in the ASCII character set, and to label them as being in a particular
character set. When Exim is inspecting header lines by means of the &%$h_%&
mechanism, it decodes them, and translates them into a specified character set
-(default ISO-8859-1). The translation is possible only if the operating system
+(default is set at build time). The translation is possible only if the operating system
supports the &[iconv()]& function.
However, some of the operating systems that supply &[iconv()]& do not support
exim '-D ABC = something' ...
.endd
&%-D%& may be repeated up to 10 times on a command line.
+.new
+Only macro names up to 22 letters long can be set.
+.wen
.vitem &%-d%&<&'debug&~options'&>
must be &"follow"& (the default) or &"nofollow"&. The latter stops the LDAP
library from trying to follow referrals issued by the LDAP server.
+.cindex LDAP timeout
+.cindex timeout "LDAP lookup"
The name CONNECT is an obsolete name for NETTIME, retained for
backwards compatibility. This timeout (specified as a number of seconds) is
enforced from the client end for operations that can be carried out over a
The &(ldapdn)& lookup type returns the Distinguished Name from a single entry
as a sequence of values, for example
.code
-cn=manager, o=University of Cambridge, c=UK
+cn=manager,o=University of Cambridge,c=UK
.endd
The &(ldap)& lookup type generates an error if more than one entry matches the
search filter, whereas &(ldapm)& permits this case, and inserts a newline in
In the common case where you specify a single attribute in your LDAP query, the
result is not quoted, and does not contain the attribute name. If the attribute
-has multiple values, they are separated by commas.
+has multiple values, they are separated by commas. Any comma that is
+part of an attribute's value is doubled.
If you specify multiple attributes, the result contains space-separated, quoted
strings, each preceded by the attribute name and an equals sign. Within the
Here are some examples of the output format. The first line of each pair is an
LDAP query, and the second is the data that is returned. The attribute called
&%attr1%& has two values, one of them with an embedded comma, whereas
-&%attr2%& has only one value:
+&%attr2%& has only one value. Both attributes are derived from &%attr%&
+(they have SUP &%attr%& in their schema definitions).
+
.code
ldap:///o=base?attr1?sub?(uid=fred)
value1.1,value1,,2
ldap:///o=base?attr2?sub?(uid=fred)
value two
+ldap:///o=base?attr?sub?(uid=fred)
+value1.1,value1,,2,value two
+
ldap:///o=base?attr1,attr2?sub?(uid=fred)
attr1="value1.1,value1,,2" attr2="value two"
.section "Special MySQL features" "SECID73"
For MySQL, an empty host name or the use of &"localhost"& in &%mysql_servers%&
causes a connection to the server on the local host by means of a Unix domain
-socket. An alternate socket can be specified in parentheses. The full syntax of
-each item in &%mysql_servers%& is:
+socket. An alternate socket can be specified in parentheses.
+.new
+An option group name for MySQL option files can be specified in square brackets;
+the default value is &"exim"&.
+.wen
+The full syntax of each item in &%mysql_servers%& is:
.display
-<&'hostname'&>::<&'port'&>(<&'socket name'&>)/<&'database'&>/&&&
- <&'user'&>/<&'password'&>
+<&'hostname'&>::<&'port'&>(<&'socket name'&>)[<&'option group'&>]/&&&
+ <&'database'&>/<&'user'&>/<&'password'&>
.endd
-Any of the three sub-parts of the first field can be omitted. For normal use on
+Any of the four sub-parts of the first field can be omitted. For normal use on
the local host it can be left blank or set to just &"localhost"&.
No database need be supplied &-- but if it is absent here, it must be given in
The only character affected by the &%quote_sqlite%& operator is a single
quote, which it doubles.
+.cindex timeout SQLite
+.cindex sqlite "lookup timeout"
The SQLite library handles multiple simultaneous accesses to the database
internally. Multiple readers are permitted, but only one process can
update at once. Attempts to access the database while it is being updated
This operator encodes text according to the rules of RFC 2047. This is an
encoding that is used in header lines to encode non-ASCII characters. It is
assumed that the input string is in the encoding specified by the
-&%headers_charset%& option, which defaults to ISO-8859-1. If the string
+&%headers_charset%& option, which gets its default at build time. If the string
contains only characters in the range 33&--126, and no instances of the
characters
.code
&$dkim_key_nosubdomains$& &&&
&$dkim_key_srvtype$& &&&
&$dkim_key_granularity$& &&&
- &$dkim_key_notes$&
+ &$dkim_key_notes$& &&&
+ &$dkim_key_length$&
These variables are only available within the DKIM ACL.
For details see chapter &<<CHAPdkim>>&.
qualified host name. See also &$smtp_active_hostname$&.
+.new
+.vitem &$proxy_host_address$& &&&
+ &$proxy_host_port$& &&&
+ &$proxy_target_address$& &&&
+ &$proxy_target_port$& &&&
+ &$proxy_session$&
+These variables are only available when built with Proxy Protocol
+or Socks5 support
+For details see chapter &<<SECTproxyInbound>>&.
+.wen
+
.new
.vitem &$prdr_requested$&
.cindex "PRDR" "variable for"
.row &%helo_verify_hosts%& "HELO hard-checked for these hosts"
.row &%host_lookup%& "host name looked up for these hosts"
.row &%host_lookup_order%& "order of DNS and local name lookups"
+.row &%hosts_proxy%& "use proxy protocol for these hosts"
.row &%host_reject_connection%& "reject connection from these hosts"
.row &%hosts_treat_as_local%& "useful in some cluster configurations"
.row &%local_scan_timeout%& "timeout for &[local_scan()]&"
+.new
+.option hosts_proxy main "host list&!!" unset
+.cindex proxy "proxy protocol"
+This option enables use of Proxy Protocol proxies for incoming
+connections. For details see &<<SECTproxyInbound>>&.
+.wen
+
+
.option hosts_treat_as_local main "domain list&!!" unset
.cindex "local host" "domains treated as"
.cindex "host" "treated as local"
the use of the SIZE option altogether.
+.new
+.option socks_proxy smtp string&!! unset
+.cindex proxy SOCKS
+This option enables use of SOCKS proxies for connections made by the
+transport. For details see &<<SECTproxySOCKS>>&.
+.wen
+
+
.option tls_certificate smtp string&!! unset
.cindex "TLS" "client certificate, location of"
.cindex "certificate" "client, location of"
2822 address, including the angle brackets if necessary. If text outside angle
brackets contains a character whose value is greater than 126 or less than 32
(except for tab), the text is encoded according to RFC 2047. The character set
-is taken from &%headers_charset%&, which defaults to ISO-8859-1.
+is taken from &%headers_charset%&, which gets its default at build time.
When the &"w"& flag is set on a rule that causes an envelope address to be
rewritten, all but the working part of the replacement address is discarded.
.cindex "log" "delivery line"
The format of the single-line entry in the main log that is written for every
delivery is shown in one of the examples below, for local and remote
-deliveries, respectively. Each example has been split into two lines in order
+deliveries, respectively. Each example has been split into multiple lines in order
to fit it on the page:
.code
2002-10-31 08:59:13 16ZCW1-0005MB-00 => marv
&` queue_time `& time on queue for one recipient
&` queue_time_overall `& time on queue for whole message
&` pid `& Exim process id
+.new
+&` proxy `& proxy address on <= and => lines
+.wen
&` received_recipients `& recipients on <= lines
&` received_sender `& sender on <= lines
&`*rejected_header `& header contents on reject log
The latter can be disabled by turning off the &%outgoing_interface%& option.
.wen
.next
+.new
+.cindex log "incoming proxy address"
+.cindex proxy "logging proxy address"
+.cindex "TCP/IP" "logging proxy address"
+&%proxy%&: The internal (closest to the system running Exim) IP address
+of the proxy, tagged by PRX=, on the &"<="& line for a message accepted
+on a proxied connection
+or the &"=>"& line for a message delivered on a proxied connection..
+See &<<SECTproxyInbound>>& for more information.
+.wen
+.next
.cindex "log" "incoming remote port"
.cindex "port" "logging remote"
.cindex "TCP/IP" "logging incoming remote port"
in the key record.
.vitem &%$dkim_key_notes%&
Notes from the key record (tag n=).
+.vitem &%$dkim_key_length%&
+Number of bits in the key.
.endlist
In addition, two ACL conditions are provided:
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
+.chapter "Proxies" "CHAPproxies" &&&
+ "Proxy support"
+.cindex "proxy support"
+.cindex "proxy" "access via"
+
+.new
+A proxy is an intermediate system through which communication is passed.
+Proxies may provide a security, availability or load-distribution function.
+
+
+.section "Inbound proxies" SECTproxyInbound
+.cindex proxy inbound
+.cindex proxy "server side"
+.cindex proxy "Proxy protocol"
+.cindex "Proxy protocol" proxy
+
+Exim has support for receiving inbound SMTP connections via a proxy
+that uses &"Proxy Protocol"& to speak to it.
+To include this support, include &"SUPPORT_PROXY=yes"&
+in Local/Makefile.
+
+It was built on specifications from:
+http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+That URL was revised in May 2014 to version 2 spec:
+http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e
+
+The purpose of this facility is so that an application load balancer,
+such as HAProxy, can sit in front of several Exim servers
+to distribute load.
+Exim uses the local protocol communication with the proxy to obtain
+the remote SMTP system IP address and port information.
+There is no logging if a host passes or
+fails Proxy Protocol negotiation, but it can easily be determined and
+recorded in an ACL (example is below).
+
+Use of a proxy is enabled by setting the &%hosts_proxy%&
+main configuration option to a hostlist; connections from these
+hosts will use Proxy Protocol.
+
+The following expansion variables are usable
+(&"internal"& and &"external"& here refer to the interfaces
+of the proxy):
+.display
+&'proxy_host_address '& internal IP address of the proxy
+&'proxy_host_port '& internal TCP port of the proxy
+&'proxy_target_address '& external IP address of the proxy
+&'proxy_target_port '& external TCP port of the proxy
+&'proxy_session '& boolean: SMTP connection via proxy
+.endd
+If &$proxy_session$& is set but &$proxy_host_address$& is empty
+there was a protocol error.
+
+Since the real connections are all coming from the proxy, and the
+per host connection tracking is done before Proxy Protocol is
+evaluated, &%smtp_accept_max_per_host%& must be set high enough to
+handle all of the parallel volume you expect per inbound proxy.
+With the option set so high, you lose the ability
+to protect your server from many connections from one IP.
+In order to prevent your server from overload, you
+need to add a per connection ratelimit to your connect ACL.
+A possible solution is:
+.display
+ # Set max number of connections per host
+ LIMIT = 5
+ # Or do some kind of IP lookup in a flat file or database
+ # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}}
+
+ defer message = Too many connections from this IP right now
+ ratelimit = LIMIT / 5s / per_conn / strict
+.endd
+
+
+
+.section "Outbound proxies" SECTproxySOCKS
+.cindex proxy outbound
+.cindex proxy "client side"
+.cindex proxy SOCKS
+.cindex SOCKS proxy
+Exim has support for sending outbound SMTP via a proxy
+using a protocol called SOCKS5 (defined by RFC1928).
+The support can be optionally included by defining SUPPORT_SOCKS=yes in
+Local/Makefile.
+
+Use of a proxy is enabled by setting the &%socks_proxy%& option
+on an smtp transport.
+The option value is expanded and should then be a list
+(colon-separated by default) of proxy specifiers.
+Each proxy specifier is a list
+(space-separated by default) where the initial element
+is an IP address and any subsequent elements are options.
+
+Options are a string <name>=<value>.
+The list of options is in the following table:
+.display
+&`auth `& authentication method
+&`name `& authentication username
+&`pass `& authentication password
+&`port `& tcp port
+&`tmo `& connection timeout
+&`pri `& priority
+&`weight `& selection bias
+.endd
+
+More details on each of these options follows:
+
+.ilist
+.cindex authentication "to proxy"
+.cindex proxy authentication
+&%auth%&: Either &"none"& (default) or &"name"&.
+Using &"name"& selects username/password authentication per RFC 1929
+for access to the proxy.
+Default is &"none"&.
+.next
+&%name%&: sets the username for the &"name"& authentication method.
+Default is empty.
+.next
+&%pass%&: sets the password for the &"name"& authentication method.
+Default is empty.
+.next
+&%port%&: the TCP port number to use for the connection to the proxy.
+Default is 1080.
+.next
+&%tmo%&: sets a connection timeout in seconds for this proxy.
+Default is 5.
+.next
+&%pri%&: specifies a priority for the proxy within the list,
+higher values being tried first.
+The default priority is 1.
+.next
+&%weight%&: specifies a selection bias.
+Within a priority set servers are queried in a random fashion,
+weighted by this value.
+The default value for selection bias is 1.
+.endlist
+
+Proxies from the list are tried according to their priority
+and weight settings until one responds. The timeout for the
+overall connection applies to the set of proxied attempts.
+
+.section Logging SECTproxyLog
+To log the (local) IP of a proxy in the incoming or delivery logline,
+add &"+proxy"& to the &%log_selector%& option.
+This will add a component tagged with &"PRX="& to the line.
+.wen
+
+. ////////////////////////////////////////////////////////////////////////////
+. ////////////////////////////////////////////////////////////////////////////
+
.chapter "Adding new drivers or lookup types" "CHID13" &&&
"Adding drivers or lookups"
.cindex "adding drivers"
projects / exim.git / blobdiff