Q5001: How can I arrange to allow a limited set of users to perform a limited set of Exim administration functions? I don't want to put them all in the exim group.
A5001: See http://www.chiark.greenend.org.uk/~ian/userv/. Using userv you can arrange (for example) for certain users to be able to invoke mailq or runq or other preset commands as exim (or any other user, as configured) with only userv configuration. If you want to check the particular Exim options available you can easily do it with shell or Perl scripts and userv configuration, and provided you know how to do argument unparsing properly in shell or Perl it will be secure.
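Added example (not part of the original FAQ, and not code from the userv or Exim projects): a wrapper of the kind A5001 describes, in which the caller picks a keyword from a fixed menu and any message id is checked before it reaches Exim as a single quoted argument. The keywords, the `EXIM` path and the helper names are assumptions, the id pattern is the shape used elsewhere on this page, and the userv configuration that would invoke the script is not shown.

```shell
#!/bin/sh
# Added example: a fixed menu of Exim actions for a restricted front end.
# EXIM is an assumed path; point it at a stub for a dry run.
EXIM=${EXIM:-/usr/sbin/exim}

# Accept only the message-id shape shown on this page (14Fdlq-0003kM-00).
valid_msgid() {
  case $1 in
    *[!0-9A-Za-z-]*) return 1 ;;   # spaces, newlines, quotes, globs, ...
  esac
  printf '%s\n' "$1" |
    LC_ALL=C grep -Eq '^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$'
}

# exim_admin ACTION [MSGID]
# The caller chooses a keyword, never an Exim option. Returns 64 on misuse.
exim_admin() {
  case ${1-} in
    list)
      [ $# -eq 1 ] || return 64
      "$EXIM" -bp ;;
    run)
      [ $# -eq 1 ] || return 64
      "$EXIM" -q ;;
    freeze)
      [ $# -eq 2 ] || return 64
      valid_msgid "$2" || return 64
      # Quoted expansion: the id reaches Exim as exactly one argument.
      "$EXIM" -Mf "$2" ;;
    *)
      return 64 ;;
  esac
}

# When run as a script, dispatch the arguments handed over by the caller.
if [ $# -gt 0 ]; then
  exim_admin "$@"
  exit $?
fi
```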
Q5002: I want to tail the Exim log, but I have a number of other logs I also want to tail, and the number of tailing windows is getting to be a nuisance.
A5002: Look for a program called xtail (despite its name, it's not an X-windows application). It allows you to do multiple tails, even of entire directories.
Alternatively, get the GNU version of tail, from the GNU textutils package (ftp://ftp.gnu.org/gnu/textutils/). GNU tail lets you run "tail -f" on multiple files at the same time, although it doesn't work on entire directories like xtail can. If you are running Linux, you probably already have a version of GNU tail that can follow multiple files.
Q5003: How can I persuade Exim to accept ETRN commands without the leading # character?
A5003: Set the option
smtp_etrn_command = /usr/lib/sendmail -R $domain
This causes Exim to run that command, with $domain replaced by the argument of ETRN. The default action of Exim is to require the # sign in order to be RFC-compliant, and to run the equivalent of
smtp_etrn_command = /usr/lib/sendmail -R ${substr_1:$domain}
which uses the argument without the leading # as the value for the -R option. You aren't restricted to running Exim with the -R option, of course. You can specify any command you like, with any number of arguments. In particular, you can pass over the IP address of the caller via $sender_host_address. However, if you make use of expansion strings in the arguments, each one must be entirely contained in a single argument. For example, if you want to remove the first character of the ETRN argument when it is @ or #, you could use
smtp_etrn_command = "/usr/lib/sendmail -R \
  \"${if match {$domain}{^[@#]}{${substr_1:$domain}}{$domain}}\""
The internal quotes are necessary because of the white space inside the expansion string.
Q5004: I've recently noticed that emails I send with a Bcc: line are being delivered to their final destination with the Bcc: line still present.
A5004: Exim removes Bcc: lines only if you call it with the -t option (i.e. when it is acting partly as an MUA). It does not remove Bcc: lines that are present in incoming SMTP mail or command-line mail that does not use -t. Indeed, it should not remove them, because only the initiating software (i.e. the MUA) can tell what to do with Bcc: lines; any MTA software has to leave them alone. This is what RFC 2822 has to say about Bcc:
The Bcc: field (where the Bcc means Blind Carbon Copy) contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message. There are three ways in which the Bcc: field is used. In the first case, when a message containing a Bcc: field is prepared to be sent, the Bcc: line is removed even though all of the recipients (including those specified in the Bcc: field) are sent a copy of the message. In the second case, recipients specified in the To: and Cc: lines each are sent a copy of the message with the Bcc: line removed as above, but the recipients on the Bcc: line get a separate copy of the message containing a Bcc: line. (When there are multiple recipient addresses in the Bcc: field, some implementations actually send a separate copy of the message to each recipient with a Bcc: containing only the address of that particular recipient.) Finally, since a Bcc: field may contain no addresses, a Bcc: field can be sent without any addresses indicating to the recipients that blind copies were sent to someone. Which method to use with Bcc: fields is implementation dependent, but refer to the "Security Considerations" section of this document for a discussion of each.
Q5005: I used gv 3.5.8 (ghostview) to try printing spec.ps. After every printed page, the printer ejects a blank sheet. Is this something to do with using letter rather than A4 paper?
A5005: This seems to be an effect of using ghostview. Although the PostScript is generated for A4 pages, the size of the page images is such that they should fit on a letter page (they are shorter than would normally be used on A4 paper). If the PostScript file is sent directly to a PostScript printer, there is no problem. An alternative is to get hold of the psutils toolset, which is available from ftp://ftp.dcs.ed.ac.uk/pub/psutils/psutils.tar.gz. It contains utilities for extracting pages (which can be useful for double-sided printing) and for resizing pages. If you resize from A4 to letter the text shrinks a bit, but should then be printable via ghostview.
Q5006: Why aren't there any man pages for Exim? I don't always carry my printed documentation.
A5006: A single man page that lists the command line options is provided in file doc/exim.8 in the Exim distribution. Several other forms of online documentation are available. As well as plain ASCII text, there are two forms - Texinfo and HTML - which have a certain amount of built-in indexing for ease of finding your way around. There are no man pages apart from the command line one because the author of Exim hasn't the time (or desire :-) to maintain yet another documentation format. Besides, it is hard to know how to split the Exim manual up.
Q5007: When I send a message using the -t command line option, Exim sends only to the addresses within the message, not to those on the command line.
A5007: There seems to be some confusion in the Sendmail community about the interpretation of recipient addresses on the command line if the -t option is used. Some versions do one thing, and some another. Here is an excerpt from one version of the Sendmail documentation for -t:
Read message for recipients. To:, Cc:, and Bcc: lines will be scanned for recipient addresses. The Bcc: line will be deleted before transmission. Any addresses in the argument list will be suppressed, that is, they will not receive copies even if listed in the message header.
By default Exim follows this specification, and interprets addresses on the command line as addresses not to send to. You can set
extract_addresses_remove_arguments = false
to change this behaviour so that command line addresses are added to the addresses that are taken from the header lines.
Q5008: If I set up a domain list to contain *customer.com, it matches customer.com and abc.customer.com as required, but it also matches noncustomer.com, which is wrong. How can I get round this?
A5008: You have to specify two entries in the list:
customer.com : *.customer.com
because * in a domain list matches any characters, including . and including a null sequence.
Q5009: I want to match all domains of the form *.oyoy.org but want a few exceptions. For instance I don't want foo.oyoy.org or bar.oyoy.org to be included. What is the best way to do this?
A5009: Use negative items in the domain list, like this:
domainlist local_domains = !foo.oyoy.org : !bar.oyoy.org : *.oyoy.org
If there are many exceptions, you can use a lookup instead of listing them all inline. If there are a number of exceptions that match a particular pattern, you could use a regular expression.
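Added example (not part of the original FAQ and not Exim code): a simplified model of the matching rules behind A5008 and A5009, run over the lists from those two answers. It handles only literal items, items with a leading * and ! negation; lookups and regular expressions are left out, and the function name is an assumption.

```shell
#!/bin/sh
# Added example: a simplified model of Exim domain-list matching.
# Handles literal items, items with a leading *, and ! negation only.

# domain_in_list DOMAIN LIST  -> exit status 0 if DOMAIN is in LIST
domain_in_list() (
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  last_negated=0
  set -f            # no filename globbing while the list is split
  IFS=:
  for item in $2; do
    item=$(printf '%s' "$item" | tr -d ' \t' | tr 'A-Z' 'a-z')
    [ -n "$item" ] || continue
    negated=0
    case $item in
      '!'*) negated=1; item=${item#?} ;;
    esac
    last_negated=$negated
    case $item in
      '*'*) # leading *: compare the rest with the END of the domain
            suffix=${item#?}
            case $domain in *"$suffix") hit=1 ;; *) hit=0 ;; esac ;;
      *)    if [ "$domain" = "$item" ]; then hit=1; else hit=0; fi ;;
    esac
    if [ "$hit" -eq 1 ]; then
      # First matching item decides; a negated item means "not in the list".
      [ "$negated" -eq 0 ]
      exit
    fi
  done
  # No item matched: in the list only if the last item was negated.
  [ "$last_negated" -eq 1 ]
)

# The lists from A5008, tried against three constructed sender domains.
for d in customer.com abc.customer.com noncustomer.com; do
  for l in '*customer.com' 'customer.com : *.customer.com'; do
    if domain_in_list "$d" "$l"; then r=match; else r='no match'; fi
    printf '%-18s %-32s %s\n' "$d" "$l" "$r"
  done
done
```

The order of items matters for A5009: moving *.oyoy.org in front of the negated items would make it match first, and the exceptions would never be consulted.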
Q5010: I can't seem to find a pre-built version of Exim anywhere. The machine is a Sparc 5 running Solaris 2.6.
A5010: The primary distribution is source-only. However, some people have built and distributed RPMs and debs for Linux systems, and ports for FreeBSD. I haven't heard of anyone doing this for Solaris. The main problem with binary distributions is that there are a number of build-time options, requiring the answers to questions like:
. Which DBM library do you have? (On Solaris probably ndbm, but no easy default on some other systems.)
. Which uid/gid do you want to use for Exim?
. Where do you want the configuration file to be? (Many different answers, even on the same OS, depending on local policy.)
. Ditto for the binaries.
. Which optional bits of Exim do you want to include?
Q5011: Is there a version of Exim available that runs under Windows?
A5011: A long time ago somebody took a copy of the Exim source with the aim of trying to port it to Windows NT, but I never heard anything more. However, current versions of Exim can be made to run under Cygwin.
Q5012: Does Exim support Delivery Status Notification (DSN), Message Status Notification (MSN), or any other form of delivery acknowledgement?
A5012: See Q0607.
Q5013: What does Exim stand for?
A5013: Originally, it was EXperimental Internet Mailer, which was the best I could come up with when I was starting out. At that point it was experimental - I wanted to see if the ideas I had for extending Smail's approach actually worked. Then somebody found out about it and wanted to start using it, and told other people about it...
Q5014: Although I haven't set check_spool_space, Exim is still checking the amount of space on the spool for incoming SMTP messages that use the SIZE option. Can I suppress this?
A5014: The RFC for the SIZE option says:
If the server currently lacks sufficient resources to accept a message of the indicated size, but may be able to accept the message at a later time, it responds with code "452 insufficient system storage".
and that is what Exim is trying to implement. This is entirely independent from check_spool_space, which says don't accept any mail if there is less than so much space in the spool partition, though the code is optimised to do both checks at the same time if required. However, you can suppress the SIZE check if you want to, by unsetting smtp_check_spool_space.
Q5015: I just noticed log entries that start off <= <>. Am I correct in assuming that the <> indicates that the envelope did not contain any From data?
A5015: Yes. This indicates a delivery failure report (aka a bounce message), as specified in RFC 2821. The reason for using empty sender addresses is to identify bounce messages so that they themselves do not cause further bounces. Empty senders are also used for other kinds of report which should not themselves cause the generation of bounce messages. For example, Exim uses them when sending out warnings about delivery delays.
Q5016: I've received a message which does not have my address in the To: line. It is a spam message with the same address in both the From: and the To: headers. How can this happen, and why doesn't Exim reject it?
A5016: There is an important distinction between the envelope from and to and the header from and to. The former are sometimes called the sender and recipient. An email message needs an envelope for the same reason that paper mail does - the envelope tells the delivery mechanism what to do with this copy of the message, whereas the To: header lists all the recipients, including those who have been sent different copies of the message because their mailbox is on some other host.
An MTA such as Exim works entirely with the envelope addresses, not with those in the header lines. Don't try to block mail where envelope from and the header from differ. There are common legitimate cases where this happens, for example, messages forwarded from mailing lists and delivery failure reports.
Q5017: Can (or will) Exim ever handle a message delivery purely in memory, that is, it is handled without it ever hitting the disk?
A5017: It doesn't, and never will. Accepting and delivering a message are two entirely separate, independent processes, which communicate only by writing/reading the message on the disk.
Q5018: If I am using dbm files for data that Exim reads, can I rebuild them on the fly, or do I need to restart Exim every time I make a change?
A5018: Exim re-reads the file every time it consults it, so if you are using a cdb or a DBM library that uses just a single file (i.e. not ndbm), you can just build the new file with a temporary file name, and use mv to rename it into the correct place on the fly. If there are two files to rename, there is a window of time during which the DBM database is inconsistent. On lightly loaded systems this may not matter.
Q5019: I need an option that is the opposite of -bpa, that is, a listing of those addresses generated from a top-level address that have not yet been delivered.
A5019: Exim does not keep this information. It saves only the top-level addresses and the list of addresses that are finished with. At each delivery attempt, generated addresses are recomputed from scratch. This makes it possible to correct errors in redirection data that is causing delivery delays. However, there is an option you can set on a redirect router that changes things. It is called one_time, and if it is set, the list of generated addresses gets added to the top-level list at the first delivery attempt, and is never regenerated. Because top-level address lists must be real email addresses, this option cannot be used if any of the generated addresses are pipes, files, or autoreplies.
Q5020: How can I make Exim receive incoming mail, queue it, but not attempt to deliver it? I want to be in this state while moving some mailboxes.
A5020: Set queue_only in the Exim configuration. Then kill your daemon, and restart it without the -q option (i.e. with just the -bd option), so that it does not spawn any queue runners. This stops all deliveries, remote as well as local.
Q5021: What does Exim use for POP and IMAP as a default? Do I have to install anything else?
A5021: Yes. Exim provides MTA functionality. That is, it delivers mail. POP and IMAP are two of several ways of reading previously-delivered mail. Exim does not provide that functionality. You need to install POP and/or IMAP daemons; there are several to choose from.
Q5022: Is there an easy way of removing all queued messages at once in a safe way?
A5022: Try this command:
exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh
Q5023: Why does Exim do ident callbacks by default? Isn't this just a waste of resources? I've been told this is an ancient way of authentication. Is it obsolete?
A5023: This is a common misunderstanding, at least partially resulting from the incorrect naming of the protocol when it was first published. The service on port 113 is an identification service, which allows a target host to record information identifying the user responsible for making a connection to it. The information may not be intelligible to the recording host - it could, for example, be encrypted so that only someone on the calling host can make sense of it. It is useful for providing additional information in an audit trail.
At least one site has found ident effective against two rather prevalent kinds of open proxy (whether already blacklisted at the RBLs or not). An ACL statement is used to reject mail from servers that return ident strings of squid and CacheFlow Server. Snippets such as this in the RCPT ACL do the trick:
deny condition = ${if eq{$sender_ident}{CacheFlow Server}{1}{0}}
     message = Rejected - appears to be an unsecured proxy: $sender_ident
The likelihood that a genuine mail process would return those specific ident strings is vanishingly small.
The ident data should not be used for authentication in any form except on a closed secure network between cooperating hosts (probably not even then). The information from the source host is only as reliable as the host itself. If it's not under your control then you have to treat the information as opaque data that can be used only by the sysadmin of the source system to trace back connection data. Some ident implementations send out opaque cookies or DES encrypted information. Ident is hugely useful at times - especially for checking back on connections from multiuser machines (as opposed to one-person desktop boxes).
You can stop Exim making ident calls by adding
rfc1413_query_timeout = 0s
to its configuration, but it is better to leave it active (reducing the timeout to 10s or less if it is causing problems) - it costs very little, and in cases of mail forgery from a multiuser system can track the sinner concerned very quickly.
Q5024: I often have the problem that a message gets stuck in the mail queue and I want it to be bounced to a certain address.
A5024: You can do this using a combination of four command line options, like this:
exim -Mf 14Fdlq-0003kM-00
exim -Mmad 14Fdlq-0003kM-00
exim -Mar 14Fdlq-0003kM-00 new@ddress
exim -M 14Fdlq-0003kM-00
The first command freezes the message so that a queue runner won't start to deliver it while you are changing things. The second command marks all existing recipients as delivered. The third command adds a new recipient, and the fourth command forces a delivery of the message, which will cause it to be delivered to the new address, and then deleted.
Q5025: What precautions should I take when editing Exim's run time configuration file?
A5025: Edit the file and save the result in a new file. Test the syntax of the new file by running a command like this:
exim -bV -C exim.conf.new
That will check for syntax errors without disturbing your running configuration. If you are paranoid enough, run, as root,
exim -C exim.conf.new <some address>
<some message>
.
and see if it delivers it. Carry on testing until happy. When happy,
mv exim.conf.new exim.conf
kill -HUP `cat /var/spool/exim/exim-daemon.pid`
Then check the Exim log to be sure the daemon restarted OK. Watch the log for a bit to see that mail is flowing.
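Added example (not part of the original FAQ and not from the Exim distribution): the check, swap and reload steps of A5025 as one function that leaves the live file untouched when the check fails and keeps the previous file for rollback. The function name, the `.prev` backup suffix and the default `EXIM` path are assumptions, as is Exim returning a non-zero exit status from `-bV -C` on a configuration error; the test delivery step is left to the administrator.

```shell
#!/bin/sh
# Added example: stage, check, swap, reload.
# Assumed defaults; override through the environment.
EXIM=${EXIM:-/usr/sbin/exim}
PIDFILE=${PIDFILE:-/var/spool/exim/exim-daemon.pid}

# deploy_config NEW LIVE
# Returns 0 after a successful swap, 1 if NEW is rejected (LIVE untouched),
# 2 if the swap happened but the daemon could not be signalled.
deploy_config() {
  new=$1
  live=$2
  [ -f "$new" ] || { echo "no such file: $new" >&2; return 1; }

  # Syntax check against the candidate only, as in the answer above.
  if ! "$EXIM" -bV -C "$new" >/dev/null 2>&1; then
    echo "syntax check failed, $live left unchanged" >&2
    return 1
  fi

  # Keep the previous file so a bad change can be rolled back by hand.
  if [ -f "$live" ]; then
    cp -p "$live" "$live.prev" || return 1
  fi

  # mv within one directory is a rename, so Exim never reads a partial file.
  mv "$new" "$live" || return 1

  # Ask the daemon to restart with the new configuration.
  if [ -r "$PIDFILE" ]; then
    pid=$(cat "$PIDFILE")
    case $pid in
      ''|*[!0-9]*) echo "unexpected pid file content" >&2; return 2 ;;
    esac
    kill -HUP "$pid" || return 2
  else
    echo "no pid file at $PIDFILE; daemon not signalled" >&2
  fi
  return 0
}

# When run as a script: deploy_config exim.conf.new exim.conf
if [ $# -eq 2 ]; then
  deploy_config "$1" "$2"
  exit $?
fi
```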
Q5026: Is exim able to use RFC 2645, On-demand Mail Relay (ODMR)?
A5026: No.
Q5027: Is there any way I can send bounces to the postmaster, and nobody else? Basically, I want to receive them, and I don't want the reply/from person to get them. If I think they need it I will forward it myself.
A5027: Put errors_to=postmaster on every router.
Q5028: When I HUP the Exim daemon, the name shown in the process table changes from /usr/lib/sendmail (which is a symlink) to the real binary name. Can I change this?
A5028: Add this to your Exim configuration:
exim_path = /usr/lib/sendmail
Q5029: A message with a recipient address that contains a non-printing character is stuck on my mail queue. How can I remove this address?
A5029: You can use the -Mmd command line option to mark a recipient address delivered, which effectively removes it. If you are using the Bash shell, you can enter non-printing characters using an escape sequence. For example:
exim -Mmd 15HKvU-00013Q-00 $'\240'abc@x.y.z
In this example, the first character of the local part has a code value of 240. If you are using a shell that does not support this, create the command in a file and run it as a shell script.
Q5030: I am using exim in a two queues scenario, with two different configuration files. How can I run a second copy of eximon to inspect and modify the alternate queue?
A5030: Use these commands (or put them in a script):
EXIMON_EXIM_CONFIG=/your/path/exim/configure.alternate
export EXIMON_EXIM_CONFIG
/your/path/exim/bin/eximon
Q5031: Why is there no sender address on bounce messages? It shows up as "<>".
A5031: See the answer to Q0042.
Q5032: Are there any Exim web-based administration scripts?
A5032: No (as far as is known). It seems likely that producing one that is generic enough would be a difficult task.
Q5033: How can I send a copy of all outgoing messages to another mailbox?
A5033: The most straightforward way is to set up a system filter, and include a command such as:
unseen deliver mailbox@whatever.domain
This sends a copy of every message to mailbox@whatever.domain (unless the message already has that recipient - Exim never does duplicate deliveries).
To save only outgoing messages, you need to come up with a definition of what outgoing means. Typically, this might be a check on the sender address and/or on the originating host. Here is an example:
if $sender_address_domain is mydomain.com and
   ${mask:$sender_host_address/24} is 192.168.324.0/24
then
  unseen deliver mailbox@whatever.domain
endif
Q5034: Is there any way to make the queue_only option conditional? I would like the ability to queue messages from external sources while delivering locally generated email as normal.
A5034: There is no direct way of doing this. However, you can achieve the effect. In one of your ACLs that checks incoming mail from external sources, put
warn control = queue_only
You can add other conditions as well, of course.
Q5035: Does Exim run with different permissions between -bt and -bh, or between verifying and actual sending?
A5035: Yes. For -bt it runs as root, as it would when delivering a message. For -bh, -bv, and when actually receiving a message, it runs as the Exim user.