. Update the Copyright year (only) when changing content.
. /////////////////////////////////////////////////////////////////////////////
-.set previousversion "4.95"
+.set previousversion "4.96"
.include ./local_params
.set ACL "access control lists (ACLs)"
. /////////////////////////////////////////////////////////////////////////////
-. This chunk of literal XML implements index entries of the form "x, see y" and
-. "x, see also y". However, the DocBook DTD doesn't allow <indexterm> entries
+. These implement index entries of the form "x, see y" and "x, see also y".
+. However, the DocBook DTD doesn't allow <indexterm> entries
. at the top level, so we have to put the .chapter directive first.
-
-. These do not turn up in the HTML output, unfortunately. The PDF does get them.
. /////////////////////////////////////////////////////////////////////////////
.chapter "Introduction" "CHID1"
-.literal xml
-<indexterm role="variable">
- <primary>$1, $2, etc.</primary>
- <see><emphasis>numerical variables</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>address</primary>
- <secondary>rewriting</secondary>
- <see><emphasis>rewriting</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>Bounce Address Tag Validation</primary>
- <see><emphasis>BATV</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>Client SMTP Authorization</primary>
- <see><emphasis>CSA</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>CR character</primary>
- <see><emphasis>carriage return</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>CRL</primary>
- <see><emphasis>certificate revocation list</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>delivery</primary>
- <secondary>failure report</secondary>
- <see><emphasis>bounce message</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>dialup</primary>
- <see><emphasis>intermittently connected hosts</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>exiscan</primary>
- <see><emphasis>content scanning</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>failover</primary>
- <see><emphasis>fallback</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>fallover</primary>
- <see><emphasis>fallback</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>filter</primary>
- <secondary>Sieve</secondary>
- <see><emphasis>Sieve filter</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>ident</primary>
- <see><emphasis>RFC 1413</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>LF character</primary>
- <see><emphasis>linefeed</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>maximum</primary>
- <seealso><emphasis>limit</emphasis></seealso>
-</indexterm>
-<indexterm role="concept">
- <primary>monitor</primary>
- <see><emphasis>Exim monitor</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>no_<emphasis>xxx</emphasis></primary>
- <see>entry for xxx</see>
-</indexterm>
-<indexterm role="concept">
- <primary>NUL</primary>
- <see><emphasis>binary zero</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>passwd file</primary>
- <see><emphasis>/etc/passwd</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>process id</primary>
- <see><emphasis>pid</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>RBL</primary>
- <see><emphasis>DNS list</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>redirection</primary>
- <see><emphasis>address redirection</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>return path</primary>
- <seealso><emphasis>envelope sender</emphasis></seealso>
-</indexterm>
-<indexterm role="concept">
- <primary>scanning</primary>
- <see><emphasis>content scanning</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>SSL</primary>
- <see><emphasis>TLS</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>string</primary>
- <secondary>expansion</secondary>
- <see><emphasis>expansion</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>top bit</primary>
- <see><emphasis>8-bit characters</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>variables</primary>
- <see><emphasis>expansion, variables</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>zero, binary</primary>
- <see><emphasis>binary zero</emphasis></see>
-</indexterm>
-<indexterm role="concept">
- <primary>headers</primary>
- <see><emphasis>header lines</emphasis></see>
+.macro seeother
+.literal xml
+<indexterm role="$2">
+ <primary>$3</primary>
+.arg 5
+ <secondary>$5</secondary>
+.endarg
+ <$1><emphasis>$4</emphasis></$1>
</indexterm>
-
.literal off
+.endmacro
+
+. NB: for the 4-arg variant the ordering is awkward
+.macro see
+.seeother see "$1" "$2" "$3" "$4"
+.endmacro
+.macro seealso
+.seeother seealso "$1" "$2" "$3" "$4"
+.endmacro
+
+.see variable "<emphasis>$1</emphasis>, <emphasis>$2</emphasis>, etc." "numerical variables"
+.see concept address rewriting rewriting
+.see concept "Bounce Address Tag Validation" BATV
+.see concept "Client SMTP Authorization" CSA
+.see concept "CR character" "carriage return"
+.see concept CRL "certificate revocation list"
+.seealso concept de-tainting "tainted data"
+.see concept delivery "bounce message" "failure report"
+.see concept dialup "intermittently connected hosts"
+.see concept exiscan "content scanning"
+.see concept fallover fallback
+.see concept filter "Sieve filter" Sieve
+.see concept headers "header lines"
+.see concept ident "RFC 1413"
+.see concept "LF character" "linefeed"
+.seealso concept maximum limit
+.see concept monitor "Exim monitor"
+.see concept "no_<emphasis>xxx</emphasis>" "entry for xxx"
+.see concept NUL "binary zero"
+.see concept "passwd file" "/etc/passwd"
+.see concept "process id" pid
+.see concept RBL "DNS list"
+.see concept redirection "address redirection"
+.see concept "return path" "envelope sender"
+.see concept scanning "content scanning"
+.see concept SSL TLS
+.see concept string expansion expansion
+.see concept "top bit" "8-bit characters"
+.see concept variables "expansion, variables"
+.see concept "zero, binary" "binary zero"
. /////////////////////////////////////////////////////////////////////////////
If the &%domains%& option is set, the domain of the address must be in the set
of domains that it defines.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using router domains option"
A match verifies the variable &$domain$& (which carries tainted data)
and assigns an untainted value to the &$domain_data$& variable.
Such an untainted value is often needed in the transport.
To complicate things further, there are several very different versions of the
Berkeley DB package. Version 1.85 was stable for a very long time, releases
2.&'x'& and 3.&'x'& were current for a while,
-.new
but the latest versions when Exim last revamped support were numbered 5.&'x'&.
Maintenance of some of the earlier releases has ceased,
and Exim no longer supports versions before 3.&'x'&.
-.wen
All versions of Berkeley DB could be obtained from
&url(http://www.sleepycat.com/), which is now a redirect to their new owner's
page with far newer versions listed.
.endd
Similarly, for gdbm you set USE_GDBM, and for tdb you set USE_TDB. An
error is diagnosed if you set more than one of these.
-.new
You can set USE_NDBM if needed to override an operating system default.
-.wen
At the lowest level, the build-time configuration sets none of these options,
thereby assuming an interface of type (1). However, some operating system
DBMLIB = -ltdb
DBMLIB = -lgdbm -lgdbm_compat
.endd
-.new
The last of those was for a Linux having GDBM provide emulated NDBM facilities.
-.wen
Settings like that will work if the DBM library is installed in the standard
place. Sometimes it is not, and the library's header file may also not be in
the default path. You may need to set INCLUDE to specify where the header
Because macros in the config file are often used for secrets, those are only
available to admin users.
+.new
+The word &"set"& at the start of a line, followed by a single space,
+is recognised specially as defining a value for a variable.
+The syntax is otherwise the same as the ACL modifier &"set ="&.
+.wen
+
.vitem &%-bem%&&~<&'filename'&>
.oindex "&%-bem%&"
.cindex "testing" "string expansion"
debugging, whereas &%-d-all+filter%& selects only filter debugging. Note that
no spaces are allowed in the debug setting. The available debugging categories
are:
-.display
-&`acl `& ACL interpretation
-&`auth `& authenticators
-&`deliver `& general delivery logic
-&`dns `& DNS lookups (see also resolver)
-&`dnsbl `& DNS black list (aka RBL) code
-&`exec `& arguments for &[execv()]& calls
-&`expand `& detailed debugging for string expansions
-&`filter `& filter handling
-&`hints_lookup `& hints data lookups
-&`host_lookup `& all types of name-to-IP address handling
-&`ident `& ident lookup
-&`interface `& lists of local interfaces
-&`lists `& matching things in lists
-&`load `& system load checks
-&`local_scan `& can be used by &[local_scan()]& (see chapter &&&
- &<<CHAPlocalscan>>&)
-&`lookup `& general lookup code and all lookups
-&`memory `& memory handling
-&`noutf8 `& modifier: avoid UTF-8 line-drawing
-&`pid `& modifier: add pid to debug output lines
-&`process_info `& setting info for the process log
-&`queue_run `& queue runs
-&`receive `& general message reception logic
-&`resolver `& turn on the DNS resolver's debugging output
-&`retry `& retry handling
-&`rewrite `& address rewriting
-&`route `& address routing
-&`timestamp `& modifier: add timestamp to debug output lines
-&`tls `& TLS logic
-&`transport `& transports
-&`uid `& changes of uid/gid and looking up uid/gid
-&`verify `& address verification logic
-&`all `& almost all of the above (see below), and also &%-v%&
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow acl "ACL interpretation"
+.irow auth "authenticators"
+.irow deliver "general delivery logic"
+.irow dns "DNS lookups (see also resolver)"
+.irow dnsbl "DNS black list (aka RBL) code"
+.irow exec "arguments for &[execv()]& calls"
+.irow expand "detailed debugging for string expansions"
+.irow filter "filter handling"
+.irow hints_lookup "hints data lookups"
+.irow host_lookup "all types of name-to-IP address handling"
+.irow ident "ident lookup"
+.irow interface "lists of local interfaces"
+.irow lists "matching things in lists"
+.irow load "system load checks"
+.irow local_scan "can be used by &[local_scan()]& (see chapter &&&
+ &<<CHAPlocalscan>>&)"
+.irow lookup "general lookup code and all lookups"
+.irow memory "memory handling"
+.irow noutf8 "modifier: avoid UTF-8 line-drawing"
+.irow pid "modifier: add pid to debug output lines"
+.irow process_info "setting info for the process log"
+.irow queue_run "queue runs"
+.irow receive "general message reception logic"
+.irow resolver "turn on the DNS resolver's debugging output"
+.irow retry "retry handling"
+.irow rewrite "address rewriting""
+.irow route "address routing"
+.irow timestamp "modifier: add timestamp to debug output lines"
+.irow tls "TLS logic"
+.irow transport "transports"
+.irow uid "changes of uid/gid and looking up uid/gid"
+.irow verify "address verification logic"
+.irow all "almost all of the above (see below), and also &%-v%&"
+.endtable
The &`all`& option excludes &`memory`& when used as &`+all`&, but includes it
for &`-all`&. The reason for this is that &`+all`& is something that people
tend to use when generating debug output for Exim maintainers. If &`+memory`&
domains = lsearch;/some/file
.endd
The first uses a string expansion, the result of which must be a domain list.
-.new
The key for an expansion-style lookup must be given explicitly.
-.wen
No strings have been specified for a successful or a failing lookup; the
defaults in this case are the looked-up data and an empty string, respectively.
The expansion takes place before the string is processed as a list, and the
When the lookup succeeds, the result of the expansion is a list of domains (and
possibly other types of item that are allowed in domain lists).
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using a lookup expansion""
The result of the expansion is not tainted.
In the second example, the lookup is a single item in a domain list. It causes
Any data that follows the keys is not relevant when checking that the domain
matches the list item.
-.new
The key for a list-style lookup is implicit, from the lookup context, if
the lookup is a single-key type (see below).
For query-style lookup types the key must be given explicitly.
-.wen
It is possible, though no doubt confusing, to use both kinds of lookup at once.
Consider a file containing lines like this:
The file string may not be tainted.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using a single-key lookup"
All single-key lookups support the option &"ret=key"&.
If this is given and the lookup
(either underlying implementation or cached value)
returns data, the result is replaced with a non-tainted
version of the lookup key.
-.cindex "tainted data" "de-tainting"
.next
.cindex "query-style lookup" "definition of"
The &'query-style'& type accepts a generalized database query. No particular
key value is assumed by Exim for query-style lookups. You can use whichever
Exim variables you need to construct the database query.
.cindex "tainted data" "quoting for lookups"
-.new
If tainted data is used in the query then it should be quuted by
using the &*${quote_*&<&'lookup-type'&>&*:*&<&'string'&>&*}*& expansion operator
appropriate for the lookup.
-.wen
.endlist
The code for each lookup type is in a separate source file that is included in
spaces. If a value contains spaces it must be enclosed in double quotes, and
when double quotes are used, backslash is interpreted in the usual way inside
them. The following names are recognized:
-.display
-&`DEREFERENCE`& set the dereferencing parameter
-&`NETTIME `& set a timeout for a network operation
-&`USER `& set the DN, for authenticating the LDAP bind
-&`PASS `& set the password, likewise
-&`REFERRALS `& set the referrals parameter
-&`SERVERS `& set alternate server list for this query only
-&`SIZE `& set the limit for the number of entries returned
-&`TIME `& set the maximum waiting time for a query
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow DEREFERENCE "set the dereferencing parameter"
+.irow NETTIME "set a timeout for a network operation"
+.irow USER "set the DN, for authenticating the LDAP bind"
+.irow PASS "set the password, likewise"
+.irow REFERRALS "set the referrals parameter"
+.irow SERVERS "set alternate server list for this query only"
+.irow SIZE "set the limit for the number of entries returned"
+.irow TIME "set the maximum waiting time for a query"
+.endtable
The value of the DEREFERENCE parameter must be one of the words &"never"&,
&"searching"&, &"finding"&, or &"always"&. The value of the REFERRALS parameter
must be &"follow"& (the default) or &"nofollow"&. The latter stops the LDAP
&$domain_data$& variable and can be referred to in other router options or
other statements in the same ACL.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using ACL domains condition"
The value will be untainted.
&*Note*&: If the data result of the lookup (as opposed to the key)
&%domains%& option on a router, the value is preserved in the &$domain_data$&
variable and can be referred to in other options.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using router domains option"
The value will be untainted.
.next
.cindex "expansion" "running a command"
.cindex "&%run%& expansion item"
This item runs an external command, as a subprocess.
-.new
One option is supported after the word &'run'&, comma-separated.
If the option &'preexpand'& is not used,
a shell, you must explicitly code it.
The command name may not be tainted, but the remaining arguments can be.
+&*Note*&: if tainted arguments are used, they are supplied by a
+potential attacker;
+a careful assessment for security vulnerabilities should be done.
+
If the option &'preexpand'& is used,
-.wen
the command and its arguments are first expanded as one string. The result is
split apart into individual arguments by spaces, and then the command is run
as above.
around the command arguments. A possible guard against this is to wrap the
variable in the &%sg%& operator to change any quote marks to some other
character.
-.new
Neither the command nor any argument may be tainted.
-.wen
The standard input for the command exists, but is empty. The standard output
and standard error are set to the same file descriptor.
Since this operation is expected to
be mostly used for looking up masked addresses in files, the
-.new
normal
-.wen
result for an IPv6
address uses dots to separate components instead of colons, because colon
terminates a key string in lsearch files. So, for example,
.code
3ffe.ffff.836f.0a00.000a.0800.2000.0000/99
.endd
-.new
If the optional form &*mask_n*& is used, IPv6 address result are instead
returned in normailsed form, using colons and with zero-compression.
-.wen
Letters in IPv6 addresses are always output in lower case.
.cindex "expansion" "numeric comparison"
There are a number of symbolic operators for doing numeric comparisons. They
are:
-.display
-&`= `& equal
-&`== `& equal
-&`> `& greater
-&`>= `& greater or equal
-&`< `& less
-&`<= `& less or equal
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow "= " "equal"
+.irow "== " "equal"
+.irow "> " "greater"
+.irow ">= " "greater or equal"
+.irow "< " "less"
+.irow "<= " "less or equal"
+.endtable
For example:
.code
${if >{$message_size}{10M} ...
${if forany{fOo:NeeDLE:bAr}{eqi{$item}{Needle}}}
.endd
-.new
The variable &$value$& will be set for a successful match and can be
used in the success clause of an &%if%& expansion item using the condition.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using an inlist expansion condition"
It will have the same taint status as the list; expansions such as
.code
${if inlist {$h_mycode:} {0 : 1 : 42} {$value}}
.endd
can be used for de-tainting.
Any previous &$value$& is restored after the if.
-.wen
.vitem &*isip&~{*&<&'string'&>&*}*& &&&
have their local parts matched casefully. Domains are always matched
caselessly.
-.new
The variable &$value$& will be set for a successful match and can be
used in the success clause of an &%if%& expansion item using the condition.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using a match_local_part expansion condition"
It will have the same taint status as the list; expansions such as
.code
${if match_local_part {$local_part} {alice : bill : charlotte : dave} {$value}}
.endd
can be used for de-tainting.
Any previous &$value$& is restored after the if.
-.wen
Note that <&'string2'&> is not itself subject to string expansion, unless
Exim was built with the EXPAND_LISTMATCH_RHS option.
This section contains an alphabetical list of all the expansion variables. Some
of them are available only when Exim is compiled with specific options such as
support for TLS or the content scanning extension.
-.new
.cindex "tainted data"
Variables marked as &'tainted'& are likely to carry data supplied by
a potential attacker.
Such variables should not be further expanded,
used as filenames
or used as command-line arguments for external commands.
-.wen
.vlist
.vitem "&$0$&, &$1$&, etc"
precedes the expansion of the string. For example, the commands available in
Exim filter files include an &%if%& command with its own regular expression
matching condition.
-.new
If the subject string was tainted then any captured substring will also be.
-.wen
.vitem "&$acl_arg1$&, &$acl_arg2$&, etc"
Within an acl condition, expansion condition or expansion item
possible to distinguish between &"did not try to authenticate"&
(&$sender_host_authenticated$& is empty and &$authentication_failed$& is set to
&"0"&) and &"tried to authenticate but failed"& (&$sender_host_authenticated$&
-is empty and &$authentication_failed$& is set to &"1"&). Failure includes any
-negative response to an AUTH command, including (for example) an attempt to use
-an undefined mechanism.
+is empty and &$authentication_failed$& is set to &"1"&).
+Failure includes cancellation of a authentication attempt,
+and any negative response to an AUTH command,
+(including, for example, an attempt to use an undefined mechanism).
.vitem &$av_failed$&
.cindex "content scanning" "AV scanner failure"
(described under &%transport_filter%& in chapter &<<CHAPtransportgeneric>>&).
It cannot be used in general expansion strings, and provokes an &"unknown
variable"& error if encountered.
+&*Note*&: This value permits data supplied by a potential attacker to
+be used in the command for a &(pipe)& transport.
+Such configurations should be carefully assessed for security vulnerbilities.
.vitem &$primary_hostname$&
.vindex "&$primary_hostname$&"
When a &%regex%& or &%mime_regex%& ACL condition succeeds,
these variables contain the
captured substrings identified by the regular expression.
-.new
If the subject string was tainted then so will any captured substring.
-.wen
.tvar &$reply_address$&
.row &%log_timezone%& "add timezone to log lines"
.row &%message_logs%& "create per-message logs"
.row &%preserve_message_logs%& "after message completion"
+.row &%panic_coredump%& "request coredump on fatal errors"
.row &%process_log_path%& "for SIGUSR1 and &'exiwhat'&"
.row &%slow_lookup_log%& "control logging of slow DNS lookups"
.row &%syslog_duplication%& "controls duplicate log lines on syslog"
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
.row &%gnutls_allow_auto_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
.row &%hosts_require_alpn%& "mandatory ALPN"
+.row &%hosts_require_helo%& "mandatory HELO/EHLO"
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_alpn%& "acceptable protocol names"
.code
hosts_connection_nolog = :
.endd
-If the &%smtp_connection%& log selector is not set, this option has no effect.
+.new
+The hosts affected by this option also do not log "no MAIL in SMTP connection"
+lines, as may commonly be produced by a monitoring system.
+.wen
.option hosts_require_alpn main "host list&!!" unset
managed by this option, and should be done separately.
+.option hosts_require_helo main "host list&!!" *
+.cindex "HELO/EHLO" requiring
+Exim will require an accepted HELO or EHLO command from a host matching
+this list, before accepting a MAIL command.
+
+
.option hosts_proxy main "host list&!!" unset
.cindex proxy "proxy protocol"
This option enables use of Proxy Protocol proxies for incoming
The option is available only if Exim has been built with Oracle support.
+.new
+.option panic_coredump main boolean false
+This option is rarely needed but can help for some debugging investigations.
+If set, when an internal error is detected by Exim which is sufficient
+to terminate the process
+(all such are logged in the paniclog)
+then a coredump is requested.
+
+Note that most systems require additional administrative configuration
+to permit write a core file for a setuid program, which is Exim's
+common installed configuration.
+.wen
+
.option percent_hack_domains main "domain list&!!" unset
.cindex "&""percent hack""&"
.cindex "source routing" "in email address"
.option pipelining_connect_advertise_hosts main "host list&!!" *
.cindex "pipelining" "early connection"
-.cindex "pipelining" PIPE_CONNECT
-.cindex "ESMTP extensions" PIPE_CONNECT
-If Exim is built with the SUPPORT_PIPE_CONNECT build option
+.cindex "pipelining" PIPECONNECT
+.cindex "ESMTP extensions" PIPECONNECT
+If Exim is built without the DISABLE_PIPE_CONNECT build option
this option controls which hosts the facility is advertised to
and from which pipeline early-connection (before MAIL) SMTP
commands are acceptable.
See also the &%hosts_pipe_connect%& smtp transport option.
-The SMTP service extension keyword advertised is &"PIPE_CONNECT"&.
+The SMTP service extension keyword advertised is &"PIPECONNECT"&;
+it permits the client to pipeline
+TCP connection and hello command (inclear phase),
+or TLS-establishment and hello command (encrypted phase),
+on later connections to the same host.
.option prdr_enable main boolean false
next queue run. See also &%hold_domains%& and &%queue_smtp_domains%&.
-.option queue_fast_ramp main boolean false
+.option queue_fast_ramp main boolean true
.cindex "queue runner" "two phase"
.cindex "queue" "double scanning"
If set to true, two-phase queue runs, initiated using &%-qq%& on the
for the remaining recipients at a later time.
-.option remote_max_parallel main integer 2
+.option remote_max_parallel main integer 4
.cindex "delivery" "parallelism for remote"
This option controls parallel delivery of one message to a number of remote
hosts. If the value is less than 2, parallel delivery is disabled, and Exim
At this point, all of the "ike" values should be considered obsolete;
they are still in Exim to avoid breaking unusual configurations, but are
candidates for removal the next time we have backwards-incompatible changes.
-.new
Two of them in particular (&`ike1`& and &`ike22`&) are called out by RFC 8247
as MUST NOT use for IPSEC, and two more (&`ike23`& and &`ike24`&) as
SHOULD NOT.
are used, warnings will be logged in the paniclog, and if any are used then
warnings will be logged in the mainlog.
All four will be removed in a future Exim release.
-.wen
The TLS protocol does not negotiate an acceptable size for this; clients tend
to hard-drop connections if what is offered by the server is unacceptable,
holding password data (such as NIS) are supported. If the local part is a local
user,
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using router check_local_user option"
&$local_part_data$& is set to an untainted version of the local part and
&$home$& is set from the password data. The latter can be tested in other
preconditions that are evaluated after this one (the order of evaluation is
checking is done in "belowhome" mode.
.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using appendfile create_file option"
If "belowhome" checking is used, the file or directory path
becomes de-tainted.
the &%environment%& option can be used to add additional variables to this
environment. The environment for the &(pipe)& transport is not subject
to the &%add_environment%& and &%keep_environment%& main config options.
+&*Note*&: Using enviroment variables loses track of tainted data.
+Writers of &(pipe)& transport commands should be wary of data supplied
+by potential attackers.
.display
&`DOMAIN `& the domain of the address
&`HOME `& the home directory, if set
Exim, and each argument is separately expanded, as described in section
&<<SECThowcommandrun>>& above.
-.new
.cindex "tainted data"
No part of the resulting command may be tainted.
-.wen
.option environment pipe string&!! unset
The use of &%helo_data%& applies both to sending messages and when doing
callouts.
-.new
.option host_name_extract smtp "string list&!!" "see below"
.cindex "load balancer" "hosts behind"
.cindex TLS resumption
expression for this option.
The smtp:ehlo event and the &$tls_out_resumption$& variable
will be useful for such work.
-.wen
.option hosts smtp "string list&!!" unset
Hosts are associated with an address by a router such as &(dnslookup)&, which
.option hosts_pipe_connect smtp "host list&!!" unset
.cindex "pipelining" "early connection"
-.cindex "pipelining" PIPE_CONNECT
+.cindex "pipelining" PIPECONNECT
If Exim is built with the SUPPORT_PIPE_CONNECT build option
this option controls which to hosts the facility watched for
and recorded, and used for subsequent connections.
See also the &%pipelining_connect_advertise_hosts%& main option.
Note:
-.new
When the facility is used, if the transport &%interface%& option is unset
the &%helo_data%& option
-.wen
will be expanded before the &$sending_ip_address$& variable
is filled in.
A check is made for the use of that variable, without the
See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
-.option hosts_require_helo smtp "host list&!!" *
-.cindex "HELO/EHLO" requiring
-Exim will require an accepted HELO or EHLO command from a host matching
-this list, before accepting a MAIL command.
-
.option hosts_require_ocsp smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will request, and check for a valid Certificate Status being given, on a
only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
-.new
If DANE validated the connection attempt then the value of the &%tls_sni%& option
is forced to the name of the destination host, after any MX- or CNAME-following.
-.wen
Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
the message override the banner message that is otherwise specified by the
&%smtp_banner%& option.
-.new
For tls-on-connect connections, the ACL is run after the TLS connection
is accepted (however, &%host_reject_connection%& is tested before).
-.wen
.section "The EHLO/HELO ACL" "SECID192"
with &`-d`&, with the output going to a new logfile in the usual logs directory,
by default called &'debuglog'&.
-.new
+Logging set up by the control will be maintained across spool residency.
+
Options are a slash-separated list.
If an option takes an argument, the option name and argument are separated by
an equals character.
Several options are supported:
-.wen
.display
tag=<&'suffix'&> The filename can be adjusted with thise option.
The argument, which may access any variables already defined,
.cindex "domain" "ACL checking"
.cindex "&ACL;" "testing a recipient domain"
.vindex "&$domain_data$&"
-This condition is relevant only after a RCPT command. It checks that the domain
+This condition is relevant only in a RCPT ACL. It checks that the domain
of the recipient address is in the domain list. If percent-hack processing is
enabled, it is done before this test is done. If the check succeeds with a
lookup, the result of the lookup is placed in &$domain_data$& until the next
.cindex "local part" "ACL checking"
.cindex "&ACL;" "testing a local part"
.vindex "&$local_part_data$&"
-This condition is relevant only after a RCPT command. It checks that the local
+This condition is relevant only in a RCPT ACL. It checks that the local
part of the recipient address is in the list. If percent-hack processing is
enabled, it is done before this test. If the check succeeds with a lookup, the
result of the lookup is placed in &$local_part_data$&, which remains set until
.cindex "&%recipients%& ACL condition"
.cindex "recipient" "ACL checking"
.cindex "&ACL;" "testing a recipient"
-This condition is relevant only after a RCPT command. It checks the entire
+This condition is relevant only in a RCPT ACL. It checks the entire
recipient address against a list of recipients.
.vitem &*regex&~=&~*&<&'list&~of&~regular&~expressions'&>
non-SMTP ACLs. It causes the incoming message to be scanned for a match with
any of the regular expressions. For details, see chapter &<<CHAPexiscan>>&.
-.new
.vitem &*seen&~=&~*&<&'parameters'&>
-.cindex "&%sseen%& ACL condition"
+.cindex "&%seen%& ACL condition"
This condition can be used to test if a situation has been previously met,
for example for greylisting.
Details are given in section &<<SECTseen>>&.
-.wen
.vitem &*sender_domains&~=&~*&<&'domain&~list'&>
.cindex "&%sender_domains%& ACL condition"
(which is the most common usage), because it prevents a DNS failure from
blocking mail. However, you can change this behaviour by putting one of the
following special items in the list:
-.display
-&`+include_unknown `& behave as if the item is on the list
-&`+exclude_unknown `& behave as if the item is not on the list (default)
-&`+defer_unknown `& give a temporary error
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow "+include_unknown" "behave as if the item is on the list"
+.irow "+exclude_unknown" "behave as if the item is not on the list (default)"
+.irow "+defer_unknown " "give a temporary error"
+.endtable
.cindex "&`+include_unknown`&"
.cindex "&`+exclude_unknown`&"
.cindex "&`+defer_unknown`&"
just used the address 127.0.0.1 on the right hand side of each record, but the
RBL+ list and some other lists use a number of values with different meanings.
The values used on the RBL+ list are:
-.display
-127.1.0.1 RBL
-127.1.0.2 DUL
-127.1.0.3 DUL and RBL
-127.1.0.4 RSS
-127.1.0.5 RSS and RBL
-127.1.0.6 RSS and DUL
-127.1.0.7 RSS and DUL and RBL
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow 127.1.0.1 "RBL"
+.irow 127.1.0.2 "DUL"
+.irow 127.1.0.3 "DUL and RBL"
+.irow 127.1.0.4 "RSS"
+.irow 127.1.0.5 "RSS and RBL"
+.irow 127.1.0.6 "RSS and DUL"
+.irow 127.1.0.7 "RSS and DUL and RBL"
+.endtable
Section &<<SECTaddmatcon>>& below describes how you can distinguish between
different values. Some DNS lists may return more than one address record;
see section &<<SECThanmuldnsrec>>& for details of how they are checked.
.endd
-.new
.section "Previously seen user and hosts" "SECTseen"
-.cindex "&%sseen%& ACL condition"
+.cindex "&%een%& ACL condition"
.cindex greylisting
The &%seen%& ACL condition can be used to test whether a
situation has been previously met.
Note that &"seen"& should be added to the list of hints databases
for maintenance if this ACL condition is used.
-.wen
.section "Rate limiting incoming messages" "SECTratelimiting"
clients when the SMTP PIPELINING extension is in use. The flushing can be
disabled by using a &%control%& modifier to set &%no_callout_flush%&.
+.cindex "tainted data" "de-tainting"
+.cindex "de-tainting" "using recipient verify"
+A recipient callout which gets a 2&'xx'& code
+will assign untainted values to the
+&$domain_data$& and &$local_part_data$& variables,
+corresponding to the domain and local parts of the recipient address.
+
.vitem &*header_line&~*header_last*&
A pointer to the last of the header lines.
-.new
.vitem &*const&~uschar&~*headers_charset*&
The value of the &%headers_charset%& configuration option.
-.wen
.vitem &*BOOL&~host_checking*&
This variable is TRUE during a host checking session that is initiated by the
.vitem &*int&~lss_match_domain(uschar&~*domain,&~uschar&~*list)*&
This function checks for a match in a domain list. Domains are always
matched caselessly. The return value is one of the following:
-.display
-&`OK `& match succeeded
-&`FAIL `& match failed
-&`DEFER `& match deferred
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow &`OK`& "match succeeded"
+.irow &`FAIL`& "match failed"
+.irow &`DEFER`& "match deferred"
+.endtable
DEFER is usually caused by some kind of lookup defer, such as the
inability to contact a database.
&"syslog"&. This means that an empty item in &%log_file_path%& can be used to
mean &"use the path specified at build time"&. If no such item exists, log
files are written in the &_log_& subdirectory of the spool directory. This is
-equivalent to the setting:
+equivalent to the configuration file setting:
.code
log_file_path = $spool_directory/log/%slog
.endd
A log file path may also contain &`%D`& or &`%M`& if datestamped log filenames
are in use &-- see section &<<SECTdatlogfil>>& below.
-Here are some examples of possible settings:
+Here are some examples of possible Makefile settings:
.display
&`LOG_FILE_PATH=syslog `& syslog only
&`LOG_FILE_PATH=:syslog `& syslog and default path
successful, unsuccessful, and delayed delivery. These lines can readily be
picked out by the distinctive two-character flags that immediately follow the
timestamp. The flags are:
-.display
-&`<=`& message arrival
-&`(=`& message fakereject
-&`=>`& normal message delivery
-&`->`& additional address in same delivery
-&`>>`& cutthrough message delivery
-&`*>`& delivery suppressed by &%-N%&
-&`**`& delivery failed; address bounced
-&`==`& delivery deferred; temporary problem
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow &%<=%& "message arrival"
+.irow &%(=%& "message fakereject"
+.irow &%=>%& "normal message delivery"
+.irow &%->%& "additional address in same delivery"
+.irow &%>>%& "cutthrough message delivery"
+.irow &%*>%& "delivery suppressed by &%-N%&"
+.irow &%**%& "delivery failed; address bounced"
+.irow &%==%& "delivery deferred; temporary problem"
+.endtable
.section "Logging message reception" "SECID251"
.endd
The list of optional log items is in the following table, with the default
selection marked by asterisks:
-.display
-&` 8bitmime `& received 8BITMIME status
-&`*acl_warn_skipped `& skipped &%warn%& statement in ACL
-&` address_rewrite `& address rewriting
-&` all_parents `& all parents in => lines
-&` arguments `& command line arguments
-&`*connection_reject `& connection rejections
-&`*delay_delivery `& immediate delivery delayed
-&` deliver_time `& time taken to attempt delivery
-&` delivery_size `& add &`S=`&&'nnn'& to => lines
-&`*dkim `& DKIM verified domain on <= lines
-&` dkim_verbose `& separate full DKIM verification result line, per signature
-&`*dnslist_defer `& defers of DNS list (aka RBL) lookups
-&` dnssec `& DNSSEC secured lookups
-&`*etrn `& ETRN commands
-&`*host_lookup_failed `& as it says
-&` ident_timeout `& timeout for ident connection
-&` incoming_interface `& local interface on <= and => lines
-&` incoming_port `& remote port on <= lines
-&`*lost_incoming_connection `& as it says (includes timeouts)
-&` millisec `& millisecond timestamps and RT,QT,DT,D times
-&`*msg_id `& on <= lines, Message-ID: header value
-&` msg_id_created `& on <= lines, Message-ID: header value when one had to be added
-&` outgoing_interface `& local interface on => lines
-&` outgoing_port `& add remote port to => lines
-&`*queue_run `& start and end queue runs
-&` queue_time `& time on queue for one recipient
-&`*queue_time_exclusive `& exclude recieve time from QT times
-&` queue_time_overall `& time on queue for whole message
-&` pid `& Exim process id
-&` pipelining `& PIPELINING use, on <= and => lines
-&` proxy `& proxy address on <= and => lines
-&` receive_time `& time taken to receive message
-&` received_recipients `& recipients on <= lines
-&` received_sender `& sender on <= lines
-&`*rejected_header `& header contents on reject log
-&`*retry_defer `& &"retry time not reached"&
-&` return_path_on_delivery `& put return path on => and ** lines
-&` sender_on_delivery `& add sender to => lines
-&`*sender_verify_fail `& sender verification failures
-&`*size_reject `& rejection because too big
-&`*skip_delivery `& delivery skipped in a queue run
-&`*smtp_confirmation `& SMTP confirmation on => lines
-&` smtp_connection `& incoming SMTP connections
-&` smtp_incomplete_transaction`& incomplete SMTP transactions
-&` smtp_mailauth `& AUTH argument to MAIL commands
-&` smtp_no_mail `& session with no MAIL commands
-&` smtp_protocol_error `& SMTP protocol errors
-&` smtp_syntax_error `& SMTP syntax errors
-&` subject `& contents of &'Subject:'& on <= lines
-&`*tls_certificate_verified `& certificate verification status
-&`*tls_cipher `& TLS cipher suite on <= and => lines
-&` tls_peerdn `& TLS peer DN on <= and => lines
-&` tls_resumption `& append * to cipher field
-&` tls_sni `& TLS SNI on <= lines
-&` unknown_in_list `& DNS lookup failed in list match
-
-&` all `& all of the above
-.endd
+.itable none 0 0 3 1pt left 10pt center 1pt left
+.irow &`8bitmime`& "received 8BITMIME status"
+.irow &`acl_warn_skipped`& * "skipped &%warn%& statement in ACL"
+.irow &`address_rewrite`& "address rewriting"
+.irow &`all_parents`& "all parents in => lines"
+.irow &`arguments`& "command line arguments"
+.irow &`connection_reject`& * "connection rejections"
+.irow &`delay_delivery`& * "immediate delivery delayed"
+.irow &`deliver_time`& "time taken to attempt delivery"
+.irow &`delivery_size`& "add &`S=`&&'nnn'& to => lines"
+.irow &`dkim`& * "DKIM verified domain on <= lines"
+.irow &`dkim_verbose`& "separate full DKIM verification result line, per signature"
+.irow &`dnslist_defer`& * "defers of DNS list (aka RBL) lookups"
+.irow &`dnssec`& "DNSSEC secured lookups"
+.irow &`etrn`& * "ETRN commands"
+.irow &`host_lookup_failed`& * "as it says"
+.irow &`ident_timeout`& "timeout for ident connection"
+.irow &`incoming_interface`& "local interface on <= and => lines"
+.irow &`incoming_port`& "remote port on <= lines"
+.irow &`lost_incoming_connection`& * "as it says (includes timeouts)"
+.irow &`millisec`& "millisecond timestamps and RT,QT,DT,D times"
+.irow &`msg_id`& * "on <= lines, Message-ID: header value"
+.irow &`msg_id_created`& "on <= lines, Message-ID: header value when one had to be added"
+.irow &`outgoing_interface`& "local interface on => lines"
+.irow &`outgoing_port`& "add remote port to => lines"
+.irow &`queue_run`& * "start and end queue runs"
+.irow &`queue_time`& "time on queue for one recipient"
+.irow &`queue_time_exclusive`& "exclude recieve time from QT times"
+.irow &`queue_time_overall`& "time on queue for whole message"
+.irow &`pid`& "Exim process id"
+.irow &`pipelining`& "PIPELINING use, on <= and => lines"
+.irow &`proxy`& "proxy address on <= and => lines"
+.irow &`receive_time`& "time taken to receive message"
+.irow &`received_recipients`& "recipients on <= lines"
+.irow &`received_sender`& "sender on <= lines"
+.irow &`rejected_header`& * "header contents on reject log"
+.irow &`retry_defer`& * "&<quote>&retry time not reached&</quote>&"
+.irow &`return_path_on_delivery`& "put return path on => and ** lines"
+.irow &`sender_on_delivery`& "add sender to => lines"
+.irow &`sender_verify_fail`& * "sender verification failures"
+.irow &`size_reject`& * "rejection because too big"
+.irow &`skip_delivery`& * "delivery skipped in a queue run"
+.irow &`smtp_confirmation`& * "SMTP confirmation on => lines"
+.irow &`smtp_connection`& "incoming SMTP connections"
+.irow &`smtp_incomplete_transaction`& "incomplete SMTP transactions"
+.irow &`smtp_mailauth`& "AUTH argument to MAIL commands"
+.irow &`smtp_no_mail`& "session with no MAIL commands"
+.irow &`smtp_protocol_error`& "SMTP protocol errors"
+.irow &`smtp_syntax_error`& "SMTP syntax errors"
+.irow &`subject`& "contents of &'Subject:'& on <= lines"
+.irow &`tls_certificate_verified`& * "certificate verification status"
+.irow &`tls_cipher`& * "TLS cipher suite on <= and => lines"
+.irow &`tls_peerdn`& "TLS peer DN on <= and => lines"
+.irow &`tls_resumption`& "append * to cipher field"
+.irow &`tls_sni`& "TLS SNI on <= lines"
+.irow &`unknown_in_list`& "DNS lookup failed in list match"
+.irow &`all`& "&*all of the above*&"
+.endtable
See also the &%slow_lookup_log%& main configuration option,
section &<<SECID99>>&
the field has a minus appended.
.cindex "pipelining" "early connection"
-If Exim is built with the SUPPORT_PIPE_CONNECT build option
+If Exim is built without the DISABLE_PIPE_CONNECT build option
accept "L" fields have a period appended if the feature was
offered but not used, or an asterisk appended if used.
Delivery "L" fields have an asterisk appended if used.
system configuration options that configure exactly how &'exiwhat'& works. If
it doesn't seem to be working for you, check the following compile-time
options:
-.display
-&`EXIWHAT_PS_CMD `& the command for running &'ps'&
-&`EXIWHAT_PS_ARG `& the argument for &'ps'&
-&`EXIWHAT_EGREP_ARG `& the argument for &'egrep'& to select from &'ps'& output
-&`EXIWHAT_KILL_ARG `& the argument for the &'kill'& command
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow &`EXIWHAT_PS_CMD`& "the command for running &'ps'&"
+.irow &`EXIWHAT_PS_ARG`& "the argument for &'ps'&"
+.irow &`EXIWHAT_EGREP_ARG`& "the argument for &'egrep'& to select from &'ps'& output"
+.irow &`EXIWHAT_KILL_ARG`& "the argument for the &'kill'& command"
+.endtable
An example of typical output from &'exiwhat'& is
.code
164 daemon: -q1h, listening on port 25
.endlist
There is one more option, &%-h%&, which outputs a list of options.
-.new
At least one selection option, or either the &*-c*& or &*-h*& option, must be given.
-.wen
.cindex "&'exim_dumpdb'&"
The entire contents of a database are written to the standard output by the
&'exim_dumpdb'& program,
-.new
taking as arguments the spool and database names.
An option &'-z'& may be given to request times in UTC;
otherwise times are in the local timezone.
An option &'-k'& may be given to dump only the record keys.
-.wen
For example, to dump the retry database:
.code
exim_dumpdb /var/spool/exim retry
sequence of digit pairs for year, month, day, hour, and minute. Colons can be
used as optional separators.
-.new
Both displayed and input times are in the local timezone by default.
If an option &'-z'& is used on the command line, displayed times
are in UTC.
-.wen
start of the epoch. The second number is a count of the number of messages
warning of delayed delivery that have been sent to the sender.
-.new
There follow a number of lines starting with a hyphen.
These contain variables, can appear in any
order, and are omitted when not relevant.
The following word specifies a variable,
and the remainder of the item depends on the variable.
-.wen
.vlist
.vitem "&%-acl%&&~<&'number'&>&~<&'length'&>"
After expansion, this can be a list.
Each element in turn,
lowercased,
+.vindex "&$dkim_domain$&"
is put into the &%$dkim_domain%& expansion variable
while expanding the remaining signing options.
If it is empty after expansion, DKIM signing is not done,
This sets the key selector string.
After expansion, which can use &$dkim_domain$&, this can be a list.
Each element in turn is put in the expansion
+.vindex "&$dkim_selector$&"
variable &%$dkim_selector%& which may be used in the &%dkim_private_key%&
option along with &%$dkim_domain%&.
If the option is empty after expansion, DKIM signing is not done for this domain,
encoded.
The second argument should be given as the envelope sender address before this
encoding operation.
+If this value is empty the the expansion result will be empty.
The third argument should be the recipient domain of the message when
it arrived at this system.
.endlist
right-hand side. These strings describe recommended action based
on the DMARC check. To understand what the policy recommendations
mean, refer to the DMARC website above. Valid strings are:
-.display
-&'accept '& The DMARC check passed and the library recommends accepting the email.
-&'reject '& The DMARC check failed and the library recommends rejecting the email.
-&'quarantine '& The DMARC check failed and the library recommends keeping it for further inspection.
-&'none '& The DMARC check passed and the library recommends no specific action, neutral.
-&'norecord '& No policy section in the DMARC record for this RFC5322.From field
-&'nofrom '& Unable to determine the domain of the sender.
-&'temperror '& Library error or dns error.
-&'off '& The DMARC check was disabled for this email.
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow &'accept'& "The DMARC check passed and the library recommends accepting the email"
+.irow &'reject'& "The DMARC check failed and the library recommends rejecting the email"
+.irow &'quarantine'& "The DMARC check failed and the library recommends keeping it for further inspection"
+.irow &'none'& "The DMARC check passed and the library recommends no specific action, neutral"
+.irow &'norecord'& "No policy section in the DMARC record for this RFC5322.From field"
+.irow &'nofrom'& "Unable to determine the domain of the sender"
+.irow &'temperror'& "Library error or dns error"
+.irow &'off'& "The DMARC check was disabled for this email"
+.endtable
You can prefix each string with an exclamation mark to invert its
meaning, for example "!accept" will match all results but
"accept". The string list is evaluated left-to-right in a
The following expansion variables are usable
(&"internal"& and &"external"& here refer to the interfaces
of the proxy):
-.display
-&'proxy_external_address '& IP of host being proxied or IP of remote interface of proxy
-&'proxy_external_port '& Port of host being proxied or Port on remote interface of proxy
-&'proxy_local_address '& IP of proxy server inbound or IP of local interface of proxy
-&'proxy_local_port '& Port of proxy server inbound or Port on local interface of proxy
-&'proxy_session '& boolean: SMTP connection via proxy
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow $proxy_external_address "IP of host being proxied or IP of remote interface of proxy"
+.irow $proxy_external_port "Port of host being proxied or Port on remote interface of proxy"
+.irow $proxy_local_address "IP of proxy server inbound or IP of local interface of proxy"
+.irow $proxy_local_port "Port of proxy server inbound or Port on local interface of proxy"
+.irow $proxy_session "boolean: SMTP connection via proxy"
+.endtable
If &$proxy_session$& is set but &$proxy_external_address$& is empty
there was a protocol error.
The variables &$sender_host_address$& and &$sender_host_port$&
Options are a string <name>=<value>.
The list of options is in the following table:
-.display
-&'auth '& authentication method
-&'name '& authentication username
-&'pass '& authentication password
-&'port '& tcp port
-&'tmo '& connection timeout
-&'pri '& priority
-&'weight '& selection bias
-.endd
+.itable none 0 0 2 1pt left 1pt left
+.irow &'auth'& "authentication method"
+.irow &'name'& "authentication username"
+.irow &'pass'& "authentication password"
+.irow &'port'& "tcp port"
+.irow &'tmo'& "connection timeout"
+.irow &'pri'& "priority"
+.irow &'weight'& "selection bias"
+.endtable
More details on each of these options follows:
but could be used for any message.
If a value is appended it may be:
-.display
-&`1 `& mandatory downconversion
-&`0 `& no downconversion
-&`-1 `& if SMTPUTF8 not supported by destination host
-.endd
+.itable none 0 0 2 1pt right 1pt left
+.irow &`1`& "mandatory downconversion"
+.irow &`0`& "no downconversion"
+.irow &`-1`& "if SMTPUTF8 not supported by destination host"
+.endtable
If no value is given, 1 is used.
If mua_wrapper is set, the utf8_downconvert control
The name is placed in the variable &$event_name$& and the event action
expansion must check this, as it will be called for every possible event type.
-.new
The current list of events is:
-.display
-&`dane:fail after transport `& per connection
-&`msg:complete after main `& per message
-&`msg:defer after transport `& per message per delivery try
-&`msg:delivery after transport `& per recipient
-&`msg:rcpt:host:defer after transport `& per recipient per host
-&`msg:rcpt:defer after transport `& per recipient
-&`msg:host:defer after transport `& per host per delivery try; host errors
-&`msg:fail:delivery after transport `& per recipient
-&`msg:fail:internal after main `& per recipient
-&`tcp:connect before transport `& per connection
-&`tcp:close after transport `& per connection
-&`tls:cert before both `& per certificate in verification chain
-&`tls:fail:connect after main `& per connection
-&`smtp:connect after transport `& per connection
-&`smtp:ehlo after transport `& per connection
-.endd
-.wen
+.itable all 0 0 4 1pt left 1pt center 1pt center 1pt left
+.irow dane:fail after transport "per connection"
+.irow msg:complete after main "per message"
+.irow msg:defer after transport "per message per delivery try"
+.irow msg:delivery after transport "per recipient"
+.irow msg:rcpt:host:defer after transport "per recipient per host"
+.irow msg:rcpt:defer after transport "per recipient"
+.irow msg:host:defer after transport "per host per delivery try; host errors"
+.irow msg:fail:delivery after transport "per recipient"
+.irow msg:fail:internal after main "per recipient"
+.irow tcp:connect before transport "per connection"
+.irow tcp:close after transport "per connection"
+.irow tls:cert before both "per certificate in verification chain"
+.irow tls:fail:connect after main "per connection"
+.irow smtp:connect after transport "per connection"
+.irow smtp:ehlo after transport "per connection"
+.endtable
New event types may be added in future.
The event name is a colon-separated list, defining the type of
An additional variable, &$event_data$&, is filled with information varying
with the event type:
-.display
-&`dane:fail `& failure reason
-&`msg:defer `& error string
-&`msg:delivery `& smtp confirmation message
-&`msg:fail:internal `& failure reason
-&`msg:fail:delivery `& smtp error message
-&`msg:host:defer `& error string
-&`msg:rcpt:host:defer `& error string
-&`msg:rcpt:defer `& error string
-&`tls:cert `& verification chain depth
-&`tls:fail:connect `& error string
-&`smtp:connect `& smtp banner
-&`smtp:ehlo `& smtp ehlo response
-.endd
+.itable all 0 0 2 1pt left 1pt left
+.irow dane:fail "failure reason"
+.irow msg:defer "error string"
+.irow msg:delivery "smtp confirmation message"
+.irow msg:fail:internal "failure reason"
+.irow msg:fail:delivery "smtp error message"
+.irow msg:host:defer "error string"
+.irow msg:rcpt:host:defer "error string"
+.irow msg:rcpt:defer "error string"
+.irow tls:cert "verification chain depth"
+.irow tls:fail:connect "error string"
+.irow smtp:connect "smtp banner"
+.irow smtp:ehlo "smtp ehlo response"
+.endtable
The :defer events populate one extra variable: &$event_defer_errno$&.
-For complex operations an ACL expansion can be used in &%event_action%&
+For complex operations an ACL expansion can be used in &%event_action%&,
however due to the multiple contexts that Exim operates in during
the course of its processing:
.ilist
The expansion of the event_action option should normally
return an empty string. Should it return anything else the
following will be forced:
-.display
-&`tcp:connect `& do not connect
-&`tls:cert `& refuse verification
-&`smtp:connect `& close connection
-.endd
+.itable all 0 0 2 1pt left 1pt left
+.irow tcp:connect "do not connect"
+.irow tls:cert "refuse verification"
+.irow smtp:connect "close connection"
+.endtable
All other message types ignore the result string, and
no other use is made of it.