X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/8e26e4bf9dacc7854f6e1036672a12bf490f626e..fc3f96af4e6c7f4ffe6612b705849d7860ab3cd0:/doc/doc-src/FAQ.src?ds=sidebyside diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src index 13254b2fb..1d43cbcd2 100644 --- a/doc/doc-src/FAQ.src +++ b/doc/doc-src/FAQ.src @@ -1,4 +1,3 @@ -## $Cambridge: exim/doc/doc-src/FAQ.src,v 1.3 2004/10/14 09:53:12 ph10 Exp $ ## ## This file is processed by Perl scripts to produce an ASCII and an HTML ## version. Lines starting with ## are omitted. The markup used with paragraphs @@ -89,7 +88,7 @@ The FAQ is divided into the following sections: 94. BSDI 95. IRIX 96. Linux - 97. Sun sytems + 97. Sun systems 98. Configuration cookbook 99. List of sample configurations @@ -371,11 +370,11 @@ A0017: \*Broken pipe*\ is the error you get on some OS when the remote host just You can test the link using pings of large packets and see what works: -==> ping -s host 2048 +==> ping -s host 2048 Try reducing the MTU on the sending host: -==> ifconfig le0 mtu 1300 +==> ifconfig le0 mtu 1300 Alternatively, you can reduce the size of the buffer Exim uses for SMTP output by putting something like @@ -467,7 +466,7 @@ A0020: These kinds of delay are usually caused by some kind of network problem ==> deny hosts = *.x.example If at all possible, you should use IP addresses instead of host - names in blocking lists in order to to avoid this problem. + names in blocking lists in order to avoid this problem. You can use the \-bh-\ option to get more information about what is happening at the start of a connection. However, note that the \-bh-\ @@ -743,7 +742,7 @@ A0036: Your configuration specifies that local mailboxes are all held in second solution is used, users can empty their mailboxes by updating them, but cannot delete them. - If your problem involves mail to \/root/\, see also Q0507. + If your problem involves mail to \/root/\, see also Q0039. Q0037: I am experiencing mailbox locking problems with Sun's \"mailtool"\ used @@ -851,7 +850,9 @@ A0044: Exim has been unable to create a file in its spool area in which to If you are running Exim with an alternate configuration file using a command such as \"exim -C altconfig..."\, remember that the use of -C - takes away Exim's root privilege. + takes away Exim's root privilege, unless \\TRUSTED_CONFIG_LIST\\ + is set in \(Local/Makefile)\ and the corresponding file contains a + prefix which matches the alternative configuration file being used. Check that you have defined the spool directory correctly by running @@ -911,7 +912,7 @@ A0047: \-bz-\ is a Sendmail option requesting it to create a `configuration free ==> /usr/lib/sendmail -bz - in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before + in some start-up script (e.g. \(/etc/init.d/mail)\) immediately before ==> /usr/lib/sendmail -bd -q15m @@ -1147,25 +1148,17 @@ Q0065: When (as \/root/\) I use -C to run Exim with an alternate configuration trying to run an \%autoreply%\ transport. Why is this? A0065: When Exim is called with -C, it passes on -C to any instances of itself - that it calls (so that the whole sequence uses the same config file). If - it's running as \/exim/\ when it does this, all is well. However, if it - happens as a consequence of a non-privileged user running \%autoreply%\, - the called Exim gives up its root privilege. Then it can't write to the - spool. - - This means that you can't use -C (even as \/root/\) to run an instance of - Exim that is going to try to run \%autoreply%\ from a process that is - neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using - re-execs to regain privilege), there isn't any way round this - restriction. Therefore, the only way you can make this scenario work is - to run the \%autoreply%\ transport as \/exim/\ (that is, the user that - owns the Exim spool files). This may be satisfactory for autoreplies - that are essentially system-generated, but of course is no good for - autoreplies from unprivileged users, where you want the \%autoreply%\ - transport to be run as the user. To get that to work with an alternate - configuration, you'll have to use two Exim binaries, with different - configuration file names in each. See S001 for a script that patches - the configuration name in an Exim binary. + that it calls (so that the whole sequence uses the same config file). + However, Exim gives up its root privilege if any user except \/root\/ + passes a -C option to use a non-default configuration file, and that + includes the case where Exim re-execs itself to regain root privilege. + Thus it can't write to the spool. + + The fix for this is to use the \\TRUSTED_CONFIG_LIST\\ build-time + option. This defines a file containing a list of 'trusted' prefixes for + configuration files. Any configuration file specified with -C, if it + matches a prefix listed in that file, will be used without dropping root + privileges (as long as it is not writeable by a non-root user). Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean? @@ -1322,7 +1315,7 @@ A0076: You are probably putting your reject items into the main log as well; by a \"mail.info"\ descriptor). Test this by running the command: -==> logger -p mail.notice test +==> logger -p mail.notice test and seeing which logs it goes into. From Exim release 4.31 it is possible to disable the rejectlog by setting \write_rejectlog\ false. @@ -1811,9 +1804,9 @@ A0115: You are using FreeBSD, or another OS that has a \^make^\ command which ensure that this happens throughout the build, it's best to export it in your environment: -==> MAKEFLAGS='-B' - export MAKEFLAGS - make +==> MAKEFLAGS='-B' + export MAKEFLAGS + make Q0116: I have tried to build Exim with Berkeley DB 3 and 4, but I always get @@ -2124,7 +2117,7 @@ A0301: They mean exactly what they say. Exim expected to route an address to a with MX records pointing to \"localhost"\ (or other names with A records that specify 127.0.0.1), which causes this behaviour. You can use the \ignore_target_hosts\ option to get Exim to ignore these records. The - default contiguration does this. For more discussion, see Q0319. For + default configuration does this. For more discussion, see Q0319. For other cases: (1) If the domain is meant to be handled as a local domain, there @@ -2323,7 +2316,7 @@ A0310: If a DNS lookup returns no MXs, Exim looks for an address record, in Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim - send the messsage to the host defined by the A record? + send the message to the host defined by the A record? A0311: The RFCs are quite clear on this. Only if it is known that there are no MX records is an MTA allowed to make use of the A record. When an MX @@ -2478,25 +2471,25 @@ A0319: The admin in question is an idiot. Exim will always freeze such messages ==> # Don't allow domains whose single MX (or A) record is a # "special-use IPv4 address", as listed in RFC 3330. ignore_target_hosts = \ - # Hosts on "this network"; RFC 1700 (page 4) states that these - # are only allowed as source addresses - 0.0.0.0/8 : \ - # Private networks, RFC 1918 - 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \ - # Internet host loopback address, RFC 1700 (page 5) - 127.0.0.0/8 : \ - # "Link local" block - 169.254.0.0/16 : \ - # "TEST-NET" - should not appear on the public Internet - 192.0.2.0/24 : \ - # 6to4 relay anycast addresses, RFC 3068 - 192.88.99.0/24 : \ - # Network interconnect device benchmark testing, RFC 2544 - 198.18.0.0/15 : \ - # Multicast addresses, RFC 3171 - 224.0.0.0/4 : \ - # Reserved for future use, RFC 1700 (page 4) - 240.0.0.0/4 + # Hosts on "this network"; RFC 1700 (page 4) states that these + # are only allowed as source addresses + 0.0.0.0/8 : \ + # Private networks, RFC 1918 + 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \ + # Internet host loopback address, RFC 1700 (page 5) + 127.0.0.0/8 : \ + # "Link local" block + 169.254.0.0/16 : \ + # "TEST-NET" - should not appear on the public Internet + 192.0.2.0/24 : \ + # 6to4 relay anycast addresses, RFC 3068 + 192.88.99.0/24 : \ + # Network interconnect device benchmark testing, RFC 2544 + 198.18.0.0/15 : \ + # Multicast addresses, RFC 3171 + 224.0.0.0/4 : \ + # Reserved for future use, RFC 1700 (page 4) + 240.0.0.0/4 Q0320: How can I arrange for all mail to \*user@some.domain*\ to be forwarded @@ -2684,7 +2677,7 @@ A0408: Set the \qualify_preserve_domain\ option on the \%redirect%\ router. Q0409: I want mail for any local part at certain virtual domains to go to a single address for each domain. -A0409: One way to to this is +A0409: One way to do this is ==> virtual: driver = redirect @@ -2756,7 +2749,7 @@ A0413: Setting \skip_syntax_errors\ on the redirect router causes syntax driver = accept check_local_user transport = local_delivery - prefix = real- + local_part_prefix = real- before the \%redirect%\ router that handles \(.forward)\ files. This will do an ordinary local delivery without \(.forward)\ processing, if the @@ -3459,7 +3452,7 @@ A0510: \^elspy^\ is a layer of glue code that enables you to write Python code to scan email messages at SMTP time. \^elspy^\ also includes a small Python library with common mail-scanning tools, including an interface to SpamAssassin and a simple but effective virus detector. You can - optain \^elspy^\ from \?http://elspy.sourceforge.net/?\. + obtain \^elspy^\ from \?http://elspy.sourceforge.net/?\. Q0511: Whenever my system filter uses a \mail\ command to send a message, I get @@ -3550,7 +3543,7 @@ A0601: Whenever Exim does a local delivery, it runs a process under a specific ==> majordomo: |/local/mail/majordomo ... then Exim has to be told what uid/gid to use for the delivery. This can - be done either on the routerr that handles the address, or on the + be done either on the router that handles the address, or on the transport that actually does the delivery. If a pipe is going to run a setuid program, then it doesn't matter what uid Exim starts it out with, and so the most straightforward thing is to put @@ -3624,7 +3617,7 @@ A0603: Q0601 contains background information on this. If you are using, say, an Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the - ctrl-A characters that separate indvidual emails? + ctrl-A characters that separate individual emails? A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact, for MMDF mailboxes you need a prefix as well as a suffix to get it @@ -3667,15 +3660,15 @@ Q0606: I'm using tmail to do local deliveries, but when I turned on the \use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\ terminations) message bodies started to vanish. -A0606: You need to unset the \mesage_prefix\ option, or change it so that its +A0606: You need to unset the \message_prefix\ option, or change it so that its default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the transport could be: ==> local_delivery_mbx: - driver = pipe - command = /usr/local/bin/tmail $local_part - user = exim - current_directory = / + driver = pipe + command = /usr/local/bin/tmail $local_part + user = exim + current_directory = / use_crlf message_prefix = @@ -4403,7 +4396,7 @@ A0710: Set up a file (or database) containing the messages, keyed by the ==> deny message = ${lookup{$sender_address=>$local_part@$domain}\ lsearch{/that/file}} condition = ${lookup{$sender_address=>$local_part@$domain}\ - lsearch{/that/file}}{yes}{no}} + lsearch{/that/file}{yes}{no}} The condition is tested first. If the lookup succeeds, the condition succeeds so access is denied. The message is then expanded, but the @@ -4807,10 +4800,10 @@ A0735: Many workstation clients send single-component names; take care that you do not block legitimate mail. With that proviso, you can do it using something like this in an ACL: -==> drop message = HELO doesn't look like a hostname - log_message = Not a hostname - condition = ${if match{$sender_helo_name} \ - {\N^[^.].*\.[^.]+$\N}{no}{yes}} +==> drop message = HELO doesn't look like a hostname + log_message = Not a hostname + condition = ${if match{$sender_helo_name} \ + {\N^[^.].*\.[^.]+$\N}{no}{yes}} This means: Drop the HELO unless it contains a dot somewhere in the HELO string, but the string may not begin or end with a dot. Thus, the @@ -5003,8 +4996,8 @@ Q0804: I'm using this rewriting rule to change login names into ``friendly'' names, but if mail comes in for an upper case login name, it doesn't get rewritten. -==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\ - {$value}fail}@my.domain bcfrtFT +==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\ + {$value}fail}@my.domain bcfrtFT The longforms database has entries of the form: @@ -5020,11 +5013,11 @@ A0805: It depends on what you mean by ``fail a message'' and what addresses you are rewriting. If you are rewriting recipient addresses for your local domain, you can do: -==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq +==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq and in your alias file put something like -==> failaddr: :fail: Rewriting failed +==> failaddr: :fail: Rewriting failed This fails a single recipient - others are processed independently. @@ -5045,7 +5038,7 @@ A0806: The value of \$domain$\ is the actual domain that appears in the address. but it is important to some people - especially if by some unfortunate accident the lowercased word is something indecent. - You can trivally force lower casing by means of the \"${lc:"\ operator. + You can trivially force lower casing by means of the \"${lc:"\ operator. Instead of \"$domain"\ write \"${lc:$domain}"\. @@ -5106,7 +5099,7 @@ A0905: You can only do this in a round about way, using filter commands like ==> headers add "New-Subject: SPAM: $h_subject:" headers remove subject - neaders add "Subject: $h_new-subject:" + headers add "Subject: $h_new-subject:" headers remove new-subject This trick works only in system filters, where the commands are obeyed @@ -5773,8 +5766,8 @@ A1701: It seems that some clients require that the certificate presented by encrypt the user/site/leaf certificate. If this isn't acceptable, you seem to be able to strip out the passphrase as follows: -==> openssl rsa -in user.key -our user.key.new - mv user.key.new +==> openssl rsa -in user.key -our user.key.new + mv user.key.new This should be done immediately after \(user.key)\ is created. @@ -6625,13 +6618,13 @@ A9604: The problem appears to be the number of open files the system can ==> # Now System is up, Modify kernel parameters for max open etc. ==> if [ -f /proc/sys/kernel/file-max ]; then - echo 16384 >> /proc/sys/kernel/file-max + echo 16384 >> /proc/sys/kernel/file-max fi if [ -f /proc/sys/kernel/inode-max ]; then - echo 24576 >> /proc/sys/kernel/inode-max + echo 24576 >> /proc/sys/kernel/inode-max fi if [ -f /proc/sys/kernel/file-nr ]; then - echo 2160 >> /proc/sys/kernel/file-nr + echo 2160 >> /proc/sys/kernel/file-nr fi By echoing the value you want for file-max to the file \(file-max)\ etc.,