-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.77 2010/06/05 11:13:29 pdp Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.87 2010/06/12 15:21:25 jetmore Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
.section "Use of tcpwrappers" "SECID27"
.cindex "tcpwrappers, building Exim to support"
.cindex "USE_TCP_WRAPPERS"
+.cindex "TCP_WRAPPERS_DAEMON_NAME"
+.cindex "tcp_wrappers_daemon_name"
Exim can be linked with the &'tcpwrappers'& library in order to check incoming
SMTP calls using the &'tcpwrappers'& control files. This may be a convenient
alternative to Exim's own checking facilities for installations that are
CFLAGS=-O -I/usr/local/include
EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
.endd
-in &_Local/Makefile_&. The name to use in the &'tcpwrappers'& control files is
-&"exim"&. For example, the line
+in &_Local/Makefile_&. The daemon name to use in the &'tcpwrappers'& control
+files is &"exim"&. For example, the line
.code
exim : LOCAL 192.168.1. .friendly.domain.example
.endd
in your &_/etc/hosts.allow_& file allows connections from the local host, from
the subnet 192.168.1.0/24, and from all hosts in &'friendly.domain.example'&.
-All other connections are denied. Consult the &'tcpwrappers'& documentation for
+All other connections are denied. The daemon name used by &'tcpwrappers'&
+can be changed at build time by setting TCP_WRAPPERS_DAEMON_NAME in
+in &_Local/Makefile_&, or by setting tcp_wrappers_daemon_name in the
+configure file. Consult the &'tcpwrappers'& documentation for
further details.
The same output is generated if the Exim binary is called with no options and
no arguments.
+.vitem &%--version%&
+.oindex "&%--version%&"
+This option is an alias for &%-bV%& and causes version information to be
+displayed.
+
.vitem &%-B%&<&'type'&>
.oindex "&%-B%&"
.cindex "8-bit characters"
this option, so if av_scanner's value is dependent upon an expansion then
the expansion should have defaults which apply to this invocation. Exim will
have changed working directory before resolving the filename, so using fully
-qualified pathnames is advisable. This option requires admin privileges.
+qualified pathnames is advisable. Exim will be running as the Exim user
+when it tries to open the file, rather than as the invoking user.
+This option requires admin privileges.
+
+The &%-bmalware%& option will not be extended to be more generally useful,
+there are better tools for file-scanning. This option exists to help
+administrators verify their Exim and AV scanner configuration.
.vitem &%-bt%&
.oindex "&%-bt%&"
.vitem &%-Mvc%&&~<&'message&~id'&>
.oindex "&%-Mvc%&"
.cindex "message" "listing in RFC 2822 format"
-.cindex "listing" "message in RFC 2922 format"
+.cindex "listing" "message in RFC 2822 format"
This option causes a copy of the complete message (header lines plus body) to
be written to the standard output in RFC 2822 format. This option can be used
only by an admin user.
random().
+.vitem &*${reverse_ip:*&<&'ipaddr'&>&*}*&
+.cindex "expansion" "IP address"
+This operator reverses an IP address; for IPv4 addresses, the result is in
+dotted-quad decimal form, while for IPv6 addreses the result is in
+dotted-nibble hexadecimal form. In both cases, this is the "natural" form
+for DNS. For example,
+.code
+${reverse_ip:192.0.2.4} and ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3}
+.endd
+returns
+.code
+4.2.0.192 and 3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
+.endd
+
+
.vitem &*${rfc2047:*&<&'string'&>&*}*&
.cindex "expansion" "RFC 2047"
.cindex "RFC 2047" "expansion operator"
This condition turns a string holding a true or false representation into
a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"&
(case-insensitively); also positive integer numbers map to true if non-zero,
-false if zero. Leading whitespace is ignored.
+false if zero. Leading and trailing whitespace is ignored.
All other string values will result in expansion failure.
When combined with ACL variables, this expansion condition will let you
make decisions in one place and act on those decisions in another place.
-For example,
+For example:
.code
${if bool{$acl_m_privileged_sender} ...
.endd
+.vitem &*bool_lax&~{*&<&'string'&>&*}*&
+.cindex "expansion" "boolean parsing"
+.cindex "&%bool_lax%& expansion condition"
+Like &%bool%&, this condition turns a string into a boolean state. But
+where &%bool%& accepts a strict set of strings, &%bool_lax%& uses the same
+loose definition that the Router &%condition%& option uses. The empty string
+and the values &"false"&, &"no"& and &"0"& map to false, all others map to
+true. Leading and trailing whitespace is ignored.
+
+Note that where &"bool{00}"& is false, &"bool_lax{00}"& is true.
+
.vitem &*crypteq&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
.cindex "expansion" "encrypted comparison"
.cindex "encrypted strings, comparing"
.row &%acl_smtp_auth%& "ACL for AUTH"
.row &%acl_smtp_connect%& "ACL for connection"
.row &%acl_smtp_data%& "ACL for DATA"
+.row &%acl_smtp_dkim%& "ACL for DKIM verification"
.row &%acl_smtp_etrn%& "ACL for ETRN"
.row &%acl_smtp_expn%& "ACL for EXPN"
.row &%acl_smtp_helo%& "ACL for EHLO or HELO"
.code
sophie:/var/run/sophie
.endd
-If the value of &%av_scanner%& starts with dollar character, it is expanded
+If the value of &%av_scanner%& starts with a dollar character, it is expanded
before use. See section &<<SECTscanvirus>>& for further details.
If the result is any other value, the router is run (as this is the last
precondition to be evaluated, all the other preconditions must be true).
+This option is unique in that multiple &%condition%& options may be present.
+All &%condition%& options must succeed.
+
The &%condition%& option provides a means of applying custom conditions to the
running of routers. Note that in the case of a simple conditional expansion,
the default expansion values are exactly what is wanted. For example:
.code
condition = ${if >{$message_age}{600}{true}{}}
.endd
+A multiple condition example, which succeeds:
+.code
+condition = ${if >{$message_age}{600}}
+condition = ${if !eq{${lc:$local_part}}{postmaster}}
+condition = foobar
+.endd
If the expansion fails (other than forced failure) delivery is deferred. Some
of the other precondition options are common special cases that could in fact
be specified using &%condition%&.
Notice that we put back the lower cased version afterwards, assuming that
is what is wanted for subsequent tests.
+.vitem &*control&~=&~debug/*&<&'options'&>
+.cindex "&ACL;" "enabling debug logging"
+.cindex "debugging" "enabling from an ACL"
+This control turns on debug logging, almost as though Exim had been invoked
+with &`-d`&, with the output going to a new logfile, by default called
+&'debuglog'&. The filename can be adjusted with the &'tag'& option, which
+may access any variables already defined. The logging may be adjusted with
+the &'opts'& option, which takes the same values as the &`-d`& command-line
+option. Some examples (which depend on variables that don't exist in all
+contexts):
+.code
+ control = debug
+ control = debug/tag=.$sender_host_address
+ control = debug/opts=+expand+acl
+ control = debug/tag=.$message_exim_id/opts=+expand
+.endd
+
.vitem &*control&~=&~enforce_sync*& &&&
&*control&~=&~no_enforce_sync*&
.cindex "SMTP" "synchronization checking"
.code
av_scanner = sophie:/var/run/sophie
.endd
-If the value of &%av_scanner%& starts with dollar character, it is expanded
+If the value of &%av_scanner%& starts with a dollar character, it is expanded
before use. The following scanner types are supported in this release:
.vlist
.cindex "spam scanning" "returned variables"
When the &%spam%& condition is run, it sets up a number of expansion
-variables. With the exception of &$spam_score_int$&, these are usable only
-within ACLs; their values are not retained with the message and so cannot be
-used at delivery time.
+variables. These variables are saved with the received message, thus they are
+available for use at delivery time.
.vlist
.vitem &$spam_score$&
The spam score of the message, multiplied by ten, as an integer value. For
example &"34"& or &"305"&. It may appear to disagree with &$spam_score$&
because &$spam_score$& is rounded and &$spam_score_int$& is truncated.
-The integer value is useful for numeric comparisons in
-conditions. This variable is special; its value is saved with the message, and
-written to Exim's spool file. This means that it can be used during the whole
-life of the message on your Exim system, in particular, in routers or
-transports during the later delivery phase.
+The integer value is useful for numeric comparisons in conditions.
+
.vitem &$spam_bar$&
A string consisting of a number of &"+"& or &"-"& characters, representing the
.next
Verify signatures in incoming messages: This is implemented by an additional
ACL (acl_smtp_dkim), which can be called several times per message, with
-different signature context.
+different signature contexts.
.endlist
In typical Exim style, the verification implementation does not include any
These options take (expandable) strings as arguments.
.option dkim_domain smtp string&!! unset
-MANDATORY
+MANDATORY:
The domain you want to sign with. The result of this expanded
option is put into the &%$dkim_domain%& expansion variable.
.option dkim_selector smtp string&!! unset
-MANDATORY
+MANDATORY:
This sets the key selector string. You can use the &%$dkim_domain%& expansion
variable to look up a matching selector. The result is put in the expansion
variable &%$dkim_selector%& which should be used in the &%dkim_private_key%&
option along with &%$dkim_domain%&.
.option dkim_private_key smtp string&!! unset
-MANDATORY
+MANDATORY:
This sets the private key to use. You can use the &%$dkim_domain%& and
&%$dkim_selector%& expansion variables to determine the private key to use.
The result can either
.endlist
.option dkim_canon smtp string&!! unset
-OPTIONAL
+OPTIONAL:
This option sets the canonicalization method used when signing a message.
The DKIM RFC currently supports two methods: "simple" and "relaxed".
The option defaults to "relaxed" when unset. Note: the current implementation
only supports using the same canonicalization method for both headers and body.
.option dkim_strict smtp string&!! unset
-OPTIONAL
+OPTIONAL:
This option defines how Exim behaves when signing a message that
should be signed fails for some reason. When the expansion evaluates to
either "1" or "true", Exim will defer. Otherwise Exim will send the message
variables here.
.option dkim_sign_headers smtp string&!! unset
-OPTIONAL
+OPTIONAL:
When set, this option must expand to (or be specified as) a colon-separated
list of header names. Headers with these names will be included in the message
signature. When unspecified, the header names recommended in RFC4871 will be
The global option &%dkim_verify_signers%& can be set to a colon-separated
list of DKIM domains or identities for which the ACL &%acl_smtp_dkim%& is
called. It is expanded when the message has been received. At this point,
-the expansion variable &%$dkim_signers%& already contains a colon-
-separated list of signer domains and identities for the message. When
+the expansion variable &%$dkim_signers%& already contains a colon-separated
+list of signer domains and identities for the message. When
&%dkim_verify_signers%& is not specified in the main configuration,
it defaults as:
.code
.endd
This would result in &%acl_smtp_dkim%& always being called for "paypal.com"
and "ebay.com", plus all domains and identities that have signatures in the message.
-You can also be more creative in constructing your policy. Example:
+You can also be more creative in constructing your policy. For example:
.code
dkim_verify_signers = $sender_address_domain:$dkim_signers
.endd
.vlist
.vitem &%$dkim_cur_signer%&
-The signer that is being evaluated in this ACL run. This can be domain or
+The signer that is being evaluated in this ACL run. This can be a domain or
an identity. This is one of the list items from the expanded main option
&%dkim_verify_signers%& (see above).
.vitem &%$dkim_verify_status%&
if there is an actual signature in the message for the current domain or
identity (as reflected by &%$dkim_cur_signer%&).
.vitem &%$dkim_selector%&
-The key record selector string
+The key record selector string.
.vitem &%$dkim_algo%&
The algorithm used. One of 'rsa-sha1' or 'rsa-sha256'.
.vitem &%$dkim_canon_body%&
Key granularity (tag g=) from the key record. Defaults to "*" if not specified
in the key record.
.vitem &%$dkim_key_notes%&
-Notes from the key record (tag n=)
+Notes from the key record (tag n=).
.endlist
In addition, two ACL conditions are provided:
ACL condition that checks a colon-separated list of domains or identities
for a match against the domain or identity that the ACL is currently verifying
(reflected by &%$dkim_cur_signer%&). This is typically used to restrict an ACL
-verb to a group of domains or identities, like:
+verb to a group of domains or identities. For example:
.code
# Warn when message apparently from GMail has no signature at all