TLS Exim
+starts an additional proxy process for handling the encryption, piping the
+unencrypted data stream from and to the delivery processes.
+
+An older mode of operation can be enabled on a per-host basis by the
+&%hosts_noproxy_tls%& option on the &(smtp)& transport. If the host matches
+this list the proxy process described above is not used; instead Exim
+shuts down an existing TLS session being run by the delivery process
+before passing the socket to a new process. The new process may then
try to start a new TLS session, and if successful, may try to re-authenticate
if AUTH is in use, before sending the next message.
.section "Certificates and all that" "SECTcerandall"
.cindex "certificate" "references to discussion"
In order to understand fully how TLS works, you need to know about
-certificates, certificate signing, and certificate authorities. This is not the
-place to give a tutorial, especially as I do not know very much about it
-myself. Some helpful introduction can be found in the FAQ for the SSL addition
-to Apache, currently at
+certificates, certificate signing, and certificate authorities.
+This is a large topic and an introductory guide is unsuitable for the Exim
+reference manual, so instead we provide pointers to existing documentation.
+
+The Apache web-server was for a long time the canonical guide, so their
+documentation is a good place to start; their SSL module's Introduction
+document is currently at
.display
-&url(http://www.modssl.org/docs/2.7/ssl_faq.html#ToC24)
+&url(https://httpd.apache.org/docs/current/ssl/ssl_intro.html)
.endd
-Other parts of the &'modssl'& documentation are also helpful, and have
-links to further files.
-Eric Rescorla's book, &'SSL and TLS'&, published by Addison-Wesley (ISBN
-0-201-61598-3), contains both introductory and more in-depth descriptions.
-Some sample programs taken from the book are available from
+and their FAQ is at
.display
-&url(http://www.rtfm.com/openssl-examples/)
+&url(https://httpd.apache.org/docs/current/ssl/ssl_faq.html)
.endd
+Eric Rescorla's book, &'SSL and TLS'&, published by Addison-Wesley (ISBN
+0-201-61598-3) in 2001, contains both introductory and more in-depth
+descriptions.
+More recently Ivan Ristić's book &'Bulletproof SSL and TLS'&,
+published by Feisty Duck (ISBN 978-1907117046) in 2013 is good.
+Ivan is the author of the popular TLS testing tools at
+&url(https://www.ssllabs.com/).
+
.section "Certificate chains" "SECID186"
The file named by &%tls_certificate%& may contain more than one
root certificate along with the rest makes it available for the user to
install if the receiving end is a client MUA that can interact with a user.
+Note that certificates using MD5 are unlikely to work on today's Internet;
+even if your libraries allow loading them for use in Exim when acting as a
+server, increasingly clients will not accept such certificates. The error
+diagnostics in such a case can be frustratingly vague.
+
+
.section "Self-signed certificates" "SECID187"
.cindex "certificate" "self-signed"
You can create a self-signed certificate using the &'req'& command provided
with OpenSSL, like this:
+. ==== Do not shorten the duration here without reading and considering
+. ==== the text below. Please leave it at 9999 days.
.code
openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 \
-days 9999 -nodes
prompting for the passphrase. This is not helpful if you are going to use
this certificate and key in an MTA, where prompting is not possible.
+. ==== I expect to still be working 26 years from now. The less technical
+. ==== debt I create, in terms of storing up trouble for my later years, the
+. ==== happier I will be then. We really have reached the point where we
+. ==== should start, at the very least, provoking thought and making folks
+. ==== pause before proceeding, instead of leaving all the fixes until two
+. ==== years before 2^31 seconds after the 1970 Unix epoch.
+. ==== -pdp, 2012
+NB: we are now past the point where 9999 days takes us past the 32-bit Unix
+epoch. If your system uses unsigned time_t (most do) and is 32-bit, then
+the above command might produce a date in the past. Think carefully about
+the lifetime of the systems you're deploying, and either reduce the duration
+of the certificate or reconsider your platform deployment. (At time of
+writing, reducing the duration is the most likely choice, but the inexorable
+progression of time takes us steadily towards an era where this will not
+be a sensible resolution).
+
A self-signed certificate made in this way is sufficient for testing, and
may be adequate for all your requirements if you are mainly interested in
encrypting transfers, and not in secure identification.
For information on creating self-signed CA certificates and using them to sign
user certificates, see the &'General implementation overview'& chapter of the
Open-source PKI book, available online at
-&url(http://ospkibook.sourceforge.net/).
+&url(https://sourceforge.net/projects/ospkibook/).
.ecindex IIDencsmtp1
.ecindex IIDencsmtp2
+.section DANE "SECDANE"
+.cindex DANE
+DNS-based Authentication of Named Entities, as applied to SMTP over TLS, provides assurance to a client that
+it is actually talking to the server it wants to rather than some attacker operating a Man In The Middle (MITM)
+operation. The latter can terminate the TLS connection you make, and make another one to the server (so both
+you and the server still think you have an encrypted connection) and, if one of the "well known" set of
+Certificate Authorities has been suborned - something which *has* been seen already (2014), a verifiable
+certificate (if you're using normal root CAs, eg. the Mozilla set, as your trust anchors).
+
+What DANE does is replace the CAs with the DNS as the trust anchor. The assurance is limited to a) the possibility
+that the DNS has been suborned, b) mistakes made by the admins of the target server. The attack surface presented
+by (a) is thought to be smaller than that of the set of root CAs.
+
+It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply
+fail to pass on a server's STARTTLS.
+
+DANE scales better than having to maintain (and side-channel communicate) copies of server certificates
+for every possible target server. It also scales (slightly) better than having to maintain on an SMTP
+client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates.
+
+DANE requires a server operator to do three things: 1) run DNSSEC. This provides assurance to clients
+that DNS lookups they do for the server have not been tampered with. The domain MX record applying
+to this server, its A record, its TLSA record and any associated CNAME records must all be covered by
+DNSSEC.
+2) add TLSA DNS records. These say what the server certificate for a TLS connection should be.
+3) offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records.
+
+There are no changes to Exim specific to server-side operation of DANE.
+Support for client-side operation of DANE can be included at compile time by defining SUPPORT_DANE=yes
+in &_Local/Makefile_&.
+If it has been included, the macro "_HAVE_DANE" will be defined.
+
+The TLSA record for the server may have "certificate usage" of DANE-TA(2) or DANE-EE(3).
+These are the "Trust Anchor" and "End Entity" variants.
+The latter specifies the End Entity directly, i.e. the certificate involved is that of the server
+(and if only DANE-EE is used then it should be the sole one transmitted during the TLS handshake);
+this is appropriate for a single system, using a self-signed certificate.
+DANE-TA usage is effectively declaring a specific CA to be used; this might be a private CA or a public,
+well-known one.
+A private CA at simplest is just a self-signed certificate (with certain
+attributes) which is used to sign server certificates, but running one securely
+does require careful arrangement.
+With DANE-TA, as implemented in Exim and commonly in other MTAs,
+the server TLS handshake must transmit the entire certificate chain from CA to server-certificate.
+DANE-TA is commonly used for several services and/or servers, each having a TLSA query-domain CNAME record,
+all of which point to a single TLSA record.
+DANE-TA and DANE-EE can both be used together.
+
+.new
+Our recommendation is to use DANE with a certificate from a public CA,
+because this enables a variety of strategies for remote clients to verify
+your certificate.
+You can then publish information both via DANE and another technology,
+"MTA-STS", described below.
+
+When you use DANE-TA to publish trust anchor information, you ask entities
+outside your administrative control to trust the Certificate Authority for
+connections to you.
+If using a private CA then you should expect others to still apply the
+technical criteria they'd use for a public CA to your certificates.
+In particular, you should probably try to follow current best practices for CA
+operation around hash algorithms and key sizes.
+Do not expect other organizations to lower their security expectations just
+because a particular profile might be reasonable for your own internal use.
+
+When this text was last updated, this in practice means to avoid use of SHA-1
+and MD5; if using RSA to use key sizes of at least 2048 bits (and no larger
+than 4096, for interoperability); to use keyUsage fields correctly; to use
+random serial numbers.
+The list of requirements is subject to change as best practices evolve.
+If you're not already using a private CA, or it doesn't meet these
+requirements, then we encourage you to avoid all these issues and use a public
+CA such as &url(https://letsencrypt.org/,Let's Encrypt) instead.
+.wen
+
+The TLSA record should have a Selector field of SPKI(1) and a Matching Type field of SHA2-512(2).
+
+At the time of writing, &url(https://www.huque.com/bin/gen_tlsa)
+is useful for quickly generating TLSA records; and commands like
+
+.code
+ openssl x509 -in -pubkey -noout <certificate.pem \
+ | openssl rsa -outform der -pubin 2>/dev/null \
+ | openssl sha512 \
+ | awk '{print $2}'
+.endd
+
+are workable for 4th-field hashes.
+
+For use with the DANE-TA model, server certificates must have a correct name (SubjectName or SubjectAltName).
+
+.new
+The Certificate issued by the CA published in the DANE-TA model should be
+issued using a strong hash algorithm.
+Exim, and importantly various other MTAs sending to you, will not
+re-enable hash algorithms which have been disabled by default in TLS
+libraries.
+This means no MD5 and no SHA-1. SHA2-256 is the minimum for reliable
+interoperability (and probably the maximum too, in 2018).
+.wen
+
+The use of OCSP-stapling should be considered, allowing for fast revocation of certificates (which would otherwise
+be limited by the DNS TTL on the TLSA records). However, this is likely to only be usable with DANE-TA. NOTE: the
+default of requesting OCSP for all hosts is modified iff DANE is in use, to:
+
+.code
+ hosts_request_ocsp = ${if or { {= {0}{$tls_out_tlsa_usage}} \
+ {= {4}{$tls_out_tlsa_usage}} } \
+ {*}{}}
+.endd
+
+The (new) variable &$tls_out_tlsa_usage$& is a bitfield with numbered bits set for TLSA record usage codes.
+The zero above means DANE was not in use, the four means that only DANE-TA usage TLSA records were
+found. If the definition of &%hosts_request_ocsp%& includes the
+string "tls_out_tlsa_usage", they are re-expanded in time to
+control the OCSP request.
+
+This modification of hosts_request_ocsp is only done if it has the default value of "*". Admins who change it, and
+those who use &%hosts_require_ocsp%&, should consider the interaction with DANE in their OCSP settings.
+
+
+For client-side DANE there are three new smtp transport options, &%hosts_try_dane%&, &%hosts_require_dane%&
+and &%dane_require_tls_ciphers%&.
+The require variant will result in failure if the target host is not DNSSEC-secured.
+
+DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
+
+A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using dnssec.
+If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
+will be required for the host. If it does not, the host will not
+be used; there is no fallback to non-DANE or non-TLS.
+
+If DANE is requested and usable, then the TLS cipher list configuration
+prefers to use the option &%dane_require_tls_ciphers%& and falls
+back to &%tls_require_ciphers%& only if that is unset.
+This lets you configure "decent crypto" for DANE and "better than nothing
+crypto" as the default. Note though that while GnuTLS lets the string control
+which versions of TLS/SSL will be negotiated, OpenSSL does not and you're
+limited to ciphersuite constraints.
+
+If DANE is requested and useable (see above) the following transport options are ignored:
+.code
+ hosts_require_tls
+ tls_verify_hosts
+ tls_try_verify_hosts
+ tls_verify_certificates
+ tls_crl
+ tls_verify_cert_hostnames
+.endd
+
+If DANE is not usable, whether requested or not, and CA-anchored
+verification evaluation is wanted, the above variables should be set appropriately.
+
+Currently the &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored.
+
+If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane".
+
+There is a new variable &$tls_out_dane$& which will have "yes" if
+verification succeeded using DANE and "no" otherwise (only useful
+in combination with events; see &<<CHAPevents>>&),
+and a new variable &$tls_out_tlsa_usage$& (detailed above).
+
+.cindex DANE reporting
+An event (see &<<CHAPevents>>&) of type "dane:fail" will be raised on failures
+to achieve DANE-verified connection, if one was either requested and offered, or
+required. This is intended to support TLS-reporting as defined in
+&url(https://tools.ietf.org/html/draft-ietf-uta-smtp-tlsrpt-17).
+The &$event_data$& will be one of the Result Types defined in
+Section 4.3 of that document.
+
+Under GnuTLS, DANE is only supported from version 3.0.0 onwards.
+
+DANE is specified in published RFCs and decouples certificate authority trust
+selection from a "race to the bottom" of "you must trust everything for mail
+to get through". There is an alternative technology called MTA-STS, which
+instead publishes MX trust anchor information on an HTTPS website. At the
+time this text was last updated, MTA-STS was still a draft, not yet an RFC.
+Exim has no support for MTA-STS as a client, but Exim mail server operators
+can choose to publish information describing their TLS configuration using
+MTA-STS to let those clients who do use that protocol derive trust
+information.
+
+The MTA-STS design requires a certificate from a public Certificate Authority
+which is recognized by clients sending to you.
+That selection of which CAs are trusted by others is outside your control.
+
+The most interoperable course of action is probably to use
+&url(https://letsencrypt.org/,Let's Encrypt), with automated certificate
+renewal; to publish the anchor information in DNSSEC-secured DNS via TLSA
+records for DANE clients (such as Exim and Postfix) and to publish anchor
+information for MTA-STS as well. This is what is done for the &'exim.org'&
+domain itself (with caveats around occasionally broken MTA-STS because of
+incompatible specification changes prior to reaching RFC status).
+
+
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
.cindex "control of incoming mail"
.cindex "message" "controlling incoming"
.cindex "policy control" "access control lists"
-Access Control Lists (ACLs) are defined in a separate section of the run time
+Access Control Lists (ACLs) are defined in a separate section of the runtime
configuration file, headed by &"begin acl"&. Each ACL definition starts with a
name, terminated by a colon. Here is a complete ACL section that contains just
one very small ACL:
.section "Testing ACLs" "SECID188"
The &%-bh%& command line option provides a way of testing your ACL
configuration locally by running a fake SMTP session with which you interact.
-The host &'relay-test.mail-abuse.org'& provides a service for checking your
-relaying configuration (see section &<<SECTcheralcon>>& for more details).
-
.section "Specifying when ACLs are used" "SECID189"
.cindex "EXPN" "ACL for"
.cindex "HELO" "ACL for"
.cindex "EHLO" "ACL for"
+.cindex "DKIM" "ACL for"
.cindex "MAIL" "ACL for"
.cindex "QUIT, ACL for"
.cindex "RCPT" "ACL for"
.cindex "SMTP" "connection, ACL for"
.cindex "non-SMTP messages" "ACLs for"
.cindex "MIME content scanning" "ACL for"
+.cindex "PRDR" "ACL for"
.table2 140pt
.irow &%acl_not_smtp%& "ACL for non-SMTP messages"
.irow &%acl_smtp_auth%& "ACL for AUTH"
.irow &%acl_smtp_connect%& "ACL for start of SMTP connection"
.irow &%acl_smtp_data%& "ACL after DATA is complete"
+.irow &%acl_smtp_data_prdr%& "ACL for each recipient, after DATA is complete"
+.irow &%acl_smtp_dkim%& "ACL for each DKIM signer"
.irow &%acl_smtp_etrn%& "ACL for ETRN"
.irow &%acl_smtp_expn%& "ACL for EXPN"
.irow &%acl_smtp_helo%& "ACL for HELO or EHLO"
session, and indeed is required to issue a new EHLO or HELO after successfully
setting up encryption following a STARTTLS command.
+Note also that a deny neither forces the client to go away nor means that
+mail will be refused on the connection. Consider checking for
+&$sender_helo_name$& being defined in a MAIL or RCPT ACL to do that.
+
If the command is accepted by an &%accept%& verb that has a &%message%&
modifier, the message may not contain more than one line (it will be truncated
at the first newline and a panic logged if it does). Such a message cannot
the ACL specified by &%acl_smtp_data%&, which is the second ACL that is
associated with the DATA command.
+.cindex CHUNKING "BDAT command"
+.cindex BDAT "SMTP command"
+.cindex "RFC 3030" CHUNKING
+If CHUNKING was advertised and a BDAT command sequence is received,
+the &%acl_smtp_predata%& ACL is not run.
+. XXX why not? It should be possible, for the first BDAT.
+The &%acl_smtp_data%& is run after the last BDAT command and all of
+the data specified is received.
+
For both of these ACLs, it is not possible to reject individual recipients. An
error response rejects the entire message. Unfortunately, it is known that some
MTAs do not treat hard (5&'xx'&) responses to the DATA command (either
and try again later, but that is their problem, though it does waste some of
your resources.
+The &%acl_smtp_data%& ACL is run after
+the &%acl_smtp_data_prdr%&,
+the &%acl_smtp_dkim%&
+and the &%acl_smtp_mime%& ACLs.
.section "The SMTP DKIM ACL" "SECTDKIMACL"
The &%acl_smtp_dkim%& ACL is available only when Exim is compiled with DKIM support
received, and is executed for each DKIM signature found in a message. If not
otherwise specified, the default action is to accept.
-For details on the operation of DKIM, see chapter &<<CHID12>>&.
+This ACL is evaluated before &%acl_smtp_mime%& and &%acl_smtp_data%&.
+
+For details on the operation of DKIM, see section &<<SECDKIM>>&.
.section "The SMTP MIME ACL" "SECID194"
The &%acl_smtp_mime%& option is available only when Exim is compiled with the
content-scanning extension. For details, see chapter &<<CHAPexiscan>>&.
+This ACL is evaluated after &%acl_smtp_dkim%& but before &%acl_smtp_data%&.
+
+
+.section "The SMTP PRDR ACL" "SECTPRDRACL"
+.cindex "PRDR" "ACL for"
+.oindex "&%prdr_enable%&"
+The &%acl_smtp_data_prdr%& ACL is available only when Exim is compiled
+with PRDR support enabled (which is the default).
+It becomes active only when the PRDR feature is negotiated between
+client and server for a message, and more than one recipient
+has been accepted.
+
+The ACL test specified by &%acl_smtp_data_prdr%& happens after a message
+has been received, and is executed once for each recipient of the message
+with &$local_part$& and &$domain$& valid.
+The test may accept, defer or deny for individual recipients.
+The &%acl_smtp_data%& will still be called after this ACL and
+can reject the message overall, even if this ACL has accepted it
+for some or all recipients.
+
+PRDR may be used to support per-user content filtering. Without it
+one must defer any recipient after the first that has a different
+content-filter configuration. With PRDR, the RCPT-time check
+.cindex "PRDR" "variable for"
+for this can be disabled when the variable &$prdr_requested$&
+is &"yes"&.
+Any required difference in behaviour of the main DATA-time
+ACL should however depend on the PRDR-time ACL having run, as Exim
+will avoid doing so in some situations (e.g. single-recipient mails).
+
+See also the &%prdr_enable%& global option
+and the &%hosts_try_prdr%& smtp transport option.
+
+This ACL is evaluated after &%acl_smtp_dkim%& but before &%acl_smtp_data%&.
+If the ACL is not defined, processing completes as if
+the feature was not requested by the client.
.section "The QUIT ACL" "SECTQUITACL"
.cindex "QUIT, ACL for"
The ACL for the SMTP QUIT command is anomalous, in that the outcome of the ACL
does not affect the response code to QUIT, which is always 221. Thus, the ACL
-does not in fact control any access. For this reason, the only verbs that are
-permitted are &%accept%& and &%warn%&.
+does not in fact control any access.
+For this reason, it may only accept
+or warn as its final result.
This ACL can be used for tasks such as custom logging at the end of an SMTP
session. For example, you can use ACL variables in other ACLs to count
.section "The not-QUIT ACL" "SECTNOTQUITACL"
.vindex &$acl_smtp_notquit$&
The not-QUIT ACL, specified by &%acl_smtp_notquit%&, is run in most cases when
-an SMTP session ends without sending QUIT. However, when Exim itself is is bad
+an SMTP session ends without sending QUIT. However, when Exim itself is in bad
trouble, such as being unable to write to its log files, this ACL is not run,
because it might try to do things (such as write to log files) that make the
situation even worse.
{acl_check_rcpt} {acl_check_rcpt_submit} }
.endd
In the default configuration file there are some example settings for
-providing an RFC 4409 message submission service on port 587 and a
-non-standard &"smtps"& service on port 465. You can use a string
+providing an RFC 4409 message &"submission"& service on port 587 and
+an RFC 8314 &"submissions"& service on port 465. You can use a string
expansion like this to choose an ACL for MUAs on these ports which is
more appropriate for this purpose than the default ACL on port 25.
string, Exim searches for an ACL as follows:
.ilist
-If the string begins with a slash, Exim uses it as a file name, and reads its
+If the string begins with a slash, Exim uses it as a filename, and reads its
contents as an ACL. The lines are processed in the same way as lines in the
Exim configuration file. In particular, continuation lines are supported, blank
lines are ignored, as are lines whose first non-whitespace character is &"#"&.
remaining recipients. The &"discard"& return is not permitted for the
&%acl_smtp_predata%& ACL.
+If the ACL for VRFY returns &"accept"&, a recipient verify (without callout)
+is done on the address and the result determines the SMTP response.
+
.cindex "&[local_scan()]& function" "when all recipients discarded"
The &[local_scan()]& function is always run, even if there are no remaining
example:
.code
deny dnslists = list1.example
-dnslists = list2.example
+ dnslists = list2.example
.endd
If there are no conditions, the verb is always obeyed. Exim stops evaluating
the conditions and modifiers when it reaches a condition that fails. What
check a RCPT command:
.code
accept domains = +local_domains
-endpass
-verify = recipient
+ endpass
+ verify = recipient
.endd
If the recipient domain does not match the &%domains%& condition, control
passes to the next statement. If it does match, the recipient is verified, and
If &%log_message%& is not present, a &%warn%& verb just checks its conditions
and obeys any &"immediate"& modifiers (such as &%control%&, &%set%&,
-&%logwrite%&, and &%add_header%&) that appear before the first failing
-condition. There is more about adding header lines in section
+&%logwrite%&, &%add_header%&, and &%remove_header%&) that appear before the
+first failing condition. There is more about adding header lines in section
&<<SECTaddheadacl>>&.
If any condition on a &%warn%& statement cannot be completed (that is, there is
warning is generated. The &%control%& modifier affects the way an incoming
message is handled.
-The positioning of the modifiers in an ACL statement important, because the
+The positioning of the modifiers in an ACL statement is important, because the
processing of a verb ceases as soon as its outcome is known. Only those
modifiers that have already been encountered will take effect. For example,
consider this use of the &%message%& modifier:
.vitem &*delay*&&~=&~<&'time'&>
.cindex "&%delay%& ACL modifier"
.oindex "&%-bh%&"
-This modifier may appear in any ACL. It causes Exim to wait for the time
-interval before proceeding. However, when testing Exim using the &%-bh%&
-option, the delay is not actually imposed (an appropriate message is output
-instead). The time is given in the usual Exim notation, and the delay happens
-as soon as the modifier is processed. In an SMTP session, pending output is
-flushed before the delay is imposed.
+This modifier may appear in any ACL except notquit. It causes Exim to wait for
+the time interval before proceeding. However, when testing Exim using the
+&%-bh%& option, the delay is not actually imposed (an appropriate message is
+output instead). The time is given in the usual Exim notation, and the delay
+happens as soon as the modifier is processed. In an SMTP session, pending
+output is flushed before the delay is imposed.
Like &%control%&, &%delay%& can be used with &%accept%& or &%deny%&, for
example:
This modifier sets up a message that is used as part of the log message if the
ACL denies access or a &%warn%& statement's conditions are true. For example:
.code
-require log_message = wrong cipher suite $tls_cipher
+require log_message = wrong cipher suite $tls_in_cipher
encrypted = DES-CBC3-SHA
.endd
&%log_message%& is also used when recipients are discarded by &%discard%&. For
response.
.vindex "&$acl_verify_message$&"
+For ACLs that are called by an &%acl =%& ACL condition, the message is
+stored in &$acl_verify_message$&, from which the calling ACL may use it.
+
If &%message%& is used on a statement that verifies an address, the message
specified overrides any message that is generated by the verification process.
However, the original message is available in the variable
effect.
+.vitem &*queue*&&~=&~<&'text'&>
+.cindex "&%queue%& ACL modifier"
+.cindex "named queues" "selecting in ACL"
+This modifier specifies the use of a named queue for spool files
+for the message.
+It can only be used before the message is received (i.e. not in
+the DATA ACL).
+This could be used, for example, for known high-volume burst sources
+of traffic, or for quarantine of messages.
+Separate queue-runner processes will be needed for named queues.
+If the text after expansion is empty, the default queue is used.
+
+
+.vitem &*remove_header*&&~=&~<&'text'&>
+This modifier specifies one or more header names in a colon-separated list
+ that are to be removed from an incoming message, assuming, of course, that
+the message is ultimately accepted. For details, see section &<<SECTremoveheadacl>>&.
+
+
.vitem &*set*&&~<&'acl_name'&>&~=&~<&'value'&>
.cindex "&%set%& ACL modifier"
This modifier puts a value into one of the ACL variables (see section
&<<SECTaclvariables>>&).
-.endlist
+.vitem &*udpsend*&&~=&~<&'parameters'&>
+.cindex "UDP communications"
+This modifier sends a UDP packet, for purposes such as statistics
+collection or behaviour monitoring. The parameters are expanded, and
+the result of the expansion must be a colon-separated list consisting
+of a destination server, port number, and the packet contents. The
+server can be specified as a host name or IPv4 or IPv6 address. The
+separator can be changed with the usual angle bracket syntax. For
+example, you might want to collect information on which hosts connect
+when:
+.code
+udpsend = <; 2001:dB8::dead:beef ; 1234 ;\
+ $tod_zulu $sender_host_address
+.endd
+.endlist
+
is what is wanted for subsequent tests.
+.vitem &*control&~=&~cutthrough_delivery/*&<&'options'&>
+.cindex "&ACL;" "cutthrough routing"
+.cindex "cutthrough" "requesting"
+This option requests delivery be attempted while the item is being received.
+
+The option is usable in the RCPT ACL.
+If enabled for a message received via smtp and routed to an smtp transport,
+and only one transport, interface, destination host and port combination
+is used for all recipients of the message,
+then the delivery connection is made while the receiving connection is open
+and data is copied from one to the other.
+
+An attempt to set this option for any recipient but the first
+for a mail will be quietly ignored.
+If a recipient-verify callout
+(with use_sender)
+connection is subsequently
+requested in the same ACL it is held open and used for
+any subsequent recipients and the data,
+otherwise one is made after the initial RCPT ACL completes.
+
+Note that routers are used in verify mode,
+and cannot depend on content of received headers.
+Note also that headers cannot be
+modified by any of the post-data ACLs (DATA, MIME and DKIM).
+Headers may be modified by routers (subject to the above) and transports.
+The &'Received-By:'& header is generated as soon as the body reception starts,
+rather than the traditional time after the full message is received;
+this will affect the timestamp.
+
+All the usual ACLs are called; if one results in the message being
+rejected, all effort spent in delivery (including the costs on
+the ultimate destination) will be wasted.
+Note that in the case of data-time ACLs this includes the entire
+message body.
+
+Cutthrough delivery is not supported via transport-filters or when DKIM signing
+of outgoing messages is done, because it sends data to the ultimate destination
+before the entire message has been received from the source.
+It is not supported for messages received with the SMTP PRDR
+or CHUNKING
+options in use.
+
+Should the ultimate destination system positively accept or reject the mail,
+a corresponding indication is given to the source system and nothing is queued.
+If the item is successfully delivered in cutthrough mode
+the delivery log lines are tagged with ">>" rather than "=>" and appear
+before the acceptance "<=" line.
+
+If there is a temporary error the item is queued for later delivery in the
+usual fashion.
+This behaviour can be adjusted by appending the option &*defer=*&<&'value'&>
+to the control; the default value is &"spool"& and the alternate value
+&"pass"& copies an SMTP defer response from the target back to the initiator
+and does not queue the message.
+Note that this is independent of any recipient verify conditions in the ACL.
+
+Delivery in this mode avoids the generation of a bounce mail to a
+(possibly faked)
+sender when the destination system is doing content-scan based rejection.
+
+
.vitem &*control&~=&~debug/*&<&'options'&>
.cindex "&ACL;" "enabling debug logging"
.cindex "debugging" "enabling from an ACL"
This control turns on debug logging, almost as though Exim had been invoked
-with &`-d`&, with the output going to a new logfile, by default called
-&'debuglog'&. The filename can be adjusted with the &'tag'& option, which
+with &`-d`&, with the output going to a new logfile in the usual logs directory,
+by default called &'debuglog'&.
+The filename can be adjusted with the &'tag'& option, which
may access any variables already defined. The logging may be adjusted with
the &'opts'& option, which takes the same values as the &`-d`& command-line
-option. Some examples (which depend on variables that don't exist in all
+option.
+Logging started this way may be stopped, and the file removed,
+with the &'kill'& option.
+Some examples (which depend on variables that don't exist in all
contexts):
.code
control = debug
control = debug/tag=.$sender_host_address
control = debug/opts=+expand+acl
control = debug/tag=.$message_exim_id/opts=+expand
+ control = debug/kill
.endd
+.vitem &*control&~=&~dkim_disable_verify*&
+.cindex "disable DKIM verify"
+.cindex "DKIM" "disable verify"
+This control turns off DKIM verification processing entirely. For details on
+the operation and configuration of DKIM, see section &<<SECDKIM>>&.
+
+
+.vitem &*control&~=&~dscp/*&<&'value'&>
+.cindex "&ACL;" "setting DSCP value"
+.cindex "DSCP" "inbound"
+This option causes the DSCP value associated with the socket for the inbound
+connection to be adjusted to a given value, given as one of a number of fixed
+strings or to numeric value.
+The &%-bI:dscp%& option may be used to ask Exim which names it knows of.
+Common values include &`throughput`&, &`mincost`&, and on newer systems
+&`ef`&, &`af41`&, etc. Numeric values may be in the range 0 to 0x3F.
+
+The outbound packets from Exim will be marked with this value in the header
+(for IPv4, the TOS field; for IPv6, the TCLASS field); there is no guarantee
+that these values will have any effect, not be stripped by networking
+equipment, or do much of anything without cooperation with your Network
+Engineer and those of all network operators between the source and destination.
+
+
.vitem &*control&~=&~enforce_sync*& &&&
&*control&~=&~no_enforce_sync*&
.cindex "SMTP" "synchronization checking"
&*Note:*& This control applies only to the current message, not to any others
that are being submitted at the same time using &%-bs%& or &%-bS%&.
+
+.vitem &*control&~=&~utf8_downconvert*&
+This control enables conversion of UTF-8 in message addresses
+to a-label form.
+For details see section &<<SECTi18nMTA>>&.
.endlist vlist
.section "Adding header lines in ACLs" "SECTaddheadacl"
.cindex "header lines" "adding in an ACL"
.cindex "header lines" "position of added lines"
-.cindex "&%message%& ACL modifier"
+.cindex "&%add_header%& ACL modifier"
The &%add_header%& modifier can be used to add one or more extra header lines
to an incoming message, as in this example:
.code
add_header = X-blacklisted-at: $dnslist_domain
.endd
The &%add_header%& modifier is permitted in the MAIL, RCPT, PREDATA, DATA,
-MIME, and non-SMTP ACLs (in other words, those that are concerned with
+MIME, DKIM, and non-SMTP ACLs (in other words, those that are concerned with
receiving a message). The message must ultimately be accepted for
&%add_header%& to have any significant effect. You can use &%add_header%& with
any ACL verb, including &%deny%& (though this is potentially useful only in a
RCPT ACL).
-If the data for the &%add_header%& modifier contains one or more newlines that
+Headers will not be added to the message if the modifier is used in
+DATA, MIME or DKIM ACLs for a message delivered by cutthrough routing.
+
+Leading and trailing newlines are removed from
+the data for the &%add_header%& modifier; if it then
+contains one or more newlines that
are not followed by a space or a tab, it is assumed to contain multiple header
lines. Each one is checked for valid syntax; &`X-ACL-Warn:`& is added to the
front of any line that is not a valid header line.
are included in the entry that is written to the reject log.
.cindex "header lines" "added; visibility of"
-Header lines are not visible in string expansions until they are added to the
+Header lines are not visible in string expansions
+of message headers
+until they are added to the
message. It follows that header lines defined in the MAIL, RCPT, and predata
ACLs are not visible until the DATA ACL and MIME ACLs are run. Similarly,
header lines that are added by the DATA or MIME ACLs are not visible in those
this, you can use ACL variables, as described in section
&<<SECTaclvariables>>&.
-The &%add_header%& modifier acts immediately it is encountered during the
+The list of headers yet to be added is given by the &%$headers_added%& variable.
+
+The &%add_header%& modifier acts immediately as it is encountered during the
processing of an ACL. Notice the difference between these two cases:
.display
&`accept add_header = ADDED: some text`&
+.section "Removing header lines in ACLs" "SECTremoveheadacl"
+.cindex "header lines" "removing in an ACL"
+.cindex "header lines" "position of removed lines"
+.cindex "&%remove_header%& ACL modifier"
+The &%remove_header%& modifier can be used to remove one or more header lines
+from an incoming message, as in this example:
+.code
+warn message = Remove internal headers
+ remove_header = x-route-mail1 : x-route-mail2
+.endd
+The &%remove_header%& modifier is permitted in the MAIL, RCPT, PREDATA, DATA,
+MIME, DKIM, and non-SMTP ACLs (in other words, those that are concerned with
+receiving a message). The message must ultimately be accepted for
+&%remove_header%& to have any significant effect. You can use &%remove_header%&
+with any ACL verb, including &%deny%&, though this is really not useful for
+any verb that doesn't result in a delivered message.
+
+Headers will not be removed from the message if the modifier is used in
+DATA, MIME or DKIM ACLs for a message delivered by cutthrough routing.
+
+More than one header can be removed at the same time by using a colon separated
+list of header names. The header matching is case insensitive. Wildcards are
+not permitted, nor is list expansion performed, so you cannot use hostlists to
+create a list of headers, however both connection and message variable expansion
+are performed (&%$acl_c_*%& and &%$acl_m_*%&), illustrated in this example:
+.code
+warn hosts = +internal_hosts
+ set acl_c_ihdrs = x-route-mail1 : x-route-mail2
+warn message = Remove internal headers
+ remove_header = $acl_c_ihdrs
+.endd
+Header names for removal are accumulated during the MAIL, RCPT, and predata ACLs.
+Matching header lines are removed from the message before processing the DATA and MIME ACLs.
+If multiple header lines match, all are removed.
+There is no harm in attempting to remove the same header twice nor in removing
+a non-existent header. Further header lines to be removed may be accumulated
+during the DATA and MIME ACLs, after which they are removed from the message,
+if present. In the case of non-SMTP messages, headers to be removed are
+accumulated during the non-SMTP ACLs, and are removed from the message after
+all the ACLs have run. If a message is rejected after DATA or by the non-SMTP
+ACL, there really is no effect because there is no logging of what headers
+would have been removed.
+
+.cindex "header lines" "removed; visibility of"
+Header lines are not visible in string expansions until the DATA phase when it
+is received. Any header lines removed in the MAIL, RCPT, and predata ACLs are
+not visible in the DATA ACL and MIME ACLs. Similarly, header lines that are
+removed by the DATA or MIME ACLs are still visible in those ACLs. Because of
+this restriction, you cannot use header lines as a way of controlling data
+passed between (for example) the MAIL and RCPT ACLs. If you want to do this,
+you should instead use ACL variables, as described in section
+&<<SECTaclvariables>>&.
+
+The &%remove_header%& modifier acts immediately as it is encountered during the
+processing of an ACL. Notice the difference between these two cases:
+.display
+&`accept remove_header = X-Internal`&
+&` `&<&'some condition'&>
+
+&`accept `&<&'some condition'&>
+&` remove_header = X-Internal`&
+.endd
+In the first case, the header line is always removed, whether or not the
+condition is true. In the second case, the header line is removed only if the
+condition is true. Multiple occurrences of &%remove_header%& may occur in the
+same ACL statement. All those that are encountered before a condition fails
+are honoured.
+
+&*Warning*&: This facility currently applies only to header lines that are
+present during ACL processing. It does NOT remove header lines that are added
+in a system filter or in a router or transport.
+
+
+
.section "ACL conditions" "SECTaclconditions"
.cindex "&ACL;" "conditions; list of"
-Some of conditions listed in this section are available only when Exim is
+Some of the conditions listed in this section are available only when Exim is
compiled with the content-scanning extension. They are included here briefly
for completeness. More detailed descriptions can be found in the discussion on
content scanning in chapter &<<CHAPexiscan>>&.
.vitem &*acl&~=&~*&<&'name&~of&~acl&~or&~ACL&~string&~or&~file&~name&~'&>
.cindex "&ACL;" "nested"
.cindex "&ACL;" "indirect"
+.cindex "&ACL;" "arguments"
.cindex "&%acl%& ACL condition"
The possible values of the argument are the same as for the
&%acl_smtp_%&&'xxx'& options. The named or inline ACL is run. If it returns
condition false. This means that further processing of the &%warn%& verb
ceases, but processing of the ACL continues.
+If the argument is a named ACL, up to nine space-separated optional values
+can be appended; they appear within the called ACL in $acl_arg1 to $acl_arg9,
+and $acl_narg is set to the count of values.
+Previous values of these variables are restored after the call returns.
+The name and values are expanded separately.
+Note that spaces in complex expansions which are used as arguments
+will act as argument separators.
+
If the nested &%acl%& returns &"drop"& and the outer condition denies access,
the connection is dropped. If it returns &"discard"&, the verb must be
&%accept%& or &%discard%&, and the action is taken immediately &-- no further
problems such as a syntax error or a memory shortage. For more details, see
chapter &<<CHAPexiscan>>&.
-.vitem &*demime&~=&~*&<&'extension&~list'&>
-.cindex "&%demime%& ACL condition"
-This condition is available only when Exim is compiled with the
-content-scanning extension. Its use is described in section
-&<<SECTdemimecond>>&.
-
.vitem &*dnslists&~=&~*&<&'list&~of&~domain&~names&~and&~other&~data'&>
.cindex "&%dnslists%& ACL condition"
.cindex "DNS list" "in ACL"
.endd
-.vitem &*hosts&~=&~*&<&'&~host&~list'&>
+.vitem &*hosts&~=&~*&<&'host&~list'&>
.cindex "&%hosts%& ACL condition"
.cindex "host" "ACL checking"
.cindex "&ACL;" "testing the client host"
send email. Details of how this works are given in section
&<<SECTverifyCSA>>&.
+.vitem &*verify&~=&~header_names_ascii*&
+.cindex "&%verify%& ACL condition"
+.cindex "&ACL;" "verifying header names only ASCII"
+.cindex "header lines" "verifying header names only ASCII"
+.cindex "verifying" "header names only ASCII"
+This condition is relevant only in an ACL that is run after a message has been
+received, that is, in an ACL specified by &%acl_smtp_data%& or
+&%acl_not_smtp%&. It checks all header names (not the content) to make sure
+there are no non-ASCII characters, also excluding control characters. The
+allowable characters are decimal ASCII values 33 through 126.
+
+Exim itself will handle headers with non-ASCII characters, but it can cause
+problems for downstream applications, so this option will allow their
+detection and rejection in the DATA ACL's.
+
.vitem &*verify&~=&~header_sender/*&<&'options'&>
.cindex "&%verify%& ACL condition"
.cindex "&ACL;" "verifying sender in the header"
received, that is, in an ACL specified by &%acl_smtp_data%& or
&%acl_not_smtp%&. It checks the syntax of all header lines that can contain
lists of addresses (&'Sender:'&, &'From:'&, &'Reply-To:'&, &'To:'&, &'Cc:'&,
-and &'Bcc:'&). Unqualified addresses (local parts without domains) are
+and &'Bcc:'&), returning true if there are no problems.
+Unqualified addresses (local parts without domains) are
permitted only in locally generated messages and from hosts that match
&%sender_unqualified_hosts%& or &%recipient_unqualified_hosts%&, as
appropriate.
address, and in that case, the subsequent value of &$address_data$& is the
value for the child address.
-.vitem &*verify&~=&~reverse_host_lookup*&
+.vitem &*verify&~=&~reverse_host_lookup/*&<&'options'&>
.cindex "&%verify%& ACL condition"
.cindex "&ACL;" "verifying host reverse lookup"
.cindex "host" "verifying reverse lookup"
one of its aliases, does, when it is itself looked up in the DNS, yield the
original IP address.
+There is one possible option, &`defer_ok`&. If this is present and a
+DNS operation returns a temporary error, the verify condition succeeds.
+
If this condition is used for a locally generated message (that is, when there
is no client host involved), it always succeeds.
.cindex "&%verify%& ACL condition"
This is a variation of the previous option, in which a modified address is
verified as a sender.
+
+Note that '/' is legal in local-parts; if the address may have such
+(eg. is generated from the received message)
+they must be protected from the options parsing by doubling:
+.code
+verify = sender=${sg{${address:$h_sender:}}{/}{//}}
+.endd
.endlist
warn message = X-Warn: sending host is on dialups list
dnslists = dialups.mail-abuse.org
.endd
-DNS list lookups are cached by Exim for the duration of the SMTP session,
+.cindex caching "of dns lookup"
+.cindex DNS TTL
+DNS list lookups are cached by Exim for the duration of the SMTP session
+(but limited by the DNS return TTL value),
so a lookup based on the IP address is done at most once for any incoming
-connection. Exim does not share information between multiple incoming
+connection (assuming long-enough TTL).
+Exim does not share information between multiple incoming
connections (but your local name server cache should be active).
+There are a number of DNS lists to choose from, some commercial, some free,
+or free for small deployments. An overview can be found at
+&url(https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists).
+
.section "Specifying the IP address for a DNS list lookup" "SECID201"
.section "DNS lists keyed on domain names" "SECID202"
.cindex "DNS list" "keyed by domain name"
There are some lists that are keyed on domain names rather than inverted IP
-addresses (see for example the &'domain based zones'& link at
+addresses (see, e.g., the &'domain based zones'& link at
&url(http://www.rfc-ignorant.org/)). No reversing of components is used
with these lists. You can change the name that is looked up in a DNS list by
listing it after the domain name, introduced by a slash. For example,
and the outer dnsdb lookup finds the IP addresses for these hosts. The result
of expanding the condition might be something like this:
.code
-dnslists = sbl.spahmaus.org/<|192.168.2.3|192.168.5.6|...
+dnslists = sbl.spamhaus.org/<|192.168.2.3|192.168.5.6|...
.endd
Thus, this example checks whether or not the IP addresses of the sender
domain's mail servers are on the Spamhaus black list.
If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is
false because 127.0.0.1 matches.
.next
-If &`!==`& or &`!=&&`& is used, the condition is true there is at least one
+If &`!==`& or &`!=&&`& is used, the condition is true if there is at least one
looked up IP address that does not match. Consider:
.code
dnslists = a.b.c!=&0.0.0.1
a check that the IP being tested is indeed on the first list. The first
domain is the one that is put in &$dnslist_domain$&. For example:
.code
-reject message = \
+deny message = \
rejected because $sender_host_address is blacklisted \
at $dnslist_domain\n$dnslist_text
dnslists = \
given several times, but because the results of the DNS lookups are cached,
the DNS calls themselves are not repeated. For example:
.code
-reject dnslists = \
+deny dnslists = \
http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
misc.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.4 : \
dnslists = some.list.example
.endd
+If an explicit key is being used for a DNS lookup and it may be an IPv6
+address you should specify alternate list separators for both the outer
+(DNS list name) list and inner (lookup keys) list:
+.code
+ dnslists = <; dnsbl.example.com/<|$acl_m_addrslist
+.endd
+
.section "Rate limiting incoming messages" "SECTratelimiting"
.cindex "rate limiting" "client sending"
.cindex "limiting client sending rates"
ACL.
Each &%ratelimit%& condition can have up to four options. A &%per_*%& option
-specifies what Exim measures the rate of, for example messages or recipients
+specifies what Exim measures the rate of, for example, messages or recipients
or bytes. You can adjust the measurement using the &%unique=%& and/or
&%count=%& options. You can also control when Exim updates the recorded rate
using a &%strict%&, &%leaky%&, or &%readonly%& option. The options are
accepted. It can be used in the &%acl_smtp_rcpt%&, &%acl_smtp_predata%&,
&%acl_smtp_mime%&, &%acl_smtp_data%&, or &%acl_smtp_rcpt%& ACLs. In
&%acl_smtp_rcpt%& the rate is updated one recipient at a time; in the other
-ACLs the rate is updated with the total recipient count in one go. Note that
+ACLs the rate is updated with the total (accepted) recipient count in one go. Note that
in either case the rate limiting engine will see a message with many
recipients as a large high-speed burst.
The &%leaky%& (default) option means that the client's recorded rate is not
updated if it is above the limit. The effect of this is that Exim measures the
-client's average rate of successfully sent email, which cannot be greater than
-the maximum allowed. If the client is over the limit it may suffer some
-counter-measures (as specified in the ACL), but it will still be able to send
-email at the configured maximum rate, whatever the rate of its attempts. This
+client's average rate of successfully sent email,
+.new
+up to the given limit.
+This is appropriate if the countermeasure when the condition is true
+consists of refusing the message, and
is generally the better choice if you have clients that retry automatically.
-For example, it does not prevent a sender with an over-aggressive retry rate
-from getting any email through.
+If the action when true is anything more complex then this option is
+likely not what is wanted.
+.wen
The &%strict%& option means that the client's recorded rate is always
updated. The effect of this is that Exim measures the client's average rate
The main use of these variables is expected to be to distinguish between
rejections of MAIL and rejections of RCPT in callouts.
+.new
+The above variables may also be set after a &*successful*&
+address verification to:
+
+.ilist
+&%random%&: A random local-part callout succeeded
+.endlist
+.wen
+
&%hosts%& setting, the transport's hosts are used. If an &(smtp)& transport has
&%hosts_override%& set, its hosts are always used, whether or not the router
supplies a host list.
+Callouts are only supported on &(smtp)& transports.
The port that is used is taken from the transport, if it is specified and is a
remote transport. (For routers that do verification only, no transport need be
LHLO is used instead of HELO if the transport's &%protocol%& option is
set to &"lmtp"&.
+The callout may use EHLO, AUTH and/or STARTTLS given appropriate option
+settings.
+
A recipient callout check is similar. By default, it also uses an empty address
for the sender. This default is chosen because most hosts do not make use of
the sender address when verifying a recipient. Using the same address means
need to use this option unless you know that the called hosts make use of the
sender when checking recipients. If used indiscriminately, it reduces the
usefulness of callout caching.
+
+.vitem &*hold*&
+This option applies to recipient callouts only. For example:
+.code
+require verify = recipient/callout=use_sender,hold
+.endd
+It causes the connection to be held open and used for any further recipients
+and for eventual delivery (should that be done quickly).
+Doing this saves on TCP and SMTP startup costs, and TLS costs also
+when that is used for the connections.
+The advantage is only gained if there are no callout cache hits
+(which could be enforced by the no_cache option),
+if the use_sender option is used,
+if neither the random nor the use_postmaster option is used,
+and if no other callouts intervene.
.endlist
If you use any of the parameters that set a non-empty sender for the MAIL
item creates a signed address, and the &%prvscheck%& expansion item checks one.
The syntax of these expansion items is described in section
&<<SECTexpansionitems>>&.
+The validity period on signed addresses is seven days.
As an example, suppose the secret per-address keys are stored in an MySQL
database. A query to look up the key for an address could be defined as a macro
In the main part of the configuration, you put the following definitions:
.code
-domainlist local_domains = my.dom1.example : my.dom2.example
-domainlist relay_domains = friend1.example : friend2.example
-hostlist relay_hosts = 192.168.45.0/24
+domainlist local_domains = my.dom1.example : my.dom2.example
+domainlist relay_to_domains = friend1.example : friend2.example
+hostlist relay_from_hosts = 192.168.45.0/24
.endd
Now you can use these definitions in the ACL that is run for every RCPT
command:
.code
acl_check_rcpt:
- accept domains = +local_domains : +relay_domains
- accept hosts = +relay_hosts
+ accept domains = +local_domains : +relay_to_domains
+ accept hosts = +relay_from_hosts
.endd
The first statement accepts any RCPT command that contains an address in
the local or relay domains. For any other domain, control passes to the second
You can check the relay characteristics of your configuration in the same way
that you can test any ACL behaviour for an incoming SMTP connection, by using
the &%-bh%& option to run a fake SMTP session with which you interact.
-
-For specifically testing for unwanted relaying, the host
-&'relay-test.mail-abuse.org'& provides a useful service. If you telnet to this
-host from the host on which Exim is running, using the normal telnet port, you
-will see a normal telnet connection message and then quite a long delay. Be
-patient. The remote host is making an SMTP connection back to your host, and
-trying a number of common probes to test for open relay vulnerability. The
-results of the tests will eventually appear on your terminal.
.ecindex IIDacl
Two new main configuration options: &%av_scanner%& and &%spamd_address%&.
.endlist
-There is another content-scanning configuration option for &_Local/Makefile_&,
-called WITH_OLD_DEMIME. If this is set, the old, deprecated &%demime%& ACL
-condition is compiled, in addition to all the other content-scanning features.
-
Content-scanning is continually evolving, and new features are still being
added. While such features are still unstable and liable to incompatible
changes, they are made available in Exim by setting options whose names begin
specialized interfaces for &"daemon"& type virus scanners, which are resident
in memory and thus are much faster.
+A timeout of 2 minutes is applied to a scanner call (by default);
+if it expires then a defer action is taken.
.oindex "&%av_scanner%&"
-You can set the &%av_scanner%& option in first part of the Exim configuration
-file to specify which scanner to use, together with any additional options that
+You can set the &%av_scanner%& option in the main part of the configuration
+to specify which scanner to use, together with any additional options that
are needed. The basic syntax is as follows:
.display
&`av_scanner = <`&&'scanner-type'&&`>:<`&&'option1'&&`>:<`&&'option2'&&`>:[...]`&
av_scanner = sophie:/var/run/sophie
.endd
If the value of &%av_scanner%& starts with a dollar character, it is expanded
-before use. The following scanner types are supported in this release:
+before use.
+The usual list-parsing of the content (see &<<SECTlistconstruct>>&) applies.
+The following scanner types are supported in this release,
+though individual ones can be included or not at build time:
.vlist
+.vitem &%avast%&
+.cindex "virus scanners" "avast"
+This is the scanner daemon of Avast. It has been tested with Avast Core
+Security (currently at version 2.2.0).
+You can get a trial version at &url(https://www.avast.com) or for Linux
+at &url(https://www.avast.com/linux-server-antivirus).
+This scanner type takes one option,
+which can be either a full path to a UNIX socket,
+or host and port specifiers separated by white space.
+The host may be a name or an IP address; the port is either a
+single number or a pair of numbers with a dash between.
+A list of options may follow. These options are interpreted on the
+Exim's side of the malware scanner, or are given on separate lines to
+the daemon as options before the main scan command.
+
+.cindex &`pass_unscanned`& "avast"
+If &`pass_unscanned`&
+is set, any files the Avast scanner can't scan (e.g.
+decompression bombs, or invalid archives) are considered clean. Use with
+care.
+
+For example:
+.code
+av_scanner = avast:/var/run/avast/scan.sock:FLAGS -fullfiles:SENSITIVITY -pup
+av_scanner = avast:/var/run/avast/scan.sock:pass_unscanned:FLAGS -fullfiles:SENSITIVITY -pup
+av_scanner = avast:192.168.2.22 5036
+.endd
+If you omit the argument, the default path
+&_/var/run/avast/scan.sock_&
+is used.
+If you use a remote host,
+you need to make Exim's spool directory available to it,
+as the scanner is passed a file path, not file contents.
+For information about available commands and their options you may use
+.code
+$ socat UNIX:/var/run/avast/scan.sock STDIO:
+ FLAGS
+ SENSITIVITY
+ PACK
+.endd
+
+If the scanner returns a temporary failure (e.g. license issues, or
+permission problems), the message is deferred and a paniclog entry is
+written. The usual &`defer_ok`& option is available.
+
.vitem &%aveserver%&
.cindex "virus scanners" "Kaspersky"
This is the scanner daemon of Kaspersky Version 5. You can get a trial version
-at &url(http://www.kaspersky.com). This scanner type takes one option,
+at &url(https://www.kaspersky.com/). This scanner type takes one option,
which is the path to the daemon's UNIX socket. The default is shown in this
example:
.code
.vitem &%clamd%&
.cindex "virus scanners" "clamd"
This daemon-type scanner is GPL and free. You can get it at
-&url(http://www.clamav.net/). Some older versions of clamd do not seem to
+&url(https://www.clamav.net/). Some older versions of clamd do not seem to
unpack MIME containers, so it used to be recommended to unpack MIME attachments
-in the MIME ACL. This no longer believed to be necessary. One option is
-required: either the path and name of a UNIX socket file, or a hostname or IP
-number, and a port, separated by space, as in the second of these examples:
+in the MIME ACL. This is no longer believed to be necessary.
+
+The options are a list of server specifiers, which may be
+a UNIX socket specification,
+a TCP socket specification,
+or a (global) option.
+
+A socket specification consists of a space-separated list.
+For a Unix socket the first element is a full path for the socket,
+for a TCP socket the first element is the IP address
+and the second a port number,
+Any further elements are per-server (non-global) options.
+These per-server options are supported:
+.code
+retry=<timespec> Retry on connect fail
+.endd
+
+The &`retry`& option specifies a time after which a single retry for
+a failed connect is made. The default is to not retry.
+
+If a Unix socket file is specified, only one server is supported.
+
+Examples:
.code
av_scanner = clamd:/opt/clamd/socket
av_scanner = clamd:192.0.2.3 1234
av_scanner = clamd:192.0.2.3 1234:local
+av_scanner = clamd:192.0.2.3 1234 retry=10s
+av_scanner = clamd:192.0.2.3 1234 : 192.0.2.4 1234
.endd
-If the value of av_scanner points to a UNIX socket file or contains the local
-keyword, then the ClamAV interface will pass a filename containing the data
-to be scanned, which will should normally result in less I/O happening and be
+If the value of av_scanner points to a UNIX socket file or contains the
+&`local`&
+option, then the ClamAV interface will pass a filename containing the data
+to be scanned, which should normally result in less I/O happening and be
more efficient. Normally in the TCP case, the data is streamed to ClamAV as
Exim does not assume that there is a common filesystem with the remote host.
-There is an option WITH_OLD_CLAMAV_STREAM in &_src/EDITME_& available, should
-you be running a version of ClamAV prior to 0.95.
+
+The final example shows that multiple TCP targets can be specified. Exim will
+randomly use one for each incoming email (i.e. it load balances them). Note
+that only TCP targets may be used if specifying a list of scanners; a UNIX
+socket cannot be mixed in with TCP targets. If one of the servers becomes
+unavailable, Exim will try the remaining one(s) until it finds one that works.
+When a clamd server becomes unreachable, Exim will log a message. Exim does
+not keep track of scanner state between multiple messages, and the scanner
+selection is random, so the message will get logged in the mainlog for each
+email that the down scanner gets chosen first (message wrapped to be readable):
+.code
+2013-10-09 14:30:39 1VTumd-0000Y8-BQ malware acl condition:
+ clamd: connection to localhost, port 3310 failed
+ (Connection refused)
+.endd
+
If the option is unset, the default is &_/tmp/clamd_&. Thanks to David Saez for
contributing the code for this scanner.
.endd
.vitem &%drweb%&
.cindex "virus scanners" "DrWeb"
-The DrWeb daemon scanner (&url(http://www.sald.com/)) interface takes one
-argument, either a full path to a UNIX socket, or an IP address and port
-separated by white space, as in these examples:
+The DrWeb daemon scanner (&url(https://www.sald.ru/)) interface
+takes one option,
+either a full path to a UNIX socket,
+or host and port specifiers separated by white space.
+The host may be a name or an IP address; the port is either a
+single number or a pair of numbers with a dash between.
+For example:
.code
av_scanner = drweb:/var/run/drwebd.sock
av_scanner = drweb:192.168.2.20 31337
If you omit the argument, the default path &_/usr/local/drweb/run/drwebd.sock_&
is used. Thanks to Alex Miller for contributing the code for this scanner.
+.vitem &%f-protd%&
+.cindex "virus scanners" "f-protd"
+The f-protd scanner is accessed via HTTP over TCP.
+One argument is taken, being a space-separated hostname and port number
+(or port-range).
+For example:
+.code
+av_scanner = f-protd:localhost 10200-10204
+.endd
+If you omit the argument, the default values shown above are used.
+
+.vitem &%f-prot6d%&
+.cindex "virus scanners" "f-prot6d"
+The f-prot6d scanner is accessed using the FPSCAND protocol over TCP.
+One argument is taken, being a space-separated hostname and port number.
+For example:
+.code
+av_scanner = f-prot6d:localhost 10200
+.endd
+If you omit the argument, the default values show above are used.
+
.vitem &%fsecure%&
.cindex "virus scanners" "F-Secure"
-The F-Secure daemon scanner (&url(http://www.f-secure.com)) takes one
+The F-Secure daemon scanner (&url(https://www.f-secure.com/)) takes one
argument which is the path to a UNIX socket. For example:
.code
av_scanner = fsecure:/path/to/.fsav
.vitem &%mksd%&
.cindex "virus scanners" "mksd"
-This is a daemon type scanner that is aimed mainly at Polish users, though some
-parts of documentation are now available in English. You can get it at
-&url(http://linux.mks.com.pl/). The only option for this scanner type is
+This was a daemon type scanner that is aimed mainly at Polish users,
+though some documentation was available in English.
+The history can be shown at &url(https://en.wikipedia.org/wiki/Mks_vir)
+and this appears to be a candidate for removal from Exim, unless
+we are informed of other virus scanners which use the same protocol
+to integrate.
+The only option for this scanner type is
the maximum number of processes used simultaneously to scan the attachments,
-provided that the demime facility is employed and also provided that mksd has
+provided that mksd has
been run with at least the same number of child processes. For example:
.code
av_scanner = mksd:2
.endd
You can safely omit this option (the default value is 1).
+.vitem &%sock%&
+.cindex "virus scanners" "simple socket-connected"
+This is a general-purpose way of talking to simple scanner daemons
+running on the local machine.
+There are four options:
+an address (which may be an IP address and port, or the path of a Unix socket),
+a commandline to send (may include a single %s which will be replaced with
+the path to the mail file to be scanned),
+an RE to trigger on from the returned data,
+and an RE to extract malware_name from the returned data.
+For example:
+.code
+av_scanner = sock:127.0.0.1 6001:%s:(SPAM|VIRUS):(.*)$
+.endd
+Note that surrounding whitespace is stripped from each option, meaning
+there is no way to specify a trailing newline.
+The socket specifier and both regular-expressions are required.
+Default for the commandline is &_%s\n_& (note this does have a trailing newline);
+specify an empty element to get this.
+
.vitem &%sophie%&
.cindex "virus scanners" "Sophos and Sophie"
Sophie is a daemon that uses Sophos' &%libsavi%& library to scan for viruses.
-You can get Sophie at &url(http://www.clanfield.info/sophie/). The only option
+You can get Sophie at &url(http://sophie.sourceforge.net/). The only option
for this scanner type is the path to the UNIX socket that Sophie uses for
client communication. For example:
.code
message.
The &%malware%& condition takes a right-hand argument that is expanded before
-use. It can then be one of
+use and taken as a list, slash-separated by default.
+The first element can then be one of
.ilist
&"true"&, &"*"&, or &"1"&, in which case the message is scanned for viruses.
A regular expression, in which case the message is scanned for viruses. The
condition succeeds if a virus is found and its name matches the regular
expression. This allows you to take special actions on certain types of virus.
+Note that &"/"& characters in the RE must be doubled due to the list-processing,
+unless the separator is changed (in the usual way &<<SECTlistsepchange>>&).
.endlist
-You can append &`/defer_ok`& to the &%malware%& condition to accept messages
-even if there is a problem with the virus scanner. Otherwise, such a problem
-causes the ACL to defer.
+You can append a &`defer_ok`& element to the &%malware%& argument list to accept
+messages even if there is a problem with the virus scanner.
+Otherwise, such a problem causes the ACL to defer.
+
+You can append a &`tmo=<val>`& element to the &%malware%& argument list to
+specify a non-default timeout. The default is two minutes.
+For example:
+.code
+malware = * / defer_ok / tmo=10s
+.endd
+A timeout causes the ACL to defer.
+
+.vindex "&$callout_address$&"
+When a connection is made to the scanner the expansion variable &$callout_address$&
+is set to record the actual address used.
.vindex "&$malware_name$&"
When a virus is found, the condition sets up an expansion variable called
&%message%& modifier that specifies the error returned to the sender, and/or in
logging data.
-If your virus scanner cannot unpack MIME and TNEF containers itself, you should
-use the &%demime%& condition (see section &<<SECTdemimecond>>&) before the
-&%malware%& condition.
-
Beware the interaction of Exim's &%message_size_limit%& with any size limits
imposed by your anti-virus scanner.
Here is a very simple scanning example:
.code
deny message = This message contains malware ($malware_name)
- demime = *
malware = *
.endd
The next example accepts messages when there is a problem with the scanner:
.code
deny message = This message contains malware ($malware_name)
- demime = *
malware = */defer_ok
.endd
The next example shows how to use an ACL variable to scan with both sophie and
.endd
-.section "Scanning with SpamAssassin" "SECTscanspamass"
+.section "Scanning with SpamAssassin and Rspamd" "SECTscanspamass"
.cindex "content scanning" "for spam"
.cindex "spam scanning"
.cindex "SpamAssassin"
+.cindex "Rspamd"
The &%spam%& ACL condition calls SpamAssassin's &%spamd%& daemon to get a spam
-score and a report for the message. You can get SpamAssassin at
-&url(http://www.spamassassin.org), or, if you have a working Perl
-installation, you can use CPAN by running:
+score and a report for the message.
+Support is also provided for Rspamd.
+
+For more information about installation and configuration of SpamAssassin or
+Rspamd refer to their respective websites at
+&url(https://spamassassin.apache.org/) and &url(https://www.rspamd.com/)
+
+SpamAssassin can be installed with CPAN by running:
.code
perl -MCPAN -e 'install Mail::SpamAssassin'
.endd
nicely, however.
.oindex "&%spamd_address%&"
-After having installed and configured SpamAssassin, start the &%spamd%& daemon.
-By default, it listens on 127.0.0.1, TCP port 783. If you use another host or
-port for &%spamd%&, you must set the &%spamd_address%& option in the global
-part of the Exim configuration as follows (example):
+By default, SpamAssassin listens on 127.0.0.1, TCP port 783 and if you
+intend to use an instance running on the local host you do not need to set
+&%spamd_address%&. If you intend to use another host or port for SpamAssassin,
+you must set the &%spamd_address%& option in the global part of the Exim
+configuration as follows (example):
.code
-spamd_address = 192.168.99.45 387
+spamd_address = 192.168.99.45 783
.endd
-You do not need to set this option if you use the default. As of version 2.60,
-&%spamd%& also supports communication over UNIX sockets. If you want to use
-these, supply &%spamd_address%& with an absolute file name instead of a
-address/port pair:
+The SpamAssassin protocol relies on a TCP half-close from the client.
+If your SpamAssassin client side is running a Linux system with an
+iptables firewall, consider setting
+&%net.netfilter.nf_conntrack_tcp_timeout_close_wait%& to at least the
+timeout, Exim uses when waiting for a response from the SpamAssassin
+server (currently defaulting to 120s). With a lower value the Linux
+connection tracking may consider your half-closed connection as dead too
+soon.
+
+
+To use Rspamd (which by default listens on all local addresses
+on TCP port 11333)
+you should add &%variant=rspamd%& after the address/port pair, for example:
+.code
+spamd_address = 127.0.0.1 11333 variant=rspamd
+.endd
+
+As of version 2.60, &%SpamAssassin%& also supports communication over UNIX
+sockets. If you want to us these, supply &%spamd_address%& with an absolute
+filename instead of an address/port pair:
.code
spamd_address = /var/run/spamd_socket
.endd
You can have multiple &%spamd%& servers to improve scalability. These can
reside on other hardware reachable over the network. To specify multiple
&%spamd%& servers, put multiple address/port pairs in the &%spamd_address%&
-option, separated with colons:
+option, separated with colons (the separator can be changed in the usual way &<<SECTlistsepchange>>&):
.code
spamd_address = 192.168.2.10 783 : \
192.168.2.11 783 : \
192.168.2.12 783
.endd
-Up to 32 &%spamd%& servers are supported. The servers are queried in a random
-fashion. When a server fails to respond to the connection attempt, all other
+Up to 32 &%spamd%& servers are supported.
+When a server fails to respond to the connection attempt, all other
servers are tried until one succeeds. If no server responds, the &%spam%&
condition defers.
-&*Warning*&: It is not possible to use the UNIX socket connection method with
-multiple &%spamd%& servers.
+Unix and TCP socket specifications may be mixed in any order.
+Each element of the list is a list itself, space-separated by default
+and changeable in the usual way (&<<SECTlistsepchange>>&);
+take care to not double the separator.
+
+For TCP socket specifications a host name or IP (v4 or v6, but
+subject to list-separator quoting rules) address can be used,
+and the port can be one or a dash-separated pair.
+In the latter case, the range is tried in strict order.
+
+Elements after the first for Unix sockets, or second for TCP socket,
+are options.
+The supported options are:
+.code
+pri=<priority> Selection priority
+weight=<value> Selection bias
+time=<start>-<end> Use only between these times of day
+retry=<timespec> Retry on connect fail
+tmo=<timespec> Connection time limit
+variant=rspamd Use Rspamd rather than SpamAssassin protocol
+.endd
+
+The &`pri`& option specifies a priority for the server within the list,
+higher values being tried first.
+The default priority is 1.
+
+The &`weight`& option specifies a selection bias.
+Within a priority set
+servers are queried in a random fashion, weighted by this value.
+The default value for selection bias is 1.
+
+Time specifications for the &`time`& option are <hour>.<minute>.<second>
+in the local time zone; each element being one or more digits.
+Either the seconds or both minutes and seconds, plus the leading &`.`&
+characters, may be omitted and will be taken as zero.
+
+Timeout specifications for the &`retry`& and &`tmo`& options
+are the usual Exim time interval standard, e.g. &`20s`& or &`1m`&.
+
+The &`tmo`& option specifies an overall timeout for communication.
+The default value is two minutes.
+
+The &`retry`& option specifies a time after which a single retry for
+a failed connect is made.
+The default is to not retry.
The &%spamd_address%& variable is expanded before use if it starts with
a dollar sign. In this case, the expansion may return a string that is
used as the list so that multiple spamd servers can be the result of an
expansion.
+.vindex "&$callout_address$&"
+When a connection is made to the server the expansion variable &$callout_address$&
+is set to record the actual address used.
+
.section "Calling SpamAssassin from an Exim ACL" "SECID206"
Here is a simple example of the use of the &%spam%& condition in a DATA ACL:
.code
relevant if you have set up multiple SpamAssassin profiles. If you do not want
to scan using a specific profile, but rather use the SpamAssassin system-wide
default profile, you can scan for an unknown name, or simply use &"nobody"&.
-However, you must put something on the right-hand side.
+Rspamd does not use this setting. However, you must put something on the
+right-hand side.
The name allows you to use per-domain or per-user antispam profiles in
principle, but this is not straightforward in practice, because a message may
have multiple recipients, not necessarily all in the same domain. Because the
-&%spam%& condition has to be called from a DATA ACL in order to be able to
+&%spam%& condition has to be called from a DATA-time ACL in order to be able to
read the contents of the message, the variables &$local_part$& and &$domain$&
are not set.
+Careful enforcement of single-recipient messages
+(e.g. by responding with defer in the recipient ACL for all recipients
+after the first),
+or the use of PRDR,
+.cindex "PRDR" "use for per-user SpamAssassin profiles"
+are needed to use this feature.
The right-hand side of the &%spam%& condition is expanded before being used, so
you can put lookups or conditions there. When the right-hand side evaluates to
.cindex "spam scanning" "returned variables"
When the &%spam%& condition is run, it sets up a number of expansion
-variables. These variables are saved with the received message, thus they are
+variables.
+Except for &$spam_report$&,
+these variables are saved with the received message so are
available for use at delivery time.
.vlist
.vitem &$spam_score$&
-The spam score of the message, for example &"3.4"& or &"30.5"&. This is useful
+The spam score of the message, for example, &"3.4"& or &"30.5"&. This is useful
for inclusion in log or reject messages.
.vitem &$spam_score_int$&
A string consisting of a number of &"+"& or &"-"& characters, representing the
integer part of the spam score value. A spam score of 4.4 would have a
&$spam_bar$& value of &"++++"&. This is useful for inclusion in warning
-headers, since MUAs can match on such strings.
+headers, since MUAs can match on such strings. The maximum length of the
+spam bar is 50 characters.
.vitem &$spam_report$&
A multiline text table, containing the full SpamAssassin report for the
message. Useful for inclusion in headers or reject messages.
+This variable is only usable in a DATA-time ACL.
+Beware that SpamAssassin may return non-ASCII characters, especially
+when running in country-specific locales, which are not legal
+unencoded in headers.
+
+.vitem &$spam_action$&
+For SpamAssassin either 'reject' or 'no action' depending on the
+spam score versus threshold.
+For Rspamd, the recommended action.
+
.endlist
The &%spam%& condition caches its results unless expansion in
.next
The string &"default"&. In that case, the file is put in the temporary
&"default"& directory <&'spool_directory'&>&_/scan/_&<&'message_id'&>&_/_& with
-a sequential file name consisting of the message id and a sequence number. The
+a sequential filename consisting of the message id and a sequence number. The
full path and name is available in &$mime_decoded_filename$& after decoding.
.next
A full path name starting with a slash. If the full name is an existing
directory, it is used as a replacement for the default directory. The filename
is then sequentially assigned. If the path does not exist, it is used as
-the full path and file name.
+the full path and filename.
.next
If the string does not start with a slash, it is used as the
filename, and the default path is then used.
.vitem &$mime_decoded_filename$&
This variable is set only after the &%decode%& modifier (see above) has been
-successfully run. It contains the full path and file name of the file
+successfully run. It contains the full path and filename of the file
containing the decoded data.
.endlist
This is perhaps the most important of the MIME variables. It contains a
proposed filename for an attachment, if one was found in either the
&'Content-Type:'& or &'Content-Disposition:'& headers. The filename will be
-RFC2047 decoded, but no additional sanity checks are done. If no filename was
+RFC2047
+or RFC2231
+decoded, but no additional sanity checks are done.
+ If no filename was
found, this variable contains the empty string.
.vitem &$mime_is_coverletter$&
As an example, the following will ban &"HTML mail"& (including that sent with
alternative plain text), while allowing HTML files to be attached. HTML
-coverletter mail attached to non-HMTL coverletter mail will also be allowed:
+coverletter mail attached to non-HTML coverletter mail will also be allowed:
.code
deny message = HTML mail is not accepted here
!condition = $mime_is_rfc822
.endd
.vitem &$mime_is_multipart$&
This variable has the value 1 (true) when the current part has the main type
-&"multipart"&, for example &"multipart/alternative"& or &"multipart/mixed"&.
+&"multipart"&, for example, &"multipart/alternative"& or &"multipart/mixed"&.
Since multipart entities only serve as containers for other parts, you may not
want to carry out specific actions on them.
The conditions returns true if any one of the regular expressions matches. The
&$regex_match_string$& expansion variable is then set up and contains the
matching regular expression.
+The expansion variables &$regex1$& &$regex2$& etc
+are set to any substrings captured by the regular expression.
&*Warning*&: With large messages, these conditions can be fairly
CPU-intensive.
-
-
-
-.section "The demime condition" "SECTdemimecond"
-.cindex "content scanning" "MIME checking"
-.cindex "MIME content scanning"
-The &%demime%& ACL condition provides MIME unpacking, sanity checking and file
-extension blocking. It is usable only in the DATA and non-SMTP ACLs. The
-&%demime%& condition uses a simpler interface to MIME decoding than the MIME
-ACL functionality, but provides no additional facilities. Please note that this
-condition is deprecated and kept only for backward compatibility. You must set
-the WITH_OLD_DEMIME option in &_Local/Makefile_& at build time to be able to
-use the &%demime%& condition.
-
-The &%demime%& condition unpacks MIME containers in the message. It detects
-errors in MIME containers and can match file extensions found in the message
-against a list. Using this facility produces files containing the unpacked MIME
-parts of the message in the temporary scan directory. If you do antivirus
-scanning, it is recommended that you use the &%demime%& condition before the
-antivirus (&%malware%&) condition.
-
-On the right-hand side of the &%demime%& condition you can pass a
-colon-separated list of file extensions that it should match against. For
-example:
-.code
-deny message = Found blacklisted file attachment
- demime = vbs:com:bat:pif:prf:lnk
-.endd
-If one of the file extensions is found, the condition is true, otherwise it is
-false. If there is a temporary error while demimeing (for example, &"disk
-full"&), the condition defers, and the message is temporarily rejected (unless
-the condition is on a &%warn%& verb).
-
-The right-hand side is expanded before being treated as a list, so you can have
-conditions and lookups there. If it expands to an empty string, &"false"&, or
-zero (&"0"&), no demimeing is done and the condition is false.
-
-The &%demime%& condition set the following variables:
-
-.vlist
-.vitem &$demime_errorlevel$&
-.vindex "&$demime_errorlevel$&"
-When an error is detected in a MIME container, this variable contains the
-severity of the error, as an integer number. The higher the value, the more
-severe the error (the current maximum value is 3). If this variable is unset or
-zero, no error occurred.
-
-.vitem &$demime_reason$&
-.vindex "&$demime_reason$&"
-When &$demime_errorlevel$& is greater than zero, this variable contains a
-human-readable text string describing the MIME error that occurred.
-.endlist
-
-.vlist
-.vitem &$found_extension$&
-.vindex "&$found_extension$&"
-When the &%demime%& condition is true, this variable contains the file
-extension it found.
-.endlist
-
-Both &$demime_errorlevel$& and &$demime_reason$& are set by the first call of
-the &%demime%& condition, and are not changed on subsequent calls.
-
-If you do not want to check for file extensions, but rather use the &%demime%&
-condition for unpacking or error checking purposes, pass &"*"& as the
-right-hand side value. Here is a more elaborate example of how to use this
-facility:
-.code
-# Reject messages with serious MIME container errors
-deny message = Found MIME error ($demime_reason).
- demime = *
- condition = ${if >{$demime_errorlevel}{2}{1}{0}}
-
-# Reject known virus spreading file extensions.
-# Accepting these is pretty much braindead.
-deny message = contains $found_extension file (blacklisted).
- demime = com:vbs:bat:pif:scr
-
-# Freeze .exe and .doc files. Postmaster can
-# examine them and eventually thaw them.
-deny log_message = Another $found_extension file.
- demime = exe:doc
- control = freeze
-.endd
.ecindex IIDcosca
.section "Building Exim to use a local scan function" "SECID207"
.cindex "&[local_scan()]& function" "building Exim to use"
To make use of the local scan function feature, you must tell Exim where your
-function is before building Exim, by setting LOCAL_SCAN_SOURCE in your
+function is before building Exim, by setting
+.new
+both HAVE_LOCAL_SCAN and
+.wen
+LOCAL_SCAN_SOURCE in your
&_Local/Makefile_&. A recommended place to put it is in the &_Local_&
directory, so you might set
.code
+HAVE_LOCAL_SCAN=yes
LOCAL_SCAN_SOURCE=Local/local_scan.c
.endd
for example. The function must be called &[local_scan()]&. It is called by
commented template function (that just accepts the message) in the file
_src/local_scan.c_.
-If you want to make use of Exim's run time configuration file to set options
+If you want to make use of Exim's runtime configuration file to set options
for your &[local_scan()]& function, you must also set
.code
LOCAL_SCAN_HAS_OPTIONS=yes
.section "API for local_scan()" "SECTapiforloc"
.cindex "&[local_scan()]& function" "API description"
+.cindex &%dlfunc%& "API description"
You must include this line near the start of your code:
.code
#include "local_scan.h"
.vlist
.vitem &*int&~body_linecount*&
This variable contains the number of lines in the message's body.
+It is not valid if the &%spool_files_wireformat%& option is used.
.vitem &*int&~body_zerocount*&
This variable contains the number of binary zero bytes in the message's body.
+It is not valid if the &%spool_files_wireformat%& option is used.
.vitem &*unsigned&~int&~debug_selector*&
This variable is set to zero when no debugging is taking place. Otherwise, it
.section "Resent- header lines" "SECID220"
.cindex "&%Resent-%& header lines"
+.cindex "header lines" "Resent-"
RFC 2822 makes provision for sets of header lines starting with the string
&`Resent-`& to be added to a message when it is resent by the original
recipient to somebody else. These headers are &'Resent-Date:'&,
.section "The Date: header line" "SECID223"
.cindex "&'Date:'& header line"
+.cindex "header lines" "Date:"
If a locally-generated or submission-mode message has no &'Date:'& header line,
Exim adds one, using the current date and time, unless the
&%suppress_local_fixups%& control has been specified.
.section "The Envelope-to: header line" "SECID225"
.cindex "&'Envelope-to:'& header line"
+.cindex "header lines" "Envelope-to:"
.oindex "&%envelope_to_remove%&"
&'Envelope-to:'& header lines are not part of the standard RFC 2822 header set.
Exim can be configured to add them to the final delivery of messages. (See the
.section "The From: header line" "SECTthefrohea"
.cindex "&'From:'& header line"
+.cindex "header lines" "From:"
.cindex "Sendmail compatibility" "&""From""& line"
.cindex "message" "submission"
.cindex "submission mode"
.section "The Message-ID: header line" "SECID226"
.cindex "&'Message-ID:'& header line"
+.cindex "header lines" "Message-ID:"
.cindex "message" "submission"
.oindex "&%message_id_header_text%&"
If a locally-generated or submission-mode incoming message does not contain a
.section "The Received: header line" "SECID227"
.cindex "&'Received:'& header line"
+.cindex "header lines" "Received:"
A &'Received:'& header line is added at the start of every message. The
contents are defined by the &%received_header_text%& configuration option, and
Exim automatically adds a semicolon and a timestamp to the configured string.
.section "The References: header line" "SECID228"
.cindex "&'References:'& header line"
+.cindex "header lines" "References:"
Messages created by the &(autoreply)& transport include a &'References:'&
header line. This is constructed according to the rules that are described in
section 3.64 of RFC 2822 (which states that replies should contain such a
.section "The Return-path: header line" "SECID229"
.cindex "&'Return-path:'& header line"
+.cindex "header lines" "Return-path:"
.oindex "&%return_path_remove%&"
&'Return-path:'& header lines are defined as something an MTA may insert when
it does the final delivery of messages. (See the generic &%return_path_add%&
.section "The Sender: header line" "SECTthesenhea"
.cindex "&'Sender:'& header line"
.cindex "message" "submission"
+.cindex "header lines" "Sender:"
For a locally-originated message from an untrusted user, Exim may remove an
existing &'Sender:'& header line, and it may add a new one. You can modify
these actions by setting the &%local_sender_retain%& option true, the
the transport cannot refer to the modified header lines, because such
expansions all occur before the message is actually transported.
-For both routers and transports, the result of expanding a &%headers_add%&
+For both routers and transports, the argument of a &%headers_add%&
option must be in the form of one or more RFC 2822 header lines, separated by
newlines (coded as &"\n"&). For example:
.code
.endd
Exim does not check the syntax of these added header lines.
-The result of expanding &%headers_remove%& must consist of a colon-separated
+Multiple &%headers_add%& options for a single router or transport can be
+specified; the values will append to a single list of header lines.
+Each header-line is separately expanded.
+
+The argument of a &%headers_remove%& option must consist of a colon-separated
list of header names. This is confusing, because header names themselves are
often terminated by colons. In this case, the colons are the list separators,
not part of the names. For example:
.code
headers_remove = return-receipt-to:acknowledge-to
.endd
-When &%headers_add%& or &%headers_remove%& is specified on a router, its value
-is expanded at routing time, and then associated with all addresses that are
+
+Multiple &%headers_remove%& options for a single router or transport can be
+specified; the arguments will append to a single header-names list.
+Each item is separately expanded.
+Note that colons in complex expansions which are used to
+form all or part of a &%headers_remove%& list
+will act as list separators.
+
+When &%headers_add%& or &%headers_remove%& is specified on a router,
+items are expanded at routing time,
+and then associated with all addresses that are
accepted by that router, and also with any new addresses that it generates. If
an address passes through several routers as a result of aliasing or
forwarding, the changes are cumulative.
If the remote server advertises support for the STARTTLS command, and Exim
was built to support TLS encryption, it tries to start a TLS session unless the
server matches &%hosts_avoid_tls%&. See chapter &<<CHAPTLS>>& for more details.
+Either a match in that or &%hosts_verify_avoid_tls%& apply when the transport
+is called for verification.
If the remote server advertises support for the AUTH command, Exim scans
the authenticators configuration for any suitable client settings, as described
When Exim receives a VRFY or EXPN command on a TCP/IP connection, it
runs the ACL specified by &%acl_smtp_vrfy%& or &%acl_smtp_expn%& (as
appropriate) in order to decide whether the command should be accepted or not.
-If no ACL is defined, the command is rejected.
.cindex "VRFY" "processing"
+When no ACL is defined for VRFY, or if it rejects without
+setting an explicit response code, the command is accepted
+(with a 252 SMTP response code)
+in order to support awkward clients that do a VRFY before every RCPT.
When VRFY is accepted, it runs exactly the same code as when Exim is
-called with the &%-bv%& option.
+called with the &%-bv%& option, and returns 250/451/550
+SMTP response codes.
.cindex "EXPN" "processing"
+If no ACL for EXPN is defined, the command is rejected.
When EXPN is accepted, a single-level expansion of the address is done.
EXPN is treated as an &"address test"& (similar to the &%-bt%& option) rather
than a verification (the &%-bv%& option). If an unqualified local part is given
.chapter "Customizing bounce and warning messages" "CHAPemsgcust" &&&
"Customizing messages"
-When a message fails to be delivered, or remains on the queue for more than a
+When a message fails to be delivered, or remains in the queue for more than a
configured amount of time, Exim sends a message to the original sender, or
to an alternative configured address. The text of these messages is built into
the code of Exim, but it is possible to change it, either by adding a single
The third item is used to introduce any text from pipe transports that is to be
returned to the sender. It is omitted if there is no such text.
.next
-The fourth item is used to introduce the copy of the message that is returned
-as part of the error report.
-.next
-The fifth item is added after the fourth one if the returned message is
-truncated because it is bigger than &%return_size_limit%&.
-.next
-The sixth item is added after the copy of the original message.
+The fourth, fifth and sixth items will be ignored and may be empty.
+The fields exist for back-compatibility
.endlist
The default state (&%bounce_message_file%& unset) is equivalent to the
<$sender_address>
}}has not been delivered to all of its recipients after
-more than $warn_message_delay on the queue on $primary_hostname.
+more than $warn_message_delay in the queue on $primary_hostname.
The message identifier is: $message_exim_id
The subject of the message is: $h_subject
routers are tried, and so the whole delivery fails.
The &%forbid_pipe%& and &%forbid_file%& options prevent a local part from being
-expanded into a file name or a pipe delivery, which is usually inappropriate in
+expanded into a filename or a pipe delivery, which is usually inappropriate in
a mailing list.
.oindex "&%errors_to%&"
.cindex "VERP"
.cindex "Variable Envelope Return Paths"
.cindex "envelope sender"
-Variable Envelope Return Paths &-- see &url(http://cr.yp.to/proto/verp.txt) &--
+Variable Envelope Return Paths &-- see &url(https://cr.yp.to/proto/verp.txt) &--
are a way of helping mailing list administrators discover which subscription
address is the cause of a particular delivery failure. The idea is to encode
the original recipient address in the outgoing envelope sender address, so that
setting ensures that if the lookup fails (leading to &%data%& being an empty
string), Exim gives up on the address without trying any subsequent routers.
-This one router can handle all the virtual domains because the alias file names
+This one router can handle all the virtual domains because the alias filenames
follow a fixed pattern. Permissions can be arranged so that appropriate people
can edit the different alias files. A successful aliasing operation results in
a new envelope recipient address, which is then routed from scratch.
.section "Exim on the upstream server host" "SECID247"
It is tempting to arrange for incoming mail for the intermittently connected
-host to remain on Exim's queue until the client connects. However, this
+host to remain in Exim's queue until the client connects. However, this
approach does not scale very well. Two different kinds of waiting message are
being mixed up in the same queue &-- those that cannot be delivered because of
some temporary problem, and those that are waiting for their destination host
Linux this has been seen to make syslog take 90% plus of CPU time.
The destination for Exim's logs is configured by setting LOG_FILE_PATH in
-&_Local/Makefile_& or by setting &%log_file_path%& in the run time
+&_Local/Makefile_& or by setting &%log_file_path%& in the runtime
configuration. This latter string is expanded, so it can contain, for example,
references to the host name:
.code
log_file_path = /var/log/$primary_hostname/exim_%slog
.endd
It is generally advisable, however, to set the string in &_Local/Makefile_&
-rather than at run time, because then the setting is available right from the
+rather than at runtime, because then the setting is available right from the
start of Exim's execution. Otherwise, if there's something it wants to log
before it has read the configuration file (for example, an error in the
configuration file) it will not use the path you want, and may not be able to
.code
log_file_path = $spool_directory/log/%slog
.endd
-If you do not specify anything at build time or run time, that is where the
-logs are written.
+If you do not specify anything at build time or runtime,
+or if you unset the option at runtime (i.e. &`log_file_path = `&),
+that is where the logs are written.
-A log file path may also contain &`%D`& or &`%M`& if datestamped log file names
+A log file path may also contain &`%D`& or &`%M`& if datestamped log filenames
are in use &-- see section &<<SECTdatlogfil>>& below.
Here are some examples of possible settings:
timestamp. The flags are:
.display
&`<=`& message arrival
+&`(=`& message fakereject
&`=>`& normal message delivery
&`->`& additional address in same delivery
+&`>>`& cutthrough message delivery
&`*>`& delivery suppressed by &%-N%&
&`**`& delivery failed; address bounced
&`==`& delivery deferred; temporary problem
session was encrypted, there is an additional X field that records the cipher
suite that was used.
+.cindex log protocol
The protocol is set to &"esmtpsa"& or &"esmtpa"& for messages received from
hosts that have authenticated themselves using the SMTP AUTH command. The first
value is used when the SMTP connection was encrypted (&"secure"&). In this case
.cindex "log" "delivery line"
The format of the single-line entry in the main log that is written for every
delivery is shown in one of the examples below, for local and remote
-deliveries, respectively. Each example has been split into two lines in order
+deliveries, respectively. Each example has been split into multiple lines in order
to fit it on the page:
.code
2002-10-31 08:59:13 16ZCW1-0005MB-00 => marv
last of these is given in parentheses after the final address. The R and T
fields record the router and transport that were used to process the address.
+If SMTP AUTH was used for the delivery there is an additional item A=
+followed by the name of the authenticator that was used.
+If an authenticated identification was set up by the authenticator's &%client_set_id%&
+option, this is logged too, separated by a colon from the authenticator name.
+
If a shadow transport was run after a successful local delivery, the log line
for the successful delivery has an item added on the end, of the form
.display
flagged with &`->`& instead of &`=>`&. When two or more messages are delivered
down a single SMTP connection, an asterisk follows the IP address in the log
lines for the second and subsequent messages.
+When two or more messages are delivered down a single TLS connection, the
+DNS and some TLS-related information logged for the first message delivered
+will not be present in the log lines for the second and subsequent messages.
+TLS cipher information is still available.
+
+.cindex "delivery" "cutthrough; logging"
+.cindex "cutthrough" "logging"
+When delivery is done in cutthrough mode it is flagged with &`>>`& and the log
+line precedes the reception line, since cutthrough waits for a possible
+rejection from the destination in case it can reject the sourced item.
The generation of a reply message by a filter file gets logged as a
&"delivery"& to the addressee, preceded by &">"&.
A summary of the field identifiers that are used in log lines is shown in
the following table:
.display
-&`A `& authenticator name (and optional id)
+&`A `& authenticator name (and optional id and sender)
&`C `& SMTP confirmation on delivery
&` `& command list for &"no mail in SMTP session"&
&`CV `& certificate verification status
&`D `& duration of &"no mail in SMTP session"&
+&`DKIM`& domain verified in incoming message
&`DN `& distinguished name from peer certificate
+&`DS `& DNSSEC secured lookups
&`DT `& on &`=>`& lines: time taken for a delivery
&`F `& sender address (on delivery lines)
&`H `& host name and IP address
&`I `& local interface used
&`id `& message id for incoming message
+&`K `& CHUNKING extension used
+&`L `& on &`<=`& and &`=>`& lines: PIPELINING extension used
+&`M8S `& 8BITMIME status for incoming message
&`P `& on &`<=`& lines: protocol used
&` `& on &`=>`& and &`**`& lines: return path
+&`PRDR`& PRDR extension used
+&`PRX `& on &`<=`& and &`=>`& lines: proxy address
+&`Q `& alternate queue name
&`QT `& on &`=>`& lines: time spent on queue so far
&` `& on &"Completed"& lines: time spent on queue
&`R `& on &`<=`& lines: reference for local bounce
-&` `& on &`=>`& &`**`& and &`==`& lines: router name
-&`S `& size of message
+&` `& on &`=>`& &`>>`& &`**`& and &`==`& lines: router name
+&`RT `& on &`<=`& lines: time taken for reception
+&`S `& size of message in bytes
+&`SNI `& server name indication from TLS client hello
&`ST `& shadow transport name
&`T `& on &`<=`& lines: message subject (topic)
+&`TFO `& connection took advantage of TCP Fast Open
&` `& on &`=>`& &`**`& and &`==`& lines: transport name
&`U `& local user or RFC 1413 identity
&`X `& TLS cipher suite
.endd
failed. The delivery was discarded.
.endlist olist
+.next
+.cindex DKIM "log line"
+&'DKIM: d='&&~&~Verbose results of a DKIM verification attempt, if enabled for
+logging and the message has a DKIM signature header.
.endlist ilist
The list of optional log items is in the following table, with the default
selection marked by asterisks:
.display
+&` 8bitmime `& received 8BITMIME status
&`*acl_warn_skipped `& skipped &%warn%& statement in ACL
&` address_rewrite `& address rewriting
&` all_parents `& all parents in => lines
&`*delay_delivery `& immediate delivery delayed
&` deliver_time `& time taken to perform delivery
&` delivery_size `& add &`S=`&&'nnn'& to => lines
+&`*dkim `& DKIM verified domain on <= lines
+&` dkim_verbose `& separate full DKIM verification result line, per signature
&`*dnslist_defer `& defers of DNS list (aka RBL) lookups
+&` dnssec `& DNSSEC secured lookups
&`*etrn `& ETRN commands
&`*host_lookup_failed `& as it says
&` ident_timeout `& timeout for ident connection
-&` incoming_interface `& incoming interface on <= lines
-&` incoming_port `& incoming port on <= lines
+&` incoming_interface `& local interface on <= and => lines
+&` incoming_port `& remote port on <= lines
&`*lost_incoming_connection `& as it says (includes timeouts)
+&` millisec `& millisecond timestamps and RT,QT,DT,D times
+&` outgoing_interface `& local interface on => lines
&` outgoing_port `& add remote port to => lines
&`*queue_run `& start and end queue runs
&` queue_time `& time on queue for one recipient
&` queue_time_overall `& time on queue for whole message
&` pid `& Exim process id
+&` pipelining `& PIPELINING use, on <= and => lines
+&` proxy `& proxy address on <= and => lines
+&` receive_time `& time taken to receive message
&` received_recipients `& recipients on <= lines
&` received_sender `& sender on <= lines
&`*rejected_header `& header contents on reject log
&`*sender_verify_fail `& sender verification failures
&`*size_reject `& rejection because too big
&`*skip_delivery `& delivery skipped in a queue run
-&` smtp_confirmation `& SMTP confirmation on => lines
-&` smtp_connection `& SMTP connections
+&`*smtp_confirmation `& SMTP confirmation on => lines
+&` smtp_connection `& incoming SMTP connections
&` smtp_incomplete_transaction`& incomplete SMTP transactions
+&` smtp_mailauth `& AUTH argument to MAIL commands
&` smtp_no_mail `& session with no MAIL commands
&` smtp_protocol_error `& SMTP protocol errors
&` smtp_syntax_error `& SMTP syntax errors
&` subject `& contents of &'Subject:'& on <= lines
-&` tls_certificate_verified `& certificate verification status
+&`*tls_certificate_verified `& certificate verification status
&`*tls_cipher `& TLS cipher suite on <= and => lines
&` tls_peerdn `& TLS peer DN on <= and => lines
&` tls_sni `& TLS SNI on <= lines
&` all `& all of the above
.endd
+See also the &%slow_lookup_log%& main configuration option,
+section &<<SECID99>>&
+
More details on each of these items follows:
.ilist
+.cindex "8BITMIME"
+.cindex "log" "8BITMIME"
+&%8bitmime%&: This causes Exim to log any 8BITMIME status of received messages,
+which may help in tracking down interoperability issues with ancient MTAs
+that are not 8bit clean. This is added to the &"<="& line, tagged with
+&`M8S=`& and a value of &`0`&, &`7`& or &`8`&, corresponding to "not given",
+&`7BIT`& and &`8BITMIME`& respectively.
+.next
.cindex "&%warn%& ACL verb" "log when skipping"
&%acl_warn_skipped%&: When an ACL &%warn%& statement is skipped because one of
its conditions cannot be evaluated, a log line to this effect is written if
.cindex "log" "delivery duration"
&%deliver_time%&: For each delivery, the amount of real time it has taken to
perform the actual delivery is logged as DT=<&'time'&>, for example, &`DT=1s`&.
+If millisecond logging is enabled, short times will be shown with greater
+precision, eg. &`DT=0.304s`&.
.next
.cindex "log" "message size on delivery"
.cindex "size" "of message"
&%delivery_size%&: For each delivery, the size of message delivered is added to
the &"=>"& line, tagged with S=.
.next
+.cindex log "DKIM verification"
+.cindex DKIM "verification logging"
+&%dkim%&: For message acceptance log lines, when an DKIM signature in the header
+verifies successfully a tag of DKIM is added, with one of the verified domains.
+.next
+.cindex log "DKIM verification"
+.cindex DKIM "verification logging"
+&%dkim_verbose%&: A log entry is written for each attempted DKIM verification.
+.next
.cindex "log" "dnslist defer"
.cindex "DNS list" "logging defer"
.cindex "black list (DNS)"
&%dnslist_defer%&: A log entry is written if an attempt to look up a host in a
DNS black list suffers a temporary error.
.next
+.cindex log dnssec
+.cindex dnssec logging
+&%dnssec%&: For message acceptance and (attempted) delivery log lines, when
+dns lookups gave secure results a tag of DS is added.
+For acceptance this covers the reverse and forward lookups for host name verification.
+It does not cover helo-name verification.
+For delivery this covers the SRV, MX, A and/or AAAA lookups.
+.next
.cindex "log" "ETRN commands"
.cindex "ETRN" "logging"
&%etrn%&: Every valid ETRN command that is received is logged, before the ACL
client's ident port times out.
.next
.cindex "log" "incoming interface"
+.cindex "log" "local interface"
+.cindex "log" "local address and port"
+.cindex "TCP/IP" "logging local address and port"
.cindex "interface" "logging"
&%incoming_interface%&: The interface on which a message was received is added
to the &"<="& line as an IP address in square brackets, tagged by I= and
followed by a colon and the port number. The local interface and port are also
-added to other SMTP log lines, for example &"SMTP connection from"&, and to
-rejection lines.
+added to other SMTP log lines, for example, &"SMTP connection from"&, to
+rejection lines, and (despite the name) to outgoing &"=>"& and &"->"& lines.
+The latter can be disabled by turning off the &%outgoing_interface%& option.
+.next
+.cindex log "incoming proxy address"
+.cindex proxy "logging proxy address"
+.cindex "TCP/IP" "logging proxy address"
+&%proxy%&: The internal (closest to the system running Exim) IP address
+of the proxy, tagged by PRX=, on the &"<="& line for a message accepted
+on a proxied connection
+or the &"=>"& line for a message delivered on a proxied connection.
+See &<<SECTproxyInbound>>& for more information.
.next
.cindex "log" "incoming remote port"
.cindex "port" "logging remote"
&%lost_incoming_connection%&: A log line is written when an incoming SMTP
connection is unexpectedly dropped.
.next
+.cindex "log" "millisecond timestamps"
+.cindex millisecond logging
+.cindex timestamps "millisecond, in logs"
+&%millisec%&: Timestamps have a period and three decimal places of finer granularity
+appended to the seconds value.
+.next
+.cindex "log" "outgoing interface"
+.cindex "log" "local interface"
+.cindex "log" "local address and port"
+.cindex "TCP/IP" "logging local address and port"
+.cindex "interface" "logging"
+&%outgoing_interface%&: If &%incoming_interface%& is turned on, then the
+interface on which a message was sent is added to delivery lines as an I= tag
+followed by IP address in square brackets. You can disable this by turning
+off the &%outgoing_interface%& option.
+.next
.cindex "log" "outgoing remote port"
-.cindex "port" "logging outgoint remote"
-.cindex "TCP/IP" "logging ougtoing remote port"
+.cindex "port" "logging outgoing remote"
+.cindex "TCP/IP" "logging outgoing remote port"
&%outgoing_port%&: The remote port number is added to delivery log lines (those
-containing => tags) following the IP address. This option is not included in
-the default setting, because for most ordinary configurations, the remote port
-number is always 25 (the SMTP port).
+containing => tags) following the IP address.
+The local port is also added if &%incoming_interface%& and
+&%outgoing_interface%& are both enabled.
+This option is not included in the default setting, because for most ordinary
+configurations, the remote port number is always 25 (the SMTP port), and the
+local port is a random ephemeral port.
.next
.cindex "log" "process ids in"
.cindex "pid (process id)" "in log lines"
&%pid%&: The current process id is added to every log line, in square brackets,
immediately after the time and date.
.next
+.new
+.cindex log pipelining
+.cindex pipelining "logging outgoing"
+&%pipelining%&: A field is added to delivery and accept
+log lines when the ESMTP PIPELINING extension was used.
+The field is a single "L".
+
+On accept lines, where PIPELINING was offered but not used by the client,
+the field has a minus appended.
+.next
.cindex "log" "queue run"
.cindex "queue runner" "logging"
&%queue_run%&: The start and end of every queue run are logged.
This means that it may be longer than the difference between the arrival and
delivery log line times, because the arrival log line is not written until the
message has been successfully received.
+If millisecond logging is enabled, short times will be shown with greater
+precision, eg. &`QT=1.578s`&.
.next
&%queue_time_overall%&: The amount of time the message has been in the queue on
the local host is logged as QT=<&'time'&> on &"Completed"& lines, for
example, &`QT=3m45s`&. The clock starts when Exim starts to receive the
message, so it includes reception time as well as the total delivery time.
.next
+.cindex "log" "receive duration"
+&%receive_time%&: For each message, the amount of real time it has taken to
+perform the reception is logged as RT=<&'time'&>, for example, &`RT=1s`&.
+If millisecond logging is enabled, short times will be shown with greater
+precision, eg. &`RT=0.204s`&.
+.next
.cindex "log" "recipients"
&%received_recipients%&: The recipients of a message are listed in the main log
as soon as the message is received. The list appears at the end of the log line
.next
.cindex "log" "smtp confirmation"
.cindex "SMTP" "logging confirmation"
-&%smtp_confirmation%&: The response to the final &"."& in the SMTP dialogue for
+.cindex "LMTP" "logging confirmation"
+&%smtp_confirmation%&: The response to the final &"."& in the SMTP or LMTP dialogue for
outgoing messages is added to delivery log lines in the form &`C=`&<&'text'&>.
A number of MTAs (including Exim) return an identifying string in this
response.
.next
.cindex "log" "SMTP connections"
.cindex "SMTP" "logging connections"
-&%smtp_connection%&: A log line is written whenever an SMTP connection is
+&%smtp_connection%&: A log line is written whenever an incoming SMTP connection is
established or closed, unless the connection is from a host that matches
&%hosts_connection_nolog%&. (In contrast, &%lost_incoming_connection%& applies
only when the closure is unexpected.) This applies to connections from local
shows that the client issued QUIT straight after EHLO. If there were fewer
than 20 commands, they are all listed. If there were more than 20 commands,
the last 20 are listed, preceded by &"..."&. However, with the default
-setting of 10 for &%smtp_accep_max_nonmail%&, the connection will in any case
+setting of 10 for &%smtp_accept_max_nonmail%&, the connection will in any case
have been aborted before 20 non-mail commands are processed.
.next
+&%smtp_mailauth%&: A third subfield with the authenticated sender,
+colon-separated, is appended to the A= item for a message arrival or delivery
+log line, if an AUTH argument to the SMTP MAIL command (see &<<SECTauthparamail>>&)
+was accepted or used.
+.next
.cindex "log" "SMTP protocol error"
.cindex "SMTP" "logging protocol error"
&%smtp_protocol_error%&: A log line is written for every SMTP protocol error
unchanged, or whether they should be rendered as escape sequences.
.next
.cindex "log" "certificate verification"
+.cindex log DANE
+.cindex DANE logging
&%tls_certificate_verified%&: An extra item is added to <= and => log lines
when TLS is in use. The item is &`CV=yes`& if the peer's certificate was
-verified, and &`CV=no`& if not.
+verified
+using a CA trust anchor,
+&`CA=dane`& if using a DNS trust anchor,
+and &`CV=no`& if not.
.next
.cindex "log" "TLS cipher"
.cindex "TLS" "logging cipher"
Another utility that might be of use to sites with many MTAs is Tom Kistner's
&'exilog'&. It provides log visualizations across multiple Exim servers. See
-&url(http://duncanthrax.net/exilog/) for details.
+&url(https://duncanthrax.net/exilog/) for details.
.code
exim -bpu
.endd
-to obtain a queue listing with undelivered recipients only, and then greps the
-output to select messages that match given criteria. The following selection
-options are available:
+or (in case &*-a*& switch is specified)
+.code
+exim -bp
+.endd
+The &*-C*& option is used to specify an alternate &_exim.conf_& which might
+contain alternate exim configuration the queue management might be using.
+
+to obtain a queue listing, and then greps the output to select messages
+that match given criteria. The following selection options are available:
.vlist
.vitem &*-f*&&~<&'regex'&>
-Match the sender address. The field that is tested is enclosed in angle
-brackets, so you can test for bounce messages with
+Match the sender address using a case-insensitive search. The field that is
+tested is enclosed in angle brackets, so you can test for bounce messages with
.code
exiqgrep -f '^<>$'
.endd
.vitem &*-r*&&~<&'regex'&>
-Match a recipient address. The field that is tested is not enclosed in angle
-brackets.
+Match a recipient address using a case-insensitive search. The field that is
+tested is not enclosed in angle brackets.
.vitem &*-s*&&~<&'regex'&>
Match against the size field.
.vitem &*-R*&
Display messages in reverse order.
+
+.vitem &*-a*&
+Include delivered recipients in queue listing.
.endlist
There is one more option, &%-h%&, which outputs a list of options.
.cindex "&'exiqsumm'&"
.cindex "queue" "summary"
The &'exiqsumm'& utility is a Perl script which reads the output of &`exim
--bp`& and produces a summary of the messages on the queue. Thus, you use it by
+-bp`& and produces a summary of the messages in the queue. Thus, you use it by
running a command such as
.code
exim -bp | exiqsumm
If a matching log line is not associated with a specific message, it is
included in &'exigrep'&'s output without any additional lines. The usage is:
.display
-&`exigrep [-t<`&&'n'&&`>] [-I] [-l] [-v] <`&&'pattern'&&`> [<`&&'log file'&&`>] ...`&
+&`exigrep [-t<`&&'n'&&`>] [-I] [-l] [-M] [-v] <`&&'pattern'&&`> [<`&&'log file'&&`>] ...`&
.endd
-If no log file names are given on the command line, the standard input is read.
+If no log filenames are given on the command line, the standard input is read.
The &%-t%& argument specifies a number of seconds. It adds an additional
condition for message selection. Messages that are complete are shown only if
-they spent more than <&'n'&> seconds on the queue.
+they spent more than <&'n'&> seconds in the queue.
By default, &'exigrep'& does case-insensitive matching. The &%-I%& option
makes it case-sensitive. This may give a performance improvement when searching
The &%-v%& option inverts the matching condition. That is, a line is selected
if it does &'not'& match the pattern.
+The &%-M%& options means &"related messages"&. &'exigrep'& will show messages
+that are generated as a result/response to a message that &'exigrep'& matched
+normally.
+
+Example of &%-M%&:
+user_a sends a message to user_b, which generates a bounce back to user_b. If
+&'exigrep'& is used to search for &"user_a"&, only the first message will be
+displayed. But if &'exigrep'& is used to search for &"user_b"&, the first and
+the second (bounce) message will be displayed. Using &%-M%& with &'exigrep'&
+when searching for &"user_a"& will show both messages since the bounce is
+&"related"& to or a &"result"& of the first message that was found by the
+search term.
+
If the location of a &'zcat'& command is known from the definition of
ZCAT_COMMAND in &_Local/Makefile_&, &'exigrep'& automatically passes any file
whose name ends in COMPRESS_SUFFIX through &'zcat'& as it searches it.
+If the ZCAT_COMMAND is not executable, &'exigrep'& tries to use
+autodetection of some well known compression extensions.
.section "Selecting messages by various criteria (exipick)" "SECTexipick"
.cindex "&'exipick'&"
John Jetmore's &'exipick'& utility is included in the Exim distribution. It
lists messages from the queue according to a variety of criteria. For details
-of &'exipick'&'s facilities, visit the web page at
-&url(http://www.exim.org/eximwiki/ToolExipickManPage) or run &'exipick'& with
+of &'exipick'&'s facilities, run &'exipick'& with
the &%--help%& option.
configuration.
.endlist
-Each time &'exicyclog'& is run the file names get &"shuffled down"& by one. If
-the main log file name is &_mainlog_& (the default) then when &'exicyclog'& is
+Each time &'exicyclog'& is run the filenames get &"shuffled down"& by one. If
+the main log filename is &_mainlog_& (the default) then when &'exicyclog'& is
run &_mainlog_& becomes &_mainlog.01_&, the previous &_mainlog.01_& becomes
&_mainlog.02_& and so on, up to the limit that is set in the script or by the
&%-k%& option. Log files whose numbers exceed the limit are discarded. Reject
.cindex "&'eximstats'&"
A Perl script called &'eximstats'& is provided for extracting statistical
information from log files. The output is either plain text, or HTML.
-Exim log files are also supported by the &'Lire'& system produced by the
-LogReport Foundation &url(http://www.logreport.org).
+. --- 2018-09-07: LogReport's Lire appears to be dead; website is a Yahoo Japan
+. --- 404 error and everything else points to that.
The &'eximstats'& script has been hacked about quite a bit over time. The
latest version is the result of some extensive revision by Steve Campbell. A
The remainder of the output is in sections that can be independently disabled
or modified by various options. It consists of a summary of deliveries by
transport, histograms of messages received and delivered per time interval
-(default per hour), information about the time messages spent on the queue,
+(default per hour), information about the time messages spent in the queue,
a list of relayed messages, lists of the top fifty sending hosts, local
senders, destination hosts, and destination local users by count and by volume,
and a list of delivery errors that occurred.
.cindex "USE_DB"
If the native DB interface is in use (USE_DB is set in a compile-time
-configuration file &-- this is common in free versions of Unix) the two file
-names must be different, because in this mode the Berkeley DB functions create
-a single output file using exactly the name given. For example,
+configuration file &-- this is common in free versions of Unix) the two
+filenames must be different, because in this mode the Berkeley DB functions
+create a single output file using exactly the name given. For example,
.code
exim_dbmbuild /etc/aliases /etc/aliases.db
.endd
environment, the suffixes are added to the second argument of
&'exim_dbmbuild'&, so it can be the same as the first. This is also the case
when the Berkeley functions are used in compatibility mode (though this is not
-recommended), because in that case it adds a &_.db_& suffix to the file name.
+recommended), because in that case it adds a &_.db_& suffix to the filename.
If a duplicate key is encountered, the program outputs a warning, and when it
finishes, its return code is 1 rather than zero, unless the &%-noduperr%&
.next
Serializing delivery to a specific host (when &%serialize_hosts%& is set in an
&(smtp)& transport)
+.next
+Limiting the concurrency of specific transports (when &%max_parallel%& is set
+in a transport)
.endlist
mailbox, which is the same as Exim's default. The use of &%-flock%& or
&%-fcntl%& requires that the file be writeable; the use of &%-lockfile%&
requires that the directory containing the file be writeable. Locking by lock
-file does not last for ever; Exim assumes that a lock file is expired if it is
+file does not last forever; Exim assumes that a lock file is expired if it is
more than 30 minutes old.
The &%-mbx%& option can be used with either or both of &%-fcntl%& or
End
.endd
.cindex "admin user"
-In order to see the contents of messages on the queue, and to operate on them,
+In order to see the contents of messages in the queue, and to operate on them,
&'eximon'& must either be run as root or by an admin user.
The command-line parameters of &'eximon'& are passed to &_eximon.bin_& and may
.section "The stripcharts" "SECID265"
.cindex "stripchart"
-The first stripchart is always a count of messages on the queue. Its name can
+The first stripchart is always a count of messages in the queue. Its name can
be configured by setting QUEUE_STRIPCHART_NAME in the
&_Local/eximon.conf_& file. The remaining stripcharts are defined in the
configuration script by regular expression matches on log file entries, making
.section "The queue display" "SECID268"
.cindex "queue" "display in monitor"
The bottom section of the monitor window contains a list of all messages that
-are on the queue, which includes those currently being received or delivered,
+are in the queue, which includes those currently being received or delivered,
as well as those awaiting delivery. The size of this subwindow is controlled by
parameters in the configuration file &_Local/eximon.conf_&, and the frequency
at which it is updated is controlled by another parameter in the same file &--
to force an update of the queue display at any time.
When a host is down for some time, a lot of pending mail can build up for it,
-and this can make it hard to deal with other messages on the queue. To help
+and this can make it hard to deal with other messages in the queue. To help
with this situation there is a button next to &"Update"& called &"Hide"&. If
pressed, a dialogue box called &"Hide addresses ending with"& is put up. If you
type anything in here and press &"Return"&, the text is added to a chain of
pressing the &"Hide"& button.
The queue display contains, for each unhidden queued message, the length of
-time it has been on the queue, the size of the message, the message id, the
+time it has been in the queue, the size of the message, the message id, the
message sender, and the first undelivered recipient, all on one line. If it is
a bounce message, the sender is shown as &"<>"&. If there is more than one
recipient to which the message has not yet been delivered, subsequent ones are
&'body'&: The contents of the spool file containing the body of the message are
displayed in a new text window. There is a default limit of 20,000 bytes to the
amount of data displayed. This can be changed by setting the BODY_MAX
-option at compile time, or the EXIMON_BODY_MAX option at run time.
+option at compile time, or the EXIMON_BODY_MAX option at runtime.
.next
&'deliver message'&: A call to Exim is made using the &%-M%& option to request
delivery of the message. This causes an automatic thaw if the message is
.ilist
ALT_CONFIG_PREFIX can be set to a string that is required to match the
-start of any file names used with the &%-C%& option. When it is set, these file
-names are also not allowed to contain the sequence &"/../"&. (However, if the
-value of the &%-C%& option is identical to the value of CONFIGURE_FILE in
+start of any filenames used with the &%-C%& option. When it is set, these
+filenames are also not allowed to contain the sequence &"/../"&. (However, if
+the value of the &%-C%& option is identical to the value of CONFIGURE_FILE in
&_Local/Makefile_&, Exim ignores &%-C%& and proceeds as usual.) There is no
default setting for &%ALT_CONFIG_PREFIX%&.
obviously more secure if Exim does not run as root except when necessary.
For this reason, a user and group for Exim to use must be defined in
&_Local/Makefile_&. These are known as &"the Exim user"& and &"the Exim
-group"&. Their values can be changed by the run time configuration, though this
+group"&. Their values can be changed by the runtime configuration, though this
is not recommended. Often a user called &'exim'& is used, but some sites use
&'mail'& or another user name altogether.
+.section "Running local commands" "SECTsecconslocalcmds"
+.cindex "security" "local commands"
+.cindex "security" "command injection attacks"
+There are a number of ways in which an administrator can configure Exim to run
+commands based upon received, untrustworthy, data. Further, in some
+configurations a user who can control a &_.forward_& file can also arrange to
+run commands. Configuration to check includes, but is not limited to:
+
+.ilist
+Use of &%use_shell%& in the pipe transport: various forms of shell command
+injection may be possible with this option present. It is dangerous and should
+be used only with considerable caution. Consider constraints which whitelist
+allowed characters in a variable which is to be used in a pipe transport that
+has &%use_shell%& enabled.
+.next
+A number of options such as &%forbid_filter_run%&, &%forbid_filter_perl%&,
+&%forbid_filter_dlfunc%& and so forth which restrict facilities available to
+&_.forward_& files in a redirect router. If Exim is running on a central mail
+hub to which ordinary users do not have shell access, but home directories are
+NFS mounted (for instance) then administrators should review the list of these
+forbid options available, and should bear in mind that the options that may
+need forbidding can change as new features are added between releases.
+.next
+The &%${run...}%& expansion item does not use a shell by default, but
+administrators can configure use of &_/bin/sh_& as part of the command.
+Such invocations should be viewed with prejudicial suspicion.
+.next
+Administrators who use embedded Perl are advised to explore how Perl's
+taint checking might apply to their usage.
+.next
+Use of &%${expand...}%& is somewhat analogous to shell's eval builtin and
+administrators are well advised to view its use with suspicion, in case (for
+instance) it allows a local-part to contain embedded Exim directives.
+.next
+Use of &%${match_local_part...}%& and friends becomes more dangerous if
+Exim was built with EXPAND_LISTMATCH_RHS defined: the second string in
+each can reference arbitrary lists and files, rather than just being a list
+of opaque strings.
+The EXPAND_LISTMATCH_RHS option was added and set false by default because of
+real-world security vulnerabilities caused by its use with untrustworthy data
+injected in, for SQL injection attacks.
+Consider the use of the &%inlisti%& expansion condition instead.
+.endlist
+
+
+
+
+.section "Trust in configuration data" "SECTsecconfdata"
+.cindex "security" "data sources"
+.cindex "security" "regular expressions"
+.cindex "regular expressions" "security"
+.cindex "PCRE" "security"
+If configuration data for Exim can come from untrustworthy sources, there
+are some issues to be aware of:
+
+.ilist
+Use of &%${expand...}%& may provide a path for shell injection attacks.
+.next
+Letting untrusted data provide a regular expression is unwise.
+.next
+Using &%${match...}%& to apply a fixed regular expression against untrusted
+data may result in pathological behaviour within PCRE. Be aware of what
+"backtracking" means and consider options for being more strict with a regular
+expression. Avenues to explore include limiting what can match (avoiding &`.`&
+when &`[a-z0-9]`& or other character class will do), use of atomic grouping and
+possessive quantifiers or just not using regular expressions against untrusted
+data.
+.next
+It can be important to correctly use &%${quote:...}%&,
+&%${quote_local_part:...}%& and &%${quote_%&<&'lookup-type'&>&%:...}%& expansion
+items to ensure that data is correctly constructed.
+.next
+Some lookups might return multiple results, even though normal usage is only
+expected to yield one result.
+.endlist
+
+
+
+
.section "IPv4 source routing" "SECID272"
.cindex "source routing" "in IP packets"
.cindex "IP source routing"
unprivileged), Exim must be built to allow group read access to its spool
files.
+By default, regular users are trusted to perform basic testing and
+introspection commands, as themselves. This setting can be tightened by
+setting the &%commandline_checks_require_admin%& option.
+This affects most of the checking options,
+such as &%-be%& and anything else &%-b*%&.
.section "Spool files" "SECID275"
is insurance against disk crashes where the directory is lost but the files
themselves are recoverable.
+.new
+The file formats may be changed, or new formats added, at any release.
+Spool files are not intended as an interface to other programs
+and should not be used as such.
+.wen
+
Some people are tempted into editing -D files in order to modify messages. You
need to be extremely careful if you do this; it is not recommended and you are
on your own if you do it. Here are some of the pitfalls:
.next
.vindex "&$body_linecount$&"
If you change the number of lines in the file, the value of
-&$body_linecount$&, which is stored in the -H file, will be incorrect. At
-present, this value is not used by Exim, but there is no guarantee that this
-will always be the case.
+&$body_linecount$&, which is stored in the -H file, will be incorrect and can
+cause incomplete transmission of messages or undeliverable messages.
.next
If the message is in MIME format, you must take care not to break it.
.next
-J file and uses it to update the -H file before starting the next delivery
attempt.
+Files whose names end with -K or .eml may also be seen in the spool.
+These are temporaries used for DKIM or malware processing, when that is used.
+They should be tidied up by normal operations; any old ones are probably
+relics of crashes and can be removed.
+
.section "Format of the -H file" "SECID282"
.cindex "uid (user id)" "in spool file"
.cindex "gid (group id)" "in spool file"
&$authenticated_sender$& variable.
.vitem "&%-body_linecount%&&~<&'number'&>"
-This records the number of lines in the body of the message, and is always
-present.
+This records the number of lines in the body of the message, and is
+present unless &%-spool_file_wireformat%& is.
.vitem "&%-body_zerocount%&&~<&'number'&>"
This records the number of binary zero bytes in the body of the message, and is
If a message was scanned by SpamAssassin, this is present. It records the value
of &$spam_score_int$&.
+.vitem &%-spool_file_wireformat%&
+The -D file for this message is in wire-format (for ESMTP CHUNKING)
+rather than Unix-format.
+The line-ending is CRLF rather than newline.
+There is still, however, no leading-dot-stuffing.
+
.vitem &%-tls_certificate_verified%&
A TLS certificate was received from the client that sent this message, and the
certificate was verified by the server.
.ecindex IIDforspo2
.ecindex IIDforspo3
+.section "Format of the -D file" "SECID282a"
+The data file is traditionally in Unix-standard format: lines are ended with
+an ASCII newline character.
+However, when the &%spool_wireformat%& main option is used some -D files
+can have an alternate format.
+This is flagged by a &%-spool_file_wireformat%& line in the corresponding -H file.
+The -D file lines (not including the first name-component line) are
+suitable for direct copying to the wire when transmitting using the
+ESMTP CHUNKING option, meaning lower processing overhead.
+Lines are terminated with an ASCII CRLF pair.
+There is no dot-stuffing (and no dot-termination).
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.chapter "Support for DKIM (DomainKeys Identified Mail)" "CHID12" &&&
- "DKIM Support"
+.chapter "DKIM and SPF" "CHAPdkim" &&&
+ "DKIM and SPF Support"
.cindex "DKIM"
+.section "DKIM (DomainKeys Identified Mail)" SECDKIM
+
DKIM is a mechanism by which messages sent by some entity can be provably
linked to a domain which that entity controls. It permits reputation to
be tracked on a per-domain basis, rather than merely upon source IP address.
-DKIM is documented in RFC 4871.
+DKIM is documented in RFC 6376.
-Since version 4.70, DKIM support is compiled into Exim by default. It can be
-disabled by setting DISABLE_DKIM=yes in Local/Makefile.
+As DKIM relies on the message being unchanged in transit, messages handled
+by a mailing-list (which traditionally adds to the message) will not match
+any original DKIM signature.
-Exim's DKIM implementation allows to
+DKIM support is compiled into Exim by default if TLS support is present.
+It can be disabled by setting DISABLE_DKIM=yes in &_Local/Makefile_&.
+
+Exim's DKIM implementation allows for
.olist
-Sign outgoing messages: This function is implemented in the SMTP transport.
-It can co-exist with all other Exim features, including transport filters.
+Signing outgoing messages: This function is implemented in the SMTP transport.
+It can co-exist with all other Exim features
+(including transport filters)
+except cutthrough delivery.
.next
-Verify signatures in incoming messages: This is implemented by an additional
+Verifying signatures in incoming messages: This is implemented by an additional
ACL (acl_smtp_dkim), which can be called several times per message, with
different signature contexts.
.endlist
Exim's standard controls.
Please note that verification of DKIM signatures in incoming mail is turned
-on by default for logging purposes. For each signature in incoming email,
+on by default for logging (in the <= line) purposes.
+
+Additional log detail can be enabled using the &%dkim_verbose%& log_selector.
+When set, for each signature in incoming email,
exim will log a line displaying the most important signature details, and the
signature status. Here is an example (with line-breaks added for clarity):
.code
c=relaxed/relaxed a=rsa-sha1
i=@facebookmail.com t=1252484542 [verification succeeded]
.endd
+
You might want to turn off DKIM verification processing entirely for internal
or relay mail sources. To do that, set the &%dkim_disable_verify%& ACL
control modifier. This should typically be done in the RCPT ACL, at points
senders).
-.section "Signing outgoing messages" "SECID513"
+.section "Signing outgoing messages" "SECDKIMSIGN"
.cindex "DKIM" "signing"
-Signing is implemented by setting private options on the SMTP transport.
-These options take (expandable) strings as arguments.
+For signing to be usable you must have published a DKIM record in DNS.
+Note that RFC 8301 says:
+.code
+rsa-sha1 MUST NOT be used for signing or verifying.
+
+Signers MUST use RSA keys of at least 1024 bits for all keys.
+Signers SHOULD use RSA keys of at least 2048 bits.
+.endd
-.option dkim_domain smtp string&!! unset
-MANDATORY:
-The domain you want to sign with. The result of this expanded
-option is put into the &%$dkim_domain%& expansion variable.
+Note also that the key content (the 'p=' field)
+in the DNS record is different between RSA and EC keys;
+for the former it is the base64 of the ASN.1 for the RSA public key
+(equivalent to the private-key .pem with the header/trailer stripped)
+but for EC keys it is the base64 of the pure key; no ASN.1 wrapping.
-.option dkim_selector smtp string&!! unset
-MANDATORY:
-This sets the key selector string. You can use the &%$dkim_domain%& expansion
-variable to look up a matching selector. The result is put in the expansion
-variable &%$dkim_selector%& which should be used in the &%dkim_private_key%&
+Signing is enabled by setting private options on the SMTP transport.
+These options take (expandable) strings as arguments.
+
+.option dkim_domain smtp string list&!! unset
+The domain(s) you want to sign with.
+After expansion, this can be a list.
+Each element in turn is put into the &%$dkim_domain%& expansion variable
+while expanding the remaining signing options.
+If it is empty after expansion, DKIM signing is not done,
+and no error will result even if &%dkim_strict%& is set.
+
+.option dkim_selector smtp string list&!! unset
+This sets the key selector string.
+After expansion, which can use &$dkim_domain$&, this can be a list.
+Each element in turn is put in the expansion
+variable &%$dkim_selector%& which may be used in the &%dkim_private_key%&
option along with &%$dkim_domain%&.
+If the option is empty after expansion, DKIM signing is not done for this domain,
+and no error will result even if &%dkim_strict%& is set.
.option dkim_private_key smtp string&!! unset
-MANDATORY:
-This sets the private key to use. You can use the &%$dkim_domain%& and
+This sets the private key to use.
+You can use the &%$dkim_domain%& and
&%$dkim_selector%& expansion variables to determine the private key to use.
The result can either
.ilist
-be a valid RSA private key in ASCII armor, including line breaks.
+be a valid RSA private key in ASCII armor (.pem file), including line breaks
+.next
+with GnuTLS 3.6.0 or OpenSSL 1.1.1 or later,
+be a valid Ed25519 private key (same format as above)
.next
start with a slash, in which case it is treated as a file that contains
-the private key.
+the private key
.next
be "0", "false" or the empty string, in which case the message will not
be signed. This case will not result in an error, even if &%dkim_strict%&
is set.
.endlist
+To generate keys under OpenSSL:
+.code
+openssl genrsa -out dkim_rsa.private 2048
+openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM
+.endd
+Take the base-64 lines from the output of the second command, concatenated,
+for the DNS TXT record.
+See section 3.6 of RFC6376 for the record specification.
+
+Under GnuTLS:
+.code
+certtool --generate-privkey --rsa --bits=2048 --password='' -8 --outfile=dkim_rsa.private
+certtool --load-privkey=dkim_rsa.private --pubkey-info
+.endd
+
+Note that RFC 8301 says:
+.code
+Signers MUST use RSA keys of at least 1024 bits for all keys.
+Signers SHOULD use RSA keys of at least 2048 bits.
+.endd
+
+.new
+EC keys for DKIM are defined by RFC 8463.
+.wen
+They are considerably smaller than RSA keys for equivalent protection.
+As they are a recent development, users should consider dual-signing
+(by setting a list of selectors, and an expansion for this option)
+for some transition period.
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
+
+OpenSSL 1.1.1 and GnuTLS 3.6.0 can create Ed25519 private keys:
+.code
+openssl genpkey -algorithm ed25519 -out dkim_ed25519.private
+certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
+.endd
+
+To produce the required public key value for a DNS record:
+.code
+openssl pkey -outform DER -pubout -in dkim_ed25519.private | tail -c +13 | base64
+certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64
+.endd
+
+.new
+Exim also supports an alternate format
+of Ed25519 keys in DNS which was a candidate during development
+of the standard, but not adopted.
+A future release will probably drop that support.
+.wen
+
+.option dkim_hash smtp string&!! sha256
+Can be set to any one of the supported hash methods, which are:
+.ilist
+&`sha1`& &-- should not be used, is old and insecure
+.next
+&`sha256`& &-- the default
+.next
+&`sha512`& &-- possibly more secure but less well supported
+.endlist
+
+Note that RFC 8301 says:
+.code
+rsa-sha1 MUST NOT be used for signing or verifying.
+.endd
+
+.option dkim_identity smtp string&!! unset
+If set after expansion, the value is used to set an "i=" tag in
+the signing header. The DKIM standards restrict the permissible
+syntax of this optional tag to a mail address, with possibly-empty
+local part, an @, and a domain identical to or subdomain of the "d="
+tag value. Note that Exim does not check the value.
+
.option dkim_canon smtp string&!! unset
-OPTIONAL:
This option sets the canonicalization method used when signing a message.
The DKIM RFC currently supports two methods: "simple" and "relaxed".
The option defaults to "relaxed" when unset. Note: the current implementation
-only supports using the same canonicalization method for both headers and body.
+only supports signing with the same canonicalization method for both headers and body.
.option dkim_strict smtp string&!! unset
-OPTIONAL:
This option defines how Exim behaves when signing a message that
should be signed fails for some reason. When the expansion evaluates to
either "1" or "true", Exim will defer. Otherwise Exim will send the message
unsigned. You can use the &%$dkim_domain%& and &%$dkim_selector%& expansion
variables here.
-.option dkim_sign_headers smtp string&!! unset
-OPTIONAL:
-When set, this option must expand to (or be specified as) a colon-separated
-list of header names. Headers with these names will be included in the message
-signature. When unspecified, the header names recommended in RFC4871 will be
-used.
+.option dkim_sign_headers smtp string&!! "see below"
+If set, this option must expand to a colon-separated
+list of header names.
+Headers with these names, or the absence or such a header, will be included
+in the message signature.
+When unspecified, the header names listed in RFC4871 will be used,
+whether or not each header is present in the message.
+The default list is available for the expansion in the macro
+"_DKIM_SIGN_HEADERS".
+
+If a name is repeated, multiple headers by that name (or the absence thereof)
+will be signed. The textually later headers in the headers part of the
+message are signed first, if there are multiples.
+
+A name can be prefixed with either an '=' or a '+' character.
+If an '=' prefix is used, all headers that are present with this name
+will be signed.
+If a '+' prefix if used, all headers that are present with this name
+will be signed, and one signature added for a missing header with the
+name will be appended.
+
+.new
+.option dkim_timestamps smtp integer&!! unset
+This option controls the inclusion of timestamp information in the signature.
+If not set, no such information will be included.
+Otherwise, must be an unsigned number giving an offset in seconds from the current time
+for the expiry tag
+(eg. 1209600 for two weeks);
+both creation (t=) and expiry (x=) tags will be included.
+
+RFC 6376 lists these tags as RECOMMENDED.
+.wen
-.section "Verifying DKIM signatures in incoming mail" "SECID514"
+.section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"
.cindex "DKIM" "verification"
-Verification of DKIM signatures in incoming email is implemented via the
-&%acl_smtp_dkim%& ACL. By default, this ACL is called once for each
+.new
+Verification of DKIM signatures in SMTP incoming email is done for all
+messages for which an ACL control &%dkim_disable_verify%& has not been set.
+.cindex authentication "expansion item"
+Performing verification sets up information used by the
+&$authresults$& expansion item.
+.wen
+
+.new The results of that verification are then made available to the
+&%acl_smtp_dkim%& ACL, &new(which can examine and modify them).
+By default, this ACL is called once for each
syntactically(!) correct signature in the incoming message.
+A missing ACL definition defaults to accept.
+If any ACL call does not accept, the message is not accepted.
+If a cutthrough delivery was in progress for the message, that is
+summarily dropped (having wasted the transmission effort).
-To evaluate the signature in the ACL a large number of expansion variables
+To evaluate the &new(verification result) in the ACL
+a large number of expansion variables
containing the signature status and its details are set up during the
runtime of the ACL.
If a domain or identity is listed several times in the (expanded) value of
&%dkim_verify_signers%&, the ACL is only called once for that domain or identity.
+If multiple signatures match a domain (or identity), the ACL is called once
+for each matching signature.
+
Inside the &%acl_smtp_dkim%&, the following expansion variables are
available (from most to least important):
The signer that is being evaluated in this ACL run. This can be a domain or
an identity. This is one of the list items from the expanded main option
&%dkim_verify_signers%& (see above).
+
.vitem &%$dkim_verify_status%&
-A string describing the general status of the signature. One of
+Within the DKIM ACL,
+a string describing the general status of the signature. One of
.ilist
&%none%&: There is no signature in the message for the current domain or
identity (as reflected by &%$dkim_cur_signer%&).
.next
&%pass%&: The signature passed verification. It is valid.
.endlist
+
+This variable can be overwritten using an ACL 'set' modifier.
+This might, for instance, be done to enforce a policy restriction on
+hash-method or key-size:
+.code
+ warn condition = ${if eq {$dkim_verify_status}{pass}}
+ condition = ${if eq {${length_3:$dkim_algo}}{rsa}}
+ condition = ${if or {{eq {$dkim_algo}{rsa-sha1}} \
+ {< {$dkim_key_length}{1024}}}}
+ logwrite = NOTE: forcing DKIM verify fail (was pass)
+ set dkim_verify_status = fail
+ set dkim_verify_reason = hash too weak or key too short
+.endd
+
+So long as a DKIM ACL is defined (it need do no more than accept),
+after all the DKIM ACL runs have completed, the value becomes a
+colon-separated list of the values after each run.
+This is maintained for the mime, prdr and data ACLs.
+
.vitem &%$dkim_verify_reason%&
-A string giving a litte bit more detail when &%$dkim_verify_status%& is either
+A string giving a little bit more detail when &%$dkim_verify_status%& is either
"fail" or "invalid". One of
.ilist
&%pubkey_unavailable%& (when &%$dkim_verify_status%&="invalid"): The public
re-written or otherwise changed in a way which is incompatible with
DKIM verification. It may of course also mean that the signature is forged.
.endlist
+
+This variable can be overwritten, with any value, using an ACL 'set' modifier.
+
.vitem &%$dkim_domain%&
The signing domain. IMPORTANT: This variable is only populated if there is
an actual signature in the message for the current domain or identity (as
reflected by &%$dkim_cur_signer%&).
+
.vitem &%$dkim_identity%&
The signing identity, if present. IMPORTANT: This variable is only populated
if there is an actual signature in the message for the current domain or
identity (as reflected by &%$dkim_cur_signer%&).
+
.vitem &%$dkim_selector%&
The key record selector string.
+
.vitem &%$dkim_algo%&
The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
+If running under GnuTLS 3.6.0 or OpenSSL 1.1.1 or later,
+may also be 'ed25519-sha256'.
+The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present
+for EC keys.
+
+Note that RFC 8301 says:
+.code
+rsa-sha1 MUST NOT be used for signing or verifying.
+
+DKIM signatures identified as having been signed with historic
+algorithms (currently, rsa-sha1) have permanently failed evaluation
+.endd
+
+To enforce this you must have a DKIM ACL which checks this variable
+and overwrites the &$dkim_verify_status$& variable as discussed above.
+
.vitem &%$dkim_canon_body%&
The body canonicalization method. One of 'relaxed' or 'simple'.
-.vitem &%dkim_canon_headers%&
+
+.vitem &%$dkim_canon_headers%&
The header canonicalization method. One of 'relaxed' or 'simple'.
+
.vitem &%$dkim_copiedheaders%&
A transcript of headers and their values which are included in the signature
(copied from the 'z=' tag of the signature).
+Note that RFC6376 requires that verification fail if the From: header is
+not included in the signature. Exim does not enforce this; sites wishing
+strict enforcement should code the check explicitly.
+
.vitem &%$dkim_bodylength%&
The number of signed body bytes. If zero ("0"), the body is unsigned. If no
limit was set by the signer, "9999999999999" is returned. This makes sure
that this variable always expands to an integer value.
+.new
+&*Note:*& The presence of the signature tag specifying a signing body length
+is one possible route to spoofing of valid DKIM signatures.
+A paranoid implementation might wish to regard signature where this variable
+shows less than the "no limit" return as being invalid.
+.wen
+
.vitem &%$dkim_created%&
UNIX timestamp reflecting the date and time when the signature was created.
When this was not specified by the signer, "0" is returned.
+
.vitem &%$dkim_expires%&
UNIX timestamp reflecting the date and time when the signer wants the
signature to be treated as "expired". When this was not specified by the
signer, "9999999999999" is returned. This makes it possible to do useful
integer size comparisons against this value.
+Note that Exim does not check this value.
+
.vitem &%$dkim_headernames%&
A colon-separated list of names of headers included in the signature.
+
.vitem &%$dkim_key_testing%&
"1" if the key record has the "testing" flag set, "0" if not.
-.vitem &%$nosubdomains%&
+
+.vitem &%$dkim_key_nosubdomains%&
"1" if the key record forbids subdomaining, "0" otherwise.
+
.vitem &%$dkim_key_srvtype%&
Service type (tag s=) from the key record. Defaults to "*" if not specified
in the key record.
+
.vitem &%$dkim_key_granularity%&
Key granularity (tag g=) from the key record. Defaults to "*" if not specified
in the key record.
+
.vitem &%$dkim_key_notes%&
Notes from the key record (tag n=).
+
+.vitem &%$dkim_key_length%&
+Number of bits in the key.
+
+Note that RFC 8301 says:
+.code
+Verifiers MUST NOT consider signatures using RSA keys of
+less than 1024 bits as valid signatures.
+.endd
+
+To enforce this you must have a DKIM ACL which checks this variable
+and overwrites the &$dkim_verify_status$& variable as discussed above.
+As EC keys are much smaller, the check should only do this for RSA keys.
+
.endlist
In addition, two ACL conditions are provided:
verb to a group of domains or identities. For example:
.code
-# Warn when Mail purportedly from GMail has no signature at all
-warn log_message = GMail sender without DKIM signature
+# Warn when Mail purportedly from GMail has no gmail signature
+warn log_message = GMail sender without gmail.com DKIM signature
sender_domains = gmail.com
dkim_signers = gmail.com
dkim_status = none
.endd
+Note that the above does not check for a total lack of DKIM signing;
+for that check for empty &$h_DKIM-Signature:$& in the data ACL.
+
.vitem &%dkim_status%&
ACL condition that checks a colon-separated list of possible DKIM verification
-results agains the actual result of verification. This is typically used
+results against the actual result of verification. This is typically used
to restrict an ACL verb to a list of verification outcomes, for example:
.code
for more information of what they mean.
.endlist
+
+
+
+.section "SPF (Sender Policy Framework)" SECSPF
+.cindex SPF verification
+
+SPF is a mechanism whereby a domain may assert which IP addresses may transmit
+messages with its domain in the envelope from, documented by RFC 7208.
+For more information on SPF see &url(http://www.openspf.org).
+. --- 2018-09-07: still not https
+
+Messages sent by a system not authorised will fail checking of such assertions.
+This includes retransmissions done by traditional forwarders.
+
+SPF verification support is built into Exim if SUPPORT_SPF=yes is set in
+&_Local/Makefile_&. The support uses the &_libspf2_& library
+&url(https://www.libspf2.org/).
+There is no Exim involvement in the transmission of messages;
+publishing certain DNS records is all that is required.
+
+For verification, an ACL condition and an expansion lookup are provided.
+.cindex authentication "expansion item"
+Performing verification sets up information used by the
+&$authresults$& expansion item.
+
+
+.cindex SPF "ACL condition"
+.cindex ACL "spf condition"
+The ACL condition "spf" can be used at or after the MAIL ACL.
+It takes as an argument a list of strings giving the outcome of the SPF check,
+and will succeed for any matching outcome.
+Valid strings are:
+.vlist
+.vitem &%pass%&
+The SPF check passed, the sending host is positively verified by SPF.
+
+.vitem &%fail%&
+The SPF check failed, the sending host is NOT allowed to send mail for the
+domain in the envelope-from address.
+
+.vitem &%softfail%&
+The SPF check failed, but the queried domain can't absolutely confirm that this
+is a forgery.
+
+.vitem &%none%&
+The queried domain does not publish SPF records.
+
+.vitem &%neutral%&
+The SPF check returned a "neutral" state. This means the queried domain has
+published a SPF record, but wants to allow outside servers to send mail under
+its domain as well. This should be treated like "none".
+
+.vitem &%permerror%&
+This indicates a syntax error in the SPF record of the queried domain.
+You may deny messages when this occurs.
+
+.vitem &%temperror%&
+This indicates a temporary error during all processing, including Exim's
+SPF processing. You may defer messages when this occurs.
+.endlist
+
+You can prefix each string with an exclamation mark to invert
+its meaning, for example "!fail" will match all results but
+"fail". The string list is evaluated left-to-right, in a
+short-circuit fashion.
+
+Example:
+.code
+deny spf = fail
+ message = $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain \
+ {$sender_address_domain}{$sender_helo_name}}. \
+ Please see http://www.openspf.org/Why?scope=\
+ ${if def:sender_address_domain {mfrom}{helo}};\
+ identity=${if def:sender_address_domain \
+ {$sender_address}{$sender_helo_name}};\
+ ip=$sender_host_address
+.endd
+
+When the spf condition has run, it sets up several expansion
+variables:
+
+.cindex SPF "verification variables"
+.vlist
+.vitem &$spf_header_comment$&
+.vindex &$spf_header_comment$&
+ This contains a human-readable string describing the outcome
+ of the SPF check. You can add it to a custom header or use
+ it for logging purposes.
+
+.vitem &$spf_received$&
+.vindex &$spf_received$&
+ This contains a complete Received-SPF: header that can be
+ added to the message. Please note that according to the SPF
+ draft, this header must be added at the top of the header
+ list. Please see section 10 on how you can do this.
+
+ Note: in case of "Best-guess" (see below), the convention is
+ to put this string in a header called X-SPF-Guess: instead.
+
+.vitem &$spf_result$&
+.vindex &$spf_result$&
+ This contains the outcome of the SPF check in string form,
+ one of pass, fail, softfail, none, neutral, permerror or
+ temperror.
+
+.vitem &$spf_result_guessed$&
+.vindex &$spf_result_guessed$&
+ This boolean is true only if a best-guess operation was used
+ and required in order to obtain a result.
+
+.vitem &$spf_smtp_comment$&
+.vindex &$spf_smtp_comment$&
+ This contains a string that can be used in a SMTP response
+ to the calling party. Useful for "fail".
+.endlist
+
+
+.cindex SPF "ACL condition"
+.cindex ACL "spf_guess condition"
+.cindex SPF "best guess"
+In addition to SPF, you can also perform checks for so-called
+"Best-guess". Strictly speaking, "Best-guess" is not standard
+SPF, but it is supported by the same framework that enables SPF
+capability.
+Refer to &url(http://www.openspf.org/FAQ/Best_guess_record)
+for a description of what it means.
+. --- 2018-09-07: still not https:
+
+To access this feature, simply use the spf_guess condition in place
+of the spf one. For example:
+
+.code
+deny spf_guess = fail
+ message = $sender_host_address doesn't look trustworthy to me
+.endd
+
+In case you decide to reject messages based on this check, you
+should note that although it uses the same framework, "Best-guess"
+is not SPF, and therefore you should not mention SPF at all in your
+reject message.
+
+When the spf_guess condition has run, it sets up the same expansion
+variables as when spf condition is run, described above.
+
+Additionally, since Best-guess is not standardized, you may redefine
+what "Best-guess" means to you by redefining the main configuration
+&%spf_guess%& option.
+For example, the following:
+
+.code
+spf_guess = v=spf1 a/16 mx/16 ptr ?all
+.endd
+
+would relax host matching rules to a broader network range.
+
+
+.cindex SPF "lookup expansion"
+.cindex lookup spf
+A lookup expansion is also available. It takes an email
+address as the key and an IP address as the database:
+
+.code
+ ${lookup {username@domain} spf {ip.ip.ip.ip}}
+.endd
+
+The lookup will return the same result strings as can appear in
+&$spf_result$& (pass,fail,softfail,neutral,none,err_perm,err_temp).
+Currently, only IPv4 addresses are supported.
+
+
+
+
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+
+.chapter "Proxies" "CHAPproxies" &&&
+ "Proxy support"
+.cindex "proxy support"
+.cindex "proxy" "access via"
+
+A proxy is an intermediate system through which communication is passed.
+Proxies may provide a security, availability or load-distribution function.
+
+
+.section "Inbound proxies" SECTproxyInbound
+.cindex proxy inbound
+.cindex proxy "server side"
+.cindex proxy "Proxy protocol"
+.cindex "Proxy protocol" proxy
+
+Exim has support for receiving inbound SMTP connections via a proxy
+that uses &"Proxy Protocol"& to speak to it.
+To include this support, include &"SUPPORT_PROXY=yes"&
+in Local/Makefile.
+
+It was built on the HAProxy specification, found at
+&url(https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
+
+The purpose of this facility is so that an application load balancer,
+such as HAProxy, can sit in front of several Exim servers
+to distribute load.
+Exim uses the local protocol communication with the proxy to obtain
+the remote SMTP system IP address and port information.
+There is no logging if a host passes or
+fails Proxy Protocol negotiation, but it can easily be determined and
+recorded in an ACL (example is below).
+
+Use of a proxy is enabled by setting the &%hosts_proxy%&
+main configuration option to a hostlist; connections from these
+hosts will use Proxy Protocol.
+Exim supports both version 1 and version 2 of the Proxy Protocol and
+automatically determines which version is in use.
+
+The Proxy Protocol header is the first data received on a TCP connection
+and is inserted before any TLS-on-connect handshake from the client; Exim
+negotiates TLS between Exim-as-server and the remote client, not between
+Exim and the proxy server.
+
+The following expansion variables are usable
+(&"internal"& and &"external"& here refer to the interfaces
+of the proxy):
+.display
+&'proxy_external_address '& IP of host being proxied or IP of remote interface of proxy
+&'proxy_external_port '& Port of host being proxied or Port on remote interface of proxy
+&'proxy_local_address '& IP of proxy server inbound or IP of local interface of proxy
+&'proxy_local_port '& Port of proxy server inbound or Port on local interface of proxy
+&'proxy_session '& boolean: SMTP connection via proxy
+.endd
+If &$proxy_session$& is set but &$proxy_external_address$& is empty
+there was a protocol error.
+
+Since the real connections are all coming from the proxy, and the
+per host connection tracking is done before Proxy Protocol is
+evaluated, &%smtp_accept_max_per_host%& must be set high enough to
+handle all of the parallel volume you expect per inbound proxy.
+With the option set so high, you lose the ability
+to protect your server from many connections from one IP.
+In order to prevent your server from overload, you
+need to add a per connection ratelimit to your connect ACL.
+A possible solution is:
+.display
+ # Set max number of connections per host
+ LIMIT = 5
+ # Or do some kind of IP lookup in a flat file or database
+ # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}}
+
+ defer message = Too many connections from this IP right now
+ ratelimit = LIMIT / 5s / per_conn / strict
+.endd
+
+
+
+.section "Outbound proxies" SECTproxySOCKS
+.cindex proxy outbound
+.cindex proxy "client side"
+.cindex proxy SOCKS
+.cindex SOCKS proxy
+Exim has support for sending outbound SMTP via a proxy
+using a protocol called SOCKS5 (defined by RFC1928).
+The support can be optionally included by defining SUPPORT_SOCKS=yes in
+Local/Makefile.
+
+Use of a proxy is enabled by setting the &%socks_proxy%& option
+on an smtp transport.
+The option value is expanded and should then be a list
+(colon-separated by default) of proxy specifiers.
+Each proxy specifier is a list
+(space-separated by default) where the initial element
+is an IP address and any subsequent elements are options.
+
+Options are a string <name>=<value>.
+The list of options is in the following table:
+.display
+&'auth '& authentication method
+&'name '& authentication username
+&'pass '& authentication password
+&'port '& tcp port
+&'tmo '& connection timeout
+&'pri '& priority
+&'weight '& selection bias
+.endd
+
+More details on each of these options follows:
+
+.ilist
+.cindex authentication "to proxy"
+.cindex proxy authentication
+&%auth%&: Either &"none"& (default) or &"name"&.
+Using &"name"& selects username/password authentication per RFC 1929
+for access to the proxy.
+Default is &"none"&.
+.next
+&%name%&: sets the username for the &"name"& authentication method.
+Default is empty.
+.next
+&%pass%&: sets the password for the &"name"& authentication method.
+Default is empty.
+.next
+&%port%&: the TCP port number to use for the connection to the proxy.
+Default is 1080.
+.next
+&%tmo%&: sets a connection timeout in seconds for this proxy.
+Default is 5.
+.next
+&%pri%&: specifies a priority for the proxy within the list,
+higher values being tried first.
+The default priority is 1.
+.next
+&%weight%&: specifies a selection bias.
+Within a priority set servers are queried in a random fashion,
+weighted by this value.
+The default value for selection bias is 1.
+.endlist
+
+Proxies from the list are tried according to their priority
+and weight settings until one responds. The timeout for the
+overall connection applies to the set of proxied attempts.
+
+.section Logging SECTproxyLog
+To log the (local) IP of a proxy in the incoming or delivery logline,
+add &"+proxy"& to the &%log_selector%& option.
+This will add a component tagged with &"PRX="& to the line.
+
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+
+.chapter "Internationalisation" "CHAPi18n" &&&
+ "Internationalisation""
+.cindex internationalisation "email address"
+.cindex EAI
+.cindex i18n
+.cindex utf8 "mail name handling"
+
+Exim has support for Internationalised mail names.
+To include this it must be built with SUPPORT_I18N and the libidn library.
+Standards supported are RFCs 2060, 5890, 6530 and 6533.
+
+If Exim is built with SUPPORT_I18N_2008 (in addition to SUPPORT_I18N, not
+instead of it) then IDNA2008 is supported; this adds an extra library
+requirement, upon libidn2.
+
+.section "MTA operations" SECTi18nMTA
+.cindex SMTPUTF8 "ESMTP option"
+The main configuration option &%smtputf8_advertise_hosts%& specifies
+a host list. If this matches the sending host and
+accept_8bitmime is true (the default) then the ESMTP option
+SMTPUTF8 will be advertised.
+
+If the sender specifies the SMTPUTF8 option on a MAIL command
+international handling for the message is enabled and
+the expansion variable &$message_smtputf8$& will have value TRUE.
+
+The option &%allow_utf8_domains%& is set to true for this
+message. All DNS lookups are converted to a-label form
+whatever the setting of &%allow_utf8_domains%&
+when Exim is built with SUPPORT_I18N.
+
+Both localparts and domain are maintained as the original
+UTF-8 form internally; any comparison or regular-expression use will
+require appropriate care. Filenames created, eg. by
+the appendfile transport, will have UTF-8 names.
+
+HELO names sent by the smtp transport will have any UTF-8
+components expanded to a-label form,
+and any certificate name checks will be done using the a-label
+form of the name.
+
+.cindex log protocol
+.cindex SMTPUTF8 logging
+.cindex i18n logging
+Log lines and Received-by: header lines will acquire a "utf8"
+prefix on the protocol element, eg. utf8esmtp.
+
+The following expansion operators can be used:
+.code
+${utf8_domain_to_alabel:str}
+${utf8_domain_from_alabel:str}
+${utf8_localpart_to_alabel:str}
+${utf8_localpart_from_alabel:str}
+.endd
+
+.cindex utf8 "address downconversion"
+.cindex i18n "utf8 address downconversion"
+The RCPT ACL
+may use the following modifier:
+.display
+control = utf8_downconvert
+control = utf8_downconvert/<value>
+.endd
+This sets a flag requiring that addresses are converted to
+a-label form before smtp delivery, for use in a
+Message Submission Agent context.
+If a value is appended it may be:
+.display
+&`1 `& (default) mandatory downconversion
+&`0 `& no downconversion
+&`-1 `& if SMTPUTF8 not supported by destination host
+.endd
+
+If mua_wrapper is set, the utf8_downconvert control
+is initially set to -1.
+
+.new
+The smtp transport has an option &%utf8_downconvert%&.
+If set it must expand to one of the three values described above,
+and it overrides any previously set value.
+.wen
+
+
+There is no explicit support for VRFY and EXPN.
+Configurations supporting these should inspect
+&$smtp_command_argument$& for an SMTPUTF8 argument.
+
+There is no support for LMTP on Unix sockets.
+Using the "lmtp" protocol option on an smtp transport,
+for LMTP over TCP, should work as expected.
+
+There is no support for DSN unitext handling,
+and no provision for converting logging from or to UTF-8.
+
+
+
+.section "MDA operations" SECTi18nMDA
+To aid in constructing names suitable for IMAP folders
+the following expansion operator can be used:
+.code
+${imapfolder {<string>} {<sep>} {<specials>}}
+.endd
+
+The string is converted from the charset specified by
+the "headers charset" command (in a filter file)
+or &%headers_charset%& main configuration option (otherwise),
+to the
+modified UTF-7 encoding specified by RFC 2060,
+with the following exception: All occurrences of <sep>
+(which has to be a single character)
+are replaced with periods ("."), and all periods and slashes that are not
+<sep> and are not in the <specials> string are BASE64 encoded.
+
+The third argument can be omitted, defaulting to an empty string.
+The second argument can be omitted, defaulting to "/".
+
+This is the encoding used by Courier for Maildir names on disk, and followed
+by many other IMAP servers.
+
+Examples:
+.display
+&`${imapfolder {Foo/Bar}} `& yields &`Foo.Bar`&
+&`${imapfolder {Foo/Bar}{.}{/}} `& yields &`Foo&&AC8-Bar`&
+&`${imapfolder {Räksmörgås}} `& yields &`R&&AOQ-ksm&&APY-rg&&AOU-s`&
+.endd
+
+Note that the source charset setting is vital, and also that characters
+must be representable in UTF-16.
+
+
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+
+.chapter "Events" "CHAPevents" &&&
+ "Events"
+.cindex events
+
+The events mechanism in Exim can be used to intercept processing at a number
+of points. It was originally invented to give a way to do customised logging
+actions (for example, to a database) but can also be used to modify some
+processing actions.
+
+Most installations will never need to use Events.
+The support can be left out of a build by defining DISABLE_EVENT=yes
+in &_Local/Makefile_&.
+
+There are two major classes of events: main and transport.
+The main configuration option &%event_action%& controls reception events;
+a transport option &%event_action%& controls delivery events.
+
+Both options are a string which is expanded when the event fires.
+An example might look like:
+.cindex logging custom
+.code
+event_action = ${if eq {msg:delivery}{$event_name} \
+{${lookup pgsql {SELECT * FROM record_Delivery( \
+ '${quote_pgsql:$sender_address_domain}',\
+ '${quote_pgsql:${lc:$sender_address_local_part}}', \
+ '${quote_pgsql:$domain}', \
+ '${quote_pgsql:${lc:$local_part}}', \
+ '${quote_pgsql:$host_address}', \
+ '${quote_pgsql:${lc:$host}}', \
+ '${quote_pgsql:$message_exim_id}')}} \
+} {}}
+.endd
+
+Events have names which correspond to the point in process at which they fire.
+The name is placed in the variable &$event_name$& and the event action
+expansion must check this, as it will be called for every possible event type.
+
+The current list of events is:
+.display
+&`dane:fail after transport `& per connection
+&`msg:complete after main `& per message
+&`msg:delivery after transport `& per recipient
+&`msg:rcpt:host:defer after transport `& per recipient per host
+&`msg:rcpt:defer after transport `& per recipient
+&`msg:host:defer after transport `& per attempt
+&`msg:fail:delivery after transport `& per recipient
+&`msg:fail:internal after main `& per recipient
+&`tcp:connect before transport `& per connection
+&`tcp:close after transport `& per connection
+&`tls:cert before both `& per certificate in verification chain
+&`smtp:connect after transport `& per connection
+.endd
+New event types may be added in future.
+
+The event name is a colon-separated list, defining the type of
+event in a tree of possibilities. It may be used as a list
+or just matched on as a whole. There will be no spaces in the name.
+
+The second column in the table above describes whether the event fires
+before or after the action is associates with. Those which fire before
+can be used to affect that action (more on this below).
+
+The third column in the table above says what section of the configuration
+should define the event action.
+
+An additional variable, &$event_data$&, is filled with information varying
+with the event type:
+.display
+&`dane:fail `& failure reason
+&`msg:delivery `& smtp confirmation message
+&`msg:fail:internal `& failure reason
+&`msg:fail:delivery `& smtp error message
+&`msg:rcpt:host:defer `& error string
+&`msg:rcpt:defer `& error string
+&`msg:host:defer `& error string
+&`tls:cert `& verification chain depth
+&`smtp:connect `& smtp banner
+.endd
+
+The :defer events populate one extra variable: &$event_defer_errno$&.
+
+For complex operations an ACL expansion can be used in &%event_action%&
+however due to the multiple contexts that Exim operates in during
+the course of its processing:
+.ilist
+variables set in transport events will not be visible outside that
+transport call
+.next
+acl_m variables in a server context are lost on a new connection,
+and after smtp helo/ehlo/mail/starttls/rset commands
+.endlist
+Using an ACL expansion with the logwrite modifier can be
+a useful way of writing to the main log.
+
+The expansion of the event_action option should normally
+return an empty string. Should it return anything else the
+following will be forced:
+.display
+&`tcp:connect `& do not connect
+&`tls:cert `& refuse verification
+&`smtp:connect `& close connection
+.endd
+All other message types ignore the result string, and
+no other use is made of it.
+
+For a tcp:connect event, if the connection is being made to a proxy
+then the address and port variables will be that of the proxy and not
+the target system.
+
+For tls:cert events, if GnuTLS is in use this will trigger only per
+chain element received on the connection.
+For OpenSSL it will trigger for every chain element including those
+loaded locally.
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
Edit &_src/drtables.c_&, adding conditional code to pull in the private header
and create a table entry as is done for all the other drivers and lookup types.
.next
+Edit &_scripts/lookups-Makefile_& if this is a new lookup; there is a for-loop
+near the bottom, ranging the &`name_mod`& variable over a list of all lookups.
+Add your &`NEWDRIVER`& to that list.
+As long as the dynamic module would be named &_newdriver.so_&, you can use the
+simple form that most lookups have.
+.next
Edit &_Makefile_& in the appropriate sub-directory (&_src/routers_&,
&_src/transports_&, &_src/auths_&, or &_src/lookups_&); add a line for the new
driver or lookup type and add it to the definition of OBJ.
.next
+Edit &_OS/Makefile-Base_& adding a &_.o_& file for the predefined-macros, to the
+definition of OBJ_MACRO. Add a set of line to do the compile also.
+.next
Create &_newdriver.h_& and &_newdriver.c_& in the appropriate sub-directory of
&_src_&.
.next