X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/0756eb3cb50d73a77b486e47528f7cb1bffdb299..495ae4b01f36d0d8bb0e34a1d7263c2b8224aa4a:/doc/doc-src/FAQ.src diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src new file mode 100644 index 000000000..9ad5cf94d --- /dev/null +++ b/doc/doc-src/FAQ.src @@ -0,0 +1,7015 @@ +## $Cambridge: exim/doc/doc-src/FAQ.src,v 1.1 2004/10/07 15:04:35 ph10 Exp $ +## +## This file is processed by Perl scripts to produce an ASCII and an HTML +## version. Lines starting with ## are omitted. The markup used with paragraphs +## is as follows: +## +## Markup User for HTML Text +## ------------------------------------------------------ +## \...\ option fixed-pitch "quoted" +## \$...$\ variable $italic $plain +## \*...*\ titles, quotes italic "quoted" +## \(...)\ file name italic plain +## \[...]\ replaceable +## \?...?\ URL URL plain +## \^...^\ Unix command italic plain +## \%...%\ Exim driver bold "quoted" +## \^^.^^\ C function bold plain +## ::...:: header name italic: plain: +## //...// domain italic plain +## \/.../\ local part italic plain +## \"..."\ literal fixed-pitch "quoted" +## \\...\\ SMTP, build small caps caps +## \**...**\ warn, item bold plain +## \-...-\ cmd option -italic -plain +## \# hard space   space +## +## ``...'' quoted string “...” "..." +## +## @\ is used when a real backslash is required +## +## In addition, sequences of not blank lines that start with ==> are displayed +## in fixed-pitch with no further interpretation. A line containing only [[br]] +## is removed from the text version, but turned into
in the HTML version. +## +## The starts of sections and of questions and answers are automatically +## detected by the scripts. +## +## +THE EXIM FAQ +------------ + +This is the FAQ for the Exim Mail Transfer Agent. Many thanks to the many +people who provided the original information. This file would be amazingly +cluttered if I tried to list them all. Suggestions for corrections, +improvements, and additions are always welcome. + +This version of the FAQ applies to Exim 4.00 and later releases. It has been +extensively revised, and material that was relevant only to earlier releases +has been removed. As this caused some whole sections to disappear, I've taken +the opportunity to re-arrange the sections and renumber everything except the +configuration samples. + +References of the form Cnnn, Fnnn, Lnnn, and Snnn are to the sample +configuration, filter, \^^local_scan()^^\, and ``useful script'' files. These +are hyperlinked from the HTML version of this FAQ. They can also be found in +the separately distributed directory called \(config.samples)\. The primary +location is + +\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.gz?\ +\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.bz2?\ + +There are brief descriptions of these files at the end of this document. + +Philip Hazel +Last update: 31-March-2004 + + +The FAQ is divided into the following sections: + + 0. General Debugging + 1. Building and Installing + 2. Routing in general + 3. Routing to remote hosts + 4. Routing for local delivery + 5. Filtering + 6. Delivery + 7. Policy controls + 8. Rewriting addresses + 9. Headers + 10. Performance + 11. Majordomo + 12. Fetchmail + 13. Perl + 14. Dial-up and ISDN + 15. UUCP + 16. Modifying message bodies + 17. Encryption (TLS/SSL) + 20. Millennium + 50. Miscellaneous + 91. Mac OS X + 92. FreeBSD + 93. HP-UX + 94. BSDI + 95. IRIX + 96. Linux + 97. Sun sytems + 98. Configuration cookbook + 99. 
List of sample configurations + + + +0. GENERAL DEBUGGING + +Q0001: Exim is crashing. What is wrong? + +A0001: Exim should never crash. The author is always keen to know about + crashes, so that they can be diagnosed and fixed. However, before you + start sending me email, please check that you are running the latest + release of Exim, in case the problem has already been fixed. The + techniques described below can also be useful in trying to pin down + exactly which circumstances caused the crash and what Exim was trying to + do at the time. If the crash is reproducable (by a particular message, + say) keep a copy of that message. + + +Q0002: Exim is not working. What is wrong? How can I check what it is doing? + +A0002: Exactly how is it not working? Check the more specific questions in the + other sections of this FAQ. Some general techniques for debugging are: + + (1) Look for information in Exim's log files. These are in the \(log)\ + directory in Exim's spool directory, unless you have configured a + different path for them. Serious operational problems are reported + in paniclog. + + (2) If the problem involves the delivery of one or more messages, try + forcing a delivery with the \-M-\ option and also set the \-d-\ + option, to cause Exim to output debugging information. For example: + +==> exim -d -M 0z6CXU-0005RR-00 + + The output is written to the standard error stream. You need to have + admin privileges to use \-M-\ and \-d-\. + + (3) If the problem involves incoming SMTP mail, try using the \-bh-\ + option to simulate an incoming connection from a specific host, + for example: + +==> exim -bh 10.9.8.7 + + This goes through the motions of an SMTP session, without actually + accepting a message. Information about various policy checks is + output. You will need to know how to pretend to be an SMTP client. 
+ + (4) If the problem involves lack of recognition or incorrect handling + of local addresses, try using the \-bt-\ option with debugging turned + on, to see how Exim is handling the address. For example, + +==> exim -d -bt z6abc + + shows you how it would handle the local part \"z6abc"\. + + +Q0003: What does the error \*Child process of address_pipe transport returned + 69 from command xxx*\ mean? + +A0003: It means that when a transport called \%address_pipe%\ was run to pass an + email message by means of a pipe to another process running the command + xxx, the return code from that command was 69, which indicates some kind + of error (the success return code is 0). + + The most common meaning of exit code 69 is ``unavailable'', and this often + means that when Exim tried to run the command \(xxx)\, it failed. One + cause of this might be incorrect permissions on the file containing the + command. See also Q0026. + + +Q0004: My virtual domain setup isn't working. How can I debug it? + +A0004: You can use an exim command with \-d-\ to get it to show you how it is + processing addresses. You don't actually need to send a message; use the + \-bt-\ option like this: + +==> exim -d -bt localpart@virtualhost + + This will show you which routers it is using. If the problem appears + to be with the expansion of an option setting, you can use the + \debug_print\ option on a router to get Exim to output the expanded + string values as it goes along. + + +Q0005: Why is Exim not rejecting incoming messages addressed to non-existent + users at SMTP time? + +A0005: This is controlled by the ACL that is run for each incoming RCPT + command. It is defined by the \acl_smtp_rcpt\ option. You can check this + part of your configuration by using the \-bh-\ option to run a simulated + SMTP session, during which Exim will tell you what things it is + checking. + + +Q0006: I've put an entry for \"*.my.domain"\ in a DBM lookup file, but it isn't + getting recognized. 
+ +A0006: You need to request ``partial matching'' by setting the search type to + \partial-dbm\ in order for this to work. + + +Q0007: I've put the entry \"*@domain.com"\ in a lookup database, but it isn't + working. The expansion I'm using is: + +==> ${lookup{${lc:$sender_address}}dbm{/the/file} ... + +A0007: As no sender address will ever be //*@domain.com// this will indeed have + no effect as it stands. You need to tell Exim that you want it to look + for defaults after the normal lookup has failed. In this case, change the + search type from \"dbm"\ to \"dbm*@"\. See the section on \*Default values in + single-key lookups*\ in the chapter entitled \*File and database + lookups*\ in the Exim manual. + + +Q0008: If I run \"./exim -d -bt user@domain"\ all seems well, but when I send + a message from my User Agent, it does not arrive at its destination. + +A0008: Try sending a message directly to Exim by typing this: + +==> exim -v user@domain + + . + + If the message gets delivered to a remote host, but never arrives at its + final destination, then the problem is at the remote host. If, however, + the message gets through correctly, then the problem may be between your + User Agent and Exim. Try setting Exim's \log_selector\ option to include + \"+arguments"\, to see with which arguments the UA is calling Exim. + + +Q0009: What does \*no immediate delivery: too many messages received in one SMTP + connection*\ mean? + +A0009: An SMTP client may send any number of messages down a single SMTP + connection to a server. Initially, an Exim server starts up a delivery + process as soon as a message is received. However, in order not to start + up too many processes when lots of messages are arriving (typically + after a period of downtime), it stops doing immediate delivery after a + certain number of messages have arrived down the same connection. The + threshold is set by \smtp_accept_queue_per_connection\, and the default + value is 10. 
On large systems, the value should be increased. If you are + running a dial-in host and expecting to get all your mail down a single + SMTP connection, then you can disable the limit altogether by setting + the value to zero. + + +Q0010: Exim puts \*for \[address]\*\ in the ::Received:: headers of some, but not all, + messages. Is this a bug? + +A0010: No. It is deliberate. Exim inserts a ``for'' phrase only if the incoming + message has precisely one recipient. If there is more than one + recipient, nothing is inserted. The reason for this is that not all + recipients appear in the ::To:: or ::Cc:: headers, and it is considered a + breach of privacy to expose such recipients to the others. A common + case is when a message has come from a mailing list. + + +Q0011: Instead of \^exim_dbmbuild^\, I'm using a homegrown program to build DBM + (or cdb) files, but Exim doesn't seem to be able to use them. + +A0011: Exim expects there to be a binary zero value on the end of each key used + in a DBM file if you use the \"dbm"\ lookup type, but not for the \"dbmnz"\ + lookup type or for the keys of a cdb file. Check that you haven't + slipped up in this regard. + + +Q0012: Exim is unable to route to any remote domains. It doesn't seen to be + able to access the DNS. + +A0012: Try running \"exim -d+resolver -bt \[remote address]\"\. The \-d-\ + options turns on debugging output, and the addition of \"+resolver"\ + will make it show the resolver queries it is building and the results of + its DNS queries. If it appears unable to contact any name servers, check + the contents and permissions of \(/etc/resolv.conf)\. + + +Q0013: What does the error message \*transport system_aliases: cannot find + transport driver "redirect" in line 92*\ mean? + +A0013: \%redirect%\ is a router, not a transport. You have put a configuration + for a router into the transports section of the configuration file. 
+ + +Q0014: Exim is timing out after receiving and responding to the DATA command + from one particular host, and yet the client host also claims to be + timing out. This seems to affect only certain messages. + +A0014: This kind of problem can have many different causes. + + (1) This problem has been seen with a network that was dropping all + packets over a certain size, which mean that the first part of the SMTP + transaction worked, but when the body of a large message started + flowing, the main data bits never got through the network. See also + Q0017. + + (2) This can also happen if a host has a broken TCP stack and won't + reassemble fragmented datagrams. + + (3) A very few ISDN lines have been seen which failed when certain data + patterns were sent through them, and replacing the routers at both end + of the link did not fix things. One of them was triggered by more than 4 + X's in a row in the data. + + +Q0015: What does the message \*Socket bind() to port 25 for address (any) + failed: address already in use*\ mean? + +A0015: You are trying to run an Exim daemon when there is one already running - + or maybe some other MTA is running, or perhaps you have an SMTP line in + \(/etc/inetd.conf)\ which is causing \(inetd)\ to listen on port 25. + + +Q0016: I've set \"verify = header_syntax"\ in my ACL, but this causes Exim to + complain about header lines like \"To: Work: Jim , + Home: Bob "\ which look all right to me. Is this a bug? + +A0016: No. Header lines such as ::From::, ::To::, etc., which contain addresses, are + structured, and have to be in a specific format which is defined in RFC + 2822. Unquoted colons are not allowed in the ``phrase'' part of an email + address (they are OK in other headers such as ::Subject::). 
The correct + form for that header is + +==> To: "Work: Jim" , "Home: Bob" + + You will sometimes see unquoted colons in ::To:: and ::Cc:: headers, but only + in connection with name lists (called ``groups''), for example: + +==> To: My friends: X , Y ;, + My enemies: A , B ; + + Each list must be terminated by a semicolon, as shown. + + +Q0017: Whenever Exim tries to deliver a specific message to a particular + server, it fails, giving the error \*Remote end closed connection after + data*\ or \*Broken pipe*\ or a timeout. What's going on? + +A0017: \*Broken pipe*\ is the error you get on some OS when the remote host just + drops the connection. The alternative is \*connection reset by peer*\. + There are many potential causes. Here are some of them (see also Q0068): + + (1) There are some firewalls that fall over on binary zero characters + in email. Have a look, e.g. with \"hexdump -c mymail | tail"\ to see if + your mail contains any binary zero characters. + + (2) There are broken SMTP servers around that just drop the connection + after the data has been sent if they don't like the message for some + reason (e.g. it is too big) instead of sending a 5xx error code. Have + you tried sending a small message to the same address? + + It has been reported that some releases of Novell servers running NIMS + are unable to handle lines longer than 1024 characters, and just close + the connection. This is an example of this behaviour. + + (3) If the problem occurs right at the start of the mail, then it could + be a network problem with mishandling of large packets. Many emails are + small and thus appear to propagate correctly, but big emails will + generate big IP datagrams. + + There have been problems when something in the middle of the network + mishandles large packets due to IP tunnelling. In a tunnelled link, your + IP datagrams gets wrapped in a larger datagram and sent over a network. 
+ This is how virtual private networks (VPNs), and some ISP transit + circuits work. Since the datagrams going over the tunnel require a + larger packet size, the tunnel needs a bigger maximum transfer unit + (MTU) in the network handling the tunnelled packets. However, MTUs + are often fixed, so the tunnel will try to fragment the packets. + + If the systems outside the tunnel are using path MTU discovery, (most + Sun Sparc Solaris machines do by default), and set the DF (don't + fragment) bit because they don't send packets larger than their \(local)\ + MTU, then ICMP control messages will be sent by the routers at the + ends of the tunnel to tell them to reduce their MTU, since the tunnel + can't fragment the data, and has to throw it away. If this mechanism + stops working, e.g. a firewall blocks ICMP, then your host never + knows it has hit the maximum path MTU, but it has received no ACK on + the packet either, so it continues to resend the same packet and the + connection stalls, eventually timing out. + + You can test the link using pings of large packets and see what works: + +==> ping -s host 2048 + + Try reducing the MTU on the sending host: + +==> ifconfig le0 mtu 1300 + + Alternatively, you can reduce the size of the buffer Exim uses for SMTP + output by putting something like + +==> DELIVER_OUT_BUFFER_SIZE=512 + + in your \(Local/Makefile)\ and rebuilding Exim (the default is 8192). + While this should not in principle have any effect on the size of + packets sent, in practice it does seem to have an effect on some OS. + + You can also try disabling path MTU discovery on the sending host. On + Linux, try: + +==> echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc + + For a general discussion and information about other operating systems, see + \?http://www.netheaven.com/pmtu.html?\. If disabling path MTU discovery + fixes the problem, try to find the broken or misconfigured + router/firewall that swallows the ICMP-unreachable packets. 
Increasing + timeouts on the receiving host will not work around the problem. + + +Q0018: Why do messages not get delivered down the same connection when I do + something like: \"exim -v -R @aol.com"\? For other domains, I do this and + I see the appropriate \*waiting for passed connections to get used*\ + messages. + +A0018: Recall that Exim does not keep separate queues for each domain, but + operates in a distributed fashion. Messages get into its `waiting for + host x' hints database only when a delivery has been tried, and has had + a temporary error. Here are some possibilities: + + (1) The messages to \(aol.com)\ got put in your queue, but no previous + delivery attempt occured before you did the \-R-\. This might have been + because of your settings of \queue_only_load\, \smtp_accept_queue\, or any + other option that caused no immediate delivery attempt on arrival. If + this is the case, you can try using \-qqR-\ instead of \-R-\. + + (2) You have set \connection_max_messages\ on the smtp transport, and + that limit was reached. This would show as a sequence of messages + down one connection, then another sequence down a new connection, etc. + + (3) Exim tried to pass on the SMTP connection to another message, but + that message was in the process of being delivered to \(aol.com)\ by some + other process (typically, a normal queue runner). This will break the + sequence, though the other delivery should pass its connection on to + other messages if there are any. + + (4) The folk at \(aol.com)\ changed the MX records so the host names have + changed - or a new host has been added. I don't know how likely this is. + + (5) Exim is not performing as it should in this regard, for some reason. + Next time you have mail queued up for \(aol.com)\, try running + +==> exim_dumpdb /var/spool/exim wait-remote_smtp + + to see if those messages are listed among those waiting for the relevant + \(aol.com)\ hosts. 
+ + +Q0019: There seems to be a problem in the string expansion code: it doesn't + recognize references to headers such as \"${h_to}"\. + +A0019: The only valid syntax for header references is (for example) \"$h_to:"\ + because header names are permitted by RFC 2822 to contain a very wide + range of characters. A colon (or white space) is required as the + terminator. + + +Q0020: Why do connections to my machine's SMTP port take a long time to respond + with the banner, when connections to other ports respond instantly? The + delay is sometimes as long as 30 seconds. + +A0020: These kinds of delay are usually caused by some kind of network problem + that affects outgoing calls made by Exim at the start of an incoming + connection. Configuration options that cause outgoing calls are: + + (1) \rfc1413_hosts\ and \rfc1413_query_timeout\ (for \*ident*\ calls). + Firewalls sometimes block ident connections so that they time out, + instead of refusing them immediately. This can cause this problem. + See Q5023 for a discussion of the usefulness of \*ident*\. + + (2) The \host_lookup\ option, the \host_reject_connection\ option, or a + condition in the ACL that runs at connection time requires the + remote host's name to be looked up from its IP address. Sometimes + these DNS lookups time out. You can get this effect with ACL + statements like this: + +==> deny hosts = *.x.example + + If at all possible, you should use IP addresses instead of host + names in blocking lists in order to to avoid this problem. + + You can use the \-bh-\ option to get more information about what is + happening at the start of a connection. However, note that the \-bh-\ + option does not provide a complete simulation. In particular, no + \*ident*\ checks are done, so it won't show up a delay problem that is + related to (1) above. + + +Q0021: What does \*failed to create child process to send failure message*\ mean? 
+ This is a busy mail server with \smtp_accept_max\ set to 500, but this + problem started to occur at about 300 incoming connections. + +A0021: Some message delivery failed, and when Exim wanted to send a bounce + message, it was unable to create a process in which to do so. Probably + the limit on the maximum number of simultaneously active processes has + been reached. Most OS have some means of increasing this limit, and in + some operating systems there is also a limit per uid which can be + varied. + + +Q0022: What does \*No transport set by system filter*\ in a log line mean? + +A0022: Your system filter contains a \"pipe"\ or \"save"\ or \"mail"\ command, + but you have not set the corresponding option which specifies which + transport is to be used. You need to set whichever of + \system_filter_pipe_transport\, \system_filter_file_transport\ or + \system_filter_reply_transport\ is relevant. + + +Q0023: Why is Exim refusing to relay, saying \*failed to find host name from IP + address*\ when I have the sender's IP address in an ACL condition? My + configuration contains this ACL statement: + +==> accept hosts = lsearch;/etc/mail/relaydomains:192.168.96.0/24 + +A0023: When checking a host list, the items are tested in left-to-right + order. The first item in your list is a lookup on the incoming host's + name, so Exim has to determine the name from the incoming IP address in + order to perform the test. If it can't find the host name, it can't do + the check, so it gives up. You would have discovered what was going + on if you had run a test such as + +==> exim -bh 192.168.96.131 + + The solution is to put all explicit IP addresses first in the list. + Alternatively, you can split the ACL statement into two like this: + +==> accept hosts = lsearch;/etc/mail/relaydomains + accept hosts = 192.168.96.0/24 + + If the host lookup fails, the first \"accept"\ fails, but then the + second one is considered. 
+ + +Q0024: When I run \"exim -bd -q10m"\ I get \*PANIC LOG: exec of exim -q failed*\. + +A0024: This probably means that Exim doesn't know its own path so it can't + re-exec itself to do the first queue run. Check the output of + +==> exim -bP exim_path + + +Q0025: I can't seem to get a pipe command to run when I include a \"${if"\ + expansion in it. This fails: + +==> command = perl -T /usr/local/rt/bin/rtmux.pl \ + rt-mailgate helpdesk \ + ${if eq {$local_part}{rt} {correspond}{action}} + +A0025: You need some internal quoting in there. Exim expands each individual + argument separately. Because you have (necessarily) got spaces in your + \"${if"\ item, you have to quote that argument. Try + +==> command = perl -T /usr/local/rt/bin/rtmux.pl \ + rt-mailgate helpdesk \ + "${if eq {$local_part}{rt} {correspond}{action}}" + + \**Warning:**\ If command starts with an item that requires quoting, + you cannot just put it in quotes, because a leading quote means that the + entire option setting is being quoted. What you have to do is to quote + the entire value, and use internally escaped quotes for the ones you + really want. For example: + +==> command = "\"${if ....}\" arg1 arg2" + + Any backslashes in the expansion items will have to be doubled to stop + them being interpreted by the string reader. + + +Q0026: I'm trying to get Exim to connect an alias to a pipe, but it always + gives error code 69, with the comment \*(could mean service or program + unavailable)*\. + +A0026: If your alias entry looks like this: + +==> alias: |"/some/command some parameters" + + change it to look like this: + +==> alias: "|/some/command some parameters" + + +Q0027: What does the error \*Spool file is locked*\ mean? + +A0027: This is not an error. All it means is that when an Exim delivery + process (probably started by a queue runner process) looked at a message + in order to start delivering it, it found that another Exim process was + already busy delivering it. 
On a busy system this is quite a common + occurrence. If you set \"-skip_delivery"\ in the \log_selector\ option, + these messages are omitted from the log. + + The only time when this message might indicate a problem is if it is + repeated for the same message for a very long time. That would suggest + that the process that is delivering the message has somehow got stuck. + + +Q0028: Exim is reporting IP addresses as 0.0.0.0 or 255.255.255.255 instead of + their correct values. What's going on? + +A0028: You are using a version of Exim built with gcc on an IRIX box. + See Q9502. + + +Q0029: I can't seem to figure out why PAM support doesn't work correctly. + +A0029: There is a problem using PAM with shadow passwords when the calling + program is not running as \/root/\. Exim is normally running as the + Exim user when authenticating a remote host. See this posting for one + way round the problem: + + \?http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010917/030371.html?\ + + Another solution can be found at \?http://www.e-admin.de/pam_exim/?\. + + PAM 0.72 allows authorization as non-\/root/\, using setuid helper programs. + Furthermore, in \(/etc/pam.d/exim)\ you can explicitelly specify that + this authorization (using setuid helpers) is only permitted for certain + users and groups. + + +Q0030: I'm trying to use a query-style lookup for hosts that are allowed to + relay, but it is giving really weird errors. + +A0030: Does your query contain a colon character? Remember that host lists are + colon-separated, so you need to double any colons in the query. This + applies even if the query is defined as a macro. + + +Q0031: Exim is rejecting connections from hosts that have more than one IP + address, for no apparent reason. + +A0031: You are using Solaris 7 or earlier, and have \"nis dns files"\ in + \(/etc/nsswitch.conf)\. Change this to \"dns nis files"\ to avoid hitting Sun + bug 1154236 (a bad interaction between NIS and the DNS). 
+ + +Q0032: Exim is failing to find the MySQL library, even though is it present + within \\LD_LIBRARY_PATH\\. I'm getting this error: + +==> /usr/local/bin/exim: fatal: libmysqlclient.so.6: open failed: + No such file or directory + +A0032: Exim is suid, and \\LD_LIBRARY_PATH\\ is ignored for suid binaries on a + Solaris (and other?) systems. What you should be doing is adding + \"-R/local/lib/mysql"\ to the same place in the compilation that you added + \"-L/local/lib/mysql"\. This tells the binary where to look without + needing a path variable. + + +Q0033: What does the error \*lookup of host "xx.xx.xx" failed in yyy router*\ + mean? + +A0033: You configured a \%manualroute%\ router to send the message to xx.xx.xx. When + it tried to look up the IP address for that host, the lookup failed + with a permanent error. As this is a manual routing, this is a + considered to be a serious error which the postmaster needs to know + about (maybe you have a typo in your file), and there is little point + in keeping on trying. So it freezes the message. + + (1) Don't set up routes to non-existent hosts. + + (2) If you must set up routes to non-existent hosts, and don't want + freezing, set the \host_find_failed\ option on the router to do something + other than freeze. + + +Q0034: Exim works fine on one host, but when I copied the binary to another + identical host, it stopped working (it could not resolve DNS names). + +A0034: Is the new host running exactly the same operating system? Most + importantly, are the versions of the dynamically loaded libraries + (files with names like \(libsocket.so.1)\) the same on both systems? If not, + that is probably the cause of the problem. Either arrange for the + libraries to be the same, or rebuild Exim from source on the new host. + + +Q0035: I set a \"hosts"\ condition in an ACL to do a lookup in a file of IP + addresses, but it doesn't work. + +A0035: Did you remember to put \"net-"\ at the start of the the search type? 
If + you set something like this: + +==> accept hosts = lsearch;/some/file + + Exim searches the file for the host name, not the IP address. You need + to set + +==> accept hosts = net-lsearch;/some/file + + to make it use the IP address as the key to the lookup. + + +Q0036: Why do I get the error \*Permission denied: creating lock file hitching + post*\ when Exim tries to do a local delivery? + +A0036: Your configuration specifies that local mailboxes are all held in + single directory, via configuration lines like these (taken from the + default configuration): + +==> local_delivery: + driver = appendfile + file = /var/mail/$local_part + + and the permissions on the directory probably look like this: + +==> drwxrwxr-x 3 root mail 512 Jul 9 13:48 /var/mail/ + + Using the default configuration, Exim runs as the local user when doing + a local delivery, and it uses a lock file to prevent any other process + from updating the mailbox while it is writing to it. With those + permissions the delivery process, running as the user, is unable to + create a lock file in the \(/var/mail(\ directory. There are two solutions + to this problem: + + (1) Set the \"write"\ and \"sticky bit"\ permissions on the directory, so + that it looks like this: + +==> drwxrwxrwt 3 root mail 512 Jul 9 13:48 /var/mail/ + + The \"w"\ allows any user to create new files in the directory, but + the \"t"\ bit means that only the creator of a file is able to remove + it. This is the same setting as is normally used with the \(/tmp)\ + directory. + + (2) Arrange to run the local_delivery transport under a specific group + by changing the configuration to read + +==> local_delivery: + driver = appendfile + file = /var/mail/${local_part} + group = mail + + The delivery process still runs under the user's uid, but with the + group set to \"mail"\. The group permission on the directory allows + the process to create and remove the lock file. + + The choice between (1) and (2) is up to the administrator. 
If the + second solution is used, users can empty their mailboxes by updating + them, but cannot delete them. + + If your problem involves mail to \/root/\, see also Q0507. + + +Q0037: I am experiencing mailbox locking problems with Sun's \"mailtool"\ used + over a network. + +A0037: See Q9705 in the Sun-specific section below. + + +Q0038: What does the error message \*error in forward file (filtering not + enabled): missing or malformed local part*\ mean? + +A0038: If you are trying to use an Exim filter, you have forgotten to enable + the facility, which is disabled by default. In the \%redirect%\ router + (in the Exim run time configuration file) you need to set + +==> allow_filter = true + + to allow a \(.forward)\ file to be used as an Exim filter. If you are not + trying to use an Exim filter, then you have put a malformed address in + the \(.forward)\ file. + + +Q0039: I have installed Exim, but now I can't mail to \/root/\ any more. Why is + this? + +A0039: Most people set up \/root/\ as an alias for the manager of the host. If + you haven't done this, Exim will attempt to deliver to \/root/\ as if it + were a normal user. This isn't really a good idea because the delivery + process would run as \/root/\. Exim has a trigger guard in the option + +==> never_users = root + + in the default configuration file. This prevents it from running as \/root/\ + when doing any deliveries. If you really want to run local deliveries as + \/root/\, remove this line, but it would be better to create an alias for + \/root/\ instead. + + +Q0040: How can I stop undeliverable bounce messages (e.g. to routeable, but + undeliverable, spammer senders) from clogging up the queue for days? + +A0040: If at all possible, you should try to avoid getting into this situation + in the first place, for example, by verifying recipients so that you + do not accept undeliverable messages that lead to these bounces. 
+ You can, however, configure Exim to discard failing bounce messages + early. Just set \ignore_bounce_errors_after\ to specify a (short) time + to keep them for. + + +Q0041: What does the message \*unable to set gid=ddd or uid=ddd (euid=ddd): + local delivery to ... transport=ttt*\ mean? + +A0041: Have you remembered to make Exim setuid \/root/\? It needs root privilege if + it is to do any local deliveries, because it does them ``as the user''. + Note also that the partition from which Exim is running (where the + binary is installed) must not have the \nosuid\ mount option set. You + can check this by looking at its \(/etc/fstab)\ entry (or \(/etc/vfstab)\, + depending on your OS). + + +Q0042: My ISP's mail server is rejecting bounce messages from Exim, complaining + that they have no sender. The SMTP trace does indeed show that the + sender address is \"<>"\. Why is the Sender on the bounce message empty? + +A0042: Because the RFCs say it must be. Your ISP is at fault. Send them this + extract from RFC 2821 section 6.1 (\*Reliable Delivery and Replies by + Email*\): + + If there is a delivery failure after acceptance of a message, the + receiver-SMTP MUST formulate and mail a notification message. This + notification MUST be sent using a null (\"<>"\) reverse path in the + envelope. The recipient of this notification MUST be the address + from the envelope return path (or the ::Return-Path:: header line). + However, if this address is null (\"<>"\), the receiver-SMTP MUST NOT + send a notification. + + The reason that bounce messages have no sender is so that they + themselves cannot provoke further bounces, as this could lead to a + unending exchange of undeliverable messages. + + +Q0043: What does the error \*Unable to get interface configuration: 22 Invalid + argument*\ mean? + +A0043: This is an error that occurs when Exim is trying to find out the all the + IP addresses on all of the local host's interfaces. 
If you have lots of + virtual interfaces, this can occur if there are more than around 250 of + them. The solution is to set the option \local_interfaces\ to list just + those IP addresses that you want to use for making and receiving SMTP + connections. + + +Q0044: What does the error \*Failed to create spool file*\ mean? + +A0044: Exim has been unable to create a file in its spool area in which to + store an incoming message. This is most likely to be either a + permissions problem in the file hierarchy, or a problem with the uid + under which Exim is running, though it could be something more drastic + such as your disk being full. + + If you are running Exim with an alternate configuration file using a + command such as \"exim -C altconfig..."\, remember that the use of -C + takes away Exim's root privilege. + + Check that you have defined the spool directory correctly by running + +==> exim -bP spool_directory + + and examining the output. Check the mode of this directory. It should + look like this, assuming you are running Exim as user \/exim/\: + +==> drwxr-x--- 6 exim exim 512 Jul 16 12:29 /var/spool/exim + + If there are any subdirectories already in existence, they should have + the same permissions, owner, and group. Check also that you haven't got + incorrect permissions on superior directories (for example, \(/var/spool)\). + Check that you have set up the Exim binary to be setuid \/root/\. It should + look like this: + +==> -rwsr-xr-x 1 root xxx 502780 Jul 16 14:16 exim + + Note that it is not just the owner that must be \/root/\, but also the third + permission must be \"s"\ rather than \"x"\. + + +Q0045: I see entries in the log that mention two different IP addresses for the + same connection. Why is this? For example: + +==> H=tip-mp8-ncs-13.stanford.edu ([36.173.0.189]) [36.173.0.156] + +A0045: The actual IP address from which the call came is the final one. 
+ Whenever there's something in parentheses in a host name, it is what the + host quoted as the domain part of an SMTP HELO or EHLO command. So in + this case, the client, despite being 36.173.0.156, issued the command + +==> EHLO [36.173.0.189] + + when it sent your server the message. This is, of course, very + misleading. + + +Q0046: A short time after I start Exim I see a defunct zombie process. What + is causing this? + +A0046: Your system must be lightly loaded as far as mail is concerned. The + daemon sets off a queue runner process when it is started, but it only + tidies up completed child processes when it wakes up for some other + reason. When there's nothing much going on, you occasionally see + defunct processes like this waiting to be dealt with. This is + perfectly normal. + + +Q0047: On a reboot, or a restart of the mail system, I see the message \*Mailer + daemons: exim abandoned: unknown, malformed, or incomplete option + -bz sendmail*\. What does this mean? + +A0047: \-bz-\ is a Sendmail option requesting it to create a `configuration freeze + file'. Exim has no such concept and so does not support the option. You + probably have a line like + +==> /usr/lib/sendmail -bz + + in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before + +==> /usr/lib/sendmail -bd -q15m + + The first of these lines should be commented out. + + +Q0048: Whenever exim restarts it takes up to 3-5 minutes to start responding on + the SMTP port. Why is this? + +A0048: Something else is hanging onto port 25 and not releasing it. One place + to look is \(/etc/inetd.conf)\ in case for any reason an SMTP stream is + configured there. + + +Q0049: What does the log message \*no immediate delivery: more than 10 messages + received in one connection*\ mean? + +A0049: A remote MTA sent a number of messages in a single SMTP session. 
Exim + limits the number of immediate delivery processes it creates as a + result of a single SMTP connection, in order to avoid creating a zillion + processes on systems that can have many incoming connections. If you are + dialing in to collect mail from your ISP, you should probably set + \smtp_accept_queue_per_connection\ to some number larger than 10, or + arrange to start a queue runner for local delivery (using \-ql-\) + immediately after collecting the mail. + + +Q0050: I am getting complaints from a customer who uses my Exim server for + relaying that they are being blocked with a \*Too many connections*\ + error. + +A0050: See \smtp_accept_max\, \smep_accept_max_per_host\ and \smtp_accept_reserve\. + + +Q0051: When I try \"exim -bf"\ to test a system filter, I received the following + error message: \*Filter error: unavailable filtering command "fail" near + line 8 of filter file*\. + +A0051: Use the \-bF-\ option to test system filters. This gives you access to the + freeze and fail actions. + + +Q0052: What does \*ridiculously long message header*\ in an error report mean? + +A0052: There has to be some limit to the length of a message's header lines, + because otherwise a malefactor could open an SMTP channel to your host, + start a message, and then just send characters continuously until your + host ran out of memory. (Exim stores all the header lines in main + memory while processing a message). For this reason a limit is imposed + on the total amount of memory that can be used for header lines. The + default is 1MB, but this can be changed by setting \\HEADER_MAXSIZE\\ in + \(Local/Makefile)\ before building Exim. Exceeding the limit provokes + the ``ridiculous'' error message. + + +Q0053: Exim on my host responds to a connection with \"220 *****..."\ and + won't understand \\EHLO\\ commands. + +A0053: This is the sign of a Cisco Pix ``Mailguard'' sitting in front of your + MTA. Pix breaks ESMTP and only does SMTP. 
It is a nuisance when you have + a secure MTA running on your box. Something like ``no fixup protocol + smtp 25'' in the Pix configuration is needed. It may be possible to do + this by logging into the Pix (using \^telnet^\ or \^ssh^\) and typing + \"no fixup smtp"\ to its console. (You may need to use other commands + before or after to set up configuration mode and to activate a changed + configuration. Consult your Pix documentation or expert.) See also + Q0078. + + +Q0054: I'm getting an Exim configuration error \*unknown rewrite flag + character (m) in line 386*\ but I haven't used any flags on my rewriting + rules. + +A0054: You have probably forgotten to quote a replacement string that contains + white space. + + +Q0055: What does the error \*Failed to open wait-remote_smtp database: Invalid + argument*\ mean? + +A0055: This is something that happens if you have existing DBM hints files when + you install a new version of Exim that is compiled to use a different or + upgraded DBM library. The simplest thing to try is + +==> rm /var/spool/exim/db/* + + This removes all the hints files. Exim will start afresh and build new + ones. If the symptom recurs, it suggests there is some problem with your + DBM library. + + +Q0056: We are using Exim to send mail from our web server. However, whenever a + user sends an email it gets sent with the return path (envelope sender) + //apache@server_name.com// because the PHP script is running as + \/apache/\. + +A0056: You need to include \/apache/\ in the \trusted_users\ configuration option. + Only trusted users are permitted to specify senders when mail is passed + to Exim via the command line. + + +Q0057: We've got people complaining about attachments that don't show up + as attachments, but are included in the body of the message. 
+ +A0057: These symptoms can be seen when some software passes a CRLF line + terminated message via the command line to an MTA that expects lines to + be terminated by LF only, and so preserves the CRs as data. If you can + identify the software that is doing this, try setting the \-dropcr-\ + option on the command it uses to call Exim. Alternatively, you can set + \drop_cr\ in the configuration file, but then that will apply to all + input. + + +Q0058: What does the error \*failed to open DB file \(/var/spool/exim/db/retry)\: + File exists*\ mean? + +A0058: This error is most often caused when a hints file that was written with + one version of the Berkeley DB library is read by another version. + Sometimes this can happen if you change from a binary version of Exim to + a locally compiled version. Or it can happen if you compile and install + a new version of Exim after changing Berkeley DB versions. You can find + out which version your Exim is using by running: + +==> ldd /usr/sbin/exim + + The solution to the problem is to delete all the files in the + \(/var/spool/exim/db)\ directory, and let Exim recreate them. + + +Q0059: When my Outlook Express 6.0 client sends a STARTTLS command to begin a + TLS session, Exim doesn't seem to receive it. The Outlook log shows + this: + +==> SMTP: 14:19:27 [tx] STARTTLS + SMTP: 14:19:27 [rx] 500 Unsupported command. + + but the Exim debugging output shows this: + +==> SMTP<< EHLO xxxx + SMTP>> 250-yyyy Hello xxxx [nnn.nnn.nnn.nnn] + 250-SIZE 52428800 + 250-PIPELINING + 250-AUTH CRAM-MD5 PLAIN LOGIN + 250-STARTTLS + 250 HELP + SMTP<< QUIT + +A0059: Turn off scanning of outgoing email in Norton Antivirus. If you aren't + running Norton Antivirus, see if you are running some other kind of SMTP + proxying, either on the client or on a firewall between the client and + server. ``Unsupported command'' is not an Exim message. 
+ + +Q0060: Why am I getting the error \*failed to expand \"/data/lists/lists/${lc"\ + for require_files: \"${lc"\ is not a known operator*\ for this setting: + +==> require_files = MAILMAN_HOME/lists/${lc:$local_part}/config.db + +A0060: The value of \"require_files"\ is a \*list*\ in which each item is + separately expanded. You need either to double the colon, or switch to + a different list separator. + + +Q0061: What does the error \*Too many ``Received'' headers - suspected mail + loop*\ mean? + +A0061: Whenever a message passes through an MTA, a ::Received:: header gets + added. Exim counts the number of these headers in incoming messages. If + there are more than the value of \received_headers_max\ (default 30), + Exim assumes there is some kind of mail routing loop occurring. For + example, host A passes the message to host B, which immediately passes + it back to host A. Check the ::Received:: headers and the mail logs to + determine exactly what is going on. + + One common cause of this problem is users with accounts on both systems + who set up each one to forward to the other, thinking that will cause + copies of all messages to be delivered on both of them. + + +Q0062: When I try to start an Exim daemon it crashes. I ran a debugger and + discovered that the crash is happening in the function \^^getservbyname()^^\. + What's going on? + +A0062: What have you got in the file \(/etc/nsswitch.conf)\? If it contains this + line: + +==> services: db files + + try removing the \"db"\. (Your system is trying to look in some kind of + database before searching the file \(/etc/services)\.) + + +Q0063: When I try to start an Exim daemon, nothing happens. There is no + process, and nothing is written to the Exim log. + +A0063: Check to see if anything is written to \(syslog)\. 
This problem can be + caused by a permission problem that stops Exim from writing to its log + files, especially if you've specified that they should be written + somewhere other than under Exim's spool directory. You could also try + running the daemon with debugging turned on. + + +Q0064: When I run \"exim -d test@domain"\ it delivers fine, but when I send a + message from the \^mail^\ command, I get \*User unknown*\ and the mail + is saved in \(dead.letter)\. + +A0064: It looks as if Exim isn't being called by \^mail^\; instead it is + calling some other program (probably Sendmail). Try running the command + +==> /usr/sbin/sendmail -bV + + (If you get \*No such file or directory*\ or \*Command not found*\ you + are running Solaris or IRIX. Try again with \(/usr/lib/sendmail)\.) The + output should be something like this: + +==> Exim version 4.05 #1 built 13-Jun-2002 10:27:15 + Copyright (c) University of Cambridge 2002 + + If you don't see this, your Exim installation isn't fully operational. + If you are running FreeBSD, see Q9201. For other systems, see Q0114. + + +Q0065: When (as \/root/\) I use -C to run Exim with an alternate configuration + file, it gives an error about being unable to create a spool file when + trying to run an \%autoreply%\ transport. Why is this? + +A0065: When Exim is called with -C, it passes on -C to any instances of itself + that it calls (so that the whole sequence uses the same config file). If + it's running as \/exim/\ when it does this, all is well. However, if it + happens as a consequence of a non-privileged user running \%autoreply%\, + the called Exim gives up its root privilege. Then it can't write to the + spool. + + This means that you can't use -C (even as \/root/\) to run an instance of + Exim that is going to try to run \%autoreply%\ from a process that is + neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using + re-execs to regain privilege), there isn't any way round this + restriction. 
Therefore, the only way you can make this scenario work is + to run the \%autoreply%\ transport as \/exim/\ (that is, the user that + owns the Exim spool files). This may be satisfactory for autoreplies + that are essentially system-generated, but of course is no good for + autoreplies from unprivileged users, where you want the \%autoreply%\ + transport to be run as the user. To get that to work with an alternate + configuration, you'll have to use two Exim binaries, with different + configuration file names in each. See S001 for a script that patches + the configuration name in an Exim binary. + + +Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean? + +A0066: This message is given when an Exim process is unable to change uid or + gid when it needs to, because it does not have root privilege. This is a + serious problem that prevents Exim from carrying on with what it is + doing. The two most common situations where Exim needs to change uid/gid + are doing local deliveries and processing users' filter files. There are + two common causes of this error: + + (1) You have forgotten to make the exim binary setuid to \/root/\. This + means that it can never change uid/gid in any situation. Also, the + setuid binary must reside on a disk partition that does not have the + \"nosuid"\ mount option set. + + (2) The exim binary is setuid, but you have configured Exim so that, + while trying to verify an address at SMTP time, it runs a router + that needs to change uid/gid. Because Exim runs as \/exim/\ and not + \/root/\ while receiving messages, the router is unable to change + uid and therefore it cannot operate. The usual example of this is a + \%redirect%\ router for users' filter files. + + Setting the \user\ or \check_local_user\ options on a \redirect\ + router causes this to happen (except in the special case when the + redirection list is provided by the \data\ option and does not + contain \":include:"\). 
+ + The solution is to set \no_verify\ on the router that is causing the + problem. This means that it is skipped when an address is being + verified. In ``normal'' configurations where the router is indeed + handling users' filter files, this is quite acceptable, because you + do not usually need to process a filter file in order to verify that + the local part is valid. See, for example, the \%userforward%\ + router in the default configuration. + + +Q0067: What does the error \*too many unrecognized commands*\ mean? + +A0067: There have been instances of network abuse involving mail sent out by + web servers. In most cases, unrecognizable commands are sent as part of + the SMTP session. A real MTA never sends out such invalid commands. Exim + allows a few unrecognized commands in a session to permit humans who are + testing to make a few typos (it responds with a 5xx error). However, if + Exim receives too many such commands, it assumes that it is dealing with + an abuse of some kind, and so it drops the connection. + + +Q0068: Exim times out when trying to connect to some hosts, though those hosts + are known to be up and running. What's the problem? + +A0068: There could be a number of reasons for this (see also Q0017). The + obvious one is that there is a networking problem between the hosts. + If you can ping between the hosts or connect in other ways, the problem + might be caused by ECN (Explicit Congestion Notification) being enabled + in your kernel. ECN uses TCP flags originally assigned to TOS - it's a + "new" invention, and some hosts and routers are known to be confused if + a client uses it. If you are running Linux, you can turn ECN off by + running this command: + +==> /bin/echo "0" > /proc/sys/net/ipv4/tcp_ecn + + This has also been reported to cure web connection problems from Mozilla + and Netscape browsers in Linux when there were no problems with Windows + Netscape browsers. 
+ + +Q0069: What does the error \*SMTP data timeout (message abandoned) on connection + from...*\ mean? + +A0069: It means that there was a timeout while Exim was reading the contents of + a message on an incoming SMTP connection. That is, it had successfully + accepted a MAIL command, one or more RCPT commands, and a DATA command, + and was in the process of reading the data itself. The length of timeout + is controlled by the \smtp_receive_timeout\ option. + + If you get this error regularly, the cause may be incorrect handling of + large packets by a router or firewall. The maximum size of a packet is + restricted on some links; routers should split packets that are larger. + There is a feature called ``path MTU discovery'' that enables a sender + to discover the maximum packet size over an entire path (multiple + Internet links). This can be broken by misconfigured firewalls and + routers. There is a good explanation at \?http://www.netheaven.com/pmtu.html?\. + Reducing the MTU on your local network can sometimes work round this + problem. See Q0017 (3) for further discussion. + + +Q0070: What does the error \*SMTP command timeout on connection from...*\ mean? + +A0070: Exim was expecting to read an SMTP command from the client, but no + command was read within the \smtp_receive_timeout\ time limit. + + +Q0071: What does the error \*failed to open DB file \(/var/spool/exim//db/retry)\: + Illegal argument*\ mean? + +A0071: See Q0058. The cause of this error is usually the same. + + +Q0072: Exim will deliver to normal aliases, and aliases that are pipes or + files, but it objects to aliases that involve \":include:"\ items, + complaining that it can't change gid or uid. Why is this? + +A0072: See Q0066 for a general answer. The problem happens during verification + of an incoming SMTP message, not during delivery itself. In this + particular case, you must have set up your aliasing router with a \user\ + setting. 
This causes Exim to change uid/gid when reading \":include:"\ + files. If you do not need the detailed verification provided by the + router, the easy solution is to set \no_verify\ so that the router isn't + used during verification. + + Otherwise, if you set \user\ on the router in order to provide a user + for delivery to pipes or files, one solution is to put the \user\ + setting on the transports instead of on the router. You may need to + create some special transports just for this router. The alternative is + to supply two different routers, one with \user\ and \no_verify\, and + the with \verify_only\ but no \user\ setting. + + +Q0073: I'm seeing log file corruption, with parts of log lines getting mangled + by other log entries. + +A0073: The only time this has been seen is when several servers were writing to + the same log files over NFS. Exim assumes that its log file is on local + disk, and using NFS, especially for more than one server, will not work. + + +Q0074: What does the error message \*remote delivery process count got out of + step*\ mean? + +A0074: Exim uses subprocesses for remote deliveries; this error means that the + master process expected to have a child process running, but found there + were none. Prior to release 4.11, this error could be caused by running + Exim under \^strace^\ on a Linux system, because stracing causes + children to be ``stolen'' such that a parent that tries to wait for + ``any of my children'' is told that it has none. Current releases of + Exim have code to get round this problem. + + +Q0075: I'm using LDAP, and some email addresses that contain special characters + are causing parsing errors in my LDAP lookups. + +A0075: You should be using \"${quote_ldap:$local_part}"\ instead of just + \"$local_part"\ in your lookups. 
+ + +Q0076: I've configured Exim to use \^syslog^\ for its logs, with the main and + reject logs sent to different files, but whenever a message is rejected, + I get one message on the reject log and two messages on the main log. + +A0076: You are probably putting your reject items into the main log as well; + remember \^syslog^\ levels are inclusive (for example, \"mail.info"\ + includes all higher levels, so a \"mail.notice"\ message will be caught + by a \"mail.info"\ descriptor). + Test this by running the command: + +==> logger -p mail.notice test + + and seeing which logs it goes into. + + +Q0077: I've installed Exim and it is delivering mail just fine. However, when I + try to read mail from my PC I get \*connection rejected*\ or \*unable to + connect*\. + +A0077: See Q5021. + + +Q0078: Exim is logging the unknown SMTP command \"XXXX"\ from my client hosts, + and they are unable to authenticate. + +A0078: This is a sign of a Cisco PIX firewall getting in the way. It does not + support ESMTP, and turns EHLO commands into XXXX. You should configure + the Pix to leave SMTP alone; see Q0053 for how to do this. + + +Q0079: Our new PIX firewall is causing problems with incoming mail. How can + this be fixed? + +A0079: See Q0053 and Q0078. If some messages get through and others do not, + see also Q0017. + + +Q0080: Am I to understand that the database lookups must only return one value? + They can not return a list of values? The documentation seems to + indicate that it's possible to return a list. + +A0080: Lookups can be used in two different situations, and what they return is + different in the two cases. (Be thankful Exim 3 is gone; there was yet + another case!) + + (1) You can use a lookup in any expanded string. The syntax is + +==> ${lookup ..... } + + In this case, whatever is looked up replaces the expansion item. It + may be one value or a list of values. 
Whether a single value or a + list is acceptable or not depends on where you are using the string + expansion. If it is for an option that expects just one value, then + only one value is allowed (for example). + + (2) You can make use of the lookup mechanism to test whether something + (typically a host name or IP address) is in a list. For example, + +==> hosts = a : b : c + + in an ACL tests whether the calling host's name matches ``a'', or + ``b'', or ``c''. Now, suppose you want to keep the list of names in + a database, or cdb file, or NIS map, or... By writing + +==> hosts = pgsql;select .... + + you are saying to Exim: ``Run this lookup; if it succeeds, behave as + if the host is in the list; if it fails, the host is not in the + list.'' You are using the indexing mechanism of the database as a + fast way of checking a list. A simpler example is + +==> hosts = lsearch;/some/file + + where the file contains the list of hosts to be searched. + + The complication happens when a list is first expanded before being + interpreted as a list. This happens in a lot of cases. You can therefore + write either of these: + +==> hosts = cdb;/some/file + hosts = ${lookup{something}cdb{/some/file}} + + but they have different meanings. The first means ``see if the host name + is in the list in this file''. The second means ``run this lookup and + use the result of the lookup as a list of host items to check''. In the + second case, the list could contain multiple values (colon separated), + and one of those values could even be ``cdb;/some/file''. + + Flexibility does lead to complexity, I'm afraid. + + +Q0081: What does \*error in redirect data: included file xxxx is too big*\ + mean? + +A0081: You are trying to include a very large file in a redirection list, using + the \":include:"\ feature. Exim has a built-in limit on the size, as a + safety precaution. The default is 1 megabyte. If you want to increase + this, you have to rebuild Exim. 
In your \(Local/Makefile)\, put + +==> MAX_INCLUDE_SIZE = whatever + + and then rebuild Exim. The value is a number of bytes, but you can give + it as a parenthesized arithmetic expression such as \"(3*1024*1024)"\. + However, an included file of more than a megabyte is likely to be quite + inefficient. How many addresses does yours contain? You get the best + performance out of Exim if you arrange to send mailing list messages + with no more than about 100 recipients (in order to get parallelism in + the routing). + + +Q0082: What does \*relocation error: /lib/libnss_dns.so.2: symbol + __libc_res_nquery, version GLIBC_PRIVATE not defined in file + libresolv.so.2 with link time reference*\ mean? + +A0082: You have updated \^glibc^\ while an Exim daemon is running. Stop and + restart the daemon. + + +Q0083: Netscape on Unix is sending messages containing an unqualified user name + in the ::Sender:: header line, which Exim is rejecting because I have + set \"verify = header_syntax"\. How can I fix this? + +A0083: The only thing you can do in Exim is to set the + \sender_unqualified_hosts\ option to allow unqualified sender addresses + form the relevant hosts; of course, this applies to all sender + addresses, not just the ::Sender:: header line. + + Alternatively, you can configure Netscape not to include the header line + in the first place. Add the following line to the + \($HOME/.netscape/preferences.js)\ and \($HOME/.netscape/liprefs.js)\ + files: + +==> user_pref("mail.suppress_sender_header", true); + + Netscape \*must*\ be shutdown while doing this. + + +Q0084: I want to set up an alias that pipes a message to \^gpg^\ and then pipes + the result to \^mailx^\ to resubmit the message, but when I use my + tested command in an alias file, I get an error from \^gpg^\. + +A0084: Probably you are using a shell command with two pipe symbols in it. 
An + alias like this: + +==> gpg-xxx: "|gpg | mailx helo_allow_chars = _ + + For more seriously malformed host names, see \helo_accept_junk_hosts\. + See also Q0732. + + +Q0086: What does \*SMTP protocol violation: synchronization error (next input + sent too soon)*\ mean? + +A0086: SMTP is a ``lock-step'' protocol, which means that, at certain points in + the protocol, the client must wait for the server to respond before + sending more data. Exim checks for correct behaviour, and issues this + error if the client sends data too soon. This protects against + malefactious clients who send a bunch of SMTP commands (usually to + transmit spam) without waiting for any replies. + + This error is also provoked if the client is trying to start up a TLS + session immediately on connection, without using the STARTTLS command. + See Q1707 for a discussion of this case. + + +Q0087: What does \*rejected after DATA: malformed address: xx@yy may not follow + : failing address in "from" header*\ mean? (I've obscured the + real email addresses.) + +A0087: Your DATA ACL contains + +==> verify = header_syntax + + and an incoming message contained the line + +==> From: xx@yy + + This is syntactically invalid. The contents of an address in a header + line are either just the address, or a ``phrase'' followed by an address + in angle brackets. In the latter case, the ``phrase'' must be quoted if + it contains special characters such as @. The following are valid + versions of the bad header: + +==> From: xx@yy + From: "xx@yy" + + though why on earth anything generates this kind of redundant nonsense I + can't think. + + +Q0088: The Windows mailer SENDFILE.EXE sometimes hangs while trying to send a + message to Exim 4, and eventually times out. It worked flawlessly with + Exim 3. What has changed? + +A0088: Exim 4 sets an obscure TCP/IP parameter called TCP_NODELAY. This + disables the "Nagle algorithm" for the TCP/IP transmission. 
The Nagle + algorithm can improve network performance in interactive situations such + as a human typing at a keyboard, by buffering up outgoing data until the + previous packet has been acknowledged, and thereby reducing the number + of packets used. This is not relevant for mail transmission, which + mostly consists of quite large blocks of data; setting TCP_NODELAY + should improve performance. However, it seems that some Windows clients + do not function correctly if the server turns off the Nagle algorithm. + If you are using Exim 4.23 or later, you can set + +==> tcp_nodelay = false + + This stops Exim setting TCP_NODELAY on the sockets created by the + listening daemon. + + +Q0089: What does the error \*kernel: application bug: exim(12099) has SIGCHLD + set to SIG_IGN but calls wait()*\ mean? + +A0089: This was a bad interaction between a relatively recent change to the + Linux kernel and some ``belt and braces'' programming in Exim. The + following explanation is taken from Exim's change log: + + When Exim is receiving multiple messages on a single connection, and + spinning off delivery processess, it sets the SIGCHLD signal handling to + SIG_IGN, because it doesn't want to wait for these processes. However, + because on some OS this didn't work, it also has a paranoid call to + \^waitpid()^\ in the loop to reap any children that have finished. Some + versions of Linux now complain (to the system log) about this + ``illogical'' call to \^waitpid()^\. I have therefore put it inside a + conditional compilation, and arranged for it to be omitted for Linux. + + I am pretty sure I caught all the places in Exim where this happened. + However, there are still occasional reports of this error. I have not + heard of any resolutions, but my current belief is that they are caused + by something that Exim calls falling foul of the same check. There was + at one time a suspicion that the IPv6 stack was involved. 
+ + +Q0090: I can't seem to get a pipe command to run when I include a \"${lookup"\ + expansion in it. + +A0090: See Q0025. + + +Q0091: Why is Exim giving the error \*Failed to send message from address_reply + transport*\ when I run it using -C to specify an alternate + configuration? + +A0091: See Q0065. + + + +1. BUILDING AND INSTALLING + +Q0101: I'm having a problem with an Exim RPM. + +A0101: Normally the thing to do if you have a problem with an RPM package is + to contact the person who built the package first, not the person who + made the software that's in the package. You can usually find out who + made a package using the following command: + +==> rpm --query --package --queryformat '%{PACKAGER}\n' + + where \[rpm-package-file]\ is the actual file, e.g. \(exim-3.03-2.i386.rpm)\. + Or, if the package is installed on your system: + +==> rpm --query --queryformat '%{PACKAGER}\n' + + where \[package-name]\ is the name component of the package, e.g. \"exim"\. + If the packager is unable or unwilling to help, only then should you + contact the actual author or associated mailing list of the software. + + If you discover through the querying process that you can't tell who + the person (or company or group) is who built the package, or that they + no longer exist at the given address, then you should reconsider + whether you want a package from an unknown source on your system. + + If you discover through the querying process that you yourself are the + person who built the package, then you should either (a) contact the + author or associated mailing list, or (b) reconsider whether you ought + to be building and distributing RPM packages of software you don't + understand. + + Similar rules of thumb govern other binary package formats, including + debs, tarballs, and POSIX packages. + + +Q0102: I can't get Exim to compile with Berkeley DB version 2.x or 3.x. + +A0102: Have you set \"USE_DB=yes\" in \(Local/Makefile)\? 
This causes Exim to use the + native interface to the DBM library instead of the compatibility + interface, which needs a header called \(ndbm.h)\ that may not exist on your + system. + + +Q0103: I'm getting an \*undefined symbol*\ error for \"hosts_ctl"\ when I try to + build Exim. (On some systems this error is \*undefined reference to + 'hosts_ctl'*\.) + +A0103: You should either remove the definition of \\USE_TCP_WRAPPERS\\ or add + \"-lwrap"\ to your \\EXTRALIBS\\ setting in Local/Makefile. + + +Q0104: I'm about to upgrade to a new Exim release. Do I need to ensure the + spool is empty, or take any other special action? + +A0104: It depends on where you are coming from. + + (1) If you are changing to release 4.00 or later from a release prior to + 4.00, you will need to make changes to the run time configuration file. + See the file \(doc/Exim4.upgrade)\ for details. If you are coming from + before release 3.00, you should also see \(doc/Exim3.upgrade)\. + + (2) If you are upgrading from an Exim 4 release to a later release, you + do not need to take special action. New releases are made backwards + compatible with old spool files and hints databases, so that upgrading + can be done on a running system. All that should be necessary is to + install a new binary and then HUP the daemon. + + +Q0105: What does the error \*install-info: command not found*\ mean? + +A0105: You have set \\INFO_DIRECTORY\\ in your \(Local/Makefile)\, and Exim is trying + to install the Texinfo documentation, but cannot find the command called + \(install-info)\. If you have a version of Texinfo prior to 3.9, you + should upgrade. Otherwise, check your installation of Texinfo to see why + the \(install-info)\ command is not available. + + +Q0106: Exim doesn't seem to be recognizing my operating system type correctly, + and so is failing to build. + +A0106: Run the command \"scripts/os-type -generic"\. 
The output should be one of + the known OS types, and should correspond to your operating system. You + can see which OS are supported by obeying \"ls OS/Makefile-*"\ and looking + at the file name suffixes. + + If there is a discrepancy, it means that the script is failing to + interpret the output from the \"uname"\ command correctly, or that the + output is wrong. Meanwhile, you can build Exim by obeying + +==> EXIM_OSTYPE=xxxx make + + instead of just \"make"\, provided you are running a Bourne-compatible + shell, or otherwise by setting \\EXIM_OSTYPE\\ correctly in your + environment. It is probably best to start again from a clean + distribution, to avoid any wreckage left over from the failed attempt. + + +Q0107: Exim fails to build, complaining about the absence of the \"killpg"\ + function. + +A0107: This function should be present in all modern flavours of Unix. If you + are using an older version, you should be able to get round the problem + by inserting + +==> #define killpg(pgid,sig) kill(-(pgid),sig) + + into the file called \(OS/os.h-xxx)\, where xxx identifies your operating + system, and is the output of the command \"scripts/os-type -generic"\. + + +Q0108: I'm getting an unresolved symbol \"ldap_is_ldap_url"\ when trying to build + Exim. + +A0108: You must have specified \"LOOKUP_LDAP=yes"\ in the configuration. Have you + remembered to set \"-lldap"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You need that + in order to get the LDAP library scanned when linking. + + +Q0109: I'm getting an unresolved symbol \"mysql_close"\ when trying to build Exim. + +A0109: You must have specified \"LOOKUP_MYSQL=yes"\ in the configuration. Have you + remembered to set \"-lmysqlclient"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You + need that in order to get the MySQL library scanned when linking. + + +Q0110: I'm trying to build Exim with PAM support. 
I have included \"-lpam"\ in + \\EXTRALIBS\\, but I'm still getting a linking error: + +==> /lib/libpam.so: undefined reference to `dlerror' + /lib/libpam.so: undefined reference to `dlclose' + /lib/libpam.so: undefined reference to `dlopen' + /lib/libpam.so: undefined reference to `dlsym' + +A0110: Add \"-ldl"\ to \\EXTRALIBS\\. In some systems these dynamic loading functions + are in their own library. + + +Q0111: I'm getting the error \*db.h: No such file or directory*\ when I try to + build Exim. + +A0111: This problem has been seen with RedHat 7.0, but could also happen in + other environments. If your system is using the DB library, you + need to install the DB development package in order to build Exim. + The package is called something like \"db3-devel-3.1.14-16.i386.rpm"\ for + Linux systems, but you should check which version of DB you have + installed (current releases are DB 4). + + +Q0112: I'm getting the error \*/usr/bin/ld: cannot find -ldb*\ when I try to + build Exim. + +A0112: This is probably the same problem as Q0111. + + +Q0113: I've compiled Exim and I've managed to start it but there was one + problem - it always complained that \(libmsqlclient.so.10)\ was not found, + even though this file is in \(/usr/local/lib/mysql/)\. + +A0113: Solaris: ensure you have this in your \(Local/Makefile)\: + +==> LOOKUP_LIBS=-L/usr/local/lib/mysql -R/usr/local/lib/mysql + + Net/Open/FreeBSD: Run this command (or ensure it gets run automatically + at boot time): + +==> ldconfig -m /usr/local/lib/mysql + + Linux: add \(/usr/local/lib/mysql)\ to \(/etc/ld.so.conf)\ and re-run \(ldconfig)\. + Alternatively, add + +==> -Wl,-rpath -Wl,/usr/local/lib/mysql + + to EXTRA_LIBS and then re-link (this is similar to the Solaris solution + above). This will probably also work on other systems that use GNU + Binutils. + + +Q0114: How can I remove Sendmail from my system? I've built Exim and run \"make + install"\, but it still doesn't seem to be fully operational. 
+ +A0114: If you are running FreeBSD, see Q9201. Otherwise, you need to arrange + that whichever of the paths \(/usr/sbin/sendmail)\ or \(/usr/lib/sendmail)\ + exists on your system is changed to refer to Exim. For example, you + could use these commands (as \/root/\): + +==> mv /usr/sbin/sendmail /usr/sbin/sendmail.original + chmod u-s /usr/sbin/sendmail.original + ln -s /path/to/exim /usr/sbin/sendmail + + The second command removes the setuid privilege from the old MTA, as a + general safety precaution. In the third command, substitute the actual + path to the Exim binary for \(/path/to/exim)\. + + +Q0115: What does \*Can't open \(../scripts/newer)\: No such file or directory*\ + mean? I got it while trying to build Exim. + +A0115: You are using FreeBSD, or another OS that has a \^make^\ command which + tries to optimize the running of commands. Exim's \(Makefile)\ contains + targets with sequential commands like this: + +==> buildpcre: + @cd pcre; $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" \ + CFLAGS="$(CFLAGS) $(PCRE_CFLAGS)" \ + RANLIB="$(RANLIB)" HDRS="$(PHDRS)" \ + INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)" + @if $(SHELL) $(SCRIPTS)/newer pcre/libpcre.a exim; then \ + /bin/rm -f exim eximon.bin; fi + + The second command assumes that the \"cd pcre"\ in the first command is + no longer in effect. If you have \"-j3"\ in your default set of + \"MAKEFLAGS"\, FreeBSD \^make^\ tries to optimize, and ends up up with both + commands in the same shell process. The result is that \"$(SCRIPTS)"\ + (which has a value of \"../scripts"\) is not found. + + The simplest solution is to force \^make^\ to use backwards compatibility + mode with each command in its own shell, by using the \-B\ flag. To + ensure that this happens throughout the build, it's best to export it in + your environment: + +==> MAKEFLAGS='-B' + export MAKEFLAGS + make + + +Q0116: I have tried to build Exim with Berkeley DB 3 and 4, but I always get + errors. 
+ +A0116: One common problem, especially when you have several different versions + of BDB installed on the same host, is that the header files and library + files for BDB are not in a standard place. You therefore need to tell + Exim where they are, by setting INCLUDE and DBMLIB in your + \(Local/Makefile)\. For example, I use this on my workstation when + I want to build with DB 4.1: + +==> INCLUDE=-I/opt/local/include/db-4.1 + DBMLIB=/opt/local/lib/db-4.1/libdb.a + + Specifying the complete library file like this will cause it to be + statically linked with Exim. You'll have to check to see where these + files are on your system. For example, on FreeBSD 5, the header is in + \(/usr/local/include/db4)\ and the library is in \(/usr/local/lib)\ and + called \(libdb4)\. In that environment, you could use: + +==> INCLUDE=-I/usr/local/include/db4 + DBMLIB=-L/usr/local/lib -ldb4 + + This time, DBMLIB is specifying the library directory (\(/usr/local/lib)\) + and the name of the library (\(db4)\) separately. The name of the actual + library file is \(/usr/local/lib/libdb4.something)\. If the library was + compiled for dynamic linking, that will be used. + + +Q0117: Is there a quick walk-through of an Exim install from source anywhere? + +A0117: Here! This is a contribution from a RedHat user, somewhat edited. On + other operating systems things may be slightly different, but the + general approach is the same. + + (1) Install the db needed for Exim. This needs to be done first if you + don't have a DBM library installed. Go to \?http://www.sleepycat.com?\ + and download \(db-4.1.25.tar.gz)\, or whatever the current release is. + Then: + +==> gunzip db-4.1.25.tar.gz + tar -xvf db-4.1.25.tar + cd db-4.1.25 + cd build_unix + ../dist/configure + make + make install + + (2) Add a user for use by Exim, unless you want to use an existing user + such as \/mail/\: + +==> adduser exim + + (3) Now you can prepare to build Exim. 
Go to \?http://www.exim.org?\ or + one of its mirrors, or the master ftp site + \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download + \(exim-4.20.tar.gz)\ or whatever the current release is. Then: + +==> gunzip exim-4.20.tar.gz + tar -xvf exim-4.20.tar + cd exim-4.20 + cp src/EDITME Local/Makefile + cp exim_monitor/EDITME Local/eximon.conf + + (4) Edit \(Local/Makefile)\: + + Comment out EXIM_MONITOR= unless you want to install the Exim + monitor (it requires X-windows). + + Set the user you want Exim to use for itself: + +==> EXIM_USER=exim + + If your DBM library is Berkeley DB, set up to use its native interface: + +==> USE_DB=yes + + Make sure Exim's build can find the DBM library and its headers. If + you've installed Berkeley DB 4 you'll need to have settings like this + in \(Local/Makefile)\: + +==> INCLUDE=-I/usr/local/BerkeleyDB.4.1/include + DBMLIB=/usr/local/BerkeleyDB.4.1/lib/libdb.a + + (Check that the first directory contains the db.h file and that the + second library exists.) + + You don't need to change anything else, but you might want to review + the default settings in the ``must specify'' section. + + (4) Build Exim by running the \/make/\ command. + + (5) Install Exim by running, as \/root/\: + +==> make install + + You \*must*\ be \/root/\ to do this. You do not have to be root for any of + the previous building activity. + + (6) Run some tests on Exim; see if it will do local and remote + deliveries. Change the configuration if necessary (for example, + uncommenting \group\ on the \%local_delivery%\ transport if you don't + use a ``sticky bit'' directory). + + (7) Change Sendmail to Exim (of course you need to have had Sendmail + installed to do this). + +==> /etc/init.d/sendmail stop + mv /usr/sbin/sendmail /usr/sbin/sendmail.org + ln -s /usr/exim/bin/exim /usr/sbin/sendmail + /etc/init.d/sendmail start + + (8) Check the Exim log. 
Either use the Exim monitor, or: + +==> tail -f /var/spool/exim/log/mainlog + + +Q0118: I've set \"LOOKUP_INCLUDE=-I/client/include"\ in Local/Makefile, but the + compilation of \^exim_dumpdb^\ is ignoring this option and failing. Why? + +A0118: LOOKUP_INCLUDE is the special include file for lookup modules in Exim + (e.g. mysql, LDAP). Confusingly, it doesn't apply to basic DBM code + which is used also for other things. Try setting INCLUDE and DBMLIB + instead. For example: + +==> USE_DB=yes + INCLUDE=-I/client/include + DBMLIB=/client/lib/libdb.a + + +Q0119: I know there are some 3rd-party patches for Exim, for exiscan and + other things. Where are they? + +A0119: Exiscan is at \?http://duncanthrax.net/exiscan-acl/?\. +[[br]] + Scanexi is at \?http://w1.231.telia.com/~u23107873/scanexi.html?\ +[[br]] + A sample \^^local_scan()^^\ function for interfacing to \^uvscan^\ is + at \?http://www.dcs.qmul.ac.uk/~mb/local_scan/?\. +[[br]] + An interface to SpamAssassin at SMTP time is at + \?http://marc.merlins.org/linux/exim/sa.html?\. +[[br]] + A mini-HOWTO (PDF file) about scanning and virus scanning, and some RPMs + can be found at \?http://www.timj.co.uk/linux/exim.php?\. + + + +2. ROUTING IN GENERAL + +Q0201: How can I arrange that messages larger than some limit are handled by + a special router? + +A0201: You can use a \condition\ option on the router line this: + +==> condition = ${if >{$message_size}{100K}{yes}{no}} + + +Q0202: Can I specify a list of domains to explicitly reject? + +A0202: Set up a named domain list containing the domains in the first section + of the configuration, for example: + +==> domainlist reject_domains = list:of:domains:to:reject + + You can use this list in an ACL to reject any SMTP recipients in those + domains. 
You can also give a customized error message, like this: + +==> deny message = The domain $domain is no longer supported + domains = +reject_domains + + If you also want to reject these domains in messages that are submitted + from the command line (not using SMTP), you need to set up a router to + do it, like this: + +==> reject_domains: + driver = redirect + domains = +reject_domains + allow_fail + data = :fail: The domain $domain is no longer supported + + +Q0203: How can I arrange to do my own qualification of non-fully-qualified + domains, and then pass them on to the next router? + +A0203: If you have some list of domains that you want to qualify, you can do + this using a redirect router. For example, + +==> qualify: + driver = redirect + domains = *.a.b + data = ${quote:$local_part}@$domain.c.com + + This adds \".c.com"\ to any domain that matches \"*.a.b"\. + If you want to do this in conjunction with a \%dnslookup%\ router, the + \widen_domains\ option of that router may be another way of achieving + what you want. + + +Q0204: Every system has a \"nobody"\ account under which httpd etc run. I would + like to know how to restrict mail which comes from that account to users + on that host only. + +A0204: Set up a first router like this: + +==> fail_nobody: + driver = redirect + senders = nobody@your.domain + domains = ! +local_domains + allow_fail + data = :fail: Nobody may not mail off-site + + This assumes you have defined \+local_domains\ as in the default + configuration. + + +Q0205: How can I get Exim to deliver to me locally and everyone else at the same + domain via SMTP to the MX record specified host? + +A0205: Create an \%accept%\ router to pick off the one address and pass it to + an appropriate transport. Put this router before the one that does MX + routing: + +==> me: + driver = accept + domains = dom.com + local_parts = me + transport = local_delivery + + In the transport you will have to specify the \user\ option. 
An + alternative way of doing this is to add a condition to the router that + does MX lookups to make it skip your address. Subsequent routers can then + deliver your address locally. You'll need a condition like this: + +==> condition = \ + ${if and {{eq{$domain}{dom.com}}{eq{$local_part}{me}}}{no}{yes}} + + +Q0206: How can I get Exim to deliver certain domains to a different SMTP port + on my local host? + +A0206: You must set up a special \%smtp%\ transport, where you can specify the + \port\ option, and then set up a router to route the domains to that + transport. There are two possibilities for specifying the host: + + (1) If you use a \%manualroute%\ router, you can specify the local host + in the router options. You must also set + +==> self = send + + so that it does not object to sending to the local host. + + (2) If you use a router that cannot specify hosts (for example, an + \%accept%\ router with appropriate conditions), you have to specify + the host using the \hosts\ option of the transport. In this case, + you must also set \allow_localhost\ on the transport. + + +Q0207: Why does Exim lower-case the local-part of a non-local domain when + routing? + +A0207: Because \caseful_local_part\ is not set (in the default configuration) + for the \%dnslookup%\ router. This does not matter because the local + part takes no part in the routing, and the actual local part that is + sent out in the RCPT command is always the original local part. + + + +3. ROUTING TO REMOTE HOSTS + +Q0301: What do \*lowest numbered MX record points to local host*\ and \*remote + host address is the local host*\ mean? + +A0301: They mean exactly what they say. Exim expected to route an address to a + remote host, but the IP address it obtained from a router was for the + local host. If you really do want to send over TCP/IP to the local host + (to a different version of Exim or another MTA, for example), see Q0206. 
+ + More commonly, these errors arise when Exim thinks it is routing some + foreign domain. For example, the router configuration causes Exim to + look up the domain in the DNS, but when Exim examines the DNS output, + either the lowest numbered MX record points at the local host, or there + are no MX records, and the address record for the domain contains an + IP address that belongs to the local host. + + There has been a rash of instances of domains being deliberately set up + with MX records pointing to \"localhost"\ (or other names with A records + that specify 127.0.0.1), which causes this behaviour. You can use the + \ignore_target_hosts\ option to get Exim to ignore these records. The + default contiguration does this. For more discussion, see Q0319. For + other cases: + + (1) If the domain is meant to be handled as a local domain, there + is a problem with the configuration, because it should not then have + been looked up in the DNS. Check the \domains\ settings on your + routers. + + (2) If the domain is one for which the local host is providing a + relaying service (called ``mail hubbing''), possibly as part of a + firewall, you need to set up a router to tell Exim where to send + messages addressed to this domain, because the DNS directs them to + the local host. You should put a router like this one before the one + that does DNS lookups: + +==> hubbed_hosts: + driver = manualroute + transport = remote_smtp + route_list = see discussion below + + The contents of the \route_list\ option depend on how many hosts you + are hubbing for, and how their names are related to the domain name. + Suppose the local host is a firewall, and all the domains in + \(*.foo.bar)\ have MX records pointing to it, and each domain + corresponds to a host of the same name. 
Then the setting could be + +==> route_list = *.foo.bar $domain + + If there isn't a convenient relationship between the domain names + and the host names, you either have to list each domain separately, + or use a lookup expansion to look up the host from the domain, or + put the routing information in a file and use the \route_data\ + option with a lookup expansion. + + (3) If neither (1) nor (2) is the case, the lowest numbered MX record or + the address record for the domain should not be pointing to your + host. You should arrange to get the DNS mended. + + +Q0302: Why does Exim say \*all relevant MX records point to non-existent hosts*\ + when MX records point to IP addresses? + +A0302: MX records cannot point to IP addresses. They are defined to point to + host names, so Exim always interprets them that way. (An IP address is a + syntactically valid host name.) The DNS for the domain you are having + problems with is misconfigured. + + However, it appears that more and more DNS zones are breaking the rules + and putting IP addresses on the RHS of MX records. Exim follows the + rules and rejects this, but other MTAs do support it, so the + \allow_mx_to_ip\ was regretfully added at release 3.14 to permit this + heinous activity. + + +Q0303: How do I configure Exim to send all messages to a central server? I + don't want to do any local deliveries at all on this host. + +A0303: Use this as your first and only router: + +==> send_to_gateway: + driver = manualroute + transport = remote_smtp + route_list = * central.server.host + + +Q0304: How do I configure Exim to send all non-local mail to a gateway host? + +A0304: Replace the \%dnslookup%\ router in the default configuration with the + following: + +==> send_to_gateway: + driver = manualroute + domains = !+local_domains + transport = remote_smtp + route_list = * gate.way.host + + If there are several hosts you can send to, you can specify them as a + colon-separated list. 
+ + +Q0305: How can I arrange for mail on my local network to be delivered directly + to the relevant hosts, but all other mail to be sent to my ISP's mail + server? The local hosts are all DNS-registered and behave like normal + Internet hosts. + +A0305: Set up a first router to pick off all the domains for your local + network. There are several ways you might do this. For example + +==> local_network: + driver = dnslookup + transport = remote_smtp + domains = *.mydomain.com + + This does a perfectly conventional DNS routing operation, but only for + the domains that match \(*.mydomain.com)\. Follow this with a `smart + host' router: + +==> internet: + driver = manualroute + domains = !+local_domains + transport = remote_smtp + route_list = * mail.isp.net + + This routes any other non-local domains to the smart host. + + +Q0306: How do I configure Exim to send all non-local mail to a central server + if it cannot be immediately delivered by my host? I don't want to have + queued mail waiting on my host. + +A0306: Add to the \%remote_smtp%\ transport the following: + +==> fallback_hosts = central.server.name(s) + + If there are several names, they must be separated by colons. + + +Q0307: The \route_list\ setting \"^foo$:^bar$ $domain"\ in a \%manualroute%\ + router does not work. + +A0307: The first thing in a \route_list\ item is a single pattern, not a list of + patterns. You need to write that as \"^(foo|bar)$ $domain"\. + Alternatively, you could use several items and write + +==> route_list = foo $domain; bar $domain + + Note the semicolon separator. This is because the second thing in each + item can itself be a list - of hosts. + + +Q0308: I have a domain for which some local parts must be delivered locally, + but the remainder are to be treated like any other remote addresses. 
+ +A0308: One possible way of doing this is as follows: Assuming you are using a + configuration that is similar to the default one, first exclude your + domain from the first router by changing it to look like this: + +==> non_special_remote: + driver = dnslookup + domains = ! +local_domains : ! special.domain + transport = remote_smtp + ignore_target_hosts = 127.0.0.0/8 + no_more + + Then add a second router which handles the local parts that are not to + be delivered locally: + +==> special_remote: + driver = dnslookup + domains = special.domain + local_parts = ! lsearch;/list/of/special/localparts + transport = remote_smtp + ignore_target_hosts = 127.0.0.0/8 + no_more + + The remaining local parts will fall through to the remaining routers, + which can delivery them locally. + + +Q0309: How can I configure Exim on a firewall machine so that if mail arrives + addressed to a domain whose MX points to the firewall, it is forwarded + to the internal mail server, without having to have a list of all the + domains involved? + +A0309: As your first router, have the standard \%dnslookup%\ router from the + default configuration, with the added option + +==> self = pass + + This will handle all domains whose lowest numbered MX records do not + point to your host. Because of the \no_more\ setting, if it encounters + an unknown domain, routing will fail. However, if it hits a domain whose + lowest numbered MX points to your host, the \self\ option comes into + play, and overrides \no_more\. The \"pass"\ setting causes it to pass + the address on to the next router. (The default causes it to generate an + error.) + + The only non-local domains that reach the second router are those with + MX records pointing to the local host. Set it up to send them to the + internal mail server like this: + +==> internal: + driver = manualroute + domains = ! 
+local_domains + transport = remote_smtp + route_list = * internal.server + + +Q0310: If a DNS lookup returns no MX records why doesn't Exim just bin the + message? + +A0310: If a DNS lookup returns no MXs, Exim looks for an address record, in + accordance with the rules that are defined in the RFCs. If you want to + break the rules, you can set \mx_domains\ in the \%dnslookup%\ router, but + you will cut yourself off from those sites (and there still seem to be + plenty) who do not set up MX records. + + +Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim + send the messsage to the host defined by the A record? + +A0311: The RFCs are quite clear on this. Only if it is known that there are no + MX records is an MTA allowed to make use of the A record. When an MX + lookup fails to complete, Exim does not know whether there are any MX + records or not. There seem to be some name servers (or some + configurations of some name servers) that give a ``server fail'' error when + asked for a non-existent MX record. Exim uses standard resolver calls, + which unfortunately do not distinguish between this case and a timeout, + so all Exim can do is try again later. + + +Q0312: Is it possible to use a conditional expression for the host item in a + \route_list\ for \%manualroute%\ router? I tried the following, but it + doesn't work: + +==> route_list = * ${if match{$header_from:}{\N.*\.usa\.net$\N} \ + {}{} + +A0312: The problem is that the second item in \route_list\ contains white + space, which means that it gets terminated prematurely. To avoid this, + you must put the second item in quotes: + +==> route_list = * "${if match{$header_from:}{\N.*\.usa\.net$\N} \ + {}{}}" + + +Q0313: I send all external mail to a smart host, but this means that bad + addresses also get passed to the smart host. Can I avoid this? 
+ +A0313: Assuming you have DNS availability, set up a conventional \%dnslookup%\ + router to do the routing, but in the \%remote_smtp%\ transport set this: + +==> hosts = your.smart.host + hosts_override + + This will override the hosts that the router finds so that everything + goes to the smart host, but any non-existent domains will be failed by + the router. + + +Q0314: I have a really annoying intermittent problem where attempts to mail to + valid sites are rejected with \*unknown mail domain*\. This only happens a + few times a day and there is no particular pattern to the sites it + rejects. If I try to lookup the same domain a few minutes later then it + is OK. + +A0314: This is almost certainly a problem with the DNS resolver or the the + domain's name servers. + + (1) Have you linked Exim against the newest DNS resolver library that + comes with Bind? If you are using SunOS4 that may be your problem, as + the resolver that comes with that OS is known to be buggy and to give + intermittent false negatives. + + (2) Effects like this are sometimes seen if a domain's name servers get + out of step with each other. + + +Q0315: I'd like route all mail with addresses that can't be resolved (the DNS + lookup times out) to a relay machine. + +A0315: Set \pass_on_timeout\ on your \%dnslookup%\ router, and add below it a + \%manualroute%\ router that routes all relevant domains to the relay. + + +Q0316: I would like to forward all incoming email for a particular domain to + another host via SMTP. Whereabouts would I configure that? + +A0316: Use this as your first router: + +==> special: + driver = manualroute + transport = remote_smtp + route_list = the.particular.domain the.other.host + + You will also need to adjust the ACL for incoming SMTP so that this + domain is accepted for relaying. If you are using the default + configuration, there is a domain list called \relay_domains\ that is + set up for this. 
+ + +Q0317: What I'd like to do is have alternative smart hosts, where the one to be + used is determined by which ISP I'm connected to. + +A0317: The simplest way to do this is to arrange for the name of the smart host + du jour to be placed in a file when you connect, say \(/etc/smarthost)\. + Then you can read this file from a \%manualroute%\ router like this: + +==> smarthost: + driver = manualroute + transport = remote_smtp + route_list = * ${readfile{/etc/smarthost}{}} + + The second argument of the \"readfile"\ item is a string that replaces + any newline characters in the file (in this case, with nothing). + By keeping the data out of the main configuration file, you avoid having + to HUP the daemon when it changes. + + +Q0318: Exim won't route to a host with no MX record. + +A0318: More than one thing may cause this. + + (1) Are you sure there really is no MX record? Sometimes a typo results + in a malformed MX record in the zone file, in which case some name + servers give a SERVFAIL error rather than NXDOMAIN. Exim has to treat + this as a temporary error, so it can't go on to look for address records. + You can check for this state using one of the DNS interrogation commands, + such as \(nslookup)\, \(host)\, or \(dig)\. + + (2) Is there a wildcard MX record for \(your)\ domain? Is the + \search_parents\ option on in your \%dnslookup%\ router? If the answer to + both these questions is ``yes'', that is the cause of the problem. When + the DNS resolver fails to find the MX record, it tries adding on your + domain if \search_parents\ is true, and thereby finds your wildcard MX + record. For example: + + . There is a wildcard MX record for \(*.a.b.c)\. + + . There is a host called \(x.y.z)\ that has an A record and no MX record. + + . Somebody on the host \(m.a.b.c)\ domain tries to mail to \(user@x.y.z)\. + + . Exim calls the DNS to look for an MX record for \(x.y.z)\. + + . The DNS doesn't find any MX record. 
Because \search_parents\ is true, + it then tries searching the current host's parent domain, so it + looks for \(x.y.z.a.b.c)\ and picks up the wildcard MX record. + + Setting \search_parents\ false makes this case work while retaining the + wildcard MX record. However, anybody on the host \(m.a.b.c)\ who mails to + \(user@n.a)\ (expecting it to go to \(user@n.a.b.c)\) now has a problem. The + \widen_domains\ option of the \%dnslookup%\ router may be helpful in this + circumstance. + + +Q0319: I have some mails on my queues that are sticking around longer than + the retry time indicates they should. They are all getting frozen + because some remote admin has set their MX record to 127.0.0.1. + +A0319: The admin in question is an idiot. Exim will always freeze such messages + because they are apparently routed to the local host. To bounce these + messages immediately, set + +==> ignore_target_hosts = 127.0.0.1 + + on the \%dnslookup%\ router. This causes Exim to completely ignore any hosts + with that IP address. In fact, there are quite a number of IP addresses + that should never be used. Here is a suggested configuration list for + the IPv4 ones: + +==> # Don't allow domains whose single MX (or A) record is a + # "special-use IPv4 address", as listed in RFC 3330. 
+ ignore_target_hosts = \ + # Hosts on "this network"; RFC 1700 (page 4) states that these + # are only allowed as source addresses + 0.0.0.0/8 : \ + # Private networks, RFC 1918 + 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \ + # Internet host loopback address, RFC 1700 (page 5) + 127.0.0.0/8 : \ + # "Link local" block + 169.254.0.0/16 : \ + # "TEST-NET" - should not appear on the public Internet + 192.0.2.0/24 : \ + # 6to4 relay anycast addresses, RFC 3068 + 192.88.99.0/24 : \ + # Network interconnect device benchmark testing, RFC 2544 + 198.18.0.0/15 : \ + # Multicast addresses, RFC 3171 + 224.0.0.0/4 : \ + # Reserved for future use, RFC 1700 (page 4) + 240.0.0.0/4 + + +Q0320: How can I arrange for all mail to \*user@some.domain*\ to be forwarded + to \*user@other.domain*\? + +A0320: Put this as your first router: + +==> forward: + driver = redirect + domains = some.domain + data = ${quote:$local_part}@other.domain + + +Q0321: How can I tell an Exim router to use only IPv4 or only IPv6 addresses + when it finds both types in the DNS? + +A0321: You can do this by making it ignore the addresses you don't want. This + example ignores all IPv6 addresses and all IPv4 addresses in the 127 + network: + +==> ignore_target_hosts = <; 0000::0000/0 ; 127.0.0.0/8 + + To ignore all IPv4 addresses, use + +==> ignore_target_hosts = 0.0.0.0/0 + + See Q0319 for a general discussion of \ignore_target_hosts\. + + +Q0322: How can I reroute all messages bound for 192.168.10.0 and 10.0.0.0 to + a specific mail server? + +A0322: That is an odd requirement. However, there is an obscure feature in + Exim, originally implemented for packet radio people, that perhaps can + help. Check out the \translate_ip_address\ generic router option. + + + +4. ROUTING FOR LOCAL DELIVERY + +Q0401: I need to have any mail for \(virt.dom.ain)\ that doesn't match one of the + aliases in \(/usr/lib/aliases.virt)\ delivered to a particular address, for + example, \(postmaster@virt.dom.ain)\. 
+ +A0401: Adding an asterisk to a search type causes Exim to look up ``*'' when the + normal lookup fails. So if your aliasing router is something like this: + +==> virtual: + driver = redirect + domains = virt.dom.ain + data = ${lookup{$local_part}lsearch{/usr/lib/aliases.virt}} + no_more + + you should change \"lsearch"\ to \"lsearch*"\, and put this in the alias + file: + +==> *: postmaster@virt.dom.ain + + This solution has the feature that if there are several unknown + addresses in the same message, only one copy gets sent to the + postmaster, because of Exim's normal de-duplication rules. + + NOTE: This solution works only if there is also an entry for \(postmaster)\ + in the alias file, ultimately resolving to an address that is not in + \(virt.dom.ain)\. See also Q0434. + + +Q0402: How do I arrange for all incoming email for \(*@some.domain)\ to go into one + pop3 mail account? The customer doesn't want to add a list of specific + local parts to the system. + +A0402: Set up a special transport that writes to the mailbox like this: + +==> special_transport: + driver = appendfile + file = /pop/mailbox + envelope_to_add + return_path_add + delivery_date_add + user = exim + + The file will be written as the user \"exim"\. Then arrange to route all + mail for that domain to that transport, with a router like this: + +==> special_router: + driver = accept + domains = some.domain + transport = special_transport + + +Q0403: How do I configure Exim to send messages for unknown local users to a + central server? + +A0403: Assuming you are using something like the default configuration, where + local users are processed by the later routers, you should add the + following router at the end: + +==> unknown: + driver = manualroute + transport = remote_smtp + route_list = * server.host.name + no_verify + + However, you should if possible try to verify that the user is known on + the central server before accepting the message in the first place. 
This + can be done by making use of Exim's ``call forward'' facility. + + +Q0404: How can I arrange for messages submitted by (for example) Majordomo to + be handled specially? + +A0404: You can use the \condition\ option on a router, with a setting such as + +==> condition = ${if and {{eq {$sender_host_address}{}} \ + {eq {$sender_ident}{majordom}}} {yes}{no}} + + This first tests for a locally-submitted message, by ensuring there is + no sending host address, and then it checks the identity of the user + that ran the submitting process. + + +Q0405: On a host that accepts mail for several domains, do I have to use fully + qualified addresses in \(/etc/aliases)\ or do I have to set up an alias + file for each domain? + +A0405: You can do it either way. The default aliasing router contains this line: + +==> data = ${lookup{$local_part}lsearch{/etc/aliases}} + + which is what does the actual lookup. To make it look up the complete + address instead of just the local part, use + +==> data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}} + + If you want to use a separate file for each domain, use + +==> data = ${lookup{$local_part}lsearch{/etc/aliases/$domain}} + + +Q0406: Some of my users are using the \(.forward)\ to pipe to a shell command which + appends to the user's INBOX. How can I forbid this? + +A0406: If you allow your users to run shells in pipes, you cannot control which + commands they run or which files they write to. However, you should point + out to them that writing to an INBOX by arbitrary commands is not + interlocked with the MTA and MUAs, and is liable to mess up the contents + of the file. + + If a user simply wants to choose a specific file for the delivery of + messages, this can be done by putting a file name in a \(.forward)\ file + rather than using a pipe, or by using the \"save"\ command in an Exim + filter file. + + You can set \forbid_pipe\ on the router, but that will prevent them from + running any pipe commands at all. 
Alternatively, you can restrict which + commands they may run in their pipes by setting the \allow_commands\ + and/or \restrict_to_path\ options in the \%address_pipe%\ transport. + + +Q0407: How can I arrange for a default value when using a query-style lookup + such as LDAP or NIS+ to handle aliases? + +A0407: Use a second query in the failure part of the original lookup, like + this: + +==> data = ${lookup ldap\ + {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=$local_part@$domain))}\ + {$value}\ + {\ + ${lookup ldap \ + {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=default@$domain))}}\ + }} + + Of course, if the default is a fixed value you can just include it + directly. + + +Q0408: If I don't fully qualify the addresses in a virtual domain's alias file + then mail to aliases which also match the local domain get delivered to + the local domain. + +A0408: Set the \qualify_preserve_domain\ option on the \%redirect%\ router. + + +Q0409: I want mail for any local part at certain virtual domains to go + to a single address for each domain. + +A0409: One way to to this is + +==> virtual: + driver = redirect + data = ${lookup{$domain}lsearch{/etc/virtual}} + + The \(/etc/virtual)\ file contains a list of domains and the addresses to + which their mail should be sent. For example: + +==> domain1: postmaster@some.where.else + domain2: joe@xyz.plc + + If the number of domains is large, using a DBM or cdb file would be more + efficient. If the lookup fails to find the domain in the file, the value + of the \data\ option is empty, causing the router to decline. + + +Q0410: How can I make Exim look in the alias NIS map instead of \(/etc/aliases)\? + +A0410: The default configuration does not use NIS (many hosts don't run it). 
+ You need to change this line in the \%system_aliases%\ router: + +==> data = ${lookup{$local_part}lsearch{/etc/aliases}} + + Change it to + +==> data = ${lookup{$local_part}nis{mail.aliases}} + + If you want to use \(/etc/aliases)\ as well as NIS, put this router (with + a different name) before or after the default one, depending on which + data source you want to take precedence. + + +Q0411: Why will Exim deliver a message locally to any username that is longer + than 8 characters as long as the first 8 characters match one of the + local usernames? + +A0411: The problem is in your operating system. Exim just calls the \^^getpwnam()^^\ + function to test a local part for being a local login name. It does not + presume to guess the maximum length of user name for the underlying + operating system. Many operating systems correctly reject names that are + longer than the maximum length; yours is apparently deficient in this + regard. To cope with such systems, Exim has an option called + \max_user_name_length\ which you can set to the maximum allowed length. + + +Q0412: Why am I seeing the error \*bad mode (100664) for /home/test/.forward*\? + I've looked through the documentation but can't see anything to suggest + that Exim has to do anything other than read the \(.forward)\ file. + +A0412: For security, Exim checks for mode bits that shouldn't be set, by + default 022. You can change this by setting the \modemask\ option of the + \%redirect%\ router that is handling \(.forward)\ files. + + +Q0413: When a user's \(.forward)\ file is syntactially invalid, Exim defers + delivery of all messages to that user, which sometimes include the + user's own test messages. Can it be told to ignore the \(.forward)\ file + and/or inform the user of the error? + +A0413: Setting \skip_syntax_errors\ on the redirect router causes syntax + errors to be skipped. 
When dealing with users' \(.forward)\ files it is best + to combine this with a setting of \syntax_errors_to\ in order to send + a message about the error to the user. However, to avoid an infinite + cascade of messages, you have to be able to send to an address that + bypasses \(.forward)\ file processing. This can be done by including a + router like this one + +==> real_localuser: + driver = accept + check_local_user + transport = local_delivery + prefix = real- + + before the \%redirect%\ router that handles \(.forward)\ files. This will + do an ordinary local delivery without \(.forward)\ processing, if the + local part is prefixed by \"real-"\. You can then set something like + the following options on the \%redirect%\ router: + +==> skip_syntax_errors + syntax_errors_to = real-$local_part@$domain + syntax_errors_text = "\ + This is an automatically generated message. An error has been \ + found\nin your .forward file. Details of the error are reported \ + below. While\nthis error persists, messages addressed to you will \ + get delivered into\nyour normal mailbox and you will receive a \ + copy of this message for\neach one." + + A final tidying setting to go with this is a rewriting rule that changes + \"real-username"\ into just \"username"\ in the headers of the message: + +==> \N^real-([^@]+)@your\.dom\.ain$\N $1@your.dom.ain h + + This means that users won't ever see the \"real-"\ prefix, unless they + look at the ::Envelope-To:: header. + + +Q0414: I have set \caseful_local_part\ on the routers that handle my local + domain because my users have upper case letters in their login names, + but incoming mail now has to use the correct case. Can I relax this + somehow? 
+ +A0414: If you really have to live with caseful user names but want incoming + local parts to be caseless, then you have to maintain a file, indexed by + the lower case forms, that gives the correct case for each login, like + this: + +==> admin: Admin + steven: Steven + mcdonald: McDonald + lamanch: LaManche + ... + + and at the start of the routers that handle your local domain, put one + like this: + +==> set_case_router: + driver = redirect + data = ${lookup{${lc:$local_part}}lsearch{/the/file}} + qualify_preserve_domain + + For efficiency, you should also set the \redirect_router\ option to cause + processing of the changed address to begin at the next router. If you + are otherwise using the default configuration, the setting would be + +==> redirect_router = system_aliases + + If there are lots of users, then a DBM or cdb file would be more + efficient than a linear search. If you are handling several domains, + you will have to extend this configuration to cope appropriately. + + +Q0415: Can I use my existing alias files and forward files as well as procmail + and effectively drop in Exim in place of Sendmail ? + +A0415: Yes, as long as your alias and forward files don't assume that pipes are + going to run under a shell. If they do, you either have to change them, + or configure Exim to use a shell (which it doesn't by default). + + +Q0416: What is quickest way to set up Exim so any message sent to a + non-existing user would bounce back with a different message, based + on the name of non-existing user? + +A0416: Place this router last, so that it catches any local addresses that + are not otherwise handled: + +==> non_exist: + driver = accept + transport = non_exist_reply + no_verify + + Then add the following transport to the transports section: + +==> non_exist_reply: + driver = autoreply + user = exim + to = $sender_address + subject = User does not exist + text = You sent mail to $local_part. That's not a valid user here. 
\ + The subject was: $subject. + + If you want to pick up a message from a file, you can use the \file\ + option (use \file_expand\ if you want its contents expanded). + + +Q0417: What do I need to do to make Exim handle \(/usr/ucb/vacation)\ processing + automatically, so that people could just create a \(.vacation.msg)\ file in + their home directory and not have to edit their \(.forward)\ file? + +A0417: Add a new router like this, immediately before the normal \%localuser%\ + router: + +==> vacation: + driver = accept + check_local_user + require_files = $home/.vacation.msg + transport = vacation_transport + unseen + + and a matching new transport like this: + +==> vacation_transport: + driver = pipe + command = /usr/ucb/vacation $local_part + + However, some versions of \(/usr/ucb/vacation)\ do not work properly unless + the DBM file(s) it uses are created in advance - it won't create them + itself. You also need a way of removing them when the vacation is over. + + Another possibility is to use a fixed filter file which is run whenever + \(.vacation.msg)\ exists, for example: + +==> vacation: + driver = redirect + check_local_user + require_files = $home/.vacation.msg + file = /some/central/filter + allow_filter + + The filter file should use the \"if personal"\ check before sending mail, + to avoid generating automatic responses to mailing lists. If sending a + message is all that it does, this doesn't count as a ``significant'' + delivery, so the original message goes on to be delivered as normal. + + Yet another possibility is to make use of Exim's \%autoreply%\ transport, + and not use \(/usr/ucb/vacation)\ at all. + + +Q0418: I want to use a default entry in my alias file to handle unknown local + parts, but it picks up the local parts that the aliases generate. For + example, if the alias file is + +==> luke.skywalker: luke + ls: luke + *: postmaster + + then messages addressed to \/luke.skywalker/\ end up at \/postmaster/\. 
+ +A0418: The default mechanism works best with virtual domains, where the + generated address is not in the same domain. If you just want to pick up + all unknown local parts and send them to postmaster, an easier way to do + it is to put this as your last router: + +==> unknown: + driver = redirect + data = postmaster + no_verify + + Another possibility is to put the redirect router for these aliases + after all the other routers, so that local parts which are user names + get picked off first. You will need to have two aliasing routers if + there are some local parts (e.g. \/root/\) which are login names, but which + you want to handle as aliases. + + +Q0419: I have some obsolete domains which people have been warned not to use + any more. How can I arrange to delete any mail that is sent to them? + +A0419: To reject them at SMTP time, with a customized error message, place + statments like this in the ACL: + +==> deny message = The domain $domain is obsolete + domains = lsearch;/etc/exim/obsolete.domains + + For messages that don't arrive over SMTP, you can use a router like + this to bounce them: + +==> obsolete: + driver = redirect + domains = lsearch;/etc/exim/obsolete.domains + allow_fail + data = :fail: the domain $domain is obsolete + + If you just want to throw away mail to those domains, accept them at + SMTP time, and use a router like this: + +==> obsolete: + domains = lsearch;/etc/exim/obsolete.domains + data = :blackhole: + + +Q0420: How can I arrange that mail addressed to \(anything@something.mydomain.com)\ + gets delivered to \(something@mydomain.com)\? + +A0420: Set up a router like this: + +==> user_from_domain: + driver = redirect + data = ${if match{$domain}{\N^(.+)\.mydomain\.com$\N}\ + {$1@mydomain.com}} + + +Q0421: I can't get a regular expression to work in a \local_parts\ option on + one of my routers. + +A0421: Have you remembered to protect any backslash and dollar characters in + your regex from unwanted expansion? 
The easiest way is to use the + \"@\N"\ facility, like this: + +==> local_parts = \N^0740\d{6}\N + + +Q0422: How can I arrange for all addresses in a group of domains \(*.example.com)\ + to share the same alias file? I have a number of such groups. + +A0422: For a single group you could just hard wire the file name into a router + that had + +==> domains = *.example.com + + set, to restrict it to the relevant domains. For a number of such groups + you can create a file containing the domains, like this: + +==> *.example1.com example1.com + *.example2.com example2.com + ... + + Then create a router like this + +==> domain_aliases: + driver = redirect + domains = partial-lsearch;/that/file + data = ${lookup{$local_part}lsearch*{/etc/aliases.d/$domain_data}} + + The variable \$domain_data$\ contains the data that was looked up when the + \domains\ option was matched, i.e. \"example1.com"\, \"example2.com"\, etc. + in this case. + + +Q0423: Some of our users have no home directories; the field in the password + file contains \(/no/home/dir)\. This causes the error \*failed to stat + /no/home/dir (No such file or directory)*\ when Exim tries to look for a + \(.forward file)\, and the delivery is deferred. + +A0423: There are two issues involved here: + + (1) With the default configuration, you are asking Exim to check for a + \(.forward)\ file in the user's home directory. If no file is found, + Exim tries to \^^stat()^^\ the home directory. This is so that it will + notice a missing NFS home directory, and not treat it as if the + \(.forward)\ file did not exist. This \^^stat()^^\ is failing when the + home directory really doesn't exist. 
You should arrange for the + \%userforward%\ router not to run for these special users, by adding + this line: + +==> condition = ${if eq {$home}{/no/home/dir}{no}{yes}} + + (2) If you use \check_local_user\ on another router to route to a local + transport (again, this is what is in the default configuration), you + will also have to specify a current directory for the transport, because + by default it makes the home directory current. This is easily done by + adding + +==> current_directory = / + + to the transport or + +==> transport_current_directory = / + + to the router. Or you can add \home_directory\ to the transport, because + the current directory defaults to the home directory. + + +Q0424: How can I disable Exim's de-duplication features? I want it to do two + deliveries if two different aliases expand to the same address. + +A0424: This is not possible. Duplication has other ramifications other than + just (in)convenience. Consider: + + . Message is addressed to A and to B. + + . Both A and B are aliased to C. + + . Without de-duplication, two deliveries to C are scheduled. + + . One delivery happens, Exim records that it has delivered the message + to C. + + . The next delivery fails (C's mailbox is over quota, say). + + Next time round, Exim wants to know if it has already delivered to C or + not, before scheduling a new delivery. Has it? Obviously, if duplicate + deliveries are supported, it has to remember not only that it has + delivered to C but also the ``history'' of how that delivery happened - in + effect an ancestry list back to the original envelope address. This it + does not do, and changing it to work in that way would be a lot of work + and a big upheaval. + + The best way to get duplicate deliveries if you want them is not to use + aliases, but to route the addresses directly to a transport, e.g. 
+ +==> duplicates: + driver = accept + local_parts = lsearch;/etc/list/of/special/local/parts + transport = local_delivery + user = exim + + +Q0425: My users' mailboxes are distributed between several servers according to + the first letter of the user name. All the servers receive incoming mail + at random. I would like to have the same configuration file for all the + servers, which does local delivery for the mailboxes it holds, and sends + other addresses to the correct other server. Is this possible? + +A0425: It is easiest if you arrange for all the users to have password entries + on all the servers. This means that non-existent users can be detected + at the first server they reach. Set up a file containing a mapping from + the first letter of the user names to the servers where their mailboxes + are held. For example: + +==> a: server1 + b: server1 + c: server2 + ... + + Before the normal \%localuser%\ router, place the following router: + +==> mailbox_host: + driver = manualroute + check_local_user + transport = remote_smtp + route_list = * ${lookup{${substr_0_1:$local_part}}lsearch{/etc/mapfile}} + self = pass + + This router checks for a local account, then looks up the host from the + first character of the local part. If the host is not the local host, + the address is routed to the \%remote_smtp%\ transport, and sent to the + correct host. If the host is the local host, the \self\ option causes + the router to pass the address to the next router, which does a local + delivery. + + The router is skipped for local parts that are not the names of local + users, and so these addresses fail. + + +Q0426: One of the things I want to set up is for \(anything@onedomain)\ to forward + to \(anything@anotherdomain)\. I tried adding \($local_part@anotherdomain)\ to + my aliases but it did not expand - it sent it to that literal address. 
+ +A0426: If you want to do it that way, you can use the \"expand"\ operator on + the lookup used in the data option of the redirect router. For example: + +==> data = ${expand:${lookup{$local_part}lsearch*{/etc/aliases}}} + + Another approach is to use a router like this: + +==> forwarddomain: + driver = redirect + domains = onedomain + data = $local_part@anotherdomain + + The value of \data\ can, of course, be more complicated, involving + lookups etc. if you have lots of different cases. + + +Q0427: How can I have an address looked up in two different alias files, and + delivered to all the addresses that are found? + +A0427: Use a router like this: + +==> multi_aliases: + driver = redirect + data = ${lookup{$local_part}lsearch{/etc/aliases1}\ + {$value${lookup{$local_part}lsearch{/etc/aliases2}{,$value}}}\ + {${lookup{$local_part}lsearch{/etc/aliases2}{$value}fail}}}\ + + If the first lookup succeeds, the result is its data, followed by the + data from the second lookup, if any, separated by a comma. If the first + lookup fails, the result is the data from the third lookup (which also + looks in the second file), but if this also fails, the entire expansion + is forced to fail, thereby causing the router to decline. + + Another approach is to use two routers, with the first re-generating the + original local part when it succeeds. This won't get processed by the + same router again. For example: + +==> multi_aliases1: + driver = redirect + data = ${lookup{$local_part}lsearch{/etc/aliases1}{$value,$local_part}} + +==> multi_aliases2: + data = ${lookup{$local_part}lsearch{/etc/aliases2}} + + This scales more easily to three or more alias files. + + +Q0428: I've converted from Sendmail, and I notice that Exim doesn't make use + of the \"owner-"\ entries in my alias file to change the sender address in + outgoing messages to a mailing list. + +A0428: If you have an alias file with entries like this: + +==> somelist: a@b, c@d, ... 
+ owner-somelist: postmaster + + Sendmail assumes that the second entry specifies a new sender address + for the first. Exim does not make this assumption. However, you can make + it take the same action, by adding + +==> errors_to = owner-$local_part@whatever.domain + + to the configuration for your aliasing router. This is fail-safe, + because Exim verifies a new sender address before using it. Thus, the + change of sender address occurs only when the owner entry exists. + + +Q0429: I would like to deliver mail addressed to a given domain to local + mailboxes, but also to generate messages to the envelope senders. + +A0429: You can do this with an ``unseen'' router and an \%autoreply%\ transport, + along the following lines: + +==> # Router + auto_warning_r: + driver = accept + check_local_user + domains = + condition = ${if eq{$sender_address}{}{no}{yes}} + transport = warning_t + no_verify + unseen + + Place this router immediately before the normal \%localuser%\ router. The + \unseen\ option means that the address is still passed on to the next + router. The transport is configured like this: + +==> # Transport + warning_t: + driver = autoreply + file = /usr/local/mail/warning.txt + file_expand + from = postmaster@your.domain + to = $sender_address + user = exim + subject = Re: Your mail to $local_part@$domain + + Note the use of the \condition\ option to avoid attempting to send a + message when there is no sender (that is, when the incoming message is a + bounce message). You can of course extend this to include other + conditions. If you want to log the sending of messages, you can add + +==> log = /some/file + + to the transport and also make use of the \once\ option if you want to + send only one message to each sender. 
+ + +Q0430: Whenever Exim tries to route a local address, it gives a permission + denied error for the \(.forward)\ file, like this: + +==> 1998-08-10 16:55:32 0z5y2W-0000B8-00 == xxxx@yyy.zzz + D=userforward defer (-1): failed to open /home/xxxx/.forward + (userforward router): Permission denied (euid=1234 egid=101) + +A0430: Have you remembered to make Exim setuid \/root/\? + + +Q0431: How do I configure Exim to allow arbitrary extensions in local parts, of + the form \/+extension/\? + +A0431: Add this pre-condition to the relevant router: + +==> local_part_suffix = +* + + If you want the extensions to be optional, also add the option + +==> local_part_suffix_optional + + When the router runs, \$local_part$\ contains the local part with the + extension removed, and the extension (if any) is in \$local_part_suffix$\. + If you have set \check_local_user\, the test is carried out after the + extension is removed. + + +Q0432: I use NIS for my user data. How can I stop Exim rejecting mail when my + NIS servers are being restarted? + +A0432: Exim doesn't know that you are using NIS; it just calls the \^^getpwnam()^^\ + function, which is routed by nsswitch. Unfortunately, \^^getpwnam()^^\ + was never designed to be routed through NIS, and it returns NULL if the + entry is not found or if the connection to the NIS server fails. This + means that Exim cannot tell the difference between ``no such user'' and + ``NIS is down''. + + Crutches to help with this problem are \finduser_retries\ in Exim, and + \^nscd^\ on the Unix side, but they are not perfect, and mail can still + be lost. However, Nico Erfurth pointed out that you can create a router + for Exim that tests for the availability of NIS, and force a defer if + NIS is not running: + +==> check_nis: + driver = redirect + data = ${lookup {$local_part} nis {passwd}{}} + + This should be placed before any router that makes any use of NIS, + typically at the start of your local routers. How does it work? 
If + your NIS server is reachable, the lookup will take place, and whether it + succeeds or fails, the result is an empty strting. This causes the + router to decline, and the address is passed to the following routers. + If your NIS server is down, the lookup defers, and this causes the + router to defer. A verification of an incoming address gets a temporary + rejection, and a delivery is deferred till later. + + +Q0433: How can I arrange for a single address to be processed by \*both*\ + \%redirect%\ \*and*\ \%accept%\? + +A0433: Check out the \unseen\ option. + + +Q0434: How can I redirect all local parts that are not in my system aliases to + a single address? I tried using an asterisk in the system alias file + with an \"lsearch*"\ lookup, but that send \*all*\ messages to the + default address. + +A0434: If your alias file generates addresses in the local domain, they are + also processed as a potential aliases. For example, suppose this is your + alias file: + +==> caesar: jc + anthony: ma + *: brutus + + The local part \/caesar/\ is aliased to \/jc/\, but that address is then + reprocessed by the routers. As the address is in the local domain, the + alias file is again consulted, and this time the default matches. In + fact after the second aliasing, \/brutus/\ is also processed again from + the start, and is aliased to itself. However, this happens only once, + because the next time, Exim notices that the aliasing router has already + processed \/brutus/\, so the router is skipped in order to avoid + looping. + + There are several ways of solving this problem; which one you use + depends on your aliasing data. + + (1) If the result of aliasing is always a local user name, that is, + aliasing never generates another alias, you can use the + \redirect_router\ option on the router to specify that processing + the generated addresses must start at the next router. 
For example: + +==> redirect_router = userforward + + assuming that the next router is called \%userforward%\. This + ensures that there is at most one pass through the aliasing router. + + (2) If you cannot rely on aliases generating non-aliases, it is often + easier not to use a default alias, but instead to place a router + such as the one below after all the other local routers (for the + relevant domains): + +==> catch_unknown: + driver = redirect + domains = ... + data = brutus@$domain + + Note that the default aliasing technique works more successfully for + virtual domains (see Q0401) because the generated address for the + default is not usually in the same virtual domain as the incoming + address. + + +Q0435: My alias file contains fully qualified addresses as keys, and some + wildcard domains in the form @foo.bar. Can Exim handle these? + +A0435: You can handle fully qualified addresses with this router: + +==> qualified_aliases: + driver = redirect + data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}} + + (Add any other options you need for the \%redirect%\ router.) Place this + router either before or after the default aliases router that looks up + the local part only. (Or, if you have no unqualified aliases, replace + the default router.) + + To handle wildcards in the form @foo.bar you will need yet another + router. (Wildcards of the form *@foo.bar can be handled by an lsearch*@ + lookup.) Something like this: + +==> wildcard_aliases: + driver = redirect + data = ${lookup{@$domain}lsearch{/etc/aliases}} + + Place this after the routers that handle the more specific aliases. + + + +5. FILTERING + +Q0501: My filter isn't working. How can I test it? + +A0501: Use the \-bf-\ option (\-bF-\ for a system filter) to test the basic operation + of your filter. You can request debugging information for filtering only + by adding \"-d-all+filter"\ to the command. 
+ + +Q0502: What I really need is the ability to obtain the result of a pipe + command so that I can filter externally and redirect internally. Is + this possible? + +A0502: The result of a pipe command is not available to a filter, because Exim + does not run any actual deliveries while filtering. It just sets up + deliveries at this time. They all actually happen later. If you want to + run pipes and examine their results, you need to set up a single + delivery to a delivery agent such as \^procmail^\ which provides this kind + of facility. + + An possible alternative is to use the \"${run"\ expansion item to run an + external command while filtering. In this case, you can make use of some + of the results of the command. + + +Q0503: I received a message with a ::Subject:: line that contained a non-printing + character (a carriage return). This messed up my filter file. Is there a + way to get round it? + +A0503: Instead of \"$h_subject:"\ use \"${escape:$h_subject:}"\ + + +Q0504: I want to search for \"$"\ in the subject line, but I can't seem to get + the syntax. + +A0504: Try one of these: + +==> if $h_subject: contains \$ then ... + if $h_subject: contains "\\$" then ... + + +Q0505: My problem is that Exim replaces \$local_part$\ with an empty string in the + system filtering. What's wrong or what did I miss? + +A0505: A message may have many recipients. The system filter is run just once + at the start of a delivery attempt. Consequently, it does not make sense + to set \$local_part$\. Which recipient should it be set to? However, you + can access all the recipients from a system filter via the variable + called \$recipients$\. + + +Q0506: Using \$recipients$\ in a system filter gives me another problem: how can + I do a string lookup if \$recipients$\ is a list of addresses? + +A0506: Check out the section of the filter specification called \*Testing a list of + addresses*\. 
If that doesn't help, you may have to resort to calling an + embedded Perl interpreter - but that is expensive. + + +Q0507: What are the main differences between using an Exim filter and using + \^procmail^\? + +A0507: Exim filters and \^procmail^\ provide different facilities. Exim filters run + at routing time, before any deliveries are done. A filter is like a + ``\(.forward)\ file with conditions''. One of the benefits is de-duplication. + Another is that if you forward, you are forwarding the original message. + + However, this does mean that pipes etc. are not run at filtering time, + nor can you change the headers, because the message may have other + recipients and Exim keeps only a single set of headers. + + \^procmail^\ runs at delivery time. This is for one recipient only, and so + it can change headers, run pipes and check the results, etc. However, if + it wants to forward, it has to create a new message containing a copy + of the original message. + + It's your choice as to which of these you use. You can of course use + both. + + +Q0508: How can I allow the use of relative paths in users' filter files when + the directories concerned are not available from the password data? + +A0508: You need to be running Exim 4.11 or later. You can then specify a value + for \$home$\ by setting the router_home_directory option on the + \%redirect%\ router. + + For earlier releases, there is no way to specify the value of \$home$\ + for a \%redirect%\ router; it either comes from the password data as a + result of \check_local_user\, or is unset. + + +Q0509: How can I set up a filter file to detect and block virus attachments? + +A0509: Exim's filter facilities aren't powerful enough to do much more than + very crude testing. Most people that want virus checking are nowadays + using one of the separate scanning programs such as \^exiscan^\ (see + \?http://duncanthrax.net/exiscan/?\). 
There is some further information + about scanning with Exim via \?http://www.timj.co.uk/linux/exim.php?\. + + +Q0510: Is it possible to write code for scanning messages in Python? + +A0510: \^elspy^\ is a layer of glue code that enables you to write Python code + to scan email messages at SMTP time. \^elspy^\ also includes a small + Python library with common mail-scanning tools, including an interface + to SpamAssassin and a simple but effective virus detector. You can + optain \^elspy^\ from \?http://elspy.sourceforge.net/?\. + + +Q0511: Whenever my system filter uses a \mail\ command to send a message, I get + the error \*User 0 set for address_reply transport is on the never_users + list*\. What does this mean? + +A0511: The system filter runs as \/root/\ in Exim 4, unless you set + \system_filter_user\ to specify otherwise. When you set up a delivery + direct from a system filter (an autoreply is a special kind of + ``delivery'') the transport runs as the same user, unless it has a + \user\ setting of its own. Normally, deliveries are not allowed to run + as \/root/\ as a security precaution; this is implemented by the + \never_users\ option. + + The easiest solution is to add this to your configuration: + +==> system_filter_user = exim + + The system filter then runs as \/exim/\ instead of \/root/\. + Alternatively, you can arrange for autoreplies from the system filter to + use a special transport of their own, and set the \user\ option on that + transport. + + +Q0512: I'm trying to reference the ::Envelope-To:: header in my filter, but + \$h_envelope-to:$\ is always empty. + +A0512: ::Envelope-To:: is added at delivery time, by the transport. Therefore, + the header doesn't exist at filter time. In a user filter, the values + you probably want are in \$original_local_part$\ and + \$original_domain$\. In a system filter, the complete list of all + envelope recipients is in \$recipients$\. 
+ + +Q0513: I want my system filter to freeze all mails greater than 500K in size, + but to exclude those to a specific domain. However, I don't seem to be + able to use \$domain$\ in a system filter. + +A0513: You cannot do this in a system filter, because a single message may have + multiple recipients, some in the special domain, and some not. That is + also the reason why \$domain$\ is not set in a system filter. + + If you want to take actions on a per-recipient basis, you have to do it + in a router. However, freezing is not appropriate, because freezing + stops all deliveries. You could, however, delay delivery to all but the + special domains by using something like this: + +==> delay_if_too_big: + driver = redirect + domains = !the.special.domain + condition = ${if >{$message_size}{500K}{yes}{no}} + allow_defer + data = :defer: message too big. + + However, there isn't an easy way of ``releasing'' such messages at + present. + + +Q0514: When I try to send to two addresses I get an error in the filter + file \*malformed address: , e@fgh.com may not follow a@bcd.com*\. What + is going on? + +A0514: Have you got + +==> deliver "a@bcd.com, e@fgh.com" + + in your filter? If so, that is your problem. You should have + +==> deliver a@bcd.com + deliver e@fgh.com + + Each \deliver\ command expects just one address. + + + +6. DELIVERY + +Q0601: What does the error \*Neither the xxx router nor the yyy transport set + a uid for local delivery of...*\ mean? + +A0601: Whenever Exim does a local delivery, it runs a process under a specific + user and group id (uid and gid). For deliveries into mailboxes, and to + pipes and files set up by forwarding, it normally picks up the uid/gid + of the receiving user. However, if an address is directed to a pipe or a + file by some other means, such an entry in the system alias file of the + form + +==> majordomo: |/local/mail/majordomo ... + + then Exim has to be told what uid/gid to use for the delivery. 
This can + be done either on the routerr that handles the address, or on the + transport that actually does the delivery. If a pipe is going to run a + setuid program, then it doesn't matter what uid Exim starts it out with, + and so the most straightforward thing is to put + +==> user = exim + + on either the router or the transport. A setting on the transport + overrides a setting on the router, so if the same transport is being + used with several routers, you should set the user on it only if you + want the same uid to be used in all cases. + + In the default configuration, the transports used for file and pipe + deliveries are the ones called \address_file\ and \address_pipe\. You + can specify different transports by setting, for example, + +==> pipe_transport = special_pipe_transport + + on the \%system_aliases%\ router. Then you can set up \%special_pipe_transport%\ + +==> special_pipe_transport: + driver = pipe + user = ???? + + which will be used only for pipe deliveries from that one router. + What you put for the ???? is up to you, and depends on the particular + circumstances. + + +Q0602: Exim keeps crashing with segmentation errors (signal 11 or 139) during + delivery. This seems to happen when it is about to contact a remote + host or when a delivery is deferred. + +A0602: This could be a problem with Exim's databases. Try running a delivery + with debugging turned on. If the last line of the debug output is + something like this: + +==> locked /var/spool/exim/db/retry.lockfile + + the crash is happening inside the DBM library. Check that your DBM + library is correctly installed. In particular, if you have installed a + second DBM library onto a system that already had one, check that its + version of \(ndbm.h)\ is being seen first. For example, if the new + version is in \(/usr/local/include)\, check that there isn't another + version in \(/usr/include)\. 
If you are using Berkeley db, you can set + +==> USE_DB=yes + + in your \(Local/Makefile)\ to avoid using \(ndbm.h)\ altogether. This is + particularly relevant for version 2 (or later) of Berkeley db, because + no \(ndbm.h)\ file is distributed with it. Another thing you can try is + to run + +==> exim_dumpdb /var/spool/exim retry + + to see if it also crashes, or build the \^test_dbfn^\ tool and fiddle + around with it. If both fail, it is most almost certainly a problem with + your DBM library. You could try to update it, or force Exim to use + another library. See the file \(doc/dbm.discuss.txt)\ for hints about + this. + + +Q0603: How can mails that are being routed through routers that do not set + \check_local_user\ be delivered under the uid of the recipient? + +A0603: Q0601 contains background information on this. If you are using, say, an + alias file to direct messages to specific mailboxes, you can use + the \user\ option on either the router or the transport to set the uid. + What you put in the setting depends on how the required uid is to be + found. It could be looked up in a file or computed somehow from the + local part, for example. + + +Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the + ctrl-A characters that separate indvidual emails? + +A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact, + for MMDF mailboxes you need a prefix as well as a suffix to get it + working right, so your transport should contain these settings: + +==> message_prefix = "\1\1\1\1\n" + message_suffix = "\1\1\1\1\n" + + Also, you need to change the \check_string\ and \escape_string\ settings so + that the escaping happens for lines in the message that happen to begin + with the MMDF prefix or suffix string, rather than ``From'' (the default): + +==> check_string = "\1\1\1\1\n" + escape_string = "\1\1\1\1 \n" + + Adding a space to the line is sufficient to prevent it being taken as a + separator. 
+ + +Q0605: If a user's mailbox is over quota, is there a way for me to set it up so + that the mail bounces to the sender and is not stored in the mail queue? + +A0605: In the retry section of the configuration, put + +==> *@your.dom.ain quota + + That is, provide no retry timings for over quota errors. They will then + bounce immediately. Alternatively, you can set up retries for a short + time only, or use something like this: + +==> *@your.dom.ain quota_7d + *@your.dom.ain quota F,2h,15m; F,3d,1h + + which bounces immediately if the user's mailbox hasn't been read for 7 + days, but otherwise tries for up to 3 days after the first quota + failure. + + +Q0606: I'm using tmail to do local deliveries, but when I turned on the + \use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\ + terminations) message bodies started to vanish. + +A0606: You need to unset the \mesage_prefix\ option, or change it so that its + default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the + transport could be: + +==> local_delivery_mbx: + driver = pipe + command = /usr/local/bin/tmail $local_part + user = exim + current_directory = / + use_crlf + message_prefix = + + The reason for this is as follows: tmail uses the line terminator on + the first line it sees to determine whether lines are terminated by + \"@\r@\n"\ or \"@\n"\. If the latter, it moans to stderr and changes subsequent + \"@\n"\ terminators to \"@\r@\n"\. The default setting of the \message_prefix\ + option is \"From ...@\n"\, and this is unaffected by the \use_crlf\ option. + If you don't change this, tmail sees the first line terminated by + \"@\n"\ and prepends \"@\r"\ to the \"@\n"\ terminator on all subsequent + lines. However, if \use_crlf\ is set, Exim makes all other lines + \"@\r@\n"\ terminated, leading to doubled \"@\r@\r@\n"\ lines and + corrupt mbx mailboxes. 
+ + +Q0607: When I activate ``return receipt'' for example in Netscape Mailbox + sending options, then I get an error message from Exim... something + like \*not supported*\. Can I activate delivery confirmations? + +A0607: Exim does not support any kind of delivery notification. + + (1) You can configure it to recognize headers such as + \Return-receipt-to:\ if you wish. + + (2) Some people want MSN (message status notification). Such services + are implemented in MUAs, and don't impact on the MTA at all. + + (3) I investigated the RFCs which describe the DSN (delivery status + notification) system. However, I was unable to specify any sensible way + of actually doing anything with the data. There were comments on the + mailing list at the time; many people, including me, conclude that DSN + is in practice unworkable. The killer problem is with forwarding and + aliasing. Do you propagate the DSN data with the generated addresses? + Do you send back a ``reached end of the DSN world'' or ``expanded'' message? + Do you do this differently for different kinds of aliasing/forwarding? + For a user who has a \(.forward)\ file with a single address in, this + might seem easy - just propagate the data. But what if there are several + forwardings? If you propagate the DSN data, the sender may get back + several DSN messages - and should the sender really know about the + detail of the receiver's forwarding arrangements? There isn't really + any way to distinguish between a \(.forward)\ file that is forwarding + and one that is a mini mailing list. And so on, and so on. There are so + many questions that don't have obvious answers. + + +Q0608: What does the message \*retry time not reached [for any host]*\ on the log + mean? Why won't Exim try to deliver the message? + +A0608: That is not an error. It means exactly what it says. A previous attempt + to deliver to that address failed with a temporary error, and Exim + computed the earliest time at which to try again. 
This can apply to + local as well as to remote deliveries. For remote deliveries, each host + (if there are several) has its own retry time. + + If you are running on a dial-up host, the rest of this answer probably + does not apply to you. Go and read Q1404 instead. If your host is + permanently online, read on... + + Some MTAs have a retrying schedule for each message. Exim does not work + like this. Retry timing is normally host-based for remote deliveries and + address-based for local deliveries. (There are some exceptions for certain + kinds of remote failure - see \*Errors in outgoing SMTP*\ in the manual.) + + If a new message arrives for a failing address and the retry time has + not yet arrived, Exim will log \*retry time not reached*\ and leave the + message on the queue, without attempting delivery. Similarly, if a queue + runner notices the message before the time to retry has arrived, it + writes the same log entry. When the retry time has past, Exim attempts + delivery at the next queue run. If you want to know when that will be, + run the exinext utility on the address, for example: + +==> exinext user@some.domain + + You can suppress these messages on the log by including \"-retry_defer"\ + in the setting of \log_selector\. You can force a delivery attempt on a + specific message (overriding the retry time) by means of the -M option: + +==> exim -M 10hCET-0000Bf-00 + + If you want to do this for the entire queue, use the \-qf-\ option. + + +Q0609: Exim seems to be sending the same message twice, according to the log, + although there is a difference in capitalization of the local part of + the address. + +A0609: That is correct. The RFCs are explicit in stating that capitalization + matters for local parts. For remote domains, Exim is not entitled to + assume case independence of local parts. I know, it is utterly silly, + and it causes a lot of grief, but that's what the rules say. Here is a + quote from RFC 2821: + + ... 
a command verb, an argument value other than a mailbox local-part, + and free form text MAY be encoded in upper case, lower case, or any + mixture of upper and lower case with no impact on its meaning. This + is NOT true of a mailbox local-part. The local-part of a mailbox + MUST BE treated as case sensitive. Therefore, SMTP implementations + MUST take care to preserve the case of mailbox local-parts. Mailbox + domains are not case sensitive. In particular, for some hosts the + user "smith" is different from the user "Smith". However, exploiting + the case sensitivity of mailbox local-parts impedes interoperability + and is discouraged. + + +Q0610: How can I force the next retry time for a host to be now? + +A0610: You can change the retry time with the \^exim_fixdb^\ utility, but its + interface is very clumsy. If you have a message for the host on the + queue, the simplest thing to do is to force a delivery with the \-M-\ + command line option. If delivery succeeds, the retry data will get + cleared. If the host is past the cutoff time, so that messages are + bouncing immediately without trying a delivery, you can use \-odq-\ to + put a message on the queue without a delivery attempt, and then use + \-M-\ on it. + + +Q0611: I set up \"|/bin/grep Subject|/usr/bin/smbclient -M "\ as an + alias but it doesn't work. + +A0611: That is a shell command line. Exim does not run pipe commands under a + shell by default (for added security - and it saves a process). You + need something like + +==> "|/bin/sh -c '/bin/grep Subject|/usr/bin/smbclient -M '" + + +Q0612: Why does the \%pipe%\ transport add a line starting with \">From"\ to + messages? + +A0612: Actually, it adds a line starting with \"From"\ followed by a space. + This is commonly referred to as the \"From_"\ line, to emphasize the + fact that \"From"\ is followed by a space and not a colon. This is a + pseudo-header line that contains the envelope sender address and the + time of delivery. 
It originated as a separator line in Berkeley format + mailboxes, but is also used in other contexts. (And yes, it is often + confused with the ::From:: header line, and this causes a lot of grief. + The use of \"From_"\ was one of the really bad email design decisions.) + + Exim's \%pipe%\ transport adds this pseudo-header line by default + because \(/usr/ucb/vacation)\ needs it, and that is one of the the most + common uses of piping. The \^procmail^\ local delivery agent also makes + use of the \"From_"\ line. If you do not want it, change the setting of + \message_prefix\ on the \%pipe%\ transport. For example, to remove the + line altogether, use + +==> message_prefix = + + If you are not piping to \(/usr/ucb/vacation)\ or \^procmail^\, it is + likely that you do not need a \"From_"\ line, and indeed it may cause + problems if it is present. + + One user reported that this line gave trouble when a pipe was used to + send messages to Courier's \^deliverquota^\ program. The line was + retained with the message, and caused problems for MS Exchange 2000 when + retrieving messages with its built-in POP collector. Specifically, it + caused Exchange to not be able to recognise message attachments. + + +Q0613: I have set \fallback_hosts\ on my \%smtp%\ transport, but after the error + \*sem@chat.ru cannot be resolved at this time*\ Exim isn't using them. + +A0613: \fallback_hosts\ works only if an attempt at delivery to the original + host(s) fails. In this case, Exim couldn't even resolve the domain + \(chat.ru)\ to discover what the original hosts were, so it never got as far + as the transport. However, see Q0315 for a possible solution. + + +Q0614: After the holidays my ISP has always hundreds of e-mails waiting for me. + These are forced down Exim's throat in one go. Exim spawns a lot of + kids, but is there some limit to the number of processes it creates? 
+ +A0614: Unless you have changed \smtp_accept_queue_per_connection\ it should + spawn only that many processes per connection (default 10). Your ISP + may be making many connections, of course. That is limited by + \smtp_accept_max\. + + +Q0615: When a message in the queue got to 12h old, Exim wrote \*retry timeout + exceeded*\ and removed all messages in the queue to this host - even + recent messages. How I can avoid this behaviour? I only want to remove + messages that have exceeded the maximum retry time. + +A0615: Exim's retrying is host-based rather than message-based. The philosophy + is that if a host has been down for a very long time, there is no point + in keeping messages hanging around. However, you might like to check + out \delay_after_cutoff\ in the \%smtp%\ transport. It doesn't do what you + want, but it might help. + + +Q0616: Can Exim add a ::Content-Length:: header to messages it delivers? + +A0616: You could include something like + +==> headers_remove = "content-length" + headers_add = "Content-Length: $message_body_size" + + to the \%appendfile%\ transport. However, the use of ::Content-Length:: can + cause several problems, and is not recommended unless you really know + what you are doing. There is a discussion of the problems in + \?http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/content-length.html?\. + + +Q0617: Exim seems to be trying to deliver a message every 10 minutes, though + the retry rules specify longer times after a while, because it is + writing a log entry every time, like this: + +==> 1999-08-26 14:51:19 11IVsE-000MuP-00 == example@example.com T=smtp defer + (-34): some host address lookups failed and retry time not reached for + other hosts or connection limit reached + +A0617: It is looking at the message every 10 minutes, but it isn't actually + trying to deliver. It's looking up \(example.com)\ in the DNS and finding + this information: + +==> example.com. MX 10 example-com.isp.example.com. + example.com. 
MX 0 mail.example.com. + mail.example.com. A 202.77.183.45 + A lookup for example-com.isp.example.com. yielded NXDOMAIN + + The last line means that there is no address (A) record in the DNS for + \(example-com.isp.example.com)\. That accounts for \*some host address + lookups failed*\, but the retry time for \(mail.example.com)\ hasn't been + reached, which accounts for \*retry time not reached for other hosts*\. + + +Q0618: I am trying to set exim up to have a automatic failover if it sees that + the system that it is sending all mail to is down. + +A0618: Add to the \%remote_smtp%\ transport the following: + +==> fallback_hosts = failover.server.name(s) + + If there are several names, they must be separated by colons. + + +Q0619: I can't get Exim to deliver over NFS. I get the error \*fcntl() failed: + No locks available*\, though the lock daemon is running on the NFS server + and other hosts are able to access it. + +A0619: Check that you have \(lockd)\ running on the NFS client. This is not + always running by default on some systems (Red Hat is believed to be one + such system). + + +Q0620: Why does Exim bounce messages without even attempting delivery, giving + the error \*retry time not reached for any host after a long failure + period*\? + +A0620: This message means that all hosts to which the message could be sent + have been failing for so long that the end of the retry period + (typically 4 or 5 days) has been reached. In this situation, Exim still + computes a next time to retry, but any messages that arrive in the + meantime are bounced straight away. You can alter this behaviour by + unsetting the \delay_after_cutoff\ option on the smtp transport. Then Exim + will try most messages for those hosts once before giving up. + + +Q0621: My \(.forward)\ file is \"|/usr/bin/procmail -f-"\ and mail gets delivered, + but there was a bounce to the sender, sending him the output of procmail. + How can I prevent this? 
+ +A0621: Exim's default configuration is set up like this: + +==> address_pipe: + driver = pipe + return_output + + The \return_output\ option requests that any output that the pipe + produces be returned to the sender. That is the safest default. If you + don't want this, you can either remove the option altogether, or change + it to \return_fail_output\, to return output only if the command fails. + Note that this will affect all pipes that users run, not just your + procmail one. It might be better to arrange for procmail not to produce + any output when it succeeds. + + +Q0622: Can I write an ordinary file when I run a perl script as a transport + filter for the \%remote_smtp%\ and \%address_pipe%\ transports? + +A0622: Yes, provided the file is writeable by the uid under which the transport + runs (the Exim user in the case of the remote transport). However, if two + messages are being delivered at once, their data will get mixed up in + the file unless you implement your own locking scheme. If all you want + to do is to take a copy of the message, another approach that avoids + the locking problem is to use a system filter to set up an ``unseen'' + delivery to a file. If you only want the message's headers, you can + set \message_filter_file_transport\ to point to a special \%appendfile%\ + transport that has \headers_only\ set. + + +Q0623: My \(/var/spool/mail)\ has grown drastically. Is there any possibility of + using two directories? + +A0623: You can use an expansion string to split mailboxes between two + directories. For example, + +==> file = /var/spool/mail${nhash_2:$local_part}/$local_part + + which does a hash on the local part, producing either 0 or 1, thereby + using \(mail0) or \(mail1)\. But remember, the MUAs that read these mailboxes + also have to know where they are. + + +Q0624: Sendmail has a program called \^smrsh^\ that restricts what binaries + can be run from sendmail aliases. Is there something like this in Exim ? 
+ +A0624: Check out the \allow_commands\ option in the \%pipe%\ transport. + + +Q0625: I wish to have large emails go out one at a time. + +A0625: One possibility is to set up a router that defers all large messages, + except in queue runs. Since queue runners deliver just one + message at a time, if you limited the number of simultaneous queue + runners to 1, you would get the effect you wanted. A suitable router + might be + +==> defer_if_large_unless_queue_run: + driver = redirect + condition = ${if or{{queue_running}{<{$message_size}{200K}}}{no}{yes}} + allow_defer + data = :defer: too large for immediate delivery + no_verify + + Of course, this would always delay any large message until the next + queue runner, but if you run them fairly regularly, this shouldn't be a + huge problem, and may even be desirable. Note the use of \no_verify\ to + ensure that this router is not used when Exim is verifying addresses. + + +Q0626: Exim can route local parts independent of their case, but the Cyrus LMTP + daemon requires the correct case. How can I fix this? + +A0626: You need to rewrite the local part to the correct case before running + the router that routes to Cyrus. For example, if you require all lower + case, and your router is called \local_user\, put this router in front + of it: + +==> lowercase_local: + driver = redirect + redirect_router = local_user + domains = +local_domains + data = ${lc:$local_part}@$domain + + The setting of \redirect_router\ causes processing of the rewritten + address to start at the next router, instead of the first router. See + also Q0630, and C045 for a more complete Cyrus configuration. + + +Q0627: Is there a command I can send to Exim to retry all queued messages + regardless of their retry schedule? + +A0627: The \-qff-\ option starts a queue runner that forces a delivery attempt + for all messages, including frozen ones. If you use \-qf-\, frozen + messages are skipped. 
+ + +Q0628: I have the default retry rule, which I thought meant that Exim should + keep trying for four days, but it seems to be bouncing some messages + immediately. + +A0628: See Q0615 and Q0620. + + +Q0629: I'm having trouble with quotas and Courier, because Exim is not handling + maildirsize files. + +A0629: You will do better to move the quota handling to Courier. Use \^maildrop^\ + as your MDA rather than direct Exim delivery. This also has the + advantage that if you give web access to the mail spool (over \^sqwebmail^\) + you can then use the web front end to edit \^maildrop^\ filter files. + + +Q0630: How can I configure Exim to deliver to a Cyrus message store? + +A0630: (1) The reference manual contains an example that uses pipe delivery. + + (2) Here is a transport that uses LMTP delivery, assuming that + \$local_part$\ contains the username: + +==> cyrus_inbox: + driver =lmtp + user = cyrus + socket = /var/cyrus/socket/lmtp + + (3) This is a transport that delivers direct to a non-inbox mailbox: + +==> cyrus_mailbox: + driver = pipe + user = $local_part + message_prefix = + message_suffix = + log_fail_output + return_output + command = "/usr/cyrus/bin/deliver -a $local_part \ + -m $local_part" + + This delivers to the Cyrus mailbox \"user.$local_part."\. + Using \"user = $local_part"\ and \"-a $local_part"\ makes it work + without needing an explicit `p' ACL set for `anyone' on the mailbox. + + +Q0631: I would like to choose a retry rule based on on the sender rather than + the recipient address. Is this possible? + +A0631: Yes. The address part of a retry rule is matched as a single-item + address list. Such lists are always expanded, so you can use something + like this: + +==> "${if eq{$sender_address}{xxx}{*@*}{no@no}}" quota F,1h,10m; ... + + If the sender address is ``xxx'', the pattern expands to ``*@*'', which + matches all recipient addresses; if you want to, you can make this a + more restrictive pattern. 
If the sender address is not ``xxx'', the + pattern expands to ``no@no'', which is assumed to be a recipient address + that can never match, so the retry rule is skipped. + + +Q0632: What does the error \*User 1 set for local_mbx_delivery transport is on + the never_users list*\ mean? + +A0632: You have configured the \%local_mbx_delivery%\ to run as the user whose + id (uid) is 1. However, this user is on the list defined by the + \never_users\ runtime option, or the \\FIXED_NEVER_USERS\\ compile-time + option. These are ``safety catch'' lists; Exim refuses to deliver to any + user that is on them. The most common use of \never_users\ is to avoid + doing any deliveries as \/root/\, but it can contain other uids. + + +Q0633: Why is \$domain$\ not set in the \%smtp%\ transport? + +A0633: The \%smtp%\ transport can handle several recipient addresses at once. + This happens by default if the host lists for the addresses are + identical. A single copy of the message is sent, using multiple \\RCPT\\ + commands to transmit multiple envelope recipients. The \$domain$\ + variable is set in the \%smtp%\ transport only if all the recipient + addresses have the same domain. You must have a case where several + addresses with different domains resolve to the same set of hosts. + + If you want to restrict the transport so that it handles only a single + domain at once (but still possibly with more than one recipient), set + +==> multi_domain = false + + If you want to restrict the transport so that it handles only a single + address at once, set + +==> max_rcpt = 1 + + +Q0634: How can I stop a local transport from trying to access the user's home + directory, even when the delivery is to a file that is elsewhere? + +A0634: See answer (2) for Q0423. + + +Q0635: The log message \*error ignored*\ appears after some delivery failures. + What does it mean? 
+ +A0635: This message is written when Exim fails to deliver a bounce message whose + age is greater than \ignore_bounce_errors_after\. It indicates that the + failing bounce message has been discarded. + + The same message is written after failed deliveries when a filter file + uses the \noerror\ feature when setting up a delivery, or if a router + has the setting + +==> errors_to = <> + + Both of these specify that delivery failures are to be discarded. + + + +7. POLICY CONTROLS + +Q0701: How do I block unwanted messages from outside my host? + +A0701: Exim uses Access Control Lists (ACLs) for controlling incoming mail from + other hosts. A whole chapter in the reference manual is devoted to + describing how they work. A wide variety of conditions can be imposed on + incoming messages. + + The default Exim run time configuration contains an example of an ACL + which blocks all relaying, and messages whose senders cannot be + verified. This example is heavily commented and worth studying. + + +Q0702: I don't want to block spam entirely; how can I inspect each message + before deciding whether or not to deliver it? + +A0702: Wherever possible, inspection and rejection is best done automatically + in an ACL, that is, before the message is accepted. If you want to + verify manually each message that is classified as spam by an automatic + check, you can arrange for a system filter to freeze such messages after + they have been accepted. + + If, after inspection, you decide not to deliver the message, it is + safest to discard it, using the \-Mrm-\ option. Use of the \-Mg-\ option + to force a bounce carries the risk of ``collateral spam'' if the sender + address is faked. + + +Q0703: How can I test that my spam blocks are working? + +A0703: The \-bh-\ option allows you to run a testing SMTP session as if from a + given IP address. 
For example, + +==> exim -bh 192.168.178.39 + + In addition to the normal SMTP replies, it outputs commentary about + which tests have succeeded or failed. If you are not interested in the + details, but just want to know if a particular sender at a particular IP + address is able to mail to a particular recipient, you can use the + \exim_checkaccess\ utility, which provides a ``packaged'' version of + \-bh-\. You call it like this: + +==> exim_checkaccess 192.168.53.23 recip@my.domain -f sender@some.domain + + If you don't give a sender, \"<>"\ is used (that it, it acts like a + bounce message). + + +Q0704: How can I test that Exim is correctly configured to use the Realtime + Blackhole List (RBL)? + +A0704: The \-bh-\ option allows you to run a testing SMTP session as if from a + given address. The \^exim_checkaccess^\ utility provides a more packaged + version of this facility. You need to know a blocked IP address with + which to test. Such a testing address is kindly provided by Russell + Nelson: + +==> linux.crynwr.com [192.203.178.39] + + You can also send mail to \(nelson@linux.crynwr.com)\ from the server + whose RBL block you are testing. The robot that receives that email + will attempt to send a piece of test email in reply. If your RBL block + didn't work, you get a message to that effect. Regardless of whether the + RBL block succeeds or not, it emails you the results of the SMTP + conversation from a host that is not on the RBL, so you can see how your + server looks from the view of someone on the RBL. + + +Q0705: How can I use tcpwrappers in conjunction with Exim? + +A0705: Exim's own control facilities can do all that tcpwrappers can do. + However, if you are already using tcpwrappers for other things it might + be convenient to include Exim controls in the same place. + + First of all, ensure that Exim is built to call the tcpwrappers library, + by including \\USE_TCPWRAPPERS=yes\\ in \(Local/Makefile)\. 
You also need to + ensure that the header file \(tcpd.h)\ is available at compile time, and the + \(libwrap.a)\ library is available at link time, typically by including it in + \\EXTRALIBS\\. You may need to copy these two files from the tcpwrappers + build directory to, for example, \(/usr/local/include)\ and \(/usr/local/lib)\, + respectively. Then you could reference them by + +==> CFLAGS=-I/usr/local/include + EXTRALIBS=-L/usr/local/lib -lwrap + + in \(Local/Makefile)\. There are two ways to make use of the functionality, + depending on how you have tcpwrappers set up. If you have it set up to + use only one file, you ought to have something like: + +==> /etc/hosts.allow: + +==> exim : : + + For example: + +==> exim : LOCAL 192.168.0. .friendly.domain special.host : ALLOW + exim : ALL : DENY + + This allows connections from local hosts (chiefly //localhost//), from + the subnet 192.168.0.0/24, from all hosts in \(*.friendly.domain)\, and + from a specific host called \(special.host)\. All other connections are + denied. If you have tcpwrappers set up to use two files, use the + following: + +==> /etc/hosts.allow: + +==> exim : + +==> /etc/hosts.deny: + +==> exim : + + Read the \^hosts_access^\ man page for more ways of specifying clients, + including ports, etc., and on logging connections. + + +Q0706: How can I get POP-auth-before-relay (aka POP-before-SMTP) support in + Exim? + +A0706: Exim 4 supports the ``whoson'' (\?http://whoson.sourceforge.net?\) + facility for doing this. If you set this up, you can do the check in an + Exim ACL by a statement like this: + +==> require condition = \ + ${lookup whoson {$sender_host_address}{yes}{no}} + + Otherwise you need to arrange for a list of permitted IP addresses to be + maintained in a file or database, and use this in a \hosts\ condition in + an ACL statement. 
An Exim user has published this recipe: + + \#\#\#\#\?http://www.zeiss.cx/memo/computer/linux/email/exim-s-a-p.html?\ + + Another Exim user submitted the following idea: + + Use a script to grab authenticated IP addresses from the log files of + the POP3 and IMAP4 daemons. These are used to create files in the + directory tree \(/var/db/popb4smtp)\. The existence of a file represents a + valid ``popped recently token'' for the IP address used as the filename. + + Another script periodically removes stale files from the tree (after two + hours). There's a small race condition here; it's possible for a file + to be deleted just after it has been updated by the script that watches + the logs. For low-volume servers, the odds of hitting this window are + low. + + A POPB4SMTP_CLIENT macro in the Exim configure file provides a reusable + ``has this sender popped recently?'' query: + +==> POPB4SMTP_SUBDIR = /var/db/popb4smtp/${substr_-1_1:$sender_host_address} + POPB4SMTP_CLIENT = ${if exists {POPB4SMTP_SUBDIR/$sender_host_address} \ + {$sender_host_address} {0} } + + Now you can use it just about anywhere, including in your ACLs. Simple + examples include: + +==> hostlist relay_hosts = 127.0.0.1/32 : ... : POPB4SMTP_CLIENT + host_lookup = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT + rfc1413_hosts = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT + + The two scripts (and a FreeBSD startup script for them) are available + for download at: + + \#\#\#\#\?http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz?\ + + +Q0707: I have one or two cases where my host correctly rejects messages, but + the remote host is quite persistent, and keeps trying over and over. + +A0707: It is an unfortunate fact that a number of SMTP clients, in violation of + the SMTP RFC, do not treat a permanent error code that is given after + the DATA portion of the transaction as a permanent error. Consequently + they keep resending the message, and the worst offenders do so at very + short intervals. 
+ + The only way to stop such behaviour is to blacklist the IP address, or + the envelope sender, or both, in such a way that future messages get + rejected at RCPT time instead of at DATA time. You could also complain + to the remote host's administrators. + + +Q0708: How can I run customized verification checks on incoming addresses? + +A0708: There are a number of possibilities: + + (1) If you can implement your checks in Perl, you can use Exim's + facility for running an embedded Perl interpreter. For example, if you + want to run special checks on local addresses, you could use ACL + an statement like this: + +==> require domains = my.local.domain + condition = ${perl{verify}{$local_part}} + + The result of the Perl function should be ``yes'' or ``no''. + + (2) You could also run an external program in a similar way, by a + statement such as: + +==> require domains = my.local.domain + condition = ${run{/my/verifier $local_part}} + + This requires the use of another process, so could prove more expensive + than Perl. + + (3) If you are prepared to write C code, read the chapter in the manual + entitled \*Adding a local scan function to Exim*\. + + +Q0709: Does Exim apply RBL checks to error messages, those with an envelope + sender of \"<>"\ ? + +A0709: This depends on the ACL configuration. You can test for bounce messages + (by looking for an empty sender address) and thereby exclude them from + RBL checking if you want. This ACL statement does that: + +==> deny senders = ! : + dnslist = blackholes.mail-abuse.org + + However, some spam does come with an empty sender address, so this may + not be a good idea. + + +Q0710: I want to reject certain sender-recipient combinations, with a specific + message for each such combination. + +A0710: Set up a file (or database) containing the messages, keyed by the + combination, for example: + +==> sender1@sdomain1=>recipient1@rdomain1: blocked because... + sender2@sdomain2=>recipient2@rdomain2: blocked because... 
+ + If you have lots of recipients for the same sender, it might be easier + to generate this file from more convenient data. In your ACL that is run + for each RCPT command, you can then put: + +==> deny message = ${lookup{$sender_address=>$local_part@$domain}\ + lsearch{/that/file}} + condition = ${lookup{$sender_address=>$local_part@$domain}\ + lsearch{/that/file}}{yes}{no}} + + The condition is tested first. If the lookup succeeds, the condition + succeeds so access is denied. The message is then expanded, but the + lookup won't be repeated, because Exim will have cached the previous + result. + + This approach blocks only incoming SMTP messages. If you need to do + similar blocks for messages that do not arrive over SMTP, you have to + set up a suitable \%redirect%\ router with a \:fail:\ setting. + + +Q0711: Will Exim allow me to create a file of regexs and match incoming + external email to the list - and if a match is found file the offending + message into a special location? Also is it possible to make Exim only + filter parts of an incoming email - e.g. ignore large MIME attachments + for example and only process text/plain? + +A0711: You can do some of this in a system filter. For example: + +==> if $message_body matches <...some complicated regex...> or + $message_body matches <...some other regex...> or + $header_from: matches <...regex...> or + etc. + then + save /some/special/file + endif + + or instead of \"save"\ you could have \"deliver"\ (to some address) or + \"pipe"\ (to some script). + + There isn't any mechanism for ignoring attachments, but \$message_body$\ + only looks at the first n bytes of the body, where n defaults to 500 but + can be changed. + + A more expensive alternative would be to run a Perl subroutine using the + embedded Perl mechanism. If you passed over the message id, the Perl + code could read the message files on the spool and implement any + algorithm it liked for deciding what should be done. 
+ + +Q0712: I've hacked sendmail to make an ioctl call at the time of the SMTP RCPT + command, to check if a user has exceeded their email quota. If they have + I issue a temporary failure and a message - can I do this with Exim? + +A0712: If you can make this happen in Perl you can use the embedded Perl + facility, and use it from a \condition\ condition in an ACL statement. + You can also use the expansion facility to run an external program, but + this uses more resources because it uses another process. + + +Q0713: I'd like to pass all messages through a virus-scanning system before + delivery. Can Exim do this? + +A0713: One way of achieving this is to deliver all messages via a pipe to a + checking program that resubmits them for delivery in some private way + that can be checked (e.g. on a specific SMTP port, or IP address). One + possibility is to use the `received protocol` field that can be set + for locally submitted mail via the \-oMr-\ command line option. This + router sends all messages that are not from the local host and whose + received protocol is not \"scanned-ok"\ to the \%virus_scan%\ transport: + +==> vircheck: + driver = accept + transport = virus_scan + condition = ${if or {{eq {$received_protocol}{scanned-ok}} \ + {eq {$sender_host_address}{127.0.0.1}}}\ + {0}{1}} + + One problem is that this approach scans the message for each recipient, + not just once per message. + + The virus_scan transport should be set up to pipe the message to a + suitable checking program or script which runs as a trusted user. This + can then re-submit the message to Exim, using \-oMr-\ to set the received + protocol to \"scanned-ok"\, and the \-f-\ option to set the correct envelope + sender address. \**Warning:**\ If you forget to make the resubmitting process + run as a trusted user, the received protocol does not get set, and you + are likely to generate a loop. + + +Q0714: Is there a way to configure Exim to reject mail to a certain local host? 
+ +A0714: No, only to certain domains. To reject at SMTP time, you can put a line + like this in your ACL: + +==> deny message = this domain is deliberately rejected + domains = a.certain.domain + + To fail addresses in messages that do not arrive over SMTP, you can set + up a router like this: + +==> reject_a_certain_domain: + driver = redirect + domains = a.certain.domain + allow_fail + data = :fail: this domain is deliberately rejected + + +Q0715: How can I get Exim to remove attachments from messages? + +A0715: Exim does not contain facilities for modifying messages. You must use + an external program if you want to do this. You can route messages that + have a ::Content-type:: header line via a pipe to a command that does + the job and then re-submits the message to Exim. Alternatively, you + could use a transport filter to do this job. + + +Q0716: How can I arrange for each user to have a file listing the only sender + addresses from which she will accept mail? I want to do this so my + family members don't get any spam (or other inappropriate mail). + +A0716: Let's assume each user has a file called \(.acceptlist)\ in the home + directory. You can put in your ACL a line like this: + +==> require senders = /home/$local_part/.acceptlist + + This will reject RCPT commands when the sender is not in the accept + list for the recipient. (Replace \(/home/$local_part)\ with whatever + the correct path to your user's home directories is.) + + One problem with this is that it will block bounce messages, which have + empty senders. You can get round this, by changing the line to this: + +==> require senders = : /home/$local_part/.acceptlist + + However, this will, of course, let in spam that has a null sender. + + +Q0717: When using Nessus on a system that runs Exim, a number of security + issues are raised. Nessus complains that Exim answers to EXPN and/or + VRFY; sometimes it even complains that Exim allows relaying. 
+ +A0717: Exim supports EXPN and VRFY only if you permit it to do so in the ACLs + defined by \acl_smtp_expn\ and \acl_smtp_vrfy\, respectively. Otherwise, + its responses are + +==> 550 Administrative prohibition + 252 Administrative prohibition + + Maybe the use of 252 is the ``problem''. It is recommended that this be + done (by those that discuss these things) because there are stupid + clients that attempt VRFY before sending a message. + + +Q0718: Could anyone points me to right rules to prevent sending/receiving + messages to/for domains which have one MX to localhost or only have + address 127.0.0.1 ? + +A0718: See Q0319. + + +Q0719: I would like to have a per-user limit for the maximum size of messages + that can be sent. + +A0719: The simplest way to do this is to put something in a system filter along + these lines: + +==> if $message_size is above + "${lookup{$sender_address}lsearch{/some/file}{$value}{10M}}" + then + fail "Message is larger than $sender_address is allowed to send" + endif + + In practice, an additional check that the message has arrived from your + local host or local network is probably wise because sender addresses + are easily forged. + + +Q0720: I set \"accept hosts=192.168.122.96/32"\ in order to accept mail for + relaying from my local LAN, but it doesn't work. What's wrong? + +A0720: 192.168.122.96/32 is not a network, it is a single host. Exim uses CIDR + notation for specifying networks, where the number after the slash is + the number of bits in the IP address that must match. Your setting says + ``32 bits must match''. If you really mean to specify ``the next 32 + IP addresses'', you need 192.168.122.96/27. + + +Q0721: I have POP-before-SMTP set up on my Exim server, but some clients use + Outlook Express, which sends queued messages before checking the + mailbox, so it doesn't work. + +A0721: Implement SMTP authentication. + + +Q0722: I installed Amavis and it is working, but bounces are simply vanishing. 
+ +A0722: Check that you haven't inadvertently set up the transport like this: + +==> amavis: + driver = pipe + command = "/usr/sbin/amavis -f ${sender_address} -d ${pipe_addresses}" + + The last line should be: + +==> command = /usr/sbin/amavis -f <$sender_address> -d $pipe_addresses + + The important thing is the <> around the sender address; removal of + the unnecessary "" and {} is just tidying. See the amavis FAQ at + \?http://www.amavis.org/amavis-faq.php3?\. + + +Q0723: I can't get Pine to work with PLAIN authentication; Exim keeps + responding "535 Incorrect authentication data". + +A0723: You need to have this setting in your PLAIN authenticator: + +==> server_prompts = : + + This is missing in the examples in all but the most recent Exim + documentation, because it was not realized that PLAIN authentication + could be requested by a client without sending the data with the + request. If the data is not sent, an empty prompt is expected. + + +Q0724: I have used \":fail:"\ in some aliases; when one of these addresses is + refused, I see the message on the log, but the response to the remote + user is ``unknown user'' instead of the message from the alias file. + How can I change this? + +A0724: Have you got a \message\ qualifier in the relevant ACL? Exim uses the + message line in the ACL in preference to the message returned by the + router. This is so you can restrict the amount of information that + ``escapes'' from your site via SMTP if you want to. Remove the \message\ + line in the ACL entry that has \"verify = recipient"\ and your message + will get through. + + Alternatively, if you are running Exim 4.10 or later, you can use the + \$acl_verify_message$\ variable in your message to include the message + from the router. See also Q0725. + + +Q0725: I've set up some specific rejection messages for certain recipients, but + when I test them, the SMTP message is always \*550 5.1.1 + ... User unknown*\. 
+ +A0725: That is not an Exim message (the ``5.1.1'' is a clue; Exim doesn't use + those extended codes). You are probably being defeated by software that + sees the 550 error code, and insists on putting in its own text. There + is stupid software that does this. You can test Exim by using \-bh-\ or + making a telnet call to the SMTP port. That way, there's no other + software intervening. + + +Q0726: My SMTP authentication can be bypassed by sending an unknown user name + and an empty password. What is wrong with this condition in a PLAIN + authenticator? + +==> server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \ + accounts WHERE username='${local_part:$1}'}}}{1}{0}} + +A0726: Your lookup item returns an empty string when the user does not exist. + You should instead arrange for the lookup to fail: + +==> server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \ + accounts WHERE username='${local_part:$1}'}{$value}fail}}{1}{0}} + + +Q0727: When a message has many recipients, how can I stop SpamAssassin from + being called for each of them? I'm running it from a pipe transport. + +A0727: In the transport configuration, set \batch_max\ to a value greater than + one. + + +Q0728: How do I use Exiscan, SA-Exim, SpamAssassin, Clam Antivirus, Sophos + SAVI, or sophie with Exim? + +A0728: There's a mini-HOWTO about these available via + \?http://www.timj.co.uk/linux/exim.php?\. + See also sample configuration C047. + + +Q0729: How can I screen out addresses that are neither valid usernames or + distribution lists on mail being forwarded to an internal Win2K server? 
+ +A0729: A user suggested using a router like this to do the recipient + verification: + +==> verify_user_router: + driver = accept + domains = win2kdomain.com + local_parts=\ + ldap;user="cn=ldap-guest,cn=Users,dc=win2kdomain,dc=com"\ + pass=guest \ + ldap:://win2kpdc/dc=win2kdomain,dc=com?mailNickname?\ + sub?(&(mailNickname=$local_part)\ + (showInAddressBook=*)(sAMAccountName=*)) + verify_only + + Set up ldap-guest as a normal domain user on the Win2K PDC. + + Also, you need to set \no_verify\ on all the other routers that handle + that domain. + + +Q0730: How can I use the same passwords for SMTP authentication as I use for + Courier IMAP access to my server? + +A0730: You can access the Courier authdaemon from an Exim authenticator. You + must arrange for the Exim user (often \/exim/\ but sometimes \/mail/\) + to be able to access \(/var/run/courier/authdaemon/socket)\. The + configuration is something of a hack, but it is reported to work. Here + is a LOGIN authenticator: + +==> login: + driver = plaintext + public_name = LOGIN + server_prompts = Username:: : Password:: + server_condition = \ + ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\ + {AUTH 76\n${length_76:exim\nlogin\n$1\n$2\ + \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ + \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ + \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}} + server_set_id = $1 + + Here is a PLAIN authenticator: + +==> plain: + driver = plaintext + public_name = PLAIN + server_prompts = : + server_condition = \ + ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\ + {AUTH 76\n${length_76:exim\nlogin\n$2\n$3\ + \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ + \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ + \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}} + server_set_id = $2 + + +Q0731: Is there any defence I can use against spam sent through an open proxy? + +A0731: The \*ident*\ feature can be used in some cases. 
See the discussion in + Q5023. + + +Q0732: I would like to either warn or deny when a host uses an underscore in + the EHLO command. + +A0732: First, set + +==> helo_allow_chars = _ + + This tells Exim not to reject the EHLO or HELO command immediately. Once + you have done that, you can test for the underscore in an ACL. For + example, to log a warning for hosts in your LAN, and reject for other + hosts, you could do something like this: + +==> deny message = Underscores are not valid in host names + hosts = ! +lan_hosts + condition = ${if match{$sender_helo_name}{_}{yes}{no}} + +==> warn log_message = Accepted underscore from [$sender_host_address] + condition = ${if match{$sender_helo_name}{_}{yes}{no}} + + +Q0733: Is there any way to tell Exim not to lookup the IP address against any + DNS black list if the connection is over IPv6? + +A0733: Use this condition in your ACL: + +==> condition = ${if match{${mask:$sender_host_address/0}}\ + {${mask:::0/0}}{no}{yes}} + + From Exim 4.23 onwards, this can be simplified to + +==> condition = ${if isip6{$sender_host_address}{no}{yes}} + + +Q0734: How do MailScanner and Exiscan compare? What are the pros and cons? + +A0734: The big advantage of Exiscan is that it can reject messages at SMTP time + before you have accepted responsibility for them, which means you don't + have to deal with bouncing messages and thereby becoming a collateral + spammer. + + The big advantage of MailScanner is that it gives you much greater + control over the load on your machines. You configure it according to + the maximum processing capacity of your computer and it will not exceed + that; in fact because it deals with messages in batches the cost of + processing a message actually goes down slightly as the load increases, + because the per-batch costs are shared by more messages. 
+ + With Exiscan, you have to rely on Exim's load protection mechanisms, + which basically means that you have to stop accepting messages when your + machine gets too loaded. This is bad if the machine happens to be an + SMTP smarthost. You therefore need more overcapacity with Exiscan than + with MailScanner. + + +Q0735: How can I block non-FQDNs in HELO/EHLOs? + +A0735: Many workstation clients send single-component names; take care that you + do not block legitimate mail. With that proviso, you can do it using + something like this in an ACL: + +==> drop message = HELO doesn't look like a hostname + log_message = Not a hostname + condition = ${if match{$sender_helo_name} \ + {\N^[^.].*\.[^.]+$\N}{no}{yes}} + + This means: Drop the HELO unless it contains a dot somewhere in the HELO + string, but the string may not begin or end with a dot. Thus, the + imposed minimum length is 3 characters. + + The data for HELO/EHLO doesn't have to be a host name; it may + legitimately be an IP address literal instead. The above test succeeds + with an IPv4 address literal, but if you want also to accept IPv6 + address literals, you will have to modify the regular expression. + + +Q0736: Is it possible to tell exim to drop the connection after a server + attempts to send a message to a number of unknown users? + +A0736: Yes. Use \$rcpt_fail_count$\ and the \^drop^\ ACL command, as in this + example: + +==> drop message = Too many unknown users + condition = ${if >{$rcpt_fail_count}{15}{yes}{no}} + + +Q0737: Is there some way to tell Exim not to consider 127.0.0.1 as a valid MX? + +A0737: See Q0319. + + +Q0738: How can I configure Exim to delay the SMTP connection if more than 10 + invalid recipients are received in one message? + +A0738: Put something like this in your RCPT ACL: + +==> deny message = Max $rcpt_fail_count failed recipients allowed + condition = ${if >{$rcpt_fail_count}{10} {1}} + ! 
verify = recipient + delay = ${eval: $rcpt_fail_count * 10}s + log_message = $rcpt_fail_count failed recipient attempts + + This example increases the delay for each failed recipient. + + +Q0739: Does Exim support SPF? + +A0739: An Exim ACL can be used. See \?http://spf.pobox.com/downloads.html?\. + + + +8. REWRITING ADDRESSES + +Q0801: How can I get Exim to strip the hostname from the sender's address? + +A0801: If you set up a rewriting rule in the following form: + +==> *@*.your.domain $1@your.domain + + then Exim will rewrite all addresses in the envelope and the headers, + removing anything between \"@"\ and \"your.domain"\. This applies to all + messages that Exim processes. If you want to rewrite sender addresses + only, the the rule should be + +==> *@*.your.domain $1@your.domain Ffrs + + This applies the rule only to the envelope sender address and to the + ::From::, ::Reply-to::, and ::Sender:: headers. + + +Q0802: I have Exim configured to remove the hostname portion of the domain on + outgoing mail, and yet the hostname is present when the mail gets + delivered. + +A0802: Check the DNS record for your domain. If the MX record points to a CNAME + record instead of to an A record, some MTAs (not Exim) are liable to + rewrite addresses, changing your domain name to its ``canonical'' form, + as obtained from the CNAME record. + + +Q0803: I want to rewrite local addresses in mail that goes to the outside + world, but not for messages that remain within the local intranet. + +A0803: You can use the \headers_rewrite\ option on a transport to do this. + The rewriting will then apply to just those copies of a message that + pass through the transport. The \return_path\ option can similarly be + used to rewrite the sender address. There is no way of rewriting + recipient addresses at transport time. However, as these are by + definition remote addresses, you probably don't want to rewrite them. 
+ + You have to set up the configuration so that it uses different SMTP + transports for internal and external mail. If you are using a single + router in both cases, you could configure it like this: + +==> dnslookup: + driver = dnslookup + transport = ${if match{$domain}{\N\.my\.domain$\N}{int_smtp}{ext_smtp}} + + This example uses the \%int_smtp%\ transport for domains ending in + \(.my.domain)\, and \%ext_smtp%\ for everything else. The \%ext_smtp%\ transport + could be something like this: + +==> ext_smtp: + driver = smtp + headers_rewrite = *@*.my.domain \ + ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail} + return_path = \ + ${if match{$return_path}{\N^([^@]+)@(.*)\.my\.domain$\N}\ + {\ + ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail}\ + }\ + fail} + + This example uses a separate file of local-to-external address + translations for each domain. This is not the only possibility, of + course. The \headers_rewrite\ and \return_path\ options apply the same + rewriting to the header lines and the envelope sender address, + respectively. + + +Q0804: I'm using this rewriting rule to change login names into ``friendly'' + names, but if mail comes in for an upper case login name, it doesn't + get rewritten. + +==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\ + {$value}fail}@my.domain bcfrtFT + + The longforms database has entries of the form: + +==> ano23: A.N.Other + +A0804: Replace \"$1"\ in your rule by \"${lc:$1}"\ to force the local part to lower + case before it is used as a lookup key. + + +Q0805: Is it possible to completely fail a message if the rewrite rules fail? + +A0805: It depends on what you mean by ``fail a message'' and what addresses you + are rewriting. 
If you are rewriting recipient addresses for your local + domain, you can do: + +==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq + + and in your alias file put something like + +==> failaddr: :fail: Rewriting failed + + This fails a single recipient - others are processed independently. + + +Q0806: I'm using \$domain$\ as the key for a lookup in a rewriting rule, but its + contents are not being lowercased. Aren't domains supposed to be handled + caselessly? + +A0806: The value of \$domain$\ is the actual domain that appears in the address. + It could of course be lower cased, but I know that would cause some + unhappiness, because some people have mixed-case domain names which look + silly if the case is changed. Thus, one wants to preserve the case in + rewrites such as + +==> *@*.TheRap.com something@$domain + + because ``therap'' doesn't look like two words. I know it seems trivial, + but it is important to some people - especially if by some unfortunate + accident the lowercased word is something indecent. + + You can trivally force lower casing by means of the \"${lc:"\ operator. + Instead of \"$domain"\ write \"${lc:$domain}"\. + + +Q0807: I want to rewrite local sender addresses depending on the domain of the + recipient. + +A0807: In general, this is not possible, because a message may have more than + one recipient and Exim keeps just a single copy of each message. It may + also deliver one copy of a message with several recipient addresses. + You can do an incomplete job by using a regular expression match in a + rewrite rule to test, for example, the contents of the ::To:: header. This + would work except in cases of multiple recipients. + + + +9. HEADERS + +Q0901: I would like add some custom headers to selected outgoing mail based on + a specific domain and the subject line. 
+ +A0901: To the remote_smtp transport, add something like + +==> headers_add = ${if and{\ + {eq{$domain}{spec.dom}}\ + {matches{$h_subject:}{whatever}}}\ + {Content-Type: text/html; charset="us-ascii"} fail } + + This example shows a ::Content-Type:: header, but you can have anything you + like, and multiple headers can be inserted by using \"@\n"\ to separate them. + + +Q0902: Is it possible to have Exim add a header to only certain local parts of + outgoing mail? + +A0902: Only if you arrange for each such local part to receive its own private + copy of the mail. See \max_rcpt\ in the SMTP transport. If you set this + to 1, you could use conditions in an expansion string to add or not add + a header. + + +Q0903: How can I remove some part of the ::Received:: header? + +A0903: Set \received_header_text\. + + +Q0904: How I can insert the PGP header line using Exim filters? + +A0904: You can't insert headers in a user filter. A system filter can do so, + but the inserted lines then are included for all recipients. + + +Q0905: I know I can use a system filter to replace certain headers in messages, + but how can I add text to existing headers? I want to add [SPAM] to + the subject line of messages that appear to be spam. + +A0905: You can only do this in a round about way, using filter commands like + this: + +==> headers add "New-Subject: SPAM: $h_subject:" + headers remove subject + neaders add "Subject: $h_new-subject:" + headers remove new-subject + + This trick works only in system filters, where the commands are obeyed + in order, and affect the master list of headers that apply to the whole + message. You cannot do this with the \headers_add\ and \headers_remove\ + options on drivers. + + + +10. PERFORMANCE + +Q1001: I'm running a large mail server. Should I set \split_spool_directory\ to + improve performance? + +A1001: Splitting the spool directory has most benefit if there are times when + there are a large number of messages on the queue. 
If all mail is + delivered very quickly, and the queue is always less than, say, a few + hundred messages, there isn't any need to do this. With larger queues, + there is a definite performance benefit to splitting the spool. It shows + up earlier on some types of filing system, compared with others. + + Exim was not designed for handling large queues. If you are in an + enviroment where lots of messages remain on the queue for long periods + of time, consider implementing a back up host to which you pass these + messages, so that the main host's queue remains short. You can use + \fallback_hosts\ to do this, or a router that is conditional on + \$message_age$\. + + +Q1002: How well does Exim scale? + +A1002: Although the author did not specifically set out to write a high- + performance MTA, Exim does seem to be fairly efficient. The biggest + server at the University of Cambridge (a large Sun box) goes over + 100,000 deliveries per day on busy days (it has over 20,000 users). + There was a report of a mailing list exploder that sometimes handles + over 100,000 deliveries a day on a big Linux box, the record being + 177,000 deliveries (791MB in total). Up to 13,000 deliveries an hour + have been reported. + + These are quotes from some Exim users: + + "... Canada's largest internet provider, uses Exim on all of our mail + machines, and we're absolutely delighted with it. It brought life back + into one of our machines plagued with backlogs and high load averages. + Here's just an example of how much email our largest mail server + (quad SS1000) is seeing ... " [230,911 deliveries in a day: 4,475MB] + + "... Exim has to ... do gethostbyname()s and RBL lookups on all of the + incoming mail servers, and he runs from inetd (TCP Wrappers connected). + All the same, it seems to me that he runs as fast as lightning on our + SCO 5.0.4 box (1 Pentium 166) - far faster than MMDF which I (and many + customers) had before." 
+ + "On a PII 400 with 128M of RAM running Linux 2.2.5, I have achieved + 36656 messages per hour (outgoing unique messages and recipients). For + about a 5 minute period, I was able to achieve an average of 30 messages + per second (that would be 108000 m/hour)! We are using: (options that + make a difference): + +==> queue_only + split_spool_directory + queue_run_max = 1 + remote_max_parallel = 1 + + We have a cron job hat runs every five minutes that spawns 5 \"exim -q"\ if + there are less that 120 exim processes currently running. We found + that by manually controlling the concurrency of \"exim -q"\ processes + contending for the spool for \%remote_smtp%\ delivery that we gained + considerable performance - 10000 m/hour." + + +Q1003: We have a large password file. Can Exim use alternative lookups during + delivery to speed things up? + +A1003: If you are using FreeBSD, this problem should not arise, because it + automatically uses an indexed password file. In some other operating + systems you can arrange for this to happen too. On Linux, for example, + all you need to do is + +==> # cd /var/db + # make + + and put \"db"\ before \"files"\ in any \(/etc/nsswitch.conf)\ lines you want to + use db for. + + On systems that do not include support for indexed password files, you + can build one yourself, and reference it from the Exim configuration. + For example, for routing to local mailboxes you could use this: + +==> localuser: + driver = accept + condition = ${lookup{$local_part}cdb{/etc/passwd.cdb}{yes}{no}} + transport = local_delivery + user = ${extract{1}{:}{${lookup{$local_part}cdb{/etc/passwd.cdb}}} + + This assumes a cdb version of the password file. + + +Q1004: I just wondered if it might be helpful to put the hints database on a + RAM disk during regular operation. Did anybody try that yet? + +A1004: A user reported thus: ``I have found that this works great under Solaris. 
+ Make a RAM disk partition and keep everything in the \(db)\ directory on + it. However, when I try the same thing on Linux, I don't see the same + boost. I think that Linux's file buffer cache works about the same. + Plus, this leave more room for processes to run.'' + + There have been other reports that Linux's delayed buffer write provides + better overall performance in general. + + Apparently there is support in the Solaris kernel for a delayed writing, + as in Linux, but Sun's server policy is to have it disabled so that you + don't lose so much if the server crashes. There is a program called + \^fastfs^\ to enable and disable this support. You have to download and + compile it yourself; find it by looking for \"fastfs.c"\ in a search + engine. Solaris performance is reported to be much improved, but you + should take care to understand the potential hazards. In particular, + \^fsck^\ may be unable to ``fix'' disks automatically after a crash. + + +Q1005: A lot of incoming mail is pushing up my system load too much, and there + are many Exim processes. How can I control this? + +A1005: Have you set any of the Exim configuration options that limit what it + does under high load? For example, queue_only_load, deliver_queue_load_max? + See the list in the section entitled \*Resource control*\ in the manual. + + It sounds like a lot of simultaneous incoming mail pushes your system + into uncontrolled overload. The multiple Exim processes are probably + just multiple incoming messages. You can use the \^exiwhat^\ utility to + confirm this. + + + +11. MAJORDOMO + +Q1101: How do I set up Majordomo to work with Exim? + +A1101: Users have found several ways of setting up Exim for use with Majordomo. + One way has been documented at + \?http://www.averillpark.net/exim/majordomo.html?\. + + Somewhere in the Majordomo docs or FAQ it mentions using batchmail or + other additional programs to improve the performance of large lists. 
+ They are not needed with Exim, and their use can actually make things + worse. However, it's a good idea to set \remote_max_parallel\ to a value + greater than 1 in the Exim configuration. + + +Q1102: I have set \$mailer$\ in \(majordomo.cf)\, but it still isn't setting the + sender correctly in the messages it sends. + +A1102: Make sure you have got the quoting correct in the \$mailer$\ setting. For + example, + +==> $mailer = "$sendmail_command -oi -oee -f$sender\@lists.mydomain.de"; + + is not correct. It needs three backslashes, not one, and the $ at the + start of \$sender$\ has to be escaped with a backslash. + + +Q1103: I'm trying to set up majordomo, but I'm getting a wrong mode error + when I try to send it mail. + +A1103: Check the mode of \(/var/lib/majordomo/lists/lists.aliases)\ and compare it + with the setting of the \modemask\ option in the Majordomo aliases + router. This option specifies bits which must not be set for the alias + file, and it defaults to 022. + + +Q1104: I'm getting return code 9 from \(/home/majordomo/majordomo-1.94.4/wrapper)\ + when it is passed a message from Exim. + +A1104: A problem like this turned out to be the Perl version that came with + RedHat 5.2. Rebuilding Perl 5.005x solved it. + + +Q1105: Exim is complaining about an invalid command line when Majordomo tries + to send it a message for delivery. + +A1105: Take a look at your \(majordomo.cf)\ file, It should have something that + looks like + +==> $sendmail_command = "/usr/lib/sendmail"; + + and another line like + +==> $mailer = "$sendmail_command -oi -oee -f\$sender"; + + If you have modified \^resend^\ (one of the majordomo programs) to use + \$sendmail_command$\ instead of \$mailer$\ you will be calling Exim with no + command line arguments. + + + +12. FETCHMAIL + +Q1201: When I run fetchmail, I get the error \*SMTP listener doesn't like + recipient address xxx@localhost*\. 
+ +A1201: Make sure that //localhost// is recognized as a domain that is to be + delivered locally. If you are using the default Exim run time + configuration, you'll see a line near the top like this: + +==> domainlist local_domains = @ + + Change it to + +==> domainlist local_domains = @ : localhost + + +Q1202: I'm currently using Exim with fetchmail and I'd like to use the RBL on + Exim, but will it work? Do I need to configure fetchmail any particular + way? As far as Exim knows, all mail is coming from 127.0.0.1. Will it + check the source address against RBL? Or will it check the ::From:: header? + +A1202: It will check 127.0.0.1 (not very useful). The point of the RBL is to + keep messages from black-listed hosts out of your machine. If you are + using fetchmail, you have got the messages into your machine before you + approach Exim. That kind of defeats the purpose of the RBL. The right + way to do this would be for the host from which you fetch your mail to + do the RBL checking and insert some kind of warning header for you to + test, as Exim does if you run RBL checks in warning mode. + + + +13. PERL + +Q1301: Exim built with Perl support exits with the error message \*./exim: can't + load library 'libperl.so'*\. + +A1301: If you are using BSDI, see Q9401. + + +Q1302: Exim built with Perl support exits with several error messages of the + form \*undefined reference to `PL_stack_sp'*\. + +A1302: This has been seen on FreeBSD systems that had two different versions of + Perl installed, the older with an \^a.out^\ library and the newer with an + ELF library. Ensure that the older package is removed. + + + +14. DIAL-UP AND ISDN + +Q1401: When I'm not connected to the Internet, how can I arrange for mail to + other hosts on my local network to be delivered, while at the + same time mail to Internet hosts is queued without any delivery + attempts? + +A1401: Use the \queue_domains\ option to control which domains are held + on the queue for later delivery. 
For example, + +==> queue_domains = ! *.localnet + + allows delivery to domains ending in \(.localnet)\, while queueing all the + others. + + +Q1402: I have a dial-up machine, and I use the \queue_smtp_domains\ option so + that remote mail only goes out when I do a queue run. However, any email + I send with an address \(anything@aol.com)\ is returned within about 15 + minutes saying \*retry time exceeded*\, and all addresses are affected. + +A1402: You should be using \queue_domains\ rather than \queue_smtp_domains\. + With the latter, Exim is trying to route the addresses, which involves a + DNS lookup. This is presumably timing out, causing a retry time to be + set for the domain, and somehow a valid lookup never happened before the + maximum retry time (default of 4 days) passed. Hence the bounce. The + fact that it is \(aol.com)\ is probably not relevant. You should probably + also be using \-qq-\ to do your queue run rather than \-q-\. + + +Q1403: How should Exim be configured when it is acting as a temporary storage + system for a domain on a dial-up host? + +A1403: Exim isn't really designed for this, but... The lowest-numbered MX + record for the domain should be pointing to the dial-up host. A higher + numbered MX record (lower priority) should point to the Exim server that + is acting as a temporary storage system. + + You should set a large retry time for the domain, so that Exim doesn't + keep trying to deliver when the host is offline. When the host comes + online, the waiting messages have to be kicked somehow. This can be done + by calling Exim with the \-R-\ option, or via the SMTP ETRN command. + + This works provided the number of messages is low. If you are handling + lots of mail, keeping messages waiting for their host to connect and + those that are having delivery problems to remote hosts all in the same + queue doesn't work so well. 
It is better in this case to get Exim to + deliver the mail for the dial-in hosts into some local files which then + get transmitted by other software when the host connects. One tool for + doing this can be found at \?http://cr.yp.to/serialmail.html?\. + + For further discussion, see section entitled \*Intermittently connected + hosts*\ in the manual, and also the section in the Exim book with the + same name. + + +Q1404: I have \queue_domains\ or \queue_smtp_domains\ set, and use \-qf-\ to + force delivery of waiting mail when I dial in. How can I arrange for any + new messages that arrive while I'm connected to be delivered immediately? + +A1404: Instead of \queue_domains\ or \queue_smtp_domains\, use the \queue_only_file\ + option. This causes messages to be queued if a particular file exists. + If you put the word ``smtp'' before the file name, the queueing applies + only to domains that are delivered by SMTP, thus not affecting local + deliveries: + +==> queue_only_file = smtp/etc/present/when/not/connected + + Then, in the scripts which are run when you connect and disconnect, + arrange to remove the file after connection, and create it just before + disconnection. + + +Q1405: I have an ISDN connection and would like a way of running the queue + automatically when it is up. + +A1405: The following shell commands test for the interface being up and then + run the queue: + +==> ifconfig ppp0 | fgrep UP >/dev/null + if [ $? -eq 0 ] ; then exim -q ; fi + + You could put these commands into a script which runs them at regular + intervals. You might want to use \-qq-\ instead of \-q-\. + + With Linux, the script \(/etc/ppp/ip-up)\ is run after a ISDN connection + or a more general PPP connection has been established. If you are using + Linux, you could put the call to Exim in that script. 
+ + +Q1406: When I dial up to collect mail from my ISP, only the first 10 messages + get delivered immediately; the remainder just sit on the queue until a + queue runner process finds them. + +A1406: See Q0049. + + +Q1407: RFC 1985 specifies that the SMTP command \"ETRN host.domain"\ causes all + mail queued for that host, no matter what domain it's for, to be + delivered. Why doesn't Exim support this? + +A1407: Exim does not keep queues of mail for specific destinations. It just + keeps one pool of undelivered messages. What is more, once you start a + delivery of a message, it tries to deliver to all the addresses in the + message, not just the one you may be interested in. (Of course, this + doesn't usually do any harm.) + + The only way it could be done within Exim would be, for every message + on the queue, to go through the motions of routing each undelivered + address and see if that resulted in a delivery to the host of interest. + This could be extremely expensive (e.g. 1,000 messages on the queue, + only 1 for the given host). + + The bottom line is that Exim just wasn't designed for this kind of + operation, that is, holding messages for intermittently connected hosts. + The queueing arrangements are designed for handling delivery problems + that are not expected to be common. + + A better way to do this is to implement the required queues separately. + After all, keeping such mail on an active queue (where Exim will keep + trying to deliver) is silly. If there is a lot of mail for these hosts, + it also masks genuine delivery problems when you inspect the queue. + + Large ISPs who provide this kind of functionality do not usually leave + waiting mail on the MTA's queue. 
Instead, they get it delivered into + per-host directories, one message per file, in one of the special + formats (BSMTP, maildir, or mailstore) and when an ETRN arrives, it + kicks off some completely different program that establishes an SMTP + connection to the host and shovels the waiting mail down it. That seems + to me to be a much neater way of doing this. It means you can easily add + additional functionality such as archiving or throwing away uncollected + mail. + + One program that has this functionality is \^ssmtp^\, which can be + found in \?ftp://metalab.unc.edu/pub/Linux/system/mail/mta/?\. + Alternatively, sample configuration C037 demonstrates an elegant way of + using Exim itself to deliver the saved messages when the client issues + an ETRN. + + +Q1408: If email has been deferred to a member on a local mailing list + (implemented through forward files), and one of our ETRN clients is on + this mailing list, the \-R-\ won't flush the mailing list message for + that client. + +A1408: That is because \-R-\ matches only original recipient addresses, not those + produced as a result of expansion, because these are not (by default) + preserved from delivery to delivery. You can get round this by setting + \one_time\ on the forwarding router, but you are not allowed to have + expansions to pipes or files on routers that have \one_time\ set. + Therefore, you will have to have a separate router for mailing lists + (with \one_time\ set) to the one used for normal forward files that might + specify pipe or file deliveries. However, the problem will still be + present for any user who sets up a \(.forward)\ file to redirect to any of + the ETRN domains. See the last 3 paragraphs of Q1407 for a discussion of + an alternative approach. + + +Q1409: I would like to have a separate queue per domain for hosts which dial + in to collect their mail. + +A1409: Exim isn't really designed for this kind of operation. 
The only way to + do this would be to cause it to send those messages to a differently + configured version of Exim with its own spool area. This could be done + via a pipe or SMTP to a private port. The main Exim, listening on port + 25, would then be configured to run an appropriate command to prod one + of the others when it received ETRN, by means of the \smtp_etrn_command\ + option. + + You could probably manage this with a single Exim binary and a number of + different configuration files, passed to the special versions using the + \-C-\ option. For this application they could all run as \^exim^\, since no + root privilege would be needed. + + An alternative approach id to get Exim to deliver mail for such hosts + in batch SMTP format into some directory, and have the ETRN run + something to pass such messages to the dialled-in host. See also Q1403. + + + +15. UUCP + +Q1501: The MX records for some UUCP domains point to my local host. How do I + get it to pass the messages on to UUCP? + +A1501: The simplest way is to create a file containing a list of domains, and + the hosts to which their messages should be sent, like this: + +==> uucp1.domain.example: uucp1.host.example + uucp2.domain.example: uucp2.host.example + .... + + Then you can use a router like this: + +==> uucp_router: + driver = accept + domains = lsearch;/etc/uucp/domains + transport = uucp_transport + + and a transport like this: + +==> uucp_transport: + driver = pipe + user = nobody + command = /usr/local/bin/uux - -r $domain_data!rmail $local_part + return_fail_output + + The \$domain_data$\ variable retains the value that is looked up when + the \domains\ option in the router is matched. + + +Q1502: How can I get Exim to handle ``bang path'' addresses? + +A1502: In general, you can't (Exim is an Internet mailer and recognizes only + RFC 2822 domain-style addresses) but some restricted kinds of bang path + can be dealt with by appropriate rewriting - but please note the warning + below. 
+ + Exim treats a bang path address as an unqualified local part, and so + will qualify it with your domain. A rule such as + +==> \N^([^!]+)!(.+)@your\.domain$\N $2@$1 + + turns \(a!b@your.domain)\ into \(b@a)\. You can also use a repeating rule to + turn multi-component paths into the ``percent hack'' notation with a rule + such as + +==> \N^([^!]+)!([^@%]+)(.+)$\N $2%$1$3 R + + which turns \(a!b@c)\ into \(b%a@c)\ and \(a!b!c@d)\ first into \(b!c%a@d)\ and then, + because of the R flag, into \(c%b%a@d)\. The R flag causes repetition up to + 10 times. + + \**Warning:**\ If you install a general rewriting rule like the above, you are + opening yourself up to the possibility of unwanted relaying. A host that + is not permitted to relay through your system could send a message with + an SMTP command line such as + +==> RCPT TO: + + and this would be accepted because it is addressed to your domain. + However, the rewriting then converts the address, and the message does + in fact get relayed. One way round this, if all your bang path messages + are passed to Exim via SMTP, is to use the \"S"\ rewriting flag. This + applies a rewriting rule to incoming SMTP addresses as soon as they are + received, before checking for qualification, relaying, etc. So a rule + such as + +==> \N^([^!]+)!(.+)$\N $2@$1 S + + rewrites simple two-component bang paths before the result is checked + for relaying. However, this does not rewrite addresses in the headers of + the message. + + +Q1503: We see something strange on our system in regards to mail coming in via + rmail from a UUCP link. The sender is being set to mailmaster instead of + the real sender, and a ::Sender:: header is being added to the message. + +A1503: If \(mailmaster)\ is the user that is running rmail, you need to include + that user in the \trusted_users\ configuration option. Only trusted users + are permitted to specify senders when mail is passed to Exim via the + command line. + + + +16. 
MODIFYING MESSAGE BODIES + +Q1601: How can I add a disclaimer or an advertisement to a message? + +A1601: There are a number of technical and potential legal problems that arise + in connection with message modification. Some of them are listed below. + Some comment on the legal position of email disclaimers in English law + can be found at \?http://www.weblaw.co.uk/artemail.htm?\. + + See also \?http://www.goldmark.org/jeff/stupid-disclaimers/?\. There is + some discussion about the problems of actually adding disclaimers in + \?http://www.goldmark.org/jeff/stupid-disclaimers/apply.html?\. + + In many cases, email disclaimers will make your company look ridiculous, + at the very least. At worst, they may interfere with the normal + processing of mail. + + If, despite these considerations, you still want to modify messages, you + can do so using Exim, but not directly in Exim itself. It is not the job + of an MTA to modify messages, something that requires understanding of + their content and format. + + Exim provides a hook called a ``transport filter'' that lets you pass + any outgoing message through a program or script of your choice. It + is the job of this script to make any changes to the message that you + require. By this means, you have full control over what changes are + made, and Exim does not need to know anything about message bodies. + However, using a transport filter requires additional resources, and may + slow down mail delivery. + + You can use Exim's routers to arrange for those messages that you want + to modify to be delivered via a transport filter. For example, suppose + you want to do this for messages from addresses in your domain that are + being delivered to a remote host. 
First you need to set up a special + \%smtp%\ transport that uses a filter, like this: + +==> remote_smtp_filter: + driver = smtp + transport_filter = /your/filter/command + + Then you need to modify the \%dnslookup%\ router to use this transport + when the conditions are right: + +==> dnslookup: + driver = dnslookup + domains = ! +local_domains + transport = ${if eq {$sender_address_domain}{your.domain}\ + {remote_smtp_filter}{remote_smtp}} + ignore_target_hosts = 127.0.0.0/8 + no_more + + This is the standard \%dnslookup%\ router, but with a modified setting of + the \transport\ option. When the sender address is in your domain, it + routes to the special transport instead of the standard one. + + The entire message is passed to your filter command on its standard + input. It must write the modified version to the standard output, taking + care not to break the RFC 2822 syntax. The command is run as the Exim + user. + + There are a number of potential problems in doing this kind of + modification in an MTA. Many people believe that to attempt is it wrong, + because: + + 1. It breaks digital signatures, which are becoming legally binding + in some countries. It may well also break encryption. + + 2. It is likely to break MIME encoding, that is, it is likely to wreck + attachments, unless great care is taken. And what about the case of a + message containing only binary MIME parts? + + 3. It is illegal under German and Dutch law to change the body of + a mail message in transit. It might potentially be illegal in + the UK under European law. This consideration applies to ISPs and + other ``common carriers''. It would presumably not apply in a corporate + environment where modification was done only to messages originating + from the employees, before they left the company's network. It might + also not apply if the senders have explicitly given their consent + (e.g. agreed to have advertisements added to their incoming mail). + + 4. 
Since the delivered message body was produced by the MTA (not the + originator, because it was modified), the MTA operator could + potentially be sued for any content. This again applies to `common + carrier' MTAs. It's interesting that adding a disclaimer of liability + could be making you liable for the message, but this case seems + more likely to involve adding advertisements than disclaimers. After + all, no postal service in the world opens all the mail it carries to + add disclaimers. + + 5. Some mail clients (old versions of MS outlook) crash if the message + body of an incoming MIME message has been tampered with. + + There are also potential problems that could arise if a scheme to add + disclaimers goes wrong for some messages: + + 1. False negatives: `Ah, this guy usually says he does not represent + their views, but in this message he doesn't have the disclaimer'. + + 2. False positives: `This official announcement does not represent our + views, oh no'. + + An alternative approach to the disclaimer problem would be to insist + that all relevant messages have the disclaimer appended by the MUA. The + MTA should refuse to accept any that do not. Again, however, the MTA + must understand the format of messages in order to do this. Simply + checking for appropriate wording at the end of the body is not good + enough. It would probably be necessary to run a Perl script from within + an Exim system filter, or write a \^^local_scan()^^\ function in order + to adopt this approach. + + Finally, it's a trivial matter to add customized headers of the sort: + +==> X-Disclaimer: This is a standard disclaimer that says that the views + X-Disclaimer: contained within this message are somebody else's. + + which is a much easier alternative to modifying message bodies. + + +Q1602: How can I remove attachments from messages? + +A1602: The answer to this is essentially the same as for Q1601. + + + +17. 
ENCRYPTION (TLS/SSL) + +Q1701: I am trying to set up an Exim server that uses a self-signed certificate + to enable my clients to use TLS. However, clients other than Exim + refuse to accept this certificate. What's wrong? + +A1701: It seems that some clients require that the certificate presented by + the server be a user (also called ``leaf'' or ``site'') certificate, and not + a self-signed certificate. In this situation, the self-signed + certificate must be installed on the client as a trusted root + \*certification authority*\ (CA), and the certificate used by the server + must be a user certificate signed with that self-signed certificate. + + For information on creating self-signed CA certificates and using them + to sign user certificates, see the \*General implementation overview*\ + chapter of the Open-source PKI book, available online at + \?http://ospkibook.sourceforge.net/?\. Here is a quick overview. First, + read this message: + + \?http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com?\ + + Then, follow the instructions found on these two (consecutive) pages: + + \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm?\ + \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm?\ + + Two points on the PKI Book literature: + + (1) It's assumed that it's okay to use a passphrase-protected key to + encrypt the user/site/leaf certificate. If this isn't acceptable, + you seem to be able to strip out the passphrase as follows: + +==> openssl rsa -in user.key -our user.key.new + mv user.key.new + + This should be done immediately after \(user.key)\ is created. + + (2) The \*sign.sh*\ script is available in the \*mod_ssl*\ distribution, + available at \?http://www.modssl.org/source/?\. + + Having followed the instructions, you end up with the following files: + + (a) \(ca.crt)\ + + This file should be installed into the client software as a trusted + root certification authority. 
In Windows XP, this can be done as follows: + + \#\#Call the file \(ca_cert.cer)\ + [[br]] + \#\#Double-click on the file + [[br]] + \#\#"Install Certificate"; + [[br]] + \#\#"Next" + [[br]] + \#\#"Place all certificates in the following store" + [[br]] + \#\#"Browse..." + [[br]] + \#\#"Trusted Root Certification Authorities" + [[br]] + \#\#"OK" + [[br]] + \#\#"Next" + [[br]] + \#\#"Finish" + [[br]] + \#\#"Yes" + [[br]] + \#\#"OK" + + (b) \(user.crt)\ and \(user.key)\ + + These files should be installed into the server software. In Exim, this + can be done by adding these lines to the configuration file: + +==> tls_certificate = /usr/local/etc/exim/tls_cert + tls_privatekey = /usr/local/etc/exim/tls_key + + Then install \(user.crt)\ and \(user.key)\ under the names \(tls_cert)\ + and \(tls_key)\ in the appropriate directory. + + +Q1702: How can I arrange for Exim to advertise support for SMTP authentication + only when the session is encrypted? + +A1702: Use this setting: + +==> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}} + + +Q1703: I have some legacy clients that don't use STARTTLS, but which expect to + negotiate a TLS session automatically on connection to the ssmtp port + (465). Can Exim handle this? + +A1703: The \-tls-on-connect-\ option is available to handle this. You need to + run two instances of an Exim listener, listening on different ports, one + of which is started with \-tls-on-connect-\. You can either use two + daemons, or a single daemon, with the other listenever using \^inetd^\. + For example, here are commands to start two daemons: + +==> exim -bd -q15m + exim -bd -oX '[0.0.0.0]::465' -tls-on-connect + + The first is a ``normal'' daemon; the second listens on port 465 and + expects to negotiate a TLS session at the start of each connection. + + +Q1704: When my Outlook Express 6.0 client sends a STARTTLS command to begin a + TLS session, Exim doesn't seem to receive it. + +A1704: See Q0059. 
+ + +Q1705: I have listed some hosts in \tls_try_verify_hosts\, but when they + connect, no data appears in \$tls_peerdn$\. + +A1705: This means that the clients have not sent certificates when asked by + the server to do so. If the clients are running Exim, check that + \tls_certificate\ is correctly set in their \%smtp%\ transports. Note + that this value is not automatically inherited from the global + \tls_certificate\ option. + + +Q1706: I have listed some hosts in \tls_verify_hosts\ and provided them with + certificates, but their connections are always rejected. + +A1706: Make sure that the server file containing the expected certificates + (defined by \tls_verify_certificates\) is readable by the Exim user. + See also the answer to Q1705. + + +Q1707: I am trying to use TLS with Evolution as a client, and keep seeing this + error: \*SMTP protocol violation: synchronization error (next input + sent too soon): rejected "\200F^A^C".*\ What does it mean? + +A1707: See Q0086 for a general explanation of the error. In this case, it + probably means that Evolution is trying to negotiate a TLS session + immediately it connects, without first using the STARTTLS command. This + was an older way of starting up TLS, before STARTTLS was defined. You + will have to run a separate instance of Exim using the + \-tls-on-connect-\ command line option to cater for this usage, and + listening on a different port. For example: + +==> exim -bd -oX 465 -tls-on-connect + + 465 is the ``smtps'' port which is an unofficial standard for this kind + of SMTP server. + + +Q1708: I trying to use TLS with Outlook as a client on a box that is running + Norton Antivirus, but all my email is being rejected with \*Unsupported + command*\ errors. Why? + +A1708: Norton Antivirus does not support TLS or AUTH. It puts a broken SMTP + proxy between you and the Exim server. You need to turn off outbound + scanning of email. + + + +20. MILLENNIUM + +Q2000: Are there any Y2K issues with Exim? 
+ +A2000: The author of Exim believes that it is Y2K-compliant, as long as the + underlying operating system and C library are. Exim does not parse dates + or times at all. Internally, it makes some use of binary timestamps in + Unix format (number of seconds since 1-Jan-1970) and uses C library + services to convert these to printing forms (e.g. for logging). The + printing forms all use 4-digit years. Some people have tried various + tests. No problems have been reported, but details of what tests have + been done are not available. + + Well, it's now November 2001, and no Y2K problems have been reported, so + it looks like I was right. This entry is retained as historical + nostalgia. + + + +50. MISCELLANEOUS + +Q5001: How can I arrange to allow a limited set of users to perform a limited + set of Exim administration functions? I don't want to put them all in + the //exim// group. + +A5001: See \?http://www.chiark.greenend.org.uk/~ian/userv/?\. Using \^userv^\ you can + arrange (for example) for certain users to be able to invoke \^mailq^\ or + \^runq^\ or other preset commands as \^exim^\ (or any other user, as configured) + with only \^userv^\ configuration. If you want to check the particular Exim + options available you can easily do it with shell or Perl scripts and + \^userv^\ configuration, and provided you know how to do argument + ``unparsing'' properly in shell or Perl it will be secure. + + +Q5002: I want to ``tail'' the Exim log, but I have a number of other logs I also + want to ``tail'', and the number of tailing windows is getting to be a + nuisance. + +A5002: Look for a program called \^xtail^\ (despite its name, it's not an + X-windows application). It allows you to do multiple tails, even of + entire directories. + + Alternately, get the GNU version of \^tail^\, from the GNU textutils + package (\?ftp://ftp.gnu.org/gnu/textutils/?\). 
GNU tail lets you run + \"tail -f\" on multiple files at the same time, although it doesn't work + on entire directories like \^xtail^\ can. If you are running Linux, you + probably already have a version of GNU \^tail^\ that can follow multiple + files. + + +Q5003: How can I persuade Exim to accept ETRN commands without the leading + # character? + +A5003: Set the option + +==> smtp_etrn_command = /usr/lib/sendmail -R $domain + + This causes Exim to run that command, with \$domain$\ replaced by the + argument of ETRN. The default action of Exim is to require the # sign + in order to be RFC-compliant, and to run the equivalent of + +==> smtp_etrn_command = /usr/lib/sendmail -R ${substr_1:$domain} + + which uses the argument without the leading # as the value for the \-R-\ + option. You aren't restricted to running Exim with the \-R-\ option, of + course. You can specify any command you like, with any number of + arguments. In particular, you can pass over the IP address of the caller + via \$sender_host_address$\. However, if you make use of expansion strings + in the arguments, each one must be entirely contained in a single + argument. For example, if you want to remove the first character of the + ETRN argument when it is @ or #, you could use + +==> smtp_etrn_command = "/usr/lib/sendmail -R \ + \"${if match {$domain}{^[@#]}{${substr_1:$domain}}{$domain}}\"" + + The internal quotes are necessary because of the white space inside the + expansion string. + + +Q5004: I've recently noticed that emails I send with a ::Bcc:: line are being + delivered to their final destination with the ::Bcc:: line still present. + +A5004: Exim removes ::Bcc:: lines only if you call it with the \-t-\ option (i.e. + when it is acting partly as an MUA). It does not remove ::Bcc:: lines that + are present in incoming SMTP mail or command-line mail that does not + use \-t-\. Indeed, it should not remove them, because only the + initiating software (i.e. 
the MUA) can tell what to do with ::Bcc:: + lines; any MTA software has to leave them alone. This is what RFC 2822 + has to say about ::Bcc:: + + \*The ::Bcc:: field (where the ``Bcc'' means ``Blind Carbon Copy'') contains + addresses of recipients of the message whose addresses are not to be + revealed to other recipients of the message. There are three ways in + which the ::Bcc:: field is used. In the first case, when a message + containing a ::Bcc:: field is prepared to be sent, the ::Bcc:: line is + removed even though all of the recipients (including those specified + in the ::Bcc:: field) are sent a copy of the message. In the second + case, recipients specified in the ::To:: and ::Cc:: lines each are sent + a copy of the message with the ::Bcc:: line removed as above, but the + recipients on the ::Bcc:: line get a separate copy of the message + containing a ::Bcc:: line. (When there are multiple recipient + addresses in the ::Bcc:: field, some implementations actually send a + separate copy of the message to each recipient with a ::Bcc:: + containing only the address of that particular recipient.) Finally, + since a ::Bcc:: field may contain no addresses, a ::Bcc:: field can be + sent without any addresses indicating to the recipients that blind + copies were sent to someone. Which method to use with ::Bcc:: fields + is implementation dependent, but refer to the ``Security + Considerations'' section of this document for a discussion of each.*\ + + +Q5005: I used \^gv^\ 3.5.8 (\^ghostview^\) to try printing \(spec.ps)\. After every + printed page, the printer ejects a blank sheet. Is this something to do + with using ``letter'' rather than A4 paper? + +A5005: This seems to be an effect of using \^ghostview^\. Although the PostScript + is generated for A4 pages, the size of the page images is such that they + should fit on a letter page (they are shorter than would normally be + used on A4 paper). 
If the PostScript file is sent directly to a + PostScript printer, there is no problem. An alternative is to get hold + of the \^psutils^\ toolset, which is available from + \?ftp://ftp.dcs.ed.ac.uk/pub/psutils/psutils.tar.gz?\. + It contains utilities for extracting pages (which can be useful for + double-sided printing) and for resizing pages. If you resize from A4 to + letter the text shrinks a bit, but should then be printable via + \^ghostview^\. + + +Q5006: Why aren't there any man pages for Exim? I don't always carry my printed + documentation. + +A5006: A single man page which lists the command line options is provided in + file \(doc/exim.8)\ in the Exim distribution. Several other forms of + online documentation are available. As well as plain ASCII text, the + there are two forms - Texinfo and HTML - which have a certain amount of + built-in indexing for ease of finding your way around. There are no man + pages apart from the command line one because the author of Exim hasn't + the time (or desire :-) to maintain yet another documentation format. + Besides, it is hard to know how to split the Exim manual up. + + +Q5007: When I send a message using the \-t-\ command line option, Exim sends only + to the addresses within the message, not to those on the command line. + +A5007: There seems to be some confusion in the Sendmail community about the + interpretation of recipient addresses on the command line if the \-t-\ + option is used. Some versions do one thing, and some another. Here is an + except from one version of the Sendmail documentation for \-t-\: + + \*Read message for recipients. ::To::, ::Cc::, and ::Bcc:: lines will + be scanned for recipient addresses. The ::Bcc:: line will be + deleted before transmission. 
Any addresses in the argument + list will be suppressed, that is, they will not receive + copies even if listed in the message header.*\ + + By default Exim follows this specification, and interprets addresses on + the command line as addresses not to send to. You can set + +==> extract_addresses_remove_arguments = false + + to change this behaviour so that command line addresses are added to the + addresses that are taken from the header lines. + + +Q5008: If I set up a domain list to contain //*customer.com//, it matches + //customer.com// and //abc.customer.com// as required, but it also matches + //noncustomer.com//, which is wrong. How can I get round this? + +A5008: You have to specify two entries in the list: + +==> customer.com : *.customer.com + + because * in a domain list matches any characters, including \"."\ and + including a null sequence. + + +Q5009: I want to match all domains of the form //*.oyoy.org// but want a few + exceptions. For instance I don't want //foo.oyoy.org// or //bar.oyoy.org// to be + included. What is the best way to do this? + +A5009: Use negative items in the domain list, like this: + +==> domainlist local_domains = !foo.oyoy.org : !bar.oyoy.org : *.oyoy.org + + If there are many exceptions, you can use a lookup instead of listing + them all inline. If there are a number of exceptions that match a + particular pattern, you could use a regular expression. + + +Q5010: I can't seem to find a pre-built version of Exim anywhere. The machine + is a Sparc 5 running Solaris 2.6. + +A5010: The primary distribution is source-only. However, some people have built + and distributed RPMs and debs for Linux systems, and ports for FreeBSD. + I haven't heard of anyone doing this for Solaris. The main problem with + binary distributions is that there are a number of build-time options, + requiring the answers to questions like: + + . Which DBM library do you have? (On Solaris probably ndbm, but no easy + default on some other systems.) + + . 
Which uid/gid do you want to use for Exim? + + . Where do you want the configuration file to be? (Many different + answers, even on the same OS, depending on local policy.) + + . Ditto for the binaries. + + . Which optional bits of Exim do you want to include? + + +Q5011: Is there a version of Exim available that runs under Windows? + +A5011: A long time ago somebody took a copy of the Exim source with the aim of + trying to port it to Windows NT. However, I never heard anything more. + However, current versions of Exim can be made to run under Cygwin. + + +Q5012: Does Exim support Delivery Status Notification (DSN), Message Status + Notification (MSN), or any other form of delivery acknowledgement? + +A5012: See Q0607. + + +Q5013: What does ``Exim'' stand for? + +A5013: Originally, it was ``EXperimental Internet Mailer'', which was the best I + could come up with when I was starting out. At that point it was + experimental - I wanted to see if the ideas I had for extending Smail's + approach actually worked. Then somebody discovered about it and wanted + to start using it, and told other people about it... + + +Q5014: Although I haven't set \check_spool_space\, Exim is still checking the + amount of space on the spool for incoming SMTP messages that use the + SIZE option. Can I suppress this? + +A5014: The RFC for the SIZE option says: + + \*If the server currently lacks sufficient resources to accept a + message of the indicated size, but may be able to accept the + message at a later time, it responds with code ``452 + insufficient system storage''.*\ + + and that is what Exim is trying to implement. This is entirely + independent from \check_spool_space\, which says \*don't accept any mail + if there is less than so much space in the spool partition*\, though the + code is optimised to do both checks at the same time if required. + However, you can suppress the SIZE check if you want to, by unsetting + \smtp_check_spool_space\. 
+ + +Q5015: I just noticed log entries that start off \"<= <>"\. Am I correct in + assuming that the \"<>"\ indicates that the envelope did not contain any + ``From'' data? + +A5015: Yes. This indicates a delivery failure report (aka a ``bounce message''), + as specified in RFC 2821. The reason for using empty sender addresses is + to identify bounce messages so that they themselves do not cause further + bounces. Empty senders are also used for other kinds of report which + should not themselves cause the generation of bounce messages. For + example, Exim uses them when sending out warnings about delivery delays. + + +Q5016: I've received a message which does not have my address in the ::To:: + line. It is a spam message with the same address in both the ::From:: and + the ::To:: headers. How can this happen, and why doesn't Exim reject it? + +A5016: There is an important distinction between the ``envelope'' from and to and + the ``header'' from and to. The former are sometimes called the ``sender'' + and ``recipient''. An email message needs an ``envelope'' for the same + reason that paper mail does - the envelope tells the delivery mechanism + what to do with this copy of the message, whereas the ::To:: header lists + all the recipients, including those who have been sent different copies + of the message because their mailbox is on some other host. + + An MTA such as Exim works entirely with the ``envelope'' addresses, not + with those in the header lines. Don't try to block mail where envelope + from and the header from differ. There are common legitimate cases where + this happens, for example, messages forwarded from mailing lists and + delivery failure reports. + + +Q5017: Can (or will) Exim ever handle a message delivery purely in memory, + that is, it is handled without it ever hitting the disk? + +A5017: It doesn't, and never will. 
Accepting and delivering a message are two + entirely separate, independent processes, which communicate only by + writing/reading the message on the disk. + + +Q5018: If I am using dbm files for data that Exim reads, can I rebuild them + on the fly, or do I need to restart Exim every time I make a change? + +A5018: Exim re-reads the file every time it consults it, so if you are using a + cdb or a DBM library that uses just a single file (i.e. not ndbm), + you can just build the new file with a temporary file name, and use + \^mv^\ to rename it into the correct place on the fly. If there are two + files to rename, there is a window of time during which the DBM database + is inconsistent. On lightly loaded systems this may not matter. + + +Q5019: I need an option that is the opposite of \-bpa-\, that is, a listing of + those addresses generated from a top-level address that have not yet + been delivered. + +A5019: Exim does not keep this information. It saves only the top-level + addresses and the list of addresses that are finished with. At each + delivery attempt, generated addresses are recomputed from scratch. This + makes it possible to correct errors in redirection data that is + causing delivery delays. However, there is an option you can set on a + \redirect\ router that changes things. It is called \one_time\, and if + it is set, the list of generated addresses gets added to the top-level + list at the first delivery attempt, and is never regenerated. Because + top-level address lists must be real email addresses, this option cannot + be used if any of the generated addresses are pipes, files, or + autoreplies. + + +Q5020: How can I make Exim receive incoming mail, queue it, but not attempt to + deliver it? I want to be in this state while moving some mailboxes. + +A5020: Set \queue_only\ in the Exim configuration. Then kill your daemon, + and restart it without the \-q-\ option (i.e. 
with just the \-bd-\ option), + so that it does not spawn any queue runners. This stops all deliveries, + remote as well as local. + + +Q5021: What does Exim use for POP and IMAP as a default? Do I have to install + anything else? + +A5021: Yes. Exim provides MTA functionality. That is, it delivers mail. POP and + IMAP are two of several ways of reading previously-delivered mail. Exim + does not provide that functionality. You need to install POP and/or IMAP + daemons; there are several to choose from. There is a mailing list at + //pop-imap@exim.org// for the discussion of POP/IMAP issues. + + +Q5022: Is there an easy way of removing all queued messages at once in a safe + way? + +A5022: Try this command: + +==> exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh + + +Q5023: Why does Exim do \*ident*\ callbacks by default? Isn't this just a waste + of resources? I've been told this is an ancient way of authentication. + Is it obsolete? + +A5023: This is a common misunderstanding, at least partially resulting from the + incorrect naming of the protocol when it was first published. + The service on port 113 is an identification service, which allows a + target host to record information identifying the user responsible for + making a connection to it. The information may not be intelligible to + the recording host - it could, for example, be encrypted so that only + someone on the calling host can make sense of it. It is useful for + providing additional information in an audit trail. + + At least one site has found \^ident^\ effective against two rather + prevalent kinds of open proxy (whether already blacklisted at the RBLs + or not). An ACL statement is used to reject mail from servers that + return \^ident^\ strings of \"squid"\ and \"CacheFlow Server"\. 
+ Snippets such as this in the RCPT ACL do the trick: + +==> deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}} + message = Rejected - appears to be an unsecured proxy: $sender_ident + + The likelihood that a genuine mail process would return those specific + ident strings is vanishingly small. + + The \^ident^\ data should not be used for authentication in any form + except on a closed secure network between cooperating hosts (probably + not even then). The information from the source host is only as reliable + as the host itself. If it's not under your control then you have to + treat the information as opaque data that can be used only by the + sysadmin of the source system to trace back connection data. Some + \^ident^\ implementations send out opaque cookies or DES encrypted + information. \^Ident^\ is hugely useful at times - especially for + checking back on connections from multiuser machines (as opposed to + one-person desktop boxes). + + You can stop Exim making ident calls by adding + +==> rfc1413_query_timeout = 0s + + to its configuration, but it is better to leave it active (reducing the + timeout to 10s or less if it is causing problems) - it costs very + little, and in cases of mail forgery from a multiuser system can track + the sinner concerned very quickly. + + +Q5024: I often have the problem that a message gets stuck in the mail queue and + I want it to be bounced to a certain address. + +A5024: You can do this using a combination of four command line options, like + this: + +==> exim -Mf 14Fdlq-0003kM-00 + exim -Mmad 14Fdlq-0003kM-00 + exim -Mar 14Fdlq-0003kM-00 new@ddress + exim -M 14Fdlq-0003kM-00 + + The first command freezes the message so that a queue runner won't start + to deliver it while you are changing things. The second command marks + all existing recipients as delivered. 
The third command adds a new + recipient, and the fourth command forces a delivery of the message, + which will cause it to be delivered to the new address, and then + deleted. + + +Q5025: What precautions should I take when editing Exim's run time + configuration file? + +A5025: Edit the file and save the result in a new file. Test the syntax of + the new file by running a command like this: + +==> exim -bV -C exim.conf.new + + That will check for syntax errors without disturbing your running + configuration. If you are paranoid enough, run, as \/root/\, + +==> exim -C exim.conf.new + + . + + and see if it delivers it. Carry on testing until happy. When happy, + +==> mv exim.conf.new exim.conf + kill -HUP `cat /var/spool/exim/exim-daemon.pid` + + Then check the Exim log to be sure the daemon restarted OK. Watch the + log for a bit to see that mail is flowing. + + +Q5026: Is exim able to use RFC 2645, \*On-demand Mail Relay*\ (ODMR)? + +A5026: No. + + +Q5027: Is there any way I can send bounces to the postmaster, and nobody else? + Basically, I want to receive them, and I don't want the reply/from + person to get them. If I think they need it I will forward it myself. + +A5027: Put \"errors_to=postmaster"\ on every router. + + +Q5028: When I HUP the Exim daemon, the name shown in the process table changes + from \(/usr/lib/sendmail)\ (which is a symlink) to the real binary name. + Can I change this? + +A5028: Add this to your Exim configuration: + +==> exim_path = /usr/lib/sendmail + + +Q5029: A message with a recipient address that contains a non-printing character + is stuck on my mail queue. How can I remove this address? + +A5029: You can use the \-Mmd-\ command line option to mark a recipient address + ``delivered'', which effectively removes it. If you are using the Bash + shell, you can enter non-printing characters using an escape sequence. 
+ For example: + +==> exim -Mmd 15HKvU-00013Q-00 $'\240'abc@x.y.z + + In this example, the first character of the local part has a code value + of 240. If you are using a shell that does not support this, create the + command in a file and run it as a shell script. + + +Q5030: I am using exim in a two queues scenario, with two different + configuration files. How can I run a second copy of \^eximon^\ to + inspect and modify the alternate queue? + +A5030: Use these commands (or put them in a script): + +==> EXIMON_EXIM_CONFIG=/your/path/exim/configure.alternate + export EXIMON_EXIM_CONFIG + /your/path/exim/bin/eximon + + +Q5031: Why is there no sender address on bounce messages? It shows up as "<>". + +A5031: See the answer to Q0042. + + +Q5032: Are there any Exim web-based administration scripts? + +A5032: No (as far as is known). It seems likely that producing one that is + generic enough would be a difficult task. + + +Q5033: How can I send a copy of all outgoing messages to another mailbox? + +A5033: The most straightforward way is to set up a system filter, and include + a command such as: + +==> unseen deliver mailbox@whatever.domain + + This sends a copy of every message to //mailbox@whatever.domain// + (unless the message already has that recipient - Exim never does + duplicate deliveries). + + To save only ``outgoing'' messages, you need to come up with a + definition of what ``outgoing'' means. Typically, this might be a check + on the sender address and/or on the originating host. Here is an + example: + +==> if $sender_address_domain is mydomain.com and + ${mask:$sender_host_address/24} is 192.168.324.0/24 + then + unseen deliver mailbox@whatever.domain + endif + + +Q5034: Is there any way to make the \queue_only\ option conditional? I would + like the ability to queue messages from external sources while deliver + locally generated email as normal. + +A5034: There is no direct way of doing this. However, you can achieve the + effect. 
In one of your ACLs that checks incoming mail from external + sources, put + +==> warn control = queue_only + + You can add other conditions as well, of course. + + + +91. MAC OS X + +Q9101: How can I install Exim on Mac OS X? + +A9101: (1) There is useful advice on this web page: + \?http://www.afp548.com/Articles/Jaguar/exim410.html?\. + + (2) There is a package installer available at this URL: + \?ftp://members.aol.com/AFP548dotcom/EximInstaller.sit?\. + + (3) There is another package installer for the combination of MySQL, + Exim, Exiscan, CourierIMAP, and SpamAssassin at this URL: + \?http://maxo.captainnet.net/installs/mail-install.html?\. + + + +92. FREEBSD + +Q9201: On FreeBSD, \(/usr/sbin/sendmail)\ is a symbolic link to + \(/usr/sbin/mailwrapper)\; it doesn't contain the Sendmail binary. How + should I replace Sendmail with Exim on FreeBSD? + +A9201: There is a file called \(/etc/mail/mailer.conf)\ which selects what to + run for various MTA calls. Instead of changing \(/usr/sbin/sendmail)\, + you should edit this file instead, to read something like this: + +==> sendmail /usr/exim/bin/exim + send-mail /usr/exim/bin/exim + mailq /usr/exim/bin/exim -bp + newaliases /usr/bin/true + + You probably also need to edit \(/etc/periodic.conf)\; see Q9202. + + +Q9202: A script that FreeBSD runs nightly uses \^mailq^\ with the \-Ac-\ + parameter. Why doesn't Exim recognize this? + +A9202: \-Ac-\ is a Sendmail option that requests that mailq ``Show the mail + submission queue specified in \(/etc/mail/submit.cf)\ instead of the + MTA queue specified in \(/etc/mail/sendmail.cf)\''. Exim doesn't have + the concept of a ``submission queue''. You can disable this feature + of the nightly script by adding the line + +==> daily_status_include_submit_mailq="NO" # No separate 'submit' queue + + to the file \(/etc/periodic.conf)\. + + +Q9203: How can I use Exim for authenticated SMTP using Cyrus on FreeBSD? 
+ +A9203: This web page may help: \?http://www.munk.nu/exim/exim-freebsd-asmtp.php?\. + + + +93. HP-UX + +Q9301: I'm trying to compile on an HP machine and I don't have \^gcc^\ there. So I + put \"CC=cc"\ in the \(Local/Makefile)\, but I got this error: + +==> (Bundled) cc: "buildconfig.c", line 54: error 1705: Function prototypes + are an ANSI feature. + +A9301: The bundled compiler is not an ANSI C compiler. You either have to get a + copy of \^gcc^\ from the HPUX Software Porting Archives or buy the ANSI cc + from HP. The advice given by one user of HP systems on the Exim + mailing list was as follows: + + \*Personally, I wouldn't use anything but the ANSI C compiler. gcc + works for compilation, but it doesn't know squat about PA-RISC chips + past the 1.0 rev. Since then, HP has come out with PA-RISC 1.1, 2.0, + and 2.1, each with better features. gcc will compile for them, but it + doesn't produce anywhere near the optimization that HP's compiler + does.*\ + + \*I took the gcc road when we moved from FreeBSD to HP-UX because I was + familiar with it. After 6 months, I had to go and re-port everything + over when we realized that gcc wasn't going to do it for us long-term. + If I could give advice to any new HP-UX admin: don't use gcc if you + can afford the ANSI C compiler. Based on the cost of even the lowest + HP workstation, that usually isn't a problem.*\ + + + +94. BSDI + +Q9401: On BSDI 4.0, Exim built with Perl support exits with the error message + +==> ./exim: can't load library 'libperl.so' + +A9401: You probably compiled perl5 yourself, without looking into + +==> /usr/src/contrib/perl5/perl5.004_02/hints/bsdos.sh + + first. The problem is that the command + +==> perl5 -MExtUtils::Embed -e ldopts + + doesn't give you sufficient flags to link something with libperl. + Since 5.004_02 the \(hints/bsdos.sh)\ file has changed to adapt to the + changes between BSDI 3.1 and 4.0, but it is still not entirely right. 
+ + The solution is, when you compile perl, change the \ccdlflags\ + variable in config.sh to: + +==> -rdynamic -Wl,-rpath,/usr/local/lib/perl5/5.00502/i386-bsdos/CORE + + (or something similar). Alternatively, you can run \(./Configure)\ and + answering the question \*Any special flags to pass to cc to use dynamic + loading?*\ with the above line. It is not known what \-rdynamic-\ means + (it's not apparently documented in any man page), but that's what BSDI + guys did to compile perl5 which comes with BSDI 4.0 distribution. + + + +95. IRIX + +Q9501: The IP addresses for incoming calls are all being given as + 255.255.255.255 or 0.0.0.0. + +A9501: This problem should no longer occur because a workaround has been + installed in Exim. + + + +96. LINUX + +Q9601: Exim is mysteriously crashing, usually when forking to send a delivery + error message. + +A9601: This has been seen in cases where Exim has been incorrectly built with + a muddled combination of an \(ndbm.h)\ include file and a non-matching + DBM library. + + Faults like this have also been seen on systems with faulty motherboards. + You could try to compile the Linux kernel 10 times - if the compile + process stops with signal 11, your hardware is to blame. + + +Q9602: I want to use \^logrotate^\ which is standard with RH5.2 Linux to rotate + my mail logs. Anyone worked out the \^logrotate^\ config file that will + do this? + +A9602: Here's one suggestion: + +==> /var/log/exim/main.log { + create 644 exim exim + rotate 4 + compress + delaycompress + } + + The sleep is added to allow things to close the log file prior to + compression. You also need similar entries for the panic log and the + reject log, of course. + + +Q9603: I'm seeing the message \*inetd[334]: imap/tcp server failing (looping), + service terminated*\ on a RedHat 5.2 system, causing \^imap^\ connections to + be refused. The \^imapd^\ in use is Washington Univers 12.250. Could this + be anything to do with Exim? 
+ +A9603: No, it's nothing to do with Exim, but here's the answer anyway: there + is a maximum connection rate for \^inetd^\. If connections come in faster + than that, it thinks a caller is looping. The default setting on RedHat + 5.2 is 40 calls in any one minute before \^inetd^\ thinks there's a problem + and suspends further calls for 10 mins. This default setting is very + conservative. You should probably increase it by a factor of 10 or 20. + For example: + +==> imap stream tcp nowait.400 root /usr/sbin/tcpd /usr/local/etc/imapd + + The rate setting is the number following ``nowait''. This syntax seems to + be specific to the Linux version of \^inetd^\. Other operating systems + provide similar functionality, but in different ways. + + +Q9604: I get the \*too many open files*\ error especially when a lot of messages + land for Majordomo at the same time. + +A9604: The problem appears to be the number of open files the system can + handle. This is changable by using the proc filesystem. To your + \(/etc/rc.d/rc.local)\ file append something like the following: + +==> # Now System is up, Modify kernel parameters for max open etc. + +==> if [ -f /proc/sys/kernel/file-max ]; then + echo 16384 >> /proc/sys/kernel/file-max + fi + if [ -f /proc/sys/kernel/inode-max ]; then + echo 24576 >> /proc/sys/kernel/inode-max + fi + if [ -f /proc/sys/kernel/file-nr ]; then + echo 2160 >> /proc/sys/kernel/file-nr + fi + + By echoing the value you want for file-max to the file \(file-max)\ etc., + you actually change the kernel parameters. + + +Q9605: I installed debian 2.2 linux on a small 325mb 486 laptop. When I try + to test the Mail program, I get the following error: \*Failed to open + configuration file /etc/exim.conf*\. + +A9605: The Debian installation should have given you \(/usr/sbin/eximconfig)\, + which asks you some questions and then sets up the configuration file + in \(/etc/exim.conf)\. Try running that (you'll probably need \/root/\) and see + how it goes. 
In any case you get a thoroughly commented conf file at + the end, which will give you a sample from which to work if you need + further modification. + + The Exim docs in the Debian package are in \(/usr/doc/exim)\ where the full + reference manual is \(spec.txt.gz)\. + + +Q9606: I'm having trouble configuring Exim 4 on a Debian system. How does + \(/etc/exim4/conf.d)\ work? + +A9606: The Debian Exim 4 package uses a quite uncommon, but elegant, + method of configuration where the ``real'' Exim configuration file is + assembled from a tree of snippets by a script invoked just before the + daemon is started (see Q9608). + + This fits very well into the Debian system of configuration file + management and is a great ease for the automatic configuration with + Debconf. However, it is \*very*\ different from the normal way Exim 4 is + configured. Non-Debian users on the Exim mailing list will probably have + difficulty in trying to answer specific questions about it. You may have + to find a Debian expert. + + +Q9607: I'm having difficulties trying to make Exim 4 with Redhat 9 and Berkeley + DB 4. + +A9607: Have you remembered to install the db4-devel package? + + +Q9608: I'm running Exim 3 under Debian, and want to upgrade to Exim 4. How + difficult is it? + +A9608: A user who did this, using the Debian Exim 4 package, reported as + follows: + + (1) The exim4 package installs easily, and the exim (3.38) package + uninstalls at the same time. + + (2) Exim runs from \^inetd^\. Exim4 runs from \^/etc/init.d^\. \*Much*\ nicer! + + (3) The exim conffile lives in \(/etc/exim/exim.conf)\. The exim4 conffile + lives in \(/var/lib/exim4/config.autogenerated)\. It is, as the name + suggests, autogenerated. + + (4) A new directory is created called \(/etc/exim4)\. This contains the + conffiles to generate the above config. You make changes here. 
+ + (5) Once you have made changes to the files in \(/etc/exim4)\ you run the + script \^update-exim4.conf^\ which generates a replacement + \(config.autogenerated)\. + + [Added comment by the Debian maintainer, slightly edited: + You also need to tell the Exim daemon to reread the changed + configuration. You can do this using SIGHUP by hand. Alternatively, + instead of running \^update-exim4.conf^\ you can use + +==> invoke-rc.d exim4 reload + + which does the rebuild and also tells Exim to reread the changed + configuration.] + + (6) In my experience, you need to \*carefully*\ check the generated + configs. eg, it did not generate a system filter file reference in the + \(config.autogenerated)\. I didn't bother too much, since this is a home + setup. + + (7) All of this may be in the docs. I've read some of them, obviously, + but didn't come across an actual upgrade guide. + + [The Debian maintainer says: + \(/usr/share/doc/exim4-base/README.Debian.gz)\ and \^update-exim4.conf(8)^\ + should answer most of the questions.] + + (8) I've still got some minor things to tweak to get back to where I + was before with Exim 3. But overall, it's no drama. + + +Q9609: Why do some servers refuse SMTP connections from my Linux box, but accept + connections from hosts running other operating systems? + +A9609: If you are sure this isn't a policy issue (that is, your box isn't + administratively blocked for some reason), this may be because your + Linux box has ECN (Explicit Congestion Notification) enabled in its + TCP/IP stack. There are many broken firewalls that refuse connections + from ECN-enabled hosts. You can check the state of your box by running + +==> cat /proc/sys/net/ipv4/tcp_ecn + + If the value is "1", you have ECN enabled. You can turn it off by + running this command: + +==> echo "0" > /proc/sys/net/ipv4/tcp_ecn + + + +97. SUN SYSTEMS + +Q9701: Exim builds fine with \^gcc^\ on SunOS 4 but crashes inside \^^sscanf()^^\. 
+ +A9701: Make sure you are liking with the GNU \^ld^\ linker and not the system + version of \^ld^\. + + +Q9702: How can I get rid of spurious \"^M"\ characters in messages sent from + CDE \^dtmail^\? + +A9702: CDE \^dtmail^\ passes messages to Exim via the command line interface with + lines terminated by CRLF, instead of the Unix convention of just LF. As + Exim is an 8-bit clean program it treats the CR as just another data + character. Exim has a command line option called \-dropcr-\ which causes + it to ignore all CR characters in an incoming non-SMTP message. You + should configure \^dtmail^\ to add this option to the command it uses to + call Exim (using the path \(/usr/lib/sendmail)\). However, it has been + reported that it isn't possible to change this call from \^dtmail^\ by any + official means. An alternative approach is to replace \(/usr/lib/sendmail)\ + by a filtering script which removes the spurious CRs from the input + before passing it to Exim. + + +Q9703: On SunOS 4 Exim crashes when looking up domains in the DNS that have + more than 10 A records. + +A9703: There are Sun library patches to fix this. It is not Exim's problem. + For 4.13_U1 the patch is 101558-xx; for 4.1.3 the patch is 100891-xx. + From the README: \*1054748 ftp, ping dump core when connecting to a host + with multiple DNS A records.*\ An alternative is to build another + resolver library - such as the ones that are part of the \^bind^\ + distribution - and explicitly link against those. + + +Q9704: I am experiencing mailbox locking problems with Sun's \^mailtool^\ used + over a network. + +A9704: Under the \"Expert"\ settings of \^mailtool^\ is a option to turn on \*Use + network aware mail file locking*\. By default \^dtmail^\ has this set, but + \^mailtool^\ doesn't. You should set it. 
The help info on \^dtmail^\ has this + to say about it: + + \*Mailer tries to prevent two different instances of itself from opening + the same mail file at the same time through a technique that detects + this access when both instances of Mailer and the file are all on the + same machine. A network-aware mail file locking protocol is available + that uses ToolTalk to coordinate instances of Mailer running from more + than one machine, or mail files accessed over the network. Mailer can + only change this option when first opening a mail file.*\ + + If you are using the SunOS4 version of \^mailtool^\, this apparently + doesn't work. The only thing which does seem to work it getting the user + to hit the \"done"\ button to make it release the lock. + + +Q9705: Exim has been crashing on my Solaris x86 system, apparently while + running DBM functions. + +A9705: The use of \^ndbm^\ with \^gcc^\ has caused problems on x86 Solaris systems. + Try changing one or the other; using either DB with gcc, or Sun's + WS compiler with \^ndbm^\, has fixed this in the past. + + +Q9706: The \^exiwhat^\ utility isn't working for me on a Solaris 2 system. + +A9706: Have you got \(/usr/ucb)\ on your path? If so, it is probably picking up the + wrong version of the \^ps^\ command. The \^exiwhat^\ script is built on + Solaris to expect the normal Solaris version of \^ps^\. + + +Q9707: How do I stop Sun's \^dtcm^\ from hanging? + +A9707: From qmail's FAQ: \*There is a novice programming error in dtcm, known as + ``failure to close the output side of the pipe in the child.'' Sun has, + at the time of this writing, not yet provided a patch.*\ + + +Q9708: I want Exim to use only the resolver (i.e. ignore \(/etc/hosts)\), but don't + want to alter the \(nsswitch.conf)\ file in Solaris 2. 
+ +A9708: You need to rebuild Exim after fiddling with \(OS/os.h-SunOS5)\: + +==> #define gethostbyaddr res_gethostbyaddr + #define gethostbyname res_gethostbyname + #define endhostent res_endhostent + #define endnetent res_endnetent + #define gethostent res_gethostent + #define getnetbyaddr res_getnetbyaddr + #define getnetbyname res_getnetbyname + #define getnetent res_getnetent + #define sethostent res_sethostent + #define setnetent res_setnetent + + Note that \-lnsl-\ is still needed in the Makefile as it + contains code used by the NIS lookup and also the \^^inet_addr()^^\ function + that Exim uses. + + +Q9709: When I try to compile Exim 4.x on Solaris 2.5.1 I get an error along the + lines of \*no such field in struct as 'value.ui32'*\. + +A9709: Look in the Exim file \(OS/os.h-SunOS5.h)\ for the line + +==> #define LOAD_AVG_FIELD value.ui32 + + and change \"ui32"\ to \"ul"\ (that's u followed by the letter ell, not + the digit one). Solaris 2.5.1 is getting \*very*\ old now... + + + +98. CONFIGURATION COOKBOOK + +Q9801: How do I configure Exim as part of TPC (\?http://www.tpc.int?\)? + +A9801: Suppose you want to accept faxes destined for 1(801)539-*. These are + addressed to the domain //9.3.5.1.0.8.1.tpc.int//. Set up a transport to + handle the delivery: + +==> tpc: + driver = pipe + command = /usr/local/tpc/tpcmailer.pl $local_part@$domain \ + $sender_address + pipe_as_creator + + \(/usr/local/tpc/tpcmailer.pl)\ is the mail processing script that can + be obtained from the TPC distribution. Create a router to route mail + for the TPC domain to that transport. This must be placed before your + other routers: + +==> tpc_router: + driver = accept + transport = tpc + domains = *.9.3.5.1.0.8.1.tpc.int + + Of course, there are other things to do as well before your system is + a functioning TPC server. + + +Q9802: How do I configure Exim so that it sends mail to the outside world only + from a restricted list of our local users? 
+ +A9802: You will need to have a convenient way of checking the list. If it is + only a handful of users, you could just list them inline. Otherwise, you + need to put them in a file or database. Let's suppose you've just got a + list in a file. Put this as your first router: + +==> check_outgoing: + driver = redirect + domains = ! +local_domains + senders = ! : ! lsearch;/etc/permitted/senders + allow_fail + data = :fail: you are not allowed to send outside + + The senders should be listed as complete addresses, with both a local + part and a domain. For a large list, use a DBM or cdb file instead, or + a database. The first item in the \senders\ list is empty, to match the + empty sender. This is necessary because bounce messages have null + senders. + + +Q9803: A site for which I provide secondary MX is down for some time. Is there + a way to run the queue for that destination separately from the main + queue? + +A9803: No, because Exim does not have the concept of ``the queue for that + destination''. It simply has a single pool of messages awaiting delivery + (and some of them may have several destinations). The best approach to + this is to arrange for all messages for the site to be saved somewhere + other than the main spool, either on a separate dedicated MTA, or in + BSMTP files. + + +Q9804: We want to be able to temporarily lock out a user by disabling the + password and moving the home directory to another place. How can we + arrange to reject mail for users in this state? + +A9804: Change the home directory pointer in the passwd file to something + distinctive. For example, we use \(/home/CANCELLED)\ for cancelled users. 
+ Then you can pick up such users with this router, which is placed + immediately after \%system_aliases%\: + +==> cancelled_users: + driver = redirect + check_local_user + condition = ${if eq {$home}{/home/CANCELLED}{yes}{no}} + allow_fail + data = :fail: this account is cancelled + + +Q9805: How can I configure Exim so that all mails addressed to + //something@username.domain.net// get delivered to + \(/var/spool/mail/username)\? + +A9805: Assuming that you have set up //username// as a normal user, with + conventional routing for //username@domain.net// to that mailbox, all + you need to do is set up a redirection, using a router like this: + +==> user_in_domain: + driver = redirect + data = ${if match{$domain}{\N^(.*)\.domain\.net$\N}\ + {$1}fail}@domain.net + + If you set \envelope_to\ in the \%appendfile%\ transport, the original + envelope address is preserved in the message in an ::Envelope-to:: + header line. + + +Q9806: How do I get exim not to add a ::Sender:: header to locally originated + mail? + +A9806: It adds it only if the ::From:: header doesn't correspond to the user + sending the message. You can suppress this by setting + \no_local_from_check\. If your real question is \*How do I submit mail + from UUCP without it adding ::Sender::?*\, see Q1503. + + +Q9807: Is there any way to have messages sent to a specific local address + delayed by - say - 24 hours? + +A9807: Set up a router like this: + +==> delay: + driver = redirect + domains = the.domain + local_parts = thelocalpart + condition = ${if < {$message_age}{86400}{yes}{no}} + allow_defer + data = :defer: message not old enough + no_verify + + Of course, this will also have the effect of setting a retry time for + the address. You may want to set a special retry rule for it. Note the + use of \no_verify\ to ensure that this router is not used when Exim is + verifying addresses. 
+ + +Q9808: I have a mailing list exploder on one host, and three other hosts where + I want to do the actual deliveries from. How can I get Exim to split + a message into groups of recipients between the three hosts? + +A9808: Set up a router that routes all remote addresses to a specific + transport, with a list of your three hosts. For example: + +==> send_to_three: + driver = manualroute + transport = to_three_smtp + route_list = !+local_domains hostA:hostB:hostC + + The transport looks like this: + +==> to_three_smtp: + driver = smtp + hosts_randomize + + By setting \hosts_randomize\, you request that the host list be sorted + randomly each time the transport is called, in order to spread the load. + The number of times the transport is called for each message depends on + the setting of the global option \remote_max_parallel\. If it is set to + 1, the transport is called only once for each message, so only one host + is used, but different messages use different hosts because of the + randomizing. + + The \max_rcpt\ option (default 100) controls the number of addresses + sent in each copy of the message - several copies are sent over the + same connection if necessary. + + If you want individual messages to be split between the three hosts, you + must set the global option \remote_max_parallel\ to 3. This allows Exim + to run 3 separate instances of the transport at once. It will pass + one-third of all the addresses to each instance. Because the host list + is randomized, not round-robinned, there is no guarantee that a single + message will use all three hosts, but on average it should. + + +Q9809: Can I configure Exim so that my gateway host sends a copy of each + incoming message to each of two internal hosts? + +A9809: The easiest way to do this is to make use of the \unseen\ router option, + and set up two separate routers. You need to be able to identify + incoming messages somehow. 
Typically this can be done by testing the + domain of the recipient address, in which case the configuration should + contain something like this: + +==> r1: + driver = manualroute + domains = ! *.your.domain.example + route_data = * host1.your.domain.example + transport = remote_smtp + unseen + +==> r2: + driver = manualroute + domains = ! *.your.domain.example + route_data = * host2.your.domain.example + transport = remote_smtp + + The \unseen\ setting on \%r1%\ means that after it has accepted an + address, the address is also passed on to \%r2%\, and so two deliveries + occur. + + +Q9810: How can I implement ``SMTP-after-POP'' with Exim? + +A9810: See Q0706. + + +Q9811: I would like to ``tap off'' a proportion of real mail traffic from my + live mail server to use in tests of a new server. I want to preserve the + envelope contents, but to suppress any error notifications to the + original sender. + +A9811: See C046. + + +Q9812: How can I lookup data from a single file using both single IP addresses + and IP address blocks as keys? I want to set \smtp_accept_max_per_host\ + by this means, and also include a default. + +A9812: You cannot do this in a single lookup, because you need separate lookups + for individual addresses and address blocks. However, these lookups can + be nested in a single expansion string. For example, suppose you are + using an lsearch file with entries like this: + +==> 192.168.34.35: 4 + 192.168.34.0/24: 2 + *: 1 + + You can use this setting: + +==> smtp_accept_max_per_host = \ + ${lookup{$sender_host_address}lsearch{/path/to/file}\ + {$value}\ + {\ + ${lookup{${mask:$sender_host_address/24}}lsearch*{/path/to/file}}\ + }} + + Note that the first lookup does \*not*\ have an asterisk on the search + type. If you have blocks of different sizes (/24, /26, etc) you have to + configure it to do a separate lookup for each size, with just the final + one using a default. + + + +99. 
LIST OF SAMPLE CONFIGURATIONS + +As well as being hyperlinked from the HTML version of this document, each +sample configuration is also available as a file in the \(config.samples)\ +directory, which can be independently downloaded. + +Samples whose names are of the form Cnnn are Exim configurations; those with +names of the form Fnnn are filter file fragments; those with names of the form +Lnnn are sample \^^local_scan()^^\ functions, and those with names of thf form +Snnn are scripts of various kinds. There are other examples of +\^^local_scan()^^\ functions at a number of web sites (for example, +\?http://marc.merlins.org/linux/exim/sa.html?\). + +There are gaps in the C and F numbers because I have omitted the Exim 3 samples +that have not been converted for Exim 4. + +C002: ``Although exim not intended for use in UUCP environment (it doesn't + know anything about bang!path addresses), I'm successfully using it for + delivering mail to UUCP clients.'' + +C006: ``This is how I have configured a PP-inspired vacationnote, there is + (was?) such a feature in PP. The user makes a file \(tripnote)\ in his/her + home directory, the message is passed to the sender once with a short + leading text.'' + +C022: ``This is the Exim configuration file of a machine which delivers mail to + several local domains where the mail is delivered locally, several hairy + domains, handled as described below, and a half-virtual domain, which is + first processed by its special alias file, then processed as other local + domains (including the processing by the global alias file).'' + +C037: An elegant way of using ETRN, which does immediate delivery if the host + is online, but saves mail in a BSMTP file after some time on the queue. + ETRN then re-injects the mail. 
+ +C042: ``Since the Exim 4 configuration needed to get Mailman to work differs a + little bit from Exim 3 and since I still haven't seen a recipe for + Mailman with Exim 4, I'm providing my configuration (based heavily on + \?http://www.exim.org/howto/mailman.html?\).'' + +C043: ``Attached is an Exim 4 config file which is designed for an Exim server + that is put in front of an Exchange 5.5 system but which verifies the + valid addresses that are stored in Exchange via LDAP lookups against the + Exchange server.'' + +C044: ``I thought I'd submit this as an example of an authenticated mail hub + configuration. Several people have asked for it so I thought it + might be of interest.'' + +C045: ``Here it is, for Exim 4.10 and Cyrus IMAPD 2.1.5 using db3/db4-format + mailbox database. This configuration delivers the messages to Cyrus + IMAPD using LMTP over a TCP/IP socket.'' + +C046: ``Deliver a duplicate of some proportion of all messages to a special + machine specified in the file \(/MAIL_TAP_HOST)\, if it exists.'' + +C047: A sample configuration for calling Spamassassin directly from Exim. + +C049: ``I've been seeing a whole bunch of IPs that send me spam or virus mail + and HELOing as one of my own IPs, or as HELO one.of.my.own.domains (or + maybe HELO \primary_hostname\).'' + +C050: A configuration that uses the DNS to implement virtual domains. + +C051: ``I've been working quite hard to come up with a config that reasonably + matches the qmail-ldap setup, without the warts.'' + +F001: ``I thought that the rest of the list may be interested in reviewing our + filter as a starting point for their own system message filter.'' + +F002: ``... program which refused mail from unknown addresses until they mailed + me promising not to spam me ... 
since I'd already thought through how + to do it in Exim, and knew it'd be slightly easier than falling out of + bed, I went ahead and did it.'' + +F003: ``Here's four checks installed in our system wide filter that knock out + a lot of otherwise hard to detect rubbish.'' + +F004: ``This is an Exim filter snippet to change locally-generated ::Message-Id:: + and ::Resent-Message-Id:: headers to world-unique values.'' + +L001: A \^^local_scan()^^\ function for Exim that calls \^uvscan^\. + +S001: A Perl script for patching the name of the configuration file in an + Exim binary. + +S002: ``When I moved from smail to exim I built a program that took individual + config pieces, stripped all the comments, and built a config file.'' + +*** End of Exim FAQ ***
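Review bot: In A9602 the sentence "The sleep is added to allow things to close the log file prior to compression" refers to a directive that is not in the logrotate stanza as committed, which contains only create, rotate, compress and delaycompress. Either restore the missing line or reword the sentence so it describes delaycompress. Separately, "create 644 exim exim" makes the main log world-readable, and that log records sender and recipient addresses; 640 would be the safer default to document, with the same mode noted for the panic and reject logs the answer mentions.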
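Review bot: In A9604 every write in the rc.local fragment uses the append operator, as in "echo 16384 >> /proc/sys/kernel/file-max"; a plain ">" is the conventional way to set a /proc value and reads less ambiguously. Each write is also wrapped in an "if [ -f ... ]" test with no else branch, so on a kernel that does not expose these three paths the fragment changes nothing and reports nothing. The answer should name the kernel versions the paths apply to and tell the reader to read the file back to confirm the new limit.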
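Review bot: A9802 enforces the restriction through "senders = ! : ! lsearch;/etc/permitted/senders", so the decision rests entirely on the envelope sender, and the answer never says how trustworthy that value is. For mail arriving over SMTP the client supplies the envelope sender itself, and the empty-sender exemption that the text adds for bounces applies to any message with a null sender. The answer should state that this router is a policy control only when the sender is verified or bound to authentication elsewhere in the configuration, and point to where that is done.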
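Review bot: In A9809 both routers carry "domains = ! *.your.domain.example", which selects recipients outside the local domain, while the question and the surrounding text are about copying each incoming message to two internal hosts. As written the negation reads as the opposite of what the text describes; please confirm the intended sense and either drop the "!" or add a sentence explaining why incoming mail is identified by a non-matching recipient domain.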
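Review bot: The A9812 example covers IPv4 only: the sample keys are IPv4, and the fallback is fixed at "${mask:$sender_host_address/24}". IPv6 addresses contain colons, which is also the character that ends the key in the lsearch lines shown, so the answer should say how such hosts are expected to be handled, even if that is just falling through to the "*" default. It would also help to show the nested form for a second block size, since the closing paragraph says each size needs its own lookup but the expansion demonstrates only one.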
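Review bot: Several spelling and naming slips in the added text will carry into both the ASCII and HTML output: "liking" for "linking" in A9701, "changable" in A9604, "Washington Univers" in Q9603, "a option" and "does seem to work it getting" in A9704, and "names of thf form" in section 99. A9708 names the file OS/os.h-SunOS5 while A9709 names it OS/os.h-SunOS5.h, so one of the two is wrong and a reader following it will not find the file. In A9703, "4.13_U1" beside "4.1.3" looks like a dropped dot and should be checked against the Sun patch README it cites.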