. Update the Copyright year (only) when changing content.
. /////////////////////////////////////////////////////////////////////////////
-.set previousversion "4.94"
+.set previousversion "4.95"
.include ./local_params
.set ACL "access control lists (ACLs)"
.set I " "
+.set drivernamemax "64"
+
.macro copyyear
-2020
+2021
.endmacro
. /////////////////////////////////////////////////////////////////////////////
.macro index
.echo "** Don't use .index; use .cindex or .oindex or .vindex"
.endmacro
+
+
+. use this for a concept-index entry for a header line
+.macro chindex
+.cindex "&'$1'& header line"
+.cindex "header lines" $1
+.endmacro
. ////////////////////////////////////////////////////////////////////////////
</revision></revhistory>
<copyright><year>
.copyyear
- </year><holder>University of Cambridge</holder></copyright>
+ </year><holder>The Exim Maintainers</holder></copyright>
</bookinfo>
.literal off
. This chunk of literal XML implements index entries of the form "x, see y" and
. "x, see also y". However, the DocBook DTD doesn't allow <indexterm> entries
. at the top level, so we have to put the .chapter directive first.
+
+. These do not turn up in the HTML output, unfortunately. The PDF does get them.
. /////////////////////////////////////////////////////////////////////////////
.chapter "Introduction" "CHID1"
<secondary>failure report</secondary>
<see><emphasis>bounce message</emphasis></see>
</indexterm>
+<indexterm role="concept">
+ <primary>de-tainting</primary>
+ <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>
+<indexterm role="concept">
+ <primary>detainting</primary>
+ <see><emphasis>tainting, de-tainting</emphasis></see>
+</indexterm>
<indexterm role="concept">
<primary>dialup</primary>
<see><emphasis>intermittently connected hosts</emphasis></see>
<primary>zero, binary</primary>
<see><emphasis>binary zero</emphasis></see>
</indexterm>
+<indexterm role="concept">
+ <primary>headers</primary>
+ <see><emphasis>header lines</emphasis></see>
+</indexterm>
.literal off
.chapter "Incorporated code" "CHID2"
.cindex "incorporated code"
.cindex "regular expressions" "library"
-.cindex "PCRE"
+.cindex "PCRE2"
.cindex "OpenDMARC"
A number of pieces of external code are included in the Exim distribution.
.ilist
Regular expressions are supported in the main Exim program and in the
-Exim monitor using the freely-distributable PCRE library, copyright
-© University of Cambridge. The source to PCRE is no longer shipped with
-Exim, so you will need to use the version of PCRE shipped with your system,
+Exim monitor using the freely-distributable PCRE2 library, copyright
+© University of Cambridge. The source to PCRE2 is not longer shipped with
+Exim, so you will need to use the version of PCRE2 shipped with your system,
or obtain and install the full version of the library from
-&url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre).
+&url(https://github.com/PhilipHazel/pcre2/releases).
.next
.cindex "cdb" "acknowledgment"
Support for the cdb (Constant DataBase) lookup method is provided by code
.next
Individual routers can be explicitly skipped when running the routers to
check an address given in the SMTP EXPN command (see the &%expn%& option).
+
.next
If the &%domains%& option is set, the domain of the address must be in the set
of domains that it defines.
+.cindex "tainted data" "de-tainting"
+A match verifies the variable &$domain$& (which carries tainted data)
+and assigns an untainted value to the &$domain_data$& variable.
+Such an untainted value is often needed in the transport.
+For specifics of the matching operation and the resulting untainted value,
+refer to section &<<SECTdomainlist>>&.
+
+When an untainted value is wanted, use this option
+rather than the generic &%condition%& option.
+
.next
.vindex "&$local_part_prefix$&"
.vindex "&$local_part_prefix_v$&"
.vindex "&$local_part_suffix_v$&"
.cindex affix "router precondition"
If the &%local_parts%& option is set, the local part of the address must be in
-the set of local parts that it defines. If &%local_part_prefix%& or
+the set of local parts that it defines.
+A match verifies the variable &$local_part$& (which carries tainted data)
+and assigns an untainted value to the &$local_part_data$& variable.
+Such an untainted value is often needed in the transport.
+For specifics of the matching operation and the resulting untainted value,
+refer to section &<<SECTlocparlis>>&.
+
+When an untainted value is wanted, use this option
+rather than the generic &%condition%& option.
+
+If &%local_part_prefix%& or
&%local_part_suffix%& is in use, the prefix or suffix is removed from the local
part before this check. If you want to do precondition tests on local parts
that include affixes, you can do so by using a &%condition%& option (see below)
that uses the variables &$local_part$&, &$local_part_prefix$&,
&$local_part_prefix_v$&, &$local_part_suffix$&
and &$local_part_suffix_v$& as necessary.
+
.next
.vindex "&$local_user_uid$&"
.vindex "&$local_user_gid$&"
local user are placed in &$local_user_uid$& and &$local_user_gid$& and the
user's home directory is placed in &$home$&; these values can be used in the
remaining preconditions.
+
.next
If the &%router_home_directory%& option is set, it is expanded at this point,
because it overrides the value of &$home$&. If this expansion were left till
later, the value of &$home$& as set by &%check_local_user%& would be used in
subsequent tests. Having two different values of &$home$& in the same router
could lead to confusion.
+
.next
If the &%senders%& option is set, the envelope sender address must be in the
set of addresses that it defines.
+
.next
If the &%require_files%& option is set, the existence or non-existence of
specified files is tested.
+
.next
.cindex "customizing" "precondition"
If the &%condition%& option is set, it is evaluated and tested. This option
uses an expanded string to allow you to set up your own custom preconditions.
Expanded strings are described in chapter &<<CHAPexpand>>&.
+
+Note that while using
+this option for address matching technically works,
+it does not set any de-tainted values.
+Such values are often needed, either for router-specific options or
+for transport options.
+Using the &%domains%& and &%local_parts%& options is usually the most
+convenient way to obtain them.
.endlist
A C99-capable compiler will be required for the build.
-.section "PCRE library" "SECTpcre"
-.cindex "PCRE library"
-Exim no longer has an embedded PCRE library as the vast majority of
-modern systems include PCRE as a system library, although you may need to
-install the PCRE package or the PCRE development package for your operating
-system. If your system has a normal PCRE installation the Exim build
+.section "PCRE2 library" "SECTpcre"
+.cindex "PCRE2 library"
+Exim no longer has an embedded regular-expression library as the vast majority of
+modern systems include PCRE2 as a system library, although you may need to
+install the PCRE2 package or the PCRE2 development package for your operating
+system. If your system has a normal PCRE2 installation the Exim build
process will need no further configuration. If the library or the
-headers are in an unusual location you will need to either set the PCRE_LIBS
+headers are in an unusual location you will need to either set the PCRE2_LIBS
and INCLUDE directives appropriately,
-or set PCRE_CONFIG=yes to use the installed &(pcre-config)& command.
+or set PCRE2_CONFIG=yes to use the installed &(pcre-config)& command.
If your operating system has no
-PCRE support then you will need to obtain and build the current PCRE
-from &url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/).
-More information on PCRE is available at &url(https://www.pcre.org/).
+PCRE2 support then you will need to obtain and build the current PCRE
+from &url(https://github.com/PhilipHazel/pcre2/releases).
+More information on PCRE2 is available at &url(https://www.pcre.org/).
.section "DBM libraries" "SECTdb"
.cindex "DBM libraries" "discussion of"
+.section "Running the daemon" SECTdaemonLaunch
+The most common command line for launching the Exim daemon looks like
+.code
+exim -bd -q5m
+.endd
+This starts a daemon which
+.ilist
+listens for incoming smtp connections, launching handler processes for
+each new one
+.next
+starts a queue-runner process every five minutes, to inspect queued messages
+and run delivery attempts on any that have arrived at their retry time
+.endlist
+Should a queue run take longer than the time between queue-runner starts,
+they will run in parallel.
+Numbers of jobs of the various types are subject to policy controls
+defined in the configuration.
+
+
.section "Upgrading Exim" "SECID36"
.cindex "upgrading Exim"
If you are already running Exim on your host, building and installing a new
See the &%untrusted_set_sender%& option for a way of permitting non-trusted
users to set envelope senders.
-.cindex "&'From:'& header line"
-.cindex "&'Sender:'& header line"
-.cindex "header lines" "From:"
-.cindex "header lines" "Sender:"
+.chindex From:
+.chindex Sender:
For a trusted user, there is never any check on the contents of the &'From:'&
header line, and a &'Sender:'& line is never added. Furthermore, any existing
&'Sender:'& line in incoming local (non-TCP/IP) messages is not removed.
.cindex "Solaris" "&'mail'& command"
.cindex "dot" "in incoming non-SMTP message"
This option, which has the same effect as &%-oi%&, specifies that a dot on a
-line by itself should not terminate an incoming, non-SMTP message. I can find
-no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'&
-command in Solaris 2.4 uses it. See also &%-ti%&.
+line by itself should not terminate an incoming, non-SMTP message.
+Solaris 2.4 (SunOS 5.4) Sendmail has a similar &%-i%& processing option
+&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf),
+p. 1M-529), and therefore a &%-oi%& command line option, which both are used
+by its &'mailx'& command.
.vitem &%-L%&&~<&'tag'&>
.oindex "&%-L%&"
active (in the middle of a delivery attempt), it is not altered. This option
can be used only by an admin user.
-.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&~<&'sequence&~number'&>&&&
+.vitem "&%-MC%&&~<&'transport'&>&~<&'hostname'&>&&&
+ &~<&'host&~IP'&>&&&
+ &~<&'sequence&~number'&>&&&
&~<&'message&~id'&>"
.oindex "&%-MC%&"
.cindex "SMTP" "passed connection"
by Exim in conjunction with the &%-MC%& option. It signifies that a
remote host supports the ESMTP &_CHUNKING_& extension.
+.vitem &%-MCL%&
+.oindex "&%-MCL%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that the server to
+which Exim is connected advertised limits on numbers of mails, recipients or
+recipient domains.
+The limits are given by the following three arguments.
+
.vitem &%-MCP%&
.oindex "&%-MCP%&"
This option is not intended for use by external callers. It is used internally
by Exim in conjunction with the &%-MC%& option. It signifies that the server to
which Exim is connected supports pipelining.
+.vitem &%-MCp%&
+.oindex "&%-MCp%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that the connection
+t a remote server is via a SOCKS proxy, using addresses and ports given by
+the following four arguments.
+
.vitem &%-MCQ%&&~<&'process&~id'&>&~<&'pipe&~fd'&>
.oindex "&%-MCQ%&"
This option is not intended for use by external callers. It is used internally
signals the final completion of the sequence of processes that are passing
messages through the same SMTP connection.
-.new
.vitem &%-MCq%&&~<&'recipient&~address'&>&~<&'size'&>
.oindex "&%-MCq%&"
This option is not intended for use by external callers. It is used internally
by Exim to implement quota checking for local users.
-.wen
.vitem &%-MCS%&
.oindex "&%-MCS%&"
by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
host to which Exim is connected supports TLS encryption.
+.vitem &%-MCr%&&~<&'SNI'&> &&&
+ &%-MCs%&&~<&'SNI'&>
+.oindex "&%-MCs%&"
+.oindex "&%-MCr%&"
+These options are not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MCt%& option, and passes on the fact that
+a TLS Server Name Indication was sent as part of the channel establishment.
+The argument gives the SNI string.
+The "r" variant indicates a DANE-verified connection.
+
.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&>
.oindex "&%-MCt%&"
This option is not intended for use by external callers. It is used internally
.vitem &%-m%&
.oindex "&%-m%&"
-This is apparently a synonym for &%-om%& that is accepted by Sendmail, so Exim
-treats it that way too.
+This is a synonym for &%-om%& that is accepted by Sendmail
+(&url(https://docs.oracle.com/cd/E19457-01/801-6680-1M/801-6680-1M.pdf)
+p. 1M-258), so Exim treats it that way too.
.vitem &%-N%&
.oindex "&%-N%&"
in chapter &<<CHAPinterfaces>>&. When &%-oX%& is used to start a daemon, no pid
file is written unless &%-oP%& is also present to specify a pid filename.
+.vitem &%-oY%&
+.oindex &%-oY%&
+.cindex "daemon notifier socket"
+This option controls the creation of an inter-process communications endpoint
+by the Exim daemon.
+It is only relevant when the &%-bd%& (start listening daemon) option is also
+given.
+Normally the daemon creates this socket, unless a &%-oX%& and &*no*& &%-oP%&
+option is also present.
+If this option is given then the socket will not be created. This could be
+required if the system is running multiple daemons.
+
+The socket is currently used for
+.ilist
+fast ramp-up of queue runner processes
+.next
+obtaining a current queue size
+.endlist
+
.vitem &%-pd%&
.oindex "&%-pd%&"
.cindex "Perl" "starting the interpreter"
.vitem &%-t%&
.oindex "&%-t%&"
.cindex "recipient" "extracting from header lines"
-.cindex "&'Bcc:'& header line"
-.cindex "&'Cc:'& header line"
-.cindex "&'To:'& header line"
+.chindex Bcc:
+.chindex Cc:
+.chindex To:
When Exim is receiving a locally-generated, non-SMTP message on its standard
input, the &%-t%& option causes the recipients of the message to be obtained
from the &'To:'&, &'Cc:'&, and &'Bcc:'& header lines in the message instead of
contains two IP addresses, the IPv4 address 127.0.0.1 and the IPv6 address ::1.
&*Note*&: Although leading and trailing white space is ignored in individual
-list items, it is not ignored when parsing the list. The space after the first
-colon in the example above is necessary. If it were not there, the list would
+list items, it is not ignored when parsing the list. The spaces around the first
+colon in the example above are necessary. If they were not there, the list would
be interpreted as the two items 127.0.0.1:: and 1.
.section "Changing list separators" "SECTlistsepchange"
imposes a security risk (e.g. PATH). There are two lists:
&%keep_environment%& for the variables to import as they are, and
&%add_environment%& for variables we want to set to a fixed value.
-Note that TZ is handled separately, by the $%timezone%$ runtime
+Note that TZ is handled separately, by the &%timezone%& runtime
option and by the TIMEZONE_DEFAULT buildtime option.
.code
# keep_environment = ^LDAP
# request with your smarthost provider to get things fixed:
hosts_require_tls = *
tls_verify_hosts = *
- # As long as tls_verify_hosts is enabled, this won't matter, but if you
- # have to comment it out then this will at least log whether you succeed
- # or not:
+ # As long as tls_verify_hosts is enabled, this this will have no effect,
+ # but if you have to comment it out then this will at least log whether
+ # you succeed or not:
tls_try_verify_hosts = *
#
# The SNI name should match the name which we'll expect to verify;
.chapter "Regular expressions" "CHAPregexp"
.cindex "regular expressions" "library"
-.cindex "PCRE"
+.cindex "PCRE2"
Exim supports the use of regular expressions in many of its options. It
-uses the PCRE regular expression library; this provides regular expression
+uses the PCRE2 regular expression library; this provides regular expression
matching that is compatible with Perl 5. The syntax and semantics of
regular expressions is discussed in
online Perl manpages, in
. --- to the old URL for now. 2018-09-07.
The documentation for the syntax and semantics of the regular expressions that
-are supported by PCRE is included in the PCRE distribution, and no further
-description is included here. The PCRE functions are called from Exim using
-the default option settings (that is, with no PCRE options set), except that
-the PCRE_CASELESS option is set when the matching is required to be
+are supported by PCRE2 is included in the PCRE2 distribution, and no further
+description is included here. The PCRE2 functions are called from Exim using
+the default option settings (that is, with no PCRE2 options set), except that
+the PCRE2_CASELESS option is set when the matching is required to be
case-insensitive.
In most cases, when a regular expression is required in an Exim configuration,
first &%domains%& setting above generates the second setting, which therefore
causes a second lookup to occur.
-.new
The lookup type may optionally be followed by a comma
and a comma-separated list of options.
Each option is a &"name=value"& pair.
-Whether an option is meaningful depands on the lookup type.
+Whether an option is meaningful depends on the lookup type.
All lookups support the option &"cache=no_rd"&.
If this is given then the cache that Exim manages for lookup results
-is not checked before diong the lookup.
+is not checked before doing the lookup.
The result of the lookup is still written to the cache.
-.wen
The rest of this chapter describes the different lookup types that are
available. Any of them can be used in any part of the configuration where a
&*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the
IPv4, in dotted-quad form. (Exim converts IPv4-mapped IPv6 addresses to this
notation before executing the lookup.)
+
+One option is supported, "ret=full", to request the return of the entire line
+rather than omitting the key porttion.
+Note however that the key portion will have been de-quoted.
+
.next
.cindex lookup json
.cindex json "lookup type"
For elements of type string, the returned value is de-quoted.
-.new
.next
.cindex LMDB
.cindex lookup lmdb
You will need to separately create the LMDB database file,
possibly using the &"mdb_load"& utility.
-.wen
.next
of independent, short-lived processes, this caching applies only within a
single Exim process. There is no inter-process lookup caching facility.
+If an option &"cache=no_rd"& is used on the lookup then
+the cache is only written to, cached data is not used for the operation
+and a real lookup is done.
+
For single-key lookups, Exim keeps the relevant files open in case there is
another lookup that needs them. In some types of configuration this can lead to
many files being kept open for messages with many recipients. To avoid hitting
addition to the SQL query. An SQLite database is a single file, and there is no
daemon as in the other SQL databases.
-.new
.oindex &%sqlite_dbfile%&
There are two ways of
specifying the file.
lookup type word. The option is the word &"file"&, then an equals,
then the filename.
The filename in this case cannot contain whitespace or open-brace charachters.
-.wen
A deprecated method is available, prefixing the query with the filename
separated by white space.
will store a result in the &$local_part_data$& variable.
.vitem domains
A &%domains%& router option or &%domains%& ACL condition
+will store a result in the &$domain_data$& variable.
.vitem senders
A &%senders%& router option or &%senders%& ACL condition
will store a result in the &$sender_data$& variable.
.cindex "tainted data" "de-tainting"
The value will be untainted.
+&*Note*&: If the data result of the lookup (as opposed to the key)
+is empty, then this empty value is stored in &$domain_data$&.
+The option to return the key for the lookup, as the value,
+may be what is wanted.
+
.next
Any of the single-key lookup type names may be preceded by
of either kind (single-key or query-style) it may be
followed by a comma and options,
The options are lookup-type specific and consist of a comma-separated list.
-Each item starts with a tag and and equals "=".
+Each item starts with a tag and and equals "=" sign.
.next
.cindex "domain list" "matching literal domain name"
.cindex "tainted data" "de-tainting"
Note that this is commonly untainted
(depending on the way the list was created).
+Specifically, explicit text in the configuration file in not tainted.
This is a useful way of obtaining an untainted equivalent to
the domain, for later operations.
+
+However if the list (including one-element lists)
+is created by expanding a variable containing tainted data,
+it is tainted and so will the match value be.
.endlist
.endd
.next
.cindex "CIDR notation"
-If the pattern is an IP address followed by a slash and a mask length (for
-example 10.11.42.0/24), it is matched against the IP address of the subject
-host under the given mask. This allows, an entire network of hosts to be
+If the pattern is an IP address followed by a slash and a mask length, for
+example
+.code
+10.11.42.0/24
+.endd
+, it is matched against the IP address of the subject
+host under the given mask. This allows an entire network of hosts to be
included (or excluded) by a single item. The mask uses CIDR notation; it
specifies the number of address bits that must match, starting from the most
significant end of the address.
.section "Local part lists" "SECTlocparlis"
.cindex "list" "local part list"
.cindex "local part" "list"
+These behave in the same way as domain and host lists, with the following
+changes:
+
Case-sensitivity in local part lists is handled in the same way as for address
lists, as just described. The &"+caseful"& item can be used if required. In a
setting of the &%local_parts%& option in a router with &%caseful_local_part%&
.cindex "tainted data" definition
.cindex expansion "tainted data"
and expansion of data deriving from the sender (&"tainted data"&)
-is not permitted.
+is not permitted (including acessing a file using a tainted name).
+The main config option &%allow_insecure_tainted_data%& can be used as
+mitigation during uprades to more secure configurations.
-.new
Common ways of obtaining untainted equivalents of variables with
tainted values
.cindex "tainted data" "de-tainting"
or the password file,
or accessed via a DBMS.
Specific methods are indexed under &"de-tainting"&.
-.wen
.vitem "&*${authresults{*&<&'authserv-id'&>&*}}*&"
.cindex authentication "results header"
-.cindex headers "authentication-results:"
+.chindex Authentication-Results:
.cindex authentication "expansion item"
This item returns a string suitable for insertion as an
&'Authentication-Results:'&
Header lines that are added in a RCPT ACL (for example)
are saved until the message's incoming header lines are available, at which
point they are added.
-When any of the above ACLs ar
+When any of the above ACLs are
running, however, header lines added by earlier ACLs are visible.
Upper case and lower case letters are synonymous in header names. If the
those headers that contain lists of addresses, a comma is also inserted at the
junctions between headers. This does not happen for the &%rheader%& expansion.
-.cindex "tainted data"
+.cindex "tainted data" "message headers"
When the headers are from an incoming message,
the result of expanding any of these variables is tainted.
You can use &`fail`& instead of {<&'string3'&>} as in a string extract.
-.new
.vitem &*${listquote{*&<&'separator'&>&*}{*&<&'string'&>&*}}*&
.cindex quoting "for list"
.cindex list quoting
An empty string is replaced with a single space.
This converts the string into a safe form for use as a list element,
in a list using the given separator.
-.wen
.vitem "&*${lookup&~{*&<&'key'&>&*}&~*&<&'search&~type'&>&*&~&&&
name of the subroutine, is nine.
The return value of the subroutine is inserted into the expanded string, unless
-the return value is &%undef%&. In that case, the expansion fails in the same
-way as an explicit &"fail"& on a lookup item. The return value is a scalar.
-Whatever you return is evaluated in a scalar context. For example, if you
-return the name of a Perl vector, the return value is the size of the vector,
+the return value is &%undef%&. In that case, the entire expansion is
+forced to fail, in the same way as an explicit &"fail"& on a lookup item
+does (see section &<<SECTforexpfai>>&). Whatever you return is evaluated
+in a scalar context, thus the return value is a scalar. For example, if you
+return a Perl vector, the return value is the size of the vector,
not its contents.
If the subroutine exits by calling Perl's &%die%& function, the expansion fails
.cindex "expansion" "inserting an entire file"
.cindex "file" "inserting into expansion"
.cindex "&%readfile%& expansion item"
-The filename and end-of-line string are first expanded separately. The file is
+The filename and end-of-line (eol) string are first expanded separately. The file is
then read, and its contents replace the entire item. All newline characters in
the file are replaced by the end-of-line string if it is present. Otherwise,
newlines are left in the string.
Only a single host name may be given, but if looking it up yields more than
one IP address, they are each tried in turn until a connection is made. For
both kinds of socket, Exim makes a connection, writes the request string
-unless it is an empty string; and no terminating NUL is ever sent)
+(unless it is an empty string; no terminating NUL is ever sent)
and reads from the socket until an end-of-file
is read. A timeout of 5 seconds is applied. Additional, optional arguments
extend what can be done. Firstly, you can vary the timeout. For example:
-.new
.vitem &*${srs_encode&~{*&<&'secret'&>&*}{*&<&'return&~path'&>&*}{*&<&'original&~domain'&>&*}}*&
SRS encoding. See SECT &<<SECTSRS>>& for details.
-.wen
.vitem &*${escape8bit:*&<&'string'&>&*}*&
.cindex "expansion" "escaping 8-bit characters"
.cindex "&%escape8bit%& expansion item"
-If the string contains and characters with the most significant bit set,
+If the string contains any characters with the most significant bit set,
they are converted to escape sequences starting with a backslash.
Backslashes and DEL characters are also converted.
and selects address-, domain-, host- or localpart- lists to search among respectively.
Otherwise all types are searched in an undefined order and the first
matching list is returned.
+&*Note*&: Neither string-expansion of lists referenced by named-list syntax elements,
+nor expansion of lookup elements, is done by the &%listnamed%& operator.
.vitem &*${local_part:*&<&'string'&>&*}*&
The parsing correctly handles SMTPUTF8 Unicode in the string.
-.vitem &*${mask:*&<&'IP&~address'&>&*/*&<&'bit&~count'&>&*}*&
+.vitem &*${mask:*&<&'IP&~address'&>&*/*&<&'bit&~count'&>&*}*& &&&
+ &*${mask_n:*&<&'IP&~address'&>&*/*&<&'bit&~count'&>&*}*&
.cindex "masked IP address"
.cindex "IP address" "masking"
.cindex "CIDR notation"
.code
${mask:10.111.131.206/28}
.endd
-returns the string &"10.111.131.192/28"&. Since this operation is expected to
-be mostly used for looking up masked addresses in files, the result for an IPv6
+returns the string &"10.111.131.192/28"&.
+
+Since this operation is expected to
+be mostly used for looking up masked addresses in files, the
+.new
+normal
+.wen
+result for an IPv6
address uses dots to separate components instead of colons, because colon
terminates a key string in lsearch files. So, for example,
.code
.code
3ffe.ffff.836f.0a00.000a.0800.2000.0000/99
.endd
+.new
+If the optional form &*mask_n*& is used, IPv6 address result are instead
+returned in normailsed form, using colons and with zero-compression.
+.wen
Letters in IPv6 addresses are always output in lower case.
.cindex "expansion" "string length"
.cindex "string" "length in expansion"
.cindex "&%strlen%& expansion item"
-The item is replace by the length of the expanded string, expressed as a
+The item is replaced by the length of the expanded string, expressed as a
decimal number. &*Note*&: Do not confuse &%strlen%& with &%length%&.
All measurement is done in bytes and is not UTF-8 aware.
is done by calling the &[stat()]& function. The use of the &%exists%& test in
users' filter files may be locked out by the system administrator.
+&*Note:*& Testing a path using this condition is not a sufficient way of
+de-tainting it.
+Consider using a dsearch lookup.
+
.vitem &*first_delivery*&
.cindex "delivery" "first"
.cindex "first delivery"
Case and collation order are defined per the system C locale.
-.new
.vitem &*inbound_srs&~{*&<&'local&~part'&>&*}{*&<&'secret'&>&*}*&
SRS decode. See SECT &<<SECTSRS>>& for details.
-.wen
.vitem &*inlist&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
.vitem &$acl_verify_message$&
.vindex "&$acl_verify_message$&"
After an address verification has failed, this variable contains the failure
-message. It retains its value for use in subsequent modifiers. The message can
-be preserved by coding like this:
+message. It retains its value for use in subsequent modifiers of the verb.
+The message can be preserved by coding like this:
.code
warn !verify = sender
set acl_m0 = $acl_verify_message
You can use &$acl_verify_message$& during the expansion of the &%message%& or
&%log_message%& modifiers, to include information about the verification
failure.
+&*Note*&: The variable is cleared at the end of processing the ACL verb.
.vitem &$address_data$&
.vindex "&$address_data$&"
When, as a result of aliasing or forwarding, a message is directed to a pipe,
this variable holds the pipe command when the transport is running.
-.vitem "&$auth1$& &-- &$auth3$&"
+.vitem "&$auth1$& &-- &$auth4$&"
.vindex "&$auth1$&, &$auth2$&, etc"
These variables are used in SMTP authenticators (see chapters
&<<CHAPplaintext>>&&--&<<CHAPtlsauth>>&). Elsewhere, they are empty.
.cindex "tainted data"
If the origin of the data is an incoming message,
-the result of expanding this variable is tainted.
+the result of expanding this variable is tainted and may not
+be further expanded or used as a filename.
When an untainted version is needed, one should be obtained from
looking up the value in a local (therefore trusted) database.
Often &$domain_data$& is usable in this role.
.vitem &$domain_data$&
.vindex "&$domain_data$&"
-When the &%domains%& option on a router matches a domain by
-means of a lookup, the data read by the lookup is available during the running
-of the router as &$domain_data$&. In addition, if the driver routes the
+When the &%domains%& condition on a router
+or an ACL
+matches a domain
+against a list, the match value is copied to &$domain_data$&.
+This is an enhancement over previous versions of Exim, when it only
+applied to the data read by a lookup.
+For details on match values see section &<<SECTlistresults>>& et. al.
+
+If the router routes the
address to a transport, the value is available in that transport. If the
transport is handling multiple addresses, the value from the first address is
used.
-&$domain_data$& is also set when the &%domains%& condition in an ACL matches a
-domain by means of a lookup. The data read by the lookup is available during
-the rest of the ACL statement. In all other situations, this variable expands
-to nothing.
+&$domain_data$& set in an ACL is available during
+the rest of the ACL statement.
.vitem &$exim_gid$&
.vindex "&$exim_gid$&"
of the temporary file which is about to be renamed. It can be used to construct
a unique name for the file.
-.vitem &$interface_address$&
+.vitem &$interface_address$& &&&
+ &$interface_port$&
.vindex "&$interface_address$&"
-This is an obsolete name for &$received_ip_address$&.
-
-.vitem &$interface_port$&
.vindex "&$interface_port$&"
-This is an obsolete name for &$received_port$&.
+These are obsolete names for &$received_ip_address$& and &$received_port$&.
.vitem &$item$&
.vindex "&$item$&"
.cindex "tainted data"
If the origin of the data is an incoming message,
-the result of expanding this variable is tainted.
+the result of expanding this variable is tainted and
+may not be further expanded or used as a filename.
&*Warning*&: the content of this variable is usually provided by a potential
attacker.
.vitem &$local_part_data$&
.vindex "&$local_part_data$&"
-When the &%local_parts%& option on a router matches a local part by means of a
-lookup, the data read by the lookup is available during the running of the
-router as &$local_part_data$&. In addition, if the driver routes the address
-to a transport, the value is available in that transport. If the transport is
-handling multiple addresses, the value from the first address is used.
+When the &%local_parts%& condition on a router or ACL
+matches a local part list
+the match value is copied to &$local_part_data$&.
+This is an enhancement over previous versions of Exim, when it only
+applied to the data read by a lookup.
+For details on match values see section &<<SECTlistresults>>& et. al.
The &%check_local_user%& router option also sets this variable.
-&$local_part_data$& is also set when the &%local_parts%& condition in an ACL
-matches a local part by means of a lookup. The data read by the lookup is
-available during the rest of the ACL statement. In all other situations, this
-variable expands to nothing.
-
.vindex &$local_part_prefix$& &&&
&$local_part_prefix_v$& &&&
&$local_part_suffix$& &&&
This variable contains the number of bytes in the longest line that was
received as part of the message, not counting the line termination
character(s).
-It is not valid if the &%spool_files_wireformat%& option is used.
+It is not valid if the &%spool_wireformat%& option is used.
.vitem &$message_age$&
.cindex "message" "age of"
also &$message_size$&, &$body_linecount$&, and &$body_zerocount$&.
If the spool file is wireformat
-(see the &%spool_files_wireformat%& main option)
+(see the &%spool_wireformat%& main option)
the CRLF line-terminators are included in the count.
.vitem &$message_exim_id$&
In the MAIL and RCPT ACLs, the value is zero because at that stage the
message has not yet been received.
-This variable is not valid if the &%spool_files_wireformat%& option is used.
+This variable is not valid if the &%spool_wireformat%& option is used.
.vitem &$message_size$&
.cindex "size" "of message"
contains the size supplied on the MAIL command, or -1 if no size was given. The
value may not, of course, be truthful.
-.vitem &$mime_$&&'xxx'&
+.vitem &$mime_anomaly_level$& &&&
+ &$mime_anomaly_text$& &&&
+ &$mime_boundary$& &&&
+ &$mime_charset$& &&&
+ &$mime_content_description$& &&&
+ &$mime_content_disposition$& &&&
+ &$mime_content_id$& &&&
+ &$mime_content_size$& &&&
+ &$mime_content_transfer_encoding$& &&&
+ &$mime_content_type$& &&&
+ &$mime_decoded_filename$& &&&
+ &$mime_filename$& &&&
+ &$mime_is_coverletter$& &&&
+ &$mime_is_multipart$& &&&
+ &$mime_is_rfc822$& &&&
+ &$mime_part_count$&
A number of variables whose names start with &$mime$& are
available when Exim is compiled with the content-scanning extension. For
details, see section &<<SECTscanmimepart>>&.
This variable is set to &"yes"& if PRDR was requested by the client for the
current message, otherwise &"no"&.
-.vitem &$prvscheck_address$&
-This variable is used in conjunction with the &%prvscheck%& expansion item,
-which is described in sections &<<SECTexpansionitems>>& and
-&<<SECTverifyPRVS>>&.
-
-.vitem &$prvscheck_keynum$&
-This variable is used in conjunction with the &%prvscheck%& expansion item,
-which is described in sections &<<SECTexpansionitems>>& and
-&<<SECTverifyPRVS>>&.
-
-.vitem &$prvscheck_result$&
-This variable is used in conjunction with the &%prvscheck%& expansion item,
+.vitem &$prvscheck_address$& &&&
+ &$prvscheck_keynum$& &&&
+ &$prvscheck_result$&
+These variables are used in conjunction with the &%prvscheck%& expansion item,
which is described in sections &<<SECTexpansionitems>>& and
&<<SECTverifyPRVS>>&.
.cindex "spool" "number of messages"
This variable contains the number of messages queued.
It is evaluated on demand, but no more often than once every minute.
+If there is no daemon notifier socket open, the value will be
+an empty string.
.vitem &$r_...$&
.vindex &$r_...$&
built. The value is copied after recipient rewriting has happened, but before
the &[local_scan()]& function is run.
-.vitem &$received_ip_address$&
+.vitem &$received_ip_address$& &&&
+ &$received_port$&
.vindex "&$received_ip_address$&"
-As soon as an Exim server starts processing an incoming TCP/IP connection, this
-variable is set to the address of the local IP interface, and &$received_port$&
-is set to the local port number. (The remote IP address and port are in
+.vindex "&$received_port$&"
+As soon as an Exim server starts processing an incoming TCP/IP connection, these
+variables are set to the address and port on the local IP interface.
+(The remote IP address and port are in
&$sender_host_address$& and &$sender_host_port$&.) When testing with &%-bh%&,
the port value is -1 unless it has been set using the &%-oMi%& command line
option.
time.
For outbound connections see &$sending_ip_address$&.
-.vitem &$received_port$&
-.vindex "&$received_port$&"
-See &$received_ip_address$&.
-
.vitem &$received_protocol$&
.vindex "&$received_protocol$&"
When a message is being processed, this variable contains the name of the
example, a system filter could set a value indicating how likely it is that a
message is junk mail.
-.vitem &$spam_$&&'xxx'&
+.vitem &$spam_score$& &&&
+ &$spam_score_int$& &&&
+ &$spam_bar$& &&&
+ &$spam_report$& &&&
+ &$spam_action$&
A number of variables whose names start with &$spam$& are available when Exim
is compiled with the content-scanning extension. For details, see section
&<<SECTscanspamass>>&.
which is not the leaf.
-.new
.vitem &$tls_in_resumption$& &&&
&$tls_out_resumption$&
.vindex &$tls_in_resumption$&
.vindex &$tls_out_resumption$&
.cindex TLS resumption
Observability for TLS session resumption. See &<<SECTresumption>>& for details.
-.wen
.vitem &$tls_in_sni$&
option to a true value. To avoid breaking existing installations, it
defaults to false.
+&*Note*&: This is entirely separate from Exim's tainted-data tracking.
+
.section "Calling Perl subroutines" "SECID86"
When the configuration file includes a &%perl_startup%& option you can make use
.section "Miscellaneous" "SECID96"
.table2
+.row &%add_environment%& "environment variables"
+.row &%allow_insecure_tainted_data%& "turn taint errors into warnings"
.row &%bi_command%& "to run for &%-bi%& command line option"
.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
+.row &%keep_environment%& "environment variables"
.row &%keep_malformed%& "for broken files &-- should not happen"
.row &%localhost_number%& "for unique message ids in clusters"
.row &%message_body_newlines%& "retain newlines in &$message_body$&"
.row &%notifier_socket%& "override compiled-in value"
.row &%pid_file_path%& "override compiled-in value"
.row &%queue_run_max%& "maximum simultaneous queue runners"
+.row &%smtp_backlog_monitor%& "level to log listen backlog"
.endtable
.row &%local_scan_timeout%& "timeout for &[local_scan()]&"
.row &%message_size_limit%& "for all messages"
.row &%percent_hack_domains%& "recognize %-hack for these domains"
+.row &%proxy_protocol_timeout%& "timeout for proxy protocol negotiation"
.row &%spamd_address%& "set interface to SpamAssassin"
.row &%strict_acl_vars%& "object to unset ACL variables"
.row &%spf_smtp_comment_template%& "template for &$spf_smtp_comment$&"
.table2
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
.row &%gnutls_allow_auto_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
+.row &%hosts_require_alpn%& "mandatory ALPN"
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
+.row &%tls_alpn%& "acceptable protocol names"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
.row &%tls_dh_max_bits%& "clamp D-H bit count suggestion"
configuration). This &"magic string"& matches the domain literal form of all
the local host's IP addresses.
+.option allow_insecure_tainted_data main boolean false
+.cindex "de-tainting"
+.oindex "allow_insecure_tainted_data"
+The handling of tainted data may break older (pre 4.94) configurations.
+Setting this option to "true" turns taint errors (which result in a temporary
+message rejection) into warnings. This option is meant as mitigation only
+and deprecated already today. Future releases of Exim may ignore it.
+The &%taint%& log selector can be used to suppress even the warnings.
+
+
.option allow_mx_to_ip main boolean false
.cindex "MX record" "pointing to IP address"
If the &%smtp_connection%& log selector is not set, this option has no effect.
+.option hosts_require_alpn main "host list&!!" unset
+.cindex ALPN "require negotiation in server"
+.cindex TLS ALPN
+.cindex TLS "Application Layer Protocol Names"
+If the TLS library supports ALPN
+then a successful negotiation of ALPN will be required for any client
+matching the list, for TLS to be used.
+See also the &%tls_alpn%& option.
+
+&*Note*&: prevention of fallback to in-clear connection is not
+managed by this option, and should be done separately.
+
.option hosts_proxy main "host list&!!" unset
.cindex proxy "proxy protocol"
The option is expanded before use.
If the platform supports Linux-style abstract socket names, the result
is used with a nul byte prefixed.
-Otherwise, it should be a full path name and use a directory accessible
+Otherwise,
+it should be a full path name and use a directory accessible
to Exim.
-If the Exim command line uses a &%-oX%& option and does not use &%-oP%&
+If this option is set as empty,
+or the command line &%-oY%& option is used, or
+the command line uses a &%-oX%& option and does not use &%-oP%&,
then a notifier socket is not created.
.option pipelining_connect_advertise_hosts main "host list&!!" *
.cindex "pipelining" "early connection"
.cindex "pipelining" PIPE_CONNECT
-.cindex "ESMTP extensions" X_PIPE_CONNECT
+.cindex "ESMTP extensions" PIPE_CONNECT
If Exim is built with the SUPPORT_PIPE_CONNECT build option
this option controls which hosts the facility is advertised to
and from which pipeline early-connection (before MAIL) SMTP
See also the &%hosts_pipe_connect%& smtp transport option.
-Currently the option name &"X_PIPE_CONNECT"& is used.
+The SMTP service extension keyword advertised is &"PIPE_CONNECT"&.
.option prdr_enable main boolean false
&%queue_list_requires_admin%& and &%commandline_checks_require_admin%&.
+.option proxy_protocol_timeout main time 3s
+.cindex proxy "proxy protocol"
+This option sets the timeout for proxy protocol negotiation.
+For details see section &<<SECTproxyInbound>>&.
+
+
.option qualify_domain main string "see below"
.cindex "domain" "for qualifying addresses"
.cindex "address" "qualification"
next queue run. See also &%hold_domains%& and &%queue_smtp_domains%&.
-.new
.option queue_fast_ramp main boolean false
.cindex "queue runner" "two phase"
.cindex "queue" "double scanning"
command line, may start parallel delivery processes during their first
phase. This will be done when a threshold number of messages have been
routed for a single host.
-.wen
.option queue_list_requires_admin main boolean true
option was not set.
-.option recipients_max main integer 0
+.option recipients_max main integer 50000
.cindex "limit" "number of recipients"
.cindex "recipient" "maximum number"
If this option is set greater than zero, it specifies the maximum number of
deliveries if the configuration allows a delivery attempt as soon as a message
is received.
+See also the &%max_parallel%& generic transport option,
+and the &%serialize_hosts%& smtp transport option.
+
.cindex "number of deliveries"
.cindex "delivery" "maximum number of"
If you want to control the total number of deliveries on the system, you
. searchable. NM changed this occurrence for bug 1197 to no longer allow
. the option name to split.
-.option "smtp_accept_max_per_connection" main integer 1000 &&&
+.option "smtp_accept_max_per_connection" main integer&!! 1000 &&&
smtp_accept_max_per_connection
.cindex "SMTP" "limiting incoming message count"
.cindex "limit" "messages per SMTP connection"
response is given to subsequent MAIL commands. This limit is a safety
precaution against a client that goes mad (incidents of this type have been
seen).
+The option is expanded after the HELO or EHLO is received
+and may depend on values available at that time.
+An empty or zero value after expansion removes the limit.
.option smtp_accept_max_per_host main string&!! unset
verification if there is no remote transport from which to obtain a
&%helo_data%& value.
+.option smtp_backlog_monitor main integer 0
+.cindex "connection backlog" monitoring
+If this option is set to greater than zero, and the backlog of available
+TCP connections on a socket listening for SMTP is larger than it, a line
+is logged giving the value and the socket address and port.
+The value is retrived jsut before an accept call.
+This facility is only available on Linux.
+
.option smtp_banner main string&!! "see below"
.cindex "SMTP" "welcome banner"
.cindex "banner for SMTP"
.option smtp_connect_backlog main integer 20
-.cindex "connection backlog"
+.cindex "connection backlog" "set maximum"
.cindex "SMTP" "connection backlog"
.cindex "backlog of connections"
This option specifies a maximum number of waiting SMTP connections. Exim passes
is not required the &%tls_advertise_hosts%& option should be set empty.
-.option tls_certificate main string list&!! unset
+.option tls_alpn main "string list&!!" "smtp : esmtp"
+.cindex TLS "Application Layer Protocol Names"
+.cindex TLS ALPN
+.cindex ALPN "set acceptable names for server"
+If this option is set,
+the TLS library supports ALPN,
+and the client offers either more than
+ALPN name or a name which does not match the list,
+the TLS connection is declined.
+
+
+.option tls_certificate main "string list&!!" unset
.cindex "TLS" "server certificate; location of"
.cindex "certificate" "server, location of"
The value of this option is expanded, and must then be a list of absolute paths to
Server Name Indication extension, then this option and others documented in
&<<SECTtlssni>>& will be re-expanded.
-If this option is unset or empty a fresh self-signed certificate will be
-generated for every connection.
+If this option is unset or empty a self-signed certificate will be
+used.
+Under Linux this is generated at daemon startup; on other platforms it will be
+generated fresh for every connection.
.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
-.option tls_privatekey main string list&!! unset
+.option tls_privatekey main "string list&!!" unset
.cindex "TLS" "server private key; location of"
The value of this option is expanded, and must then be a list of absolute paths to
files which contains the server's private keys.
&<<SECTreqciphssl>>& and &<<SECTreqciphgnu>>&.
-.new
.option tls_resumption_hosts main "host list&!!" unset
.cindex TLS resumption
This option controls which connections to offer the TLS resumption feature.
See &<<SECTresumption>>& for details.
-.wen
.option tls_try_verify_hosts main "host list&!!" unset
the value is a file then the certificates are sent by Exim as a server to
connecting clients, defining the list of accepted certificate authorities.
Thus the values defined should be considered public data. To avoid this,
-use the explicit directory version.
+use the explicit directory version. (If your peer is Exim up to 4.85,
+using GnuTLS, you may need to send the CAs (thus using the file
+variant). Otherwise the peer doesn't send its certificate.)
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
provide data for a transport is: &%errors_to%&, &%headers_add%&,
&%headers_remove%&, &%transport%&.
+The name of a router is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
.option address_data routers string&!! unset
local system. The check is done by calling the &[getpwnam()]& function rather
than trying to read &_/etc/passwd_& directly. This means that other methods of
holding password data (such as NIS) are supported. If the local part is a local
-user, &$home$& is set from the password data, and can be tested in other
+user,
+.cindex "tainted data" "de-tainting"
+&$local_part_data$& is set to an untainted version of the local part and
+&$home$& is set from the password data. The latter can be tested in other
preconditions that are evaluated after this one (the order of evaluation is
given in section &<<SECTrouprecon>>&). However, the value of &$home$& can be
overridden by &%router_home_directory%&. If the local part is not a local user,
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set.
+the DNSSEC request bit set.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
.option dnssec_require_domains routers "domain list&!!" unset
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_require_domains%& will be done with
-the dnssec request bit set. Any returns not having the Authenticated Data bit
+the DNSSEC request bit set. Any returns not having the Authenticated Data bit
(AD bit) set will be ignored and logged as a host-lookup failure.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
If this option is set, the router is skipped unless the current domain matches
the list. If the match is achieved by means of a file lookup, the data that the
lookup returned for the domain is placed in &$domain_data$& for use in string
-expansions of the driver's private options. See section &<<SECTrouprecon>>& for
+expansions of the driver's private options and in the transport.
+See section &<<SECTrouprecon>>& for
a list of the order in which preconditions are evaluated.
string is expanded, it is possible to make it depend on the domain, for
example:
.code
-local_parts = dbm;/usr/local/specials/$domain
+local_parts = dbm;/usr/local/specials/$domain_data
.endd
.vindex "&$local_part_data$&"
If the match is achieved by a lookup, the data that the lookup returned
for the local part is placed in the variable &$local_part_data$& for use in
-expansions of the router's private options. You might use this option, for
+expansions of the router's private options or in the transport.
+You might use this option, for
example, if you have a large number of local virtual domains, and you want to
send all postmaster mail to the same place without having to set up an alias in
each virtual domain:
When a router runs, the strings are evaluated in order,
to create variables which are added to the set associated with
the address.
+This is done immediately after all the preconditions, before the
+evaluation of the &%address_data%& option.
The variable is set with the expansion of the value.
The variables can be used by the router options
(not including any preconditions)
the text is included in the error message that Exim generates.
.cindex "SMTP" "error codes"
-By default, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
+By default for verify, Exim sends a 451 SMTP code for a &':defer:'&, and 550 for
&':fail:'&. However, if the message starts with three digits followed by a
space, optionally followed by an extended code of the form &'n.n.n'&, also
followed by a space, and the very first digit is the same as the default error
.scindex IIDgenoptra1 "generic options" "transport"
.scindex IIDgenoptra2 "options" "generic; for transports"
.scindex IIDgenoptra3 "transport" "generic options for"
+The name of a transport is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+
The following generic options apply to all transports:
its removal from incoming messages, so that delivered messages can safely be
resent to other recipients.
+&*Note:*& If used on a transport handling multiple recipients
+(the smtp transport unless &%rcpt_max%& is 1, the appendfile, pipe or lmtp
+transport if &%batch_max%& is greater than 1)
+then information about Bcc recipients will be leaked.
+Doing so is generally not advised.
+
.option event_action transports string&!! unset
.cindex events
.option return_path_add transports boolean false
-.cindex "&'Return-path:'& header line"
+.chindex Return-path:
If this option is true, a &'Return-path:'& header is added to the message.
Although the return path is normally available in the prefix line of BSD
mailboxes, this is commonly not displayed by MUAs, and so the user does not
used to determine the file or directory name for the delivery. Normally, the
contents of &$address_file$& are used in some way in the string expansion.
.endlist
+If the &%create_file%& option is set to a path which
+matches (see the option definition below for details)
+a file or directory name
+for the delivery, that name becomes de-tainted.
+
.cindex "tainted data" "in filenames"
.cindex appendfile "tainted data"
Tainted data may not be used for a file or directory name.
beneath.
The option must be set to one of the words &"anywhere"&, &"inhome"&, or
-&"belowhome"&. In the second and third cases, a home directory must have been
-set for the transport. This option is not useful when an explicit filename is
+&"belowhome"&, or to an absolute path.
+
+In the second and third cases, a home directory must have been
+set for the transport, and the file or directory being created must
+reside within it.
+The "belowhome" checking additionally checks for attempts to use "../"
+to evade the testing.
+This option is not useful when an explicit filename is
given for normal mailbox deliveries. It is intended for the case when filenames
are generated from users' &_.forward_& files. These are usually handled
by an &(appendfile)& transport called &%address_file%&. See also
&%file_must_exist%&.
+In the fourth case,
+the value given for this option must be an absolute path for an
+existing directory.
+The value is used for checking instead of a home directory;
+checking is done in "belowhome" mode.
+
+.cindex "tainted data" "de-tainting"
+If "belowhome" checking is used, the file or directory path
+becomes de-tainted.
+
.option directory appendfile string&!! unset
This option is mutually exclusive with the &%file%& option, but one of &%file%&
(see &%maildir_format%& and &%mailstore_format%&), and see section
&<<SECTopdir>>& for further details of this form of delivery.
+The result of expansion must not be tainted, unless the &%create_file%& option
+specifies a path.
+
.option directory_file appendfile string&!! "see below"
.cindex "base62"
&%use_fcntl_lock%&, &%use_flock_lock%&, or &%use_lockfile%& must be set with
&%file%&.
+The result of expansion must not be tainted, unless the &%create_file%& option
+specifies a path.
+
.cindex "NFS" "lock file"
.cindex "locking files"
.cindex "lock files"
.option command_timeout smtp time 5m
+.cindex timeout "smtp transport command"
This sets a timeout for receiving a response to an SMTP command that has been
sent out. It is also used when waiting for the initial banner line from the
remote host. Its value must not be zero.
.option connect_timeout smtp time 5m
+.cindex timeout "smtp transport connect"
This sets a timeout for the &[connect()]& function, which sets up a TCP/IP call
to a remote host. A setting of zero allows the system timeout (typically
several minutes) to act. To have any effect, the value of this option must be
.option data_timeout smtp time 5m
+.cindex timeout "for transmitted SMTP data blocks"
This sets a timeout for the transmission of each block in the data portion of
the message. As a result, the overall timeout for a message depends on the size
of the message. Its value must not be zero. See also &%final_timeout%&.
.option dkim_canon smtp string&!! unset
DKIM signing option. For details see section &<<SECDKIMSIGN>>&.
-.option dkim_domain smtp string list&!! unset
+.option dkim_domain smtp "string list&!!" unset
DKIM signing option. For details see section &<<SECDKIMSIGN>>&.
.option dkim_hash smtp string&!! sha256
DKIM signing option. For details see section &<<SECDKIMSIGN>>&.
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set. Setting this transport option is only useful if the
+the DNSSEC request bit set. Setting this transport option is only useful if the
transport overrides or sets the host names. See the &%dnssec_request_domains%&
router option.
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
DNS lookups for domains matching &%dnssec_require_domains%& will be done with
-the dnssec request bit set. Setting this transport option is only
+the DNSSEC request bit set. Setting this transport option is only
useful if the transport overrides or sets the host names. See the
&%dnssec_require_domains%& router option.
.option final_timeout smtp time 10m
+.cindex timeout "for transmitted SMTP data accept"
This is the timeout that applies while waiting for the response to the final
line containing just &"."& that terminates a message. Its value must not be
zero.
TLS session for any host that matches this list.
&%tls_verify_certificates%& should also be set for the transport.
+.option hosts_require_alpn smtp "host list&!!" unset
+.cindex ALPN "require negotiation in client"
+.cindex TLS ALPN
+.cindex TLS "Application Layer Protocol Names"
+If the TLS library supports ALPN
+then a successful negotiation of ALPN will be required for any host
+matching the list, for TLS to be used.
+See also the &%tls_alpn%& option.
+
+&*Note*&: prevention of fallback to in-clear connection is not
+managed by this option; see &%hosts_require_tls%&.
+
.option hosts_require_dane smtp "host list&!!" unset
.cindex DANE "transport options"
.cindex DANE "requiring for certain servers"
If built with DANE support, Exim will require that a DNSSEC-validated
TLSA record is present for any host matching the list,
-and that a DANE-verified TLS connection is made. See
-the &%dnssec_request_domains%& router and transport options.
+and that a DANE-verified TLS connection is made.
There will be no fallback to in-clear communication.
+See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
+.option hosts_require_helo smtp "host list&!!" *
+.cindex "HELO/EHLO" requiring
+Exim will require an accepted HELO or EHLO command from a host matching
+this list, before accepting a MAIL command.
+
.option hosts_require_ocsp smtp "host list&!!" unset
.cindex "TLS" "requiring for certain servers"
Exim will request, and check for a valid Certificate Status being given, on a
.cindex "authentication" "optional in client"
This option provides a list of servers to which, provided they announce
authentication support, Exim will attempt to authenticate as a client when it
-connects. If authentication fails, Exim will try to transfer the message
-unauthenticated. See also &%hosts_require_auth%&, and chapter
-&<<CHAPSMTPAUTH>>& for details of authentication.
+connects. If authentication fails
+and &%hosts_require_auth%& permits,
+Exim will try to transfer the message unauthenticated.
+See also chapter &<<CHAPSMTPAUTH>>& for details of authentication.
.option hosts_try_chunking smtp "host list&!!" *
.cindex CHUNKING "enabling, in client"
.option hosts_try_dane smtp "host list&!!" *
.cindex DANE "transport options"
.cindex DANE "attempting for certain servers"
-If built with DANE support, Exim will require that a DNSSEC-validated
-TLSA record is present for any host matching the list,
-and that a DANE-verified TLS connection is made. See
-the &%dnssec_request_domains%& router and transport options.
-There will be no fallback to in-clear communication.
+If built with DANE support, Exim will look up a
+TLSA record for any host matching the list,
+If one is found and that lookup was DNSSEC-validated,
+then Exim requires that a DANE-verified TLS connection is made for that host;
+there will be no fallback to in-clear communication.
+See the &%dnssec_request_domains%& router and transport options.
See section &<<SECDANE>>&.
.option hosts_try_fastopen smtp "host list&!!" *
This option limits the number of RCPT commands that are sent in a single
SMTP message transaction. Each set of addresses is treated independently, and
so can cause parallel connections to the same host if &%remote_max_parallel%&
-permits this.
+permits this. A value setting of zero disables the limit.
-.new
.option message_linelength_limit smtp integer 998
.cindex "line length" limit
This option sets the maximum line length, in bytes, that the transport
It is generally wise to also check in the data ACL so that messages
received via SMTP can be refused without producing a bounce.
-.wen
.option multi_domain smtp boolean&!! true
&$address_data$&, &$domain_data$&, &$local_part_data$&,
&$host$&, &$host_address$& and &$host_port$&.
+If the connection is DANE-enabled then this option is ignored;
+only messages having the domain used for the DANE TLSA lookup are
+sent on the connection.
+
.option port smtp string&!! "see below"
.cindex "port" "sending TCP/IP"
.cindex "TCP/IP" "setting outgoing port"
changes to &"smtps"&, and the transport initiates TLS immediately after
connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade.
The Internet standards bodies used to strongly discourage use of this mode,
-but as of RFC 8314 it is perferred over STARTTLS for message submission
+but as of RFC 8314 it is preferred over STARTTLS for message submission
(as distinct from MTA-MTA communication).
transport. For details see section &<<SECTproxySOCKS>>&.
+.option tls_alpn smtp string&!! unset
+.cindex TLS "Application Layer Protocol Names"
+.cindex TLS ALPN
+.cindex ALPN "set name in client"
+If this option is set
+and the TLS library supports ALPN,
+the value given is used.
+
+As of writing no value has been standardised for email use.
+The authors suggest using &"smtp"&.
+
+
+
.option tls_certificate smtp string&!! unset
.cindex "TLS" "client certificate, location of"
.cindex "certificate" "client, location of"
ciphers is a preference order.
-.new
.option tls_resumption_hosts smtp "host list&!!" unset
.cindex TLS resumption
This option controls which connections to use the TLS resumption feature.
See &<<SECTresumption>>& for details.
-.wen
.cindex "TLS" SNI
.cindex SNI "setting in client"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_out_sni variable and causes any
+If this option is set
+and the connection is not DANE-validated
+then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
transfer of mail between servers that have no managerial connection with each
other.
+The name of an authenticator is limited to be &drivernamemax; ASCII characters long;
+prior to Exim 4.95 names would be silently truncated at this length, but now
+it is enforced.
+
.cindex "AUTH" "description of"
.cindex "ESMTP extensions" AUTH
Very briefly, the way SMTP authentication works is as follows:
.ilist
The client host must match &%auth_advertise_hosts%& (default *).
.next
-It the &%server_advertise_condition%& option is set, its expansion must not
+If the &%server_advertise_condition%& option is set, its expansion must not
yield the empty string, &"0"&, &"no"&, or &"false"&.
.endlist
.endd
gives an incorrect answer because of the unescaped &"@"& and &"$"& characters.
-If you have the &%mimencode%& command installed, another way to do produce
+If you have the &%mimencode%& command installed, another way to produce
base64-encoded strings is to run the command
.code
echo -e -n `\0user\0password' | mimencode
client_send = ^username^mysecret
.endd
The lack of colons means that the entire text is sent with the AUTH
-command, with the circumflex characters converted to NULs. A similar example
+command, with the circumflex characters converted to NULs.
+Note that due to the ambiguity of parsing three consectutive circumflex characters
+there is no way to provide a password having a leading circumflex.
+
+
+A similar example
that uses the LOGIN mechanism is:
.code
fixed_login:
option is passed. When authentication succeeds, the identity of the user
who authenticated is placed in &$auth1$&.
-The Dovecot configuration to match the above wil look
+The Dovecot configuration to match the above will look
something like:
.code
conf.d/10-master.conf :-
The macro _HAVE_AUTH_GSASL_SCRAM_SHA_256 will be defined
when this happens.
+To see the list of mechanisms supported by the library run Exim with "auth" debug
+enabled and look for a line containing "GNU SASL supports".
+Note however that some may not have been tested from Exim.
+
.option client_authz gsasl string&!! unset
This option can be used to supply an &'authorization id'&
This option is exapanded before use, and should result in
the account name to be used.
+
.option client_spassword gsasl string&!! unset
+This option is only supported for library versions 1.9.1 and greater.
+The macro _HAVE_AUTH_GSASL_SCRAM_S_KEY will be defined when this is so.
+
If a SCRAM mechanism is being used and this option is set
+and correctly sized
it is used in preference to &%client_password%&.
The value after expansion should be
a 40 (for SHA-1) or 64 (for SHA-256) character string
with the PBKDF2-prepared password, hex-encoded.
+
Note that this value will depend on the salt and iteration-count
supplied by the server.
+The option is expanded before use.
+During the expansion &$auth1$& is set with the client username,
+&$auth2$& with the iteration count, and
+&$auth3$& with the salt.
+The intent of this option
+is to support clients that can cache thes salted password
+to save on recalculation costs.
+The cache lookup should return an unusable value
+(eg. an empty string)
+if the salt or iteration count has changed
+If the authentication succeeds then the above variables are set,
+.vindex "&$auth4$&"
+plus the calculated salted password value value in &$auth4$&,
+during the expansion of the &%client_set_id%& option.
+A side-effect of this expansion can be used to prime the cache.
-.option server_channelbinding gsasl boolean false
-Do not set this true and rely on the properties
-without consulting a cryptographic engineer.
+.option server_channelbinding gsasl boolean false
Some authentication mechanisms are able to use external context at both ends
of the session to bind the authentication to that context, and fail the
authentication process if that context differs. Specifically, some TLS
this option causes some clients to start failing. Some future release
of Exim might have switched the default to be true.
-However, Channel Binding in TLS has proven to be vulnerable in current versions.
-Do not plan to rely upon this feature for security, ever, without consulting
-with a subject matter expert (a cryptographic engineer).
+. However, Channel Binding in TLS has proven to be vulnerable in current versions.
+. Do not plan to rely upon this feature for security, ever, without consulting
+. with a subject matter expert (a cryptographic engineer).
+
+This option was deprecated in previous releases due to doubts over
+the "Triple Handshake" vulnerability.
+Exim takes suitable precausions (requiring Extended Master Secret if TLS
+Session Resumption was used) for safety.
.option server_hostname gsasl string&!! "see below"
this authentication method on a secure (eg. under TLS) connection.
One possible use, compatible with the
-K-9 Mail Andoid client (&url(https://k9mail.github.io/)),
+K-9 Mail Android client (&url(https://k9mail.github.io/)),
is for using X509 client certificates.
It thus overlaps in function with the TLS authenticator
This should be documented with the feature. If the documentation does not
explicitly state that the feature is infeasible in the other TLS
implementation, then patches are welcome.
+.next
+The output from "exim -bV" will show which (if any) support was included
+in the build.
+Also, the macro "_HAVE_OPENSSL" or "_HAVE_GNUTLS" will be defined.
.endlist
.endd
+.section "Caching of static server configuration items" "SECTserverTLScache"
+.cindex certificate caching
+.cindex privatekey caching
+.cindex crl caching
+.cindex ocsp caching
+.cindex ciphers caching
+.cindex "CA bundle" caching
+.cindex "certificate authorities" caching
+.cindex tls_certificate caching
+.cindex tls_privatekey caching
+.cindex tls_crl caching
+.cindex tls_ocsp_file caching
+.cindex tls_require_ciphers caching
+.cindex tls_verify_certificate caching
+.cindex caching certificate
+.cindex caching privatekey
+.cindex caching crl
+.cindex caching ocsp
+.cindex caching ciphers
+.cindex caching "certificate authorities
+If any of the main configuration options &%tls_certificate%&, &%tls_privatekey%&,
+&%tls_crl%& and &%tls_ocsp_file%& have values with no
+expandable elements,
+then the associated information is loaded at daemon startup.
+It is made available
+to child processes forked for handling received SMTP connections.
+
+This caching is currently only supported under Linux and FreeBSD.
+
+If caching is not possible, for example if an item has to be dependent
+on the peer host so contains a &$sender_host_name$& expansion, the load
+of the associated information is done at the startup of the TLS connection.
+
+The cache is invalidated and reloaded after any changes to the directories
+containing files specified by these options.
+
+The information specified by the main option &%tls_verify_certificates%&
+is similarly cached so long as it specifies files explicitly
+or (under GnuTLS) is the string &"system,cache"&.
+The latter case is not automatically invalidated;
+it is the operator's responsibility to arrange for a daemon restart
+any time the system certificate authority bundle is updated.
+A HUP signal is sufficient for this.
+The value &"system"& results in no caching under GnuTLS.
+
+The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system"
+is acceptable in configurations for the Exim executavble.
+
+Caching of the system Certificate Authorities bundle can
+save siginificant time and processing on every TLS connection
+accepted by Exim.
+
+
.section "Configuring an Exim client to use TLS" "SECTclientTLS"
The &%tls_certificate%& and &%tls_privatekey%& options of the &(smtp)&
transport provide the client with a certificate, which is passed to the server
-if it requests it. If the server is Exim, it will request a certificate only if
+if it requests it.
+This is an optional thing for TLS connections, although either end
+may insist on it.
+If the server is Exim, it will request a certificate only if
&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
&*Note*&: Do not use a certificate which has the OCSP-must-staple extension,
The &%tls_verify_cert_hostnames%& option lists hosts for which additional
name checks are made on the server certificate.
-.new
The match against this list is, as per other Exim usage, the
IP for the host. That is most closely associated with the
name on the DNS A (or AAAA) record for the host.
However, the name that needs to be in the certificate
is the one at the head of any CNAME chain leading to the A record.
-.wen
The option defaults to always checking.
The &(smtp)& transport has two OCSP-related options:
+.section "Caching of static client configuration items" "SECTclientTLScache"
+.cindex certificate caching
+.cindex privatekey caching
+.cindex crl caching
+.cindex ciphers caching
+.cindex "CA bundle" caching
+.cindex "certificate authorities" caching
+.cindex tls_certificate caching
+.cindex tls_privatekey caching
+.cindex tls_crl caching
+.cindex tls_require_ciphers caching
+.cindex tls_verify_certificate caching
+.cindex caching certificate
+.cindex caching privatekey
+.cindex caching crl
+.cindex caching ciphers
+.cindex caching "certificate authorities
+If any of the transport configuration options &%tls_certificate%&, &%tls_privatekey%&
+and &%tls_crl%& have values with no
+expandable elements,
+then the associated information is loaded per smtp transport
+at daemon startup, at the start of a queue run, or on a
+command-line specified message delivery.
+It is made available
+to child processes forked for handling making SMTP connections.
+
+This caching is currently only supported under Linux.
+
+If caching is not possible, the load
+of the associated information is done at the startup of the TLS connection.
+
+The cache is invalidated in the daemon
+and reloaded after any changes to the directories
+containing files specified by these options.
+
+The information specified by the main option &%tls_verify_certificates%&
+is similarly cached so long as it specifies files explicitly
+or (under GnuTLS) is the string &"system,cache"&.
+The latter case is not automatically invaludated;
+it is the operator's responsibility to arrange for a daemon restart
+any time the system certificate authority bundle is updated.
+A HUP signal is sufficient for this.
+The value &"system"& results in no caching under GnuTLS.
+
+The macro _HAVE_TLS_CA_CACHE will be defined if the suffix for "system"
+is acceptable in configurations for the Exim executavble.
+
+Caching of the system Certificate Authorities bundle can
+save siginificant time and processing on every TLS connection
+initiated by Exim.
+
+
+
+
.section "Use of TLS Server Name Indication" "SECTtlssni"
.cindex "TLS" "Server Name Indication"
.cindex "TLS" SNI
only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
+If DANE validated the connection attempt then the value of the &%tls_sni%& option
+is forced to the domain part of the recipient address.
+
Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
0.5.10. (Its presence predates the current API which Exim uses, so if Exim
built, then you have SNI support).
+.cindex TLS ALPN
+.cindex ALPN "general information"
+.cindex TLS "Application Layer Protocol Names"
+There is a TLS feature related to SNI
+called Application Layer Protocol Name (ALPN).
+This is intended to declare, or select, what protocol layer will be using a TLS
+connection.
+The client for the connection proposes a set of protocol names, and
+the server responds with a selected one.
+It is not, as of 2021, commonly used for SMTP connections.
+However, to guard against misirected or malicious use of web clients
+(which often do use ALPN) against MTA ports, Exim by default check that
+there is no incompatible ALPN specified by a client for a TLS connection.
+If there is, the connection is rejected.
+
+As a client Exim does not supply ALPN by default.
+The behaviour of both client and server can be configured using the options
+&%tls_alpn%& and &%hosts_require_alpn%&.
+There are no variables providing observability.
+Some feature-specific logging may appear on denied connections, but this
+depends on the behavious of the peer
+(not all peers can send a feature-specific TLS Alert).
+
+This feature is available when Exim is built with
+OpenSSL 1.1.0 or later or GnuTLS 3.2.0 or later;
+the macro _HAVE_TLS_ALPN will be defined when this is so.
+
.section "Multiple messages on the same encrypted TCP/IP connection" &&&
.section "Certificate chains" "SECID186"
-The file named by &%tls_certificate%& may contain more than one
+A file named by &%tls_certificate%& may contain more than one
certificate. This is useful in the case where the certificate that is being
sent is validated by an intermediate certificate which the other end does
not have. Multiple certificates must be in the correct order in the file.
.ecindex IIDencsmtp2
-.new
.section "TLS Resumption" "SECTresumption"
.cindex TLS resumption
TLS Session Resumption for TLS 1.2 and TLS 1.3 connections can be used (defined
.endlist
.endlist
-.wen
.section DANE "SECDANE"
It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply
fail to pass on a server's STARTTLS.
-DANE scales better than having to maintain (and side-channel communicate) copies of server certificates
+DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates
for every possible target server. It also scales (slightly) better than having to maintain on an SMTP
client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates.
DANE will only be usable if the target host has DNSSEC-secured MX, A and TLSA records.
-A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using dnssec.
+A TLSA lookup will be done if either of the above options match and the host-lookup succeeded using DNSSEC.
If a TLSA lookup is done and succeeds, a DANE-verified TLS connection
will be required for the host. If it does not, the host will not
be used; there is no fallback to non-DANE or non-TLS.
tls_verify_certificates
tls_crl
tls_verify_cert_hostnames
+ tls_sni
.endd
If DANE is not usable, whether requested or not, and CA-anchored
response.
.vindex "&$acl_verify_message$&"
-For ACLs that are called by an &%acl =%& ACL condition, the message is
-stored in &$acl_verify_message$&, from which the calling ACL may use it.
+While the text is being expanded, the &$acl_verify_message$& variable
+contains any message previously set.
+Afterwards, &$acl_verify_message$& is cleared.
If &%message%& is used on a statement that verifies an address, the message
specified overrides any message that is generated by the verification process.
non-SMTP ACLs. It causes the incoming message to be scanned for a match with
any of the regular expressions. For details, see chapter &<<CHAPexiscan>>&.
+.new
+.vitem &*seen&~=&~*&<&'parameters'&>
+.cindex "&%sseen%& ACL condition"
+This condition can be used to test if a situation has been previously met,
+for example for greylisting.
+Details are given in section &<<SECTseen>>&.
+.wen
+
.vitem &*sender_domains&~=&~*&<&'domain&~list'&>
.cindex "&%sender_domains%& ACL condition"
.cindex "sender" "ACL checking"
different values. Some DNS lists may return more than one address record;
see section &<<SECThanmuldnsrec>>& for details of how they are checked.
+Values returned by a properly running DBSBL should be in the 127.0.0.0/8
+range. If a DNSBL operator loses control of the domain, lookups on it
+may start returning other addresses. Because of this, Exim now ignores
+returned values outside the 127/8 region.
+
.section "Variables set from DNS lists" "SECID204"
.cindex "expansion" "variables, set from DNS list"
.endd
which is less clear, and harder to maintain.
+Negation can also be used with a bitwise-and restriction.
+The dnslists condition with only be trus if a result is returned
+by the lookup which, anded with the restriction, is all zeroes.
+For example:
+.code
+deny dnslists = zen.spamhaus.org!&0.255.255.0
+.endd
+
dnslists = <; dnsbl.example.com/<|$acl_m_addrslist
.endd
+
+.new
+.section "Previously seen user and hosts" "SECTseen"
+.cindex "&%sseen%& ACL condition"
+.cindex greylisting
+The &%seen%& ACL condition can be used to test whether a
+situation has been previously met.
+It uses a hints database to record a timestamp against a key.
+host. The syntax of the condition is:
+.display
+&`seen =`& <&'time interval'&> &`/`& <&'options'&>
+.endd
+
+For example,
+.code
+defer seen = -5m / key=${sender_host_address}_$local_part@$domain
+.endd
+in a RCPT ACL will implement simple greylisting.
+
+The parameters for the condition
+are an interval followed, slash-separated, by a list of options.
+The interval is taken as an offset before the current time,
+and used for the test.
+If the interval is preceded by a minus sign then the condition returns
+whether a record is found which is before the test time.
+Otherwise, the condition returns whether one is found which is since the
+test time.
+
+Options are read in order with later ones overriding earlier ones.
+
+The default key is &$sender_host_address$&.
+An explicit key can be set using a &%key=value%& option.
+
+If a &%readonly%& option is given then
+no record create or update is done.
+If a &%write%& option is given then
+a record create or update is always done.
+An update is done if the test is for &"since"&.
+
+Creates and updates are marked with the current time.
+
+Finally, a &"before"& test which succeeds, and for which the record
+is old enough, will be refreshed with a timestamp of the test time.
+This can prevent tidying of the database from removing the entry.
+The interval for this is, by default, 10 days.
+An explicit interval can be set using a
+&%refresh=value%& option.
+
+Note that &"seen"& should be added to the list of hints databases
+for maintenance if this ACL condition is used.
+.wen
+
+
.section "Rate limiting incoming messages" "SECTratelimiting"
.cindex "rate limiting" "client sending"
.cindex "limiting client sending rates"
The &%per_rcpt%& option causes Exim to limit the rate at which recipients are
accepted. It can be used in the &%acl_smtp_rcpt%&, &%acl_smtp_predata%&,
-&%acl_smtp_mime%&, &%acl_smtp_data%&, or &%acl_smtp_rcpt%& ACLs. In
+&%acl_smtp_mime%&, or &%acl_smtp_data%& ACLs. In
&%acl_smtp_rcpt%& the rate is updated one recipient at a time; in the other
ACLs the rate is updated with the total (accepted) recipient count in one go. Note that
in either case the rate limiting engine will see a message with many
immediately after a successful redirection. By default, if a redirection
generates just one address, that address is also verified. See further
discussion in section &<<SECTredirwhilveri>>&.
-.new
.next
If the &%quota%& option is specified for recipient verify,
successful routing to an appendfile transport is followed by a call into
No actual delivery is done, but verification will succeed if the quota
is sufficient for the message (if the sender gave a message size) or
not already exceeded (otherwise).
-.wen
.endlist
.cindex "verifying address" "differentiating failures"
If you are writing your own custom rejection message or log message when
denying access, you can use this variable to include information about the
verification failure.
+This variable is cleared at the end of processing the ACL verb.
In addition, &$sender_verify_failure$& or &$recipient_verify_failure$& (as
appropriate) contains one of the following words:
&%recipient%&: The RCPT command in a callout was rejected.
.next
&%postmaster%&: The postmaster check in a callout was rejected.
-.new
.next
&%quota%&: The quota check for a local recipient did non pass.
.endlist
-.new
.section "Quota caching" "SECTquotacache"
.cindex "hints database" "quota cache"
.cindex "quota" "cache, description of"
.vitem &*no_cache*&
Set both positive and negative lifetimes to zero.
-.wen
.section "Sender address verification reporting" "SECTsenaddver"
.cindex "verifying" "suppressing error details"
.vlist
.vitem &*int&~body_linecount*&
This variable contains the number of lines in the message's body.
-It is not valid if the &%spool_files_wireformat%& option is used.
+It is not valid if the &%spool_wireformat%& option is used.
.vitem &*int&~body_zerocount*&
This variable contains the number of binary zero bytes in the message's body.
-It is not valid if the &%spool_files_wireformat%& option is used.
+It is not valid if the &%spool_wireformat%& option is used.
.vitem &*unsigned&~int&~debug_selector*&
This variable is set to zero when no debugging is taking place. Otherwise, it
.vitem &*header_line&~*header_last*&
A pointer to the last of the header lines.
-.vitem &*uschar&~*headers_charset*&
+.new
+.vitem &*const&~uschar&~*headers_charset*&
The value of the &%headers_charset%& configuration option.
+.wen
.vitem &*BOOL&~host_checking*&
This variable is TRUE during a host checking session that is initiated by the
.section "Per-address filtering" "SECTperaddfil"
-.vindex "&$domain$&"
-.vindex "&$local_part$&"
+.vindex "&$domain_data$&"
+.vindex "&$local_part_data$&"
In contrast to the system filter, which is run just once per message for each
delivery attempt, it is also possible to set up a system-wide filtering
operation that runs once for each recipient address. In this case, variables
-such as &$local_part$& and &$domain$& can be used, and indeed, the choice of
-filter file could be made dependent on them. This is an example of a router
-which implements such a filter:
+such as &$local_part_data$& and &$domain_data$& can be used,
+and indeed, the choice of filter file could be made dependent on them.
+This is an example of a router which implements such a filter:
.code
central_filter:
check_local_user
.section "Resent- header lines" "SECID220"
-.cindex "&%Resent-%& header lines"
-.cindex "header lines" "Resent-"
+.chindex Resent-
RFC 2822 makes provision for sets of header lines starting with the string
&`Resent-`& to be added to a message when it is resent by the original
recipient to somebody else. These headers are &'Resent-Date:'&,
.section "The Date: header line" "SECID223"
-.cindex "&'Date:'& header line"
-.cindex "header lines" "Date:"
+.cindex Date:
If a locally-generated or submission-mode message has no &'Date:'& header line,
Exim adds one, using the current date and time, unless the
&%suppress_local_fixups%& control has been specified.
.section "The Envelope-to: header line" "SECID225"
-.cindex "&'Envelope-to:'& header line"
-.cindex "header lines" "Envelope-to:"
+.chindex Envelope-to:
.oindex "&%envelope_to_remove%&"
&'Envelope-to:'& header lines are not part of the standard RFC 2822 header set.
Exim can be configured to add them to the final delivery of messages. (See the
.section "The From: header line" "SECTthefrohea"
-.cindex "&'From:'& header line"
-.cindex "header lines" "From:"
+.chindex From:
.cindex "Sendmail compatibility" "&""From""& line"
.cindex "message" "submission"
.cindex "submission mode"
.section "The Message-ID: header line" "SECID226"
-.cindex "&'Message-ID:'& header line"
-.cindex "header lines" "Message-ID:"
+.chindex Message-ID:
.cindex "message" "submission"
.oindex "&%message_id_header_text%&"
If a locally-generated or submission-mode incoming message does not contain a
.section "The Received: header line" "SECID227"
-.cindex "&'Received:'& header line"
-.cindex "header lines" "Received:"
+.chindex Received:
A &'Received:'& header line is added at the start of every message. The
contents are defined by the &%received_header_text%& configuration option, and
Exim automatically adds a semicolon and a timestamp to the configured string.
.section "The References: header line" "SECID228"
-.cindex "&'References:'& header line"
-.cindex "header lines" "References:"
+.chindex References:
Messages created by the &(autoreply)& transport include a &'References:'&
header line. This is constructed according to the rules that are described in
section 3.64 of RFC 2822 (which states that replies should contain such a
.section "The Return-path: header line" "SECID229"
-.cindex "&'Return-path:'& header line"
-.cindex "header lines" "Return-path:"
+.chindex Return-path:
.oindex "&%return_path_remove%&"
&'Return-path:'& header lines are defined as something an MTA may insert when
it does the final delivery of messages. (See the generic &%return_path_add%&
.section "The Sender: header line" "SECTthesenhea"
.cindex "&'Sender:'& header line"
.cindex "message" "submission"
-.cindex "header lines" "Sender:"
+.chindex Sender:
For a locally-originated message from an untrusted user, Exim may remove an
existing &'Sender:'& header line, and it may add a new one. You can modify
these actions by setting the &%local_sender_retain%& option true, the
lists_post:
driver = redirect
domains = lists.example
- senders = ${if exists {/usr/lists/$local_part}\
- {lsearch;/usr/lists/$local_part}{*}}
+ local_parts = ${lookup {$local_part} dsearch,filter=file,ret=full {/usr/lists}}
+ senders = ${if exists {$local_part_data} {lsearch;$local_part_data}{*}}
file = ${lookup {$local_part} dsearch,ret=full {/usr/lists}}
forbid_pipe
forbid_file
.code
my_mailboxes:
driver = appendfile
- file = /var/mail/$domain/$local_part_data
+ file = /var/mail/$domain_data/$local_part_data
user = mail
.endd
This uses a directory of mailboxes for each domain. The &%user%& setting is
cases by testing the variable &$local_part_suffix$&. For example:
.code
if $local_part_suffix contains -special then
-save /home/$local_part/Mail/special
+save /home/$local_part_data/Mail/special
endif
.endd
If the filter file does not exist, or does not deal with such addresses, they
When Exim encounters an empty item in the list, it searches the list defined by
LOG_FILE_PATH, and uses the first item it finds that is neither empty nor
&"syslog"&. This means that an empty item in &%log_file_path%& can be used to
-mean &"use the path specified at build time"&. It no such item exists, log
+mean &"use the path specified at build time"&. If no such item exists, log
files are written in the &_log_& subdirectory of the spool directory. This is
equivalent to the setting:
.code
If SMTP AUTH was used for the delivery there is an additional item A=
followed by the name of the authenticator that was used.
If an authenticated identification was set up by the authenticator's &%client_set_id%&
-option, this is logged too, separated by a colon from the authenticator name.
+option, this is logged too, as a second colon-separated list item.
+Optionally (see the &%smtp_mailauth%& &%log_selector%&) there may be a third list item.
If a shadow transport was run after a successful local delivery, the log line
for the successful delivery has an item added on the end, of the form
When more than one address is included in a single delivery (for example, two
SMTP RCPT commands in one transaction) the second and subsequent addresses are
flagged with &`->`& instead of &`=>`&. When two or more messages are delivered
-down a single SMTP connection, an asterisk follows the IP address in the log
-lines for the second and subsequent messages.
+down a single SMTP connection, an asterisk follows the
+remote IP address (and port if enabled)
+in the log lines for the second and subsequent messages.
When two or more messages are delivered down a single TLS connection, the
DNS and some TLS-related information logged for the first message delivered
will not be present in the log lines for the second and subsequent messages.
&` outgoing_port `& add remote port to => lines
&`*queue_run `& start and end queue runs
&` queue_time `& time on queue for one recipient
+&`*queue_time_exclusive `& exclude recieve time from QT times
&` queue_time_overall `& time on queue for whole message
&` pid `& Exim process id
&` pipelining `& PIPELINING use, on <= and => lines
&` smtp_protocol_error `& SMTP protocol errors
&` smtp_syntax_error `& SMTP syntax errors
&` subject `& contents of &'Subject:'& on <= lines
+&`*taint `& taint errors or warnings
&`*tls_certificate_verified `& certificate verification status
&`*tls_cipher `& TLS cipher suite on <= and => lines
&` tls_peerdn `& TLS peer DN on <= and => lines
client's ident port times out.
.next
.cindex "log" "incoming interface"
+.cindex "log" "outgoing interface"
.cindex "log" "local interface"
.cindex "log" "local address and port"
.cindex "TCP/IP" "logging local address and port"
to the &"<="& line as an IP address in square brackets, tagged by I= and
followed by a colon and the port number. The local interface and port are also
added to other SMTP log lines, for example, &"SMTP connection from"&, to
-rejection lines, and (despite the name) to outgoing &"=>"& and &"->"& lines.
+rejection lines, and (despite the name) to outgoing
+&"=>"&, &"->"&, &"=="& and &"**"& lines.
The latter can be disabled by turning off the &%outgoing_interface%& option.
.next
.cindex log "incoming proxy address"
.cindex "log" "queue time"
&%queue_time%&: The amount of time the message has been in the queue on the
local host is logged as QT=<&'time'&> on delivery (&`=>`&) lines, for example,
-&`QT=3m45s`&. The clock starts when Exim starts to receive the message, so it
-includes reception time as well as the delivery time for the current address.
-This means that it may be longer than the difference between the arrival and
-delivery log line times, because the arrival log line is not written until the
-message has been successfully received.
+&`QT=3m45s`&.
If millisecond logging is enabled, short times will be shown with greater
precision, eg. &`QT=1.578s`&.
.next
&%queue_time_overall%&: The amount of time the message has been in the queue on
the local host is logged as QT=<&'time'&> on &"Completed"& lines, for
-example, &`QT=3m45s`&. The clock starts when Exim starts to receive the
-message, so it includes reception time as well as the total delivery time.
+example, &`QT=3m45s`&.
.next
.cindex "log" "receive duration"
&%receive_time%&: For each message, the amount of real time it has taken to
.cindex "log" "frozen messages; skipped"
.cindex "frozen messages" "logging skipping"
&%skip_delivery%&: A log line is written whenever a message is skipped during a
-queue run because it is frozen or because another process is already delivering
-it.
+queue run because it another process is already delivering it or because
+it is frozen.
.cindex "&""spool file is locked""&"
-The message that is written is &"spool file is locked"&.
+.cindex "&""message is frozen""&"
+The message that is written is either &"spool file is locked"& or
+&"message is frozen"&.
.next
.cindex "log" "smtp confirmation"
.cindex "SMTP" "logging confirmation"
when TLS is in use. The item is &`CV=yes`& if the peer's certificate was
verified
using a CA trust anchor,
-&`CA=dane`& if using a DNS trust anchor,
+&`CV=dane`& if using a DNS trust anchor,
and &`CV=no`& if not.
.next
+.cindex "log" "Taint warnings"
+&%taint%&: Log warnings about tainted data. This selector can't be
+turned of if &%allow_insecure_tainted_data%& is false (which is the
+default).
+.next
.cindex "log" "TLS cipher"
.cindex "TLS" "logging cipher"
&%tls_cipher%&: When a message is sent or received over an encrypted
.next
.cindex "log" "TLS resumption"
.cindex "TLS" "logging session resumption"
-.new
&%tls_resumption%&: When a message is sent or received over an encrypted
connection and the TLS session resumed one used on a previous TCP connection,
an asterisk is appended to the X= cipher field in the log line.
-.wen
.next
.cindex "log" "TLS SNI"
.cindex "TLS" "logging SNI"
"check address acceptance from given IP"
.irow &<<SECTdbmbuild>>& &'exim_dbmbuild'& "build a DBM file"
.irow &<<SECTfinindret>>& &'exinext'& "extract retry information"
-.irow &<<SECThindatmai>>& &'exim_dumpdb'& "dump a hints database"
-.irow &<<SECThindatmai>>& &'exim_tidydb'& "clean up a hints database"
-.irow &<<SECThindatmai>>& &'exim_fixdb'& "patch a hints database"
+.irow &<<SECTdumpdb>>& &'exim_dumpdb'& "dump a hints database"
+.irow &<<SECTtidydb>>& &'exim_tidydb'& "clean up a hints database"
+.irow &<<SECTfixdb>>& &'exim_fixdb'& "patch a hints database"
.irow &<<SECTmailboxmaint>>& &'exim_lock'& "lock a mailbox file"
.endtable
.next
&'ratelimit'&: the data for implementing the ratelimit ACL condition
.next
-.new
&'tls'&: TLS session resumption data
-.wen
.next
&'misc'&: other hints data
.endlist
-.section "exim_dumpdb" "SECID261"
+.section "exim_dumpdb" "SECTdumpdb"
.cindex "&'exim_dumpdb'&"
The entire contents of a database are written to the standard output by the
-&'exim_dumpdb'& program, which has no options or arguments other than the
-spool and database names. For example, to dump the retry database:
+&'exim_dumpdb'& program,
+.new
+taking as arguments the spool and database names.
+An option &'-z'& may be given to regest times in UTC;
+otherwise times are in the local timezone.
+.wen
+For example, to dump the retry database:
.code
exim_dumpdb /var/spool/exim retry
.endd
-.section "exim_tidydb" "SECID262"
+.section "exim_tidydb" "SECTtidydb"
.cindex "&'exim_tidydb'&"
The &'exim_tidydb'& utility program is used to tidy up the contents of a hints
database. If run with no options, it removes all records that are more than 30
-.section "exim_fixdb" "SECID263"
+.section "exim_fixdb" "SECTfixdb"
.cindex "&'exim_fixdb'&"
The &'exim_fixdb'& program is a utility for interactively modifying databases.
Its main use is for testing Exim, but it might also be occasionally useful for
-getting round problems in a live system. It has no options, and its interface
+getting round problems in a live system. Its interface
is somewhat crude. On entry, it prompts for input with a right angle-bracket. A
key of a database record can then be entered, and the data for that record is
displayed.
sequence of digit pairs for year, month, day, hour, and minute. Colons can be
used as optional separators.
+.new
+Both displayed and input times are in the local timezone by default.
+If an option &'-z'& is used on the command line, displayed times
+are in UTC.
+.wen
+
.cindex "security" "data sources"
.cindex "security" "regular expressions"
.cindex "regular expressions" "security"
-.cindex "PCRE" "security"
+.cindex "PCRE2" "security"
If configuration data for Exim can come from untrustworthy sources, there
are some issues to be aware of:
Letting untrusted data provide a regular expression is unwise.
.next
Using &%${match...}%& to apply a fixed regular expression against untrusted
-data may result in pathological behaviour within PCRE. Be aware of what
+data may result in pathological behaviour within PCRE2. Be aware of what
"backtracking" means and consider options for being more strict with a regular
expression. Avenues to explore include limiting what can match (avoiding &`.`&
when &`[a-z0-9]`& or other character class will do), use of atomic grouping and
Signing is enabled by setting private options on the SMTP transport.
These options take (expandable) strings as arguments.
-.option dkim_domain smtp string list&!! unset
+.option dkim_domain smtp "string list&!!" unset
The domain(s) you want to sign with.
After expansion, this can be a list.
Each element in turn,
If it is empty after expansion, DKIM signing is not done,
and no error will result even if &%dkim_strict%& is set.
-.option dkim_selector smtp string list&!! unset
+.option dkim_selector smtp "string list&!!" unset
This sets the key selector string.
After expansion, which can use &$dkim_domain$&, this can be a list.
Each element in turn is put in the expansion
If the option is empty after expansion, DKIM signing is not done for this domain,
and no error will result even if &%dkim_strict%& is set.
+To do, for example, dual-signing with RSA and EC keys
+this could be be used:
+.code
+dkim_selector = ec_sel : rsa_sel
+dkim_private_key = KEYS_DIR/$dkim_selector
+.endd
+
.option dkim_private_key smtp string&!! unset
This sets the private key to use.
You can use the &%$dkim_domain%& and
.vitem &%temperror%&
This indicates a temporary error during all processing, including Exim's
SPF processing. You may defer messages when this occurs.
+
+.vitem &%invalid%&
+There was an error during processing of the SPF lookup
.endlist
You can prefix each string with an exclamation mark to invert
.vitem &$spf_received$&
.vindex &$spf_received$&
- This contains a complete Received-SPF: header that can be
- added to the message. Please note that according to the SPF
- draft, this header must be added at the top of the header
- list. Please see section 10 on how you can do this.
+ This contains a complete Received-SPF: header (name and
+ content) that can be added to the message. Please note that
+ according to the SPF draft, this header must be added at the
+ top of the header list, i.e. with
+.code
+add_header = :at_start:$spf_received
+.endd
+ See section &<<SECTaddheadacl>>& for further details.
Note: in case of "Best-guess" (see below), the convention is
to put this string in a header called X-SPF-Guess: instead.
.vitem &$spf_result$&
.vindex &$spf_result$&
This contains the outcome of the SPF check in string form,
- one of pass, fail, softfail, none, neutral, permerror or
- temperror.
+ currently one of pass, fail, softfail, none, neutral, permerror,
+ temperror, or &"(invalid)"&.
.vitem &$spf_result_guessed$&
.vindex &$spf_result_guessed$&
.section "SRS (Sender Rewriting Scheme)" SECTSRS
.cindex SRS "sender rewriting scheme"
-.new
SRS can be used to modify sender addresses when forwarding so that
SPF verification does not object to them.
It operates by encoding the original envelope sender in a new
.code
#macro
SRS_SECRET = <pick something unique for your site for this. Use on all MXs.>
-
+
#routers
outbound:
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{remote_smtp} {remote_forwarded_smtp}}
-
+
inbound_srs:
driver = redirect
senders = :
# detect inbound bounces which are SRS'd, and decode them
condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
data = $srs_recipient
-
+
inbound_srs_failure:
driver = redirect
senders = :
#... further routers here
-
+
# transport; should look like the non-forward outbound
# one, plus the max_rcpt and return_path options
remote_forwarded_smtp:
.endd
-.wen
&'reject '& The DMARC check failed and the library recommends rejecting the email.
&'quarantine '& The DMARC check failed and the library recommends keeping it for further inspection.
&'none '& The DMARC check passed and the library recommends no specific action, neutral.
-&'norecord '& No policy section in the DMARC record for this sender domain.
+&'norecord '& No policy section in the DMARC record for this RFC5322.From field
&'nofrom '& Unable to determine the domain of the sender.
&'temperror '& Library error or dns error.
&'off '& The DMARC check was disabled for this email.
The Proxy Protocol header is the first data received on a TCP connection
and is inserted before any TLS-on-connect handshake from the client; Exim
negotiates TLS between Exim-as-server and the remote client, not between
-Exim and the proxy server.
+Exim and the proxy server. The Proxy Protocol header must be received
+within &%proxy_protocol_timeout%&, which defaults to 3s.
The following expansion variables are usable
(&"internal"& and &"external"& here refer to the interfaces