<indexterm role="concept">
<primary>USE_TCP_WRAPPERS</primary>
</indexterm>
-<indexterm role="concept">
-<primary>TCP_WRAPPERS_DAEMON_NAME</primary>
-</indexterm>
-<indexterm role="concept">
-<primary>tcp_wrappers_daemon_name</primary>
-</indexterm>
Exim can be linked with the <emphasis>tcpwrappers</emphasis> library in order to check incoming
SMTP calls using the <emphasis>tcpwrappers</emphasis> control files. This may be a convenient
alternative to Exim’s own checking facilities for installations that are
EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
</literallayout>
<para>
-in <filename>Local/Makefile</filename>. The daemon name to use in the <emphasis>tcpwrappers</emphasis> control
-files is <quote>exim</quote>. For example, the line
+in <filename>Local/Makefile</filename>. The name to use in the <emphasis>tcpwrappers</emphasis> control files is
+<quote>exim</quote>. For example, the line
</para>
<literallayout class="monospaced">
exim : LOCAL 192.168.1. .friendly.domain.example
<para>
in your <filename>/etc/hosts.allow</filename> file allows connections from the local host, from
the subnet 192.168.1.0/24, and from all hosts in <emphasis>friendly.domain.example</emphasis>.
-All other connections are denied. The daemon name used by <emphasis>tcpwrappers</emphasis>
-can be changed at build time by setting TCP_WRAPPERS_DAEMON_NAME in
-in <filename>Local/Makefile</filename>, or by setting tcp_wrappers_daemon_name in the
-configure file. Consult the <emphasis>tcpwrappers</emphasis> documentation for
+All other connections are denied. Consult the <emphasis>tcpwrappers</emphasis> documentation for
further details.
</para>
</section>
</para>
</listitem></varlistentry>
<varlistentry>
-<term><option>--version</option></term>
-<listitem>
-<para>
-<indexterm role="option">
-<primary><option>--version</option></primary>
-</indexterm>
-This option is an alias for <option>-bV</option> and causes version information to be
-displayed.
-</para>
-</listitem></varlistentry>
-<varlistentry>
<term><option>-B</option><<emphasis>type</emphasis>></term>
<listitem>
<para>
</para>
</listitem></varlistentry>
<varlistentry>
-<term><option>-bmalware</option> <<emphasis>filename</emphasis>></term>
-<listitem>
-<para>
-<indexterm role="option">
-<primary><option>-bmalware</option></primary>
-</indexterm>
-<indexterm role="concept">
-<primary>testing</primary>
-<secondary>,</secondary>
-</indexterm>
-<indexterm role="concept">
-<primary>malware scan test</primary>
-</indexterm>
-This debugging option causes Exim to scan the given file,
-using the malware scanning framework. The option of <option>av_scanner</option> influences
-this option, so if <option>av_scanner</option>’s value is dependent upon an expansion then
-the expansion should have defaults which apply to this invocation. ACLs are
-not invoked, so if <option>av_scanner</option> references an ACL variable then that variable
-will never be populated and <option>-bmalware</option> will fail.
-</para>
-<para>
-Exim will have changed working directory before resolving the filename, so
-using fully qualified pathnames is advisable. Exim will be running as the Exim
-user when it tries to open the file, rather than as the invoking user.
-This option requires admin privileges.
-</para>
-<para>
-The <option>-bmalware</option> option will not be extended to be more generally useful,
-there are better tools for file-scanning. This option exists to help
-administrators verify their Exim and AV scanner configuration.
-</para>
-</listitem></varlistentry>
-<varlistentry>
<term><option>-bt</option></term>
<listitem>
<para>
</indexterm>
<indexterm role="concept">
<primary>listing</primary>
-<secondary>message in RFC 2822 format</secondary>
+<secondary>message in RFC 2922 format</secondary>
</indexterm>
This option causes a copy of the complete message (header lines plus body) to
be written to the standard output in RFC 2822 format. This option can be used
</para>
</listitem></varlistentry>
<varlistentry>
-<term><emphasis role="bold">${reverse_ip:</emphasis><<emphasis>ipaddr</emphasis>><emphasis role="bold">}</emphasis></term>
-<listitem>
-<para>
-<indexterm role="concept">
-<primary>expansion</primary>
-<secondary>IP address</secondary>
-</indexterm>
-This operator reverses an IP address; for IPv4 addresses, the result is in
-dotted-quad decimal form, while for IPv6 addreses the result is in
-dotted-nibble hexadecimal form. In both cases, this is the "natural" form
-for DNS. For example,
-</para>
-<literallayout class="monospaced">
-${reverse_ip:192.0.2.4} and ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3}
-</literallayout>
-<para>
-returns
-</para>
-<literallayout class="monospaced">
-4.2.0.192 and 3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
-</literallayout>
-</listitem></varlistentry>
-<varlistentry>
<term><emphasis role="bold">${rfc2047:</emphasis><<emphasis>string</emphasis>><emphasis role="bold">}</emphasis></term>
<listitem>
<para>
This condition turns a string holding a true or false representation into
a boolean state. It parses <quote>true</quote>, <quote>false</quote>, <quote>yes</quote> and <quote>no</quote>
(case-insensitively); also positive integer numbers map to true if non-zero,
-false if zero. Leading and trailing whitespace is ignored.
+false if zero. Leading whitespace is ignored.
All other string values will result in expansion failure.
</para>
<para>
When combined with ACL variables, this expansion condition will let you
make decisions in one place and act on those decisions in another place.
-For example:
+For example,
</para>
<literallayout class="monospaced">
${if bool{$acl_m_privileged_sender} ...
</literallayout>
</listitem></varlistentry>
<varlistentry>
-<term><emphasis role="bold">bool_lax {</emphasis><<emphasis>string</emphasis>><emphasis role="bold">}</emphasis></term>
-<listitem>
-<para>
-<indexterm role="concept">
-<primary>expansion</primary>
-<secondary>boolean parsing</secondary>
-</indexterm>
-<indexterm role="concept">
-<primary><option>bool_lax</option> expansion condition</primary>
-</indexterm>
-Like <option>bool</option>, this condition turns a string into a boolean state. But
-where <option>bool</option> accepts a strict set of strings, <option>bool_lax</option> uses the same
-loose definition that the Router <option>condition</option> option uses. The empty string
-and the values <quote>false</quote>, <quote>no</quote> and <quote>0</quote> map to false, all others map to
-true. Leading and trailing whitespace is ignored.
-</para>
-<para>
-Note that where <quote>bool{00}</quote> is false, <quote>bool_lax{00}</quote> is true.
-</para>
-</listitem></varlistentry>
-<varlistentry>
<term><emphasis role="bold">crypteq {</emphasis><<emphasis>string1</emphasis>><emphasis role="bold">}{</emphasis><<emphasis>string2</emphasis>><emphasis role="bold">}</emphasis></term>
<listitem>
<para>
<entry>ACL for DATA</entry>
</row>
<row>
-<entry><option>acl_smtp_dkim</option></entry>
-<entry>ACL for DKIM verification</entry>
-</row>
-<row>
<entry><option>acl_smtp_etrn</option></entry>
<entry>ACL for ETRN</entry>
</row>
<entry>use GnuTLS compatibility mode</entry>
</row>
<row>
-<entry><option>openssl_options</option></entry>
-<entry>adjust OpenSSL compatibility options</entry>
-</row>
-<row>
<entry><option>tls_advertise_hosts</option></entry>
<entry>advertise TLS to these hosts</entry>
</row>
sophie:/var/run/sophie
</literallayout>
<para>
-If the value of <option>av_scanner</option> starts with a dollar character, it is expanded
+If the value of <option>av_scanner</option> starts with dollar character, it is expanded
before use. See section <xref linkend="SECTscanvirus"/> for further details.
</para>
<para>
message that an individual transport can process.
</para>
<para>
-If you use a virus-scanner and set this option to to a value larger than the
-maximum size that your virus-scanner is configured to support, you may get
-failures triggered by large mails. The right size to configure for the
-virus-scanner depends upon what data is passed and the options in use but it’s
-probably safest to just set it to a little larger than this value. Eg, with a
-default Exim message size of 50M and a default ClamAV StreamMaxLength of 10M,
-some problems may result.
-</para>
-<para>
<indexterm role="option">
<primary><option>move_frozen_messages</option></primary>
</indexterm>
</para>
<para>
<indexterm role="option">
-<primary><option>openssl_options</option></primary>
-</indexterm>
-</para>
-<informaltable frame="all">
-<tgroup cols="4" colsep="0" rowsep="0">
-<colspec colwidth="8*" align="left"/>
-<colspec colwidth="6*" align="center"/>
-<colspec colwidth="6*" align="center"/>
-<colspec colwidth="6*" align="right"/>
-<tbody>
-<row>
-<entry><option>openssl_options</option></entry>
-<entry>Use: <emphasis>main</emphasis></entry>
-<entry>Type: <emphasis>string list</emphasis></entry>
-<entry>Default: <emphasis>+dont_insert_empty_fragments</emphasis></entry>
-</row>
-</tbody>
-</tgroup>
-</informaltable>
-<para>
-<indexterm role="concept">
-<primary>OpenSSL </primary>
-<secondary>compatibility</secondary>
-</indexterm>
-This option allows an administrator to adjust the SSL options applied
-by OpenSSL to connections. It is given as a space-separated list of items,
-each one to be +added or -subtracted from the current value. The default
-value is one option which happens to have been set historically. You can
-remove all options with:
-</para>
-<literallayout class="monospaced">
-openssl_options = -all
-</literallayout>
-<para>
-This option is only available if Exim is built against OpenSSL. The values
-available for this option vary according to the age of your OpenSSL install.
-The <quote>all</quote> value controls a subset of flags which are available, typically
-the bug workaround options. The <emphasis>SSL_CTX_set_options</emphasis> man page will
-list the values known on your system and Exim should support all the
-<quote>bug workaround</quote> options and many of the <quote>modifying</quote> options. The Exim
-names lose the leading <quote>SSL_OP_</quote> and are lower-cased.
-</para>
-<para>
-Note that adjusting the options can have severe impact upon the security of
-SSL as used by Exim. It is possible to disable safety checks and shoot
-yourself in the foot in various unpleasant ways. This option should not be
-adjusted lightly. An unrecognised item will be detected at by invoking Exim
-with the <option>-bV</option> flag.
-</para>
-<para>
-An example:
-</para>
-<literallayout class="monospaced">
-openssl_options = -all +microsoft_big_sslv3_buffer
-</literallayout>
-<para>
-<indexterm role="option">
<primary><option>oracle_servers</option></primary>
</indexterm>
</para>
precondition to be evaluated, all the other preconditions must be true).
</para>
<para>
-This option is unique in that multiple <option>condition</option> options may be present.
-All <option>condition</option> options must succeed.
-</para>
-<para>
The <option>condition</option> option provides a means of applying custom conditions to the
running of routers. Note that in the case of a simple conditional expansion,
the default expansion values are exactly what is wanted. For example:
condition = ${if >{$message_age}{600}{true}{}}
</literallayout>
<para>
-A multiple condition example, which succeeds:
-</para>
-<literallayout class="monospaced">
-condition = ${if >{$message_age}{600}}
-condition = ${if !eq{${lc:$local_part}}{postmaster}}
-condition = foobar
-</literallayout>
-<para>
If the expansion fails (other than forced failure) delivery is deferred. Some
of the other precondition options are common special cases that could in fact
be specified using <option>condition</option>.
</para>
<para>
<indexterm role="option">
-<primary><option>permit_coredump</option></primary>
-</indexterm>
-</para>
-<informaltable frame="all">
-<tgroup cols="4" colsep="0" rowsep="0">
-<colspec colwidth="8*" align="left"/>
-<colspec colwidth="6*" align="center"/>
-<colspec colwidth="6*" align="center"/>
-<colspec colwidth="6*" align="right"/>
-<tbody>
-<row>
-<entry><option>permit_coredump</option></entry>
-<entry>Use: <emphasis>pipe</emphasis></entry>
-<entry>Type: <emphasis>boolean</emphasis></entry>
-<entry>Default: <emphasis>false</emphasis></entry>
-</row>
-</tbody>
-</tgroup>
-</informaltable>
-<para>
-Normally Exim inhibits core-dumps during delivery. If you have a need to get
-a core-dump of a pipe command, enable this command. This enables core-dumps
-during delivery and affects both the Exim binary and the pipe command run.
-It is recommended that this option remain off unless and until you have a need
-for it and that this only be enabled when needed, as the risk of excessive
-resource consumption can be quite high. Note also that Exim is typically
-installed as a setuid binary and most operating systems will inhibit coredumps
-of these by default, so further OS-specific action may be required.
-</para>
-<para>
-<indexterm role="option">
<primary><option>pipe_as_creator</option></primary>
</indexterm>
</para>
</para>
</listitem></varlistentry>
<varlistentry>
-<term><emphasis role="bold">control = debug/</emphasis><<emphasis>options</emphasis>></term>
-<listitem>
-<para>
-<indexterm role="concept">
-<primary>access control lists (ACLs)</primary>
-<secondary>enabling debug logging</secondary>
-</indexterm>
-<indexterm role="concept">
-<primary>debugging</primary>
-<secondary>enabling from an ACL</secondary>
-</indexterm>
-This control turns on debug logging, almost as though Exim had been invoked
-with <literal>-d</literal>, with the output going to a new logfile, by default called
-<emphasis>debuglog</emphasis>. The filename can be adjusted with the <emphasis>tag</emphasis> option, which
-may access any variables already defined. The logging may be adjusted with
-the <emphasis>opts</emphasis> option, which takes the same values as the <literal>-d</literal> command-line
-option. Some examples (which depend on variables that don’t exist in all
-contexts):
-</para>
-<literallayout class="monospaced">
- control = debug
- control = debug/tag=.$sender_host_address
- control = debug/opts=+expand+acl
- control = debug/tag=.$message_exim_id/opts=+expand
-</literallayout>
-</listitem></varlistentry>
-<varlistentry>
<term><emphasis role="bold">control = enforce_sync</emphasis></term>
<term><emphasis role="bold">control = no_enforce_sync</emphasis></term>
<listitem>
av_scanner = sophie:/var/run/sophie
</literallayout>
<para>
-If the value of <option>av_scanner</option> starts with a dollar character, it is expanded
+If the value of <option>av_scanner</option> starts with dollar character, it is expanded
before use. The following scanner types are supported in this release:
</para>
<variablelist>
</para>
<literallayout class="monospaced">
av_scanner = clamd:/opt/clamd/socket
-av_scanner = clamd:192.0.2.3 1234
-av_scanner = clamd:192.0.2.3 1234:local
+av_scanner = clamd:192.168.2.100 1234
</literallayout>
<para>
-If the value of av_scanner points to a UNIX socket file or contains the local
-keyword, then the ClamAV interface will pass a filename containing the data
-to be scanned, which will should normally result in less I/O happening and be
-more efficient. Normally in the TCP case, the data is streamed to ClamAV as
-Exim does not assume that there is a common filesystem with the remote host.
-There is an option WITH_OLD_CLAMAV_STREAM in <filename>src/EDITME</filename> available, should
-you be running a version of ClamAV prior to 0.95.
If the option is unset, the default is <filename>/tmp/clamd</filename>. Thanks to David Saez for
contributing the code for this scanner.
</para>
<option>malware</option> condition.
</para>
<para>
-Beware the interaction of Exim’s <option>message_size_limit</option> with any size limits
-imposed by your anti-virus scanner.
-</para>
-<para>
Here is a very simple scanning example:
</para>
<literallayout class="monospaced">
<secondary>returned variables</secondary>
</indexterm>
When the <option>spam</option> condition is run, it sets up a number of expansion
-variables. These variables are saved with the received message, thus they are
-available for use at delivery time.
+variables. With the exception of <varname>$spam_score_int</varname>, these are usable only
+within ACLs; their values are not retained with the message and so cannot be
+used at delivery time.
</para>
<variablelist>
<varlistentry>
The spam score of the message, multiplied by ten, as an integer value. For
example <quote>34</quote> or <quote>305</quote>. It may appear to disagree with <varname>$spam_score</varname>
because <varname>$spam_score</varname> is rounded and <varname>$spam_score_int</varname> is truncated.
-The integer value is useful for numeric comparisons in conditions.
+The integer value is useful for numeric comparisons in
+conditions. This variable is special; its value is saved with the message, and
+written to Exim’s spool file. This means that it can be used during the whole
+life of the message on your Exim system, in particular, in routers or
+transports during the later delivery phase.
</para>
</listitem></varlistentry>
<varlistentry>
<para>
Verify signatures in incoming messages: This is implemented by an additional
ACL (acl_smtp_dkim), which can be called several times per message, with
-different signature contexts.
+different signature context.
</para>
</listitem>
</orderedlist>
</tgroup>
</informaltable>
<para>
-MANDATORY:
+MANDATORY
The domain you want to sign with. The result of this expanded
option is put into the <option>$dkim_domain</option> expansion variable.
</para>
</tgroup>
</informaltable>
<para>
-MANDATORY:
+MANDATORY
This sets the key selector string. You can use the <option>$dkim_domain</option> expansion
variable to look up a matching selector. The result is put in the expansion
variable <option>$dkim_selector</option> which should be used in the <option>dkim_private_key</option>
</tgroup>
</informaltable>
<para>
-MANDATORY:
+MANDATORY
This sets the private key to use. You can use the <option>$dkim_domain</option> and
<option>$dkim_selector</option> expansion variables to determine the private key to use.
The result can either
</tgroup>
</informaltable>
<para>
-OPTIONAL:
+OPTIONAL
This option sets the canonicalization method used when signing a message.
The DKIM RFC currently supports two methods: "simple" and "relaxed".
The option defaults to "relaxed" when unset. Note: the current implementation
</tgroup>
</informaltable>
<para>
-OPTIONAL:
+OPTIONAL
This option defines how Exim behaves when signing a message that
should be signed fails for some reason. When the expansion evaluates to
either "1" or "true", Exim will defer. Otherwise Exim will send the message
</tgroup>
</informaltable>
<para>
-OPTIONAL:
+OPTIONAL
When set, this option must expand to (or be specified as) a colon-separated
list of header names. Headers with these names will be included in the message
signature. When unspecified, the header names recommended in RFC4871 will be
The global option <option>dkim_verify_signers</option> can be set to a colon-separated
list of DKIM domains or identities for which the ACL <option>acl_smtp_dkim</option> is
called. It is expanded when the message has been received. At this point,
-the expansion variable <option>$dkim_signers</option> already contains a colon-separated
-list of signer domains and identities for the message. When
+the expansion variable <option>$dkim_signers</option> already contains a colon-
+separated list of signer domains and identities for the message. When
<option>dkim_verify_signers</option> is not specified in the main configuration,
it defaults as:
</para>
<para>
This would result in <option>acl_smtp_dkim</option> always being called for "paypal.com"
and "ebay.com", plus all domains and identities that have signatures in the message.
-You can also be more creative in constructing your policy. For example:
+You can also be more creative in constructing your policy. Example:
</para>
<literallayout class="monospaced">
dkim_verify_signers = $sender_address_domain:$dkim_signers
<term><option>$dkim_cur_signer</option></term>
<listitem>
<para>
-The signer that is being evaluated in this ACL run. This can be a domain or
+The signer that is being evaluated in this ACL run. This can be domain or
an identity. This is one of the list items from the expanded main option
<option>dkim_verify_signers</option> (see above).
</para>
<term><option>$dkim_selector</option></term>
<listitem>
<para>
-The key record selector string.
+The key record selector string
</para>
</listitem></varlistentry>
<varlistentry>
<term><option>$dkim_key_notes</option></term>
<listitem>
<para>
-Notes from the key record (tag n=).
+Notes from the key record (tag n=)
</para>
</listitem></varlistentry>
</variablelist>
ACL condition that checks a colon-separated list of domains or identities
for a match against the domain or identity that the ACL is currently verifying
(reflected by <option>$dkim_cur_signer</option>). This is typically used to restrict an ACL
-verb to a group of domains or identities. For example:
+verb to a group of domains or identities, like:
</para>
<literallayout class="monospaced">
# Warn when message apparently from GMail has no signature at all
git://git.exim.org / exim-website.git / blobdiff