## $Cambridge: exim/doc/doc-src/FAQ.src,v 1.6 2005/02/15 09:27:45 ph10 Exp $ ## ## This file is processed by Perl scripts to produce an ASCII and an HTML ## version. Lines starting with ## are omitted. The markup used with paragraphs ## is as follows: ## ## Markup User for HTML Text ## ------------------------------------------------------ ## \...\ option fixed-pitch "quoted" ## \$...$\ variable $italic $plain ## \*...*\ titles, quotes italic "quoted" ## \(...)\ file name italic plain ## \[...]\ replaceable ## \?...?\ URL URL plain ## \^...^\ Unix command italic plain ## \%...%\ Exim driver bold "quoted" ## \^^.^^\ C function bold plain ## ::...:: header name italic: plain: ## //...// domain italic plain ## \/.../\ local part italic plain ## \"..."\ literal fixed-pitch "quoted" ## \\...\\ SMTP, build small caps caps ## \**...**\ warn, item bold plain ## \-...-\ cmd option -italic -plain ## \# hard space   space ## ## ``...'' quoted string “...” "..." ## ## @\ is used when a real backslash is required ## ## In addition, sequences of not blank lines that start with ==> are displayed ## in fixed-pitch with no further interpretation. A line containing only [[br]] ## is removed from the text version, but turned into
in the HTML version. ## ## The starts of sections and of questions and answers are automatically ## detected by the scripts. ## ## THE EXIM FAQ ------------ This is the FAQ for the Exim Mail Transfer Agent. Many thanks to the many people who provided the original information. This file would be amazingly cluttered if I tried to list them all. Suggestions for corrections, improvements, and additions are always welcome. This version of the FAQ applies to Exim 4.43 and later releases. References of the form Cnnn, Fnnn, Lnnn, and Snnn are to the sample configuration, filter, \^^local_scan()^^\, and ``useful script'' files. These are hyperlinked from the HTML version of this FAQ. They can also be found in the separately distributed directory called \(config.samples)\. The primary location is \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.gz?\ \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.bz2?\ There are brief descriptions of these files at the end of this document. Philip Hazel Last update: 14-October-2004 The FAQ is divided into the following sections: 0. General Debugging 1. Building and Installing 2. Routing in general 3. Routing to remote hosts 4. Routing for local delivery 5. Filtering 6. Delivery 7. Policy controls 8. Rewriting addresses 9. Headers 10. Performance 11. Majordomo 12. Fetchmail 13. Perl 14. Dial-up and ISDN 15. UUCP 16. Modifying message bodies 17. Encryption (TLS/SSL) 20. Millennium 50. Miscellaneous 91. Mac OS X 92. FreeBSD 93. HP-UX 94. BSDI 95. IRIX 96. Linux 97. Sun systems 98. Configuration cookbook 99. List of sample configurations 0. GENERAL DEBUGGING Q0001: Exim is crashing. What is wrong? A0001: Exim should never crash. The author is always keen to know about crashes, so that they can be diagnosed and fixed. However, before you start sending me email, please check that you are running the latest release of Exim, in case the problem has already been fixed. The techniques described below can also be useful in trying to pin down exactly which circumstances caused the crash and what Exim was trying to do at the time. If the crash is reproducible (by a particular message, say) keep a copy of that message. Q0002: Exim is not working. What is wrong? How can I check what it is doing? A0002: Exactly how is it not working? Check the more specific questions in the other sections of this FAQ. Some general techniques for debugging are: (1) Look for information in Exim's log files. These are in the \(log)\ directory in Exim's spool directory, unless you have configured a different path for them. Serious operational problems are reported in paniclog. (2) If the problem involves the delivery of one or more messages, try forcing a delivery with the \-M-\ option and also set the \-d-\ option, to cause Exim to output debugging information. For example: ==> exim -d -M 0z6CXU-0005RR-00 The output is written to the standard error stream. You need to have admin privileges to use \-M-\ and \-d-\. (3) If the problem involves incoming SMTP mail, try using the \-bh-\ option to simulate an incoming connection from a specific host, for example: ==> exim -bh 10.9.8.7 This goes through the motions of an SMTP session, without actually accepting a message. Information about various policy checks is output. You will need to know how to pretend to be an SMTP client. (4) If the problem involves lack of recognition or incorrect handling of local addresses, try using the \-bt-\ option with debugging turned on, to see how Exim is handling the address. For example, ==> exim -d -bt z6abc shows you how it would handle the local part \"z6abc"\. Q0003: What does the error \*Child process of address_pipe transport returned 127 from command xxx*\ mean? A0003: It means that when a transport called \%address_pipe%\ was run to pass an email message by means of a pipe to another process running the command xxx, the return code from that command was 127, which indicates some kind of error (the success return code is 0). The most common meaning of exit code 127 is that when Exim tried to run the command \(xxx)\, it failed. One cause of this might be incorrect permissions on the file containing the command. See also Q0026. Q0004: My virtual domain setup isn't working. How can I debug it? A0004: You can use an exim command with \-d-\ to get it to show you how it is processing addresses. You don't actually need to send a message; use the \-bt-\ option like this: ==> exim -d -bt localpart@virtualhost This will show you which routers it is using. If the problem appears to be with the expansion of an option setting, you can use the \debug_print\ option on a router to get Exim to output the expanded string values as it goes along. Q0005: Why is Exim not rejecting incoming messages addressed to non-existent users at SMTP time? A0005: This is controlled by the ACL that is run for each incoming RCPT command. It is defined by the \acl_smtp_rcpt\ option. You can check this part of your configuration by using the \-bh-\ option to run a simulated SMTP session, during which Exim will tell you what things it is checking. Q0006: I've put an entry for \"*.my.domain"\ in a DBM lookup file, but it isn't getting recognized. A0006: You need to request ``partial matching'' by setting the search type to \partial-dbm\ in order for this to work. Q0007: I've put the entry \"*@domain.com"\ in a lookup database, but it isn't working. The expansion I'm using is: ==> ${lookup{${lc:$sender_address}}dbm{/the/file} ... A0007: As no sender address will ever be //*@domain.com// this will indeed have no effect as it stands. You need to tell Exim that you want it to look for defaults after the normal lookup has failed. In this case, change the search type from \"dbm"\ to \"dbm*@"\. See the section on \*Default values in single-key lookups*\ in the chapter entitled \*File and database lookups*\ in the Exim manual. Q0008: If I run \"./exim -d -bt user@domain"\ all seems well, but when I send a message from my User Agent, it does not arrive at its destination. A0008: Try sending a message directly to Exim by typing this: ==> exim -v user@domain . If the message gets delivered to a remote host, but never arrives at its final destination, then the problem is at the remote host. If, however, the message gets through correctly, then the problem may be between your User Agent and Exim. Try setting Exim's \log_selector\ option to include \"+arguments"\, to see with which arguments the UA is calling Exim. Q0009: What does \*no immediate delivery: too many messages received in one SMTP connection*\ mean? A0009: An SMTP client may send any number of messages down a single SMTP connection to a server. Initially, an Exim server starts up a delivery process as soon as a message is received. However, in order not to start up too many processes when lots of messages are arriving (typically after a period of downtime), it stops doing immediate delivery after a certain number of messages have arrived down the same connection. The threshold is set by \smtp_accept_queue_per_connection\, and the default value is 10. On large systems, the value should be increased. If you are running a dial-in host and expecting to get all your mail down a single SMTP connection, then you can disable the limit altogether by setting the value to zero. Q0010: Exim puts \*for \[address]\*\ in the ::Received:: headers of some, but not all, messages. Is this a bug? A0010: No. It is deliberate. Exim inserts a ``for'' phrase only if the incoming message has precisely one recipient. If there is more than one recipient, nothing is inserted. The reason for this is that not all recipients appear in the ::To:: or ::Cc:: headers, and it is considered a breach of privacy to expose such recipients to the others. A common case is when a message has come from a mailing list. Q0011: Instead of \^exim_dbmbuild^\, I'm using a homegrown program to build DBM (or cdb) files, but Exim doesn't seem to be able to use them. A0011: Exim expects there to be a binary zero value on the end of each key used in a DBM file if you use the \"dbm"\ lookup type, but not for the \"dbmnz"\ lookup type or for the keys of a cdb file. Check that you haven't slipped up in this regard. Q0012: Exim is unable to route to any remote domains. It doesn't seen to be able to access the DNS. A0012: Try running \"exim -d+resolver -bt \[remote address]\"\. The \-d-\ options turns on debugging output, and the addition of \"+resolver"\ will make it show the resolver queries it is building and the results of its DNS queries. If it appears unable to contact any name servers, check the contents and permissions of \(/etc/resolv.conf)\. Q0013: What does the error message \*transport system_aliases: cannot find transport driver "redirect" in line 92*\ mean? A0013: \%redirect%\ is a router, not a transport. You have put a configuration for a router into the transports section of the configuration file. Q0014: Exim is timing out after receiving and responding to the DATA command from one particular host, and yet the client host also claims to be timing out. This seems to affect only certain messages. A0014: This kind of problem can have many different causes. (1) This problem has been seen with a network that was dropping all packets over a certain size, which mean that the first part of the SMTP transaction worked, but when the body of a large message started flowing, the main data bits never got through the network. See also Q0017. (2) This can also happen if a host has a broken TCP stack and won't reassemble fragmented datagrams. (3) A very few ISDN lines have been seen which failed when certain data patterns were sent through them, and replacing the routers at both end of the link did not fix things. One of them was triggered by more than 4 X's in a row in the data. Q0015: What does the message \*Socket bind() to port 25 for address (any) failed: address already in use*\ mean? A0015: You are trying to run an Exim daemon when there is one already running - or maybe some other MTA is running, or perhaps you have an SMTP line in \(/etc/inetd.conf)\ which is causing \(inetd)\ to listen on port 25. Q0016: I've set \"verify = header_syntax"\ in my ACL, but this causes Exim to complain about header lines like \"To: Work: Jim , Home: Bob "\ which look all right to me. Is this a bug? A0016: No. Header lines such as ::From::, ::To::, etc., which contain addresses, are structured, and have to be in a specific format which is defined in RFC 2822. Unquoted colons are not allowed in the ``phrase'' part of an email address (they are OK in other headers such as ::Subject::). The correct form for that header is ==> To: "Work: Jim" , "Home: Bob" You will sometimes see unquoted colons in ::To:: and ::Cc:: headers, but only in connection with name lists (called ``groups''), for example: ==> To: My friends: X , Y ;, My enemies: A , B ; Each list must be terminated by a semicolon, as shown. Q0017: Whenever Exim tries to deliver a specific message to a particular server, it fails, giving the error \*Remote end closed connection after data*\ or \*Broken pipe*\ or a timeout. What's going on? A0017: \*Broken pipe*\ is the error you get on some OS when the remote host just drops the connection. The alternative is \*connection reset by peer*\. There are many potential causes. Here are some of them (see also Q0068): (1) There are some firewalls that fall over on binary zero characters in email. Have a look, e.g. with \"hexdump -c mymail | tail"\ to see if your mail contains any binary zero characters. (2) There are broken SMTP servers around that just drop the connection after the data has been sent if they don't like the message for some reason (e.g. it is too big) instead of sending a 5xx error code. Have you tried sending a small message to the same address? It has been reported that some releases of Novell servers running NIMS are unable to handle lines longer than 1024 characters, and just close the connection. This is an example of this behaviour. (3) If the problem occurs right at the start of the mail, then it could be a network problem with mishandling of large packets. Many emails are small and thus appear to propagate correctly, but big emails will generate big IP datagrams. There have been problems when something in the middle of the network mishandles large packets due to IP tunnelling. In a tunnelled link, your IP datagrams gets wrapped in a larger datagram and sent over a network. This is how virtual private networks (VPNs), and some ISP transit circuits work. Since the datagrams going over the tunnel require a larger packet size, the tunnel needs a bigger maximum transfer unit (MTU) in the network handling the tunnelled packets. However, MTUs are often fixed, so the tunnel will try to fragment the packets. If the systems outside the tunnel are using path MTU discovery, (most Sun Sparc Solaris machines do by default), and set the DF (don't fragment) bit because they don't send packets larger than their \(local)\ MTU, then ICMP control messages will be sent by the routers at the ends of the tunnel to tell them to reduce their MTU, since the tunnel can't fragment the data, and has to throw it away. If this mechanism stops working, e.g. a firewall blocks ICMP, then your host never knows it has hit the maximum path MTU, but it has received no ACK on the packet either, so it continues to resend the same packet and the connection stalls, eventually timing out. You can test the link using pings of large packets and see what works: ==> ping -s host 2048 Try reducing the MTU on the sending host: ==> ifconfig le0 mtu 1300 Alternatively, you can reduce the size of the buffer Exim uses for SMTP output by putting something like ==> DELIVER_OUT_BUFFER_SIZE=512 in your \(Local/Makefile)\ and rebuilding Exim (the default is 8192). While this should not in principle have any effect on the size of packets sent, in practice it does seem to have an effect on some OS. You can also try disabling path MTU discovery on the sending host. On Linux, try: ==> echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc For a general discussion and information about other operating systems, see \?http://www.netheaven.com/pmtu.html?\. If disabling path MTU discovery fixes the problem, try to find the broken or misconfigured router/firewall that swallows the ICMP-unreachable packets. Increasing timeouts on the receiving host will not work around the problem. Q0018: Why do messages not get delivered down the same connection when I do something like: \"exim -v -R @aol.com"\? For other domains, I do this and I see the appropriate \*waiting for passed connections to get used*\ messages. A0018: Recall that Exim does not keep separate queues for each domain, but operates in a distributed fashion. Messages get into its `waiting for host x' hints database only when a delivery has been tried, and has had a temporary error. Here are some possibilities: (1) The messages to \(aol.com)\ got put in your queue, but no previous delivery attempt occured before you did the \-R-\. This might have been because of your settings of \queue_only_load\, \smtp_accept_queue\, or any other option that caused no immediate delivery attempt on arrival. If this is the case, you can try using \-qqR-\ instead of \-R-\. (2) You have set \connection_max_messages\ on the smtp transport, and that limit was reached. This would show as a sequence of messages down one connection, then another sequence down a new connection, etc. (3) Exim tried to pass on the SMTP connection to another message, but that message was in the process of being delivered to \(aol.com)\ by some other process (typically, a normal queue runner). This will break the sequence, though the other delivery should pass its connection on to other messages if there are any. (4) The folk at \(aol.com)\ changed the MX records so the host names have changed - or a new host has been added. I don't know how likely this is. (5) Exim is not performing as it should in this regard, for some reason. Next time you have mail queued up for \(aol.com)\, try running ==> exim_dumpdb /var/spool/exim wait-remote_smtp to see if those messages are listed among those waiting for the relevant \(aol.com)\ hosts. Q0019: There seems to be a problem in the string expansion code: it doesn't recognize references to headers such as \"${h_to}"\. A0019: The only valid syntax for header references is (for example) \"$h_to:"\ because header names are permitted by RFC 2822 to contain a very wide range of characters. A colon (or white space) is required as the terminator. Q0020: Why do connections to my machine's SMTP port take a long time to respond with the banner, when connections to other ports respond instantly? The delay is sometimes as long as 30 seconds. A0020: These kinds of delay are usually caused by some kind of network problem that affects outgoing calls made by Exim at the start of an incoming connection. Configuration options that cause outgoing calls are: (1) \rfc1413_hosts\ and \rfc1413_query_timeout\ (for \*ident*\ calls). Firewalls sometimes block ident connections so that they time out, instead of refusing them immediately. This can cause this problem. See Q5023 for a discussion of the usefulness of \*ident*\. (2) The \host_lookup\ option, the \host_reject_connection\ option, or a condition in the ACL that runs at connection time requires the remote host's name to be looked up from its IP address. Sometimes these DNS lookups time out. You can get this effect with ACL statements like this: ==> deny hosts = *.x.example If at all possible, you should use IP addresses instead of host names in blocking lists in order to to avoid this problem. You can use the \-bh-\ option to get more information about what is happening at the start of a connection. However, note that the \-bh-\ option does not provide a complete simulation. In particular, no \*ident*\ checks are done, so it won't show up a delay problem that is related to (1) above. Q0021: What does \*failed to create child process to send failure message*\ mean? This is a busy mail server with \smtp_accept_max\ set to 500, but this problem started to occur at about 300 incoming connections. A0021: Some message delivery failed, and when Exim wanted to send a bounce message, it was unable to create a process in which to do so. Probably the limit on the maximum number of simultaneously active processes has been reached. Most OS have some means of increasing this limit, and in some operating systems there is also a limit per uid which can be varied. Q0022: What does \*No transport set by system filter*\ in a log line mean? A0022: Your system filter contains a \"pipe"\ or \"save"\ or \"mail"\ command, but you have not set the corresponding option which specifies which transport is to be used. You need to set whichever of \system_filter_pipe_transport\, \system_filter_file_transport\ or \system_filter_reply_transport\ is relevant. Q0023: Why is Exim refusing to relay, saying \*failed to find host name from IP address*\ when I have the sender's IP address in an ACL condition? My configuration contains this ACL statement: ==> accept hosts = lsearch;/etc/mail/relaydomains:192.168.96.0/24 A0023: When checking a host list, the items are tested in left-to-right order. The first item in your list is a lookup on the incoming host's name, so Exim has to determine the name from the incoming IP address in order to perform the test. If it can't find the host name, it can't do the check, so it gives up. You would have discovered what was going on if you had run a test such as ==> exim -bh 192.168.96.131 The solution is to put all explicit IP addresses first in the list. Alternatively, you can split the ACL statement into two like this: ==> accept hosts = lsearch;/etc/mail/relaydomains accept hosts = 192.168.96.0/24 If the host lookup fails, the first \"accept"\ fails, but then the second one is considered. Q0024: When I run \"exim -bd -q10m"\ I get \*PANIC LOG: exec of exim -q failed*\. A0024: This probably means that Exim doesn't know its own path so it can't re-exec itself to do the first queue run. Check the output of ==> exim -bP exim_path Q0025: I can't seem to get a pipe command to run when I include a \"${if"\ expansion in it. This fails: ==> command = perl -T /usr/local/rt/bin/rtmux.pl \ rt-mailgate helpdesk \ ${if eq {$local_part}{rt} {correspond}{action}} A0025: You need some internal quoting in there. Exim expands each individual argument separately. Because you have (necessarily) got spaces in your \"${if"\ item, you have to quote that argument. Try ==> command = perl -T /usr/local/rt/bin/rtmux.pl \ rt-mailgate helpdesk \ "${if eq {$local_part}{rt} {correspond}{action}}" \**Warning:**\ If command starts with an item that requires quoting, you cannot just put it in quotes, because a leading quote means that the entire option setting is being quoted. What you have to do is to quote the entire value, and use internally escaped quotes for the ones you really want. For example: ==> command = "\"${if ....}\" arg1 arg2" Any backslashes in the expansion items will have to be doubled to stop them being interpreted by the string reader. Q0026: I'm trying to get Exim to connect an alias to a pipe, but it always gives error code 127, with the comment \*(could mean unable to exec or command does not exist)*\. A0026: If your alias entry looks like this: ==> alias: |"/some/command some parameters" change it to look like this: ==> alias: "|/some/command some parameters" Q0027: What does the error \*Spool file is locked*\ mean? A0027: This is not an error. All it means is that when an Exim delivery process (probably started by a queue runner process) looked at a message in order to start delivering it, it found that another Exim process was already busy delivering it. On a busy system this is quite a common occurrence. If you set \"-skip_delivery"\ in the \log_selector\ option, these messages are omitted from the log. The only time when this message might indicate a problem is if it is repeated for the same message for a very long time. That would suggest that the process that is delivering the message has somehow got stuck. Q0028: Exim is reporting IP addresses as 0.0.0.0 or 255.255.255.255 instead of their correct values. What's going on? A0028: You are using a version of Exim built with gcc on an IRIX box. See Q9502. Q0029: I can't seem to figure out why PAM support doesn't work correctly. A0029: There is a problem using PAM with shadow passwords when the calling program is not running as \/root/\. Exim is normally running as the Exim user when authenticating a remote host. (1) One solution can be found at \?http://www.e-admin.de/pam_exim/?\. (2) PAM 0.72 allows authorization as non-\/root/\, using setuid helper programs. Furthermore, in \(/etc/pam.d/exim)\ you can explicitly specify that this authorization (using setuid helpers) is only permitted for certain users and groups. (3) Another approach is to authenticate using the \^saslauthd^\ daemon, which has its own interface to PAM. The daemon runs as root, so there is no access problem. (4) One suggested solution was to set ==> exim_group=shadow in the configuration file, or the equivalent at build time. This is very strongly discouraged. Do not do it! It works, but it's a potential security exposure. Exim is intended to run as a non-privileged user for much of the time. This setting gives it have privileged access to crucial security information all of the time, simply for the purposes of authentication (which Exim will only spend a tiny part of its total time doing). The result is that a successful compromise of the Exim system can give someone direct access to the system passwords. Q0030: I'm trying to use a query-style lookup for hosts that are allowed to relay, but it is giving really weird errors. A0030: Does your query contain a colon character? Remember that host lists are colon-separated, so you need to double any colons in the query. This applies even if the query is defined as a macro. Q0031: Exim is rejecting connections from hosts that have more than one IP address, for no apparent reason. A0031: You are using Solaris 7 or earlier, and have \"nis dns files"\ in \(/etc/nsswitch.conf)\. Change this to \"dns nis files"\ to avoid hitting Sun bug 1154236 (a bad interaction between NIS and the DNS). Q0032: Exim is failing to find the MySQL library, even though is it present within \\LD_LIBRARY_PATH\\. I'm getting this error: ==> /usr/local/bin/exim: fatal: libmysqlclient.so.6: open failed: No such file or directory A0032: Exim is suid, and \\LD_LIBRARY_PATH\\ is ignored for suid binaries on a Solaris (and other?) systems. What you should be doing is adding \"-R/local/lib/mysql"\ to the same place in the compilation that you added \"-L/local/lib/mysql"\. This tells the binary where to look without needing a path variable. Q0033: What does the error \*lookup of host "xx.xx.xx" failed in yyy router*\ mean? A0033: You configured a \%manualroute%\ router to send the message to xx.xx.xx. When it tried to look up the IP address for that host, the lookup failed with a permanent error. As this is a manual routing, this is a considered to be a serious error which the postmaster needs to know about (maybe you have a typo in your file), and there is little point in keeping on trying. So it freezes the message. (1) Don't set up routes to non-existent hosts. (2) If you must set up routes to non-existent hosts, and don't want freezing, set the \host_find_failed\ option on the router to do something other than freeze. Q0034: Exim works fine on one host, but when I copied the binary to another identical host, it stopped working (it could not resolve DNS names). A0034: Is the new host running exactly the same operating system? Most importantly, are the versions of the dynamically loaded libraries (files with names like \(libsocket.so.1)\) the same on both systems? If not, that is probably the cause of the problem. Either arrange for the libraries to be the same, or rebuild Exim from source on the new host. Q0035: I set a \"hosts"\ condition in an ACL to do a lookup in a file of IP addresses, but it doesn't work. A0035: Did you remember to put \"net-"\ at the start of the the search type? If you set something like this: ==> accept hosts = lsearch;/some/file Exim searches the file for the host name, not the IP address. You need to set ==> accept hosts = net-lsearch;/some/file to make it use the IP address as the key to the lookup. Q0036: Why do I get the error \*Permission denied: creating lock file hitching post*\ when Exim tries to do a local delivery? A0036: Your configuration specifies that local mailboxes are all held in single directory, via configuration lines like these (taken from the default configuration): ==> local_delivery: driver = appendfile file = /var/mail/$local_part and the permissions on the directory probably look like this: ==> drwxrwxr-x 3 root mail 512 Jul 9 13:48 /var/mail/ Using the default configuration, Exim runs as the local user when doing a local delivery, and it uses a lock file to prevent any other process from updating the mailbox while it is writing to it. With those permissions the delivery process, running as the user, is unable to create a lock file in the \(/var/mail(\ directory. There are two solutions to this problem: (1) Set the \"write"\ and \"sticky bit"\ permissions on the directory, so that it looks like this: ==> drwxrwxrwt 3 root mail 512 Jul 9 13:48 /var/mail/ The \"w"\ allows any user to create new files in the directory, but the \"t"\ bit means that only the creator of a file is able to remove it. This is the same setting as is normally used with the \(/tmp)\ directory. (2) Arrange to run the local_delivery transport under a specific group by changing the configuration to read ==> local_delivery: driver = appendfile file = /var/mail/${local_part} group = mail The delivery process still runs under the user's uid, but with the group set to \"mail"\. The group permission on the directory allows the process to create and remove the lock file. The choice between (1) and (2) is up to the administrator. If the second solution is used, users can empty their mailboxes by updating them, but cannot delete them. If your problem involves mail to \/root/\, see also Q0507. Q0037: I am experiencing mailbox locking problems with Sun's \"mailtool"\ used over a network. A0037: See Q9705 in the Sun-specific section below. Q0038: What does the error message \*error in forward file (filtering not enabled): missing or malformed local part*\ mean? A0038: If you are trying to use an Exim filter, you have forgotten to enable the facility, which is disabled by default. In the \%redirect%\ router (in the Exim run time configuration file) you need to set ==> allow_filter = true to allow a \(.forward)\ file to be used as an Exim filter. If you are not trying to use an Exim filter, then you have put a malformed address in the \(.forward)\ file. Q0039: I have installed Exim, but now I can't mail to \/root/\ any more. Why is this? A0039: Most people set up \/root/\ as an alias for the manager of the host. If you haven't done this, Exim will attempt to deliver to \/root/\ as if it were a normal user. This isn't really a good idea because the delivery process would run as \/root/\. Exim has two trigger guards that stop deliveries running as root. In the build-time configuration, there is a setting called FIXED_NEVER_USERS, which defaults to \"root"\. This setting cannot be overridden. In addition, the default runtime configuration contains the option ==> never_users = root just to be on the safe side. If you really want to run local deliveries as \/root/\, you must use a version of Exim that was built without the FIXED_NEVER_USERS option, and remove the above line from the runtime configuration, but it would be better to create an alias for \/root/\ instead. Q0040: How can I stop undeliverable bounce messages (e.g. to routeable, but undeliverable, spammer senders) from clogging up the queue for days? A0040: If at all possible, you should try to avoid getting into this situation in the first place, for example, by verifying recipients so that you do not accept undeliverable messages that lead to these bounces. You can, however, configure Exim to discard failing bounce messages early. Just set \ignore_bounce_errors_after\ to specify a (short) time to keep them for. Q0041: What does the message \*unable to set gid=ddd or uid=ddd (euid=ddd): local delivery to ... transport=ttt*\ mean? A0041: Have you remembered to make Exim setuid \/root/\? It needs root privilege if it is to do any local deliveries, because it does them ``as the user''. Note also that the partition from which Exim is running (where the binary is installed) must not have the \nosuid\ mount option set. You can check this by looking at its \(/etc/fstab)\ entry (or \(/etc/vfstab)\, depending on your OS). Q0042: My ISP's mail server is rejecting bounce messages from Exim, complaining that they have no sender. The SMTP trace does indeed show that the sender address is \"<>"\. Why is the Sender on the bounce message empty? A0042: Because the RFCs say it must be. Your ISP is at fault. Send them this extract from RFC 2821 section 6.1 (\*Reliable Delivery and Replies by Email*\): If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message. This notification MUST be sent using a null (\"<>"\) reverse path in the envelope. The recipient of this notification MUST be the address from the envelope return path (or the ::Return-Path:: header line). However, if this address is null (\"<>"\), the receiver-SMTP MUST NOT send a notification. The reason that bounce messages have no sender is so that they themselves cannot provoke further bounces, as this could lead to a unending exchange of undeliverable messages. Q0043: What does the error \*Unable to get interface configuration: 22 Invalid argument*\ mean? A0043: This is an error that occurs when Exim is trying to find out the all the IP addresses on all of the local host's interfaces. If you have lots of virtual interfaces, this can occur if there are more than around 250 of them. The solution is to set the option \local_interfaces\ to list just those IP addresses that you want to use for making and receiving SMTP connections. Q0044: What does the error \*Failed to create spool file*\ mean? A0044: Exim has been unable to create a file in its spool area in which to store an incoming message. This is most likely to be either a permissions problem in the file hierarchy, or a problem with the uid under which Exim is running, though it could be something more drastic such as your disk being full. If you are running Exim with an alternate configuration file using a command such as \"exim -C altconfig..."\, remember that the use of -C takes away Exim's root privilege. Check that you have defined the spool directory correctly by running ==> exim -bP spool_directory and examining the output. Check the mode of this directory. It should look like this, assuming you are running Exim as user \/exim/\: ==> drwxr-x--- 6 exim exim 512 Jul 16 12:29 /var/spool/exim If there are any subdirectories already in existence, they should have the same permissions, owner, and group. Check also that you haven't got incorrect permissions on superior directories (for example, \(/var/spool)\). Check that you have set up the Exim binary to be setuid \/root/\. It should look like this: ==> -rwsr-xr-x 1 root xxx 502780 Jul 16 14:16 exim Note that it is not just the owner that must be \/root/\, but also the third permission must be \"s"\ rather than \"x"\. Q0045: I see entries in the log that mention two different IP addresses for the same connection. Why is this? For example: ==> H=tip-mp8-ncs-13.stanford.edu ([36.173.0.189]) [36.173.0.156] A0045: The actual IP address from which the call came is the final one. Whenever there's something in parentheses in a host name, it is what the host quoted as the domain part of an SMTP HELO or EHLO command. So in this case, the client, despite being 36.173.0.156, issued the command ==> EHLO [36.173.0.189] when it sent your server the message. This is, of course, very misleading. Q0046: A short time after I start Exim I see a defunct zombie process. What is causing this? A0046: Your system must be lightly loaded as far as mail is concerned. The daemon sets off a queue runner process when it is started, but it only tidies up completed child processes when it wakes up for some other reason. When there's nothing much going on, you occasionally see defunct processes like this waiting to be dealt with. This is perfectly normal. Q0047: On a reboot, or a restart of the mail system, I see the message \*Mailer daemons: exim abandoned: unknown, malformed, or incomplete option -bz sendmail*\. What does this mean? A0047: \-bz-\ is a Sendmail option requesting it to create a `configuration freeze file'. Exim has no such concept and so does not support the option. You probably have a line like ==> /usr/lib/sendmail -bz in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before ==> /usr/lib/sendmail -bd -q15m The first of these lines should be commented out. Q0048: Whenever exim restarts it takes up to 3-5 minutes to start responding on the SMTP port. Why is this? A0048: Something else is hanging onto port 25 and not releasing it. One place to look is \(/etc/inetd.conf)\ in case for any reason an SMTP stream is configured there. Q0049: What does the log message \*no immediate delivery: more than 10 messages received in one connection*\ mean? A0049: A remote MTA sent a number of messages in a single SMTP session. Exim limits the number of immediate delivery processes it creates as a result of a single SMTP connection, in order to avoid creating a zillion processes on systems that can have many incoming connections. If you are dialing in to collect mail from your ISP, you should probably set \smtp_accept_queue_per_connection\ to some number larger than 10, or arrange to start a queue runner for local delivery (using \-ql-\) immediately after collecting the mail. Q0050: I am getting complaints from a customer who uses my Exim server for relaying that they are being blocked with a \*Too many connections*\ error. A0050: See \smtp_accept_max\, \smep_accept_max_per_host\ and \smtp_accept_reserve\. Q0051: When I test my system filter with \-bf-\, I get the error \*filtering command "fail" is disabled*\. Why is this? A0051: Use the \-bF-\ option to test system filters. This gives you access to the freeze and fail actions. Q0052: What does \*ridiculously long message header*\ in an error report mean? A0052: There has to be some limit to the length of a message's header lines, because otherwise a malefactor could open an SMTP channel to your host, start a message, and then just send characters continuously until your host runs out of memory. (Exim stores all the header lines in main memory while processing a message). For this reason a limit is imposed on the total amount of memory that can be used for header lines. The default is 1MB, but this can be changed by setting \\HEADER_MAXSIZE\\ in \(Local/Makefile)\ before building Exim. Exceeding the limit provokes the ``ridiculous'' error message. Q0053: Exim on my host responds to a connection with \"220 *****..."\ and won't understand \\EHLO\\ commands. A0053: This is the sign of a Cisco Pix ``Mailguard'' sitting in front of your MTA. Pix breaks ESMTP and only does SMTP. It is a nuisance when you have a secure MTA running on your box. Something like ``no fixup protocol smtp 25'' in the Pix configuration is needed. It may be possible to do this by logging into the Pix (using \^telnet^\ or \^ssh^\) and typing \"no fixup smtp"\ to its console. (You may need to use other commands before or after to set up configuration mode and to activate a changed configuration. Consult your Pix documentation or expert.) See also Q0078. Q0054: I'm getting an Exim configuration error \*unknown rewrite flag character (m) in line 386*\ but I haven't used any flags on my rewriting rules. A0054: You have probably forgotten to quote a replacement string that contains white space. Q0055: What does the error \*Failed to open wait-remote_smtp database: Invalid argument*\ mean? A0055: This is something that happens if you have existing DBM hints files when you install a new version of Exim that is compiled to use a different or upgraded DBM library. The simplest thing to try is ==> rm /var/spool/exim/db/* This removes all the hints files. Exim will start afresh and build new ones. If the symptom recurs, it suggests there is some problem with your DBM library. Q0056: We are using Exim to send mail from our web server. However, whenever a user sends an email it gets sent with the return path (envelope sender) //apache@server_name.com// because the PHP script is running as \/apache/\. A0056: You need to include \/apache/\ in the \trusted_users\ configuration option. Only trusted users are permitted to specify senders when mail is passed to Exim via the command line. Q0057: We've got people complaining about attachments that don't show up as attachments, but are included in the body of the message. A0057: In the past, these symptoms could be seen when some software passed a CRLF line terminated message via the command line, because Exim expected lines to be terminated by LF only, and so it preserved the CRs as data. Modern versions of Exim (4.21 or later) use heuristics to try to do the right thing with line endings. Q0058: What does the error \*failed to open DB file \(/var/spool/exim/db/retry)\: File exists*\ mean? A0058: This error is most often caused when a hints file that was written with one version of the Berkeley DB library is read by another version. Sometimes this can happen if you change from a binary version of Exim to a locally compiled version. Or it can happen if you compile and install a new version of Exim after changing Berkeley DB versions. You can find out which version your Exim is using by running: ==> ldd /usr/sbin/exim The solution to the problem is to delete all the files in the \(/var/spool/exim/db)\ directory, and let Exim recreate them. Q0059: When my Outlook Express 6.0 client sends a STARTTLS command to begin a TLS session, Exim doesn't seem to receive it. The Outlook log shows this: ==> SMTP: 14:19:27 [tx] STARTTLS SMTP: 14:19:27 [rx] 500 Unsupported command. but the Exim debugging output shows this: ==> SMTP<< EHLO xxxx SMTP>> 250-yyyy Hello xxxx [nnn.nnn.nnn.nnn] 250-SIZE 52428800 250-PIPELINING 250-AUTH CRAM-MD5 PLAIN LOGIN 250-STARTTLS 250 HELP SMTP<< QUIT A0059: Turn off scanning of outgoing email in Norton Antivirus. If you aren't running Norton Antivirus, see if you are running some other kind of SMTP proxying, either on the client or on a firewall between the client and server. ``Unsupported command'' is not an Exim message. Q0060: Why am I getting the error \*failed to expand \"/data/lists/lists/${lc"\ for require_files: \"${lc"\ is not a known operator*\ for this setting: ==> require_files = MAILMAN_HOME/lists/${lc:$local_part}/config.db A0060: The value of \"require_files"\ is a list in which each item is separately expanded. In other words, the splitting into items happens before the string expansion. You need either to double the colon, or switch to a different list separator. Q0061: What does the error \*Too many ``Received'' headers - suspected mail loop*\ mean? A0061: Whenever a message passes through an MTA, a ::Received:: header gets added. Exim counts the number of these headers in incoming messages. If there are more than the value of \received_headers_max\ (default 30), Exim assumes there is some kind of mail routing loop occurring. For example, host A passes the message to host B, which immediately passes it back to host A. Check the ::Received:: headers and the mail logs to determine exactly what is going on. One common cause of this problem is users with accounts on both systems who set up each one to forward to the other, thinking that will cause copies of all messages to be delivered on both of them. Q0062: When I try to start an Exim daemon with \-bd-\ it crashes. I ran a debugger and discovered that the crash is happening in the function \^^getservbyname()^^\. What's going on? A0062: What have you got in the file \(/etc/nsswitch.conf)\? If it contains this line: ==> services: db files try removing the \"db"\. Your system is trying to look in some kind of database before searching the file \(/etc/services)\, and there is an incompatibility the is causing the function \^^getservbyname()^^\ crash. This is an OS problem. See, for instance: \?http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=129025?\ Another workaround in Exim is to set ==> daemon_smtp_port = 25 in the configuration, to stop Exim calling \^^getservbyname()^^\. Q0063: When I try to start an Exim daemon, nothing happens. There is no process, and nothing is written to the Exim log. A0063: Check to see if anything is written to \(syslog)\. This problem can be caused by a permission problem that stops Exim from writing to its log files, especially if you've specified that they should be written somewhere other than under Exim's spool directory. You could also try running the daemon with debugging turned on. Q0064: When I run \"exim -d test@domain"\ it delivers fine, but when I send a message from the \^mail^\ command, I get \*User unknown*\ and the mail is saved in \(dead.letter)\. A0064: It looks as if Exim isn't being called by \^mail^\; instead it is calling some other program (probably Sendmail). Try running the command ==> /usr/sbin/sendmail -bV (If you get \*No such file or directory*\ or \*Command not found*\ you are running Solaris or IRIX. Try again with \(/usr/lib/sendmail)\.) The output should be something like this: ==> Exim version 4.05 #1 built 13-Jun-2002 10:27:15 Copyright (c) University of Cambridge 2002 If you don't see this, your Exim installation isn't fully operational. If you are running FreeBSD, see Q9201. For other systems, see Q0114. Q0065: When (as \/root/\) I use -C to run Exim with an alternate configuration file, it gives an error about being unable to create a spool file when trying to run an \%autoreply%\ transport. Why is this? A0065: When Exim is called with -C, it passes on -C to any instances of itself that it calls (so that the whole sequence uses the same config file). If it's running as \/exim/\ when it does this, all is well. However, if it happens as a consequence of a non-privileged user running \%autoreply%\, the called Exim gives up its root privilege. Then it can't write to the spool. This means that you can't use -C (even as \/root/\) to run an instance of Exim that is going to try to run \%autoreply%\ from a process that is neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using re-execs to regain privilege), there isn't any way round this restriction. Therefore, the only way you can make this scenario work is to run the \%autoreply%\ transport as \/exim/\ (that is, the user that owns the Exim spool files). This may be satisfactory for autoreplies that are essentially system-generated, but of course is no good for autoreplies from unprivileged users, where you want the \%autoreply%\ transport to be run as the user. To get that to work with an alternate configuration, you'll have to use two Exim binaries, with different configuration file names in each. See S001 for a script that patches the configuration name in an Exim binary. Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean? A0066: This message is given when an Exim process is unable to change uid or gid when it needs to, because it does not have root privilege. This is a serious problem that prevents Exim from carrying on with what it is doing. The two most common situations where Exim needs to change uid/gid are doing local deliveries and processing users' filter files. There are two common causes of this error: (1) You have forgotten to make the exim binary setuid to \/root/\. This means that it can never change uid/gid in any situation. Also, the setuid binary must reside on a disk partition that does not have the \"nosuid"\ mount option set. (2) The exim binary is setuid, but you have configured Exim so that, while trying to verify an address at SMTP time, it runs a router that needs to change uid/gid. Because Exim runs as \/exim/\ and not \/root/\ while receiving messages, the router is unable to change uid and therefore it cannot operate. The usual example of this is a \%redirect%\ router for users' filter files. Setting the \user\ or \check_local_user\ options on a \redirect\ router causes this to happen (except in the special case when the redirection list is provided by the \data\ option and does not contain \":include:"\). The solution is to set \no_verify\ on the router that is causing the problem. This means that it is skipped when an address is being verified. In ``normal'' configurations where the router is indeed handling users' filter files, this is quite acceptable, because you do not usually need to process a filter file in order to verify that the local part is valid. See, for example, the \%userforward%\ router in the default configuration. Q0067: What does the error \*too many unrecognized commands*\ mean? A0067: There have been instances of network abuse involving mail sent out by web servers. In most cases, unrecognizable commands are sent as part of the SMTP session. A real MTA never sends out such invalid commands. Exim allows a few unrecognized commands in a session to permit humans who are testing to make a few typos (it responds with a 5xx error). However, if Exim receives too many such commands, it assumes that it is dealing with an abuse of some kind, and so it drops the connection. Q0068: Exim times out when trying to connect to some hosts, though those hosts are known to be up and running. What's the problem? A0068: There could be a number of reasons for this (see also Q0017). The obvious one is that there is a networking problem between the hosts. If you can ping between the hosts or connect in other ways, the problem might be caused by ECN (Explicit Congestion Notification) being enabled in your kernel. ECN uses TCP flags originally assigned to TOS - it's a "new" invention, and some hosts and routers are known to be confused if a client uses it. If you are running Linux, you can turn ECN off by running this command: ==> /bin/echo "0" > /proc/sys/net/ipv4/tcp_ecn This has also been reported to cure web connection problems from Mozilla and Netscape browsers in Linux when there were no problems with Windows Netscape browsers. Q0069: What does the error \*SMTP data timeout (message abandoned) on connection from...*\ mean? A0069: It means that there was a timeout while Exim was reading the contents of a message on an incoming SMTP connection. That is, it had successfully accepted a MAIL command, one or more RCPT commands, and a DATA command, and was in the process of reading the data itself. The length of timeout is controlled by the \smtp_receive_timeout\ option. If you get this error regularly, the cause may be incorrect handling of large packets by a router or firewall. The maximum size of a packet is restricted on some links; routers should split packets that are larger. There is a feature called ``path MTU discovery'' that enables a sender to discover the maximum packet size over an entire path (multiple Internet links). This can be broken by misconfigured firewalls and routers. There is a good explanation at \?http://www.netheaven.com/pmtu.html?\. Reducing the MTU on your local network can sometimes work round this problem. See Q0017 (3) for further discussion. Q0070: What does the error \*SMTP command timeout on connection from...*\ mean? A0070: Exim was expecting to read an SMTP command from the client, but no command was read within the \smtp_receive_timeout\ time limit. Q0071: What does the error \*failed to open DB file \(/var/spool/exim//db/retry)\: Illegal argument*\ mean? A0071: See Q0058. The cause of this error is usually the same. Q0072: Exim will deliver to normal aliases, and aliases that are pipes or files, but it objects to aliases that involve \":include:"\ items, complaining that it can't change gid or uid. Why is this? A0072: See Q0066 for a general answer. The problem happens during verification of an incoming SMTP message, not during delivery itself. In this particular case, you must have set up your aliasing router with a \user\ setting. This causes Exim to change uid/gid when reading \":include:"\ files. If you do not need the detailed verification provided by the router, the easy solution is to set \no_verify\ so that the router isn't used during verification. Otherwise, if you set \user\ on the router in order to provide a user for delivery to pipes or files, one solution is to put the \user\ setting on the transports instead of on the router. You may need to create some special transports just for this router. The alternative is to supply two different routers, one with \user\ and \no_verify\, and the with \verify_only\ but no \user\ setting. Q0073: I'm seeing log file corruption, with parts of log lines getting mangled by other log entries. A0073: The only time this has been seen is when several servers were writing to the same log files over NFS. Exim assumes that its log file is on local disk, and using NFS, especially for more than one server, will not work. Q0074: What does the error message \*remote delivery process count got out of step*\ mean? A0074: Exim uses subprocesses for remote deliveries; this error means that the master process expected to have a child process running, but found there were none. Prior to release 4.11, this error could be caused by running Exim under \^strace^\ on a Linux system, because stracing causes children to be ``stolen'' such that a parent that tries to wait for ``any of my children'' is told that it has none. Current releases of Exim have code to get round this problem. Q0075: I'm using LDAP, and some email addresses that contain special characters are causing parsing errors in my LDAP lookups. A0075: You should be using \"${quote_ldap:$local_part}"\ instead of just \"$local_part"\ in your lookups. Q0076: I've configured Exim to use \^syslog^\ for its logs, with the main and reject logs sent to different files, but whenever a message is rejected, I get one message on the reject log and two messages on the main log. A0076: You are probably putting your reject items into the main log as well; remember \^syslog^\ levels are inclusive (for example, \"mail.info"\ includes all higher levels, so a \"mail.notice"\ message will be caught by a \"mail.info"\ descriptor). Test this by running the command: ==> logger -p mail.notice test and seeing which logs it goes into. From Exim release 4.31 it is possible to disable the rejectlog by setting \write_rejectlog\ false. Q0077: I've installed Exim and it is delivering mail just fine. However, when I try to read mail from my PC I get \*connection rejected*\ or \*unable to connect*\. A0077: See Q5021. Q0078: Exim is logging the unknown SMTP command \"XXXX"\ from my client hosts, and they are unable to authenticate. A0078: This is a sign of a Cisco PIX firewall getting in the way. It does not support ESMTP, and turns EHLO commands into XXXX. You should configure the Pix to leave SMTP alone; see Q0053 for how to do this. Q0079: Our new PIX firewall is causing problems with incoming mail. How can this be fixed? A0079: See Q0053 and Q0078. If some messages get through and others do not, see also Q0017. Q0080: Am I to understand that the database lookups must only return one value? They can not return a list of values? The documentation seems to indicate that it's possible to return a list. A0080: Lookups can be used in two different situations, and what they return is different in the two cases. (Be thankful Exim 3 is gone; there was yet another case!) (1) You can use a lookup in any expanded string. The syntax is ==> ${lookup ..... } In this case, whatever is looked up replaces the expansion item. It may be one value or a list of values. Whether a single value or a list is acceptable or not depends on where you are using the string expansion. If it is for an option that expects just one value, then only one value is allowed (for example). (2) You can make use of the lookup mechanism to test whether something (typically a host name or IP address) is in a list. For example, ==> hosts = a : b : c in an ACL tests whether the calling host's name matches ``a'', or ``b'', or ``c''. Now, suppose you want to keep the list of names in a database, or cdb file, or NIS map, or... By writing ==> hosts = pgsql;select .... you are saying to Exim: ``Run this lookup; if it succeeds, behave as if the host is in the list; if it fails, the host is not in the list.'' You are using the indexing mechanism of the database as a fast way of checking a list. A simpler example is ==> hosts = lsearch;/some/file where the file contains the list of hosts to be searched. The complication happens when a list is first expanded before being interpreted as a list. This happens in a lot of cases. You can therefore write either of these: ==> hosts = cdb;/some/file hosts = ${lookup{something}cdb{/some/file}} but they have different meanings. The first means ``see if the host name is in the list in this file''. The second means ``run this lookup and use the result of the lookup as a list of host items to check''. In the second case, the list could contain multiple values (colon separated), and one of those values could even be ``cdb;/some/file''. Flexibility does lead to complexity, I'm afraid. Q0081: What does \*error in redirect data: included file xxxx is too big*\ mean? A0081: You are trying to include a very large file in a redirection list, using the \":include:"\ feature. Exim has a built-in limit on the size, as a safety precaution. The default is 1 megabyte. If you want to increase this, you have to rebuild Exim. In your \(Local/Makefile)\, put ==> MAX_INCLUDE_SIZE = whatever and then rebuild Exim. The value is a number of bytes, but you can give it as a parenthesized arithmetic expression such as \"(3*1024*1024)"\. However, an included file of more than a megabyte is likely to be quite inefficient. How many addresses does yours contain? You get the best performance out of Exim if you arrange to send mailing list messages with no more than about 100 recipients (in order to get parallelism in the routing). Q0082: What does \*relocation error: /lib/libnss_dns.so.2: symbol __libc_res_nquery, version GLIBC_PRIVATE not defined in file libresolv.so.2 with link time reference*\ mean? A0082: You have updated \^glibc^\ while an Exim daemon is running. Stop and restart the daemon. Q0083: Netscape on Unix is sending messages containing an unqualified user name in the ::Sender:: header line, which Exim is rejecting because I have set \"verify = header_syntax"\. How can I fix this? A0083: The only thing you can do in Exim is to set the \sender_unqualified_hosts\ option to allow unqualified sender addresses form the relevant hosts; of course, this applies to all sender addresses, not just the ::Sender:: header line. Alternatively, you can configure Netscape not to include the header line in the first place. Add the following line to the \($HOME/.netscape/preferences.js)\ and \($HOME/.netscape/liprefs.js)\ files: ==> user_pref("mail.suppress_sender_header", true); Netscape must be shut down while doing this. Q0084: I want to set up an alias that pipes a message to \^gpg^\ and then pipes the result to \^mailx^\ to resubmit the message, but when I use my tested command in an alias file, I get an error from \^gpg^\. A0084: Probably you are using a shell command with two pipe symbols in it. An alias like this: ==> gpg-xxx: "|gpg | mailx helo_allow_chars = _ For more seriously malformed host names, see \helo_accept_junk_hosts\. See also Q0732. Q0086: What does \*SMTP protocol violation: synchronization error (next input sent too soon)*\ mean? A0086: SMTP is a ``lock-step'' protocol, which means that, at certain points in the protocol, the client must wait for the server to respond before sending more data. Exim checks for correct behaviour, and issues this error if the client sends data too soon. This protects against malefactious clients who send a bunch of SMTP commands (usually to transmit spam) without waiting for any replies. This error is also provoked if a client unexpectedly tries to start up a TLS session immediately on connection, without using the STARTTLS command. See Q1707 for a discussion of this case. Q0087: What does \*rejected after DATA: malformed address: xx@yy may not follow : failing address in "from" header*\ mean? A0087: Your DATA ACL contains ==> verify = header_syntax and an incoming message contained the line ==> From: xx@yy This is syntactically invalid. The contents of an address in a header line are either just the address, or a ``phrase'' followed by an address in angle brackets. In the latter case, the ``phrase'' must be quoted if it contains special characters such as @. The following are valid versions of the bad header: ==> From: xx@yy From: "xx@yy" though why on earth anything generates this kind of redundant nonsense I can't think. Q0088: The Windows mailer SENDFILE.EXE sometimes hangs while trying to send a message to Exim 4, and eventually times out. It worked flawlessly with Exim 3. What has changed? A0088: Exim 4 sets an obscure TCP/IP parameter called TCP_NODELAY. This disables the "Nagle algorithm" for the TCP/IP transmission. The Nagle algorithm can improve network performance in interactive situations such as a human typing at a keyboard, by buffering up outgoing data until the previous packet has been acknowledged, and thereby reducing the number of packets used. This is not relevant for mail transmission, which mostly consists of quite large blocks of data; setting TCP_NODELAY should improve performance. However, it seems that some Windows clients do not function correctly if the server turns off the Nagle algorithm. If you are using Exim 4.23 or later, you can set ==> tcp_nodelay = false This stops Exim setting TCP_NODELAY on the sockets created by the listening daemon. Q0089: What does the error \*kernel: application bug: exim(12099) has SIGCHLD set to SIG_IGN but calls wait()*\ mean? A0089: This was a bad interaction between a change to the Linux kernel and some ``belt and braces'' programming in Exim. The following explanation is taken from Exim's change log: When Exim is receiving multiple messages on a single connection, and spinning off delivery processess, it sets the SIGCHLD signal handling to SIG_IGN, because it doesn't want to wait for these processes. However, because on some OS this didn't work, it also has a paranoid call to \^waitpid()^\ in the loop to reap any children that have finished. Some versions of Linux now complain (to the system log) about this ``illogical'' call to \^waitpid()^\. I have therefore put it inside a conditional compilation, and arranged for it to be omitted for Linux. I am pretty sure I caught all the places in Exim where this happened. However, there are still occasional reports of this error. I have not heard of any resolutions, but my current belief is that they are caused by something that Exim calls falling foul of the same check. There was at one time a suspicion that the IPv6 stack was involved. Q0090: I can't seem to get a pipe command to run when I include a \"${lookup"\ expansion in it. A0090: See Q0025. Q0091: Why is Exim giving the error \*Failed to send message from address_reply transport*\ when I run it using -C to specify an alternate configuration? A0091: See Q0065. Q0092: The error message \*Program received signal SIGINT, Interrupt.*\ occurs when I try to use Exim with PostgreSQL. A0092: Check that you have not set ==> log_statement=true in the PostgreSQL configuration file. It seems that this causes PostgreSQL to return logging information as the first row in a query result, which totally confuses Exim. 1. BUILDING AND INSTALLING Q0101: I'm having a problem with an Exim RPM. A0101: Normally the thing to do if you have a problem with an RPM package is to contact the person who built the package first, not the person who made the software that's in the package. You can usually find out who made a package using the following command: ==> rpm --query --package --queryformat '%{PACKAGER}\n' where \[rpm-package-file]\ is the actual file, e.g. \(exim-3.03-2.i386.rpm)\. Or, if the package is installed on your system: ==> rpm --query --queryformat '%{PACKAGER}\n' where \[package-name]\ is the name component of the package, e.g. \"exim"\. If the packager is unable or unwilling to help, only then should you contact the actual author or associated mailing list of the software. If you discover through the querying process that you can't tell who the person (or company or group) is who built the package, or that they no longer exist at the given address, then you should reconsider whether you want a package from an unknown source on your system. If you discover through the querying process that you yourself are the person who built the package, then you should either (a) contact the author or associated mailing list, or (b) reconsider whether you ought to be building and distributing RPM packages of software you don't understand. Similar rules of thumb govern other binary package formats, including debs, tarballs, and POSIX packages. Q0102: I can't get Exim to compile with Berkeley DB version 2.x or 3.x. A0102: Have you set \"USE_DB=yes\" in \(Local/Makefile)\? This causes Exim to use the native interface to the DBM library instead of the compatibility interface, which needs a header called \(ndbm.h)\ that may not exist on your system. Q0103: I'm getting an \*undefined symbol*\ error for \"hosts_ctl"\ when I try to build Exim. (On some systems this error is \*undefined reference to 'hosts_ctl'*\.) A0103: You should either remove the definition of \\USE_TCP_WRAPPERS\\ or add \"-lwrap"\ to your \\EXTRALIBS\\ setting in Local/Makefile. Q0104: I'm about to upgrade to a new Exim release. Do I need to ensure the spool is empty, or take any other special action? A0104: It depends on where you are coming from. (1) If you are changing to release 4.00 or later from a release prior to 4.00, you will need to make changes to the run time configuration file. See the file \(doc/Exim4.upgrade)\ for details. If you are coming from before release 3.00, you should also see \(doc/Exim3.upgrade)\. (2) If you are upgrading from an Exim 4 release to a later release, you do not need to take special action. New releases are made backwards compatible with old spool files and hints databases, so that upgrading can be done on a running system. All that should be necessary is to install a new binary and then HUP the daemon. \**Warning**\: If you have changed the release of your DBM library, so that your new Exim is linked with a different release than the old one, you may encounter errors when Exim attempts to access the old hints databases. See Q0055. Q0105: What does the error \*install-info: command not found*\ mean? A0105: You have set \\INFO_DIRECTORY\\ in your \(Local/Makefile)\, and Exim is trying to install the Texinfo documentation, but cannot find the command called \(install-info)\. If you have a version of Texinfo prior to 3.9, you should upgrade. Otherwise, check your installation of Texinfo to see why the \(install-info)\ command is not available. Q0106: Exim doesn't seem to be recognizing my operating system type correctly, and so is failing to build. A0106: Run the command \"scripts/os-type -generic"\. The output should be one of the known OS types, and should correspond to your operating system. You can see which OS are supported by obeying \"ls OS/Makefile-*"\ and looking at the file name suffixes. If there is a discrepancy, it means that the script is failing to interpret the output from the \"uname"\ command correctly, or that the output is wrong. Meanwhile, you can build Exim by obeying ==> EXIM_OSTYPE=xxxx make instead of just \"make"\, provided you are running a Bourne-compatible shell, or otherwise by setting \\EXIM_OSTYPE\\ correctly in your environment. It is probably best to start again from a clean distribution, to avoid any wreckage left over from the failed attempt. Q0107: Exim fails to build, complaining about the absence of the \"killpg"\ function. A0107: This function should be present in all modern flavours of Unix. If you are using an older version, you should be able to get round the problem by inserting ==> #define killpg(pgid,sig) kill(-(pgid),sig) into the file called \(OS/os.h-xxx)\, where xxx identifies your operating system, and is the output of the command \"scripts/os-type -generic"\. Q0108: I'm getting an unresolved symbol \"ldap_is_ldap_url"\ when trying to build Exim. A0108: You must have specified \"LOOKUP_LDAP=yes"\ in the configuration. Have you remembered to set \"-lldap"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You need that in order to get the LDAP library scanned when linking. Q0109: I'm getting an unresolved symbol \"mysql_close"\ when trying to build Exim. A0109: You must have specified \"LOOKUP_MYSQL=yes"\ in the configuration. Have you remembered to set \"-lmysqlclient"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You need that in order to get the MySQL library scanned when linking. Q0110: I'm trying to build Exim with PAM support. I have included \"-lpam"\ in \\EXTRALIBS\\, but I'm still getting a linking error: ==> /lib/libpam.so: undefined reference to `dlerror' /lib/libpam.so: undefined reference to `dlclose' /lib/libpam.so: undefined reference to `dlopen' /lib/libpam.so: undefined reference to `dlsym' A0110: Add \"-ldl"\ to \\EXTRALIBS\\. In some systems these dynamic loading functions are in their own library. Q0111: I'm getting the error \*db.h: No such file or directory*\ when I try to build Exim. A0111: This problem has been seen with RedHat 7.0, but could also happen in other environments. If your system is using the DB library, you need to install the DB development package in order to build Exim. The package is called something like \"db3-devel-3.1.14-16.i386.rpm"\ for Linux systems, but you should check which version of DB you have installed (current releases are DB 4). Q0112: I'm getting the error \*/usr/bin/ld: cannot find -ldb*\ when I try to build Exim. A0112: This is probably the same problem as Q0111. Q0113: I've compiled Exim and I've managed to start it but there was one problem - it always complained that \(libmsqlclient.so.10)\ was not found, even though this file is in \(/usr/local/lib/mysql/)\. A0113: Solaris: ensure you have this in your \(Local/Makefile)\: ==> LOOKUP_LIBS=-L/usr/local/lib/mysql -R/usr/local/lib/mysql Net/Open/FreeBSD: Run this command (or ensure it gets run automatically at boot time): ==> ldconfig -m /usr/local/lib/mysql Linux: add \(/usr/local/lib/mysql)\ to \(/etc/ld.so.conf)\ and re-run \(ldconfig)\. Alternatively, add ==> -Wl,-rpath -Wl,/usr/local/lib/mysql to EXTRA_LIBS and then re-link (this is similar to the Solaris solution above). This will probably also work on other systems that use GNU Binutils. Q0114: How can I remove Sendmail from my system? I've built Exim and run \"make install"\, but it still doesn't seem to be fully operational. A0114: If you are running FreeBSD, see Q9201. Otherwise, you need to arrange that whichever of the paths \(/usr/sbin/sendmail)\ or \(/usr/lib/sendmail)\ exists on your system is changed to refer to Exim. For example, you could use these commands (as \/root/\): ==> mv /usr/sbin/sendmail /usr/sbin/sendmail.original chmod u-s /usr/sbin/sendmail.original ln -s /path/to/exim /usr/sbin/sendmail The second command removes the setuid privilege from the old MTA, as a general safety precaution. In the third command, substitute the actual path to the Exim binary for \(/path/to/exim)\. Q0115: What does \*Can't open \(../scripts/newer)\: No such file or directory*\ mean? I got it while trying to build Exim. A0115: You are using FreeBSD, or another OS that has a \^make^\ command which tries to optimize the running of commands. Exim's \(Makefile)\ contains targets with sequential commands like this: ==> buildpcre: @cd pcre; $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" \ CFLAGS="$(CFLAGS) $(PCRE_CFLAGS)" \ RANLIB="$(RANLIB)" HDRS="$(PHDRS)" \ INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)" @if $(SHELL) $(SCRIPTS)/newer pcre/libpcre.a exim; then \ /bin/rm -f exim eximon.bin; fi The second command assumes that the \"cd pcre"\ in the first command is no longer in effect. If you have \"-j3"\ in your default set of \"MAKEFLAGS"\, FreeBSD \^make^\ tries to optimize, and ends up up with both commands in the same shell process. The result is that \"$(SCRIPTS)"\ (which has a value of \"../scripts"\) is not found. The simplest solution is to force \^make^\ to use backwards compatibility mode with each command in its own shell, by using the \-B\ flag. To ensure that this happens throughout the build, it's best to export it in your environment: ==> MAKEFLAGS='-B' export MAKEFLAGS make Q0116: I have tried to build Exim with Berkeley DB 3 and 4, but I always get errors. A0116: One common problem, especially when you have several different versions of BDB installed on the same host, is that the header files and library files for BDB are not in a standard place. You therefore need to tell Exim where they are, by setting INCLUDE and DBMLIB in your \(Local/Makefile)\. For example, you could use this when you want to build with DB 4.1: ==> INCLUDE=-I/usr/local/include/db-4.1 DBMLIB=/usr/local/lib/db-4.1/libdb.a Specifying the complete library file like this will cause it to be statically linked with Exim. You'll have to check to see where these files are on your system. For example, on FreeBSD 5, the header is in \(/usr/local/include/db4)\ and the library is in \(/usr/local/lib)\ and called \(libdb4)\. In that environment, you could use: ==> INCLUDE=-I/usr/local/include/db4 DBMLIB=-L/usr/local/lib -ldb4 This time, DBMLIB is specifying the library directory (\(/usr/local/lib)\) and the name of the library (\(db4)\) separately. The name of the actual library file is \(/usr/local/lib/libdb4.something)\. If the library was compiled for dynamic linking, that will be used. Q0117: Is there a quick walk-through of an Exim install from source anywhere? A0117: Here! This is a contribution from a RedHat user, somewhat edited. On other operating systems things may be slightly different, but the general approach is the same. (1) Install the db needed for Exim. This needs to be done first if you don't have a DBM library installed. Go to \?http://www.sleepycat.com?\ and download \(db-4.1.25.tar.gz)\, or whatever the current release is. Then: ==> gunzip db-4.1.25.tar.gz tar -xvf db-4.1.25.tar cd db-4.1.25 cd build_unix ../dist/configure make make install (2) Add a user for use by Exim, unless you want to use an existing user such as \/mail/\: ==> adduser exim (3) Now you can prepare to build Exim. Go to \?http://www.exim.org?\ or one of its mirrors, or the master ftp site \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download \(exim-4.20.tar.gz)\ or whatever the current release is. Then: ==> gunzip exim-4.20.tar.gz tar -xvf exim-4.20.tar cd exim-4.20 cp src/EDITME Local/Makefile cp exim_monitor/EDITME Local/eximon.conf (4) Edit \(Local/Makefile)\: Comment out EXIM_MONITOR= unless you want to install the Exim monitor (it requires X-windows). Set the user you want Exim to use for itself: ==> EXIM_USER=exim If your DBM library is Berkeley DB, set up to use its native interface: ==> USE_DB=yes Make sure Exim's build can find the DBM library and its headers. If you've installed Berkeley DB 4 you'll need to have settings like this in \(Local/Makefile)\: ==> INCLUDE=-I/usr/local/BerkeleyDB.4.1/include DBMLIB=/usr/local/BerkeleyDB.4.1/lib/libdb.a (Check that the first directory contains the db.h file and that the second library exists.) You don't need to change anything else, but you might want to review the default settings in the ``must specify'' section. (4) Build Exim by running the \/make/\ command. (5) Install Exim by running, as \/root/\: ==> make install You must be \/root/\ to do this. You do not have to be root for any of the previous building activity. (6) Run some tests on Exim; see if it will do local and remote deliveries. Change the configuration if necessary (for example, uncommenting \group\ on the \%local_delivery%\ transport if you don't use a ``sticky bit'' directory). (7) Change Sendmail to Exim (of course you need to have had Sendmail installed to do this). ==> /etc/init.d/sendmail stop mv /usr/sbin/sendmail /usr/sbin/sendmail.org ln -s /usr/exim/bin/exim /usr/sbin/sendmail /etc/init.d/sendmail start (8) Check the Exim log. Either use the Exim monitor, or: ==> tail -f /var/spool/exim/log/mainlog Q0118: I've set \"LOOKUP_INCLUDE=-I/client/include"\ in Local/Makefile, but the compilation of \^exim_dumpdb^\ is ignoring this option and failing. Why? A0118: LOOKUP_INCLUDE is the special include file for lookup modules in Exim (e.g. mysql, LDAP). Confusingly, it doesn't apply to basic DBM code which is used also for other things. Try setting INCLUDE and DBMLIB instead. For example: ==> USE_DB=yes INCLUDE=-I/client/include DBMLIB=/client/lib/libdb.a Q0119: I know there are some 3rd-party patches for Exim, for exiscan and other things. Where are they? A0119: Exiscan is at \?http://duncanthrax.net/exiscan-acl/?\. [[br]] Scanexi is at \?http://w1.231.telia.com/~u23107873/scanexi.html?\ [[br]] A sample \^^local_scan()^^\ function for interfacing to \^uvscan^\ is at \?http://www.dcs.qmul.ac.uk/~mb/local_scan/?\. [[br]] An interface to SpamAssassin at SMTP time is at \?http://marc.merlins.org/linux/exim/sa.html?\. [[br]] A mini-HOWTO (PDF file) about scanning and virus scanning, and some RPMs can be found at \?http://www.timj.co.uk/linux/exim.php?\. Q0120: I'm trying to compile with LOOKUP_WHOSON, but I keep getting \*In function `whoson_find': undefined reference to `wso_query'*\. A0120: Try adding \"-lwhoson"\ to your LOOKUP_LIBS setting in \(Local/Makefile)\. 2. ROUTING IN GENERAL Q0201: How can I arrange that messages larger than some limit are handled by a special router? A0201: You can use a \condition\ option on the router line this: ==> condition = ${if >{$message_size}{100K}{yes}{no}} Q0202: Can I specify a list of domains to explicitly reject? A0202: Set up a named domain list containing the domains in the first section of the configuration, for example: ==> domainlist reject_domains = list:of:domains:to:reject You can use this list in an ACL to reject any SMTP recipients in those domains. You can also give a customized error message, like this: ==> deny message = The domain $domain is no longer supported domains = +reject_domains If you also want to reject these domains in messages that are submitted from the command line (not using SMTP), you need to set up a router to do it, like this: ==> reject_domains: driver = redirect domains = +reject_domains allow_fail data = :fail: The domain $domain is no longer supported Q0203: How can I arrange to do my own qualification of non-fully-qualified domains, and then pass them on to the next router? A0203: If you have some list of domains that you want to qualify, you can do this using a redirect router. For example, ==> qualify: driver = redirect domains = *.a.b data = ${quote:$local_part}@$domain.c.com This adds \".c.com"\ to any domain that matches \"*.a.b"\. If you want to do this in conjunction with a \%dnslookup%\ router, the \widen_domains\ option of that router may be another way of achieving what you want. Q0204: Every system has a \"nobody"\ account under which httpd etc run. I would like to know how to restrict mail which comes from that account to users on that host only. A0204: Set up a first router like this: ==> fail_nobody: driver = redirect senders = nobody@your.domain domains = ! +local_domains allow_fail data = :fail: Nobody may not mail off-site This assumes you have defined \+local_domains\ as in the default configuration. Q0205: How can I get Exim to deliver to me locally and everyone else at the same domain via SMTP to the MX record specified host? A0205: Create an \%accept%\ router to pick off the one address and pass it to an appropriate transport. Put this router before the one that does MX routing: ==> me: driver = accept domains = dom.com local_parts = me transport = local_delivery In the transport you will have to specify the \user\ option. An alternative way of doing this is to add a condition to the router that does MX lookups to make it skip your address. Subsequent routers can then deliver your address locally. You'll need a condition like this: ==> condition = \ ${if and {{eq{$domain}{dom.com}}{eq{$local_part}{me}}}{no}{yes}} Q0206: How can I get Exim to deliver certain domains to a different SMTP port on my local host? A0206: You must set up a special \%smtp%\ transport, where you can specify the \port\ option, and then set up a router to route the domains to that transport. There are two possibilities for specifying the host: (1) If you use a \%manualroute%\ router, you can specify the local host in the router options. You must also set ==> self = send so that it does not object to sending to the local host. (2) If you use a router that cannot specify hosts (for example, an \%accept%\ router with appropriate conditions), you have to specify the host using the \hosts\ option of the transport. In this case, you must also set \allow_localhost\ on the transport. Q0207: Why does Exim lower-case the local-part of a non-local domain when routing? A0207: Because \caseful_local_part\ is not set (in the default configuration) for the \%dnslookup%\ router. This does not matter because the local part takes no part in the routing, and the actual local part that is sent out in the RCPT command is always the original local part. Q0208: I can't get a lookup to work in a domain list. I'm trying this: ==> domainlist local_domains = @:localhost:${lookup pgsql{SELECT ... A0208: Does the lookup return a colon separated list of domains? If not, you are using the wrong kind of lookup. The most common way of using a lookup in a domain list is something like this: ==> domainlist local_domains = @:localhost:pgsql;SELECT ... Using that syntax, if the query succeeds, the domain is considered to be in the list. The value that is returned is not relevant. 3. ROUTING TO REMOTE HOSTS Q0301: What do \*lowest numbered MX record points to local host*\ and \*remote host address is the local host*\ mean? A0301: They mean exactly what they say. Exim expected to route an address to a remote host, but the IP address it obtained from a router was for the local host. If you really do want to send over TCP/IP to the local host (to a different version of Exim or another MTA, for example), see Q0206. More commonly, these errors arise when Exim thinks it is routing some foreign domain. For example, the router configuration causes Exim to look up the domain in the DNS, but when Exim examines the DNS output, either the lowest numbered MX record points at the local host, or there are no MX records, and the address record for the domain contains an IP address that belongs to the local host. There has been a rash of instances of domains being deliberately set up with MX records pointing to \"localhost"\ (or other names with A records that specify 127.0.0.1), which causes this behaviour. You can use the \ignore_target_hosts\ option to get Exim to ignore these records. The default contiguration does this. For more discussion, see Q0319. For other cases: (1) If the domain is meant to be handled as a local domain, there is a problem with the configuration, because it should not then have been looked up in the DNS. Check the \domains\ settings on your routers. (2) If the domain is one for which the local host is providing a relaying service (called ``mail hubbing''), possibly as part of a firewall, you need to set up a router to tell Exim where to send messages addressed to this domain, because the DNS directs them to the local host. You should put a router like this one before the one that does DNS lookups: ==> hubbed_hosts: driver = manualroute transport = remote_smtp route_list = see discussion below The contents of the \route_list\ option depend on how many hosts you are hubbing for, and how their names are related to the domain name. Suppose the local host is a firewall, and all the domains in \(*.foo.bar)\ have MX records pointing to it, and each domain corresponds to a host of the same name. Then the setting could be ==> route_list = *.foo.bar $domain If there isn't a convenient relationship between the domain names and the host names, you either have to list each domain separately, or use a lookup expansion to look up the host from the domain, or put the routing information in a file and use the \route_data\ option with a lookup expansion. (3) If neither (1) nor (2) is the case, the lowest numbered MX record or the address record for the domain should not be pointing to your host. You should arrange to get the DNS mended. Q0302: Why does Exim say \*all relevant MX records point to non-existent hosts*\ when MX records point to IP addresses? A0302: MX records cannot point to IP addresses. They are defined to point to host names, so Exim always interprets them that way. (An IP address is a syntactically valid host name.) The DNS for the domain you are having problems with is misconfigured. However, it appears that more and more DNS zones are breaking the rules and putting IP addresses on the RHS of MX records. Exim follows the rules and rejects this, but other MTAs do support it, so the \allow_mx_to_ip\ was regretfully added at release 3.14 to permit this heinous activity. Q0303: How do I configure Exim to send all messages to a central server? I don't want to do any local deliveries at all on this host. A0303: Use this as your first and only router: ==> send_to_gateway: driver = manualroute transport = remote_smtp route_list = * central.server.host Q0304: How do I configure Exim to send all non-local mail to a gateway host? A0304: Replace the \%dnslookup%\ router in the default configuration with the following: ==> send_to_gateway: driver = manualroute domains = !+local_domains transport = remote_smtp route_list = * gate.way.host If there are several hosts you can send to, you can specify them as a colon-separated list. Q0305: How can I arrange for mail on my local network to be delivered directly to the relevant hosts, but all other mail to be sent to my ISP's mail server? The local hosts are all DNS-registered and behave like normal Internet hosts. A0305: Set up a first router to pick off all the domains for your local network. There are several ways you might do this. For example ==> local_network: driver = dnslookup transport = remote_smtp domains = *.mydomain.com This does a perfectly conventional DNS routing operation, but only for the domains that match \(*.mydomain.com)\. Follow this with a `smart host' router: ==> internet: driver = manualroute domains = !+local_domains transport = remote_smtp route_list = * mail.isp.net This routes any other non-local domains to the smart host. Q0306: How do I configure Exim to send all non-local mail to a central server if it cannot be immediately delivered by my host? I don't want to have queued mail waiting on my host. A0306: Add to the \%remote_smtp%\ transport the following: ==> fallback_hosts = central.server.name(s) If there are several names, they must be separated by colons. Q0307: The \route_list\ setting \"^foo$:^bar$ $domain"\ in a \%manualroute%\ router does not work. A0307: The first thing in a \route_list\ item is a single pattern, not a list of patterns. You need to write that as \"^(foo|bar)$ $domain"\. Alternatively, you could use several items and write ==> route_list = foo $domain; bar $domain Note the semicolon separator. This is because the second thing in each item can itself be a colon-separated list of hosts. Q0308: I have a domain for which some local parts must be delivered locally, but the remainder are to be treated like any other remote addresses. A0308: One possible way of doing this is as follows: Assuming you are using a configuration that is similar to the default one, first exclude your domain from the first router by changing it to look like this: ==> non_special_remote: driver = dnslookup domains = ! +local_domains : ! special.domain transport = remote_smtp ignore_target_hosts = 127.0.0.0/8 no_more Then add a second router to handle the local parts that are not to be delivered locally: ==> special_remote: driver = dnslookup domains = special.domain local_parts = ! lsearch;/list/of/special/localparts transport = remote_smtp ignore_target_hosts = 127.0.0.0/8 no_more The remaining local parts will fall through to the remaining routers, which can delivery them locally. Q0309: How can I configure Exim on a firewall machine so that if mail arrives addressed to a domain whose MX points to the firewall, it is forwarded to the internal mail server, without having to have a list of all the domains involved? A0309: As your first router, have the standard \%dnslookup%\ router from the default configuration, with the added option ==> self = pass This will handle all domains whose lowest numbered MX records do not point to your host. Because of the \no_more\ setting, if it encounters an unknown domain, routing will fail. However, if it hits a domain whose lowest numbered MX points to your host, the \self\ option comes into play, and overrides \no_more\. The \"pass"\ setting causes it to pass the address on to the next router. (The default causes it to generate an error.) The only non-local domains that reach the second router are those with MX records pointing to the local host. Set it up to send them to the internal mail server like this: ==> internal: driver = manualroute domains = ! +local_domains transport = remote_smtp route_list = * internal.server Q0310: If a DNS lookup returns no MX records why doesn't Exim just bin the message? A0310: If a DNS lookup returns no MXs, Exim looks for an address record, in accordance with the rules that are defined in the RFCs. If you want to break the rules, you can set \mx_domains\ in the \%dnslookup%\ router, but you will cut yourself off from those sites (and there still seem to be plenty) who do not set up MX records. Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim send the messsage to the host defined by the A record? A0311: The RFCs are quite clear on this. Only if it is known that there are no MX records is an MTA allowed to make use of the A record. When an MX lookup fails to complete, Exim does not know whether there are any MX records or not. There seem to be some name servers (or some configurations of some name servers) that give a ``server fail'' error when asked for a non-existent MX record. Exim uses standard resolver calls, which unfortunately do not distinguish between this case and a timeout, so all Exim can do is try again later. Q0312: Is it possible to use a conditional expression for the host item in a \route_list\ for \%manualroute%\ router? I tried the following, but it doesn't work: ==> route_list = * ${if match{$header_from:}{\N.*\.usa\.net$\N} \ {}{} A0312: The problem is that the second item in \route_list\ contains white space, which means that it gets terminated prematurely. To avoid this, you must put the second item in quotes: ==> route_list = * "${if match{$header_from:}{\N.*\.usa\.net$\N} \ {}{}}" Q0313: I send all external mail to a smart host, but this means that bad addresses also get passed to the smart host. Can I avoid this? A0313: Assuming you have DNS availability, set up a conventional \%dnslookup%\ router to do the routing, but in the \%remote_smtp%\ transport set this: ==> hosts = your.smart.host hosts_override This will override the hosts that the router finds so that everything goes to the smart host, but any non-existent domains will be failed by the router. Q0314: I have a really annoying intermittent problem where attempts to mail to valid sites are rejected with \*unknown mail domain*\. This only happens a few times a day and there is no particular pattern to the sites it rejects. If I try to lookup the same domain a few minutes later then it is OK. A0314: This is almost certainly a problem with the DNS resolver or the the domain's name servers. (1) Have you linked Exim against the newest DNS resolver library that comes with Bind? If you are using SunOS4 that may be your problem, as the resolver that comes with that OS is known to be buggy and to give intermittent false negatives. (2) Effects like this are sometimes seen if a domain's name servers get out of step with each other. Q0315: I'd like route all mail with addresses that can't be resolved (the DNS lookup times out) to a relay machine. A0315: Set \pass_on_timeout\ on your \%dnslookup%\ router, and add below it a \%manualroute%\ router that routes all relevant domains to the relay. Q0316: I would like to forward all incoming email for a particular domain to another host via SMTP. Whereabouts would I configure that? A0316: Use this as your first router: ==> special: driver = manualroute transport = remote_smtp route_list = the.particular.domain the.other.host You will also need to adjust the ACL for incoming SMTP so that this domain is accepted for relaying. If you are using the default configuration, there is a domain list called \relay_domains\ that is set up for this. Q0317: What I'd like to do is have alternative smart hosts, where the one to be used is determined by which ISP I'm connected to. A0317: The simplest way to do this is to arrange for the name of the smart host du jour to be placed in a file when you connect, say \(/etc/smarthost)\. Then you can read this file from a \%manualroute%\ router like this: ==> smarthost: driver = manualroute transport = remote_smtp route_list = * ${readfile{/etc/smarthost}{}} The second argument of the \"readfile"\ item is a string that replaces any newline characters in the file (in this case, with nothing). By keeping the data out of the main configuration file, you avoid having to HUP the daemon when it changes. Q0318: Exim won't route to a host with no MX record. A0318: More than one thing may cause this. (1) Are you sure there really is no MX record? Sometimes a typo results in a malformed MX record in the zone file, in which case some name servers give a SERVFAIL error rather than NXDOMAIN. Exim has to treat this as a temporary error, so it can't go on to look for address records. You can check for this state using one of the DNS interrogation commands, such as \(nslookup)\, \(host)\, or \(dig)\. (2) Is there a wildcard MX record for \(your)\ domain? Is the \search_parents\ option on in your \%dnslookup%\ router? If the answer to both these questions is ``yes'', that is the cause of the problem. When the DNS resolver fails to find the MX record, it tries adding on your domain if \search_parents\ is true, and thereby finds your wildcard MX record. For example: . There is a wildcard MX record for \(*.a.b.c)\. . There is a host called \(x.y.z)\ that has an A record and no MX record. . Somebody on the host \(m.a.b.c)\ domain tries to mail to \(user@x.y.z)\. . Exim calls the DNS to look for an MX record for \(x.y.z)\. . The DNS doesn't find any MX record. Because \search_parents\ is true, it then tries searching the current host's parent domain, so it looks for \(x.y.z.a.b.c)\ and picks up the wildcard MX record. Setting \search_parents\ false makes this case work while retaining the wildcard MX record. However, anybody on the host \(m.a.b.c)\ who mails to \(user@n.a)\ (expecting it to go to \(user@n.a.b.c)\) now has a problem. The \widen_domains\ option of the \%dnslookup%\ router may be helpful in this circumstance. Q0319: I have some mails on my queues that are sticking around longer than the retry time indicates they should. They are all getting frozen because some remote admin has set their MX record to 127.0.0.1. A0319: The admin in question is an idiot. Exim will always freeze such messages because they are apparently routed to the local host. To bounce these messages immediately, set ==> ignore_target_hosts = 127.0.0.1 on the \%dnslookup%\ router. This causes Exim to completely ignore any hosts with that IP address. In fact, there are quite a number of IP addresses that should never be used. Here is a suggested configuration list for the IPv4 ones: ==> # Don't allow domains whose single MX (or A) record is a # "special-use IPv4 address", as listed in RFC 3330. ignore_target_hosts = \ # Hosts on "this network"; RFC 1700 (page 4) states that these # are only allowed as source addresses 0.0.0.0/8 : \ # Private networks, RFC 1918 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \ # Internet host loopback address, RFC 1700 (page 5) 127.0.0.0/8 : \ # "Link local" block 169.254.0.0/16 : \ # "TEST-NET" - should not appear on the public Internet 192.0.2.0/24 : \ # 6to4 relay anycast addresses, RFC 3068 192.88.99.0/24 : \ # Network interconnect device benchmark testing, RFC 2544 198.18.0.0/15 : \ # Multicast addresses, RFC 3171 224.0.0.0/4 : \ # Reserved for future use, RFC 1700 (page 4) 240.0.0.0/4 Q0320: How can I arrange for all mail to \*user@some.domain*\ to be forwarded to \*user@other.domain*\? A0320: Put this as your first router: ==> forward: driver = redirect domains = some.domain data = ${quote:$local_part}@other.domain Q0321: How can I tell an Exim router to use only IPv4 or only IPv6 addresses when it finds both types in the DNS? A0321: You can do this by making it ignore the addresses you don't want. This example ignores all IPv6 addresses and all IPv4 addresses in the 127 network: ==> ignore_target_hosts = <; 0000::0000/0 ; 127.0.0.0/8 To ignore all IPv4 addresses, use ==> ignore_target_hosts = 0.0.0.0/0 See Q0319 for a general discussion of \ignore_target_hosts\. Q0322: How can I reroute all messages bound for 192.168.10.0 and 10.0.0.0 to a specific mail server? A0322: That is an odd requirement. However, there is an obscure feature in Exim, originally implemented for packet radio people, that perhaps can help. Check out the \translate_ip_address\ generic router option. 4. ROUTING FOR LOCAL DELIVERY Q0401: I need to have any mail for \(virt.dom.ain)\ that doesn't match one of the aliases in \(/usr/lib/aliases.virt)\ delivered to a particular address, for example, \(postmaster@virt.dom.ain)\. A0401: Adding an asterisk to a search type causes Exim to look up ``*'' when the normal lookup fails. So if your aliasing router is something like this: ==> virtual: driver = redirect domains = virt.dom.ain data = ${lookup{$local_part}lsearch{/usr/lib/aliases.virt}} no_more you should change \"lsearch"\ to \"lsearch*"\, and put this in the alias file: ==> *: postmaster@virt.dom.ain This solution has the feature that if there are several unknown addresses in the same message, only one copy gets sent to the postmaster, because of Exim's normal de-duplication rules. NOTE: This solution works only if there is also an entry for \(postmaster)\ in the alias file, ultimately resolving to an address that is not in \(virt.dom.ain)\. See also Q0434. Q0402: How do I arrange for all incoming email for \(*@some.domain)\ to go into one pop3 mail account? The customer doesn't want to add a list of specific local parts to the system. A0402: Set up a special transport that writes to the mailbox like this: ==> special_transport: driver = appendfile file = /pop/mailbox envelope_to_add return_path_add delivery_date_add user = exim The file will be written as the user \"exim"\. Then arrange to route all mail for that domain to that transport, with a router like this: ==> special_router: driver = accept domains = some.domain transport = special_transport Q0403: How do I configure Exim to send messages for unknown local users to a central server? A0403: Assuming you are using something like the default configuration, where local users are processed by the later routers, you should add the following router at the end: ==> unknown: driver = manualroute transport = remote_smtp route_list = * server.host.name no_verify However, you should if possible try to verify that the user is known on the central server before accepting the message in the first place. This can be done by making use of Exim's ``call forward'' facility. Q0404: How can I arrange for messages submitted by (for example) Majordomo to be handled specially? A0404: You can use the \condition\ option on a router, with a setting such as ==> condition = ${if and {{eq {$sender_host_address}{}} \ {eq {$sender_ident}{majordom}}} {yes}{no}} This first tests for a locally-submitted message, by ensuring there is no sending host address, and then it checks the identity of the user that ran the submitting process. Q0405: On a host that accepts mail for several domains, do I have to use fully qualified addresses in \(/etc/aliases)\ or do I have to set up an alias file for each domain? A0405: You can do it either way. The default aliasing router contains this line: ==> data = ${lookup{$local_part}lsearch{/etc/aliases}} which is what does the actual lookup. To make it look up the complete address instead of just the local part, use ==> data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}} If you want to use a separate file for each domain, use ==> data = ${lookup{$local_part}lsearch{/etc/aliases/$domain}} Q0406: Some of my users are using the \(.forward)\ to pipe to a shell command which appends to the user's INBOX. How can I forbid this? A0406: If you allow your users to run shells in pipes, you cannot control which commands they run or which files they write to. However, you should point out to them that writing to an INBOX by arbitrary commands is not interlocked with the MTA and MUAs, and is liable to mess up the contents of the file. If a user simply wants to choose a specific file for the delivery of messages, this can be done by putting a file name in a \(.forward)\ file rather than using a pipe, or by using the \"save"\ command in an Exim filter file. You can set \forbid_pipe\ on the router, but that will prevent them from running any pipe commands at all. Alternatively, you can restrict which commands they may run in their pipes by setting the \allow_commands\ and/or \restrict_to_path\ options in the \%address_pipe%\ transport. Q0407: How can I arrange for a default value when using a query-style lookup such as LDAP or NIS+ to handle aliases? A0407: Use a second query in the failure part of the original lookup, like this: ==> data = ${lookup ldap\ {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=$local_part@$domain))}\ {$value}\ {\ ${lookup ldap \ {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=default@$domain))}}\ }} Of course, if the default is a fixed value you can just include it directly. Q0408: If I don't fully qualify the addresses in a virtual domain's alias file then mail to aliases which also match the local domain get delivered to the local domain. A0408: Set the \qualify_preserve_domain\ option on the \%redirect%\ router. Q0409: I want mail for any local part at certain virtual domains to go to a single address for each domain. A0409: One way to to this is ==> virtual: driver = redirect data = ${lookup{$domain}lsearch{/etc/virtual}} The \(/etc/virtual)\ file contains a list of domains and the addresses to which their mail should be sent. For example: ==> domain1: postmaster@some.where.else domain2: joe@xyz.plc If the number of domains is large, using a DBM or cdb file would be more efficient. If the lookup fails to find the domain in the file, the value of the \data\ option is empty, causing the router to decline. Q0410: How can I make Exim look in the alias NIS map instead of \(/etc/aliases)\? A0410: The default configuration does not use NIS (many hosts don't run it). You need to change this line in the \%system_aliases%\ router: ==> data = ${lookup{$local_part}lsearch{/etc/aliases}} Change it to ==> data = ${lookup{$local_part}nis{mail.aliases}} If you want to use \(/etc/aliases)\ as well as NIS, put this router (with a different name) before or after the default one, depending on which data source you want to take precedence. Q0411: Why will Exim deliver a message locally to any username that is longer than 8 characters as long as the first 8 characters match one of the local usernames? A0411: The problem is in your operating system. Exim just calls the \^^getpwnam()^^\ function to test a local part for being a local login name. It does not presume to guess the maximum length of user name for the underlying operating system. Many operating systems correctly reject names that are longer than the maximum length; yours is apparently deficient in this regard. To cope with such systems, Exim has an option called \max_user_name_length\ which you can set to the maximum allowed length. Q0412: Why am I seeing the error \*bad mode (100664) for /home/test/.forward*\? I've looked through the documentation but can't see anything to suggest that Exim has to do anything other than read the \(.forward)\ file. A0412: For security, Exim checks for mode bits that shouldn't be set, by default 022. You can change this by setting the \modemask\ option of the \%redirect%\ router that is handling \(.forward)\ files. Q0413: When a user's \(.forward)\ file is syntactially invalid, Exim defers delivery of all messages to that user, which sometimes include the user's own test messages. Can it be told to ignore the \(.forward)\ file and/or inform the user of the error? A0413: Setting \skip_syntax_errors\ on the redirect router causes syntax errors to be skipped. When dealing with users' \(.forward)\ files it is best to combine this with a setting of \syntax_errors_to\ in order to send a message about the error to the user. However, to avoid an infinite cascade of messages, you have to be able to send to an address that bypasses \(.forward)\ file processing. This can be done by including a router like this one ==> real_localuser: driver = accept check_local_user transport = local_delivery local_part_prefix = real- before the \%redirect%\ router that handles \(.forward)\ files. This will do an ordinary local delivery without \(.forward)\ processing, if the local part is prefixed by \"real-"\. You can then set something like the following options on the \%redirect%\ router: ==> skip_syntax_errors syntax_errors_to = real-$local_part@$domain syntax_errors_text = "\ This is an automatically generated message. An error has been \ found\nin your .forward file. Details of the error are reported \ below. While\nthis error persists, messages addressed to you will \ get delivered into\nyour normal mailbox and you will receive a \ copy of this message for\neach one." A final tidying setting to go with this is a rewriting rule that changes \"real-username"\ into just \"username"\ in the headers of the message: ==> \N^real-([^@]+)@your\.dom\.ain$\N $1@your.dom.ain h This means that users won't ever see the \"real-"\ prefix, unless they look at the ::Envelope-To:: header. Q0414: I have set \caseful_local_part\ on the routers that handle my local domain because my users have upper case letters in their login names, but incoming mail now has to use the correct case. Can I relax this somehow? A0414: If you really have to live with caseful user names but want incoming local parts to be caseless, then you have to maintain a file, indexed by the lower case forms, that gives the correct case for each login, like this: ==> admin: Admin steven: Steven mcdonald: McDonald lamanch: LaManche ... and at the start of the routers that handle your local domain, put one like this: ==> set_case_router: driver = redirect data = ${lookup{${lc:$local_part}}lsearch{/the/file}} qualify_preserve_domain For efficiency, you should also set the \redirect_router\ option to cause processing of the changed address to begin at the next router. If you are otherwise using the default configuration, the setting would be ==> redirect_router = system_aliases If there are lots of users, then a DBM or cdb file would be more efficient than a linear search. If you are handling several domains, you will have to extend this configuration to cope appropriately. Q0415: Can I use my existing alias files and forward files as well as procmail and effectively drop in Exim in place of Sendmail ? A0415: Yes, as long as your alias and forward files don't assume that pipes are going to run under a shell. If they do, you either have to change them, or configure Exim to use a shell (which it doesn't by default). Q0416: What is quickest way to set up Exim so any message sent to a non-existing user would bounce back with a different message, based on the name of non-existing user? A0416: Place this router last, so that it catches any local addresses that are not otherwise handled: ==> non_exist: driver = accept transport = non_exist_reply no_verify Then add the following transport to the transports section: ==> non_exist_reply: driver = autoreply user = exim to = $sender_address subject = User does not exist text = You sent mail to $local_part. That's not a valid user here. \ The subject was: $subject. If you want to pick up a message from a file, you can use the \file\ option (use \file_expand\ if you want its contents expanded). Q0417: What do I need to do to make Exim handle \(/usr/ucb/vacation)\ processing automatically, so that people could just create a \(.vacation.msg)\ file in their home directory and not have to edit their \(.forward)\ file? A0417: Add a new router like this, immediately before the normal \%localuser%\ router: ==> vacation: driver = accept check_local_user require_files = $home/.vacation.msg transport = vacation_transport unseen and a matching new transport like this: ==> vacation_transport: driver = pipe command = /usr/ucb/vacation $local_part However, some versions of \(/usr/ucb/vacation)\ do not work properly unless the DBM file(s) it uses are created in advance - it won't create them itself. You also need a way of removing them when the vacation is over. Another possibility is to use a fixed filter file which is run whenever \(.vacation.msg)\ exists, for example: ==> vacation: driver = redirect check_local_user require_files = $home/.vacation.msg file = /some/central/filter allow_filter The filter file should use the \"if personal"\ check before sending mail, to avoid generating automatic responses to mailing lists. If sending a message is all that it does, this doesn't count as a ``significant'' delivery, so the original message goes on to be delivered as normal. Yet another possibility is to make use of Exim's \%autoreply%\ transport, and not use \(/usr/ucb/vacation)\ at all. Q0418: I want to use a default entry in my alias file to handle unknown local parts, but it picks up the local parts that the aliases generate. For example, if the alias file is ==> luke.skywalker: luke ls: luke *: postmaster then messages addressed to \/luke.skywalker/\ end up at \/postmaster/\. A0418: The default mechanism works best with virtual domains, where the generated address is not in the same domain. If you just want to pick up all unknown local parts and send them to postmaster, an easier way to do it is to put this as your last router: ==> unknown: driver = redirect data = postmaster no_verify Another possibility is to put the redirect router for these aliases after all the other routers, so that local parts which are user names get picked off first. You will need to have two aliasing routers if there are some local parts (e.g. \/root/\) which are login names, but which you want to handle as aliases. Q0419: I have some obsolete domains which people have been warned not to use any more. How can I arrange to delete any mail that is sent to them? A0419: To reject them at SMTP time, with a customized error message, place statments like this in the ACL: ==> deny message = The domain $domain is obsolete domains = lsearch;/etc/exim/obsolete.domains For messages that don't arrive over SMTP, you can use a router like this to bounce them: ==> obsolete: driver = redirect domains = lsearch;/etc/exim/obsolete.domains allow_fail data = :fail: the domain $domain is obsolete If you just want to throw away mail to those domains, accept them at SMTP time, and use a router like this: ==> obsolete: domains = lsearch;/etc/exim/obsolete.domains data = :blackhole: Q0420: How can I arrange that mail addressed to \(anything@something.mydomain.com)\ gets delivered to \(something@mydomain.com)\? A0420: Set up a router like this: ==> user_from_domain: driver = redirect data = ${if match{$domain}{\N^(.+)\.mydomain\.com$\N}\ {$1@mydomain.com}} Q0421: I can't get a regular expression to work in a \local_parts\ option on one of my routers. A0421: Have you remembered to protect any backslash and dollar characters in your regex from unwanted expansion? The easiest way is to use the \"@\N"\ facility, like this: ==> local_parts = \N^0740\d{6}\N Q0422: How can I arrange for all addresses in a group of domains \(*.example.com)\ to share the same alias file? I have a number of such groups. A0422: For a single group you could just hard wire the file name into a router that had ==> domains = *.example.com set, to restrict it to the relevant domains. For a number of such groups you can create a file containing the domains, like this: ==> *.example1.com example1.com *.example2.com example2.com ... Then create a router like this ==> domain_aliases: driver = redirect domains = partial-lsearch;/that/file data = ${lookup{$local_part}lsearch*{/etc/aliases.d/$domain_data}} The variable \$domain_data$\ contains the data that was looked up when the \domains\ option was matched, i.e. \"example1.com"\, \"example2.com"\, etc. in this case. Q0423: Some of our users have no home directories; the field in the password file contains \(/no/home/dir)\. This causes the error \*failed to stat /no/home/dir (No such file or directory)*\ when Exim tries to look for a \(.forward file)\, and the delivery is deferred. A0423: There are two issues involved here: (1) With the default configuration, you are asking Exim to check for a \(.forward)\ file in the user's home directory. If no file is found, Exim tries to \^^stat()^^\ the home directory. This is so that it will notice a missing NFS home directory, and not treat it as if the \(.forward)\ file did not exist. This \^^stat()^^\ is failing when the home directory really doesn't exist. You should arrange for the \%userforward%\ router not to run for these special users, by adding this line: ==> condition = ${if eq {$home}{/no/home/dir}{no}{yes}} (2) If you use \check_local_user\ on another router to route to a local transport (again, this is what is in the default configuration), you will also have to specify a current directory for the transport, because by default it makes the home directory current. This is easily done by adding ==> current_directory = / to the transport or ==> transport_current_directory = / to the router. Or you can add \home_directory\ to the transport, because the current directory defaults to the home directory. Q0424: How can I disable Exim's de-duplication features? I want it to do two deliveries if two different aliases expand to the same address. A0424: This is not possible. Duplication has other ramifications other than just (in)convenience. Consider: . Message is addressed to A and to B. . Both A and B are aliased to C. . Without de-duplication, two deliveries to C are scheduled. . One delivery happens, Exim records that it has delivered the message to C. . The next delivery fails (C's mailbox is over quota, say). Next time round, Exim wants to know if it has already delivered to C or not, before scheduling a new delivery. Has it? Obviously, if duplicate deliveries are supported, it has to remember not only that it has delivered to C but also the ``history'' of how that delivery happened - in effect an ancestry list back to the original envelope address. This it does not do, and changing it to work in that way would be a lot of work and a big upheaval. The best way to get duplicate deliveries if you want them is not to use aliases, but to route the addresses directly to a transport, e.g. ==> duplicates: driver = accept local_parts = lsearch;/etc/list/of/special/local/parts transport = local_delivery user = exim Q0425: My users' mailboxes are distributed between several servers according to the first letter of the user name. All the servers receive incoming mail at random. I would like to have the same configuration file for all the servers, which does local delivery for the mailboxes it holds, and sends other addresses to the correct other server. Is this possible? A0425: It is easiest if you arrange for all the users to have password entries on all the servers. This means that non-existent users can be detected at the first server they reach. Set up a file containing a mapping from the first letter of the user names to the servers where their mailboxes are held. For example: ==> a: server1 b: server1 c: server2 ... Before the normal \%localuser%\ router, place the following router: ==> mailbox_host: driver = manualroute check_local_user transport = remote_smtp route_list = * ${lookup{${substr_0_1:$local_part}}lsearch{/etc/mapfile}} self = pass This router checks for a local account, then looks up the host from the first character of the local part. If the host is not the local host, the address is routed to the \%remote_smtp%\ transport, and sent to the correct host. If the host is the local host, the \self\ option causes the router to pass the address to the next router, which does a local delivery. The router is skipped for local parts that are not the names of local users, and so these addresses fail. Q0426: One of the things I want to set up is for \(anything@onedomain)\ to forward to \(anything@anotherdomain)\. I tried adding \($local_part@anotherdomain)\ to my aliases but it did not expand - it sent it to that literal address. A0426: If you want to do it that way, you can use the \"expand"\ operator on the lookup used in the data option of the redirect router. For example: ==> data = ${expand:${lookup{$local_part}lsearch*{/etc/aliases}}} Another approach is to use a router like this: ==> forwarddomain: driver = redirect domains = onedomain data = $local_part@anotherdomain The value of \data\ can, of course, be more complicated, involving lookups etc. if you have lots of different cases. Q0427: How can I have an address looked up in two different alias files, and delivered to all the addresses that are found? A0427: Use a router like this: ==> multi_aliases: driver = redirect data = ${lookup{$local_part}lsearch{/etc/aliases1}\ {$value${lookup{$local_part}lsearch{/etc/aliases2}{,$value}}}\ {${lookup{$local_part}lsearch{/etc/aliases2}{$value}fail}}}\ If the first lookup succeeds, the result is its data, followed by the data from the second lookup, if any, separated by a comma. If the first lookup fails, the result is the data from the third lookup (which also looks in the second file), but if this also fails, the entire expansion is forced to fail, thereby causing the router to decline. Another approach is to use two routers, with the first re-generating the original local part when it succeeds. This won't get processed by the same router again. For example: ==> multi_aliases1: driver = redirect data = ${lookup{$local_part}lsearch{/etc/aliases1}{$value,$local_part}} ==> multi_aliases2: data = ${lookup{$local_part}lsearch{/etc/aliases2}} This scales more easily to three or more alias files. Q0428: I've converted from Sendmail, and I notice that Exim doesn't make use of the \"owner-"\ entries in my alias file to change the sender address in outgoing messages to a mailing list. A0428: If you have an alias file with entries like this: ==> somelist: a@b, c@d, ... owner-somelist: postmaster Sendmail assumes that the second entry specifies a new sender address for the first. Exim does not make this assumption. However, you can make it take the same action, by adding ==> errors_to = owner-$local_part@whatever.domain to the configuration for your aliasing router. This is fail-safe, because Exim verifies a new sender address before using it. Thus, the change of sender address occurs only when the owner entry exists. Q0429: I would like to deliver mail addressed to a given domain to local mailboxes, but also to generate messages to the envelope senders. A0429: You can do this with an ``unseen'' router and an \%autoreply%\ transport, along the following lines: ==> # Router auto_warning_r: driver = accept check_local_user domains = condition = ${if eq{$sender_address}{}{no}{yes}} transport = warning_t no_verify unseen Place this router immediately before the normal \%localuser%\ router. The \unseen\ option means that the address is still passed on to the next router. The transport is configured like this: ==> # Transport warning_t: driver = autoreply file = /usr/local/mail/warning.txt file_expand from = postmaster@your.domain to = $sender_address user = exim subject = Re: Your mail to $local_part@$domain Note the use of the \condition\ option to avoid attempting to send a message when there is no sender (that is, when the incoming message is a bounce message). You can of course extend this to include other conditions. If you want to log the sending of messages, you can add ==> log = /some/file to the transport and also make use of the \once\ option if you want to send only one message to each sender. Q0430: Whenever Exim tries to route a local address, it gives a permission denied error for the \(.forward)\ file, like this: ==> 1998-08-10 16:55:32 0z5y2W-0000B8-00 == xxxx@yyy.zzz D=userforward defer (-1): failed to open /home/xxxx/.forward (userforward router): Permission denied (euid=1234 egid=101) A0430: Have you remembered to make Exim setuid \/root/\? Q0431: How do I configure Exim to allow arbitrary extensions in local parts, of the form \/+extension/\? A0431: Add this pre-condition to the relevant router: ==> local_part_suffix = +* If you want the extensions to be optional, also add the option ==> local_part_suffix_optional When the router runs, \$local_part$\ contains the local part with the extension removed, and the extension (if any) is in \$local_part_suffix$\. If you have set \check_local_user\, the test is carried out after the extension is removed. Q0432: I use NIS for my user data. How can I stop Exim rejecting mail when my NIS servers are being restarted? A0432: Exim doesn't know that you are using NIS; it just calls the \^^getpwnam()^^\ function, which is routed by nsswitch. Unfortunately, \^^getpwnam()^^\ was never designed to be routed through NIS, and it returns NULL if the entry is not found or if the connection to the NIS server fails. This means that Exim cannot tell the difference between ``no such user'' and ``NIS is down''. Crutches to help with this problem are \finduser_retries\ in Exim, and \^nscd^\ on the Unix side, but they are not perfect, and mail can still be lost. However, Nico Erfurth pointed out that you can create a router for Exim that tests for the availability of NIS, and force a defer if NIS is not running: ==> check_nis: driver = redirect data = ${lookup {$local_part} nis {passwd}{}} This should be placed before any router that makes any use of NIS, typically at the start of your local routers. How does it work? If your NIS server is reachable, the lookup will take place, and whether it succeeds or fails, the result is an empty string. This causes the router to decline, and the address is passed to the following routers. If your NIS server is down, the lookup defers, and this causes the router to defer. A verification of an incoming address gets a temporary rejection, and a delivery is deferred till later. Q0433: How can I arrange for a single address to be processed by both \%redirect%\ and \%accept%\? A0433: Check out the \unseen\ option. Q0434: How can I redirect all local parts that are not in my system aliases to a single address? I tried using an asterisk in the system alias file with an \"lsearch*"\ lookup, but that sent all messages to the default address. A0434: If your alias file generates addresses in the local domain, they are also processed as a potential aliases. For example, suppose this is your alias file: ==> caesar: jc anthony: ma *: brutus The local part \/caesar/\ is aliased to \/jc/\, but that address is then reprocessed by the routers. As the address is in the local domain, the alias file is again consulted, and this time the default matches. In fact after the second aliasing, \/brutus/\ is also processed again from the start, and is aliased to itself. However, this happens only once, because the next time, Exim notices that the aliasing router has already processed \/brutus/\, so the router is skipped in order to avoid looping. There are several ways of solving this problem; which one you use depends on your aliasing data. (1) If the result of aliasing is always a local user name, that is, aliasing never generates another alias, you can use the \redirect_router\ option on the router to specify that processing the generated addresses must start at the next router. For example: ==> redirect_router = userforward assuming that the next router is called \%userforward%\. This ensures that there is at most one pass through the aliasing router. (2) If you cannot rely on aliases generating non-aliases, it is often easier not to use a default alias, but instead to place a router such as the one below after all the other local routers (for the relevant domains): ==> catch_unknown: driver = redirect domains = ... data = brutus@$domain Note that the default aliasing technique works more successfully for virtual domains (see Q0401) because the generated address for the default is not usually in the same virtual domain as the incoming address. Q0435: My alias file contains fully qualified addresses as keys, and some wildcard domains in the form @foo.bar. Can Exim handle these? A0435: You can handle fully qualified addresses with this router: ==> qualified_aliases: driver = redirect data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}} (Add any other options you need for the \%redirect%\ router.) Place this router either before or after the default aliases router that looks up the local part only. (Or, if you have no unqualified aliases, replace the default router.) To handle wildcards in the form @foo.bar you will need yet another router. (Wildcards of the form *@foo.bar can be handled by an lsearch*@ lookup.) Something like this: ==> wildcard_aliases: driver = redirect data = ${lookup{@$domain}lsearch{/etc/aliases}} Place this after the routers that handle the more specific aliases. 5. FILTERING Q0501: My filter isn't working. How can I test it? A0501: Use the \-bf-\ option (\-bF-\ for a system filter) to test the basic operation of your filter. You can request debugging information for filtering only by adding \"-d-all+filter"\ to the command. Q0502: What I really need is the ability to obtain the result of a pipe command so that I can filter externally and redirect internally. Is this possible? A0502: The result of a pipe command is not available to a filter, because Exim does not run any actual deliveries while filtering. It just sets up deliveries at this time. They all actually happen later. If you want to run pipes and examine their results, you need to set up a single delivery to a delivery agent such as \^procmail^\ which provides this kind of facility. An possible alternative is to use the \"${run"\ expansion item to run an external command while filtering. In this case, you can make use of some of the results of the command. Q0503: I received a message with a ::Subject:: line that contained a non-printing character (a carriage return). This messed up my filter file. Is there a way to get round it? A0503: Instead of \"$h_subject:"\ use \"${escape:$h_subject:}"\ Q0504: I want to search for \"$"\ in the subject line, but I can't seem to get the syntax. A0504: Try one of these: ==> if $h_subject: contains \$ then ... if $h_subject: contains "\\$" then ... Q0505: My problem is that Exim replaces \$local_part$\ with an empty string in the system filtering. What's wrong or what did I miss? A0505: A message may have many recipients. The system filter is run just once at the start of a delivery attempt. Consequently, it does not make sense to set \$local_part$\. Which recipient should it be set to? However, you can access all the recipients from a system filter via the variable called \$recipients$\. Q0506: Using \$recipients$\ in a system filter gives me another problem: how can I do a string lookup if \$recipients$\ is a list of addresses? A0506: Check out the section of the filter specification called \*Testing a list of addresses*\. If that doesn't help, you may have to resort to calling an embedded Perl interpreter - but that is expensive. Q0507: What are the main differences between using an Exim filter and using \^procmail^\? A0507: Exim filters and \^procmail^\ provide different facilities. Exim filters run at routing time, before any deliveries are done. A filter is like a ``\(.forward)\ file with conditions''. One of the benefits is de-duplication. Another is that if you forward, you are forwarding the original message. However, this does mean that pipes etc. are not run at filtering time, nor can you change the headers, because the message may have other recipients and Exim keeps only a single set of headers. \^procmail^\ runs at delivery time. This is for one recipient only, and so it can change headers, run pipes and check the results, etc. However, if it wants to forward, it has to create a new message containing a copy of the original message. It's your choice as to which of these you use. You can of course use both. Q0508: How can I allow the use of relative paths in users' filter files when the directories concerned are not available from the password data? A0508: You need to be running Exim 4.11 or later. You can then specify a value for \$home$\ by setting the router_home_directory option on the \%redirect%\ router. For earlier releases, there is no way to specify the value of \$home$\ for a \%redirect%\ router; it either comes from the password data as a result of \check_local_user\, or is unset. Q0509: How can I set up a filter file to detect and block virus attachments? A0509: Exim's filter facilities aren't powerful enough to do much more than very crude testing. Most people that want virus checking are nowadays using one of the separate scanning programs such as \^exiscan^\ (see \?http://duncanthrax.net/exiscan/?\). There is some further information about scanning with Exim via \?http://www.timj.co.uk/linux/exim.php?\. Q0510: Is it possible to write code for scanning messages in Python? A0510: \^elspy^\ is a layer of glue code that enables you to write Python code to scan email messages at SMTP time. \^elspy^\ also includes a small Python library with common mail-scanning tools, including an interface to SpamAssassin and a simple but effective virus detector. You can optain \^elspy^\ from \?http://elspy.sourceforge.net/?\. Q0511: Whenever my system filter uses a \mail\ command to send a message, I get the error \*User 0 set for address_reply transport is on the never_users list*\. What does this mean? A0511: The system filter runs as \/root/\ in Exim 4, unless you set \system_filter_user\ to specify otherwise. When you set up a delivery direct from a system filter (an autoreply is a special kind of ``delivery'') the transport runs as the same user, unless it has a \user\ setting of its own. Normally, deliveries are not allowed to run as \/root/\ as a security precaution; this is implemented by the \never_users\ option (see Q0039). The easiest solution is to add this to your configuration: ==> system_filter_user = exim The system filter then runs as \/exim/\ instead of \/root/\. Alternatively, you can arrange for autoreplies from the system filter to use a special transport of their own, and set the \user\ option on that transport. Q0512: I'm trying to reference the ::Envelope-To:: header in my filter, but \$h_envelope-to:$\ is always empty. A0512: ::Envelope-To:: is added at delivery time, by the transport. Therefore, the header doesn't exist at filter time. In a user filter, the values you probably want are in \$original_local_part$\ and \$original_domain$\. In a system filter, the complete list of all envelope recipients is in \$recipients$\. Q0513: I want my system filter to freeze all mails greater than 500K in size, but to exclude those to a specific domain. However, I don't seem to be able to use \$domain$\ in a system filter. A0513: You cannot do this in a system filter, because a single message may have multiple recipients, some in the special domain, and some not. That is also the reason why \$domain$\ is not set in a system filter. If you want to take actions on a per-recipient basis, you have to do it in a router. However, freezing is not appropriate, because freezing stops all deliveries. You could, however, delay delivery to all but the special domains by using something like this: ==> delay_if_too_big: driver = redirect domains = !the.special.domain condition = ${if >{$message_size}{500K}{yes}{no}} allow_defer data = :defer: message too big. However, there isn't an easy way of ``releasing'' such messages at present. Q0514: When I try to send to two addresses I get an error in the filter file \*malformed address: , e@fgh.com may not follow a@bcd.com*\. What is going on? A0514: Have you got ==> deliver "a@bcd.com, e@fgh.com" in your filter? If so, that is your problem. You should have ==> deliver a@bcd.com deliver e@fgh.com Each \deliver\ command expects just one address. 6. DELIVERY Q0601: What does the error \*Neither the xxx router nor the yyy transport set a uid for local delivery of...*\ mean? A0601: Whenever Exim does a local delivery, it runs a process under a specific user and group id (uid and gid). For deliveries into mailboxes, and to pipes and files set up by forwarding, it normally picks up the uid/gid of the receiving user. However, if an address is directed to a pipe or a file by some other means, such an entry in the system alias file of the form ==> majordomo: |/local/mail/majordomo ... then Exim has to be told what uid/gid to use for the delivery. This can be done either on the routerr that handles the address, or on the transport that actually does the delivery. If a pipe is going to run a setuid program, then it doesn't matter what uid Exim starts it out with, and so the most straightforward thing is to put ==> user = exim on either the router or the transport. A setting on the transport overrides a setting on the router, so if the same transport is being used with several routers, you should set the user on it only if you want the same uid to be used in all cases. In the default configuration, the transports used for file and pipe deliveries are the ones called \address_file\ and \address_pipe\. You can specify different transports by setting, for example, ==> pipe_transport = special_pipe_transport on the \%system_aliases%\ router. Then you can set up \%special_pipe_transport%\ ==> special_pipe_transport: driver = pipe user = ???? which will be used only for pipe deliveries from that one router. What you put for the ???? is up to you, and depends on the particular circumstances. Q0602: Exim keeps crashing with segmentation errors (signal 11 or 139) during delivery. This seems to happen when it is about to contact a remote host or when a delivery is deferred. A0602: This could be a problem with Exim's databases. Try running a delivery with debugging turned on. If the last line of the debug output is something like this: ==> locked /var/spool/exim/db/retry.lockfile the crash is happening inside the DBM library. Check that your DBM library is correctly installed. In particular, if you have installed a second DBM library onto a system that already had one, check that its version of \(ndbm.h)\ is being seen first. For example, if the new version is in \(/usr/local/include)\, check that there isn't another version in \(/usr/include)\. If you are using Berkeley db, you can set ==> USE_DB=yes in your \(Local/Makefile)\ to avoid using \(ndbm.h)\ altogether. This is particularly relevant for version 2 (or later) of Berkeley db, because no \(ndbm.h)\ file is distributed with it. Another thing you can try is to run ==> exim_dumpdb /var/spool/exim retry to see if it also crashes, or build the \^test_dbfn^\ tool and fiddle around with it. If both fail, it is most almost certainly a problem with your DBM library. You could try to update it, or force Exim to use another library. See the file \(doc/dbm.discuss.txt)\ for hints about this. Q0603: How can mails that are being routed through routers that do not set \check_local_user\ be delivered under the uid of the recipient? A0603: Q0601 contains background information on this. If you are using, say, an alias file to direct messages to specific mailboxes, you can use the \user\ option on either the router or the transport to set the uid. What you put in the setting depends on how the required uid is to be found. It could be looked up in a file or computed somehow from the local part, for example. Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the ctrl-A characters that separate indvidual emails? A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact, for MMDF mailboxes you need a prefix as well as a suffix to get it working right, so your transport should contain these settings: ==> message_prefix = "\1\1\1\1\n" message_suffix = "\1\1\1\1\n" Also, you need to change the \check_string\ and \escape_string\ settings so that the escaping happens for lines in the message that happen to begin with the MMDF prefix or suffix string, rather than ``From'' (the default): ==> check_string = "\1\1\1\1\n" escape_string = "\1\1\1\1 \n" Adding a space to the line is sufficient to prevent it being taken as a separator. Q0605: If a user's mailbox is over quota, is there a way for me to set it up so that the mail bounces to the sender and is not stored in the mail queue? A0605: In the retry section of the configuration, put ==> *@your.dom.ain quota That is, provide no retry timings for over quota errors. They will then bounce immediately. Alternatively, you can set up retries for a short time only, or use something like this: ==> *@your.dom.ain quota_7d *@your.dom.ain quota F,2h,15m; F,3d,1h which bounces immediately if the user's mailbox hasn't been read for 7 days, but otherwise tries for up to 3 days after the first quota failure. Q0606: I'm using tmail to do local deliveries, but when I turned on the \use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\ terminations) message bodies started to vanish. A0606: You need to unset the \mesage_prefix\ option, or change it so that its default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the transport could be: ==> local_delivery_mbx: driver = pipe command = /usr/local/bin/tmail $local_part user = exim current_directory = / use_crlf message_prefix = The reason for this is as follows: tmail uses the line terminator on the first line it sees to determine whether lines are terminated by \"@\r@\n"\ or \"@\n"\. If the latter, it moans to stderr and changes subsequent \"@\n"\ terminators to \"@\r@\n"\. The default setting of the \message_prefix\ option is \"From ...@\n"\, and this is unaffected by the \use_crlf\ option. If you don't change this, tmail sees the first line terminated by \"@\n"\ and prepends \"@\r"\ to the \"@\n"\ terminator on all subsequent lines. However, if \use_crlf\ is set, Exim makes all other lines \"@\r@\n"\ terminated, leading to doubled \"@\r@\r@\n"\ lines and corrupt mbx mailboxes. Q0607: When I activate ``return receipt'' for example in Netscape Mailbox sending options, then I get an error message from Exim... something like \*not supported*\. Can I activate delivery confirmations? A0607: Exim does not support any kind of delivery notification. (1) You can configure it to recognize headers such as \Return-receipt-to:\ if you wish. (2) Some people want MSN (message status notification). Such services are implemented in MUAs, and don't impact on the MTA at all. (3) I investigated the RFCs which describe the DSN (delivery status notification) system. However, I was unable to specify any sensible way of actually doing anything with the data. There were comments on the mailing list at the time; many people, including me, conclude that DSN is in practice unworkable. The killer problem is with forwarding and aliasing. Do you propagate the DSN data with the generated addresses? Do you send back a ``reached end of the DSN world'' or ``expanded'' message? Do you do this differently for different kinds of aliasing/forwarding? For a user who has a \(.forward)\ file with a single address in, this might seem easy - just propagate the data. But what if there are several forwardings? If you propagate the DSN data, the sender may get back several DSN messages - and should the sender really know about the detail of the receiver's forwarding arrangements? There isn't really any way to distinguish between a \(.forward)\ file that is forwarding and one that is a mini mailing list. And so on, and so on. There are so many questions that don't have obvious answers. Q0608: What does the message \*retry time not reached [for any host]*\ on the log mean? Why won't Exim try to deliver the message? A0608: That is not an error. It means exactly what it says. A previous attempt to deliver to that address failed with a temporary error, and Exim computed the earliest time at which to try again. This can apply to local as well as to remote deliveries. For remote deliveries, each host (if there are several) has its own retry time. If you are running on a dial-up host, the rest of this answer probably does not apply to you. Go and read Q1404 instead. If your host is permanently online, read on... Some MTAs have a retrying schedule for each message. Exim does not work like this. Retry timing is normally host-based for remote deliveries and address-based for local deliveries. (There are some exceptions for certain kinds of remote failure - see \*Errors in outgoing SMTP*\ in the manual.) If a new message arrives for a failing address and the retry time has not yet arrived, Exim will log \*retry time not reached*\ and leave the message on the queue, without attempting delivery. Similarly, if a queue runner notices the message before the time to retry has arrived, it writes the same log entry. When the retry time has past, Exim attempts delivery at the next queue run. If you want to know when that will be, run the exinext utility on the address, for example: ==> exinext user@some.domain You can suppress these messages on the log by including \"-retry_defer"\ in the setting of \log_selector\. You can force a delivery attempt on a specific message (overriding the retry time) by means of the -M option: ==> exim -M 10hCET-0000Bf-00 If you want to do this for the entire queue, use the \-qf-\ option. Q0609: Exim seems to be sending the same message twice, according to the log, although there is a difference in capitalization of the local part of the address. A0609: That is correct. The RFCs are explicit in stating that capitalization matters for local parts. For remote domains, Exim is not entitled to assume case independence of local parts. I know, it is utterly silly, and it causes a lot of grief, but that's what the rules say. Here is a quote from RFC 2821: ... a command verb, an argument value other than a mailbox local-part, and free form text MAY be encoded in upper case, lower case, or any mixture of upper and lower case with no impact on its meaning. This is NOT true of a mailbox local-part. The local-part of a mailbox MUST BE treated as case sensitive. Therefore, SMTP implementations MUST take care to preserve the case of mailbox local-parts. Mailbox domains are not case sensitive. In particular, for some hosts the user "smith" is different from the user "Smith". However, exploiting the case sensitivity of mailbox local-parts impedes interoperability and is discouraged. Q0610: How can I force the next retry time for a host to be now? A0610: You can change the retry time with the \^exim_fixdb^\ utility, but its interface is very clumsy. If you have a message for the host on the queue, the simplest thing to do is to force a delivery with the \-M-\ command line option. If delivery succeeds, the retry data will get cleared. If the host is past the cutoff time, so that messages are bouncing immediately without trying a delivery, you can use \-odq-\ to put a message on the queue without a delivery attempt, and then use \-M-\ on it. Q0611: I set up \"|/bin/grep Subject|/usr/bin/smbclient -M "\ as an alias but it doesn't work. A0611: That is a shell command line. Exim does not run pipe commands under a shell by default (for added security - and it saves a process). You need something like ==> "|/bin/sh -c '/bin/grep Subject|/usr/bin/smbclient -M '" Q0612: Why does the \%pipe%\ transport add a line starting with \">From"\ to messages? A0612: Actually, it adds a line starting with \"From"\ followed by a space. This is commonly referred to as the \"From_"\ line, to emphasize the fact that \"From"\ is followed by a space and not a colon. This is a pseudo-header line that contains the envelope sender address and the time of delivery. It originated as a separator line in Berkeley format mailboxes, but is also used in other contexts. (And yes, it is often confused with the ::From:: header line, and this causes a lot of grief. The use of \"From_"\ was one of the really bad email design decisions.) Exim's \%pipe%\ transport adds this pseudo-header line by default because \(/usr/ucb/vacation)\ needs it, and that is one of the the most common uses of piping. The \^procmail^\ local delivery agent also makes use of the \"From_"\ line. If you do not want it, change the setting of \message_prefix\ on the \%pipe%\ transport. For example, to remove the line altogether, use ==> message_prefix = If you are not piping to \(/usr/ucb/vacation)\ or \^procmail^\, it is likely that you do not need a \"From_"\ line, and indeed it may cause problems if it is present. One user reported that this line gave trouble when a pipe was used to send messages to Courier's \^deliverquota^\ program. The line was retained with the message, and caused problems for MS Exchange 2000 when retrieving messages with its built-in POP collector. Specifically, it caused Exchange to not be able to recognise message attachments. Q0613: I have set \fallback_hosts\ on my \%smtp%\ transport, but after the error \*sem@chat.ru cannot be resolved at this time*\ Exim isn't using them. A0613: \fallback_hosts\ works only if an attempt at delivery to the original host(s) fails. In this case, Exim couldn't even resolve the domain \(chat.ru)\ to discover what the original hosts were, so it never got as far as the transport. However, see Q0315 for a possible solution. Q0614: After the holidays my ISP has always hundreds of e-mails waiting for me. These are forced down Exim's throat in one go. Exim spawns a lot of kids, but is there some limit to the number of processes it creates? A0614: Unless you have changed \smtp_accept_queue_per_connection\ it should spawn only that many processes per connection (default 10). Your ISP may be making many connections, of course. That is limited by \smtp_accept_max\. Q0615: When a message in the queue got to 12h old, Exim wrote \*retry timeout exceeded*\ and removed all messages in the queue to this host - even recent messages. How I can avoid this behaviour? I only want to remove messages that have exceeded the maximum retry time. A0615: Exim's retrying is host-based rather than message-based. The philosophy is that if a host has been down for a very long time, there is no point in keeping messages hanging around. However, you might like to check out \delay_after_cutoff\ in the \%smtp%\ transport. It doesn't do what you want, but it might help. Q0616: Can Exim add a ::Content-Length:: header to messages it delivers? A0616: You could include something like ==> headers_remove = "content-length" headers_add = "Content-Length: $message_body_size" to the \%appendfile%\ transport. However, the use of ::Content-Length:: can cause several problems, and is not recommended unless you really know what you are doing. There is a discussion of the problems in \?http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/content-length.html?\. Q0617: Exim seems to be trying to deliver a message every 10 minutes, though the retry rules specify longer times after a while, because it is writing a log entry every time, like this: ==> 1999-08-26 14:51:19 11IVsE-000MuP-00 == example@example.com T=smtp defer (-34): some host address lookups failed and retry time not reached for other hosts or connection limit reached A0617: It is looking at the message every 10 minutes, but it isn't actually trying to deliver. It's looking up \(example.com)\ in the DNS and finding this information: ==> example.com. MX 10 example-com.isp.example.com. example.com. MX 0 mail.example.com. mail.example.com. A 202.77.183.45 A lookup for example-com.isp.example.com. yielded NXDOMAIN The last line means that there is no address (A) record in the DNS for \(example-com.isp.example.com)\. That accounts for \*some host address lookups failed*\, but the retry time for \(mail.example.com)\ hasn't been reached, which accounts for \*retry time not reached for other hosts*\. Q0618: I am trying to set exim up to have a automatic failover if it sees that the system that it is sending all mail to is down. A0618: Add to the \%remote_smtp%\ transport the following: ==> fallback_hosts = failover.server.name(s) If there are several names, they must be separated by colons. Q0619: I can't get Exim to deliver over NFS. I get the error \*fcntl() failed: No locks available*\, though the lock daemon is running on the NFS server and other hosts are able to access it. A0619: Check that you have \(lockd)\ running on the NFS client. This is not always running by default on some systems (Red Hat is believed to be one such system). Q0620: Why does Exim bounce messages without even attempting delivery, giving the error \*retry time not reached for any host after a long failure period*\? A0620: This message means that all hosts to which the message could be sent have been failing for so long that the end of the retry period (typically 4 or 5 days) has been reached. In this situation, Exim still computes a next time to retry, but any messages that arrive in the meantime are bounced straight away. You can alter this behaviour by unsetting the \delay_after_cutoff\ option on the smtp transport. Then Exim will try most messages for those hosts once before giving up. Q0621: My \(.forward)\ file is \"|/usr/bin/procmail -f-"\ and mail gets delivered, but there was a bounce to the sender, sending him the output of procmail. How can I prevent this? A0621: Exim's default configuration is set up like this: ==> address_pipe: driver = pipe return_output The \return_output\ option requests that any output that the pipe produces be returned to the sender. That is the safest default. If you don't want this, you can either remove the option altogether, or change it to \return_fail_output\, to return output only if the command fails. Note that this will affect all pipes that users run, not just your procmail one. It might be better to arrange for procmail not to produce any output when it succeeds. Q0622: Can I write an ordinary file when I run a perl script as a transport filter for the \%remote_smtp%\ and \%address_pipe%\ transports? A0622: Yes, provided the file is writeable by the uid under which the transport runs (the Exim user in the case of the remote transport). However, if two messages are being delivered at once, their data will get mixed up in the file unless you implement your own locking scheme. If all you want to do is to take a copy of the message, another approach that avoids the locking problem is to use a system filter to set up an ``unseen'' delivery to a file. If you only want the message's headers, you can set \message_filter_file_transport\ to point to a special \%appendfile%\ transport that has \headers_only\ set. Q0623: My \(/var/spool/mail)\ has grown drastically. Is there any possibility of using two directories? A0623: You can use an expansion string to split mailboxes between two directories. For example, ==> file = /var/spool/mail${nhash_2:$local_part}/$local_part which does a hash on the local part, producing either 0 or 1, thereby using \(mail0) or \(mail1)\. But remember, the MUAs that read these mailboxes also have to know where they are. Q0624: Sendmail has a program called \^smrsh^\ that restricts what binaries can be run from sendmail aliases. Is there something like this in Exim ? A0624: Check out the \allow_commands\ option in the \%pipe%\ transport. Q0625: I wish to have large emails go out one at a time. A0625: One possibility is to set up a router that defers all large messages, except in queue runs. Since queue runners deliver just one message at a time, if you limited the number of simultaneous queue runners to 1, you would get the effect you wanted. A suitable router might be ==> defer_if_large_unless_queue_run: driver = redirect condition = ${if or{{queue_running}{<{$message_size}{200K}}}{no}{yes}} allow_defer data = :defer: too large for immediate delivery no_verify Of course, this would always delay any large message until the next queue runner, but if you run them fairly regularly, this shouldn't be a huge problem, and may even be desirable. Note the use of \no_verify\ to ensure that this router is not used when Exim is verifying addresses. Q0626: Exim can route local parts independent of their case, but the Cyrus LMTP daemon requires the correct case. How can I fix this? A0626: You need to rewrite the local part to the correct case before running the router that routes to Cyrus. For example, if you require all lower case, and your router is called \local_user\, put this router in front of it: ==> lowercase_local: driver = redirect redirect_router = local_user domains = +local_domains data = ${lc:$local_part}@$domain The setting of \redirect_router\ causes processing of the rewritten address to start at the next router, instead of the first router. See also Q0630 and Q0414, and see C045 for a more complete Cyrus configuration. Q0627: Is there a command I can send to Exim to retry all queued messages regardless of their retry schedule? A0627: The \-qff-\ option starts a queue runner that forces a delivery attempt for all messages, including frozen ones. If you use \-qf-\, frozen messages are skipped. Q0628: I have the default retry rule, which I thought meant that Exim should keep trying for four days, but it seems to be bouncing some messages immediately. A0628: See Q0615 and Q0620. Q0629: I'm having trouble with quotas and Courier, because Exim is not handling maildirsize files. A0629: You must be using an old version of Exim; it has supported maildirsize files since release 4.30. Q0630: How can I configure Exim to deliver to a Cyrus message store? A0630: (1) The reference manual contains an example that uses pipe delivery. (2) Here is a transport that uses LMTP delivery, assuming that \$local_part$\ contains the username: ==> cyrus_inbox: driver =lmtp user = cyrus socket = /var/cyrus/socket/lmtp (3) This is a transport that delivers direct to a non-inbox mailbox: ==> cyrus_mailbox: driver = pipe user = $local_part message_prefix = message_suffix = log_fail_output return_output command = "/usr/cyrus/bin/deliver -a $local_part \ -m $local_part" This delivers to the Cyrus mailbox \"user.$local_part."\. Using \"user = $local_part"\ and \"-a $local_part"\ makes it work without needing an explicit `p' ACL set for `anyone' on the mailbox. Q0631: I would like to choose a retry rule based on on the sender rather than the recipient address. Is this possible? A0631: Yes. In release 4.43 and later releases, you can do this directly by adding a third item to a retry rule of the form "senders=
". The retry timings themselves then become the fourth item. For example: ==> * * senders=: F,1h,30m would match all bounce messages. If the address list contains white space, it must be enclosed in quotes. For example: ==> a.domain timeout senders="x@b.dom : y@c.dom" G,8h,10m,1.5 If you are using an earlier release of Exim, you can still achieve the effect, but in a more complicated way. The address part of a retry rule is matched as a single-item address list. Such lists are always expanded, so you can use something like this: ==> "${if eq{$sender_address}{xxx}{*@*}{no@no}}" quota F,1h,10m; ... If the sender address is ``xxx'', the pattern expands to ``*@*'', which matches all recipient addresses; if you want to, you can make this a more restrictive pattern. If the sender address is not ``xxx'', the pattern expands to ``no@no'', which is assumed to be a recipient address that can never match, so the retry rule is skipped. Q0632: What does the error \*User 1 set for local_mbx_delivery transport is on the never_users list*\ mean? A0632: You have configured the \%local_mbx_delivery%\ to run as the user whose id (uid) is 1. However, this user is on the list defined by the \never_users\ runtime option, or the \\FIXED_NEVER_USERS\\ compile-time option. These are ``safety catch'' lists; Exim refuses to deliver to any user that is on them. The most common use of \never_users\ is to avoid doing any deliveries as \/root/\, but it can contain other uids. Q0633: Why is \$domain$\ not set in the \%smtp%\ transport? A0633: The \%smtp%\ transport can handle several recipient addresses at once. This happens by default if the host lists for the addresses are identical. A single copy of the message is sent, using multiple \\RCPT\\ commands to transmit multiple envelope recipients. The \$domain$\ variable is set in the \%smtp%\ transport only if all the recipient addresses have the same domain. You must have a case where several addresses with different domains resolve to the same set of hosts. If you want to restrict the transport so that it handles only a single domain at once (but still possibly with more than one recipient), set ==> multi_domain = false If you want to restrict the transport so that it handles only a single address at once, set ==> max_rcpt = 1 Q0634: How can I stop a local transport from trying to access the user's home directory, even when the delivery is to a file that is elsewhere? A0634: See answer (2) for Q0423. Q0635: The log message \*error ignored*\ appears after some delivery failures. What does it mean? A0635: This message is written when Exim fails to deliver a bounce message whose age is greater than \ignore_bounce_errors_after\. It indicates that the failing bounce message has been discarded. The same message is written after failed deliveries when a filter file uses the \noerror\ feature when setting up a delivery, or if a router has the setting ==> errors_to = <> Both of these specify that delivery failures are to be discarded. 7. POLICY CONTROLS Q0701: How do I block unwanted messages from outside my host? A0701: Exim uses Access Control Lists (ACLs) for controlling incoming mail from other hosts. A whole chapter in the reference manual is devoted to describing how they work. A wide variety of conditions can be imposed on incoming messages. The default Exim run time configuration contains an example of an ACL which blocks all relaying, and messages whose senders cannot be verified. This example is heavily commented and worth studying. Q0702: I don't want to block spam entirely; how can I inspect each message before deciding whether or not to deliver it? A0702: Wherever possible, inspection and rejection is best done automatically in an ACL, that is, before the message is accepted. If you want to verify manually each message that is classified as spam by an automatic check, you can arrange for a system filter to freeze such messages after they have been accepted. If, after inspection, you decide not to deliver the message, it is safest to discard it, using the \-Mrm-\ option. Use of the \-Mg-\ option to force a bounce carries the risk of ``collateral spam'' if the sender address is faked (as it usually is in spam). Q0703: How can I test that my spam blocks are working? A0703: The \-bh-\ option allows you to run a testing SMTP session as if from a given IP address. For example, ==> exim -bh 192.168.178.39 In addition to the normal SMTP replies, it outputs commentary about which tests have succeeded or failed. If you are not interested in the details, but just want to know if a particular sender at a particular IP address is able to mail to a particular recipient, you can use the \exim_checkaccess\ utility, which provides a ``packaged'' version of \-bh-\. You call it like this: ==> exim_checkaccess 192.168.53.23 recip@my.domain -f sender@some.domain If you don't give a sender, \"<>"\ is used (that it, it acts like a bounce message). Q0704: How can I test that Exim is correctly configured to use a DNS black list such as the Realtime Blackhole List (RBL)? A0704: The \-bh-\ option allows you to run a testing SMTP session as if from a given address. The \^exim_checkaccess^\ utility provides a more packaged version of this facility. You need to know a blocked IP address with which to test. Such a testing address is kindly provided by Russell Nelson: ==> linux.crynwr.com [192.203.178.39] You can also send mail to \(nelson@linux.crynwr.com)\ from the server whose RBL block you are testing. The robot that receives that email will attempt to send a piece of test email in reply. If your RBL block didn't work, you get a message to that effect. Regardless of whether the RBL block succeeds or not, it emails you the results of the SMTP conversation from a host that is not on the RBL, so you can see how your server looks from the view of someone on the RBL. Q0705: How can I use tcpwrappers in conjunction with Exim? A0705: Exim's own control facilities can do all that tcpwrappers can do. However, if you are already using tcpwrappers for other things it might be convenient to include Exim controls in the same place. First of all, ensure that Exim is built to call the tcpwrappers library, by including \\USE_TCPWRAPPERS=yes\\ in \(Local/Makefile)\. You also need to ensure that the header file \(tcpd.h)\ is available at compile time, and the \(libwrap.a)\ library is available at link time, typically by including it in \\EXTRALIBS\\. You may need to copy these two files from the tcpwrappers build directory to, for example, \(/usr/local/include)\ and \(/usr/local/lib)\, respectively. Then you could reference them by ==> CFLAGS=-I/usr/local/include EXTRALIBS=-L/usr/local/lib -lwrap in \(Local/Makefile)\. There are two ways to make use of the functionality, depending on how you have tcpwrappers set up. If you have it set up to use only one file, you ought to have something like: ==> /etc/hosts.allow: ==> exim : : For example: ==> exim : LOCAL 192.168.0. .friendly.domain special.host : ALLOW exim : ALL : DENY This allows connections from local hosts (chiefly //localhost//), from the subnet 192.168.0.0/24, from all hosts in \(*.friendly.domain)\, and from a specific host called \(special.host)\. All other connections are denied. If you have tcpwrappers set up to use two files, use the following: ==> /etc/hosts.allow: ==> exim : ==> /etc/hosts.deny: ==> exim : Read the \^hosts_access^\ man page for more ways of specifying clients, including ports, etc., and on logging connections. Q0706: How can I get POP-auth-before-relay (aka POP-before-SMTP) support in Exim? A0706: A cleaner way of authentication is to use the SMTP AUTH facility, which does not require a prior use of POP. However, it is possible to do what you have asked for: Exim 4 supports the ``whoson'' (\?http://whoson.sourceforge.net?\) facility for doing this. If you set this up, you can do the check in an Exim ACL by a statement like this: ==> require condition = \ ${lookup whoson {$sender_host_address}{yes}{no}} Otherwise you need to arrange for a list of permitted IP addresses to be maintained in a file or database, and use this in a \hosts\ condition in an ACL statement. An Exim user has published this recipe: \#\#\#\#\?http://www.zeiss.cx/memo/computer/linux/email/exim-s-a-p.html?\ Another Exim user submitted the following idea: Use a script to grab authenticated IP addresses from the log files of the POP3 and IMAP4 daemons. These are used to create files in the directory tree \(/var/db/popb4smtp)\. The existence of a file represents a valid ``popped recently token'' for the IP address used as the filename. Another script periodically removes stale files from the tree (after two hours). There's a small race condition here; it's possible for a file to be deleted just after it has been updated by the script that watches the logs. For low-volume servers, the odds of hitting this window are low. A POPB4SMTP_CLIENT macro in the Exim configure file provides a reusable ``has this sender popped recently?'' query: ==> POPB4SMTP_SUBDIR = /var/db/popb4smtp/${substr_-1_1:$sender_host_address} POPB4SMTP_CLIENT = ${if exists {POPB4SMTP_SUBDIR/$sender_host_address} \ {$sender_host_address} {0} } Now you can use it just about anywhere, including in your ACLs. Simple examples include: ==> hostlist relay_hosts = 127.0.0.1/32 : ... : POPB4SMTP_CLIENT host_lookup = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT rfc1413_hosts = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT The two scripts (and a FreeBSD startup script for them) are available for download at: \#\#\#\#\?http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz?\ Q0707: I have one or two cases where my host correctly rejects messages, but the remote host is quite persistent, and keeps trying over and over. A0707: It is an unfortunate fact that a number of SMTP clients, in violation of the SMTP RFC, do not treat a permanent error code that is given after the DATA portion of the transaction as a permanent error. Consequently they keep resending the message, and the worst offenders do so at very short intervals. The only way to stop such behaviour is to blacklist the IP address, or the envelope sender, or both, in such a way that future messages get rejected at RCPT time instead of at DATA time. You could also complain to the remote host's administrators. Q0708: How can I run customized verification checks on incoming addresses? A0708: There are a number of possibilities: (1) If you can implement your checks in Perl, you can use Exim's facility for running an embedded Perl interpreter. For example, if you want to run special checks on local addresses, you could use ACL an statement like this: ==> require domains = my.local.domain condition = ${perl{verify}{$local_part}} The result of the Perl function should be ``yes'' or ``no''. (2) You could also run an external program in a similar way, by a statement such as: ==> require domains = my.local.domain condition = ${run{/my/verifier $local_part}} This requires the use of another process, so could prove more expensive than Perl. (3) If you are prepared to write C code, read the chapter in the manual entitled \*Adding a local scan function to Exim*\. Q0709: Does Exim apply RBL checks to error messages, those with an envelope sender of \"<>"\ ? A0709: This depends on the ACL configuration. You can test for bounce messages (by looking for an empty sender address) and thereby exclude them from RBL checking if you want. This ACL statement does that: ==> deny senders = ! : dnslist = blackholes.mail-abuse.org However, some spam does come with an empty sender address, so this may not be a good idea. Q0710: I want to reject certain sender-recipient combinations, with a specific message for each such combination. A0710: Set up a file (or database) containing the messages, keyed by the combination, for example: ==> sender1@sdomain1=>recipient1@rdomain1: blocked because... sender2@sdomain2=>recipient2@rdomain2: blocked because... If you have lots of recipients for the same sender, it might be easier to generate this file from more convenient data. In your ACL that is run for each RCPT command, you can then put: ==> deny message = ${lookup{$sender_address=>$local_part@$domain}\ lsearch{/that/file}} condition = ${lookup{$sender_address=>$local_part@$domain}\ lsearch{/that/file}{yes}{no}} The condition is tested first. If the lookup succeeds, the condition succeeds so access is denied. The message is then expanded, but the lookup won't be repeated, because Exim will have cached the previous result. This approach blocks only incoming SMTP messages. If you need to do similar blocks for messages that do not arrive over SMTP, you have to set up a suitable \%redirect%\ router with a \:fail:\ setting. Q0711: Will Exim allow me to create a file of regexs and match incoming external email to the list - and if a match is found file the offending message into a special location? Also is it possible to make Exim only filter parts of an incoming email - e.g. ignore large MIME attachments for example and only process text/plain? A0711: You can do some of this in a system filter. For example: ==> if $message_body matches <...some complicated regex...> or $message_body matches <...some other regex...> or $header_from: matches <...regex...> or etc. then save /some/special/file endif or instead of \"save"\ you could have \"deliver"\ (to some address) or \"pipe"\ (to some script). There isn't any mechanism for ignoring attachments, but \$message_body$\ only looks at the first n bytes of the body, where n defaults to 500 but can be changed. A more expensive alternative would be to run a Perl subroutine using the embedded Perl mechanism. If you passed over the message id, the Perl code could read the message files on the spool and implement any algorithm it liked for deciding what should be done. Q0712: I've hacked sendmail to make an ioctl call at the time of the SMTP RCPT command, to check if a user has exceeded their email quota. If they have I issue a temporary failure and a message - can I do this with Exim? A0712: If you can make this happen in Perl you can use the embedded Perl facility, and use it from a \condition\ condition in an ACL statement. You can also use the expansion facility to run an external program, but this uses more resources because it uses another process. Q0713: I'd like to pass all messages through a virus-scanning system before delivery. Can Exim do this? A0713: One way of achieving this is to deliver all messages via a pipe to a checking program that resubmits them for delivery in some private way that can be checked (e.g. on a specific SMTP port, or IP address). One possibility is to use the `received protocol` field that can be set for locally submitted mail via the \-oMr-\ command line option. This router sends all messages that are not from the local host and whose received protocol is not \"scanned-ok"\ to the \%virus_scan%\ transport: ==> vircheck: driver = accept transport = virus_scan condition = ${if or {{eq {$received_protocol}{scanned-ok}} \ {eq {$sender_host_address}{127.0.0.1}}}\ {0}{1}} One problem is that this approach, by default, scans the message for each recipient, not just once per message. However, you can set the \batch_max\ option on the transport to allow it to send a single copy for multiple recipients. The virus_scan transport should be set up to pipe the message to a suitable checking program or script which runs as a trusted user. This can then re-submit the message to Exim, using \-oMr-\ to set the received protocol to \"scanned-ok"\. It is probably easiest to use the Batch SMTP (BSMTP) facilities for passing the sender address and the recipient addresses to the checker and then back to Exim (using the \-bS-\ command line option). \**Warning:**\ If you forget to make the resubmitting process run as a trusted user, the sender address will be incorrect and what is worse, the received protocol does not get set, and you are likely to generate a loop. Q0714: Is there a way to configure Exim to reject mail to a certain local host? A0714: No, only to certain domains. To reject at SMTP time, you can put a line like this in your ACL: ==> deny message = this domain is deliberately rejected domains = a.certain.domain To fail addresses in messages that do not arrive over SMTP, you can set up a router like this: ==> reject_a_certain_domain: driver = redirect domains = a.certain.domain allow_fail data = :fail: this domain is deliberately rejected Q0715: How can I get Exim to remove attachments from messages? A0715: Exim does not contain facilities for modifying messages. You must use an external program if you want to do this. You can route messages that have a ::Content-type:: header line via a pipe to a command that does the job and then re-submits the message to Exim. Alternatively, you could use a transport filter to do this job. Q0716: How can I arrange for each user to have a file listing the only sender addresses from which she will accept mail? I want to do this so my family members don't get any spam (or other inappropriate mail). A0716: Let's assume each user has a file called \(.acceptlist)\ in the home directory. You can put in your ACL a line like this: ==> require senders = /home/$local_part/.acceptlist This will reject RCPT commands when the sender is not in the accept list for the recipient. (Replace \(/home/$local_part)\ with whatever the correct path to your user's home directories is.) One problem with this is that it will block bounce messages, which have empty senders. You can get round this, by changing the line to this: ==> require senders = : /home/$local_part/.acceptlist However, this will, of course, let in spam that has a null sender. Q0717: When using Nessus on a system that runs Exim, a number of security issues are raised. Nessus complains that Exim answers to EXPN and/or VRFY; sometimes it even complains that Exim allows relaying. A0717: Exim supports EXPN and VRFY only if you permit it to do so in the ACLs defined by \acl_smtp_expn\ and \acl_smtp_vrfy\, respectively. Otherwise, its responses are ==> 550 Administrative prohibition 252 Administrative prohibition Maybe the use of 252 is the ``problem''. It is recommended that this be done (by those that discuss these things) because there are stupid clients that attempt VRFY before sending a message. Q0718: Could anyone points me to right rules to prevent sending/receiving messages to/for domains which have one MX to localhost or only have address 127.0.0.1 ? A0718: See Q0319. Q0719: I would like to have a per-user limit for the maximum size of messages that can be sent. A0719: The simplest way to do this is to put something in a system filter along these lines: ==> if $message_size is above "${lookup{$sender_address}lsearch{/some/file}{$value}{10M}}" then fail "Message is larger than $sender_address is allowed to send" endif In practice, an additional check that the message has arrived from your local host or local network is probably wise because sender addresses are easily forged. Q0720: I set \"accept hosts=192.168.122.96/32"\ in order to accept mail for relaying from my local LAN, but it doesn't work. What's wrong? A0720: 192.168.122.96/32 is not a network, it is a single host. Exim uses CIDR notation for specifying networks, where the number after the slash is the number of bits in the IP address that must match. Your setting says ``32 bits must match''. If you really mean to specify ``the next 32 IP addresses'', you need 192.168.122.96/27. Q0721: I have POP-before-SMTP set up on my Exim server, but some clients use Outlook Express, which sends queued messages before checking the mailbox, so it doesn't work. A0721: Implement SMTP authentication. Q0722: I installed Amavis and it is working, but bounces are simply vanishing. A0722: Check that you haven't inadvertently set up the transport like this: ==> amavis: driver = pipe command = "/usr/sbin/amavis -f ${sender_address} -d ${pipe_addresses}" The last line should be: ==> command = /usr/sbin/amavis -f <$sender_address> -d $pipe_addresses The important thing is the <> around the sender address; removal of the unnecessary "" and {} is just tidying. See the amavis FAQ at \?http://www.amavis.org/amavis-faq.php3?\. Q0723: I can't get Pine to work with PLAIN authentication; Exim keeps responding "535 Incorrect authentication data". A0723: You need to have this setting in your PLAIN authenticator: ==> server_prompts = : This is missing in the examples in early Exim documentation, because it was not realized that PLAIN authentication could be requested by a client without sending the data with the request. If the data is not sent, an empty prompt is expected. Q0724: I have used \":fail:"\ in some aliases; when one of these addresses is refused, I see the message on the log, but the response to the remote user is ``unknown user'' instead of the message from the alias file. How can I change this? A0724: Have you got a \message\ qualifier in the relevant ACL? Exim uses the message line in the ACL in preference to the message returned by the router. This is so you can restrict the amount of information that ``escapes'' from your site via SMTP if you want to. Remove the \message\ line in the ACL entry that has \"verify = recipient"\ and your message will get through. Alternatively, if you are running Exim 4.10 or later, you can use the \$acl_verify_message$\ variable in your message to include the message from the router. See also Q0725. Q0725: I've set up some specific rejection messages for certain recipients, but when I test them, the SMTP message is always \*550 5.1.1 ... User unknown*\. A0725: That is not an Exim message (the ``5.1.1'' is a clue; Exim doesn't use those extended codes). You are probably being defeated by software that sees the 550 error code, and insists on putting in its own text. There is stupid software that does this. You can test Exim by using \-bh-\ or making a telnet call to the SMTP port. That way, there's no other software intervening. Q0726: My SMTP authentication can be bypassed by sending an unknown user name and an empty password. What is wrong with this condition in a PLAIN authenticator? ==> server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \ accounts WHERE username='${local_part:$1}'}}}{1}{0}} A0726: Your lookup item returns an empty string when the user does not exist. You should instead arrange for the lookup to fail: ==> server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \ accounts WHERE username='${local_part:$1}'}{$value}fail}}{1}{0}} Q0727: When a message has many recipients, how can I stop SpamAssassin from being called for each of them? I'm running it from a pipe transport. A0727: In the transport configuration, set \batch_max\ to a value greater than one. Q0728: How do I use Exiscan, SA-Exim, SpamAssassin, Clam Antivirus, Sophos SAVI, or sophie with Exim? A0728: There's a mini-HOWTO about these available via \?http://www.timj.co.uk/linux/exim.php?\. See also sample configuration C047. Q0729: How can I screen out addresses that are neither valid usernames or distribution lists on mail being forwarded to an internal Win2K server? A0729: A user suggested using a router like this to do the recipient verification: ==> verify_user_router: driver = accept domains = win2kdomain.com local_parts=\ ldap;user="cn=ldap-guest,cn=Users,dc=win2kdomain,dc=com"\ pass=guest \ ldap:://win2kpdc/dc=win2kdomain,dc=com?mailNickname?\ sub?(&(mailNickname=$local_part)\ (showInAddressBook=*)(sAMAccountName=*)) verify_only Set up ldap-guest as a normal domain user on the Win2K PDC. Also, you need to set \no_verify\ on all the other routers that handle that domain. Q0730: How can I use the same passwords for SMTP authentication as I use for Courier IMAP access to my server? A0730: You can access the Courier authdaemon from an Exim authenticator. You must arrange for the Exim user (often \/exim/\ but sometimes \/mail/\) to be able to access \(/var/run/courier/authdaemon/socket)\. The configuration is something of a hack, but it is reported to work. Here is a LOGIN authenticator: ==> login: driver = plaintext public_name = LOGIN server_prompts = Username:: : Password:: server_condition = \ ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\ {AUTH 76\n${length_76:exim\nlogin\n$1\n$2\ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}} server_set_id = $1 Here is a PLAIN authenticator: ==> plain: driver = plaintext public_name = PLAIN server_prompts = : server_condition = \ ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\ {AUTH 76\n${length_76:exim\nlogin\n$2\n$3\ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\ \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}} server_set_id = $2 Q0731: Is there any defence I can use against spam sent through an open proxy? A0731: The \*ident*\ feature can be used in some cases. See the discussion in Q5023. Q0732: I would like to either warn or deny when a host uses an underscore in the EHLO command. A0732: First, set ==> helo_allow_chars = _ This tells Exim not to reject the EHLO or HELO command immediately. Once you have done that, you can test for the underscore in an ACL. For example, to log a warning for hosts in your LAN, and reject for other hosts, you could do something like this: ==> deny message = Underscores are not valid in host names hosts = ! +lan_hosts condition = ${if match{$sender_helo_name}{_}{yes}{no}} ==> warn log_message = Accepted underscore from [$sender_host_address] condition = ${if match{$sender_helo_name}{_}{yes}{no}} Q0733: Is there any way to tell Exim not to lookup the IP address against any DNS black list if the connection is over IPv6? A0733: Use this condition in your ACL: ==> condition = ${if match{${mask:$sender_host_address/0}}\ {${mask:::0/0}}{no}{yes}} From Exim 4.23 onwards, this can be simplified to ==> condition = ${if isip6{$sender_host_address}{no}{yes}} Q0734: How do MailScanner and Exiscan compare? What are the pros and cons? A0734: The big advantage of Exiscan is that it can reject messages at SMTP time before you have accepted responsibility for them, which means you don't have to deal with bouncing messages and thereby becoming a collateral spammer. The big advantage of MailScanner is that it gives you much greater control over the load on your machines. You configure it according to the maximum processing capacity of your computer and it will not exceed that; in fact because it deals with messages in batches the cost of processing a message actually goes down slightly as the load increases, because the per-batch costs are shared by more messages. With Exiscan, you have to rely on Exim's load protection mechanisms, which basically means that you have to stop accepting messages when your machine gets too loaded. This is bad if the machine happens to be an SMTP smarthost. You therefore need more overcapacity with Exiscan than with MailScanner. Q0735: How can I block non-FQDNs in HELO/EHLOs? A0735: Many workstation clients send single-component names; take care that you do not block legitimate mail. With that proviso, you can do it using something like this in an ACL: ==> drop message = HELO doesn't look like a hostname log_message = Not a hostname condition = ${if match{$sender_helo_name} \ {\N^[^.].*\.[^.]+$\N}{no}{yes}} This means: Drop the HELO unless it contains a dot somewhere in the HELO string, but the string may not begin or end with a dot. Thus, the imposed minimum length is 3 characters. The data for HELO/EHLO doesn't have to be a host name; it may legitimately be an IP address literal instead. The above test succeeds with an IPv4 address literal, but if you want also to accept IPv6 address literals, you will have to modify the regular expression. Q0736: Is it possible to tell exim to drop the connection after a server attempts to send a message to a number of unknown users? A0736: Yes. Use \$rcpt_fail_count$\ and the \^drop^\ ACL command, as in this example: ==> drop message = Too many unknown users condition = ${if >{$rcpt_fail_count}{15}{yes}{no}} Q0737: Is there some way to tell Exim not to consider 127.0.0.1 as a valid MX? A0737: See Q0319. Q0738: How can I configure Exim to delay the SMTP connection if more than 10 invalid recipients are received in one message? A0738: Put something like this in your RCPT ACL: ==> deny message = Max $rcpt_fail_count failed recipients allowed condition = ${if >{$rcpt_fail_count}{10} {1}} ! verify = recipient delay = ${eval: $rcpt_fail_count * 10}s log_message = $rcpt_fail_count failed recipient attempts This example increases the delay for each failed recipient. Q0739: Does Exim support SPF? A0739: An Exim ACL can be used. See \?http://spf.pobox.com/downloads.html?\. Q0740: How can I change the MAIL FROM address that is used for callouts? A0740: It depends on which type of callout you are using. (1) For envelope sender verification callouts, you cannot make any change. My view is that an envelope sender verification is testing whether Exim could send a bounce to that address. Therefore, it must use \"MAIL FROM:<>"\ because that is what it would do if it were sending a bounce message. If \"MAIL FROM:<>"\ is rejected, it means Exim could not send a bounce. Therefore the callout fails. (2) For verifying addresses in the ::From::, ::Sender::, or ::Reply-to:: header lines (the \"verify = header_sender"\ condition), it is possible to make a change, on the grounds that these addresses are not necessarily ones that must accept bounce messages. You can do this by adding a \"mailfrom"\ option, like this: ==> require verify = header_sender/callout=mailfrom=abcd@x.y.z (3) It is also possible to make a change for the postmaster verification option, also on the grounds that a postmaster address need not accept bounces if it is never used as an envelope sender. Instead of just \"postmaster"\, \"postmaster_mailfrom"\ is used, like this: ==> require verify = sender/callout=postmaster_mailfrom=abcd@x.y.z (4) For recipient verification, there are three possibilities. The default is to use \"MAIL FROM:<>"\. If the \use_postmaster\ option is given, for example: ==> require verify = recipient/callout=use_postmaster then the address for MAIL FROM is made up from the local part \"postmaster"\ and the contents of \$qualify_domain$\. Alternatively, if the \use_sender\ option is given, the sender address of the incoming message is used. You should use this option only when you know that the receiving host makes use of the sender address when verifying. The reason is that the callout cache is much less effective in this case, causing many more callouts to be performed. In all cases when you configure Exim to use a non-empty address in MAIL FROM during callout processing, you should think carefully about what might happen if this causes the called host to make its own callout back to your host. Make sure that callout loops cannot happen. Q0741: How can I get Outlook Express to use TLS when authenticating? A0741: If you check \"auth required"\ in OE, it will authenticate as soon as it sees AUTH LOGIN, in preference to STARTTLS. The trick is to advertise things to OE in a certain order. The first EHLO should advertise STARTTLS but not AUTH, and only the second EHLO (after TLS starts) should advert AUTH. One way of achieving this is to put, in the main section of your Exim configuration: ==> auth_advertise_hosts = ${if eq{$tls_cipher}{}{127.0.0.1}{*}} This means that the only host to which AUTH is advertised is 127.0.0.1 when the session is not encrypted (that is, before TLS has started). The idea here is that there's no need for encryption for anything coming via the loopback interface. For an encrypted session, however, AUTH is advertised to all hosts. You can also block the AUTH command itself for unencrypted connections, by creating an ACL for \acl_smtp_auth\ that is something like this: ==> accept encrypted = * accept hosts = 127.0.0.1 deny message = TLS encryption required before AUTH 8. REWRITING ADDRESSES Q0801: How can I get Exim to strip the hostname from the sender's address? A0801: If you set up a rewriting rule in the following form: ==> *@*.your.domain $1@your.domain then Exim will rewrite all addresses in the envelope and the headers, removing anything between \"@"\ and \"your.domain"\. This applies to all messages that Exim processes. If you want to rewrite sender addresses only, the the rule should be ==> *@*.your.domain $1@your.domain Ffrs This applies the rule only to the envelope sender address and to the ::From::, ::Reply-to::, and ::Sender:: headers. Q0802: I have Exim configured to remove the hostname portion of the domain on outgoing mail, and yet the hostname is present when the mail gets delivered. A0802: Check the DNS record for your domain. If the MX record points to a CNAME record instead of to an A record, some MTAs (not Exim) are liable to rewrite addresses, changing your domain name to its ``canonical'' form, as obtained from the CNAME record. Q0803: I want to rewrite local addresses in mail that goes to the outside world, but not for messages that remain within the local intranet. A0803: You can use the \headers_rewrite\ option on a transport to do this. The rewriting will then apply to just those copies of a message that pass through the transport. The \return_path\ option can similarly be used to rewrite the sender address. There is no way of rewriting recipient addresses at transport time. However, as these are by definition remote addresses, you probably don't want to rewrite them. You have to set up the configuration so that it uses different SMTP transports for internal and external mail. If you are using a single router in both cases, you could configure it like this: ==> dnslookup: driver = dnslookup transport = ${if match{$domain}{\N\.my\.domain$\N}{int_smtp}{ext_smtp}} This example uses the \%int_smtp%\ transport for domains ending in \(.my.domain)\, and \%ext_smtp%\ for everything else. The \%ext_smtp%\ transport could be something like this: ==> ext_smtp: driver = smtp headers_rewrite = *@*.my.domain \ ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail} return_path = \ ${if match{$return_path}{\N^([^@]+)@(.*)\.my\.domain$\N}\ {\ ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail}\ }\ fail} This example uses a separate file of local-to-external address translations for each domain. This is not the only possibility, of course. The \headers_rewrite\ and \return_path\ options apply the same rewriting to the header lines and the envelope sender address, respectively. Q0804: I'm using this rewriting rule to change login names into ``friendly'' names, but if mail comes in for an upper case login name, it doesn't get rewritten. ==> *@my.domain ${lookup{$1}dbm{/usr/lib/exim/longforms}\ {$value}fail}@my.domain bcfrtFT The longforms database has entries of the form: ==> ano23: A.N.Other A0804: Replace \"$1"\ in your rule by \"${lc:$1}"\ to force the local part to lower case before it is used as a lookup key. Q0805: Is it possible to completely fail a message if the rewrite rules fail? A0805: It depends on what you mean by ``fail a message'' and what addresses you are rewriting. If you are rewriting recipient addresses for your local domain, you can do: ==> *@dom.ain ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}} Ehq and in your alias file put something like ==> failaddr: :fail: Rewriting failed This fails a single recipient - others are processed independently. Q0806: I'm using \$domain$\ as the key for a lookup in a rewriting rule, but its contents are not being lowercased. Aren't domains supposed to be handled caselessly? A0806: The value of \$domain$\ is the actual domain that appears in the address. It could of course be lower cased, but I know that would cause some unhappiness, because some people have mixed-case domain names which look silly if the case is changed. Thus, one wants to preserve the case in rewrites such as ==> *@*.TheRap.com something@$domain because ``therap'' doesn't look like two words. I know it seems trivial, but it is important to some people - especially if by some unfortunate accident the lowercased word is something indecent. You can trivally force lower casing by means of the \"${lc:"\ operator. Instead of \"$domain"\ write \"${lc:$domain}"\. Q0807: I want to rewrite local sender addresses depending on the domain of the recipient. A0807: In general, this is not possible, because a message may have more than one recipient and Exim keeps just a single copy of each message. It may also deliver one copy of a message with several recipient addresses. You can do an incomplete job by using a regular expression match in a rewrite rule to test, for example, the contents of the ::To:: header. This would work except in cases of multiple recipients. 9. HEADERS Q0901: I would like add some custom headers to selected outgoing mail based on a specific domain and the subject line. A0901: To the remote_smtp transport, add something like ==> headers_add = ${if and{\ {eq{$domain}{spec.dom}}\ {matches{$h_subject:}{whatever}}}\ {Content-Type: text/html; charset="us-ascii"} fail } This example shows a ::Content-Type:: header, but you can have anything you like, and multiple headers can be inserted by using \"@\n"\ to separate them. Q0902: Is it possible to have Exim add a header to only certain local parts of outgoing mail? A0902: Only if you arrange for each such local part to receive its own private copy of the mail. See \max_rcpt\ in the SMTP transport. If you set this to 1, you could use conditions in an expansion string to add or not add a header. Q0903: How can I remove some part of the ::Received:: header? A0903: Set \received_header_text\. Q0904: How I can insert the PGP header line using Exim filters? A0904: You can't insert headers in a user filter. A system filter can do so, but the inserted lines then are included for all recipients. Q0905: I know I can use a system filter to replace certain headers in messages, but how can I add text to existing headers? I want to add [SPAM] to the subject line of messages that appear to be spam. A0905: You can only do this in a round about way, using filter commands like this: ==> headers add "New-Subject: SPAM: $h_subject:" headers remove subject neaders add "Subject: $h_new-subject:" headers remove new-subject This trick works only in system filters, where the commands are obeyed in order, and affect the master list of headers that apply to the whole message. You cannot do this with the \headers_add\ and \headers_remove\ options on drivers. 10. PERFORMANCE Q1001: I'm running a large mail server. Should I set \split_spool_directory\ to improve performance? A1001: Splitting the spool directory has most benefit if there are times when there are a large number of messages on the queue. If all mail is delivered very quickly, and the queue is always less than, say, a few hundred messages, there isn't any need to do this. With larger queues, there is a definite performance benefit to splitting the spool. It shows up earlier on some types of file system, compared with others. Exim was not designed for handling large queues. If you are in an enviroment where lots of messages remain on the queue for long periods of time, consider implementing a back up host to which you pass these messages, so that the main host's queue remains short. You can use \fallback_hosts\ to do this, or a router that is conditional on \$message_age$\. Q1002: How well does Exim scale? A1002: Although the author did not specifically set out to write a high- performance MTA, Exim does seem to be fairly efficient. The biggest server at the University of Cambridge (a large Sun box) goes over 100,000 deliveries per day on busy days (it has over 20,000 users). There was a report of a mailing list exploder that sometimes handles over 100,000 deliveries a day on a big Linux box, the record being 177,000 deliveries (791MB in total). Up to 13,000 deliveries an hour have been reported. These are quotes from some Exim users: "... Canada's largest internet provider, uses Exim on all of our mail machines, and we're absolutely delighted with it. It brought life back into one of our machines plagued with backlogs and high load averages. Here's just an example of how much email our largest mail server (quad SS1000) is seeing ... " [230,911 deliveries in a day: 4,475MB] "... Exim has to ... do gethostbyname()s and RBL lookups on all of the incoming mail servers, and he runs from inetd (TCP Wrappers connected). All the same, it seems to me that he runs as fast as lightning on our SCO 5.0.4 box (1 Pentium 166) - far faster than MMDF which I (and many customers) had before." "On a PII 400 with 128M of RAM running Linux 2.2.5, I have achieved 36656 messages per hour (outgoing unique messages and recipients). For about a 5 minute period, I was able to achieve an average of 30 messages per second (that would be 108000 m/hour)! We are using: (options that make a difference): ==> queue_only split_spool_directory queue_run_max = 1 remote_max_parallel = 1 We have a cron job hat runs every five minutes that spawns 5 \"exim -q"\ if there are less that 120 exim processes currently running. We found that by manually controlling the concurrency of \"exim -q"\ processes contending for the spool for \%remote_smtp%\ delivery that we gained considerable performance - 10000 m/hour." Q1003: We have a large password file. Can Exim use alternative lookups during delivery to speed things up? A1003: If you are using FreeBSD, this problem should not arise, because it automatically uses an indexed password file. In some other operating systems you can arrange for this to happen too. On Linux, for example, all you need to do is ==> # cd /var/db # make and put \"db"\ before \"files"\ in any \(/etc/nsswitch.conf)\ lines you want to use db for. On systems that do not include support for indexed password files, you can build one yourself, and reference it from the Exim configuration. For example, for routing to local mailboxes you could use this: ==> localuser: driver = accept condition = ${lookup{$local_part}cdb{/etc/passwd.cdb}{yes}{no}} transport = local_delivery user = ${extract{1}{:}{${lookup{$local_part}cdb{/etc/passwd.cdb}}} This assumes a cdb version of the password file. Q1004: I just wondered if it might be helpful to put the hints database on a RAM disk during regular operation. Did anybody try that yet? A1004: A user reported thus: ``I have found that this works great under Solaris. Make a RAM disk partition and keep everything in the \(db)\ directory on it. However, when I try the same thing on Linux, I don't see the same boost. I think that Linux's file buffer cache works about the same. Plus, this leave more room for processes to run.'' There have been other reports that Linux's delayed buffer write provides better overall performance in general. Apparently there is support in the Solaris kernel for a delayed writing, as in Linux, but Sun's server policy is to have it disabled so that you don't lose so much if the server crashes. There is a program called \^fastfs^\ to enable and disable this support. You have to download and compile it yourself; find it by looking for \"fastfs.c"\ in a search engine. Solaris performance is reported to be much improved, but you should take care to understand the potential hazards. In particular, \^fsck^\ may be unable to ``fix'' disks automatically after a crash. Q1005: A lot of incoming mail is pushing up my system load too much, and there are many Exim processes. How can I control this? A1005: Have you set any of the Exim configuration options that limit what it does under high load? For example, queue_only_load, deliver_queue_load_max? See the list in the section entitled \*Resource control*\ in the manual. It sounds like a lot of simultaneous incoming mail pushes your system into uncontrolled overload. The multiple Exim processes are probably just multiple incoming messages. You can use the \^exiwhat^\ utility to confirm this. 11. MAJORDOMO Q1101: How do I set up Majordomo to work with Exim? A1101: Users have found several ways of setting up Exim for use with Majordomo. One way has been documented at \?http://www.averillpark.net/exim/majordomo.html?\. Somewhere in the Majordomo docs or FAQ it mentions using batchmail or other additional programs to improve the performance of large lists. They are not needed with Exim, and their use can actually make things worse. However, it's a good idea to set \remote_max_parallel\ to a value greater than 1 in the Exim configuration. Q1102: I have set \$mailer$\ in \(majordomo.cf)\, but it still isn't setting the sender correctly in the messages it sends. A1102: Make sure you have got the quoting correct in the \$mailer$\ setting. For example, ==> $mailer = "$sendmail_command -oi -oee -f$sender\@lists.mydomain.de"; is not correct. It needs three backslashes, not one, and the $ at the start of \$sender$\ has to be escaped with a backslash. Q1103: I'm trying to set up majordomo, but I'm getting a wrong mode error when I try to send it mail. A1103: Check the mode of \(/var/lib/majordomo/lists/lists.aliases)\ and compare it with the setting of the \modemask\ option in the Majordomo aliases router. This option specifies bits which must not be set for the alias file, and it defaults to 022. Q1104: I'm getting return code 9 from \(/home/majordomo/majordomo-1.94.4/wrapper)\ when it is passed a message from Exim. A1104: A problem like this turned out to be the Perl version that came with RedHat 5.2. Rebuilding Perl 5.005x solved it. Q1105: Exim is complaining about an invalid command line when Majordomo tries to send it a message for delivery. A1105: Take a look at your \(majordomo.cf)\ file, It should have something that looks like ==> $sendmail_command = "/usr/lib/sendmail"; and another line like ==> $mailer = "$sendmail_command -oi -oee -f\$sender"; If you have modified \^resend^\ (one of the majordomo programs) to use \$sendmail_command$\ instead of \$mailer$\ you will be calling Exim with no command line arguments. 12. FETCHMAIL Q1201: When I run fetchmail, I get the error \*SMTP listener doesn't like recipient address xxx@localhost*\. A1201: Make sure that //localhost// is recognized as a domain that is to be delivered locally. If you are using the default Exim run time configuration, you'll see a line near the top like this: ==> domainlist local_domains = @ Change it to ==> domainlist local_domains = @ : localhost Q1202: I'm currently using Exim with fetchmail and I'd like to use the RBL on Exim, but will it work? Do I need to configure fetchmail any particular way? As far as Exim knows, all mail is coming from 127.0.0.1. Will it check the source address against RBL? Or will it check the ::From:: header? A1202: It will check 127.0.0.1 (not very useful). The point of the RBL is to keep messages from black-listed hosts out of your machine. If you are using fetchmail, you have got the messages into your machine before you approach Exim. That kind of defeats the purpose of the RBL. The right way to do this would be for the host from which you fetch your mail to do the RBL checking and insert some kind of warning header for you to test, as Exim does if you run RBL checks in warning mode. 13. PERL Q1301: Exim built with Perl support exits with the error message \*./exim: can't load library 'libperl.so'*\. A1301: If you are using BSDI, see Q9401. Q1302: Exim built with Perl support exits with several error messages of the form \*undefined reference to `PL_stack_sp'*\. A1302: This has been seen on FreeBSD systems that had two different versions of Perl installed, the older with an \^a.out^\ library and the newer with an ELF library. Ensure that the older package is removed. 14. DIAL-UP AND ISDN Q1401: When I'm not connected to the Internet, how can I arrange for mail to other hosts on my local network to be delivered, while at the same time mail to Internet hosts is queued without any delivery attempts? A1401: Use the \queue_domains\ option to control which domains are held on the queue for later delivery. For example, ==> queue_domains = ! *.localnet allows delivery to domains ending in \(.localnet)\, while queueing all the others. Q1402: I have a dial-up machine, and I use the \queue_smtp_domains\ option so that remote mail only goes out when I do a queue run. However, any email I send with an address \(anything@aol.com)\ is returned within about 15 minutes saying \*retry time exceeded*\, and all addresses are affected. A1402: You should be using \queue_domains\ rather than \queue_smtp_domains\. With the latter, Exim is trying to route the addresses, which involves a DNS lookup. This is presumably timing out, causing a retry time to be set for the domain, and somehow a valid lookup never happened before the maximum retry time (default of 4 days) passed. Hence the bounce. The fact that it is \(aol.com)\ is probably not relevant. You should probably also be using \-qq-\ to do your queue run rather than \-q-\. Q1403: How should Exim be configured when it is acting as a temporary storage system for a domain on a dial-up host? A1403: Exim isn't really designed for this, but... The lowest-numbered MX record for the domain should be pointing to the dial-up host. A higher numbered MX record (lower priority) should point to the Exim server that is acting as a temporary storage system. You should set a large retry time for the domain, so that Exim doesn't keep trying to deliver when the host is offline. When the host comes online, the waiting messages have to be kicked somehow. This can be done by calling Exim with the \-R-\ option, or via the SMTP ETRN command. This works provided the number of messages is low. If you are handling lots of mail, keeping messages waiting for their host to connect and those that are having delivery problems to remote hosts all in the same queue doesn't work so well. It is better in this case to get Exim to deliver the mail for the dial-in hosts into some local files which then get transmitted by other software when the host connects. One tool for doing this can be found at \?http://cr.yp.to/serialmail.html?\. For further discussion, see section entitled \*Intermittently connected hosts*\ in the manual, and also the section in the Exim book with the same name. Q1404: I have \queue_domains\ or \queue_smtp_domains\ set, and use \-qf-\ to force delivery of waiting mail when I dial in. How can I arrange for any new messages that arrive while I'm connected to be delivered immediately? A1404: Instead of \queue_domains\ or \queue_smtp_domains\, use the \queue_only_file\ option. This causes messages to be queued if a particular file exists. If you put the word ``smtp'' before the file name, the queueing applies only to domains that are delivered by SMTP, thus not affecting local deliveries: ==> queue_only_file = smtp/etc/present/when/not/connected Then, in the scripts which are run when you connect and disconnect, arrange to remove the file after connection, and create it just before disconnection. Q1405: I have an ISDN connection and would like a way of running the queue automatically when it is up. A1405: The following shell commands test for the interface being up and then run the queue: ==> ifconfig ppp0 | fgrep UP >/dev/null if [ $? -eq 0 ] ; then exim -q ; fi You could put these commands into a script which runs them at regular intervals. You might want to use \-qq-\ instead of \-q-\. With Linux, the script \(/etc/ppp/ip-up)\ is run after a ISDN connection or a more general PPP connection has been established. If you are using Linux, you could put the call to Exim in that script. Q1406: When I dial up to collect mail from my ISP, only the first 10 messages get delivered immediately; the remainder just sit on the queue until a queue runner process finds them. A1406: See Q0049. Q1407: RFC 1985 specifies that the SMTP command \"ETRN host.domain"\ causes all mail queued for that host, no matter what domain it's for, to be delivered. Why doesn't Exim support this? A1407: Exim does not keep queues of mail for specific destinations. It just keeps one pool of undelivered messages. What is more, once you start a delivery of a message, it tries to deliver to all the addresses in the message, not just the one you may be interested in. (Of course, this doesn't usually do any harm.) The only way it could be done within Exim would be, for every message on the queue, to go through the motions of routing each undelivered address and see if that resulted in a delivery to the host of interest. This could be extremely expensive (e.g. 1,000 messages on the queue, only 1 for the given host). The bottom line is that Exim just wasn't designed for this kind of operation, that is, holding messages for intermittently connected hosts. The queueing arrangements are designed for handling delivery problems that are not expected to be common. A better way to do this is to implement the required queues separately. After all, keeping such mail on an active queue (where Exim will keep trying to deliver) is silly. If there is a lot of mail for these hosts, it also masks genuine delivery problems when you inspect the queue. Large ISPs who provide this kind of functionality do not usually leave waiting mail on the MTA's queue. Instead, they get it delivered into per-host directories, one message per file, in one of the special formats (BSMTP, maildir, or mailstore) and when an ETRN arrives, it kicks off some completely different program that establishes an SMTP connection to the host and shovels the waiting mail down it. That seems to me to be a much neater way of doing this. It means you can easily add additional functionality such as archiving or throwing away uncollected mail. One program that has this functionality is \^ssmtp^\, which can be found in \?ftp://metalab.unc.edu/pub/Linux/system/mail/mta/?\. Alternatively, sample configuration C037 demonstrates an elegant way of using Exim itself to deliver the saved messages when the client issues an ETRN. Q1408: If email has been deferred to a member on a local mailing list (implemented through forward files), and one of our ETRN clients is on this mailing list, the \-R-\ won't flush the mailing list message for that client. A1408: That is because \-R-\ matches only original recipient addresses, not those produced as a result of expansion, because these are not (by default) preserved from delivery to delivery. You can get round this by setting \one_time\ on the forwarding router, but you are not allowed to have expansions to pipes or files on routers that have \one_time\ set. Therefore, you will have to have a separate router for mailing lists (with \one_time\ set) to the one used for normal forward files that might specify pipe or file deliveries. However, the problem will still be present for any user who sets up a \(.forward)\ file to redirect to any of the ETRN domains. See the last 3 paragraphs of Q1407 for a discussion of an alternative approach. Q1409: I would like to have a separate queue per domain for hosts which dial in to collect their mail. A1409: Exim isn't really designed for this kind of operation. The only way to do this would be to cause it to send those messages to a differently configured version of Exim with its own spool area. This could be done via a pipe or SMTP to a private port. The main Exim, listening on port 25, would then be configured to run an appropriate command to prod one of the others when it received ETRN, by means of the \smtp_etrn_command\ option. You could probably manage this with a single Exim binary and a number of different configuration files, passed to the special versions using the \-C-\ option. For this application they could all run as \^exim^\, since no root privilege would be needed. An alternative approach id to get Exim to deliver mail for such hosts in batch SMTP format into some directory, and have the ETRN run something to pass such messages to the dialled-in host. See also Q1403. 15. UUCP Q1501: The MX records for some UUCP domains point to my local host. How do I get it to pass the messages on to UUCP? A1501: The simplest way is to create a file containing a list of domains, and the hosts to which their messages should be sent, like this: ==> uucp1.domain.example: uucp1.host.example uucp2.domain.example: uucp2.host.example .... Then you can use a router like this: ==> uucp_router: driver = accept domains = lsearch;/etc/uucp/domains transport = uucp_transport and a transport like this: ==> uucp_transport: driver = pipe user = nobody command = /usr/local/bin/uux - -r $domain_data!rmail $local_part return_fail_output The \$domain_data$\ variable retains the value that is looked up when the \domains\ option in the router is matched. Q1502: How can I get Exim to handle ``bang path'' addresses? A1502: In general, you can't (Exim is an Internet mailer and recognizes only RFC 2822 domain-style addresses) but some restricted kinds of bang path can be dealt with by appropriate rewriting - but please note the warning below. Exim treats a bang path address as an unqualified local part, and so will qualify it with your domain. A rule such as ==> \N^([^!]+)!(.+)@your\.domain$\N $2@$1 turns \(a!b@your.domain)\ into \(b@a)\. You can also use a repeating rule to turn multi-component paths into the ``percent hack'' notation with a rule such as ==> \N^([^!]+)!([^@%]+)(.+)$\N $2%$1$3 R which turns \(a!b@c)\ into \(b%a@c)\ and \(a!b!c@d)\ first into \(b!c%a@d)\ and then, because of the R flag, into \(c%b%a@d)\. The R flag causes repetition up to 10 times. \**Warning:**\ If you install a general rewriting rule like the above, you are opening yourself up to the possibility of unwanted relaying. A host that is not permitted to relay through your system could send a message with an SMTP command line such as ==> RCPT TO: and this would be accepted because it is addressed to your domain. However, the rewriting then converts the address, and the message does in fact get relayed. One way round this, if all your bang path messages are passed to Exim via SMTP, is to use the \"S"\ rewriting flag. This applies a rewriting rule to incoming SMTP addresses as soon as they are received, before checking for qualification, relaying, etc. So a rule such as ==> \N^([^!]+)!(.+)$\N $2@$1 S rewrites simple two-component bang paths before the result is checked for relaying. However, this does not rewrite addresses in the headers of the message. Q1503: We see something strange on our system in regards to mail coming in via rmail from a UUCP link. The sender is being set to mailmaster instead of the real sender, and a ::Sender:: header is being added to the message. A1503: If \(mailmaster)\ is the user that is running rmail, you need to include that user in the \trusted_users\ configuration option. Only trusted users are permitted to specify senders when mail is passed to Exim via the command line. 16. MODIFYING MESSAGE BODIES Q1601: How can I add a disclaimer or an advertisement to a message? A1601: There are a number of technical and potential legal problems that arise in connection with message modification. Some of them are listed below. Some comment on the legal position of email disclaimers in English law can be found at \?http://www.weblaw.co.uk/artemail.htm?\. See also \?http://www.goldmark.org/jeff/stupid-disclaimers/?\. There is some discussion about the problems of actually adding disclaimers in \?http://www.goldmark.org/jeff/stupid-disclaimers/apply.html?\. In many cases, email disclaimers will make your company look ridiculous, at the very least. At worst, they may interfere with the normal processing of mail. If, despite these considerations, you still want to modify messages, you can do so using Exim, but not directly in Exim itself. It is not the job of an MTA to modify messages, something that requires understanding of their content and format. Exim provides a hook called a ``transport filter'' that lets you pass any outgoing message through a program or script of your choice. It is the job of this script to make any changes to the message that you require. By this means, you have full control over what changes are made, and Exim does not need to know anything about message bodies. However, using a transport filter requires additional resources, and may slow down mail delivery. You can use Exim's routers to arrange for those messages that you want to modify to be delivered via a transport filter. For example, suppose you want to do this for messages from addresses in your domain that are being delivered to a remote host. First you need to set up a special \%smtp%\ transport that uses a filter, like this: ==> remote_smtp_filter: driver = smtp transport_filter = /your/filter/command Then you need to modify the \%dnslookup%\ router to use this transport when the conditions are right: ==> dnslookup: driver = dnslookup domains = ! +local_domains transport = ${if eq {$sender_address_domain}{your.domain}\ {remote_smtp_filter}{remote_smtp}} ignore_target_hosts = 127.0.0.0/8 no_more This is the standard \%dnslookup%\ router, but with a modified setting of the \transport\ option. When the sender address is in your domain, it routes to the special transport instead of the standard one. The entire message is passed to your filter command on its standard input. It must write the modified version to the standard output, taking care not to break the RFC 2822 syntax. The command is run as the Exim user. There are a number of potential problems in doing this kind of modification in an MTA. Many people believe that to attempt is it wrong, because: 1. It breaks digital signatures, which are becoming legally binding in some countries. It may well also break encryption. 2. It is likely to break MIME encoding, that is, it is likely to wreck attachments, unless great care is taken. And what about the case of a message containing only binary MIME parts? 3. It is illegal under German and Dutch law to change the body of a mail message in transit. It might potentially be illegal in the UK under European law. This consideration applies to ISPs and other ``common carriers''. It would presumably not apply in a corporate environment where modification was done only to messages originating from the employees, before they left the company's network. It might also not apply if the senders have explicitly given their consent (e.g. agreed to have advertisements added to their incoming mail). 4. Since the delivered message body was produced by the MTA (not the originator, because it was modified), the MTA operator could potentially be sued for any content. This again applies to `common carrier' MTAs. It's interesting that adding a disclaimer of liability could be making you liable for the message, but this case seems more likely to involve adding advertisements than disclaimers. After all, no postal service in the world opens all the mail it carries to add disclaimers. 5. Some mail clients (old versions of MS outlook) crash if the message body of an incoming MIME message has been tampered with. There are also potential problems that could arise if a scheme to add disclaimers goes wrong for some messages: 1. False negatives: `Ah, this guy usually says he does not represent their views, but in this message he doesn't have the disclaimer'. 2. False positives: `This official announcement does not represent our views, oh no'. An alternative approach to the disclaimer problem would be to insist that all relevant messages have the disclaimer appended by the MUA. The MTA should refuse to accept any that do not. Again, however, the MTA must understand the format of messages in order to do this. Simply checking for appropriate wording at the end of the body is not good enough. It would probably be necessary to run a Perl script from within an Exim system filter, or write a \^^local_scan()^^\ function in order to adopt this approach. Finally, it's a trivial matter to add customized headers of the sort: ==> X-Disclaimer: This is a standard disclaimer that says that the views X-Disclaimer: contained within this message are somebody else's. which is a much easier alternative to modifying message bodies. Q1602: How can I remove attachments from messages? A1602: The answer to this is essentially the same as for Q1601. 17. ENCRYPTION (TLS/SSL) Q1701: I am trying to set up an Exim server that uses a self-signed certificate to enable my clients to use TLS. However, clients other than Exim refuse to accept this certificate. What's wrong? A1701: It seems that some clients require that the certificate presented by the server be a user (also called ``leaf'' or ``site'') certificate, and not a self-signed certificate. In this situation, the self-signed certificate must be installed on the client as a trusted root \*certification authority*\ (CA), and the certificate used by the server must be a user certificate signed with that self-signed certificate. For information on creating self-signed CA certificates and using them to sign user certificates, see the \*General implementation overview*\ chapter of the Open-source PKI book, available online at \?http://ospkibook.sourceforge.net/?\. Here is a quick overview. First, read this message: \?http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com?\ Then, follow the instructions found on these two (consecutive) pages: \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm?\ \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm?\ Two points on the PKI Book literature: (1) It's assumed that it's okay to use a passphrase-protected key to encrypt the user/site/leaf certificate. If this isn't acceptable, you seem to be able to strip out the passphrase as follows: ==> openssl rsa -in user.key -our user.key.new mv user.key.new This should be done immediately after \(user.key)\ is created. (2) The \*sign.sh*\ script is available in the \*mod_ssl*\ distribution, available at \?http://www.modssl.org/source/?\. Having followed the instructions, you end up with the following files: (a) \(ca.crt)\ This file should be installed into the client software as a trusted root certification authority. In Windows XP, this can be done as follows: \#\#Call the file \(ca_cert.cer)\ [[br]] \#\#Double-click on the file [[br]] \#\#"Install Certificate"; [[br]] \#\#"Next" [[br]] \#\#"Place all certificates in the following store" [[br]] \#\#"Browse..." [[br]] \#\#"Trusted Root Certification Authorities" [[br]] \#\#"OK" [[br]] \#\#"Next" [[br]] \#\#"Finish" [[br]] \#\#"Yes" [[br]] \#\#"OK" (b) \(user.crt)\ and \(user.key)\ These files should be installed into the server software. In Exim, this can be done by adding these lines to the configuration file: ==> tls_certificate = /usr/local/etc/exim/tls_cert tls_privatekey = /usr/local/etc/exim/tls_key Then install \(user.crt)\ and \(user.key)\ under the names \(tls_cert)\ and \(tls_key)\ in the appropriate directory. Q1702: How can I arrange for Exim to advertise support for SMTP authentication only when the session is encrypted? A1702: Use this setting: ==> auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}} Q1703: I have some legacy clients that don't use STARTTLS, but which expect to negotiate a TLS session automatically on connection to the ssmtp port (465). Can Exim handle this? A1703: If you are using release 4.43 or later, you can set ==> tls_on_connect_ports = 465 and then arrange for your daemon to listen on both port 25 and port 465 by setting \daemon_smtp_ports\ or \local_interfaces\ or the \-X-\ command line option. Or use \(inetd)\ to listen on port 465. If you are using an earlier release of Exim, you need to run two Exim listeners, on different ports, one of which is started with the \-tls-on-connect-\ option (which makes all ports act this way). You can either use two daemons, or a single daemon, with the other listener using \^inetd^\. For example, here are commands to start two daemons: ==> exim -bd -q15m exim -bd -oX '[0.0.0.0]::465' -tls-on-connect The first is a ``normal'' daemon; the second listens on port 465 and expects to negotiate a TLS session at the start of each connection. Q1704: When my Outlook Express 6.0 client sends a STARTTLS command to begin a TLS session, Exim doesn't seem to receive it. A1704: See Q0059. Q1705: I have listed some hosts in \tls_try_verify_hosts\, but when they connect, no data appears in \$tls_peerdn$\. A1705: This means that the clients have not sent certificates when asked by the server to do so. If the clients are running Exim, check that \tls_certificate\ is correctly set in their \%smtp%\ transports. Note that this value is not automatically inherited from the global \tls_certificate\ option. Q1706: I have listed some hosts in \tls_verify_hosts\ and provided them with certificates, but their connections are always rejected. A1706: Make sure that the server file containing the expected certificates (defined by \tls_verify_certificates\) is readable by the Exim user. See also the answer to Q1705. Q1707: I am trying to use TLS with Evolution as a client, and keep seeing this error: \*SMTP protocol violation: synchronization error (next input sent too soon): rejected "\200F^A^C".*\ What does it mean? A1707: See Q0086 for a general explanation of the error. In this case, it probably means that Evolution is trying to negotiate a TLS session immediately it connects, without first using the STARTTLS command. This was an older way of starting up TLS, before STARTTLS was defined. See Q1703 for how to deal with this. Q1708: I trying to use TLS with Outlook as a client on a box that is running Norton Antivirus, but all my email is being rejected with \*Unsupported command*\ errors. Why? A1708: Norton Antivirus does not support TLS or AUTH. It puts a broken SMTP proxy between you and the Exim server. You need to turn off outbound scanning of email. 20. MILLENNIUM Q2000: Are there any Y2K issues with Exim? A2000: The author of Exim believes that it is Y2K-compliant, as long as the underlying operating system and C library are. Exim does not parse dates or times at all. Internally, it makes some use of binary timestamps in Unix format (number of seconds since 1-Jan-1970) and uses C library services to convert these to printing forms (e.g. for logging). The printing forms all use 4-digit years. Some people have tried various tests. No problems have been reported, but details of what tests have been done are not available. Well, it's now November 2001, and no Y2K problems have been reported, so it looks like I was right. This entry is retained as historical nostalgia. 50. MISCELLANEOUS Q5001: How can I arrange to allow a limited set of users to perform a limited set of Exim administration functions? I don't want to put them all in the //exim// group. A5001: See \?http://www.chiark.greenend.org.uk/~ian/userv/?\. Using \^userv^\ you can arrange (for example) for certain users to be able to invoke \^mailq^\ or \^runq^\ or other preset commands as \^exim^\ (or any other user, as configured) with only \^userv^\ configuration. If you want to check the particular Exim options available you can easily do it with shell or Perl scripts and \^userv^\ configuration, and provided you know how to do argument ``unparsing'' properly in shell or Perl it will be secure. Q5002: I want to ``tail'' the Exim log, but I have a number of other logs I also want to ``tail'', and the number of tailing windows is getting to be a nuisance. A5002: Look for a program called \^xtail^\ (despite its name, it's not an X-windows application). It allows you to do multiple tails, even of entire directories. Alternately, get the GNU version of \^tail^\, from the GNU textutils package (\?ftp://ftp.gnu.org/gnu/textutils/?\). GNU tail lets you run \"tail -f\" on multiple files at the same time, although it doesn't work on entire directories like \^xtail^\ can. If you are running Linux, you probably already have a version of GNU \^tail^\ that can follow multiple files. Q5003: How can I persuade Exim to accept ETRN commands without the leading # character? A5003: Set the option ==> smtp_etrn_command = /usr/lib/sendmail -R $domain This causes Exim to run that command, with \$domain$\ replaced by the argument of ETRN. The default action of Exim is to require the # sign in order to be RFC-compliant, and to run the equivalent of ==> smtp_etrn_command = /usr/lib/sendmail -R ${substr_1:$domain} which uses the argument without the leading # as the value for the \-R-\ option. You aren't restricted to running Exim with the \-R-\ option, of course. You can specify any command you like, with any number of arguments. In particular, you can pass over the IP address of the caller via \$sender_host_address$\. However, if you make use of expansion strings in the arguments, each one must be entirely contained in a single argument. For example, if you want to remove the first character of the ETRN argument when it is @ or #, you could use ==> smtp_etrn_command = "/usr/lib/sendmail -R \ \"${if match {$domain}{^[@#]}{${substr_1:$domain}}{$domain}}\"" The internal quotes are necessary because of the white space inside the expansion string. Q5004: I've recently noticed that emails I send with a ::Bcc:: line are being delivered to their final destination with the ::Bcc:: line still present. A5004: Exim removes ::Bcc:: lines only if you call it with the \-t-\ option (i.e. when it is acting partly as an MUA). It does not remove ::Bcc:: lines that are present in incoming SMTP mail or command-line mail that does not use \-t-\. Indeed, it should not remove them, because only the initiating software (i.e. the MUA) can tell what to do with ::Bcc:: lines; any MTA software has to leave them alone. This is what RFC 2822 has to say about ::Bcc:: \*The ::Bcc:: field (where the ``Bcc'' means ``Blind Carbon Copy'') contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message. There are three ways in which the ::Bcc:: field is used. In the first case, when a message containing a ::Bcc:: field is prepared to be sent, the ::Bcc:: line is removed even though all of the recipients (including those specified in the ::Bcc:: field) are sent a copy of the message. In the second case, recipients specified in the ::To:: and ::Cc:: lines each are sent a copy of the message with the ::Bcc:: line removed as above, but the recipients on the ::Bcc:: line get a separate copy of the message containing a ::Bcc:: line. (When there are multiple recipient addresses in the ::Bcc:: field, some implementations actually send a separate copy of the message to each recipient with a ::Bcc:: containing only the address of that particular recipient.) Finally, since a ::Bcc:: field may contain no addresses, a ::Bcc:: field can be sent without any addresses indicating to the recipients that blind copies were sent to someone. Which method to use with ::Bcc:: fields is implementation dependent, but refer to the ``Security Considerations'' section of this document for a discussion of each.*\ Q5005: I used \^gv^\ 3.5.8 (\^ghostview^\) to try printing \(spec.ps)\. After every printed page, the printer ejects a blank sheet. Is this something to do with using ``letter'' rather than A4 paper? A5005: This seems to be an effect of using \^ghostview^\. Although the PostScript is generated for A4 pages, the size of the page images is such that they should fit on a letter page (they are shorter than would normally be used on A4 paper). If the PostScript file is sent directly to a PostScript printer, there is no problem. An alternative is to get hold of the \^psutils^\ toolset, which is available from \?ftp://ftp.dcs.ed.ac.uk/pub/psutils/psutils.tar.gz?\. It contains utilities for extracting pages (which can be useful for double-sided printing) and for resizing pages. If you resize from A4 to letter the text shrinks a bit, but should then be printable via \^ghostview^\. Q5006: Why aren't there any man pages for Exim? I don't always carry my printed documentation. A5006: A single man page that lists the command line options is provided in file \(doc/exim.8)\ in the Exim distribution. Several other forms of online documentation are available. As well as plain ASCII text, the there are two forms - Texinfo and HTML - which have a certain amount of built-in indexing for ease of finding your way around. There are no man pages apart from the command line one because the author of Exim hasn't the time (or desire :-) to maintain yet another documentation format. Besides, it is hard to know how to split the Exim manual up. Q5007: When I send a message using the \-t-\ command line option, Exim sends only to the addresses within the message, not to those on the command line. A5007: There seems to be some confusion in the Sendmail community about the interpretation of recipient addresses on the command line if the \-t-\ option is used. Some versions do one thing, and some another. Here is an except from one version of the Sendmail documentation for \-t-\: \*Read message for recipients. ::To::, ::Cc::, and ::Bcc:: lines will be scanned for recipient addresses. The ::Bcc:: line will be deleted before transmission. Any addresses in the argument list will be suppressed, that is, they will not receive copies even if listed in the message header.*\ By default Exim follows this specification, and interprets addresses on the command line as addresses not to send to. You can set ==> extract_addresses_remove_arguments = false to change this behaviour so that command line addresses are added to the addresses that are taken from the header lines. Q5008: If I set up a domain list to contain //*customer.com//, it matches //customer.com// and //abc.customer.com// as required, but it also matches //noncustomer.com//, which is wrong. How can I get round this? A5008: You have to specify two entries in the list: ==> customer.com : *.customer.com because * in a domain list matches any characters, including \"."\ and including a null sequence. Q5009: I want to match all domains of the form //*.oyoy.org// but want a few exceptions. For instance I don't want //foo.oyoy.org// or //bar.oyoy.org// to be included. What is the best way to do this? A5009: Use negative items in the domain list, like this: ==> domainlist local_domains = !foo.oyoy.org : !bar.oyoy.org : *.oyoy.org If there are many exceptions, you can use a lookup instead of listing them all inline. If there are a number of exceptions that match a particular pattern, you could use a regular expression. Q5010: I can't seem to find a pre-built version of Exim anywhere. The machine is a Sparc 5 running Solaris 2.6. A5010: The primary distribution is source-only. However, some people have built and distributed RPMs and debs for Linux systems, and ports for FreeBSD. I haven't heard of anyone doing this for Solaris. The main problem with binary distributions is that there are a number of build-time options, requiring the answers to questions like: . Which DBM library do you have? (On Solaris probably ndbm, but no easy default on some other systems.) . Which uid/gid do you want to use for Exim? . Where do you want the configuration file to be? (Many different answers, even on the same OS, depending on local policy.) . Ditto for the binaries. . Which optional bits of Exim do you want to include? Q5011: Is there a version of Exim available that runs under Windows? A5011: A long time ago somebody took a copy of the Exim source with the aim of trying to port it to Windows NT. However, I never heard anything more. However, current versions of Exim can be made to run under Cygwin. Q5012: Does Exim support Delivery Status Notification (DSN), Message Status Notification (MSN), or any other form of delivery acknowledgement? A5012: See Q0607. Q5013: What does ``Exim'' stand for? A5013: Originally, it was ``EXperimental Internet Mailer'', which was the best I could come up with when I was starting out. At that point it was experimental - I wanted to see if the ideas I had for extending Smail's approach actually worked. Then somebody discovered about it and wanted to start using it, and told other people about it... Q5014: Although I haven't set \check_spool_space\, Exim is still checking the amount of space on the spool for incoming SMTP messages that use the SIZE option. Can I suppress this? A5014: The RFC for the SIZE option says: \*If the server currently lacks sufficient resources to accept a message of the indicated size, but may be able to accept the message at a later time, it responds with code ``452 insufficient system storage''.*\ and that is what Exim is trying to implement. This is entirely independent from \check_spool_space\, which says \*don't accept any mail if there is less than so much space in the spool partition*\, though the code is optimised to do both checks at the same time if required. However, you can suppress the SIZE check if you want to, by unsetting \smtp_check_spool_space\. Q5015: I just noticed log entries that start off \"<= <>"\. Am I correct in assuming that the \"<>"\ indicates that the envelope did not contain any ``From'' data? A5015: Yes. This indicates a delivery failure report (aka a ``bounce message''), as specified in RFC 2821. The reason for using empty sender addresses is to identify bounce messages so that they themselves do not cause further bounces. Empty senders are also used for other kinds of report which should not themselves cause the generation of bounce messages. For example, Exim uses them when sending out warnings about delivery delays. Q5016: I've received a message which does not have my address in the ::To:: line. It is a spam message with the same address in both the ::From:: and the ::To:: headers. How can this happen, and why doesn't Exim reject it? A5016: There is an important distinction between the ``envelope'' from and to and the ``header'' from and to. The former are sometimes called the ``sender'' and ``recipient''. An email message needs an ``envelope'' for the same reason that paper mail does - the envelope tells the delivery mechanism what to do with this copy of the message, whereas the ::To:: header lists all the recipients, including those who have been sent different copies of the message because their mailbox is on some other host. An MTA such as Exim works entirely with the ``envelope'' addresses, not with those in the header lines. Don't try to block mail where envelope from and the header from differ. There are common legitimate cases where this happens, for example, messages forwarded from mailing lists and delivery failure reports. Q5017: Can (or will) Exim ever handle a message delivery purely in memory, that is, it is handled without it ever hitting the disk? A5017: It doesn't, and never will. Accepting and delivering a message are two entirely separate, independent processes, which communicate only by writing/reading the message on the disk. Q5018: If I am using dbm files for data that Exim reads, can I rebuild them on the fly, or do I need to restart Exim every time I make a change? A5018: Exim re-reads the file every time it consults it, so if you are using a cdb or a DBM library that uses just a single file (i.e. not ndbm), you can just build the new file with a temporary file name, and use \^mv^\ to rename it into the correct place on the fly. If there are two files to rename, there is a window of time during which the DBM database is inconsistent. On lightly loaded systems this may not matter. Q5019: I need an option that is the opposite of \-bpa-\, that is, a listing of those addresses generated from a top-level address that have not yet been delivered. A5019: Exim does not keep this information. It saves only the top-level addresses and the list of addresses that are finished with. At each delivery attempt, generated addresses are recomputed from scratch. This makes it possible to correct errors in redirection data that is causing delivery delays. However, there is an option you can set on a \redirect\ router that changes things. It is called \one_time\, and if it is set, the list of generated addresses gets added to the top-level list at the first delivery attempt, and is never regenerated. Because top-level address lists must be real email addresses, this option cannot be used if any of the generated addresses are pipes, files, or autoreplies. Q5020: How can I make Exim receive incoming mail, queue it, but not attempt to deliver it? I want to be in this state while moving some mailboxes. A5020: Set \queue_only\ in the Exim configuration. Then kill your daemon, and restart it without the \-q-\ option (i.e. with just the \-bd-\ option), so that it does not spawn any queue runners. This stops all deliveries, remote as well as local. Q5021: What does Exim use for POP and IMAP as a default? Do I have to install anything else? A5021: Yes. Exim provides MTA functionality. That is, it delivers mail. POP and IMAP are two of several ways of reading previously-delivered mail. Exim does not provide that functionality. You need to install POP and/or IMAP daemons; there are several to choose from. Q5022: Is there an easy way of removing all queued messages at once in a safe way? A5022: Try this command: ==> exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh Q5023: Why does Exim do \*ident*\ callbacks by default? Isn't this just a waste of resources? I've been told this is an ancient way of authentication. Is it obsolete? A5023: This is a common misunderstanding, at least partially resulting from the incorrect naming of the protocol when it was first published. The service on port 113 is an identification service, which allows a target host to record information identifying the user responsible for making a connection to it. The information may not be intelligible to the recording host - it could, for example, be encrypted so that only someone on the calling host can make sense of it. It is useful for providing additional information in an audit trail. At least one site has found \^ident^\ effective against two rather prevalent kinds of open proxy (whether already blacklisted at the RBLs or not). An ACL statement is used to reject mail from servers that return \^ident^\ strings of \"squid"\ and \"CacheFlow Server"\. Snippets such as this in the RCPT ACL do the trick: ==> deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}} message = Rejected - appears to be an unsecured proxy: $sender_ident The likelihood that a genuine mail process would return those specific ident strings is vanishingly small. The \^ident^\ data should not be used for authentication in any form except on a closed secure network between cooperating hosts (probably not even then). The information from the source host is only as reliable as the host itself. If it's not under your control then you have to treat the information as opaque data that can be used only by the sysadmin of the source system to trace back connection data. Some \^ident^\ implementations send out opaque cookies or DES encrypted information. \^Ident^\ is hugely useful at times - especially for checking back on connections from multiuser machines (as opposed to one-person desktop boxes). You can stop Exim making ident calls by adding ==> rfc1413_query_timeout = 0s to its configuration, but it is better to leave it active (reducing the timeout to 10s or less if it is causing problems) - it costs very little, and in cases of mail forgery from a multiuser system can track the sinner concerned very quickly. Q5024: I often have the problem that a message gets stuck in the mail queue and I want it to be bounced to a certain address. A5024: You can do this using a combination of four command line options, like this: ==> exim -Mf 14Fdlq-0003kM-00 exim -Mmad 14Fdlq-0003kM-00 exim -Mar 14Fdlq-0003kM-00 new@ddress exim -M 14Fdlq-0003kM-00 The first command freezes the message so that a queue runner won't start to deliver it while you are changing things. The second command marks all existing recipients as delivered. The third command adds a new recipient, and the fourth command forces a delivery of the message, which will cause it to be delivered to the new address, and then deleted. Q5025: What precautions should I take when editing Exim's run time configuration file? A5025: Edit the file and save the result in a new file. Test the syntax of the new file by running a command like this: ==> exim -bV -C exim.conf.new That will check for syntax errors without disturbing your running configuration. If you are paranoid enough, run, as \/root/\, ==> exim -C exim.conf.new . and see if it delivers it. Carry on testing until happy. When happy, ==> mv exim.conf.new exim.conf kill -HUP `cat /var/spool/exim/exim-daemon.pid` Then check the Exim log to be sure the daemon restarted OK. Watch the log for a bit to see that mail is flowing. Q5026: Is exim able to use RFC 2645, \*On-demand Mail Relay*\ (ODMR)? A5026: No. Q5027: Is there any way I can send bounces to the postmaster, and nobody else? Basically, I want to receive them, and I don't want the reply/from person to get them. If I think they need it I will forward it myself. A5027: Put \"errors_to=postmaster"\ on every router. Q5028: When I HUP the Exim daemon, the name shown in the process table changes from \(/usr/lib/sendmail)\ (which is a symlink) to the real binary name. Can I change this? A5028: Add this to your Exim configuration: ==> exim_path = /usr/lib/sendmail Q5029: A message with a recipient address that contains a non-printing character is stuck on my mail queue. How can I remove this address? A5029: You can use the \-Mmd-\ command line option to mark a recipient address ``delivered'', which effectively removes it. If you are using the Bash shell, you can enter non-printing characters using an escape sequence. For example: ==> exim -Mmd 15HKvU-00013Q-00 $'\240'abc@x.y.z In this example, the first character of the local part has a code value of 240. If you are using a shell that does not support this, create the command in a file and run it as a shell script. Q5030: I am using exim in a two queues scenario, with two different configuration files. How can I run a second copy of \^eximon^\ to inspect and modify the alternate queue? A5030: Use these commands (or put them in a script): ==> EXIMON_EXIM_CONFIG=/your/path/exim/configure.alternate export EXIMON_EXIM_CONFIG /your/path/exim/bin/eximon Q5031: Why is there no sender address on bounce messages? It shows up as "<>". A5031: See the answer to Q0042. Q5032: Are there any Exim web-based administration scripts? A5032: No (as far as is known). It seems likely that producing one that is generic enough would be a difficult task. Q5033: How can I send a copy of all outgoing messages to another mailbox? A5033: The most straightforward way is to set up a system filter, and include a command such as: ==> unseen deliver mailbox@whatever.domain This sends a copy of every message to //mailbox@whatever.domain// (unless the message already has that recipient - Exim never does duplicate deliveries). To save only ``outgoing'' messages, you need to come up with a definition of what ``outgoing'' means. Typically, this might be a check on the sender address and/or on the originating host. Here is an example: ==> if $sender_address_domain is mydomain.com and ${mask:$sender_host_address/24} is 192.168.324.0/24 then unseen deliver mailbox@whatever.domain endif Q5034: Is there any way to make the \queue_only\ option conditional? I would like the ability to queue messages from external sources while deliver locally generated email as normal. A5034: There is no direct way of doing this. However, you can achieve the effect. In one of your ACLs that checks incoming mail from external sources, put ==> warn control = queue_only You can add other conditions as well, of course. Q5035: Does Exim run with different permissions between \-bt-\ and \-bh-\, or between verifying and actual sending? A5035: Yes. For \-bt-\ it runs as root, as it would when delivering a message. For \-bh-\, \-bv-\, and when actually receiving a message, it runs as the Exim user. 91. MAC OS X Q9101: How can I install Exim on Mac OS X? A9101: (1) There is useful advice on this web page: \?http://www.afp548.com/Articles/Jaguar/exim410.html?\. (2) There is a package installer available at this URL: \?ftp://members.aol.com/AFP548dotcom/EximInstaller.sit?\. (3) There is another package installer for the combination of MySQL, Exim, Exiscan, CourierIMAP, and SpamAssassin at this URL: \?http://maxo.captainnet.net/installs/mail-install.html?\. 92. FREEBSD Q9201: On FreeBSD, \(/usr/sbin/sendmail)\ is a symbolic link to \(/usr/sbin/mailwrapper)\; it doesn't contain the Sendmail binary. How should I replace Sendmail with Exim on FreeBSD? A9201: There is a file called \(/etc/mail/mailer.conf)\ which selects what to run for various MTA calls. Instead of changing \(/usr/sbin/sendmail)\, you should edit this file instead, to read something like this: ==> sendmail /usr/exim/bin/exim send-mail /usr/exim/bin/exim mailq /usr/exim/bin/exim -bp newaliases /usr/bin/true You probably also need to edit \(/etc/periodic.conf)\; see Q9202. Q9202: A script that FreeBSD runs nightly uses \^mailq^\ with the \-Ac-\ parameter. Why doesn't Exim recognize this? A9202: \-Ac-\ is a Sendmail option that requests that mailq ``Show the mail submission queue specified in \(/etc/mail/submit.cf)\ instead of the MTA queue specified in \(/etc/mail/sendmail.cf)\''. Exim doesn't have the concept of a ``submission queue''. You can disable this feature of the nightly script by adding the line ==> daily_status_include_submit_mailq="NO" # No separate 'submit' queue to the file \(/etc/periodic.conf)\. Q9203: How can I use Exim for authenticated SMTP using Cyrus on FreeBSD? A9203: This web page may help: \?http://www.munk.nu/exim/exim-freebsd-asmtp.php?\. 93. HP-UX Q9301: I'm trying to compile on an HP machine and I don't have \^gcc^\ there. So I put \"CC=cc"\ in the \(Local/Makefile)\, but I got this error: ==> (Bundled) cc: "buildconfig.c", line 54: error 1705: Function prototypes are an ANSI feature. A9301: The bundled compiler is not an ANSI C compiler. You either have to get a copy of \^gcc^\ from the HPUX Software Porting Archives or buy the ANSI cc from HP. The advice given by one user of HP systems on the Exim mailing list was as follows: \*Personally, I wouldn't use anything but the ANSI C compiler. gcc works for compilation, but it doesn't know squat about PA-RISC chips past the 1.0 rev. Since then, HP has come out with PA-RISC 1.1, 2.0, and 2.1, each with better features. gcc will compile for them, but it doesn't produce anywhere near the optimization that HP's compiler does.*\ \*I took the gcc road when we moved from FreeBSD to HP-UX because I was familiar with it. After 6 months, I had to go and re-port everything over when we realized that gcc wasn't going to do it for us long-term. If I could give advice to any new HP-UX admin: don't use gcc if you can afford the ANSI C compiler. Based on the cost of even the lowest HP workstation, that usually isn't a problem.*\ 94. BSDI Q9401: On BSDI 4.0, Exim built with Perl support exits with the error message ==> ./exim: can't load library 'libperl.so' A9401: You probably compiled perl5 yourself, without looking into ==> /usr/src/contrib/perl5/perl5.004_02/hints/bsdos.sh first. The problem is that the command ==> perl5 -MExtUtils::Embed -e ldopts doesn't give you sufficient flags to link something with libperl. Since 5.004_02 the \(hints/bsdos.sh)\ file has changed to adapt to the changes between BSDI 3.1 and 4.0, but it is still not entirely right. The solution is, when you compile perl, change the \ccdlflags\ variable in config.sh to: ==> -rdynamic -Wl,-rpath,/usr/local/lib/perl5/5.00502/i386-bsdos/CORE (or something similar). Alternatively, you can run \(./Configure)\ and answering the question \*Any special flags to pass to cc to use dynamic loading?*\ with the above line. It is not known what \-rdynamic-\ means (it's not apparently documented in any man page), but that's what BSDI guys did to compile perl5 which comes with BSDI 4.0 distribution. 95. IRIX Q9501: The IP addresses for incoming calls are all being given as 255.255.255.255 or 0.0.0.0. A9501: This problem should no longer occur because a workaround has been installed in Exim. 96. LINUX Q9601: Exim is mysteriously crashing, usually when forking to send a delivery error message. A9601: This has been seen in cases where Exim has been incorrectly built with a muddled combination of an \(ndbm.h)\ include file and a non-matching DBM library. Faults like this have also been seen on systems with faulty motherboards. You could try to compile the Linux kernel 10 times - if the compile process stops with signal 11, your hardware is to blame. Q9602: I want to use \^logrotate^\ which is standard with RH5.2 Linux to rotate my mail logs. Anyone worked out the \^logrotate^\ config file that will do this? A9602: Here's one suggestion: ==> /var/log/exim/main.log { create 644 exim exim rotate 4 compress delaycompress } The sleep is added to allow things to close the log file prior to compression. You also need similar entries for the panic log and the reject log, of course. Q9603: I'm seeing the message \*inetd[334]: imap/tcp server failing (looping), service terminated*\ on a RedHat 5.2 system, causing \^imap^\ connections to be refused. The \^imapd^\ in use is Washington Univers 12.250. Could this be anything to do with Exim? A9603: No, it's nothing to do with Exim, but here's the answer anyway: there is a maximum connection rate for \^inetd^\. If connections come in faster than that, it thinks a caller is looping. The default setting on RedHat 5.2 is 40 calls in any one minute before \^inetd^\ thinks there's a problem and suspends further calls for 10 mins. This default setting is very conservative. You should probably increase it by a factor of 10 or 20. For example: ==> imap stream tcp nowait.400 root /usr/sbin/tcpd /usr/local/etc/imapd The rate setting is the number following ``nowait''. This syntax seems to be specific to the Linux version of \^inetd^\. Other operating systems provide similar functionality, but in different ways. Q9604: I get the \*too many open files*\ error especially when a lot of messages land for Majordomo at the same time. A9604: The problem appears to be the number of open files the system can handle. This is changable by using the proc filesystem. To your \(/etc/rc.d/rc.local)\ file append something like the following: ==> # Now System is up, Modify kernel parameters for max open etc. ==> if [ -f /proc/sys/kernel/file-max ]; then echo 16384 >> /proc/sys/kernel/file-max fi if [ -f /proc/sys/kernel/inode-max ]; then echo 24576 >> /proc/sys/kernel/inode-max fi if [ -f /proc/sys/kernel/file-nr ]; then echo 2160 >> /proc/sys/kernel/file-nr fi By echoing the value you want for file-max to the file \(file-max)\ etc., you actually change the kernel parameters. Q9605: I installed debian 2.2 linux on a small 325mb 486 laptop. When I try to test the Mail program, I get the following error: \*Failed to open configuration file /etc/exim.conf*\. A9605: The Debian installation should have given you \(/usr/sbin/eximconfig)\, which asks you some questions and then sets up the configuration file in \(/etc/exim.conf)\. Try running that (you'll probably need \/root/\) and see how it goes. In any case you get a thoroughly commented conf file at the end, which will give you a sample from which to work if you need further modification. The Exim docs in the Debian package are in \(/usr/doc/exim)\ where the full reference manual is \(spec.txt.gz)\. Q9606: I'm having trouble configuring Exim 4 on a Debian system. How does \(/etc/exim4/conf.d)\ work? A9606: The Debian Exim 4 package uses a quite uncommon, but elegant, method of configuration where the ``real'' Exim configuration file is assembled from a tree of snippets by a script invoked just before the daemon is started (see Q9608). This fits very well into the Debian system of configuration file management and is a great ease for the automatic configuration with Debconf. However, it is very different from the normal way Exim 4 is configured. Non-Debian users on the Exim mailing list will probably have difficulty in trying to answer specific questions about it. You may have to find a Debian expert. Q9607: I'm having difficulties trying to make Exim 4 with Redhat 9 and Berkeley DB 4. A9607: Have you remembered to install the db4-devel package? Q9608: I'm running Exim 3 under Debian, and want to upgrade to Exim 4. How difficult is it? A9608: A user who did this, using the Debian Exim 4 package, reported as follows: (1) The exim4 package installs easily, and the exim (3.38) package uninstalls at the same time. (2) Exim runs from \^inetd^\. Exim4 runs from \^/etc/init.d^\. Much nicer! (3) The exim conffile lives in \(/etc/exim/exim.conf)\. The exim4 conffile lives in \(/var/lib/exim4/config.autogenerated)\. It is, as the name suggests, autogenerated. (4) A new directory is created called \(/etc/exim4)\. This contains the conffiles to generate the above config. You make changes here. (5) Once you have made changes to the files in \(/etc/exim4)\ you run the script \^update-exim4.conf^\ which generates a replacement \(config.autogenerated)\. [Added comment by the Debian maintainer, slightly edited: You also need to tell the Exim daemon to reread the changed configuration. You can do this using SIGHUP by hand. Alternatively, instead of running \^update-exim4.conf^\ you can use ==> invoke-rc.d exim4 reload which does the rebuild and also tells Exim to reread the changed configuration.] (6) In my experience, you need to carefully check the generated configs. eg, it did not generate a system filter file reference in the \(config.autogenerated)\. I didn't bother too much, since this is a home setup. (7) All of this may be in the docs. I've read some of them, obviously, but didn't come across an actual upgrade guide. [The Debian maintainer says: \(/usr/share/doc/exim4-base/README.Debian.gz)\ and \^update-exim4.conf(8)^\ should answer most of the questions.] (8) I've still got some minor things to tweak to get back to where I was before with Exim 3. But overall, it's no drama. Q9609: Why do some servers refuse SMTP connections from my Linux box, but accept connections from hosts running other operating systems? A9609: If you are sure this isn't a policy issue (that is, your box isn't administratively blocked for some reason), this may be because your Linux box has ECN (Explicit Congestion Notification) enabled in its TCP/IP stack. There are many broken firewalls that refuse connections from ECN-enabled hosts. You can check the state of your box by running ==> cat /proc/sys/net/ipv4/tcp_ecn If the value is "1", you have ECN enabled. You can turn it off by running this command: ==> echo "0" > /proc/sys/net/ipv4/tcp_ecn 97. SUN SYSTEMS Q9701: Exim builds fine with \^gcc^\ on SunOS 4 but crashes inside \^^sscanf()^^\. A9701: Make sure you are linking with the GNU \^ld^\ linker and not the system version of \^ld^\. Q9702: How can I get rid of spurious \"^M"\ (carriage return) characters in messages sent from CDE \^dtmail^\? A9702: CDE \^dtmail^\ passes messages to Exim via the command line interface with lines terminated by CRLF, instead of the Unix convention of just LF. This should not be a problem if you are using Exim release 4.21 or later, as changes were made to detect CRLF line endings. In earlier versions of Exim, CR would be treated as just another data character. There was, however, a command line option called \-dropcr-\ which caused Exim to ignore all CR characters in an incoming non-SMTP message. (This option is a no-op in current releases.) If you are using a pre-4.21 version of Exim, you should configure \^dtmail^\ to add this option to the command it uses to call Exim (using the path \(/usr/lib/sendmail)\). However, it has been reported that it isn't possible to change this call from \^dtmail^\ by any official means. An alternative approach is to replace \(/usr/lib/sendmail)\ by a filtering script that removes the spurious CRs from the input before passing it to Exim. Q9703: On SunOS 4 Exim crashes when looking up domains in the DNS that have more than 10 A records. A9703: There are Sun library patches to fix this. It is not Exim's problem. For 4.13_U1 the patch is 101558-xx; for 4.1.3 the patch is 100891-xx. From the README: \*1054748 ftp, ping dump core when connecting to a host with multiple DNS A records.*\ An alternative is to build another resolver library - such as the ones that are part of the \^bind^\ distribution - and explicitly link against those. Q9704: I am experiencing mailbox locking problems with Sun's \^mailtool^\ used over a network. A9704: Under the \"Expert"\ settings of \^mailtool^\ is a option to turn on \*Use network aware mail file locking*\. By default \^dtmail^\ has this set, but \^mailtool^\ doesn't. You should set it. The help info on \^dtmail^\ has this to say about it: \*Mailer tries to prevent two different instances of itself from opening the same mail file at the same time through a technique that detects this access when both instances of Mailer and the file are all on the same machine. A network-aware mail file locking protocol is available that uses ToolTalk to coordinate instances of Mailer running from more than one machine, or mail files accessed over the network. Mailer can only change this option when first opening a mail file.*\ If you are using the SunOS4 version of \^mailtool^\, this apparently doesn't work. The only thing which does seem to work it getting the user to hit the \"done"\ button to make it release the lock. Q9705: Exim has been crashing on my Solaris x86 system, apparently while running DBM functions. A9705: The use of \^ndbm^\ with \^gcc^\ has caused problems on x86 Solaris systems. Try changing one or the other; using either DB with gcc, or Sun's WS compiler with \^ndbm^\, has fixed this in the past. Q9706: The \^exiwhat^\ utility isn't working for me on a Solaris 2 system. A9706: Have you got \(/usr/ucb)\ on your path? If so, it is probably picking up the wrong version of the \^ps^\ command. The \^exiwhat^\ script is built on Solaris to expect the normal Solaris version of \^ps^\. Q9707: How do I stop Sun's \^dtcm^\ from hanging? A9707: From qmail's FAQ: \*There is a novice programming error in dtcm, known as ``failure to close the output side of the pipe in the child.'' Sun has, at the time of this writing, not yet provided a patch.*\ Q9708: I want Exim to use only the resolver (i.e. ignore \(/etc/hosts)\), but don't want to alter the \(nsswitch.conf)\ file in Solaris 2. A9708: You need to rebuild Exim after fiddling with \(OS/os.h-SunOS5)\: ==> #define gethostbyaddr res_gethostbyaddr #define gethostbyname res_gethostbyname #define endhostent res_endhostent #define endnetent res_endnetent #define gethostent res_gethostent #define getnetbyaddr res_getnetbyaddr #define getnetbyname res_getnetbyname #define getnetent res_getnetent #define sethostent res_sethostent #define setnetent res_setnetent Note that \-lnsl-\ is still needed in the Makefile as it contains code used by the NIS lookup and also the \^^inet_addr()^^\ function that Exim uses. Q9709: When I try to compile Exim 4.x on Solaris 2.5.1 I get an error along the lines of \*no such field in struct as 'value.ui32'*\. A9709: Look in the Exim file \(OS/os.h-SunOS5.h)\ for the line ==> #define LOAD_AVG_FIELD value.ui32 and change \"ui32"\ to \"ul"\ (that's u followed by the letter ell, not the digit one). Solaris 2.5.1 is getting very old now... 98. CONFIGURATION COOKBOOK Q9801: How do I configure Exim as part of TPC (\?http://www.tpc.int?\)? A9801: Suppose you want to accept faxes destined for 1(801)539-*. These are addressed to the domain //9.3.5.1.0.8.1.tpc.int//. Set up a transport to handle the delivery: ==> tpc: driver = pipe command = /usr/local/tpc/tpcmailer.pl $local_part@$domain \ $sender_address pipe_as_creator \(/usr/local/tpc/tpcmailer.pl)\ is the mail processing script that can be obtained from the TPC distribution. Create a router to route mail for the TPC domain to that transport. This must be placed before your other routers: ==> tpc_router: driver = accept transport = tpc domains = *.9.3.5.1.0.8.1.tpc.int Of course, there are other things to do as well before your system is a functioning TPC server. Q9802: How do I configure Exim so that it sends mail to the outside world only from a restricted list of our local users? A9802: You will need to have a convenient way of checking the list. If it is only a handful of users, you could just list them inline. Otherwise, you need to put them in a file or database. Let's suppose you've just got a list in a file. Put this as your first router: ==> check_outgoing: driver = redirect domains = ! +local_domains senders = ! : ! lsearch;/etc/permitted/senders allow_fail data = :fail: you are not allowed to send outside The senders should be listed as complete addresses, with both a local part and a domain. For a large list, use a DBM or cdb file instead, or a database. The first item in the \senders\ list is empty, to match the empty sender. This is necessary because bounce messages have null senders. Q9803: A site for which I provide secondary MX is down for some time. Is there a way to run the queue for that destination separately from the main queue? A9803: No, because Exim does not have the concept of ``the queue for that destination''. It simply has a single pool of messages awaiting delivery (and some of them may have several destinations). The best approach to this is to arrange for all messages for the site to be saved somewhere other than the main spool, either on a separate dedicated MTA, or in BSMTP files. Q9804: We want to be able to temporarily lock out a user by disabling the password and moving the home directory to another place. How can we arrange to reject mail for users in this state? A9804: Change the home directory pointer in the passwd file to something distinctive. For example, we use \(/home/CANCELLED)\ for cancelled users. Then you can pick up such users with this router, which is placed immediately after \%system_aliases%\: ==> cancelled_users: driver = redirect check_local_user condition = ${if eq {$home}{/home/CANCELLED}{yes}{no}} allow_fail data = :fail: this account is cancelled Q9805: How can I configure Exim so that all mails addressed to //something@username.domain.net// get delivered to \(/var/spool/mail/username)\? A9805: Assuming that you have set up //username// as a normal user, with conventional routing for //username@domain.net// to that mailbox, all you need to do is set up a redirection, using a router like this: ==> user_in_domain: driver = redirect data = ${if match{$domain}{\N^(.*)\.domain\.net$\N}\ {$1}fail}@domain.net If you set \envelope_to\ in the \%appendfile%\ transport, the original envelope address is preserved in the message in an ::Envelope-to:: header line. Q9806: How do I get exim not to add a ::Sender:: header to locally originated mail? A9806: It adds it only if the ::From:: header doesn't correspond to the user sending the message. You can suppress this by setting \no_local_from_check\. If your real question is \*How do I submit mail from UUCP without it adding ::Sender::?*\, see Q1503. Q9807: Is there any way to have messages sent to a specific local address delayed by - say - 24 hours? A9807: Set up a router like this: ==> delay: driver = redirect domains = the.domain local_parts = thelocalpart condition = ${if < {$message_age}{86400}{yes}{no}} allow_defer data = :defer: message not old enough no_verify Of course, this will also have the effect of setting a retry time for the address. You may want to set a special retry rule for it. Note the use of \no_verify\ to ensure that this router is not used when Exim is verifying addresses. Q9808: I have a mailing list exploder on one host, and three other hosts where I want to do the actual deliveries from. How can I get Exim to split a message into groups of recipients between the three hosts? A9808: Set up a router that routes all remote addresses to a specific transport, with a list of your three hosts. For example: ==> send_to_three: driver = manualroute transport = to_three_smtp route_list = !+local_domains hostA:hostB:hostC The transport looks like this: ==> to_three_smtp: driver = smtp hosts_randomize By setting \hosts_randomize\, you request that the host list be sorted randomly each time the transport is called, in order to spread the load. The number of times the transport is called for each message depends on the setting of the global option \remote_max_parallel\. If it is set to 1, the transport is called only once for each message, so only one host is used, but different messages use different hosts because of the randomizing. The \max_rcpt\ option (default 100) controls the number of addresses sent in each copy of the message - several copies are sent over the same connection if necessary. If you want individual messages to be split between the three hosts, you must set the global option \remote_max_parallel\ to 3. This allows Exim to run 3 separate instances of the transport at once. It will pass one-third of all the addresses to each instance. Because the host list is randomized, not round-robinned, there is no guarantee that a single message will use all three hosts, but on average it should. Q9809: Can I configure Exim so that my gateway host sends a copy of each incoming message to each of two internal hosts? A9809: The easiest way to do this is to make use of the \unseen\ router option, and set up two separate routers. You need to be able to identify incoming messages somehow. Typically this can be done by testing the domain of the recipient address, in which case the configuration should contain something like this: ==> r1: driver = manualroute domains = ! *.your.domain.example route_data = * host1.your.domain.example transport = remote_smtp unseen ==> r2: driver = manualroute domains = ! *.your.domain.example route_data = * host2.your.domain.example transport = remote_smtp The \unseen\ setting on \%r1%\ means that after it has accepted an address, the address is also passed on to \%r2%\, and so two deliveries occur. Q9810: How can I implement ``SMTP-after-POP'' with Exim? A9810: See Q0706. Q9811: I would like to ``tap off'' a proportion of real mail traffic from my live mail server to use in tests of a new server. I want to preserve the envelope contents, but to suppress any error notifications to the original sender. A9811: See C046. Q9812: How can I lookup data from a single file using both single IP addresses and IP address blocks as keys? I want to set \smtp_accept_max_per_host\ by this means, and also include a default. A9812: You cannot do this in a single lookup, because you need separate lookups for individual addresses and address blocks. However, these lookups can be nested in a single expansion string. For example, suppose you are using an lsearch file with entries like this: ==> 192.168.34.35: 4 192.168.34.0/24: 2 *: 1 You can use this setting: ==> smtp_accept_max_per_host = \ ${lookup{$sender_host_address}lsearch{/path/to/file}\ {$value}\ {\ ${lookup{${mask:$sender_host_address/24}}lsearch*{/path/to/file}}\ }} Note that the first lookup does not have an asterisk on the search type. If you have blocks of different sizes (/24, /26, etc) you have to configure it to do a separate lookup for each size, with just the final one using a default. 99. LIST OF SAMPLE CONFIGURATIONS As well as being hyperlinked from the HTML version of this document, each sample configuration is also available as a file in the \(config.samples)\ directory, which can be independently downloaded. Samples whose names are of the form Cnnn are Exim configurations; those with names of the form Fnnn are filter file fragments; those with names of the form Lnnn are sample \^^local_scan()^^\ functions, and those with names of thf form Snnn are scripts of various kinds. There are other examples of \^^local_scan()^^\ functions at a number of web sites (for example, \?http://marc.merlins.org/linux/exim/sa.html?\). There are gaps in the C and F numbers because I have omitted the Exim 3 samples that have not been converted for Exim 4. C002: ``Although exim not intended for use in UUCP environment (it doesn't know anything about bang!path addresses), I'm successfully using it for delivering mail to UUCP clients.'' C006: ``This is how I have configured a PP-inspired vacationnote, there is (was?) such a feature in PP. The user makes a file \(tripnote)\ in his/her home directory, the message is passed to the sender once with a short leading text.'' C022: ``This is the Exim configuration file of a machine which delivers mail to several local domains where the mail is delivered locally, several hairy domains, handled as described below, and a half-virtual domain, which is first processed by its special alias file, then processed as other local domains (including the processing by the global alias file).'' C037: An elegant way of using ETRN, which does immediate delivery if the host is online, but saves mail in a BSMTP file after some time on the queue. ETRN then re-injects the mail. C042: ``Since the Exim 4 configuration needed to get Mailman to work differs a little bit from Exim 3 and since I still haven't seen a recipe for Mailman with Exim 4, I'm providing my configuration (based heavily on \?http://www.exim.org/howto/mailman.html?\).'' C043: ``Attached is an Exim 4 config file which is designed for an Exim server that is put in front of an Exchange 5.5 system but which verifies the valid addresses that are stored in Exchange via LDAP lookups against the Exchange server.'' C044: ``I thought I'd submit this as an example of an authenticated mail hub configuration. Several people have asked for it so I thought it might be of interest.'' C045: ``Here it is, for Exim 4.10 and Cyrus IMAPD 2.1.5 using db3/db4-format mailbox database. This configuration delivers the messages to Cyrus IMAPD using LMTP over a TCP/IP socket.'' C046: ``Deliver a duplicate of some proportion of all messages to a special machine specified in the file \(/MAIL_TAP_HOST)\, if it exists.'' C047: A sample configuration for calling Spamassassin directly from Exim. C049: ``I've been seeing a whole bunch of IPs that send me spam or virus mail and HELOing as one of my own IPs, or as HELO one.of.my.own.domains (or maybe HELO \primary_hostname\).'' C050: A configuration that uses the DNS to implement virtual domains. C051: ``I've been working quite hard to come up with a config that reasonably matches the qmail-ldap setup, without the warts.'' F001: ``I thought that the rest of the list may be interested in reviewing our filter as a starting point for their own system message filter.'' F002: ``... program which refused mail from unknown addresses until they mailed me promising not to spam me ... since I'd already thought through how to do it in Exim, and knew it'd be slightly easier than falling out of bed, I went ahead and did it.'' F003: ``Here's four checks installed in our system wide filter that knock out a lot of otherwise hard to detect rubbish.'' F004: ``This is an Exim filter snippet to change locally-generated ::Message-Id:: and ::Resent-Message-Id:: headers to world-unique values.'' L001: A \^^local_scan()^^\ function for Exim that calls \^uvscan^\. S001: A Perl script for patching the name of the configuration file in an Exim binary. S002: ``When I moved from smail to exim I built a program that took individual config pieces, stripped all the comments, and built a config file.'' *** End of Exim FAQ ***