.set I " "
.macro copyyear
-2016
+2017
.endmacro
. /////////////////////////////////////////////////////////////////////////////
.row &_filter.txt_& "specification of the filter language"
.row &_Exim3.upgrade_& "upgrade notes from release 2 to release 3"
.row &_Exim4.upgrade_& "upgrade notes from release 3 to release 4"
+.row &_openssl.txt_& "installing a current OpenSSL release"
.endtable
The main specification and the specification of the filtering language are also
For a periodic queue run (see below)
append to the name a slash and a time value.
-If other commandline options speicify an action, a &'-qG<name>'& option
+If other commandline options specify an action, a &'-qG<name>'& option
will specify a queue to operate on.
For example:
.code
exim -bp -qGquarantine
-mailq -qGquarantime
+mailq -qGquarantine
exim -qGoffpeak -Rf @special.domain.example
.endd
.endd
on a line by itself. Double quotes round the file name are optional. If you use
the first form, a configuration error occurs if the file does not exist; the
-second form does nothing for non-existent files. In all cases, an absolute file
+second form does nothing for non-existent files.
+.new
+The first form allows a relative name. It is resolved relative to
+the directory of the including file. For the second form an absolute file
name is required.
+.wen
Includes may be nested to any depth, but remember that Exim reads its
configuration file often, so it is a good idea to keep them to a minimum.
The form if &"retry_VAL"& where VAL is an integer.
The default count is set by the main configuration option &%dns_retry%&.
-.cindex cacheing "of dns lookup"
+.cindex caching "of dns lookup"
.cindex TTL "of dns lookup"
.cindex DNS TTL
Dnsdb lookup results are cached within a single process (and its children).
.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
{*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
-.cindex "expansion" "extracting cerificate fields"
+.cindex "expansion" "extracting certificate fields"
.cindex "&%certextract%&" "certificate fields"
.cindex "certificate" "extracting fields"
The <&'certificate'&> must be a variable of type certificate.
filter. Header lines that are added to a particular copy of a message by a
router or transport are not accessible.
-For incoming SMTP messages, no header lines are visible in ACLs that are obeyed
-before the DATA ACL, because the header structure is not set up until the
-message is received. Header lines that are added in a RCPT ACL (for example)
+For incoming SMTP messages, no header lines are visible in
+.new
+ACLs that are obeyed before the data phase completes,
+.wen
+because the header structure is not set up until the message is received.
+They are visible in DKIM, PRDR and DATA ACLs.
+Header lines that are added in a RCPT ACL (for example)
are saved until the message's incoming header lines are available, at which
-point they are added. When a DATA ACL is running, however, header lines added
-by earlier ACLs are visible.
+point they are added.
+.new
+When any of the above ACLs ar
+.wen
+running, however, header lines added by earlier ACLs are visible.
Upper case and lower case letters are synonymous in header names. If the
following character is white space, the terminating colon may be omitted, but
.cindex "uid (user id)" "of originating user"
.cindex "sender" "uid"
.vindex "&$caller_uid$&"
-.vindex "&$originaltor_uid$&"
+.vindex "&$originator_uid$&"
The value of &$caller_uid$& that was set when the message was received. For
messages received via the command line, this is the uid of the sending user.
For messages received by SMTP over TCP/IP, this is normally the uid of the Exim
&$proxy_local_port$& &&&
&$proxy_session$&
These variables are only available when built with Proxy Protocol
-or Socks5 support
+or SOCKS5 support.
For details see chapter &<<SECTproxyInbound>>&.
.vitem &$prdr_requested$&
If you have changed &%host_lookup_order%& so that &`bydns`& is not the first
mechanism in the list, then this variable will be false.
+.new
+This requires that your system resolver library support EDNS0 (and that
+DNSSEC flags exist in the system headers). If the resolver silently drops
+all EDNS0 options, then this will have no effect. OpenBSD's asr resolver
+is known to currently ignore EDNS0, documented in CAVEATS of asr_run(3).
+.wen
+
.vitem &$sender_host_name$&
.vindex "&$sender_host_name$&"
.vitem &$tls_in_ourcert$&
.vindex "&$tls_in_ourcert$&"
-.cindex certificate veriables
+.cindex certificate variables
This variable refers to the certificate presented to the peer of an
inbound connection when the message was received.
It is only useful as the argument of a
.oindex "&%perl_taintmode%&"
.cindex "Perl" "taintmode"
To provide more security executing Perl code via the embedded Perl
-interpeter, the &%perl_taintmode%& option can be set. This enables the
+interpreter, the &%perl_taintmode%& option can be set. This enables the
taint mode of the Perl interpreter. You are encouraged to set this
option to a true value. To avoid breaking existing installations, it
defaults to false.
.option acl_smtp_dkim main string&!! unset
.cindex DKIM "ACL for"
This option defines the ACL that is run for each DKIM signature
+(by default, or as specified in the dkim_verify_signers option)
of a received message.
See chapter &<<CHAPdkim>>& for further details.
There is a slight performance penalty for these checks.
Versions of Exim preceding 4.88 had these disabled by default;
-high-rate intallations confident they will never run out of resources
+high-rate installations confident they will never run out of resources
may wish to deliberately disable them.
.option chunking_advertise_hosts main "host list&!!" *
.option dns_use_edns0 main integer -1
.cindex "DNS" "resolver options"
.cindex "DNS" "EDNS0"
+.cindex "DNS" "OpenBSD
If this option is set to a non-negative number then Exim will initialise the
DNS resolver library to either use or not use EDNS0 extensions, overriding
the system default. A value of 0 coerces EDNS0 off, a value of 1 coerces EDNS0
If the resolver library does not support EDNS0 then this option has no effect.
+.new
+OpenBSD's asr resolver routines are known to ignore the EDNS0 option; this
+means that DNSSEC will not work with Exim on that platform either, unless Exim
+is linked against an alternative DNS client library.
+.wen
+
.option drop_cr main boolean false
This is an obsolete option that is now a no-op. It used to affect the way Exim
.option event_action main string&!! unset
.cindex events
This option declares a string to be expanded for Exim's events mechanism.
-For details see &<<CHAPevents>>&.
+For details see chapter &<<CHAPevents>>&.
.option exim_group main string "compile-time configured"
.option hosts_proxy main "host list&!!" unset
.cindex proxy "proxy protocol"
This option enables use of Proxy Protocol proxies for incoming
-connections. For details see &<<SECTproxyInbound>>&.
+connections. For details see section &<<SECTproxyInbound>>&.
.option hosts_treat_as_local main "domain list&!!" unset
of SSL-on-connect.
In the event of failure to negotiate TLS, the action taken is controlled
by &%ldap_require_cert%&.
+.new
+This option is ignored for &`ldapi`& connections.
+.wen
.option ldap_version main integer unset
.option smtputf8_advertise_hosts main "host list&!!" *
.cindex "SMTPUTF8" "advertising"
When Exim is built with support for internationalised mail names,
-the availability therof is advertised in
+the availability thereof is advertised in
response to EHLO only to those client hosts that match this option. See
chapter &<<CHAPi18n>>& for details of Exim's support for internationalisation.
appropriate &%system_filter_..._transport%& option(s) must be set, to define
which transports are to be used. Details of this facility are given in chapter
&<<CHAPsystemfilter>>&.
+.new
+A forced expansion failure results in no filter operation.
+.wen
.option system_filter_directory_transport main string&!! unset
.option event_action transports string&!! unset
.cindex events
This option declares a string to be expanded for Exim's events mechanism.
-For details see &<<CHAPevents>>&.
+For details see chapter &<<CHAPevents>>&.
.option group transports string&!! "Exim group"
.cindex "hints database" "transport concurrency control"
Exim implements this control by means of a hints database in which a record is
-incremented whenever a transport process is beaing created. The record
+incremented whenever a transport process is being created. The record
is decremented and possibly removed when the process terminates.
Obviously there is scope for
records to get left lying around if there is a system or program crash. To
&`\n`& to &`\r\n`& in &%message_suffix%&.
-.option path pipe string "see below"
-This option specifies the string that is set up in the PATH environment
-variable of the subprocess. The default is:
-.code
-/bin:/usr/bin
-.endd
+.option path pipe string&!! "/bin:/usr/bin"
+.new
+This option is expanded and
+.wen
+specifies the string that is set up in the PATH environment
+variable of the subprocess.
If the &%command%& option does not yield an absolute path name, the command is
sought in the PATH directories, in the usual way. &*Warning*&: This does not
apply to a command specified as a transport filter.
.option dkim_canon smtp string&!! unset
.option dkim_strict smtp string&!! unset
.option dkim_sign_headers smtp string&!! unset
-DKIM signing options. For details see &<<SECDKIMSIGN>>&.
+DKIM signing options. For details see section &<<SECDKIMSIGN>>&.
.option delay_after_cutoff smtp boolean true
.cindex "RFC 3030" "CHUNKING"
This option provides a list of servers to which, provided they announce
CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
-BDAT will not be used in conjuction with a transport filter.
+BDAT will not be used in conjunction with a transport filter.
.option hosts_try_fastopen smtp "host list!!" unset
-.option "fast open, TCP" "enabling, in client"
-.option "TCP Fast Open" "enabling, in client"
-.option "RFC 7413" "TCP Fast Open"
+.cindex "fast open, TCP" "enabling, in client"
+.cindex "TCP Fast Open" "enabling, in client"
+.cindex "RFC 7413" "TCP Fast Open"
This option provides a list of servers to which, provided
the facility is supported by this system, Exim will attempt to
perform a TCP Fast Open.
.option socks_proxy smtp string&!! unset
.cindex proxy SOCKS
This option enables use of SOCKS proxies for connections made by the
-transport. For details see &<<SECTproxySOCKS>>&.
+transport. For details see section &<<SECTproxySOCKS>>&.
.option tls_certificate smtp string&!! unset
deliver the message unauthenticated.
.endlist
+.new
+Note that the hostlist test for whether to do authentication can be
+confused if name-IP lookups change between the time the peer is decided
+on and the transport running. For example, with a manualroute
+router given a host name, and DNS "round-robin" use by that name: if
+the local resolver cache times out between the router and the transport
+running, the transport may get an IP for the name for its authentication
+check which does not match the connection peer IP.
+No authentication will then be done, despite the names being identical.
+
+For such cases use a separate transport which always authenticates.
+.wen
+
.cindex "AUTH" "on MAIL command"
When Exim has authenticated itself to a remote server, it adds the AUTH
parameter to the MAIL commands it sends, if it has an authenticated sender for
attacks in the string (&`../`& or SQL), and ensuring that a valid filename
can always be referenced; it is important to remember that &$tls_in_sni$& is
arbitrary unverified data provided prior to authentication.
-Further, the initial cerificate is loaded before SNI is arrived, so
+Further, the initial certificate is loaded before SNI is arrived, so
an expansion for &%tls_certificate%& must have a default which is used
when &$tls_in_sni$& is empty.
remaining recipients. The &"discard"& return is not permitted for the
&%acl_smtp_predata%& ACL.
+.new
+If the ACL for VRFY returns &"accept"&, a recipient verify (without callout)
+is done on the address and the result determines the SMTP response.
+.wen
+
.cindex "&[local_scan()]& function" "when all recipients discarded"
The &[local_scan()]& function is always run, even if there are no remaining
Cutthrough delivery is not supported via transport-filters or when DKIM signing
of outgoing messages is done, because it sends data to the ultimate destination
before the entire message has been received from the source.
-It is not supported for messages received with the SMTP PRDR option in use.
+It is not supported for messages received with the SMTP PRDR
+.new
+or CHUNKING
+.wen
+options in use.
Should the ultimate destination system positively accept or reject the mail,
a corresponding indication is given to the source system and nothing is queued.
to the control; the default value is &"spool"& and the alternate value
&"pass"& copies an SMTP defer response from the target back to the initiator
and does not queue the message.
-Note that this is independent of any receipient verify conditions in the ACL.
+Note that this is independent of any recipient verify conditions in the ACL.
Delivery in this mode avoids the generation of a bounce mail to a
(possibly faked)
.vitem &*control&~=&~utf8_downconvert*&
This control enables conversion of UTF-8 in message addresses
to a-label form.
-For details see &<<SECTi18nMTA>>&.
+For details see section &<<SECTi18nMTA>>&.
.endlist vlist
.cindex "&%verify%& ACL condition"
This is a variation of the previous option, in which a modified address is
verified as a sender.
+
+.new
+Note that '/' is legal in local-parts; if the address may have such
+(eg. is generated from the received message)
+they must be protected from the options parsing by doubling:
+.code
+verify = sender=${sg{${address:$h_sender:}}{/}{//}}
+.endd
+.wen
.endlist
warn message = X-Warn: sending host is on dialups list
dnslists = dialups.mail-abuse.org
.endd
-.cindex cacheing "of dns lookup"
+.cindex caching "of dns lookup"
.cindex DNS TTL
DNS list lookups are cached by Exim for the duration of the SMTP session
(but limited by the DNS return TTL value),
and the outer dnsdb lookup finds the IP addresses for these hosts. The result
of expanding the condition might be something like this:
.code
-dnslists = sbl.spahmaus.org/<|192.168.2.3|192.168.5.6|...
+dnslists = sbl.spamhaus.org/<|192.168.2.3|192.168.5.6|...
.endd
Thus, this example checks whether or not the IP addresses of the sender
domain's mail servers are on the Spamhaus black list.
&%proxy%&: The internal (closest to the system running Exim) IP address
of the proxy, tagged by PRX=, on the &"<="& line for a message accepted
on a proxied connection
-or the &"=>"& line for a message delivered on a proxied connection..
+or the &"=>"& line for a message delivered on a proxied connection.
See &<<SECTproxyInbound>>& for more information.
.next
.cindex "log" "incoming remote port"
.next
.cindex "log" "outgoing remote port"
.cindex "port" "logging outgoint remote"
-.cindex "TCP/IP" "logging ougtoing remote port"
+.cindex "TCP/IP" "logging outgoing remote port"
&%outgoing_port%&: The remote port number is added to delivery log lines (those
containing => tags) following the IP address.
The local port is also added if &%incoming_interface%& and
.next
.vindex "&$body_linecount$&"
If you change the number of lines in the file, the value of
-&$body_linecount$&, which is stored in the -H file, will be incorrect. At
-present, this value is not used by Exim, but there is no guarantee that this
-will always be the case.
+&$body_linecount$&, which is stored in the -H file, will be incorrect and can
+cause incomplete transmission of messages or undeliverable messages.
.next
If the message is in MIME format, you must take care not to break it.
.next
in Local/Makefile.
It was built on specifications from:
-http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+(&url(http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt)).
That URL was revised in May 2014 to version 2 spec:
-http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e
+(&url(http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e)).
The purpose of this facility is so that an application load balancer,
such as HAProxy, can sit in front of several Exim servers
Use of a proxy is enabled by setting the &%hosts_proxy%&
main configuration option to a hostlist; connections from these
hosts will use Proxy Protocol.
+Exim supports both version 1 and version 2 of the Proxy Protocol and
+automatically determines which version is in use.
+
+The Proxy Protocol header is the first data received on a TCP connection
+and is inserted before any TLS-on-connect handshake from the client; Exim
+negotiates TLS between Exim-as-server and the remote client, not between
+Exim and the proxy server.
The following expansion variables are usable
(&"internal"& and &"external"& here refer to the interfaces
An additional variable, &$event_data$&, is filled with information varying
with the event type:
.display
-&`msg:delivery `& smtp confirmation mssage
+&`msg:delivery `& smtp confirmation message
&`msg:rcpt:host:defer `& error string
&`msg:rcpt:defer `& error string
&`msg:host:defer `& error string