The Exim FAQ

Contents   Next

0. GENERAL DEBUGGING

Q0001:  Exim is crashing. What is wrong?

A0001:  Exim should never crash. The author is always keen to know about crashes, so that they can be diagnosed and fixed. However, before you start sending me email, please check that you are running the latest release of Exim, in case the problem has already been fixed. The techniques described below can also be useful in trying to pin down exactly which circumstances caused the crash and what Exim was trying to do at the time. If the crash is reproducable (by a particular message, say) keep a copy of that message.

Q0002:  Exim is not working. What is wrong? How can I check what it is doing?

A0002:  Exactly how is it not working? Check the more specific questions in the other sections of this FAQ. Some general techniques for debugging are:

(1)  Look for information in Exim's log files. These are in the log directory in Exim's spool directory, unless you have configured a different path for them. Serious operational problems are reported in paniclog.

(2)  If the problem involves the delivery of one or more messages, try forcing a delivery with the -M option and also set the -d option, to cause Exim to output debugging information. For example:

   exim -d -M 0z6CXU-0005RR-00

The output is written to the standard error stream. You need to have admin privileges to use -M and -d.

(3)  If the problem involves incoming SMTP mail, try using the -bh option to simulate an incoming connection from a specific host, for example:

   exim -bh 10.9.8.7

This goes through the motions of an SMTP session, without actually accepting a message. Information about various policy checks is output. You will need to know how to pretend to be an SMTP client.

(4)  If the problem involves lack of recognition or incorrect handling of local addresses, try using the -bt option with debugging turned on, to see how Exim is handling the address. For example,

   exim -d -bt z6abc

shows you how it would handle the local part z6abc.

Q0003:  What does the error Child process of address_pipe transport returned 69 from command xxx mean?

A0003:  It means that when a transport called address_pipe was run to pass an email message by means of a pipe to another process running the command xxx, the return code from that command was 69, which indicates some kind of error (the success return code is 0).

The most common meaning of exit code 69 is “unavailable”, and this often means that when Exim tried to run the command xxx, it failed. One cause of this might be incorrect permissions on the file containing the command. See also Q0026.

Q0004:  My virtual domain setup isn't working. How can I debug it?

A0004:  You can use an exim command with -d to get it to show you how it is processing addresses. You don't actually need to send a message; use the -bt option like this:

   exim -d -bt localpart@virtualhost

This will show you which routers it is using. If the problem appears to be with the expansion of an option setting, you can use the debug_print option on a router to get Exim to output the expanded string values as it goes along.

Q0005:  Why is Exim not rejecting incoming messages addressed to non-existent users at SMTP time?

A0005:  This is controlled by the ACL that is run for each incoming RCPT command. It is defined by the acl_smtp_rcpt option. You can check this part of your configuration by using the -bh option to run a simulated SMTP session, during which Exim will tell you what things it is checking.

Q0006:  I've put an entry for *.my.domain in a DBM lookup file, but it isn't getting recognized.

A0006:  You need to request “partial matching” by setting the search type to partial-dbm in order for this to work.

Q0007:  I've put the entry *@domain.com in a lookup database, but it isn't working. The expansion I'm using is:

   ${lookup{${lc:$sender_address}}dbm{/the/file} ...

A0007:  As no sender address will ever be *@domain.com this will indeed have no effect as it stands. You need to tell Exim that you want it to look for defaults after the normal lookup has failed. In this case, change the search type from dbm to dbm*@. See the section on Default values in single-key lookups in the chapter entitled File and database lookups in the Exim manual.

Q0008:  If I run ./exim -d -bt user@domain all seems well, but when I send a message from my User Agent, it does not arrive at its destination.

A0008:  Try sending a message directly to Exim by typing this:

   exim -v user@domain
   <some message, could be empty>
   .

If the message gets delivered to a remote host, but never arrives at its final destination, then the problem is at the remote host. If, however, the message gets through correctly, then the problem may be between your User Agent and Exim. Try setting Exim's log_selector option to include +arguments, to see with which arguments the UA is calling Exim.

Q0009:  What does no immediate delivery: too many messages received in one SMTP connection mean?

A0009:  An SMTP client may send any number of messages down a single SMTP connection to a server. Initially, an Exim server starts up a delivery process as soon as a message is received. However, in order not to start up too many processes when lots of messages are arriving (typically after a period of downtime), it stops doing immediate delivery after a certain number of messages have arrived down the same connection. The threshold is set by smtp_accept_queue_per_connection, and the default value is 10. On large systems, the value should be increased. If you are running a dial-in host and expecting to get all your mail down a single SMTP connection, then you can disable the limit altogether by setting the value to zero.

Q0010:  Exim puts for <address> in the Received: headers of some, but not all, messages. Is this a bug?

A0010:  No. It is deliberate. Exim inserts a “for” phrase only if the incoming message has precisely one recipient. If there is more than one recipient, nothing is inserted. The reason for this is that not all recipients appear in the To: or Cc: headers, and it is considered a breach of privacy to expose such recipients to the others. A common case is when a message has come from a mailing list.

Q0011:  Instead of exim_dbmbuild, I'm using a homegrown program to build DBM (or cdb) files, but Exim doesn't seem to be able to use them.

A0011:  Exim expects there to be a binary zero value on the end of each key used in a DBM file if you use the dbm lookup type, but not for the dbmnz lookup type or for the keys of a cdb file. Check that you haven't slipped up in this regard.

Q0012:  Exim is unable to route to any remote domains. It doesn't seen to be able to access the DNS.

A0012:  Try running exim -d+resolver -bt <remote address>. The -d options turns on debugging output, and the addition of +resolver will make it show the resolver queries it is building and the results of its DNS queries. If it appears unable to contact any name servers, check the contents and permissions of /etc/resolv.conf.

Q0013:  What does the error message transport system_aliases: cannot find transport driver "redirect" in line 92 mean?

A0013:  redirect is a router, not a transport. You have put a configuration for a router into the transports section of the configuration file.

Q0014:  Exim is timing out after receiving and responding to the DATA command from one particular host, and yet the client host also claims to be timing out. This seems to affect only certain messages.

A0014:  This kind of problem can have many different causes.

(1)  This problem has been seen with a network that was dropping all packets over a certain size, which mean that the first part of the SMTP transaction worked, but when the body of a large message started flowing, the main data bits never got through the network. See also Q0017.

(2)  This can also happen if a host has a broken TCP stack and won't reassemble fragmented datagrams.

(3)  A very few ISDN lines have been seen which failed when certain data patterns were sent through them, and replacing the routers at both end of the link did not fix things. One of them was triggered by more than 4 X's in a row in the data.

Q0015:  What does the message Socket bind() to port 25 for address (any) failed: address already in use mean?

A0015:  You are trying to run an Exim daemon when there is one already running - or maybe some other MTA is running, or perhaps you have an SMTP line in /etc/inetd.conf which is causing inetd to listen on port 25.

Q0016:  I've set verify = header_syntax in my ACL, but this causes Exim to complain about header lines like To: Work: Jim <jims@email>, Home: Bob <bobs@email> which look all right to me. Is this a bug?

A0016:  No. Header lines such as From:, To:, etc., which contain addresses, are structured, and have to be in a specific format which is defined in RFC 2822. Unquoted colons are not allowed in the “phrase” part of an email address (they are OK in other headers such as Subject:). The correct form for that header is

   To: "Work: Jim" <jims@email>, "Home: Bob" <bobs@email>

You will sometimes see unquoted colons in To: and Cc: headers, but only in connection with name lists (called “groups”), for example:

   To: My friends: X <x@y.x>, Y <y@w.z>;,
       My enemies: A <a@b.c>, B <b@c.d>;

Each list must be terminated by a semicolon, as shown.

Q0017:  Whenever Exim tries to deliver a specific message to a particular server, it fails, giving the error Remote end closed connection after data or Broken pipe or a timeout. What's going on?

A0017:  Broken pipe is the error you get on some OS when the remote host just drops the connection. The alternative is connection reset by peer. There are many potential causes. Here are some of them (see also Q0068):

(1)  There are some firewalls that fall over on binary zero characters in email. Have a look, e.g. with hexdump -c mymail | tail to see if your mail contains any binary zero characters.

(2)  There are broken SMTP servers around that just drop the connection after the data has been sent if they don't like the message for some reason (e.g. it is too big) instead of sending a 5xx error code. Have you tried sending a small message to the same address?

It has been reported that some releases of Novell servers running NIMS are unable to handle lines longer than 1024 characters, and just close the connection. This is an example of this behaviour.

(3)  If the problem occurs right at the start of the mail, then it could be a network problem with mishandling of large packets. Many emails are small and thus appear to propagate correctly, but big emails will generate big IP datagrams.

There have been problems when something in the middle of the network mishandles large packets due to IP tunnelling. In a tunnelled link, your IP datagrams gets wrapped in a larger datagram and sent over a network. This is how virtual private networks (VPNs), and some ISP transit circuits work. Since the datagrams going over the tunnel require a larger packet size, the tunnel needs a bigger maximum transfer unit (MTU) in the network handling the tunnelled packets. However, MTUs are often fixed, so the tunnel will try to fragment the packets.

If the systems outside the tunnel are using path MTU discovery, (most Sun Sparc Solaris machines do by default), and set the DF (don't fragment) bit because they don't send packets larger than their local MTU, then ICMP control messages will be sent by the routers at the ends of the tunnel to tell them to reduce their MTU, since the tunnel can't fragment the data, and has to throw it away. If this mechanism stops working, e.g. a firewall blocks ICMP, then your host never knows it has hit the maximum path MTU, but it has received no ACK on the packet either, so it continues to resend the same packet and the connection stalls, eventually timing out.

You can test the link using pings of large packets and see what works:

 	 ping -s host 2048

Try reducing the MTU on the sending host:

 	 ifconfig le0 mtu 1300

Alternatively, you can reduce the size of the buffer Exim uses for SMTP output by putting something like

   DELIVER_OUT_BUFFER_SIZE=512

in your Local/Makefile and rebuilding Exim (the default is 8192). While this should not in principle have any effect on the size of packets sent, in practice it does seem to have an effect on some OS.

You can also try disabling path MTU discovery on the sending host. On Linux, try:

   echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc

For a general discussion and information about other operating systems, see http://www.netheaven.com/pmtu.html. If disabling path MTU discovery fixes the problem, try to find the broken or misconfigured router/firewall that swallows the ICMP-unreachable packets. Increasing timeouts on the receiving host will not work around the problem.

Q0018:  Why do messages not get delivered down the same connection when I do something like: exim -v -R @aol.com? For other domains, I do this and I see the appropriate waiting for passed connections to get used messages.

A0018:  Recall that Exim does not keep separate queues for each domain, but operates in a distributed fashion. Messages get into its `waiting for host x' hints database only when a delivery has been tried, and has had a temporary error. Here are some possibilities:

(1)  The messages to aol.com got put in your queue, but no previous delivery attempt occured before you did the -R. This might have been because of your settings of queue_only_load, smtp_accept_queue, or any other option that caused no immediate delivery attempt on arrival. If this is the case, you can try using -qqR instead of -R.

(2)  You have set connection_max_messages on the smtp transport, and that limit was reached. This would show as a sequence of messages down one connection, then another sequence down a new connection, etc.

(3)  Exim tried to pass on the SMTP connection to another message, but that message was in the process of being delivered to aol.com by some other process (typically, a normal queue runner). This will break the sequence, though the other delivery should pass its connection on to other messages if there are any.

(4)  The folk at aol.com changed the MX records so the host names have changed - or a new host has been added. I don't know how likely this is.

(5)  Exim is not performing as it should in this regard, for some reason. Next time you have mail queued up for aol.com, try running

   exim_dumpdb /var/spool/exim wait-remote_smtp

to see if those messages are listed among those waiting for the relevant aol.com hosts.

Q0019:  There seems to be a problem in the string expansion code: it doesn't recognize references to headers such as ${h_to}.

A0019:  The only valid syntax for header references is (for example) $h_to: because header names are permitted by RFC 2822 to contain a very wide range of characters. A colon (or white space) is required as the terminator.

Q0020:  Why do connections to my machine's SMTP port take a long time to respond with the banner, when connections to other ports respond instantly? The delay is sometimes as long as 30 seconds.

A0020:  These kinds of delay are usually caused by some kind of network problem that affects outgoing calls made by Exim at the start of an incoming connection. Configuration options that cause outgoing calls are:

(1)  rfc1413_hosts and rfc1413_query_timeout (for ident calls). Firewalls sometimes block ident connections so that they time out, instead of refusing them immediately. This can cause this problem. See Q5023 for a discussion of the usefulness of ident.

(2)  The host_lookup option, the host_reject_connection option, or a condition in the ACL that runs at connection time requires the remote host's name to be looked up from its IP address. Sometimes these DNS lookups time out. You can get this effect with ACL statements like this:

   deny  hosts = *.x.example

If at all possible, you should use IP addresses instead of host names in blocking lists in order to to avoid this problem.

You can use the -bh option to get more information about what is happening at the start of a connection. However, note that the -bh option does not provide a complete simulation. In particular, no ident checks are done, so it won't show up a delay problem that is related to (1) above.

Q0021:  What does failed to create child process to send failure message mean? This is a busy mail server with smtp_accept_max set to 500, but this problem started to occur at about 300 incoming connections.

A0021:  Some message delivery failed, and when Exim wanted to send a bounce message, it was unable to create a process in which to do so. Probably the limit on the maximum number of simultaneously active processes has been reached. Most OS have some means of increasing this limit, and in some operating systems there is also a limit per uid which can be varied.

Q0022:  What does No transport set by system filter in a log line mean?

A0022:  Your system filter contains a pipe or save or mail command, but you have not set the corresponding option which specifies which transport is to be used. You need to set whichever of system_filter_pipe_transport, system_filter_file_transport or system_filter_reply_transport is relevant.

Q0023:  Why is Exim refusing to relay, saying failed to find host name from IP address when I have the sender's IP address in an ACL condition? My configuration contains this ACL statement:

   accept hosts = lsearch;/etc/mail/relaydomains:192.168.96.0/24

A0023:  When checking a host list, the items are tested in left-to-right order. The first item in your list is a lookup on the incoming host's name, so Exim has to determine the name from the incoming IP address in order to perform the test. If it can't find the host name, it can't do the check, so it gives up. You would have discovered what was going on if you had run a test such as

   exim -bh 192.168.96.131

The solution is to put all explicit IP addresses first in the list. Alternatively, you can split the ACL statement into two like this:

   accept hosts = lsearch;/etc/mail/relaydomains
   accept hosts = 192.168.96.0/24

If the host lookup fails, the first accept fails, but then the second one is considered.

Q0024:  When I run exim -bd -q10m I get PANIC LOG: exec of exim -q failed.

A0024:  This probably means that Exim doesn't know its own path so it can't re-exec itself to do the first queue run. Check the output of

   exim -bP exim_path

Q0025:  I can't seem to get a pipe command to run when I include a ${if expansion in it. This fails:

   command = perl -T /usr/local/rt/bin/rtmux.pl \
               rt-mailgate helpdesk \
               ${if eq {$local_part}{rt} {correspond}{action}}

A0025:  You need some internal quoting in there. Exim expands each individual argument separately. Because you have (necessarily) got spaces in your ${if item, you have to quote that argument. Try

   command = perl -T /usr/local/rt/bin/rtmux.pl \
               rt-mailgate helpdesk \
               "${if eq {$local_part}{rt} {correspond}{action}}"

Warning: If command starts with an item that requires quoting, you cannot just put it in quotes, because a leading quote means that the entire option setting is being quoted. What you have to do is to quote the entire value, and use internally escaped quotes for the ones you really want. For example:

   command = "\"${if ....}\" arg1 arg2"

Any backslashes in the expansion items will have to be doubled to stop them being interpreted by the string reader.

Q0026:  I'm trying to get Exim to connect an alias to a pipe, but it always gives error code 69, with the comment (could mean service or program unavailable).

A0026:  If your alias entry looks like this:

   alias:  |"/some/command some parameters"

change it to look like this:

   alias:  "|/some/command some parameters"

Q0027:  What does the error Spool file is locked mean?

A0027:  This is not an error. All it means is that when an Exim delivery process (probably started by a queue runner process) looked at a message in order to start delivering it, it found that another Exim process was already busy delivering it. On a busy system this is quite a common occurrence. If you set -skip_delivery in the log_selector option, these messages are omitted from the log.

The only time when this message might indicate a problem is if it is repeated for the same message for a very long time. That would suggest that the process that is delivering the message has somehow got stuck.

Q0028:  Exim is reporting IP addresses as 0.0.0.0 or 255.255.255.255 instead of their correct values. What's going on?

A0028:  You are using a version of Exim built with gcc on an IRIX box. See Q9502.

Q0029:  I can't seem to figure out why PAM support doesn't work correctly.

A0029:  There is a problem using PAM with shadow passwords when the calling program is not running as root. Exim is normally running as the Exim user when authenticating a remote host. See this posting for one way round the problem:

http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20010917/030371.html

Another solution can be found at http://www.e-admin.de/pam_exim/.

PAM 0.72 allows authorization as non-root, using setuid helper programs. Furthermore, in /etc/pam.d/exim you can explicitelly specify that this authorization (using setuid helpers) is only permitted for certain users and groups.

Q0030:  I'm trying to use a query-style lookup for hosts that are allowed to relay, but it is giving really weird errors.

A0030:  Does your query contain a colon character? Remember that host lists are colon-separated, so you need to double any colons in the query. This applies even if the query is defined as a macro.

Q0031:  Exim is rejecting connections from hosts that have more than one IP address, for no apparent reason.

A0031:  You are using Solaris 7 or earlier, and have nis dns files in /etc/nsswitch.conf. Change this to dns nis files to avoid hitting Sun bug 1154236 (a bad interaction between NIS and the DNS).

Q0032:  Exim is failing to find the MySQL library, even though is it present within LD_LIBRARY_PATH. I'm getting this error:

   /usr/local/bin/exim: fatal: libmysqlclient.so.6: open failed:
   No such file or directory

A0032:  Exim is suid, and LD_LIBRARY_PATH is ignored for suid binaries on a Solaris (and other?) systems. What you should be doing is adding -R/local/lib/mysql to the same place in the compilation that you added -L/local/lib/mysql. This tells the binary where to look without needing a path variable.

Q0033:  What does the error lookup of host "xx.xx.xx" failed in yyy router mean?

A0033:  You configured a manualroute router to send the message to xx.xx.xx. When it tried to look up the IP address for that host, the lookup failed with a permanent error. As this is a manual routing, this is a considered to be a serious error which the postmaster needs to know about (maybe you have a typo in your file), and there is little point in keeping on trying. So it freezes the message.

(1)  Don't set up routes to non-existent hosts.

(2)  If you must set up routes to non-existent hosts, and don't want freezing, set the host_find_failed option on the router to do something other than freeze.

Q0034:  Exim works fine on one host, but when I copied the binary to another identical host, it stopped working (it could not resolve DNS names).

A0034:  Is the new host running exactly the same operating system? Most importantly, are the versions of the dynamically loaded libraries (files with names like libsocket.so.1) the same on both systems? If not, that is probably the cause of the problem. Either arrange for the libraries to be the same, or rebuild Exim from source on the new host.

Q0035:  I set a hosts condition in an ACL to do a lookup in a file of IP addresses, but it doesn't work.

A0035:  Did you remember to put net- at the start of the the search type? If you set something like this:

   accept hosts = lsearch;/some/file

Exim searches the file for the host name, not the IP address. You need to set

   accept hosts = net-lsearch;/some/file

to make it use the IP address as the key to the lookup.

Q0036:  Why do I get the error Permission denied: creating lock file hitching post when Exim tries to do a local delivery?

A0036:  Your configuration specifies that local mailboxes are all held in single directory, via configuration lines like these (taken from the default configuration):

   local_delivery:
     driver = appendfile
     file = /var/mail/$local_part

and the permissions on the directory probably look like this:

   drwxrwxr-x   3 root     mail         512 Jul  9 13:48 /var/mail/

Using the default configuration, Exim runs as the local user when doing a local delivery, and it uses a lock file to prevent any other process from updating the mailbox while it is writing to it. With those permissions the delivery process, running as the user, is unable to create a lock file in the (/var/mail( directory. There are two solutions to this problem:

(1)  Set the write and sticky bit permissions on the directory, so that it looks like this:

   drwxrwxrwt   3 root     mail         512 Jul  9 13:48 /var/mail/

The w allows any user to create new files in the directory, but the t bit means that only the creator of a file is able to remove it. This is the same setting as is normally used with the /tmp directory.

(2)  Arrange to run the local_delivery transport under a specific group by changing the configuration to read

   local_delivery:
     driver = appendfile
     file = /var/mail/${local_part}
     group = mail

The delivery process still runs under the user's uid, but with the group set to mail. The group permission on the directory allows the process to create and remove the lock file.

The choice between (1) and (2) is up to the administrator. If the second solution is used, users can empty their mailboxes by updating them, but cannot delete them.

If your problem involves mail to root, see also Q0507.

Q0037:  I am experiencing mailbox locking problems with Sun's mailtool used over a network.

A0037:  See Q9705 in the Sun-specific section below.

Q0038:  What does the error message error in forward file (filtering not enabled): missing or malformed local part mean?

A0038:  If you are trying to use an Exim filter, you have forgotten to enable the facility, which is disabled by default. In the redirect router (in the Exim run time configuration file) you need to set

   allow_filter = true

to allow a .forward file to be used as an Exim filter. If you are not trying to use an Exim filter, then you have put a malformed address in the .forward file.

Q0039:  I have installed Exim, but now I can't mail to root any more. Why is this?

A0039:  Most people set up root as an alias for the manager of the host. If you haven't done this, Exim will attempt to deliver to root as if it were a normal user. This isn't really a good idea because the delivery process would run as root. Exim has a trigger guard in the option

   never_users = root

in the default configuration file. This prevents it from running as root when doing any deliveries. If you really want to run local deliveries as root, remove this line, but it would be better to create an alias for root instead.

Q0040:  How can I stop undeliverable bounce messages (e.g. to routeable, but undeliverable, spammer senders) from clogging up the queue for days?

A0040:  If at all possible, you should try to avoid getting into this situation in the first place, for example, by verifying recipients so that you do not accept undeliverable messages that lead to these bounces. You can, however, configure Exim to discard failing bounce messages early. Just set ignore_bounce_errors_after to specify a (short) time to keep them for.

Q0041:  What does the message unable to set gid=ddd or uid=ddd (euid=ddd): local delivery to ... transport=ttt mean?

A0041:  Have you remembered to make Exim setuid root? It needs root privilege if it is to do any local deliveries, because it does them “as the user”. Note also that the partition from which Exim is running (where the binary is installed) must not have the nosuid mount option set. You can check this by looking at its /etc/fstab entry (or /etc/vfstab, depending on your OS).

Q0042:  My ISP's mail server is rejecting bounce messages from Exim, complaining that they have no sender. The SMTP trace does indeed show that the sender address is <>. Why is the Sender on the bounce message empty?

A0042:  Because the RFCs say it must be. Your ISP is at fault. Send them this extract from RFC 2821 section 6.1 (Reliable Delivery and Replies by Email):

If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message. This notification MUST be sent using a null (<>) reverse path in the envelope. The recipient of this notification MUST be the address from the envelope return path (or the Return-Path: header line). However, if this address is null (<>), the receiver-SMTP MUST NOT send a notification.

The reason that bounce messages have no sender is so that they themselves cannot provoke further bounces, as this could lead to a unending exchange of undeliverable messages.

Q0043:  What does the error Unable to get interface configuration: 22 Invalid argument mean?

A0043:  This is an error that occurs when Exim is trying to find out the all the IP addresses on all of the local host's interfaces. If you have lots of virtual interfaces, this can occur if there are more than around 250 of them. The solution is to set the option local_interfaces to list just those IP addresses that you want to use for making and receiving SMTP connections.

Q0044:  What does the error Failed to create spool file mean?

A0044:  Exim has been unable to create a file in its spool area in which to store an incoming message. This is most likely to be either a permissions problem in the file hierarchy, or a problem with the uid under which Exim is running, though it could be something more drastic such as your disk being full.

If you are running Exim with an alternate configuration file using a command such as exim -C altconfig..., remember that the use of -C takes away Exim's root privilege.

Check that you have defined the spool directory correctly by running

   exim -bP spool_directory

and examining the output. Check the mode of this directory. It should look like this, assuming you are running Exim as user exim:

   drwxr-x---   6 exim  exim      512 Jul 16 12:29 /var/spool/exim

If there are any subdirectories already in existence, they should have the same permissions, owner, and group. Check also that you haven't got incorrect permissions on superior directories (for example, /var/spool). Check that you have set up the Exim binary to be setuid root. It should look like this:

   -rwsr-xr-x   1 root     xxx       502780 Jul 16 14:16 exim

Note that it is not just the owner that must be root, but also the third permission must be s rather than x.

Q0045:  I see entries in the log that mention two different IP addresses for the same connection. Why is this? For example:

   H=tip-mp8-ncs-13.stanford.edu ([36.173.0.189]) [36.173.0.156]

A0045:  The actual IP address from which the call came is the final one. Whenever there's something in parentheses in a host name, it is what the host quoted as the domain part of an SMTP HELO or EHLO command. So in this case, the client, despite being 36.173.0.156, issued the command

   EHLO [36.173.0.189]

when it sent your server the message. This is, of course, very misleading.

Q0046:  A short time after I start Exim I see a defunct zombie process. What is causing this?

A0046:  Your system must be lightly loaded as far as mail is concerned. The daemon sets off a queue runner process when it is started, but it only tidies up completed child processes when it wakes up for some other reason. When there's nothing much going on, you occasionally see defunct processes like this waiting to be dealt with. This is perfectly normal.

Q0047:  On a reboot, or a restart of the mail system, I see the message Mailer daemons: exim abandoned: unknown, malformed, or incomplete option -bz sendmail. What does this mean?

A0047:  -bz is a Sendmail option requesting it to create a `configuration freeze file'. Exim has no such concept and so does not support the option. You probably have a line like

   /usr/lib/sendmail -bz

in some start-up script (e.g. /etc/init.d/mail) immedately before

   /usr/lib/sendmail -bd -q15m

The first of these lines should be commented out.

Q0048:  Whenever exim restarts it takes up to 3-5 minutes to start responding on the SMTP port. Why is this?

A0048:  Something else is hanging onto port 25 and not releasing it. One place to look is /etc/inetd.conf in case for any reason an SMTP stream is configured there.

Q0049:  What does the log message no immediate delivery: more than 10 messages received in one connection mean?

A0049:  A remote MTA sent a number of messages in a single SMTP session. Exim limits the number of immediate delivery processes it creates as a result of a single SMTP connection, in order to avoid creating a zillion processes on systems that can have many incoming connections. If you are dialing in to collect mail from your ISP, you should probably set smtp_accept_queue_per_connection to some number larger than 10, or arrange to start a queue runner for local delivery (using -ql) immediately after collecting the mail.

Q0050:  I am getting complaints from a customer who uses my Exim server for relaying that they are being blocked with a Too many connections error.

A0050:  See smtp_accept_max, smep_accept_max_per_host and smtp_accept_reserve.

Q0051:  When I try exim -bf to test a system filter, I received the following error message: Filter error: unavailable filtering command "fail" near line 8 of filter file.

A0051:  Use the -bF option to test system filters. This gives you access to the freeze and fail actions.

Q0052:  What does ridiculously long message header in an error report mean?

A0052:  There has to be some limit to the length of a message's header lines, because otherwise a malefactor could open an SMTP channel to your host, start a message, and then just send characters continuously until your host ran out of memory. (Exim stores all the header lines in main memory while processing a message). For this reason a limit is imposed on the total amount of memory that can be used for header lines. The default is 1MB, but this can be changed by setting HEADER_MAXSIZE in Local/Makefile before building Exim. Exceeding the limit provokes the “ridiculous” error message.

Q0053:  Exim on my host responds to a connection with 220 *****... and won't understand EHLO commands.

A0053:  This is the sign of a Cisco Pix “Mailguard” sitting in front of your MTA. Pix breaks ESMTP and only does SMTP. It is a nuisance when you have a secure MTA running on your box. Something like ``no fixup protocol smtp 25'' in the Pix configuration is needed. It may be possible to do this by logging into the Pix (using telnet or ssh) and typing no fixup smtp to its console. (You may need to use other commands before or after to set up configuration mode and to activate a changed configuration. Consult your Pix documentation or expert.) See also Q0078.

Q0054:  I'm getting an Exim configuration error unknown rewrite flag character (m) in line 386 but I haven't used any flags on my rewriting rules.

A0054:  You have probably forgotten to quote a replacement string that contains white space.

Q0055:  What does the error Failed to open wait-remote_smtp database: Invalid argument mean?

A0055:  This is something that happens if you have existing DBM hints files when you install a new version of Exim that is compiled to use a different or upgraded DBM library. The simplest thing to try is

   rm /var/spool/exim/db/*

This removes all the hints files. Exim will start afresh and build new ones. If the symptom recurs, it suggests there is some problem with your DBM library.

Q0056:  We are using Exim to send mail from our web server. However, whenever a user sends an email it gets sent with the return path (envelope sender) apache@server_name.com because the PHP script is running as apache.

A0056:  You need to include apache in the trusted_users configuration option. Only trusted users are permitted to specify senders when mail is passed to Exim via the command line.

Q0057:  We've got people complaining about attachments that don't show up as attachments, but are included in the body of the message.

A0057:  These symptoms can be seen when some software passes a CRLF line terminated message via the command line to an MTA that expects lines to be terminated by LF only, and so preserves the CRs as data. If you can identify the software that is doing this, try setting the -dropcr option on the command it uses to call Exim. Alternatively, you can set drop_cr in the configuration file, but then that will apply to all input.

Q0058:  What does the error failed to open DB file /var/spool/exim/db/retry: File exists mean?

A0058:  This error is most often caused when a hints file that was written with one version of the Berkeley DB library is read by another version. Sometimes this can happen if you change from a binary version of Exim to a locally compiled version. Or it can happen if you compile and install a new version of Exim after changing Berkeley DB versions. You can find out which version your Exim is using by running:

   ldd /usr/sbin/exim

The solution to the problem is to delete all the files in the /var/spool/exim/db directory, and let Exim recreate them.

Q0059:  When my Outlook Express 6.0 client sends a STARTTLS command to begin a TLS session, Exim doesn't seem to receive it. The Outlook log shows this:

   SMTP: 14:19:27 [tx] STARTTLS
   SMTP: 14:19:27 [rx] 500 Unsupported command.

but the Exim debugging output shows this:

   SMTP<< EHLO xxxx
   SMTP>> 250-yyyy Hello xxxx [nnn.nnn.nnn.nnn]
   250-SIZE 52428800
   250-PIPELINING
   250-AUTH CRAM-MD5 PLAIN LOGIN
   250-STARTTLS
   250 HELP
   SMTP<< QUIT

A0059:  Turn off scanning of outgoing email in Norton Antivirus. If you aren't running Norton Antivirus, see if you are running some other kind of SMTP proxying, either on the client or on a firewall between the client and server. “Unsupported command” is not an Exim message.

Q0060:  Why am I getting the error failed to expand /data/lists/lists/${lc for require_files: ${lc is not a known operator for this setting:

   require_files = MAILMAN_HOME/lists/${lc:$local_part}/config.db

A0060:  The value of require_files is a list in which each item is separately expanded. You need either to double the colon, or switch to a different list separator.

Q0061:  What does the error Too many “Received” headers - suspected mail loop mean?

A0061:  Whenever a message passes through an MTA, a Received: header gets added. Exim counts the number of these headers in incoming messages. If there are more than the value of received_headers_max (default 30), Exim assumes there is some kind of mail routing loop occurring. For example, host A passes the message to host B, which immediately passes it back to host A. Check the Received: headers and the mail logs to determine exactly what is going on.

One common cause of this problem is users with accounts on both systems who set up each one to forward to the other, thinking that will cause copies of all messages to be delivered on both of them.

Q0062:  When I try to start an Exim daemon it crashes. I ran a debugger and discovered that the crash is happening in the function getservbyname(). What's going on?

A0062:  What have you got in the file /etc/nsswitch.conf? If it contains this line:

   services:       db files

try removing the db. (Your system is trying to look in some kind of database before searching the file /etc/services.)

Q0063:  When I try to start an Exim daemon, nothing happens. There is no process, and nothing is written to the Exim log.

A0063:  Check to see if anything is written to syslog. This problem can be caused by a permission problem that stops Exim from writing to its log files, especially if you've specified that they should be written somewhere other than under Exim's spool directory. You could also try running the daemon with debugging turned on.

Q0064:  When I run exim -d test@domain it delivers fine, but when I send a message from the mail command, I get User unknown and the mail is saved in dead.letter.

A0064:  It looks as if Exim isn't being called by mail; instead it is calling some other program (probably Sendmail). Try running the command

   /usr/sbin/sendmail -bV

(If you get No such file or directory or Command not found you are running Solaris or IRIX. Try again with /usr/lib/sendmail.) The output should be something like this:

   Exim version 4.05 #1 built 13-Jun-2002 10:27:15
   Copyright (c) University of Cambridge 2002

If you don't see this, your Exim installation isn't fully operational. If you are running FreeBSD, see Q9201. For other systems, see Q0114.

Q0065:  When (as root) I use -C to run Exim with an alternate configuration file, it gives an error about being unable to create a spool file when trying to run an autoreply transport. Why is this?

A0065:  When Exim is called with -C, it passes on -C to any instances of itself that it calls (so that the whole sequence uses the same config file). If it's running as exim when it does this, all is well. However, if it happens as a consequence of a non-privileged user running autoreply, the called Exim gives up its root privilege. Then it can't write to the spool.

This means that you can't use -C (even as root) to run an instance of Exim that is going to try to run autoreply from a process that is neither root nor exim. Because of the architecture of Exim (using re-execs to regain privilege), there isn't any way round this restriction. Therefore, the only way you can make this scenario work is to run the autoreply transport as exim (that is, the user that owns the Exim spool files). This may be satisfactory for autoreplies that are essentially system-generated, but of course is no good for autoreplies from unprivileged users, where you want the autoreply transport to be run as the user. To get that to work with an alternate configuration, you'll have to use two Exim binaries, with different configuration file names in each. See S001 for a script that patches the configuration name in an Exim binary.

Q0066:  What does the message unable to set gid=xxx or uid=xxx mean?

A0066:  This message is given when an Exim process is unable to change uid or gid when it needs to, because it does not have root privilege. This is a serious problem that prevents Exim from carrying on with what it is doing. The two most common situations where Exim needs to change uid/gid are doing local deliveries and processing users' filter files. There are two common causes of this error:

(1)  You have forgotten to make the exim binary setuid to root. This means that it can never change uid/gid in any situation. Also, the setuid binary must reside on a disk partition that does not have the nosuid mount option set.

(2)  The exim binary is setuid, but you have configured Exim so that, while trying to verify an address at SMTP time, it runs a router that needs to change uid/gid. Because Exim runs as exim and not root while receiving messages, the router is unable to change uid and therefore it cannot operate. The usual example of this is a redirect router for users' filter files.

Setting the user or check_local_user options on a redirect router causes this to happen (except in the special case when the redirection list is provided by the data option and does not contain :include:).

The solution is to set no_verify on the router that is causing the problem. This means that it is skipped when an address is being verified. In “normal” configurations where the router is indeed handling users' filter files, this is quite acceptable, because you do not usually need to process a filter file in order to verify that the local part is valid. See, for example, the userforward router in the default configuration.

Q0067:  What does the error too many unrecognized commands mean?

A0067:  There have been instances of network abuse involving mail sent out by web servers. In most cases, unrecognizable commands are sent as part of the SMTP session. A real MTA never sends out such invalid commands. Exim allows a few unrecognized commands in a session to permit humans who are testing to make a few typos (it responds with a 5xx error). However, if Exim receives too many such commands, it assumes that it is dealing with an abuse of some kind, and so it drops the connection.

Q0068:  Exim times out when trying to connect to some hosts, though those hosts are known to be up and running. What's the problem?

A0068:  There could be a number of reasons for this (see also Q0017). The obvious one is that there is a networking problem between the hosts. If you can ping between the hosts or connect in other ways, the problem might be caused by ECN (Explicit Congestion Notification) being enabled in your kernel. ECN uses TCP flags originally assigned to TOS - it's a "new" invention, and some hosts and routers are known to be confused if a client uses it. If you are running Linux, you can turn ECN off by running this command:

   /bin/echo "0" > /proc/sys/net/ipv4/tcp_ecn

This has also been reported to cure web connection problems from Mozilla and Netscape browsers in Linux when there were no problems with Windows Netscape browsers.

Q0069:  What does the error SMTP data timeout (message abandoned) on connection from... mean?

A0069:  It means that there was a timeout while Exim was reading the contents of a message on an incoming SMTP connection. That is, it had successfully accepted a MAIL command, one or more RCPT commands, and a DATA command, and was in the process of reading the data itself. The length of timeout is controlled by the smtp_receive_timeout option.

If you get this error regularly, the cause may be incorrect handling of large packets by a router or firewall. The maximum size of a packet is restricted on some links; routers should split packets that are larger. There is a feature called “path MTU discovery” that enables a sender to discover the maximum packet size over an entire path (multiple Internet links). This can be broken by misconfigured firewalls and routers. There is a good explanation at http://www.netheaven.com/pmtu.html. Reducing the MTU on your local network can sometimes work round this problem. See Q0017 (3) for further discussion.

Q0070:  What does the error SMTP command timeout on connection from... mean?

A0070:  Exim was expecting to read an SMTP command from the client, but no command was read within the smtp_receive_timeout time limit.

Q0071:  What does the error failed to open DB file /var/spool/exim//db/retry: Illegal argument mean?

A0071:  See Q0058. The cause of this error is usually the same.

Q0072:  Exim will deliver to normal aliases, and aliases that are pipes or files, but it objects to aliases that involve :include: items, complaining that it can't change gid or uid. Why is this?

A0072:  See Q0066 for a general answer. The problem happens during verification of an incoming SMTP message, not during delivery itself. In this particular case, you must have set up your aliasing router with a user setting. This causes Exim to change uid/gid when reading :include: files. If you do not need the detailed verification provided by the router, the easy solution is to set no_verify so that the router isn't used during verification.

Otherwise, if you set user on the router in order to provide a user for delivery to pipes or files, one solution is to put the user setting on the transports instead of on the router. You may need to create some special transports just for this router. The alternative is to supply two different routers, one with user and no_verify, and the with verify_only but no user setting.

Q0073:  I'm seeing log file corruption, with parts of log lines getting mangled by other log entries.

A0073:  The only time this has been seen is when several servers were writing to the same log files over NFS. Exim assumes that its log file is on local disk, and using NFS, especially for more than one server, will not work.

Q0074:  What does the error message remote delivery process count got out of step mean?

A0074:  Exim uses subprocesses for remote deliveries; this error means that the master process expected to have a child process running, but found there were none. Prior to release 4.11, this error could be caused by running Exim under strace on a Linux system, because stracing causes children to be “stolen” such that a parent that tries to wait for “any of my children” is told that it has none. Current releases of Exim have code to get round this problem.

Q0075:  I'm using LDAP, and some email addresses that contain special characters are causing parsing errors in my LDAP lookups.

A0075:  You should be using ${quote_ldap:$local_part} instead of just $local_part in your lookups.

Q0076:  I've configured Exim to use syslog for its logs, with the main and reject logs sent to different files, but whenever a message is rejected, I get one message on the reject log and two messages on the main log.

A0076:  You are probably putting your reject items into the main log as well; remember syslog levels are inclusive (for example, mail.info includes all higher levels, so a mail.notice message will be caught by a mail.info descriptor). Test this by running the command:

 	 logger -p mail.notice test

and seeing which logs it goes into.

Q0077:  I've installed Exim and it is delivering mail just fine. However, when I try to read mail from my PC I get connection rejected or unable to connect.

A0077:  See Q5021.

Q0078:  Exim is logging the unknown SMTP command XXXX from my client hosts, and they are unable to authenticate.

A0078:  This is a sign of a Cisco PIX firewall getting in the way. It does not support ESMTP, and turns EHLO commands into XXXX. You should configure the Pix to leave SMTP alone; see Q0053 for how to do this.

Q0079:  Our new PIX firewall is causing problems with incoming mail. How can this be fixed?

A0079:  See Q0053 and Q0078. If some messages get through and others do not, see also Q0017.

Q0080:  Am I to understand that the database lookups must only return one value? They can not return a list of values? The documentation seems to indicate that it's possible to return a list.

A0080:  Lookups can be used in two different situations, and what they return is different in the two cases. (Be thankful Exim 3 is gone; there was yet another case!)

(1)  You can use a lookup in any expanded string. The syntax is

   ${lookup ..... }

In this case, whatever is looked up replaces the expansion item. It may be one value or a list of values. Whether a single value or a list is acceptable or not depends on where you are using the string expansion. If it is for an option that expects just one value, then only one value is allowed (for example).

(2)  You can make use of the lookup mechanism to test whether something (typically a host name or IP address) is in a list. For example,

   hosts = a : b : c

in an ACL tests whether the calling host's name matches “a”, or “b”, or “c”. Now, suppose you want to keep the list of names in a database, or cdb file, or NIS map, or... By writing

   hosts = pgsql;select ....

you are saying to Exim: ``Run this lookup; if it succeeds, behave as if the host is in the list; if it fails, the host is not in the list.'' You are using the indexing mechanism of the database as a fast way of checking a list. A simpler example is

   hosts = lsearch;/some/file

where the file contains the list of hosts to be searched.

The complication happens when a list is first expanded before being interpreted as a list. This happens in a lot of cases. You can therefore write either of these:

   hosts = cdb;/some/file
   hosts = ${lookup{something}cdb{/some/file}}

but they have different meanings. The first means ``see if the host name is in the list in this file''. The second means ``run this lookup and use the result of the lookup as a list of host items to check''. In the second case, the list could contain multiple values (colon separated), and one of those values could even be “cdb;/some/file”.

Flexibility does lead to complexity, I'm afraid.

Q0081:  What does error in redirect data: included file xxxx is too big mean?

A0081:  You are trying to include a very large file in a redirection list, using the :include: feature. Exim has a built-in limit on the size, as a safety precaution. The default is 1 megabyte. If you want to increase this, you have to rebuild Exim. In your Local/Makefile, put

   MAX_INCLUDE_SIZE = whatever

and then rebuild Exim. The value is a number of bytes, but you can give it as a parenthesized arithmetic expression such as (3*1024*1024). However, an included file of more than a megabyte is likely to be quite inefficient. How many addresses does yours contain? You get the best performance out of Exim if you arrange to send mailing list messages with no more than about 100 recipients (in order to get parallelism in the routing).

Q0082:  What does relocation error: /lib/libnss_dns.so.2: symbol __libc_res_nquery, version GLIBC_PRIVATE not defined in file libresolv.so.2 with link time reference mean?

A0082:  You have updated glibc while an Exim daemon is running. Stop and restart the daemon.

Q0083:  Netscape on Unix is sending messages containing an unqualified user name in the Sender: header line, which Exim is rejecting because I have set verify = header_syntax. How can I fix this?

A0083:  The only thing you can do in Exim is to set the sender_unqualified_hosts option to allow unqualified sender addresses form the relevant hosts; of course, this applies to all sender addresses, not just the Sender: header line.

Alternatively, you can configure Netscape not to include the header line in the first place. Add the following line to the $HOME/.netscape/preferences.js and $HOME/.netscape/liprefs.js files:

   user_pref("mail.suppress_sender_header", true);

Netscape must be shutdown while doing this.

Q0084:  I want to set up an alias that pipes a message to gpg and then pipes the result to mailx to resubmit the message, but when I use my tested command in an alias file, I get an error from gpg.

A0084:  Probably you are using a shell command with two pipe symbols in it. An alias like this:

   gpg-xxx: "|gpg <options> | mailx <options"

does not work, because Exim does not run pipes under a shell by default. You must call a shell explicitly if you want to make use of the shell's features for double-piping, either by piping to /bin/sh with a suitable -c option, or by piping to a shell script.

Q0085:  I see a lot of rejected EHLO ... syntactically invalid argument(s). I know it's because of the underscore in the host name, but is there a switch to allow Exim to accept mail from such hosts?

A0085:  Yes. Add this to your configuration:

   helo_allow_chars = _

For more seriously malformed host names, see helo_accept_junk_hosts. See also Q0732.

Q0086:  What does SMTP protocol violation: synchronization error (next input sent too soon) mean?

A0086:  SMTP is a “lock-step” protocol, which means that, at certain points in the protocol, the client must wait for the server to respond before sending more data. Exim checks for correct behaviour, and issues this error if the client sends data too soon. This protects against malefactious clients who send a bunch of SMTP commands (usually to transmit spam) without waiting for any replies.

This error is also provoked if the client is trying to start up a TLS session immediately on connection, without using the STARTTLS command. See Q1707 for a discussion of this case.

Q0087:  What does rejected after DATA: malformed address: xx@yy may not follow <xx@yy> : failing address in "from" header mean? (I've obscured the real email addresses.)

A0087:  Your DATA ACL contains

   verify = header_syntax

and an incoming message contained the line

   From: xx@yy <xx@yy>

This is syntactically invalid. The contents of an address in a header line are either just the address, or a “phrase” followed by an address in angle brackets. In the latter case, the “phrase” must be quoted if it contains special characters such as @. The following are valid versions of the bad header:

   From: xx@yy
   From: "xx@yy" <xx@yy>

though why on earth anything generates this kind of redundant nonsense I can't think.

Q0088:  The Windows mailer SENDFILE.EXE sometimes hangs while trying to send a message to Exim 4, and eventually times out. It worked flawlessly with Exim 3. What has changed?

A0088:  Exim 4 sets an obscure TCP/IP parameter called TCP_NODELAY. This disables the "Nagle algorithm" for the TCP/IP transmission. The Nagle algorithm can improve network performance in interactive situations such as a human typing at a keyboard, by buffering up outgoing data until the previous packet has been acknowledged, and thereby reducing the number of packets used. This is not relevant for mail transmission, which mostly consists of quite large blocks of data; setting TCP_NODELAY should improve performance. However, it seems that some Windows clients do not function correctly if the server turns off the Nagle algorithm. If you are using Exim 4.23 or later, you can set

   tcp_nodelay = false

This stops Exim setting TCP_NODELAY on the sockets created by the listening daemon.

Q0089:  What does the error kernel: application bug: exim(12099) has SIGCHLD set to SIG_IGN but calls wait() mean?

A0089:  This was a bad interaction between a relatively recent change to the Linux kernel and some “belt and braces” programming in Exim. The following explanation is taken from Exim's change log:

When Exim is receiving multiple messages on a single connection, and spinning off delivery processess, it sets the SIGCHLD signal handling to SIG_IGN, because it doesn't want to wait for these processes. However, because on some OS this didn't work, it also has a paranoid call to waitpid() in the loop to reap any children that have finished. Some versions of Linux now complain (to the system log) about this “illogical” call to waitpid(). I have therefore put it inside a conditional compilation, and arranged for it to be omitted for Linux.

I am pretty sure I caught all the places in Exim where this happened. However, there are still occasional reports of this error. I have not heard of any resolutions, but my current belief is that they are caused by something that Exim calls falling foul of the same check. There was at one time a suspicion that the IPv6 stack was involved.

Q0090:  I can't seem to get a pipe command to run when I include a ${lookup expansion in it.

A0090:  See Q0025.

Q0091:  Why is Exim giving the error Failed to send message from address_reply transport when I run it using -C to specify an alternate configuration?

A0091:  See Q0065.



Contents   Next