using the same syntax as for &%-oMa%&. The interface address is placed in
&$received_ip_address$& and the port number, if present, in &$received_port$&.
+.vitem &%-oMm%&&~<&'message&~reference'&>
+.oindex "&%-oMm%&"
+.cindex "message reference" "message reference, specifying for local message"
+See &%-oMa%& above for general remarks about the &%-oM%& options. The &%-oMm%&
+option sets the message reference, e.g. message-id, and is logged during
+delivery. This is useful when some kind of audit trail is required to tie
+messages together. The format of the message reference is checked and will
+abort if the format is invalid. The option will only be accepted if exim is
+running in trusted mode, not as any regular user.
+
+The best example of a message reference is when Exim sends a bounce message.
+The message reference is the message-id of the original message for which Exim
+is sending the bounce.
+
.vitem &%-oMr%&&~<&'protocol&~name'&>
.oindex "&%-oMr%&"
.cindex "protocol, specifying for local message"
in the same way that multiple DNS records for a single item are handled. A
different separator can be specified, as described above.
+Modifiers for &(dnsdb)& lookups are givien by optional keywords,
+each followed by a comma,
+that may appear before the record type.
+
The &(dnsdb)& lookup fails only if all the DNS lookups fail. If there is a
temporary DNS error for any of them, the behaviour is controlled by
-an optional keyword followed by a comma that may appear before the record
-type. The possible keywords are &"defer_strict"&, &"defer_never"&, and
-&"defer_lax"&. With &"strict"& behaviour, any temporary DNS error causes the
+a defer-option modifier.
+The possible keywords are
+&"defer_strict"&, &"defer_never"&, and &"defer_lax"&.
+With &"strict"& behaviour, any temporary DNS error causes the
whole lookup to defer. With &"never"& behaviour, a temporary DNS error is
ignored, and the behaviour is as if the DNS lookup failed to find anything.
With &"lax"& behaviour, all the queries are attempted, but a temporary DNS
Thus, in the default case, as long as at least one of the DNS lookups
yields some data, the lookup succeeds.
+.new
+.cindex "DNSSEC" "dns lookup"
+Use of &(DNSSEC)& is controlled by a dnssec modifier.
+The possible keywords are
+&"dnssec_strict"&, &"dnssec_lax"&, and &"dnssec_never"&.
+With &"strict"& or &"lax"& DNSSEC information is requested
+with the lookup.
+With &"strict"& a response from the DNS resolver that
+is not labelled as authenticated data
+is treated as equivalent to a temporary DNS error.
+The default is &"never"&.
+
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
&`USER `& set the DN, for authenticating the LDAP bind
&`PASS `& set the password, likewise
&`REFERRALS `& set the referrals parameter
+.new
+&`SERVERS `& set alternate server list for this query only
+.wen
&`SIZE `& set the limit for the number of entries returned
&`TIME `& set the maximum waiting time for a query
.endd
The TIME parameter (also a number of seconds) is passed to the server to
set a server-side limit on the time taken to complete a search.
+.new
+The SERVERS parameter allows you to specify an alternate list of ldap servers
+to use for an individual lookup. The global ldap_servers option provides a
+default list of ldap servers, and a single lookup can specify a single ldap
+server to use. But when you need to do a lookup with a list of servers that is
+different than the default list (maybe different order, maybe a completely
+different set of servers), the SERVERS parameter allows you to specify this
+alternate list.
+.wen
Here is an example of an LDAP query in an Exim lookup that uses some of these
values. This is a single line, folded to fit on the page:
list. The effect of each one lasts until the next, or until the end of the
list.
-To explain the host/ip processing logic a different way for the same ACL:
+.new
+.section "Mixing wildcarded host names and addresses in host lists" &&&
+ "SECTmixwilhos"
+.cindex "host list" "mixing names and addresses in"
+
+This section explains the host/ip processing logic with the same concepts
+as the previous section, but specifically addresses what happens when a
+wildcarded hostname is one of the items in the hostlist.
.ilist
If you have name lookups or wildcarded host names and
&`+ignore_unknown`&, which was discussed in depth in the first example in
this section.
.endlist
-
+.wen
.section "Temporary DNS errors when looking up host information" &&&
-.section "Mixing wildcarded host names and addresses in host lists" &&&
- "SECTmixwilhos"
-.cindex "host list" "mixing names and addresses in"
-If you have name lookups or wildcarded host names and IP addresses in the same
-host list, you should normally put the IP addresses first. For example, in an
-ACL you could have:
-.code
-accept hosts = 10.9.8.7 : *.friend.example
-.endd
-The reason for this lies in the left-to-right way that Exim processes lists.
-It can test IP addresses without doing any DNS lookups, but when it reaches an
-item that requires a host name, it fails if it cannot find a host name to
-compare with the pattern. If the above list is given in the opposite order, the
-&%accept%& statement fails for a host whose name cannot be found, even if its
-IP address is 10.9.8.7.
-
-If you really do want to do the name check first, and still recognize the IP
-address, you can rewrite the ACL like this:
-.code
-accept hosts = *.friend.example
-accept hosts = 10.9.8.7
-.endd
-If the first &%accept%& fails, Exim goes on to try the second one. See chapter
-&<<CHAPACL>>& for details of ACLs.
-
-
-
.section "Address lists" "SECTaddresslist"
If the ACL returns defer the result is a forced-fail. Otherwise the expansion fails.
+.new
+.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
+ {*&<&'string2'&>&*}{*&<&'string3'&>&*}}*&"
+.cindex "expansion" "extracting cerificate fields"
+.cindex "&%certextract%&" "certificate fields"
+.cindex "certificate" "extracting fields"
+The <&'certificate'&> must be a variable of type certificate.
+The field name is expanded and used to retrive the relevant field from
+the certificate. Supported fields are:
+.display
+&`version `&
+&`serial_number `&
+&`subject `&
+&`issuer `&
+&`notbefore `&
+&`notafter `&
+&`sig_algorithm `&
+&`signature `&
+&`subj_altname `& tagged list
+&`ocsp_uri `& list
+&`crl_uri `& list
+.endd
+If the field is found,
+<&'string2'&> is expanded, and replaces the whole item;
+otherwise <&'string3'&> is used. During the expansion of <&'string2'&> the
+variable &$value$& contains the value that has been extracted. Afterwards, it
+is restored to any previous value it might have had.
+
+If {<&'string3'&>} is omitted, the item is replaced by an empty string if the
+key is not found. If {<&'string2'&>} is also omitted, the value that was
+extracted is used.
+
+Some field names take optional modifiers, appended and separated by commas.
+
+The field selectors marked as "list" above return a list,
+newline-separated by default,
+(embedded separator characters in elements are doubled).
+The separator may be changed by a modifier of
+a right angle-bracket followed immediately by the new separator.
+
+The field selectors marked as "tagged" above
+prefix each list element with a type string and an equals sign.
+Elements of only one type may be selected by a modifier
+which is one of "dns", "uri" or "mail";
+if so the elenment tags are omitted.
+
+Field values are generally presented in human-readable form.
+.wen
+
.vitem "&*${dlfunc{*&<&'file'&>&*}{*&<&'function'&>&*}{*&<&'arg'&>&*}&&&
{*&<&'arg'&>&*}...}*&"
.cindex &%dlfunc%&
.vitem &*${md5:*&<&'string'&>&*}*&
.cindex "MD5 hash"
.cindex "expansion" "MD5 hash"
+.cindex "certificate fingerprint"
.cindex "&%md5%& expansion item"
The &%md5%& operator computes the MD5 hash value of the string, and returns it
as a 32-digit hexadecimal number, in which any letters are in lower case.
.vitem &*${sha1:*&<&'string'&>&*}*&
.cindex "SHA-1 hash"
.cindex "expansion" "SHA-1 hashing"
+.cindex "certificate fingerprint"
.cindex "&%sha2%& expansion item"
The &%sha1%& operator computes the SHA-1 hash value of the string, and returns
it as a 40-digit hexadecimal number, in which any letters are in upper case.
+.vitem &*${sha256:*&<&'certificate'&>&*}*&
+.cindex "SHA-256 hash"
+.cindex "certificate fingerprint"
+.cindex "expansion" "SHA-256 hashing"
+.cindex "&%sha256%& expansion item"
+The &%sha256%& operator computes the SHA-256 hash fingerprint of the
+certificate,
+and returns
+it as a 64-digit hexadecimal number, in which any letters are in upper case.
+Only arguments which are a single variable of certificate type are supported.
+
+
.vitem &*${stat:*&<&'string'&>&*}*&
.cindex "expansion" "statting a file"
.cindex "file" "extracting characteristics"
the space value is -1. See also the &%check_log_space%& option.
+.new
+.vitem &$lookup_dnssec_authenticated$&
+.vindex "&$lookup_dnssec_authenticated$&"
+This variable is set after a DNS lookup done by
+a dnsdb lookup expansion, dnslookup router or smtp transport.
+It will be empty if &(DNSSEC)& was not requested,
+&"no"& if the result was not labelled as authenticated data
+and &"yes"& if it was.
+.wen
+
.vitem &$mailstore_basename$&
.vindex "&$mailstore_basename$&"
This variable is set only when doing deliveries in &"mailstore"& format in the
this depends upon the TLS implementation used.
If TLS has not been negotiated, the value will be 0.
+.new
+.vitem &$tls_in_ourcert$&
+.vindex "&$tls_in_ourcert$&"
+This variable refers to the certificate presented to the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_in_peercert$&
+.vindex "&$tls_in_peercert$&"
+This variable refers to the certificate presented by the peer of an
+inbound connection when the message was received.
+It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_out_ourcert$&
+.vindex "&$tls_out_ourcert$&"
+This variable refers to the certificate presented to the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
+.new
+.vitem &$tls_out_peercert$&
+.vindex "&$tls_out_peercert$&"
+This variable refers to the certificate presented by the peer of an
+outbound connection. It is only useful as the argument of a
+&%certextract%& expansion item, &%md5%& or &%sha1%& operator,
+or a &%def%& condition.
+.wen
+
.vitem &$tls_in_certificate_verified$&
.vindex "&$tls_in_certificate_verified$&"
This variable is set to &"1"& if a TLS certificate was verified when the
-.option headers_add routers string&!! unset
+.option headers_add routers list&!! unset
.cindex "header lines" "adding"
.cindex "router" "adding header lines"
-This option specifies a string of text that is expanded at routing time, and
-associated with any addresses that are accepted by the router. However, this
+This option specifies a list of text headers, newline-separated,
+that is associated with any addresses that are accepted by the router.
+Each item is separately expanded, at routing time. However, this
option has no effect when an address is just being verified. The way in which
the text is used to add header lines at transport time is described in section
&<<SECTheadersaddrem>>&. New header lines are not actually added until the
&"see"& the added header lines.
The &%headers_add%& option is expanded after &%errors_to%&, but before
-&%headers_remove%& and &%transport%&. If the expanded string is empty, or if
-the expansion is forced to fail, the option has no effect. Other expansion
+&%headers_remove%& and &%transport%&. If an item is empty, or if
+an item expansion is forced to fail, the item has no effect. Other expansion
failures are treated as configuration errors.
Unlike most options, &%headers_add%& can be specified multiple times
-.option headers_remove routers string&!! unset
+.option headers_remove routers list&!! unset
.cindex "header lines" "removing"
.cindex "router" "removing header lines"
-This option specifies a string of text that is expanded at routing time, and
-associated with any addresses that are accepted by the router. However, this
+This option specifies a list of text headers, colon-separated,
+that is associated with any addresses that are accepted by the router.
+Each item is separately expanded, at routing time. However, this
option has no effect when an address is just being verified. The way in which
the text is used to remove header lines at transport time is described in
section &<<SECTheadersaddrem>>&. Header lines are not actually removed until
&"see"& the original header lines.
The &%headers_remove%& option is expanded after &%errors_to%& and
-&%headers_add%&, but before &%transport%&. If the expansion is forced to fail,
-the option has no effect. Other expansion failures are treated as configuration
+&%headers_add%&, but before &%transport%&. If an item expansion is forced to fail,
+the item has no effect. Other expansion failures are treated as configuration
errors.
Unlike most options, &%headers_remove%& can be specified multiple times
+.new
+.option dnssec_request_domains dnslookup "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains dnslookup "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
.option mx_domains dnslookup "domain list&!!" unset
.cindex "MX record" "required to exist"
.cindex "SRV record" "required to exist"
&%user%& (see below).
-.option headers_add transports string&!! unset
+.option headers_add transports list&!! unset
.cindex "header lines" "adding in transport"
.cindex "transport" "header lines; adding"
-This option specifies a string of text that is expanded and added to the header
+This option specifies a list of text headers, newline-separated,
+which are (separately) expanded and added to the header
portion of a message as it is transported, as described in section
&<<SECTheadersaddrem>>&. Additional header lines can also be specified by
routers. If the result of the expansion is an empty string, or if the expansion
checked, since this option does not automatically suppress them.
-.option headers_remove transports string&!! unset
+.option headers_remove transports list&!! unset
.cindex "header lines" "removing"
.cindex "transport" "header lines; removing"
-This option specifies a string that is expanded into a list of header names;
+This option specifies a list of header names, colon-separated;
these headers are omitted from the message as it is transported, as described
in section &<<SECTheadersaddrem>>&. Header removal can also be specified by
-routers. If the result of the expansion is an empty string, or if the expansion
+routers.
+Each list item is separately expanded.
+If the result of the expansion is an empty string, or if the expansion
is forced to fail, no action is taken. Other expansion failures are treated as
errors and cause the delivery to be deferred.
Unlike most options, &%headers_remove%& can be specified multiple times
-for a router; all listed headers are added.
+for a router; all listed headers are removed.
details.
+.new
+.option dnssec_request_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
.option dscp smtp string&!! unset
.cindex "DCSP" "outbound"
This option causes the DSCP value associated with a socket to be set to one
the transport cannot refer to the modified header lines, because such
expansions all occur before the message is actually transported.
-For both routers and transports, the result of expanding a &%headers_add%&
+For both routers and transports, the argument of a &%headers_add%&
option must be in the form of one or more RFC 2822 header lines, separated by
newlines (coded as &"\n"&). For example:
.code
Exim does not check the syntax of these added header lines.
Multiple &%headers_add%& options for a single router or transport can be
-specified; the values will be concatenated (with a separating newline
-added) before expansion.
+specified; the values will append to a single list of header lines.
+Each header-line is separately expanded.
-The result of expanding &%headers_remove%& must consist of a colon-separated
+The argument of a &%headers_remove%& option must consist of a colon-separated
list of header names. This is confusing, because header names themselves are
often terminated by colons. In this case, the colons are the list separators,
not part of the names. For example:
.endd
Multiple &%headers_remove%& options for a single router or transport can be
-specified; the values will be concatenated (with a separating colon
-added) before expansion.
+specified; the arguments will append to a single header-names list.
+Each item is separately expanded.
-When &%headers_add%& or &%headers_remove%& is specified on a router, its value
-is expanded at routing time, and then associated with all addresses that are
+When &%headers_add%& or &%headers_remove%& is specified on a router,
+items are expanded at routing time,
+and then associated with all addresses that are
accepted by that router, and also with any new addresses that it generates. If
an address passes through several routers as a result of aliasing or
forwarding, the changes are cumulative.
.code
exim -bpu
.endd
-to obtain a queue listing with undelivered recipients only, and then greps the
-output to select messages that match given criteria. The following selection
-options are available:
+or (in case &*-a*& switch is specified)
+.code
+exim -bp
+.endd
+.new
+The &*-C*& option is used to specify an alternate &_exim.conf_& which might
+contain alternate exim configuration the queue management might be using.
+.wen
+
+to obtain a queue listing, and then greps the output to select messages
+that match given criteria. The following selection options are available:
.vlist
.vitem &*-f*&&~<&'regex'&>
.vitem &*-R*&
Display messages in reverse order.
+
+.vitem &*-a*&
+Include delivered recipients in queue listing.
.endlist
There is one more option, &%-h%&, which outputs a list of options.
projects / exim.git / blobdiff