The first three non-comment configuration lines are as follows:
.code
-domainlist local_domains = @
+domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1
.endd
fact authenticate until you complete the authenticator definitions.
.code
require message = relay not permitted
- domains = +local_domains : +relay_domains
+ domains = +local_domains : +relay_to_domains
.endd
This statement rejects the address if its domain is neither a local domain nor
one of the domains for which this host is a relay.
# server_set_id = $auth2
# server_prompts = :
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
.endd
And the example LOGIN authenticator looks like this:
.code
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
.endd
The &%server_set_id%& option makes Exim remember the authenticated username
.endd
In a list, the syntax is similar. For example:
.code
-domainlist relay_domains = sqlite;/some/thing/sqlitedb \
+domainlist relay_to_domains = sqlite;/some/thing/sqlitedb \
select * from relays where ip='$sender_host_address';
.endd
The only character affected by the &%quote_sqlite%& operator is a single
subject having matched any of the patterns, it is in the set if the last item
was a negative one, but not if it was a positive one. For example, the list in
.code
-domainlist relay_domains = !a.b.c : *.b.c
+domainlist relay_to_domains = !a.b.c : *.b.c
.endd
matches any domain ending in &'.b.c'& except for &'a.b.c'&. Domains that match
neither &'a.b.c'& nor &'*.b.c'& do not match, because the last item in the
list is positive. However, if the setting were
.code
-domainlist relay_domains = !a.b.c
+domainlist relay_to_domains = !a.b.c
.endd
then all domains other than &'a.b.c'& would match because the last item in the
list is negative. In other words, a list that ends with a negative item behaves
respectively. Then there follows the name that you are defining, followed by an
equals sign and the list itself. For example:
.code
-hostlist relay_hosts = 192.168.23.0/24 : my.friend.example
+hostlist relay_from_hosts = 192.168.23.0/24 : my.friend.example
addresslist bad_senders = cdb;/etc/badsenders
.endd
A named list may refer to other named lists:
This item inserts &"basic"& header lines. It is described with the &%header%&
expansion item below.
+
+.vitem "&*${acl{*&<&'name'&>&*}{*&<&'arg'&>&*}...}*&"
+.cindex "expansion" "calling an acl"
+.cindex "&%acl%&" "call from expansion"
+The name and zero to nine argument strings are first expanded separately. The expanded
+arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+Any unused are made empty. The variable &$acl_narg$& is set to the number of
+arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+and may use the variables; if another acl expansion is used the values
+are overwritten. If the ACL sets
+a value using a "message =" modifier and returns accept or deny, the value becomes
+the result of the expansion.
+If no message was set and the ACL returned accept or deny
+the value is an empty string.
+If the ACL returned defer the result is a forced-fail. Otherwise the expansion fails.
+
+
.vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&&
{*&<&'arg'&>&*}...}*&"
.cindex &%dlfunc%&
identifiers, base-36 digits. The number is converted to decimal and output as a
string.
+
.vitem &*${domain:*&<&'string'&>&*}*&
.cindex "domain" "extraction"
.cindex "expansion" "domain extraction"
when &%length%& is used as an operator.
+.vitem &*${listcount:*&<&'string'&>&*}*&
+.cindex "expansion" "list item count"
+.cindex "list" "item count"
+.cindex "list" "count of items"
+.cindex "&%listcount%& expansion item"
+The string is interpreted as a list and the number of items is returned.
+
+
+.vitem &*${listnamed:*&<&'name'&>&*}*&&~and&~&*${list_*&<&'type'&>&*name'&>&*}*&
+.cindex "expansion" "named list"
+.cindex "&%listnamed%& expansion item"
+The name is interpreted as a named list and the content of the list is returned,
+expanding any referenced lists, re-quoting as needed for colon-separation.
+If the optional type if given it must be one of "a", "d", "h" or "l"
+and selects address-, domain-, host- or localpart- lists to search among respectively.
+Otherwise all types are searched in an undefined order and the first
+matching list is returned.
+
+
.vitem &*${local_part:*&<&'string'&>&*}*&
.cindex "expansion" "local part extraction"
.cindex "&%local_part%& expansion item"
.endd
Note that the general negation operator provides for inequality testing. The
two strings must take the form of optionally signed decimal integers,
-optionally followed by one of the letters &"K"& or &"M"& (in either upper or
-lower case), signifying multiplication by 1024 or 1024*1024, respectively.
+optionally followed by one of the letters &"K"&, &"M"& or &"G"& (in either upper or
+lower case), signifying multiplication by 1024, 1024*1024 or 1024*1024*1024, respectively.
As a special case, the numerical value of an empty string is taken as
zero.
10M, not if 10M is larger than &$message_size$&.
+.vitem &*acl&~{{*&<&'name'&>&*}{*&<&'arg1'&>&*}&&&
+ {*&<&'arg2'&>&*}...}*&
+.cindex "expansion" "calling an acl"
+.cindex "&%acl%&" "expansion condition"
+The name and zero to nine argument strings are first expanded separately. The expanded
+arguments are assigned to the variables &$acl_arg1$& to &$acl_arg9$& in order.
+Any unused are made empty. The variable &$acl_narg$& is set to the number of
+arguments. The named ACL (see chapter &<<CHAPACL>>&) is called
+and may use the variables; if another acl expansion is used the values
+are overwritten. If the ACL sets
+a value using a "message =" modifier the variable $value becomes
+the result of the expansion, otherwise it is empty.
+If the ACL returns accept the condition is true; if deny, false.
+If the ACL returns defer the result is a forced-fail.
+
.vitem &*bool&~{*&<&'string'&>&*}*&
.cindex "expansion" "boolean parsing"
.cindex "&%bool%& expansion condition"
command, which can be found in the separate document entitled &'Exim's
interfaces to mail filtering'&.
-.vitem &$tls_bits$&
-.vindex "&$tls_bits$&"
-Contains an approximation of the TLS cipher's bit-strength; the meaning of
+.vitem &$tls_in_bits$&
+.vindex "&$tls_in_bits$&"
+Contains an approximation of the TLS cipher's bit-strength
+on the inbound connection; the meaning of
this depends upon the TLS implementation used.
If TLS has not been negotiated, the value will be 0.
The value of this is automatically fed into the Cyrus SASL authenticator
when acting as a server, to specify the "external SSF" (a SASL term).
-.vitem &$tls_certificate_verified$&
-.vindex "&$tls_certificate_verified$&"
+The deprecated &$tls_bits$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_bits$&
+.vindex "&$tls_out_bits$&"
+Contains an approximation of the TLS cipher's bit-strength
+on an outbound SMTP connection; the meaning of
+this depends upon the TLS implementation used.
+If TLS has not been negotiated, the value will be 0.
+
+.vitem &$tls_in_certificate_verified$&
+.vindex "&$tls_in_certificate_verified$&"
This variable is set to &"1"& if a TLS certificate was verified when the
message was received, and &"0"& otherwise.
-.vitem &$tls_cipher$&
+The deprecated &$tls_certificate_verfied$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_certificate_verified$&
+.vindex "&$tls_out_certificate_verified$&"
+This variable is set to &"1"& if a TLS certificate was verified when an
+outbound SMTP connection was made,
+and &"0"& otherwise.
+
+.vitem &$tls_in_cipher$&
+.vindex "&$tls_in_cipher$&"
.vindex "&$tls_cipher$&"
When a message is received from a remote host over an encrypted SMTP
connection, this variable is set to the cipher suite that was negotiated, for
&$tls_cipher$& for emptiness is one way of distinguishing between encrypted and
non-encrypted connections during ACL processing.
-The &$tls_cipher$& variable retains its value during message delivery, except
-when an outward SMTP delivery takes place via the &(smtp)& transport. In this
-case, &$tls_cipher$& is cleared before any outgoing SMTP connection is made,
+The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during message reception,
+but in the context of an outward SMTP delivery taking place via the &(smtp)& transport
+becomes the same as &$tls_out_cipher$&.
+
+.vitem &$tls_out_cipher$&
+.vindex "&$tls_out_cipher$&"
+This variable is
+cleared before any outgoing SMTP connection is made,
and then set to the outgoing cipher suite if one is negotiated. See chapter
&<<CHAPTLS>>& for details of TLS support and chapter &<<CHAPsmtptrans>>& for
details of the &(smtp)& transport.
-.vitem &$tls_peerdn$&
+.vitem &$tls_in_peerdn$&
+.vindex "&$tls_in_peerdn$&"
.vindex "&$tls_peerdn$&"
When a message is received from a remote host over an encrypted SMTP
connection, and Exim is configured to request a certificate from the client,
the value of the Distinguished Name of the certificate is made available in the
-&$tls_peerdn$& during subsequent processing. Like &$tls_cipher$&, the
-value is retained during message delivery, except during outbound SMTP
-deliveries.
+&$tls_in_peerdn$& during subsequent processing.
+
+The deprecated &$tls_peerdn$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_peerdn$&
+.vindex "&$tls_out_peerdn$&"
+When a message is being delivered to a remote host over an encrypted SMTP
+connection, and Exim is configured to request a certificate from the server,
+the value of the Distinguished Name of the certificate is made available in the
+&$tls_out_peerdn$& during subsequent processing.
-.vitem &$tls_sni$&
+.vitem &$tls_in_sni$&
+.vindex "&$tls_in_sni$&"
.vindex "&$tls_sni$&"
.cindex "TLS" "Server Name Indication"
When a TLS session is being established, if the client sends the Server
a different certificate to be presented (and optionally a different key to be
used) to the client, based upon the value of the SNI extension.
-The value will be retained for the lifetime of the message. During outbound
-SMTP deliveries, it reflects the value of the &%tls_sni%& option on
+The deprecated &$tls_sni$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_sni$&
+.vindex "&$tls_out_sni$&"
+.cindex "TLS" "Server Name Indication"
+During outbound
+SMTP deliveries, this variable reflects the value of the &%tls_sni%& option on
the transport.
.vitem &$tod_bsdinbox$&
.section "TLS" "SECID108"
.table2
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
+.new
+.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
+.wen
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
is encrypted using TLS, you can make use of the fact that the value of this
option is expanded, with a setting like this:
.code
-auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
+auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
.endd
-.vindex "&$tls_cipher$&"
-If &$tls_cipher$& is empty, the session is not encrypted, and the result of
+.vindex "&$tls_in_cipher$&"
+If &$tls_in_cipher$& is empty, the session is not encrypted, and the result of
the expansion is empty, thus matching no hosts. Otherwise, the result of the
expansion is *, which matches all hosts.
server. This reduces security slightly, but improves interworking with older
implementations of TLS.
+
+.new
+option gnutls_enable_pkcs11 main boolean unset
+This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
+the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
+
+See
+&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs)
+for documentation.
+.wen
+
+
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
&"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
${if def:received_protocol {with $received_protocol}} \
- ${if def:tls_cipher {($tls_cipher)\n\t}}\
+ ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\
(Exim $version_number)\n\t\
${if def:sender_address \
{(envelope-from <$sender_address>)\n\t}}\
. Allow this long option name to split; give it unsplit as a fifth argument
. for the automatic .oindex that is generated by .option.
-.option "smtp_accept_max_per_ &~&~connection" main integer 1000 &&&
+.option "smtp_accept_max_per_connection" main integer 1000 &&&
smtp_accept_max_per_connection
.cindex "SMTP" "limiting incoming message count"
.cindex "limit" "messages per SMTP connection"
use when sending messages as a client, you must set the &%tls_certificate%&
option in the relevant &(smtp)& transport.
-If the option contains &$tls_sni$& and Exim is built against OpenSSL, then
+If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
Server Name Indication extension, then this option and others documented in
&<<SECTtlssni>>& will be re-expanded.
If the result is any other value, the router is run (as this is the last
precondition to be evaluated, all the other preconditions must be true).
-This option is unique in that multiple &%condition%& options may be present.
+This option is unusual in that multiple &%condition%& options may be present.
All &%condition%& options must succeed.
The &%condition%& option provides a means of applying custom conditions to the
the expansion is forced to fail, the option has no effect. Other expansion
failures are treated as configuration errors.
+Unlike most options, &%headers_add%& can be specified multiple times
+for a router; all listed headers are added.
+
&*Warning 1*&: The &%headers_add%& option cannot be used for a &(redirect)&
router that has the &%one_time%& option set.
the option has no effect. Other expansion failures are treated as configuration
errors.
+Unlike most options, &%headers_remove%& can be specified multiple times
+for a router; all listed headers are removed.
+
&*Warning 1*&: The &%headers_remove%& option cannot be used for a &(redirect)&
router that has the &%one_time%& option set.
is forced to fail, no action is taken. Other expansion failures are treated as
errors and cause the delivery to be deferred.
+Unlike most options, &%headers_add%& can be specified multiple times
+for a transport; all listed headers are added.
+
.option headers_only transports boolean false
is forced to fail, no action is taken. Other expansion failures are treated as
errors and cause the delivery to be deferred.
+Unlike most options, &%headers_remove%& can be specified multiple times
+for a router; all listed headers are added.
+
.option headers_rewrite transports string unset
are in force when any authenticators are run and when the
&%authenticated_sender%& option is expanded.
+These variables are deprecated in favour of &$tls_in_cipher$& et. al.
+and will be removed in a future release.
+
.section "Private options for smtp" "SECID146"
.cindex "options" "&(smtp)& transport"
The expansion happens after the outgoing connection has been made and TLS
started, if required. This means that the &$host$&, &$host_address$&,
-&$tls_cipher$&, and &$tls_peerdn$& variables are set according to the
+&$tls_out_cipher$&, and &$tls_out_peerdn$& variables are set according to the
particular connection.
If the SMTP session is not authenticated, the expansion of
Exim will not try to start a TLS session when delivering to any host that
matches this list. See chapter &<<CHAPTLS>>& for details of TLS.
+.option hosts_verify_avoid_tls smtp "host list&!!" *
+.cindex "TLS" "avoiding for certain hosts"
+Exim will not try to start a TLS session for a verify callout,
+or when delivering in cutthrough mode,
+to any host that matches this list.
+Note that the default is to not use TLS.
+
.option hosts_max_try smtp integer 5
.cindex "host" "maximum number to try"
.option tls_sni smtp string&!! unset
.cindex "TLS" "Server Name Indication"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_sni variable and causes any
+If this option is set then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
used, for example, to skip plain text authenticators when the connection is not
encrypted by a setting such as:
.code
-client_condition = ${if !eq{$tls_cipher}{}}
+client_condition = ${if !eq{$tls_out_cipher}{}}
.endd
-(Older documentation incorrectly states that &$tls_cipher$& contains the cipher
-used for incoming messages. In fact, during SMTP delivery, it contains the
-cipher used for the delivery.)
.option driver authenticators string unset
advertisement of a particular mechanism to encrypted connections, by a setting
such as:
.code
-server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}}
.endd
-.vindex "&$tls_cipher$&"
-If the session is encrypted, &$tls_cipher$& is not empty, and so the expansion
+.vindex "&$tls_in_cipher$&"
+If the session is encrypted, &$tls_in_cipher$& is not empty, and so the expansion
yields &"yes"&, which allows the advertisement to happen.
When an Exim server receives an AUTH command from a client, it rejects it
.next
The default value for &%tls_dhparam%& differs for historical reasons.
.next
-.vindex "&$tls_peerdn$&"
+.vindex "&$tls_in_peerdn$&"
+.vindex "&$tls_out_peerdn$&"
Distinguished Name (DN) strings reported by the OpenSSL library use a slash for
separating fields; GnuTLS uses commas, in accordance with RFC 2253. This
-affects the value of the &$tls_peerdn$& variable.
+affects the value of the &$tls_in_peerdn$& and &$tls_out_peerdn$& variables.
.next
OpenSSL identifies cipher suites using hyphens as separators, for example:
DES-CBC3-SHA. GnuTLS historically used underscores, for example:
.cindex "cipher" "logging"
.cindex "log" "TLS cipher"
-.vindex "&$tls_cipher$&"
-The variable &$tls_cipher$& is set to the cipher suite that was negotiated for
+.vindex "&$tls_in_cipher$&"
+The variable &$tls_in_cipher$& is set to the cipher suite that was negotiated for
an incoming TLS connection. It is included in the &'Received:'& header of an
incoming message (by default &-- you can, of course, change this), and it is
also included in the log line that records a message's arrival, keyed by
&"X="&, unless the &%tls_cipher%& log selector is turned off. The &%encrypted%&
condition can be used to test for specific cipher suites in ACLs.
-(For outgoing SMTP deliveries, &$tls_cipher$& is reset &-- see section
-&<<SECID185>>&.)
Once TLS has been established, the ACLs that run for subsequent SMTP commands
can check the name of the cipher suite and vary their actions accordingly. The
contexts is known as TLS_RSA_WITH_3DES_EDE_CBC_SHA. Check the OpenSSL or GnuTLS
documentation for more details.
+For outgoing SMTP deliveries, &$tls_out_cipher$& is used and logged
+(again depending on the &%tls_cipher%& log selector).
+
.section "Requesting and verifying client certificates" "SECID183"
.cindex "certificate" "verification of client"
example, you can insist on a certificate before accepting a message for
relaying, but not when the message is destined for local delivery.
-.vindex "&$tls_peerdn$&"
+.vindex "&$tls_in_peerdn$&"
When a client supplies a certificate (whether it verifies or not), the value of
the Distinguished Name of the certificate is made available in the variable
-&$tls_peerdn$& during subsequent processing of the message.
+&$tls_in_peerdn$& during subsequent processing of the message.
.cindex "log" "distinguished name"
Because it is often a long text string, it is not included in the log line or
&'Received:'& header by default. You can arrange for it to be logged, keyed by
&"DN="&, by setting the &%tls_peerdn%& log selector, and you can use
&%received_header_text%& to change the &'Received:'& header. When no
-certificate is supplied, &$tls_peerdn$& is empty.
+certificate is supplied, &$tls_in_peerdn$& is empty.
.section "Revoked certificates" "SECID184"
which the client is connected. Forced failure of an expansion causes Exim to
behave as if the relevant option were unset.
-.vindex &$tls_bits$&
-.vindex &$tls_cipher$&
-.vindex &$tls_peerdn$&
-.vindex &$tls_sni$&
+.vindex &$tls_out_bits$&
+.vindex &$tls_out_cipher$&
+.vindex &$tls_out_peerdn$&
+.vindex &$tls_out_sni$&
Before an SMTP connection is established, the
-&$tls_bits$&, &$tls_cipher$&, &$tls_peerdn$& and &$tls_sni$&
+&$tls_out_bits$&, &$tls_out_cipher$&, &$tls_out_peerdn$& and &$tls_out_sni$&
variables are emptied. (Until the first connection, they contain the values
that were set when the message was received.) If STARTTLS is subsequently
successfully obeyed, these variables are set to the relevant values for the
.section "Use of TLS Server Name Indication" "SECTtlssni"
.cindex "TLS" "Server Name Indication"
-.vindex "&$tls_sni$&"
-.oindex "&%tls_sni%&"
+.vindex "&$tls_in_sni$&"
+.oindex "&%tls_in_sni%&"
With TLS1.0 or above, there is an extension mechanism by which extra
information can be included at various points in the protocol. One of these
extensions, documented in RFC 6066 (and before that RFC 4366) is
The &%tls_sni%& option on an SMTP transport is an expanded string; the result,
if not empty, will be sent on a TLS session as part of the handshake. There's
nothing more to it. Choosing a sensible value not derived insecurely is the
-only point of caution. The &$tls_sni$& variable will be set to this string
+only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
-Except during SMTP client sessions, if &$tls_sni$& is set then it is a string
+Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
-If the string &`tls_sni`& appears in the main section's &%tls_certificate%&
+If the string &`tls_in_sni`& appears in the main section's &%tls_certificate%&
option (prior to expansion) then the following options will be re-expanded
during TLS session handshake, to permit alternative values to be chosen:
This modifier sets up a message that is used as part of the log message if the
ACL denies access or a &%warn%& statement's conditions are true. For example:
.code
-require log_message = wrong cipher suite $tls_cipher
+require log_message = wrong cipher suite $tls_in_cipher
encrypted = DES-CBC3-SHA
.endd
&%log_message%& is also used when recipients are discarded by &%discard%&. For
is what is wanted for subsequent tests.
+.new
+.vitem &*control&~=&~cutthrough_delivery*&
+.cindex "&ACL;" "cutthrough routing"
+This option requests delivery be attempted while the item is being received.
+It is usable in the RCPT ACL and valid only for single-recipient mails forwarded
+from one SMTP connection to another. If a recipient-verify callout connection is
+requested in the same ACL it is held open and used for the data, otherwise one is made
+after the ACL completes.
+
+Should the ultimate destination system positively accept or reject the mail,
+a corresponding indication is given to the source system and nothing is queued.
+If there is a temporary error the item is queued for later delivery in the
+usual fashion. If the item is successfully delivered in cutthrough mode the log line
+is tagged with ">>" rather than "=>" and appears before the acceptance "<="
+line.
+
+Delivery in this mode avoids the generation of a bounce mail to a (possibly faked)
+sender when the destination system is doing content-scan based rejection.
+.wen
+
+
.new
.vitem &*control&~=&~dscp/*&<&'value'&>
.cindex "&ACL;" "setting DSCP value"
.vitem &*acl&~=&~*&<&'name&~of&~acl&~or&~ACL&~string&~or&~file&~name&~'&>
.cindex "&ACL;" "nested"
.cindex "&ACL;" "indirect"
+.cindex "&ACL;" "arguments"
.cindex "&%acl%& ACL condition"
The possible values of the argument are the same as for the
&%acl_smtp_%&&'xxx'& options. The named or inline ACL is run. If it returns
condition false. This means that further processing of the &%warn%& verb
ceases, but processing of the ACL continues.
+If the argument is a named ACL, up to nine space-separated optional values
+can be appended; they appear in $acl_arg1 to $acl_arg9, and $acl_narg is set
+to the count of values. The name and values are expanded separately.
+
If the nested &%acl%& returns &"drop"& and the outer condition denies access,
the connection is dropped. If it returns &"discard"&, the verb must be
&%accept%& or &%discard%&, and the action is taken immediately &-- no further
In the main part of the configuration, you put the following definitions:
.code
-domainlist local_domains = my.dom1.example : my.dom2.example
-domainlist relay_domains = friend1.example : friend2.example
-hostlist relay_hosts = 192.168.45.0/24
+domainlist local_domains = my.dom1.example : my.dom2.example
+domainlist relay_to_domains = friend1.example : friend2.example
+hostlist relay_from_hosts = 192.168.45.0/24
.endd
Now you can use these definitions in the ACL that is run for every RCPT
command:
.code
acl_check_rcpt:
- accept domains = +local_domains : +relay_domains
- accept hosts = +relay_hosts
+ accept domains = +local_domains : +relay_to_domains
+ accept hosts = +relay_from_hosts
.endd
The first statement accepts any RCPT command that contains an address in
the local or relay domains. For any other domain, control passes to the second
.endd
Exim does not check the syntax of these added header lines.
+Multiple &%headers_add%& options for a single router or transport can be
+specified; the values will be concatenated (with a separating newline
+added) before expansion.
+
The result of expanding &%headers_remove%& must consist of a colon-separated
list of header names. This is confusing, because header names themselves are
often terminated by colons. In this case, the colons are the list separators,
.code
headers_remove = return-receipt-to:acknowledge-to
.endd
+
+Multiple &%headers_remove%& options for a single router or transport can be
+specified; the values will be concatenated (with a separating colon
+added) before expansion.
+
When &%headers_add%& or &%headers_remove%& is specified on a router, its value
is expanded at routing time, and then associated with all addresses that are
accepted by that router, and also with any new addresses that it generates. If
If the remote server advertises support for the STARTTLS command, and Exim
was built to support TLS encryption, it tries to start a TLS session unless the
server matches &%hosts_avoid_tls%&. See chapter &<<CHAPTLS>>& for more details.
+Either a match in that or &%hosts_verify_avoid_tls%& apply when the transport
+is called for verification.
If the remote server advertises support for the AUTH command, Exim scans
the authenticators configuration for any suitable client settings, as described
projects / exim.git / blobdiff