Go to the first, previous, next, last section, table of contents.


The forwardfile director

The `forwardfile' director can be used for two different but related operations. Its effect is to replace a local part with a list of addresses, file names, or pipe commands, taken from a single file. It gets its name from the common case where the file is in a user's home directory and is called `.forward', but another common use is for expanding mailing lists, which are discussed in more detail in chapter "Using Exim to handle mailing lists".

A standard transport must not be specified for this director. That is, the generic `transport' option must not be set. A configuration error occurs if one is given. However, the special transports for handling files, pipes, and autoreplies must be set if needed.

When handling a user's `.forward' file, a uid, gid, and home directory are commonly obtained from the password file by calling `getpwnam()'. However, these may alternatively be specified by options to the director, in which case `getpwnam()' is not called.

Forward file items

The contents of the file are a list of addresses, file names, or pipe commands, separated by commas or newlines. Items that are empty are ignored. This includes items consisting solely of RFC 822 address comments. If an item is entirely enclosed in double quotes, these are removed, but otherwise double quotes are retained, because some forms of mail address require the use of double quotes, though never enclosing the whole address.

Lines starting with a # character are comments, and are ignored, and # may also appear following a comma, in which case everything between the # and the end of the line is ignored. If the file is empty, or contains only blank lines and comments, the director behaves as if it did not exist.

If a message is addressed to two or more different local parts, each of which results in an expansion that generates an identical file name or pipe command, different deliveries occur, though of course each delivery process runs with different values in the LOCAL_PART environment variable, and with different uids (in the common case). This happens only if the immediate ancestors of the pipes or files are different local parts. If several different local parts generate an intermediate alias which in turn generates a pipe or file delivery, only a single delivery is done, because the duplicate intermediate addresses are discarded.

Repeated forwarding expansion

When a message cannot be delivered to all of its recipients immediately, leading to two or more delivery attempts, forwarding expansion is carried out afresh each time for those addresses whose children were not all previously delivered. If a forward file is being used as a mailing list, this can lead to new members of the list receiving copies of old messages. The `one_time' option can be used to avoid this.

Errors in forward files

If `skip_syntax_errors' is set, a malformed address that causes a parsing error is skipped, and an entry is written to the main log. This may be useful for mailing lists that are automatically managed, but note the inherent danger. The option should never be set for users' `.forward' files. Otherwise, if any error is detected while generating the list of new addresses, the message is frozen, except for the special case of inability to open an included file when `no_freeze_missing_include' is set. In this case, delivery is simply deferred.

Filter files

As an alternative to treating the file as a simple list of addresses, the `forwardfile' director can be configured, by means of the `filter' option, to read a file and interpret it as a list of filtering instructions if it conforms to a specific format. The instructions can specify various actions such as appending the message to certain mail folders, or forwarding it to other users, predicated on the content of the message. Details of the syntax and semantics of filter files are described in a separate document entitled Exim's User interface to mail filtering; this is intended for use by end users. If filters are permitted to generate mail messages (see `forbid_reply') then the `reply_transport' option must be set.

The home directory

The `$home' expansion variable can be used in a number of local options for `forwardfile'. Its value depends on the way the options are set up, as follows:

If the generic `require_files' option, or any other expanded option, contains `$home', it takes the same value as it does when expanding the "file" option, and this value is also used for `$home' if encountered in a filter file, and as the default value to pass with the address when a pipe or file delivery is generated.

Note that the value of the `home_directory' generic option is not used during directing; it specifies a directory for use at transport time.

Special treatment of home_directory and current_directory

The generic options `home_directory' and `current_directory' (specified in chapter "Additional generic options for directors") are handled in a special way by the `forwardfile' director. Neither has any effect during the running of the director; they act only when it directs an address to a local transport because it specifies a file name, pipe command, or autoreply -- the values are passed with the address for use at transport time.

If `home_directory' is not set, then the directory specified by `file_directory', or if that is not set, the home directory obtained from `check_local_user' is used as the default value.

In installations where users' `.forward' files are not kept in their home directories, both `check_local_user' and `file_directory' may be set, which leads to the `file_directory' value being used as the default, when the actual home directory may be wanted. It is no good specifying

home_directory = $home

because the same value is used for `$home'. A special string value is therefore provided for use in this case. If `home_directory' is set to the string `check_local_user' it is converted into the user's home directory path. The same magic string can also be used for `current_directory'.

Forwardfile private options

allow_system_actions (forwardfile) option

Option: allow_system_actions
Type: boolean
Default: false

Setting this option permits the use of `freeze' and `fail' in filter files. This should not be set on the director for users' `.forward' files, but can be useful if you want to run a system-wide filter for each address, as opposed to the system filter, which runs just once per message. See chapter "System-wide message filtering".

check_ancestor (forwardfile) option

Option: check_ancestor
Type: boolean
Default: false

This option is concerned with handling generated addresses which are the same as some address in the list of aliasing or forwarding ancestors of the current address. Although it is turned off by default in the code, it is set in the default configuration file for handling users' `.forward' files. It is recommended for this use of the `forwardfile' director.

When `check_ancestor' is set, if a generated address is the same as any ancestor of the current address, then it is not used, but instead the current address gets passed on to subsequent directors. This helps in the case where local part A is aliased to B, and B has a `.forward' file pointing back to A. For example: `Joe.Bloggs' is aliased to `jb' and `~jb/.forward' contains:

\Joe.Bloggs, <other item(s)>

Without the `check_ancestor' setting, either local part (`jb' or `joe.bloggs') gets processed once by each director and so ends up as it was originally. If `jb' is the real mailbox name, then mail to `jb' gets delivered (having been turned into `joe.bloggs' by the `.forward' file and back to `jb' by the alias), but mail to `joe.bloggs' fails. Setting `check_ancestor' on the `forwardfile' director prevents it from turning `jb' back into `joe.bloggs' when that was the original address.

The `aliasfile' director also has a `check_ancestor' option for use in special cases. Setting it does not have the desired effect in a conventional configuration.

check_group (forwardfile) option

Option: check_group
Type: boolean
Default: false

The group of the file is checked only when this option is set. If `check_local_user' is set, then the user's default group is permitted; otherwise the group must be one of those listed in the `owngroups' option.

check_local_user (forwardfile) option

Option: check_local_user
Type: boolean
Default: true

If this option is true, then the local part that is passed to this director is checked to ensure that it is the login of a local user by calling the `getpwnam()' function. The director fails to handle the address if it is not. In addition, when this option is true, the string specified for the `file' option is taken as relative to the user's home directory if it is not an absolute path, unless the `file_directory' option is set.

When this option is set, the local user is always one of the permitted owners of the file, and the local user's uid is used when reading the forward file if the `seteuid' option is set or if the global security setting is not `setuid'. In addition the uid and gid read from the `passwd' file are used as defaults for the generic `user' and `group' options.

directory_transport (forwardfile) option

Option: directory_transport
Type: string
Default: unset

A `forwardfile' director sets up a direct delivery to a directory when a path name ending with a slash is specified as a new `address'. The transport used is specified by this option, which, after expansion, must be the name of a configured transport.

directory2_transport (forwardfile) option

Option: directory2_transport
Type: string
Default: unset

A `forwardfile' director sets up a direct delivery to a directory when a path name ending with two slashes is specified as a new `address'. The transport used is specified by this option, which, after expansion, must be the name of a configured transport.

errors_to (forwardfile) option

Option: errors_to
Type: string
Default: unset

This used to exist as an option specific to this director, but it is now a generic option that can be used on any director or router (see chapter "Common generic options for directors and routers").

file (forwardfile) option

Option: file
Type: string
Default: unset

This option must be set. The string is expanded before use -- see above for a discussion of the `home' expansion variable. If expansion fails, Exim panics. The expanded string is interpreted as a single file name, and must start with a slash character unless `check_local_user' is true, or a `file_directory' option is set. A non-absolute path is interpreted relative to the `file_directory' setting if it exists; otherwise it is interpreted relative to the user's home directory.

If a non-absolute path is used, Exim uses the `stat()' function to check the directory before attempting to open the file therein. If the directory is inaccessible, the delivery to the current address is deferred. This distinguishes between the cases of a non-existent file (where the director cannot handle the address) and an unmounted NFS directory (where delivery should be deferred). Thus the difference between the two settings

file = .forward
file = $home/.forward

is that in the second case the directory is not checked with `stat()'.

If the file exists but is empty or contains only blank and comment lines starting with #, Exim behaves as if it did not exist, and the director fails to handle the address. Note that this is not the case when the file contains syntactically valid items that happen to yield empty addresses, for example, items containing only RFC 822 address comments.

file_directory (forwardfile) option

Option: file_directory
Type: string
Default: unset

The string is expanded before use -- see above for a discussion of the `home' expansion variable. The option sets a directory path which is used if the `file' option does not specify an absolute path. This on its own is not very useful, since the directory string could just as well be prepended to the file string. However, if a separate directory is given, it is treated like a directory obtained from `check_local_user', and its existence is tested before trying to open the file. If the directory appears not to exist, delivery is deferred. Thus, a setting such as

file_directory = /usr/forwards
file = ${local_part}.forward

defers delivery if `/usr/forwards' appears not to exist. This can be useful if the directory is NFS mounted. If `check_local_user' is also set, `file_directory' takes precedence in determining the directory name for non-absolute files.

If `forwardfile' sets up a delivery to a file or a pipe command and the `home_directory' option is not set, then the directory specified by `file_directory', or if that is not set, the home directory obtained from `check_local_user' is associated with the address during delivery.

file_transport (forwardfile) option

Option: file_transport
Type: string
Default: unset

A `forwardfile' director sets up a direct delivery to a file when a path name not ending in a slash is specified as a new `address'. The transport used is specified by this option, which, after expansion, must be the name of a configured transport.

filter (forwardfile) option

Option: filter
Type: boolean
Default: false

If this option is set, and the forward file starts with the text `# Exim filter', then it is interpreted as a set of filtering commands instead of a list of forwarding addresses. Details of the syntax and semantics of filter files are described in a separate document entitled Exim's User interface to mail filtering; this is intended for use by end users.

In addition to the commands described therein, there are some extra commands that are permitted only in system filter files, or if `allow_system_actions' is set. These are described in chapter "System-wide message filtering".

Filter files may contain string expansions, but some administrators may not want to permit those expansion features that involve accessing files. The options `forbid_filter_existstest', `forbid_filter_lookup', and `forbid_filter_perl' (see below) can be used to lock out these features.

The logging facility in filter files is available only if the filter is being run under some unprivileged uid. The system configuration must specify that `seteuid()' is available, either `user' or `check_local_user' must be set on the director, `forbid_filter_log' must not be set, and the global `security' setting must not be `setuid'. Writing the log takes place while the filter file is being interpreted, that is, at directing time. It does not queue up for later like the delivery commands. The reason for this is so that a log file need be opened only once for several write operations.

forbid_file (forwardfile) option

Option: forbid_file
Type: boolean
Default: false

If this option is true, then this director may not generate a new address which specifies delivery to a local file. If it attempts to do so, a delivery failure occurs.

forbid_filter_existstest (forwardfile) option

Option: forbid_filter_existstest
Type: boolean
Default: false

If this option is true, string expansions in filter files are not allowed to make use of the `exists' condition.

forbid_filter_logwrite (forwardfile) option

Option: forbid_filter_logwrite
Type: boolean
Default: false

If this option is true, use of the logging facility in filter files is not permitted. This is in any case available only if the filter is being run under some unprivileged uid, which is normally the case for ordinary users' `.forward' files on a system with `seteuid()' available.

forbid_filter_lookup (forwardfile) option

Option: forbid_filter_lookup
Type: boolean
Default: false

If this option is true, string expansions in filter files are not allowed to make use of `lookup' items.

forbid_filter_perl (forwardfile) option

Option: forbid_filter_perl
Type: boolean
Default: false

This option is available only if Exim is built with embedded Perl support. If it is true, string expansions in filter files are not allowed to make use of the embedded Perl support.

forbid_include (forwardfile) option

Option: forbid_include
Type: boolean
Default: false

If this option is true, then items of the form

:include:<path name>

are not permitted, and if one is encountered, the message is frozen.

forbid_pipe (forwardfile) option

Option: forbid_pipe
Type: boolean
Default: false

If this option is true, then this director may not generate a new address which specifies delivery to a pipe. If it attempts to do so, a delivery failure occurs.

forbid_reply (forwardfile) option

Option: forbid_reply
Type: boolean
Default: false

If this option is true, then this director may not generate an automatic reply message. If it attempts to do so, a delivery failure occurs. Automatic replies can be generated only from filter files, not from traditional forward files.

freeze_missing_include (forwardfile) option

Option: freeze_missing_include
Type: boolean
Default: true

If a file named by the `include' mechanism fails to open, delivery is frozen if this option is true. Otherwise, delivery is just deferred. Unsetting this option can be useful if included files are NFS mounted and may not always be available.

ignore_eacces (forwardfile) option

Option: ignore_eacces
Type: boolean
Default: false

If this option is set and an attempt to open the forward file yields the EACCES error (permission denied) then `forwardfile' behaves as if the file did not exist.

ignore_enotdir (forwardfile) option

Option: ignore_enotdir
Type: boolean
Default: false

If this option is set and an attempt to open the forward file yields the ENOTDIR error (something on the path is not a directory) then `forwardfile' behaves as if the file did not exist.

match_directory (forwardfile) option

Option: match_directory
Type: string
Default: unset

If this option is set with `check_local_user', the user's home directory, as obtained from `getpwnam()', must match the given string. If it does not, the director fails to match the address. The string is expanded before use if it contains any $ characters. If the expansion fails, Exim panics, unless the failure was explicitly triggered by a `fail' item in a conditional sub-expression in the expansion, in which case the director just fails to handle the address.

If the expanded string starts with an asterisk, then the remainder must match the end of the home directory name; if it starts with a circumflex, a regular expression match is performed. In fact, the matching process is the same as is used for domain list items and may include file lookups.

modemask (forwardfile) option

Option: modemask
Type: "octal
Default: integer" 022

This specifies mode bits which must not be set for the forward file. If they are set, the director defers.

one_time (forwardfile) option

Option: one_time
Type: boolean
Default: false

Sometimes the fact that Exim re-processes forward files each time it tries to deliver a message causes problems. This is particularly true in the case of mailing lists (see chapter "Using Exim to handle mailing lists").

If `one_time' is set and any addresses generated by the director fail to deliver at the first attempt, the failing addresses are added to the message as `top level' addresses, and the parent address that generated them is marked `delivered'. Thus expansion via the forward file does not happen again at the next delivery attempt. To ensure that `forwardfile' generates only addresses (as opposed to pipe or file deliveries or autoreplies) `forbid_file' and `forbid_pipe' must also be set, as must `forbid_reply' if `filter' is set.

The original top-level address is remembered with each of the generated addresses, and is output in any log messages. However, any intermediate parent addresses are not recorded. This makes a difference to the log only if `log_all_parents' is set. It is expected that `one_time' will typically be used for mailing lists, where there is normally just one level of expansion.

owners (forwardfile) option

Option: owners
Type: string-list
Default: unset

This specifies a list of permitted owners for the file. These are in addition to the local user in the case when `check_local_user' is set. If `owners' is unset and `check_local_user' is false, no check on the ownership is done. If the file is not correctly owned, the director fails and the message is frozen.

owngroups (forwardfile) option

Option: owngroups
Type: string-list
Default: unset

This specifies a list of permitted groups for the file. These are in addition to the local user's group in the case when `check_local_user' is set. However, a check on the group is made only when `check_group' is set. If the file's group is not correct, the director fails and the message is frozen.

pipe_transport (forwardfile) option

Option: pipe_transport
Type: string
Default: unset

A `forwardfile' director sets up a direct delivery to a pipe when a string starting with a vertical bar character is specified as a new `address'. The transport used is specified by this option, which, after expansion, must be the name of a configured transport.

qualify_preserve_domain (forwardfile) option

Option: qualify_preserve_domain
Type: boolean
Default: false

If this is set and an unqualified address (one without a domain) is generated, it is qualified with the domain of the incoming address instead of the global setting in `qualify_recipient'.

reply_transport (forwardfile) option

Option: reply_transport
Type: string
Default: unset

A `forwardfile' director sets up a delivery to an `autoreply' transport when a `mail' or `vacation' command is used in a filter file. The transport used is specified by this option, which, after expansion, must be the name of a configured transport.

rewrite (forwardfile) option

Option: rewrite
Type: boolean
Default: true

If this option is set false, addresses generated by the director are not subject to address rewriting. Otherwise, they are treated like new addresses.

seteuid (forwardfile) option

Option: seteuid
Type: boolean
Default: false

This option may not be set unless the compile-time configuration in the OS-specific configuration files specifies that the `seteuid()' function is available in the operating system. In addition, either the `check_local_user' or the generic `user' and `group' options must be set. A configuration error occurs if these conditions do not hold.

When this option is true, the `seteuid()' and `setegid()' functions are called to change the effective uid and gid before accessing the home directory and the file. If both `check_local_user' and `user' are set, the uid is taken from the latter. If the generic `initgroups' option is set, `initgroups()' is called to initialise the group list with all the user's groups. The user remains set during interpretation of a filter file; if it writes log entries the log file must be accessible to the uid or gid. Changing uid is necessary in two circumstances:

  1. When Exim is configured to change the effective uid from root to the Exim user (using `seteuid()') while running the directors. See chapter "Security considerations" for details.
  2. When users' home directories are NFS mounted, and root access is not exported to the local host, to allow for cases when the files are not world-readable.

The `forwardfile' director can detect the first of these cases, and it always uses `seteuid()', regardless of the setting of this option, since it does not make sense to do otherwise.

On a system without the `seteuid()' function, but with NFS home directories that do not export root, it is necessary for forward files to be world-readable.

skip_syntax_errors (forwardfile) option

Option: skip_syntax_errors
Type: boolean
Default: false

If `skip_syntax_errors' is set for a non-filter forward file, a malformed address that causes a parsing error is skipped, and an entry is written to the main log. This may be useful for mailing lists that are automatically managed, but note the inherent danger. If all the addresses in the list are malformed, the original address is passed on to subsequent directors.

If `skip_syntax_errors' is set for an Exim filter file, any syntax error in the filter file causes filtering to be abandoned, the incident is logged, and the address is passed on to the next director.

If `skip_syntax_errors' is set for the director that handles users' `.forward' files, it should normally be done in conjunction with

syntax_errors_to = $local_part@domain

in order to pass the error report back to the owner of the `.forward' file. Additional locally-written explanation can be included by setting `syntax_errors_text'.

syntax_errors_text (forwardfile) option

Option: syntax_errors_text
Type: string
Default: unset

See `syntax_errors_to'.

syntax_errors_to (forwardfile) option

Option: syntax_errors_to
Type: string
Default: unset

This option applies only when `skip_syntax_errors' is set. If any addresses are skipped because of syntax errors, a mail message is sent to the address specified by `syntax_errors_to', giving details of the failing address(es). If `syntax_errors_text' is set, its contents are expanded and placed at the head of the error message. Often it will be appropriate to set `syntax_errors_to' to be the same address as `errors_to'.


Go to the first, previous, next, last section, table of contents.