Exim Internet Mailer

<-previousnext->

Chapter 11 - String expansions

Many strings in Exim’s runtime configuration are expanded before use. Some of them are expanded every time they are used; others are expanded only once.

When a string is being expanded it is copied verbatim from left to right except when a dollar or backslash character is encountered. A dollar specifies the start of a portion of the string that is interpreted and replaced as described below in section 11.5 onwards. Backslash is used as an escape character, as described in the following section.

Whether a string is expanded depends upon the context. Usually this is solely dependent upon the option for which a value is sought; in this documentation, options for which string expansion is performed are marked with † after the data type. ACL rules always expand strings. A couple of expansion conditions do not expand some of the brace-delimited branches, for security reasons, and expansion of data deriving from the sender (“tainted data”)

is not permitted (including acessing a file using a tainted name). The main config option allow_insecure_tainted_data can be used as mitigation during uprades to more secure configurations.

Common ways of obtaining untainted equivalents of variables with tainted values come down to using the tainted value as a lookup key in a trusted database. This database could be the filesystem structure, or the password file, or accessed via a DBMS. Specific methods are indexed under “de-tainting”.

1. Literal text in expanded strings

An uninterpreted dollar can be included in an expanded string by putting a backslash in front of it. A backslash can be used to prevent any special character being treated specially in an expansion, including backslash itself. If the string appears in quotes in the configuration file, two backslashes are required because the quotes themselves cause interpretation of backslashes when the string is read in (see section 6.17).

A portion of the string can specified as non-expandable by placing it between two occurrences of \N. This is particularly useful for protecting regular expressions, which often contain backslashes and dollar signs. For example:

deny senders = \N^\d{8}[a-z]@some\.site\.example$\N

On encountering the first \N, the expander copies subsequent characters without interpretation until it reaches the next \N or the end of the string.

2. Character escape sequences in expanded strings

A backslash followed by one of the letters “n”, “r”, or “t” in an expanded string is recognized as an escape sequence for the character newline, carriage return, or tab, respectively. A backslash followed by up to three octal digits is recognized as an octal encoding for a single character, and a backslash followed by “x” and up to two hexadecimal digits is a hexadecimal encoding.

These escape sequences are also recognized in quoted strings when they are read in. Their interpretation in expansions as well is useful for unquoted strings, and for other cases such as looked-up strings that are then expanded.

3. Testing string expansions

Many expansions can be tested by calling Exim with the -be option. This takes the command arguments, or lines from the standard input if there are no arguments, runs them through the string expansion code, and writes the results to the standard output. Variables based on configuration values are set up, but since no message is being processed, variables such as $local_part have no value. Nevertheless the -be option can be useful for checking out file and database lookups, and the use of expansion operators such as sg, substr and nhash.

Exim gives up its root privilege when it is called with the -be option, and instead runs under the uid and gid it was called with, to prevent users from using -be for reading files to which they do not have access.

If you want to test expansions that include variables whose values are taken from a message, there are two other options that can be used. The -bem option is like -be except that it is followed by a filename. The file is read as a message before doing the test expansions. For example:

exim -bem /tmp/test.message '$h_subject:'

The -Mset option is used in conjunction with -be and is followed by an Exim message identifier. For example:

exim -be -Mset 1GrA8W-0004WS-LQ '$recipients'

This loads the message from Exim’s spool before doing the test expansions, and is therefore restricted to admin users.

4. Forced expansion failure

A number of expansions that are described in the following section have alternative “true” and “false” substrings, enclosed in brace characters (which are sometimes called “curly brackets”). Which of the two strings is used depends on some condition that is evaluated as part of the expansion. If, instead of a “false” substring, the word “fail” is used (not in braces), the entire string expansion fails in a way that can be detected by the code that requested the expansion. This is called “forced expansion failure”, and its consequences depend on the circumstances. In some cases it is no different from any other expansion failure, but in others a different action may be taken. Such variations are mentioned in the documentation of the option that is being expanded.

5. Expansion items

The following items are recognized in expanded strings. White space may be used between sub-items that are keywords or substrings enclosed in braces inside an outer set of braces, to improve readability. Warning: Within braces, white space is significant.

$<variable name> or ${<variable name>}

Substitute the contents of the named variable, for example:

$local_part
${domain}

The second form can be used to separate the name from subsequent alphanumeric characters. This form (using braces) is available only for variables; it does not apply to message headers. The names of the variables are given in section 11.9 below. If the name of a non-existent variable is given, the expansion fails.

${<op>:<string>}

The string is first itself expanded, and then the operation specified by <op> is applied to it. For example:

${lc:$local_part}

The string starts with the first character after the colon, which may be leading white space. A list of operators is given in section 11.6 below. The operator notation is used for simple expansion items that have just one argument, because it reduces the number of braces and therefore makes the string easier to understand.

$bheader_<header name>: or $bh_<header name>:

This item inserts “basic” header lines. It is described with the header expansion item below.

${acl{<name>}{<arg>}...}

The name and zero to nine argument strings are first expanded separately. The expanded arguments are assigned to the variables $acl_arg1 to $acl_arg9 in order. Any unused are made empty. The variable $acl_narg is set to the number of arguments. The named ACL (see chapter 44) is called and may use the variables; if another acl expansion is used the values are restored after it returns. If the ACL sets a value using a "message =" modifier and returns accept or deny, the value becomes the result of the expansion. If no message is set and the ACL returns accept or deny the expansion result is an empty string. If the ACL returns defer the result is a forced-fail. Otherwise the expansion fails.

${authresults{<authserv-id>}}

This item returns a string suitable for insertion as an Authentication-Results: header line. The given <authserv-id> is included in the result; typically this will be a domain name identifying the system performing the authentications. Methods that might be present in the result include:

none
iprev
auth
spf
dkim

Example use (as an ACL modifier):

      add_header = :at_start:${authresults {$primary_hostname}}

This is safe even if no authentication results are available.

${certextract{<field>}{<certificate>}{<string2>}{<string3>}}

The <certificate> must be a variable of type certificate. The field name is expanded and used to retrieve the relevant field from the certificate. Supported fields are:

version        
serial_number  
subject         RFC4514 DN
issuer          RFC4514 DN
notbefore       time
notafter        time
sig_algorithm  
signature      
subj_altname    tagged list
ocsp_uri        list
crl_uri         list

If the field is found, <string2> is expanded, and replaces the whole item; otherwise <string3> is used. During the expansion of <string2> the variable $value contains the value that has been extracted. Afterwards, it is restored to any previous value it might have had.

If {<string3>} is omitted, the item is replaced by an empty string if the key is not found. If {<string2>} is also omitted, the value that was extracted is used.

Some field names take optional modifiers, appended and separated by commas.

The field selectors marked as "RFC4514" above output a Distinguished Name string which is not quite parseable by Exim as a comma-separated tagged list (the exceptions being elements containing commas). RDN elements of a single type may be selected by a modifier of the type label; if so the expansion result is a list (newline-separated by default). The separator may be changed by another modifier of a right angle-bracket followed immediately by the new separator. Recognised RDN type labels include "CN", "O", "OU" and "DC".

The field selectors marked as "time" above take an optional modifier of "int" for which the result is the number of seconds since epoch. Otherwise the result is a human-readable string in the timezone selected by the main "timezone" option.

The field selectors marked as "list" above return a list, newline-separated by default, (embedded separator characters in elements are doubled). The separator may be changed by a modifier of a right angle-bracket followed immediately by the new separator.

The field selectors marked as "tagged" above prefix each list element with a type string and an equals sign. Elements of only one type may be selected by a modifier which is one of "dns", "uri" or "mail"; if so the element tags are omitted.

If not otherwise noted field values are presented in human-readable form.

${dlfunc{<file>}{<function>}{<arg>}{<arg>}...}

This expansion dynamically loads and then calls a locally-written C function. This functionality is available only if Exim is compiled with

EXPAND_DLFUNC=yes

set in Local/Makefile. Once loaded, Exim remembers the dynamically loaded object so that it doesn’t reload the same object file in the same Exim process (but of course Exim does start new processes frequently).

There may be from zero to eight arguments to the function.

When compiling a local function that is to be called in this way, first DLFUNC_IMPL should be defined, and second local_scan.h should be included. The Exim variables and functions that are defined by that API are also available for dynamically loaded functions. The function itself must have the following type:

int dlfunction(uschar **yield, int argc, uschar *argv[])

Where uschar is a typedef for unsigned char in local_scan.h. The function should return one of the following values:

OK: Success. The string that is placed in the variable yield is put into the expanded string that is being built.

FAIL: A non-forced expansion failure occurs, with the error message taken from yield, if it is set.

FAIL_FORCED: A forced expansion failure occurs, with the error message taken from yield if it is set.

ERROR: Same as FAIL, except that a panic log entry is written.

When compiling a function that is to be used in this way with gcc, you need to add -shared to the gcc command. Also, in the Exim build-time configuration, you must add -export-dynamic to EXTRALIBS.

${env{<key>}{<string1>}{<string2>}}

The key is first expanded separately, and leading and trailing white space removed. This is then searched for as a name in the environment. If a variable is found then its value is placed in $value and <string1> is expanded, otherwise <string2> is expanded.

Instead of {<string2>} the word “fail” (not in curly brackets) can appear, for example:

${env{USER}{$value} fail }

This forces an expansion failure (see section 11.4); {<string1>} must be present for “fail” to be recognized.

If {<string2>} is omitted an empty string is substituted on search failure. If {<string1>} is omitted the search result is substituted on search success.

The environment is adjusted by the keep_environment and add_environment main section options.

${extract{<key>}{<string1>}{<string2>}{<string3>}}

The key and <string1> are first expanded separately. Leading and trailing white space is removed from the key (but not from any of the strings). The key must not be empty and must not consist entirely of digits. The expanded <string1> must be of the form:

<key1> = <value1>  <key2> = <value2> ...

where the equals signs and spaces (but not both) are optional. If any of the values contain white space, they must be enclosed in double quotes, and any values that are enclosed in double quotes are subject to escape processing as described in section 6.17. The expanded <string1> is searched for the value that corresponds to the key. The search is case-insensitive. If the key is found, <string2> is expanded, and replaces the whole item; otherwise <string3> is used. During the expansion of <string2> the variable $value contains the value that has been extracted. Afterwards, it is restored to any previous value it might have had.

If {<string3>} is omitted, the item is replaced by an empty string if the key is not found. If {<string2>} is also omitted, the value that was extracted is used. Thus, for example, these two expansions are identical, and yield “2001”:

${extract{gid}{uid=1984 gid=2001}}
${extract{gid}{uid=1984 gid=2001}{$value}}

Instead of {<string3>} the word “fail” (not in curly brackets) can appear, for example:

${extract{Z}{A=... B=...}{$value} fail }

This forces an expansion failure (see section 11.4); {<string2>} must be present for “fail” to be recognized.

${extract json{<key>}{<string1>}{<string2>}{<string3>}}
${extract jsons{<key>}{<string1>}{<string2>}{<string3>}}

The key and <string1> are first expanded separately. Leading and trailing white space is removed from the key (but not from any of the strings). The key must not be empty and must not consist entirely of digits. The expanded <string1> must be of the form:

{ <"key1"> : <value1> ,  <"key2"> , <value2> ... }

The braces, commas and colons, and the quoting of the member name are required; the spaces are optional. Matching of the key against the member names is done case-sensitively. For the “json” variant, if a returned value is a JSON string, it retains its leading and trailing quotes. For the “jsons” variant, which is intended for use with JSON strings, the leading and trailing quotes are removed from the returned value.

The results of matching are handled as above.

${extract{<number>}{<separators>}{<string1>}{<string2>}{<string3>}}

The <number> argument must consist entirely of decimal digits, apart from leading and trailing white space, which is ignored. This is what distinguishes this form of extract from the previous kind. It behaves in the same way, except that, instead of extracting a named field, it extracts from <string1> the field whose number is given as the first argument. You can use $value in <string2> or fail instead of <string3> as before.

The fields in the string are separated by any one of the characters in the separator string. These may include space or tab characters. The first field is numbered one. If the number is negative, the fields are counted from the end of the string, with the rightmost one numbered -1. If the number given is zero, the entire string is returned. If the modulus of the number is greater than the number of fields in the string, the result is the expansion of <string3>, or the empty string if <string3> is not provided. For example:

${extract{2}{:}{x:42:99:& Mailer::/bin/bash}}

yields “42”, and

${extract{-4}{:}{x:42:99:& Mailer::/bin/bash}}

yields “99”. Two successive separators mean that the field between them is empty (for example, the fifth field above).

${extract json {<number>}}{<string1>}{<string2>}{<string3>}}
${extract jsons{<number>}}{<string1>}{<string2>}{<string3>}}

The <number> argument must consist entirely of decimal digits, apart from leading and trailing white space, which is ignored.

Field selection and result handling is as above; there is no choice of field separator. For the “json” variant, if a returned value is a JSON string, it retains its leading and trailing quotes. For the “jsons” variant, which is intended for use with JSON strings, the leading and trailing quotes are removed from the returned value.

${filter{<string>}{<condition>}}

After expansion, <string> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way (6.21). For each item in this list, its value is place in $item, and then the condition is evaluated. If the condition is true, $item is added to the output as an item in a new list; if the condition is false, the item is discarded. The separator used for the output list is the same as the one used for the input, but a separator setting is not included in the output. For example:

${filter{a:b:c}{!eq{$item}{b}}}

yields a:c. At the end of the expansion, the value of $item is restored to what it was before. See also the map and reduce expansion items.

${hash{<string1>}{<string2>}{<string3>}}

This is a textual hashing function, and was the first to be implemented in early versions of Exim. In current releases, there are other hashing functions (numeric, MD5, and SHA-1), which are described below.

The first two strings, after expansion, must be numbers. Call them <m> and <n>. If you are using fixed values for these numbers, that is, if <string1> and <string2> do not change when they are expanded, you can use the simpler operator notation that avoids some of the braces:

${hash_<n>_<m>:<string>}

The second number is optional (in both notations). If <n> is greater than or equal to the length of the string, the expansion item returns the string. Otherwise it computes a new string of length <n> by applying a hashing function to the string. The new string consists of characters taken from the first <m> characters of the string

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQWRSTUVWXYZ0123456789

If <m> is not present the value 26 is used, so that only lower case letters appear. For example:

$hash{3}{monty}}              yields  jmg
$hash{5}{monty}}              yields  monty
$hash{4}{62}{monty python}}   yields  fbWx
$header_<header name>: or $h_<header name>:
$bheader_<header name>: or $bh_<header name>:
$lheader_<header name>: or $lh_<header name>:
$rheader_<header name>: or $rh_<header name>:

Substitute the contents of the named message header line, for example

$header_reply-to:

The newline that terminates a header line is not included in the expansion, but internal newlines (caused by splitting the header line over several physical lines) may be present.

The difference between the four pairs of expansions is in the way the data in the header line is interpreted.

  • rheader gives the original “raw” content of the header line, with no processing at all, and without the removal of leading and trailing white space.

  • lheader gives a colon-separated list, one element per header when there are multiple headers with a given name. Any embedded colon characters within an element are doubled, so normal Exim list-processing facilities can be used. The terminating newline of each element is removed; in other respects the content is “raw”.

  • bheader removes leading and trailing white space, and then decodes base64 or quoted-printable MIME “words” within the header text, but does no character set translation. If decoding of what looks superficially like a MIME “word” fails, the raw string is returned. If decoding produces a binary zero character, it is replaced by a question mark – this is what Exim does for binary zeros that are actually received in header lines.

  • header tries to translate the string as decoded by bheader to a standard character set. This is an attempt to produce the same string as would be displayed on a user’s MUA. If translation fails, the bheader string is returned. Translation is attempted only on operating systems that support the iconv() function. This is indicated by the compile-time macro HAVE_ICONV in a system Makefile or in Local/Makefile.

In a filter file, the target character set for header can be specified by a command of the following form:

headers charset "UTF-8"

This command affects all references to $h_ (or $header_) expansions in subsequently obeyed filter commands. In the absence of this command, the target character set in a filter is taken from the setting of the headers_charset option in the runtime configuration. The value of this option defaults to the value of HEADERS_CHARSET in Local/Makefile. The ultimate default is ISO-8859-1.

Header names follow the syntax of RFC 2822, which states that they may contain any printing characters except space and colon. Consequently, curly brackets do not terminate header names, and should not be used to enclose them as if they were variables. Attempting to do so causes a syntax error.

Only header lines that are common to all copies of a message are visible to this mechanism. These are the original header lines that are received with the message, and any that are added by an ACL statement or by a system filter. Header lines that are added to a particular copy of a message by a router or transport are not accessible.

For incoming SMTP messages, no header lines are visible in ACLs that are obeyed before the data phase completes, because the header structure is not set up until the message is received. They are visible in DKIM, PRDR and DATA ACLs. Header lines that are added in a RCPT ACL (for example) are saved until the message’s incoming header lines are available, at which point they are added. When any of the above ACLs are running, however, header lines added by earlier ACLs are visible.

Upper case and lower case letters are synonymous in header names. If the following character is white space, the terminating colon may be omitted, but this is not recommended, because you may then forget it when it is needed. When white space terminates the header name, this white space is included in the expanded string. If the message does not contain the given header, the expansion item is replaced by an empty string. (See the def condition in section 11.7 for a means of testing for the existence of a header.)

If there is more than one header with the same name, they are all concatenated to form the substitution string, up to a maximum length of 64K. Unless rheader is being used, leading and trailing white space is removed from each header before concatenation, and a completely empty header is ignored. A newline character is then inserted between non-empty headers, but there is no newline at the very end. For the header and bheader expansion, for those headers that contain lists of addresses, a comma is also inserted at the junctions between headers. This does not happen for the rheader expansion.

When the headers are from an incoming message, the result of expanding any of these variables is tainted.

${hmac{<hashname>}{<secret>}{<string>}}

This function uses cryptographic hashing (either MD5 or SHA-1) to convert a shared secret and some text into a message authentication code, as specified in RFC 2104. This differs from ${md5:secret_text...} or ${sha1:secret_text...} in that the hmac step adds a signature to the cryptographic hash, allowing for authentication that is not possible with MD5 or SHA-1 alone. The hash name must expand to either md5 or sha1 at present. For example:

${hmac{md5}{somesecret}{$primary_hostname $tod_log}}

For the hostname mail.example.com and time 2002-10-17 11:30:59, this produces:

dd97e3ba5d1a61b5006108f8c8252953

As an example of how this might be used, you might put in the main part of an Exim configuration:

SPAMSCAN_SECRET=cohgheeLei2thahw

In a router or a transport you could then have:

headers_add = \
  X-Spam-Scanned: ${primary_hostname} ${message_exim_id} \
  ${hmac{md5}{SPAMSCAN_SECRET}\
  {${primary_hostname},${message_exim_id},$h_message-id:}}

Then given a message, you can check where it was scanned by looking at the X-Spam-Scanned: header line. If you know the secret, you can check that this header line is authentic by recomputing the authentication code from the host name, message ID and the Message-id: header line. This can be done using Exim’s -be option, or by other means, for example, by using the hmac_md5_hex() function in Perl.

${if <condition> {<string1>}{<string2>}}

If <condition> is true, <string1> is expanded and replaces the whole item; otherwise <string2> is used. The available conditions are described in section 11.7 below. For example:

${if eq {$local_part}{postmaster} {yes}{no} }

The second string need not be present; if it is not and the condition is not true, the item is replaced with nothing. Alternatively, the word “fail” may be present instead of the second string (without any curly brackets). In this case, the expansion is forced to fail if the condition is not true (see section 11.4).

If both strings are omitted, the result is the string true if the condition is true, and the empty string if the condition is false. This makes it less cumbersome to write custom ACL and router conditions. For example, instead of

condition = ${if >{$acl_m4}{3}{true}{false}}

you can use

condition = ${if >{$acl_m4}{3}}
${imapfolder{<foldername>}}

This item converts a (possibly multilevel, or with non-ASCII characters) folder specification to a Maildir name for filesystem use. For information on internationalisation support see 60.2.

${length{<string1>}{<string2>}}

The length item is used to extract the initial portion of a string. Both strings are expanded, and the first one must yield a number, <n>, say. If you are using a fixed value for the number, that is, if <string1> does not change when expanded, you can use the simpler operator notation that avoids some of the braces:

${length_<n>:<string>}

The result of this item is either the first <n> bytes or the whole of <string2>, whichever is the shorter. Do not confuse length with strlen, which gives the length of a string. All measurement is done in bytes and is not UTF-8 aware.

${listextract{<number>}{<string1>}{<string2>}{<string3>}}

The <number> argument must consist entirely of decimal digits, apart from an optional leading minus, and leading and trailing white space (which is ignored).

After expansion, <string1> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way (6.21).

The first field of the list is numbered one. If the number is negative, the fields are counted from the end of the list, with the rightmost one numbered -1. The numbered element of the list is extracted and placed in $value, then <string2> is expanded as the result.

If the modulus of the number is zero or greater than the number of fields in the string, the result is the expansion of <string3>.

For example:

${listextract{2}{x:42:99}}

yields “42”, and

${listextract{-3}{<, x,42,99,& Mailer,,/bin/bash}{result: $value}}

yields “result: 42”.

If {<string3>} is omitted, an empty string is used for string3. If {<string2>} is also omitted, the value that was extracted is used. You can use fail instead of {<string3>} as in a string extract.

${listquote{<separator>}{<string>}}

This item doubles any occurrence of the separator character in the given string. An empty string is replaced with a single space. This converts the string into a safe form for use as a list element, in a list using the given separator.

${lookup {<key><search type> {<file>} {<string1>} {<string2>}}
${lookup <search type> {<query>} {<string1>} {<string2>}}

The two forms of lookup item specify data lookups in files and databases, as discussed in chapter 9. The first form is used for single-key lookups, and the second is used for query-style lookups. The <key>, <file>, and <query> strings are expanded before use.

If there is any white space in a lookup item which is part of a filter command, a retry or rewrite rule, a routing rule for the manualroute router, or any other place where white space is significant, the lookup item must be enclosed in double quotes. The use of data lookups in users’ filter files may be locked out by the system administrator.

If the lookup succeeds, <string1> is expanded and replaces the entire item. During its expansion, the variable $value contains the data returned by the lookup. Afterwards it reverts to the value it had previously (at the outer level it is empty). If the lookup fails, <string2> is expanded and replaces the entire item. If {<string2>} is omitted, the replacement is the empty string on failure. If <string2> is provided, it can itself be a nested lookup, thus providing a mechanism for looking up a default value when the original lookup fails.

If a nested lookup is used as part of <string1>, $value contains the data for the outer lookup while the parameters of the second lookup are expanded, and also while <string2> of the second lookup is expanded, should the second lookup fail. Instead of {<string2>} the word “fail” can appear, and in this case, if the lookup fails, the entire expansion is forced to fail (see section 11.4). If both {<string1>} and {<string2>} are omitted, the result is the looked up value in the case of a successful lookup, and nothing in the case of failure.

For single-key lookups, the string “partial” is permitted to precede the search type in order to do partial matching, and * or *@ may follow a search type to request default lookups if the key does not match (see sections 9.6 and 9.7 for details).

If a partial search is used, the variables $1 and $2 contain the wild and non-wild parts of the key during the expansion of the replacement text. They return to their previous values at the end of the lookup item.

This example looks up the postmaster alias in the conventional alias file:

${lookup {postmaster} lsearch {/etc/aliases} {$value}}

This example uses NIS+ to look up the full name of the user corresponding to the local part of an address, forcing the expansion to fail if it is not found:

${lookup nisplus {[name=$local_part],passwd.org_dir:gcos} \
  {$value}fail}
${map{<string1>}{<string2>}}

After expansion, <string1> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way (6.21). For each item in this list, its value is place in $item, and then <string2> is expanded and added to the output as an item in a new list. The separator used for the output list is the same as the one used for the input, but a separator setting is not included in the output. For example:

${map{a:b:c}{[$item]}} ${map{<- x-y-z}{($item)}}

expands to [a]:[b]:[c] (x)-(y)-(z). At the end of the expansion, the value of $item is restored to what it was before. See also the filter and reduce expansion items.

${nhash{<string1>}{<string2>}{<string3>}}

The three strings are expanded; the first two must yield numbers. Call them <n> and <m>. If you are using fixed values for these numbers, that is, if <string1> and <string2> do not change when they are expanded, you can use the simpler operator notation that avoids some of the braces:

${nhash_<n>_<m>:<string>}

The second number is optional (in both notations). If there is only one number, the result is a number in the range 0–<n>-1. Otherwise, the string is processed by a div/mod hash function that returns two numbers, separated by a slash, in the ranges 0 to <n>-1 and 0 to <m>-1, respectively. For example,

${nhash{8}{64}{supercalifragilisticexpialidocious}}

returns the string “6/33”.

${perl{<subroutine>}{<arg>}{<arg>}...}

This item is available only if Exim has been built to include an embedded Perl interpreter. The subroutine name and the arguments are first separately expanded, and then the Perl subroutine is called with those arguments. No additional arguments need be given; the maximum number permitted, including the name of the subroutine, is nine.

The return value of the subroutine is inserted into the expanded string, unless the return value is undef. In that case, the entire expansion is forced to fail, in the same way as an explicit “fail” on a lookup item does (see section 11.4). Whatever you return is evaluated in a scalar context, thus the return value is a scalar. For example, if you return a Perl vector, the return value is the size of the vector, not its contents.

If the subroutine exits by calling Perl’s die function, the expansion fails with the error message that was passed to die. More details of the embedded Perl facility are given in chapter 12.

The redirect router has an option called forbid_filter_perl which locks out the use of this expansion item in filter files.

${prvs{<address>}{<secret>}{<keynumber>}}

The first argument is a complete email address and the second is secret keystring. The third argument, specifying a key number, is optional. If absent, it defaults to 0. The result of the expansion is a prvs-signed email address, to be typically used with the return_path option on an smtp transport as part of a bounce address tag validation (BATV) scheme. For more discussion and an example, see section 44.52.

${prvscheck{<address>}{<secret>}{<string>}}

This expansion item is the complement of the prvs item. It is used for checking prvs-signed addresses. If the expansion of the first argument does not yield a syntactically valid prvs-signed address, the whole item expands to the empty string. When the first argument does expand to a syntactically valid prvs-signed address, the second argument is expanded, with the prvs-decoded version of the address and the key number extracted from the address in the variables $prvscheck_address and $prvscheck_keynum, respectively.

These two variables can be used in the expansion of the second argument to retrieve the secret. The validity of the prvs-signed address is then checked against the secret. The result is stored in the variable $prvscheck_result, which is empty for failure or “1” for success.

The third argument is optional; if it is missing, it defaults to an empty string. This argument is now expanded. If the result is an empty string, the result of the expansion is the decoded version of the address. This is the case whether or not the signature was valid. Otherwise, the result of the expansion is the expansion of the third argument.

All three variables can be used in the expansion of the third argument. However, once the expansion is complete, only $prvscheck_result remains set. For more discussion and an example, see section 44.52.

${readfile{<file name>}{<eol string>}}

The filename and end-of-line (eol) string are first expanded separately. The file is then read, and its contents replace the entire item. All newline characters in the file are replaced by the end-of-line string if it is present. Otherwise, newlines are left in the string. String expansion is not applied to the contents of the file. If you want this, you must wrap the item in an expand operator. If the file cannot be read, the string expansion fails.

The redirect router has an option called forbid_filter_readfile which locks out the use of this expansion item in filter files.

${readsocket{<name>}{<request>}{<options>}{<eol string>}{<fail string>}}

This item inserts data from a Unix domain or TCP socket into the expanded string. The minimal way of using it uses just two arguments, as in these examples:

${readsocket{/socket/name}{request string}}
${readsocket{inet:some.host:1234}{request string}}

For a Unix domain socket, the first substring must be the path to the socket. For an Internet socket, the first substring must contain inet: followed by a host name or IP address, followed by a colon and a port, which can be a number or the name of a TCP port in /etc/services. An IP address may optionally be enclosed in square brackets. This is best for IPv6 addresses. For example:

${readsocket{inet:[::1]:1234}{request string}}

Only a single host name may be given, but if looking it up yields more than one IP address, they are each tried in turn until a connection is made. For both kinds of socket, Exim makes a connection, writes the request string (unless it is an empty string; no terminating NUL is ever sent) and reads from the socket until an end-of-file is read. A timeout of 5 seconds is applied. Additional, optional arguments extend what can be done. Firstly, you can vary the timeout. For example:

${readsocket{/socket/name}{request string}{3s}}

The third argument is a list of options, of which the first element is the timeout and must be present if any options are given. Further elements are options of form name=value. Example:

${readsocket{/socket/name}{request string}{3s:shutdown=no}}

The following option names are recognised:

  • cache Defines if the result data can be cached for use by a later identical request in the same process. Values are “yes” or “no” (the default). If not, all cached results for this connection specification will be invalidated.

  • shutdown Defines whether or not a write-shutdown is done on the connection after sending the request. Values are “yes” (the default) or “no” (preferred, eg. by some webservers).

  • tls Controls the use of TLS on the connection. Values are “yes” or “no” (the default). If it is enabled, a shutdown as descripbed above is never done.

A fourth argument allows you to change any newlines that are in the data that is read, in the same way as for readfile (see above). This example turns them into spaces:

${readsocket{inet:127.0.0.1:3294}{request string}{3s}{ }}

As with all expansions, the substrings are expanded before the processing happens. Errors in these sub-expansions cause the expansion to fail. In addition, the following errors can occur:

  • Failure to create a socket file descriptor;

  • Failure to connect the socket;

  • Failure to write the request string;

  • Timeout on reading from the socket.

By default, any of these errors causes the expansion to fail. However, if you supply a fifth substring, it is expanded and used when any of the above errors occurs. For example:

${readsocket{/socket/name}{request string}{3s}{\n}\
  {socket failure}}

You can test for the existence of a Unix domain socket by wrapping this expansion in ${if exists, but there is a race condition between that test and the actual opening of the socket, so it is safer to use the fifth argument if you want to be absolutely sure of avoiding an expansion error for a non-existent Unix domain socket, or a failure to connect to an Internet socket.

The redirect router has an option called forbid_filter_readsocket which locks out the use of this expansion item in filter files.

${reduce{<string1>}{<string2>}{<string3>}}

This operation reduces a list to a single, scalar string. After expansion, <string1> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way (6.21). Then <string2> is expanded and assigned to the $value variable. After this, each item in the <string1> list is assigned to $item, in turn, and <string3> is expanded for each of them. The result of that expansion is assigned to $value before the next iteration. When the end of the list is reached, the final value of $value is added to the expansion output. The reduce expansion item can be used in a number of ways. For example, to add up a list of numbers:

${reduce {<, 1,2,3}{0}{${eval:$value+$item}}}

The result of that expansion would be 6. The maximum of a list of numbers can be found:

${reduce {3:0:9:4:6}{0}{${if >{$item}{$value}{$item}{$value}}}}

At the end of a reduce expansion, the values of $item and $value are restored to what they were before. See also the filter and map expansion items.

$rheader_<header name>: or $rh_<header name>:

This item inserts “raw” header lines. It is described with the header expansion item in section 11.5 above.

${run{<command> <args>}{<string1>}{<string2>}}

The command and its arguments are first expanded as one string. The string is split apart into individual arguments by spaces, and then the command is run in a separate process, but under the same uid and gid. As in other command executions from Exim, a shell is not used by default. If the command requires a shell, you must explicitly code it.

Since the arguments are split by spaces, when there is a variable expansion which has an empty result, it will cause the situation that the argument will simply be omitted when the program is actually executed by Exim. If the script/program requires a specific number of arguments and the expanded variable could possibly result in this empty expansion, the variable must be quoted. This is more difficult if the expanded variable itself could result in a string containing quotes, because it would interfere with the quotes around the command arguments. A possible guard against this is to wrap the variable in the sg operator to change any quote marks to some other character.

The standard input for the command exists, but is empty. The standard output and standard error are set to the same file descriptor. If the command succeeds (gives a zero return code) <string1> is expanded and replaces the entire item; during this expansion, the standard output/error from the command is in the variable $value. If the command fails, <string2>, if present, is expanded and used. Once again, during the expansion, the standard output/error from the command is in the variable $value.

If <string2> is absent, the result is empty. Alternatively, <string2> can be the word “fail” (not in braces) to force expansion failure if the command does not succeed. If both strings are omitted, the result is contents of the standard output/error on success, and nothing on failure.

The standard output/error of the command is put in the variable $value. In this ACL example, the output of a command is logged for the admin to troubleshoot:

warn  condition    = ${run{/usr/bin/id}{yes}{no}}
      log_message  = Output of id: $value

If the command requires shell idioms, such as the > redirect operator, the shell must be invoked directly, such as with:

${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{yes}}

The return code from the command is put in the variable $runrc, and this remains set afterwards, so in a filter file you can do things like this:

if "${run{x y z}{}}$runrc" is 1 then ...
  elif $runrc is 2 then ...
  ...
endif

If execution of the command fails (for example, the command does not exist), the return code is 127 – the same code that shells use for non-existent commands.

Warning: In a router or transport, you cannot assume the order in which option values are expanded, except for those preconditions whose order of testing is documented. Therefore, you cannot reliably expect to set $runrc by the expansion of one option, and use it in another.

The redirect router has an option called forbid_filter_run which locks out the use of this expansion item in filter files.

${sg{<subject>}{<regex>}{<replacement>}}

This item works like Perl’s substitution operator (s) with the global (/g) option; hence its name. However, unlike the Perl equivalent, Exim does not modify the subject string; instead it returns the modified string for insertion into the overall expansion. The item takes three arguments: the subject string, a regular expression, and a substitution string. For example:

${sg{abcdefabcdef}{abc}{xyz}}

yields “xyzdefxyzdef”. Because all three arguments are expanded before use, if any $, } or \ characters are required in the regular expression or in the substitution string, they have to be escaped. For example:

${sg{abcdef}{^(...)(...)\$}{\$2\$1}}

yields “defabc”, and

${sg{1=A 4=D 3=C}{\N(\d+)=\N}{K\$1=}}

yields “K1=A K4=D K3=C”. Note the use of \N to protect the contents of the regular expression from string expansion.

The regular expression is compiled in 8-bit mode, working against bytes rather than any Unicode-aware character handling.

${sort{<string>}{<comparator>}{<extractor>}}

After expansion, <string> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way (6.21). The <comparator> argument is interpreted as the operator of a two-argument expansion condition. The numeric operators plus ge, gt, le, lt (and ~i variants) are supported. The comparison should return true when applied to two values if the first value should sort before the second value. The <extractor> expansion is applied repeatedly to elements of the list, the element being placed in $item, to give values for comparison.

The item result is a sorted list, with the original list separator, of the list elements (in full) of the original.

Examples:

${sort{3:2:1:4}{<}{$item}}

sorts a list of numbers, and

${sort {${lookup dnsdb{>:,,mx=example.com}}} {<} {${listextract{1}{<,$item}}}}

will sort an MX lookup into priority order.

${srs_encode {<secret>}{<return path>}{<original domain>}}

SRS encoding. See SECT 58.5 for details.

${substr{<string1>}{<string2>}{<string3>}}

The three strings are expanded; the first two must yield numbers. Call them <n> and <m>. If you are using fixed values for these numbers, that is, if <string1> and <string2> do not change when they are expanded, you can use the simpler operator notation that avoids some of the braces:

${substr_<n>_<m>:<string>}

The second number is optional (in both notations). If it is absent in the simpler format, the preceding underscore must also be omitted.

The substr item can be used to extract more general substrings than length. The first number, <n>, is a starting offset, and <m> is the length required. For example

${substr{3}{2}{$local_part}}

If the starting offset is greater than the string length the result is the null string; if the length plus starting offset is greater than the string length, the result is the right-hand part of the string, starting from the given offset. The first byte (character) in the string has offset zero.

The substr expansion item can take negative offset values to count from the right-hand end of its operand. The last byte (character) is offset -1, the second-last is offset -2, and so on. Thus, for example,

${substr{-5}{2}{1234567}}

yields “34”. If the absolute value of a negative offset is greater than the length of the string, the substring starts at the beginning of the string, and the length is reduced by the amount of overshoot. Thus, for example,

${substr{-5}{2}{12}}

yields an empty string, but

${substr{-3}{2}{12}}

yields “1”.

When the second number is omitted from substr, the remainder of the string is taken if the offset is positive. If it is negative, all bytes (characters) in the string preceding the offset point are taken. For example, an offset of -1 and no length, as in these semantically identical examples:

${substr_-1:abcde}
${substr{-1}{abcde}}

yields all but the last character of the string, that is, “abcd”.

All measurement is done in bytes and is not UTF-8 aware.

${tr{<subject>}{<characters>}{<replacements>}}

This item does single-character (in bytes) translation on its subject string. The second argument is a list of characters to be translated in the subject string. Each matching character is replaced by the corresponding character from the replacement list. For example

${tr{abcdea}{ac}{13}}

yields 1b3de1. If there are duplicates in the second character string, the last occurrence is used. If the third string is shorter than the second, its last character is replicated. However, if it is empty, no translation takes place.

All character handling is done in bytes and is not UTF-8 aware.

6. Expansion operators

For expansion items that perform transformations on a single argument string, the “operator” notation is used because it is simpler and uses fewer braces. The substring is first expanded before the operation is applied to it. The following operations can be performed:

${address:<string>}

The string is interpreted as an RFC 2822 address, as it might appear in a header line, and the effective address is extracted from it. If the string does not parse successfully, the result is empty.

The parsing correctly handles SMTPUTF8 Unicode in the string.

${addresses:<string>}

The string (after expansion) is interpreted as a list of addresses in RFC 2822 format, such as can be found in a To: or Cc: header line. The operative address (local-part@domain) is extracted from each item, and the result of the expansion is a colon-separated list, with appropriate doubling of colons should any happen to be present in the email addresses. Syntactically invalid RFC2822 address items are omitted from the output.

It is possible to specify a character other than colon for the output separator by starting the string with > followed by the new separator character. For example:

${addresses:>& Chief <ceo@up.stairs>, sec@base.ment (dogsbody)}

expands to ceo@up.stairs&sec@base.ment. The string is expanded first, so if the expanded string starts with >, it may change the output separator unintentionally. This can be avoided by setting the output separator explicitly:

${addresses:>:$h_from:}

Compare the address (singular) expansion item, which extracts the working address from a single RFC2822 address. See the filter, map, and reduce items for ways of processing lists.

To clarify "list of addresses in RFC 2822 format" mentioned above, Exim follows a strict interpretation of header line formatting. Exim parses the bare, unquoted portion of an email address and if it finds a comma, treats it as an email address separator. For the example header line:

From: =?iso-8859-2?Q?Last=2C_First?= <user@example.com>

The first example below demonstrates that Q-encoded email addresses are parsed properly if it is given the raw header (in this example, $rheader_from:). It does not see the comma because it’s still encoded as "=2C". The second example below is passed the contents of $header_from:, meaning it gets de-mimed. Exim sees the decoded "," so it treats it as two email addresses. The third example shows that the presence of a comma is skipped when it is quoted. The fourth example shows SMTPUTF8 handling.

# exim -be '${addresses:From: \
=?iso-8859-2?Q?Last=2C_First?= <user@example.com>}'
user@example.com
# exim -be '${addresses:From: Last, First <user@example.com>}'
Last:user@example.com
# exim -be '${addresses:From: "Last, First" <user@example.com>}'
user@example.com
# exim -be '${addresses:フィル <フィリップ@example.jp>}'
フィリップ@example.jp
${base32:<digits>}

The string must consist entirely of decimal digits. The number is converted to base 32 and output as a (empty, for zero) string of characters. Only lowercase letters are used.

${base32d:<base-32 digits>}

The string must consist entirely of base-32 digits. The number is converted to decimal and output as a string.

${base62:<digits>}

The string must consist entirely of decimal digits. The number is converted to base 62 and output as a string of six characters, including leading zeros. In the few operating environments where Exim uses base 36 instead of base 62 for its message identifiers (because those systems do not have case-sensitive filenames), base 36 is used by this operator, despite its name. Note: Just to be absolutely clear: this is not base64 encoding.

${base62d:<base-62 digits>}

The string must consist entirely of base-62 digits, or, in operating environments where Exim uses base 36 instead of base 62 for its message identifiers, base-36 digits. The number is converted to decimal and output as a string.

${base64:<string>}

This operator converts a string into one that is base64 encoded.

If the string is a single variable of type certificate, returns the base64 encoding of the DER form of the certificate.

${base64d:<string>}

This operator converts a base64-encoded string into the un-coded form.

${domain:<string>}

The string is interpreted as an RFC 2822 address and the domain is extracted from it. If the string does not parse successfully, the result is empty.

${escape:<string>}

If the string contains any non-printing characters, they are converted to escape sequences starting with a backslash. Whether characters with the most significant bit set (so-called “8-bit characters”) count as printing or not is controlled by the print_topbitchars option.

${escape8bit:<string>}

If the string contains any characters with the most significant bit set, they are converted to escape sequences starting with a backslash. Backslashes and DEL characters are also converted.

${eval:<string>} and ${eval10:<string>}

These items supports simple arithmetic and bitwise logical operations in expansion strings. The string (after expansion) must be a conventional arithmetic expression, but it is limited to basic arithmetic operators, bitwise logical operators, and parentheses. All operations are carried out using integer arithmetic. The operator priorities are as follows (the same as in the C programming language):

    highest: not (~), negate (-)
     multiply (*), divide (/), remainder (%)
     plus (+), minus (-)
     shift-left (<<), shift-right (>>)
     and (&)
     xor (^)
    lowest: or (|)

Binary operators with the same priority are evaluated from left to right. White space is permitted before or after operators.

For eval, numbers may be decimal, octal (starting with “0”) or hexadecimal (starting with “0x”). For eval10, all numbers are taken as decimal, even if they start with a leading zero; hexadecimal numbers are not permitted. This can be useful when processing numbers extracted from dates or times, which often do have leading zeros.

A number may be followed by “K”, “M” or “G” to multiply it by 1024, 1024*1024 or 1024*1024*1024, respectively. Negative numbers are supported. The result of the computation is a decimal representation of the answer (without “K”, “M” or “G”). For example:

${eval:1+1}              yields 2
${eval:1+2*3}            yields 7
${eval:(1+2)*3}          yields 9
${eval:2+42%5}           yields 4
${eval:0xc&5}            yields 4
${eval:0xc|5}            yields 13
${eval:0xc^5}            yields 9
${eval:0xc>>1}           yields 6
${eval:0xc<<1}           yields 24
${eval:~255&0x1234}      yields 4608
${eval:-(~255&0x1234)}   yields -4608

As a more realistic example, in an ACL you might have

deny   condition =                    \
         ${if and {                   \
           {>{$rcpt_count}{10}}       \
           {                          \
           <                          \
             {$recipients_count}      \
             {${eval:$rcpt_count/2}}  \
           }                          \
         }{yes}{no}}
       message = Too many bad recipients

The condition is true if there have been more than 10 RCPT commands and fewer than half of them have resulted in a valid recipient.

${expand:<string>}

The expand operator causes a string to be expanded for a second time. For example,

${expand:${lookup{$domain}dbm{/some/file}{$value}}}

first looks up a string in a file while expanding the operand for expand, and then re-expands what it has found.

${from_utf8:<string>}

The world is slowly moving towards Unicode, although there are no standards for email yet. However, other applications (including some databases) are starting to store data in Unicode, using UTF-8 encoding. This operator converts from a UTF-8 string to an ISO-8859-1 string. UTF-8 code values greater than 255 are converted to underscores. The input must be a valid UTF-8 string. If it is not, the result is an undefined sequence of bytes.

Unicode code points with values less than 256 are compatible with ASCII and ISO-8859-1 (also known as Latin-1). For example, character 169 is the copyright symbol in both cases, though the way it is encoded is different. In UTF-8, more than one byte is needed for characters with code values greater than 127, whereas ISO-8859-1 is a single-byte encoding (but thereby limited to 256 characters). This makes translation from UTF-8 to ISO-8859-1 straightforward.

${hash_<n>_<m>:<string>}

The hash operator is a simpler interface to the hashing function that can be used when the two parameters are fixed numbers (as opposed to strings that change when expanded). The effect is the same as

${hash{<n>}{<m>}{<string>}}

See the description of the general hash item above for details. The abbreviation h can be used when hash is used as an operator.

${hex2b64:<hexstring>}

This operator converts a hex string into one that is base64 encoded. This can be useful for processing the output of the various hashing functions.

${hexquote:<string>}

This operator converts non-printable characters in a string into a hex escape form. Byte values between 33 (!) and 126 (~) inclusive are left as is, and other byte values are converted to \xNN, for example, a byte value 127 is converted to \x7f.

${ipv6denorm:<string>}

This expands an IPv6 address to a full eight-element colon-separated set of hex digits including leading zeroes. A trailing ipv4-style dotted-decimal set is converted to hex. Pure IPv4 addresses are converted to IPv4-mapped IPv6.

${ipv6norm:<string>}

This converts an IPv6 address to canonical form. Leading zeroes of groups are omitted, and the longest set of zero-valued groups is replaced with a double colon. A trailing ipv4-style dotted-decimal set is converted to hex. Pure IPv4 addresses are converted to IPv4-mapped IPv6.

${lc:<string>}

This forces the letters in the string into lower-case, for example:

${lc:$local_part}

Case is defined per the system C locale.

${length_<number>:<string>}

The length operator is a simpler interface to the length function that can be used when the parameter is a fixed number (as opposed to a string that changes when expanded). The effect is the same as

${length{<number>}{<string>}}

See the description of the general length item above for details. Note that length is not the same as strlen. The abbreviation l can be used when length is used as an operator. All measurement is done in bytes and is not UTF-8 aware.

${listcount:<string>}

The string is interpreted as a list and the number of items is returned.

${listnamed:<name>} and ${listnamed_<type>:<name>}

The name is interpreted as a named list and the content of the list is returned, expanding any referenced lists, re-quoting as needed for colon-separation. If the optional type is given it must be one of "a", "d", "h" or "l" and selects address-, domain-, host- or localpart- lists to search among respectively. Otherwise all types are searched in an undefined order and the first matching list is returned.

Note: Neither string-expansion of lists referenced by named-list syntax elements, nor expansion of lookup elements, is done by the listnamed operator.

${local_part:<string>}

The string is interpreted as an RFC 2822 address and the local part is extracted from it. If the string does not parse successfully, the result is empty. The parsing correctly handles SMTPUTF8 Unicode in the string.

${mask:<IP address>/<bit count>}

If the form of the string to be operated on is not an IP address followed by a slash and an integer (that is, a network address in CIDR notation), the expansion fails. Otherwise, this operator converts the IP address to binary, masks off the least significant bits according to the bit count, and converts the result back to text, with mask appended. For example,

${mask:10.111.131.206/28}

returns the string “10.111.131.192/28”. Since this operation is expected to be mostly used for looking up masked addresses in files, the result for an IPv6 address uses dots to separate components instead of colons, because colon terminates a key string in lsearch files. So, for example,

${mask:3ffe:ffff:836f:0a00:000a:0800:200a:c031/99}

returns the string

3ffe.ffff.836f.0a00.000a.0800.2000.0000/99

Letters in IPv6 addresses are always output in lower case.

${md5:<string>}

The md5 operator computes the MD5 hash value of the string, and returns it as a 32-digit hexadecimal number, in which any letters are in lower case.

If the string is a single variable of type certificate, returns the MD5 hash fingerprint of the certificate.

${nhash_<n>_<m>:<string>}

The nhash operator is a simpler interface to the numeric hashing function that can be used when the two parameters are fixed numbers (as opposed to strings that change when expanded). The effect is the same as

${nhash{<n>}{<m>}{<string>}}

See the description of the general nhash item above for details.

${quote:<string>}

The quote operator puts its argument into double quotes if it is an empty string or contains anything other than letters, digits, underscores, dots, and hyphens. Any occurrences of double quotes and backslashes are escaped with a backslash. Newlines and carriage returns are converted to \n and \r, respectively For example,

${quote:ab"*"cd}

becomes

"ab\"*\"cd"

The place where this is useful is when the argument is a substitution from a variable or a message header.

${quote_local_part:<string>}

This operator is like quote, except that it quotes the string only if required to do so by the rules of RFC 2822 for quoting local parts. For example, a plus sign would not cause quoting (but it would for quote). If you are creating a new email address from the contents of $local_part (or any other unknown data), you should always use this operator.

This quoting determination is not SMTPUTF8-aware, thus quoting non-ASCII data will likely use the quoting form. Thus ${quote_local_part:フィル} will always become "フィル".

${quote_<lookup-type>:<string>}

This operator applies lookup-specific quoting rules to the string. Each query-style lookup type has its own quoting rules which are described with the lookups in chapter 9. For example,

${quote_ldap:two * two}

returns

two%20%5C2A%20two

For single-key lookup types, no quoting is ever necessary and this operator yields an unchanged string.

${randint:<n>}

This operator returns a somewhat random number which is less than the supplied number and is at least 0. The quality of this randomness depends on how Exim was built; the values are not suitable for keying material. If Exim is linked against OpenSSL then RAND_pseudo_bytes() is used. If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used, for versions of GnuTLS with that function. Otherwise, the implementation may be arc4random(), random() seeded by srandomdev() or srandom(), or a custom implementation even weaker than random().

${reverse_ip:<ipaddr>}

This operator reverses an IP address; for IPv4 addresses, the result is in dotted-quad decimal form, while for IPv6 addresses the result is in dotted-nibble hexadecimal form. In both cases, this is the "natural" form for DNS. For example,

${reverse_ip:192.0.2.4}
${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.127}

returns

4.2.0.192
f.7.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
${rfc2047:<string>}

This operator encodes text according to the rules of RFC 2047. This is an encoding that is used in header lines to encode non-ASCII characters. It is assumed that the input string is in the encoding specified by the headers_charset option, which gets its default at build time. If the string contains only characters in the range 33–126, and no instances of the characters

? = ( ) < > @ , ; : \ " . [ ] _

it is not modified. Otherwise, the result is the RFC 2047 encoding of the string, using as many “encoded words” as necessary to encode all the characters.

${rfc2047d:<string>}

This operator decodes strings that are encoded as per RFC 2047. Binary zero bytes are replaced by question marks. Characters are converted into the character set defined by headers_charset. Overlong RFC 2047 “words” are not recognized unless check_rfc2047_length is set false.

Note: If you use $header_xxx: (or $h_xxx:) to access a header line, RFC 2047 decoding is done automatically. You do not need to use this operator as well.

${rxquote:<string>}

The rxquote operator inserts a backslash before any non-alphanumeric characters in its argument. This is useful when substituting the values of variables or headers inside regular expressions.

${sha1:<string>}

The sha1 operator computes the SHA-1 hash value of the string, and returns it as a 40-digit hexadecimal number, in which any letters are in upper case.

If the string is a single variable of type certificate, returns the SHA-1 hash fingerprint of the certificate.

${sha256:<string>}
${sha2:<string>}
${sha2_<n>:<string>}

The sha256 operator computes the SHA-256 hash value of the string and returns it as a 64-digit hexadecimal number, in which any letters are in upper case.

If the string is a single variable of type certificate, returns the SHA-256 hash fingerprint of the certificate.

The operator can also be spelled sha2 and does the same as sha256 (except for certificates, which are not supported). Finally, if an underbar and a number is appended it specifies the output length, selecting a member of the SHA-2 family of hash functions. Values of 256, 384 and 512 are accepted, with 256 being the default.

${sha3:<string>}
${sha3_<n>:<string>}

The sha3 operator computes the SHA3-256 hash value of the string and returns it as a 64-digit hexadecimal number, in which any letters are in upper case.

If a number is appended, separated by an underbar, it specifies the output length. Values of 224, 256, 384 and 512 are accepted; with 256 being the default.

The sha3 expansion item is only supported if Exim has been compiled with GnuTLS 3.5.0 or later, or OpenSSL 1.1.1 or later. The macro "_CRYPTO_HASH_SHA3" will be defined if it is supported.

${stat:<string>}

The string, after expansion, must be a file path. A call to the stat() function is made for this path. If stat() fails, an error occurs and the expansion fails. If it succeeds, the data from the stat replaces the item, as a series of <name>=<value> pairs, where the values are all numerical, except for the value of “smode”. The names are: “mode” (giving the mode as a 4-digit octal number), “smode” (giving the mode in symbolic format as a 10-character string, as for the ls command), “inode”, “device”, “links”, “uid”, “gid”, “size”, “atime”, “mtime”, and “ctime”. You can extract individual fields using the extract expansion item.

The use of the stat expansion in users’ filter files can be locked out by the system administrator. Warning: The file size may be incorrect on 32-bit systems for files larger than 2GB.

${str2b64:<string>}

Now deprecated, a synonym for the base64 expansion operator.

${strlen:<string>}

The item is replaced by the length of the expanded string, expressed as a decimal number. Note: Do not confuse strlen with length. All measurement is done in bytes and is not UTF-8 aware.

${substr_<start>_<length>:<string>}

The substr operator is a simpler interface to the substr function that can be used when the two parameters are fixed numbers (as opposed to strings that change when expanded). The effect is the same as

${substr{<start>}{<length>}{<string>}}

See the description of the general substr item above for details. The abbreviation s can be used when substr is used as an operator. All measurement is done in bytes and is not UTF-8 aware.

${time_eval:<string>}

This item converts an Exim time interval such as 2d4h5m into a number of seconds.

${time_interval:<string>}

The argument (after sub-expansion) must be a sequence of decimal digits that represents an interval of time as a number of seconds. It is converted into a number of larger units and output in Exim’s normal time format, for example, 1w3d4h2m6s.

${uc:<string>}

This forces the letters in the string into upper-case. Case is defined per the system C locale.

${utf8clean:<string>}

This replaces any invalid utf-8 sequence in the string by the character ?. In versions of Exim before 4.92, this did not correctly do so for a truncated final codepoint’s encoding, and the character would be silently dropped. If you must handle detection of this scenario across both sets of Exim behavior, the complexity will depend upon the task. For instance, to detect if the first character is multibyte and a 1-byte extraction can be successfully used as a path component (as is common for dividing up delivery folders), you might use:

condition = ${if inlist{${utf8clean:${length_1:$local_part}}}{:?}{yes}{no}}

(which will false-positive if the first character of the local part is a literal question mark).

${utf8_domain_to_alabel:<string>}
${utf8_domain_from_alabel:<string>}
${utf8_localpart_to_alabel:<string>}
${utf8_localpart_from_alabel:<string>}

These convert EAI mail name components between UTF-8 and a-label forms. For information on internationalisation support see 60.1.

7. Expansion conditions

The following conditions are available for testing by the ${if construct while expanding strings:

!<condition>

Preceding any condition with an exclamation mark negates the result of the condition.

<symbolic operator{<string1>}{<string2>}

There are a number of symbolic operators for doing numeric comparisons. They are:

=      equal
==     equal
>      greater
>=     greater or equal
<      less
<=     less or equal

For example:

${if >{$message_size}{10M} ...

Note that the general negation operator provides for inequality testing. The two strings must take the form of optionally signed decimal integers, optionally followed by one of the letters “K”, “M” or “G” (in either upper or lower case), signifying multiplication by 1024, 1024*1024 or 1024*1024*1024, respectively. As a special case, the numerical value of an empty string is taken as zero.

In all cases, a relative comparator OP is testing if <string1> OP <string2>; the above example is checking if $message_size is larger than 10M, not if 10M is larger than $message_size.

acl {{<name>}{<arg1>}{<arg2>}...}

The name and zero to nine argument strings are first expanded separately. The expanded arguments are assigned to the variables $acl_arg1 to $acl_arg9 in order. Any unused are made empty. The variable $acl_narg is set to the number of arguments. The named ACL (see chapter 44) is called and may use the variables; if another acl expansion is used the values are restored after it returns. If the ACL sets a value using a "message =" modifier the variable $value becomes the result of the expansion, otherwise it is empty. If the ACL returns accept the condition is true; if deny, false. If the ACL returns defer the result is a forced-fail.

bool {<string>}

This condition turns a string holding a true or false representation into a boolean state. It parses “true”, “false”, “yes” and “no” (case-insensitively); also integer numbers map to true if non-zero, false if zero. An empty string is treated as false. Leading and trailing whitespace is ignored; thus a string consisting only of whitespace is false. All other string values will result in expansion failure.

When combined with ACL variables, this expansion condition will let you make decisions in one place and act on those decisions in another place. For example:

${if bool{$acl_m_privileged_sender} ...
bool_lax {<string>}

Like bool, this condition turns a string into a boolean state. But where bool accepts a strict set of strings, bool_lax uses the same loose definition that the Router condition option uses. The empty string and the values “false”, “no” and “0” map to false, all others map to true. Leading and trailing whitespace is ignored.

Note that where “bool{00}” is false, “bool_lax{00}” is true.

crypteq {<string1>}{<string2>}

This condition is included in the Exim binary if it is built to support any authentication mechanisms (see chapter 33). Otherwise, it is necessary to define SUPPORT_CRYPTEQ in Local/Makefile to get crypteq included in the binary.

The crypteq condition has two arguments. The first is encrypted and compared against the second, which is already encrypted. The second string may be in the LDAP form for storing encrypted strings, which starts with the encryption type in curly brackets, followed by the data. If the second string does not begin with “{” it is assumed to be encrypted with crypt() or crypt16() (see below), since such strings cannot begin with “{”. Typically this will be a field from a password file. An example of an encrypted string in LDAP form is:

{md5}CY9rzUYh03PK3k6DJie09g==

If such a string appears directly in an expansion, the curly brackets have to be quoted, because they are part of the expansion syntax. For example:

${if crypteq {test}{\{md5\}CY9rzUYh03PK3k6DJie09g==}{yes}{no}}

The following encryption types (whose names are matched case-independently) are supported:

  • {md5} computes the MD5 digest of the first string, and expresses this as printable characters to compare with the remainder of the second string. If the length of the comparison string is 24, Exim assumes that it is base64 encoded (as in the above example). If the length is 32, Exim assumes that it is a hexadecimal encoding of the MD5 digest. If the length not 24 or 32, the comparison fails.

  • {sha1} computes the SHA-1 digest of the first string, and expresses this as printable characters to compare with the remainder of the second string. If the length of the comparison string is 28, Exim assumes that it is base64 encoded. If the length is 40, Exim assumes that it is a hexadecimal encoding of the SHA-1 digest. If the length is not 28 or 40, the comparison fails.

  • {crypt} calls the crypt() function, which traditionally used to use only the first eight characters of the password. However, in modern operating systems this is no longer true, and in many cases the entire password is used, whatever its length.

  • {crypt16} calls the crypt16() function, which was originally created to use up to 16 characters of the password in some operating systems. Again, in modern operating systems, more characters may be used.

Exim has its own version of crypt16(), which is just a double call to crypt(). For operating systems that have their own version, setting HAVE_CRYPT16 in Local/Makefile when building Exim causes it to use the operating system version instead of its own. This option is set by default in the OS-dependent Makefile for those operating systems that are known to support crypt16().

Some years after Exim’s crypt16() was implemented, a user discovered that it was not using the same algorithm as some operating systems’ versions. It turns out that as well as crypt16() there is a function called bigcrypt() in some operating systems. This may or may not use the same algorithm, and both of them may be different to Exim’s built-in crypt16().

However, since there is now a move away from the traditional crypt() functions towards using SHA1 and other algorithms, tidying up this area of Exim is seen as very low priority.

If you do not put a encryption type (in curly brackets) in a crypteq comparison, the default is usually either {crypt} or {crypt16}, as determined by the setting of DEFAULT_CRYPT in Local/Makefile. The default default is {crypt}. Whatever the default, you can always use either function by specifying it explicitly in curly brackets.

def:<variable name>

The def condition must be followed by the name of one of the expansion variables defined in section 11.9. The condition is true if the variable does not contain the empty string. For example:

${if def:sender_ident {from $sender_ident}}

Note that the variable name is given without a leading $ character. If the variable does not exist, the expansion fails.

def:header_<header name>:  or  def:h_<header name>:

This condition is true if a message is being processed and the named header exists in the message. For example,

${if def:header_reply-to:{$h_reply-to:}{$h_from:}}

Note: No $ appears before header_ or h_ in the condition, and the header name must be terminated by a colon if white space does not follow.

eq {<string1>}{<string2>}
eqi {<string1>}{<string2>}

The two substrings are first expanded. The condition is true if the two resulting strings are identical. For eq the comparison includes the case of letters, whereas for eqi the comparison is case-independent, where case is defined per the system C locale.

exists {<file name>}

The substring is first expanded and then interpreted as an absolute path. The condition is true if the named file (or directory) exists. The existence test is done by calling the stat() function. The use of the exists test in users’ filter files may be locked out by the system administrator.

Note: Testing a path using this condition is not a sufficient way of de-tainting it. Consider using a dsearch lookup.

first_delivery

This condition, which has no data, is true during a message’s first delivery attempt. It is false during any subsequent delivery attempts.

forall{<a list>}{<a condition>}
forany{<a list>}{<a condition>}

These conditions iterate over a list. The first argument is expanded to form the list. By default, the list separator is a colon, but it can be changed by the normal method (6.21). The second argument is interpreted as a condition that is to be applied to each item in the list in turn. During the interpretation of the condition, the current list item is placed in a variable called $item.

  • For forany, interpretation stops if the condition is true for any item, and the result of the whole condition is true. If the condition is false for all items in the list, the overall condition is false.

  • For forall, interpretation stops if the condition is false for any item, and the result of the whole condition is false. If the condition is true for all items in the list, the overall condition is true.

Note that negation of forany means that the condition must be false for all items for the overall condition to succeed, and negation of forall means that the condition must be false for at least one item. In this example, the list separator is changed to a comma:

${if forany{<, $recipients}{match{$item}{^user3@}}{yes}{no}}

The value of $item is saved and restored while forany or forall is being processed, to enable these expansion items to be nested.

To scan a named list, expand it with the listnamed operator.

forall_json{<a JSON array>}{<a condition>}
forany_json{<a JSON array>}{<a condition>}
forall_jsons{<a JSON array>}{<a condition>}
forany_jsons{<a JSON array>}{<a condition>}

As for the above, except that the first argument must, after expansion, be a JSON array. The array separator is not changeable. For the “jsons” variants the elements are expected to be JSON strings and have their quotes removed before the evaluation of the condition.

ge {<string1>}{<string2>}
gei {<string1>}{<string2>}

The two substrings are first expanded. The condition is true if the first string is lexically greater than or equal to the second string. For ge the comparison includes the case of letters, whereas for gei the comparison is case-independent. Case and collation order are defined per the system C locale.

gt {<string1>}{<string2>}
gti {<string1>}{<string2>}

The two substrings are first expanded. The condition is true if the first string is lexically greater than the second string. For gt the comparison includes the case of letters, whereas for gti the comparison is case-independent. Case and collation order are defined per the system C locale.

inbound_srs {<local part>}{<secret>}

SRS decode. See SECT 58.5 for details.

inlist {<string1>}{<string2>}
inlisti {<string1>}{<string2>}

Both strings are expanded; the second string is treated as a list of simple strings; if the first string is a member of the second, then the condition is true. For the case-independent inlisti condition, case is defined per the system C locale.

These are simpler to use versions of the more powerful forany condition. Examples, and the forany equivalents:

${if inlist{needle}{foo:needle:bar}}
  ${if forany{foo:needle:bar}{eq{$item}{needle}}}
${if inlisti{Needle}{fOo:NeeDLE:bAr}}
  ${if forany{fOo:NeeDLE:bAr}{eqi{$item}{Needle}}}
isip {<string>}
isip4 {<string>}
isip6 {<string>}

The substring is first expanded, and then tested to see if it has the form of an IP address. Both IPv4 and IPv6 addresses are valid for isip, whereas isip4 and isip6 test specifically for IPv4 or IPv6 addresses.

For an IPv4 address, the test is for four dot-separated components, each of which consists of from one to three digits. For an IPv6 address, up to eight colon-separated components are permitted, each containing from one to four hexadecimal digits. There may be fewer than eight components if an empty component (adjacent colons) is present. Only one empty component is permitted.

Note: The checks used to be just on the form of the address; actual numerical values were not considered. Thus, for example, 999.999.999.999 passed the IPv4 check. This is no longer the case.

The main use of these tests is to distinguish between IP addresses and host names, or between IPv4 and IPv6 addresses. For example, you could use

${if isip4{$sender_host_address}...

to test which IP version an incoming SMTP connection is using.

ldapauth {<ldap query>}

This condition supports user authentication using LDAP. See section 9.14 for details of how to use LDAP in lookups and the syntax of queries. For this use, the query must contain a user name and password. The query itself is not used, and can be empty. The condition is true if the password is not empty, and the user name and password are accepted by the LDAP server. An empty password is rejected without calling LDAP because LDAP binds with an empty password are considered anonymous regardless of the username, and will succeed in most configurations. See chapter 33 for details of SMTP authentication, and chapter 34 for an example of how this can be used.

le {<string1>}{<string2>}
lei {<string1>}{<string2>}

The two substrings are first expanded. The condition is true if the first string is lexically less than or equal to the second string. For le the comparison includes the case of letters, whereas for lei the comparison is case-independent. Case and collation order are defined per the system C locale.

lt {<string1>}{<string2>}
lti {<string1>}{<string2>}

The two substrings are first expanded. The condition is true if the first string is lexically less than the second string. For lt the comparison includes the case of letters, whereas for lti the comparison is case-independent. Case and collation order are defined per the system C locale.

match {<string1>}{<string2>}

The two substrings are first expanded. The second is then treated as a regular expression and applied to the first. Because of the pre-expansion, if the regular expression contains dollar, or backslash characters, they must be escaped. Care must also be taken if the regular expression contains braces (curly brackets). A closing brace must be escaped so that it is not taken as a premature termination of <string2>. The easiest approach is to use the \N feature to disable expansion of the regular expression. For example,

${if match {$local_part}{\N^\d{3}\N} ...

If the whole expansion string is in double quotes, further escaping of backslashes is also required.

The condition is true if the regular expression match succeeds. The regular expression is not required to begin with a circumflex metacharacter, but if there is no circumflex, the expression is not anchored, and it may match anywhere in the subject, not just at the start. If you want the pattern to match at the end of the subject, you must include the $ metacharacter at an appropriate point. All character handling is done in bytes and is not UTF-8 aware, but we might change this in a future Exim release.

At the start of an if expansion the values of the numeric variable substitutions $1 etc. are remembered. Obeying a match condition that succeeds causes them to be reset to the substrings of that condition and they will have these values during the expansion of the success string. At the end of the if expansion, the previous values are restored. After testing a combination of conditions using or, the subsequent values of the numeric variables are those of the condition that succeeded.

match_address {<string1>}{<string2>}

See match_local_part.

match_domain {<string1>}{<string2>}

See match_local_part.

match_ip {<string1>}{<string2>}

This condition matches an IP address to a list of IP address patterns. It must be followed by two argument strings. The first (after expansion) must be an IP address or an empty string. The second (not expanded) is a restricted host list that can match only an IP address, not a host name. For example:

${if match_ip{$sender_host_address}{1.2.3.4:5.6.7.8}{...}{...}}

The specific types of host list item that are permitted in the list are:

  • An IP address, optionally with a CIDR mask.

  • A single asterisk, which matches any IP address.

  • An empty item, which matches only if the IP address is empty. This could be useful for testing for a locally submitted message or one from specific hosts in a single test such as

      ${if match_ip{$sender_host_address}{:4.3.2.1:...}{...}{...}}
    

    where the first item in the list is the empty string.

  • The item @[] matches any of the local host’s interface addresses.

  • Single-key lookups are assumed to be like “net-” style lookups in host lists, even if net- is not specified. There is never any attempt to turn the IP address into a host name. The most common type of linear search for match_ip is likely to be iplsearch, in which the file can contain CIDR masks. For example:

      ${if match_ip{$sender_host_address}{iplsearch;/some/file}...
    

    It is of course possible to use other kinds of lookup, and in such a case, you do need to specify the net- prefix if you want to specify a specific address mask, for example:

      ${if match_ip{$sender_host_address}{net24-dbm;/some/file}...
    

    However, unless you are combining a match_ip condition with others, it is just as easy to use the fact that a lookup is itself a condition, and write:

      ${lookup{${mask:$sender_host_address/24}}dbm{/a/file}...
    

Note that <string2> is not itself subject to string expansion, unless Exim was built with the EXPAND_LISTMATCH_RHS option.

Consult section 10.12 for further details of these patterns.

match_local_part {<string1>}{<string2>}

This condition, together with match_address and match_domain, make it possible to test domain, address, and local part lists within expansions. Each condition requires two arguments: an item and a list to match. A trivial example is:

${if match_domain{a.b.c}{x.y.z:a.b.c:p.q.r}{yes}{no}}

In each case, the second argument may contain any of the allowable items for a list of the appropriate type. Also, because the second argument is a standard form of list, it is possible to refer to a named list. Thus, you can use conditions like this:

${if match_domain{$domain}{+local_domains}{...

For address lists, the matching starts off caselessly, but the +caseful item can be used, as in all address lists, to cause subsequent items to have their local parts matched casefully. Domains are always matched caselessly.

Note that <string2> is not itself subject to string expansion, unless Exim was built with the EXPAND_LISTMATCH_RHS option.

Note: Host lists are not supported in this way. This is because hosts have two identities: a name and an IP address, and it is not clear how to specify cleanly how such a test would work. However, IP addresses can be matched using match_ip.

pam {<string1>:<string2>:...}

Pluggable Authentication Modules (https://mirrors.edge.kernel.org/pub/linux/libs/pam/) are a facility that is available in the latest releases of Solaris and in some GNU/Linux distributions. The Exim support, which is intended for use in conjunction with the SMTP AUTH command, is available only if Exim is compiled with

SUPPORT_PAM=yes

in Local/Makefile. You probably need to add -lpam to EXTRALIBS, and in some releases of GNU/Linux -ldl is also needed.

The argument string is first expanded, and the result must be a colon-separated list of strings. Leading and trailing white space is ignored. The PAM module is initialized with the service name “exim” and the user name taken from the first item in the colon-separated data string (<string1>). The remaining items in the data string are passed over in response to requests from the authentication function. In the simple case there will only be one request, for a password, so the data consists of just two strings.

There can be problems if any of the strings are permitted to contain colon characters. In the usual way, these have to be doubled to avoid being taken as separators. The listquote expansion item can be used for this. For example, the configuration of a LOGIN authenticator might contain this setting:

server_condition = ${if pam{$auth1:${listquote{:}{$auth2}}}}

In some operating systems, PAM authentication can be done only from a process running as root. Since Exim is running as the Exim user when receiving messages, this means that PAM cannot be used directly in those systems.

pwcheck {<string1>:<string2>}

This condition supports user authentication using the Cyrus pwcheck daemon. This is one way of making it possible for passwords to be checked by a process that is not running as root. Note: The use of pwcheck is now deprecated. Its replacement is saslauthd (see below).

The pwcheck support is not included in Exim by default. You need to specify the location of the pwcheck daemon’s socket in Local/Makefile before building Exim. For example:

CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck

You do not need to install the full Cyrus software suite in order to use the pwcheck daemon. You can compile and install just the daemon alone from the Cyrus SASL library. Ensure that exim is the only user that has access to the /var/pwcheck directory.

The pwcheck condition takes one argument, which must be the user name and password, separated by a colon. For example, in a LOGIN authenticator configuration, you might have this:

server_condition = ${if pwcheck{$auth1:$auth2}}

Again, for a PLAIN authenticator configuration, this would be:

server_condition = ${if pwcheck{$auth2:$auth3}}
queue_running

This condition, which has no data, is true during delivery attempts that are initiated by queue runner processes, and false otherwise.

radius {<authentication string>}

Radius authentication (RFC 2865) is supported in a similar way to PAM. You must set RADIUS_CONFIG_FILE in Local/Makefile to specify the location of the Radius client configuration file in order to build Exim with Radius support.

With just that one setting, Exim expects to be linked with the radiusclient library, using the original API. If you are using release 0.4.0 or later of this library, you need to set

RADIUS_LIB_TYPE=RADIUSCLIENTNEW

in Local/Makefile when building Exim. You can also link Exim with the libradius library that comes with FreeBSD. To do this, set

RADIUS_LIB_TYPE=RADLIB

in Local/Makefile, in addition to setting RADIUS_CONFIGURE_FILE. You may also have to supply a suitable setting in EXTRALIBS so that the Radius library can be found when Exim is linked.

The string specified by RADIUS_CONFIG_FILE is expanded and passed to the Radius client library, which calls the Radius server. The condition is true if the authentication is successful. For example:

server_condition = ${if radius{<arguments>}}
saslauthd {{<user>}{<password>}{<service>}{<realm>}}

This condition supports user authentication using the Cyrus saslauthd daemon. This replaces the older pwcheck daemon, which is now deprecated. Using this daemon is one way of making it possible for passwords to be checked by a process that is not running as root.

The saslauthd support is not included in Exim by default. You need to specify the location of the saslauthd daemon’s socket in Local/Makefile before building Exim. For example:

CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux

You do not need to install the full Cyrus software suite in order to use the saslauthd daemon. You can compile and install just the daemon alone from the Cyrus SASL library.

Up to four arguments can be supplied to the saslauthd condition, but only two are mandatory. For example:

server_condition = ${if saslauthd{{$auth1}{$auth2}}}

The service and the realm are optional (which is why the arguments are enclosed in their own set of braces). For details of the meaning of the service and realm, and how to run the daemon, consult the Cyrus documentation.

8. Combining expansion conditions

Several conditions can be tested at once by combining them using the and and or combination conditions. Note that and and or are complete conditions on their own, and precede their lists of sub-conditions. Each sub-condition must be enclosed in braces within the overall braces that contain the list. No repetition of if is used.

or {{<cond1>}{<cond2>}...}

The sub-conditions are evaluated from left to right. The condition is true if any one of the sub-conditions is true. For example,

${if or {{eq{$local_part}{spqr}}{eq{$domain}{testing.com}}}...

When a true sub-condition is found, the following ones are parsed but not evaluated. If there are several “match” sub-conditions the values of the numeric variables afterwards are taken from the first one that succeeds.

and {{<cond1>}{<cond2>}...}

The sub-conditions are evaluated from left to right. The condition is true if all of the sub-conditions are true. If there are several “match” sub-conditions, the values of the numeric variables afterwards are taken from the last one. When a false sub-condition is found, the following ones are parsed but not evaluated.

9. Expansion variables

This section contains an alphabetical list of all the expansion variables. Some of them are available only when Exim is compiled with specific options such as support for TLS or the content scanning extension.

$0, $1, etc

When a match expansion condition succeeds, these variables contain the captured substrings identified by the regular expression during subsequent processing of the success string of the containing if expansion item. In the expansion condition case they do not retain their values afterwards; in fact, their previous values are restored at the end of processing an if item. The numerical variables may also be set externally by some other matching process which precedes the expansion of the string. For example, the commands available in Exim filter files include an if command with its own regular expression matching condition.

$acl_arg1, $acl_arg2, etc

Within an acl condition, expansion condition or expansion item any arguments are copied to these variables, any unused variables being made empty.

$acl_c...

Values can be placed in these variables by the set modifier in an ACL. They can be given any name that starts with $acl_c and is at least six characters long, but the sixth character must be either a digit or an underscore. For example: $acl_c5, $acl_c_mycount. The values of the $acl_c... variables persist throughout the lifetime of an SMTP connection. They can be used to pass information between ACLs and between different invocations of the same ACL. When a message is received, the values of these variables are saved with the message, and can be accessed by filters, routers, and transports during subsequent delivery.

$acl_m...

These variables are like the $acl_c... variables, except that their values are reset after a message has been received. Thus, if several messages are received in one SMTP connection, $acl_m... values are not passed on from one message to the next, as $acl_c... values are. The $acl_m... variables are also reset by MAIL, RSET, EHLO, HELO, and after starting a TLS session. When a message is received, the values of these variables are saved with the message, and can be accessed by filters, routers, and transports during subsequent delivery.

$acl_narg

Within an acl condition, expansion condition or expansion item this variable has the number of arguments.

$acl_verify_message

After an address verification has failed, this variable contains the failure message. It retains its value for use in subsequent modifiers of the verb. The message can be preserved by coding like this:

warn !verify = sender
     set acl_m0 = $acl_verify_message

You can use $acl_verify_message during the expansion of the message or log_message modifiers, to include information about the verification failure.

Note: The variable is cleared at the end of processing the ACL verb.

$address_data

This variable is set by means of the address_data option in routers. The value then remains with the address while it is processed by subsequent routers and eventually a transport. If the transport is handling multiple addresses, the value from the first address is used. See chapter 15 for more details. Note: The contents of $address_data are visible in user filter files.

If $address_data is set when the routers are called from an ACL to verify a recipient address, the final value is still in the variable for subsequent conditions and modifiers of the ACL statement. If routing the address caused it to be redirected to just one address, the child address is also routed as part of the verification, and in this case the final value of $address_data is from the child’s routing.

If $address_data is set when the routers are called from an ACL to verify a sender address, the final value is also preserved, but this time in $sender_address_data, to distinguish it from data from a recipient address.

In both cases (recipient and sender verification), the value does not persist after the end of the current ACL statement. If you want to preserve these values for longer, you can save them in ACL variables.

$address_file

When, as a result of aliasing, forwarding, or filtering, a message is directed to a specific file, this variable holds the name of the file when the transport is running. At other times, the variable is empty. For example, using the default configuration, if user r2d2 has a .forward file containing

/home/r2d2/savemail

then when the address_file transport is running, $address_file contains the text string /home/r2d2/savemail. For Sieve filters, the value may be “inbox” or a relative folder name. It is then up to the transport configuration to generate an appropriate absolute path to the relevant file.

$address_pipe

When, as a result of aliasing or forwarding, a message is directed to a pipe, this variable holds the pipe command when the transport is running.

$auth1 – $auth4

These variables are used in SMTP authenticators (see chapters 3442). Elsewhere, they are empty.

$authenticated_id

When a server successfully authenticates a client it may be configured to preserve some of the authentication information in the variable $authenticated_id (see chapter 33). For example, a user/password authenticator configuration might preserve the user name for use in the routers. Note that this is not the same information that is saved in $sender_host_authenticated.

When a message is submitted locally (that is, not over a TCP connection) the value of $authenticated_id is normally the login name of the calling process. However, a trusted user can override this by means of the -oMai command line option. This second case also sets up information used by the $authresults expansion item.

$authenticated_fail_id

When an authentication attempt fails, the variable $authenticated_fail_id will contain the failed authentication id. If more than one authentication id is attempted, it will contain only the last one. The variable is available for processing in the ACL’s, generally the quit or notquit ACL. A message to a local recipient could still be accepted without requiring authentication, which means this variable could also be visible in all of the ACL’s as well.

$authenticated_sender

When acting as a server, Exim takes note of the AUTH= parameter on an incoming SMTP MAIL command if it believes the sender is sufficiently trusted, as described in section 33.2. Unless the data is the string “<>”, it is set as the authenticated sender of the message, and the value is available during delivery in the $authenticated_sender variable. If the sender is not trusted, Exim accepts the syntax of AUTH=, but ignores the data.

When a message is submitted locally (that is, not over a TCP connection), the value of $authenticated_sender is an address constructed from the login name of the calling process and $qualify_domain, except that a trusted user can override this by means of the -oMas command line option.

$authentication_failed

This variable is set to “1” in an Exim server if a client issues an AUTH command that does not succeed. Otherwise it is set to “0”. This makes it possible to distinguish between “did not try to authenticate” ($sender_host_authenticated is empty and $authentication_failed is set to “0”) and “tried to authenticate but failed” ($sender_host_authenticated is empty and $authentication_failed is set to “1”). Failure includes any negative response to an AUTH command, including (for example) an attempt to use an undefined mechanism.

$av_failed

This variable is available when Exim is compiled with the content-scanning extension. It is set to “0” by default, but will be set to “1” if any problem occurs with the virus scanner (specified by av_scanner) during the ACL malware condition.

$body_linecount

When a message is being received or delivered, this variable contains the number of lines in the message’s body. See also $message_linecount.

$body_zerocount

When a message is being received or delivered, this variable contains the number of binary zero bytes (ASCII NULs) in the message’s body.

$bounce_recipient

This is set to the recipient address of a bounce message while Exim is creating it. It is useful if a customized bounce message text file is in use (see chapter 50).

$bounce_return_size_limit

This contains the value set in the bounce_return_size_limit option, rounded up to a multiple of 1000. It is useful when a customized error message text file is in use (see chapter 50).

$caller_gid

The real group id under which the process that called Exim was running. This is not the same as the group id of the originator of a message (see $originator_gid). If Exim re-execs itself, this variable in the new incarnation normally contains the Exim gid.

$caller_uid

The real user id under which the process that called Exim was running. This is not the same as the user id of the originator of a message (see $originator_uid). If Exim re-execs itself, this variable in the new incarnation normally contains the Exim uid.

$callout_address

After a callout for verification, spamd or malware daemon service, the address that was connected to.

$compile_number

The building process for Exim keeps a count of the number of times it has been compiled. This serves to distinguish different compilations of the same version of Exim.

$config_dir

The directory name of the main configuration file. That is, the content of $config_file with the last component stripped. The value does not contain the trailing slash. If $config_file does not contain a slash, $config_dir is ".".

$config_file

The name of the main configuration file Exim is using.

$dkim_verify_status

Results of DKIM verification. For details see section 58.3.

$dkim_cur_signer
$dkim_verify_reason
$dkim_domain
$dkim_identity
$dkim_selector
$dkim_algo
$dkim_canon_body
$dkim_canon_headers
$dkim_copiedheaders
$dkim_bodylength
$dkim_created
$dkim_expires
$dkim_headernames
$dkim_key_testing
$dkim_key_nosubdomains
$dkim_key_srvtype
$dkim_key_granularity
$dkim_key_notes
$dkim_key_length

These variables are only available within the DKIM ACL. For details see section 58.3.

$dkim_signers

When a message has been received this variable contains a colon-separated list of signer domains and identities for the message. For details see section 58.3.

$dmarc_domain_policy
$dmarc_status
$dmarc_status_text
$dmarc_used_domains

Results of DMARC verification. For details see section 58.6.

$dnslist_domain
$dnslist_matched
$dnslist_text
$dnslist_value

When a DNS (black) list lookup succeeds, these variables are set to contain the following data from the lookup: the list’s domain name, the key that was looked up, the contents of any associated TXT record, and the value from the main A record. See section 44.32 for more details.

$domain

When an address is being routed, or delivered on its own, this variable contains the domain. Uppercase letters in the domain are converted into lower case for $domain.

Global address rewriting happens when a message is received, so the value of $domain during routing and delivery is the value after rewriting. $domain is set during user filtering, but not during system filtering, because a message may have many recipients and the system filter is called just once.

When more than one address is being delivered at once (for example, several RCPT commands in one SMTP delivery), $domain is set only if they all have the same domain. Transports can be restricted to handling only one domain at a time if the value of $domain is required at transport time – this is the default for local transports. For further details of the environment in which local transports are run, see chapter 23.

At the end of a delivery, if all deferred addresses have the same domain, it is set in $domain during the expansion of delay_warning_condition.

The $domain variable is also used in some other circumstances:

  • When an ACL is running for a RCPT command, $domain contains the domain of the recipient address. The domain of the sender address is in $sender_address_domain at both MAIL time and at RCPT time. $domain is not normally set during the running of the MAIL ACL. However, if the sender address is verified with a callout during the MAIL ACL, the sender domain is placed in $domain during the expansions of hosts, interface, and port in the smtp transport.

  • When a rewrite item is being processed (see chapter 31), $domain contains the domain portion of the address that is being rewritten; it can be used in the expansion of the replacement address, for example, to rewrite domains by file lookup.

  • With one important exception, whenever a domain list is being scanned, $domain contains the subject domain. Exception: When a domain list in a sender_domains condition in an ACL is being processed, the subject domain is in $sender_address_domain and not in $domain. It works this way so that, in a RCPT ACL, the sender domain list can be dependent on the recipient domain (which is what is in $domain at this time).

  • When the smtp_etrn_command option is being expanded, $domain contains the complete argument of the ETRN command (see section 49.8).

If the origin of the data is an incoming message, the result of expanding this variable is tainted and may not be further expanded or used as a filename. When an untainted version is needed, one should be obtained from looking up the value in a local (therefore trusted) database. Often $domain_data is usable in this role.

$domain_data

When the domains condition on a router

or an ACL matches a domain against a list, the match value is copied to $domain_data. This is an enhancement over previous versions of Exim, when it only applied to the data read by a lookup. For details on match values see section 10.5 et. al.

If the router routes the address to a transport, the value is available in that transport. If the transport is handling multiple addresses, the value from the first address is used.

$domain_data set in an ACL is available during the rest of the ACL statement.

$exim_gid

This variable contains the numerical value of the Exim group id.

$exim_path

This variable contains the path to the Exim binary.

$exim_uid

This variable contains the numerical value of the Exim user id.

$exim_version

This variable contains the version string of the Exim build. The first character is a major version number, currently 4. Then after a dot, the next group of digits is a minor version number. There may be other characters following the minor version. This value may be overridden by the exim_version main config option.

$header_<name>

This is not strictly an expansion variable. It is expansion syntax for inserting the message header line with the given name. Note that the name must be terminated by colon or white space, because it may contain a wide variety of characters. Note also that braces must not be used. See the full description in section 11.5 above.

$headers_added

Within an ACL this variable contains the headers added so far by the ACL modifier add_header (section 44.24). The headers are a newline-separated list.

$home

When the check_local_user option is set for a router, the user’s home directory is placed in $home when the check succeeds. In particular, this means it is set during the running of users’ filter files. A router may also explicitly set a home directory for use by a transport; this can be overridden by a setting on the transport itself.

When running a filter test via the -bf option, $home is set to the value of the environment variable HOME, which is subject to the keep_environment and add_environment main config options.

$host

If a router assigns an address to a transport (any transport), and passes a list of hosts with the address, the value of $host when the transport starts to run is the name of the first host on the list. Note that this applies both to local and remote transports.

For the smtp transport, if there is more than one host, the value of $host changes as the transport works its way through the list. In particular, when the smtp transport is expanding its options for encryption using TLS, or for specifying a transport filter (see chapter 24), $host contains the name of the host to which it is connected.

When used in the client part of an authenticator configuration (see chapter 33), $host contains the name of the server to which the client is connected.

$host_address

This variable is set to the remote host’s IP address whenever $host is set for a remote connection. It is also set to the IP address that is being checked when the ignore_target_hosts option is being processed.

$host_data

If a hosts condition in an ACL is satisfied by means of a lookup, the result of the lookup is made available in the $host_data variable. This allows you, for example, to do things like this:

deny  hosts = net-lsearch;/some/file
      message = $host_data
$host_lookup_deferred

This variable normally contains “0”, as does $host_lookup_failed. When a message comes from a remote host and there is an attempt to look up the host’s name from its IP address, and the attempt is not successful, one of these variables is set to “1”.

  • If the lookup receives a definite negative response (for example, a DNS lookup succeeded, but no records were found), $host_lookup_failed is set to “1”.

  • If there is any kind of problem during the lookup, such that Exim cannot tell whether or not the host name is defined (for example, a timeout for a DNS lookup), $host_lookup_deferred is set to “1”.

Looking up a host’s name from its IP address consists of more than just a single reverse lookup. Exim checks that a forward lookup of at least one of the names it receives from a reverse lookup yields the original IP address. If this is not the case, Exim does not accept the looked up name(s), and $host_lookup_failed is set to “1”. Thus, being able to find a name from an IP address (for example, the existence of a PTR record in the DNS) is not sufficient on its own for the success of a host name lookup. If the reverse lookup succeeds, but there is a lookup problem such as a timeout when checking the result, the name is not accepted, and $host_lookup_deferred is set to “1”. See also $sender_host_name.

Performing these checks sets up information used by the authresults expansion item.

$host_lookup_failed

See $host_lookup_deferred.

$host_port

This variable is set to the remote host’s TCP port whenever $host is set for an outbound connection.

$initial_cwd

This variable contains the full path name of the initial working directory of the current Exim process. This may differ from the current working directory, as Exim changes this to "/" during early startup, and to $spool_directory later.

$inode

The only time this variable is set is while expanding the directory_file option in the appendfile transport. The variable contains the inode number of the temporary file which is about to be renamed. It can be used to construct a unique name for the file.

$interface_address
$interface_port

These are obsolete names for $received_ip_address and $received_port.

$item

This variable is used during the expansion of forall and forany conditions (see section 11.7), and filter, map, and reduce items (see section 11.7). In other circumstances, it is empty.

$ldap_dn

This variable, which is available only when Exim is compiled with LDAP support, contains the DN from the last entry in the most recently successful LDAP lookup.

$load_average

This variable contains the system load average, multiplied by 1000 so that it is an integer. For example, if the load average is 0.21, the value of the variable is 210. The value is recomputed every time the variable is referenced.

$local_part

When an address is being routed, or delivered on its own, this variable contains the local part. When a number of addresses are being delivered together (for example, multiple RCPT commands in an SMTP session), $local_part is not set.

Global address rewriting happens when a message is received, so the value of $local_part during routing and delivery is the value after rewriting. $local_part is set during user filtering, but not during system filtering, because a message may have many recipients and the system filter is called just once.

If the origin of the data is an incoming message, the result of expanding this variable is tainted and may not be further expanded or used as a filename.

Warning: the content of this variable is usually provided by a potential attacker. Consider carefully the implications of using it unvalidated as a name for file access. This presents issues for users’ .forward and filter files. For traditional full user accounts, use check_local_users and the $local_part_data variable rather than this one. For virtual users, store a suitable pathname component in the database which is used for account name validation, and use that retrieved value rather than this variable. Often $local_part_data is usable in this role. If needed, use a router address_data or set option for the retrieved data.

When a message is being delivered to a file, pipe, or autoreply transport as a result of aliasing or forwarding, $local_part is set to the local part of the parent address, not to the filename or command (see $address_file and $address_pipe).

When an ACL is running for a RCPT command, $local_part contains the local part of the recipient address.

When a rewrite item is being processed (see chapter 31), $local_part contains the local part of the address that is being rewritten; it can be used in the expansion of the replacement address, for example.

In all cases, all quoting is removed from the local part. For example, for both the addresses

"abc:xyz"@test.example
abc\:xyz@test.example

the value of $local_part is

abc:xyz

If you use $local_part to create another address, you should always wrap it inside a quoting operator. For example, in a redirect router you could have:

data = ${quote_local_part:$local_part}@new.domain.example

Note: The value of $local_part is normally lower cased. If you want to process local parts in a case-dependent manner in a router, you can set the caseful_local_part option (see chapter 15).

$local_part_data

When the local_parts condition on a router or ACL matches a local part list

the match value is copied to $local_part_data. This is an enhancement over previous versions of Exim, when it only applied to the data read by a lookup. For details on match values see section 10.5 et. al.

The check_local_user router option also sets this variable.

If a local part prefix or suffix has been recognized, it is not included in the value of $local_part during routing and subsequent delivery. The values of any prefix or suffix are in $local_part_prefix and $local_part_suffix, respectively. If the specification did not include a wildcard then the affix variable value is not tainted.

If the affix specification included a wildcard then the portion of the affix matched by the wildcard is in $local_part_prefix_v or $local_part_suffix_v as appropriate, and both the whole and varying values are tainted.

$local_scan_data

This variable contains the text returned by the local_scan() function when a message is received. See chapter 46 for more details.

$local_user_gid

See $local_user_uid.

$local_user_uid

This variable and $local_user_gid are set to the uid and gid after the check_local_user router precondition succeeds. This means that their values are available for the remaining preconditions (senders, require_files, and condition), for the address_data expansion, and for any router-specific expansions. At all other times, the values in these variables are (uid_t)(-1) and (gid_t)(-1), respectively.

$localhost_number

This contains the expanded value of the localhost_number option. The expansion happens after the main options have been read.

$log_inodes

The number of free inodes in the disk partition where Exim’s log files are being written. The value is recalculated whenever the variable is referenced. If the relevant file system does not have the concept of inodes, the value of is -1. See also the check_log_inodes option.

$log_space

The amount of free space (as a number of kilobytes) in the disk partition where Exim’s log files are being written. The value is recalculated whenever the variable is referenced. If the operating system does not have the ability to find the amount of free space (only true for experimental systems), the space value is -1. See also the check_log_space option.

$lookup_dnssec_authenticated

This variable is set after a DNS lookup done by a dnsdb lookup expansion, dnslookup router or smtp transport. It will be empty if DNSSEC was not requested, “no” if the result was not labelled as authenticated data and “yes” if it was. Results that are labelled as authoritative answer that match the dns_trust_aa configuration variable count also as authenticated data.

$mailstore_basename

This variable is set only when doing deliveries in “mailstore” format in the appendfile transport. During the expansion of the mailstore_prefix, mailstore_suffix, message_prefix, and message_suffix options, it contains the basename of the files that are being written, that is, the name without the “.tmp”, “.env”, or “.msg” suffix. At all other times, this variable is empty.

$malware_name

This variable is available when Exim is compiled with the content-scanning extension. It is set to the name of the virus that was found when the ACL malware condition is true (see section 45.1).

$max_received_linelength

This variable contains the number of bytes in the longest line that was received as part of the message, not counting the line termination character(s). It is not valid if the spool_wireformat option is used.

$message_age

This variable is set at the start of a delivery attempt to contain the number of seconds since the message was received. It does not change during a single delivery attempt.

$message_body

This variable contains the initial portion of a message’s body while it is being delivered, and is intended mainly for use in filter files. The maximum number of characters of the body that are put into the variable is set by the message_body_visible configuration option; the default is 500.

By default, newlines are converted into spaces in $message_body, to make it easier to search for phrases that might be split over a line break. However, this can be disabled by setting message_body_newlines to be true. Binary zeros are always converted into spaces.

$message_body_end

This variable contains the final portion of a message’s body while it is being delivered. The format and maximum size are as for $message_body.

$message_body_size

When a message is being delivered, this variable contains the size of the body in bytes. The count starts from the character after the blank line that separates the body from the header. Newlines are included in the count. See also $message_size, $body_linecount, and $body_zerocount.

If the spool file is wireformat (see the spool_wireformat main option) the CRLF line-terminators are included in the count.

$message_exim_id

When a message is being received or delivered, this variable contains the unique message id that is generated and used by Exim to identify the message. An id is not created for a message until after its header has been successfully received. Note: This is not the contents of the Message-ID: header line; it is the local id that Exim assigns to the message, for example: 1BXTIK-0001yO-VA.

$message_headers

This variable contains a concatenation of all the header lines when a message is being processed, except for lines added by routers or transports. The header lines are separated by newline characters. Their contents are decoded in the same way as a header line that is inserted by bheader.

$message_headers_raw

This variable is like $message_headers except that no processing of the contents of header lines is done.

$message_id

This is an old name for $message_exim_id. It is now deprecated.

$message_linecount

This variable contains the total number of lines in the header and body of the message. Compare $body_linecount, which is the count for the body only. During the DATA and content-scanning ACLs, $message_linecount contains the number of lines received. Before delivery happens (that is, before filters, routers, and transports run) the count is increased to include the Received: header line that Exim standardly adds, and also any other header lines that are added by ACLs. The blank line that separates the message header from the body is not counted.

As with the special case of $message_size, during the expansion of the appendfile transport’s maildir_tag option in maildir format, the value of $message_linecount is the precise size of the number of newlines in the file that has been written (minus one for the blank line between the header and the body).

Here is an example of the use of this variable in a DATA ACL:

deny condition = \
      ${if <{250}{${eval:$message_linecount - $body_linecount}}}
     message   = Too many lines in message header

In the MAIL and RCPT ACLs, the value is zero because at that stage the message has not yet been received.

This variable is not valid if the spool_wireformat option is used.

$message_size

When a message is being processed, this variable contains its size in bytes. In most cases, the size includes those headers that were received with the message, but not those (such as Envelope-to:) that are added to individual deliveries as they are written. However, there is one special case: during the expansion of the maildir_tag option in the appendfile transport while doing a delivery in maildir format, the value of $message_size is the precise size of the file that has been written. See also $message_body_size, $body_linecount, and $body_zerocount.

While running a per message ACL (mail/rcpt/predata), $message_size contains the size supplied on the MAIL command, or -1 if no size was given. The value may not, of course, be truthful.

$mime_anomaly_level
$mime_anomaly_text
$mime_boundary
$mime_charset
$mime_content_description
$mime_content_disposition
$mime_content_id
$mime_content_size
$mime_content_transfer_encoding
$mime_content_type
$mime_decoded_filename
$mime_filename
$mime_is_coverletter
$mime_is_multipart
$mime_is_rfc822
$mime_part_count

A number of variables whose names start with $mime are available when Exim is compiled with the content-scanning extension. For details, see section 45.4.

$n0 – $n9

These variables are counters that can be incremented by means of the add command in filter files.

$original_domain

When a top-level address is being processed for delivery, this contains the same value as $domain. However, if a “child” address (for example, generated by an alias, forward, or filter file) is being processed, this variable contains the domain of the original address (lower cased). This differs from $parent_domain only when there is more than one level of aliasing or forwarding. When more than one address is being delivered in a single transport run, $original_domain is not set.

If a new address is created by means of a deliver command in a system filter, it is set up with an artificial “parent” address. This has the local part system-filter and the default qualify domain.

$original_local_part

When a top-level address is being processed for delivery, this contains the same value as $local_part, unless a prefix or suffix was removed from the local part, because $original_local_part always contains the full local part. When a “child” address (for example, generated by an alias, forward, or filter file) is being processed, this variable contains the full local part of the original address.

If the router that did the redirection processed the local part case-insensitively, the value in $original_local_part is in lower case. This variable differs from $parent_local_part only when there is more than one level of aliasing or forwarding. When more than one address is being delivered in a single transport run, $original_local_part is not set.

If a new address is created by means of a deliver command in a system filter, it is set up with an artificial “parent” address. This has the local part system-filter and the default qualify domain.

$originator_gid

This variable contains the value of $caller_gid that was set when the message was received. For messages received via the command line, this is the gid of the sending user. For messages received by SMTP over TCP/IP, this is normally the gid of the Exim user.

$originator_uid

The value of $caller_uid that was set when the message was received. For messages received via the command line, this is the uid of the sending user. For messages received by SMTP over TCP/IP, this is normally the uid of the Exim user.

$parent_domain

This variable is similar to $original_domain (see above), except that it refers to the immediately preceding parent address.

$parent_local_part

This variable is similar to $original_local_part (see above), except that it refers to the immediately preceding parent address.

$pid

This variable contains the current process id.

$pipe_addresses

This is not an expansion variable, but is mentioned here because the string $pipe_addresses is handled specially in the command specification for the pipe transport (chapter 29) and in transport filters (described under transport_filter in chapter 24). It cannot be used in general expansion strings, and provokes an “unknown variable” error if encountered.

$primary_hostname

This variable contains the value set by primary_hostname in the configuration file, or read by the uname() function. If uname() returns a single-component name, Exim calls gethostbyname() (or getipnodebyname() where available) in an attempt to acquire a fully qualified host name. See also $smtp_active_hostname.

$proxy_external_address
$proxy_external_port
$proxy_local_address
$proxy_local_port
$proxy_session

These variables are only available when built with Proxy Protocol or SOCKS5 support. For details see chapter 59.1.

$prdr_requested

This variable is set to “yes” if PRDR was requested by the client for the current message, otherwise “no”.

$prvscheck_address
$prvscheck_keynum
$prvscheck_result

These variables are used in conjunction with the prvscheck expansion item, which is described in sections 11.5 and 44.52.

$qualify_domain

The value set for the qualify_domain option in the configuration file.

$qualify_recipient

The value set for the qualify_recipient option in the configuration file, or if not set, the value of $qualify_domain.

$queue_name

The name of the spool queue in use; empty for the default queue.

$queue_size

This variable contains the number of messages queued. It is evaluated on demand, but no more often than once every minute. If there is no daemon notifier socket open, the value will be an empty string.

$r_...

Values can be placed in these variables by the set option of a router. They can be given any name that starts with $r_. The values persist for the address being handled through subsequent routers and the eventual transport.

$rcpt_count

When a message is being received by SMTP, this variable contains the number of RCPT commands received for the current message. If this variable is used in a RCPT ACL, its value includes the current command.

$rcpt_defer_count

When a message is being received by SMTP, this variable contains the number of RCPT commands in the current message that have previously been rejected with a temporary (4xx) response.

$rcpt_fail_count

When a message is being received by SMTP, this variable contains the number of RCPT commands in the current message that have previously been rejected with a permanent (5xx) response.

$received_count

This variable contains the number of Received: header lines in the message, including the one added by Exim (so its value is always greater than zero). It is available in the DATA ACL, the non-SMTP ACL, and while routing and delivering.

$received_for

If there is only a single recipient address in an incoming message, this variable contains that address when the Received: header line is being built. The value is copied after recipient rewriting has happened, but before the local_scan() function is run.

$received_ip_address
$received_port

As soon as an Exim server starts processing an incoming TCP/IP connection, these variables are set to the address and port on the local IP interface. (The remote IP address and port are in $sender_host_address and $sender_host_port.) When testing with -bh, the port value is -1 unless it has been set using the -oMi command line option.

As well as being useful in ACLs (including the “connect” ACL), these variable could be used, for example, to make the filename for a TLS certificate depend on which interface and/or port is being used for the incoming connection. The values of $received_ip_address and $received_port are saved with any messages that are received, thus making these variables available at delivery time. For outbound connections see $sending_ip_address.

$received_protocol

When a message is being processed, this variable contains the name of the protocol by which it was received. Most of the names used by Exim are defined by RFCs 821, 2821, and 3848. They start with “smtp” (the client used HELO) or “esmtp” (the client used EHLO). This can be followed by “s” for secure (encrypted) and/or “a” for authenticated. Thus, for example, if the protocol is set to “esmtpsa”, the message was received over an encrypted SMTP connection and the client was successfully authenticated.

Exim uses the protocol name “smtps” for the case when encryption is automatically set up on connection without the use of STARTTLS (see tls_on_connect_ports), and the client uses HELO to initiate the encrypted SMTP session. The name “smtps” is also used for the rare situation where the client initially uses EHLO, sets up an encrypted connection using STARTTLS, and then uses HELO afterwards.

The -oMr option provides a way of specifying a custom protocol name for messages that are injected locally by trusted callers. This is commonly used to identify messages that are being re-injected after some kind of scanning.

$received_time

This variable contains the date and time when the current message was received, as a number of seconds since the start of the Unix epoch.

$recipient_data

This variable is set after an indexing lookup success in an ACL recipients condition. It contains the data from the lookup, and the value remains set until the next recipients test. Thus, you can do things like this:

require recipients  = cdb*@;/some/file
deny    some further test involving $recipient_data

Warning: This variable is set only when a lookup is used as an indexing method in the address list, using the semicolon syntax as in the example above. The variable is not set for a lookup that is used as part of the string expansion that all such lists undergo before being interpreted.

$recipient_verify_failure

In an ACL, when a recipient verification fails, this variable contains information about the failure. It is set to one of the following words:

  • “qualify”: The address was unqualified (no domain), and the message was neither local nor came from an exempted host.

  • “route”: Routing failed.

  • “mail”: Routing succeeded, and a callout was attempted; rejection occurred at or before the MAIL command (that is, on initial connection, HELO, or MAIL).

  • “recipient”: The RCPT command in a callout was rejected.

  • “postmaster”: The postmaster check in a callout was rejected.

The main use of this variable is expected to be to distinguish between rejections of MAIL and rejections of RCPT.

$recipients

This variable contains a list of envelope recipients for a message. A comma and a space separate the addresses in the replacement text. However, the variable is not generally available, to prevent exposure of Bcc recipients in unprivileged users’ filter files. You can use $recipients only in these cases:

  1. In a system filter file.

  2. In the ACLs associated with the DATA command and with non-SMTP messages, that is, the ACLs defined by acl_smtp_predata, acl_smtp_data, acl_smtp_mime, acl_not_smtp_start, acl_not_smtp, and acl_not_smtp_mime.

  3. From within a local_scan() function.

$recipients_count

When a message is being processed, this variable contains the number of envelope recipients that came with the message. Duplicates are not excluded from the count. While a message is being received over SMTP, the number increases for each accepted recipient. It can be referenced in an ACL.

$regex_match_string

This variable is set to contain the matching regular expression after a regex ACL condition has matched (see section 45.5).

$regex1, $regex2, etc

When a regex or mime_regex ACL condition succeeds, these variables contain the captured substrings identified by the regular expression.

$reply_address

When a message is being processed, this variable contains the contents of the Reply-To: header line if one exists and it is not empty, or otherwise the contents of the From: header line. Apart from the removal of leading white space, the value is not processed in any way. In particular, no RFC 2047 decoding or character code translation takes place.

$return_path

When a message is being delivered, this variable contains the return path – the sender field that will be sent as part of the envelope. It is not enclosed in <> characters. At the start of routing an address, $return_path has the same value as $sender_address, but if, for example, an incoming message to a mailing list has been expanded by a router which specifies a different address for bounce messages, $return_path subsequently contains the new bounce address, whereas $sender_address always contains the original sender address that was received with the message. In other words, $sender_address contains the incoming envelope sender, and $return_path contains the outgoing envelope sender.

$return_size_limit

This is an obsolete name for $bounce_return_size_limit.

$router_name

During the running of a router this variable contains its name.

$runrc

This variable contains the return code from a command that is run by the ${run...} expansion item. Warning: In a router or transport, you cannot assume the order in which option values are expanded, except for those preconditions whose order of testing is documented. Therefore, you cannot reliably expect to set $runrc by the expansion of one option, and use it in another.

$self_hostname

When an address is routed to a supposedly remote host that turns out to be the local host, what happens is controlled by the self generic router option. One of its values causes the address to be passed to another router. When this happens, $self_hostname is set to the name of the local host that the original router encountered. In other circumstances its contents are null.

$sender_address

When a message is being processed, this variable contains the sender’s address that was received in the message’s envelope. The case of letters in the address is retained, in both the local part and the domain. For bounce messages, the value of this variable is the empty string. See also $return_path.

$sender_address_data

If $address_data is set when the routers are called from an ACL to verify a sender address, the final value is preserved in $sender_address_data, to distinguish it from data from a recipient address. The value does not persist after the end of the current ACL statement. If you want to preserve it for longer, you can save it in an ACL variable.

$sender_address_domain

The domain portion of $sender_address.

$sender_address_local_part

The local part portion of $sender_address.

$sender_data

This variable is set after a lookup success in an ACL senders condition or in a router senders option. It contains the data from the lookup, and the value remains set until the next senders test. Thus, you can do things like this:

require senders      = cdb*@;/some/file
deny    some further test involving $sender_data

Warning: This variable is set only when a lookup is used as an indexing method in the address list, using the semicolon syntax as in the example above. The variable is not set for a lookup that is used as part of the string expansion that all such lists undergo before being interpreted.

$sender_fullhost

When a message is received from a remote host, this variable contains the host name and IP address in a single string. It ends with the IP address in square brackets, followed by a colon and a port number if the logging of ports is enabled. The format of the rest of the string depends on whether the host issued a HELO or EHLO SMTP command, and whether the host name was verified by looking up its IP address. (Looking up the IP address can be forced by the host_lookup option, independent of verification.) A plain host name at the start of the string is a verified host name; if this is not present, verification either failed or was not requested. A host name in parentheses is the argument of a HELO or EHLO command. This is omitted if it is identical to the verified host name or to the host’s IP address in square brackets.

$sender_helo_dnssec

This boolean variable is true if a successful HELO verification was done using DNS information the resolver library stated was authenticated data.

$sender_helo_name

When a message is received from a remote host that has issued a HELO or EHLO command, the argument of that command is placed in this variable. It is also set if HELO or EHLO is used when a message is received using SMTP locally via the -bs or -bS options.

$sender_host_address

When a message is received from a remote host using SMTP, this variable contains that host’s IP address. For locally non-SMTP submitted messages, it is empty.

$sender_host_authenticated

This variable contains the name (not the public name) of the authenticator driver that successfully authenticated the client from which the message was received. It is empty if there was no successful authentication. See also $authenticated_id.

$sender_host_dnssec

If an attempt to populate $sender_host_name has been made (by reference, hosts_lookup or otherwise) then this boolean will have been set true if, and only if, the resolver library states that both the reverse and forward DNS were authenticated data. At all other times, this variable is false.

It is likely that you will need to coerce DNSSEC support on in the resolver library, by setting:

dns_dnssec_ok = 1

In addition, on Linux with glibc 2.31 or newer the resolver library will default to stripping out a successful validation status. This will break a previously working Exim installation. Provided that you do trust the resolver (ie, is on localhost) you can tell glibc to pass through any successful validation with a new option in /etc/resolv.conf:

options trust-ad

Exim does not perform DNSSEC validation itself, instead leaving that to a validating resolver (e.g. unbound, or bind with suitable configuration).

If you have changed host_lookup_order so that bydns is not the first mechanism in the list, then this variable will be false.

This requires that your system resolver library support EDNS0 (and that DNSSEC flags exist in the system headers). If the resolver silently drops all EDNS0 options, then this will have no effect. OpenBSD’s asr resolver is known to currently ignore EDNS0, documented in CAVEATS of asr_run(3).

$sender_host_name

When a message is received from a remote host, this variable contains the host’s name as obtained by looking up its IP address. For messages received by other means, this variable is empty.

If the host name has not previously been looked up, a reference to $sender_host_name triggers a lookup (for messages from remote hosts). A looked up name is accepted only if it leads back to the original IP address via a forward lookup. If either the reverse or the forward lookup fails to find any data, or if the forward lookup does not yield the original IP address, $sender_host_name remains empty, and $host_lookup_failed is set to “1”.

However, if either of the lookups cannot be completed (for example, there is a DNS timeout), $host_lookup_deferred is set to “1”, and $host_lookup_failed remains set to “0”.

Once $host_lookup_failed is set to “1”, Exim does not try to look up the host name again if there is a subsequent reference to $sender_host_name in the same Exim process, but it does try again if $host_lookup_deferred is set to “1”.

Exim does not automatically look up every calling host’s name. If you want maximum efficiency, you should arrange your configuration so that it avoids these lookups altogether. The lookup happens only if one or more of the following are true:

  • A string containing $sender_host_name is expanded.

  • The calling host matches the list in host_lookup. In the default configuration, this option is set to *, so it must be changed if lookups are to be avoided. (In the code, the default for host_lookup is unset.)

  • Exim needs the host name in order to test an item in a host list. The items that require this are described in sections 10.14 and 10.18.

  • The calling host matches helo_try_verify_hosts or helo_verify_hosts. In this case, the host name is required to compare with the name quoted in any EHLO or HELO commands that the client issues.

  • The remote host issues a EHLO or HELO command that quotes one of the domains in helo_lookup_domains. The default value of this option is

      helo_lookup_domains = @ : @[]
    

    which causes a lookup if a remote host (incorrectly) gives the server’s name or IP address in an EHLO or HELO command.

$sender_host_port

When a message is received from a remote host, this variable contains the port number that was used on the remote host.

$sender_ident

When a message is received from a remote host, this variable contains the identification received in response to an RFC 1413 request. When a message has been received locally, this variable contains the login name of the user that called Exim.

$sender_rate_xxx

A number of variables whose names begin $sender_rate_ are set as part of the ratelimit ACL condition. Details are given in section 44.38.

$sender_rcvhost

This is provided specifically for use in Received: headers. It starts with either the verified host name (as obtained from a reverse DNS lookup) or, if there is no verified host name, the IP address in square brackets. After that there may be text in parentheses. When the first item is a verified host name, the first thing in the parentheses is the IP address in square brackets, followed by a colon and a port number if port logging is enabled. When the first item is an IP address, the port is recorded as “port=xxxx” inside the parentheses.

There may also be items of the form “helo=xxxx” if HELO or EHLO was used and its argument was not identical to the real host name or IP address, and “ident=xxxx” if an RFC 1413 ident string is available. If all three items are present in the parentheses, a newline and tab are inserted into the string, to improve the formatting of the Received: header.

$sender_verify_failure

In an ACL, when a sender verification fails, this variable contains information about the failure. The details are the same as for $recipient_verify_failure.

$sending_ip_address

This variable is set whenever an outgoing SMTP connection to another host has been set up. It contains the IP address of the local interface that is being used. This is useful if a host that has more than one IP address wants to take on different personalities depending on which one is being used. For incoming connections, see $received_ip_address.

$sending_port

This variable is set whenever an outgoing SMTP connection to another host has been set up. It contains the local port that is being used. For incoming connections, see $received_port.

$smtp_active_hostname

During an incoming SMTP session, this variable contains the value of the active host name, as specified by the smtp_active_hostname option. The value of $smtp_active_hostname is saved with any message that is received, so its value can be consulted during routing and delivery.

$smtp_command

During the processing of an incoming SMTP command, this variable contains the entire command. This makes it possible to distinguish between HELO and EHLO in the HELO ACL, and also to distinguish between commands such as these:

MAIL FROM:<>
MAIL FROM: <>

For a MAIL command, extra parameters such as SIZE can be inspected. For a RCPT command, the address in $smtp_command is the original address before any rewriting, whereas the values in $local_part and $domain are taken from the address after SMTP-time rewriting.

$smtp_command_argument

While an ACL is running to check an SMTP command, this variable contains the argument, that is, the text that follows the command name, with leading white space removed. Following the introduction of $smtp_command, this variable is somewhat redundant, but is retained for backwards compatibility.

$smtp_command_history

A comma-separated list (with no whitespace) of the most-recent SMTP commands received, in time-order left to right. Only a limited number of commands are remembered.

$smtp_count_at_connection_start

This variable is set greater than zero only in processes spawned by the Exim daemon for handling incoming SMTP connections. The name is deliberately long, in order to emphasize what the contents are. When the daemon accepts a new connection, it increments this variable. A copy of the variable is passed to the child process that handles the connection, but its value is fixed, and never changes. It is only an approximation of how many incoming connections there actually are, because many other connections may come and go while a single connection is being processed. When a child process terminates, the daemon decrements its copy of the variable.

$sn0 – $sn9

These variables are copies of the values of the $n0 – $n9 accumulators that were current at the end of the system filter file. This allows a system filter file to set values that can be tested in users’ filter files. For example, a system filter could set a value indicating how likely it is that a message is junk mail.

$spam_score
$spam_score_int
$spam_bar
$spam_report
$spam_action

A number of variables whose names start with $spam are available when Exim is compiled with the content-scanning extension. For details, see section 45.2.

$spf_header_comment
$spf_received
$spf_result
$spf_result_guessed
$spf_smtp_comment

These variables are only available if Exim is built with SPF support. For details see section 58.4.

$spool_directory

The name of Exim’s spool directory.

$spool_inodes

The number of free inodes in the disk partition where Exim’s spool files are being written. The value is recalculated whenever the variable is referenced. If the relevant file system does not have the concept of inodes, the value of is -1. See also the check_spool_inodes option.

$spool_space

The amount of free space (as a number of kilobytes) in the disk partition where Exim’s spool files are being written. The value is recalculated whenever the variable is referenced. If the operating system does not have the ability to find the amount of free space (only true for experimental systems), the space value is -1. For example, to check in an ACL that there is at least 50 megabytes free on the spool, you could write:

condition = ${if > {$spool_space}{50000}}

See also the check_spool_space option.

$thisaddress

This variable is set only during the processing of the foranyaddress command in a filter file. Its use is explained in the description of that command, which can be found in the separate document entitled Exim’s interfaces to mail filtering.

$tls_in_bits

Contains an approximation of the TLS cipher’s bit-strength on the inbound connection; the meaning of this depends upon the TLS implementation used. If TLS has not been negotiated, the value will be 0. The value of this is automatically fed into the Cyrus SASL authenticator when acting as a server, to specify the "external SSF" (a SASL term).

The deprecated $tls_bits variable refers to the inbound side except when used in the context of an outbound SMTP delivery, when it refers to the outbound.

$tls_out_bits

Contains an approximation of the TLS cipher’s bit-strength on an outbound SMTP connection; the meaning of this depends upon the TLS implementation used. If TLS has not been negotiated, the value will be 0.

$tls_in_ourcert

This variable refers to the certificate presented to the peer of an inbound connection when the message was received. It is only useful as the argument of a certextract expansion item, md5, sha1 or sha256 operator, or a def condition.

Note: Under versions of OpenSSL preceding 1.1.1, when a list of more than one file is used for tls_certificate, this variable is not reliable. The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.

$tls_in_peercert

This variable refers to the certificate presented by the peer of an inbound connection when the message was received. It is only useful as the argument of a certextract expansion item, md5, sha1 or sha256 operator, or a def condition. If certificate verification fails it may refer to a failing chain element which is not the leaf.

$tls_out_ourcert

This variable refers to the certificate presented to the peer of an outbound connection. It is only useful as the argument of a certextract expansion item, md5, sha1 or sha256 operator, or a def condition.

$tls_out_peercert

This variable refers to the certificate presented by the peer of an outbound connection. It is only useful as the argument of a certextract expansion item, md5, sha1 or sha256 operator, or a def condition. If certificate verification fails it may refer to a failing chain element which is not the leaf.

$tls_in_certificate_verified

This variable is set to “1” if a TLS certificate was verified when the message was received, and “0” otherwise.

The deprecated $tls_certificate_verified variable refers to the inbound side except when used in the context of an outbound SMTP delivery, when it refers to the outbound.

$tls_out_certificate_verified

This variable is set to “1” if a TLS certificate was verified when an outbound SMTP connection was made, and “0” otherwise.

$tls_in_cipher

When a message is received from a remote host over an encrypted SMTP connection, this variable is set to the cipher suite that was negotiated, for example DES-CBC3-SHA. In other circumstances, in particular, for message received over unencrypted connections, the variable is empty. Testing $tls_in_cipher for emptiness is one way of distinguishing between encrypted and non-encrypted connections during ACL processing.

The deprecated $tls_cipher variable is the same as $tls_in_cipher during message reception, but in the context of an outward SMTP delivery taking place via the smtp transport becomes the same as $tls_out_cipher.

$tls_in_cipher_std

As above, but returning the RFC standard name for the cipher suite.

$tls_out_cipher

This variable is cleared before any outgoing SMTP connection is made, and then set to the outgoing cipher suite if one is negotiated. See chapter 43 for details of TLS support and chapter 30 for details of the smtp transport.

$tls_out_cipher_std

As above, but returning the RFC standard name for the cipher suite.

$tls_out_dane

DANE active status. See section 43.18.

$tls_in_ocsp

When a message is received from a remote client connection the result of any OCSP request from the client is encoded in this variable:

0 OCSP proof was not requested (default value)
1 No response to request
2 Response not verified
3 Verification failed
4 Verification succeeded
$tls_out_ocsp

When a message is sent to a remote host connection the result of any OCSP request made is encoded in this variable. See $tls_in_ocsp for values.

$tls_in_peerdn

When a message is received from a remote host over an encrypted SMTP connection, and Exim is configured to request a certificate from the client, the value of the Distinguished Name of the certificate is made available in the $tls_in_peerdn during subsequent processing. If certificate verification fails it may refer to a failing chain element which is not the leaf.

The deprecated $tls_peerdn variable refers to the inbound side except when used in the context of an outbound SMTP delivery, when it refers to the outbound.

$tls_out_peerdn

When a message is being delivered to a remote host over an encrypted SMTP connection, and Exim is configured to request a certificate from the server, the value of the Distinguished Name of the certificate is made available in the $tls_out_peerdn during subsequent processing. If certificate verification fails it may refer to a failing chain element which is not the leaf.

$tls_in_resumption
$tls_out_resumption

Observability for TLS session resumption. See 43.17 for details.

$tls_in_sni

When a TLS session is being established, if the client sends the Server Name Indication extension, the value will be placed in this variable. If the variable appears in tls_certificate then this option and some others, described in 43.12, will be re-expanded early in the TLS session, to permit a different certificate to be presented (and optionally a different key to be used) to the client, based upon the value of the SNI extension.

The deprecated $tls_sni variable refers to the inbound side except when used in the context of an outbound SMTP delivery, when it refers to the outbound.

$tls_out_sni

During outbound SMTP deliveries, this variable reflects the value of the tls_sni option on the transport.

$tls_out_tlsa_usage

Bitfield of TLSA record types found. See section 43.18.

$tls_in_ver

When a message is received from a remote host over an encrypted SMTP connection this variable is set to the protocol version, eg TLS1.2.

$tls_out_ver

When a message is being delivered to a remote host over an encrypted SMTP connection this variable is set to the protocol version.

$tod_bsdinbox

The time of day and the date, in the format required for BSD-style mailbox files, for example: Thu Oct 17 17:14:09 1995.

$tod_epoch

The time and date as a number of seconds since the start of the Unix epoch.

$tod_epoch_l

The time and date as a number of microseconds since the start of the Unix epoch.

$tod_full

A full version of the time and date, for example: Wed, 16 Oct 1995 09:51:40 +0100. The timezone is always given as a numerical offset from UTC, with positive values used for timezones that are ahead (east) of UTC, and negative values for those that are behind (west).

$tod_log

The time and date in the format used for writing Exim’s log files, for example: 1995-10-12 15:32:29, but without a timezone.

$tod_logfile

This variable contains the date in the format yyyymmdd. This is the format that is used for datestamping log files when log_file_path contains the %D flag.

$tod_zone

This variable contains the numerical value of the local timezone, for example: -0500.

$tod_zulu

This variable contains the UTC date and time in “Zulu” format, as specified by ISO 8601, for example: 20030221154023Z.

$transport_name

During the running of a transport, this variable contains its name.

$value

This variable contains the result of an expansion lookup, extraction operation, or external command, as described above. It is also used during a reduce expansion.

$verify_mode

While a router or transport is being run in verify mode or for cutthrough delivery, contains "S" for sender-verification or "R" for recipient-verification. Otherwise, empty.

$version_number

The version number of Exim. Same as $exim_version, may be overridden by the exim_version main config option.

$warn_message_delay

This variable is set only during the creation of a message warning about a delivery delay. Details of its use are explained in section 50.2.

$warn_message_recipients

This variable is set only during the creation of a message warning about a delivery delay. Details of its use are explained in section 50.2.

<-previousTable of Contentsnext->