X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/261dc43e32f6039781ca92535e56f5caaa68b809..3fb3231cf83c8a9328499ea17b3663c1618210dc:/doc/doc-src/FAQ.src diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src index 461b1a608..47b810e5d 100644 --- a/doc/doc-src/FAQ.src +++ b/doc/doc-src/FAQ.src @@ -1,4 +1,3 @@ -## $Cambridge: exim/doc/doc-src/FAQ.src,v 1.8 2009/11/05 19:37:00 nm4 Exp $ ## ## This file is processed by Perl scripts to produce an ASCII and an HTML ## version. Lines starting with ## are omitted. The markup used with paragraphs @@ -851,7 +850,7 @@ A0044: Exim has been unable to create a file in its spool area in which to If you are running Exim with an alternate configuration file using a command such as \"exim -C altconfig..."\, remember that the use of -C - takes away Exim's root privilege, unless \\TRUSTED_CONFIG_PREFIX_FILE\\ + takes away Exim's root privilege, unless \\TRUSTED_CONFIG_LIST\\ is set in \(Local/Makefile)\ and the corresponding file contains a prefix which matches the alternative configuration file being used. @@ -913,7 +912,7 @@ A0047: \-bz-\ is a Sendmail option requesting it to create a `configuration free ==> /usr/lib/sendmail -bz - in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before + in some start-up script (e.g. \(/etc/init.d/mail)\) immediately before ==> /usr/lib/sendmail -bd -q15m @@ -1155,7 +1154,7 @@ A0065: When Exim is called with -C, it passes on -C to any instances of itself includes the case where Exim re-execs itself to regain root privilege. Thus it can't write to the spool. - The fix for this is to use the \\TRUSTED_CONFIG_PREFIX_LIST\\ build-time + The fix for this is to use the \\TRUSTED_CONFIG_LIST\\ build-time option. This defines a file containing a list of 'trusted' prefixes for configuration files. Any configuration file specified with -C, if it matches a prefix listed in that file, will be used without dropping root 
@@ -1862,7 +1861,7 @@ A0117: Here! This is a contribution from a RedHat user, somewhat edited. On ==> adduser exim - (3) Now you can prepare to build Exim. Go to \?http://www.exim.org?\ or + (3) Now you can prepare to build Exim. Go to \?https://www.exim.org?\ or one of its mirrors, or the master ftp site \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download \(exim-4.20.tar.gz)\ or whatever the current release is. Then: @@ -2118,7 +2117,7 @@ A0301: They mean exactly what they say. Exim expected to route an address to a with MX records pointing to \"localhost"\ (or other names with A records that specify 127.0.0.1), which causes this behaviour. You can use the \ignore_target_hosts\ option to get Exim to ignore these records. The - default contiguration does this. For more discussion, see Q0319. For + default configuration does this. For more discussion, see Q0319. For other cases: (1) If the domain is meant to be handled as a local domain, there @@ -2317,7 +2316,7 @@ A0310: If a DNS lookup returns no MXs, Exim looks for an address record, in Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim - send the messsage to the host defined by the A record? + send the message to the host defined by the A record? A0311: The RFCs are quite clear on this. Only if it is known that there are no MX records is an MTA allowed to make use of the A record. When an MX @@ -3453,7 +3452,7 @@ A0510: \^elspy^\ is a layer of glue code that enables you to write Python code to scan email messages at SMTP time. \^elspy^\ also includes a small Python library with common mail-scanning tools, including an interface to SpamAssassin and a simple but effective virus detector. You can - optain \^elspy^\ from \?http://elspy.sourceforge.net/?\. + obtain \^elspy^\ from \?http://elspy.sourceforge.net/?\. Q0511: Whenever my system filter uses a \mail\ command to send a message, I get 
@@ -3544,7 +3543,7 @@ A0601: Whenever Exim does a local delivery, it runs a process under a specific ==> majordomo: |/local/mail/majordomo ... then Exim has to be told what uid/gid to use for the delivery. This can - be done either on the routerr that handles the address, or on the + be done either on the router that handles the address, or on the transport that actually does the delivery. If a pipe is going to run a setuid program, then it doesn't matter what uid Exim starts it out with, and so the most straightforward thing is to put @@ -3618,7 +3617,7 @@ A0603: Q0601 contains background information on this. If you are using, say, an Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the - ctrl-A characters that separate indvidual emails? + ctrl-A characters that separate individual emails? A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact, for MMDF mailboxes you need a prefix as well as a suffix to get it @@ -3661,7 +3660,7 @@ Q0606: I'm using tmail to do local deliveries, but when I turned on the \use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\ terminations) message bodies started to vanish. -A0606: You need to unset the \mesage_prefix\ option, or change it so that its +A0606: You need to unset the \message_prefix\ option, or change it so that its default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the transport could be: @@ -5039,7 +5038,7 @@ A0806: The value of \$domain$\ is the actual domain that appears in the address. but it is important to some people - especially if by some unfortunate accident the lowercased word is something indecent. - You can trivally force lower casing by means of the \"${lc:"\ operator. + You can trivially force lower casing by means of the \"${lc:"\ operator. Instead of \"$domain"\ write \"${lc:$domain}"\. 
@@ -5100,7 +5099,7 @@ A0905: You can only do this in a round about way, using filter commands like ==> headers add "New-Subject: SPAM: $h_subject:" headers remove subject - neaders add "Subject: $h_new-subject:" + headers add "Subject: $h_new-subject:" headers remove new-subject This trick works only in system filters, where the commands are obeyed 
@@ -5741,82 +5740,14 @@ Q1701: I am trying to set up an Exim server that uses a self-signed certificate to enable my clients to use TLS. However, clients other than Exim refuse to accept this certificate. What's wrong? -A1701: It seems that some clients require that the certificate presented by - the server be a user (also called ``leaf'' or ``site'') certificate, and not - a self-signed certificate. In this situation, the self-signed - certificate must be installed on the client as a trusted root - \*certification authority*\ (CA), and the certificate used by the server - must be a user certificate signed with that self-signed certificate. +A1701: Don't use a self-signed certificate today. Use a certificate from a + certificate authority, whether your own private certificate authority or + a free CA such as Let's Encrypt. - For information on creating self-signed CA certificates and using them - to sign user certificates, see the \*General implementation overview*\ - chapter of the Open-source PKI book, available online at - \?http://ospkibook.sourceforge.net/?\. Here is a quick overview. First, - read this message: - - \?http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com?\ - - Then, follow the instructions found on these two (consecutive) pages: - - \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm?\ - \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm?\ - - Two points on the PKI Book literature: - - (1) It's assumed that it's okay to use a passphrase-protected key to - encrypt the user/site/leaf certificate. If this isn't acceptable, - you seem to be able to strip out the passphrase as follows: - -==> openssl rsa -in user.key -our user.key.new - mv user.key.new - - This should be done immediately after \(user.key)\ is created. - - (2) The \*sign.sh*\ script is available in the \*mod_ssl*\ distribution, - available at \?http://www.modssl.org/source/?\. 
- - Having followed the instructions, you end up with the following files: - - (a) \(ca.crt)\ - - This file should be installed into the client software as a trusted - root certification authority. In Windows XP, this can be done as follows: - - \#\#Call the file \(ca_cert.cer)\ - [[br]] - \#\#Double-click on the file - [[br]] - \#\#"Install Certificate"; - [[br]] - \#\#"Next" - [[br]] - \#\#"Place all certificates in the following store" - [[br]] - \#\#"Browse..." - [[br]] - \#\#"Trusted Root Certification Authorities" - [[br]] - \#\#"OK" - [[br]] - \#\#"Next" - [[br]] - \#\#"Finish" - [[br]] - \#\#"Yes" - [[br]] - \#\#"OK" - - (b) \(user.crt)\ and \(user.key)\ - - These files should be installed into the server software. In Exim, this - can be done by adding these lines to the configuration file: - -==> tls_certificate = /usr/local/etc/exim/tls_cert - tls_privatekey = /usr/local/etc/exim/tls_key - - Then install \(user.crt)\ and \(user.key)\ under the names \(tls_cert)\ - and \(tls_key)\ in the appropriate directory. + The exim.org setup uses Let's Encrypt, using the lego tooling and a small + shell wrapper to let the certificates be automatically renewed via cron. + \?https://github.com/xenolf/lego?\ Q1702: How can I arrange for Exim to advertise support for SMTP authentication only when the session is encrypted? @@ -7123,7 +7054,7 @@ C037: An elegant way of using ETRN, which does immediate delivery if the host C042: ``Since the Exim 4 configuration needed to get Mailman to work differs a little bit from Exim 3 and since I still haven't seen a recipe for Mailman with Exim 4, I'm providing my configuration (based heavily on - \?http://www.exim.org/howto/mailman.html?\).'' + \?https://www.exim.org/howto/mailman21.html?\).'' C043: ``Attached is an Exim 4 config file which is designed for an Exim server that is put in front of an Exchange 5.5 system but which verifies the
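
Review bot: In the A0044 hunk (@@ -851,7 +850,7 @@) the option is renamed to TRUSTED_CONFIG_LIST, but the unchanged context right after it still reads "the corresponding file contains a prefix which matches the alternative configuration file being used". The A0065 hunk (@@ -1155,7 +1154,7 @@) has the same mismatch in "a list of 'trusted' prefixes" and "if it matches a prefix listed in that file". If the renamed option no longer matches by prefix, those sentences need updating in this patch, because a reader who expects prefix matching will misjudge which -C files keep root privilege. The two old spellings also differed (TRUSTED_CONFIG_PREFIX_FILE in A0044, TRUSTED_CONFIG_PREFIX_LIST in A0065), so at least one was already incorrect; worth saying so in the commit message.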
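
Review bot: In the A0117 hunk (@@ -1862,7 +1861,7 @@) only the www.exim.org link moves to https; the context line right after it still sends the reader to "ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4" and names "exim-4.20.tar.gz", and step (3) says nothing about checking the tarball before building it. Suggest either dropping the ftp reference or adding a line on verifying the download's signature or checksum, so the https change is not undone by the very next fetch.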
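
Review bot: The new A1701 text (@@ -5741,82 +5740,14 @@) says what to do but no longer answers the question's "What's wrong?", and it drops two parts of the removed answer that still apply to the "own private certificate authority" case it recommends: that the CA certificate has to be installed on the clients as a trusted root, and the server-side "tls_certificate" and "tls_privatekey" settings. Suggest keeping one sentence on why clients reject the certificate, keeping the two-line Exim configuration example, and turning the bare lego URL into a sentence; the "small shell wrapper" is mentioned but neither shown nor linked.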
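
Review bot: The C042 change (@@ -7123,7 +7054,7 @@) edits a URL inside a quoted contribution (the ``...'' span) and changes the path from mailman.html to mailman21.html, not just the scheme. That alters what the contributor said their configuration was based on; if mailman21.html is a different howto, keep the original reference inside the quote and give the current link outside it.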