waiting for it by the time it recovers, and sending them in a single SMTP
connection is clearly beneficial. Whenever a delivery to a remote host is
deferred,
-.cindex "hints database"
+.cindex "hints database" "deferred deliveries"
Exim makes a note in its hints database, and whenever a successful
SMTP delivery has happened, it looks to see if any other messages are waiting
for the same host. If any are found, they are sent over the same SMTP
in the ASCII character set, and to label them as being in a particular
character set. When Exim is inspecting header lines by means of the &%$h_%&
mechanism, it decodes them, and translates them into a specified character set
-(default ISO-8859-1). The translation is possible only if the operating system
+(default is set at build time). The translation is possible only if the operating system
supports the &[iconv()]& function.
However, some of the operating systems that supply &[iconv()]& do not support
.code
mysql_servers = <value not displayable>
.endd
-If &%configure_file%& is given as an argument, the name of the run time
-configuration file is output.
+If &%config%& is given as an argument, the config is
+output, as it was parsed, any include file resolved, any comment removed.
+
+If &%config_file%& is given as an argument, the name of the run time
+configuration file is output. (&%configure_file%& works too, for
+backward compatibility.)
If a list of configuration files was supplied, the value that is output here
is the name of the file that was actually used.
exim '-D ABC = something' ...
.endd
&%-D%& may be repeated up to 10 times on a command line.
+.new
+Only macro names up to 22 letters long can be set.
+.wen
.vitem &%-d%&<&'debug&~options'&>
Exim's configuration file is divided into a number of different parts. General
option settings must always appear at the start of the file. The other parts
are all optional, and may appear in any order. Each part other than the first
-is introduced by the word &"begin"& followed by the name of the part. The
-optional parts are:
+is introduced by the word &"begin"& followed by at least one literal
+space, and the name of the part. The optional parts are:
.ilist
&'ACL'&: Access control lists for controlling incoming SMTP mail (see chapter
.endd
This transport is used for handling deliveries to pipes that are generated by
redirection (aliasing or users' &_.forward_& files). The &%return_output%&
-option specifies that any output generated by the pipe is to be returned to the
-sender.
+option specifies that any output on stdout or stderr generated by the pipe is to
+be returned to the sender.
.code
address_file:
driver = appendfile
The form if &"retry_VAL"& where VAL is an integer.
The default count is set by the main configuration option &%dns_retry%&.
+.new
+.cindex cacheing "of dns lookup"
+.cindex TTL "of dns lookup"
+.cindex DNS TTL
+Dnsdb lookup results are cached within a single process (and its children).
+The cache entry lifetime is limited to the smallest time-to-live (TTL)
+value of the set of returned DNS records.
+.wen
+
.section "Pseudo dnsdb record types" "SECID66"
.cindex "MX record" "in &(dnsdb)& lookup"
must be &"follow"& (the default) or &"nofollow"&. The latter stops the LDAP
library from trying to follow referrals issued by the LDAP server.
+.cindex LDAP timeout
+.cindex timeout "LDAP lookup"
The name CONNECT is an obsolete name for NETTIME, retained for
backwards compatibility. This timeout (specified as a number of seconds) is
enforced from the client end for operations that can be carried out over a
set a server-side limit on the time taken to complete a search.
The SERVERS parameter allows you to specify an alternate list of ldap servers
-to use for an individual lookup. The global ldap_servers option provides a
+to use for an individual lookup. The global &%ldap_default_servers%& option provides a
default list of ldap servers, and a single lookup can specify a single ldap
server to use. But when you need to do a lookup with a list of servers that is
different than the default list (maybe different order, maybe a completely
The &(ldapdn)& lookup type returns the Distinguished Name from a single entry
as a sequence of values, for example
.code
-cn=manager, o=University of Cambridge, c=UK
+cn=manager,o=University of Cambridge,c=UK
.endd
The &(ldap)& lookup type generates an error if more than one entry matches the
search filter, whereas &(ldapm)& permits this case, and inserts a newline in
In the common case where you specify a single attribute in your LDAP query, the
result is not quoted, and does not contain the attribute name. If the attribute
-has multiple values, they are separated by commas.
+has multiple values, they are separated by commas. Any comma that is
+part of an attribute's value is doubled.
If you specify multiple attributes, the result contains space-separated, quoted
strings, each preceded by the attribute name and an equals sign. Within the
Here are some examples of the output format. The first line of each pair is an
LDAP query, and the second is the data that is returned. The attribute called
&%attr1%& has two values, one of them with an embedded comma, whereas
-&%attr2%& has only one value:
+&%attr2%& has only one value. Both attributes are derived from &%attr%&
+(they have SUP &%attr%& in their schema definitions).
+
.code
ldap:///o=base?attr1?sub?(uid=fred)
value1.1,value1,,2
ldap:///o=base?attr2?sub?(uid=fred)
value two
+ldap:///o=base?attr?sub?(uid=fred)
+value1.1,value1,,2,value two
+
ldap:///o=base?attr1,attr2?sub?(uid=fred)
attr1="value1.1,value1,,2" attr2="value two"
found, but that is still a successful query. In other words, the list of
servers provides a backup facility, not a list of different places to look.
+.new
The &%quote_mysql%&, &%quote_pgsql%&, and &%quote_oracle%& expansion operators
convert newline, tab, carriage return, and backspace to \n, \t, \r, and \b
respectively, and the characters single-quote, double-quote, and backslash
-itself are escaped with backslashes. The &%quote_pgsql%& expansion operator, in
-addition, escapes the percent and underscore characters. This cannot be done
-for MySQL because these escapes are not recognized in contexts where these
-characters are not special.
+itself are escaped with backslashes.
+.wen
.section "Specifying the server in the query" "SECTspeserque"
For MySQL and PostgreSQL lookups (but not currently for Oracle and InterBase),
.section "Special MySQL features" "SECID73"
For MySQL, an empty host name or the use of &"localhost"& in &%mysql_servers%&
causes a connection to the server on the local host by means of a Unix domain
-socket. An alternate socket can be specified in parentheses. The full syntax of
-each item in &%mysql_servers%& is:
+socket. An alternate socket can be specified in parentheses.
+.new
+An option group name for MySQL option files can be specified in square brackets;
+the default value is &"exim"&.
+.wen
+The full syntax of each item in &%mysql_servers%& is:
.display
-<&'hostname'&>::<&'port'&>(<&'socket name'&>)/<&'database'&>/&&&
- <&'user'&>/<&'password'&>
+<&'hostname'&>::<&'port'&>(<&'socket name'&>)[<&'option group'&>]/&&&
+ <&'database'&>/<&'user'&>/<&'password'&>
.endd
-Any of the three sub-parts of the first field can be omitted. For normal use on
+Any of the four sub-parts of the first field can be omitted. For normal use on
the local host it can be left blank or set to just &"localhost"&.
No database need be supplied &-- but if it is absent here, it must be given in
The only character affected by the &%quote_sqlite%& operator is a single
quote, which it doubles.
+.cindex timeout SQLite
+.cindex sqlite "lookup timeout"
The SQLite library handles multiple simultaneous accesses to the database
internally. Multiple readers are permitted, but only one process can
update at once. Attempts to access the database while it is being updated
Upper case and lower case letters are synonymous in header names. If the
following character is white space, the terminating colon may be omitted, but
this is not recommended, because you may then forget it when it is needed. When
-white space terminates the header name, it is included in the expanded string.
-If the message does not contain the given header, the expansion item is
-replaced by an empty string. (See the &%def%& condition in section
-&<<SECTexpcond>>& for a means of testing for the existence of a header.)
+white space terminates the header name, this white space is included in the
+expanded string. If the message does not contain the given header, the
+expansion item is replaced by an empty string. (See the &%def%& condition in
+section &<<SECTexpcond>>& for a means of testing for the existence of a
+header.)
If there is more than one header with the same name, they are all concatenated
to form the substitution string, up to a maximum length of 64K. Unless
.code
${listextract{-3}{<, x,42,99,& Mailer,,/bin/bash}{result: $value}}
.endd
-yields &"result: 99"&.
+yields &"result: 42"&.
If {<&'string3'&>} is omitted, an empty string is used for string3.
If {<&'string2'&>} is also omitted, the value that was
byte value 127 is converted to &`\x7f`&.
+.new
+.vitem &*${ipv6denorm:*&<&'string'&>&*}*&
+.cindex "&%ipv6denorm%& expansion item"
+.cindex "IP address" normalisation
+This expands an IPv6 address to a full eight-element colon-separated set
+of hex digits including leading zeroes.
+A trailing ipv4-style dotted-decimal set is converted to hex.
+Pure IPv4 addresses are converted to IPv4-mapped IPv6.
+
+.vitem &*${ipv6norm:*&<&'string'&>&*}*&
+.cindex "&%ipv6norm%& expansion item"
+.cindex "IP address" normalisation
+.cindex "IP address" "canonical form"
+This converts an IPv6 address to canonical form.
+Leading zeroes of groups are omitted, and the longest
+set of zero-valued groups is replaced with a double colon.
+A trailing ipv4-style dotted-decimal set is converted to hex.
+Pure IPv4 addresses are converted to IPv4-mapped IPv6.
+.wen
+
+
.vitem &*${lc:*&<&'string'&>&*}*&
.cindex "case forcing in strings"
.cindex "string" "case forcing"
This operator encodes text according to the rules of RFC 2047. This is an
encoding that is used in header lines to encode non-ASCII characters. It is
assumed that the input string is in the encoding specified by the
-&%headers_charset%& option, which defaults to ISO-8859-1. If the string
+&%headers_charset%& option, which gets its default at build time. If the string
contains only characters in the range 33&--126, and no instances of the
characters
.code
When a &%match%& expansion condition succeeds, these variables contain the
captured substrings identified by the regular expression during subsequent
processing of the success string of the containing &%if%& expansion item.
-However, they do not retain their values afterwards; in fact, their previous
+In the expansion condition case
+they do not retain their values afterwards; in fact, their previous
values are restored at the end of processing an &%if%& item. The numerical
variables may also be set externally by some other matching process which
precedes the expansion of the string. For example, the commands available in
&$originator_uid$&). If Exim re-execs itself, this variable in the new
incarnation normally contains the Exim uid.
-.vitem &$compile_date$&
-.vindex "&$compile_date$&"
-The date on which the Exim binary was compiled.
+.vitem &$callout_address$&
+.vindex "&$callout_address$&"
+After a callout for verification, spamd or malware daemon service, the
+address that was connected to.
.vitem &$compile_number$&
.vindex "&$compile_number$&"
&$dkim_key_nosubdomains$& &&&
&$dkim_key_srvtype$& &&&
&$dkim_key_granularity$& &&&
- &$dkim_key_notes$&
+ &$dkim_key_notes$& &&&
+ &$dkim_key_length$&
These variables are only available within the DKIM ACL.
For details see chapter &<<CHAPdkim>>&.
qualified host name. See also &$smtp_active_hostname$&.
+.new
+.vitem &$proxy_host_address$& &&&
+ &$proxy_host_port$& &&&
+ &$proxy_target_address$& &&&
+ &$proxy_target_port$& &&&
+ &$proxy_session$&
+These variables are only available when built with Proxy Protocol
+or Socks5 support
+For details see chapter &<<SECTproxyInbound>>&.
+.wen
+
+.new
+.vitem &$prdr_requested$&
+.cindex "PRDR" "variable for"
+This variable is set to &"yes"& if PRDR was requested by the client for the
+current message, otherwise &"no"&.
+.wen
+
.vitem &$prvscheck_address$&
This variable is used in conjunction with the &%prvscheck%& expansion item,
which is described in sections &<<SECTexpansionitems>>& and
This variable is set to contain the matching regular expression after a
&%regex%& ACL condition has matched (see section &<<SECTscanregex>>&).
+.vitem "&$regex1$&, &$regex2$&, etc"
+.cindex "regex submatch variables (&$1regex$& &$2regex$& etc)"
+When a &%regex%& or &%mime_regex%& ACL condition succeeds,
+these variables contain the
+captured substrings identified by the regular expression.
+
.vitem &$reply_address$&
.vindex "&$reply_address$&"
.row &%helo_verify_hosts%& "HELO hard-checked for these hosts"
.row &%host_lookup%& "host name looked up for these hosts"
.row &%host_lookup_order%& "order of DNS and local name lookups"
+.row &%hosts_proxy%& "use proxy protocol for these hosts"
.row &%host_reject_connection%& "reject connection from these hosts"
.row &%hosts_treat_as_local%& "useful in some cluster configurations"
.row &%local_scan_timeout%& "timeout for &[local_scan()]&"
. Allow this long option name to split; give it unsplit as a fifth argument
. for the automatic .oindex that is generated by .option.
-.option "extract_addresses_remove_ &~&~arguments" main boolean true &&&
+.option "extract_addresses_remove_arguments" main boolean true &&&
extract_addresses_remove_arguments
.oindex "&%-t%&"
.cindex "command line" "addresses with &%-t%&"
+.new
+.option hosts_proxy main "host list&!!" unset
+.cindex proxy "proxy protocol"
+This option enables use of Proxy Protocol proxies for incoming
+connections. For details see &<<SECTproxyInbound>>&.
+.wen
+
+
.option hosts_treat_as_local main "domain list&!!" unset
.cindex "local host" "domains treated as"
.cindex "host" "treated as local"
unfortunately not all, operating systems.
-.option tls_advertise_hosts main "host list&!!" unset
+.new
+.option tls_advertise_hosts main "host list&!!" *
+.wen
.cindex "TLS" "advertising"
.cindex "encryption" "on SMTP connection"
.cindex "SMTP" "encrypted connection"
of the STARTTLS command to set up an encrypted session is advertised in
response to EHLO only to those client hosts that match this option. See
chapter &<<CHAPTLS>>& for details of Exim's support for TLS.
+.new
+Note that the default value requires that a certificate be supplied
+using the &%tls_certificate%& option. If no certificate is available then
+the &%tls_advertise_hosts%& option should be set empty.
+.wen
.option tls_certificate main string&!! unset
status proof for the server's certificate, as obtained from the
Certificate Authority.
+.new
+Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.wen
+
.option tls_on_connect_ports main "string list" unset
.cindex SSMTP
to ensure that any additional groups associated with the uid are set up.
+.new
+.option max_parallel transports integer&!! unset
+.cindex limit "transport parallelism"
+.cindex transport "parallel processes"
+.cindex transport "concurrency limit"
+.cindex "delivery" "parallelism for transport"
+If this option is set and expands to an integer greater than zero
+it limits the number of concurrent runs of the transport.
+The control does not apply to shadow transports.
+
+.cindex "hints database" "transport concurrency control"
+Exim implements this control by means of a hints database in which a record is
+incremented whenever a transport process is beaing created. The record
+is decremented and possibly removed when the process terminates.
+Obviously there is scope for
+records to get left lying around if there is a system or program crash. To
+guard against this, Exim ignores any records that are more than six hours old.
+
+If you use this option, you should also arrange to delete the
+relevant hints database whenever your system reboots. The names of the files
+start with &_misc_& and they are kept in the &_spool/db_& directory. There
+may be one or two files, depending on the type of DBM in use. The same files
+are used for ETRN and smtp transport serialization.
+.wen
+
+
.option message_size_limit transports string&!! 0
.cindex "limit" "message size per transport"
.cindex "size" "of message, limit"
This option sets up a filtering (in the Unix shell sense) process for messages
at transport time. It should not be confused with mail filtering as set up by
individual users or via a system filter.
+.new
+If unset, or expanding to an empty string, no filtering is done.
+.wen
When the message is about to be written out, the command specified by
&%transport_filter%& is started up in a separate, parallel process, and
delivery, the two pipe transports may be run concurrently. You must ensure that
any pipe commands you set up are robust against this happening. If the commands
write to a file, the &%exim_lock%& utility might be of use.
+.new
+Alternatively the &%max_parallel%& option could be used with a value
+of "1" to enforce serialization.
+.wen
&%force_command%& is set, expanding out to the original argument vector as
separate items, similarly to a Unix shell &`"$@"`& construct.
+
.option ignore_status pipe boolean false
If this option is true, the status returned by the subprocess that is set up to
run the command is ignored, and Exim behaves as if zero had been returned.
&*Note*&: This option does not apply to timeouts, which do not return a status.
See the &%timeout_defer%& option for how timeouts are handled.
+
.option log_defer_output pipe boolean false
.cindex "&(pipe)& transport" "logging output"
If this option is set, and the status returned by the command is
one of the codes listed in &%temp_errors%& (that is, delivery was deferred),
-and any output was produced, the first line of it is written to the main log.
+and any output was produced on stdout or stderr, the first line of it is
+written to the main log.
.option log_fail_output pipe boolean false
-If this option is set, and the command returns any output, and also ends with a
-return code that is neither zero nor one of the return codes listed in
-&%temp_errors%& (that is, the delivery failed), the first line of output is
-written to the main log. This option and &%log_output%& are mutually exclusive.
-Only one of them may be set.
-
+If this option is set, and the command returns any output on stdout or
+stderr, and also ends with a return code that is neither zero nor one of
+the return codes listed in &%temp_errors%& (that is, the delivery
+failed), the first line of output is written to the main log. This
+option and &%log_output%& are mutually exclusive. Only one of them may
+be set.
.option log_output pipe boolean false
-If this option is set and the command returns any output, the first line of
-output is written to the main log, whatever the return code. This option and
-&%log_fail_output%& are mutually exclusive. Only one of them may be set.
-
+If this option is set and the command returns any output on stdout or
+stderr, the first line of output is written to the main log, whatever
+the return code. This option and &%log_fail_output%& are mutually
+exclusive. Only one of them may be set.
.option max_output pipe integer 20K
may be one or two files, depending on the type of DBM in use. The same files
are used for ETRN serialization.
+.new
+See also the &%max_parallel%& generic transport option.
+.wen
+
.option size_addition smtp integer 1024
.cindex "SMTP" "SIZE"
the use of the SIZE option altogether.
+.new
+.option socks_proxy smtp string&!! unset
+.cindex proxy SOCKS
+This option enables use of SOCKS proxies for connections made by the
+transport. For details see &<<SECTproxySOCKS>>&.
+.wen
+
+
.option tls_certificate smtp string&!! unset
.cindex "TLS" "client certificate, location of"
.cindex "certificate" "client, location of"
2822 address, including the angle brackets if necessary. If text outside angle
brackets contains a character whose value is greater than 126 or less than 32
(except for tab), the text is encoded according to RFC 2047. The character set
-is taken from &%headers_charset%&, which defaults to ISO-8859-1.
+is taken from &%headers_charset%&, which gets its default at build time.
When the &"w"& flag is set on a rule that causes an envelope address to be
rewritten, all but the working part of the replacement address is discarded.
proof expires. The downside is that it requires server support.
Unless Exim is built with the support disabled,
-or with GnuTLS earlier than version 3.1.3,
+.new
+or with GnuTLS earlier than version 3.3.16 / 3.4.8
+.wen
support for OCSP stapling is included.
There is a global option called &%tls_ocsp_file%&.
PRDR may be used to support per-user content filtering. Without it
one must defer any recipient after the first that has a different
content-filter configuration. With PRDR, the RCPT-time check
-for this can be disabled when the MAIL-time $smtp_command included
-"PRDR". Any required difference in behaviour of the main DATA-time
+.new
+.cindex "PRDR" "variable for"
+for this can be disabled when the variable &$prdr_requested$&
+is &"yes"&.
+.wen
+Any required difference in behaviour of the main DATA-time
ACL should however depend on the PRDR-time ACL having run, as Exim
will avoid doing so in some situations (e.g. single-recipient mails).
received, that is, in an ACL specified by &%acl_smtp_data%& or
&%acl_not_smtp%&. It checks the syntax of all header lines that can contain
lists of addresses (&'Sender:'&, &'From:'&, &'Reply-To:'&, &'To:'&, &'Cc:'&,
-and &'Bcc:'&). Unqualified addresses (local parts without domains) are
+and &'Bcc:'&), returning true if there are no problems.
+Unqualified addresses (local parts without domains) are
permitted only in locally generated messages and from hosts that match
&%sender_unqualified_hosts%& or &%recipient_unqualified_hosts%&, as
appropriate.
warn message = X-Warn: sending host is on dialups list
dnslists = dialups.mail-abuse.org
.endd
-DNS list lookups are cached by Exim for the duration of the SMTP session,
+.cindex cacheing "of dns lookup"
+.cindex DNS TTL
+DNS list lookups are cached by Exim for the duration of the SMTP session
+.new
+(but limited by the DNS return TTL value),
+.wen
so a lookup based on the IP address is done at most once for any incoming
-connection. Exim does not share information between multiple incoming
+connection (assuming long-enough TTL).
+Exim does not share information between multiple incoming
connections (but your local name server cache should be active).
.endd
A timeout causes the ACL to defer.
+.vindex "&$callout_address$&"
+When a connection is made to the scanner the expansion variable &$callout_address$&
+is set to record the actual address used.
+
.vindex "&$malware_name$&"
When a virus is found, the condition sets up an expansion variable called
&$malware_name$& that contains the name of the virus. You can use it in a
Elements after the first for Unix sockets, or second for TCP socket,
are options.
-The supported option are:
+The supported options are:
.code
pri=<priority> Selection priority
weight=<value> Selection bias
used as the list so that multiple spamd servers can be the result of an
expansion.
+.vindex "&$callout_address$&"
+When a connection is made to the server the expansion variable &$callout_address$&
+is set to record the actual address used.
+
.section "Calling SpamAssassin from an Exim ACL" "SECID206"
Here is a simple example of the use of the &%spam%& condition in a DATA ACL:
.code
A string consisting of a number of &"+"& or &"-"& characters, representing the
integer part of the spam score value. A spam score of 4.4 would have a
&$spam_bar$& value of &"++++"&. This is useful for inclusion in warning
-headers, since MUAs can match on such strings.
+headers, since MUAs can match on such strings. The maximum length of the
+spam bar is 50 characters.
.vitem &$spam_report$&
A multiline text table, containing the full SpamAssassin report for the
The conditions returns true if any one of the regular expressions matches. The
&$regex_match_string$& expansion variable is then set up and contains the
matching regular expression.
+The expansion variables &$regex1$& &$regex2$& etc
+are set to any substrings captured by the regular expression.
&*Warning*&: With large messages, these conditions can be fairly
CPU-intensive.
.cindex "log" "delivery line"
The format of the single-line entry in the main log that is written for every
delivery is shown in one of the examples below, for local and remote
-deliveries, respectively. Each example has been split into two lines in order
+deliveries, respectively. Each example has been split into multiple lines in order
to fit it on the page:
.code
2002-10-31 08:59:13 16ZCW1-0005MB-00 => marv
&` incoming_interface `& local interface on <= and => lines
&` incoming_port `& remote port on <= lines
&`*lost_incoming_connection `& as it says (includes timeouts)
+.new
+&` outgoing_interface `& local interface on => lines
+.wen
&` outgoing_port `& add remote port to => lines
&`*queue_run `& start and end queue runs
&` queue_time `& time on queue for one recipient
&` queue_time_overall `& time on queue for whole message
&` pid `& Exim process id
+.new
+&` proxy `& proxy address on <= and => lines
+.wen
&` received_recipients `& recipients on <= lines
&` received_sender `& sender on <= lines
&`*rejected_header `& header contents on reject log
&%incoming_interface%&: The interface on which a message was received is added
to the &"<="& line as an IP address in square brackets, tagged by I= and
followed by a colon and the port number. The local interface and port are also
-added to other SMTP log lines, for example &"SMTP connection from"& and to
-rejection lines
-and (despite the name) the local interface is added to &"=>"& lines..
+added to other SMTP log lines, for example &"SMTP connection from"&, to
+rejection lines, and (despite the name) to outgoing &"=>"& and &"->"& lines.
+.new
+The latter can be disabled by turning off the &%outgoing_interface%& option.
+.wen
+.next
+.new
+.cindex log "incoming proxy address"
+.cindex proxy "logging proxy address"
+.cindex "TCP/IP" "logging proxy address"
+&%proxy%&: The internal (closest to the system running Exim) IP address
+of the proxy, tagged by PRX=, on the &"<="& line for a message accepted
+on a proxied connection
+or the &"=>"& line for a message delivered on a proxied connection..
+See &<<SECTproxyInbound>>& for more information.
+.wen
.next
.cindex "log" "incoming remote port"
.cindex "port" "logging remote"
&%lost_incoming_connection%&: A log line is written when an incoming SMTP
connection is unexpectedly dropped.
.next
+.cindex "log" "outgoing interface"
+.cindex "log" "local interface"
+.cindex "log" "local address and port"
+.cindex "TCP/IP" "logging local address and port"
+.cindex "interface" "logging"
+.new
+&%outgoing_interface%&: If &%incoming_interface%& is turned on, then the
+interface on which a message was sent is added to delivery lines as an I= tag
+followed by IP address in square brackets. You can disable this by turning
+off the &%outgoing_interface%& option.
+.wen
+.next
.cindex "log" "outgoing remote port"
.cindex "port" "logging outgoint remote"
.cindex "TCP/IP" "logging ougtoing remote port"
&%outgoing_port%&: The remote port number is added to delivery log lines (those
-containing => tags) following the IP address. This option is not included in
-the default setting, because for most ordinary configurations, the remote port
-number is always 25 (the SMTP port).
+containing => tags) following the IP address.
+.new
+The local port is also added if &%incoming_interface%& and
+&%outgoing_interface%& are both enabled.
+.wen
+This option is not included in the default setting, because for most ordinary
+configurations, the remote port number is always 25 (the SMTP port), and the
+local port is a random ephemeral port.
.next
.cindex "log" "process ids in"
.cindex "pid (process id)" "in log lines"
.next
Serializing delivery to a specific host (when &%serialize_hosts%& is set in an
&(smtp)& transport)
+.next
+Limiting the concurrency of specific transports (when &%max_parallel%& is set
+in a transport)
.endlist
in the key record.
.vitem &%$dkim_key_notes%&
Notes from the key record (tag n=).
+.vitem &%$dkim_key_length%&
+Number of bits in the key.
.endlist
In addition, two ACL conditions are provided:
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
+.chapter "Proxies" "CHAPproxies" &&&
+ "Proxy support"
+.cindex "proxy support"
+.cindex "proxy" "access via"
+
+.new
+A proxy is an intermediate system through which communication is passed.
+Proxies may provide a security, availability or load-distribution function.
+
+
+.section "Inbound proxies" SECTproxyInbound
+.cindex proxy inbound
+.cindex proxy "server side"
+.cindex proxy "Proxy protocol"
+.cindex "Proxy protocol" proxy
+
+Exim has support for receiving inbound SMTP connections via a proxy
+that uses &"Proxy Protocol"& to speak to it.
+To include this support, include &"SUPPORT_PROXY=yes"&
+in Local/Makefile.
+
+It was built on specifications from:
+http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+That URL was revised in May 2014 to version 2 spec:
+http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e
+
+The purpose of this facility is so that an application load balancer,
+such as HAProxy, can sit in front of several Exim servers
+to distribute load.
+Exim uses the local protocol communication with the proxy to obtain
+the remote SMTP system IP address and port information.
+There is no logging if a host passes or
+fails Proxy Protocol negotiation, but it can easily be determined and
+recorded in an ACL (example is below).
+
+Use of a proxy is enabled by setting the &%hosts_proxy%&
+main configuration option to a hostlist; connections from these
+hosts will use Proxy Protocol.
+
+The following expansion variables are usable
+(&"internal"& and &"external"& here refer to the interfaces
+of the proxy):
+.display
+&'proxy_host_address '& internal IP address of the proxy
+&'proxy_host_port '& internal TCP port of the proxy
+&'proxy_target_address '& external IP address of the proxy
+&'proxy_target_port '& external TCP port of the proxy
+&'proxy_session '& boolean: SMTP connection via proxy
+.endd
+If &$proxy_session$& is set but &$proxy_host_address$& is empty
+there was a protocol error.
+
+Since the real connections are all coming from the proxy, and the
+per host connection tracking is done before Proxy Protocol is
+evaluated, &%smtp_accept_max_per_host%& must be set high enough to
+handle all of the parallel volume you expect per inbound proxy.
+With the option set so high, you lose the ability
+to protect your server from many connections from one IP.
+In order to prevent your server from overload, you
+need to add a per connection ratelimit to your connect ACL.
+A possible solution is:
+.display
+ # Set max number of connections per host
+ LIMIT = 5
+ # Or do some kind of IP lookup in a flat file or database
+ # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}}
+
+ defer message = Too many connections from this IP right now
+ ratelimit = LIMIT / 5s / per_conn / strict
+.endd
+
+
+
+.section "Outbound proxies" SECTproxySOCKS
+.cindex proxy outbound
+.cindex proxy "client side"
+.cindex proxy SOCKS
+.cindex SOCKS proxy
+Exim has support for sending outbound SMTP via a proxy
+using a protocol called SOCKS5 (defined by RFC1928).
+The support can be optionally included by defining SUPPORT_SOCKS=yes in
+Local/Makefile.
+
+Use of a proxy is enabled by setting the &%socks_proxy%& option
+on an smtp transport.
+The option value is expanded and should then be a list
+(colon-separated by default) of proxy specifiers.
+Each proxy specifier is a list
+(space-separated by default) where the initial element
+is an IP address and any subsequent elements are options.
+
+Options are a string <name>=<value>.
+The list of options is in the following table:
+.display
+&`auth `& authentication method
+&`name `& authentication username
+&`pass `& authentication password
+&`port `& tcp port
+&`tmo `& connection timeout
+&`pri `& priority
+&`weight `& selection bias
+.endd
+
+More details on each of these options follows:
+
+.ilist
+.cindex authentication "to proxy"
+.cindex proxy authentication
+&%auth%&: Either &"none"& (default) or &"name"&.
+Using &"name"& selects username/password authentication per RFC 1929
+for access to the proxy.
+Default is &"none"&.
+.next
+&%name%&: sets the username for the &"name"& authentication method.
+Default is empty.
+.next
+&%pass%&: sets the password for the &"name"& authentication method.
+Default is empty.
+.next
+&%port%&: the TCP port number to use for the connection to the proxy.
+Default is 1080.
+.next
+&%tmo%&: sets a connection timeout in seconds for this proxy.
+Default is 5.
+.next
+&%pri%&: specifies a priority for the proxy within the list,
+higher values being tried first.
+The default priority is 1.
+.next
+&%weight%&: specifies a selection bias.
+Within a priority set servers are queried in a random fashion,
+weighted by this value.
+The default value for selection bias is 1.
+.endlist
+
+Proxies from the list are tried according to their priority
+and weight settings until one responds. The timeout for the
+overall connection applies to the set of proxied attempts.
+
+.section Logging SECTproxyLog
+To log the (local) IP of a proxy in the incoming or delivery logline,
+add &"+proxy"& to the &%log_selector%& option.
+This will add a component tagged with &"PRX="& to the line.
+.wen
+
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+
.chapter "Adding new drivers or lookup types" "CHID13" &&&
"Adding drivers or lookups"
.cindex "adding drivers"
projects / exim.git / blobdiff