. Update the Copyright year (only) when changing content.
. /////////////////////////////////////////////////////////////////////////////
-.set previousversion "4.87"
+.set previousversion "4.89"
.include ./local_params
.set ACL "access control lists (ACLs)"
.set I " "
.macro copyyear
-2016
+2017
.endmacro
. /////////////////////////////////////////////////////////////////////////////
.row &_filter.txt_& "specification of the filter language"
.row &_Exim3.upgrade_& "upgrade notes from release 2 to release 3"
.row &_Exim4.upgrade_& "upgrade notes from release 3 to release 4"
+.row &_openssl.txt_& "installing a current OpenSSL release"
.endtable
The main specification and the specification of the filtering language are also
examples, tips, and know-how that have been contributed by Exim users.
.cindex Bugzilla
-An Exim Bugzilla exists at &url(http://bugs.exim.org). You can use
+An Exim Bugzilla exists at &url(https://bugs.exim.org). You can use
this to report bugs, and also to add items to the wish list. Please search
first to check that you are not duplicating a previous entry.
Please ask Debian-specific questions on this list and not on the general Exim
lists.
-.section "Exim training" "SECID4"
-.cindex "training courses"
-Training courses in Cambridge (UK) used to be run annually by the author of
-Exim, before he retired. At the time of writing, there are no plans to run
-further Exim courses in Cambridge. However, if that changes, relevant
-information will be posted at &url(http://www-tus.csx.cam.ac.uk/courses/exim/).
-
.section "Bug reports" "SECID5"
.cindex "bug reports"
.cindex "reporting bugs"
Reports of obvious bugs can be emailed to &'bugs@exim.org'& or reported
-via the Bugzilla (&url(http://bugs.exim.org)). However, if you are unsure
+via the Bugzilla (&url(https://bugs.exim.org)). However, if you are unsure
whether some behaviour is a bug or not, the best thing to do is to post a
message to the &'exim-dev'& mailing list and have it discussed.
.cindex "distribution" "ftp site"
The master ftp site for the Exim distribution is
.display
-&*ftp://ftp.csx.cam.ac.uk/pub/software/email/exim*&
-.endd
-This is mirrored by
-.display
&*ftp://ftp.exim.org/pub/exim*&
.endd
The file references that follow are relative to the &_exim_& directories at
by Exim in conjunction with the &%-MC%& option. It signifies that the
remote host supports the ESMTP &_DSN_& extension.
-.new
-.vitem &%-MCG%&
+.vitem &%-MCG%&&~<&'queue&~name'&>
.oindex "&%-MCG%&"
This option is not intended for use by external callers. It is used internally
by Exim in conjunction with the &%-MC%& option. It signifies that an
-alternate queue is used, named by the following option.
-.wen
+alternate queue is used, named by the following argument.
+
+.vitem &%-MCK%&
+.oindex "&%-MCK%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option. It signifies that an
+remote host supports the ESMTP &_CHUNKING_& extension.
.vitem &%-MCP%&
.oindex "&%-MCP%&"
by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
host to which Exim is connected supports TLS encryption.
+.new
+.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&>
+.oindex "&%-MCt%&"
+This option is not intended for use by external callers. It is used internally
+by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
+connection is being proxied by a parent process for handling TLS encryption.
+The arguments give the local address and port being proxied, and the TLS cipher.
+.wen
+
.vitem &%-Mc%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
.oindex "&%-Mc%&"
.cindex "hints database" "not overridden by &%-Mc%&"
and &%-S%& options).
.cindex "queue runner" "description of operation"
-.new
If other commandline options do not specify an action,
-.wen
the &%-q%& option starts one queue runner process. This scans the queue of
waiting messages, and runs a delivery process for each one in turn. It waits
for each delivery process to finish before starting the next one. A delivery
be done. If a message requires any remote deliveries, it remains on the queue
for later delivery.
-.new
.vitem &%-q[q][i][f[f]][l][G<name>[/<time>]]]%&
.oindex "&%-qG%&"
.cindex queue named
For a periodic queue run (see below)
append to the name a slash and a time value.
-If other commandline options speicify an action, a &'-qG<name>'& option
+If other commandline options specify an action, a &'-qG<name>'& option
will specify a queue to operate on.
For example:
.code
exim -bp -qGquarantine
-mailq -qGquarantime
+mailq -qGquarantine
exim -qGoffpeak -Rf @special.domain.example
.endd
-.wen
.vitem &%-q%&<&'qflags'&>&~<&'start&~id'&>&~<&'end&~id'&>
When scanning the queue, Exim can be made to skip over messages whose ids are
.endd
on a line by itself. Double quotes round the file name are optional. If you use
the first form, a configuration error occurs if the file does not exist; the
-second form does nothing for non-existent files. In all cases, an absolute file
+second form does nothing for non-existent files.
+The first form allows a relative name. It is resolved relative to
+the directory of the including file. For the second form an absolute file
name is required.
Includes may be nested to any depth, but remember that Exim reads its
section &<<SECTnamedlists>>&.
+.section "Builtin macros" "SECTbuiltinmacros"
+Exim defines some macros depending on facilities available, which may
+differ due to build-time definitions and from one release to another.
+All of these macros start with an underscore.
+They can be used to conditionally include parts of a configuration
+(see below).
+
+The following classes of macros are defined:
+.display
+&` _HAVE_* `& build-time defines
+&` _DRIVER_ROUTER_* `& router drivers
+&` _DRIVER_TRANSPORT_* `& transport drivers
+&` _DRIVER_AUTHENTICATOR_* `& authenticator drivers
+&` _OPT_MAIN_* `& main config options
+&` _OPT_ROUTERS_* `& generic router options
+&` _OPT_TRANSPORTS_* `& generic transport options
+&` _OPT_AUTHENTICATORS_* `& generic authenticator options
+&` _OPT_ROUTER_*_* `& private router options
+&` _OPT_TRANSPORT_*_* `& private transport options
+&` _OPT_AUTHENTICATOR_*_* `& private authenticator options
+.endd
+
+Use an &"exim -bP macros"& command to get the list of macros.
+
+
.section "Conditional skips in the configuration file" "SECID46"
.cindex "configuration file" "conditional skips"
.cindex "&`.ifdef`&"
If an integer value is followed by the letter K, it is multiplied by 1024; if
it is followed by the letter M, it is multiplied by 1024x1024;
-.new
if by the letter G, 1024x1024x1024.
-.wen
When the values
of integer option settings are output, values which are an exact multiple of
1024 or 1024x1024 are sometimes, but not always, printed using the letters K
uses the PCRE regular expression library; this provides regular expression
matching that is compatible with Perl 5. The syntax and semantics of
regular expressions is discussed in
-.new
online Perl manpages, in
-.wen
many Perl reference books, and also in
Jeffrey Friedl's &'Mastering Regular Expressions'&, which is published by
O'Reilly (see &url(http://www.oreilly.com/catalog/regex2/)).
.next
.cindex "Redis lookup type"
.cindex lookup Redis
-&(redis)&: The format of the query is an SQL statement that is passed to a
-Redis database. See section &<<SECTsql>>&.
+&(redis)&: The format of the query is either a simple get or simple set,
+passed to a Redis database. See section &<<SECTsql>>&.
.next
.cindex "sqlite lookup type"
The form if &"retry_VAL"& where VAL is an integer.
The default count is set by the main configuration option &%dns_retry%&.
-.cindex cacheing "of dns lookup"
+.cindex caching "of dns lookup"
.cindex TTL "of dns lookup"
.cindex DNS TTL
Dnsdb lookup results are cached within a single process (and its children).
waits for the lock to be released. In Exim, the default timeout is set
to 5 seconds, but it can be changed by means of the &%sqlite_lock_timeout%&
option.
+
+.section "More about Redis" "SECTredis"
+.cindex "lookup" "Redis"
+.cindex "redis lookup type"
+Redis is a non-SQL database. Commands are simple get and set.
+Examples:
+.code
+${lookup redis{set keyname ${quote_redis:objvalue plus}}}
+${lookup redis{get keyname}}
+.endd
+
.ecindex IIDfidalo1
.ecindex IIDfidalo2
.cindex "expansion" "of lists"
Each list is expanded as a single string before it is used.
-.new
&'Exception: the router headers_remove option, where list-item
splitting is done before string-expansion.'&
-.wen
The result of
expansion must be a list, possibly containing empty items, which is split up
.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
-.cindex "expansion" "extracting cerificate fields"
+.cindex "expansion" "extracting certificate fields"
.cindex "&%certextract%&" "certificate fields"
.cindex "certificate" "extracting fields"
The <&'certificate'&> must be a variable of type certificate.
filter. Header lines that are added to a particular copy of a message by a
router or transport are not accessible.
-For incoming SMTP messages, no header lines are visible in ACLs that are obeyed
-before the DATA ACL, because the header structure is not set up until the
-message is received. Header lines that are added in a RCPT ACL (for example)
+For incoming SMTP messages, no header lines are visible in
+ACLs that are obeyed before the data phase completes,
+because the header structure is not set up until the message is received.
+They are visible in DKIM, PRDR and DATA ACLs.
+Header lines that are added in a RCPT ACL (for example)
are saved until the message's incoming header lines are available, at which
-point they are added. When a DATA ACL is running, however, header lines added
-by earlier ACLs are visible.
+point they are added.
+When any of the above ACLs ar
+running, however, header lines added by earlier ACLs are visible.
Upper case and lower case letters are synonymous in header names. If the
following character is white space, the terminating colon may be omitted, but
.vitem "&*${readsocket{*&<&'name'&>&*}{*&<&'request'&>&*}&&&
- {*&<&'timeout'&>&*}{*&<&'eol&~string'&>&*}{*&<&'fail&~string'&>&*}}*&"
+ {*&<&'options'&>&*}{*&<&'eol&~string'&>&*}{*&<&'fail&~string'&>&*}}*&"
.cindex "expansion" "inserting from a socket"
.cindex "socket, use of in expansion"
.cindex "&%readsocket%& expansion item"
.code
${readsocket{/socket/name}{request string}{3s}}
.endd
+The third argument is a list of options, of which the first element is the timeout
+and must be present if the argument is given.
+Further elements are options of form &'name=value'&.
+One option type is currently recognised, defining whether (the default)
+or not a shutdown is done on the connection after sending the request.
+Example, to not do so (preferred, eg. by some webservers):
+.code
+${readsocket{/socket/name}{request string}{3s:shutdown=no}}
+.endd
A fourth argument allows you to change any newlines that are in the data
that is read, in the same way as for &%readfile%& (see above). This example
turns them into spaces:
user@example.com
.endd
-.new
.vitem &*${base32:*&<&'digits'&>&*}*&
.cindex "&%base32%& expansion item"
.cindex "expansion" "conversion to base 32"
.cindex "expansion" "conversion to base 32"
The string must consist entirely of base-32 digits.
The number is converted to decimal and output as a string.
-.wen
.vitem &*${base62:*&<&'digits'&>&*}*&
.cindex "&%base62%& expansion item"
significant bit set (so-called &"8-bit characters"&) count as printing or not
is controlled by the &%print_topbitchars%& option.
-.new
.vitem &*${escape8bit:*&<&'string'&>&*}*&
.cindex "expansion" "escaping 8-bit characters"
.cindex "&%escape8bit%& expansion item"
If the string contains and characters with the most significant bit set,
they are converted to escape sequences starting with a backslash.
Backslashes and DEL characters are also converted.
-.wen
.vitem &*${eval:*&<&'string'&>&*}*&&~and&~&*${eval10:*&<&'string'&>&*}*&
.cindex certificate fingerprint
.cindex "expansion" "SHA-256 hashing"
.cindex "&%sha256%& expansion item"
-.new
The &%sha256%& operator computes the SHA-256 hash value of the string
and returns
it as a 64-digit hexadecimal number, in which any letters are in upper case.
-.wen
If the string is a single variable of type certificate,
returns the SHA-256 hash fingerprint of the certificate.
-.new
.vitem &*${sha3:*&<&'string'&>&*}*& &&&
&*${sha3_<n>:*&<&'string'&>&*}*&
.cindex "SHA3 hash"
The &%sha3%& expansion item is only supported if Exim has been
compiled with GnuTLS 3.5.0 or later.
-.wen
.vitem &*${stat:*&<&'string'&>&*}*&
hexadecimal digits. There may be fewer than eight components if an empty
component (adjacent colons) is present. Only one empty component is permitted.
-&*Note*&: The checks are just on the form of the address; actual numerical
-values are not considered. Thus, for example, 999.999.999.999 passes the IPv4
-check. The main use of these tests is to distinguish between IP addresses and
+.new
+&*Note*&: The checks used to be just on the form of the address; actual numerical
+values were not considered. Thus, for example, 999.999.999.999 passed the IPv4
+check.
+This is no longer the case.
+.wen
+
+The main use of these tests is to distinguish between IP addresses and
host names, or between IPv4 and IPv6 addresses. For example, you could use
.code
${if isip4{$sender_host_address}...
.cindex "uid (user id)" "of originating user"
.cindex "sender" "uid"
.vindex "&$caller_uid$&"
-.vindex "&$originaltor_uid$&"
+.vindex "&$originator_uid$&"
The value of &$caller_uid$& that was set when the message was received. For
messages received via the command line, this is the uid of the sending user.
For messages received by SMTP over TCP/IP, this is normally the uid of the Exim
qualified host name. See also &$smtp_active_hostname$&.
-.new
.vitem &$proxy_external_address$& &&&
&$proxy_external_port$& &&&
&$proxy_local_address$& &&&
&$proxy_local_port$& &&&
&$proxy_session$&
These variables are only available when built with Proxy Protocol
-or Socks5 support
+or SOCKS5 support.
For details see chapter &<<SECTproxyInbound>>&.
-.wen
.vitem &$prdr_requested$&
.cindex "PRDR" "variable for"
The value set for the &%qualify_recipient%& option in the configuration file,
or if not set, the value of &$qualify_domain$&.
-.new
.vitem &$queue_name$&
.vindex &$queue_name$&
.cindex "named queues"
.cindex queues named
The name of the spool queue in use; empty for the default queue.
-.wen
.vitem &$rcpt_count$&
.vindex "&$rcpt_count$&"
If you have changed &%host_lookup_order%& so that &`bydns`& is not the first
mechanism in the list, then this variable will be false.
+This requires that your system resolver library support EDNS0 (and that
+DNSSEC flags exist in the system headers). If the resolver silently drops
+all EDNS0 options, then this will have no effect. OpenBSD's asr resolver
+is known to currently ignore EDNS0, documented in CAVEATS of asr_run(3).
+
.vitem &$sender_host_name$&
.vindex "&$sender_host_name$&"
.vitem &$tls_in_ourcert$&
.vindex "&$tls_in_ourcert$&"
-.cindex certificate veriables
+.cindex certificate variables
This variable refers to the certificate presented to the peer of an
inbound connection when the message was received.
It is only useful as the argument of a
There is also a command line option &%-pd%& (for delay) which suppresses the
initial startup, even if &%perl_at_start%& is set.
-.new
.ilist
.oindex "&%perl_taintmode%&"
.cindex "Perl" "taintmode"
To provide more security executing Perl code via the embedded Perl
-interpeter, the &%perl_taintmode%& option can be set. This enables the
+interpreter, the &%perl_taintmode%& option can be set. This enables the
taint mode of the Perl interpreter. You are encouraged to set this
option to a true value. To avoid breaking existing installations, it
defaults to false.
-.wen
.section "Calling Perl subroutines" "SECID86"
.section "Miscellaneous" "SECID96"
.table2
.row &%bi_command%& "to run for &%-bi%& command line option"
+.row &%debug_store%& "do extra internal checks"
.row &%disable_ipv6%& "do no IPv6 processing"
.row &%keep_malformed%& "for broken files &-- should not happen"
.row &%localhost_number%& "for unique message ids in clusters"
.row &%slow_lookup_log%& "control logging of slow DNS lookups"
.row &%syslog_duplication%& "controls duplicate log lines on syslog"
.row &%syslog_facility%& "set syslog &""facility""& field"
+.row &%syslog_pid%& "pid in syslog lines"
.row &%syslog_processname%& "set syslog &""ident""& field"
.row &%syslog_timestamp%& "timestamp syslog lines"
.row &%write_rejectlog%& "control use of message log"
.option acl_smtp_dkim main string&!! unset
.cindex DKIM "ACL for"
This option defines the ACL that is run for each DKIM signature
+(by default, or as specified in the dkim_verify_signers option)
of a received message.
See chapter &<<CHAPdkim>>& for further details.
See section &<<CALLaddparcall>>& for details of how this value is used.
-.new
.option check_log_inodes main integer 100
-.wen
See &%check_spool_space%& below.
-.new
.option check_log_space main integer 10M
-.wen
See &%check_spool_space%& below.
.oindex "&%check_rfc2047_length%&"
set false, Exim recognizes encoded words of any length.
-.new
.option check_spool_inodes main integer 100
-.wen
See &%check_spool_space%& below.
-.new
.option check_spool_space main integer 10M
-.wen
.cindex "checking disk space"
.cindex "disk space, checking"
.cindex "spool directory" "checking space"
failure a message is written to stderr and Exim exits with a non-zero code, as
it obviously cannot send an error message of any kind.
-.new
There is a slight performance penalty for these checks.
Versions of Exim preceding 4.88 had these disabled by default;
-high-rate intallations confident they will never run out of resources
+high-rate installations confident they will never run out of resources
may wish to deliberately disable them.
-.wen
-.new
.option chunking_advertise_hosts main "host list&!!" *
.cindex CHUNKING advertisement
.cindex "RFC 3030" "CHUNKING"
The CHUNKING extension (RFC3030) will be advertised in the EHLO message to
these hosts.
Hosts may use the BDAT command as an alternate to DATA.
-.wen
+
+.option debug_store main boolean &`false`&
+.cindex debugging "memory corruption"
+.cindex memory debugging
+This option, when true, enables extra checking in Exim's internal memory
+management. For use when a memory corruption issue is being investigated,
+it should normally be left as default.
.option daemon_smtp_ports main string &`smtp`&
.cindex "port" "for daemon"
.option dns_use_edns0 main integer -1
.cindex "DNS" "resolver options"
.cindex "DNS" "EDNS0"
+.cindex "DNS" "OpenBSD
If this option is set to a non-negative number then Exim will initialise the
DNS resolver library to either use or not use EDNS0 extensions, overriding
the system default. A value of 0 coerces EDNS0 off, a value of 1 coerces EDNS0
If the resolver library does not support EDNS0 then this option has no effect.
+OpenBSD's asr resolver routines are known to ignore the EDNS0 option; this
+means that DNSSEC will not work with Exim on that platform either, unless Exim
+is linked against an alternative DNS client library.
+
.option drop_cr main boolean false
This is an obsolete option that is now a no-op. It used to affect the way Exim
.option event_action main string&!! unset
.cindex events
This option declares a string to be expanded for Exim's events mechanism.
-For details see &<<CHAPevents>>&.
+For details see chapter &<<CHAPevents>>&.
.option exim_group main string "compile-time configured"
.option hosts_proxy main "host list&!!" unset
.cindex proxy "proxy protocol"
This option enables use of Proxy Protocol proxies for incoming
-connections. For details see &<<SECTproxyInbound>>&.
+connections. For details see section &<<SECTproxyInbound>>&.
.option hosts_treat_as_local main "domain list&!!" unset
of SSL-on-connect.
In the event of failure to negotiate TLS, the action taken is controlled
by &%ldap_require_cert%&.
+This option is ignored for &`ldapi`& connections.
.option ldap_version main integer unset
transport driver.
-.option openssl_options main "string list" "+no_sslv2 +single_dh_use"
+.option openssl_options main "string list" "+no_sslv2 +single_dh_use +no_ticket"
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
run. If you do not want queue runs to occur, omit the &%-q%&&'xx'& setting on
the daemon's command line.
-.new
.cindex queues named
.cindex "named queues"
To set limits for different named queues use
an expansion depending on the &$queue_name$& variable.
-.wen
.option queue_smtp_domains main "domain list&!!" unset
.cindex "queueing incoming messages"
.option smtputf8_advertise_hosts main "host list&!!" *
.cindex "SMTPUTF8" "advertising"
When Exim is built with support for internationalised mail names,
-the availability therof is advertised in
+the availability thereof is advertised in
response to EHLO only to those client hosts that match this option. See
chapter &<<CHAPi18n>>& for details of Exim's support for internationalisation.
details of Exim's logging.
+.option syslog_pid main boolean true
+.cindex "syslog" "pid"
+If &%syslog_pid%& is set false, the PID on Exim's log lines are
+omitted when these lines are sent to syslog. (Syslog normally prefixes
+the log lines with the PID of the logging process automatically.) You need
+to enable the &`+pid`& log selector item, if you want Exim to write it's PID
+into the logs.) See chapter &<<CHAPlog>>& for details of Exim's logging.
+
+
.option syslog_processname main string &`exim`&
.cindex "syslog" "process name; setting"
appropriate &%system_filter_..._transport%& option(s) must be set, to define
which transports are to be used. Details of this facility are given in chapter
&<<CHAPsystemfilter>>&.
+A forced expansion failure results in no filter operation.
.option system_filter_directory_transport main string&!! unset
Server Name Indication extension, then this option and others documented in
&<<SECTtlssni>>& will be re-expanded.
-.new
If this option is unset or empty a fresh self-signed certificate will be
generated for every connection.
-.wen
.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
The value of this option is expanded and indicates the source of DH parameters
to be used by Exim.
-If it is a filename starting with a &`/`&, then it names a file from which DH
+&*Note: The Exim Maintainers strongly recommend using a filename with site-generated
+local DH parameters*&, which has been supported across all versions of Exim. The
+other specific constants available are a fallback so that even when
+"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.
+
+If &%tls_dhparam%& is a filename starting with a &`/`&,
+then it names a file from which DH
parameters should be loaded. If the file exists, it should hold a PEM-encoded
PKCS#3 representation of the DH prime. If the file does not exist, for
OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and
See section &<<SECTgnutlsparam>>& for further details.
If Exim is using OpenSSL and this option is empty or unset, then Exim will load
-a default DH prime; the default is the 2048 bit prime described in section
+a default DH prime; the default is Exim-specific but lacks verifiable provenance.
+
+In older versions of Exim the default was the 2048 bit prime described in section
2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which
in IKE is assigned number 23.
Otherwise, the option must expand to the name used by Exim for any of a number
-of DH primes specified in RFC 2409, RFC 3526 and RFC 5114. As names, Exim uses
-"ike" followed by the number used by IKE, or "default" which corresponds to
-"ike23".
+of DH primes specified in RFC 2409, RFC 3526, RFC 5114, RFC 7919, or from other
+sources. As names, Exim uses a standard specified name, else "ike" followed by
+the number used by IKE, or "default" which corresponds to
+&`exim.dev.20160529.3`&.
-The available primes are:
+The available standard primes are:
+&`ffdhe2048`&, &`ffdhe3072`&, &`ffdhe4096`&, &`ffdhe6144`&, &`ffdhe8192`&,
&`ike1`&, &`ike2`&, &`ike5`&,
&`ike14`&, &`ike15`&, &`ike16`&, &`ike17`&, &`ike18`&,
-&`ike22`&, &`ike23`& (aka &`default`&) and &`ike24`&.
+&`ike22`&, &`ike23`& and &`ike24`&.
+
+The available additional primes are:
+&`exim.dev.20160529.1`&, &`exim.dev.20160529.2`& and &`exim.dev.20160529.3`&.
Some of these will be too small to be accepted by clients.
Some may be too large to be accepted by clients.
+The open cryptographic community has suspicions about the integrity of some
+of the later IKE values, which led into RFC7919 providing new fixed constants
+(the "ffdhe" identifiers).
+
+At this point, all of the "ike" values should be considered obsolete;
+they're still in Exim to avoid breaking unusual configurations, but are
+candidates for removal the next time we have backwards-incompatible changes.
The TLS protocol does not negotiate an acceptable size for this; clients tend
to hard-drop connections if what is offered by the server is unacceptable,
acceptable bound from 1024 to 2048.
-.option tls_eccurve main string&!! prime256v1
+.option tls_eccurve main string&!! &`auto`&
.cindex TLS "EC cryptography"
-If built with a recent-enough version of OpenSSL,
-this option selects a EC curve for use by Exim.
+This option selects a EC curve for use by Exim when used with OpenSSL.
+It has no effect when Exim is used with GnuTLS.
+
+After expansion it must contain a valid EC curve parameter, such as
+&`prime256v1`&, &`secp384r1`&, or &`P-512`&. Consult your OpenSSL manual
+for valid selections.
-Curve names of the form &'prime256v1'& are accepted.
-For even more-recent library versions, names of the form &'P-512'&
-are also accepted, plus the special value &'auto'&
-which tells the library to choose.
+For OpenSSL versions before (and not including) 1.0.2, the string
+&`auto`& selects &`prime256v1`&. For more recent OpenSSL versions
+&`auto`& tells the library to choose.
-If the option is set to an empty string, no EC curves will be enabled.
+If the option expands to an empty string, no EC curves will be enabled.
.option tls_ocsp_file main string&!! unset
.option event_action transports string&!! unset
.cindex events
This option declares a string to be expanded for Exim's events mechanism.
-For details see &<<CHAPevents>>&.
+For details see chapter &<<CHAPevents>>&.
.option group transports string&!! "Exim group"
.cindex "hints database" "transport concurrency control"
Exim implements this control by means of a hints database in which a record is
-incremented whenever a transport process is beaing created. The record
+incremented whenever a transport process is being created. The record
is decremented and possibly removed when the process terminates.
Obviously there is scope for
records to get left lying around if there is a system or program crash. To
&`\n`& to &`\r\n`& in &%message_suffix%&.
-.option path pipe string "see below"
-This option specifies the string that is set up in the PATH environment
-variable of the subprocess. The default is:
-.code
-/bin:/usr/bin
-.endd
+.option path pipe string&!! "/bin:/usr/bin"
+This option is expanded and
+specifies the string that is set up in the PATH environment
+variable of the subprocess.
If the &%command%& option does not yield an absolute path name, the command is
sought in the PATH directories, in the usual way. &*Warning*&: This does not
apply to a command specified as a transport filter.
.option dkim_canon smtp string&!! unset
.option dkim_strict smtp string&!! unset
.option dkim_sign_headers smtp string&!! unset
-DKIM signing options. For details see &<<SECDKIMSIGN>>&.
+DKIM signing options. For details see section &<<SECDKIMSIGN>>&.
.option delay_after_cutoff smtp boolean true
message on the same connection. See section &<<SECTmulmessam>>& for an
explanation of when this might be needed.
+.new
+.option hosts_noproxy_tls smtp "host list&!!" *
+.cindex "TLS" "passing connection"
+.cindex "multiple SMTP deliveries"
+.cindex "TLS" "multiple message deliveries"
+For any host that matches this list, a TLS session which has
+been started will not be passed to a new delivery process for sending another
+message on the same session.
+
+The traditional implementation closes down TLS and re-starts it in the new
+process, on the same open TCP connection, for each successive message
+sent. If permitted by this option a pipe to to the new process is set up
+instead, and the original process maintains the TLS connection and proxies
+the SMTP connection from and to the new process and any subsequents.
+The new process has no access to TLS information, so cannot include it in
+logging.
+.wen
+
+
.option hosts_override smtp boolean false
If this option is set and the &%hosts%& option is also set, any hosts that are
unauthenticated. See also &%hosts_require_auth%&, and chapter
&<<CHAPSMTPAUTH>>& for details of authentication.
-.new
.option hosts_try_chunking smtp "host list&!!" *
.cindex CHUNKING "enabling, in client"
.cindex BDAT "SMTP command"
.cindex "RFC 3030" "CHUNKING"
-This option provides a list of server to which, provided they announce
+This option provides a list of servers to which, provided they announce
CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
-BDAT will not be used in conjuction with a transport filter.
-.wen
+BDAT will not be used in conjunction with a transport filter.
+
+.option hosts_try_fastopen smtp "host list!!" unset
+.cindex "fast open, TCP" "enabling, in client"
+.cindex "TCP Fast Open" "enabling, in client"
+.cindex "RFC 7413" "TCP Fast Open"
+This option provides a list of servers to which, provided
+the facility is supported by this system, Exim will attempt to
+perform a TCP Fast Open.
+No data is sent on the SYN segment but, if the remote server also
+supports the facility, it can send its SMTP banner immediately after
+the SYN,ACK segment. This can save up to one round-trip time.
+
+The facility is only active for previously-contacted servers,
+as the initiator must present a cookie in the SYN segment.
+
+On (at least some) current Linux distributions the facility must be enabled
+in the kernel by the sysadmin before the support is usable.
.option hosts_try_prdr smtp "host list&!!" *
.cindex "PRDR" "enabling, optional in client"
.option socks_proxy smtp string&!! unset
.cindex proxy SOCKS
This option enables use of SOCKS proxies for connections made by the
-transport. For details see &<<SECTproxySOCKS>>&.
+transport. For details see section &<<SECTproxySOCKS>>&.
.option tls_certificate smtp string&!! unset
deliver the message unauthenticated.
.endlist
+Note that the hostlist test for whether to do authentication can be
+confused if name-IP lookups change between the time the peer is decided
+on and the transport running. For example, with a manualroute
+router given a host name, and DNS "round-robin" use by that name: if
+the local resolver cache times out between the router and the transport
+running, the transport may get an IP for the name for its authentication
+check which does not match the connection peer IP.
+No authentication will then be done, despite the names being identical.
+
+For such cases use a separate transport which always authenticates.
+
.cindex "AUTH" "on MAIL command"
When Exim has authenticated itself to a remote server, it adds the AUTH
parameter to the MAIL commands it sends, if it has an authenticated sender for
.endd
This accepts a client certificate that is verifiable against any
of your configured trust-anchors
-which usually means the full set of public CAs)
+(which usually means the full set of public CAs)
and which has a SAN with a good account name.
Note that the client cert is on the wire in-clear, including the SAN,
whereas a plaintext SMTP AUTH done inside TLS is not.
.cindex "TLS" "configuring an Exim server"
When Exim has been built with TLS support, it advertises the availability of
the STARTTLS command to client hosts that match &%tls_advertise_hosts%&,
-but not to any others. The default value of this option is unset, which means
-that STARTTLS is not advertised at all. This default is chosen because you
-need to set some other options in order to make TLS available, and also it is
-sensible for systems that want to use TLS only as a client.
+but not to any others. The default value of this option is *, which means
+that STARTTLS is alway advertised. Set it to blank to never advertise;
+this is reasonble for systems that want to use TLS only as a client.
+
+If STARTTLS is to be used you
+need to set some other options in order to make TLS available.
If a client issues a STARTTLS command and there is some configuration
problem in the server, the command is rejected with a 454 error. If the client
To enable TLS operations on a server, the &%tls_advertise_hosts%& option
must be set to match some hosts. The default is * which matches all hosts.
-.new
If this is all you do, TLS encryption will be enabled but not authentication -
meaning that the peer has no assurance it is actually you he is talking to.
You gain protection from a passive sniffer listening on the wire but not
from someone able to intercept the communication.
-.wen
Further protection requires some further configuration at the server end.
Great care should be taken to deal with matters of case, various injection
attacks in the string (&`../`& or SQL), and ensuring that a valid filename
-can always be referenced; it is important to remember that &$tls_sni$& is
+can always be referenced; it is important to remember that &$tls_in_sni$& is
arbitrary unverified data provided prior to authentication.
+Further, the initial certificate is loaded before SNI is arrived, so
+an expansion for &%tls_certificate%& must have a default which is used
+when &$tls_in_sni$& is empty.
The Exim developers are proceeding cautiously and so far no other TLS options
are re-expanded.
the ACL specified by &%acl_smtp_data%&, which is the second ACL that is
associated with the DATA command.
-.new
.cindex CHUNKING "BDAT command"
.cindex BDAT "SMTP command"
.cindex "RFC 3030" CHUNKING
. XXX why not? It should be possible, for the first BDAT.
The &%acl_smtp_data%& is run after the last BDAT command and all of
the data specified is received.
-.wen
For both of these ACLs, it is not possible to reject individual recipients. An
error response rejects the entire message. Unfortunately, it is known that some
remaining recipients. The &"discard"& return is not permitted for the
&%acl_smtp_predata%& ACL.
+If the ACL for VRFY returns &"accept"&, a recipient verify (without callout)
+is done on the address and the result determines the SMTP response.
+
.cindex "&[local_scan()]& function" "when all recipients discarded"
The &[local_scan()]& function is always run, even if there are no remaining
effect.
-.new
.vitem &*queue*&&~=&~<&'text'&>
This modifier specifies the use of a named queue for spool files
for the message.
of traffic, or for quarantine of messages.
Separate queue-runner processes will be needed for named queues.
If the text after expansion is empty, the default queue is used.
-.wen
.vitem &*remove_header*&&~=&~<&'text'&>
Cutthrough delivery is not supported via transport-filters or when DKIM signing
of outgoing messages is done, because it sends data to the ultimate destination
before the entire message has been received from the source.
-It is not supported for messages received with the SMTP PRDR option in use.
+It is not supported for messages received with the SMTP PRDR
+or CHUNKING
+options in use.
Should the ultimate destination system positively accept or reject the mail,
a corresponding indication is given to the source system and nothing is queued.
the delivery log lines are tagged with ">>" rather than "=>" and appear
before the acceptance "<=" line.
-.new
If there is a temporary error the item is queued for later delivery in the
usual fashion.
This behaviour can be adjusted by appending the option &*defer=*&<&'value'&>
to the control; the default value is &"spool"& and the alternate value
&"pass"& copies an SMTP defer response from the target back to the initiator
and does not queue the message.
-Note that this is independent of any receipient verify conditions in the ACL.
-.wen
+Note that this is independent of any recipient verify conditions in the ACL.
Delivery in this mode avoids the generation of a bounce mail to a
(possibly faked)
.cindex "&ACL;" "enabling debug logging"
.cindex "debugging" "enabling from an ACL"
This control turns on debug logging, almost as though Exim had been invoked
-with &`-d`&, with the output going to a new logfile, by default called
-&'debuglog'&. The filename can be adjusted with the &'tag'& option, which
+with &`-d`&, with the output going to a new logfile in the usual logs directory,
+by default called &'debuglog'&.
+The filename can be adjusted with the &'tag'& option, which
may access any variables already defined. The logging may be adjusted with
the &'opts'& option, which takes the same values as the &`-d`& command-line
option.
-.new
-Logging may be stopped, and the file removed, with the &'kill'& option.
-.wen
+Logging started this way may be stopped, and the file removed,
+with the &'kill'& option.
Some examples (which depend on variables that don't exist in all
contexts):
.code
.vitem &*control&~=&~utf8_downconvert*&
This control enables conversion of UTF-8 in message addresses
to a-label form.
-For details see &<<SECTi18nMTA>>&.
+For details see section &<<SECTi18nMTA>>&.
.endlist vlist
.cindex "&%verify%& ACL condition"
This is a variation of the previous option, in which a modified address is
verified as a sender.
+
+Note that '/' is legal in local-parts; if the address may have such
+(eg. is generated from the received message)
+they must be protected from the options parsing by doubling:
+.code
+verify = sender=${sg{${address:$h_sender:}}{/}{//}}
+.endd
.endlist
warn message = X-Warn: sending host is on dialups list
dnslists = dialups.mail-abuse.org
.endd
-.cindex cacheing "of dns lookup"
+.cindex caching "of dns lookup"
.cindex DNS TTL
DNS list lookups are cached by Exim for the duration of the SMTP session
(but limited by the DNS return TTL value),
and the outer dnsdb lookup finds the IP addresses for these hosts. The result
of expanding the condition might be something like this:
.code
-dnslists = sbl.spahmaus.org/<|192.168.2.3|192.168.5.6|...
+dnslists = sbl.spamhaus.org/<|192.168.2.3|192.168.5.6|...
.endd
Thus, this example checks whether or not the IP addresses of the sender
domain's mail servers are on the Spamhaus black list.
need to use this option unless you know that the called hosts make use of the
sender when checking recipients. If used indiscriminately, it reduces the
usefulness of callout caching.
+
+.new
+.vitem &*hold*&
+This option applies to recipient callouts only. For example:
+.code
+require verify = recipient/callout=use_sender,hold
+.endd
+It causes the connection to be helod open and used for any further recipients
+and for eventual delivery (should that be done quickly).
+Doing this saves on TCP and SMTP startup costs, and TLS costs also
+when that is used for the connections.
+The advantage is only gained if there are no callout cache hits
+(which could be enforced by the no_cache option),
+if the use_sender option is used,
+if neither the random nor the use_postmaster option is used,
+and if no other callouts intervene.
+.wen
.endlist
If you use any of the parameters that set a non-empty sender for the MAIL
.endd
If you omit the argument, the default values show above are used.
+.new
+.vitem &%f-prot6d%&
+.cindex "virus scanners" "f-prot6d"
+The f-prot6d scanner is accessed using the FPSCAND protocol over TCP.
+One argument is taken, being a space-separated hostname and port number.
+For example:
+.code
+av_scanner = f-prot6d:localhost 10200
+.endd
+If you omit the argument, the default values show above are used.
+.wen
+
.vitem &%fsecure%&
.cindex "virus scanners" "F-Secure"
The F-Secure daemon scanner (&url(http://www.f-secure.com)) takes one
.code
spamd_address = 192.168.99.45 387
.endd
+The SpamAssassin protocol relies on a TCP half-close from the client.
+If your SpamAssassin client side is running a Linux system with an
+iptables firewall, consider setting
+&%net.netfilter.nf_conntrack_tcp_timeout_close_wait%& to at least the
+timeout, Exim uses when waiting for a response from the SpamAssassin
+server (currently defaulting to 120s). With a lower value the Linux
+connection tracking may consider your half-closed connection as dead too
+soon.
+
To use Rspamd (which by default listens on all local addresses
on TCP port 11333)
A multiline text table, containing the full SpamAssassin report for the
message. Useful for inclusion in headers or reject messages.
This variable is only usable in a DATA-time ACL.
-.new
Beware that SpamAssassin may return non-ASCII characters, especially
when running in country-specific locales, which are not legal
unencoded in headers.
-.wen
.vitem &$spam_action$&
For SpamAssassin either 'reject' or 'no action' depending on the
flagged with &`->`& instead of &`=>`&. When two or more messages are delivered
down a single SMTP connection, an asterisk follows the IP address in the log
lines for the second and subsequent messages.
+.new
+When two or more messages are delivered down a single TLS connection, the
+DNS and some TLS-related information logged for the first message delivered
+will not be present in the log lines for the second and subsequent messages.
+TLS cipher information is still available.
+.wen
.cindex "delivery" "cutthrough; logging"
.cindex "cutthrough" "logging"
&%proxy%&: The internal (closest to the system running Exim) IP address
of the proxy, tagged by PRX=, on the &"<="& line for a message accepted
on a proxied connection
-or the &"=>"& line for a message delivered on a proxied connection..
+or the &"=>"& line for a message delivered on a proxied connection.
See &<<SECTproxyInbound>>& for more information.
.next
.cindex "log" "incoming remote port"
.next
.cindex "log" "outgoing remote port"
.cindex "port" "logging outgoint remote"
-.cindex "TCP/IP" "logging ougtoing remote port"
+.cindex "TCP/IP" "logging outgoing remote port"
&%outgoing_port%&: The remote port number is added to delivery log lines (those
containing => tags) following the IP address.
The local port is also added if &%incoming_interface%& and
.cindex "&'exipick'&"
John Jetmore's &'exipick'& utility is included in the Exim distribution. It
lists messages from the queue according to a variety of criteria. For details
-of &'exipick'&'s facilities, visit the web page at
-&url(http://www.exim.org/eximwiki/ToolExipickManPage) or run &'exipick'& with
+of &'exipick'&'s facilities, run &'exipick'& with
the &%--help%& option.
.next
.vindex "&$body_linecount$&"
If you change the number of lines in the file, the value of
-&$body_linecount$&, which is stored in the -H file, will be incorrect. At
-present, this value is not used by Exim, but there is no guarantee that this
-will always be the case.
+&$body_linecount$&, which is stored in the -H file, will be incorrect and can
+cause incomplete transmission of messages or undeliverable messages.
.next
If the message is in MIME format, you must take care not to break it.
.next
MANDATORY:
The domain you want to sign with. The result of this expanded
option is put into the &%$dkim_domain%& expansion variable.
+If it is empty after expansion, DKIM signing is not done.
.option dkim_selector smtp string&!! unset
MANDATORY:
.vitem &%$dkim_copiedheaders%&
A transcript of headers and their values which are included in the signature
(copied from the 'z=' tag of the signature).
-.new
Note that RFC6376 requires that verification fail if the From: header is
not included in the signature. Exim does not enforce this; sites wishing
strict enforcement should code the check explicitly.
-.wen
.vitem &%$dkim_bodylength%&
The number of signed body bytes. If zero ("0"), the body is unsigned. If no
dkim_status = none
.endd
-.new
Note that the above does not check for a total lack of DKIM signing;
for that check for empty &$h_DKIM-Signature:$& in the data ACL.
-.wen
.vitem &%dkim_status%&
ACL condition that checks a colon-separated list of possible DKIM verification
in Local/Makefile.
It was built on specifications from:
-http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+(&url(http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt)).
That URL was revised in May 2014 to version 2 spec:
-http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e
+(&url(http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e)).
The purpose of this facility is so that an application load balancer,
such as HAProxy, can sit in front of several Exim servers
Use of a proxy is enabled by setting the &%hosts_proxy%&
main configuration option to a hostlist; connections from these
hosts will use Proxy Protocol.
+Exim supports both version 1 and version 2 of the Proxy Protocol and
+automatically determines which version is in use.
+
+The Proxy Protocol header is the first data received on a TCP connection
+and is inserted before any TLS-on-connect handshake from the client; Exim
+negotiates TLS between Exim-as-server and the remote client, not between
+Exim and the proxy server.
-.new
The following expansion variables are usable
(&"internal"& and &"external"& here refer to the interfaces
of the proxy):
.display
&'proxy_external_address '& IP of host being proxied or IP of remote interface of proxy
&'proxy_external_port '& Port of host being proxied or Port on remote interface of proxy
-&'proxy_local_address '& IP of proxy server inbound or IP of local interface of proxy
-&'proxy_local_port '& Port of proxy server inbound or Port on local interface of proxy
-&'proxy_session '& boolean: SMTP connection via proxy
+&'proxy_local_address '& IP of proxy server inbound or IP of local interface of proxy
+&'proxy_local_port '& Port of proxy server inbound or Port on local interface of proxy
+&'proxy_session '& boolean: SMTP connection via proxy
.endd
If &$proxy_session$& is set but &$proxy_external_address$& is empty
there was a protocol error.
-.wen
Since the real connections are all coming from the proxy, and the
per host connection tracking is done before Proxy Protocol is
To include this it must be built with SUPPORT_I18N and the libidn library.
Standards supported are RFCs 2060, 5890, 6530 and 6533.
+If Exim is built with SUPPORT_I18N_2008 (in addition to SUPPORT_I18N, not
+instead of it) then IDNA2008 is supported; this adds an extra library
+requirement, upon libidn2.
+
.section "MTA operations" SECTi18nMTA
.cindex SMTPUTF8 "ESMTP option"
The main configuration option &%smtputf8_advertise_hosts%& specifies
.cindex events
The events mechanism in Exim can be used to intercept processing at a number
-of points. It was originally invented to giave a way to do customised logging
+of points. It was originally invented to give a way to do customised logging
actions (for example, to a database) but can also be used to modify some
processing actions.
&`msg:rcpt:host:defer after transport `& per recipient per host
&`msg:rcpt:defer after transport `& per recipient
&`msg:host:defer after transport `& per attempt
-&`msg:fail:delivery after main `& per recipient
+&`msg:fail:delivery after transport `& per recipient
&`msg:fail:internal after main `& per recipient
&`tcp:connect before transport `& per connection
&`tcp:close after transport `& per connection
before or after the action is associates with. Those which fire before
can be used to affect that action (more on this below).
+.new
+The third column in the table above says what section of the configumration
+should define the event action.
+.wen
+
An additional variable, &$event_data$&, is filled with information varying
with the event type:
.display
-&`msg:delivery `& smtp confirmation mssage
+&`msg:delivery `& smtp confirmation message
&`msg:rcpt:host:defer `& error string
&`msg:rcpt:defer `& error string
&`msg:host:defer `& error string
The :defer events populate one extra variable: &$event_defer_errno$&.
For complex operations an ACL expansion can be used in &%event_action%&
-however due to the multiple contextx that Exim operates in during
+however due to the multiple contexts that Exim operates in during
the course of its processing:
.ilist
variables set in transport events will not be visible outside that