X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/b08b24c880b30c34f3ed5f4c59a286fdefb1c0f5..fd4c285cd86a1c06acaa34c33cb898c057208ec5:/src/src/EDITME diff --git a/src/src/EDITME b/src/src/EDITME index 93cca9351..866987c25 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -1,5 +1,3 @@ -# $Cambridge: exim/src/src/EDITME,v 1.7 2005/01/25 14:16:33 ph10 Exp $ - ################################################## # The Exim mail transport agent # ################################################## @@ -131,8 +129,7 @@ CONFIGURE_FILE=/usr/exim/configure # group that is used for Exim processes when they no longer need to be root. In # particular, this applies when receiving messages and when doing remote # deliveries. (Local deliveries run as various non-root users, typically as the -# owner of a local mailbox.) Specifying these values as root is very strongly -# discouraged. +# owner of a local mailbox.) Specifying these values as root is not supported. EXIM_USER= @@ -184,6 +181,12 @@ SPOOL_DIRECTORY=/var/spool/exim # THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY # ############################################################################### +# If you need extra header file search paths on all compiles, put the -I +# options in INCLUDE. If you want the extra searches only for certain +# parts of the build, see more specific xxx_INCLUDE variables below. + +# INCLUDE=-I/example/include + # You need to specify some routers and transports if you want the Exim that you # are building to be capable of delivering mail. You almost certainly need at # least one type of lookup. You should consider whether you want to build @@ -243,6 +246,27 @@ TRANSPORT_SMTP=yes # SUPPORT_MBX=yes +#------------------------------------------------------------------------------ +# See below for dynamic lookup modules. +# +# If not using package management but using this anyway, then think about how +# you perform upgrades and revert them. You should consider the benefit of +# embedding the Exim version number into LOOKUP_MODULE_DIR, so that you can +# maintain two concurrent sets of modules. +# +# *BEWARE*: ability to modify the files in LOOKUP_MODULE_DIR is equivalent to +# the ability to modify the Exim binary, which is often setuid root! The Exim +# developers only intend this functionality be used by OS software packagers +# and we suggest that such packagings' integrity checks should be paranoid +# about the permissions of the directory and the files within. + +# LOOKUP_MODULE_DIR=/usr/lib/exim/lookups/ + +# To build a module dynamically, you'll need to define CFLAGS_DYNAMIC for +# your platform. Eg: +# CFLAGS_DYNAMIC=-shared -rdynamic +# CFLAGS_DYNAMIC=-shared -rdynamic -fPIC + #------------------------------------------------------------------------------ # These settings determine which file and database lookup methods are included # in the binary. See the manual chapter entitled "File and database lookups" @@ -251,12 +275,28 @@ TRANSPORT_SMTP=yes # LOOKUP_DNSDB does *not* refer to general mail routing using the DNS. It is # for the specialist case of using the DNS as a general database facility (not # common). +# If set to "2" instead of "yes" then the corresponding lookup will be +# built as a module and must be installed into LOOKUP_MODULE_DIR. You need to +# add -export-dynamic -rdynamic to EXTRALIBS. You may also need to add -ldl to +# EXTRALIBS so that dlopen() is available to Exim. You need to define +# LOOKUP_MODULE_DIR above so the exim binary actually loads dynamic lookup +# modules. +# Also, instead of adding all the libraries/includes to LOOKUP_INCLUDE and +# LOOKUP_LIBS, add them to the respective LOOKUP_*_INCLUDE and LOOKUP_*_LIBS +# (where * is the name as given here in this list). That ensures that only +# the dynamic library and not the exim binary will be linked against the +# library. +# NOTE: LDAP cannot be built as a module! +# +# If your system has pkg-config then the _INCLUDE/_LIBS setting can be +# handled for you automatically by also defining the _PC variable to reference +# the name of the pkg-config package, if such is available. LOOKUP_DBM=yes LOOKUP_LSEARCH=yes +LOOKUP_DNSDB=yes # LOOKUP_CDB=yes -# LOOKUP_DNSDB=yes # LOOKUP_DSEARCH=yes # LOOKUP_IBASE=yes # LOOKUP_LDAP=yes @@ -266,6 +306,8 @@ LOOKUP_LSEARCH=yes # LOOKUP_ORACLE=yes # LOOKUP_PASSWD=yes # LOOKUP_PGSQL=yes +# LOOKUP_SQLITE=yes +# LOOKUP_SQLITE_PC=sqlite3 # LOOKUP_WHOSON=yes # These two settings are obsolete; all three lookups are compiled when @@ -293,16 +335,35 @@ LOOKUP_LSEARCH=yes # Michigan (OpenLDAP 1) library. +#------------------------------------------------------------------------------ +# The PCRE library is required for exim. There is no longer an embedded +# version of the PCRE library included with the source code, instead you +# must use a system library or build your own copy of PCRE. +# In either case you must specify the library link info here. If the +# PCRE header files are not in the standard search path you must also +# modify the INCLUDE path (above) +# +# Use PCRE_CONFIG to query the pcre-config command (first found in $PATH) +# to find the include files and libraries, else use PCRE_LIBS and set INCLUDE +# too if needed. + +PCRE_CONFIG=yes +# PCRE_LIBS=-lpcre + + #------------------------------------------------------------------------------ # Additional libraries and include directories may be required for some # lookup styles (e.g. LDAP, MYSQL or PGSQL). LOOKUP_LIBS is included only on # the command for linking Exim itself, not on any auxiliary programs. You # don't need to set LOOKUP_INCLUDE if the relevant directories are already # specified in INCLUDE. The settings below are just examples; -lpq is for -# PostgreSQL, -lgds is for Interbase. +# PostgreSQL, -lgds is for Interbase, -lsqlite3 is for SQLite. +# +# You do not need to use this for any lookup information added via pkg-config. # LOOKUP_INCLUDE=-I /usr/local/ldap/include -I /usr/local/mysql/include -I /usr/local/pgsql/include -# LOOKUP_LIBS=-L/usr/local/lib -lldap -llber -lmysqlclient -lpq -lgds +# LOOKUP_LIBS=-L/usr/local/lib -lldap -llber -lmysqlclient -lpq -lgds -lsqlite3 + #------------------------------------------------------------------------------ # Compiling the Exim monitor: If you want to compile the Exim monitor, a @@ -314,6 +375,7 @@ LOOKUP_LSEARCH=yes EXIM_MONITOR=eximon.bin + #------------------------------------------------------------------------------ # Compiling Exim with content scanning support: If you want to compile Exim # with support for message body content scanning, set WITH_CONTENT_SCAN to @@ -330,11 +392,54 @@ EXIM_MONITOR=eximon.bin # WITH_OLD_DEMIME=yes +# If you're using ClamAV and are backporting fixes to an old version, instead +# of staying current (which is the more usual approach) then you may need to +# use an older API which uses a STREAM command, now deprecated, instead of +# zINSTREAM. If you need to set this, please let the Exim developers know, as +# if nobody reports a need for it, we'll remove this option and clean up the +# code. zINSTREAM was introduced with ClamAV 0.95. +# +# WITH_OLD_CLAMAV_STREAM=yes + +#------------------------------------------------------------------------------ +# By default Exim includes code to support DKIM (DomainKeys Identified +# Mail, RFC4871) signing and verification. Verification of signatures is +# turned on by default. See the spec for information on conditionally +# disabling it. To disable the inclusion of the entire feature, set +# DISABLE_DKIM to "yes" + +# DISABLE_DKIM=yes + +#------------------------------------------------------------------------------ +# Uncomment the following line to remove Per-Recipient-Data-Response support. + +# DISABLE_PRDR=yes + +#------------------------------------------------------------------------------ +# Uncomment the following line to remove OCSP stapling support in TLS, +# from Exim. Note it can only be supported when built with +# GnuTLS 3.1.3 or later, or OpenSSL + +# DISABLE_OCSP=yes + +#------------------------------------------------------------------------------ +# By default, Exim has support for checking the AD bit in a DNS response, to +# determine if DNSSEC validation was successful. If your system libraries +# do not support that bit, then set DISABLE_DNSSEC to "yes" + +# DISABLE_DNSSEC=yes + + #------------------------------------------------------------------------------ # Compiling Exim with experimental features. These are documented in # experimental-spec.txt. "Experimental" means that the way these features are # implemented may still change. Backward compatibility is not guaranteed. +# Uncomment the following line to add support for talking to dccifd. This +# defaults the socket path to /usr/local/dcc/var/dccifd. + +# EXPERIMENTAL_DCC=yes + # Uncomment the following lines to add SPF support. You need to have libspf2 # installed on your system (www.libspf2.org). Depending on where it is installed # you may have to edit the CFLAGS and LDFLAGS lines. @@ -359,9 +464,43 @@ EXIM_MONITOR=eximon.bin # EXPERIMENTAL_BRIGHTMAIL=yes # CFLAGS += -I/opt/brightmail/bsdk-6.0/include -# LDFLAGS += -lxml2 -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib +# LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib + +# Uncomment the following line to add DMARC checking capability, implemented +# using libopendmarc libraries. +# EXPERIMENTAL_DMARC=yes +# CFLAGS += -I/usr/local/include +# LDFLAGS += -lopendmarc + + +# Uncomment the following line to support Events, +# eg. for logging to a database. +# EXPERIMENTAL_EVENT=yes +# Uncomment the following line to add Redis lookup support +# You need to have hiredis installed on your system (https://github.com/redis/hiredis). +# Depending on where it is installed you may have to edit the CFLAGS and LDFLAGS lines. +# EXPERIMENTAL_REDIS=yes +# CFLAGS += -I/usr/local/include +# LDFLAGS += -lhiredis +# Uncomment the following line to enable Experimental Proxy Protocol +# EXPERIMENTAL_PROXY=yes + +# Uncomment the following line to enable support for checking certiticate +# ownership +# EXPERIMENTAL_CERTNAMES=yes + +# Uncomment the following line to add DANE support +# EXPERIMENTAL_DANE=yes + +# Uncomment the following line to add SOCKS support +# EXPERIMENTAL_SOCKS=yes + +# Uncomment the following to add Internationalisation features. You need to +# have the IDN library installed. +#EXPERIMENTAL_INTERNATIONAL=yes +#LDFLAGS += -lidn ############################################################################### # THESE ARE THINGS YOU MIGHT WANT TO SPECIFY # @@ -390,14 +529,13 @@ FIXED_NEVER_USERS=root #------------------------------------------------------------------------------ -# By default, Exim insists that its configuration file be owned either by root -# or by the Exim user. You can specify one additional permitted owner here. +# By default, Exim insists that its configuration file be owned by root. You +# can specify one additional permitted owner here. # CONFIGURE_OWNER= # If the configuration file is group-writeable, Exim insists by default that it -# is owned by root or the Exim user. You can specify one additional permitted -# group owner here. +# is owned by root. You can specify one additional permitted group owner here. # CONFIGURE_GROUP= @@ -419,32 +557,31 @@ FIXED_NEVER_USERS=root #------------------------------------------------------------------------------ # The -C option allows Exim to be run with an alternate runtime configuration -# file. When this is used by root or the Exim user, root privilege is retained -# by the binary (for any other caller, it is dropped). You can restrict the -# location of alternate configurations by defining a prefix below. Any file -# used with -C must then start with this prefix (except that /dev/null is also -# permitted if the caller is root, because that is used in the install script). -# If the prefix specifies a directory that is owned by root, a compromise of -# the Exim account does not permit arbitrary alternate configurations to be -# used. The prefix can be more restrictive than just a directory (the second -# example). +# file. When this is used by root, root privilege is retained by the binary +# (for any other caller including the Exim user, it is dropped). You can +# restrict the location of alternate configurations by defining a prefix below. +# Any file used with -C must then start with this prefix (except that /dev/null +# is also permitted if the caller is root, because that is used in the install +# script). If the prefix specifies a directory that is owned by root, a +# compromise of the Exim account does not permit arbitrary alternate +# configurations to be used. The prefix can be more restrictive than just a +# directory (the second example). # ALT_CONFIG_PREFIX=/some/directory/ # ALT_CONFIG_PREFIX=/some/directory/exim.conf- #------------------------------------------------------------------------------ -# If you uncomment the following line, only root may use the -C or -D options -# without losing root privilege. The -C option specifies an alternate runtime -# configuration file, and the -D option changes macro values in the runtime -# configuration. Uncommenting this line restricts what can be done with these -# options. A call to receive a message (either one-off or via a daemon) cannot -# successfully continue to deliver it, because the re-exec of Exim to regain -# root privilege will fail, owing to the use of -C or -D by the Exim user. -# However, you can still use -C for testing (as root) if you do separate Exim -# calls for receiving a message and subsequently delivering it. +# When a user other than root uses the -C option to override the configuration +# file (including the Exim user when re-executing Exim to regain root +# privileges for local message delivery), this will normally cause Exim to +# drop root privileges. The TRUSTED_CONFIG_LIST option, specifies a file which +# contains a list of trusted configuration filenames, one per line. If the -C +# option is used by the Exim user or by the user specified in the +# CONFIGURE_OWNER setting, to specify a configuration file which is listed in +# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. -# ALT_CONFIG_ROOT_ONLY=yes +# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs #------------------------------------------------------------------------------ @@ -455,6 +592,31 @@ FIXED_NEVER_USERS=root # DISABLE_D_OPTION=yes +#------------------------------------------------------------------------------ +# By contrast, you might be maintaining a system which relies upon the ability +# to override values with -D and assumes that these will be passed through to +# the delivery processes. As of Exim 4.73, this is no longer the case by +# default. Going forward, we strongly recommend that you use a shim Exim +# configuration file owned by root stored under TRUSTED_CONFIG_LIST. +# That shim can set macros before .include'ing your main configuration file. +# +# As a strictly transient measure to ease migration to 4.73, the +# WHITELIST_D_MACROS value definies a colon-separated list of macro-names +# which are permitted to be overridden from the command-line which will be +# honoured by the Exim user. So these are macros that can persist to delivery +# time. +# Examples might be -DTLS or -DSPOOL=/some/dir. The values on the +# command-line are filtered to only permit: [A-Za-z0-9_/.-]* +# +# This option is highly likely to be removed in a future release. It exists +# only to make 4.73 as easy as possible to migrate to. If you use it, we +# encourage you to schedule time to rework your configuration to not depend +# upon it. Most people should not need to use this. +# +# By default, no macros are whitelisted for -D usage. + +# WHITELIST_D_MACROS=TLS:SPOOL + #------------------------------------------------------------------------------ # Exim has support for the AUTH (authentication) extension of the SMTP # protocol, as defined by RFC 2554. If you don't know what SMTP authentication @@ -466,6 +628,11 @@ FIXED_NEVER_USERS=root # AUTH_CRAM_MD5=yes # AUTH_CYRUS_SASL=yes +# AUTH_DOVECOT=yes +# AUTH_GSASL=yes +# AUTH_GSASL_PC=libgsasl +# AUTH_HEIMDAL_GSSAPI=yes +# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi # AUTH_PLAINTEXT=yes # AUTH_SPA=yes @@ -473,9 +640,13 @@ FIXED_NEVER_USERS=root #------------------------------------------------------------------------------ # If you specified AUTH_CYRUS_SASL above, you should ensure that you have the # Cyrus SASL library installed before trying to build Exim, and you probably -# want to uncomment the following line: +# want to uncomment the first line below. +# Similarly for GNU SASL, unless pkg-config is used via AUTH_GSASL_PC. +# Ditto for AUTH_HEIMDAL_GSSAPI(_PC). # AUTH_LIBS=-lsasl2 +# AUTH_LIBS=-lgsasl +# AUTH_LIBS=-lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lhcrypto -lasn1 -lwind -lroken -lcrypt #------------------------------------------------------------------------------ @@ -526,7 +697,7 @@ HEADERS_CHARSET="ISO-8859-1" # configuration of an authenticator for use with SMTP AUTH.) At least one # operating system has an extended function called crypt16(), which uses up to # 16 characters of a password (the normal crypt() uses only the first 8). Exim -# supports the use of crypt16() as well as crypt(). +# supports the use of crypt16() as well as crypt() but note the warning below. # You can always indicate a crypt16-encrypted password by preceding it with # "{crypt16}". If you want the default handling (without any preceding @@ -538,10 +709,23 @@ HEADERS_CHARSET="ISO-8859-1" # an encrypted password with "{crypt}". For more details, see the description # of the "crypteq" condition in the manual chapter on string expansions. -# Since most operating systems do not include a crypt16() function (yet?), Exim -# has one of its own, which it uses unless HAVE_CRYPT16 is defined. Normally, -# that will be set in an OS-specific Makefile for the OS that have such a -# function, so you should not need to bother with it. +# Some operating systems do not include a crypt16() function, so Exim has one +# of its own, which it uses unless HAVE_CRYPT16 is defined. Normally, that will +# be set in an OS-specific Makefile for the OS that have such a function, so +# you should not need to bother with it. + +# *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** +# It turns out that the above is not entirely accurate. As well as crypt16() +# there is a function called bigcrypt() that some operating systems have. This +# may or may not use the same algorithm, and both of them may be different to +# Exim's built-in crypt16() that is used unless HAVE_CRYPT16 is defined. +# +# However, since there is now a move away from the traditional crypt() +# functions towards using SHA1 and other algorithms, tidying up this area of +# Exim is seen as very low priority. In practice, if you need to, you can +# define DEFAULT_CRYPT to the name of any function that has the same interface +# as the traditional crypt() function. +# *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** #------------------------------------------------------------------------------ @@ -555,13 +739,23 @@ HEADERS_CHARSET="ISO-8859-1" # This setting is required for any TLS support (either OpenSSL or GnuTLS) # SUPPORT_TLS=yes -# Uncomment this setting if you are using OpenSSL +# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not +# USE_OPENSSL_PC=openssl # TLS_LIBS=-lssl -lcrypto -# Uncomment these settings if you are using GnuTLS +# Uncomment the first and either the second or the third of these if you +# are using GnuTLS. If you have pkg-config, then the second, else the third. # USE_GNUTLS=yes +# USE_GNUTLS_PC=gnutls # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt +# The security fix we provide with the gnutls_allow_auto_pkcs11 option +# (4.82 PP/09) introduces a compatibility regression. The symbol is +# not available if GnuTLS is build without p11-kit (--without-p11-kit +# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when +# building Exim. +# AVOID_GNUTLS_PKCS11=yes + # If you are running Exim as a server, note that just building it with TLS # support is not all you need to do. You also need to set up a suitable # certificate, and tell Exim about it by means of the tls_certificate @@ -570,6 +764,11 @@ HEADERS_CHARSET="ISO-8859-1" # if you are running Exim only as a client, building it with TLS support # is all you need to do. +# If you are using pkg-config then you should not need to worry where the +# libraries and headers are installed, as the pkg-config .pc specification +# should include all -L/-I information necessary. If not using pkg-config +# then you might need to specify the locations too. + # Additional libraries and include files are required for both OpenSSL and # GnuTLS. The TLS_LIBS settings above assume that the libraries are installed # with all your other libraries. If they are in a special directory, you may @@ -677,9 +876,15 @@ COMPRESS_SUFFIX=gz # If the exigrep utility is fed compressed log files, it tries to uncompress # them using this command. +# Leave it empty to enforce autodetection at runtime: +# ZCAT_COMMAND= +# +# Omit the path if you want to use your system's PATH: +# ZCAT_COMMAND=zcat +# +# Or specify the full pathname: ZCAT_COMMAND=/usr/bin/zcat - #------------------------------------------------------------------------------ # Compiling in support for embedded Perl: If you want to be able to # use Perl code in Exim's string manipulation language and you have Perl @@ -689,6 +894,16 @@ ZCAT_COMMAND=/usr/bin/zcat # EXIM_PERL=perl.o +#------------------------------------------------------------------------------ +# Support for dynamically-loaded string expansion functions via ${dlfunc. If +# you are using gcc the dynamically-loaded object must be compiled with the +# -shared option, and you will need to add -export-dynamic to EXTRALIBS so +# that the local_scan API is made available by the linker. You may also need +# to add -ldl to EXTRALIBS so that dlopen() is available to Exim. + +# EXPAND_DLFUNC=yes + + #------------------------------------------------------------------------------ # Exim has support for PAM (Pluggable Authentication Modules), a facility # which is available in the latest releases of Solaris and in some GNU/Linux @@ -713,17 +928,24 @@ ZCAT_COMMAND=/usr/bin/zcat # If you have set RADIUS_CONFIG_FILE, you should also set one of these to # indicate which RADIUS library is used: -# -# RADIUSCLIENT is the radiusclient library; you probably need to add -# -libradiusclient to EXTRALIBS -# -# RADLIB is the Radius library that comes with FreeBSD (the header file is -# called radlib.h); you probably need to add -lradius to EXTRALIBS # RADIUS_LIB_TYPE=RADIUSCLIENT +# RADIUS_LIB_TYPE=RADIUSCLIENTNEW # RADIUS_LIB_TYPE=RADLIB -# If you don't set one of these, Exim assumes the radiusclient library. +# RADIUSCLIENT is the radiusclient library; you probably need to add +# -lradiusclient to EXTRALIBS. +# +# The API for the radiusclient library was changed at release 0.4.0. +# Unfortunately, the header file does not define a version number that clients +# can use to support both the old and new APIs. If you are using version 0.4.0 +# or later of the radiusclient library, you should use RADIUSCLIENTNEW. +# +# RADLIB is the Radius library that comes with FreeBSD (the header file is +# called radlib.h); you probably need to add -lradius to EXTRALIBS. +# +# If you do not set RADIUS_LIB_TYPE, Exim assumes the radiusclient library, +# using the original API. #------------------------------------------------------------------------------ @@ -776,6 +998,13 @@ ZCAT_COMMAND=/usr/bin/zcat # # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM # as well. +# +# To use a name other than exim in the tcpwrappers config file, +# e.g. if you're running multiple daemons with different access lists, +# or multiple MTAs with the same access list, define +# TCP_WRAPPERS_DAEMON_NAME accordingly +# +# TCP_WRAPPERS_DAEMON_NAME="exim" #------------------------------------------------------------------------------ @@ -819,11 +1048,15 @@ SYSTEM_ALIASES_FILE=/etc/aliases # USE_READLINE=yes -# You may need to add -ldl to EXTRA_LIBS when you set USE_READLINE=yes. +# You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. # Note that this option adds to the size of the Exim binary, because the # dynamic loading library is not otherwise included. +#------------------------------------------------------------------------------ +# Uncomment this setting to include IPv6 support. + +# HAVE_IPV6=yes ############################################################################### # THINGS YOU ALMOST NEVER NEED TO MENTION # @@ -846,8 +1079,10 @@ SYSTEM_ALIASES_FILE=/etc/aliases # CHOWN_COMMAND=/usr/bin/chown # CHGRP_COMMAND=/usr/bin/chgrp +# CHMOD_COMMAND=/usr/bin/chmod # MV_COMMAND=/bin/mv # RM_COMMAND=/bin/rm +# TOUCH_COMMAND=/usr/bin/touch # PERL_COMMAND=/usr/bin/perl @@ -1037,6 +1272,12 @@ TMPDIR="/tmp" # PERL_LIBS= +#------------------------------------------------------------------------------ +# If you wish to disable valgrind in the binary, define NVALGRIND=1. +# This should not be needed. + +# NVALGRIND=1 + #------------------------------------------------------------------------------ # Identifying the daemon: When an Exim daemon starts up, it writes its pid # (process id) to a file so that it can easily be identified. The path of the @@ -1077,4 +1318,40 @@ TMPDIR="/tmp" # SUPPORT_MOVE_FROZEN_MESSAGES=yes + +#------------------------------------------------------------------------------ +# Expanding match_* second paramters: BE CAREFUL IF ENABLING THIS! +# It has proven too easy in practice for administrators to configure security +# problems into their Exim install, by treating match_domain{}{} and friends +# as a form of string comparison, where the second string comes from untrusted +# data. Because these options take lists, which can include lookup;LOOKUPDATA +# style elements, a foe can then cause Exim to, eg, execute an arbitrary MySQL +# query, dropping tables. +# From Exim 4.77 onwards, the second parameter is not expanded; it can still +# be a list literal, or a macro, or a named list reference. There is also +# the new expansion condition "inlisti" which does expand the second parameter, +# but treats it as a list of strings; also, there's "eqi" which is probably +# what is normally wanted. +# +# If you really need to have the old behaviour, know what you are doing and +# will not complain if your system is compromised as a result of doing so, then +# uncomment this option to get the old behaviour back. + +# EXPAND_LISTMATCH_RHS=yes + +#------------------------------------------------------------------------------ +# Disabling the use of fsync(): DO NOT UNCOMMENT THE FOLLOWING LINE unless you +# really, really, really know what you are doing. And even then, think again. +# You should never uncomment this when compiling a binary for distribution. +# Use it only when compiling Exim for your own use. +# +# Uncommenting this line enables the use of a runtime option called +# disable_fsync, which can be used to stop Exim using fsync() to ensure that +# files are written to disc before proceeding. When this is disabled, crashes +# and hardware problems such as power outages can cause data to be lost. This +# feature should only be used in very exceptional circumstances. YOU HAVE BEEN +# WARNED. + +# ENABLE_DISABLE_FSYNC=yes + # End of EDITME for Exim 4.