Exim Internet Mailer

<-previousnext->

XWARNING: This documentation is for an old version of Exim (latest)

Chapter 14 - Main configuration

The first part of the runtime configuration file contains three types of item:

  • Macro definitions: These lines start with an upper case letter. See section 6.4 for details of macro processing.

  • Named list definitions: These lines start with one of the words “domainlist”, “hostlist”, “addresslist”, or “localpartlist”. Their use is described in section 10.6.

  • Main configuration settings: Each setting occupies one line of the file (with possible continuations). If any setting is preceded by the word “hide”, the -bP command line option displays its value to admin users only. See section 6.11 for a description of the syntax of these option settings.

This chapter specifies all the main configuration options, along with their types and default values. For ease of finding a particular option, they appear in alphabetical order in section 14.23 below. However, because there are now so many options, they are first listed briefly in functional groups, as an aid to finding the name of the option you are looking for. Some options are listed in more than one group.

1. Miscellaneous

bi_command to run for -bi command line option
debug_store do extra internal checks
disable_ipv6 do no IPv6 processing
keep_malformed for broken files – should not happen
localhost_number for unique message ids in clusters
message_body_newlines retain newlines in $message_body
message_body_visible how much to show in $message_body
mua_wrapper run in “MUA wrapper” mode
print_topbitchars top-bit characters are printing
spool_wireformat use wire-format spool data files when possible
timezone force time zone

2. Exim parameters

exim_group override compiled-in value
exim_path override compiled-in value
exim_user override compiled-in value
primary_hostname default from uname()
split_spool_directory use multiple directories
spool_directory override compiled-in value

3. Privilege controls

admin_groups groups that are Exim admin users
commandline_checks_require_admin require admin for various checks
deliver_drop_privilege drop root for delivery processes
local_from_check insert Sender: if necessary
local_from_prefix for testing From: for local sender
local_from_suffix for testing From: for local sender
local_sender_retain keep Sender: from untrusted user
never_users do not run deliveries as these
prod_requires_admin forced delivery requires admin user
queue_list_requires_admin queue listing requires admin user
trusted_groups groups that are trusted
trusted_users users that are trusted

4. Logging

event_action custom logging
hosts_connection_nolog exemption from connect logging
log_file_path override compiled-in value
log_selector set/unset optional logging
log_timezone add timezone to log lines
message_logs create per-message logs
preserve_message_logs after message completion
process_log_path for SIGUSR1 and exiwhat
slow_lookup_log control logging of slow DNS lookups
syslog_duplication controls duplicate log lines on syslog
syslog_facility set syslog “facility” field
syslog_pid pid in syslog lines
syslog_processname set syslog “ident” field
syslog_timestamp timestamp syslog lines
write_rejectlog control use of message log

5. Frozen messages

auto_thaw sets time for retrying frozen messages
freeze_tell send message when freezing
move_frozen_messages to another directory
timeout_frozen_after keep frozen messages only so long

6. Data lookups

ibase_servers InterBase servers
ldap_ca_cert_dir dir of CA certs to verify LDAP server’s
ldap_ca_cert_file file of CA certs to verify LDAP server’s
ldap_cert_file client cert file for LDAP
ldap_cert_key client key file for LDAP
ldap_cipher_suite TLS negotiation preference control
ldap_default_servers used if no server in query
ldap_require_cert action to take without LDAP server cert
ldap_start_tls require TLS within LDAP
ldap_version set protocol version
lookup_open_max lookup files held open
mysql_servers default MySQL servers
oracle_servers Oracle servers
pgsql_servers default PostgreSQL servers
sqlite_lock_timeout as it says

7. Message ids

message_id_header_domain used to build Message-ID: header
message_id_header_text ditto

8. Embedded Perl Startup

perl_at_start always start the interpreter
perl_startup code to obey when starting Perl
perl_taintmode enable taint mode in Perl

9. Daemon

daemon_smtp_ports default ports
daemon_startup_retries number of times to retry
daemon_startup_sleep time to sleep between tries
extra_local_interfaces not necessarily listened on
local_interfaces on which to listen, with optional ports
notifier_socket override compiled-in value
pid_file_path override compiled-in value
queue_run_max maximum simultaneous queue runners

10. Resource control

check_log_inodes before accepting a message
check_log_space before accepting a message
check_spool_inodes before accepting a message
check_spool_space before accepting a message
deliver_queue_load_max no queue deliveries if load high
queue_only_load queue incoming if load high
queue_only_load_latch don’t re-evaluate load for each message
queue_run_max maximum simultaneous queue runners
remote_max_parallel parallel SMTP delivery per message
smtp_accept_max simultaneous incoming connections
smtp_accept_max_nonmail non-mail commands
smtp_accept_max_nonmail_hosts hosts to which the limit applies
smtp_accept_max_per_connection messages per connection
smtp_accept_max_per_host connections from one host
smtp_accept_queue queue mail if more connections
smtp_accept_queue_per_connection queue if more messages per connection
smtp_accept_reserve only reserve hosts if more connections
smtp_check_spool_space from SIZE on MAIL command
smtp_connect_backlog passed to TCP/IP stack
smtp_load_reserve SMTP from reserved hosts if load high
smtp_reserve_hosts these are the reserve hosts

11. Policy controls

acl_not_smtp ACL for non-SMTP messages
acl_not_smtp_mime ACL for non-SMTP MIME parts
acl_not_smtp_start ACL for start of non-SMTP message
acl_smtp_auth ACL for AUTH
acl_smtp_connect ACL for connection
acl_smtp_data ACL for DATA
acl_smtp_data_prdr ACL for DATA, per-recipient
acl_smtp_dkim ACL for DKIM verification
acl_smtp_etrn ACL for ETRN
acl_smtp_expn ACL for EXPN
acl_smtp_helo ACL for EHLO or HELO
acl_smtp_mail ACL for MAIL
acl_smtp_mailauth ACL for AUTH on MAIL command
acl_smtp_mime ACL for MIME parts
acl_smtp_notquit ACL for non-QUIT terminations
acl_smtp_predata ACL for start of data
acl_smtp_quit ACL for QUIT
acl_smtp_rcpt ACL for RCPT
acl_smtp_starttls ACL for STARTTLS
acl_smtp_vrfy ACL for VRFY
av_scanner specify virus scanner
check_rfc2047_length check length of RFC 2047 “encoded words”
dns_cname_loops follow CNAMEs returned by resolver
dns_csa_search_limit control CSA parent search depth
dns_csa_use_reverse en/disable CSA IP reverse search
header_maxsize total size of message header
header_line_maxsize individual header line limit
helo_accept_junk_hosts allow syntactic junk from these hosts
helo_allow_chars allow illegal chars in HELO names
helo_lookup_domains lookup hostname for these HELO names
helo_try_verify_hosts HELO soft-checked for these hosts
helo_verify_hosts HELO hard-checked for these hosts
host_lookup host name looked up for these hosts
host_lookup_order order of DNS and local name lookups
hosts_proxy use proxy protocol for these hosts
host_reject_connection reject connection from these hosts
hosts_treat_as_local useful in some cluster configurations
local_scan_timeout timeout for local_scan()
message_size_limit for all messages
percent_hack_domains recognize %-hack for these domains
spamd_address set interface to SpamAssassin
strict_acl_vars object to unset ACL variables
spf_smtp_comment_template template for $spf_smtp_comment

12. Callout cache

callout_domain_negative_expire timeout for negative domain cache item
callout_domain_positive_expire timeout for positive domain cache item
callout_negative_expire timeout for negative address cache item
callout_positive_expire timeout for positive address cache item
callout_random_local_part string to use for “random” testing

13. TLS

gnutls_compat_mode use GnuTLS compatibility mode
gnutls_allow_auto_pkcs11 allow GnuTLS to autoload PKCS11 modules
openssl_options adjust OpenSSL compatibility options
tls_advertise_hosts advertise TLS to these hosts
tls_certificate location of server certificate
tls_crl certificate revocation list
tls_dh_max_bits clamp D-H bit count suggestion
tls_dhparam DH parameters for server
tls_eccurve EC curve selection for server
tls_ocsp_file location of server certificate status proof
tls_on_connect_ports specify SSMTP (SMTPS) ports
tls_privatekey location of server private key
tls_remember_esmtp don’t reset after starting TLS
tls_require_ciphers specify acceptable ciphers
tls_try_verify_hosts try to verify client certificate
tls_verify_certificates expected client certificates
tls_verify_hosts insist on client certificate verify

14. Local user handling

finduser_retries useful in NIS environments
gecos_name used when creating Sender:
gecos_pattern ditto
max_username_length for systems that truncate
unknown_login used when no login name found
unknown_username ditto
uucp_from_pattern for recognizing “From ” lines
uucp_from_sender ditto

15. All incoming messages (SMTP and non-SMTP)

header_maxsize total size of message header
header_line_maxsize individual header line limit
message_size_limit applies to all messages
percent_hack_domains recognize %-hack for these domains
received_header_text expanded to make Received:
received_headers_max for mail loop detection
recipients_max limit per message
recipients_max_reject permanently reject excess recipients

16. Non-SMTP incoming messages

receive_timeout for non-SMTP messages

17. Incoming SMTP messages

See also the Policy controls section above.

dkim_verify_hashes DKIM hash methods accepted for signatures
dkim_verify_keytypes DKIM key types accepted for signatures
dkim_verify_min_keysizes DKIM key sizes accepted for signatures
dkim_verify_signers DKIM domains for which DKIM ACL is run
dmarc_forensic_sender DMARC sender for report messages
dmarc_history_file DMARC results log
dmarc_tld_file DMARC toplevel domains file
host_lookup host name looked up for these hosts
host_lookup_order order of DNS and local name lookups
recipient_unqualified_hosts may send unqualified recipients
rfc1413_hosts make ident calls to these hosts
rfc1413_query_timeout zero disables ident calls
sender_unqualified_hosts may send unqualified senders
smtp_accept_keepalive some TCP/IP magic
smtp_accept_max simultaneous incoming connections
smtp_accept_max_nonmail non-mail commands
smtp_accept_max_nonmail_hosts hosts to which the limit applies
smtp_accept_max_per_connection messages per connection
smtp_accept_max_per_host connections from one host
smtp_accept_queue queue mail if more connections
smtp_accept_queue_per_connection queue if more messages per connection
smtp_accept_reserve only reserve hosts if more connections
smtp_active_hostname host name to use in messages
smtp_banner text for welcome banner
smtp_check_spool_space from SIZE on MAIL command
smtp_connect_backlog passed to TCP/IP stack
smtp_enforce_sync of SMTP command/responses
smtp_etrn_command what to run for ETRN
smtp_etrn_serialize only one at once
smtp_load_reserve only reserve hosts if this load
smtp_max_unknown_commands before dropping connection
smtp_ratelimit_hosts apply ratelimiting to these hosts
smtp_ratelimit_mail ratelimit for MAIL commands
smtp_ratelimit_rcpt ratelimit for RCPT commands
smtp_receive_timeout per command or data line
smtp_reserve_hosts these are the reserve hosts
smtp_return_error_details give detail on rejections

18. SMTP extensions

accept_8bitmime advertise 8BITMIME
auth_advertise_hosts advertise AUTH to these hosts
chunking_advertise_hosts advertise CHUNKING to these hosts
dsn_advertise_hosts advertise DSN extensions to these hosts
ignore_fromline_hosts allow “From ” from these hosts
ignore_fromline_local allow “From ” from local SMTP
pipelining_advertise_hosts advertise pipelining to these hosts
pipelining_connect_advertise_hosts advertise pipelining to these hosts
prdr_enable advertise PRDR to all hosts
smtputf8_advertise_hosts advertise SMTPUTF8 to these hosts
tls_advertise_hosts advertise TLS to these hosts

19. Processing messages

allow_domain_literals recognize domain literal syntax
allow_mx_to_ip allow MX to point to IP address
allow_utf8_domains in addresses
check_rfc2047_length check length of RFC 2047 “encoded words”
delivery_date_remove from incoming messages
envelope_to_remove from incoming messages
extract_addresses_remove_arguments affects -t processing
headers_charset default for translations
qualify_domain default for senders
qualify_recipient default for recipients
return_path_remove from incoming messages
strip_excess_angle_brackets in addresses
strip_trailing_dot at end of addresses
untrusted_set_sender untrusted can set envelope sender

20. System filter

system_filter locate system filter
system_filter_directory_transport transport for delivery to a directory
system_filter_file_transport transport for delivery to a file
system_filter_group group for filter running
system_filter_pipe_transport transport for delivery to a pipe
system_filter_reply_transport transport for autoreply delivery
system_filter_user user for filter running

21. Routing and delivery

disable_ipv6 do no IPv6 processing
dns_again_means_nonexist for broken domains
dns_check_names_pattern pre-DNS syntax check
dns_dnssec_ok parameter for resolver
dns_ipv4_lookup only v4 lookup for these domains
dns_retrans parameter for resolver
dns_retry parameter for resolver
dns_trust_aa DNS zones trusted as authentic
dns_use_edns0 parameter for resolver
hold_domains hold delivery for these domains
local_interfaces for routing checks
queue_domains no immediate delivery for these
queue_only no immediate delivery at all
queue_only_file no immediate delivery if file exists
queue_only_load no immediate delivery if load is high
queue_only_load_latch don’t re-evaluate load for each message
queue_only_override allow command line to override
queue_run_in_order order of arrival
queue_run_max of simultaneous queue runners
queue_smtp_domains no immediate SMTP delivery for these
remote_max_parallel parallel SMTP delivery per message
remote_sort_domains order of remote deliveries
retry_data_expire timeout for retry data
retry_interval_max safety net for retry rules

22. Bounce and warning messages

bounce_message_file content of bounce
bounce_message_text content of bounce
bounce_return_body include body if returning message
bounce_return_linesize_limit limit on returned message line length
bounce_return_message include original message in bounce
bounce_return_size_limit limit on returned message
bounce_sender_authentication send authenticated sender with bounce
dsn_from set From: contents in bounces
errors_copy copy bounce messages
errors_reply_to Reply-to: in bounces
delay_warning time schedule
delay_warning_condition condition for warning messages
ignore_bounce_errors_after discard undeliverable bounces
smtp_return_error_details give detail on rejections
warn_message_file content of warning message

23. Alphabetical list of main options

Those options that undergo string expansion before use are marked with †.

accept_8bitmime Use: main Type: boolean Default: true

This option causes Exim to send 8BITMIME in its response to an SMTP EHLO command, and to accept the BODY= parameter on MAIL commands. However, though Exim is 8-bit clean, it is not a protocol converter, and it takes no steps to do anything special with messages received by this route.

Historically Exim kept this option off by default, but the maintainers feel that in today’s Internet, this causes more problems than it solves. It now defaults to true. A more detailed analysis of the issues is provided by Dan Bernstein:

To log received 8BITMIME status use

log_selector = +8bitmime

acl_not_smtp Use: main Type: string Default: unset

This option defines the ACL that is run when a non-SMTP message has been read and is on the point of being accepted. See chapter 44 for further details.

acl_not_smtp_mime Use: main Type: string Default: unset

This option defines the ACL that is run for individual MIME parts of non-SMTP messages. It operates in exactly the same way as acl_smtp_mime operates for SMTP messages.

acl_not_smtp_start Use: main Type: string Default: unset

This option defines the ACL that is run before Exim starts reading a non-SMTP message. See chapter 44 for further details.

acl_smtp_auth Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP AUTH command is received. See chapter 44 for further details.

acl_smtp_connect Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP connection is received. See chapter 44 for further details.

acl_smtp_data Use: main Type: string Default: unset

This option defines the ACL that is run after an SMTP DATA command has been processed and the message itself has been received, but before the final acknowledgment is sent. See chapter 44 for further details.

acl_smtp_data_prdr Use: main Type: string Default: accept

This option defines the ACL that, if the PRDR feature has been negotiated, is run for each recipient after an SMTP DATA command has been processed and the message itself has been received, but before the acknowledgment is sent. See chapter 44 for further details.

acl_smtp_dkim Use: main Type: string Default: unset

This option defines the ACL that is run for each DKIM signature (by default, or as specified in the dkim_verify_signers option) of a received message. See section 58.3 for further details.

acl_smtp_etrn Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP ETRN command is received. See chapter 44 for further details.

acl_smtp_expn Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP EXPN command is received. See chapter 44 for further details.

acl_smtp_helo Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP EHLO or HELO command is received. See chapter 44 for further details.

acl_smtp_mail Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP MAIL command is received. See chapter 44 for further details.

acl_smtp_mailauth Use: main Type: string Default: unset

This option defines the ACL that is run when there is an AUTH parameter on a MAIL command. See chapter 44 for details of ACLs, and chapter 33 for details of authentication.

acl_smtp_mime Use: main Type: string Default: unset

This option is available when Exim is built with the content-scanning extension. It defines the ACL that is run for each MIME part in a message. See section 45.4 for details.

acl_smtp_notquit Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP session ends without a QUIT command being received. See chapter 44 for further details.

acl_smtp_predata Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP DATA command is received, before the message itself is received. See chapter 44 for further details.

acl_smtp_quit Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP QUIT command is received. See chapter 44 for further details.

acl_smtp_rcpt Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP RCPT command is received. See chapter 44 for further details.

acl_smtp_starttls Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP STARTTLS command is received. See chapter 44 for further details.

acl_smtp_vrfy Use: main Type: string Default: unset

This option defines the ACL that is run when an SMTP VRFY command is received. See chapter 44 for further details.

add_environment Use: main Type: string list Default: empty

This option adds individual environment variables that the currently linked libraries and programs in child processes may use. Each list element should be of the form “name=value”.

See 29.4 for the environment of pipe transports.

admin_groups Use: main Type: string list Default: unset

This option is expanded just once, at the start of Exim’s processing. If the current group or any of the supplementary groups of an Exim caller is in this colon-separated list, the caller has admin privileges. If all your system programmers are in a specific group, for example, you can give them all Exim admin privileges by putting that group in admin_groups. However, this does not permit them to read Exim’s spool files (whose group owner is the Exim gid). To permit this, you have to add individuals to the Exim group.

allow_domain_literals Use: main Type: boolean Default: false

If this option is set, the RFC 2822 domain literal format is permitted in email addresses. The option is not set by default, because the domain literal format is not normally required these days, and few people know about it. It has, however, been exploited by mail abusers.

Unfortunately, it seems that some DNS black list maintainers are using this format to report black listing to postmasters. If you want to accept messages addressed to your hosts by IP address, you need to set allow_domain_literals true, and also to add @[] to the list of local domains (defined in the named domain list local_domains in the default configuration). This “magic string” matches the domain literal form of all the local host’s IP addresses.

allow_mx_to_ip Use: main Type: boolean Default: false

It appears that more and more DNS zone administrators are breaking the rules and putting domain names that look like IP addresses on the right hand side of MX records. Exim follows the rules and rejects this, giving an error message that explains the misconfiguration. However, some other MTAs support this practice, so to avoid “Why can’t Exim do this?” complaints, allow_mx_to_ip exists, in order to enable this heinous activity. It is not recommended, except when you have no other choice.

allow_utf8_domains Use: main Type: boolean Default: false

Lots of discussion is going on about internationalized domain names. One camp is strongly in favour of just using UTF-8 characters, and it seems that at least two other MTAs permit this. This option allows Exim users to experiment if they wish.

If it is set true, Exim’s domain parsing function allows valid UTF-8 multicharacters to appear in domain name components, in addition to letters, digits, and hyphens.

If Exim is built with internationalization support and the SMTPUTF8 ESMTP option is in use (see chapter 60) this option can be left as default. Without that, if you want to look up such domain names in the DNS, you must also adjust the value of dns_check_names_pattern to match the extended form. A suitable setting is:

dns_check_names_pattern = (?i)^(?>(?(1)\.|())[a-z0-9\xc0-\xff]\
  (?>[-a-z0-9\x80-\xff]*[a-z0-9\x80-\xbf])?)+$

Alternatively, you can just disable this feature by setting

dns_check_names_pattern =

That is, set the option to an empty string so that no check is done.

auth_advertise_hosts Use: main Type: host list Default: *

If any server authentication mechanisms are configured, Exim advertises them in response to an EHLO command only if the calling host matches this list. Otherwise, Exim does not advertise AUTH. Exim does not accept AUTH commands from clients to which it has not advertised the availability of AUTH. The advertising of individual authentication mechanisms can be controlled by the use of the server_advertise_condition generic authenticator option on the individual authenticators. See chapter 33 for further details.

Certain mail clients (for example, Netscape) require the user to provide a name and password for authentication if AUTH is advertised, even though it may not be needed (the host may accept messages from hosts on its local LAN without authentication, for example). The auth_advertise_hosts option can be used to make these clients more friendly by excluding them from the set of hosts to which Exim advertises AUTH.

If you want to advertise the availability of AUTH only when the connection is encrypted using TLS, you can make use of the fact that the value of this option is expanded, with a setting like this:

auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}

If $tls_in_cipher is empty, the session is not encrypted, and the result of the expansion is empty, thus matching no hosts. Otherwise, the result of the expansion is *, which matches all hosts.

auto_thaw Use: main Type: time Default: 0s

If this option is set to a time greater than zero, a queue runner will try a new delivery attempt on any frozen message, other than a bounce message, if this much time has passed since it was frozen. This may result in the message being re-frozen if nothing has changed since the last attempt. It is a way of saying “keep on trying, even though there are big problems”.

Note: This is an old option, which predates timeout_frozen_after and ignore_bounce_errors_after. It is retained for compatibility, but it is not thought to be very useful any more, and its use should probably be avoided.

av_scanner Use: main Type: string Default: see below

This option is available if Exim is built with the content-scanning extension. It specifies which anti-virus scanner to use. The default value is:

sophie:/var/run/sophie

If the value of av_scanner starts with a dollar character, it is expanded before use. See section 45.1 for further details.

bi_command Use: main Type: string Default: unset

This option supplies the name of a command that is run when Exim is called with the -bi option (see chapter 5). The string value is just the command name, it is not a complete command line. If an argument is required, it must come from the -oA command line option.

bounce_message_file Use: main Type: string Default: unset

This option defines a template file containing paragraphs of text to be used for constructing bounce messages. Details of the file’s contents are given in chapter 50.

The option is expanded to give the file path, which must be absolute and untainted.

See also warn_message_file.

bounce_message_text Use: main Type: string Default: unset

When this option is set, its contents are included in the default bounce message immediately after “This message was created automatically by mail delivery software.” It is not used if bounce_message_file is set.

bounce_return_body Use: main Type: boolean Default: true

This option controls whether the body of an incoming message is included in a bounce message when bounce_return_message is true. The default setting causes the entire message, both header and body, to be returned (subject to the value of bounce_return_size_limit). If this option is false, only the message header is included. In the case of a non-SMTP message containing an error that is detected during reception, only those header lines preceding the point at which the error was detected are returned.

bounce_return_linesize_limit Use: main Type: integer Default: 998

This option sets a limit in bytes on the line length of messages that are returned to senders due to delivery problems, when bounce_return_message is true. The default value corresponds to RFC limits. If the message being returned has lines longer than this value it is treated as if the bounce_return_size_limit (below) restriction was exceeded.

The option also applies to bounces returned when an error is detected during reception of a message. In this case lines from the original are truncated.

The option does not apply to messages generated by an autoreply transport.

bounce_return_message Use: main Type: boolean Default: true

If this option is set false, none of the original message is included in bounce messages generated by Exim. See also bounce_return_size_limit and bounce_return_body.

bounce_return_size_limit Use: main Type: integer Default: 100K

This option sets a limit in bytes on the size of messages that are returned to senders as part of bounce messages when bounce_return_message is true. The limit should be less than the value of the global message_size_limit and of any message_size_limit settings on transports, to allow for the bounce text that Exim generates. If this option is set to zero there is no limit.

When the body of any message that is to be included in a bounce message is greater than the limit, it is truncated, and a comment pointing this out is added at the top. The actual cutoff may be greater than the value given, owing to the use of buffering for transferring the message in chunks (typically 8K in size). The idea is to save bandwidth on those undeliverable 15-megabyte messages.

bounce_sender_authentication Use: main Type: string Default: unset

This option provides an authenticated sender address that is sent with any bounce messages generated by Exim that are sent over an authenticated SMTP connection. A typical setting might be:

bounce_sender_authentication = mailer-daemon@my.domain.example

which would cause bounce messages to be sent using the SMTP command:

MAIL FROM:<> AUTH=mailer-daemon@my.domain.example

The value of bounce_sender_authentication must always be a complete email address.

callout_domain_negative_expire Use: main Type: time Default: 3h

This option specifies the expiry time for negative callout cache data for a domain. See section 44.45 for details of callout verification, and section 44.47 for details of the caching.

callout_domain_positive_expire Use: main Type: time Default: 7d

This option specifies the expiry time for positive callout cache data for a domain. See section 44.45 for details of callout verification, and section 44.47 for details of the caching.

callout_negative_expire Use: main Type: time Default: 2h

This option specifies the expiry time for negative callout cache data for an address. See section 44.45 for details of callout verification, and section 44.47 for details of the caching.

callout_positive_expire Use: main Type: time Default: 24h

This option specifies the expiry time for positive callout cache data for an address. See section 44.45 for details of callout verification, and section 44.47 for details of the caching.

callout_random_local_part Use: main Type: string Default: see below

This option defines the “random” local part that can be used as part of callout verification. The default value is

$primary_hostname-$tod_epoch-testing

See section 44.46 for details of how this value is used.

check_log_inodes Use: main Type: integer Default: 100

See check_spool_space below.

check_log_space Use: main Type: integer Default: 10M

See check_spool_space below.

check_rfc2047_length Use: main Type: boolean Default: true

RFC 2047 defines a way of encoding non-ASCII characters in headers using a system of “encoded words”. The RFC specifies a maximum length for an encoded word; strings to be encoded that exceed this length are supposed to use multiple encoded words. By default, Exim does not recognize encoded words that exceed the maximum length. However, it seems that some software, in violation of the RFC, generates overlong encoded words. If check_rfc2047_length is set false, Exim recognizes encoded words of any length.

check_spool_inodes Use: main Type: integer Default: 100

See check_spool_space below.

check_spool_space Use: main Type: integer Default: 10M

The four check_... options allow for checking of disk resources before a message is accepted.

When any of these options are nonzero, they apply to all incoming messages. If you want to apply different checks to different kinds of message, you can do so by testing the variables $log_inodes, $log_space, $spool_inodes, and $spool_space in an ACL with appropriate additional conditions.

check_spool_space and check_spool_inodes check the spool partition if either value is greater than zero, for example:

check_spool_space = 100M
check_spool_inodes = 100

The spool partition is the one that contains the directory defined by SPOOL_DIRECTORY in Local/Makefile. It is used for holding messages in transit.

check_log_space and check_log_inodes check the partition in which log files are written if either is greater than zero. These should be set only if log_file_path and spool_directory refer to different partitions.

If there is less space or fewer inodes than requested, Exim refuses to accept incoming mail. In the case of SMTP input this is done by giving a 452 temporary error response to the MAIL command. If ESMTP is in use and there was a SIZE parameter on the MAIL command, its value is added to the check_spool_space value, and the check is performed even if check_spool_space is zero, unless no_smtp_check_spool_space is set.

The values for check_spool_space and check_log_space are held as a number of kilobytes (though specified in bytes). If a non-multiple of 1024 is specified, it is rounded up.

For non-SMTP input and for batched SMTP input, the test is done at start-up; on failure a message is written to stderr and Exim exits with a non-zero code, as it obviously cannot send an error message of any kind.

There is a slight performance penalty for these checks. Versions of Exim preceding 4.88 had these disabled by default; high-rate installations confident they will never run out of resources may wish to deliberately disable them.

chunking_advertise_hosts Use: main Type: host list Default: *

The CHUNKING extension (RFC3030) will be advertised in the EHLO message to these hosts. Hosts may use the BDAT command as an alternate to DATA.

commandline_checks_require_admin Use: main Type: boolean Default: false

This option restricts various basic checking features to require an administrative user. This affects most of the -b* options, such as -be.

debug_store Use: main Type: boolean Default: false

This option, when true, enables extra checking in Exim’s internal memory management. For use when a memory corruption issue is being investigated, it should normally be left as default.

daemon_smtp_ports Use: main Type: string Default: smtp

This option specifies one or more default SMTP ports on which the Exim daemon listens. See chapter 13 for details of how it is used. For backward compatibility, daemon_smtp_port (singular) is a synonym.

daemon_startup_retries Use: main Type: integer Default: 9

This option, along with daemon_startup_sleep, controls the retrying done by the daemon at startup when it cannot immediately bind a listening socket (typically because the socket is already in use): daemon_startup_retries defines the number of retries after the first failure, and daemon_startup_sleep defines the length of time to wait between retries.

daemon_startup_sleep Use: main Type: time Default: 30s

See daemon_startup_retries.

delay_warning Use: main Type: time list Default: 24h

When a message is delayed, Exim sends a warning message to the sender at intervals specified by this option. The data is a colon-separated list of times after which to send warning messages. If the value of the option is an empty string or a zero time, no warnings are sent. Up to 10 times may be given. If a message has been in the queue for longer than the last time, the last interval between the times is used to compute subsequent warning times. For example, with

delay_warning = 4h:8h:24h

the first message is sent after 4 hours, the second after 8 hours, and the third one after 24 hours. After that, messages are sent every 16 hours, because that is the interval between the last two times on the list. If you set just one time, it specifies the repeat interval. For example, with:

delay_warning = 6h

messages are repeated every six hours. To stop warnings after a given time, set a very large time at the end of the list. For example:

delay_warning = 2h:12h:99d

Note that the option is only evaluated at the time a delivery attempt fails, which depends on retry and queue-runner configuration. Typically retries will be configured more frequently than warning messages.

delay_warning_condition Use: main Type: string Default: see below

The string is expanded at the time a warning message might be sent. If all the deferred addresses have the same domain, it is set in $domain during the expansion. Otherwise $domain is empty. If the result of the expansion is a forced failure, an empty string, or a string matching any of “0”, “no” or “false” (the comparison being done caselessly) then the warning message is not sent. The default is:

delay_warning_condition = ${if or {\
  { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\
  { match{$h_precedence:}{(?i)bulk|list|junk} }\
  { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\
  } {no}{yes}}

This suppresses the sending of warnings for messages that contain List-ID:, List-Post:, or List-Subscribe: headers, or have “bulk”, “list” or “junk” in a Precedence: header, or have “auto-generated” or “auto-replied” in an Auto-Submitted: header.

deliver_drop_privilege Use: main Type: boolean Default: false

If this option is set true, Exim drops its root privilege at the start of a delivery process, and runs as the Exim user throughout. This severely restricts the kinds of local delivery that are possible, but is viable in certain types of configuration. There is a discussion about the use of root privilege in chapter 56.

deliver_queue_load_max Use: main Type: fixed-point Default: unset

When this option is set, a queue run is abandoned if the system load average becomes greater than the value of the option. The option has no effect on ancient operating systems on which Exim cannot determine the load average. See also queue_only_load and smtp_load_reserve.

delivery_date_remove Use: main Type: boolean Default: true

Exim’s transports have an option for adding a Delivery-date: header to a message when it is delivered, in exactly the same way as Return-path: is handled. Delivery-date: records the actual time of delivery. Such headers should not be present in incoming messages, and this option causes them to be removed at the time the message is received, to avoid any problems that might occur when a delivered message is subsequently sent on to some other recipient.

disable_fsync Use: main Type: boolean Default: false

This option is available only if Exim was built with the compile-time option ENABLE_DISABLE_FSYNC. When this is not set, a reference to disable_fsync in a runtime configuration generates an “unknown option” error. You should not build Exim with ENABLE_DISABLE_FSYNC or set disable_fsync unless you really, really, really understand what you are doing. No pre-compiled distributions of Exim should ever make this option available.

When disable_fsync is set true, Exim no longer calls fsync() to force updated files’ data to be written to disc before continuing. Unexpected events such as crashes and power outages may cause data to be lost or scrambled. Here be Dragons. Beware.

disable_ipv6 Use: main Type: boolean Default: false

If this option is set true, even if the Exim binary has IPv6 support, no IPv6 activities take place. AAAA records are never looked up, and any IPv6 addresses that are listed in local_interfaces, data for the manualroute router, etc. are ignored. If IP literals are enabled, the ipliteral router declines to handle IPv6 literal addresses.

dkim_verify_hashes Use: main Type: string list Default: sha256 : sha512

This option gives a list of hash types which are acceptable in signatures,

and an order of processing. Signatures with algorithms not in the list will be ignored.

Acceptable values include:

sha1
sha256
sha512

Note that the acceptance of sha1 violates RFC 8301.

dkim_verify_keytypes Use: main Type: string list Default: ed25519 : rsa

This option gives a list of key types which are acceptable in signatures, and an order of processing. Signatures with algorithms not in the list will be ignored.

dkim_verify_min_keysizes Use: main Type: string list Default: rsa=1024 ed25519=250

This option gives a list of key sizes which are acceptable in signatures. The list is keyed by the algorithm type for the key; the values are in bits. Signatures with keys smaller than given by this option will fail verification.

The default enforces the RFC 8301 minimum key size for RSA signatures.

dkim_verify_minimal Use: main Type: boolean Default: false

If set to true, verification of signatures will terminate after the first success.

dkim_verify_signers Use: main Type: domain list Default: $dkim_signers

This option gives a list of DKIM domains for which the DKIM ACL is run. It is expanded after the message is received; by default it runs the ACL once for each signature in the message. See section 58.3.

dmarc_forensic_sender Use: main Type: string Default: unset

dmarc_history_file Use: main Type: string Default: unset

dmarc_tld_file Use: main Type: string Default: unset

These options control DMARC processing. See section 58.5 for details.

dns_again_means_nonexist Use: main Type: domain list Default: unset

DNS lookups give a “try again” response for the DNS errors “non-authoritative host not found” and “SERVERFAIL”. This can cause Exim to keep trying to deliver a message, or to give repeated temporary errors to incoming mail. Sometimes the effect is caused by a badly set up name server and may persist for a long time. If a domain which exhibits this problem matches anything in dns_again_means_nonexist, it is treated as if it did not exist. This option should be used with care. You can make it apply to reverse lookups by a setting such as this:

dns_again_means_nonexist = *.in-addr.arpa

This option applies to all DNS lookups that Exim does. It also applies when the gethostbyname() or getipnodebyname() functions give temporary errors, since these are most likely to be caused by DNS lookup problems. The dnslookup router has some options of its own for controlling what happens when lookups for MX or SRV records give temporary errors. These more specific options are applied after this global option.

dns_check_names_pattern Use: main Type: string Default: see below

When this option is set to a non-empty string, it causes Exim to check domain names for characters that are not allowed in host names before handing them to the DNS resolver, because some resolvers give temporary errors for names that contain unusual characters. If a domain name contains any unwanted characters, a “not found” result is forced, and the resolver is not called. The check is done by matching the domain name against a regular expression, which is the value of this option. The default pattern is

dns_check_names_pattern = \
  (?i)^(?>(?(1)\.|())[^\W_](?>[a-z0-9/-]*[^\W_])?)+$

which permits only letters, digits, slashes, and hyphens in components, but they must start and end with a letter or digit. Slashes are not, in fact, permitted in host names, but they are found in certain NS records (which can be accessed in Exim by using a dnsdb lookup). If you set allow_utf8_domains, you must modify this pattern, or set the option to an empty string.

dns_csa_search_limit Use: main Type: integer Default: 5

This option controls the depth of parental searching for CSA SRV records in the DNS, as described in more detail in section 44.50.

dns_csa_use_reverse Use: main Type: boolean Default: true

This option controls whether or not an IP address, given as a CSA domain, is reversed and looked up in the reverse DNS, as described in more detail in section 44.50.

dns_cname_loops Use: main Type: integer Default: 1

This option controls the following of CNAME chains, needed if the resolver does not do it internally. As of 2018 most should, and the default can be left. If you have an ancient one, a value of 10 is likely needed.

The default value of one CNAME-follow is needed thanks to the observed return for an MX request, given no MX presence but a CNAME to an A, of the CNAME.

dns_dnssec_ok Use: main Type: integer Default: -1

If this option is set to a non-negative number then Exim will initialise the DNS resolver library to either use or not use DNSSEC, overriding the system default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.

If the resolver library does not support DNSSEC then this option has no effect.

On Linux with glibc 2.31 or newer this is insufficient, the resolver library will default to stripping out a successful validation status. This will break a previously working Exim installation. Provided that you do trust the resolver (ie, is on localhost) you can tell glibc to pass through any successful validation with a new option in /etc/resolv.conf:

options trust-ad

dns_ipv4_lookup Use: main Type: domain list Default: unset

When Exim is compiled with IPv6 support and disable_ipv6 is not set, it looks for IPv6 address records (AAAA records) as well as IPv4 address records (A records) when trying to find IP addresses for hosts, unless the host’s domain matches this list.

This is a fudge to help with name servers that give big delays or otherwise do not work for the AAAA record type. In due course, when the world’s name servers have all been upgraded, there should be no need for this option. Note that all lookups, including those done for verification, are affected; this will result in verify failure for IPv6 connections or ones using names only valid for IPv6 addresses.

dns_retrans Use: main Type: time Default: 0s

The options dns_retrans and dns_retry can be used to set the retransmission and retry parameters for DNS lookups. Values of zero (the defaults) leave the system default settings unchanged. The first value is the time between retries, and the second is the number of retries. It isn’t totally clear exactly how these settings affect the total time a DNS lookup may take. I haven’t found any documentation about timeouts on DNS lookups; these parameter values are available in the external resolver interface structure, but nowhere does it seem to describe how they are used or what you might want to set in them. See also the slow_lookup_log option.

dns_retry Use: main Type: integer Default: 0

See dns_retrans above.

dns_trust_aa Use: main Type: domain list Default: unset

If this option is set then lookup results marked with the AA bit (Authoritative Answer) are trusted the same way as if they were DNSSEC-verified. The authority section’s name of the answer must match with this expanded domain list.

Use this option only if you talk directly to a resolver that is authoritative for some zones and does not set the AD (Authentic Data) bit in the answer. Some DNS servers may have an configuration option to mark the answers from their own zones as verified (they set the AD bit). Others do not have this option. It is considered as poor practice using a resolver that is an authoritative server for some zones.

Use this option only if you really have to (e.g. if you want to use DANE for remote delivery to a server that is listed in the DNS zones that your resolver is authoritative for).

If the DNS answer packet has the AA bit set and contains resource record in the answer section, the name of the first NS record appearing in the authority section is compared against the list. If the answer packet is authoritative but the answer section is empty, the name of the first SOA record in the authoritative section is used instead.

dns_use_edns0 Use: main Type: integer Default: -1

If this option is set to a non-negative number then Exim will initialise the DNS resolver library to either use or not use EDNS0 extensions, overriding the system default. A value of 0 coerces EDNS0 off, a value of 1 coerces EDNS0 on.

If the resolver library does not support EDNS0 then this option has no effect.

OpenBSD’s asr resolver routines are known to ignore the EDNS0 option; this means that DNSSEC will not work with Exim on that platform either, unless Exim is linked against an alternative DNS client library.

drop_cr Use: main Type: boolean Default: false

This is an obsolete option that is now a no-op. It used to affect the way Exim handled CR and LF characters in incoming messages. What happens now is described in section 48.2.

dsn_advertise_hosts Use: main Type: host list Default: unset

DSN extensions (RFC3461) will be advertised in the EHLO message to, and accepted from, these hosts. Hosts may use the NOTIFY and ENVID options on RCPT TO commands, and RET and ORCPT options on MAIL FROM commands. A NOTIFY=SUCCESS option requests success-DSN messages. A NOTIFY= option with no argument requests that no delay or failure DSNs are sent.

Note: Supplying success-DSN messages has been criticised on privacy grounds; it can leak details of internal forwarding.

dsn_from Use: main Type: string Default: see below

This option can be used to vary the contents of From: header lines in bounces and other automatically generated messages (“Delivery Status Notifications” – hence the name of the option). The default setting is:

dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>

The value is expanded every time it is needed. If the expansion fails, a panic is logged, and the default value is used.

envelope_to_remove Use: main Type: boolean Default: true

Exim’s transports have an option for adding an Envelope-to: header to a message when it is delivered, in exactly the same way as Return-path: is handled. Envelope-to: records the original recipient address from the message’s envelope that caused the delivery to happen. Such headers should not be present in incoming messages, and this option causes them to be removed at the time the message is received, to avoid any problems that might occur when a delivered message is subsequently sent on to some other recipient.

errors_copy Use: main Type: string list Default: unset

Setting this option causes Exim to send bcc copies of bounce messages that it generates to other addresses. Note: This does not apply to bounce messages coming from elsewhere. The value of the option is a colon-separated list of items. Each item consists of a pattern, terminated by white space, followed by a comma-separated list of email addresses. If a pattern contains spaces, it must be enclosed in double quotes.

Each pattern is processed in the same way as a single item in an address list (see section 10.20). When a pattern matches the recipient of the bounce message, the message is copied to the addresses on the list. The items are scanned in order, and once a matching one is found, no further items are examined. For example:

errors_copy = spqr@mydomain   postmaster@mydomain.example :\
              rqps@mydomain   hostmaster@mydomain.example,\
                              postmaster@mydomain.example

The address list is expanded before use. The expansion variables $local_part and $domain are set from the original recipient of the error message, and if there was any wildcard matching in the pattern, the expansion variables $0, $1, etc. are set in the normal way.

errors_reply_to Use: main Type: string Default: unset

By default, Exim’s bounce and delivery warning messages contain the header line

From: Mail Delivery System <Mailer-Daemon@qualify-domain>

where qualify-domain is the value of the qualify_domain option. A warning message that is generated by the quota_warn_message option in an appendfile transport may contain its own From: header line that overrides the default.

Experience shows that people reply to bounce messages. If the errors_reply_to option is set, a Reply-To: header is added to bounce and warning messages. For example:

errors_reply_to = postmaster@my.domain.example

The value of the option is not expanded. It must specify a valid RFC 2822 address. However, if a warning message that is generated by the quota_warn_message option in an appendfile transport contain its own Reply-To: header line, the value of the errors_reply_to option is not used.

event_action Use: main Type: string Default: unset

This option declares a string to be expanded for Exim’s events mechanism. For details see chapter 61.

exim_group Use: main Type: string Default: compile-time configured

This option changes the gid under which Exim runs when it gives up root privilege. The default value is compiled into the binary. The value of this option is used only when exim_user is also set. Unless it consists entirely of digits, the string is looked up using getgrnam(), and failure causes a configuration error. See chapter 56 for a discussion of security issues.

exim_path Use: main Type: string Default: see below

This option specifies the path name of the Exim binary, which is used when Exim needs to re-exec itself. The default is set up to point to the file exim in the directory configured at compile time by the BIN_DIRECTORY setting. It is necessary to change exim_path if, exceptionally, Exim is run from some other place. Warning: Do not use a macro to define the value of this option, because you will break those Exim utilities that scan the configuration file to find where the binary is. (They then use the -bP option to extract option settings such as the value of spool_directory.)

exim_user Use: main Type: string Default: compile-time configured

This option changes the uid under which Exim runs when it gives up root privilege. The default value is compiled into the binary. Ownership of the run time configuration file and the use of the -C and -D command line options is checked against the values in the binary, not what is set here.

Unless it consists entirely of digits, the string is looked up using getpwnam(), and failure causes a configuration error. If exim_group is not also supplied, the gid is taken from the result of getpwnam() if it is used. See chapter 56 for a discussion of security issues.

exim_version Use: main Type: string Default: current version

This option overrides the $version_number/$exim_version that Exim reports in various places. Use with care; this may fool stupid security scanners.

extra_local_interfaces Use: main Type: string list Default: unset

This option defines network interfaces that are to be considered local when routing, but which are not used for listening by the daemon. See section 13.8 for details.

extract_addresses_remove_arguments Use: main Type: boolean Default: true

According to some Sendmail documentation (Sun, IRIX, HP-UX), if any addresses are present on the command line when the -t option is used to build an envelope from a message’s To:, Cc: and Bcc: headers, the command line addresses are removed from the recipients list. This is also how Smail behaves. However, other Sendmail documentation (the O’Reilly book) states that command line addresses are added to those obtained from the header lines. When extract_addresses_remove_arguments is true (the default), Exim subtracts argument headers. If it is set false, Exim adds rather than removes argument addresses.

finduser_retries Use: main Type: integer Default: 0

On systems running NIS or other schemes in which user and group information is distributed from a remote system, there can be times when getpwnam() and related functions fail, even when given valid data, because things time out. Unfortunately these failures cannot be distinguished from genuine “not found” errors. If finduser_retries is set greater than zero, Exim will try that many extra times to find a user or a group, waiting for one second between retries.

You should not set this option greater than zero if your user information is in a traditional /etc/passwd file, because it will cause Exim needlessly to search the file multiple times for non-existent users, and also cause delay.

freeze_tell Use: main Type: string list, comma separated Default: unset

On encountering certain errors, or when configured to do so in a system filter, ACL, or special router, Exim freezes a message. This means that no further delivery attempts take place until an administrator thaws the message, or the auto_thaw, ignore_bounce_errors_after, or timeout_frozen_after feature cause it to be processed. If freeze_tell is set, Exim generates a warning message whenever it freezes something, unless the message it is freezing is a locally-generated bounce message. (Without this exception there is the possibility of looping.) The warning message is sent to the addresses supplied as the comma-separated value of this option. If several of the message’s addresses cause freezing, only a single message is sent. If the freezing was automatic, the reason(s) for freezing can be found in the message log. If you configure freezing in a filter or ACL, you must arrange for any logging that you require.

gecos_name Use: main Type: string Default: unset

Some operating systems, notably HP-UX, use the “gecos” field in the system password file to hold other information in addition to users’ real names. Exim looks up this field for use when it is creating Sender: or From: headers. If either gecos_pattern or gecos_name are unset, the contents of the field are used unchanged, except that, if an ampersand is encountered, it is replaced by the user’s login name with the first character forced to upper case, since this is a convention that is observed on many systems.

When these options are set, gecos_pattern is treated as a regular expression that is to be applied to the field (again with & replaced by the login name), and if it matches, gecos_name is expanded and used as the user’s name.

Numeric variables such as $1, $2, etc. can be used in the expansion to pick up sub-fields that were matched by the pattern. In HP-UX, where the user’s name terminates at the first comma, the following can be used:

gecos_pattern = ([^,]*)
gecos_name = $1

gecos_pattern Use: main Type: string Default: unset

See gecos_name above.

gnutls_compat_mode Use: main Type: boolean Default: unset

This option controls whether GnuTLS is used in compatibility mode in an Exim server. This reduces security slightly, but improves interworking with older implementations of TLS.

gnutls_allow_auto_pkcs11 Use: main Type: boolean Default: unset

This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with the p11-kit configuration files in /etc/pkcs11/modules/.

See https://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs for documentation.

headers_charset Use: main Type: string Default: see below

This option sets a default character set for translating from encoded MIME “words” in header lines, when referenced by an $h_xxx expansion item. The default is the value of HEADERS_CHARSET in Local/Makefile. The ultimate default is ISO-8859-1. For more details see the description of header insertions in section 11.5.

header_maxsize Use: main Type: integer Default: see below

This option controls the overall maximum size of a message’s header section. The default is the value of HEADER_MAXSIZE in Local/Makefile; the default for that is 1M. Messages with larger header sections are rejected.

header_line_maxsize Use: main Type: integer Default: 0

This option limits the length of any individual header line in a message, after all the continuations have been joined together. Messages with individual header lines that are longer than the limit are rejected. The default value of zero means “no limit”.

helo_accept_junk_hosts Use: main Type: host list Default: unset

Exim checks the syntax of HELO and EHLO commands for incoming SMTP mail, and gives an error response for invalid data. Unfortunately, there are some SMTP clients that send syntactic junk. They can be accommodated by setting this option. Note that this is a syntax check only. See helo_verify_hosts if you want to do semantic checking. See also helo_allow_chars for a way of extending the permitted character set.

helo_allow_chars Use: main Type: string Default: unset

This option can be set to a string of rogue characters that are permitted in all EHLO and HELO names in addition to the standard letters, digits, hyphens, and dots. If you really must allow underscores, you can set

helo_allow_chars = _

Note that the value is one string, not a list.

helo_lookup_domains Use: main Type: domain list Default: @:@[]

If the domain given by a client in a HELO or EHLO command matches this list, a reverse lookup is done in order to establish the host’s true name. The default forces a lookup if the client host gives the server’s name or any of its IP addresses (in brackets), something that broken clients have been seen to do.

helo_try_verify_hosts Use: main Type: host list Default: unset

By default, Exim just checks the syntax of HELO and EHLO commands (see helo_accept_junk_hosts and helo_allow_chars). However, some sites like to do more extensive checking of the data supplied by these commands. The ACL condition verify = helo is provided to make this possible. Formerly, it was necessary also to set this option (helo_try_verify_hosts) to force the check to occur. From release 4.53 onwards, this is no longer necessary. If the check has not been done before verify = helo is encountered, it is done at that time. Consequently, this option is obsolete. Its specification is retained here for backwards compatibility.

When an EHLO or HELO command is received, if the calling host matches helo_try_verify_hosts, Exim checks that the host name given in the HELO or EHLO command either:

  • is an IP literal matching the calling address of the host, or

  • matches the host name that Exim obtains by doing a reverse lookup of the calling host address, or

  • when looked up in DNS yields the calling host address.

However, the EHLO or HELO command is not rejected if any of the checks fail. Processing continues, but the result of the check is remembered, and can be detected later in an ACL by the verify = helo condition.

If DNS was used for successful verification, the variable $helo_verify_dnssec records the DNSSEC status of the lookups.

helo_verify_hosts Use: main Type: host list Default: unset

Like helo_try_verify_hosts, this option is obsolete, and retained only for backwards compatibility. For hosts that match this option, Exim checks the host name given in the HELO or EHLO in the same way as for helo_try_verify_hosts. If the check fails, the HELO or EHLO command is rejected with a 550 error, and entries are written to the main and reject logs. If a MAIL command is received before EHLO or HELO, it is rejected with a 503 error.

hold_domains Use: main Type: domain list Default: unset

This option allows mail for particular domains to be held in the queue manually. The option is overridden if a message delivery is forced with the -M, -qf, -Rf or -Sf options, and also while testing or verifying addresses using -bt or -bv. Otherwise, if a domain matches an item in hold_domains, no routing or delivery for that address is done, and it is deferred every time the message is looked at.

This option is intended as a temporary operational measure for delaying the delivery of mail while some problem is being sorted out, or some new configuration tested. If you just want to delay the processing of some domains until a queue run occurs, you should use queue_domains or queue_smtp_domains, not hold_domains.

A setting of hold_domains does not override Exim’s code for removing messages from the queue if they have been there longer than the longest retry time in any retry rule. If you want to hold messages for longer than the normal retry times, insert a dummy retry rule with a long retry time.

host_lookup Use: main Type: host list Default: unset

Exim does not look up the name of a calling host from its IP address unless it is required to compare against some host list, or the host matches helo_try_verify_hosts or helo_verify_hosts, or the host matches this option (which normally contains IP addresses rather than host names). The default configuration file contains

host_lookup = *

which causes a lookup to happen for all hosts. If the expense of these lookups is felt to be too great, the setting can be changed or removed.

After a successful reverse lookup, Exim does a forward lookup on the name it has obtained, to verify that it yields the IP address that it started with. If this check fails, Exim behaves as if the name lookup failed.

After any kind of failure, the host name (in $sender_host_name) remains unset, and $host_lookup_failed is set to the string “1”. See also dns_again_means_nonexist, helo_lookup_domains, and verify = reverse_host_lookup in ACLs.

host_lookup_order Use: main Type: string list Default: bydns:byaddr

This option specifies the order of different lookup methods when Exim is trying to find a host name from an IP address. The default is to do a DNS lookup first, and then to try a local lookup (using gethostbyaddr() or equivalent) if that fails. You can change the order of these lookups, or omit one entirely, if you want.

Warning: The “byaddr” method does not always yield aliases when there are multiple PTR records in the DNS and the IP address is not listed in /etc/hosts. Different operating systems give different results in this case. That is why the default tries a DNS lookup first.

host_reject_connection Use: main Type: host list Default: unset

If this option is set, incoming SMTP calls from the hosts listed are rejected as soon as the connection is made. This option is obsolete, and retained only for backward compatibility, because nowadays the ACL specified by acl_smtp_connect can also reject incoming connections immediately.

The ability to give an immediate rejection (either by this option or using an ACL) is provided for use in unusual cases. Many hosts will just try again, sometimes without much delay. Normally, it is better to use an ACL to reject incoming messages at a later stage, such as after RCPT commands. See chapter 44.

hosts_connection_nolog Use: main Type: host list Default: unset

This option defines a list of hosts for which connection logging does not happen, even though the smtp_connection log selector is set. For example, you might want not to log SMTP connections from local processes, or from 127.0.0.1, or from your local LAN. This option is consulted in the main loop of the daemon; you should therefore strive to restrict its value to a short inline list of IP addresses and networks. To disable logging SMTP connections from local processes, you must create a host list with an empty item. For example:

hosts_connection_nolog = :

If the smtp_connection log selector is not set, this option has no effect.

hosts_proxy Use: main Type: host list Default: unset

This option enables use of Proxy Protocol proxies for incoming connections. For details see section 59.1.

hosts_treat_as_local Use: main Type: domain list Default: unset

If this option is set, any host names that match the domain list are treated as if they were the local host when Exim is scanning host lists obtained from MX records or other sources. Note that the value of this option is a domain list, not a host list, because it is always used to check host names, not IP addresses.

This option also applies when Exim is matching the special items @mx_any, @mx_primary, and @mx_secondary in a domain list (see section 10.9), and when checking the hosts option in the smtp transport for the local host (see the allow_localhost option in that transport). See also local_interfaces, extra_local_interfaces, and chapter 13, which contains a discussion about local network interfaces and recognizing the local host.

ibase_servers Use: main Type: string list Default: unset

This option provides a list of InterBase servers and associated connection data, to be used in conjunction with ibase lookups (see section 9.22). The option is available only if Exim has been built with InterBase support.

ignore_bounce_errors_after Use: main Type: time Default: 10w

This option affects the processing of bounce messages that cannot be delivered, that is, those that suffer a permanent delivery failure. (Bounce messages that suffer temporary delivery failures are of course retried in the usual way.)

After a permanent delivery failure, bounce messages are frozen, because there is no sender to whom they can be returned. When a frozen bounce message has been in the queue for more than the given time, it is unfrozen at the next queue run, and a further delivery is attempted. If delivery fails again, the bounce message is discarded. This makes it possible to keep failed bounce messages around for a shorter time than the normal maximum retry time for frozen messages. For example,

ignore_bounce_errors_after = 12h

retries failed bounce message deliveries after 12 hours, discarding any further failures. If the value of this option is set to a zero time period, bounce failures are discarded immediately. Setting a very long time (as in the default value) has the effect of disabling this option. For ways of automatically dealing with other kinds of frozen message, see auto_thaw and timeout_frozen_after.

ignore_fromline_hosts Use: main Type: host list Default: unset

Some broken SMTP clients insist on sending a UUCP-like “From ” line before the headers of a message. By default this is treated as the start of the message’s body, which means that any following headers are not recognized as such. Exim can be made to ignore it by setting ignore_fromline_hosts to match those hosts that insist on sending it. If the sender is actually a local process rather than a remote host, and is using -bs to inject the messages, ignore_fromline_local must be set to achieve this effect.

ignore_fromline_local Use: main Type: boolean Default: false

See ignore_fromline_hosts above.

keep_environment Use: main Type: string list Default: unset

This option contains a string list of environment variables to keep. You have to trust these variables or you have to be sure that these variables do not impose any security risk. Keep in mind that during the startup phase Exim is running with an effective UID 0 in most installations. As the default value is an empty list, the default environment for using libraries, running embedded Perl code, or running external binaries is empty, and does not not even contain PATH or HOME.

Actually the list is interpreted as a list of patterns (10.1), except that it is not expanded first.

WARNING: Macro substitution is still done first, so having a macro FOO and having FOO_HOME in your keep_environment option may have unexpected results. You may work around this using a regular expression that does not match the macro name: ^[F]OO_HOME$.

Current versions of Exim issue a warning during startup if you do not mention keep_environment in your runtime configuration file and if your current environment is not empty. Future versions may not issue that warning anymore.

See the add_environment main config option for a way to set environment variables to a fixed value. The environment for pipe transports is handled separately, see section 29.4 for details.

keep_malformed Use: main Type: time Default: 4d

This option specifies the length of time to keep messages whose spool files have been corrupted in some way. This should, of course, never happen. At the next attempt to deliver such a message, it gets removed. The incident is logged.

ldap_ca_cert_dir Use: main Type: string Default: unset

This option indicates which directory contains CA certificates for verifying a TLS certificate presented by an LDAP server. While Exim does not provide a default value, your SSL library may. Analogous to tls_verify_certificates but as a client-side option for LDAP and constrained to be a directory.

ldap_ca_cert_file Use: main Type: string Default: unset

This option indicates which file contains CA certificates for verifying a TLS certificate presented by an LDAP server. While Exim does not provide a default value, your SSL library may. Analogous to tls_verify_certificates but as a client-side option for LDAP and constrained to be a file.

ldap_cert_file Use: main Type: string Default: unset

This option indicates which file contains an TLS client certificate which Exim should present to the LDAP server during TLS negotiation. Should be used together with ldap_cert_key.

ldap_cert_key Use: main Type: string Default: unset

This option indicates which file contains the secret/private key to use to prove identity to the LDAP server during TLS negotiation. Should be used together with ldap_cert_file, which contains the identity to be proven.

ldap_cipher_suite Use: main Type: string Default: unset

This controls the TLS cipher-suite negotiation during TLS negotiation with the LDAP server. See 43.4 for more details of the format of cipher-suite options with OpenSSL (as used by LDAP client libraries).

ldap_default_servers Use: main Type: string list Default: unset

This option provides a list of LDAP servers which are tried in turn when an LDAP query does not contain a server. See section 9.15 for details of LDAP queries. This option is available only when Exim has been built with LDAP support.

ldap_require_cert Use: main Type: string Default: unset.

This should be one of the values "hard", "demand", "allow", "try" or "never". A value other than one of these is interpreted as "never". See the entry "TLS_REQCERT" in your system man page for ldap.conf(5). Although Exim does not set a default, the LDAP library probably defaults to hard/demand.

ldap_start_tls Use: main Type: boolean Default: false

If set, Exim will attempt to negotiate TLS with the LDAP server when connecting on a regular LDAP port. This is the LDAP equivalent of SMTP’s "STARTTLS". This is distinct from using "ldaps", which is the LDAP form of SSL-on-connect. In the event of failure to negotiate TLS, the action taken is controlled by ldap_require_cert. This option is ignored for ldapi connections.

ldap_version Use: main Type: integer Default: unset

This option can be used to force Exim to set a specific protocol version for LDAP. If it option is unset, it is shown by the -bP command line option as -1. When this is the case, the default is 3 if LDAP_VERSION3 is defined in the LDAP headers; otherwise it is 2. This option is available only when Exim has been built with LDAP support.

local_from_check Use: main Type: boolean Default: true

When a message is submitted locally (that is, not over a TCP/IP connection) by an untrusted user, Exim removes any existing Sender: header line, and checks that the From: header line matches the login of the calling user and the domain specified by qualify_domain.

Note: An unqualified address (no domain) in the From: header in a locally submitted message is automatically qualified by Exim, unless the -bnq command line option is used.

You can use local_from_prefix and local_from_suffix to permit affixes on the local part. If the From: header line does not match, Exim adds a Sender: header with an address constructed from the calling user’s login and the default qualify domain.

If local_from_check is set false, the From: header check is disabled, and no Sender: header is ever added. If, in addition, you want to retain Sender: header lines supplied by untrusted users, you must also set local_sender_retain to be true.

These options affect only the header lines in the message. The envelope sender is still forced to be the login id at the qualify domain unless untrusted_set_sender permits the user to supply an envelope sender.

For messages received over TCP/IP, an ACL can specify “submission mode” to request similar header line checking. See section 48.16, which has more details about Sender: processing.

local_from_prefix Use: main Type: string Default: unset

When Exim checks the From: header line of locally submitted messages for matching the login id (see local_from_check above), it can be configured to ignore certain prefixes and suffixes in the local part of the address. This is done by setting local_from_prefix and/or local_from_suffix to appropriate lists, in the same form as the local_part_prefix and local_part_suffix router options (see chapter 15). For example, if

local_from_prefix = *-

is set, a From: line containing

From: anything-user@your.domain.example

will not cause a Sender: header to be added if user@your.domain.example matches the actual sender address that is constructed from the login name and qualify domain.

local_from_suffix Use: main Type: string Default: unset

See local_from_prefix above.

local_interfaces Use: main Type: string list Default: see below

This option controls which network interfaces are used by the daemon for listening; they are also used to identify the local host when routing. Chapter 13 contains a full description of this option and the related options daemon_smtp_ports, extra_local_interfaces, hosts_treat_as_local, and tls_on_connect_ports. The default value for local_interfaces is

local_interfaces = 0.0.0.0

when Exim is built without IPv6 support; otherwise it is

local_interfaces = <; ::0 ; 0.0.0.0

local_scan_timeout Use: main Type: time Default: 5m

This timeout applies to the local_scan() function (see chapter 46). Zero means “no timeout”. If the timeout is exceeded, the incoming message is rejected with a temporary error if it is an SMTP message. For a non-SMTP message, the message is dropped and Exim ends with a non-zero code. The incident is logged on the main and reject logs.

local_sender_retain Use: main Type: boolean Default: false

When a message is submitted locally (that is, not over a TCP/IP connection) by an untrusted user, Exim removes any existing Sender: header line. If you do not want this to happen, you must set local_sender_retain, and you must also set local_from_check to be false (Exim will complain if you do not). See also the ACL modifier control = suppress_local_fixups. Section 48.16 has more details about Sender: processing.

localhost_number Use: main Type: string Default: unset

Exim’s message ids are normally unique only within the local host. If uniqueness among a set of hosts is required, each host must set a different value for the localhost_number option. The string is expanded immediately after reading the configuration file (so that a number can be computed from the host name, for example) and the result of the expansion must be a number in the range 0–16 (or 0–10 on operating systems with case-insensitive file systems). This is available in subsequent string expansions via the variable $localhost_number. When localhost_number is set, the final two characters of the message id, instead of just being a fractional part of the time, are computed from the time and the local host number as described in section 3.4.

log_file_path Use: main Type: string list Default: set at compile time

This option sets the path which is used to determine the names of Exim’s log files, or indicates that logging is to be to syslog, or both. It is expanded when Exim is entered, so it can, for example, contain a reference to the host name. If no specific path is set for the log files at compile or runtime, or if the option is unset at runtime (i.e. log_file_path = ) they are written in a sub-directory called log in Exim’s spool directory. A path must start with a slash. To send to syslog, use the word “syslog”. Chapter 53 contains further details about Exim’s logging, and section 53.1 describes how the contents of log_file_path are used. If this string is fixed at your installation (contains no expansion variables) it is recommended that you do not set this option in the configuration file, but instead supply the path using LOG_FILE_PATH in Local/Makefile so that it is available to Exim for logging errors detected early on – in particular, failure to read the configuration file.

log_selector Use: main Type: string Default: unset

This option can be used to reduce or increase the number of things that Exim writes to its log files. Its argument is made up of names preceded by plus or minus characters. For example:

log_selector = +arguments -retry_defer

A list of possible names and what they control is given in the chapter on logging, in section 53.15.

log_timezone Use: main Type: boolean Default: false

By default, the timestamps on log lines are in local time without the timezone. This means that if your timezone changes twice a year, the timestamps in log lines are ambiguous for an hour when the clocks go back. One way of avoiding this problem is to set the timezone to UTC. An alternative is to set log_timezone true. This turns on the addition of the timezone offset to timestamps in log lines. Turning on this option can add quite a lot to the size of log files because each line is extended by 6 characters. Note that the $tod_log variable contains the log timestamp without the zone, but there is another variable called $tod_zone that contains just the timezone offset.

lookup_open_max Use: main Type: integer Default: 25

This option limits the number of simultaneously open files for single-key lookups that use regular files (that is, lsearch, dbm, and cdb). Exim normally keeps these files open during routing, because often the same file is required several times. If the limit is reached, Exim closes the least recently used file. Note that if you are using the ndbm library, it actually opens two files for each logical DBM database, though it still counts as one for the purposes of lookup_open_max. If you are getting “too many open files” errors with NDBM, you need to reduce the value of lookup_open_max.

max_username_length Use: main Type: integer Default: 0

Some operating systems are broken in that they truncate long arguments to getpwnam() to eight characters, instead of returning “no such user”. If this option is set greater than zero, any attempt to call getpwnam() with an argument that is longer behaves as if getpwnam() failed.

message_body_newlines Use: main Type: bool Default: false

By default, newlines in the message body are replaced by spaces when setting the $message_body and $message_body_end expansion variables. If this option is set true, this no longer happens.

message_body_visible Use: main Type: integer Default: 500

This option specifies how much of a message’s body is to be included in the $message_body and $message_body_end expansion variables.

message_id_header_domain Use: main Type: string Default: unset

If this option is set, the string is expanded and used as the right hand side (domain) of the Message-ID: header that Exim creates if a locally-originated incoming message does not have one. “Locally-originated” means “not received over TCP/IP.” Otherwise, the primary host name is used. Only letters, digits, dot and hyphen are accepted; any other characters are replaced by hyphens. If the expansion is forced to fail, or if the result is an empty string, the option is ignored.

message_id_header_text Use: main Type: string Default: unset

If this variable is set, the string is expanded and used to augment the text of the Message-id: header that Exim creates if a locally-originated incoming message does not have one. The text of this header is required by RFC 2822 to take the form of an address. By default, Exim uses its internal message id as the local part, and the primary host name as the domain. If this option is set, it is expanded, and provided the expansion is not forced to fail, and does not yield an empty string, the result is inserted into the header immediately before the @, separated from the internal message id by a dot. Any characters that are illegal in an address are automatically converted into hyphens. This means that variables such as $tod_log can be used, because the spaces and colons will become hyphens.

message_logs Use: main Type: boolean Default: true

If this option is turned off, per-message log files are not created in the msglog spool sub-directory. This reduces the amount of disk I/O required by Exim, by reducing the number of files involved in handling a message from a minimum of four (header spool file, body spool file, delivery journal, and per-message log) to three. The other major I/O activity is Exim’s main log, which is not affected by this option.

message_size_limit Use: main Type: string Default: 50M

This option limits the maximum size of message that Exim will process. The value is expanded for each incoming connection so, for example, it can be made to depend on the IP address of the remote host for messages arriving via TCP/IP. After expansion, the value must be a sequence of decimal digits, optionally followed by K or M.

If nonzero the value will be advertised as a parameter to the ESMTP SIZE service extension keyword.

Note: This limit cannot be made to depend on a message’s sender or any other properties of an individual message, because it has to be advertised in the server’s response to EHLO. String expansion failure causes a temporary error. A value of zero means no limit, but its use is not recommended. See also bounce_return_size_limit.

Incoming SMTP messages are failed with a 552 error if the limit is exceeded; locally-generated messages either get a stderr message or a delivery failure message to the sender, depending on the -oe setting. Rejection of an oversized message is logged in both the main and the reject logs. See also the generic transport option message_size_limit, which limits the size of message that an individual transport can process.

If you use a virus-scanner and set this option to to a value larger than the maximum size that your virus-scanner is configured to support, you may get failures triggered by large mails. The right size to configure for the virus-scanner depends upon what data is passed and the options in use but it’s probably safest to just set it to a little larger than this value. E.g., with a default Exim message size of 50M and a default ClamAV StreamMaxLength of 10M, some problems may result.

A value of 0 will disable size limit checking; Exim will still advertise the SIZE extension in an EHLO response, but without a limit, so as to permit SMTP clients to still indicate the message size along with the MAIL verb.

move_frozen_messages Use: main Type: boolean Default: false

This option, which is available only if Exim has been built with the setting

SUPPORT_MOVE_FROZEN_MESSAGES=yes

in Local/Makefile, causes frozen messages and their message logs to be moved from the input and msglog directories on the spool to Finput and Fmsglog, respectively. There is currently no support in Exim or the standard utilities for handling such moved messages, and they do not show up in lists generated by -bp or by the Exim monitor.

mua_wrapper Use: main Type: boolean Default: false

Setting this option true causes Exim to run in a very restrictive mode in which it passes messages synchronously to a smart host. Chapter 52 contains a full description of this facility.

mysql_servers Use: main Type: string list Default: unset

This option provides a list of MySQL servers and associated connection data, to be used in conjunction with mysql lookups (see section 9.22). The option is available only if Exim has been built with MySQL support.

never_users Use: main Type: string list Default: unset

This option is expanded just once, at the start of Exim’s processing. Local message deliveries are normally run in processes that are setuid to the recipient, and remote deliveries are normally run under Exim’s own uid and gid. It is usually desirable to prevent any deliveries from running as root, as a safety precaution.

When Exim is built, an option called FIXED_NEVER_USERS can be set to a list of users that must not be used for local deliveries. This list is fixed in the binary and cannot be overridden by the configuration file. By default, it contains just the single user name “root”. The never_users runtime option can be used to add more users to the fixed list.

If a message is to be delivered as one of the users on the fixed list or the never_users list, an error occurs, and delivery is deferred. A common example is

never_users = root:daemon:bin

Including root is redundant if it is also on the fixed list, but it does no harm. This option overrides the pipe_as_creator option of the pipe transport driver.

notifier_socket Use: main Type: string Default: $spool_directory/exim_daemon_notify

This option gives the name for a unix-domain socket on which the daemon listens for work and information-requests. Only installations running multiple daemons sharing a spool directory should need to modify the default.

The option is expanded before use. If the platform supports Linux-style abstract socket names, the result is used with a nul byte prefixed. Otherwise, it should be a full path name and use a directory accessible to Exim.

If the Exim command line uses a -oX option and does not use -oP then a notifier socket is not created.

openssl_options Use: main Type: string list Default: +no_sslv2 +no_sslv3 +single_dh_use +no_ticket +no_renegotiation

This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items, each one to be +added or -subtracted from the current value.

This option is only available if Exim is built against OpenSSL. The values available for this option vary according to the age of your OpenSSL install. The “all” value controls a subset of flags which are available, typically the bug workaround options. The SSL_CTX_set_options man page will list the values known on your system and Exim should support all the “bug workaround” options and many of the “modifying” options. The Exim names lose the leading “SSL_OP_” and are lower-cased.

Note that adjusting the options can have severe impact upon the security of SSL as used by Exim. It is possible to disable safety checks and shoot yourself in the foot in various unpleasant ways. This option should not be adjusted lightly. An unrecognised item will be detected at startup, by invoking Exim with the -bV flag.

The option affects Exim operating both as a server and as a client.

Historical note: prior to release 4.80, Exim defaulted this value to "+dont_insert_empty_fragments", which may still be needed for compatibility with some clients, but which lowers security by increasing exposure to some now infamous attacks.

Examples:

# Make both old MS and old Eudora happy:
openssl_options = -all +microsoft_big_sslv3_buffer \
                       +dont_insert_empty_fragments

# Disable older protocol versions:
openssl_options = +no_sslv2 +no_sslv3

Possible options may include:

  • all

  • allow_unsafe_legacy_renegotiation

  • cipher_server_preference

  • dont_insert_empty_fragments

  • ephemeral_rsa

  • legacy_server_connect

  • microsoft_big_sslv3_buffer

  • microsoft_sess_id_bug

  • msie_sslv2_rsa_padding

  • netscape_challenge_bug

  • netscape_reuse_cipher_change_bug

  • no_compression

  • no_session_resumption_on_renegotiation

  • no_sslv2

  • no_sslv3

  • no_ticket

  • no_tlsv1

  • no_tlsv1_1

  • no_tlsv1_2

  • safari_ecdhe_ecdsa_bug

  • single_dh_use

  • single_ecdh_use

  • ssleay_080_client_dh_bug

  • sslref2_reuse_cert_type_bug

  • tls_block_padding_bug

  • tls_d5_bug

  • tls_rollback_bug

As an aside, the safari_ecdhe_ecdsa_bug item is a misnomer and affects all clients connecting using the MacOS SecureTransport TLS facility prior to MacOS 10.8.4, including email clients. If you see old MacOS clients failing to negotiate TLS then this option value might help, provided that your OpenSSL release is new enough to contain this work-around. This may be a situation where you have to upgrade OpenSSL to get buggy clients working.

oracle_servers Use: main Type: string list Default: unset

This option provides a list of Oracle servers and associated connection data, to be used in conjunction with oracle lookups (see section 9.22). The option is available only if Exim has been built with Oracle support.

percent_hack_domains Use: main Type: domain list Default: unset

The “percent hack” is the convention whereby a local part containing a percent sign is re-interpreted as a new email address, with the percent replaced by @. This is sometimes called “source routing”, though that term is also applied to RFC 2822 addresses that begin with an @ character. If this option is set, Exim implements the percent facility for those domains listed, but no others. This happens before an incoming SMTP address is tested against an ACL.

Warning: The “percent hack” has often been abused by people who are trying to get round relaying restrictions. For this reason, it is best avoided if at all possible. Unfortunately, a number of less security-conscious MTAs implement it unconditionally. If you are running Exim on a gateway host, and routing mail through to internal MTAs without processing the local parts, it is a good idea to reject recipient addresses with percent characters in their local parts. Exim’s default configuration does this.

perl_at_start Use: main Type: boolean Default: false

This option is available only when Exim is built with an embedded Perl interpreter. See chapter 12 for details of its use.

perl_startup Use: main Type: string Default: unset

This option is available only when Exim is built with an embedded Perl interpreter. See chapter 12 for details of its use.

perl_taintmode Use: main Type: boolean Default: false

This option enables the taint mode of the embedded Perl interpreter.

pgsql_servers Use: main Type: string list Default: unset

This option provides a list of PostgreSQL servers and associated connection data, to be used in conjunction with pgsql lookups (see section 9.22). The option is available only if Exim has been built with PostgreSQL support.

pid_file_path Use: main Type: string Default: set at compile time

This option sets the name of the file to which the Exim daemon writes its process id. The string is expanded, so it can contain, for example, references to the host name:

pid_file_path = /var/log/$primary_hostname/exim.pid

If no path is set, the pid is written to the file exim-daemon.pid in Exim’s spool directory. The value set by the option can be overridden by the -oP command line option. A pid file is not written if a “non-standard” daemon is run by means of the -oX option, unless a path is explicitly supplied by -oP.

pipelining_advertise_hosts Use: main Type: host list Default: *

This option can be used to suppress the advertisement of the SMTP PIPELINING extension to specific hosts. See also the no_pipelining control in section 44.22. When PIPELINING is not advertised and smtp_enforce_sync is true, an Exim server enforces strict synchronization for each SMTP command and response. When PIPELINING is advertised, Exim assumes that clients will use it; “out of order” commands that are “expected” do not count as protocol errors (see smtp_max_synprot_errors).

pipelining_connect_advertise_hosts Use: main Type: host list Default: *

If Exim is built with the SUPPORT_PIPE_CONNECT build option this option controls which hosts the facility is advertised to and from which pipeline early-connection (before MAIL) SMTP commands are acceptable. When used, the pipelining saves on roundtrip times.

See also the hosts_pipe_connect smtp transport option.

Currently the option name “X_PIPE_CONNECT” is used.

prdr_enable Use: main Type: boolean Default: false

This option can be used to enable the Per-Recipient Data Response extension to SMTP, defined by Eric Hall. If the option is set, PRDR is advertised by Exim when operating as a server. If the client requests PRDR, and more than one recipient, for a message an additional ACL is called for each recipient after the message content is received. See section 44.9.

preserve_message_logs Use: main Type: boolean Default: false

If this option is set, message log files are not deleted when messages are completed. Instead, they are moved to a sub-directory of the spool directory called msglog.OLD, where they remain available for statistical or debugging purposes. This is a dangerous option to set on systems with any appreciable volume of mail. Use with care!

primary_hostname Use: main Type: string Default: see below

This specifies the name of the current host. It is used in the default EHLO or HELO command for outgoing SMTP messages (changeable via the helo_data option in the smtp transport), and as the default for qualify_domain. The value is also used by default in some SMTP response messages from an Exim server. This can be changed dynamically by setting smtp_active_hostname.

If primary_hostname is not set, Exim calls uname() to find the host name. If this fails, Exim panics and dies. If the name returned by uname() contains only one component, Exim passes it to gethostbyname() (or getipnodebyname() when available) in order to obtain the fully qualified version. The variable $primary_hostname contains the host name, whether set explicitly by this option, or defaulted.

print_topbitchars Use: main Type: boolean Default: false

By default, Exim considers only those characters whose codes lie in the range 32–126 to be printing characters. In a number of circumstances (for example, when writing log entries) non-printing characters are converted into escape sequences, primarily to avoid messing up the layout. If print_topbitchars is set, code values of 128 and above are also considered to be printing characters.

This option also affects the header syntax checks performed by the autoreply transport, and whether Exim uses RFC 2047 encoding of the user’s full name when constructing From: and Sender: addresses (as described in section 48.18). Setting this option can cause Exim to generate eight bit message headers that do not conform to the standards.

process_log_path Use: main Type: string Default: unset

This option sets the name of the file to which an Exim process writes its “process log” when sent a USR1 signal. This is used by the exiwhat utility script. If this option is unset, the file called exim-process.info in Exim’s spool directory is used. The ability to specify the name explicitly can be useful in environments where two different Exims are running, using different spool directories.

prod_requires_admin Use: main Type: boolean Default: true

The -M, -R, and -q command-line options require the caller to be an admin user unless prod_requires_admin is set false. See also queue_list_requires_admin and commandline_checks_require_admin.

qualify_domain Use: main Type: string Default: see below

This option specifies the domain name that is added to any envelope sender addresses that do not have a domain qualification. It also applies to recipient addresses if qualify_recipient is not set. Unqualified addresses are accepted by default only for locally-generated messages. Qualification is also applied to addresses in header lines such as From: and To: for locally-generated messages, unless the -bnq command line option is used.

Messages from external sources must always contain fully qualified addresses, unless the sending host matches sender_unqualified_hosts or recipient_unqualified_hosts (as appropriate), in which case incoming addresses are qualified with qualify_domain or qualify_recipient as necessary. Internally, Exim always works with fully qualified envelope addresses. If qualify_domain is not set, it defaults to the primary_hostname value.

qualify_recipient Use: main Type: string Default: see below

This option allows you to specify a different domain for qualifying recipient addresses to the one that is used for senders. See qualify_domain above.

queue_domains Use: main Type: domain list Default: unset

This option lists domains for which immediate delivery is not required. A delivery process is started whenever a message is received, but only those domains that do not match are processed. All other deliveries wait until the next queue run. See also hold_domains and queue_smtp_domains.

queue_list_requires_admin Use: main Type: boolean Default: true

The -bp command-line option, which lists the messages that are on the queue, requires the caller to be an admin user unless queue_list_requires_admin is set false. See also prod_requires_admin and commandline_checks_require_admin.

queue_only Use: main Type: boolean Default: false

If queue_only is set, a delivery process is not automatically started whenever a message is received. Instead, the message waits in the queue for the next queue run. Even if queue_only is false, incoming messages may not get delivered immediately when certain conditions (such as heavy load) occur.

The -odq command line has the same effect as queue_only. The -odb and -odi command line options override queue_only unless queue_only_override is set false. See also queue_only_file, queue_only_load, and smtp_accept_queue.

queue_only_file Use: main Type: string Default: unset

This option can be set to a colon-separated list of absolute path names, each one optionally preceded by “smtp”. When Exim is receiving a message, it tests for the existence of each listed path using a call to stat(). For each path that exists, the corresponding queueing option is set. For paths with no prefix, queue_only is set; for paths prefixed by “smtp”, queue_smtp_domains is set to match all domains. So, for example,

queue_only_file = smtp/some/file

causes Exim to behave as if queue_smtp_domains were set to “*” whenever /some/file exists.

queue_only_load Use: main Type: fixed-point Default: unset

If the system load average is higher than this value, incoming messages from all sources are queued, and no automatic deliveries are started. If this happens during local or remote SMTP input, all subsequent messages received on the same SMTP connection are queued by default, whatever happens to the load in the meantime, but this can be changed by setting queue_only_load_latch false.

Deliveries will subsequently be performed by queue runner processes. This option has no effect on ancient operating systems on which Exim cannot determine the load average. See also deliver_queue_load_max and smtp_load_reserve.

queue_only_load_latch Use: main Type: boolean Default: true

When this option is true (the default), once one message has been queued because the load average is higher than the value set by queue_only_load, all subsequent messages received on the same SMTP connection are also queued. This is a deliberate choice; even though the load average may fall below the threshold, it doesn’t seem right to deliver later messages on the same connection when not delivering earlier ones. However, there are special circumstances such as very long-lived connections from scanning appliances where this is not the best strategy. In such cases, queue_only_load_latch should be set false. This causes the value of the load average to be re-evaluated for each message.

queue_only_override Use: main Type: boolean Default: true

When this option is true, the -odx command line options override the setting of queue_only or queue_only_file in the configuration file. If queue_only_override is set false, the -odx options cannot be used to override; they are accepted, but ignored.

queue_run_in_order Use: main Type: boolean Default: false

If this option is set, queue runs happen in order of message arrival instead of in an arbitrary order. For this to happen, a complete list of the entire queue must be set up before the deliveries start. When the queue is all held in a single directory (the default), a single list is created for both the ordered and the non-ordered cases. However, if split_spool_directory is set, a single list is not created when queue_run_in_order is false. In this case, the sub-directories are processed one at a time (in a random order), and this avoids setting up one huge list for the whole queue. Thus, setting queue_run_in_order with split_spool_directory may degrade performance when the queue is large, because of the extra work in setting up the single, large list. In most situations, queue_run_in_order should not be set.

queue_run_max Use: main Type: integer Default: 5

This controls the maximum number of queue runner processes that an Exim daemon can run simultaneously. This does not mean that it starts them all at once, but rather that if the maximum number are still running when the time comes to start another one, it refrains from starting another one. This can happen with very large queues and/or very sluggish deliveries. This option does not, however, interlock with other processes, so additional queue runners can be started by other means, or by killing and restarting the daemon.

Setting this option to zero does not suppress queue runs; rather, it disables the limit, allowing any number of simultaneous queue runner processes to be run. If you do not want queue runs to occur, omit the -qxx setting on the daemon’s command line.

To set limits for different named queues use an expansion depending on the $queue_name variable.

queue_smtp_domains Use: main Type: domain list Default: unset

When this option is set, a delivery process is started whenever a message is received, routing is performed, and local deliveries take place. However, if any SMTP deliveries are required for domains that match queue_smtp_domains, they are not immediately delivered, but instead the message waits in the queue for the next queue run. Since routing of the message has taken place, Exim knows to which remote hosts it must be delivered, and so when the queue run happens, multiple messages for the same host are delivered over a single SMTP connection. The -odqs command line option causes all SMTP deliveries to be queued in this way, and is equivalent to setting queue_smtp_domains to “*”. See also hold_domains and queue_domains.

receive_timeout Use: main Type: time Default: 0s

This option sets the timeout for accepting a non-SMTP message, that is, the maximum time that Exim waits when reading a message on the standard input. If the value is zero, it will wait forever. This setting is overridden by the -or command line option. The timeout for incoming SMTP messages is controlled by smtp_receive_timeout.

received_header_text Use: main Type: string Default: see below

This string defines the contents of the Received: message header that is added to each message, except for the timestamp, which is automatically added on at the end (preceded by a semicolon). The string is expanded each time it is used. If the expansion yields an empty string, no Received: header line is added to the message. Otherwise, the string should start with the text “Received:” and conform to the RFC 2822 specification for Received: header lines. The default setting is:

received_header_text = Received: \
  ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
    {${if def:sender_ident \
      {from ${quote_local_part:$sender_ident} }}\
        ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
  by $primary_hostname \
  ${if def:received_protocol {with $received_protocol }}\
  ${if def:tls_in_ver        { ($tls_in_ver)}}\
  ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\
  (Exim $version_number)\n\t\
  ${if def:sender_address \
  {(envelope-from <$sender_address>)\n\t}}\
  id $message_exim_id\
  ${if def:received_for {\n\tfor $received_for}}

The references to the TLS version and cipher are omitted when Exim is built without TLS support. The use of conditional expansions ensures that this works for both locally generated messages and messages received from remote hosts, giving header lines such as the following:

Received: from scrooge.carol.example ([192.168.12.25] ident=root)
by marley.carol.example with esmtp (Exim 4.00)
(envelope-from <bob@carol.example>)
id 16IOWa-00019l-00
for chas@dickens.example; Tue, 25 Dec 2001 14:43:44 +0000
Received: by scrooge.carol.example with local (Exim 4.00)
id 16IOWW-000083-00; Tue, 25 Dec 2001 14:43:41 +0000

Until the body of the message has been received, the timestamp is the time when the message started to be received. Once the body has arrived, and all policy checks have taken place, the timestamp is updated to the time at which the message was accepted.

received_headers_max Use: main Type: integer Default: 30

When a message is to be delivered, the number of Received: headers is counted, and if it is greater than this parameter, a mail loop is assumed to have occurred, the delivery is abandoned, and an error message is generated. This applies to both local and remote deliveries.

recipient_unqualified_hosts Use: main Type: host list Default: unset

This option lists those hosts from which Exim is prepared to accept unqualified recipient addresses in message envelopes. The addresses are made fully qualified by the addition of the qualify_recipient value. This option also affects message header lines. Exim does not reject unqualified recipient addresses in headers, but it qualifies them only if the message came from a host that matches recipient_unqualified_hosts, or if the message was submitted locally (not using TCP/IP), and the -bnq option was not set.

recipients_max Use: main Type: integer Default: 0

If this option is set greater than zero, it specifies the maximum number of original recipients for any message. Additional recipients that are generated by aliasing or forwarding do not count. SMTP messages get a 452 response for all recipients over the limit; earlier recipients are delivered as normal. Non-SMTP messages with too many recipients are failed, and no deliveries are done.

Note: The RFCs specify that an SMTP server should accept at least 100 RCPT commands in a single message.

recipients_max_reject Use: main Type: boolean Default: false

If this option is set true, Exim rejects SMTP messages containing too many recipients by giving 552 errors to the surplus RCPT commands, and a 554 error to the eventual DATA command. Otherwise (the default) it gives a 452 error to the surplus RCPT commands and accepts the message on behalf of the initial set of recipients. The remote server should then re-send the message for the remaining recipients at a later time.

remote_max_parallel Use: main Type: integer Default: 2

This option controls parallel delivery of one message to a number of remote hosts. If the value is less than 2, parallel delivery is disabled, and Exim does all the remote deliveries for a message one by one. Otherwise, if a single message has to be delivered to more than one remote host, or if several copies have to be sent to the same remote host, up to remote_max_parallel deliveries are done simultaneously. If more than remote_max_parallel deliveries are required, the maximum number of processes are started, and as each one finishes, another is begun. The order of starting processes is the same as if sequential delivery were being done, and can be controlled by the remote_sort_domains option. If parallel delivery takes place while running with debugging turned on, the debugging output from each delivery process is tagged with its process id.

This option controls only the maximum number of parallel deliveries for one message in one Exim delivery process. Because Exim has no central queue manager, there is no way of controlling the total number of simultaneous deliveries if the configuration allows a delivery attempt as soon as a message is received.

If you want to control the total number of deliveries on the system, you need to set the queue_only option. This ensures that all incoming messages are added to the queue without starting a delivery process. Then set up an Exim daemon to start queue runner processes at appropriate intervals (probably fairly often, for example, every minute), and limit the total number of queue runners by setting the queue_run_max parameter. Because each queue runner delivers only one message at a time, the maximum number of deliveries that can then take place at once is queue_run_max multiplied by remote_max_parallel.

If it is purely remote deliveries you want to control, use queue_smtp_domains instead of queue_only. This has the added benefit of doing the SMTP routing before queueing, so that several messages for the same host will eventually get delivered down the same connection.

remote_sort_domains Use: main Type: domain list Default: unset

When there are a number of remote deliveries for a message, they are sorted by domain into the order given by this list. For example,

remote_sort_domains = *.cam.ac.uk:*.uk

would attempt to deliver to all addresses in the cam.ac.uk domain first, then to those in the uk domain, then to any others.

retry_data_expire Use: main Type: time Default: 7d

This option sets a “use before” time on retry information in Exim’s hints database. Any older retry data is ignored. This means that, for example, once a host has not been tried for 7 days, Exim behaves as if it has no knowledge of past failures.

retry_interval_max Use: main Type: time Default: 24h

Chapter 32 describes Exim’s mechanisms for controlling the intervals between delivery attempts for messages that cannot be delivered straight away. This option sets an overall limit to the length of time between retries. It cannot be set greater than 24 hours; any attempt to do so forces the default value.

return_path_remove Use: main Type: boolean Default: true

RFC 2821, section 4.4, states that an SMTP server must insert a Return-path: header line into a message when it makes a “final delivery”. The Return-path: header preserves the sender address as received in the MAIL command. This description implies that this header should not be present in an incoming message. If return_path_remove is true, any existing Return-path: headers are removed from messages at the time they are received. Exim’s transports have options for adding Return-path: headers at the time of delivery. They are normally used only for final local deliveries.

return_size_limit Use: main Type: integer Default: 100K

This option is an obsolete synonym for bounce_return_size_limit.

rfc1413_hosts Use: main Type: host list Default: @[]

RFC 1413 identification calls are made to any client host which matches an item in the list. The default value specifies just this host, being any local interface for the system.

rfc1413_query_timeout Use: main Type: time Default: 0s

This sets the timeout on RFC 1413 identification calls. If it is set to zero, no RFC 1413 calls are ever made.

sender_unqualified_hosts Use: main Type: host list Default: unset

This option lists those hosts from which Exim is prepared to accept unqualified sender addresses. The addresses are made fully qualified by the addition of qualify_domain. This option also affects message header lines. Exim does not reject unqualified addresses in headers that contain sender addresses, but it qualifies them only if the message came from a host that matches sender_unqualified_hosts, or if the message was submitted locally (not using TCP/IP), and the -bnq option was not set.

slow_lookup_log Use: main Type: integer Default: 0

This option controls logging of slow lookups. If the value is nonzero it is taken as a number of milliseconds and lookups taking longer than this are logged. Currently this applies only to DNS lookups.

smtp_accept_keepalive Use: main Type: boolean Default: true

This option controls the setting of the SO_KEEPALIVE option on incoming TCP/IP socket connections. When set, it causes the kernel to probe idle connections periodically, by sending packets with “old” sequence numbers. The other end of the connection should send an acknowledgment if the connection is still okay or a reset if the connection has been aborted. The reason for doing this is that it has the beneficial effect of freeing up certain types of connection that can get stuck when the remote host is disconnected without tidying up the TCP/IP call properly. The keepalive mechanism takes several hours to detect unreachable hosts.

smtp_accept_max Use: main Type: integer Default: 20

This option specifies the maximum number of simultaneous incoming SMTP calls that Exim will accept. It applies only to the listening daemon; there is no control (in Exim) when incoming SMTP is being handled by inetd. If the value is set to zero, no limit is applied. However, it is required to be non-zero if either smtp_accept_max_per_host or smtp_accept_queue is set. See also smtp_accept_reserve and smtp_load_reserve.

A new SMTP connection is immediately rejected if the smtp_accept_max limit has been reached. If not, Exim first checks smtp_accept_max_per_host. If that limit has not been reached for the client host, smtp_accept_reserve and smtp_load_reserve are then checked before accepting the connection.

smtp_accept_max_nonmail Use: main Type: integer Default: 10

Exim counts the number of “non-mail” commands in an SMTP session, and drops the connection if there are too many. This option defines “too many”. The check catches some denial-of-service attacks, repeated failing AUTHs, or a mad client looping sending EHLO, for example. The check is applied only if the client host matches smtp_accept_max_nonmail_hosts.

When a new message is expected, one occurrence of RSET is not counted. This allows a client to send one RSET between messages (this is not necessary, but some clients do it). Exim also allows one uncounted occurrence of HELO or EHLO, and one occurrence of STARTTLS between messages. After starting up a TLS session, another EHLO is expected, and so it too is not counted. The first occurrence of AUTH in a connection, or immediately following STARTTLS is not counted. Otherwise, all commands other than MAIL, RCPT, DATA, and QUIT are counted.

smtp_accept_max_nonmail_hosts Use: main Type: host list Default: *

You can control which hosts are subject to the smtp_accept_max_nonmail check by setting this option. The default value makes it apply to all hosts. By changing the value, you can exclude any badly-behaved hosts that you have to live with.

smtp_accept_max_per_connection Use: main Type: integer Default: 1000

The value of this option limits the number of MAIL commands that Exim is prepared to accept over a single SMTP connection, whether or not each command results in the transfer of a message. After the limit is reached, a 421 response is given to subsequent MAIL commands. This limit is a safety precaution against a client that goes mad (incidents of this type have been seen).

smtp_accept_max_per_host Use: main Type: string Default: unset

This option restricts the number of simultaneous IP connections from a single host (strictly, from a single IP address) to the Exim daemon. The option is expanded, to enable different limits to be applied to different hosts by reference to $sender_host_address. Once the limit is reached, additional connection attempts from the same host are rejected with error code 421. This is entirely independent of smtp_accept_reserve. The option’s default value of zero imposes no limit. If this option is set greater than zero, it is required that smtp_accept_max be non-zero.

Warning: When setting this option you should not use any expansion constructions that take an appreciable amount of time. The expansion and test happen in the main daemon loop, in order to reject additional connections without forking additional processes (otherwise a denial-of-service attack could cause a vast number or processes to be created). While the daemon is doing this processing, it cannot accept any other incoming connections.

smtp_accept_queue Use: main Type: integer Default: 0

If the number of simultaneous incoming SMTP connections being handled via the listening daemon exceeds this value, messages received by SMTP are just placed in the queue; no delivery processes are started automatically. The count is fixed at the start of an SMTP connection. It cannot be updated in the subprocess that receives messages, and so the queueing or not queueing applies to all messages received in the same connection.

A value of zero implies no limit, and clearly any non-zero value is useful only if it is less than the smtp_accept_max value (unless that is zero). See also queue_only, queue_only_load, queue_smtp_domains, and the various -odx command line options.

smtp_accept_queue_per_connection Use: main Type: integer Default: 10

This option limits the number of delivery processes that Exim starts automatically when receiving messages via SMTP, whether via the daemon or by the use of -bs or -bS. If the value of the option is greater than zero, and the number of messages received in a single SMTP session exceeds this number, subsequent messages are placed in the queue, but no delivery processes are started. This helps to limit the number of Exim processes when a server restarts after downtime and there is a lot of mail waiting for it on other systems. On large systems, the default should probably be increased, and on dial-in client systems it should probably be set to zero (that is, disabled).

smtp_accept_reserve Use: main Type: integer Default: 0

When smtp_accept_max is set greater than zero, this option specifies a number of SMTP connections that are reserved for connections from the hosts that are specified in smtp_reserve_hosts. The value set in smtp_accept_max includes this reserve pool. The specified hosts are not restricted to this number of connections; the option specifies a minimum number of connection slots for them, not a maximum. It is a guarantee that this group of hosts can always get at least smtp_accept_reserve connections. However, the limit specified by smtp_accept_max_per_host is still applied to each individual host.

For example, if smtp_accept_max is set to 50 and smtp_accept_reserve is set to 5, once there are 45 active connections (from any hosts), new connections are accepted only from hosts listed in smtp_reserve_hosts, provided the other criteria for acceptance are met.

smtp_active_hostname Use: main Type: string Default: unset

This option is provided for multi-homed servers that want to masquerade as several different hosts. At the start of an incoming SMTP connection, its value is expanded and used instead of the value of $primary_hostname in SMTP responses. For example, it is used as domain name in the response to an incoming HELO or EHLO command.

The active hostname is placed in the $smtp_active_hostname variable, which is saved with any messages that are received. It is therefore available for use in routers and transports when the message is later delivered.

If this option is unset, or if its expansion is forced to fail, or if the expansion results in an empty string, the value of $primary_hostname is used. Other expansion failures cause a message to be written to the main and panic logs, and the SMTP command receives a temporary error. Typically, the value of smtp_active_hostname depends on the incoming interface address. For example:

smtp_active_hostname = ${if eq{$received_ip_address}{10.0.0.1}\
  {cox.mydomain}{box.mydomain}}

Although $smtp_active_hostname is primarily concerned with incoming messages, it is also used as the default for HELO commands in callout verification if there is no remote transport from which to obtain a helo_data value.

smtp_banner Use: main Type: string Default: see below

This string, which is expanded every time it is used, is output as the initial positive response to an SMTP connection. The default setting is:

smtp_banner = $smtp_active_hostname ESMTP Exim \
  $version_number $tod_full

Failure to expand the string causes a panic error. If you want to create a multiline response to the initial SMTP connection, use “\n” in the string at appropriate points, but not at the end. Note that the 220 code is not included in this string. Exim adds it automatically (several times in the case of a multiline response).

smtp_check_spool_space Use: main Type: boolean Default: true

When this option is set, if an incoming SMTP session encounters the SIZE option on a MAIL command, it checks that there is enough space in the spool directory’s partition to accept a message of that size, while still leaving free the amount specified by check_spool_space (even if that value is zero). If there isn’t enough space, a temporary error code is returned.

smtp_connect_backlog Use: main Type: integer Default: 20

This option specifies a maximum number of waiting SMTP connections. Exim passes this value to the TCP/IP system when it sets up its listener. Once this number of connections are waiting for the daemon’s attention, subsequent connection attempts are refused at the TCP/IP level. At least, that is what the manuals say; in some circumstances such connection attempts have been observed to time out instead. For large systems it is probably a good idea to increase the value (to 50, say). It also gives some protection against denial-of-service attacks by SYN flooding.

smtp_enforce_sync Use: main Type: boolean Default: true

The SMTP protocol specification requires the client to wait for a response from the server at certain points in the dialogue. Without PIPELINING these synchronization points are after every command; with PIPELINING they are fewer, but they still exist.

Some spamming sites send out a complete set of SMTP commands without waiting for any response. Exim protects against this by rejecting a message if the client has sent further input when it should not have. The error response “554 SMTP synchronization error” is sent, and the connection is dropped. Testing for this error cannot be perfect because of transmission delays (unexpected input may be on its way but not yet received when Exim checks). However, it does detect many instances.

The check can be globally disabled by setting smtp_enforce_sync false. If you want to disable the check selectively (for example, only for certain hosts), you can do so by an appropriate use of a control modifier in an ACL (see section 44.22). See also pipelining_advertise_hosts.

smtp_etrn_command Use: main Type: string Default: unset

If this option is set, the given command is run whenever an SMTP ETRN command is received from a host that is permitted to issue such commands (see chapter 44). The string is split up into separate arguments which are independently expanded. The expansion variable $domain is set to the argument of the ETRN command, and no syntax checking is done on it. For example:

smtp_etrn_command = /etc/etrn_command $domain \
                    $sender_host_address

If the option is not set, the argument for the ETRN command must be a # followed by an address string. In this case an exim -R <string> command is used; if the ETRN ACL has set up a named-queue then -MCG <queue> is appended.

A new process is created to run the command, but Exim does not wait for it to complete. Consequently, its status cannot be checked. If the command cannot be run, a line is written to the panic log, but the ETRN caller still receives a 250 success response. Exim is normally running under its own uid when receiving SMTP, so it is not possible for it to change the uid before running the command.

smtp_etrn_serialize Use: main Type: boolean Default: true

When this option is set, it prevents the simultaneous execution of more than one identical command as a result of ETRN in an SMTP connection. See section 49.8 for details.

smtp_load_reserve Use: main Type: fixed-point Default: unset

If the system load average ever gets higher than this, incoming SMTP calls are accepted only from those hosts that match an entry in smtp_reserve_hosts. If smtp_reserve_hosts is not set, no incoming SMTP calls are accepted when the load is over the limit. The option has no effect on ancient operating systems on which Exim cannot determine the load average. See also deliver_queue_load_max and queue_only_load.

smtp_max_synprot_errors Use: main Type: integer Default: 3

Exim rejects SMTP commands that contain syntax or protocol errors. In particular, a syntactically invalid email address, as in this command:

RCPT TO:<abc xyz@a.b.c>

causes immediate rejection of the command, before any other tests are done. (The ACL cannot be run if there is no valid address to set up for it.) An example of a protocol error is receiving RCPT before MAIL. If there are too many syntax or protocol errors in one SMTP session, the connection is dropped. The limit is set by this option.

When the PIPELINING extension to SMTP is in use, some protocol errors are “expected”, for instance, a RCPT command after a rejected MAIL command. Exim assumes that PIPELINING will be used if it advertises it (see pipelining_advertise_hosts), and in this situation, “expected” errors do not count towards the limit.

smtp_max_unknown_commands Use: main Type: integer Default: 3

If there are too many unrecognized commands in an incoming SMTP session, an Exim server drops the connection. This is a defence against some kinds of abuse that subvert web clients into making connections to SMTP ports; in these circumstances, a number of non-SMTP command lines are sent first.

smtp_ratelimit_hosts Use: main Type: host list Default: unset

Some sites find it helpful to be able to limit the rate at which certain hosts can send them messages, and the rate at which an individual message can specify recipients.

Exim has two rate-limiting facilities. This section describes the older facility, which can limit rates within a single connection. The newer ratelimit ACL condition can limit rates across all connections. See section 44.38 for details of the newer facility.

When a host matches smtp_ratelimit_hosts, the values of smtp_ratelimit_mail and smtp_ratelimit_rcpt are used to control the rate of acceptance of MAIL and RCPT commands in a single SMTP session, respectively. Each option, if set, must contain a set of four comma-separated values:

  • A threshold, before which there is no rate limiting.

  • An initial time delay. Unlike other times in Exim, numbers with decimal fractional parts are allowed here.

  • A factor by which to increase the delay each time.

  • A maximum value for the delay. This should normally be less than 5 minutes, because after that time, the client is liable to timeout the SMTP command.

For example, these settings have been used successfully at the site which first suggested this feature, for controlling mail from their customers:

smtp_ratelimit_mail = 2,0.5s,1.05,4m
smtp_ratelimit_rcpt = 4,0.25s,1.015,4m

The first setting specifies delays that are applied to MAIL commands after two have been received over a single connection. The initial delay is 0.5 seconds, increasing by a factor of 1.05 each time. The second setting applies delays to RCPT commands when more than four occur in a single message.

smtp_ratelimit_mail Use: main Type: string Default: unset

See smtp_ratelimit_hosts above.

smtp_ratelimit_rcpt Use: main Type: string Default: unset

See smtp_ratelimit_hosts above.

smtp_receive_timeout Use: main Type: time Default: 5m

This sets a timeout value for SMTP reception. It applies to all forms of SMTP input, including batch SMTP. If a line of input (either an SMTP command or a data line) is not received within this time, the SMTP connection is dropped and the message is abandoned. A line is written to the log containing one of the following messages:

SMTP command timeout on connection from...
SMTP data timeout on connection from...

The former means that Exim was expecting to read an SMTP command; the latter means that it was in the DATA phase, reading the contents of a message.

If the first character of the option is a “$” the option is expanded before use and may depend on $sender_host_name, $sender_host_address and $sender_host_port.

The value set by this option can be overridden by the -os command-line option. A setting of zero time disables the timeout, but this should never be used for SMTP over TCP/IP. (It can be useful in some cases of local input using -bs or -bS.) For non-SMTP input, the reception timeout is controlled by receive_timeout and -or.

smtp_reserve_hosts Use: main Type: host list Default: unset

This option defines hosts for which SMTP connections are reserved; see smtp_accept_reserve and smtp_load_reserve above.

smtp_return_error_details Use: main Type: boolean Default: false

In the default state, Exim uses bland messages such as “Administrative prohibition” when it rejects SMTP commands for policy reasons. Many sysadmins like this because it gives away little information to spammers. However, some other sysadmins who are applying strict checking policies want to give out much fuller information about failures. Setting smtp_return_error_details true causes Exim to be more forthcoming. For example, instead of “Administrative prohibition”, it might give:

550-Rejected after DATA: '>' missing at end of address:
550 failing address in "From" header is: <user@dom.ain

smtputf8_advertise_hosts Use: main Type: host list Default: *

When Exim is built with support for internationalised mail names, the availability thereof is advertised in response to EHLO only to those client hosts that match this option. See chapter 60 for details of Exim’s support for internationalisation.

spamd_address Use: main Type: string Default: 127.0.0.1 783

This option is available when Exim is compiled with the content-scanning extension. It specifies how Exim connects to SpamAssassin’s spamd daemon. See section 45.2 for more details.

spf_guess Use: main Type: string Default: v=spf1 a/24 mx/24 ptr ?all

This option is available when Exim is compiled with SPF support. See section 58.4 for more details.

spf_smtp_comment_template Use: main Type: string Default: Please%_see%_http://www.open-spf.org/Why

This option is available when Exim is compiled with SPF support. It allows the customisation of the SMTP comment that the SPF library generates. You are strongly encouraged to link to your own explanative site. The template must not contain spaces. If you need spaces in the output, use the proper placeholder. If libspf2 can not parse the template, it uses a built-in default broken link. The following placeholders (along with Exim variables (but see below)) are allowed in the template:

  • %_: A space.

  • %{L}: Envelope sender’s local part.

  • %{S}: Envelope sender.

  • %{O}: Envelope sender’s domain.

  • %{D}: Current(?) domain.

  • %{I}: SMTP client Ip.

  • %{C}: SMTP client pretty IP.

  • %{T}: Epoch time (UTC).

  • %{P}: SMTP client domain name.

  • %{V}: IP version.

  • %{H}: EHLO/HELO domain.

  • %{R}: Receiving domain.

The capitalized placeholders do proper URL encoding, if you use them lowercased, no encoding takes place. This list was compiled from the libspf2 sources.

A note on using Exim variables: As currently the SPF library is initialized before the SMTP EHLO phase, the variables useful for expansion are quite limited.

split_spool_directory Use: main Type: boolean Default: false

If this option is set, it causes Exim to split its input directory into 62 subdirectories, each with a single alphanumeric character as its name. The sixth character of the message id is used to allocate messages to subdirectories; this is the least significant base-62 digit of the time of arrival of the message.

Splitting up the spool in this way may provide better performance on systems where there are long mail queues, by reducing the number of files in any one directory. The msglog directory is also split up in a similar way to the input directory; however, if preserve_message_logs is set, all old msglog files are still placed in the single directory msglog.OLD.

It is not necessary to take any special action for existing messages when changing split_spool_directory. Exim notices messages that are in the “wrong” place, and continues to process them. If the option is turned off after a period of being on, the subdirectories will eventually empty and be automatically deleted.

When split_spool_directory is set, the behaviour of queue runner processes changes. Instead of creating a list of all messages in the queue, and then trying to deliver each one, in turn, it constructs a list of those in one sub-directory and tries to deliver them, before moving on to the next sub-directory. The sub-directories are processed in a random order. This spreads out the scanning of the input directories, and uses less memory. It is particularly beneficial when there are lots of messages in the queue. However, if queue_run_in_order is set, none of this new processing happens. The entire queue has to be scanned and sorted before any deliveries can start.

spool_directory Use: main Type: string Default: set at compile time

This defines the directory in which Exim keeps its spool, that is, the messages it is waiting to deliver. The default value is taken from the compile-time configuration setting, if there is one. If not, this option must be set. The string is expanded, so it can contain, for example, a reference to $primary_hostname.

If the spool directory name is fixed on your installation, it is recommended that you set it at build time rather than from this option, particularly if the log files are being written to the spool directory (see log_file_path). Otherwise log files cannot be used for errors that are detected early on, such as failures in the configuration file.

By using this option to override the compiled-in path, it is possible to run tests of Exim without using the standard spool.

spool_wireformat Use: main Type: boolean Default: false

If this option is set, Exim may for some messages use an alternative format for data-files in the spool which matches the wire format. Doing this permits more efficient message reception and transmission. Currently it is only done for messages received using the ESMTP CHUNKING option.

The following variables will not have useful values:

$max_received_linelength
$body_linecount
$body_zerocount

Users of the local_scan() API (see 46), and any external programs which are passed a reference to a message data file (except via the “regex”, “malware” or “spam”) ACL conditions) will need to be aware of the different formats potentially available.

Using any of the ACL conditions noted will negate the reception benefit (as a Unix-mbox-format file is constructed for them). The transmission benefit is maintained.

sqlite_lock_timeout Use: main Type: time Default: 5s

This option controls the timeout that the sqlite lookup uses when trying to access an SQLite database. See section 9.26 for more details.

strict_acl_vars Use: main Type: boolean Default: false

This option controls what happens if a syntactically valid but undefined ACL variable is referenced. If it is false (the default), an empty string is substituted; if it is true, an error is generated. See section 44.19 for details of ACL variables.

strip_excess_angle_brackets Use: main Type: boolean Default: false

If this option is set, redundant pairs of angle brackets round “route-addr” items in addresses are stripped. For example, <<xxx@a.b.c.d>> is treated as <xxx@a.b.c.d>. If this is in the envelope and the message is passed on to another MTA, the excess angle brackets are not passed on. If this option is not set, multiple pairs of angle brackets cause a syntax error.

strip_trailing_dot Use: main Type: boolean Default: false

If this option is set, a trailing dot at the end of a domain in an address is ignored. If this is in the envelope and the message is passed on to another MTA, the dot is not passed on. If this option is not set, a dot at the end of a domain causes a syntax error. However, addresses in header lines are checked only when an ACL requests header syntax checking.

syslog_duplication Use: main Type: boolean Default: true

When Exim is logging to syslog, it writes the log lines for its three separate logs at different syslog priorities so that they can in principle be separated on the logging hosts. Some installations do not require this separation, and in those cases, the duplication of certain log lines is a nuisance. If syslog_duplication is set false, only one copy of any particular log line is written to syslog. For lines that normally go to both the main log and the reject log, the reject log version (possibly containing message header lines) is written, at LOG_NOTICE priority. Lines that normally go to both the main and the panic log are written at the LOG_ALERT priority.

syslog_facility Use: main Type: string Default: unset

This option sets the syslog “facility” name, used when Exim is logging to syslog. The value must be one of the strings “mail”, “user”, “news”, “uucp”, “daemon”, or “localx” where x is a digit between 0 and 7. If this option is unset, “mail” is used. See chapter 53 for details of Exim’s logging.

syslog_pid Use: main Type: boolean Default: true

If syslog_pid is set false, the PID on Exim’s log lines are omitted when these lines are sent to syslog. (Syslog normally prefixes the log lines with the PID of the logging process automatically.) You need to enable the +pid log selector item, if you want Exim to write it’s PID into the logs.) See chapter 53 for details of Exim’s logging.

syslog_processname Use: main Type: string Default: exim

This option sets the syslog “ident” name, used when Exim is logging to syslog. The value must be no longer than 32 characters. See chapter 53 for details of Exim’s logging.

syslog_timestamp Use: main Type: boolean Default: true

If syslog_timestamp is set false, the timestamps on Exim’s log lines are omitted when these lines are sent to syslog. See chapter 53 for details of Exim’s logging.

system_filter Use: main Type: string Default: unset

This option specifies an Exim filter file that is applied to all messages at the start of each delivery attempt, before any routing is done. System filters must be Exim filters; they cannot be Sieve filters. If the system filter generates any deliveries to files or pipes, or any new mail messages, the appropriate system_filter_..._transport option(s) must be set, to define which transports are to be used. Details of this facility are given in chapter 47. A forced expansion failure results in no filter operation.

system_filter_directory_transport Use: main Type: string Default: unset

This sets the name of the transport driver that is to be used when the save command in a system message filter specifies a path ending in “/”, implying delivery of each message into a separate file in some directory. During the delivery, the variable $address_file contains the path name.

system_filter_file_transport Use: main Type: string Default: unset

This sets the name of the transport driver that is to be used when the save command in a system message filter specifies a path not ending in “/”. During the delivery, the variable $address_file contains the path name.

system_filter_group Use: main Type: string Default: unset

This option is used only when system_filter_user is also set. It sets the gid under which the system filter is run, overriding any gid that is associated with the user. The value may be numerical or symbolic.

system_filter_pipe_transport Use: main Type: string Default: unset

This specifies the transport driver that is to be used when a pipe command is used in a system filter. During the delivery, the variable $address_pipe contains the pipe command.

system_filter_reply_transport Use: main Type: string Default: unset

This specifies the transport driver that is to be used when a mail command is used in a system filter.

system_filter_user Use: main Type: string Default: unset

If this option is set to root, the system filter is run in the main Exim delivery process, as root. Otherwise, the system filter runs in a separate process, as the given user, defaulting to the Exim run-time user. Unless the string consists entirely of digits, it is looked up in the password data. Failure to find the named user causes a configuration error. The gid is either taken from the password data, or specified by system_filter_group. When the uid is specified numerically, system_filter_group is required to be set.

If the system filter generates any pipe, file, or reply deliveries, the uid under which the filter is run is used when transporting them, unless a transport option overrides.

tcp_nodelay Use: main Type: boolean Default: true

If this option is set false, it stops the Exim daemon setting the TCP_NODELAY option on its listening sockets. Setting TCP_NODELAY turns off the “Nagle algorithm”, which is a way of improving network performance in interactive (character-by-character) situations. Turning it off should improve Exim’s performance a bit, so that is what happens by default. However, it appears that some broken clients cannot cope, and time out. Hence this option. It affects only those sockets that are set up for listening by the daemon. Sockets created by the smtp transport for delivering mail always set TCP_NODELAY.

timeout_frozen_after Use: main Type: time Default: 0s

If timeout_frozen_after is set to a time greater than zero, a frozen message of any kind that has been in the queue for longer than the given time is automatically cancelled at the next queue run. If the frozen message is a bounce message, it is just discarded; otherwise, a bounce is sent to the sender, in a similar manner to cancellation by the -Mg command line option. If you want to timeout frozen bounce messages earlier than other kinds of frozen message, see ignore_bounce_errors_after.

Note: the default value of zero means no timeouts; with this setting, frozen messages remain in the queue forever (except for any frozen bounce messages that are released by ignore_bounce_errors_after).

timezone Use: main Type: string Default: unset

The value of timezone is used to set the environment variable TZ while running Exim (if it is different on entry). This ensures that all timestamps created by Exim are in the required timezone. If you want all your timestamps to be in UTC (aka GMT) you should set

timezone = UTC

The default value is taken from TIMEZONE_DEFAULT in Local/Makefile, or, if that is not set, from the value of the TZ environment variable when Exim is built. If timezone is set to the empty string, either at build or run time, any existing TZ variable is removed from the environment when Exim runs. This is appropriate behaviour for obtaining wall-clock time on some, but unfortunately not all, operating systems.

tls_advertise_hosts Use: main Type: host list Default: *

When Exim is built with support for TLS encrypted connections, the availability of the STARTTLS command to set up an encrypted session is advertised in response to EHLO only to those client hosts that match this option. See chapter 43 for details of Exim’s support for TLS. Note that the default value requires that a certificate be supplied using the tls_certificate option. If TLS support for incoming connections is not required the tls_advertise_hosts option should be set empty.

tls_certificate Use: main Type: string Default: list

The value of this option is expanded, and must then be a list of absolute paths to files which contain the server’s certificates (in PEM format). Commonly only one file is needed. The server’s private key is also assumed to be in this file if tls_privatekey is unset. See chapter 43 for further details.

Note: The certificates defined by this option are used only when Exim is receiving incoming messages as a server. If you want to supply certificates for use when sending messages as a client, you must set the tls_certificate option in the relevant smtp transport.

Note: If you use filenames based on IP addresses, change the list separator in the usual way (6.21) to avoid confusion under IPv6.

Note: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used, the $tls_in_ourcert variable is unreliable. The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.

If the option contains $tls_out_sni and Exim is built against OpenSSL, then if the OpenSSL build supports TLS extensions and the TLS client sends the Server Name Indication extension, then this option and others documented in 43.10 will be re-expanded.

If this option is unset or empty a fresh self-signed certificate will be generated for every connection.

tls_crl Use: main Type: string Default: unset

This option specifies a certificate revocation list. The expanded value must be the name of a file that contains CRLs in PEM format.

Under OpenSSL the option can specify a directory with CRL files.

Note: Under OpenSSL the option must, if given, supply a CRL for each signing element of the certificate chain (i.e. all but the leaf). For the file variant this can be multiple PEM blocks in the one file.

See 43.10 for discussion of when this option might be re-expanded.

tls_dh_max_bits Use: main Type: integer Default: 2236

The number of bits used for Diffie-Hellman key-exchange may be suggested by the chosen TLS library. That value might prove to be too high for interoperability. This option provides a maximum clamp on the value suggested, trading off security for interoperability.

The value must be at least 1024.

The value 2236 was chosen because, at time of adding the option, it was the hard-coded maximum value supported by the NSS cryptographic library, as used by Thunderbird, while GnuTLS was suggesting 2432 bits as normal.

If you prefer more security and are willing to break some clients, raise this number.

Note that the value passed to GnuTLS for *generating* a new prime may be a little less than this figure, because GnuTLS is inexact and may produce a larger prime than requested.

tls_dhparam Use: main Type: string Default: unset

The value of this option is expanded and indicates the source of DH parameters to be used by Exim.

This option is ignored for GnuTLS version 3.6.0 and later. The library manages parameter negotiation internally.

Note: The Exim Maintainers strongly recommend, for other TLS library versions, using a filename with site-generated local DH parameters, which has been supported across all versions of Exim. The other specific constants available are a fallback so that even when "unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS.

If tls_dhparam is a filename starting with a /, then it names a file from which DH parameters should be loaded. If the file exists, it should hold a PEM-encoded PKCS#3 representation of the DH prime. If the file does not exist, for OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and fill it with a generated DH prime. For OpenSSL, if the DH bit-count from loading the file is greater than tls_dh_max_bits then it will be ignored, and treated as though the tls_dhparam were set to "none".

If this option expands to the string "none", then no DH parameters will be loaded by Exim.

If this option expands to the string "historic" and Exim is using GnuTLS, then Exim will attempt to load a file from inside the spool directory. If the file does not exist, Exim will attempt to create it. See section 43.3 for further details.

If Exim is using OpenSSL and this option is empty or unset, then Exim will load a default DH prime; the default is Exim-specific but lacks verifiable provenance.

In older versions of Exim the default was the 2048 bit prime described in section 2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which in IKE is assigned number 23.

Otherwise, the option must expand to the name used by Exim for any of a number of DH primes specified in RFC 2409, RFC 3526, RFC 5114, RFC 7919, or from other sources. As names, Exim uses a standard specified name, else "ike" followed by the number used by IKE, or "default" which corresponds to exim.dev.20160529.3.

The available standard primes are: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, ike1, ike2, ike5, ike14, ike15, ike16, ike17, ike18, ike22, ike23 and ike24.

The available additional primes are: exim.dev.20160529.1, exim.dev.20160529.2 and exim.dev.20160529.3.

Some of these will be too small to be accepted by clients. Some may be too large to be accepted by clients. The open cryptographic community has suspicions about the integrity of some of the later IKE values, which led into RFC7919 providing new fixed constants (the "ffdhe" identifiers).

At this point, all of the "ike" values should be considered obsolete; they’re still in Exim to avoid breaking unusual configurations, but are candidates for removal the next time we have backwards-incompatible changes.

The TLS protocol does not negotiate an acceptable size for this; clients tend to hard-drop connections if what is offered by the server is unacceptable, whether too large or too small, and there’s no provision for the client to tell the server what these constraints are. Thus, as a server operator, you need to make an educated guess as to what is most likely to work for your userbase.

Some known size constraints suggest that a bit-size in the range 2048 to 2236 is most likely to maximise interoperability. The upper bound comes from applications using the Mozilla Network Security Services (NSS) library, which used to set its DH_MAX_P_BITS upper-bound to 2236. This affects many mail user agents (MUAs). The lower bound comes from Debian installs of Exim4 prior to the 4.80 release, as Debian used to patch Exim to raise the minimum acceptable bound from 1024 to 2048.

tls_eccurve Use: main Type: string Default: auto

This option selects a EC curve for use by Exim when used with OpenSSL. It has no effect when Exim is used with GnuTLS.

After expansion it must contain a valid EC curve parameter, such as prime256v1, secp384r1, or P-512. Consult your OpenSSL manual for valid selections.

For OpenSSL versions before (and not including) 1.0.2, the string auto selects prime256v1. For more recent OpenSSL versions auto tells the library to choose.

If the option expands to an empty string, no EC curves will be enabled.

tls_ocsp_file Use: main Type: string Default: unset

This option must if set expand to the absolute path to a file which contains a current status proof for the server’s certificate, as obtained from the Certificate Authority.

Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later). The macro "_HAVE_TLS_OCSP" will be defined for those versions.

For OpenSSL 1.1.0 or later, and for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files, to match a list given for the tls_certificate option. The ordering of the two lists must match. The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions.

The file(s) should be in DER format, except for GnuTLS 3.6.3 or later or for OpenSSL, when an optional filetype prefix can be used. The prefix must be one of "DER" or "PEM", followed by a single space. If one is used it sets the format for subsequent files in the list; the initial format is DER. If multiple proofs are wanted, for multiple chain elements (this only works under TLS1.3) they must be coded as a combined OCSP response.

Although GnuTLS will accept PEM files with multiple separate PEM blobs (ie. separate OCSP responses), it sends them in the TLS Certificate record interleaved with the certificates of the chain; although a GnuTLS client is happy with that, an OpenSSL client is not.

tls_on_connect_ports Use: main Type: string list Default: unset

This option specifies a list of incoming SSMTP (aka SMTPS) ports that should operate the SSMTP (SMTPS) protocol, where a TLS session is immediately set up without waiting for the client to issue a STARTTLS command. For further details, see section 13.4.

tls_privatekey Use: main Type: string Default: list

The value of this option is expanded, and must then be a list of absolute paths to files which contains the server’s private keys. If this option is unset, or if the expansion is forced to fail, or the result is an empty string, the private key is assumed to be in the same file as the server’s certificates. See chapter 43 for further details.

See 43.10 for discussion of when this option might be re-expanded.

tls_remember_esmtp Use: main Type: boolean Default: false

If this option is set true, Exim violates the RFCs by remembering that it is in “esmtp” state after successfully negotiating a TLS session. This provides support for broken clients that fail to send a new EHLO after starting a TLS session.

tls_require_ciphers Use: main Type: string Default: unset

This option controls which ciphers can be used for incoming TLS connections. The smtp transport has an option of the same name for controlling outgoing connections. This option is expanded for each connection, so can be varied for different clients if required. The value of this option must be a list of permitted cipher suites. The OpenSSL and GnuTLS libraries handle cipher control in somewhat different ways. If GnuTLS is being used, the client controls the preference order of the available ciphers. Details are given in sections 43.4 and 43.5.

tls_try_verify_hosts Use: main Type: host list Default: unset

See tls_verify_hosts below.

tls_verify_certificates Use: main Type: string Default: system

The value of this option is expanded, and must then be either the word "system" or the absolute path to a file or directory containing permitted certificates for clients that match tls_verify_hosts or tls_try_verify_hosts.

The "system" value for the option will use a system default location compiled into the SSL library. This is not available for GnuTLS versions preceding 3.0.20, and will be taken as empty; an explicit location must be specified.

The use of a directory for the option value is not available for GnuTLS versions preceding 3.3.6 and a single file must be used.

With OpenSSL the certificates specified explicitly either by file or directory are added to those given by the system default location.

These certificates should be for the certificate authorities trusted, rather than the public cert of individual clients. With both OpenSSL and GnuTLS, if the value is a file then the certificates are sent by Exim as a server to connecting clients, defining the list of accepted certificate authorities. Thus the values defined should be considered public data. To avoid this, use the explicit directory version.

See 43.10 for discussion of when this option might be re-expanded.

A forced expansion failure or setting to an empty string is equivalent to being unset.

tls_verify_hosts Use: main Type: host list Default: unset

This option, along with tls_try_verify_hosts, controls the checking of certificates from clients. The expected certificates are defined by tls_verify_certificates, which must be set. A configuration error occurs if either tls_verify_hosts or tls_try_verify_hosts is set and tls_verify_certificates is not set.

Any client that matches tls_verify_hosts is constrained by tls_verify_certificates. When the client initiates a TLS session, it must present one of the listed certificates. If it does not, the connection is aborted. Warning: Including a host in tls_verify_hosts does not require the host to use TLS. It can still send SMTP commands through unencrypted connections. Forcing a client to use TLS has to be done separately using an ACL to reject inappropriate commands when the connection is not encrypted.

A weaker form of checking is provided by tls_try_verify_hosts. If a client matches this option (but not tls_verify_hosts), Exim requests a certificate and checks it against tls_verify_certificates, but does not abort the connection if there is no certificate or if it does not match. This state can be detected in an ACL, which makes it possible to implement policies such as “accept for relay only if a verified certificate has been received, but accept for local delivery if encrypted, even without a verified certificate”.

Client hosts that match neither of these lists are not asked to present certificates.

trusted_groups Use: main Type: string list Default: unset

This option is expanded just once, at the start of Exim’s processing. If this option is set, any process that is running in one of the listed groups, or which has one of them as a supplementary group, is trusted. The groups can be specified numerically or by name. See section 5.2 for details of what trusted callers are permitted to do. If neither trusted_groups nor trusted_users is set, only root and the Exim user are trusted.

trusted_users Use: main Type: string list Default: unset

This option is expanded just once, at the start of Exim’s processing. If this option is set, any process that is running as one of the listed users is trusted. The users can be specified numerically or by name. See section 5.2 for details of what trusted callers are permitted to do. If neither trusted_groups nor trusted_users is set, only root and the Exim user are trusted.

unknown_login Use: main Type: string Default: unset

This is a specialized feature for use in unusual configurations. By default, if the uid of the caller of Exim cannot be looked up using getpwuid(), Exim gives up. The unknown_login option can be used to set a login name to be used in this circumstance. It is expanded, so values like user$caller_uid can be set. When unknown_login is used, the value of unknown_username is used for the user’s real name (gecos field), unless this has been set by the -F option.

unknown_username Use: main Type: string Default: unset

See unknown_login.

untrusted_set_sender Use: main Type: address list Default: unset

When an untrusted user submits a message to Exim using the standard input, Exim normally creates an envelope sender address from the user’s login and the default qualification domain. Data from the -f option (for setting envelope senders on non-SMTP messages) or the SMTP MAIL command (if -bs or -bS is used) is ignored.

However, untrusted users are permitted to set an empty envelope sender address, to declare that a message should never generate any bounces. For example:

exim -f '<>' user@domain.example

The untrusted_set_sender option allows you to permit untrusted users to set other envelope sender addresses in a controlled way. When it is set, untrusted users are allowed to set envelope sender addresses that match any of the patterns in the list. Like all address lists, the string is expanded. The identity of the user is in $sender_ident, so you can, for example, restrict users to setting senders that start with their login ids followed by a hyphen by a setting like this:

untrusted_set_sender = ^$sender_ident-

If you want to allow untrusted users to set envelope sender addresses without restriction, you can use

untrusted_set_sender = *

The untrusted_set_sender option applies to all forms of local input, but only to the setting of the envelope sender. It does not permit untrusted users to use the other options which trusted user can use to override message parameters. Furthermore, it does not stop Exim from removing an existing Sender: header in the message, or from adding a Sender: header if necessary. See local_sender_retain and local_from_check for ways of overriding these actions. The handling of the Sender: header is also described in section 48.16.

The log line for a message’s arrival shows the envelope sender following “<=”. For local messages, the user’s login always follows, after “U=”. In -bp displays, and in the Exim monitor, if an untrusted user sets an envelope sender address, the user’s login is shown in parentheses after the sender address.

uucp_from_pattern Use: main Type: string Default: see below

Some applications that pass messages to an MTA via a command line interface use an initial line starting with “From ” to pass the envelope sender. In particular, this is used by UUCP software. Exim recognizes such a line by means of a regular expression that is set in uucp_from_pattern. When the pattern matches, the sender address is constructed by expanding the contents of uucp_from_sender, provided that the caller of Exim is a trusted user. The default pattern recognizes lines in the following two forms:

From ph10 Fri Jan  5 12:35 GMT 1996
From ph10 Fri, 7 Jan 97 14:00:00 GMT

The pattern can be seen by running

exim -bP uucp_from_pattern

It checks only up to the hours and minutes, and allows for a 2-digit or 4-digit year in the second case. The first word after “From ” is matched in the regular expression by a parenthesized subpattern. The default value for uucp_from_sender is “$1”, which therefore just uses this first word (“ph10” in the example above) as the message’s sender. See also ignore_fromline_hosts.

uucp_from_sender Use: main Type: string Default: $1

See uucp_from_pattern above.

warn_message_file Use: main Type: string Default: unset

This option defines a template file containing paragraphs of text to be used for constructing the warning message which is sent by Exim when a message has been in the queue for a specified amount of time, as specified by delay_warning. Details of the file’s contents are given in chapter 50.

The option is expanded to give the file path, which must be absolute and untainted.

See also bounce_message_file.

write_rejectlog Use: main Type: boolean Default: true

If this option is set false, Exim no longer writes anything to the reject log. See chapter 53 for details of what Exim writes to its logs.

<-previousTable of Contentsnext->