The first three non-comment configuration lines are as follows:
.code
-domainlist local_domains = @
+domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1
.endd
fact authenticate until you complete the authenticator definitions.
.code
require message = relay not permitted
- domains = +local_domains : +relay_domains
+ domains = +local_domains : +relay_to_domains
.endd
This statement rejects the address if its domain is neither a local domain nor
one of the domains for which this host is a relay.
.endd
In a list, the syntax is similar. For example:
.code
-domainlist relay_domains = sqlite;/some/thing/sqlitedb \
+domainlist relay_to_domains = sqlite;/some/thing/sqlitedb \
select * from relays where ip='$sender_host_address';
.endd
The only character affected by the &%quote_sqlite%& operator is a single
subject having matched any of the patterns, it is in the set if the last item
was a negative one, but not if it was a positive one. For example, the list in
.code
-domainlist relay_domains = !a.b.c : *.b.c
+domainlist relay_to_domains = !a.b.c : *.b.c
.endd
matches any domain ending in &'.b.c'& except for &'a.b.c'&. Domains that match
neither &'a.b.c'& nor &'*.b.c'& do not match, because the last item in the
list is positive. However, if the setting were
.code
-domainlist relay_domains = !a.b.c
+domainlist relay_to_domains = !a.b.c
.endd
then all domains other than &'a.b.c'& would match because the last item in the
list is negative. In other words, a list that ends with a negative item behaves
respectively. Then there follows the name that you are defining, followed by an
equals sign and the list itself. For example:
.code
-hostlist relay_hosts = 192.168.23.0/24 : my.friend.example
+hostlist relay_from_hosts = 192.168.23.0/24 : my.friend.example
addresslist bad_senders = cdb;/etc/badsenders
.endd
A named list may refer to other named lists:
This item inserts &"basic"& header lines. It is described with the &%header%&
expansion item below.
+
+.vitem "&*${acl{*&<&'name'&>&*}{*&<&'arg'&>&*}...}*&"
+.cindex "expansion" "calling an acl"
+.cindex "&%acl%&" "call from expansion"
+The name and zero to nine argument strings are first expanded separately. The expanded
+arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+Any unused are made empty. The variable &$acl_narg$& is set to the number of
+arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+and may use the variables; if another acl expansion is used the values
+are overwritten. If the ACL sets
+a value using a "message =" modifier and returns accept or deny, the value becomes
+the result of the expansion.
+If no message was set and the ACL returned accept or deny
+the value is an empty string.
+If the ACL returned defer the result is a forced-fail. Otherwise the expansion fails.
+
+
.vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&&
{*&<&'arg'&>&*}...}*&"
.cindex &%dlfunc%&
identifiers, base-36 digits. The number is converted to decimal and output as a
string.
+
.vitem &*${domain:*&<&'string'&>&*}*&
.cindex "domain" "extraction"
.cindex "expansion" "domain extraction"
when &%length%& is used as an operator.
+.vitem &*${listcount:*&<&'string'&>&*}*&
+.cindex "expansion" "list item count"
+.cindex "list" "item count"
+.cindex "list" "count of items"
+.cindex "&%listcount%& expansion item"
+The string is interpreted as a list and the number of items is returned.
+
+
+.vitem &*${listnamed:*&<&'name'&>&*}*&&~and&~&*${list_*&<&'type'&>&*name'&>&*}*&
+.cindex "expansion" "named list"
+.cindex "&%listnamed%& expansion item"
+The name is interpreted as a named list and the content of the list is returned,
+expanding any referenced lists, re-quoting as needed for colon-separation.
+If the optional type if given it must be one of "a", "d", "h" or "l"
+and selects address-, domain-, host- or localpart- lists to search among respectively.
+Otherwise all types are searched in an undefined order and the first
+matching list is returned.
+
+
.vitem &*${local_part:*&<&'string'&>&*}*&
.cindex "expansion" "local part extraction"
.cindex "&%local_part%& expansion item"
.endd
Note that the general negation operator provides for inequality testing. The
two strings must take the form of optionally signed decimal integers,
-optionally followed by one of the letters &"K"& or &"M"& (in either upper or
-lower case), signifying multiplication by 1024 or 1024*1024, respectively.
+optionally followed by one of the letters &"K"&, &"M"& or &"G"& (in either upper or
+lower case), signifying multiplication by 1024, 1024*1024 or 1024*1024*1024, respectively.
As a special case, the numerical value of an empty string is taken as
zero.
10M, not if 10M is larger than &$message_size$&.
+.vitem &*acl&~{{*&<&'name'&>&*}{*&<&'arg1'&>&*}&&&
+ {*&<&'arg2'&>&*}...}*&
+.cindex "expansion" "calling an acl"
+.cindex "&%acl%&" "expansion condition"
+The name and zero to nine argument strings are first expanded separately. The expanded
+arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+Any unused are made empty. The variable &$acl_narg$& is set to the number of
+arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+and may use the variables; if another acl expansion is used the values
+are overwritten. If the ACL sets
+a value using a "message =" modifier the variable $value becomes
+the result of the expansion, otherwise it is empty.
+If the ACL returns accept the condition is true; if deny, false.
+If the ACL returns defer the result is a forced-fail.
+
.vitem &*bool&~{*&<&'string'&>&*}*&
.cindex "expansion" "boolean parsing"
.cindex "&%bool%& expansion condition"
.section "TLS" "SECID108"
.table2
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
+.new
+.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
+.wen
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
server. This reduces security slightly, but improves interworking with older
implementations of TLS.
+
+.new
+option gnutls_enable_pkcs11 main boolean unset
+This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
+the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
+
+See
+&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs)
+for documentation.
+.wen
+
+
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
&"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The
. Allow this long option name to split; give it unsplit as a fifth argument
. for the automatic .oindex that is generated by .option.
-.option "smtp_accept_max_per_ &~&~connection" main integer 1000 &&&
+.option "smtp_accept_max_per_connection" main integer 1000 &&&
smtp_accept_max_per_connection
.cindex "SMTP" "limiting incoming message count"
.cindex "limit" "messages per SMTP connection"
is what is wanted for subsequent tests.
+.new
+.vitem &*control&~=&~cutthrough_delivery*&
+.cindex "&ACL;" "cutthrough routing"
+This option requests delivery be attempted while the item is being received.
+It is usable in the RCPT ACL and valid only for single-recipient mails forwarded
+from one SMTP connection to another. If a recipient-verify callout connection is
+requested in the same ACL it is held open and used for the data, otherwise one is made
+after the ACL completes.
+
+Should the ultimate destination system positively accept or reject the mail,
+a corresponding indication is given to the source system and nothing is queued.
+If there is a temporary error the item is queued for later delivery in the
+usual fashion. If the item is successfully delivered in cutthrough mode the log line
+is tagged with ">>" rather than "=>" and appears before the acceptance "<="
+line.
+
+Delivery in this mode avoids the generation of a bounce mail to a (possibly faked)
+sender when the destination system is doing content-scan based rejection.
+.wen
+
+
.new
.vitem &*control&~=&~dscp/*&<&'value'&>
.cindex "&ACL;" "setting DSCP value"
.vitem &*acl&~=&~*&<&'name&~of&~acl&~or&~ACL&~string&~or&~file&~name&~'&>
.cindex "&ACL;" "nested"
.cindex "&ACL;" "indirect"
+.cindex "&ACL;" "arguments"
.cindex "&%acl%& ACL condition"
The possible values of the argument are the same as for the
&%acl_smtp_%&&'xxx'& options. The named or inline ACL is run. If it returns
condition false. This means that further processing of the &%warn%& verb
ceases, but processing of the ACL continues.
+If the argument is a named ACL, up to nine space-separated optional values
+can be appended; they appear in $acl_arg1 to $acl_arg9, and $acl_narg is set
+to the count of values. The name and values are expanded separately.
+
If the nested &%acl%& returns &"drop"& and the outer condition denies access,
the connection is dropped. If it returns &"discard"&, the verb must be
&%accept%& or &%discard%&, and the action is taken immediately &-- no further
In the main part of the configuration, you put the following definitions:
.code
-domainlist local_domains = my.dom1.example : my.dom2.example
-domainlist relay_domains = friend1.example : friend2.example
-hostlist relay_hosts = 192.168.45.0/24
+domainlist local_domains = my.dom1.example : my.dom2.example
+domainlist relay_to_domains = friend1.example : friend2.example
+hostlist relay_from_hosts = 192.168.45.0/24
.endd
Now you can use these definitions in the ACL that is run for every RCPT
command:
.code
acl_check_rcpt:
- accept domains = +local_domains : +relay_domains
- accept hosts = +relay_hosts
+ accept domains = +local_domains : +relay_to_domains
+ accept hosts = +relay_from_hosts
.endd
The first statement accepts any RCPT command that contains an address in
the local or relay domains. For any other domain, control passes to the second
If the remote server advertises support for the STARTTLS command, and Exim
was built to support TLS encryption, it tries to start a TLS session unless the
server matches &%hosts_avoid_tls%&. See chapter &<<CHAPTLS>>& for more details.
+Either a match in that or &%hosts_verify_avoid_tls%& apply when the transport
+is called for verification.
If the remote server advertises support for the AUTH command, Exim scans
the authenticators configuration for any suitable client settings, as described
git://git.exim.org / users / heiko / exim.git / blobdiff