##
## This file is processed by Perl scripts to produce an ASCII and an HTML
## version. Lines starting with ## are omitted. The markup used with paragraphs
## is as follows:
##
## Markup       User for           HTML            Text
## ------------------------------------------------------
##  \...\       option          fixed-pitch     "quoted"
## \$...$\      variable         $italic         $plain
## \*...*\      titles, quotes    italic        "quoted"
## \(...)\      file name         italic          plain
## \[...]\      replaceable      <italic>        <plain>
## \?...?\      URL                 URL           plain
## \^...^\      Unix command      italic          plain
## \%...%\      Exim driver        bold         "quoted"
## \^^.^^\      C function         bold           plain
## ::...::      header name       italic:         plain:
## //...//      domain            italic          plain
## \/.../\      local part        italic          plain
## \"..."\      literal         fixed-pitch     "quoted"
## \\...\\      SMTP, build     small caps        caps
## \**...**\    warn, item        bold            plain
## \-...-\      cmd option       -italic         -plain
## \#           hard space        &nbsp;          space
##
## ``...''      quoted string  &#147;...&#148;    "..."
##
## @\ is used when a real backslash is required
##
## In addition, sequences of not blank lines that start with ==> are displayed
## in fixed-pitch with no further interpretation. A line containing only [[br]]
## is removed from the text version, but turned into <br> in the HTML version.
##
## The starts of sections and of questions and answers are automatically
## detected by the scripts.
##
##
THE EXIM FAQ
------------

This is the FAQ for the Exim Mail Transfer Agent. Many thanks to the many
people who provided the original information. This file would be amazingly
cluttered if I tried to list them all. Suggestions for corrections,
improvements, and additions are always welcome.

This version of the FAQ applies to Exim 4.43 and later releases.

References of the form Cnnn, Fnnn, Lnnn, and Snnn are to the sample
configuration, filter, \^^local_scan()^^\, and ``useful script'' files. These
are hyperlinked from the HTML version of this FAQ. They can also be found in
the separately distributed directory called \(config.samples)\. The primary
location is

\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.gz?\
\?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.bz2?\

There are brief descriptions of these files at the end of this document.

Philip Hazel
Last update: 14-October-2004


The FAQ is divided into the following sections:

  0. General Debugging
  1. Building and Installing
  2. Routing in general
  3. Routing to remote hosts
  4. Routing for local delivery
  5. Filtering
  6. Delivery
  7. Policy controls
  8. Rewriting addresses
  9. Headers
 10. Performance
 11. Majordomo
 12. Fetchmail
 13. Perl
 14. Dial-up and ISDN
 15. UUCP
 16. Modifying message bodies
 17. Encryption (TLS/SSL)
 20. Millennium
 50. Miscellaneous
 91. Mac OS X
 92. FreeBSD
 93. HP-UX
 94. BSDI
 95. IRIX
 96. Linux
 97. Sun systems
 98. Configuration cookbook
 99. List of sample configurations



0. GENERAL DEBUGGING

Q0001: Exim is crashing. What is wrong?

A0001: Exim should never crash. The author is always keen to know about
       crashes, so that they can be diagnosed and fixed. However, before you
       start sending me email, please check that you are running the latest
       release of Exim, in case the problem has already been fixed. The
       techniques described below can also be useful in trying to pin down
       exactly which circumstances caused the crash and what Exim was trying to
       do at the time. If the crash is reproducible (by a particular message,
       say) keep a copy of that message.


Q0002: Exim is not working. What is wrong? How can I check what it is doing?

A0002: Exactly how is it not working? Check the more specific questions in the
       other sections of this FAQ. Some general techniques for debugging are:

       (1) Look for information in Exim's log files. These are in the \(log)\
           directory in Exim's spool directory, unless you have configured a
           different path for them. Serious operational problems are reported
           in paniclog.

       (2) If the problem involves the delivery of one or more messages, try
           forcing a delivery with the \-M-\ option and also set the \-d-\
           option, to cause Exim to output debugging information. For example:

==>          exim -d -M 0z6CXU-0005RR-00

           The output is written to the standard error stream. You need to have
           admin privileges to use \-M-\ and \-d-\.

       (3) If the problem involves incoming SMTP mail, try using the \-bh-\
           option to simulate an incoming connection from a specific host,
           for example:

==>          exim -bh 10.9.8.7

           This goes through the motions of an SMTP session, without actually
           accepting a message. Information about various policy checks is
           output. You will need to know how to pretend to be an SMTP client.

       (4) If the problem involves lack of recognition or incorrect handling
           of local addresses, try using the \-bt-\ option with debugging turned
           on, to see how Exim is handling the address. For example,

==>          exim -d -bt z6abc

           shows you how it would handle the local part \"z6abc"\.


Q0003: What does the error \*Child process of address_pipe transport returned
       127 from command xxx*\ mean?

A0003: It means that when a transport called \%address_pipe%\ was run to pass an
       email message by means of a pipe to another process running the command
       xxx, the return code from that command was 127, which indicates some kind
       of error (the success return code is 0).

       The most common meaning of exit code 127 is that when Exim tried to run
       the command \(xxx)\, it failed. One cause of this might be incorrect
       permissions on the file containing the command. See also Q0026.


Q0004: My virtual domain setup isn't working. How can I debug it?

A0004: You can use an exim command with \-d-\ to get it to show you how it is
       processing addresses. You don't actually need to send a message; use the
       \-bt-\ option like this:

==>      exim -d -bt localpart@virtualhost

       This will show you which routers it is using. If the problem appears
       to be with the expansion of an option setting, you can use the
       \debug_print\ option on a router to get Exim to output the expanded
       string values as it goes along.


Q0005: Why is Exim not rejecting incoming messages addressed to non-existent
       users at SMTP time?

A0005: This is controlled by the ACL that is run for each incoming RCPT
       command. It is defined by the \acl_smtp_rcpt\ option. You can check this
       part of your configuration by using the \-bh-\ option to run a simulated
       SMTP session, during which Exim will tell you what things it is
       checking.


Q0006: I've put an entry for \"*.my.domain"\ in a DBM lookup file, but it isn't
       getting recognized.

A0006: You need to request ``partial matching'' by setting the search type to
       \partial-dbm\ in order for this to work.


Q0007: I've put the entry \"*@domain.com"\ in a lookup database, but it isn't
       working. The expansion I'm using is:

==>      ${lookup{${lc:$sender_address}}dbm{/the/file} ...

A0007: As no sender address will ever be //*@domain.com// this will indeed have
       no effect as it stands. You need to tell Exim that you want it to look
       for defaults after the normal lookup has failed. In this case, change the
       search type from \"dbm"\ to \"dbm*@"\. See the section on \*Default values in
       single-key lookups*\ in the chapter entitled \*File and database
       lookups*\ in the Exim manual.


Q0008: If I run \"./exim -d -bt user@domain"\ all seems well, but when I send
       a message from my User Agent, it does not arrive at its destination.

A0008: Try sending a message directly to Exim by typing this:

==>      exim -v user@domain
         <some message, could be empty>
         .

       If the message gets delivered to a remote host, but never arrives at its
       final destination, then the problem is at the remote host. If, however,
       the message gets through correctly, then the problem may be between your
       User Agent and Exim. Try setting Exim's \log_selector\ option to include
       \"+arguments"\, to see with which arguments the UA is calling Exim.


Q0009: What does \*no immediate delivery: too many messages received in one SMTP
       connection*\ mean?

A0009: An SMTP client may send any number of messages down a single SMTP
       connection to a server. Initially, an Exim server starts up a delivery
       process as soon as a message is received. However, in order not to start
       up too many processes when lots of messages are arriving (typically
       after a period of downtime), it stops doing immediate delivery after a
       certain number of messages have arrived down the same connection. The
       threshold is set by \smtp_accept_queue_per_connection\, and the default
       value is 10. On large systems, the value should be increased. If you are
       running a dial-in host and expecting to get all your mail down a single
       SMTP connection, then you can disable the limit altogether by setting
       the value to zero.


Q0010: Exim puts \*for \[address]\*\ in the ::Received:: headers of some, but not all,
       messages. Is this a bug?

A0010: No. It is deliberate. Exim inserts a ``for'' phrase only if the incoming
       message has precisely one recipient. If there is more than one
       recipient, nothing is inserted. The reason for this is that not all
       recipients appear in the ::To:: or ::Cc:: headers, and it is considered a
       breach of privacy to expose such recipients to the others. A common
       case is when a message has come from a mailing list.


Q0011: Instead of \^exim_dbmbuild^\, I'm using a homegrown program to build DBM
       (or cdb) files, but Exim doesn't seem to be able to use them.

A0011: Exim expects there to be a binary zero value on the end of each key used
       in a DBM file if you use the \"dbm"\ lookup type, but not for the \"dbmnz"\
       lookup type or for the keys of a cdb file. Check that you haven't
       slipped up in this regard.


Q0012: Exim is unable to route to any remote domains. It doesn't seen to be
       able to access the DNS.

A0012: Try running \"exim -d+resolver -bt \[remote address]\"\. The \-d-\
       options turns on debugging output, and the addition of \"+resolver"\
       will make it show the resolver queries it is building and the results of
       its DNS queries. If it appears unable to contact any name servers, check
       the contents and permissions of \(/etc/resolv.conf)\.


Q0013: What does the error message \*transport system_aliases: cannot find
       transport driver "redirect" in line 92*\ mean?

A0013: \%redirect%\ is a router, not a transport. You have put a configuration
       for a router into the transports section of the configuration file.


Q0014: Exim is timing out after receiving and responding to the DATA command
       from one particular host, and yet the client host also claims to be
       timing out. This seems to affect only certain messages.

A0014: This kind of problem can have many different causes.

       (1) This problem has been seen with a network that was dropping all
       packets over a certain size, which mean that the first part of the SMTP
       transaction worked, but when the body of a large message started
       flowing, the main data bits never got through the network. See also
       Q0017.

       (2) This can also happen if a host has a broken TCP stack and won't
       reassemble fragmented datagrams.

       (3) A very few ISDN lines have been seen which failed when certain data
       patterns were sent through them, and replacing the routers at both end
       of the link did not fix things. One of them was triggered by more than 4
       X's in a row in the data.


Q0015: What does the message \*Socket bind() to port 25 for address (any)
       failed: address already in use*\ mean?

A0015: You are trying to run an Exim daemon when there is one already running -
       or maybe some other MTA is running, or perhaps you have an SMTP line in
       \(/etc/inetd.conf)\ which is causing \(inetd)\ to listen on port 25.


Q0016: I've set \"verify = header_syntax"\ in my ACL, but this causes Exim to
       complain about header lines like \"To: Work: Jim <jims@email>,
       Home: Bob <bobs@email>"\ which look all right to me. Is this a bug?

A0016: No. Header lines such as ::From::, ::To::, etc., which contain addresses, are
       structured, and have to be in a specific format which is defined in RFC
       2822. Unquoted colons are not allowed in the ``phrase'' part of an email
       address (they are OK in other headers such as ::Subject::). The correct
       form for that header is

==>      To: "Work: Jim" <jims@email>, "Home: Bob" <bobs@email>

       You will sometimes see unquoted colons in ::To:: and ::Cc:: headers, but only
       in connection with name lists (called ``groups''), for example:

==>      To: My friends: X <x@y.x>, Y <y@w.z>;,
             My enemies: A <a@b.c>, B <b@c.d>;

       Each list must be terminated by a semicolon, as shown.


Q0017: Whenever Exim tries to deliver a specific message to a particular
       server, it fails, giving the error \*Remote end closed connection after
       data*\ or \*Broken pipe*\ or a timeout. What's going on?

A0017: \*Broken pipe*\ is the error you get on some OS when the remote host just
       drops the connection. The alternative is \*connection reset by peer*\.
       There are many potential causes. Here are some of them (see also Q0068):

       (1) There are some firewalls that fall over on binary zero characters
       in email. Have a look, e.g. with \"hexdump -c mymail | tail"\ to see if
       your mail contains any binary zero characters.

       (2) There are broken SMTP servers around that just drop the connection
       after the data has been sent if they don't like the message for some
       reason (e.g. it is too big) instead of sending a 5xx error code. Have
       you tried sending a small message to the same address?

       It has been reported that some releases of Novell servers running NIMS
       are unable to handle lines longer than 1024 characters, and just close
       the connection. This is an example of this behaviour.

       (3) If the problem occurs right at the start of the mail, then it could
       be a network problem with mishandling of large packets. Many emails are
       small and thus appear to propagate correctly, but big emails will
       generate big IP datagrams.

       There have been problems when something in the middle of the network
       mishandles large packets due to IP tunnelling. In a tunnelled link, your
       IP datagrams gets wrapped in a larger datagram and sent over a network.
       This is how virtual private networks (VPNs), and some ISP transit
       circuits work. Since the datagrams going over the tunnel require a
       larger packet size, the tunnel needs a bigger maximum transfer unit
       (MTU) in the network handling the tunnelled packets. However, MTUs
       are often fixed, so the tunnel will try to fragment the packets.

       If the systems outside the tunnel are using path MTU discovery, (most
       Sun Sparc Solaris machines do by default), and set the DF (don't
       fragment) bit because they don't send packets larger than their \(local)\
       MTU, then ICMP control messages will be sent by the routers at the
       ends of the tunnel to tell them to reduce their MTU, since the tunnel
       can't fragment the data, and has to throw it away. If this mechanism
       stops working, e.g. a firewall blocks ICMP, then your host never
       knows it has hit the maximum path MTU, but it has received no ACK on
       the packet either, so it continues to resend the same packet and the
       connection stalls, eventually timing out.

       You can test the link using pings of large packets and see what works:

==>      ping -s host 2048

       Try reducing the MTU on the sending host:

==>      ifconfig le0 mtu 1300

       Alternatively, you can reduce the size of the buffer Exim uses for SMTP
       output by putting something like

==>      DELIVER_OUT_BUFFER_SIZE=512

       in your \(Local/Makefile)\ and rebuilding Exim (the default is 8192).
       While this should not in principle have any effect on the size of
       packets sent, in practice it does seem to have an effect on some OS.

       You can also try disabling path MTU discovery on the sending host. On
       Linux, try:

==>      echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc

       For a general discussion and information about other operating systems, see
       \?http://www.netheaven.com/pmtu.html?\. If disabling path MTU discovery
       fixes the problem, try to find the broken or misconfigured
       router/firewall that swallows the ICMP-unreachable packets. Increasing
       timeouts on the receiving host will not work around the problem.


Q0018: Why do messages not get delivered down the same connection when I do
       something like: \"exim -v -R @aol.com"\? For other domains, I do this and
       I see the appropriate \*waiting for passed connections to get used*\
       messages.

A0018: Recall that Exim does not keep separate queues for each domain, but
       operates in a distributed fashion. Messages get into its `waiting for
       host x' hints database only when a delivery has been tried, and has had
       a temporary error. Here are some possibilities:

       (1) The messages to \(aol.com)\ got put in your queue, but no previous
       delivery attempt occured before you did the \-R-\. This might have been
       because of your settings of \queue_only_load\, \smtp_accept_queue\, or any
       other option that caused no immediate delivery attempt on arrival. If
       this is the case, you can try using \-qqR-\ instead of \-R-\.

       (2) You have set \connection_max_messages\ on the smtp transport, and
       that limit was reached. This would show as a sequence of messages
       down one connection, then another sequence down a new connection, etc.

       (3) Exim tried to pass on the SMTP connection to another message, but
       that message was in the process of being delivered to \(aol.com)\ by some
       other process (typically, a normal queue runner). This will break the
       sequence, though the other delivery should pass its connection on to
       other messages if there are any.

       (4) The folk at \(aol.com)\ changed the MX records so the host names have
       changed - or a new host has been added. I don't know how likely this is.

       (5) Exim is not performing as it should in this regard, for some reason.
       Next time you have mail queued up for \(aol.com)\, try running

==>      exim_dumpdb /var/spool/exim wait-remote_smtp

       to see if those messages are listed among those waiting for the relevant
       \(aol.com)\ hosts.


Q0019: There seems to be a problem in the string expansion code: it doesn't
       recognize references to headers such as \"${h_to}"\.

A0019: The only valid syntax for header references is (for example) \"$h_to:"\
       because header names are permitted by RFC 2822 to contain a very wide
       range of characters. A colon (or white space) is required as the
       terminator.


Q0020: Why do connections to my machine's SMTP port take a long time to respond
       with the banner, when connections to other ports respond instantly? The
       delay is sometimes as long as 30 seconds.

A0020: These kinds of delay are usually caused by some kind of network problem
       that affects outgoing calls made by Exim at the start of an incoming
       connection. Configuration options that cause outgoing calls are:

       (1) \rfc1413_hosts\ and \rfc1413_query_timeout\ (for \*ident*\ calls).
           Firewalls sometimes block ident connections so that they time out,
           instead of refusing them immediately. This can cause this problem.
           See Q5023 for a discussion of the usefulness of \*ident*\.

       (2) The \host_lookup\ option, the \host_reject_connection\ option, or a
           condition in the ACL that runs at connection time requires the
           remote host's name to be looked up from its IP address. Sometimes
           these DNS lookups time out. You can get this effect with ACL
           statements like this:

==>          deny  hosts = *.x.example

           If at all possible, you should use IP addresses instead of host
           names in blocking lists in order to avoid this problem.

       You can use the \-bh-\ option to get more information about what is
       happening at the start of a connection. However, note that the \-bh-\
       option does not provide a complete simulation. In particular, no
       \*ident*\ checks are done, so it won't show up a delay problem that is
       related to (1) above.


Q0021: What does \*failed to create child process to send failure message*\ mean?
       This is a busy mail server with \smtp_accept_max\ set to 500, but this
       problem started to occur at about 300 incoming connections.

A0021: Some message delivery failed, and when Exim wanted to send a bounce
       message, it was unable to create a process in which to do so. Probably
       the limit on the maximum number of simultaneously active processes has
       been reached. Most OS have some means of increasing this limit, and in
       some operating systems there is also a limit per uid which can be
       varied.


Q0022: What does \*No transport set by system filter*\ in a log line mean?

A0022: Your system filter contains a \"pipe"\ or \"save"\ or \"mail"\ command,
       but you have not set the corresponding option which specifies which
       transport is to be used. You need to set whichever of
       \system_filter_pipe_transport\, \system_filter_file_transport\ or
       \system_filter_reply_transport\ is relevant.


Q0023: Why is Exim refusing to relay, saying \*failed to find host name from IP
       address*\ when I have the sender's IP address in an ACL condition? My
       configuration contains this ACL statement:

==>      accept hosts = lsearch;/etc/mail/relaydomains:192.168.96.0/24

A0023: When checking a host list, the items are tested in left-to-right
       order. The first item in your list is a lookup on the incoming host's
       name, so Exim has to determine the name from the incoming IP address in
       order to perform the test. If it can't find the host name, it can't do
       the check, so it gives up. You would have discovered what was going
       on if you had run a test such as

==>      exim -bh 192.168.96.131

       The solution is to put all explicit IP addresses first in the list.
       Alternatively, you can split the ACL statement into two like this:

==>      accept hosts = lsearch;/etc/mail/relaydomains
         accept hosts = 192.168.96.0/24

       If the host lookup fails, the first \"accept"\ fails, but then the
       second one is considered.


Q0024: When I run \"exim -bd -q10m"\ I get \*PANIC LOG: exec of exim -q failed*\.

A0024: This probably means that Exim doesn't know its own path so it can't
       re-exec itself to do the first queue run. Check the output of

==>      exim -bP exim_path


Q0025: I can't seem to get a pipe command to run when I include a \"${if"\
       expansion in it. This fails:

==>      command = perl -T /usr/local/rt/bin/rtmux.pl \
                     rt-mailgate helpdesk \
                     ${if eq {$local_part}{rt} {correspond}{action}}

A0025: You need some internal quoting in there. Exim expands each individual
       argument separately. Because you have (necessarily) got spaces in your
       \"${if"\ item, you have to quote that argument. Try

==>      command = perl -T /usr/local/rt/bin/rtmux.pl \
                     rt-mailgate helpdesk \
                     "${if eq {$local_part}{rt} {correspond}{action}}"

       \**Warning:**\ If command starts with an item that requires quoting,
       you cannot just put it in quotes, because a leading quote means that the
       entire option setting is being quoted. What you have to do is to quote
       the entire value, and use internally escaped quotes for the ones you
       really want. For example:

==>      command = "\"${if ....}\" arg1 arg2"

       Any backslashes in the expansion items will have to be doubled to stop
       them being interpreted by the string reader.


Q0026: I'm trying to get Exim to connect an alias to a pipe, but it always
       gives error code 127, with the comment \*(could mean unable to exec
       or command does not exist)*\.

A0026: If your alias entry looks like this:

==>      alias:  |"/some/command some parameters"

       change it to look like this:

==>      alias:  "|/some/command some parameters"


Q0027: What does the error \*Spool file is locked*\ mean?

A0027: This is not an error. All it means is that when an Exim delivery
       process (probably started by a queue runner process) looked at a message
       in order to start delivering it, it found that another Exim process was
       already busy delivering it. On a busy system this is quite a common
       occurrence. If you set \"-skip_delivery"\ in the \log_selector\ option,
       these messages are omitted from the log.

       The only time when this message might indicate a problem is if it is
       repeated for the same message for a very long time. That would suggest
       that the process that is delivering the message has somehow got stuck.


Q0028: Exim is reporting IP addresses as 0.0.0.0 or 255.255.255.255 instead of
       their correct values. What's going on?

A0028: You are using a version of Exim built with gcc on an IRIX box.
       See Q9502.


Q0029: I can't seem to figure out why PAM support doesn't work correctly.

A0029: There is a problem using PAM with shadow passwords when the calling
       program is not running as \/root/\. Exim is normally running as the
       Exim user when authenticating a remote host.

       (1) One solution can be found at \?http://www.e-admin.de/pam_exim/?\.

       (2) PAM 0.72 allows authorization as non-\/root/\, using setuid helper
           programs. Furthermore, in \(/etc/pam.d/exim)\ you can explicitly
           specify that this authorization (using setuid helpers) is only
           permitted for certain users and groups.

       (3) Another approach is to authenticate using the \^saslauthd^\ daemon,
           which has its own interface to PAM. The daemon runs as root, so
           there is no access problem.

       (4) One suggested solution was to set

==>          exim_group=shadow

           in the configuration file, or the equivalent at build time. This is
           very strongly discouraged. Do not do it! It works, but it's a
           potential security exposure.  Exim is intended to run as a
           non-privileged user for much of the time. This setting gives it have
           privileged access to crucial security information all of the time,
           simply for the purposes of authentication (which Exim will only
           spend a tiny part of its total time doing). The result is that a
           successful compromise of the Exim system can give someone direct
           access to the system passwords.


Q0030: I'm trying to use a query-style lookup for hosts that are allowed to
       relay, but it is giving really weird errors.

A0030: Does your query contain a colon character? Remember that host lists are
       colon-separated, so you need to double any colons in the query. This
       applies even if the query is defined as a macro.


Q0031: Exim is rejecting connections from hosts that have more than one IP
       address, for no apparent reason.

A0031: You are using Solaris 7 or earlier, and have \"nis dns files"\ in
       \(/etc/nsswitch.conf)\. Change this to \"dns nis files"\ to avoid hitting Sun
       bug 1154236 (a bad interaction between NIS and the DNS).


Q0032: Exim is failing to find the MySQL library, even though is it present
       within \\LD_LIBRARY_PATH\\. I'm getting this error:

==>      /usr/local/bin/exim: fatal: libmysqlclient.so.6: open failed:
         No such file or directory

A0032: Exim is suid, and \\LD_LIBRARY_PATH\\ is ignored for suid binaries on a
       Solaris (and other?) systems. What you should be doing is adding
       \"-R/local/lib/mysql"\ to the same place in the compilation that you added
       \"-L/local/lib/mysql"\. This tells the binary where to look without
       needing a path variable.


Q0033: What does the error \*lookup of host "xx.xx.xx" failed in yyy router*\
       mean?

A0033: You configured a \%manualroute%\ router to send the message to xx.xx.xx. When
       it tried to look up the IP address for that host, the lookup failed
       with a permanent error. As this is a manual routing, this is a
       considered to be a serious error which the postmaster needs to know
       about (maybe you have a typo in your file), and there is little point
       in keeping on trying. So it freezes the message.

       (1) Don't set up routes to non-existent hosts.

       (2) If you must set up routes to non-existent hosts, and don't want
       freezing, set the \host_find_failed\ option on the router to do something
       other than freeze.


Q0034: Exim works fine on one host, but when I copied the binary to another
       identical host, it stopped working (it could not resolve DNS names).

A0034: Is the new host running exactly the same operating system? Most
       importantly, are the versions of the dynamically loaded libraries
       (files with names like \(libsocket.so.1)\) the same on both systems? If not,
       that is probably the cause of the problem. Either arrange for the
       libraries to be the same, or rebuild Exim from source on the new host.


Q0035: I set a \"hosts"\ condition in an ACL to do a lookup in a file of IP
       addresses, but it doesn't work.

A0035: Did you remember to put \"net-"\ at the start of the the search type? If
       you set something like this:

==>      accept hosts = lsearch;/some/file

       Exim searches the file for the host name, not the IP address. You need
       to set

==>      accept hosts = net-lsearch;/some/file

       to make it use the IP address as the key to the lookup.


Q0036: Why do I get the error \*Permission denied: creating lock file hitching
       post*\ when Exim tries to do a local delivery?

A0036: Your configuration specifies that local mailboxes are all held in
       single directory, via configuration lines like these (taken from the
       default configuration):

==>      local_delivery:
           driver = appendfile
           file = /var/mail/$local_part

       and the permissions on the directory probably look like this:

==>      drwxrwxr-x   3 root     mail         512 Jul  9 13:48 /var/mail/

       Using the default configuration, Exim runs as the local user when doing
       a local delivery, and it uses a lock file to prevent any other process
       from updating the mailbox while it is writing to it. With those
       permissions the delivery process, running as the user, is unable to
       create a lock file in the \(/var/mail(\ directory. There are two solutions
       to this problem:

       (1) Set the \"write"\ and \"sticky bit"\ permissions on the directory, so
           that it looks like this:

==>          drwxrwxrwt   3 root     mail         512 Jul  9 13:48 /var/mail/

           The \"w"\ allows any user to create new files in the directory, but
           the \"t"\ bit means that only the creator of a file is able to remove
           it. This is the same setting as is normally used with the \(/tmp)\
           directory.

       (2) Arrange to run the local_delivery transport under a specific group
           by changing the configuration to read

==>          local_delivery:
               driver = appendfile
               file = /var/mail/${local_part}
               group = mail

           The delivery process still runs under the user's uid, but with the
           group set to \"mail"\. The group permission on the directory allows
           the process to create and remove the lock file.

           The choice between (1) and (2) is up to the administrator. If the
           second solution is used, users can empty their mailboxes by updating
           them, but cannot delete them.

       If your problem involves mail to \/root/\, see also Q0039.


Q0037: I am experiencing mailbox locking problems with Sun's \"mailtool"\ used
       over a network.

A0037: See Q9705 in the Sun-specific section below.


Q0038: What does the error message \*error in forward file (filtering not
       enabled): missing or malformed local part*\ mean?

A0038: If you are trying to use an Exim filter, you have forgotten to enable
       the facility, which is disabled by default. In the \%redirect%\ router
       (in the Exim run time configuration file) you need to set

==>      allow_filter = true

       to allow a \(.forward)\ file to be used as an Exim filter. If you are not
       trying to use an Exim filter, then you have put a malformed address in
       the \(.forward)\ file.


Q0039: I have installed Exim, but now I can't mail to \/root/\ any more. Why is
       this?

A0039: Most people set up \/root/\ as an alias for the manager of the host. If
       you haven't done this, Exim will attempt to deliver to \/root/\ as if it
       were a normal user. This isn't really a good idea because the delivery
       process would run as \/root/\. Exim has two trigger guards that stop
       deliveries running as root. In the build-time configuration, there is a
       setting called FIXED_NEVER_USERS, which defaults to \"root"\. This
       setting cannot be overridden. In addition, the default runtime
       configuration contains the option

==>      never_users = root

       just to be on the safe side. If you really want to run local deliveries
       as \/root/\, you must use a version of Exim that was built without the
       FIXED_NEVER_USERS option, and remove the above line from the runtime
       configuration, but it would be better to create an alias for \/root/\
       instead.


Q0040: How can I stop undeliverable bounce messages (e.g. to routeable, but
       undeliverable, spammer senders) from clogging up the queue for days?

A0040: If at all possible, you should try to avoid getting into this situation
       in the first place, for example, by verifying recipients so that you
       do not accept undeliverable messages that lead to these bounces.
       You can, however, configure Exim to discard failing bounce messages
       early. Just set \ignore_bounce_errors_after\ to specify a (short) time
       to keep them for.


Q0041: What does the message \*unable to set gid=ddd or uid=ddd (euid=ddd):
       local delivery to ... transport=ttt*\ mean?

A0041: Have you remembered to make Exim setuid \/root/\? It needs root privilege if
       it is to do any local deliveries, because it does them ``as the user''.
       Note also that the partition from which Exim is running (where the
       binary is installed) must not have the \nosuid\ mount option set. You
       can check this by looking at its \(/etc/fstab)\ entry (or \(/etc/vfstab)\,
       depending on your OS).


Q0042: My ISP's mail server is rejecting bounce messages from Exim, complaining
       that they have no sender. The SMTP trace does indeed show that the
       sender address is \"<>"\. Why is the Sender on the bounce message empty?

A0042: Because the RFCs say it must be. Your ISP is at fault. Send them this
       extract from RFC 2821 section 6.1 (\*Reliable Delivery and Replies by
       Email*\):

         If there is a delivery failure after acceptance of a message, the
         receiver-SMTP MUST formulate and mail a notification message.  This
         notification MUST be sent using a null (\"<>"\) reverse path in the
         envelope.  The recipient of this notification MUST be the address
         from the envelope return path (or the ::Return-Path:: header line).
         However, if this address is null (\"<>"\), the receiver-SMTP MUST NOT
         send a notification.

       The reason that bounce messages have no sender is so that they
       themselves cannot provoke further bounces, as this could lead to a
       unending exchange of undeliverable messages.


Q0043: What does the error \*Unable to get interface configuration: 22 Invalid
       argument*\ mean?

A0043: This is an error that occurs when Exim is trying to find out the all the
       IP addresses on all of the local host's interfaces. If you have lots of
       virtual interfaces, this can occur if there are more than around 250 of
       them. The solution is to set the option \local_interfaces\ to list just
       those IP addresses that you want to use for making and receiving SMTP
       connections.


Q0044: What does the error \*Failed to create spool file*\ mean?

A0044: Exim has been unable to create a file in its spool area in which to
       store an incoming message. This is most likely to be either a
       permissions problem in the file hierarchy, or a problem with the uid
       under which Exim is running, though it could be something more drastic
       such as your disk being full.

       If you are running Exim with an alternate configuration file using a
       command such as \"exim -C altconfig..."\, remember that the use of -C
       takes away Exim's root privilege, unless \\TRUSTED_CONFIG_LIST\\
       is set in \(Local/Makefile)\ and the corresponding file contains a
       prefix which matches the alternative configuration file being used.

       Check that you have defined the spool directory correctly by running

==>      exim -bP spool_directory

       and examining the output. Check the mode of this directory. It should
       look like this, assuming you are running Exim as user \/exim/\:

==>      drwxr-x---   6 exim  exim      512 Jul 16 12:29 /var/spool/exim

       If there are any subdirectories already in existence, they should have
       the same permissions, owner, and group. Check also that you haven't got
       incorrect permissions on superior directories (for example, \(/var/spool)\).
       Check that you have set up the Exim binary to be setuid \/root/\. It should
       look like this:

==>      -rwsr-xr-x   1 root     xxx       502780 Jul 16 14:16 exim

       Note that it is not just the owner that must be \/root/\, but also the third
       permission must be \"s"\ rather than \"x"\.


Q0045: I see entries in the log that mention two different IP addresses for the
       same connection. Why is this? For example:

==>      H=tip-mp8-ncs-13.stanford.edu ([36.173.0.189]) [36.173.0.156]

A0045: The actual IP address from which the call came is the final one.
       Whenever there's something in parentheses in a host name, it is what the
       host quoted as the domain part of an SMTP HELO or EHLO command. So in
       this case, the client, despite being 36.173.0.156, issued the command

==>      EHLO [36.173.0.189]

       when it sent your server the message. This is, of course, very
       misleading.


Q0046: A short time after I start Exim I see a defunct zombie process. What
       is causing this?

A0046: Your system must be lightly loaded as far as mail is concerned. The
       daemon sets off a queue runner process when it is started, but it only
       tidies up completed child processes when it wakes up for some other
       reason. When there's nothing much going on, you occasionally see
       defunct processes like this waiting to be dealt with. This is
       perfectly normal.


Q0047: On a reboot, or a restart of the mail system, I see the message \*Mailer
       daemons: exim abandoned: unknown, malformed, or incomplete option
       -bz sendmail*\. What does this mean?

A0047: \-bz-\ is a Sendmail option requesting it to create a `configuration freeze
       file'. Exim has no such concept and so does not support the option. You
       probably have a line like

==>      /usr/lib/sendmail -bz

       in some start-up script (e.g. \(/etc/init.d/mail)\) immedately before

==>      /usr/lib/sendmail -bd -q15m

       The first of these lines should be commented out.


Q0048: Whenever exim restarts it takes up to 3-5 minutes to start responding on
       the SMTP port. Why is this?

A0048: Something else is hanging onto port 25 and not releasing it. One place
       to look is \(/etc/inetd.conf)\ in case for any reason an SMTP stream is
       configured there.


Q0049: What does the log message \*no immediate delivery: more than 10 messages
       received in one connection*\ mean?

A0049: A remote MTA sent a number of messages in a single SMTP session. Exim
       limits the number of immediate delivery processes it creates as a
       result of a single SMTP connection, in order to avoid creating a zillion
       processes on systems that can have many incoming connections. If you are
       dialing in to collect mail from your ISP, you should probably set
       \smtp_accept_queue_per_connection\ to some number larger than 10, or
       arrange to start a queue runner for local delivery (using \-ql-\)
       immediately after collecting the mail.


Q0050: I am getting complaints from a customer who uses my Exim server for
       relaying that they are being blocked with a \*Too many connections*\
       error.

A0050: See \smtp_accept_max\, \smep_accept_max_per_host\ and \smtp_accept_reserve\.


Q0051: When I test my system filter with \-bf-\, I get the error \*filtering
       command "fail" is disabled*\. Why is this?

A0051: Use the \-bF-\ option to test system filters. This gives you access to the
       freeze and fail actions.


Q0052: What does \*ridiculously long message header*\ in an error report mean?

A0052: There has to be some limit to the length of a message's header lines,
       because otherwise a malefactor could open an SMTP channel to your host,
       start a message, and then just send characters continuously until your
       host runs out of memory. (Exim stores all the header lines in main
       memory while processing a message). For this reason a limit is imposed
       on the total amount of memory that can be used for header lines. The
       default is 1MB, but this can be changed by setting \\HEADER_MAXSIZE\\ in
       \(Local/Makefile)\ before building Exim. Exceeding the limit provokes
       the ``ridiculous'' error message.


Q0053: Exim on my host responds to a connection with \"220 *****..."\ and
       won't understand \\EHLO\\ commands.

A0053: This is the sign of a Cisco Pix ``Mailguard'' sitting in front of your
       MTA. Pix breaks ESMTP and only does SMTP. It is a nuisance when you have
       a secure MTA running on your box. Something like ``no fixup protocol
       smtp 25'' in the Pix configuration is needed. It may be possible to do
       this by logging into the Pix (using \^telnet^\ or \^ssh^\) and typing
       \"no fixup smtp"\ to its console. (You may need to use other commands
       before or after to set up configuration mode and to activate a changed
       configuration. Consult your Pix documentation or expert.) See also
       Q0078.


Q0054: I'm getting an Exim configuration error \*unknown rewrite flag
       character (m) in line 386*\ but I haven't used any flags on my rewriting
       rules.

A0054: You have probably forgotten to quote a replacement string that contains
       white space.


Q0055: What does the error \*Failed to open wait-remote_smtp database: Invalid
       argument*\ mean?

A0055: This is something that happens if you have existing DBM hints files when
       you install a new version of Exim that is compiled to use a different or
       upgraded DBM library. The simplest thing to try is

==>      rm /var/spool/exim/db/*

       This removes all the hints files. Exim will start afresh and build new
       ones. If the symptom recurs, it suggests there is some problem with your
       DBM library.


Q0056: We are using Exim to send mail from our web server. However, whenever a
       user sends an email it gets sent with the return path (envelope sender)
       //apache@server_name.com// because the PHP script is running as
       \/apache/\.

A0056: You need to include \/apache/\ in the \trusted_users\ configuration option.
       Only trusted users are permitted to specify senders when mail is passed
       to Exim via the command line.


Q0057: We've got people complaining about attachments that don't show up
       as attachments, but are included in the body of the message.

A0057: In the past, these symptoms could be seen when some software passed a
       CRLF line terminated message via the command line, because Exim expected
       lines to be terminated by LF only, and so it preserved the CRs as data.
       Modern versions of Exim (4.21 or later) use heuristics to try to do the
       right thing with line endings.


Q0058: What does the error \*failed to open DB file \(/var/spool/exim/db/retry)\:
       File exists*\ mean?

A0058: This error is most often caused when a hints file that was written with
       one version of the Berkeley DB library is read by another version.
       Sometimes this can happen if you change from a binary version of Exim to
       a locally compiled version. Or it can happen if you compile and install
       a new version of Exim after changing Berkeley DB versions. You can find
       out which version your Exim is using by running:

==>      ldd /usr/sbin/exim

       The solution to the problem is to delete all the files in the
       \(/var/spool/exim/db)\ directory, and let Exim recreate them.


Q0059: When my Outlook Express 6.0 client sends a STARTTLS command to begin a
       TLS session, Exim doesn't seem to receive it. The Outlook log shows
       this:

==>      SMTP: 14:19:27 [tx] STARTTLS
         SMTP: 14:19:27 [rx] 500 Unsupported command.

        but the Exim debugging output shows this:

==>       SMTP<< EHLO xxxx
          SMTP>> 250-yyyy Hello xxxx [nnn.nnn.nnn.nnn]
          250-SIZE 52428800
          250-PIPELINING
          250-AUTH CRAM-MD5 PLAIN LOGIN
          250-STARTTLS
          250 HELP
          SMTP<< QUIT

A0059: Turn off scanning of outgoing email in Norton Antivirus. If you aren't
       running Norton Antivirus, see if you are running some other kind of SMTP
       proxying, either on the client or on a firewall between the client and
       server. ``Unsupported command'' is not an Exim message.


Q0060: Why am I getting the error \*failed to expand \"/data/lists/lists/${lc"\
       for require_files: \"${lc"\ is not a known operator*\ for this setting:

==>      require_files = MAILMAN_HOME/lists/${lc:$local_part}/config.db

A0060: The value of \"require_files"\ is a list in which each item is
       separately expanded. In other words, the splitting into items happens
       before the string expansion. You need either to double the colon, or
       switch to a different list separator.


Q0061: What does the error \*Too many ``Received'' headers - suspected mail
       loop*\ mean?

A0061: Whenever a message passes through an MTA, a ::Received:: header gets
       added. Exim counts the number of these headers in incoming messages. If
       there are more than the value of \received_headers_max\ (default 30),
       Exim assumes there is some kind of mail routing loop occurring. For
       example, host A passes the message to host B, which immediately passes
       it back to host A. Check the ::Received:: headers and the mail logs to
       determine exactly what is going on.

       One common cause of this problem is users with accounts on both systems
       who set up each one to forward to the other, thinking that will cause
       copies of all messages to be delivered on both of them.


Q0062: When I try to start an Exim daemon with \-bd-\ it crashes. I ran a
       debugger and discovered that the crash is happening in the function
       \^^getservbyname()^^\. What's going on?

A0062: What have you got in the file \(/etc/nsswitch.conf)\? If it contains this
       line:

==>      services:       db files

       try removing the \"db"\. Your system is trying to look in some kind of
       database before searching the file \(/etc/services)\, and there is an
       incompatibility the is causing the function \^^getservbyname()^^\ crash.
       This is an OS problem. See, for instance:

       \?http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=129025?\

       Another workaround in Exim is to set

==>      daemon_smtp_port = 25

       in the configuration, to stop Exim calling \^^getservbyname()^^\.


Q0063: When I try to start an Exim daemon, nothing happens. There is no
       process, and nothing is written to the Exim log.

A0063: Check to see if anything is written to \(syslog)\. This problem can be
       caused by a permission problem that stops Exim from writing to its log
       files, especially if you've specified that they should be written
       somewhere other than under Exim's spool directory. You could also try
       running the daemon with debugging turned on.


Q0064: When I run \"exim -d test@domain"\ it delivers fine, but when I send a
       message from the \^mail^\ command, I get \*User unknown*\ and the mail
       is saved in \(dead.letter)\.

A0064: It looks as if Exim isn't being called by \^mail^\; instead it is
       calling some other program (probably Sendmail). Try running the command

==>      /usr/sbin/sendmail -bV

       (If you get \*No such file or directory*\ or \*Command not found*\ you
       are running Solaris or IRIX. Try again with \(/usr/lib/sendmail)\.) The
       output should be something like this:

==>      Exim version 4.05 #1 built 13-Jun-2002 10:27:15
         Copyright (c) University of Cambridge 2002

       If you don't see this, your Exim installation isn't fully operational.
       If you are running FreeBSD, see Q9201. For other systems, see Q0114.


Q0065: When (as \/root/\) I use -C to run Exim with an alternate configuration
       file, it gives an error about being unable to create a spool file when
       trying to run an \%autoreply%\ transport. Why is this?

A0065: When Exim is called with -C, it passes on -C to any instances of itself
       that it calls (so that the whole sequence uses the same config file).
       However, Exim gives up its root privilege if any user except \/root\/
       passes a -C option to use a non-default configuration file, and that
       includes the case where Exim re-execs itself to regain root privilege.
       Thus it can't write to the spool.

       The fix for this is to use the \\TRUSTED_CONFIG_LIST\\ build-time
       option. This defines a file containing a list of 'trusted' prefixes for
       configuration files. Any configuration file specified with -C, if it
       matches a prefix listed in that file, will be used without dropping root
       privileges (as long as it is not writeable by a non-root user).


Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean?

A0066: This message is given when an Exim process is unable to change uid or
       gid when it needs to, because it does not have root privilege. This is a
       serious problem that prevents Exim from carrying on with what it is
       doing. The two most common situations where Exim needs to change uid/gid
       are doing local deliveries and processing users' filter files. There are
       two common causes of this error:

       (1) You have forgotten to make the exim binary setuid to \/root/\. This
           means that it can never change uid/gid in any situation. Also, the
           setuid binary must reside on a disk partition that does not have the
           \"nosuid"\ mount option set.

       (2) The exim binary is setuid, but you have configured Exim so that,
           while trying to verify an address at SMTP time, it runs a router
           that needs to change uid/gid. Because Exim runs as \/exim/\ and not
           \/root/\ while receiving messages, the router is unable to change
           uid and therefore it cannot operate. The usual example of this is a
           \%redirect%\ router for users' filter files.

           Setting the \user\ or \check_local_user\ options on a \redirect\
           router causes this to happen (except in the special case when the
           redirection list is provided by the \data\ option and does not
           contain \":include:"\).

           The solution is to set \no_verify\ on the router that is causing the
           problem. This means that it is skipped when an address is being
           verified. In ``normal'' configurations where the router is indeed
           handling users' filter files, this is quite acceptable, because you
           do not usually need to process a filter file in order to verify that
           the local part is valid. See, for example, the \%userforward%\
           router in the default configuration.


Q0067: What does the error \*too many unrecognized commands*\ mean?

A0067: There have been instances of network abuse involving mail sent out by
       web servers. In most cases, unrecognizable commands are sent as part of
       the SMTP session. A real MTA never sends out such invalid commands. Exim
       allows a few unrecognized commands in a session to permit humans who are
       testing to make a few typos (it responds with a 5xx error). However, if
       Exim receives too many such commands, it assumes that it is dealing with
       an abuse of some kind, and so it drops the connection.


Q0068: Exim times out when trying to connect to some hosts, though those hosts
       are known to be up and running. What's the problem?

A0068: There could be a number of reasons for this (see also Q0017). The
       obvious one is that there is a networking problem between the hosts.
       If you can ping between the hosts or connect in other ways, the problem
       might be caused by ECN (Explicit Congestion Notification) being enabled
       in your kernel. ECN uses TCP flags originally assigned to TOS - it's a
       "new" invention, and some hosts and routers are known to be confused if
       a client uses it. If you are running Linux, you can turn ECN off by
       running this command:

==>      /bin/echo "0" > /proc/sys/net/ipv4/tcp_ecn

       This has also been reported to cure web connection problems from Mozilla
       and Netscape browsers in Linux when there were no problems with Windows
       Netscape browsers.


Q0069: What does the error \*SMTP data timeout (message abandoned) on connection
       from...*\ mean?

A0069: It means that there was a timeout while Exim was reading the contents of
       a message on an incoming SMTP connection. That is, it had successfully
       accepted a MAIL command, one or more RCPT commands, and a DATA command,
       and was in the process of reading the data itself. The length of timeout
       is controlled by the \smtp_receive_timeout\ option.

       If you get this error regularly, the cause may be incorrect handling of
       large packets by a router or firewall. The maximum size of a packet is
       restricted on some links; routers should split packets that are larger.
       There is a feature called ``path MTU discovery'' that enables a sender
       to discover the maximum packet size over an entire path (multiple
       Internet links). This can be broken by misconfigured firewalls and
       routers. There is a good explanation at \?http://www.netheaven.com/pmtu.html?\.
       Reducing the MTU on your local network can sometimes work round this
       problem. See Q0017 (3) for further discussion.


Q0070: What does the error \*SMTP command timeout on connection from...*\ mean?

A0070: Exim was expecting to read an SMTP command from the client, but no
       command was read within the \smtp_receive_timeout\ time limit.


Q0071: What does the error \*failed to open DB file \(/var/spool/exim//db/retry)\:
       Illegal argument*\ mean?

A0071: See Q0058. The cause of this error is usually the same.


Q0072: Exim will deliver to normal aliases, and aliases that are pipes or
       files, but it objects to aliases that involve \":include:"\ items,
       complaining that it can't change gid or uid. Why is this?

A0072: See Q0066 for a general answer. The problem happens during verification
       of an incoming SMTP message, not during delivery itself. In this
       particular case, you must have set up your aliasing router with a \user\
       setting. This causes Exim to change uid/gid when reading \":include:"\
       files. If you do not need the detailed verification provided by the
       router, the easy solution is to set \no_verify\ so that the router isn't
       used during verification.

       Otherwise, if you set \user\ on the router in order to provide a user
       for delivery to pipes or files, one solution is to put the \user\
       setting on the transports instead of on the router. You may need to
       create some special transports just for this router. The alternative is
       to supply two different routers, one with \user\ and \no_verify\, and
       the with \verify_only\ but no \user\ setting.


Q0073: I'm seeing log file corruption, with parts of log lines getting mangled
       by other log entries.

A0073: The only time this has been seen is when several servers were writing to
       the same log files over NFS. Exim assumes that its log file is on local
       disk, and using NFS, especially for more than one server, will not work.


Q0074: What does the error message \*remote delivery process count got out of
       step*\ mean?

A0074: Exim uses subprocesses for remote deliveries; this error means that the
       master process expected to have a child process running, but found there
       were none. Prior to release 4.11, this error could be caused by running
       Exim under \^strace^\ on a Linux system, because stracing causes
       children to be ``stolen'' such that a parent that tries to wait for
       ``any of my children'' is told that it has none. Current releases of
       Exim have code to get round this problem.


Q0075: I'm using LDAP, and some email addresses that contain special characters
       are causing parsing errors in my LDAP lookups.

A0075: You should be using \"${quote_ldap:$local_part}"\ instead of just
       \"$local_part"\ in your lookups.


Q0076: I've configured Exim to use \^syslog^\ for its logs, with the main and
       reject logs sent to different files, but whenever a message is rejected,
       I get one message on the reject log and two messages on the main log.

A0076: You are probably putting your reject items into the main log as well;
       remember \^syslog^\ levels are inclusive (for example, \"mail.info"\
       includes all higher levels, so a \"mail.notice"\ message will be caught
       by a \"mail.info"\ descriptor).
       Test this by running the command:

==>      logger -p mail.notice test

       and seeing which logs it goes into. From Exim release 4.31 it is
       possible to disable the rejectlog by setting \write_rejectlog\ false.


Q0077: I've installed Exim and it is delivering mail just fine. However, when I
       try to read mail from my PC I get \*connection rejected*\ or \*unable to
       connect*\.

A0077: See Q5021.


Q0078: Exim is logging the unknown SMTP command \"XXXX"\ from my client hosts,
       and they are unable to authenticate.

A0078: This is a sign of a Cisco PIX firewall getting in the way. It does not
       support ESMTP, and turns EHLO commands into XXXX. You should configure
       the Pix to leave SMTP alone; see Q0053 for how to do this.


Q0079: Our new PIX firewall is causing problems with incoming mail. How can
       this be fixed?

A0079: See Q0053 and Q0078. If some messages get through and others do not,
       see also Q0017.


Q0080: Am I to understand that the database lookups must only return one value?
       They can not return a list of values? The documentation seems to
       indicate that it's possible to return a list.

A0080: Lookups can be used in two different situations, and what they return is
       different in the two cases. (Be thankful Exim 3 is gone; there was yet
       another case!)

       (1) You can use a lookup in any expanded string. The syntax is

==>          ${lookup ..... }

           In this case, whatever is looked up replaces the expansion item. It
           may be one value or a list of values. Whether a single value or a
           list is acceptable or not depends on where you are using the string
           expansion. If it is for an option that expects just one value, then
           only one value is allowed (for example).

       (2) You can make use of the lookup mechanism to test whether something
           (typically a host name or IP address) is in a list. For example,

==>          hosts = a : b : c

           in an ACL tests whether the calling host's name matches ``a'', or
           ``b'', or ``c''. Now, suppose you want to keep the list of names in
           a database, or cdb file, or NIS map, or...  By writing

==>           hosts = pgsql;select ....

           you are saying to Exim: ``Run this lookup; if it succeeds, behave as
           if the host is in the list; if it fails, the host is not in the
           list.'' You are using the indexing mechanism of the database as a
           fast way of checking a list. A simpler example is

==>           hosts = lsearch;/some/file

           where the file contains the list of hosts to be searched.

       The complication happens when a list is first expanded before being
       interpreted as a list. This happens in a lot of cases. You can therefore
       write either of these:

==>       hosts = cdb;/some/file
          hosts = ${lookup{something}cdb{/some/file}}

       but they have different meanings. The first means ``see if the host name
       is in the list in this file''. The second means ``run this lookup and
       use the result of the lookup as a list of host items to check''. In the
       second case, the list could contain multiple values (colon separated),
       and one of those values could even be ``cdb;/some/file''.

       Flexibility does lead to complexity, I'm afraid.


Q0081: What does \*error in redirect data: included file xxxx is too big*\
       mean?

A0081: You are trying to include a very large file in a redirection list, using
       the \":include:"\ feature. Exim has a built-in limit on the size, as a
       safety precaution. The default is 1 megabyte. If you want to increase
       this, you have to rebuild Exim. In your \(Local/Makefile)\, put

==>      MAX_INCLUDE_SIZE = whatever

       and then rebuild Exim. The value is a number of bytes, but you can give
       it as a parenthesized arithmetic expression such as \"(3*1024*1024)"\.
       However, an included file of more than a megabyte is likely to be quite
       inefficient. How many addresses does yours contain? You get the best
       performance out of Exim if you arrange to send mailing list messages
       with no more than about 100 recipients (in order to get parallelism in
       the routing).


Q0082: What does \*relocation error: /lib/libnss_dns.so.2: symbol
       __libc_res_nquery, version GLIBC_PRIVATE not defined in file
       libresolv.so.2 with link time reference*\ mean?

A0082: You have updated \^glibc^\ while an Exim daemon is running. Stop and
       restart the daemon.


Q0083: Netscape on Unix is sending messages containing an unqualified user name
       in the ::Sender:: header line, which Exim is rejecting because I have
       set \"verify = header_syntax"\. How can I fix this?

A0083: The only thing you can do in Exim is to set the
       \sender_unqualified_hosts\ option to allow unqualified sender addresses
       form the relevant hosts; of course, this applies to all sender
       addresses, not just the ::Sender:: header line.

       Alternatively, you can configure Netscape not to include the header line
       in the first place. Add the following line to the
       \($HOME/.netscape/preferences.js)\ and \($HOME/.netscape/liprefs.js)\
       files:

==>      user_pref("mail.suppress_sender_header", true);

       Netscape must be shut down while doing this.


Q0084: I want to set up an alias that pipes a message to \^gpg^\ and then pipes
       the result to \^mailx^\ to resubmit the message, but when I use my
       tested command in an alias file, I get an error from \^gpg^\.

A0084: Probably you are using a shell command with two pipe symbols in it. An
       alias like this:

==>      gpg-xxx: "|gpg <options> | mailx <options"

       does not work, because Exim does not run pipes under a shell by default.
       You must call a shell explicitly if you want to make use of the shell's
       features for double-piping, either by piping to \"/bin/sh"\ with a
       suitable \"-c"\ option, or by piping to a shell script.


Q0085: I see a lot of \*rejected EHLO ... syntactically invalid argument(s)*\.
       I know it's because of the underscore in the host name, but is there a
       switch to allow Exim to accept mail from such hosts?

A0085: Yes. Add this to your configuration:

==>      helo_allow_chars = _

       For more seriously malformed host names, see \helo_accept_junk_hosts\.
       See also Q0732.


Q0086: What does \*SMTP protocol violation: synchronization error (next input
       sent too soon)*\ mean?

A0086: SMTP is a ``lock-step'' protocol, which means that, at certain points in
       the protocol, the client must wait for the server to respond before
       sending more data. Exim checks for correct behaviour, and issues this
       error if the client sends data too soon. This protects against
       malefactious clients who send a bunch of SMTP commands (usually to
       transmit spam) without waiting for any replies.

       This error is also provoked if a client unexpectedly tries to start up a
       TLS session immediately on connection, without using the STARTTLS
       command. See Q1707 for a discussion of this case.


Q0087: What does \*rejected after DATA: malformed address: xx@yy may not follow
       <xx@yy> : failing address in "from" header*\ mean?

A0087: Your DATA ACL contains

==>      verify = header_syntax

       and an incoming message contained the line

==>      From: xx@yy <xx@yy>

       This is syntactically invalid. The contents of an address in a header
       line are either just the address, or a ``phrase'' followed by an address
       in angle brackets. In the latter case, the ``phrase'' must be quoted if
       it contains special characters such as @. The following are valid
       versions of the bad header:

==>      From: xx@yy
         From: "xx@yy" <xx@yy>

       though why on earth anything generates this kind of redundant nonsense I
       can't think.


Q0088: The Windows mailer SENDFILE.EXE sometimes hangs while trying to send a
       message to Exim 4, and eventually times out. It worked flawlessly with
       Exim 3. What has changed?

A0088: Exim 4 sets an obscure TCP/IP parameter called TCP_NODELAY. This
       disables the "Nagle algorithm" for the TCP/IP transmission. The Nagle
       algorithm can improve network performance in interactive situations such
       as a human typing at a keyboard, by buffering up outgoing data until the
       previous packet has been acknowledged, and thereby reducing the number
       of packets used. This is not relevant for mail transmission, which
       mostly consists of quite large blocks of data; setting TCP_NODELAY
       should improve performance. However, it seems that some Windows clients
       do not function correctly if the server turns off the Nagle algorithm.
       If you are using Exim 4.23 or later, you can set

==>      tcp_nodelay = false

       This stops Exim setting TCP_NODELAY on the sockets created by the
       listening daemon.


Q0089: What does the error \*kernel: application bug: exim(12099) has SIGCHLD
       set to SIG_IGN but calls wait()*\ mean?

A0089: This was a bad interaction between a change to the Linux kernel and some
       ``belt and braces'' programming in Exim. The following explanation is
       taken from Exim's change log:

       When Exim is receiving multiple messages on a single connection, and
       spinning off delivery processess, it sets the SIGCHLD signal handling to
       SIG_IGN, because it doesn't want to wait for these processes. However,
       because on some OS this didn't work, it also has a paranoid call to
       \^waitpid()^\ in the loop to reap any children that have finished. Some
       versions of Linux now complain (to the system log) about this
       ``illogical'' call to \^waitpid()^\. I have therefore put it inside a
       conditional compilation, and arranged for it to be omitted for Linux.

       I am pretty sure I caught all the places in Exim where this happened.
       However, there are still occasional reports of this error. I have not
       heard of any resolutions, but my current belief is that they are caused
       by something that Exim calls falling foul of the same check. There was
       at one time a suspicion that the IPv6 stack was involved.


Q0090: I can't seem to get a pipe command to run when I include a \"${lookup"\
       expansion in it.

A0090: See Q0025.


Q0091: Why is Exim giving the error \*Failed to send message from address_reply
       transport*\ when I run it using -C to specify an alternate
       configuration?

A0091: See Q0065.


Q0092: The error message \*Program received signal SIGINT, Interrupt.*\ occurs
       when I try to use Exim with PostgreSQL.

A0092: Check that you have not set

==>      log_statement=true

       in the PostgreSQL configuration file. It seems that this causes
       PostgreSQL to return logging information as the first row in a query
       result, which totally confuses Exim.



1. BUILDING AND INSTALLING

Q0101: I'm having a problem with an Exim RPM.

A0101: Normally the thing to do if you have a problem with an RPM package is
       to contact the person who built the package first, not the person who
       made the software that's in the package.  You can usually find out who
       made a package using the following command:

==>      rpm --query --package --queryformat '%{PACKAGER}\n' <rpm-package-file>

       where \[rpm-package-file]\ is the actual file, e.g. \(exim-3.03-2.i386.rpm)\.
       Or, if the package is installed on your system:

==>      rpm --query --queryformat '%{PACKAGER}\n' <package-name>

       where \[package-name]\ is the name component of the package, e.g. \"exim"\.
       If the packager is unable or unwilling to help, only then should you
       contact the actual author or associated mailing list of the software.

       If you discover through the querying process that you can't tell who
       the person (or company or group) is who built the package, or that they
       no longer exist at the given address, then you should reconsider
       whether you want a package from an unknown source on your system.

       If you discover through the querying process that you yourself are the
       person who built the package, then you should either (a) contact the
       author or associated mailing list, or (b) reconsider whether you ought
       to be building and distributing RPM packages of software you don't
       understand.

       Similar rules of thumb govern other binary package formats, including
       debs, tarballs, and POSIX packages.


Q0102: I can't get Exim to compile with Berkeley DB version 2.x or 3.x.

A0102: Have you set \"USE_DB=yes\" in \(Local/Makefile)\? This causes Exim to use the
       native interface to the DBM library instead of the compatibility
       interface, which needs a header called \(ndbm.h)\ that may not exist on your
       system.


Q0103: I'm getting an \*undefined symbol*\ error for \"hosts_ctl"\ when I try to
       build Exim. (On some systems this error is \*undefined reference to
       'hosts_ctl'*\.)

A0103: You should either remove the definition of \\USE_TCP_WRAPPERS\\ or add
       \"-lwrap"\ to your \\EXTRALIBS\\ setting in Local/Makefile.


Q0104: I'm about to upgrade to a new Exim release. Do I need to ensure the
       spool is empty, or take any other special action?

A0104: It depends on where you are coming from.

       (1) If you are changing to release 4.00 or later from a release prior to
       4.00, you will need to make changes to the run time configuration file.
       See the file \(doc/Exim4.upgrade)\ for details. If you are coming from
       before release 3.00, you should also see \(doc/Exim3.upgrade)\.

       (2) If you are upgrading from an Exim 4 release to a later release, you
       do not need to take special action. New releases are made backwards
       compatible with old spool files and hints databases, so that upgrading
       can be done on a running system. All that should be necessary is to
       install a new binary and then HUP the daemon.

       \**Warning**\: If you have changed the release of your DBM library, so
       that your new Exim is linked with a different release than the old one,
       you may encounter errors when Exim attempts to access the old hints
       databases. See Q0055.


Q0105: What does the error \*install-info: command not found*\ mean?

A0105: You have set \\INFO_DIRECTORY\\ in your \(Local/Makefile)\, and Exim is trying
       to install the Texinfo documentation, but cannot find the command called
       \(install-info)\. If you have a version of Texinfo prior to 3.9, you
       should upgrade. Otherwise, check your installation of Texinfo to see why
       the \(install-info)\ command is not available.


Q0106: Exim doesn't seem to be recognizing my operating system type correctly,
       and so is failing to build.

A0106: Run the command \"scripts/os-type -generic"\. The output should be one of
       the known OS types, and should correspond to your operating system. You
       can see which OS are supported by obeying \"ls OS/Makefile-*"\ and looking
       at the file name suffixes.

       If there is a discrepancy, it means that the script is failing to
       interpret the output from the \"uname"\ command correctly, or that the
       output is wrong. Meanwhile, you can build Exim by obeying

==>      EXIM_OSTYPE=xxxx make

       instead of just \"make"\, provided you are running a Bourne-compatible
       shell, or otherwise by setting \\EXIM_OSTYPE\\ correctly in your
       environment. It is probably best to start again from a clean
       distribution, to avoid any wreckage left over from the failed attempt.


Q0107: Exim fails to build, complaining about the absence of the \"killpg"\
       function.

A0107: This function should be present in all modern flavours of Unix. If you
       are using an older version, you should be able to get round the problem
       by inserting

==>      #define killpg(pgid,sig)   kill(-(pgid),sig)

       into the file called \(OS/os.h-xxx)\, where xxx identifies your operating
       system, and is the output of the command \"scripts/os-type -generic"\.


Q0108: I'm getting an unresolved symbol \"ldap_is_ldap_url"\ when trying to build
       Exim.

A0108: You must have specified \"LOOKUP_LDAP=yes"\ in the configuration. Have you
       remembered to set \"-lldap"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You need that
       in order to get the LDAP library scanned when linking.


Q0109: I'm getting an unresolved symbol \"mysql_close"\ when trying to build Exim.

A0109: You must have specified \"LOOKUP_MYSQL=yes"\ in the configuration. Have you
       remembered to set \"-lmysqlclient"\ somewhere (e.g. in \\LOOKUP_LIBS\\)? You
       need that in order to get the MySQL library scanned when linking.


Q0110: I'm trying to build Exim with PAM support. I have included \"-lpam"\ in
       \\EXTRALIBS\\, but I'm still getting a linking error:

==>      /lib/libpam.so: undefined reference to `dlerror'
         /lib/libpam.so: undefined reference to `dlclose'
         /lib/libpam.so: undefined reference to `dlopen'
         /lib/libpam.so: undefined reference to `dlsym'

A0110: Add \"-ldl"\ to \\EXTRALIBS\\. In some systems these dynamic loading functions
       are in their own library.


Q0111: I'm getting the error \*db.h: No such file or directory*\ when I try to
       build Exim.

A0111: This problem has been seen with RedHat 7.0, but could also happen in
       other environments. If your system is using the DB library, you
       need to install the DB development package in order to build Exim.
       The package is called something like \"db3-devel-3.1.14-16.i386.rpm"\ for
       Linux systems, but you should check which version of DB you have
       installed (current releases are DB 4).


Q0112: I'm getting the error \*/usr/bin/ld: cannot find -ldb*\ when I try to
       build Exim.

A0112: This is probably the same problem as Q0111.


Q0113: I've compiled Exim and I've managed to start it but there was one
       problem - it always complained that \(libmsqlclient.so.10)\ was not found,
       even though this file is in \(/usr/local/lib/mysql/)\.

A0113: Solaris: ensure you have this in your \(Local/Makefile)\:

==>      LOOKUP_LIBS=-L/usr/local/lib/mysql -R/usr/local/lib/mysql

       Net/Open/FreeBSD: Run this command (or ensure it gets run automatically
       at boot time):

==>      ldconfig -m /usr/local/lib/mysql

       Linux: add \(/usr/local/lib/mysql)\ to \(/etc/ld.so.conf)\ and re-run \(ldconfig)\.
       Alternatively, add

==>      -Wl,-rpath -Wl,/usr/local/lib/mysql

       to EXTRA_LIBS and  then re-link (this is similar to the Solaris solution
       above). This will probably also work on other systems that use GNU
       Binutils.


Q0114: How can I remove Sendmail from my system? I've built Exim and run \"make
       install"\, but it still doesn't seem to be fully operational.

A0114: If you are running FreeBSD, see Q9201. Otherwise, you need to arrange
       that whichever of the paths \(/usr/sbin/sendmail)\ or \(/usr/lib/sendmail)\
       exists on your system is changed to refer to Exim. For example, you
       could use these commands (as \/root/\):

==>      mv /usr/sbin/sendmail /usr/sbin/sendmail.original
         chmod u-s /usr/sbin/sendmail.original
         ln -s /path/to/exim /usr/sbin/sendmail

       The second command removes the setuid privilege from the old MTA, as a
       general safety precaution. In the third command, substitute the actual
       path to the Exim binary for \(/path/to/exim)\.


Q0115: What does \*Can't open \(../scripts/newer)\: No such file or directory*\
       mean? I got it while trying to build Exim.

A0115: You are using FreeBSD, or another OS that has a \^make^\ command which
       tries to optimize the running of commands. Exim's \(Makefile)\ contains
       targets with sequential commands like this:

==>      buildpcre:
           @cd pcre; $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) CC="$(CC)" \
             CFLAGS="$(CFLAGS) $(PCRE_CFLAGS)" \
             RANLIB="$(RANLIB)" HDRS="$(PHDRS)" \
             INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)"
           @if $(SHELL) $(SCRIPTS)/newer pcre/libpcre.a exim; then \
             /bin/rm -f exim eximon.bin; fi

       The second command assumes that the \"cd pcre"\ in the first command is
       no longer in effect. If you have \"-j3"\ in your default set of
       \"MAKEFLAGS"\, FreeBSD \^make^\ tries to optimize, and ends up up with both
       commands in the same shell process. The result is that \"$(SCRIPTS)"\
       (which has a value of \"../scripts"\) is not found.

       The simplest solution is to force \^make^\ to use backwards compatibility
       mode with each command in its own shell, by using the \-B\ flag. To
       ensure that this happens throughout the build, it's best to export it in
       your environment:

==>      MAKEFLAGS='-B'
         export MAKEFLAGS
          make


Q0116: I have tried to build Exim with Berkeley DB 3 and 4, but I always get
       errors.

A0116: One common problem, especially when you have several different versions
       of BDB installed on the same host, is that the header files and library
       files for BDB are not in a standard place. You therefore need to tell
       Exim where they are, by setting INCLUDE and DBMLIB in your
       \(Local/Makefile)\. For example, you could use this when you want to
       build with DB 4.1:

==>      INCLUDE=-I/usr/local/include/db-4.1
         DBMLIB=/usr/local/lib/db-4.1/libdb.a

       Specifying the complete library file like this will cause it to be
       statically linked with Exim. You'll have to check to see where these
       files are on your system. For example, on FreeBSD 5, the header is in
       \(/usr/local/include/db4)\ and the library is in \(/usr/local/lib)\ and
       called \(libdb4)\. In that environment, you could use:

==>      INCLUDE=-I/usr/local/include/db4
         DBMLIB=-L/usr/local/lib -ldb4

       This time, DBMLIB is specifying the library directory (\(/usr/local/lib)\)
       and the name of the library (\(db4)\) separately. The name of the actual
       library file is \(/usr/local/lib/libdb4.something)\. If the library was
       compiled for dynamic linking, that will be used.


Q0117: Is there a quick walk-through of an Exim install from source anywhere?

A0117: Here! This is a contribution from a RedHat user, somewhat edited. On
       other operating systems things may be slightly different, but the
       general approach is the same.

       (1) Install the db needed for Exim. This needs to be done first if you
       don't have a DBM library installed. Go to \?http://www.sleepycat.com?\
       and download \(db-4.1.25.tar.gz)\, or whatever the current release is.
       Then:

==>      gunzip db-4.1.25.tar.gz
         tar -xvf db-4.1.25.tar
         cd db-4.1.25
         cd build_unix
         ../dist/configure
         make
         make install

       (2) Add a user for use by Exim, unless you want to use an existing user
       such as \/mail/\:

==>      adduser exim

       (3) Now you can prepare to build Exim. Go to \?http://www.exim.org?\ or
       one of its mirrors, or the master ftp site
       \?ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4?\, and download
       \(exim-4.20.tar.gz)\ or whatever the current release is. Then:

==>      gunzip exim-4.20.tar.gz
         tar -xvf exim-4.20.tar
         cd exim-4.20
         cp src/EDITME Local/Makefile
         cp exim_monitor/EDITME Local/eximon.conf

       (4) Edit \(Local/Makefile)\:

       Comment out EXIM_MONITOR= unless you want to install the Exim
         monitor (it requires X-windows).

       Set the user you want Exim to use for itself:

==>        EXIM_USER=exim

       If your DBM library is Berkeley DB, set up to use its native interface:

==>        USE_DB=yes

       Make sure Exim's build can find the DBM library and its headers. If
         you've installed Berkeley DB 4 you'll need to have settings like this
         in \(Local/Makefile)\:

==>        INCLUDE=-I/usr/local/BerkeleyDB.4.1/include
           DBMLIB=/usr/local/BerkeleyDB.4.1/lib/libdb.a

         (Check that the first directory contains the db.h file and that the
         second library exists.)

       You don't need to change anything else, but you might want to review
         the default settings in the ``must specify'' section.

       (4) Build Exim by running the \/make/\ command.

       (5) Install Exim by running, as \/root/\:

==>      make install

       You must be \/root/\ to do this. You do not have to be root for any of
       the previous building activity.

       (6) Run some tests on Exim; see if it will do local and remote
       deliveries. Change the configuration if necessary (for example,
       uncommenting \group\ on the \%local_delivery%\ transport if you don't
       use a ``sticky bit'' directory).

       (7) Change Sendmail to Exim (of course you need to have had Sendmail
       installed to do this).

==>      /etc/init.d/sendmail stop
         mv /usr/sbin/sendmail /usr/sbin/sendmail.org
         ln -s /usr/exim/bin/exim /usr/sbin/sendmail
         /etc/init.d/sendmail start

       (8) Check the Exim log. Either use the Exim monitor, or:

==>      tail -f /var/spool/exim/log/mainlog


Q0118: I've set \"LOOKUP_INCLUDE=-I/client/include"\ in Local/Makefile, but the
       compilation of \^exim_dumpdb^\ is ignoring this option and failing. Why?

A0118: LOOKUP_INCLUDE is the special include file for lookup modules in Exim
       (e.g. mysql, LDAP). Confusingly, it doesn't apply to basic DBM code
       which is used also for other things. Try setting INCLUDE and DBMLIB
       instead. For example:

==>      USE_DB=yes
         INCLUDE=-I/client/include
         DBMLIB=/client/lib/libdb.a


Q0119: I know there are some 3rd-party patches for Exim, for exiscan and
       other things. Where are they?

A0119: Exiscan is at \?http://duncanthrax.net/exiscan-acl/?\.
[[br]]
       Scanexi is at \?http://w1.231.telia.com/~u23107873/scanexi.html?\
[[br]]
       A sample \^^local_scan()^^\ function for interfacing to \^uvscan^\ is
       at \?http://www.dcs.qmul.ac.uk/~mb/local_scan/?\.
[[br]]
       An interface to SpamAssassin at SMTP time is at
       \?http://marc.merlins.org/linux/exim/sa.html?\.
[[br]]
       A mini-HOWTO (PDF file) about scanning and virus scanning, and some RPMs
       can be found at \?http://www.timj.co.uk/linux/exim.php?\.


Q0120: I'm trying to compile with LOOKUP_WHOSON, but I keep getting \*In
       function `whoson_find': undefined reference to `wso_query'*\.

A0120: Try adding \"-lwhoson"\ to your LOOKUP_LIBS setting in \(Local/Makefile)\.



2. ROUTING IN GENERAL

Q0201: How can I arrange that messages larger than some limit are handled by
       a special router?

A0201: You can use a \condition\ option on the router line this:

==>      condition = ${if >{$message_size}{100K}{yes}{no}}


Q0202: Can I specify a list of domains to explicitly reject?

A0202: Set up a named domain list containing the domains in the first section
       of the configuration, for example:

==>      domainlist reject_domains = list:of:domains:to:reject

       You can use this list in an ACL to reject any SMTP recipients in those
       domains. You can also give a customized error message, like this:

==>      deny message = The domain $domain is no longer supported
              domains = +reject_domains

       If you also want to reject these domains in messages that are submitted
       from the command line (not using SMTP), you need to set up a router to
       do it, like this:

==>      reject_domains:
           driver = redirect
           domains = +reject_domains
           allow_fail
           data = :fail: The domain $domain is no longer supported


Q0203: How can I arrange to do my own qualification of non-fully-qualified
       domains, and then pass them on to the next router?

A0203: If you have some list of domains that you want to qualify, you can do
       this using a redirect router. For example,

==>      qualify:
           driver = redirect
           domains = *.a.b
           data = ${quote:$local_part}@$domain.c.com

       This adds \".c.com"\ to any domain that matches \"*.a.b"\.
       If you want to do this in conjunction with a \%dnslookup%\ router, the
       \widen_domains\ option of that router may be another way of achieving
       what you want.


Q0204: Every system has a \"nobody"\ account under which httpd etc run. I would
       like to know how to restrict mail which comes from that account to users
       on that host only.

A0204: Set up a first router like this:

==>      fail_nobody:
            driver = redirect
            senders = nobody@your.domain
            domains = ! +local_domains
            allow_fail
            data = :fail: Nobody may not mail off-site

       This assumes you have defined \+local_domains\ as in the default
       configuration.


Q0205: How can I get Exim to deliver to me locally and everyone else at the same
       domain via SMTP to the MX record specified host?

A0205: Create an \%accept%\ router to pick off the one address and pass it to
       an appropriate transport. Put this router before the one that does MX
       routing:

==>      me:
           driver = accept
           domains = dom.com
           local_parts = me
           transport = local_delivery

       In the transport you will have to specify the \user\ option. An
       alternative way of doing this is to add a condition to the router that
       does MX lookups to make it skip your address. Subsequent routers can then
       deliver your address locally. You'll need a condition like this:

==>      condition = \
           ${if and {{eq{$domain}{dom.com}}{eq{$local_part}{me}}}{no}{yes}}


Q0206: How can I get Exim to deliver certain domains to a different SMTP port
       on my local host?

A0206: You must set up a special \%smtp%\ transport, where you can specify the
       \port\ option, and then set up a router to route the domains to that
       transport. There are two possibilities for specifying the host:

       (1) If you use a \%manualroute%\ router, you can specify the local host
           in the router options. You must also set

==>          self = send

           so that it does not object to sending to the local host.

       (2) If you use a router that cannot specify hosts (for example, an
           \%accept%\ router with appropriate conditions), you have to specify
           the host using the \hosts\ option of the transport. In this case,
           you must also set \allow_localhost\ on the transport.


Q0207: Why does Exim lower-case the local-part of a non-local domain when
       routing?

A0207: Because \caseful_local_part\ is not set (in the default configuration)
       for the \%dnslookup%\ router. This does not matter because the local
       part takes no part in the routing, and the actual local part that is
       sent out in the RCPT command is always the original local part.


Q0208: I can't get a lookup to work in a domain list. I'm trying this:

==>      domainlist local_domains = @:localhost:${lookup pgsql{SELECT ...

A0208: Does the lookup return a colon separated list of domains? If not, you
       are using the wrong kind of lookup. The most common way of using a
       lookup in a domain list is something like this:

==>      domainlist local_domains = @:localhost:pgsql;SELECT ...

       Using that syntax, if the query succeeds, the domain is considered to be
       in the list. The value that is returned is not relevant.



3. ROUTING TO REMOTE HOSTS

Q0301: What do \*lowest numbered MX record points to local host*\ and \*remote
       host address is the local host*\ mean?

A0301: They mean exactly what they say. Exim expected to route an address to a
       remote host, but the IP address it obtained from a router was for the
       local host. If you really do want to send over TCP/IP to the local host
       (to a different version of Exim or another MTA, for example), see Q0206.

       More commonly, these errors arise when Exim thinks it is routing some
       foreign domain. For example, the router configuration causes Exim to
       look up the domain in the DNS, but when Exim examines the DNS output,
       either the lowest numbered MX record points at the local host, or there
       are no MX records, and the address record for the domain contains an
       IP address that belongs to the local host.

       There has been a rash of instances of domains being deliberately set up
       with MX records pointing to \"localhost"\ (or other names with A records
       that specify 127.0.0.1), which causes this behaviour. You can use the
       \ignore_target_hosts\ option to get Exim to ignore these records. The
       default contiguration does this. For more discussion, see Q0319. For
       other cases:

       (1) If the domain is meant to be handled as a local domain, there
           is a problem with the configuration, because it should not then have
           been looked up in the DNS. Check the \domains\ settings on your
           routers.

       (2) If the domain is one for which the local host is providing a
           relaying service (called ``mail hubbing''), possibly as part of a
           firewall, you need to set up a router to tell Exim where to send
           messages addressed to this domain, because the DNS directs them to
           the local host. You should put a router like this one before the one
           that does DNS lookups:

==>          hubbed_hosts:
               driver = manualroute
               transport = remote_smtp
               route_list = see discussion below

           The contents of the \route_list\ option depend on how many hosts you
           are hubbing for, and how their names are related to the domain name.
           Suppose the local host is a firewall, and all the domains in
           \(*.foo.bar)\ have MX records pointing to it, and each domain
           corresponds to a host of the same name. Then the setting could be

==>          route_list = *.foo.bar $domain

           If there isn't a convenient relationship between the domain names
           and the host names, you either have to list each domain separately,
           or use a lookup expansion to look up the host from the domain, or
           put the routing information in a file and use the \route_data\
           option with a lookup expansion.

       (3) If neither (1) nor (2) is the case, the lowest numbered MX record or
           the address record for the domain should not be pointing to your
           host. You should arrange to get the DNS mended.


Q0302: Why does Exim say \*all relevant MX records point to non-existent hosts*\
       when MX records point to IP addresses?

A0302: MX records cannot point to IP addresses. They are defined to point to
       host names, so Exim always interprets them that way. (An IP address is a
       syntactically valid host name.) The DNS for the domain you are having
       problems with is misconfigured.

       However, it appears that more and more DNS zones are breaking the rules
       and putting IP addresses on the RHS of MX records. Exim follows the
       rules and rejects this, but other MTAs do support it, so the
       \allow_mx_to_ip\ was regretfully added at release 3.14 to permit this
       heinous activity.


Q0303: How do I configure Exim to send all messages to a central server? I
       don't want to do any local deliveries at all on this host.

A0303: Use this as your first and only router:

==>      send_to_gateway:
           driver = manualroute
           transport = remote_smtp
           route_list = * central.server.host


Q0304: How do I configure Exim to send all non-local mail to a gateway host?

A0304: Replace the \%dnslookup%\ router in the default configuration with the
       following:

==>      send_to_gateway:
           driver = manualroute
           domains = !+local_domains
           transport = remote_smtp
           route_list = * gate.way.host

       If there are several hosts you can send to, you can specify them as a
       colon-separated list.


Q0305: How can I arrange for mail on my local network to be delivered directly
       to the relevant hosts, but all other mail to be sent to my ISP's mail
       server? The local hosts are all DNS-registered and behave like normal
       Internet hosts.

A0305: Set up a first router to pick off all the domains for your local
       network. There are several ways you might do this. For example

==>      local_network:
           driver = dnslookup
           transport = remote_smtp
           domains = *.mydomain.com

       This does a perfectly conventional DNS routing operation, but only for
       the domains that match \(*.mydomain.com)\. Follow this with a `smart
       host' router:

==>      internet:
           driver = manualroute
           domains = !+local_domains
           transport = remote_smtp
           route_list = * mail.isp.net

       This routes any other non-local domains to the smart host.


Q0306: How do I configure Exim to send all non-local mail to a central server
       if it cannot be immediately delivered by my host? I don't want to have
       queued mail waiting on my host.

A0306: Add to the \%remote_smtp%\ transport the following:

==>      fallback_hosts = central.server.name(s)

       If there are several names, they must be separated by colons.


Q0307: The \route_list\ setting \"^foo$:^bar$ $domain"\ in a \%manualroute%\
       router does not work.

A0307: The first thing in a \route_list\ item is a single pattern, not a list of
       patterns. You need to write that as \"^(foo|bar)$ $domain"\.
       Alternatively, you could use several items and write

==>      route_list = foo $domain; bar $domain

       Note the semicolon separator. This is because the second thing in each
       item can itself be a colon-separated list of hosts.


Q0308: I have a domain for which some local parts must be delivered locally,
       but the remainder are to be treated like any other remote addresses.

A0308: One possible way of doing this is as follows: Assuming you are using a
       configuration that is similar to the default one, first exclude your
       domain from the first router by changing it to look like this:

==>      non_special_remote:
           driver = dnslookup
           domains = ! +local_domains : ! special.domain
           transport = remote_smtp
           ignore_target_hosts = 127.0.0.0/8
           no_more

       Then add a second router to handle the local parts that are not to
       be delivered locally:

==>      special_remote:
           driver = dnslookup
           domains = special.domain
           local_parts = ! lsearch;/list/of/special/localparts
           transport = remote_smtp
           ignore_target_hosts = 127.0.0.0/8
           no_more

       The remaining local parts will fall through to the remaining routers,
       which can delivery them locally.


Q0309: How can I configure Exim on a firewall machine so that if mail arrives
       addressed to a domain whose MX points to the firewall, it is forwarded
       to the internal mail server, without having to have a list of all the
       domains involved?

A0309: As your first router, have the standard \%dnslookup%\ router from the
       default configuration, with the added option

==>      self = pass

       This will handle all domains whose lowest numbered MX records do not
       point to your host. Because of the \no_more\ setting, if it encounters
       an unknown domain, routing will fail. However, if it hits a domain whose
       lowest numbered MX points to your host, the \self\ option comes into
       play, and overrides \no_more\. The \"pass"\ setting causes it to pass
       the address on to the next router. (The default causes it to generate an
       error.)

       The only non-local domains that reach the second router are those with
       MX records pointing to the local host. Set it up to send them to the
       internal mail server like this:

==>      internal:
           driver = manualroute
           domains = ! +local_domains
           transport = remote_smtp
           route_list = * internal.server


Q0310: If a DNS lookup returns no MX records why doesn't Exim just bin the
       message?

A0310: If a DNS lookup returns no MXs, Exim looks for an address record, in
       accordance with the rules that are defined in the RFCs. If you want to
       break the rules, you can set \mx_domains\ in the \%dnslookup%\ router, but
       you will cut yourself off from those sites (and there still seem to be
       plenty) who do not set up MX records.


Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim
       send the messsage to the host defined by the A record?

A0311: The RFCs are quite clear on this. Only if it is known that there are no
       MX records is an MTA allowed to make use of the A record. When an MX
       lookup fails to complete, Exim does not know whether there are any MX
       records or not. There seem to be some name servers (or some
       configurations of some name servers) that give a ``server fail'' error when
       asked for a non-existent MX record. Exim uses standard resolver calls,
       which unfortunately do not distinguish between this case and a timeout,
       so all Exim can do is try again later.


Q0312: Is it possible to use a conditional expression for the host item in a
       \route_list\ for \%manualroute%\ router? I tried the following, but it
       doesn't work:

==>      route_list = * ${if match{$header_from:}{\N.*\.usa\.net$\N} \
                      {<smarthost1>}{<smarthost2>}

A0312: The problem is that the second item in \route_list\ contains white
       space, which means that it gets terminated prematurely. To avoid this,
       you must put the second item in quotes:

==>      route_list = * "${if match{$header_from:}{\N.*\.usa\.net$\N} \
                      {<smarthost1>}{<smarthost2>}}"


Q0313: I send all external mail to a smart host, but this means that bad
       addresses also get passed to the smart host. Can I avoid this?

A0313: Assuming you have DNS availability, set up a conventional \%dnslookup%\
       router to do the routing, but in the \%remote_smtp%\ transport set this:

==>    hosts = your.smart.host
       hosts_override

       This will override the hosts that the router finds so that everything
       goes to the smart host, but any non-existent domains will be failed by
       the router.


Q0314: I have a really annoying intermittent problem where attempts to mail to
       valid sites are rejected with \*unknown mail domain*\. This only happens a
       few times a day and there is no particular pattern to the sites it
       rejects. If I try to lookup the same domain a few minutes later then it
       is OK.

A0314: This is almost certainly a problem with the DNS resolver or the the
       domain's name servers.

       (1) Have you linked Exim against the newest DNS resolver library that
       comes with Bind? If you are using SunOS4 that may be your problem, as
       the resolver that comes with that OS is known to be buggy and to give
       intermittent false negatives.

       (2) Effects like this are sometimes seen if a domain's name servers get
       out of step with each other.


Q0315: I'd like route all mail with addresses that can't be resolved (the DNS
       lookup times out) to a relay machine.

A0315: Set \pass_on_timeout\ on your \%dnslookup%\ router, and add below it a
       \%manualroute%\ router that routes all relevant domains to the relay.


Q0316: I would like to forward all incoming email for a particular domain to
       another host via SMTP. Whereabouts would I configure that?

A0316: Use this as your first router:

==>      special:
           driver = manualroute
           transport = remote_smtp
           route_list = the.particular.domain the.other.host

       You will also need to adjust the ACL for incoming SMTP so that this
       domain is accepted for relaying. If you are using the default
       configuration, there is a domain list called \relay_domains\ that is
       set up for this.


Q0317: What I'd like to do is have alternative smart hosts, where the one to be
       used is determined by which ISP I'm connected to.

A0317: The simplest way to do this is to arrange for the name of the smart host
       du jour to be placed in a file when you connect, say \(/etc/smarthost)\.
       Then you can read this file from a \%manualroute%\ router like this:

==>      smarthost:
           driver = manualroute
           transport = remote_smtp
           route_list = * ${readfile{/etc/smarthost}{}}

       The second argument of the \"readfile"\ item is a string that replaces
       any newline characters in the file (in this case, with nothing).
       By keeping the data out of the main configuration file, you avoid having
       to HUP the daemon when it changes.


Q0318: Exim won't route to a host with no MX record.

A0318: More than one thing may cause this.

       (1) Are you sure there really is no MX record? Sometimes a typo results
       in a malformed MX record in the zone file, in which case some name
       servers give a SERVFAIL error rather than NXDOMAIN. Exim has to treat
       this as a temporary error, so it can't go on to look for address records.
       You can check for this state using one of the DNS interrogation commands,
       such as \(nslookup)\, \(host)\, or \(dig)\.

       (2) Is there a wildcard MX record for \(your)\ domain? Is the
       \search_parents\ option on in your \%dnslookup%\ router? If the answer to
       both these questions is ``yes'', that is the cause of the problem. When
       the DNS resolver fails to find the MX record, it tries adding on your
       domain if \search_parents\ is true, and thereby finds your wildcard MX
       record. For example:

         .  There is a wildcard MX record for \(*.a.b.c)\.

         .  There is a host called \(x.y.z)\ that has an A record and no MX record.

         .  Somebody on the host \(m.a.b.c)\ domain tries to mail to \(user@x.y.z)\.

         .  Exim calls the DNS to look for an MX record for \(x.y.z)\.

         .  The DNS doesn't find any MX record. Because \search_parents\ is true,
            it then tries searching the current host's parent domain, so it
            looks for \(x.y.z.a.b.c)\ and picks up the wildcard MX record.

       Setting \search_parents\ false makes this case work while retaining the
       wildcard MX record. However, anybody on the host \(m.a.b.c)\ who mails to
       \(user@n.a)\ (expecting it to go to \(user@n.a.b.c)\) now has a problem. The
       \widen_domains\ option of the \%dnslookup%\ router may be helpful in this
       circumstance.


Q0319: I have some mails on my queues that are sticking around longer than
       the retry time indicates they should. They are all getting frozen
       because some remote admin has set their MX record to 127.0.0.1.

A0319: The admin in question is an idiot. Exim will always freeze such messages
       because they are apparently routed to the local host. To bounce these
       messages immediately, set

==>      ignore_target_hosts = 127.0.0.1

       on the \%dnslookup%\ router. This causes Exim to completely ignore any hosts
       with that IP address. In fact, there are quite a number of IP addresses
       that should never be used. Here is a suggested configuration list for
       the IPv4 ones:

==>      # Don't allow domains whose single MX (or A) record is a
         # "special-use IPv4 address", as listed in RFC 3330.
         ignore_target_hosts = \
         # Hosts on "this network"; RFC 1700 (page 4) states that these
         # are only allowed as source addresses
         0.0.0.0/8 : \
         # Private networks, RFC 1918
         10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 : \
         # Internet host loopback address, RFC 1700 (page 5)
         127.0.0.0/8 : \
         # "Link local" block
         169.254.0.0/16 : \
         # "TEST-NET" - should not appear on the public Internet
         192.0.2.0/24 : \
         # 6to4 relay anycast addresses, RFC 3068
         192.88.99.0/24 : \
         # Network interconnect device benchmark testing, RFC 2544
         198.18.0.0/15 : \
         # Multicast addresses, RFC 3171
         224.0.0.0/4 : \
         # Reserved for future use, RFC 1700 (page 4)
         240.0.0.0/4


Q0320: How can I arrange for all mail to \*user@some.domain*\ to be forwarded
       to \*user@other.domain*\?

A0320: Put this as your first router:

==>      forward:
           driver = redirect
           domains = some.domain
           data = ${quote:$local_part}@other.domain


Q0321: How can I tell an Exim router to use only IPv4 or only IPv6 addresses
       when it finds both types in the DNS?

A0321: You can do this by making it ignore the addresses you don't want. This
       example ignores all IPv6 addresses and all IPv4 addresses in the 127
       network:

==>      ignore_target_hosts = <; 0000::0000/0 ; 127.0.0.0/8

       To ignore all IPv4 addresses, use

==>      ignore_target_hosts = 0.0.0.0/0

       See Q0319 for a general discussion of \ignore_target_hosts\.


Q0322: How can I reroute all messages bound for 192.168.10.0 and 10.0.0.0 to
       a specific mail server?

A0322: That is an odd requirement. However, there is an obscure feature in
       Exim, originally implemented for packet radio people, that perhaps can
       help. Check out the \translate_ip_address\ generic router option.



4. ROUTING FOR LOCAL DELIVERY

Q0401: I need to have any mail for \(virt.dom.ain)\ that doesn't match one of the
       aliases in \(/usr/lib/aliases.virt)\ delivered to a particular address, for
       example, \(postmaster@virt.dom.ain)\.

A0401: Adding an asterisk to a search type causes Exim to look up ``*'' when the
       normal lookup fails. So if your aliasing router is something like this:

==>      virtual:
           driver = redirect
           domains = virt.dom.ain
           data = ${lookup{$local_part}lsearch{/usr/lib/aliases.virt}}
           no_more

       you should change \"lsearch"\ to \"lsearch*"\, and put this in the alias
       file:

==>      *: postmaster@virt.dom.ain

       This solution has the feature that if there are several unknown
       addresses in the same message, only one copy gets sent to the
       postmaster, because of Exim's normal de-duplication rules.

       NOTE: This solution works only if there is also an entry for \(postmaster)\
       in the alias file, ultimately resolving to an address that is not in
       \(virt.dom.ain)\. See also Q0434.


Q0402: How do I arrange for all incoming email for \(*@some.domain)\ to go into one
       pop3 mail account? The customer doesn't want to add a list of specific
       local parts to the system.

A0402: Set up a special transport that writes to the mailbox like this:

==>      special_transport:
           driver = appendfile
           file = /pop/mailbox
           envelope_to_add
           return_path_add
           delivery_date_add
           user = exim

       The file will be written as the user \"exim"\. Then arrange to route all
       mail for that domain to that transport, with a router like this:

==>      special_router:
           driver = accept
           domains = some.domain
           transport = special_transport


Q0403: How do I configure Exim to send messages for unknown local users to a
       central server?

A0403: Assuming you are using something like the default configuration, where
       local users are processed by the later routers, you should add the
       following router at the end:

==>      unknown:
           driver = manualroute
           transport = remote_smtp
           route_list = * server.host.name
           no_verify

       However, you should if possible try to verify that the user is known on
       the central server before accepting the message in the first place. This
       can be done by making use of Exim's ``call forward'' facility.


Q0404: How can I arrange for messages submitted by (for example) Majordomo to
       be handled specially?

A0404: You can use the \condition\ option on a router, with a setting such as

==>      condition = ${if and {{eq {$sender_host_address}{}} \
                     {eq {$sender_ident}{majordom}}} {yes}{no}}

       This first tests for a locally-submitted message, by ensuring there is
       no sending host address, and then it checks the identity of the user
       that ran the submitting process.


Q0405: On a host that accepts mail for several domains, do I have to use fully
       qualified addresses in \(/etc/aliases)\ or do I have to set up an alias
       file for each domain?

A0405: You can do it either way. The default aliasing router contains this line:

==>      data = ${lookup{$local_part}lsearch{/etc/aliases}}

       which is what does the actual lookup. To make it look up the complete
       address instead of just the local part, use

==>      data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}}

       If you want to use a separate file for each domain, use

==>      data = ${lookup{$local_part}lsearch{/etc/aliases/$domain}}


Q0406: Some of my users are using the \(.forward)\ to pipe to a shell command which
       appends to the user's INBOX. How can I forbid this?

A0406: If you allow your users to run shells in pipes, you cannot control which
       commands they run or which files they write to. However, you should point
       out to them that writing to an INBOX by arbitrary commands is not
       interlocked with the MTA and MUAs, and is liable to mess up the contents
       of the file.

       If a user simply wants to choose a specific file for the delivery of
       messages, this can be done by putting a file name in a \(.forward)\ file
       rather than using a pipe, or by using the \"save"\ command in an Exim
       filter file.

       You can set \forbid_pipe\ on the router, but that will prevent them from
       running any pipe commands at all. Alternatively, you can restrict which
       commands they may run in their pipes by setting the \allow_commands\
       and/or \restrict_to_path\ options in the \%address_pipe%\ transport.


Q0407: How can I arrange for a default value when using a query-style lookup
       such as LDAP or NIS+ to handle aliases?

A0407: Use a second query in the failure part of the original lookup, like
       this:

==>      data = ${lookup ldap\
           {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=$local_part@$domain))}\
           {$value}\
           {\
           ${lookup ldap \
             {ldap://x.y.z/l=yvr?aliasaddress?sub?(&(mail=default@$domain))}}\
           }}

        Of course, if the default is a fixed value you can just include it
        directly.


Q0408: If I don't fully qualify the addresses in a virtual domain's alias file
       then mail to aliases which also match the local domain get delivered to
       the local domain.

A0408: Set the \qualify_preserve_domain\ option on the \%redirect%\ router.


Q0409: I want mail for any local part at certain virtual domains to go
       to a single address for each domain.

A0409: One way to do this is

==>      virtual:
           driver = redirect
           data = ${lookup{$domain}lsearch{/etc/virtual}}

       The \(/etc/virtual)\ file contains a list of domains and the addresses to
       which their mail should be sent. For example:

==>       domain1:  postmaster@some.where.else
          domain2:  joe@xyz.plc

       If the number of domains is large, using a DBM or cdb file would be more
       efficient. If the lookup fails to find the domain in the file, the value
       of the \data\ option is empty, causing the router to decline.


Q0410: How can I make Exim look in the alias NIS map instead of \(/etc/aliases)\?

A0410: The default configuration does not use NIS (many hosts don't run it).
       You need to change this line in the \%system_aliases%\ router:

==>      data = ${lookup{$local_part}lsearch{/etc/aliases}}

       Change it to

==>      data = ${lookup{$local_part}nis{mail.aliases}}

       If you want to use \(/etc/aliases)\ as well as NIS, put this router (with
       a different name) before or after the default one, depending on which
       data source you want to take precedence.


Q0411: Why will Exim deliver a message locally to any username that is longer
       than 8 characters as long as the first 8 characters match one of the
       local usernames?

A0411: The problem is in your operating system. Exim just calls the \^^getpwnam()^^\
       function to test a local part for being a local login name. It does not
       presume to guess the maximum length of user name for the underlying
       operating system. Many operating systems correctly reject names that are
       longer than the maximum length; yours is apparently deficient in this
       regard. To cope with such systems, Exim has an option called
       \max_user_name_length\ which you can set to the maximum allowed length.


Q0412: Why am I seeing the error \*bad mode (100664) for /home/test/.forward*\?
       I've looked through the documentation but can't see anything to suggest
       that Exim has to do anything other than read the \(.forward)\ file.

A0412: For security, Exim checks for mode bits that shouldn't be set, by
       default 022. You can change this by setting the \modemask\ option of the
       \%redirect%\ router that is handling \(.forward)\ files.


Q0413: When a user's \(.forward)\ file is syntactially invalid, Exim defers
       delivery of all messages to that user, which sometimes include the
       user's own test messages. Can it be told to ignore the \(.forward)\ file
       and/or inform the user of the error?

A0413: Setting \skip_syntax_errors\ on the redirect router causes syntax
       errors to be skipped. When dealing with users' \(.forward)\ files it is best
       to combine this with a setting of \syntax_errors_to\ in order to send
       a message about the error to the user. However, to avoid an infinite
       cascade of messages, you have to be able to send to an address that
       bypasses \(.forward)\ file processing. This can be done by including a
       router like this one

==>      real_localuser:
           driver = accept
           check_local_user
           transport = local_delivery
           local_part_prefix = real-

       before the \%redirect%\ router that handles \(.forward)\ files. This will
       do an ordinary local delivery without \(.forward)\ processing, if the
       local part is prefixed by \"real-"\. You can then set something like
       the following options on the \%redirect%\ router:

==>      skip_syntax_errors
         syntax_errors_to = real-$local_part@$domain
         syntax_errors_text = "\
           This is an automatically generated message. An error has been \
           found\nin your .forward file. Details of the error are reported \
           below. While\nthis error persists, messages addressed to you will \
           get delivered into\nyour normal mailbox and you will receive a \
           copy of this message for\neach one."

       A final tidying setting to go with this is a rewriting rule that changes
       \"real-username"\ into just \"username"\ in the headers of the message:

==>      \N^real-([^@]+)@your\.dom\.ain$\N    $1@your.dom.ain   h

       This means that users won't ever see the \"real-"\ prefix, unless they
       look at the ::Envelope-To:: header.


Q0414: I have set \caseful_local_part\ on the routers that handle my local
       domain because my users have upper case letters in their login names,
       but incoming mail now has to use the correct case. Can I relax this
       somehow?

A0414: If you really have to live with caseful user names but want incoming
       local parts to be caseless, then you have to maintain a file, indexed by
       the lower case forms, that gives the correct case for each login, like
       this:

==>      admin:    Admin
         steven:   Steven
         mcdonald: McDonald
         lamanch:  LaManche
         ...

       and at the start of the routers that handle your local domain, put one
       like this:

==>      set_case_router:
           driver = redirect
           data = ${lookup{${lc:$local_part}}lsearch{/the/file}}
           qualify_preserve_domain

       For efficiency, you should also set the \redirect_router\ option to cause
       processing of the changed address to begin at the next router. If you
       are otherwise using the default configuration, the setting would be

==>      redirect_router = system_aliases

       If there are lots of users, then a DBM or cdb file would be more
       efficient than a linear search. If you are handling several domains,
       you will have to extend this configuration to cope appropriately.


Q0415: Can I use my existing alias files and forward files as well as procmail
       and effectively drop in Exim in place of Sendmail ?

A0415: Yes, as long as your alias and forward files don't assume that pipes are
       going to run under a shell. If they do, you either have to change them,
       or configure Exim to use a shell (which it doesn't by default).


Q0416: What is quickest way to set up Exim so any message sent to a
       non-existing user would bounce back with a different message, based
       on the name of non-existing user?

A0416: Place this router last, so that it catches any local addresses that
       are not otherwise handled:

==>      non_exist:
           driver = accept
           transport = non_exist_reply
           no_verify

       Then add the following transport to the transports section:

==>      non_exist_reply:
           driver = autoreply
           user = exim
           to = $sender_address
           subject = User does not exist
           text = You sent mail to $local_part. That's not a valid user here. \
                  The subject was: $subject.

       If you want to pick up a message from a file, you can use the \file\
       option (use \file_expand\ if you want its contents expanded).


Q0417: What do I need to do to make Exim handle \(/usr/ucb/vacation)\ processing
       automatically, so that people could just create a \(.vacation.msg)\ file in
       their home directory and not have to edit their \(.forward)\ file?

A0417: Add a new router like this, immediately before the normal \%localuser%\
       router:

==>      vacation:
           driver = accept
           check_local_user
           require_files = $home/.vacation.msg
           transport = vacation_transport
           unseen

       and a matching new transport like this:

==>      vacation_transport:
           driver = pipe
           command = /usr/ucb/vacation $local_part

       However, some versions of \(/usr/ucb/vacation)\ do not work properly unless
       the DBM file(s) it uses are created in advance - it won't create them
       itself. You also need a way of removing them when the vacation is over.

       Another possibility is to use a fixed filter file which is run whenever
       \(.vacation.msg)\ exists, for example:

==>      vacation:
           driver = redirect
           check_local_user
           require_files = $home/.vacation.msg
           file = /some/central/filter
           allow_filter

       The filter file should use the \"if personal"\ check before sending mail,
       to avoid generating automatic responses to mailing lists. If sending a
       message is all that it does, this doesn't count as a ``significant''
       delivery, so the original message goes on to be delivered as normal.

       Yet another possibility is to make use of Exim's \%autoreply%\ transport,
       and not use \(/usr/ucb/vacation)\ at all.


Q0418: I want to use a default entry in my alias file to handle unknown local
       parts, but it picks up the local parts that the aliases generate. For
       example, if the alias file is

==>      luke.skywalker: luke
         ls: luke
         *: postmaster

       then messages addressed to \/luke.skywalker/\ end up at \/postmaster/\.

A0418: The default mechanism works best with virtual domains, where the
       generated address is not in the same domain. If you just want to pick up
       all unknown local parts and send them to postmaster, an easier way to do
       it is to put this as your last router:

==>      unknown:
           driver = redirect
           data = postmaster
           no_verify

       Another possibility is to put the redirect router for these aliases
       after all the other routers, so that local parts which are user names
       get picked off first. You will need to have two aliasing routers if
       there are some local parts (e.g. \/root/\) which are login names, but which
       you want to handle as aliases.


Q0419: I have some obsolete domains which people have been warned not to use
       any more. How can I arrange to delete any mail that is sent to them?

A0419: To reject them at SMTP time, with a customized error message, place
       statments like this in the ACL:

==>      deny message = The domain $domain is obsolete
              domains = lsearch;/etc/exim/obsolete.domains

       For messages that don't arrive over SMTP, you can use a router like
       this to bounce them:

==>      obsolete:
           driver = redirect
           domains = lsearch;/etc/exim/obsolete.domains
           allow_fail
           data = :fail: the domain $domain is obsolete

       If you just want to throw away mail to those domains, accept them at
       SMTP time, and use a router like this:

==>      obsolete:
           domains = lsearch;/etc/exim/obsolete.domains
           data = :blackhole:


Q0420: How can I arrange that mail addressed to \(anything@something.mydomain.com)\
       gets delivered to \(something@mydomain.com)\?

A0420: Set up a router like this:

==>      user_from_domain:
           driver = redirect
           data = ${if match{$domain}{\N^(.+)\.mydomain\.com$\N}\
             {$1@mydomain.com}}


Q0421: I can't get a regular expression to work in a \local_parts\ option on
       one of my routers.

A0421: Have you remembered to protect any backslash and dollar characters in
       your regex from unwanted expansion? The easiest way is to use the
       \"@\N"\ facility, like this:

==>      local_parts = \N^0740\d{6}\N


Q0422: How can I arrange for all addresses in a group of domains \(*.example.com)\
       to share the same alias file? I have a number of such groups.

A0422: For a single group you could just hard wire the file name into a router
       that had

==>      domains = *.example.com

       set, to restrict it to the relevant domains. For a number of such groups
       you can create a file containing the domains, like this:

==>      *.example1.com    example1.com
         *.example2.com    example2.com
         ...

       Then create a router like this

==>      domain_aliases:
           driver = redirect
           domains = partial-lsearch;/that/file
           data = ${lookup{$local_part}lsearch*{/etc/aliases.d/$domain_data}}

       The variable \$domain_data$\ contains the data that was looked up when the
       \domains\ option was matched, i.e. \"example1.com"\, \"example2.com"\, etc.
       in this case.


Q0423: Some of our users have no home directories; the field in the password
       file contains \(/no/home/dir)\. This causes the error \*failed to stat
       /no/home/dir (No such file or directory)*\ when Exim tries to look for a
       \(.forward file)\, and the delivery is deferred.

A0423: There are two issues involved here:

       (1) With the default configuration, you are asking Exim to check for a
       \(.forward)\ file in the user's home directory. If no file is found,
       Exim tries to \^^stat()^^\ the home directory. This is so that it will
       notice a missing NFS home directory, and not treat it as if the
       \(.forward)\ file did not exist. This \^^stat()^^\ is failing when the
       home directory really doesn't exist. You should arrange for the
       \%userforward%\ router not to run for these special users, by adding
       this line:

==>      condition = ${if eq {$home}{/no/home/dir}{no}{yes}}

       (2) If you use \check_local_user\ on another router to route to a local
       transport (again, this is what is in the default configuration), you
       will also have to specify a current directory for the transport, because
       by default it makes the home directory current. This is easily done by
       adding

==>      current_directory = /

       to the transport or

==>      transport_current_directory = /

       to the router. Or you can add \home_directory\ to the transport, because
       the current directory defaults to the home directory.


Q0424: How can I disable Exim's de-duplication features? I want it to do two
       deliveries if two different aliases expand to the same address.

A0424: This is not possible. Duplication has other ramifications other than
       just (in)convenience. Consider:

         . Message is addressed to A and to B.

         . Both A and B are aliased to C.

         . Without de-duplication, two deliveries to C are scheduled.

         . One delivery happens, Exim records that it has delivered the message
           to C.

         . The next delivery fails (C's mailbox is over quota, say).

       Next time round, Exim wants to know if it has already delivered to C or
       not, before scheduling a new delivery. Has it? Obviously, if duplicate
       deliveries are supported, it has to remember not only that it has
       delivered to C but also the ``history'' of how that delivery happened - in
       effect an ancestry list back to the original envelope address. This it
       does not do, and changing it to work in that way would be a lot of work
       and a big upheaval.

       The best way to get duplicate deliveries if you want them is not to use
       aliases, but to route the addresses directly to a transport, e.g.

==>    duplicates:
         driver = accept
         local_parts = lsearch;/etc/list/of/special/local/parts
         transport = local_delivery
         user = exim


Q0425: My users' mailboxes are distributed between several servers according to
       the first letter of the user name. All the servers receive incoming mail
       at random. I would like to have the same configuration file for all the
       servers, which does local delivery for the mailboxes it holds, and sends
       other addresses to the correct other server. Is this possible?

A0425: It is easiest if you arrange for all the users to have password entries
       on all the servers. This means that non-existent users can be detected
       at the first server they reach. Set up a file containing a mapping from
       the first letter of the user names to the servers where their mailboxes
       are held. For example:

==>      a: server1
         b: server1
         c: server2
         ...

       Before the normal \%localuser%\ router, place the following router:

==>      mailbox_host:
           driver = manualroute
           check_local_user
           transport = remote_smtp
           route_list = * ${lookup{${substr_0_1:$local_part}}lsearch{/etc/mapfile}}
           self = pass

       This router checks for a local account, then looks up the host from the
       first character of the local part. If the host is not the local host,
       the address is routed to the \%remote_smtp%\ transport, and sent to the
       correct host. If the host is the local host, the \self\ option causes
       the router to pass the address to the next router, which does a local
       delivery.

       The router is skipped for local parts that are not the names of local
       users, and so these addresses fail.


Q0426: One of the things I want to set up is for \(anything@onedomain)\ to forward
       to \(anything@anotherdomain)\. I tried adding \($local_part@anotherdomain)\ to
       my aliases but it did not expand - it sent it to that literal address.

A0426: If you want to do it that way, you can use the \"expand"\ operator on
       the lookup used in the data option of the redirect router. For example:

==>      data = ${expand:${lookup{$local_part}lsearch*{/etc/aliases}}}

       Another approach is to use a router like this:

==>      forwarddomain:
           driver = redirect
           domains = onedomain
           data = $local_part@anotherdomain

       The value of \data\ can, of course, be more complicated, involving
       lookups etc. if you have lots of different cases.


Q0427: How can I have an address looked up in two different alias files, and
       delivered to all the addresses that are found?

A0427: Use a router like this:

==>      multi_aliases:
           driver = redirect
           data = ${lookup{$local_part}lsearch{/etc/aliases1}\
             {$value${lookup{$local_part}lsearch{/etc/aliases2}{,$value}}}\
             {${lookup{$local_part}lsearch{/etc/aliases2}{$value}fail}}}\

       If the first lookup succeeds, the result is its data, followed by the
       data from the second lookup, if any, separated by a comma. If the first
       lookup fails, the result is the data from the third lookup (which also
       looks in the second file), but if this also fails, the entire expansion
       is forced to fail, thereby causing the router to decline.

       Another approach is to use two routers, with the first re-generating the
       original local part when it succeeds. This won't get processed by the
       same router again. For example:

==>      multi_aliases1:
           driver = redirect
           data = ${lookup{$local_part}lsearch{/etc/aliases1}{$value,$local_part}}

==>      multi_aliases2:
           data = ${lookup{$local_part}lsearch{/etc/aliases2}}

       This scales more easily to three or more alias files.


Q0428: I've converted from Sendmail, and I notice that Exim doesn't make use
       of the \"owner-"\ entries in my alias file to change the sender address in
       outgoing messages to a mailing list.

A0428: If you have an alias file with entries like this:

==>      somelist:        a@b, c@d, ...
         owner-somelist:  postmaster

       Sendmail assumes that the second entry specifies a new sender address
       for the first. Exim does not make this assumption. However, you can make
       it take the same action, by adding

==>      errors_to = owner-$local_part@whatever.domain

       to the configuration for your aliasing router. This is fail-safe,
       because Exim verifies a new sender address before using it. Thus, the
       change of sender address occurs only when the owner entry exists.


Q0429: I would like to deliver mail addressed to a given domain to local
       mailboxes, but also to generate messages to the envelope senders.

A0429: You can do this with an ``unseen'' router and an \%autoreply%\ transport,
       along the following lines:

==>      # Router
         auto_warning_r:
           driver = accept
           check_local_user
           domains = <domains you want to do this for>
           condition = ${if eq{$sender_address}{}{no}{yes}}
           transport = warning_t
           no_verify
           unseen

       Place this router immediately before the normal \%localuser%\ router. The
       \unseen\ option means that the address is still passed on to the next
       router. The transport is configured like this:

==>      # Transport
         warning_t:
           driver = autoreply
           file = /usr/local/mail/warning.txt
           file_expand
           from = postmaster@your.domain
           to = $sender_address
           user = exim
           subject = Re: Your mail to $local_part@$domain

       Note the use of the \condition\ option to avoid attempting to send a
       message when there is no sender (that is, when the incoming message is a
       bounce message). You can of course extend this to include other
       conditions. If you want to log the sending of messages, you can add

==>      log = /some/file

       to the transport and also make use of the \once\ option if you want to
       send only one message to each sender.


Q0430: Whenever Exim tries to route a local address, it gives a permission
       denied error for the \(.forward)\ file, like this:

==>      1998-08-10 16:55:32 0z5y2W-0000B8-00 == xxxx@yyy.zzz <xxxx@yyy.zz>
           D=userforward defer (-1): failed to open /home/xxxx/.forward
           (userforward router): Permission denied (euid=1234 egid=101)

A0430: Have you remembered to make Exim setuid \/root/\?


Q0431: How do I configure Exim to allow arbitrary extensions in local parts, of
       the form \/+extension/\?

A0431: Add this pre-condition to the relevant router:

==>      local_part_suffix = +*

       If you want the extensions to be optional, also add the option

==>      local_part_suffix_optional

       When the router runs, \$local_part$\ contains the local part with the
       extension removed, and the extension (if any) is in \$local_part_suffix$\.
       If you have set \check_local_user\, the test is carried out after the
       extension is removed.


Q0432: I use NIS for my user data. How can I stop Exim rejecting mail when my
       NIS servers are being restarted?

A0432: Exim doesn't know that you are using NIS; it just calls the \^^getpwnam()^^\
       function, which is routed by nsswitch. Unfortunately, \^^getpwnam()^^\
       was never designed to be routed through NIS, and it returns NULL if the
       entry is not found or if the connection to the NIS server fails. This
       means that Exim cannot tell the difference between ``no such user'' and
       ``NIS is down''.

       Crutches to help with this problem are \finduser_retries\ in Exim, and
       \^nscd^\ on the Unix side, but they are not perfect, and mail can still
       be lost. However, Nico Erfurth pointed out that you can create a router
       for Exim that tests for the availability of NIS, and force a defer if
       NIS is not running:

==>      check_nis:
            driver = redirect
            data = ${lookup {$local_part} nis {passwd}{}}

       This should be placed before any router that makes any use of NIS,
       typically at the start of your local routers. How does it work? If
       your NIS server is reachable, the lookup will take place, and whether it
       succeeds or fails, the result is an empty string. This causes the
       router to decline, and the address is passed to the following routers.
       If your NIS server is down, the lookup defers, and this causes the
       router to defer. A verification of an incoming address gets a temporary
       rejection, and a delivery is deferred till later.


Q0433: How can I arrange for a single address to be processed by both
       \%redirect%\ and \%accept%\?

A0433: Check out the \unseen\ option.


Q0434: How can I redirect all local parts that are not in my system aliases to
       a single address? I tried using an asterisk in the system alias file
       with an \"lsearch*"\ lookup, but that sent all messages to the
       default address.

A0434: If your alias file generates addresses in the local domain, they are
       also processed as a potential aliases. For example, suppose this is your
       alias file:

==>      caesar:   jc
         anthony:  ma
         *:        brutus

       The local part \/caesar/\ is aliased to \/jc/\, but that address is then
       reprocessed by the routers. As the address is in the local domain, the
       alias file is again consulted, and this time the default matches. In
       fact after the second aliasing, \/brutus/\ is also processed again from
       the start, and is aliased to itself. However, this happens only once,
       because the next time, Exim notices that the aliasing router has already
       processed \/brutus/\, so the router is skipped in order to avoid
       looping.

       There are several ways of solving this problem; which one you use
       depends on your aliasing data.

       (1) If the result of aliasing is always a local user name, that is,
           aliasing never generates another alias, you can use the
           \redirect_router\ option on the router to specify that processing
           the generated addresses must start at the next router. For example:

==>          redirect_router = userforward

           assuming that the next router is called \%userforward%\. This
           ensures that there is at most one pass through the aliasing router.

       (2) If you cannot rely on aliases generating non-aliases, it is often
           easier not to use a default alias, but instead to place a router
           such as the one below after all the other local routers (for the
           relevant domains):

==>          catch_unknown:
               driver = redirect
               domains = ...
               data = brutus@$domain

       Note that the default aliasing technique works more successfully for
       virtual domains (see Q0401) because the generated address for the
       default is not usually in the same virtual domain as the incoming
       address.


Q0435: My alias file contains fully qualified addresses as keys, and some
       wildcard domains in the form @foo.bar. Can Exim handle these?

A0435: You can handle fully qualified addresses with this router:

==>      qualified_aliases:
           driver = redirect
           data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}}

       (Add any other options you need for the \%redirect%\ router.) Place this
       router either before or after the default aliases router that looks up
       the local part only. (Or, if you have no unqualified aliases, replace
       the default router.)

       To handle wildcards in the form @foo.bar you will need yet another
       router. (Wildcards of the form *@foo.bar can be handled by an lsearch*@
       lookup.) Something like this:

==>      wildcard_aliases:
           driver = redirect
           data = ${lookup{@$domain}lsearch{/etc/aliases}}

       Place this after the routers that handle the more specific aliases.



5. FILTERING

Q0501: My filter isn't working. How can I test it?

A0501: Use the \-bf-\ option (\-bF-\ for a system filter) to test the basic operation
       of your filter. You can request debugging information for filtering only
       by adding \"-d-all+filter"\ to the command.


Q0502: What I really need is the ability to obtain the result of a pipe
       command so that I can filter externally and redirect internally. Is
       this possible?

A0502: The result of a pipe command is not available to a filter, because Exim
       does not run any actual deliveries while filtering. It just sets up
       deliveries at this time. They all actually happen later. If you want to
       run pipes and examine their results, you need to set up a single
       delivery to a delivery agent such as \^procmail^\ which provides this kind
       of facility.

       An possible alternative is to use the \"${run"\ expansion item to run an
       external command while filtering. In this case, you can make use of some
       of the results of the command.


Q0503: I received a message with a ::Subject:: line that contained a non-printing
       character (a carriage return). This messed up my filter file. Is there a
       way to get round it?

A0503: Instead of \"$h_subject:"\ use \"${escape:$h_subject:}"\


Q0504: I want to search for \"$"\ in the subject line, but I can't seem to get
       the syntax.

A0504: Try one of these:

==>      if $h_subject: contains \$ then ...
         if $h_subject: contains "\\$" then ...


Q0505: My problem is that Exim replaces \$local_part$\ with an empty string in the
       system filtering. What's wrong or what did I miss?

A0505: A message may have many recipients. The system filter is run just once
       at the start of a delivery attempt. Consequently, it does not make sense
       to set \$local_part$\. Which recipient should it be set to? However, you
       can access all the recipients from a system filter via the variable
       called \$recipients$\.


Q0506: Using \$recipients$\ in a system filter gives me another problem: how can
       I do a string lookup if \$recipients$\ is a list of addresses?

A0506: Check out the section of the filter specification called \*Testing a list of
       addresses*\. If that doesn't help, you may have to resort to calling an
       embedded Perl interpreter - but that is expensive.


Q0507: What are the main differences between using an Exim filter and using
       \^procmail^\?

A0507: Exim filters and \^procmail^\ provide different facilities. Exim filters run
       at routing time, before any deliveries are done. A filter is like a
       ``\(.forward)\ file with conditions''. One of the benefits is de-duplication.
       Another is that if you forward, you are forwarding the original message.

       However, this does mean that pipes etc. are not run at filtering time,
       nor can you change the headers, because the message may have other
       recipients and Exim keeps only a single set of headers.

       \^procmail^\ runs at delivery time. This is for one recipient only, and so
       it can change headers, run pipes and check the results, etc. However, if
       it wants to forward, it has to create a new message containing a copy
       of the original message.

       It's your choice as to which of these you use. You can of course use
       both.


Q0508: How can I allow the use of relative paths in users' filter files when
       the directories concerned are not available from the password data?

A0508: You need to be running Exim 4.11 or later. You can then specify a value
       for \$home$\ by setting the router_home_directory option on the
       \%redirect%\ router.

       For earlier releases, there is no way to specify the value of \$home$\
       for a \%redirect%\ router; it either comes from the password data as a
       result of \check_local_user\, or is unset.


Q0509: How can I set up a filter file to detect and block virus attachments?

A0509: Exim's filter facilities aren't powerful enough to do much more than
       very crude testing. Most people that want virus checking are nowadays
       using one of the separate scanning programs such as \^exiscan^\ (see
       \?http://duncanthrax.net/exiscan/?\). There is some further information
       about scanning with Exim via \?http://www.timj.co.uk/linux/exim.php?\.


Q0510: Is it possible to write code for scanning messages in Python?

A0510: \^elspy^\ is a layer of glue code that enables you to write Python code
       to scan email messages at SMTP time. \^elspy^\ also includes a small
       Python library with common mail-scanning tools, including an interface
       to SpamAssassin and a simple but effective virus detector. You can
       optain \^elspy^\ from \?http://elspy.sourceforge.net/?\.


Q0511: Whenever my system filter uses a \mail\ command to send a message, I get
       the error \*User 0 set for address_reply transport is on the never_users
       list*\. What does this mean?

A0511: The system filter runs as \/root/\ in Exim 4, unless you set
       \system_filter_user\ to specify otherwise. When you set up a delivery
       direct from a system filter (an autoreply is a special kind of
       ``delivery'') the transport runs as the same user, unless it has a
       \user\ setting of its own. Normally, deliveries are not allowed to run
       as \/root/\ as a security precaution; this is implemented by the
       \never_users\ option (see Q0039).

       The easiest solution is to add this to your configuration:

==>      system_filter_user = exim

       The system filter then runs as \/exim/\ instead of \/root/\.
       Alternatively, you can arrange for autoreplies from the system filter to
       use a special transport of their own, and set the \user\ option on that
       transport.


Q0512: I'm trying to reference the ::Envelope-To:: header in my filter, but
       \$h_envelope-to:$\ is always empty.

A0512: ::Envelope-To:: is added at delivery time, by the transport. Therefore,
       the header doesn't exist at filter time. In a user filter, the values
       you probably want are in \$original_local_part$\ and
       \$original_domain$\. In a system filter, the complete list of all
       envelope recipients is in \$recipients$\.


Q0513: I want my system filter to freeze all mails greater than 500K in size,
       but to exclude those to a specific domain. However, I don't seem to be
       able to use \$domain$\ in a system filter.

A0513: You cannot do this in a system filter, because a single message may have
       multiple recipients, some in the special domain, and some not. That is
       also the reason why \$domain$\ is not set in a system filter.

       If you want to take actions on a per-recipient basis, you have to do it
       in a router. However, freezing is not appropriate, because freezing
       stops all deliveries. You could, however, delay delivery to all but the
       special domains by using something like this:

==>      delay_if_too_big:
           driver = redirect
           domains = !the.special.domain
           condition = ${if >{$message_size}{500K}{yes}{no}}
           allow_defer
           data = :defer: message too big.

       However, there isn't an easy way of ``releasing'' such messages at
       present.


Q0514: When I try to send to two addresses I get an error in the filter
       file \*malformed address: , e@fgh.com may not follow a@bcd.com*\. What
       is going on?

A0514: Have you got

==>      deliver "a@bcd.com, e@fgh.com"

       in your filter? If so, that is your problem. You should have

==>      deliver a@bcd.com
         deliver e@fgh.com

       Each \deliver\ command expects just one address.



6. DELIVERY

Q0601: What does the error \*Neither the xxx router nor the yyy transport set
       a uid for local delivery of...*\ mean?

A0601: Whenever Exim does a local delivery, it runs a process under a specific
       user and group id (uid and gid). For deliveries into mailboxes, and to
       pipes and files set up by forwarding, it normally picks up the uid/gid
       of the receiving user. However, if an address is directed to a pipe or a
       file by some other means, such an entry in the system alias file of the
       form

==>      majordomo: |/local/mail/majordomo ...

       then Exim has to be told what uid/gid to use for the delivery. This can
       be done either on the routerr that handles the address, or on the
       transport that actually does the delivery. If a pipe is going to run a
       setuid program, then it doesn't matter what uid Exim starts it out with,
       and so the most straightforward thing is to put

==>      user = exim

       on either the router or the transport. A setting on the transport
       overrides a setting on the router, so if the same transport is being
       used with several routers, you should set the user on it only if you
       want the same uid to be used in all cases.

       In the default configuration, the transports used for file and pipe
       deliveries are the ones called \address_file\ and \address_pipe\. You
       can specify different transports by setting, for example,

==>      pipe_transport = special_pipe_transport

       on the \%system_aliases%\ router. Then you can set up \%special_pipe_transport%\

==>      special_pipe_transport:
           driver = pipe
           user = ????

       which will be used only for pipe deliveries from that one router.
       What you put for the ???? is up to you, and depends on the particular
       circumstances.


Q0602: Exim keeps crashing with segmentation errors (signal 11 or 139) during
       delivery. This seems to happen when it is about to contact a remote
       host or when a delivery is deferred.

A0602: This could be a problem with Exim's databases. Try running a delivery
       with debugging turned on. If the last line of the debug output is
       something like this:

==>      locked /var/spool/exim/db/retry.lockfile

       the crash is happening inside the DBM library. Check that your DBM
       library is correctly installed. In particular, if you have installed a
       second DBM library onto a system that already had one, check that its
       version of \(ndbm.h)\ is being seen first. For example, if the new
       version is in \(/usr/local/include)\, check that there isn't another
       version in \(/usr/include)\. If you are using Berkeley db, you can set

==>      USE_DB=yes

       in your \(Local/Makefile)\ to avoid using \(ndbm.h)\ altogether. This is
       particularly relevant for version 2 (or later) of Berkeley db, because
       no \(ndbm.h)\ file is distributed with it. Another thing you can try is
       to run

==>      exim_dumpdb /var/spool/exim retry

       to see if it also crashes, or build the \^test_dbfn^\ tool and fiddle
       around with it. If both fail, it is most almost certainly a problem with
       your DBM library. You could try to update it, or force Exim to use
       another library. See the file \(doc/dbm.discuss.txt)\ for hints about
       this.


Q0603: How can mails that are being routed through routers that do not set
       \check_local_user\ be delivered under the uid of the recipient?

A0603: Q0601 contains background information on this. If you are using, say, an
       alias file to direct messages to specific mailboxes, you can use
       the \user\ option on either the router or the transport to set the uid.
       What you put in the setting depends on how the required uid is to be
       found. It could be looked up in a file or computed somehow from the
       local part, for example.


Q0604: I want to use MMDF-style mailboxes. How can I get Exim to append the
       ctrl-A characters that separate indvidual emails?

A0604: Set the \message_suffix\ option in the \%appendfile%\ transport. In fact,
       for MMDF mailboxes you need a prefix as well as a suffix to get it
       working right, so your transport should contain these settings:

==>      message_prefix = "\1\1\1\1\n"
         message_suffix = "\1\1\1\1\n"

       Also, you need to change the \check_string\ and \escape_string\ settings so
       that the escaping happens for lines in the message that happen to begin
       with the MMDF prefix or suffix string, rather than ``From'' (the default):

==>      check_string  = "\1\1\1\1\n"
         escape_string = "\1\1\1\1 \n"

       Adding a space to the line is sufficient to prevent it being taken as a
       separator.


Q0605: If a user's mailbox is over quota, is there a way for me to set it up so
       that the mail bounces to the sender and is not stored in the mail queue?

A0605: In the retry section of the configuration, put

==>      *@your.dom.ain        quota

       That is, provide no retry timings for over quota errors. They will then
       bounce immediately. Alternatively, you can set up retries for a short
       time only, or use something like this:

==>      *@your.dom.ain        quota_7d
         *@your.dom.ain        quota       F,2h,15m; F,3d,1h

       which bounces immediately if the user's mailbox hasn't been read for 7
       days, but otherwise tries for up to 3 days after the first quota
       failure.


Q0606: I'm using tmail to do local deliveries, but when I turned on the
       \use_crlf\ option on the \%pipe%\ transport (tmail prefers \"@\r@\n"\
       terminations) message bodies started to vanish.

A0606: You need to unset the \mesage_prefix\ option, or change it so that its
       default \"@\n"\ terminator becomes \"@\r@\n"\. For example, the
       transport could be:

==>      local_delivery_mbx:
           driver = pipe
           command = /usr/local/bin/tmail $local_part
           user = exim
           current_directory = /
           use_crlf
           message_prefix =

       The reason for this is as follows: tmail uses the line terminator on
       the first line it sees to determine whether lines are terminated by
       \"@\r@\n"\ or \"@\n"\. If the latter, it moans to stderr and changes subsequent
       \"@\n"\ terminators to \"@\r@\n"\. The default setting of the \message_prefix\
       option is \"From ...@\n"\, and this is unaffected by the \use_crlf\ option.
       If you don't change this, tmail sees the first line terminated by
       \"@\n"\ and prepends \"@\r"\ to the \"@\n"\ terminator on all subsequent
       lines. However, if \use_crlf\ is set, Exim makes all other lines
       \"@\r@\n"\ terminated, leading to doubled \"@\r@\r@\n"\ lines and
       corrupt mbx mailboxes.


Q0607: When I activate ``return receipt'' for example in Netscape Mailbox
       sending options, then I get an error message from Exim... something
       like \*not supported*\. Can I activate delivery confirmations?

A0607: Exim does not support any kind of delivery notification.

       (1) You can configure it to recognize headers such as
       \Return-receipt-to:\ if you wish.

       (2) Some people want MSN (message status notification). Such services
       are implemented in MUAs, and don't impact on the MTA at all.

       (3) I investigated the RFCs which describe the DSN (delivery status
       notification) system. However, I was unable to specify any sensible way
       of actually doing anything with the data. There were comments on the
       mailing list at the time; many people, including me, conclude that DSN
       is in practice unworkable. The killer problem is with forwarding and
       aliasing. Do you propagate the DSN data with the generated addresses?
       Do you send back a ``reached end of the DSN world'' or ``expanded'' message?
       Do you do this differently for different kinds of aliasing/forwarding?
       For a user who has a \(.forward)\ file with a single address in, this
       might seem easy - just propagate the data. But what if there are several
       forwardings? If you propagate the DSN data, the sender may get back
       several DSN messages - and should the sender really know about the
       detail of the receiver's forwarding arrangements? There isn't really
       any way to distinguish between a \(.forward)\ file that is forwarding
       and one that is a mini mailing list. And so on, and so on. There are so
       many questions that don't have obvious answers.


Q0608: What does the message \*retry time not reached [for any host]*\ on the log
       mean? Why won't Exim try to deliver the message?

A0608: That is not an error. It means exactly what it says. A previous attempt
       to deliver to that address failed with a temporary error, and Exim
       computed the earliest time at which to try again. This can apply to
       local as well as to remote deliveries. For remote deliveries, each host
       (if there are several) has its own retry time.

       If you are running on a dial-up host, the rest of this answer probably
       does not apply to you. Go and read Q1404 instead. If your host is
       permanently online, read on...

       Some MTAs have a retrying schedule for each message. Exim does not work
       like this. Retry timing is normally host-based for remote deliveries and
       address-based for local deliveries. (There are some exceptions for certain
       kinds of remote failure - see \*Errors in outgoing SMTP*\ in the manual.)

       If a new message arrives for a failing address and the retry time has
       not yet arrived, Exim will log \*retry time not reached*\ and leave the
       message on the queue, without attempting delivery. Similarly, if a queue
       runner notices the message before the time to retry has arrived, it
       writes the same log entry. When the retry time has past, Exim attempts
       delivery at the next queue run. If you want to know when that will be,
       run the exinext utility on the address, for example:

==>      exinext user@some.domain

       You can suppress these messages on the log by including \"-retry_defer"\
       in the setting of \log_selector\. You can force a delivery attempt on a
       specific message (overriding the retry time) by means of the -M option:

==>      exim -M 10hCET-0000Bf-00

       If you want to do this for the entire queue, use the \-qf-\ option.


Q0609: Exim seems to be sending the same message twice, according to the log,
       although there is a difference in capitalization of the local part of
       the address.

A0609: That is correct. The RFCs are explicit in stating that capitalization
       matters for local parts. For remote domains, Exim is not entitled to
       assume case independence of local parts. I know, it is utterly silly,
       and it causes a lot of grief, but that's what the rules say. Here is a
       quote from RFC 2821:

         ... a command verb, an argument value other than a mailbox local-part,
         and free form text MAY be encoded in upper case, lower case, or any
         mixture of upper and lower case with no impact on its meaning.  This
         is NOT true of a mailbox local-part.  The local-part of a mailbox
         MUST BE treated as case sensitive.  Therefore, SMTP implementations
         MUST take care to preserve the case of mailbox local-parts.  Mailbox
         domains are not case sensitive.  In particular, for some hosts the
         user "smith" is different from the user "Smith".  However, exploiting
         the case sensitivity of mailbox local-parts impedes interoperability
         and is discouraged.


Q0610: How can I force the next retry time for a host to be now?

A0610: You can change the retry time with the \^exim_fixdb^\ utility, but its
       interface is very clumsy. If you have a message for the host on the
       queue, the simplest thing to do is to force a delivery with the \-M-\
       command line option. If delivery succeeds, the retry data will get
       cleared. If the host is past the cutoff time, so that messages are
       bouncing immediately without trying a delivery, you can use \-odq-\ to
       put a message on the queue without a delivery attempt, and then use
       \-M-\ on it.


Q0611: I set up \"|/bin/grep Subject|/usr/bin/smbclient -M <netbiosname>"\ as an
       alias but it doesn't work.

A0611: That is a shell command line. Exim does not run pipe commands under a
       shell by default (for added security - and it saves a process). You
       need something like

==>      "|/bin/sh -c '/bin/grep Subject|/usr/bin/smbclient -M <netbiosname>'"


Q0612: Why does the \%pipe%\ transport add a line starting with \">From"\ to
       messages?

A0612: Actually, it adds a line starting with \"From"\ followed by a space.
       This is commonly referred to as the \"From_"\ line, to emphasize the
       fact that \"From"\ is followed by a space and not a colon. This is a
       pseudo-header line that contains the envelope sender address and the
       time of delivery. It originated as a separator line in Berkeley format
       mailboxes, but is also used in other contexts. (And yes, it is often
       confused with the ::From:: header line, and this causes a lot of grief.
       The use of \"From_"\ was one of the really bad email design decisions.)

       Exim's \%pipe%\ transport adds this pseudo-header line by default
       because \(/usr/ucb/vacation)\ needs it, and that is one of the the most
       common uses of piping. The \^procmail^\ local delivery agent also makes
       use of the \"From_"\ line. If you do not want it, change the setting of
       \message_prefix\ on the \%pipe%\ transport. For example, to remove the
       line altogether, use

==>      message_prefix =

       If you are not piping to \(/usr/ucb/vacation)\ or \^procmail^\, it is
       likely that you do not need a \"From_"\ line, and indeed it may cause
       problems if it is present.

       One user reported that this line gave trouble when a pipe was used to
       send messages to Courier's \^deliverquota^\ program. The line was
       retained with the message, and caused problems for MS Exchange 2000 when
       retrieving messages with its built-in POP collector. Specifically, it
       caused Exchange to not be able to recognise message attachments.


Q0613: I have set \fallback_hosts\ on my \%smtp%\ transport, but after the error
       \*sem@chat.ru cannot be resolved at this time*\ Exim isn't using them.

A0613: \fallback_hosts\ works only if an attempt at delivery to the original
       host(s) fails. In this case, Exim couldn't even resolve the domain
       \(chat.ru)\ to discover what the original hosts were, so it never got as far
       as the transport. However, see Q0315 for a possible solution.


Q0614: After the holidays my ISP has always hundreds of e-mails waiting for me.
       These are forced down Exim's throat in one go. Exim spawns a lot of
       kids, but is there some limit to the number of processes it creates?

A0614: Unless you have changed \smtp_accept_queue_per_connection\ it should
       spawn only that many processes per connection (default 10). Your ISP
       may be making many connections, of course. That is limited by
       \smtp_accept_max\.


Q0615: When a message in the queue got to 12h old, Exim wrote \*retry timeout
       exceeded*\ and removed all messages in the queue to this host - even
       recent messages. How I can avoid this behaviour? I only want to remove
       messages that have exceeded the maximum retry time.

A0615: Exim's retrying is host-based rather than message-based. The philosophy
       is that if a host has been down for a very long time, there is no point
       in keeping messages hanging around. However, you might like to check
       out \delay_after_cutoff\ in the \%smtp%\ transport. It doesn't do what you
       want, but it might help.


Q0616: Can Exim add a ::Content-Length:: header to messages it delivers?

A0616: You could include something like

==>      headers_remove = "content-length"
         headers_add = "Content-Length: $message_body_size"

       to the \%appendfile%\ transport. However, the use of ::Content-Length:: can
       cause several problems, and is not recommended unless you really know
       what you are doing. There is a discussion of the problems in
       \?http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/content-length.html?\.


Q0617: Exim seems to be trying to deliver a message every 10 minutes, though
       the retry rules specify longer times after a while, because it is
       writing a log entry every time, like this:

==>    1999-08-26 14:51:19 11IVsE-000MuP-00 == example@example.com T=smtp defer
       (-34): some host address lookups failed and retry time not reached for
       other hosts or connection limit reached

A0617: It is looking at the message every 10 minutes, but it isn't actually
       trying to deliver. It's looking up \(example.com)\ in the DNS and finding
       this information:

==>      example.com.                MX 10 example-com.isp.example.com.
         example.com.                MX  0 mail.example.com.
         mail.example.com.           A  202.77.183.45
         A lookup for example-com.isp.example.com. yielded NXDOMAIN

       The last line means that there is no address (A) record in the DNS for
       \(example-com.isp.example.com)\. That accounts for \*some host address
       lookups failed*\, but the retry time for \(mail.example.com)\ hasn't been
       reached, which accounts for \*retry time not reached for other hosts*\.


Q0618: I am trying to set exim up to have a automatic failover if it sees that
       the system that it is sending all mail to is down.

A0618: Add to the \%remote_smtp%\ transport the following:

==>      fallback_hosts = failover.server.name(s)

       If there are several names, they must be separated by colons.


Q0619: I can't get Exim to deliver over NFS. I get the error \*fcntl() failed:
       No locks available*\, though the lock daemon is running on the NFS server
       and other hosts are able to access it.

A0619: Check that you have \(lockd)\ running on the NFS client. This is not
       always running by default on some systems (Red Hat is believed to be one
       such system).


Q0620: Why does Exim bounce messages without even attempting delivery, giving
       the error \*retry time not reached for any host after a long failure
       period*\?

A0620: This message means that all hosts to which the message could be sent
       have been failing for so long that the end of the retry period
       (typically 4 or 5 days) has been reached. In this situation, Exim still
       computes a next time to retry, but any messages that arrive in the
       meantime are bounced straight away. You can alter this behaviour by
       unsetting the \delay_after_cutoff\ option on the smtp transport. Then Exim
       will try most messages for those hosts once before giving up.


Q0621: My \(.forward)\ file is \"|/usr/bin/procmail -f-"\ and mail gets delivered,
       but there was a bounce to the sender, sending him the output of procmail.
       How can I prevent this?

A0621: Exim's default configuration is set up like this:

==>      address_pipe:
           driver = pipe
           return_output

       The \return_output\ option requests that any output that the pipe
       produces be returned to the sender. That is the safest default. If you
       don't want this, you can either remove the option altogether, or change
       it to \return_fail_output\, to return output only if the command fails.
       Note that this will affect all pipes that users run, not just your
       procmail one. It might be better to arrange for procmail not to produce
       any output when it succeeds.


Q0622: Can I write an ordinary file when I run a perl script as a transport
       filter for the \%remote_smtp%\ and \%address_pipe%\ transports?

A0622: Yes, provided the file is writeable by the uid under which the transport
       runs (the Exim user in the case of the remote transport). However, if two
       messages are being delivered at once, their data will get mixed up in
       the file unless you implement your own locking scheme. If all you want
       to do is to take a copy of the message, another approach that avoids
       the locking problem is to use a system filter to set up an ``unseen''
       delivery to a file. If you only want the message's headers, you can
       set \message_filter_file_transport\ to point to a special \%appendfile%\
       transport that has \headers_only\ set.


Q0623: My \(/var/spool/mail)\ has grown drastically. Is there any possibility of
       using two directories?

A0623: You can use an expansion string to split mailboxes between two
       directories. For example,

==>      file = /var/spool/mail${nhash_2:$local_part}/$local_part

       which does a hash on the local part, producing either 0 or 1, thereby
       using \(mail0) or \(mail1)\. But remember, the MUAs that read these mailboxes
       also have to know where they are.


Q0624: Sendmail has a program called \^smrsh^\ that restricts what binaries
       can be run from sendmail aliases. Is there something like this in Exim ?

A0624: Check out the \allow_commands\ option in the \%pipe%\ transport.


Q0625: I wish to have large emails go out one at a time.

A0625: One possibility is to set up a router that defers all large messages,
       except in queue runs. Since queue runners deliver just one
       message at a time, if you limited the number of simultaneous queue
       runners to 1, you would get the effect you wanted. A suitable router
       might be

==>      defer_if_large_unless_queue_run:
           driver = redirect
           condition = ${if or{{queue_running}{<{$message_size}{200K}}}{no}{yes}}
           allow_defer
           data = :defer: too large for immediate delivery
           no_verify

       Of course, this would always delay any large message until the next
       queue runner, but if you run them fairly regularly, this shouldn't be a
       huge problem, and may even be desirable. Note the use of \no_verify\ to
       ensure that this router is not used when Exim is verifying addresses.


Q0626: Exim can route local parts independent of their case, but the Cyrus LMTP
       daemon requires the correct case. How can I fix this?

A0626: You need to rewrite the local part to the correct case before running
       the router that routes to Cyrus. For example, if you require all lower
       case, and your router is called \local_user\, put this router in front
       of it:

==>      lowercase_local:
           driver = redirect
           redirect_router = local_user
           domains = +local_domains
           data = ${lc:$local_part}@$domain

       The setting of \redirect_router\ causes processing of the rewritten
       address to start at the next router, instead of the first router. See
       also Q0630 and Q0414, and see C045 for a more complete Cyrus
       configuration.


Q0627: Is there a command I can send to Exim to retry all queued messages
       regardless of their retry schedule?

A0627: The \-qff-\ option starts a queue runner that forces a delivery attempt
       for all messages, including frozen ones. If you use \-qf-\, frozen
       messages are skipped.


Q0628: I have the default retry rule, which I thought meant that Exim should
       keep trying for four days, but it seems to be bouncing some messages
       immediately.

A0628: See Q0615 and Q0620.


Q0629: I'm having trouble with quotas and Courier, because Exim is not handling
       maildirsize files.

A0629: You must be using an old version of Exim; it has supported maildirsize
       files since release 4.30.


Q0630: How can I configure Exim to deliver to a Cyrus message store?

A0630: (1) The reference manual contains an example that uses pipe delivery.

       (2) Here is a transport that uses LMTP delivery, assuming that
           \$local_part$\ contains the username:

==>      cyrus_inbox:
           driver =lmtp
           user = cyrus
           socket = /var/cyrus/socket/lmtp

       (3) This is a transport that delivers direct to a non-inbox mailbox:

==>      cyrus_mailbox:
           driver = pipe
           user = $local_part
           message_prefix =
           message_suffix =
           log_fail_output
           return_output
           command = "/usr/cyrus/bin/deliver -a $local_part \
                      -m <mailbox-name> $local_part"

       This delivers to the Cyrus mailbox \"user.$local_part.<mailbox-name>"\.
       Using \"user = $local_part"\ and \"-a $local_part"\ makes it work
       without needing an explicit `p' ACL set for `anyone' on the mailbox.


Q0631: I would like to choose a retry rule based on on the sender rather than
       the recipient address. Is this possible?

A0631: Yes. In release 4.43 and later releases, you can do this directly by
       adding a third item to a retry rule of the form "senders=<address
       list>". The retry timings themselves then become the fourth item. For
       example:

==>      *   *   senders=:   F,1h,30m

       would match all bounce messages. If the address list contains white
       space, it must be enclosed in quotes. For example:

==>      a.domain  timeout  senders="x@b.dom : y@c.dom"  G,8h,10m,1.5

       If you are using an earlier release of Exim, you can still achieve the
       effect, but in a more complicated way. The address part of a retry rule
       is matched as a single-item address list. Such lists are always
       expanded, so you can use something like this:

==>      "${if eq{$sender_address}{xxx}{*@*}{no@no}}" quota F,1h,10m; ...

       If the sender address is ``xxx'', the pattern expands to ``*@*'', which
       matches all recipient addresses; if you want to, you can make this a
       more restrictive pattern. If the sender address is not ``xxx'', the
       pattern expands to ``no@no'', which is assumed to be a recipient address
       that can never match, so the retry rule is skipped.


Q0632: What does the error \*User 1 set for local_mbx_delivery transport is on
       the never_users list*\ mean?

A0632: You have configured the \%local_mbx_delivery%\ to run as the user whose
       id (uid) is 1. However, this user is on the list defined by the
       \never_users\ runtime option, or the \\FIXED_NEVER_USERS\\ compile-time
       option. These are ``safety catch'' lists; Exim refuses to deliver to any
       user that is on them. The most common use of \never_users\ is to avoid
       doing any deliveries as \/root/\, but it can contain other uids.


Q0633: Why is \$domain$\ not set in the \%smtp%\ transport?

A0633: The \%smtp%\ transport can handle several recipient addresses at once.
       This happens by default if the host lists for the addresses are
       identical. A single copy of the message is sent, using multiple \\RCPT\\
       commands to transmit multiple envelope recipients. The \$domain$\
       variable is set in the \%smtp%\ transport only if all the recipient
       addresses have the same domain. You must have a case where several
       addresses with different domains resolve to the same set of hosts.

       If you want to restrict the transport so that it handles only a single
       domain at once (but still possibly with more than one recipient), set

==>      multi_domain = false

       If you want to restrict the transport so that it handles only a single
       address at once, set

==>      max_rcpt = 1


Q0634: How can I stop a local transport from trying to access the user's home
       directory, even when the delivery is to a file that is elsewhere?

A0634: See answer (2) for Q0423.


Q0635: The log message \*error ignored*\ appears after some delivery failures.
       What does it mean?

A0635: This message is written when Exim fails to deliver a bounce message whose
       age is greater than \ignore_bounce_errors_after\. It indicates that the
       failing bounce message has been discarded.

       The same message is written after failed deliveries when a filter file
       uses the \noerror\ feature when setting up a delivery, or if a router
       has the setting

==>      errors_to = <>

       Both of these specify that delivery failures are to be discarded.



7. POLICY CONTROLS

Q0701: How do I block unwanted messages from outside my host?

A0701: Exim uses Access Control Lists (ACLs) for controlling incoming mail from
       other hosts. A whole chapter in the reference manual is devoted to
       describing how they work. A wide variety of conditions can be imposed on
       incoming messages.

       The default Exim run time configuration contains an example of an ACL
       which blocks all relaying, and messages whose senders cannot be
       verified. This example is heavily commented and worth studying.


Q0702: I don't want to block spam entirely; how can I inspect each message
       before deciding whether or not to deliver it?

A0702: Wherever possible, inspection and rejection is best done automatically
       in an ACL, that is, before the message is accepted. If you want to
       verify manually each message that is classified as spam by an automatic
       check, you can arrange for a system filter to freeze such messages after
       they have been accepted.

       If, after inspection, you decide not to deliver the message, it is
       safest to discard it, using the \-Mrm-\ option. Use of the \-Mg-\ option
       to force a bounce carries the risk of ``collateral spam'' if the sender
       address is faked (as it usually is in spam).


Q0703: How can I test that my spam blocks are working?

A0703: The \-bh-\ option allows you to run a testing SMTP session as if from a
       given IP address. For example,

==>      exim -bh 192.168.178.39

       In addition to the normal SMTP replies, it outputs commentary about
       which tests have succeeded or failed. If you are not interested in the
       details, but just want to know if a particular sender at a particular IP
       address is able to mail to a particular recipient, you can use the
       \exim_checkaccess\ utility, which provides a ``packaged'' version of
       \-bh-\. You call it like this:

==>      exim_checkaccess 192.168.53.23 recip@my.domain -f sender@some.domain

       If you don't give a sender, \"<>"\ is used (that it, it acts like a
       bounce message).


Q0704: How can I test that Exim is correctly configured to use a DNS black list
       such as the Realtime Blackhole List (RBL)?

A0704: The \-bh-\ option allows you to run a testing SMTP session as if from a
       given address. The \^exim_checkaccess^\ utility provides a more packaged
       version of this facility. You need to know a blocked IP address with
       which to test. Such a testing address is kindly provided by Russell
       Nelson:

==>      linux.crynwr.com [192.203.178.39]

       You can also send mail to \(nelson@linux.crynwr.com)\ from the server
       whose RBL block you are testing. The robot that receives that email
       will attempt to send a piece of test email in reply. If your RBL block
       didn't work, you get a message to that effect. Regardless of whether the
       RBL block succeeds or not, it emails you the results of the SMTP
       conversation from a host that is not on the RBL, so you can see how your
       server looks from the view of someone on the RBL.


Q0705: How can I use tcpwrappers in conjunction with Exim?

A0705: Exim's own control facilities can do all that tcpwrappers can do.
       However, if you are already using tcpwrappers for other things it might
       be convenient to include Exim controls in the same place.

       First of all, ensure that Exim is built to call the tcpwrappers library,
       by including \\USE_TCPWRAPPERS=yes\\ in \(Local/Makefile)\. You also need to
       ensure that the header file \(tcpd.h)\ is available at compile time, and the
       \(libwrap.a)\ library is available at link time, typically by including it in
       \\EXTRALIBS\\. You may need to copy these two files from the tcpwrappers
       build directory to, for example, \(/usr/local/include)\ and \(/usr/local/lib)\,
       respectively. Then you could reference them by

==>      CFLAGS=-I/usr/local/include
         EXTRALIBS=-L/usr/local/lib -lwrap

       in \(Local/Makefile)\. There are two ways to make use of the functionality,
       depending on how you have tcpwrappers set up. If you have it set up to
       use only one file, you ought to have something like:

==>      /etc/hosts.allow:

==>          exim : <client_list>  : <allow_or_deny>

         For example:

==>          exim : LOCAL  192.168.0.  .friendly.domain  special.host : ALLOW
             exim : ALL                                               : DENY

       This allows connections from local hosts (chiefly //localhost//), from
       the subnet 192.168.0.0/24, from all hosts in \(*.friendly.domain)\, and
       from a specific host called \(special.host)\. All other connections are
       denied. If you have tcpwrappers set up to use two files, use the
       following:

==>      /etc/hosts.allow:

==>          exim    : <client_list>

==>      /etc/hosts.deny:

==>          exim    : <client_list>

       Read the \^hosts_access^\ man page for more ways of specifying clients,
       including ports, etc., and on logging connections.


Q0706: How can I get POP-auth-before-relay (aka POP-before-SMTP) support in
       Exim?

A0706: A cleaner way of authentication is to use the SMTP AUTH facility, which
       does not require a prior use of POP. However, it is possible to do what
       you have asked for:

       Exim 4 supports the ``whoson'' (\?http://whoson.sourceforge.net?\)
       facility for doing this. If you set this up, you can do the check in an
       Exim ACL by a statement like this:

==>      require condition = \
           ${lookup whoson {$sender_host_address}{yes}{no}}

       Otherwise you need to arrange for a list of permitted IP addresses to be
       maintained in a file or database, and use this in a \hosts\ condition in
       an ACL statement. An Exim user has published this recipe:

       \#\#\#\#\?http://www.zeiss.cx/memo/computer/linux/email/exim-s-a-p.html?\

       Another Exim user submitted the following idea:

       Use a script to grab authenticated IP addresses from the log files of
       the POP3 and IMAP4 daemons. These are used to create files in the
       directory tree \(/var/db/popb4smtp)\. The existence of a file represents a
       valid ``popped recently token'' for the IP address used as the filename.

       Another script periodically removes stale files from the tree (after two
       hours).  There's a small race condition here; it's possible for a file
       to be deleted just after it has been updated by the script that watches
       the logs. For low-volume servers, the odds of hitting this window are
       low.

       A POPB4SMTP_CLIENT macro in the Exim configure file provides a reusable
       ``has this sender popped recently?'' query:

==>    POPB4SMTP_SUBDIR = /var/db/popb4smtp/${substr_-1_1:$sender_host_address}
       POPB4SMTP_CLIENT = ${if exists {POPB4SMTP_SUBDIR/$sender_host_address} \
           {$sender_host_address} {0} }

       Now you can use it just about anywhere, including in your ACLs. Simple
       examples include:

==>    hostlist relay_hosts = 127.0.0.1/32 : ... : POPB4SMTP_CLIENT
       host_lookup = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT
       rfc1413_hosts = !127.0.0.1/32 : ... : !POPB4SMTP_CLIENT

       The two scripts (and a FreeBSD startup script for them) are available
       for download at:

       \#\#\#\#\?http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz?\


Q0707: I have one or two cases where my host correctly rejects messages, but
       the remote host is quite persistent, and keeps trying over and over.

A0707: It is an unfortunate fact that a number of SMTP clients, in violation of
       the SMTP RFC, do not treat a permanent error code that is given after
       the DATA portion of the transaction as a permanent error. Consequently
       they keep resending the message, and the worst offenders do so at very
       short intervals.

       The only way to stop such behaviour is to blacklist the IP address, or
       the envelope sender, or both, in such a way that future messages get
       rejected at RCPT time instead of at DATA time. You could also complain
       to the remote host's administrators.


Q0708: How can I run customized verification checks on incoming addresses?

A0708: There are a number of possibilities:

       (1) If you can implement your checks in Perl, you can use Exim's
       facility for running an embedded Perl interpreter. For example, if you
       want to run special checks on local addresses, you could use ACL
       an statement like this:

==>      require domains = my.local.domain
                 condition = ${perl{verify}{$local_part}}

       The result of the Perl function should be ``yes'' or ``no''.

       (2) You could also run an external program in a similar way, by a
       statement such as:

==>      require domains = my.local.domain
                 condition = ${run{/my/verifier $local_part}}

       This requires the use of another process, so could prove more expensive
       than Perl.

       (3) If you are prepared to write C code, read the chapter in the manual
       entitled \*Adding a local scan function to Exim*\.


Q0709: Does Exim apply RBL checks to error messages, those with an envelope
       sender of \"<>"\ ?

A0709: This depends on the ACL configuration. You can test for bounce messages
       (by looking for an empty sender address) and thereby exclude them from
       RBL checking if you want. This ACL statement does that:

==>      deny senders = ! :
              dnslist = blackholes.mail-abuse.org

       However, some spam does come with an empty sender address, so this may
       not be a good idea.


Q0710: I want to reject certain sender-recipient combinations, with a specific
       message for each such combination.

A0710: Set up a file (or database) containing the messages, keyed by the
       combination, for example:

==>      sender1@sdomain1=>recipient1@rdomain1: blocked because...
         sender2@sdomain2=>recipient2@rdomain2: blocked because...

       If you have lots of recipients for the same sender, it might be easier
       to generate this file from more convenient data. In your ACL that is run
       for each RCPT command, you can then put:

==>      deny message   = ${lookup{$sender_address=>$local_part@$domain}\
                          lsearch{/that/file}}
              condition = ${lookup{$sender_address=>$local_part@$domain}\
                          lsearch{/that/file}{yes}{no}}

       The condition is tested first. If the lookup succeeds, the condition
       succeeds so access is denied. The message is then expanded, but the
       lookup won't be repeated, because Exim will have cached the previous
       result.

       This approach blocks only incoming SMTP messages. If you need to do
       similar blocks for messages that do not arrive over SMTP, you have to
       set up a suitable \%redirect%\ router with a \:fail:\ setting.


Q0711: Will Exim allow me to create a file of regexs and match incoming
       external email to the list - and if a match is found file the offending
       message into a special location? Also is it possible to make Exim only
       filter parts of an incoming email - e.g. ignore large MIME attachments
       for example and only process text/plain?

A0711: You can do some of this in a system filter. For example:

==>      if $message_body matches <...some complicated regex...> or
            $message_body matches <...some other regex...> or
            $header_from: matches <...regex...> or
            etc.
         then
           save /some/special/file
         endif

       or instead of \"save"\ you could have \"deliver"\ (to some address) or
       \"pipe"\ (to some script).

       There isn't any mechanism for ignoring attachments, but \$message_body$\
       only looks at the first n bytes of the body, where n defaults to 500 but
       can be changed.

       A more expensive alternative would be to run a Perl subroutine using the
       embedded Perl mechanism. If you passed over the message id, the Perl
       code could read the message files on the spool and implement any
       algorithm it liked for deciding what should be done.


Q0712: I've hacked sendmail to make an ioctl call at the time of the SMTP RCPT
       command, to check if a user has exceeded their email quota. If they have
       I issue a temporary failure and a message - can I do this with Exim?

A0712: If you can make this happen in Perl you can use the embedded Perl
       facility, and use it from a \condition\ condition in an ACL statement.
       You can also use the expansion facility to run an external program, but
       this uses more resources because it uses another process.


Q0713: I'd like to pass all messages through a virus-scanning system before
       delivery. Can Exim do this?

A0713: One way of achieving this is to deliver all messages via a pipe to a
       checking program that resubmits them for delivery in some private way
       that can be checked (e.g. on a specific SMTP port, or IP address). One
       possibility is to use the `received protocol` field that can be set
       for locally submitted mail via the \-oMr-\ command line option. This
       router sends all messages that are not from the local host and whose
       received protocol is not \"scanned-ok"\ to the \%virus_scan%\ transport:

==>      vircheck:
           driver = accept
           transport = virus_scan
           condition = ${if or {{eq {$received_protocol}{scanned-ok}} \
                                {eq {$sender_host_address}{127.0.0.1}}}\
                                {0}{1}}

       One problem is that this approach, by default, scans the message for
       each recipient, not just once per message. However, you can set the
       \batch_max\ option on the transport to allow it to send a single copy
       for multiple recipients.

       The virus_scan transport should be set up to pipe the message to a
       suitable checking program or script which runs as a trusted user. This
       can then re-submit the message to Exim, using \-oMr-\ to set the received
       protocol to \"scanned-ok"\. It is probably easiest to use the Batch SMTP
       (BSMTP) facilities for passing the sender address and the recipient
       addresses to the checker and then back to Exim (using the \-bS-\
       command line option). \**Warning:**\ If you forget to make the
       resubmitting process run as a trusted user, the sender address will be
       incorrect and what is worse, the received protocol does not get set, and
       you are likely to generate a loop.


Q0714: Is there a way to configure Exim to reject mail to a certain local host?

A0714: No, only to certain domains. To reject at SMTP time, you can put a line
       like this in your ACL:

==>      deny message = this domain is deliberately rejected
              domains = a.certain.domain

       To fail addresses in messages that do not arrive over SMTP, you can set
       up a router like this:

==>      reject_a_certain_domain:
           driver = redirect
           domains = a.certain.domain
           allow_fail
           data = :fail: this domain is deliberately rejected


Q0715: How can I get Exim to remove attachments from messages?

A0715: Exim does not contain facilities for modifying messages. You must use
       an external program if you want to do this. You can route messages that
       have a ::Content-type:: header line via a pipe to a command that does
       the job and then re-submits the message to Exim. Alternatively, you
       could use a transport filter to do this job.


Q0716: How can I arrange for each user to have a file listing the only sender
       addresses from which she will accept mail? I want to do this so my
       family members don't get any spam (or other inappropriate mail).

A0716: Let's assume each user has a file called \(.acceptlist)\ in the home
       directory. You can put in your ACL a line like this:

==>      require senders = /home/$local_part/.acceptlist

       This will reject RCPT commands when the sender is not in the accept
       list for the recipient. (Replace \(/home/$local_part)\ with whatever
       the correct path to your user's home directories is.)

       One problem with this is that it will block bounce messages, which have
       empty senders. You can get round this, by changing the line to this:

==>      require senders =  : /home/$local_part/.acceptlist

       However, this will, of course, let in spam that has a null sender.


Q0717: When using Nessus on a system that runs Exim, a number of security
       issues are raised. Nessus complains that Exim answers to EXPN and/or
       VRFY; sometimes it even complains that Exim allows relaying.

A0717: Exim supports EXPN and VRFY only if you permit it to do so in the ACLs
       defined by \acl_smtp_expn\ and \acl_smtp_vrfy\, respectively. Otherwise,
       its responses are

==>      550 Administrative prohibition
         252 Administrative prohibition

       Maybe the use of 252 is the ``problem''. It is recommended that this be
       done (by those that discuss these things) because there are stupid
       clients that attempt VRFY before sending a message.


Q0718: Could anyone points me to right rules to prevent sending/receiving
       messages to/for domains which have one MX to localhost or only have
       address 127.0.0.1 ?

A0718: See Q0319.


Q0719: I would like to have a per-user limit for the maximum size of messages
       that can be sent.

A0719: The simplest way to do this is to put something in a system filter along
       these lines:

==>    if $message_size is above
         "${lookup{$sender_address}lsearch{/some/file}{$value}{10M}}"
       then
         fail "Message is larger than $sender_address is allowed to send"
       endif

       In practice, an additional check that the message has arrived from your
       local host or local network is probably wise because sender addresses
       are easily forged.


Q0720: I set \"accept hosts=192.168.122.96/32"\ in order to accept mail for
       relaying from my local LAN, but it doesn't work. What's wrong?

A0720: 192.168.122.96/32 is not a network, it is a single host. Exim uses CIDR
       notation for specifying networks, where the number after the slash is
       the number of bits in the IP address that must match. Your setting says
       ``32 bits must match''. If you really mean to specify ``the next 32
       IP addresses'', you need 192.168.122.96/27.


Q0721: I have POP-before-SMTP set up on my Exim server, but some clients use
       Outlook Express, which sends queued messages before checking the
       mailbox, so it doesn't work.

A0721: Implement SMTP authentication.


Q0722: I installed Amavis and it is working, but bounces are simply vanishing.

A0722: Check that you haven't inadvertently set up the transport like this:

==>      amavis:
           driver = pipe
           command = "/usr/sbin/amavis -f ${sender_address} -d ${pipe_addresses}"

       The last line should be:

==>        command = /usr/sbin/amavis -f <$sender_address> -d $pipe_addresses

       The important thing is the <> around the sender address; removal of
       the unnecessary "" and {} is just tidying. See the amavis FAQ at
       \?http://www.amavis.org/amavis-faq.php3?\.


Q0723: I can't get Pine to work with PLAIN authentication; Exim keeps
       responding "535 Incorrect authentication data".

A0723: You need to have this setting in your PLAIN authenticator:

==>      server_prompts = :

       This is missing in the examples in early Exim documentation, because it
       was not realized that PLAIN authentication could be requested by a
       client without sending the data with the request. If the data is not
       sent, an empty prompt is expected.


Q0724: I have used \":fail:"\ in some aliases; when one of these addresses is
       refused, I see the message on the log, but the response to the remote
       user is ``unknown user'' instead of the message from the alias file.
       How can I change this?

A0724: Have you got a \message\ qualifier in the relevant ACL? Exim uses the
       message line in the ACL in preference to the message returned by the
       router. This is so you can restrict the amount of information that
       ``escapes'' from your site via SMTP if you want to. Remove the \message\
       line in the ACL entry that has \"verify = recipient"\ and your message
       will get through.

       Alternatively, if you are running Exim 4.10 or later, you can use the
       \$acl_verify_message$\ variable in your message to include the message
       from the router. See also Q0725.


Q0725: I've set up some specific rejection messages for certain recipients, but
       when I test them, the SMTP message is always \*550 5.1.1
       <user@mydomain.com>... User unknown*\.

A0725: That is not an Exim message (the ``5.1.1'' is a clue; Exim doesn't use
       those extended codes). You are probably being defeated by software that
       sees the 550 error code, and insists on putting in its own text. There
       is stupid software that does this. You can test Exim by using \-bh-\ or
       making a telnet call to the SMTP port. That way, there's no other
       software intervening.


Q0726: My SMTP authentication can be bypassed by sending an unknown user name
       and an empty password. What is wrong with this condition in a PLAIN
       authenticator?

==>     server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
          accounts WHERE username='${local_part:$1}'}}}{1}{0}}

A0726: Your lookup item returns an empty string when the user does not exist.
       You should instead arrange for the lookup to fail:

==>     server_condition = ${if eq{$2} {${lookup mysql{SELECT password FROM \
          accounts WHERE username='${local_part:$1}'}{$value}fail}}{1}{0}}


Q0727: When a message has many recipients, how can I stop SpamAssassin from
       being called for each of them? I'm running it from a pipe transport.

A0727: In the transport configuration, set \batch_max\ to a value greater than
       one.


Q0728: How do I use Exiscan, SA-Exim, SpamAssassin, Clam Antivirus, Sophos
       SAVI, or sophie with Exim?

A0728: There's a mini-HOWTO about these available via
       \?http://www.timj.co.uk/linux/exim.php?\.
       See also sample configuration C047.


Q0729: How can I screen out addresses that are neither valid usernames or
       distribution lists on mail being forwarded to an internal Win2K server?

A0729: A user suggested using a router like this to do the recipient
       verification:

==>      verify_user_router:
            driver = accept
            domains = win2kdomain.com
            local_parts=\
              ldap;user="cn=ldap-guest,cn=Users,dc=win2kdomain,dc=com"\
              pass=guest \
              ldap:://win2kpdc/dc=win2kdomain,dc=com?mailNickname?\
              sub?(&(mailNickname=$local_part)\
              (showInAddressBook=*)(sAMAccountName=*))
            verify_only

       Set up ldap-guest as a normal domain user on the Win2K PDC.

       Also, you need to set \no_verify\ on all the other routers that handle
       that domain.


Q0730: How can I use the same passwords for SMTP authentication as I use for
       Courier IMAP access to my server?

A0730: You can access the Courier authdaemon from an Exim authenticator. You
       must arrange for the Exim user (often \/exim/\ but sometimes \/mail/\)
       to be able to access \(/var/run/courier/authdaemon/socket)\. The
       configuration is something of a hack, but it is reported to work. Here
       is a LOGIN authenticator:

==>      login:
           driver = plaintext
           public_name = LOGIN
           server_prompts = Username:: : Password::
           server_condition = \
             ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
             {AUTH 76\n${length_76:exim\nlogin\n$1\n$2\
             \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
             \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
             \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}}
           server_set_id = $1

       Here is a PLAIN authenticator:

==>      plain:
           driver = plaintext
           public_name = PLAIN
           server_prompts = :
           server_condition = \
             ${if eq {${readsocket{/var/run/courier/authdaemon/socket}\
             {AUTH 76\n${length_76:exim\nlogin\n$2\n$3\
             \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
             \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\
             \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n}}}}{FAIL\n} {no}{yes}}
           server_set_id = $2


Q0731: Is there any defence I can use against spam sent through an open proxy?

A0731: The \*ident*\ feature can be used in some cases. See the discussion in
       Q5023.


Q0732: I would like to either warn or deny when a host uses an underscore in
       the EHLO command.

A0732: First, set

==>      helo_allow_chars = _

       This tells Exim not to reject the EHLO or HELO command immediately. Once
       you have done that, you can test for the underscore in an ACL. For
       example, to log a warning for hosts in your LAN, and reject for other
       hosts, you could do something like this:

==>      deny  message = Underscores are not valid in host names
               hosts = ! +lan_hosts
               condition = ${if match{$sender_helo_name}{_}{yes}{no}}

==>      warn  log_message = Accepted underscore from [$sender_host_address]
               condition = ${if match{$sender_helo_name}{_}{yes}{no}}


Q0733: Is there any way to tell Exim not to lookup the IP address against any
       DNS black list if the connection is over IPv6?

A0733: Use this condition in your ACL:

==>      condition = ${if match{${mask:$sender_host_address/0}}\
                      {${mask:::0/0}}{no}{yes}}

       From Exim 4.23 onwards, this can be simplified to

==>      condition = ${if isip6{$sender_host_address}{no}{yes}}


Q0734: How do MailScanner and Exiscan compare? What are the pros and cons?

A0734: The big advantage of Exiscan is that it can reject messages at SMTP time
       before you have accepted responsibility for them, which means you don't
       have to deal with bouncing messages and thereby becoming a collateral
       spammer.

       The big advantage of MailScanner is that it gives you much greater
       control over the load on your machines. You configure it according to
       the maximum processing capacity of your computer and it will not exceed
       that; in fact because it deals with messages in batches the cost of
       processing a message actually goes down slightly as the load increases,
       because the per-batch costs are shared by more messages.

       With Exiscan, you have to rely on Exim's load protection mechanisms,
       which basically means that you have to stop accepting messages when your
       machine gets too loaded. This is bad if the machine happens to be an
       SMTP smarthost. You therefore need more overcapacity with Exiscan than
       with MailScanner.


Q0735: How can I block non-FQDNs in HELO/EHLOs?

A0735: Many workstation clients send single-component names; take care that you
       do not block legitimate mail. With that proviso, you can do it using
       something like this in an ACL:

==>      drop  message = HELO doesn't look like a hostname
               log_message = Not a hostname
               condition = ${if match{$sender_helo_name} \
                           {\N^[^.].*\.[^.]+$\N}{no}{yes}}

       This means: Drop the HELO unless it contains a dot somewhere in the HELO
       string, but the string may not begin or end with a dot. Thus, the
       imposed minimum length is 3 characters.

       The data for HELO/EHLO doesn't have to be a host name; it may
       legitimately be an IP address literal instead. The above test succeeds
       with an IPv4 address literal, but if you want also to accept IPv6
       address literals, you will have to modify the regular expression.


Q0736: Is it possible to tell exim to drop the connection after a server
       attempts to send a message to a number of unknown users?

A0736: Yes. Use \$rcpt_fail_count$\ and the \^drop^\ ACL command, as in this
       example:

==>      drop  message = Too many unknown users
               condition = ${if >{$rcpt_fail_count}{15}{yes}{no}}


Q0737: Is there some way to tell Exim not to consider 127.0.0.1 as a valid MX?

A0737: See Q0319.


Q0738: How can I configure Exim to delay the SMTP connection if more than 10
       invalid recipients are received in one message?

A0738: Put something like this in your RCPT ACL:

==>      deny  message         = Max $rcpt_fail_count failed recipients allowed
               condition       = ${if >{$rcpt_fail_count}{10} {1}}
               ! verify        = recipient
               delay           = ${eval: $rcpt_fail_count * 10}s
               log_message     = $rcpt_fail_count failed recipient attempts

       This example increases the delay for each failed recipient.


Q0739: Does Exim support SPF?

A0739: An Exim ACL can be used. See \?http://spf.pobox.com/downloads.html?\.


Q0740: How can I change the MAIL FROM address that is used for callouts?

A0740: It depends on which type of callout you are using.

       (1) For envelope sender verification callouts, you cannot make any
           change. My view is that an envelope sender verification is testing
           whether Exim could send a bounce to that address. Therefore, it must
           use \"MAIL FROM:<>"\ because that is what it would do if it were
           sending a bounce message. If \"MAIL FROM:<>"\ is rejected, it means
           Exim could not send a bounce. Therefore the callout fails.

       (2) For verifying addresses in the ::From::, ::Sender::, or ::Reply-to::
           header lines (the \"verify = header_sender"\ condition), it is
           possible to make a change, on the grounds that these addresses are
           not necessarily ones that must accept bounce messages. You can do
           this by adding a \"mailfrom"\ option, like this:

==>          require  verify = header_sender/callout=mailfrom=abcd@x.y.z

       (3) It is also possible to make a change for the postmaster verification
           option, also on the grounds that a postmaster address need not
           accept bounces if it is never used as an envelope sender. Instead of
           just \"postmaster"\, \"postmaster_mailfrom"\ is used, like this:

==>          require  verify = sender/callout=postmaster_mailfrom=abcd@x.y.z

       (4) For recipient verification, there are three possibilities. The
           default is to use \"MAIL FROM:<>"\. If the \use_postmaster\ option
           is given, for example:

==>          require  verify = recipient/callout=use_postmaster

           then the address for MAIL FROM is made up from the local part
           \"postmaster"\ and the contents of \$qualify_domain$\.

           Alternatively, if the \use_sender\ option is given, the sender
           address of the incoming message is used. You should use this option
           only when you know that the receiving host makes use of the sender
           address when verifying. The reason is that the callout cache is much
           less effective in this case, causing many more callouts to be
           performed.

       In all cases when you configure Exim to use a non-empty address in MAIL
       FROM during callout processing, you should think carefully about what
       might happen if this causes the called host to make its own callout back
       to your host. Make sure that callout loops cannot happen.


Q0741: How can I get Outlook Express to use TLS when authenticating?

A0741: If you check \"auth required"\ in OE, it will authenticate as soon as
       it sees AUTH LOGIN, in preference to STARTTLS. The trick is to
       advertise things to OE in a certain order. The first EHLO should
       advertise STARTTLS but not AUTH, and only the second EHLO (after TLS
       starts) should advert AUTH. One way of achieving this is to put, in
       the main section of your Exim configuration:

==>      auth_advertise_hosts = ${if eq{$tls_cipher}{}{127.0.0.1}{*}}

       This means that the only host to which AUTH is advertised is 127.0.0.1
       when the session is not encrypted (that is, before TLS has started). The
       idea here is that there's no need for encryption for anything coming via
       the loopback interface. For an encrypted session, however, AUTH is
       advertised to all hosts.

       You can also block the AUTH command itself for unencrypted connections,
       by creating an ACL for \acl_smtp_auth\ that is something like this:

==>      accept  encrypted = *
         accept  hosts = 127.0.0.1
         deny    message = TLS encryption required before AUTH



8. REWRITING ADDRESSES

Q0801: How can I get Exim to strip the hostname from the sender's address?

A0801: If you set up a rewriting rule in the following form:

==>       *@*.your.domain  $1@your.domain

       then Exim will rewrite all addresses in the envelope and the headers,
       removing anything between \"@"\ and \"your.domain"\. This applies to all
       messages that Exim processes. If you want to rewrite sender addresses
       only, the the rule should be

==>       *@*.your.domain  $1@your.domain  Ffrs

       This applies the rule only to the envelope sender address and to the
       ::From::, ::Reply-to::, and ::Sender:: headers.


Q0802: I have Exim configured to remove the hostname portion of the domain on
       outgoing mail, and yet the hostname is present when the mail gets
       delivered.

A0802: Check the DNS record for your domain. If the MX record points to a CNAME
       record instead of to an A record, some MTAs (not Exim) are liable to
       rewrite addresses, changing your domain name to its ``canonical'' form,
       as obtained from the CNAME record.


Q0803: I want to rewrite local addresses in mail that goes to the outside
       world, but not for messages that remain within the local intranet.

A0803: You can use the \headers_rewrite\ option on a transport to do this.
       The rewriting will then apply to just those copies of a message that
       pass through the transport. The \return_path\ option can similarly be
       used to rewrite the sender address. There is no way of rewriting
       recipient addresses at transport time. However, as these are by
       definition remote addresses, you probably don't want to rewrite them.

       You have to set up the configuration so that it uses different SMTP
       transports for internal and external mail. If you are using a single
       router in both cases, you could configure it like this:

==>    dnslookup:
         driver = dnslookup
         transport = ${if match{$domain}{\N\.my\.domain$\N}{int_smtp}{ext_smtp}}

       This example uses the \%int_smtp%\ transport for domains ending in
       \(.my.domain)\, and \%ext_smtp%\ for everything else. The \%ext_smtp%\ transport
       could be something like this:

==>    ext_smtp:
         driver = smtp
         headers_rewrite = *@*.my.domain \
              ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail}
         return_path = \
           ${if match{$return_path}{\N^([^@]+)@(.*)\.my\.domain$\N}\
            {\
            ${lookup{$1}cdb{/etc/$2/mail.handles.cdb}{$value}fail}\
            }\
            fail}

       This example uses a separate file of local-to-external address
       translations for each domain. This is not the only possibility, of
       course. The \headers_rewrite\ and \return_path\ options apply the same
       rewriting to the header lines and the envelope sender address,
       respectively.


Q0804: I'm using this rewriting rule to change login names into ``friendly''
       names, but if mail comes in for an upper case login name, it doesn't
       get rewritten.

==>      *@my.domain   ${lookup{$1}dbm{/usr/lib/exim/longforms}\
                        {$value}fail}@my.domain bcfrtFT

       The longforms database has entries of the form:

==>      ano23: A.N.Other

A0804: Replace \"$1"\ in your rule by \"${lc:$1}"\ to force the local part to lower
       case before it is used as a lookup key.


Q0805: Is it possible to completely fail a message if the rewrite rules fail?

A0805: It depends on what you mean by ``fail a message'' and what addresses you
       are rewriting. If you are rewriting recipient addresses for your local
       domain, you can do:

==>      *@dom.ain  ${lookup{$1}dbm{/wher/ever}{$value}{failaddr}}  Ehq

       and in your alias file put something like

==>      failaddr:   :fail: Rewriting failed

       This fails a single recipient - others are processed independently.


Q0806: I'm using \$domain$\ as the key for a lookup in a rewriting rule, but its
       contents are not being lowercased. Aren't domains supposed to be handled
       caselessly?

A0806: The value of \$domain$\ is the actual domain that appears in the address.
       It could of course be lower cased, but I know that would cause some
       unhappiness, because some people have mixed-case domain names which look
       silly if the case is changed. Thus, one wants to preserve the case in
       rewrites such as

==>      *@*.TheRap.com   something@$domain

       because ``therap'' doesn't look like two words. I know it seems trivial,
       but it is important to some people - especially if by some unfortunate
       accident the lowercased word is something indecent.

       You can trivally force lower casing by means of the \"${lc:"\ operator.
       Instead of \"$domain"\ write \"${lc:$domain}"\.


Q0807: I want to rewrite local sender addresses depending on the domain of the
       recipient.

A0807: In general, this is not possible, because a message may have more than
       one recipient and Exim keeps just a single copy of each message. It may
       also deliver one copy of a message with several recipient addresses.
       You can do an incomplete job by using a regular expression match in a
       rewrite rule to test, for example, the contents of the ::To:: header. This
       would work except in cases of multiple recipients.



9. HEADERS

Q0901: I would like add some custom headers to selected outgoing mail based on
       a specific domain and the subject line.

A0901: To the remote_smtp transport, add something like

==>      headers_add = ${if and{\
                       {eq{$domain}{spec.dom}}\
                       {matches{$h_subject:}{whatever}}}\
                       {Content-Type: text/html; charset="us-ascii"} fail }

       This example shows a ::Content-Type:: header, but you can have anything you
       like, and multiple headers can be inserted by using \"@\n"\ to separate them.


Q0902: Is it possible to have Exim add a header to only certain local parts of
       outgoing mail?

A0902: Only if you arrange for each such local part to receive its own private
       copy of the mail. See \max_rcpt\ in the SMTP transport. If you set this
       to 1, you could use conditions in an expansion string to add or not add
       a header.


Q0903: How can I remove some part of the ::Received:: header?

A0903: Set \received_header_text\.


Q0904: How I can insert the PGP header line using Exim filters?

A0904: You can't insert headers in a user filter. A system filter can do so,
       but the inserted lines then are included for all recipients.


Q0905: I know I can use a system filter to replace certain headers in messages,
       but how can I add text to existing headers? I want to add [SPAM] to
       the subject line of messages that appear to be spam.

A0905: You can only do this in a round about way, using filter commands like
       this:

==>      headers add "New-Subject: SPAM: $h_subject:"
         headers remove subject
         neaders add "Subject: $h_new-subject:"
         headers remove new-subject

       This trick works only in system filters, where the commands are obeyed
       in order, and affect the master list of headers that apply to the whole
       message. You cannot do this with the \headers_add\ and \headers_remove\
       options on drivers.



10. PERFORMANCE

Q1001: I'm running a large mail server. Should I set \split_spool_directory\ to
       improve performance?

A1001: Splitting the spool directory has most benefit if there are times when
       there are a large number of messages on the queue. If all mail is
       delivered very quickly, and the queue is always less than, say, a few
       hundred messages, there isn't any need to do this. With larger queues,
       there is a definite performance benefit to splitting the spool. It shows
       up earlier on some types of file system, compared with others.

       Exim was not designed for handling large queues. If you are in an
       enviroment where lots of messages remain on the queue for long periods
       of time, consider implementing a back up host to which you pass these
       messages, so that the main host's queue remains short. You can use
       \fallback_hosts\ to do this, or a router that is conditional on
       \$message_age$\.


Q1002: How well does Exim scale?

A1002: Although the author did not specifically set out to write a high-
       performance MTA, Exim does seem to be fairly efficient. The biggest
       server at the University of Cambridge (a large Sun box) goes over
       100,000 deliveries per day on busy days (it has over 20,000 users).
       There was a report of a mailing list exploder that sometimes handles
       over 100,000 deliveries a day on a big Linux box, the record being
       177,000 deliveries (791MB in total). Up to 13,000 deliveries an hour
       have been reported.

       These are quotes from some Exim users:

       "... Canada's largest internet provider, uses Exim on all of our mail
       machines, and we're absolutely delighted with it. It brought life back
       into one of our machines plagued with backlogs and high load averages.
       Here's just an example of how much email our largest mail server
       (quad SS1000) is seeing ... "  [230,911 deliveries in a day: 4,475MB]

       "... Exim has to ... do gethostbyname()s and RBL lookups on all of the
       incoming mail servers, and he runs from inetd (TCP Wrappers connected).
       All the same, it seems to me that he runs as fast as lightning on our
       SCO 5.0.4 box (1 Pentium 166) - far faster than MMDF which I (and many
       customers) had before."

       "On a PII 400 with 128M of RAM running Linux 2.2.5, I have achieved
       36656 messages per hour (outgoing unique messages and recipients). For
       about a 5 minute period, I was able to achieve an average of 30 messages
       per second (that would be 108000 m/hour)! We are using: (options that
       make a difference):

==>      queue_only
         split_spool_directory
         queue_run_max = 1
         remote_max_parallel = 1

       We have a cron job hat runs every five minutes that spawns 5 \"exim -q"\ if
       there are less that 120 exim processes currently running. We found
       that by manually controlling the concurrency of \"exim -q"\ processes
       contending for the spool for \%remote_smtp%\ delivery that we gained
       considerable performance - 10000 m/hour."


Q1003: We have a large password file. Can Exim use alternative lookups during
       delivery to speed things up?

A1003: If you are using FreeBSD, this problem should not arise, because it
       automatically uses an indexed password file. In some other operating
       systems you can arrange for this to happen too. On Linux, for example,
       all you need to do is

==>      # cd /var/db
         # make

       and put \"db"\ before \"files"\ in any \(/etc/nsswitch.conf)\ lines you want to
       use db for.

       On systems that do not include support for indexed password files, you
       can build one yourself, and reference it from the Exim configuration.
       For example, for routing to local mailboxes you could use this:

==>      localuser:
           driver = accept
           condition = ${lookup{$local_part}cdb{/etc/passwd.cdb}{yes}{no}}
           transport = local_delivery
           user = ${extract{1}{:}{${lookup{$local_part}cdb{/etc/passwd.cdb}}}

       This assumes a cdb version of the password file.


Q1004: I just wondered if it might be helpful to put the hints database on a
       RAM disk during regular operation. Did anybody try that yet?

A1004: A user reported thus: ``I have found that this works great under Solaris.
       Make a RAM disk partition and keep everything in the \(db)\ directory on
       it. However, when I try the same thing on Linux, I don't see the same
       boost. I think that Linux's file buffer cache works about the same.
       Plus, this leave more room for processes to run.''

       There have been other reports that Linux's delayed buffer write provides
       better overall performance in general.

       Apparently there is support in the Solaris kernel for a delayed writing,
       as in Linux, but Sun's server policy is to have it disabled so that you
       don't lose so much if the server crashes. There is a program called
       \^fastfs^\ to enable and disable this support. You have to download and
       compile it yourself; find it by looking for \"fastfs.c"\ in a search
       engine. Solaris performance is reported to be much improved, but you
       should take care to understand the potential hazards. In particular,
       \^fsck^\ may be unable to ``fix'' disks automatically after a crash.


Q1005: A lot of incoming mail is pushing up my system load too much, and there
       are many Exim processes. How can I control this?

A1005: Have you set any of the Exim configuration options that limit what it
       does under high load? For example, queue_only_load, deliver_queue_load_max?
       See the list in the section entitled \*Resource control*\ in the manual.

       It sounds like a lot of simultaneous incoming mail pushes your system
       into uncontrolled overload. The multiple Exim processes are probably
       just multiple incoming messages. You can use the \^exiwhat^\ utility to
       confirm this.



11. MAJORDOMO

Q1101: How do I set up Majordomo to work with Exim?

A1101: Users have found several ways of setting up Exim for use with Majordomo.
       One way has been documented at
       \?http://www.averillpark.net/exim/majordomo.html?\.

       Somewhere in the Majordomo docs or FAQ it mentions using batchmail or
       other additional programs to improve the performance of large lists.
       They are not needed with Exim, and their use can actually make things
       worse. However, it's a good idea to set \remote_max_parallel\ to a value
       greater than 1 in the Exim configuration.


Q1102: I have set \$mailer$\ in \(majordomo.cf)\, but it still isn't setting the
       sender correctly in the messages it sends.

A1102: Make sure you have got the quoting correct in the \$mailer$\ setting. For
       example,

==>      $mailer = "$sendmail_command -oi -oee -f$sender\@lists.mydomain.de";

       is not correct. It needs three backslashes, not one, and the $ at the
       start of \$sender$\ has to be escaped with a backslash.


Q1103: I'm trying to set up majordomo, but I'm getting a wrong mode error
       when I try to send it mail.

A1103: Check the mode of \(/var/lib/majordomo/lists/lists.aliases)\ and compare it
       with the setting of the \modemask\ option in the Majordomo aliases
       router. This option specifies bits which must not be set for the alias
       file, and it defaults to 022.


Q1104: I'm getting return code 9 from \(/home/majordomo/majordomo-1.94.4/wrapper)\
       when it is passed a message from Exim.

A1104: A problem like this turned out to be the Perl version that came with
       RedHat 5.2. Rebuilding Perl 5.005x solved it.


Q1105: Exim is complaining about an invalid command line when Majordomo tries
       to send it a message for delivery.

A1105: Take a look at your \(majordomo.cf)\ file,  It should have something that
       looks like

==>      $sendmail_command = "/usr/lib/sendmail";

       and another line like

==>      $mailer = "$sendmail_command -oi -oee -f\$sender";

       If you have modified \^resend^\ (one of the majordomo programs) to use
       \$sendmail_command$\ instead of \$mailer$\ you will be calling Exim with no
       command line arguments.



12. FETCHMAIL

Q1201: When I run fetchmail, I get the error \*SMTP listener doesn't like
       recipient address xxx@localhost*\.

A1201: Make sure that //localhost// is recognized as a domain that is to be
       delivered locally. If you are using the default Exim run time
       configuration, you'll see a line near the top like this:

==>      domainlist local_domains = @

       Change it to

==>      domainlist local_domains = @ : localhost


Q1202: I'm currently using Exim with fetchmail and I'd like to use the RBL on
       Exim, but will it work? Do I need to configure fetchmail any particular
       way? As far as Exim knows, all mail is coming from 127.0.0.1. Will it
       check the source address against RBL? Or will it check the ::From:: header?

A1202: It will check 127.0.0.1 (not very useful). The point of the RBL is to
       keep messages from black-listed hosts out of your machine. If you are
       using fetchmail, you have got the messages into your machine before you
       approach Exim. That kind of defeats the purpose of the RBL. The right
       way to do this would be for the host from which you fetch your mail to
       do the RBL checking and insert some kind of warning header for you to
       test, as Exim does if you run RBL checks in warning mode.



13. PERL

Q1301: Exim built with Perl support exits with the error message \*./exim: can't
       load library 'libperl.so'*\.

A1301: If you are using BSDI, see Q9401.


Q1302: Exim built with Perl support exits with several error messages of the
       form \*undefined reference to `PL_stack_sp'*\.

A1302: This has been seen on FreeBSD systems that had two different versions of
       Perl installed, the older with an \^a.out^\ library and the newer with an
       ELF library. Ensure that the older package is removed.



14. DIAL-UP AND ISDN

Q1401: When I'm not connected to the Internet, how can I arrange for mail to
       other hosts on my local network to be delivered, while at the
       same time mail to Internet hosts is queued without any delivery
       attempts?

A1401: Use the \queue_domains\ option to control which domains are held
       on the queue for later delivery. For example,

==>      queue_domains = ! *.localnet

       allows delivery to domains ending in \(.localnet)\, while queueing all the
       others.


Q1402: I have a dial-up machine, and I use the \queue_smtp_domains\ option so
       that remote mail only goes out when I do a queue run. However, any email
       I send with an address \(anything@aol.com)\ is returned within about 15
       minutes saying \*retry time exceeded*\, and all addresses are affected.

A1402: You should be using \queue_domains\ rather than \queue_smtp_domains\.
       With the latter, Exim is trying to route the addresses, which involves a
       DNS lookup. This is presumably timing out, causing a retry time to be
       set for the domain, and somehow a valid lookup never happened before the
       maximum retry time (default of 4 days) passed. Hence the bounce. The
       fact that it is \(aol.com)\ is probably not relevant. You should probably
       also be using \-qq-\ to do your queue run rather than \-q-\.


Q1403: How should Exim be configured when it is acting as a temporary storage
       system for a domain on a dial-up host?

A1403: Exim isn't really designed for this, but... The lowest-numbered MX
       record for the domain should be pointing to the dial-up host. A higher
       numbered MX record (lower priority) should point to the Exim server that
       is acting as a temporary storage system.

       You should set a large retry time for the domain, so that Exim doesn't
       keep trying to deliver when the host is offline. When the host comes
       online, the waiting messages have to be kicked somehow. This can be done
       by calling Exim with the \-R-\ option, or via the SMTP ETRN command.

       This works provided the number of messages is low. If you are handling
       lots of mail, keeping messages waiting for their host to connect and
       those that are having delivery problems to remote hosts all in the same
       queue doesn't work so well. It is better in this case to get Exim to
       deliver the mail for the dial-in hosts into some local files which then
       get transmitted by other software when the host connects. One tool for
       doing this can be found at \?http://cr.yp.to/serialmail.html?\.

       For further discussion, see section entitled \*Intermittently connected
       hosts*\ in the manual, and also the section in the Exim book with the
       same name.


Q1404: I have \queue_domains\ or \queue_smtp_domains\ set, and use \-qf-\ to
       force delivery of waiting mail when I dial in. How can I arrange for any
       new messages that arrive while I'm connected to be delivered immediately?

A1404: Instead of \queue_domains\ or \queue_smtp_domains\, use the \queue_only_file\
       option. This causes messages to be queued if a particular file exists.
       If you put the word ``smtp'' before the file name, the queueing applies
       only to domains that are delivered by SMTP, thus not affecting local
       deliveries:

==>      queue_only_file = smtp/etc/present/when/not/connected

       Then, in the scripts which are run when you connect and disconnect,
       arrange to remove the file after connection, and create it just before
       disconnection.


Q1405: I have an ISDN connection and would like a way of running the queue
       automatically when it is up.

A1405: The following shell commands test for the interface being up and then
       run the queue:

==>      ifconfig ppp0 | fgrep UP >/dev/null
         if [ $? -eq 0 ] ; then exim -q ; fi

       You could put these commands into a script which runs them at regular
       intervals. You might want to use \-qq-\ instead of \-q-\.

       With Linux, the script \(/etc/ppp/ip-up)\ is run after a ISDN connection
       or a more general PPP connection has been established. If you are using
       Linux, you could put the call to Exim in that script.


Q1406: When I dial up to collect mail from my ISP, only the first 10 messages
       get delivered immediately; the remainder just sit on the queue until a
       queue runner process finds them.

A1406: See Q0049.


Q1407: RFC 1985 specifies that the SMTP command \"ETRN host.domain"\ causes all
       mail queued for that host, no matter what domain it's for, to be
       delivered. Why doesn't Exim support this?

A1407: Exim does not keep queues of mail for specific destinations. It just
       keeps one pool of undelivered messages. What is more, once you start a
       delivery of a message, it tries to deliver to all the addresses in the
       message, not just the one you may be interested in. (Of course, this
       doesn't usually do any harm.)

       The only way it could be done within Exim would be, for every message
       on the queue, to go through the motions of routing each undelivered
       address and see if that resulted in a delivery to the host of interest.
       This could be extremely expensive (e.g. 1,000 messages on the queue,
       only 1 for the given host).

       The bottom line is that Exim just wasn't designed for this kind of
       operation, that is, holding messages for intermittently connected hosts.
       The queueing arrangements are designed for handling delivery problems
       that are not expected to be common.

       A better way to do this is to implement the required queues separately.
       After all, keeping such mail on an active queue (where Exim will keep
       trying to deliver) is silly. If there is a lot of mail for these hosts,
       it also masks genuine delivery problems when you inspect the queue.

       Large ISPs who provide this kind of functionality do not usually leave
       waiting mail on the MTA's queue. Instead, they get it delivered into
       per-host directories, one message per file, in one of the special
       formats (BSMTP, maildir, or mailstore) and when an ETRN arrives, it
       kicks off some completely different program that establishes an SMTP
       connection to the host and shovels the waiting mail down it. That seems
       to me to be a much neater way of doing this. It means you can easily add
       additional functionality such as archiving or throwing away uncollected
       mail.

       One program that has this functionality is \^ssmtp^\, which can be
       found in \?ftp://metalab.unc.edu/pub/Linux/system/mail/mta/?\.
       Alternatively, sample configuration C037 demonstrates an elegant way of
       using Exim itself to deliver the saved messages when the client issues
       an ETRN.


Q1408: If email has been deferred to a member on a local mailing list
       (implemented through forward files), and one of our ETRN clients is on
       this mailing list, the \-R-\ won't flush the mailing list message for
       that client.

A1408: That is because \-R-\ matches only original recipient addresses, not those
       produced as a result of expansion, because these are not (by default)
       preserved from delivery to delivery. You can get round this by setting
       \one_time\ on the forwarding router, but you are not allowed to have
       expansions to pipes or files on routers that have \one_time\ set.
       Therefore, you will have to have a separate router for mailing lists
       (with \one_time\ set) to the one used for normal forward files that might
       specify pipe or file deliveries. However, the problem will still be
       present for any user who sets up a \(.forward)\ file to redirect to any of
       the ETRN domains. See the last 3 paragraphs of Q1407 for a discussion of
       an alternative approach.


Q1409: I would like to have a separate queue per domain for hosts which dial
       in to collect their mail.

A1409: Exim isn't really designed for this kind of operation. The only way to
       do this would be to cause it to send those messages to a differently
       configured version of Exim with its own spool area. This could be done
       via a pipe or SMTP to a private port. The main Exim, listening on port
       25, would then be configured to run an appropriate command to prod one
       of the others when it received ETRN, by means of the \smtp_etrn_command\
       option.

       You could probably manage this with a single Exim binary and a number of
       different configuration files, passed to the special versions using the
       \-C-\ option. For this application they could all run as \^exim^\, since no
       root privilege would be needed.

       An alternative approach id to get Exim to deliver mail for such hosts
       in batch SMTP format into some directory, and have the ETRN run
       something to pass such messages to the dialled-in host. See also Q1403.



15. UUCP

Q1501: The MX records for some UUCP domains point to my local host. How do I
       get it to pass the messages on to UUCP?

A1501: The simplest way is to create a file containing a list of domains, and
       the hosts to which their messages should be sent, like this:

==>      uucp1.domain.example:   uucp1.host.example
         uucp2.domain.example:   uucp2.host.example
         ....

       Then you can use a router like this:

==>      uucp_router:
           driver = accept
           domains = lsearch;/etc/uucp/domains
           transport = uucp_transport

       and a transport like this:

==>      uucp_transport:
           driver = pipe
           user = nobody
           command = /usr/local/bin/uux - -r $domain_data!rmail $local_part
           return_fail_output

       The \$domain_data$\ variable retains the value that is looked up when
       the \domains\ option in the router is matched.


Q1502: How can I get Exim to handle ``bang path'' addresses?

A1502: In general, you can't (Exim is an Internet mailer and recognizes only
       RFC 2822 domain-style addresses) but some restricted kinds of bang path
       can be dealt with by appropriate rewriting - but please note the warning
       below.

       Exim treats a bang path address as an unqualified local part, and so
       will qualify it with your domain. A rule such as

==>      \N^([^!]+)!(.+)@your\.domain$\N   $2@$1

       turns \(a!b@your.domain)\ into \(b@a)\. You can also use a repeating rule to
       turn multi-component paths into the ``percent hack'' notation with a rule
       such as

==>      \N^([^!]+)!([^@%]+)(.+)$\N   $2%$1$3   R

       which turns \(a!b@c)\ into \(b%a@c)\ and \(a!b!c@d)\ first into \(b!c%a@d)\ and then,
       because of the R flag, into \(c%b%a@d)\. The R flag causes repetition up to
       10 times.

       \**Warning:**\ If you install a general rewriting rule like the above, you are
       opening yourself up to the possibility of unwanted relaying. A host that
       is not permitted to relay through your system could send a message with
       an SMTP command line such as

==>      RCPT TO:<victim-host!victim-user@your.domain>

       and this would be accepted because it is addressed to your domain.
       However, the rewriting then converts the address, and the message does
       in fact get relayed. One way round this, if all your bang path messages
       are passed to Exim via SMTP, is to use the \"S"\ rewriting flag. This
       applies a rewriting rule to incoming SMTP addresses as soon as they are
       received, before checking for qualification, relaying, etc. So a rule
       such as

==>      \N^([^!]+)!(.+)$\N  $2@$1  S

       rewrites simple two-component bang paths before the result is checked
       for relaying. However, this does not rewrite addresses in the headers of
       the message.


Q1503: We see something strange on our system in regards to mail coming in via
       rmail from a UUCP link. The sender is being set to mailmaster instead of
       the real sender, and a ::Sender:: header is being added to the message.

A1503: If \(mailmaster)\ is the user that is running rmail, you need to include
       that user in the \trusted_users\ configuration option. Only trusted users
       are permitted to specify senders when mail is passed to Exim via the
       command line.



16. MODIFYING MESSAGE BODIES

Q1601: How can I add a disclaimer or an advertisement to a message?

A1601: There are a number of technical and potential legal problems that arise
       in connection with message modification. Some of them are listed below.
       Some comment on the legal position of email disclaimers in English law
       can be found at \?http://www.weblaw.co.uk/artemail.htm?\.

       See also \?http://www.goldmark.org/jeff/stupid-disclaimers/?\. There is
       some discussion about the problems of actually adding disclaimers in
       \?http://www.goldmark.org/jeff/stupid-disclaimers/apply.html?\.

       In many cases, email disclaimers will make your company look ridiculous,
       at the very least. At worst, they may interfere with the normal
       processing of mail.

       If, despite these considerations, you still want to modify messages, you
       can do so using Exim, but not directly in Exim itself. It is not the job
       of an MTA to modify messages, something that requires understanding of
       their content and format.

       Exim provides a hook called a ``transport filter'' that lets you pass
       any outgoing message through a program or script of your choice. It
       is the job of this script to make any changes to the message that you
       require. By this means, you have full control over what changes are
       made, and Exim does not need to know anything about message bodies.
       However, using a transport filter requires additional resources, and may
       slow down mail delivery.

       You can use Exim's routers to arrange for those messages that you want
       to modify to be delivered via a transport filter. For example, suppose
       you want to do this for messages from addresses in your domain that are
       being delivered to a remote host. First you need to set up a special
       \%smtp%\ transport that uses a filter, like this:

==>      remote_smtp_filter:
           driver = smtp
           transport_filter = /your/filter/command

       Then you need to modify the \%dnslookup%\ router to use this transport
       when the conditions are right:

==>      dnslookup:
           driver = dnslookup
           domains = ! +local_domains
           transport = ${if eq {$sender_address_domain}{your.domain}\
                        {remote_smtp_filter}{remote_smtp}}
           ignore_target_hosts = 127.0.0.0/8
           no_more

       This is the standard \%dnslookup%\ router, but with a modified setting of
       the \transport\ option. When the sender address is in your domain, it
       routes to the special transport instead of the standard one.

       The entire message is passed to your filter command on its standard
       input. It must write the modified version to the standard output, taking
       care not to break the RFC 2822 syntax. The command is run as the Exim
       user.

       There are a number of potential problems in doing this kind of
       modification in an MTA. Many people believe that to attempt is it wrong,
       because:

       1. It breaks digital signatures, which are becoming legally binding
          in some countries. It may well also break encryption.

       2. It is likely to break MIME encoding, that is, it is likely to wreck
          attachments, unless great care is taken. And what about the case of a
          message containing only binary MIME parts?

       3. It is illegal under German and Dutch law to change the body of
          a mail message in transit. It might potentially be illegal in
          the UK under European law. This consideration applies to ISPs and
          other ``common carriers''. It would presumably not apply in a corporate
          environment where modification was done only to messages originating
          from the employees, before they left the company's network. It might
          also not apply if the senders have explicitly given their consent
          (e.g. agreed to have advertisements added to their incoming mail).

       4. Since the delivered message body was produced by the MTA (not the
          originator, because it was modified), the MTA operator could
          potentially be sued for any content. This again applies to `common
          carrier' MTAs. It's interesting that adding a disclaimer of liability
          could be making you liable for the message, but this case seems
          more likely to involve adding advertisements than disclaimers. After
          all, no postal service in the world opens all the mail it carries to
          add disclaimers.

       5. Some mail clients (old versions of MS outlook) crash if the message
          body of an incoming MIME message has been tampered with.

       There are also potential problems that could arise if a scheme to add
       disclaimers goes wrong for some messages:

       1. False negatives: `Ah, this guy usually says he does not represent
          their views, but in this message he doesn't have the disclaimer'.

       2. False positives: `This official announcement does not represent our
          views, oh no'.

       An alternative approach to the disclaimer problem would be to insist
       that all relevant messages have the disclaimer appended by the MUA. The
       MTA should refuse to accept any that do not. Again, however, the MTA
       must understand the format of messages in order to do this. Simply
       checking for appropriate wording at the end of the body is not good
       enough. It would probably be necessary to run a Perl script from within
       an Exim system filter, or write a \^^local_scan()^^\ function in order
       to adopt this approach.

       Finally, it's a trivial matter to add customized headers of the sort:

==>      X-Disclaimer:  This is a standard disclaimer that says that the views
         X-Disclaimer:  contained within this message are somebody else's.

       which is a much easier alternative to modifying message bodies.


Q1602: How can I remove attachments from messages?

A1602: The answer to this is essentially the same as for Q1601.



17. ENCRYPTION (TLS/SSL)

Q1701: I am trying to set up an Exim server that uses a self-signed certificate
       to enable my clients to use TLS. However, clients other than Exim
       refuse to accept this certificate. What's wrong?

A1701: It seems that some clients require that the certificate presented by
       the server be a user (also called ``leaf'' or ``site'') certificate, and not
       a self-signed certificate. In this situation, the self-signed
       certificate must be installed on the client as a trusted root
       \*certification authority*\ (CA), and the certificate used by the server
       must be a user certificate signed with that self-signed certificate.

       For information on creating self-signed CA certificates and using them
       to sign user certificates, see the \*General implementation overview*\
       chapter of the Open-source PKI book, available online at
       \?http://ospkibook.sourceforge.net/?\. Here is a quick overview. First,
       read this message:

       \?http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com?\

       Then, follow the instructions found on these two (consecutive) pages:

       \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm?\
       \?http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm?\

       Two points on the PKI Book literature:

       (1) It's assumed that it's okay to use a passphrase-protected key to
           encrypt the user/site/leaf certificate. If this isn't acceptable,
           you seem to be able to strip out the passphrase as follows:

==>          openssl rsa -in user.key -our user.key.new
             mv user.key.new

           This should be done immediately after \(user.key)\ is created.

       (2) The \*sign.sh*\ script is available in the \*mod_ssl*\ distribution,
           available at \?http://www.modssl.org/source/?\.

       Having followed the instructions, you end up with the following files:

       (a) \(ca.crt)\

       This file should be installed into the client software as a trusted
       root certification authority. In Windows XP, this can be done as follows:

       \#\#Call the file \(ca_cert.cer)\
       [[br]]
       \#\#Double-click on the file
       [[br]]
       \#\#"Install Certificate";
       [[br]]
       \#\#"Next"
       [[br]]
       \#\#"Place all certificates in the following store"
       [[br]]
       \#\#"Browse..."
       [[br]]
       \#\#"Trusted Root Certification Authorities"
       [[br]]
       \#\#"OK"
       [[br]]
       \#\#"Next"
       [[br]]
       \#\#"Finish"
       [[br]]
       \#\#"Yes"
       [[br]]
       \#\#"OK"

       (b) \(user.crt)\ and \(user.key)\

       These files should be installed into the server software. In Exim, this
       can be done by adding these lines to the configuration file:

==>      tls_certificate = /usr/local/etc/exim/tls_cert
         tls_privatekey = /usr/local/etc/exim/tls_key

       Then install \(user.crt)\ and \(user.key)\ under the names \(tls_cert)\
       and \(tls_key)\ in the appropriate directory.


Q1702: How can I arrange for Exim to advertise support for SMTP authentication
       only when the session is encrypted?

A1702: Use this setting:

==>      auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}


Q1703: I have some legacy clients that don't use STARTTLS, but which expect to
       negotiate a TLS session automatically on connection to the ssmtp port
       (465). Can Exim handle this?

A1703: If you are using release 4.43 or later, you can set

==>      tls_on_connect_ports = 465

       and then arrange for your daemon to listen on both port 25 and port 465
       by setting \daemon_smtp_ports\ or \local_interfaces\ or the \-X-\
       command line option. Or use \(inetd)\ to listen on port 465.

       If you are using an earlier release of Exim, you need to run two
       Exim listeners, on different ports, one of which is started with the
       \-tls-on-connect-\ option (which makes all ports act this way). You can
       either use two daemons, or a single daemon, with the other listener
       using \^inetd^\. For example, here are commands to start two daemons:

==>      exim -bd -q15m
         exim -bd -oX '[0.0.0.0]::465' -tls-on-connect

       The first is a ``normal'' daemon; the second listens on port 465 and
       expects to negotiate a TLS session at the start of each connection.


Q1704: When my Outlook Express 6.0 client sends a STARTTLS command to begin a
       TLS session, Exim doesn't seem to receive it.

A1704: See Q0059.


Q1705: I have listed some hosts in \tls_try_verify_hosts\, but when they
       connect, no data appears in \$tls_peerdn$\.

A1705: This means that the clients have not sent certificates when asked by
       the server to do so. If the clients are running Exim, check that
       \tls_certificate\ is correctly set in their \%smtp%\ transports. Note
       that this value is not automatically inherited from the global
       \tls_certificate\ option.


Q1706: I have listed some hosts in \tls_verify_hosts\ and provided them with
       certificates, but their connections are always rejected.

A1706: Make sure that the server file containing the expected certificates
       (defined by \tls_verify_certificates\) is readable by the Exim user.
       See also the answer to Q1705.


Q1707: I am trying to use TLS with Evolution as a client, and keep seeing this
       error: \*SMTP protocol violation: synchronization error (next input
       sent too soon): rejected "\200F^A^C".*\ What does it mean?

A1707: See Q0086 for a general explanation of the error. In this case, it
       probably means that Evolution is trying to negotiate a TLS session
       immediately it connects, without first using the STARTTLS command. This
       was an older way of starting up TLS, before STARTTLS was defined. See
       Q1703 for how to deal with this.


Q1708: I trying to use TLS with Outlook as a client on a box that is running
       Norton Antivirus, but all my email is being rejected with \*Unsupported
       command*\ errors. Why?

A1708: Norton Antivirus does not support TLS or AUTH. It puts a broken SMTP
       proxy between you and the Exim server. You need to turn off outbound
       scanning of email.



20. MILLENNIUM

Q2000: Are there any Y2K issues with Exim?

A2000: The author of Exim believes that it is Y2K-compliant, as long as the
       underlying operating system and C library are. Exim does not parse dates
       or times at all. Internally, it makes some use of binary timestamps in
       Unix format (number of seconds since 1-Jan-1970) and uses C library
       services to convert these to printing forms (e.g. for logging). The
       printing forms all use 4-digit years. Some people have tried various
       tests. No problems have been reported, but details of what tests have
       been done are not available.

       Well, it's now November 2001, and no Y2K problems have been reported, so
       it looks like I was right. This entry is retained as historical
       nostalgia.



50. MISCELLANEOUS

Q5001: How can I arrange to allow a limited set of users to perform a limited
       set of Exim administration functions? I don't want to put them all in
       the //exim// group.

A5001: See \?http://www.chiark.greenend.org.uk/~ian/userv/?\. Using \^userv^\ you can
       arrange (for example) for certain users to be able to invoke \^mailq^\ or
       \^runq^\ or other preset commands as \^exim^\ (or any other user, as configured)
       with only \^userv^\ configuration. If you want to check the particular Exim
       options available you can easily do it with shell or Perl scripts and
       \^userv^\ configuration, and provided you know how to do argument
       ``unparsing'' properly in shell or Perl it will be secure.


Q5002: I want to ``tail'' the Exim log, but I have a number of other logs I also
       want to ``tail'', and the number of tailing windows is getting to be a
       nuisance.

A5002: Look for a program called \^xtail^\ (despite its name, it's not an
       X-windows application). It allows you to do multiple tails, even of
       entire directories.

       Alternately, get the GNU version of \^tail^\, from the GNU textutils
       package (\?ftp://ftp.gnu.org/gnu/textutils/?\). GNU tail lets you run
       \"tail -f\" on multiple files at the same time, although it doesn't work
       on entire directories like \^xtail^\ can. If you are running Linux, you
       probably already have a version of GNU \^tail^\ that can follow multiple
       files.


Q5003: How can I persuade Exim to accept ETRN commands without the leading
       # character?

A5003: Set the option

==>      smtp_etrn_command = /usr/lib/sendmail -R $domain

       This causes Exim to run that command, with \$domain$\ replaced by the
       argument of ETRN. The default action of Exim is to require the # sign
       in order to be RFC-compliant, and to run the equivalent of

==>      smtp_etrn_command = /usr/lib/sendmail -R ${substr_1:$domain}

       which uses the argument without the leading # as the value for the \-R-\
       option. You aren't restricted to running Exim with the \-R-\ option, of
       course. You can specify any command you like, with any number of
       arguments. In particular, you can pass over the IP address of the caller
       via \$sender_host_address$\. However, if you make use of expansion strings
       in the arguments, each one must be entirely contained in a single
       argument. For example, if you want to remove the first character of the
       ETRN argument when it is @ or #, you could use

==>      smtp_etrn_command = "/usr/lib/sendmail -R \
           \"${if match {$domain}{^[@#]}{${substr_1:$domain}}{$domain}}\""

       The internal quotes are necessary because of the white space inside the
       expansion string.


Q5004: I've recently noticed that emails I send with a ::Bcc:: line are being
       delivered to their final destination with the ::Bcc:: line still present.

A5004: Exim removes ::Bcc:: lines only if you call it with the \-t-\ option (i.e.
       when it is acting partly as an MUA). It does not remove ::Bcc:: lines that
       are present in incoming SMTP mail or command-line mail that does not
       use \-t-\. Indeed, it should not remove them, because only the
       initiating software (i.e. the MUA) can tell what to do with ::Bcc::
       lines; any MTA software has to leave them alone. This is what RFC 2822
       has to say about ::Bcc::

         \*The ::Bcc:: field (where the ``Bcc'' means ``Blind Carbon Copy'') contains
         addresses of recipients of the message whose addresses are not to be
         revealed to other recipients of the message.  There are three ways in
         which the ::Bcc:: field is used.  In the first case, when a message
         containing a ::Bcc:: field is prepared to be sent, the ::Bcc:: line is
         removed even though all of the recipients (including those specified
         in the ::Bcc:: field) are sent a copy of the message.  In the second
         case, recipients specified in the ::To:: and ::Cc:: lines each are sent
         a copy of the message with the ::Bcc:: line removed as above, but the
         recipients on the ::Bcc:: line get a separate copy of the message
         containing a ::Bcc:: line.  (When there are multiple recipient
         addresses in the ::Bcc:: field, some implementations actually send a
         separate copy of the message to each recipient with a ::Bcc::
         containing only the address of that particular recipient.) Finally,
         since a ::Bcc:: field may contain no addresses, a ::Bcc:: field can be
         sent without any addresses indicating to the recipients that blind
         copies were sent to someone.  Which method to use with ::Bcc:: fields
         is implementation dependent, but refer to the ``Security
         Considerations'' section of this document for a discussion of each.*\


Q5005: I used \^gv^\ 3.5.8 (\^ghostview^\) to try printing \(spec.ps)\. After every
       printed page, the printer ejects a blank sheet. Is this something to do
       with using ``letter'' rather than A4 paper?

A5005: This seems to be an effect of using \^ghostview^\. Although the PostScript
       is generated for A4 pages, the size of the page images is such that they
       should fit on a letter page (they are shorter than would normally be
       used on A4 paper). If the PostScript file is sent directly to a
       PostScript printer, there is no problem. An alternative is to get hold
       of the \^psutils^\ toolset, which is available from
       \?ftp://ftp.dcs.ed.ac.uk/pub/psutils/psutils.tar.gz?\.
       It contains utilities for extracting pages (which can be useful for
       double-sided printing) and for resizing pages. If you resize from A4 to
       letter the text shrinks a bit, but should then be printable via
       \^ghostview^\.


Q5006: Why aren't there any man pages for Exim? I don't always carry my printed
       documentation.

A5006: A single man page that lists the command line options is provided in
       file \(doc/exim.8)\ in the Exim distribution. Several other forms of
       online documentation are available. As well as plain ASCII text, the
       there are two forms - Texinfo and HTML - which have a certain amount of
       built-in indexing for ease of finding your way around. There are no man
       pages apart from the command line one because the author of Exim hasn't
       the time (or desire :-) to maintain yet another documentation format.
       Besides, it is hard to know how to split the Exim manual up.


Q5007: When I send a message using the \-t-\ command line option, Exim sends only
       to the addresses within the message, not to those on the command line.

A5007: There seems to be some confusion in the Sendmail community about the
       interpretation of recipient addresses on the command line if the \-t-\
       option is used. Some versions do one thing, and some another. Here is an
       except from one version of the Sendmail documentation for \-t-\:

       \*Read message for recipients. ::To::, ::Cc::, and ::Bcc:: lines will
       be scanned for recipient addresses. The ::Bcc:: line will be
       deleted before transmission. Any addresses in the argument
       list will be suppressed, that is, they will not receive
       copies even if listed in the message header.*\

       By default Exim follows this specification, and interprets addresses on
       the command line as addresses not to send to. You can set

==>      extract_addresses_remove_arguments = false

       to change this behaviour so that command line addresses are added to the
       addresses that are taken from the header lines.


Q5008: If I set up a domain list to contain //*customer.com//, it matches
       //customer.com// and //abc.customer.com// as required, but it also matches
       //noncustomer.com//, which is wrong. How can I get round this?

A5008: You have to specify two entries in the list:

==>      customer.com : *.customer.com

       because * in a domain list matches any characters, including \"."\ and
       including a null sequence.


Q5009: I want to match all domains of the form //*.oyoy.org// but want a few
       exceptions. For instance I don't want //foo.oyoy.org// or //bar.oyoy.org// to be
       included. What is the best way to do this?

A5009: Use negative items in the domain list, like this:

==>      domainlist local_domains = !foo.oyoy.org : !bar.oyoy.org : *.oyoy.org

       If there are many exceptions, you can use a lookup instead of listing
       them all inline. If there are a number of exceptions that match a
       particular pattern, you could use a regular expression.


Q5010: I can't seem to find a pre-built version of Exim anywhere. The machine
       is a Sparc 5 running Solaris 2.6.

A5010: The primary distribution is source-only. However, some people have built
       and distributed RPMs and debs for Linux systems, and ports for FreeBSD.
       I haven't heard of anyone doing this for Solaris. The main problem with
       binary distributions is that there are a number of build-time options,
       requiring the answers to questions like:

       . Which DBM library do you have? (On Solaris probably ndbm, but no easy
         default on some other systems.)

       . Which uid/gid do you want to use for Exim?

       . Where do you want the configuration file to be? (Many different
         answers, even on the same OS, depending on local policy.)

       . Ditto for the binaries.

       . Which optional bits of Exim do you want to include?


Q5011: Is there a version of Exim available that runs under Windows?

A5011: A long time ago somebody took a copy of the Exim source with the aim of
       trying to port it to Windows NT. However, I never heard anything more.
       However, current versions of Exim can be made to run under Cygwin.


Q5012: Does Exim support Delivery Status Notification (DSN), Message Status
       Notification (MSN), or any other form of delivery acknowledgement?

A5012: See Q0607.


Q5013: What does ``Exim'' stand for?

A5013: Originally, it was ``EXperimental Internet Mailer'', which was the best I
       could come up with when I was starting out. At that point it was
       experimental - I wanted to see if the ideas I had for extending Smail's
       approach actually worked. Then somebody discovered about it and wanted
       to start using it, and told other people about it...


Q5014: Although I haven't set \check_spool_space\, Exim is still checking the
       amount of space on the spool for incoming SMTP messages that use the
       SIZE option. Can I suppress this?

A5014: The RFC for the SIZE option says:

         \*If the server currently lacks sufficient resources to accept a
         message of the indicated size, but may be able to accept the
         message at a later time, it responds with code ``452
         insufficient system storage''.*\

       and that is what Exim is trying to implement. This is entirely
       independent from \check_spool_space\, which says \*don't accept any mail
       if there is less than so much space in the spool partition*\, though the
       code is optimised to do both checks at the same time if required.
       However, you can suppress the SIZE check if you want to, by unsetting
       \smtp_check_spool_space\.


Q5015: I just noticed log entries that start off \"<= <>"\. Am I correct in
       assuming that the \"<>"\ indicates that the envelope did not contain any
       ``From'' data?

A5015: Yes. This indicates a delivery failure report (aka a ``bounce message''),
       as specified in RFC 2821. The reason for using empty sender addresses is
       to identify bounce messages so that they themselves do not cause further
       bounces. Empty senders are also used for other kinds of report which
       should not themselves cause the generation of bounce messages. For
       example, Exim uses them when sending out warnings about delivery delays.


Q5016: I've received a message which does not have my address in the ::To::
       line. It is a spam message with the same address in both the ::From:: and
       the ::To:: headers. How can this happen, and why doesn't Exim reject it?

A5016: There is an important distinction between the ``envelope'' from and to and
       the ``header'' from and to. The former are sometimes called the ``sender''
       and ``recipient''. An email message needs an ``envelope'' for the same
       reason that paper mail does - the envelope tells the delivery mechanism
       what to do with this copy of the message, whereas the ::To:: header lists
       all the recipients, including those who have been sent different copies
       of the message because their mailbox is on some other host.

       An MTA such as Exim works entirely with the ``envelope'' addresses, not
       with those in the header lines. Don't try to block mail where envelope
       from and the header from differ. There are common legitimate cases where
       this happens, for example, messages forwarded from mailing lists and
       delivery failure reports.


Q5017: Can (or will) Exim ever handle a message delivery purely in memory,
       that is, it is handled without it ever hitting the disk?

A5017: It doesn't, and never will. Accepting and delivering a message are two
       entirely separate, independent processes, which communicate only by
       writing/reading the message on the disk.


Q5018: If I am using dbm files for data that Exim reads, can I rebuild them
       on the fly, or do I need to restart Exim every time I make a change?

A5018: Exim re-reads the file every time it consults it, so if you are using a
       cdb or a DBM library that uses just a single file (i.e. not ndbm),
       you can just build the new file with a temporary file name, and use
       \^mv^\ to rename it into the correct place on the fly. If there are two
       files to rename, there is a window of time during which the DBM database
       is inconsistent. On lightly loaded systems this may not matter.


Q5019: I need an option that is the opposite of \-bpa-\, that is, a listing of
       those addresses generated from a top-level address that have not yet
       been delivered.

A5019: Exim does not keep this information. It saves only the top-level
       addresses and the list of addresses that are finished with. At each
       delivery attempt, generated addresses are recomputed from scratch. This
       makes it possible to correct errors in redirection data that is
       causing delivery delays. However, there is an option you can set on a
       \redirect\ router that changes things. It is called \one_time\, and if
       it is set, the list of generated addresses gets added to the top-level
       list at the first delivery attempt, and is never regenerated. Because
       top-level address lists must be real email addresses, this option cannot
       be used if any of the generated addresses are pipes, files, or
       autoreplies.


Q5020: How can I make Exim receive incoming mail, queue it, but not attempt to
       deliver it? I want to be in this state while moving some mailboxes.

A5020: Set \queue_only\ in the Exim configuration. Then kill your daemon,
       and restart it without the \-q-\ option (i.e. with just the \-bd-\ option),
       so that it does not spawn any queue runners. This stops all deliveries,
       remote as well as local.


Q5021: What does Exim use for POP and IMAP as a default?  Do I have to install
       anything else?

A5021: Yes. Exim provides MTA functionality. That is, it delivers mail. POP and
       IMAP are two of several ways of reading previously-delivered mail. Exim
       does not provide that functionality. You need to install POP and/or IMAP
       daemons; there are several to choose from.


Q5022: Is there an easy way of removing all queued messages at once in a safe
       way?

A5022: Try this command:

==>    exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh


Q5023: Why does Exim do \*ident*\ callbacks by default? Isn't this just a waste
       of resources? I've been told this is an ancient way of authentication.
       Is it obsolete?

A5023: This is a common misunderstanding, at least partially resulting from the
       incorrect naming of the protocol when it was first published.
       The service on port 113 is an identification service, which allows a
       target host to record information identifying the user responsible for
       making a connection to it. The information may not be intelligible to
       the recording host - it could, for example, be encrypted so that only
       someone on the calling host can make sense of it. It is useful for
       providing additional information in an audit trail.

       At least one site has found \^ident^\ effective against two rather
       prevalent kinds of open proxy (whether already blacklisted at the RBLs
       or not). An ACL statement is used to reject mail from servers that
       return \^ident^\ strings of \"squid"\ and \"CacheFlow Server"\.
       Snippets such as this in the RCPT ACL do the trick:

==>      deny  condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
           message = Rejected - appears to be an unsecured proxy: $sender_ident

       The likelihood that a genuine mail process would return those specific
       ident strings is vanishingly small.

       The \^ident^\ data should not be used for authentication in any form
       except on a closed secure network between cooperating hosts (probably
       not even then). The information from the source host is only as reliable
       as the host itself. If it's not under your control then you have to
       treat the information as opaque data that can be used only by the
       sysadmin of the source system to trace back connection data. Some
       \^ident^\ implementations send out opaque cookies or DES encrypted
       information. \^Ident^\ is hugely useful at times - especially for
       checking back on connections from multiuser machines (as opposed to
       one-person desktop boxes).

       You can stop Exim making ident calls by adding

==>      rfc1413_query_timeout = 0s

       to its configuration, but it is better to leave it active (reducing the
       timeout to 10s or less if it is causing problems) - it costs very
       little, and in cases of mail forgery from a multiuser system can track
       the sinner concerned very quickly.


Q5024: I often have the problem that a message gets stuck in the mail queue and
       I want it to be bounced to a certain address.

A5024: You can do this using a combination of four command line options, like
       this:

==>      exim -Mf   14Fdlq-0003kM-00
         exim -Mmad 14Fdlq-0003kM-00
         exim -Mar  14Fdlq-0003kM-00  new@ddress
         exim -M    14Fdlq-0003kM-00

       The first command freezes the message so that a queue runner won't start
       to deliver it while you are changing things. The second command marks
       all existing recipients as delivered. The third command adds a new
       recipient, and the fourth command forces a delivery of the message,
       which will cause it to be delivered to the new address, and then
       deleted.


Q5025: What precautions should I take when editing Exim's run time
       configuration file?

A5025: Edit the file and save the result in a new file. Test the syntax of
       the new file by running a command like this:

==>      exim -bV -C exim.conf.new

       That will check for syntax errors without disturbing your running
       configuration. If you are paranoid enough, run, as \/root/\,

==>      exim -C exim.conf.new <some address>
         <some message>
         .

       and see if it delivers it. Carry on testing until happy. When happy,

==>      mv exim.conf.new exim.conf
         kill -HUP `cat /var/spool/exim/exim-daemon.pid`

       Then check the Exim log to be sure the daemon restarted OK. Watch the
       log for a bit to see that mail is flowing.


Q5026: Is exim able to use RFC 2645, \*On-demand Mail Relay*\ (ODMR)?

A5026: No.


Q5027: Is there any way I can send bounces to the postmaster, and nobody else?
       Basically, I want to receive them, and I don't want the reply/from
       person to get them. If I think they need it I will forward it myself.

A5027: Put \"errors_to=postmaster"\ on every router.


Q5028: When I HUP the Exim daemon, the name shown in the process table changes
       from \(/usr/lib/sendmail)\ (which is a symlink) to the real binary name.
       Can I change this?

A5028: Add this to your Exim configuration:

==>      exim_path = /usr/lib/sendmail


Q5029: A message with a recipient address that contains a non-printing character
       is stuck on my mail queue. How can I remove this address?

A5029: You can use the \-Mmd-\ command line option to mark a recipient address
       ``delivered'', which effectively removes it. If you are using the Bash
       shell, you can enter non-printing characters using an escape sequence.
       For example:

==>      exim -Mmd 15HKvU-00013Q-00 $'\240'abc@x.y.z

       In this example, the first character of the local part has a code value
       of 240. If you are using a shell that does not support this, create the
       command in a file and run it as a shell script.


Q5030: I am using exim in a two queues scenario, with two different
       configuration files. How can I run a second copy of \^eximon^\ to
       inspect and modify the alternate queue?

A5030: Use these commands (or put them in a script):

==>      EXIMON_EXIM_CONFIG=/your/path/exim/configure.alternate
         export EXIMON_EXIM_CONFIG
         /your/path/exim/bin/eximon


Q5031: Why is there no sender address on bounce messages? It shows up as "<>".

A5031: See the answer to Q0042.


Q5032: Are there any Exim web-based administration scripts?

A5032: No (as far as is known). It seems likely that producing one that is
       generic enough would be a difficult task.


Q5033: How can I send a copy of all outgoing messages to another mailbox?

A5033: The most straightforward way is to set up a system filter, and include
       a command such as:

==>      unseen deliver mailbox@whatever.domain

       This sends a copy of every message to //mailbox@whatever.domain//
       (unless the message already has that recipient - Exim never does
       duplicate deliveries).

       To save only ``outgoing'' messages, you need to come up with a
       definition of what ``outgoing'' means. Typically, this might be a check
       on the sender address and/or on the originating host. Here is an
       example:

==>      if $sender_address_domain is mydomain.com and
            ${mask:$sender_host_address/24} is 192.168.324.0/24
         then
           unseen deliver mailbox@whatever.domain
         endif


Q5034: Is there any way to make the \queue_only\ option conditional? I would
       like the ability to queue messages from external sources while deliver
       locally generated email as normal.

A5034: There is no direct way of doing this. However, you can achieve the
       effect. In one of your ACLs that checks incoming mail from external
       sources, put

==>      warn  control = queue_only

       You can add other conditions as well, of course.


Q5035: Does Exim run with different permissions between \-bt-\ and \-bh-\, or
       between verifying and actual sending?

A5035: Yes. For \-bt-\ it runs as root, as it would when delivering a message.
       For \-bh-\, \-bv-\, and when actually receiving a message, it runs as
       the Exim user.



91. MAC OS X

Q9101: How can I install Exim on Mac OS X?

A9101: (1) There is useful advice on this web page:
       \?http://www.afp548.com/Articles/Jaguar/exim410.html?\.

       (2) There is a package installer available at this URL:
       \?ftp://members.aol.com/AFP548dotcom/EximInstaller.sit?\.

       (3) There is another package installer for the combination of MySQL,
       Exim, Exiscan, CourierIMAP, and SpamAssassin at this URL:
       \?http://maxo.captainnet.net/installs/mail-install.html?\.



92. FREEBSD

Q9201: On FreeBSD, \(/usr/sbin/sendmail)\ is a symbolic link to
       \(/usr/sbin/mailwrapper)\; it doesn't contain the Sendmail binary. How
       should I replace Sendmail with Exim on FreeBSD?

A9201: There is a file called \(/etc/mail/mailer.conf)\ which selects what to
       run for various MTA calls. Instead of changing \(/usr/sbin/sendmail)\,
       you should edit this file instead, to read something like this:

==>      sendmail          /usr/exim/bin/exim
         send-mail         /usr/exim/bin/exim
         mailq             /usr/exim/bin/exim -bp
         newaliases        /usr/bin/true

       You probably also need to edit \(/etc/periodic.conf)\; see Q9202.


Q9202: A script that FreeBSD runs nightly uses \^mailq^\ with the \-Ac-\
       parameter. Why doesn't Exim recognize this?

A9202: \-Ac-\ is a Sendmail option that requests that mailq ``Show the mail
       submission queue specified in \(/etc/mail/submit.cf)\ instead of the
       MTA queue specified in \(/etc/mail/sendmail.cf)\''. Exim doesn't have
       the concept of a ``submission queue''. You can disable this feature
       of the nightly script by adding the line

==>      daily_status_include_submit_mailq="NO"  # No separate 'submit' queue

       to the file \(/etc/periodic.conf)\.


Q9203: How can I use Exim for authenticated SMTP using Cyrus on FreeBSD?

A9203: This web page may help: \?http://www.munk.nu/exim/exim-freebsd-asmtp.php?\.



93. HP-UX

Q9301: I'm trying to compile on an HP machine and I don't have \^gcc^\ there. So I
       put \"CC=cc"\ in the \(Local/Makefile)\, but I got this error:

==>    (Bundled) cc: "buildconfig.c", line 54: error 1705: Function prototypes
         are an ANSI feature.

A9301: The bundled compiler is not an ANSI C compiler. You either have to get a
       copy of \^gcc^\ from the HPUX Software Porting Archives or buy the ANSI cc
       from HP. The advice given by one user of HP systems on the Exim
       mailing list was as follows:

         \*Personally, I wouldn't use anything but the ANSI C compiler. gcc
         works for compilation, but it doesn't know squat about PA-RISC chips
         past the 1.0 rev. Since then, HP has come out with PA-RISC 1.1, 2.0,
         and 2.1, each with better features. gcc will compile for them, but it
         doesn't produce anywhere near the optimization that HP's compiler
         does.*\

         \*I took the gcc road when we moved from FreeBSD to HP-UX because I was
         familiar with it. After 6 months, I had to go and re-port everything
         over when we realized that gcc wasn't going to do it for us long-term.
         If I could give advice to any new HP-UX admin: don't use gcc if you
         can afford the ANSI C compiler.  Based on the cost of even the lowest
         HP workstation, that usually isn't a problem.*\



94. BSDI

Q9401: On BSDI 4.0, Exim built with Perl support exits with the error message

==>      ./exim: can't load library 'libperl.so'

A9401: You probably compiled perl5 yourself, without looking into

==>      /usr/src/contrib/perl5/perl5.004_02/hints/bsdos.sh

       first. The problem is that the command

==>      perl5 -MExtUtils::Embed -e ldopts

       doesn't give you sufficient flags to link something with libperl.
       Since 5.004_02 the \(hints/bsdos.sh)\ file has changed to adapt to the
       changes between BSDI 3.1 and 4.0, but it is still not entirely right.

       The solution is, when you compile perl, change the \ccdlflags\
       variable in config.sh to:

==>      -rdynamic -Wl,-rpath,/usr/local/lib/perl5/5.00502/i386-bsdos/CORE

       (or something similar). Alternatively, you can run \(./Configure)\ and
       answering the question \*Any special flags to pass to cc to use dynamic
       loading?*\ with the above line. It is not known what \-rdynamic-\ means
       (it's not apparently documented in any man page), but that's what BSDI
       guys did to compile perl5 which comes with BSDI 4.0 distribution.



95. IRIX

Q9501: The IP addresses for incoming calls are all being given as
       255.255.255.255 or 0.0.0.0.

A9501: This problem should no longer occur because a workaround has been
       installed in Exim.



96. LINUX

Q9601: Exim is mysteriously crashing, usually when forking to send a delivery
       error message.

A9601: This has been seen in cases where Exim has been incorrectly built with
       a muddled combination of an \(ndbm.h)\ include file and a non-matching
       DBM library.

       Faults like this have also been seen on systems with faulty motherboards.
       You could try to compile the Linux kernel 10 times - if the compile
       process stops with signal 11, your hardware is to blame.


Q9602: I want to use \^logrotate^\ which is standard with RH5.2 Linux to rotate
       my mail logs. Anyone worked out the \^logrotate^\ config file that will
       do this?

A9602: Here's one suggestion:

==>      /var/log/exim/main.log {
             create 644 exim exim
             rotate 4
             compress
             delaycompress
         }

       The sleep is added to allow things to close the log file prior to
       compression. You also need similar entries for the panic log and the
       reject log, of course.


Q9603: I'm seeing the message \*inetd[334]: imap/tcp server failing (looping),
       service terminated*\ on a RedHat 5.2 system, causing \^imap^\ connections to
       be refused. The \^imapd^\ in use is Washington Univers 12.250. Could this
       be anything to do with Exim?

A9603: No, it's nothing to do with Exim, but here's the answer anyway: there
       is a maximum connection rate for \^inetd^\. If connections come in faster
       than that, it thinks a caller is looping. The default setting on RedHat
       5.2 is 40 calls in any one minute before \^inetd^\ thinks there's a problem
       and suspends further calls for 10 mins. This default setting is very
       conservative. You should probably increase it by a factor of 10 or 20.
       For example:

==>      imap stream tcp nowait.400 root /usr/sbin/tcpd /usr/local/etc/imapd

       The rate setting is the number following ``nowait''. This syntax seems to
       be specific to the Linux version of \^inetd^\. Other operating systems
       provide similar functionality, but in different ways.


Q9604: I get the \*too many open files*\ error especially when a lot of messages
       land for Majordomo at the same time.

A9604: The problem appears to be the number of open files the system can
       handle. This is changable by using the proc filesystem. To your
       \(/etc/rc.d/rc.local)\ file append something like the following:

==>      # Now System is up, Modify kernel parameters for max open etc.

==>      if [ -f /proc/sys/kernel/file-max ]; then
           echo 16384 >> /proc/sys/kernel/file-max
         fi
         if [ -f /proc/sys/kernel/inode-max ]; then
           echo 24576 >> /proc/sys/kernel/inode-max
         fi
         if [ -f /proc/sys/kernel/file-nr ]; then
           echo 2160 >> /proc/sys/kernel/file-nr
         fi

       By echoing the value you want for file-max to the file \(file-max)\ etc.,
       you actually change the kernel parameters.


Q9605: I installed debian 2.2 linux on a small 325mb 486 laptop. When I try
       to test the Mail program, I get the following error: \*Failed to open
       configuration file /etc/exim.conf*\.

A9605: The Debian installation should have given you \(/usr/sbin/eximconfig)\,
       which asks you some questions and then sets up the configuration file
       in \(/etc/exim.conf)\. Try running that (you'll probably need \/root/\) and see
       how it goes. In any case you get a thoroughly commented conf file at
       the end, which will give you a sample from which to work if you need
       further modification.

       The Exim docs in the Debian package are in \(/usr/doc/exim)\ where the full
       reference manual is \(spec.txt.gz)\.


Q9606: I'm having trouble configuring Exim 4 on a Debian system. How does
       \(/etc/exim4/conf.d)\ work?

A9606: The Debian Exim 4 package uses a quite uncommon, but elegant,
       method of configuration where the ``real'' Exim configuration file is
       assembled from a tree of snippets by a script invoked just before the
       daemon is started (see Q9608).

       This fits very well into the Debian system of configuration file
       management and is a great ease for the automatic configuration with
       Debconf. However, it is very different from the normal way Exim 4 is
       configured. Non-Debian users on the Exim mailing list will probably have
       difficulty in trying to answer specific questions about it. You may have
       to find a Debian expert.


Q9607: I'm having difficulties trying to make Exim 4 with Redhat 9 and Berkeley
       DB 4.

A9607: Have you remembered to install the db4-devel package?


Q9608: I'm running Exim 3 under Debian, and want to upgrade to Exim 4. How
       difficult is it?

A9608: A user who did this, using the Debian Exim 4 package, reported as
       follows:

       (1) The exim4 package installs easily, and the exim (3.38) package
       uninstalls at the same time.

       (2) Exim runs from \^inetd^\. Exim4 runs from \^/etc/init.d^\. Much nicer!

       (3) The exim conffile lives in \(/etc/exim/exim.conf)\. The exim4 conffile
       lives in \(/var/lib/exim4/config.autogenerated)\. It is, as the name
       suggests, autogenerated.

       (4) A new directory is created called \(/etc/exim4)\. This contains the
       conffiles to generate the above config. You make changes here.

       (5) Once you have made changes to the files in \(/etc/exim4)\ you run the
       script \^update-exim4.conf^\ which generates a replacement
       \(config.autogenerated)\.

       [Added comment by the Debian maintainer, slightly edited:
       You also need to tell the Exim daemon to reread the changed
       configuration. You can do this using SIGHUP by hand. Alternatively,
       instead of running \^update-exim4.conf^\ you can use

==>    invoke-rc.d exim4 reload

       which does the rebuild and also tells Exim to reread the changed
       configuration.]

       (6) In my experience, you need to carefully check the generated
       configs. eg, it did not generate a system filter file reference in the
       \(config.autogenerated)\. I didn't bother too much, since this is a home
       setup.

       (7) All of this may be in the docs. I've read some of them, obviously,
       but didn't come across an actual upgrade guide.

       [The Debian maintainer says:
       \(/usr/share/doc/exim4-base/README.Debian.gz)\ and \^update-exim4.conf(8)^\
       should answer most of the questions.]

       (8) I've still got some minor things to tweak to get back to where I
       was before with Exim 3. But overall, it's no drama.


Q9609: Why do some servers refuse SMTP connections from my Linux box, but accept
       connections from hosts running other operating systems?

A9609: If you are sure this isn't a policy issue (that is, your box isn't
       administratively blocked for some reason), this may be because your
       Linux box has ECN (Explicit Congestion Notification) enabled in its
       TCP/IP stack. There are many broken firewalls that refuse connections
       from ECN-enabled hosts. You can check the state of your box by running

==>      cat /proc/sys/net/ipv4/tcp_ecn

       If the value is "1", you have ECN enabled. You can turn it off by
       running this command:

==>      echo "0" > /proc/sys/net/ipv4/tcp_ecn



97. SUN SYSTEMS

Q9701: Exim builds fine with \^gcc^\ on SunOS 4 but crashes inside \^^sscanf()^^\.

A9701: Make sure you are linking with the GNU \^ld^\ linker and not the system
       version of \^ld^\.


Q9702: How can I get rid of spurious \"^M"\ (carriage return) characters in
       messages sent from CDE \^dtmail^\?

A9702: CDE \^dtmail^\ passes messages to Exim via the command line interface with
       lines terminated by CRLF, instead of the Unix convention of just LF.
       This should not be a problem if you are using Exim release 4.21 or
       later, as changes were made to detect CRLF line endings.

       In earlier versions of Exim, CR would be treated as just another data
       character. There was, however, a command line option called
       \-dropcr-\ which caused Exim to ignore all CR characters in an incoming
       non-SMTP message. (This option is a no-op in current releases.)

       If you are using a pre-4.21 version of Exim, you should configure
       \^dtmail^\ to add this option to the command it uses to call Exim (using
       the path \(/usr/lib/sendmail)\). However, it has been reported that it
       isn't possible to change this call from \^dtmail^\ by any official
       means. An alternative approach is to replace \(/usr/lib/sendmail)\ by a
       filtering script that removes the spurious CRs from the input before
       passing it to Exim.


Q9703: On SunOS 4 Exim crashes when looking up domains in the DNS that have
       more than 10 A records.

A9703: There are Sun library patches to fix this. It is not Exim's problem.
       For 4.13_U1 the patch is 101558-xx; for 4.1.3 the patch is 100891-xx.
       From the README: \*1054748 ftp, ping dump core when connecting to a host
       with multiple DNS A records.*\ An alternative is to build another
       resolver library - such as the ones that are part of the \^bind^\
       distribution - and explicitly link against those.


Q9704: I am experiencing mailbox locking problems with Sun's \^mailtool^\ used
       over a network.

A9704: Under the \"Expert"\ settings of \^mailtool^\ is a option to turn on \*Use
       network aware mail file locking*\. By default \^dtmail^\ has this set, but
       \^mailtool^\ doesn't. You should set it. The help info on \^dtmail^\ has this
       to say about it:

       \*Mailer tries to prevent two different instances of itself from opening
       the same mail file at the same time through a technique that detects
       this access when both instances of Mailer and the file are all on the
       same machine. A network-aware mail file locking protocol is available
       that uses ToolTalk to coordinate instances of Mailer running from more
       than one machine, or mail files accessed over the network. Mailer can
       only change this option when first opening a mail file.*\

       If you are using the SunOS4 version of \^mailtool^\, this apparently
       doesn't work. The only thing which does seem to work it getting the user
       to hit the \"done"\ button to make it release the lock.


Q9705: Exim has been crashing on my Solaris x86 system, apparently while
       running DBM functions.

A9705: The use of \^ndbm^\ with \^gcc^\ has caused problems on x86 Solaris systems.
       Try changing one or the other; using either DB with gcc, or Sun's
       WS compiler with \^ndbm^\, has fixed this in the past.


Q9706: The \^exiwhat^\ utility isn't working for me on a Solaris 2 system.

A9706: Have you got \(/usr/ucb)\ on your path? If so, it is probably picking up the
       wrong version of the \^ps^\ command. The \^exiwhat^\ script is built on
       Solaris to expect the normal Solaris version of \^ps^\.


Q9707: How do I stop Sun's \^dtcm^\ from hanging?

A9707: From qmail's FAQ: \*There is a novice programming error in dtcm, known as
       ``failure to close the output side of the pipe in the child.'' Sun has,
       at the time of this writing, not yet provided a patch.*\


Q9708: I want Exim to use only the resolver (i.e. ignore \(/etc/hosts)\), but don't
       want to alter the \(nsswitch.conf)\ file in Solaris 2.

A9708: You need to rebuild Exim after fiddling with \(OS/os.h-SunOS5)\:

==>    #define gethostbyaddr res_gethostbyaddr
       #define gethostbyname res_gethostbyname
       #define endhostent res_endhostent
       #define endnetent res_endnetent
       #define gethostent res_gethostent
       #define getnetbyaddr res_getnetbyaddr
       #define getnetbyname res_getnetbyname
       #define getnetent res_getnetent
       #define sethostent res_sethostent
       #define setnetent res_setnetent

       Note that \-lnsl-\ is still needed in the Makefile as it
       contains code used by the NIS lookup and also the \^^inet_addr()^^\ function
       that Exim uses.


Q9709: When I try to compile Exim 4.x on Solaris 2.5.1 I get an error along the
       lines of \*no such field in struct as 'value.ui32'*\.

A9709: Look in the Exim file \(OS/os.h-SunOS5.h)\ for the line

==>      #define LOAD_AVG_FIELD          value.ui32

       and change \"ui32"\ to \"ul"\ (that's u followed by the letter ell, not
       the digit one). Solaris 2.5.1 is getting very old now...



98. CONFIGURATION COOKBOOK

Q9801: How do I configure Exim as part of TPC (\?http://www.tpc.int?\)?

A9801: Suppose you want to accept faxes destined for 1(801)539-*. These are
       addressed to the domain //9.3.5.1.0.8.1.tpc.int//. Set up a transport to
       handle the delivery:

==>      tpc:
           driver = pipe
           command = /usr/local/tpc/tpcmailer.pl $local_part@$domain \
             $sender_address
           pipe_as_creator

        \(/usr/local/tpc/tpcmailer.pl)\ is the mail processing script that can
        be obtained from the TPC distribution. Create a router to route mail
        for the TPC domain to that transport. This must be placed before your
        other routers:

==>       tpc_router:
            driver = accept
            transport = tpc
            domains = *.9.3.5.1.0.8.1.tpc.int

       Of course, there are other things to do as well before your system is
       a functioning TPC server.


Q9802: How do I configure Exim so that it sends mail to the outside world only
       from a restricted list of our local users?

A9802: You will need to have a convenient way of checking the list. If it is
       only a handful of users, you could just list them inline. Otherwise, you
       need to put them in a file or database. Let's suppose you've just got a
       list in a file. Put this as your first router:

==>      check_outgoing:
           driver = redirect
           domains = ! +local_domains
           senders = ! : ! lsearch;/etc/permitted/senders
           allow_fail
           data = :fail: you are not allowed to send outside

       The senders should be listed as complete addresses, with both a local
       part and a domain. For a large list, use a DBM or cdb file instead, or
       a database. The first item in the \senders\ list is empty, to match the
       empty sender. This is necessary because bounce messages have null
       senders.


Q9803: A site for which I provide secondary MX is down for some time. Is there
       a way to run the queue for that destination separately from the main
       queue?

A9803: No, because Exim does not have the concept of ``the queue for that
       destination''. It simply has a single pool of messages awaiting delivery
       (and some of them may have several destinations). The best approach to
       this is to arrange for all messages for the site to be saved somewhere
       other than the main spool, either on a separate dedicated MTA, or in
       BSMTP files.


Q9804: We want to be able to temporarily lock out a user by disabling the
       password and moving the home directory to another place. How can we
       arrange to reject mail for users in this state?

A9804: Change the home directory pointer in the passwd file to something
       distinctive. For example, we use \(/home/CANCELLED)\ for cancelled users.
       Then you can pick up such users with this router, which is placed
       immediately after \%system_aliases%\:

==>      cancelled_users:
           driver = redirect
           check_local_user
           condition = ${if eq {$home}{/home/CANCELLED}{yes}{no}}
           allow_fail
           data = :fail: this account is cancelled


Q9805: How can I configure Exim so that all mails addressed to
       //something@username.domain.net// get delivered to
       \(/var/spool/mail/username)\?

A9805: Assuming that you have set up //username// as a normal user, with
       conventional routing for //username@domain.net// to that mailbox, all
       you need to do is set up a redirection, using a router like this:

==>      user_in_domain:
           driver = redirect
           data = ${if match{$domain}{\N^(.*)\.domain\.net$\N}\
                  {$1}fail}@domain.net

       If you set \envelope_to\ in the \%appendfile%\ transport, the original
       envelope address is preserved in the message in an ::Envelope-to::
       header line.


Q9806: How do I get exim not to add a ::Sender:: header to locally originated
       mail?

A9806: It adds it only if the ::From:: header doesn't correspond to the user
       sending the message. You can suppress this by setting
       \no_local_from_check\. If your real question is \*How do I submit mail
       from UUCP without it adding ::Sender::?*\, see Q1503.


Q9807: Is there any way to have messages sent to a specific local address
       delayed by - say - 24 hours?

A9807: Set up a router like this:

==>      delay:
           driver = redirect
           domains = the.domain
           local_parts = thelocalpart
           condition = ${if < {$message_age}{86400}{yes}{no}}
           allow_defer
           data = :defer: message not old enough
           no_verify

       Of course, this will also have the effect of setting a retry time for
       the address. You may want to set a special retry rule for it. Note the
       use of \no_verify\ to ensure that this router is not used when Exim is
       verifying addresses.


Q9808: I have a mailing list exploder on one host, and three other hosts where
       I want to do the actual deliveries from. How can I get Exim to split
       a message into groups of recipients between the three hosts?

A9808: Set up a router that routes all remote addresses to a specific
       transport, with a list of your three hosts. For example:

==>      send_to_three:
           driver = manualroute
           transport = to_three_smtp
           route_list = !+local_domains  hostA:hostB:hostC

       The transport looks like this:

==>      to_three_smtp:
           driver = smtp
           hosts_randomize

       By setting \hosts_randomize\, you request that the host list be sorted
       randomly each time the transport is called, in order to spread the load.
       The number of times the transport is called for each message depends on
       the setting of the global option \remote_max_parallel\. If it is set to
       1, the transport is called only once for each message, so only one host
       is used, but different messages use different hosts because of the
       randomizing.

       The \max_rcpt\ option (default 100) controls the number of addresses
       sent in each copy of the message - several copies are sent over the
       same connection if necessary.

       If you want individual messages to be split between the three hosts, you
       must set the global option \remote_max_parallel\ to 3. This allows Exim
       to run 3 separate instances of the transport at once. It will pass
       one-third of all the addresses to each instance. Because the host list
       is randomized, not round-robinned, there is no guarantee that a single
       message will use all three hosts, but on average it should.


Q9809: Can I configure Exim so that my gateway host sends a copy of each
       incoming message to each of two internal hosts?

A9809: The easiest way to do this is to make use of the \unseen\ router option,
       and set up two separate routers. You need to be able to identify
       incoming messages somehow. Typically this can be done by testing the
       domain of the recipient address, in which case the configuration should
       contain something like this:

==>      r1:
           driver = manualroute
           domains = ! *.your.domain.example
           route_data = * host1.your.domain.example
           transport = remote_smtp
           unseen

==>      r2:
           driver = manualroute
           domains = ! *.your.domain.example
           route_data = * host2.your.domain.example
           transport = remote_smtp

       The \unseen\ setting on \%r1%\ means that after it has accepted an
       address, the address is also passed on to \%r2%\, and so two deliveries
       occur.


Q9810: How can I implement ``SMTP-after-POP'' with Exim?

A9810: See Q0706.


Q9811: I would like to ``tap off'' a proportion of real mail traffic from my
       live mail server to use in tests of a new server. I want to preserve the
       envelope contents, but to suppress any error notifications to the
       original sender.

A9811: See C046.


Q9812: How can I lookup data from a single file using both single IP addresses
       and IP address blocks as keys? I want to set \smtp_accept_max_per_host\
       by this means, and also include a default.

A9812: You cannot do this in a single lookup, because you need separate lookups
       for individual addresses and address blocks. However, these lookups can
       be nested in a single expansion string. For example, suppose you are
       using an lsearch file with entries like this:

==>      192.168.34.35:    4
         192.168.34.0/24:  2
         *:                1

       You can use this setting:

==>      smtp_accept_max_per_host = \
           ${lookup{$sender_host_address}lsearch{/path/to/file}\
           {$value}\
           {\
           ${lookup{${mask:$sender_host_address/24}}lsearch*{/path/to/file}}\
           }}

       Note that the first lookup does not have an asterisk on the search
       type. If you have blocks of different sizes (/24, /26, etc) you have to
       configure it to do a separate lookup for each size, with just the final
       one using a default.



99. LIST OF SAMPLE CONFIGURATIONS

As well as being hyperlinked from the HTML version of this document, each
sample configuration is also available as a file in the \(config.samples)\
directory, which can be independently downloaded.

Samples whose names are of the form Cnnn are Exim configurations; those with
names of the form Fnnn are filter file fragments; those with names of the form
Lnnn are sample \^^local_scan()^^\ functions, and those with names of thf form
Snnn are scripts of various kinds. There are other examples of
\^^local_scan()^^\ functions at a number of web sites (for example,
\?http://marc.merlins.org/linux/exim/sa.html?\).

There are gaps in the C and F numbers because I have omitted the Exim 3 samples
that have not been converted for Exim 4.

C002:  ``Although exim not intended for use in UUCP environment (it doesn't
       know anything about bang!path addresses), I'm successfully using it for
       delivering mail to UUCP clients.''

C006:  ``This is how I have configured a PP-inspired vacationnote, there is
       (was?) such a feature in PP. The user makes a file \(tripnote)\ in his/her
       home directory, the message is passed to the sender once with a short
       leading text.''

C022:  ``This is the Exim configuration file of a machine which delivers mail to
       several local domains where the mail is delivered locally, several hairy
       domains, handled as described below, and a half-virtual domain, which is
       first processed by its special alias file, then processed as other local
       domains (including the processing by the global alias file).''

C037:  An elegant way of using ETRN, which does immediate delivery if the host
       is online, but saves mail in a BSMTP file after some time on the queue.
       ETRN then re-injects the mail.

C042:  ``Since the Exim 4 configuration needed to get Mailman to work differs a
       little bit from Exim 3 and since I still haven't seen a recipe for
       Mailman with Exim 4, I'm providing my configuration (based heavily on
       \?http://www.exim.org/howto/mailman.html?\).''

C043:  ``Attached is an Exim 4 config file which is designed for an Exim server
       that is put in front of an Exchange 5.5 system but which verifies the
       valid addresses that are stored in Exchange via LDAP lookups against the
       Exchange server.''

C044:  ``I thought I'd submit this as an example of an authenticated mail hub
       configuration. Several people have asked for it so I thought it
       might be of interest.''

C045:  ``Here it is, for Exim 4.10 and Cyrus IMAPD 2.1.5 using db3/db4-format
       mailbox database. This configuration delivers the messages to Cyrus
       IMAPD using LMTP over a TCP/IP socket.''

C046:  ``Deliver a duplicate of some proportion of all messages to a special
       machine specified in the file \(/MAIL_TAP_HOST)\, if it exists.''

C047:  A sample configuration for calling Spamassassin directly from Exim.

C049:  ``I've been seeing a whole bunch of IPs that send me spam or virus mail
       and HELOing as one of my own IPs, or as HELO one.of.my.own.domains (or
       maybe HELO \primary_hostname\).''

C050:  A configuration that uses the DNS to implement virtual domains.

C051:  ``I've been working quite hard to come up with a config that reasonably
       matches the qmail-ldap setup, without the warts.''

F001:  ``I thought that the rest of the list may be interested in reviewing our
       filter as a starting point for their own system message filter.''

F002:  ``... program which refused mail from unknown addresses until they mailed
       me promising not to spam me ... since I'd already thought through how
       to do it in Exim, and knew it'd be slightly easier than falling out of
       bed, I went ahead and did it.''

F003:  ``Here's four checks installed in our system wide filter that knock out
       a lot of otherwise hard to detect rubbish.''

F004:  ``This is an Exim filter snippet to change locally-generated ::Message-Id::
       and ::Resent-Message-Id:: headers to world-unique values.''

L001:  A \^^local_scan()^^\ function for Exim that calls \^uvscan^\.

S001:  A Perl script for patching the name of the configuration file in an
       Exim binary.

S002:  ``When I moved from smail to exim I built a program that took individual
       config pieces, stripped all the comments, and built a config file.''

*** End of Exim FAQ ***