The SIGHUP signal
.cindex "SIGHUP"
.cindex "daemon" "restarting"
+.cindex signal "to reload configuration"
+.cindex daemon "reload configuration"
can be used to cause the daemon to re-execute itself. This should be done
whenever Exim's configuration file, or any file that is incorporated into it by
means of the &%.include%& facility, is changed, and also whenever a new version
.new
&*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the
-IPv4. Such addresses being searched for are converted to IPv4.
+IPv4, in dotted-quad form. (Exim converts IPv4-mapped IPv6 addresses to this
+notation before executing the lookup.)
.wen
.next
.new
them are expanded every time they are used; others are expanded only once.
When a string is being expanded it is copied verbatim from left to right except
+.cindex expansion "string concatenation"
when a dollar or backslash character is encountered. A dollar specifies the
start of a portion of the string that is interpreted and replaced as described
below in section &<<SECTexpansionitems>>& onwards. Backslash is used as an
returns the SHA-1 hash fingerprint of the certificate.
-.vitem &*${sha256:*&<&'string'&>&*}*&
+.vitem &*${sha256:*&<&'string'&>&*}*& &&&
+ &*${sha2:*&<&'string'&>&*}*& &&&
+ &*${sha2_<n>:*&<&'string'&>&*}*&
.cindex "SHA-256 hash"
+.cindex "SHA-2 hash"
.cindex certificate fingerprint
.cindex "expansion" "SHA-256 hashing"
.cindex "&%sha256%& expansion item"
+.cindex "&%sha2%& expansion item"
The &%sha256%& operator computes the SHA-256 hash value of the string
and returns
it as a 64-digit hexadecimal number, in which any letters are in upper case.
If the string is a single variable of type certificate,
returns the SHA-256 hash fingerprint of the certificate.
+.new
+The operator can also be spelled &%sha2%& and does the same as &%sha256%&
+(except for certificates, which are not supported).
+Finally, if an underbar
+and a number is appended it specifies the output length, selecting a
+member of the SHA-2 family of hash functions.
+Values of 256, 384 and 512 are accepted, with 256 being the default.
+.wen
+
.vitem &*${sha3:*&<&'string'&>&*}*& &&&
&*${sha3_<n>:*&<&'string'&>&*}*&
The first character is a major version number, currently 4.
Then after a dot, the next group of digits is a minor version number.
There may be other characters following the minor version.
+This value may be overridden by the &%exim_version%& main config option.
.vitem &$header_$&<&'name'&>
This is not strictly an expansion variable. It is expansion syntax for
.vitem &$version_number$&
.vindex "&$version_number$&"
-The version number of Exim.
+The version number of Exim. Same as &$exim_version$&, may be overridden
+by the &%exim_version%& main config option.
.vitem &$warn_message_delay$&
.vindex "&$warn_message_delay$&"
used. See chapter &<<CHAPsecurity>>& for a discussion of security issues.
+.option exim_version main string "current version"
+.cindex "Exim version"
+.cindex customizing "version number"
+.cindex "version number of Exim" override
+This option allows to override the &$version_number$&/&$exim_version$& Exim reports in
+various places. Use with care, this may fool stupid security scanners.
+
+
.option extra_local_interfaces main "string list" unset
This option defines network interfaces that are to be considered local when
routing, but which are not used for listening by the daemon. See section
transport driver.
-.option openssl_options main "string list" "+no_sslv2 +single_dh_use +no_ticket"
+.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket"
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
option in the relevant &(smtp)& transport.
&*Note*&: If you use filenames based on IP addresses, change the list
-separator in the usual way (&<<SECTlistsepchange>>&) >to avoid confusion under IPv6.
+separator in the usual way (&<<SECTlistsepchange>>&) to avoid confusion under IPv6.
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
message on the same connection. See section &<<SECTmulmessam>>& for an
explanation of when this might be needed.
-.option hosts_noproxy_tls smtp "host list&!!" *
+.new
+.option hosts_noproxy_tls smtp "host list&!!" unset
.cindex "TLS" "passing connection"
.cindex "multiple SMTP deliveries"
.cindex "TLS" "multiple message deliveries"
For any host that matches this list, a TLS session which has
been started will not be passed to a new delivery process for sending another
message on the same session.
+.wen
The traditional implementation closes down TLS and re-starts it in the new
process, on the same open TCP connection, for each successive message
CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
BDAT will not be used in conjunction with a transport filter.
-.option hosts_try_dane smtp "host list&!!" unset
+.option hosts_try_dane smtp "host list&!!" *
.cindex DANE "transport options"
.cindex DANE "attempting for certain servers"
If built with DANE support, Exim will lookup a
there will be no fallback to in-clear communication.
See section &<<SECDANE>>&.
-.option hosts_try_fastopen smtp "host list&!!" unset
+.option hosts_try_fastopen smtp "host list&!!" *
.cindex "fast open, TCP" "enabling, in client"
.cindex "TCP Fast Open" "enabling, in client"
.cindex "RFC 7413" "TCP Fast Open"
-.section "Configuring an Exim client to use TLS" "SECID185"
+.section "Configuring an Exim client to use TLS" "SECTclientTLS"
.cindex "cipher" "logging"
.cindex "log" "TLS cipher"
.cindex "log" "distinguished name"
option), this condition is always true.
-.vitem &*verify&~=&~not_blind*&
+.vitem &*verify&~=&~not_blind/*&<&'options'&>
.cindex "verifying" "not blind"
.cindex "bcc recipients, verifying none"
This condition checks that there are no blind (bcc) recipients in the message.
&'Resent-Cc:'& header lines exist, they are also checked. This condition can be
used only in a DATA or non-SMTP ACL.
+.new
+There is one possible option, &`case_insensitive`&. If this is present then
+local parts are checked case-insensitively.
+.wen
+
There are, of course, many legitimate messages that make use of blind (bcc)
recipients. This check should not be used on its own for blocking messages.
.vitem &*-x*&
Match only non-frozen messages.
+
+.new
+.vitem &*-G*&&~<&'queuename'&>
+Match only messages in the given queue. Without this, the default queue is searched.
+.wen
.endlist
The following options control the format of the output: