Access Control Lists (ACLs) are defined in a separate section of the run time configuration file, headed by begin acl. Each ACL definition starts with a name, terminated by a colon. Here is a complete ACL section which contains just one very small ACL:
begin acl

small_acl:
  accept   hosts = one.host.only
You can have as many lists as you like in the ACL section, and the order in which they appear does not matter. The lists are self-terminating.
The majority of ACLs are used to control Exim's behaviour when it receives certain SMTP commands. This applies both to incoming TCP/IP connections, and when a local process submits a message over a pipe (using the -bs option). The most common use is for controlling which recipients are accepted in incoming messages. In addition, you can also define an ACL that is used to check local non-SMTP messages. The default configuration file contains an example of a realistic ACL for checking RCPT commands. This is discussed in chapter 7.
The -bh command line option provides a way of testing your ACL configuration locally by running a fake SMTP session with which you interact. The host relay-test.mail-abuse.org provides a service for checking your relaying configuration (see section 38.27 for more details).
In order to cause an ACL to be used, you have to name it in one of the relevant options in the main part of the configuration. These options are:
| acl_not_smtp | ACL for non-SMTP messages |
| acl_smtp_auth | ACL for AUTH |
| acl_smtp_connect | ACL for start of SMTP connection |
| acl_smtp_data | ACL after DATA |
| acl_smtp_etrn | ACL for ETRN |
| acl_smtp_expn | ACL for EXPN |
| acl_smtp_helo | ACL for HELO or EHLO |
| acl_smtp_mail | ACL for MAIL |
| acl_smtp_mailauth | ACL for the AUTH parameter of MAIL |
| acl_smtp_rcpt | ACL for RCPT |
| acl_smtp_starttls | ACL for STARTTLS |
| acl_smtp_vrfy | ACL for VRFY |
For example, if you set
acl_smtp_rcpt = small_acl
the little ACL defined above is used whenever Exim receives a RCPT command
in an SMTP dialogue. The majority of policy tests on incoming messages can be
done when RCPT commands arrive. A rejection of RCPT should cause the
sending MTA to give up on the recipient address contained in the
This is the FAQ for the Exim Mail Transfer Agent. Many thanks to the many people who provided the original information. This file would be amazingly cluttered if I tried to list them all. Suggestions for corrections, improvements, and additions are always welcome.
This version of the FAQ applies to Exim 4.43 and later releases.
References of the form Cnnn, Fnnn, Lnnn, and Snnn are to the sample configuration, filter, local_scan(), and useful script files. These are hyperlinked from the HTML version of this FAQ. They can also be found in the separately distributed directory called config.samples. The primary location is
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/exim4/config.samples.tar.bz2
There are brief descriptions of these files at the end of this document.
Philip Hazel
Last update: 14-October-2004
A Keyword-in-context index to the questions is available. This is usually the quickest way to find information in the FAQ.
The FAQ is divided into the following sections:
Q0001: Exim is crashing. What is wrong?
A0001: Exim should never crash. The author is always keen to know about crashes, so that they can be diagnosed and fixed. However, before you start sending me email, please check that you are running the latest release of Exim, in case the problem has already been fixed. The techniques described below can also be useful in trying to pin down exactly which circumstances caused the crash and what Exim was trying to do at the time. If the crash is reproducible (by a particular message, say) keep a copy of that message.
Q0002: Exim is not working. What is wrong? How can I check what it is doing?
A0002: Exactly how is it not working? Check the more specific questions in the other sections of this FAQ. Some general techniques for debugging are:
(1) Look for information in Exim's log files. These are in the log directory in Exim's spool directory, unless you have configured a different path for them. Serious operational problems are reported in paniclog.
(2) If the problem involves the delivery of one or more messages, try forcing a delivery with the -M option and also set the -d option, to cause Exim to output debugging information. For example:
exim -d -M 0z6CXU-0005RR-00
The output is written to the standard error stream. You need to have admin privileges to use -M and -d.
(3) If the problem involves incoming SMTP mail, try using the -bh option to simulate an incoming connection from a specific host, for example:
exim -bh 10.9.8.7
This goes through the motions of an SMTP session, without actually accepting a message. Information about various policy checks is output. You will need to know how to pretend to be an SMTP client.
(4) If the problem involves lack of recognition or incorrect handling of local addresses, try using the -bt option with debugging turned on, to see how Exim is handling the address. For example,
exim -d -bt z6abc
shows you how it would handle the local part z6abc.
Q0003: What does the error Child process of address_pipe transport returned 127 from command xxx mean?
A0003: It means that when a transport called address_pipe was run to pass an email message by means of a pipe to another process running the command xxx, the return code from that command was 127, which indicates some kind of error (the success return code is 0).
The most common meaning of exit code 127 is that when Exim tried to run the command xxx, it failed. One cause of this might be incorrect permissions on the file containing the command. See also Q0026.
Q0004: My virtual domain setup isn't working. How can I debug it?
A0004: You can use an exim command with -d to get it to show you how it is processing addresses. You don't actually need to send a message; use the -bt option like this:
exim -d -bt localpart@virtualhost
This will show you which routers it is using. If the problem appears to be with the expansion of an option setting, you can use the debug_print option on a router to get Exim to output the expanded string values as it goes along.
Q0005: Why is Exim not rejecting incoming messages addressed to non-existent users at SMTP time?
A0005: This is controlled by the ACL that is run for each incoming RCPT command. It is defined by the acl_smtp_rcpt option. You can check this part of your configuration by using the -bh option to run a simulated SMTP session, during which Exim will tell you what things it is checking.
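A complete relay-control ACL of the kind the introduction describes and A0005 refers to, wired in with acl_smtp_rcpt. It is added here as an illustration and is not the FAQ's or the Exim distribution's own text; the domain names, host addresses and list names are assumptions.

```exim
# Added example, not from the Exim FAQ. Main-section settings first:
# the named lists and the option that selects the ACL for RCPT.
# Domains, addresses and list names are assumptions for illustration.
domainlist local_domains    = example.com : lists.example.com
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_rcpt = check_recipient

begin acl

check_recipient:
  # Local submission over a pipe (-bs) has no client IP address:
  # always accept it.
  accept  hosts = :

  # Refuse local parts that could reach files or pipes, or that carry
  # source-route characters (%, !, /, |) through the relay.
  deny    local_parts   = ^.*[@%!/|] : ^\\.

  # postmaster at our own domains must always be reachable (RFC 5321).
  accept  local_parts   = postmaster
          domains       = +local_domains

  # Do not take mail from senders that cannot be routed (bounces would
  # be undeliverable).
  require verify        = sender

  # Hosts on our own network and authenticated clients may relay anywhere.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Everybody else may deliver only to our own domains ...
  require message       = relay not permitted
          domains       = +local_domains

  # ... and only to recipients that actually route, so unknown users are
  # rejected at RCPT time instead of being accepted and bounced later.
  require verify        = recipient

  accept
```

Check the ACL without sending mail: run exim -bh 198.51.100.7 (an address outside relay_from_hosts) and type EHLO client.example, MAIL FROM:<bob@example.com> and RCPT TO:<someone@elsewhere.example>; Exim prints its path through the ACL and answers 550 relay not permitted. RCPT TO:<nobody@example.com> is refused by the recipient verification instead. Rejecting at RCPT matters because a message accepted and bounced afterwards generates backscatter to a possibly forged sender.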
Q0006: I've put an entry for *.my.domain in a DBM lookup file, but it isn't getting recognized.
A0006: You need to request partial matching by setting the search type to partial-dbm in order for this to work.
Q0007: I've put the entry *@domain.com in a lookup database, but it isn't working. The expansion I'm using is:
${lookup{${lc:$sender_address}}dbm{/the/file} ...
A0007: As no sender address will ever be *@domain.com this will indeed have no effect as it stands. You need to tell Exim that you want it to look for defaults after the normal lookup has failed. In this case, change the search type from dbm to dbm*@. See the section on Default values in single-key lookups in the chapter entitled File and database lookups in the Exim manual.
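The two lookup variants from Q0006 and Q0007 side by side, as an added example that is not part of the FAQ. The file names, their contents and the ACL lines are assumptions; the lines belong in the ACL that runs for RCPT.

```exim
# Added example, not from the Exim FAQ. File names and contents are
# assumptions for illustration.
#
# Source for /etc/exim/senders.db, built with
#     exim_dbmbuild /etc/exim/senders.txt /etc/exim/senders.db
#
#   alice@example.org:   trusted
#   *@example.com:       trusted
#
# Source for /etc/exim/relay_domains.db (built the same way):
#
#   *.partner.example:   yes

# Q0007: with a plain dbm search type the key is the literal sender
# address, so the "*@example.com" entry is never consulted and
# bob@example.com does not match.
warn    condition   = ${lookup{${lc:$sender_address}}dbm{/etc/exim/senders.db}{true}{false}}
        log_message = (dbm) sender $sender_address is trusted

# With dbm*@ a failed lookup is retried as *@example.com and finally
# as *, so bob@example.com now matches the "*@example.com" entry.
warn    condition   = ${lookup{${lc:$sender_address}}dbm*@{/etc/exim/senders.db}{true}{false}}
        log_message = (dbm*@) sender $sender_address is trusted

# Q0006: a "*.partner.example" key matches mail.partner.example only
# when the search type asks for partial matching.
accept  domains     = partial-dbm;/etc/exim/relay_domains.db
```

The expansion can be tried on the command line before touching the ACL, for example exim -be '${lookup{bob@example.com}dbm*@{/etc/exim/senders.db}{$value}{NOTFOUND}}' prints trusted, while the same command with dbm in place of dbm*@ prints NOTFOUND.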
Q0008: If I run ./exim -d -bt user@domain all seems well, but when I send a message from my User Agent, it does not arrive at its destination.
A0008: Try sending a message directly to Exim by typing this:
exim -v user@domain
<some message, could be empty>
.
If the message gets delivered to a rem