Substitute the contents of the named variable, for example:

$local_part
${domain}

The second form can be used to separate the name from subsequent alphanumeric characters. This form (using braces) is available only for variables; it does not apply to message headers. The names of the variables are given in section 11.9 below. If the name of a non-existent variable is given, the expansion fails.

The string is first itself expanded, and then the operation specified by <op> is applied to it. For example:

${lc:$local_part}

The string starts with the first character after the colon, which may be leading white space. A list of operators is given in section 11.6 below. The operator notation is used for simple expansion items that have just one argument, because it reduces the number of braces and therefore makes the string easier to understand.

This item inserts “basic” header lines. It is described with the header expansion item below.

This expansion dynamically loads and then calls a locally-written C function. This functionality is available only if Exim is compiled with

EXPAND_DLFUNC=yes

set in Local/Makefile. Once loaded, Exim remembers the dynamically loaded object so that it doesn’t reload the same object file in the same Exim process (but of course Exim does start new processes frequently).

There may be from zero to eight arguments to the function. When compiling a local function that is to be called in this way, local_scan.h should be included. The Exim variables and functions that are defined by that API are also available for dynamically loaded functions. The function itself must have the following type:

int dlfunction(uschar **yield, int argc, uschar *argv[])

Where uschar is a typedef for unsigned char in local_scan.h. The function should return one of the following values:

OK: Success. The string that is placed in the variable yield is put into the expanded string that is being built.

FAIL: A non-forced expansion failure occurs, with the error message taken from yield, if it is set.

FAIL_FORCED: A forced expansion failure occurs, with the error message taken from yield if it is set.

ERROR: Same as FAIL, except that a panic log entry is written.

When compiling a function that is to be used in this way with gcc, you need to add -shared to the gcc command. Also, in the Exim build-time configuration, you must add -export-dynamic to EXTRALIBS.

The key and <string1> are first expanded separately. Leading and trailing white space is removed from the key (but not from any of the strings). The key must not consist entirely of digits. The expanded <string1> must be of the form:

where the equals signs and spaces (but not both) are optional. If any of the values contain white space, they must be enclosed in double quotes, and any values that are enclosed in double quotes are subject to escape processing as described in section 6.16. The expanded <string1> is searched for the value that corresponds to the key. The search is case-insensitive. If the key is found, <string2> is expanded, and replaces the whole item; otherwise <string3> is used. During the expansion of <string2> the variable $value contains the value that has been extracted. Afterwards, it is restored to any previous value it might have had.

If {<string3>} is omitted, the item is replaced by an empty string if the key is not found. If {<string2>} is also omitted, the value that was extracted is used. Thus, for example, these two expansions are identical, and yield “2001”:

${extract{gid}{uid=1984 gid=2001}}
${extract{gid}{uid=1984 gid=2001}{$value}}

Instead of {<string3>} the word “fail” (not in curly brackets) can appear, for example:

${extract{Z}{A=... B=...}{$value} fail }

This forces an expansion failure (see section 11.4); {<string2>} must be present for “fail” to be recognized.

The <number> argument must consist entirely of decimal digits, apart from leading and trailing white space, which is ignored. This is what distinguishes this form of extract from the previous kind. It behaves in the same way, except that, instead of extracting a named field, it extracts from <string1> the field whose number is given as the first argument. You can use $value in <string2> or fail instead of <string3> as before.

The fields in the string are separated by any one of the characters in the separator string. These may include space or tab characters. The first field is numbered one. If the number is negative, the fields are counted from the end of the string, with the rightmost one numbered -1. If the number given is zero, the entire string is returned. If the modulus of the number is greater than the number of fields in the string, the result is the expansion of <string3>, or the empty string if <string3> is not provided. For example:

${extract{2}{:}{x:42:99:& Mailer::/bin/bash}}

yields “42”, and

${extract{-4}{:}{x:42:99:& Mailer::/bin/bash}}

yields “99”. Two successive separators mean that the field between them is empty (for example, the fifth field above).

After expansion, <string> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way. For each item in this list, its value is place in $item, and then the condition is evaluated. If the condition is true, $item is added to the output as an item in a new list; if the condition is false, the item is discarded. The separator used for the output list is the same as the one used for the input, but a separator setting is not included in the output. For example:

${filter{a:b:c}{!eq{$item}{b}}

yields a:c. At the end of the expansion, the value of $item is restored to what it was before. See also the map and reduce expansion items.

This is a textual hashing function, and was the first to be implemented in early versions of Exim. In current releases, there are other hashing functions (numeric, MD5, and SHA-1), which are described below.

The first two strings, after expansion, must be numbers. Call them <m> and <n>. If you are using fixed values for these numbers, that is, if <string1> and <string2> do not change when they are expanded, you can use the simpler operator notation that avoids some of the braces:

${hash_<n>_<m>:<string>}

The second number is optional (in both notations). If <n> is greater than or equal to the length of the string, the expansion item returns the string. Otherwise it computes a new string of length <n> by applying a hashing function to the string. The new string consists of characters taken from the first <m> characters of the string

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQWRSTUVWXYZ0123456789

If <m> is not present the value 26 is used, so that only lower case letters appear. For example:

Substitute the contents of the named message header line, for example

$header_reply-to:

The newline that terminates a header line is not included in the expansion, but internal newlines (caused by splitting the header line over several physical lines) may be present.

The difference between rheader, bheader, and header is in the way the data in the header line is interpreted.

In a filter file, the target character set for header can be specified by a command of the following form:

headers charset "UTF-8"

This command affects all references to $h_ (or $header_) expansions in subsequently obeyed filter commands. In the absence of this command, the target character set in a filter is taken from the setting of the headers_charset option in the runtime configuration. The value of this option defaults to the value of HEADERS_CHARSET in Local/Makefile. The ultimate default is ISO-8859-1.

Header names follow the syntax of RFC 2822, which states that they may contain any printing characters except space and colon. Consequently, curly brackets do not terminate header names, and should not be used to enclose them as if they were variables. Attempting to do so causes a syntax error.

Only header lines that are common to all copies of a message are visible to this mechanism. These are the original header lines that are received with the message, and any that are added by an ACL statement or by a system filter. Header lines that are added to a particular copy of a message by a router or transport are not accessible.

For incoming SMTP messages, no header lines are visible in ACLs that are obeyed before the DATA ACL, because the header structure is not set up until the message is received. Header lines that are added in a RCPT ACL (for example) are saved until the message’s incoming header lines are available, at which point they are added. When a DATA ACL is running, however, header lines added by earlier ACLs are visible.

Upper case and lower case letters are synonymous in header names. If the following character is white space, the terminating colon may be omitted, but this is not recommended, because you may then forget it when it is needed. When white space terminates the header name, it is included in the expanded string. If the message does not contain the given header, the expansion item is replaced by an empty string. (See the def condition in section 11.7 for a means of testing for the existence of a header.)

If there is more than one header with the same name, they are all concatenated to form the substitution string, up to a maximum length of 64K. Unless rheader is being used, leading and trailing white space is removed from each header before concatenation, and a completely empty header is ignored. A newline character is then inserted between non-empty headers, but there is no newline at the very end. For the header and bheader expansion, for those headers that contain lists of addresses, a comma is also inserted at the junctions between headers. This does not happen for the rheader expansion.

This function uses cryptographic hashing (either MD5 or SHA-1) to convert a shared secret and some text into a message authentication code, as specified in RFC 2104. This differs from ${md5:secret_text...} or ${sha1:secret_text...} in that the hmac step adds a signature to the cryptographic hash, allowing for authentication that is not possible with MD5 or SHA-1 alone. The hash name must expand to either md5 or sha1 at present. For example:

${hmac{md5}{somesecret}{$primary_hostname $tod_log}}

For the hostname mail.example.com and time 2002-10-17 11:30:59, this produces:

dd97e3ba5d1a61b5006108f8c8252953

As an example of how this might be used, you might put in the main part of an Exim configuration:

SPAMSCAN_SECRET=cohgheeLei2thahw

In a router or a transport you could then have:

headers_add = \
  X-Spam-Scanned: ${primary_hostname} ${message_exim_id} \
  ${hmac{md5}{SPAMSCAN_SECRET}\
  {${primary_hostname},${message_exim_id},$h_message-id:}}

Then given a message, you can check where it was scanned by looking at the X-Spam-Scanned: header line. If you know the secret, you can check that this header line is authentic by recomputing the authentication code from the host name, message ID and the Message-id: header line. This can be done using Exim’s -be option, or by other means, for example by using the hmac_md5_hex() function in Perl.

If <condition> is true, <string1> is expanded and replaces the whole item; otherwise <string2> is used. The available conditions are described in section 11.7 below. For example:

${if eq {$local_part}{postmaster} {yes}{no} }

The second string need not be present; if it is not and the condition is not true, the item is replaced with nothing. Alternatively, the word “fail” may be present instead of the second string (without any curly brackets). In this case, the expansion is forced to fail if the condition is not true (see section 11.4).

If both strings are omitted, the result is the string true if the condition is true, and the empty string if the condition is false. This makes it less cumbersome to write custom ACL and router conditions. For example, instead of

condition = ${if >{$acl_m4}{3}{true}{false}}

you can use

condition = ${if >{$acl_m4}{3}}

The length item is used to extract the initial portion of a string. Both strings are expanded, and the first one must yield a number, <n>, say. If you are using a fixed value for the number, that is, if <string1> does not change when expanded, you can use the simpler operator notation that avoids some of the braces:

${length_<n>:<string>}

The result of this item is either the first <n> characters or the whole of <string2>, whichever is the shorter. Do not confuse length with strlen, which gives the length of a string.

This is the first of one of two different types of lookup item, which are both described in the next item.

The two forms of lookup item specify data lookups in files and databases, as discussed in chapter 9. The first form is used for single-key lookups, and the second is used for query-style lookups. The <key>, <file>, and <query> strings are expanded before use.

If there is any white space in a lookup item which is part of a filter command, a retry or rewrite rule, a routing rule for the manualroute router, or any other place where white space is significant, the lookup item must be enclosed in double quotes. The use of data lookups in users’ filter files may be locked out by the system administrator.

If the lookup succeeds, <string1> is expanded and replaces the entire item. During its expansion, the variable $value contains the data returned by the lookup. Afterwards it reverts to the value it had previously (at the outer level it is empty). If the lookup fails, <string2> is expanded and replaces the entire item. If {<string2>} is omitted, the replacement is the empty string on failure. If <string2> is provided, it can itself be a nested lookup, thus providing a mechanism for looking up a default value when the original lookup fails.

If a nested lookup is used as part of <string1>, $value contains the data for the outer lookup while the parameters of the second lookup are expanded, and also while <string2> of the second lookup is expanded, should the second lookup fail. Instead of {<string2>} the word “fail” can appear, and in this case, if the lookup fails, the entire expansion is forced to fail (see section 11.4). If both {<string1>} and {<string2>} are omitted, the result is the looked up value in the case of a successful lookup, and nothing in the case of failure.

For single-key lookups, the string “partial” is permitted to precede the search type in order to do partial matching, and * or *@ may follow a search type to request default lookups if the key does not match (see sections 9.6 and 9.7 for details).

If a partial search is used, the variables $1 and $2 contain the wild and non-wild parts of the key during the expansion of the replacement text. They return to their previous values at the end of the lookup item.

This example looks up the postmaster alias in the conventional alias file:

${lookup {postmaster} lsearch {/etc/aliases} {$value}}

This example uses NIS+ to look up the full name of the user corresponding to the local part of an address, forcing the expansion to fail if it is not found:

${lookup nisplus {[name=$local_part],passwd.org_dir:gcos} \
  {$value}fail}

After expansion, <string1> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way. For each item in this list, its value is place in $item, and then <string2> is expanded and added to the output as an item in a new list. The separator used for the output list is the same as the one used for the input, but a separator setting is not included in the output. For example:

${map{a:b:c}{[$item]}} ${map{<- x-y-z}{($item)}}

expands to [a]:[b]:[c] (x)-(y)-(z). At the end of the expansion, the value of $item is restored to what it was before. See also the filter and reduce expansion items.

The three strings are expanded; the first two must yield numbers. Call them <n> and <m>. If you are using fixed values for these numbers, that is, if <string1> and <string2> do not change when they are expanded, you can use the simpler operator notation that avoids some of the braces:

${nhash_<n>_<m>:<string>}

The second number is optional (in both notations). If there is only one number, the result is a number in the range 0–<n>-1. Otherwise, the string is processed by a div/mod hash function that returns two numbers, separated by a slash, in the ranges 0 to <n>-1 and 0 to <m>-1, respectively. For example,

${nhash{8}{64}{supercalifragilisticexpialidocious}}

returns the string “6/33”.

This item is available only if Exim has been built to include an embedded Perl interpreter. The subroutine name and the arguments are first separately expanded, and then the Perl subroutine is called with those arguments. No additional arguments need be given; the maximum number permitted, including the name of the subroutine, is nine.

The return value of the subroutine is inserted into the expanded string, unless the return value is undef. In that case, the expansion fails in the same way as an explicit “fail” on a lookup item. The return value is a scalar. Whatever you return is evaluated in a scalar context. For example, if you return the name of a Perl vector, the return value is the size of the vector, not its contents.

If the subroutine exits by calling Perl’s die function, the expansion fails with the error message that was passed to die. More details of the embedded Perl facility are given in chapter 12.

The redirect router has an option called forbid_filter_perl which locks out the use of this expansion item in filter files.

The first argument is a complete email address and the second is secret keystring. The third argument, specifying a key number, is optional. If absent, it defaults to 0. The result of the expansion is a prvs-signed email address, to be typically used with the return_path option on an smtp transport as part of a bounce address tag validation (BATV) scheme. For more discussion and an example, see section 40.47.

This expansion item is the complement of the prvs item. It is used for checking prvs-signed addresses. If the expansion of the first argument does not yield a syntactically valid prvs-signed address, the whole item expands to the empty string. When the first argument does expand to a syntactically valid prvs-signed address, the second argument is expanded, with the prvs-decoded version of the address and the key number extracted from the address in the variables $prvscheck_address and $prvscheck_keynum, respectively.

These two variables can be used in the expansion of the second argument to retrieve the secret. The validity of the prvs-signed address is then checked against the secret. The result is stored in the variable $prvscheck_result, which is empty for failure or “1” for success.

The third argument is optional; if it is missing, it defaults to an empty string. This argument is now expanded. If the result is an empty string, the result of the expansion is the decoded version of the address. This is the case whether or not the signature was valid. Otherwise, the result of the expansion is the expansion of the third argument.

All three variables can be used in the expansion of the third argument. However, once the expansion is complete, only $prvscheck_result remains set. For more discussion and an example, see section 40.47.

The file name and end-of-line string are first expanded separately. The file is then read, and its contents replace the entire item. All newline characters in the file are replaced by the end-of-line string if it is present. Otherwise, newlines are left in the string. String expansion is not applied to the contents of the file. If you want this, you must wrap the item in an expand operator. If the file cannot be read, the string expansion fails.

The redirect router has an option called forbid_filter_readfile which locks out the use of this expansion item in filter files.

This item inserts data from a Unix domain or Internet socket into the expanded string. The minimal way of using it uses just two arguments, as in these examples:

${readsocket{/socket/name}{request string}}
${readsocket{inet:some.host:1234}{request string}}

For a Unix domain socket, the first substring must be the path to the socket. For an Internet socket, the first substring must contain inet: followed by a host name or IP address, followed by a colon and a port, which can be a number or the name of a TCP port in /etc/services. An IP address may optionally be enclosed in square brackets. This is best for IPv6 addresses. For example:

${readsocket{inet:[::1]:1234}{request string}}

Only a single host name may be given, but if looking it up yields more than one IP address, they are each tried in turn until a connection is made. For both kinds of socket, Exim makes a connection, writes the request string (unless it is an empty string) and reads from the socket until an end-of-file is read. A timeout of 5 seconds is applied. Additional, optional arguments extend what can be done. Firstly, you can vary the timeout. For example:

${readsocket{/socket/name}{request string}{3s}}

A fourth argument allows you to change any newlines that are in the data that is read, in the same way as for readfile (see above). This example turns them into spaces:

${readsocket{inet:127.0.0.1:3294}{request string}{3s}{ }}

As with all expansions, the substrings are expanded before the processing happens. Errors in these sub-expansions cause the expansion to fail. In addition, the following errors can occur:

By default, any of these errors causes the expansion to fail. However, if you supply a fifth substring, it is expanded and used when any of the above errors occurs. For example:

${readsocket{/socket/name}{request string}{3s}{\n}\
  {socket failure}}

You can test for the existence of a Unix domain socket by wrapping this expansion in ${if exists, but there is a race condition between that test and the actual opening of the socket, so it is safer to use the fifth argument if you want to be absolutely sure of avoiding an expansion error for a non-existent Unix domain socket, or a failure to connect to an Internet socket.

The redirect router has an option called forbid_filter_readsocket which locks out the use of this expansion item in filter files.

This operation reduces a list to a single, scalar string. After expansion, <string1> is interpreted as a list, colon-separated by default, but the separator can be changed in the usual way. Then <string2> is expanded and assigned to the $value variable. After this, each item in the <string1> list is assigned to $item in turn, and <string3> is expanded for each of them. The result of that expansion is assigned to $value before the next iteration. When the end of the list is reached, the final value of $value is added to the expansion output. The reduce expansion item can be used in a number of ways. For example, to add up a list of numbers:

${reduce {<, 1,2,3}{0}{${eval:$value+$item}}}

The result of that expansion would be 6. The maximum of a list of numbers can be found:

${reduce {3:0:9:4:6}{0}{${if >{$item}{$value}{$item}{$value}}}}

At the end of a reduce expansion, the values of $item and $value are restored to what they were before. See also the filter and map expansion items.

This item inserts “raw” header lines. It is described with the header expansion item above.

The command and its arguments are first expanded separately, and then the command is run in a separate process, but under the same uid and gid. As in other command executions from Exim, a shell is not used by default. If you want a shell, you must explicitly code it.

The standard input for the command exists, but is empty. The standard output and standard error are set to the same file descriptor. If the command succeeds (gives a zero return code) <string1> is expanded and replaces the entire item; during this expansion, the standard output/error from the command is in the variable $value. If the command fails, <string2>, if present, is expanded and used. Once again, during the expansion, the standard output/error from the command is in the variable $value.

If <string2> is absent, the result is empty. Alternatively, <string2> can be the word “fail” (not in braces) to force expansion failure if the command does not succeed. If both strings are omitted, the result is contents of the standard output/error on success, and nothing on failure.

The return code from the command is put in the variable $runrc, and this remains set afterwards, so in a filter file you can do things like this:

if "${run{x y z}{}}$runrc" is 1 then ...
  elif $runrc is 2 then ...
  ...
endif

If execution of the command fails (for example, the command does not exist), the return code is 127 – the same code that shells use for non-existent commands.

Warning: In a router or transport, you cannot assume the order in which option values are expanded, except for those preconditions whose order of testing is documented. Therefore, you cannot reliably expect to set $runrc by the expansion of one option, and use it in another.

The redirect router has an option called forbid_filter_run which locks out the use of this expansion item in filter files.

This item works like Perl’s substitution operator (s) with the global (/g) option; hence its name. However, unlike the Perl equivalent, Exim does not modify the subject string; instead it returns the modified string for insertion into the overall expansion. The item takes three arguments: the subject string, a regular expression, and a substitution string. For example:

${sg{abcdefabcdef}{abc}{xyz}}

yields “xyzdefxyzdef”. Because all three arguments are expanded before use, if any $ or \ characters are required in the regular expression or in the substitution string, they have to be escaped. For example:

${sg{abcdef}{^(...)(...)\$}{\$2\$1}}

yields “defabc”, and

${sg{1=A 4=D 3=C}{\N(\d+)=\N}{K\$1=}}

yields “K1=A K4=D K3=C”. Note the use of \N to protect the contents of the regular expression from string expansion.

The three strings are expanded; the first two must yield numbers. Call them <n> and <m>. If you are using fixed values for these numbers, that is, if <string1> and <string2> do not change when they are expanded, you can use the simpler operator notation that avoids some of the braces:

${substr_<n>_<m>:<string>}

The second number is optional (in both notations). If it is absent in the simpler format, the preceding underscore must also be omitted.

The substr item can be used to extract more general substrings than length. The first number, <n>, is a starting offset, and <m> is the length required. For example

${substr{3}{2}{$local_part}}

If the starting offset is greater than the string length the result is the null string; if the length plus starting offset is greater than the string length, the result is the right-hand part of the string, starting from the given offset. The first character in the string has offset zero.

The substr expansion item can take negative offset values to count from the right-hand end of its operand. The last character is offset -1, the second-last is offset -2, and so on. Thus, for example,

${substr{-5}{2}{1234567}}

yields “34”. If the absolute value of a negative offset is greater than the length of the string, the substring starts at the beginning of the string, and the length is reduced by the amount of overshoot. Thus, for example,

${substr{-5}{2}{12}}

yields an empty string, but

${substr{-3}{2}{12}}

yields “1”.

When the second number is omitted from substr, the remainder of the string is taken if the offset is positive. If it is negative, all characters in the string preceding the offset point are taken. For example, an offset of -1 and no length, as in these semantically identical examples:

${substr_-1:abcde}
${substr{-1}{abcde}}

yields all but the last character of the string, that is, “abcd”.

This item does single-character translation on its subject string. The second argument is a list of characters to be translated in the subject string. Each matching character is replaced by the corresponding character from the replacement list. For example

${tr{abcdea}{ac}{13}}

yields 1b3de1. If there are duplicates in the second character string, the last occurrence is used. If the third string is shorter than the second, its last character is replicated. However, if it is empty, no translation takes place.

The string is interpreted as an RFC 2822 address, as it might appear in a header line, and the effective address is extracted from it. If the string does not parse successfully, the result is empty.

The string (after expansion) is interpreted as a list of addresses in RFC 2822 format, such as can be found in a To: or Cc: header line. The operative address (local-part@domain) is extracted from each item, and the result of the expansion is a colon-separated list, with appropriate doubling of colons should any happen to be present in the email addresses. Syntactically invalid RFC2822 address items are omitted from the output.

It is possible to specify a character other than colon for the output separator by starting the string with > followed by the new separator character. For example:

${addresses:>& Chief <ceo@up.stairs>, sec@base.ment (dogsbody)}

expands to ceo@up.stairs&sec@base.ment. Compare the address (singular) expansion item, which extracts the working address from a single RFC2822 address. See the filter, map, and reduce items for ways of processing lists.

The string must consist entirely of decimal digits. The number is converted to base 62 and output as a string of six characters, including leading zeros. In the few operating environments where Exim uses base 36 instead of base 62 for its message identifiers (because those systems do not have case-sensitive file names), base 36 is used by this operator, despite its name. Note: Just to be absolutely clear: this is not base64 encoding.

The string must consist entirely of base-62 digits, or, in operating environments where Exim uses base 36 instead of base 62 for its message identifiers, base-36 digits. The number is converted to decimal and output as a string.

The string is interpreted as an RFC 2822 address and the domain is extracted from it. If the string does not parse successfully, the result is empty.

If the string contains any non-printing characters, they are converted to escape sequences starting with a backslash. Whether characters with the most significant bit set (so-called “8-bit characters”) count as printing or not is controlled by the print_topbitchars option.

These items supports simple arithmetic and bitwise logical operations in expansion strings. The string (after expansion) must be a conventional arithmetic expression, but it is limited to basic arithmetic operators, bitwise logical operators, and parentheses. All operations are carried out using integer arithmetic. The operator priorities are as follows (the same as in the C programming language):

Binary operators with the same priority are evaluated from left to right. White space is permitted before or after operators.

For eval, numbers may be decimal, octal (starting with “0”) or hexadecimal (starting with “0x”). For eval10, all numbers are taken as decimal, even if they start with a leading zero; hexadecimal numbers are not permitted. This can be useful when processing numbers extracted from dates or times, which often do have leading zeros.

A number may be followed by “K” or “M” to multiply it by 1024 or 1024*1024, respectively. Negative numbers are supported. The result of the computation is a decimal representation of the answer (without “K” or “M”). For example:

As a more realistic example, in an ACL you might have

deny   message = Too many bad recipients
       condition =                    \
         ${if and {                   \
           {>{$rcpt_count}{10}}       \
           {                          \
           <                          \
             {$recipients_count}      \
             {${eval:$rcpt_count/2}}  \
           }                          \
         }{yes}{no}}

The condition is true if there have been more than 10 RCPT commands and fewer than half of them have resulted in a valid recipient.

The expand operator causes a string to be expanded for a second time. For example,

${expand:${lookup{$domain}dbm{/some/file}{$value}}}

first looks up a string in a file while expanding the operand for expand, and then re-expands what it has found.

The world is slowly moving towards Unicode, although there are no standards for email yet. However, other applications (including some databases) are starting to store data in Unicode, using UTF-8 encoding. This operator converts from a UTF-8 string to an ISO-8859-1 string. UTF-8 code values greater than 255 are converted to underscores. The input must be a valid UTF-8 string. If it is not, the result is an undefined sequence of bytes.

Unicode code points with values less than 256 are compatible with ASCII and ISO-8859-1 (also known as Latin-1). For example, character 169 is the copyright symbol in both cases, though the way it is encoded is different. In UTF-8, more than one byte is needed for characters with code values greater than 127, whereas ISO-8859-1 is a single-byte encoding (but thereby limited to 256 characters). This makes translation from UTF-8 to ISO-8859-1 straightforward.

The hash operator is a simpler interface to the hashing function that can be used when the two parameters are fixed numbers (as opposed to strings that change when expanded). The effect is the same as

${hash{<n>}{<m>}{<string>}}

See the description of the general hash item above for details. The abbreviation h can be used when hash is used as an operator.

This operator converts a hex string into one that is base64 encoded. This can be useful for processing the output of the MD5 and SHA-1 hashing functions.

This forces the letters in the string into lower-case, for example:

${lc:$local_part}

The length operator is a simpler interface to the length function that can be used when the parameter is a fixed number (as opposed to a string that changes when expanded). The effect is the same as

${length{<number>}{<string>}}

See the description of the general length item above for details. Note that length is not the same as strlen. The abbreviation l can be used when length is used as an operator.

The string is interpreted as an RFC 2822 address and the local part is extracted from it. If the string does not parse successfully, the result is empty.

If the form of the string to be operated on is not an IP address followed by a slash and an integer (that is, a network address in CIDR notation), the expansion fails. Otherwise, this operator converts the IP address to binary, masks off the least significant bits according to the bit count, and converts the result back to text, with mask appended. For example,

${mask:10.111.131.206/28}

returns the string “10.111.131.192/28”. Since this operation is expected to be mostly used for looking up masked addresses in files, the result for an IPv6 address uses dots to separate components instead of colons, because colon terminates a key string in lsearch files. So, for example,

${mask:3ffe:ffff:836f:0a00:000a:0800:200a:c031/99}

returns the string

3ffe.ffff.836f.0a00.000a.0800.2000.0000/99

Letters in IPv6 addresses are always output in lower case.

The md5 operator computes the MD5 hash value of the string, and returns it as a 32-digit hexadecimal number, in which any letters are in lower case.

The nhash operator is a simpler interface to the numeric hashing function that can be used when the two parameters are fixed numbers (as opposed to strings that change when expanded). The effect is the same as

${nhash{<n>}{<m>}{<string>}}

See the description of the general nhash item above for details.

The quote operator puts its argument into double quotes if it is an empty string or contains anything other than letters, digits, underscores, dots, and hyphens. Any occurrences of double quotes and backslashes are escaped with a backslash. Newlines and carriage returns are converted to \n and \r, respectively For example,

${quote:ab"*"cd}

becomes

"ab\"*\"cd"

The place where this is useful is when the argument is a substitution from a variable or a message header.

This operator is like quote, except that it quotes the string only if required to do so by the rules of RFC 2822 for quoting local parts. For example, a plus sign would not cause quoting (but it would for quote). If you are creating a new email address from the contents of $local_part (or any other unknown data), you should always use this operator.

This operator applies lookup-specific quoting rules to the string. Each query-style lookup type has its own quoting rules which are described with the lookups in chapter 9. For example,

${quote_ldap:two * two}

returns

two%20%5C2A%20two

For single-key lookup types, no quoting is ever necessary and this operator yields an unchanged string.

This operator encodes text according to the rules of RFC 2047. This is an encoding that is used in header lines to encode non-ASCII characters. It is assumed that the input string is in the encoding specified by the headers_charset option, which defaults to ISO-8859-1. If the string contains only characters in the range 33–126, and no instances of the characters

? = ( ) < > @ , ; : \ " . [ ] _

it is not modified. Otherwise, the result is the RFC 2047 encoding of the string, using as many “encoded words” as necessary to encode all the characters.

This operator decodes strings that are encoded as per RFC 2047. Binary zero bytes are replaced by question marks. Characters are converted into the character set defined by headers_charset. Overlong RFC 2047 “words” are not recognized unless check_rfc2047_length is set false.

The rxquote operator inserts a backslash before any non-alphanumeric characters in its argument. This is useful when substituting the values of variables or headers inside regular expressions.

The sha1 operator computes the SHA-1 hash value of the string, and returns it as a 40-digit hexadecimal number, in which any letters are in upper case.

The string, after expansion, must be a file path. A call to the stat() function is made for this path. If stat() fails, an error occurs and the expansion fails. If it succeeds, the data from the stat replaces the item, as a series of <name>=<value> pairs, where the values are all numerical, except for the value of “smode”. The names are: “mode” (giving the mode as a 4-digit octal number), “smode” (giving the mode in symbolic format as a 10-character string, as for the ls command), “inode”, “device”, “links”, “uid”, “gid”, “size”, “atime”, “mtime”, and “ctime”. You can extract individual fields using the extract expansion item.

The use of the stat expansion in users’ filter files can be locked out by the system administrator. Warning: The file size may be incorrect on 32-bit systems for files larger than 2GB.

This operator converts a string into one that is base64 encoded.

The item is replace by the length of the expanded string, expressed as a decimal number. Note: Do not confuse strlen with length.

The substr operator is a simpler interface to the substr function that can be used when the two parameters are fixed numbers (as opposed to strings that change when expanded). The effect is the same as

${substr{<start>}{<length>}{<string>}}

See the description of the general substr item above for details. The abbreviation s can be used when substr is used as an operator.

This item converts an Exim time interval such as 2d4h5m into a number of seconds.

The argument (after sub-expansion) must be a sequence of decimal digits that represents an interval of time as a number of seconds. It is converted into a number of larger units and output in Exim’s normal time format, for example, 1w3d4h2m6s.

This forces the letters in the string into upper-case.

Preceding any condition with an exclamation mark negates the result of the condition.

There are a number of symbolic operators for doing numeric comparisons. They are:

For example:

${if >{$message_size}{10M} ...

Note that the general negation operator provides for inequality testing. The two strings must take the form of optionally signed decimal integers, optionally followed by one of the letters “K” or “M” (in either upper or lower case), signifying multiplication by 1024 or 1024*1024, respectively. As a special case, the numerical value of an empty string is taken as zero.

This condition is included in the Exim binary if it is built to support any authentication mechanisms (see chapter 33). Otherwise, it is necessary to define SUPPORT_CRYPTEQ in Local/Makefile to get crypteq included in the binary.

The crypteq condition has two arguments. The first is encrypted and compared against the second, which is already encrypted. The second string may be in the LDAP form for storing encrypted strings, which starts with the encryption type in curly brackets, followed by the data. If the second string does not begin with “{” it is assumed to be encrypted with crypt() or crypt16() (see below), since such strings cannot begin with “{”. Typically this will be a field from a password file. An example of an encrypted string in LDAP form is:

{md5}CY9rzUYh03PK3k6DJie09g==

If such a string appears directly in an expansion, the curly brackets have to be quoted, because they are part of the expansion syntax. For example:

${if crypteq {test}{\{md5\}CY9rzUYh03PK3k6DJie09g==}{yes}{no}}

The following encryption types (whose names are matched case-independently) are supported:

Exim has its own version of crypt16(), which is just a double call to crypt(). For operating systems that have their own version, setting HAVE_CRYPT16 in Local/Makefile when building Exim causes it to use the operating system version instead of its own. This option is set by default in the OS-dependent Makefile for those operating systems that are known to support crypt16().

Some years after Exim’s crypt16() was implemented, a user discovered that it was not using the same algorithm as some operating systems’ versions. It turns out that as well as crypt16() there is a function called bigcrypt() in some operating systems. This may or may not use the same algorithm, and both of them may be different to Exim’s built-in crypt16().

However, since there is now a move away from the traditional crypt() functions towards using SHA1 and other algorithms, tidying up this area of Exim is seen as very low priority.

If you do not put a encryption type (in curly brackets) in a crypteq comparison, the default is usually either {crypt} or {crypt16}, as determined by the setting of DEFAULT_CRYPT in Local/Makefile. The default default is {crypt}. Whatever the default, you can always use either function by specifying it explicitly in curly brackets.

The def condition must be followed by the name of one of the expansion variables defined in section 11.9. The condition is true if the variable does not contain the empty string. For example:

${if def:sender_ident {from $sender_ident}}

Note that the variable name is given without a leading $ character. If the variable does not exist, the expansion fails.

This condition is true if a message is being processed and the named header exists in the message. For example,

${if def:header_reply-to:{$h_reply-to:}{$h_from:}}

Note: No $ appears before header_ or h_ in the condition, and the header name must be terminated by a colon if white space does not follow.

The two substrings are first expanded. The condition is true if the two resulting strings are identical. For eq the comparison includes the case of letters, whereas for eqi the comparison is case-independent.

The substring is first expanded and then interpreted as an absolute path. The condition is true if the named file (or directory) exists. The existence test is done by calling the stat() function. The use of the exists test in users’ filter files may be locked out by the system administrator.

This condition, which has no data, is true during a message’s first delivery attempt. It is false during any subsequent delivery attempts.

These conditions iterate over a list. The first argument is expanded to form the list. By default, the list separator is a colon, but it can be changed by the normal method. The second argument is interpreted as a condition that is to be applied to each item in the list in turn. During the interpretation of the condition, the current list item is placed in a variable called $item.

Note that negation of forany means that the condition must be false for all items for the overall condition to succeed, and negation of forall means that the condition must be false for at least one item. In this example, the list separator is changed to a comma:

${if forany{<, $recipients}{match{$item}{^user3@}}{yes}{no}}

The value of $item is saved and restored while forany or forall is being processed, to enable these expansion items to be nested.

The two substrings are first expanded. The condition is true if the first string is lexically greater than or equal to the second string. For ge the comparison includes the case of letters, whereas for gei the comparison is case-independent.

The two substrings are first expanded. The condition is true if the first string is lexically greater than the second string. For gt the comparison includes the case of letters, whereas for gti the comparison is case-independent.

The substring is first expanded, and then tested to see if it has the form of an IP address. Both IPv4 and IPv6 addresses are valid for isip, whereas isip4 and isip6 test specifically for IPv4 or IPv6 addresses.

${if isip4{$sender_host_address}...

This condition supports user authentication using LDAP. See section 9.13 for details of how to use LDAP in lookups and the syntax of queries. For this use, the query must contain a user name and password. The query itself is not used, and can be empty. The condition is true if the password is not empty, and the user name and password are accepted by the LDAP server. An empty password is rejected without calling LDAP because LDAP binds with an empty password are considered anonymous regardless of the username, and will succeed in most configurations. See chapter 33 for details of SMTP authentication, and chapter 34 for an example of how this can be used.

The two substrings are first expanded. The condition is true if the first string is lexically less than or equal to the second string. For le the comparison includes the case of letters, whereas for lei the comparison is case-independent.

The two substrings are first expanded. The condition is true if the first string is lexically less than the second string. For lt the comparison includes the case of letters, whereas for lti the comparison is case-independent.

The two substrings are first expanded. The second is then treated as a regular expression and applied to the first. Because of the pre-expansion, if the regular expression contains dollar, or backslash characters, they must be escaped. Care must also be taken if the regular expression contains braces (curly brackets). A closing brace must be escaped so that it is not taken as a premature termination of <string2>. The easiest approach is to use the \N feature to disable expansion of the regular expression. For example,

${if match {$local_part}{\N^\d{3}\N} ...

If the whole expansion string is in double quotes, further escaping of backslashes is also required.

The condition is true if the regular expression match succeeds. The regular expression is not required to begin with a circumflex metacharacter, but if there is no circumflex, the expression is not anchored, and it may match anywhere in the subject, not just at the start. If you want the pattern to match at the end of the subject, you must include the $ metacharacter at an appropriate point.

At the start of an if expansion the values of the numeric variable substitutions $1 etc. are remembered. Obeying a match condition that succeeds causes them to be reset to the substrings of that condition and they will have these values during the expansion of the success string. At the end of the if expansion, the previous values are restored. After testing a combination of conditions using or, the subsequent values of the numeric variables are those of the condition that succeeded.

See match_local_part.

See match_local_part.

This condition matches an IP address to a list of IP address patterns. It must be followed by two argument strings. The first (after expansion) must be an IP address or an empty string. The second (after expansion) is a restricted host list that can match only an IP address, not a host name. For example:

${if match_ip{$sender_host_address}{1.2.3.4:5.6.7.8}{...}{...}}

The specific types of host list item that are permitted in the list are:

Consult section 10.11 for further details of these patterns.

This condition, together with match_address and match_domain, make it possible to test domain, address, and local part lists within expansions. Each condition requires two arguments: an item and a list to match. A trivial example is:

${if match_domain{a.b.c}{x.y.z:a.b.c:p.q.r}{yes}{no}}

In each case, the second argument may contain any of the allowable items for a list of the appropriate type. Also, because the second argument (after expansion) is a standard form of list, it is possible to refer to a named list. Thus, you can use conditions like this:

${if match_domain{$domain}{+local_domains}{...

For address lists, the matching starts off caselessly, but the +caseful item can be used, as in all address lists, to cause subsequent items to have their local parts matched casefully. Domains are always matched caselessly.

Note: Host lists are not supported in this way. This is because hosts have two identities: a name and an IP address, and it is not clear how to specify cleanly how such a test would work. However, IP addresses can be matched using match_ip.

Pluggable Authentication Modules (http://www.kernel.org/pub/linux/libs/pam/) are a facility that is available in the latest releases of Solaris and in some GNU/Linux distributions. The Exim support, which is intended for use in conjunction with the SMTP AUTH command, is available only if Exim is compiled with

SUPPORT_PAM=yes

in Local/Makefile. You probably need to add -lpam to EXTRALIBS, and in some releases of GNU/Linux -ldl is also needed.

The argument string is first expanded, and the result must be a colon-separated list of strings. Leading and trailing white space is ignored. The PAM module is initialized with the service name “exim” and the user name taken from the first item in the colon-separated data string (<string1>). The remaining items in the data string are passed over in response to requests from the authentication function. In the simple case there will only be one request, for a password, so the data consists of just two strings.

There can be problems if any of the strings are permitted to contain colon characters. In the usual way, these have to be doubled to avoid being taken as separators. If the data is being inserted from a variable, the sg expansion item can be used to double any existing colons. For example, the configuration of a LOGIN authenticator might contain this setting:

server_condition = ${if pam{$auth1:${sg{$auth2}{:}{::}}}}

For a PLAIN authenticator you could use:

server_condition = ${if pam{$auth2:${sg{$auth3}{:}{::}}}}

In some operating systems, PAM authentication can be done only from a process running as root. Since Exim is running as the Exim user when receiving messages, this means that PAM cannot be used directly in those systems. A patched version of the pam_unix module that comes with the Linux PAM package is available from http://www.e-admin.de/pam_exim/. The patched module allows one special uid/gid combination, in addition to root, to authenticate. If you build the patched module to allow the Exim user and group, PAM can then be used from an Exim authenticator.

This condition supports user authentication using the Cyrus pwcheck daemon. This is one way of making it possible for passwords to be checked by a process that is not running as root. Note: The use of pwcheck is now deprecated. Its replacement is saslauthd (see below).

The pwcheck support is not included in Exim by default. You need to specify the location of the pwcheck daemon’s socket in Local/Makefile before building Exim. For example:

CYRUS_