-## $Cambridge: exim/doc/doc-src/FAQ.src,v 1.6 2005/02/15 09:27:45 ph10 Exp $
##
## This file is processed by Perl scripts to produce an ASCII and an HTML
## version. Lines starting with ## are omitted. The markup used with paragraphs
You can test the link using pings of large packets and see what works:
-==> ping -s host 2048
+==> ping -s host 2048
Try reducing the MTU on the sending host:
-==> ifconfig le0 mtu 1300
+==> ifconfig le0 mtu 1300
Alternatively, you can reduce the size of the buffer Exim uses for SMTP
output by putting something like
==> deny hosts = *.x.example
If at all possible, you should use IP addresses instead of host
- names in blocking lists in order to to avoid this problem.
+ names in blocking lists in order to avoid this problem.
You can use the \-bh-\ option to get more information about what is
happening at the start of a connection. However, note that the \-bh-\
second solution is used, users can empty their mailboxes by updating
them, but cannot delete them.
- If your problem involves mail to \/root/\, see also Q0507.
+ If your problem involves mail to \/root/\, see also Q0039.
Q0037: I am experiencing mailbox locking problems with Sun's \"mailtool"\ used
If you are running Exim with an alternate configuration file using a
command such as \"exim -C altconfig..."\, remember that the use of -C
- takes away Exim's root privilege.
+ takes away Exim's root privilege, unless \\TRUSTED_CONFIG_LIST\\
+ is set in \(Local/Makefile)\ and the corresponding file contains a
+ prefix which matches the alternative configuration file being used.
Check that you have defined the spool directory correctly by running
==> /usr/lib/sendmail -bz
- in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before
+ in some start-up script (e.g. \(/etc/init.d/mail)\) immediately before
==> /usr/lib/sendmail -bd -q15m
trying to run an \%autoreply%\ transport. Why is this?
A0065: When Exim is called with -C, it passes on -C to any instances of itself
- that it calls (so that the whole sequence uses the same config file). If
- it's running as \/exim/\ when it does this, all is well. However, if it
- happens as a consequence of a non-privileged user running \%autoreply%\,
- the called Exim gives up its root privilege. Then it can't write to the
- spool.
-
- This means that you can't use -C (even as \/root/\) to run an instance of
- Exim that is going to try to run \%autoreply%\ from a process that is
- neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using
- re-execs to regain privilege), there isn't any way round this
- restriction. Therefore, the only way you can make this scenario work is
- to run the \%autoreply%\ transport as \/exim/\ (that is, the user that
- owns the Exim spool files). This may be satisfactory for autoreplies
- that are essentially system-generated, but of course is no good for
- autoreplies from unprivileged users, where you want the \%autoreply%\
- transport to be run as the user. To get that to work with an alternate
- configuration, you'll have to use two Exim binaries, with different
- configuration file names in each. See S001 for a script that patches
- the configuration name in an Exim binary.
+ that it calls (so that the whole sequence uses the same config file).
+ However, Exim gives up its root privilege if any user except \/root\/
+ passes a -C option to use a non-default configuration file, and that
+ includes the case where Exim re-execs itself to regain root privilege.
+ Thus it can't write to the spool.
+
+ The fix for this is to use the \\TRUSTED_CONFIG_LIST\\ build-time
+ option. This defines a file containing a list of 'trusted' prefixes for
+ configuration files. Any configuration file specified with -C, if it
+ matches a prefix listed in that file, will be used without dropping root
+ privileges (as long as it is not writeable by a non-root user).
Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean?
by a \"mail.info"\ descriptor).
Test this by running the command:
-==> logger -p mail.notice test
+==> logger -p mail.notice test
and seeing which logs it goes into. From Exim release 4.31 it is
possible to disable the rejectlog by setting \write_rejectlog\ false.
ensure that this happens throughout the build, it's best to export it in
your environment:
-==> MAKEFLAGS='-B'
- export MAKEFLAGS
- make
+==> MAKEFLAGS='-B'
+ export MAKEFLAGS
+ make
Q0116: I have tried to build Exim with Berkeley DB 3 and 4, but I always get
==> adduser exim
- (3) Now you can prepare to build Exim. Go to \?http://www.exim.org?\ or
+ (3) Now you can prepare to build Exim. Go to \?https://www.exim.org?\ or
one of its mirrors, or the master ftp site
\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download
\(exim-4.20.tar.gz)\ or whatever the current release is. Then:
with MX records pointing to \"localhost"\ (or other names with A records
that specify 127.0.0.1), which causes this behaviour. You can use the
\ignore_target_hosts\ option to get Exim to ignore these records. The
- default contiguration does this. For more discussion, see Q0319. For
+ default configuration does this. For more discussion, see Q0319. For
other cases:
(1) If the domain is meant to be handled as a local domain, there
Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim
- send the messsage to the host defined by the A record?
+ send the message to the host defined by the A record?
A0311: The RFCs are quite clear on this. Only if it is known that there are no
MX records is an MTA allowed to make use of the A record. When an MX
==> # Don't allow domains whose single MX (or A) record is a
# "special-use IPv4 address", as listed in RFC 3330.
ignore_target_hosts = \
- # Hosts on "this network"; RFC 1700 (page 4) states that these
- # are only allowed as source addresses
- 0.0.0.0/8 : \
- # Private networks, RFC 1918
- 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
- # Internet host loopback address, RFC 1700 (page 5)
- 127.0.0.0/8 : \
- # "Link local" block
- 169.254.0.0/16 : \
- # "TEST-NET" - should not appear on the public Internet
- 192.0.2.0/24 : \
- # 6to4 relay anycast addresses, RFC 3068
- 192.88.99.0/24 : \
- # Network interconnect device benchmark testing, RFC 2544
- 198.18.0.0/15 : \
- # Multicast addresses, RFC 3171
- 224.0.0.0/4 : \
- # Reserved for future use, RFC 1700 (page 4)
- 240.0.0.0/4
+ # Hosts on "this network"; RFC 1700 (page 4) states that these
+ # are only allowed as source addresses
+ 0.0.0.0/8 : \
+ # Private networks, RFC 1918
+ 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
+ # Internet host loopback address, RFC 1700 (page 5)
+ 127.0.0.0/8 : \
+ # "Link local" block
+ 169.254.0.0/16 : \
+ # "TEST-NET" - should not appear on the public Internet
+ 192.0.2.0/24 : \
+ # 6to4 relay anycast addresses, RFC 3068
+ 192.88.99.0/24 : \
+ # Network interconnect device benchmark testing, RFC 2544
+ 198.18.0.0/15 : \
+ # Multicast addresses, RFC 3171
+ 224.0.0.0/4 : \
+ # Reserved for future use, RFC 1700 (page 4)
+ 240.0.0.0/4
Q0320: How can I arrange for all mail to \*user@some.domain*\ to be forwarded
Q0409: I want mail for any local part at certain virtual domains to go
to a single address for each domain.
-A0409: One way to to this is
+A0409: One way to do this is
==> virtual:
driver = redirect
to scan email messages at SMTP time. \^elspy^\ also includes a small
Python library with common mail-scanning tools, including an interface
to SpamAssassin and a simple but effective virus detector. You can
- optain \^elspy^\ from \?http://elspy.sourceforge.net/?\.
+ obtain \^elspy^\ from \?http://elspy.sourceforge.net/?\.
Q0511: Whenever my system filter uses a \mail\ command to send a message, I get
==> majordomo: |/local/mail/majordomo ...
then Exim has to be told what uid/gid to use for the delivery. This can
- be done either on the routerr that handles the address, or on the
+ be done either on the router that handles the address, or on the
transport that actually does the delivery. If a pipe is going to run a
setuid program, then it doesn't matter what uid Exim starts it out with,
and so the most straightforward thing is to put
Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the
- ctrl-A characters that separate indvidual emails?
+ ctrl-A characters that separate individual emails?
A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact,
for MMDF mailboxes you need a prefix as well as a suffix to get it
\use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\
terminations) message bodies started to vanish.
-A0606: You need to unset the \mesage_prefix\ option, or change it so that its
+A0606: You need to unset the \message_prefix\ option, or change it so that its
default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the
transport could be:
==> local_delivery_mbx:
- driver = pipe
- command = /usr/local/bin/tmail $local_part
- user = exim
- current_directory = /
+ driver = pipe
+ command = /usr/local/bin/tmail $local_part
+ user = exim
+ current_directory = /
use_crlf
message_prefix =
do not block legitimate mail. With that proviso, you can do it using
something like this in an ACL:
-==> drop message = HELO doesn't look like a hostname
- log_message = Not a hostname
- condition = ${if match{$sender_helo_name} \
- {\N^[^.].*\.[^.]+$\N}{no}{yes}}
+==> drop message = HELO doesn't look like a hostname
+ log_message = Not a hostname
+ condition = ${if match{$sender_helo_name} \
+ {\N^[^.].*\.[^.]+$\N}{no}{yes}}
This means: Drop the HELO unless it contains a dot somewhere in the HELO
string, but the string may not begin or end with a dot. Thus, the
names, but if mail comes in for an upper case login name, it doesn't
get rewritten.
-==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\
- {$value}fail}@my.domain bcfrtFT
+==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\
+ {$value}fail}@my.domain bcfrtFT
The longforms database has entries of the form:
are rewriting. If you are rewriting recipient addresses for your local
domain, you can do:
-==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq
+==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq
and in your alias file put something like
-==> failaddr: :fail: Rewriting failed
+==> failaddr: :fail: Rewriting failed
This fails a single recipient - others are processed independently.
but it is important to some people - especially if by some unfortunate
accident the lowercased word is something indecent.
- You can trivally force lower casing by means of the \"${lc:"\ operator.
+ You can trivially force lower casing by means of the \"${lc:"\ operator.
Instead of \"$domain"\ write \"${lc:$domain}"\.
==> headers add "New-Subject: SPAM: $h_subject:"
headers remove subject
- neaders add "Subject: $h_new-subject:"
+ headers add "Subject: $h_new-subject:"
headers remove new-subject
This trick works only in system filters, where the commands are obeyed
encrypt the user/site/leaf certificate. If this isn't acceptable,
you seem to be able to strip out the passphrase as follows:
-==> openssl rsa -in user.key -our user.key.new
- mv user.key.new
+==> openssl rsa -in user.key -our user.key.new
+ mv user.key.new
This should be done immediately after \(user.key)\ is created.
==> # Now System is up, Modify kernel parameters for max open etc.
==> if [ -f /proc/sys/kernel/file-max ]; then
- echo 16384 >> /proc/sys/kernel/file-max
+ echo 16384 >> /proc/sys/kernel/file-max
fi
if [ -f /proc/sys/kernel/inode-max ]; then
- echo 24576 >> /proc/sys/kernel/inode-max
+ echo 24576 >> /proc/sys/kernel/inode-max
fi
if [ -f /proc/sys/kernel/file-nr ]; then
- echo 2160 >> /proc/sys/kernel/file-nr
+ echo 2160 >> /proc/sys/kernel/file-nr
fi
By echoing the value you want for file-max to the file \(file-max)\ etc.,
C042: ``Since the Exim 4 configuration needed to get Mailman to work differs a
little bit from Exim 3 and since I still haven't seen a recipe for
Mailman with Exim 4, I'm providing my configuration (based heavily on
- \?http://www.exim.org/howto/mailman.html?\).''
+ \?https://www.exim.org/howto/mailman21.html?\).''
C043: ``Attached is an Exim 4 config file which is designed for an Exim server
that is put in front of an Exchange 5.5 system but which verifies the