and &%-S%& options).
.cindex "queue runner" "description of operation"
-The &%-q%& option starts one queue runner process. This scans the queue of
+.new
+If other commandline options do not specify an action,
+.wen
+the &%-q%& option starts one queue runner process. This scans the queue of
waiting messages, and runs a delivery process for each one in turn. It waits
for each delivery process to finish before starting the next one. A delivery
process may not actually do any deliveries if the retry times for the addresses
The name should not contain a &'/'& character.
For a periodic queue run (see below)
append to the name a slash and a time value.
+
+If other commandline options speicify an action, a &'-qG<name>'& option
+will specify a queue to operate on.
+For example:
+.code
+exim -bp -qGquarantine
+mailq -qGquarantime
+exim -qGoffpeak -Rf @special.domain.example
+.endd
.wen
.vitem &%-q%&<&'qflags'&>&~<&'start&~id'&>&~<&'end&~id'&>
.cindex "&%extract%&" "substrings by key"
The key and <&'string1'&> are first expanded separately. Leading and trailing
white space is removed from the key (but not from any of the strings). The key
-must not consist entirely of digits. The expanded <&'string1'&> must be of the
-form:
+must not be empty and must not consist entirely of digits.
+The expanded <&'string1'&> must be of the form:
.display
<&'key1'&> = <&'value1'&> <&'key2'&> = <&'value2'&> ...
.endd
.cindex "SHA-1 hash"
.cindex "expansion" "SHA-1 hashing"
.cindex certificate fingerprint
-.cindex "&%sha2%& expansion item"
+.cindex "&%sha1%& expansion item"
The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
it as a 40-digit hexadecimal number, in which any letters are in upper case.
returns the SHA-1 hash fingerprint of the certificate.
-.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.vitem &*${sha256:*&<&'string'&>&*}*&
.cindex "SHA-256 hash"
.cindex certificate fingerprint
.cindex "expansion" "SHA-256 hashing"
.cindex "&%sha256%& expansion item"
-The &%sha256%& operator computes the SHA-256 hash fingerprint of the
-certificate,
+.new
+The &%sha256%& operator computes the SHA-256 hash value of the string
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+.wen
+
+If the string is a single variable of type certificate,
+returns the SHA-256 hash fingerprint of the certificate.
+
+
+.new
+.vitem &*${sha3:*&<&'string'&>&*}*& &&&
+ &*${sha3_<n>:*&<&'string'&>&*}*&
+.cindex "SHA3 hash"
+.cindex "expansion" "SHA3 hashing"
+.cindex "&%sha3%& expansion item"
+The &%sha3%& operator computes the SHA3-256 hash value of the string
and returns
it as a 64-digit hexadecimal number, in which any letters are in upper case.
-Only arguments which are a single variable of certificate type are supported.
+
+If a number is appended, separated by an underbar, it specifies
+the output length. Values of 224, 256, 384 and 512 are accepted;
+with 256 being the default.
+
+The &%sha3%& expansion item is only supported if Exim has been
+compiled with GnuTLS 3.5.0 or later.
+.wen
.vitem &*${stat:*&<&'string'&>&*}*&
connection, this variable is set to the cipher suite that was negotiated, for
example DES-CBC3-SHA. In other circumstances, in particular, for message
received over unencrypted connections, the variable is empty. Testing
-&$tls_cipher$& for emptiness is one way of distinguishing between encrypted and
+&$tls_in_cipher$& for emptiness is one way of distinguishing between encrypted and
non-encrypted connections during ACL processing.
The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during message reception,
.new
.cindex queues named
-.condex "named queues"
+.cindex "named queues"
To set limits for different named queues use
an expansion depending on the &$queue_name$& variable.
.wen
Otherwise, the option must expand to the name used by Exim for any of a number
of DH primes specified in RFC 2409, RFC 3526 and RFC 5114. As names, Exim uses
-"ike" followed by the number used by IKE, of "default" which corresponds to
+"ike" followed by the number used by IKE, or "default" which corresponds to
"ike23".
The available primes are:
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+DNS lookups for domains matching &%dnssec_require_domains%& will be done with
the dnssec request bit set. Any returns not having the Authenticated Data bit
(AD bit) set will be ignored and logged as a host-lookup failure.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+DNS lookups for domains matching &%dnssec_require_domains%& will be done with
the dnssec request bit set. Any returns not having the Authenticated Data bit
(AD bit) set will be ignored and logged as a host-lookup failure.
This applies to all of the SRV, MX, AAAA, A lookup sequence.
.vitem &*queue*&&~=&~<&'text'&>
This modifier specifies the use of a named queue for spool files
for the message.
+It can only be used before the message is received (i.e. not in
+the DATA ACL).
This could be used, for example, for known high-volume burst sources
of traffic, or for quarantine of messages.
Separate queue-runner processes will be needed for named queues.
&'debuglog'&. The filename can be adjusted with the &'tag'& option, which
may access any variables already defined. The logging may be adjusted with
the &'opts'& option, which takes the same values as the &`-d`& command-line
-option. Some examples (which depend on variables that don't exist in all
+option.
+.new
+Logging may be stopped, and the file removed, with the &'kill'& option.
+.wen
+Some examples (which depend on variables that don't exist in all
contexts):
.code
control = debug
control = debug/tag=.$sender_host_address
control = debug/opts=+expand+acl
control = debug/tag=.$message_exim_id/opts=+expand
+ control = debug/kill
.endd
&`CV `& certificate verification status
&`D `& duration of &"no mail in SMTP session"&
&`DN `& distinguished name from peer certificate
+&`DS `& DNSSEC secured lookups
&`DT `& on &`=>`& lines: time taken for a delivery
&`F `& sender address (on delivery lines)
&`H `& host name and IP address
&` deliver_time `& time taken to perform delivery
&` delivery_size `& add &`S=`&&'nnn'& to => lines
&`*dnslist_defer `& defers of DNS list (aka RBL) lookups
+&` dnssec `& DNSSEC secured lookups
&`*etrn `& ETRN commands
&`*host_lookup_failed `& as it says
&` ident_timeout `& timeout for ident connection
&%dnslist_defer%&: A log entry is written if an attempt to look up a host in a
DNS black list suffers a temporary error.
.next
+.cindex log dnssec
+.cindex dnssec logging
+&%dnssec%&: For message acceptance and (attempted) delivery log lines, when
+dns lookups gave secure results a tag of DS is added.
+For acceptance this covers the reverse and forward lookups for host name verification.
+It does not cover helo-name verification.
+For delivery this covers the SRV, MX, A and/or AAAA lookups.
+.next
.cindex "log" "ETRN commands"
.cindex "ETRN" "logging"
&%etrn%&: Every valid ETRN command that is received is logged, before the ACL
Log lines and Received-by: header lines will acquire a "utf8"
prefix on the protocol element, eg. utf8esmtp.
-The following expansion operator can be used:
+The following expansion operators can be used:
.code
${utf8_domain_to_alabel:str}
${utf8_domain_from_alabel:str}
projects / exim.git / blobdiff