Package: exim4-config
Version: 4.95-6
Severity: minor
Tags: patch

Dear Maintainer,

* What led up to the situation?

Reading the man page with "man" (uses "groff").

* What was the outcome of this action?

Output on the standard error stream (circumventing default "man" behaviour).

* What outcome did you expect instead?

No output on standard error stream.

###

[ "test-groff" is a developmental version of "groff" ]

Input file is /usr/share/man/man5/exim4-config_files.5.gz

Output from test-groff -b -man -dAD=l -rF0 -rHY=0 -t -w w -z :

an.tmac:exim4-config_files.5:68: style: blank line in input
an.tmac:exim4-config_files.5:74: style: blank line in input
an.tmac:exim4-config_files.5:76: style: blank line in input
an.tmac:exim4-config_files.5:81: style: blank line in input
an.tmac:exim4-config_files.5:86: style: blank line in input
an.tmac:exim4-config_files.5:98: style: blank line in input
an.tmac:exim4-config_files.5:101: style: blank line in input
an.tmac:exim4-config_files.5:103: style: blank line in input
an.tmac:exim4-config_files.5:112: style: blank line in input
an.tmac:exim4-config_files.5:116: style: blank line in input
an.tmac:exim4-config_files.5:122: style: blank line in input
an.tmac:exim4-config_files.5:133: style: blank line in input
an.tmac:exim4-config_files.5:136: style: blank line in input
an.tmac:exim4-config_files.5:138: style: blank line in input
an.tmac:exim4-config_files.5:147: style: blank line in input
an.tmac:exim4-config_files.5:151: style: blank line in input
an.tmac:exim4-config_files.5:157: style: blank line in input
an.tmac:exim4-config_files.5:163: style: blank line in input
an.tmac:exim4-config_files.5:170: style: blank line in input
an.tmac:exim4-config_files.5:179: style: blank line in input
an.tmac:exim4-config_files.5:188: style: blank line in input
an.tmac:exim4-config_files.5:191: style: blank line in input
an.tmac:exim4-config_files.5:200: style: blank line in input
an.tmac:exim4-config_files.5:204: style: blank line in input
an.tmac:exim4-config_files.5:207: style: blank line in input
an.tmac:exim4-config_files.5:211: style: blank line in input
an.tmac:exim4-config_files.5:213: style: blank line in input
an.tmac:exim4-config_files.5:216: style: blank line in input
an.tmac:exim4-config_files.5:221: style: blank line in input
an.tmac:exim4-config_files.5:225: style: blank line in input
an.tmac:exim4-config_files.5:228: style: blank line in input
an.tmac:exim4-config_files.5:232: style: blank line in input
an.tmac:exim4-config_files.5:234: style: blank line in input
an.tmac:exim4-config_files.5:237: style: blank line in input
an.tmac:exim4-config_files.5:244: style: blank line in input
an.tmac:exim4-config_files.5:251: style: blank line in input
an.tmac:exim4-config_files.5:254: style: blank line in input
an.tmac:exim4-config_files.5:260: style: blank line in input
an.tmac:exim4-config_files.5:265: style: blank line in input
an.tmac:exim4-config_files.5:269: style: blank line in input
an.tmac:exim4-config_files.5:272: style: blank line in input
an.tmac:exim4-config_files.5:296: style: blank line in input
an.tmac:exim4-config_files.5:302: style: blank line in input
an.tmac:exim4-config_files.5:308: style: blank line in input
an.tmac:exim4-config_files.5:311: style: blank line in input
an.tmac:exim4-config_files.5:315: style: blank line in input
an.tmac:exim4-config_files.5:318: style: blank line in input
troff: backtrace: file 'exim4-config_files.5':319
troff:exim4-config_files.5:319: warning: trailing space in the line
an.tmac:exim4-config_files.5:321: style: blank line in input
troff: backtrace: file 'exim4-config_files.5':322
troff:exim4-config_files.5:322: warning: trailing space in the line
troff: backtrace: file 'exim4-config_files.5':326
troff:exim4-config_files.5:326: warning: trailing space in the line
an.tmac:exim4-config_files.5:329: style: blank line in input
an.tmac:exim4-config_files.5:333: style: blank line in input
an.tmac:exim4-config_files.5:335: style: blank line in input
an.tmac:exim4-config_files.5:340: style: blank line in
input troff: backtrace: file 'exim4-config_files.5':341 troff:exim4-config_files.5:341: warning: trailing space in the line an.tmac:exim4-config_files.5:344: style: blank line in input troff: backtrace: file 'exim4-config_files.5':345 troff:exim4-config_files.5:345: warning: trailing space in the line an.tmac:exim4-config_files.5:350: style: blank line in input an.tmac:exim4-config_files.5:355: style: .BR expects at least 2 arguments, got 1 an.tmac:exim4-config_files.5:357: style: .BR expects at least 2 arguments, got 1 an.tmac:exim4-config_files.5:360: style: .BR expects at least 2 arguments, got 1 an.tmac:exim4-config_files.5:361: style: blank line in input an.tmac:exim4-config_files.5:364: style: blank line in input Patch: --- exim4-config_files.5 2022-07-04 15:59:32.000000000 +0000 +++ exim4-config_files.5.new 2022-07-04 16:06:09.000000000 +0000 @@ -65,25 +65,30 @@ handled equally. For more detailed docum /usr/share/doc/exim4\-base/README.Debian.gz. Please note that it is not possible to use delivery to arbitrary files, directories and to pipes. This is forbidden in Debian's exim4 default configuration. - +. +.LP You should at least set up an alias for postmaster in the /etc/aliases file. .SH /etc/email\-addresses is used to rewrite the email addresses of users. This is particularly useful for users who use their ISP's domain for email. - +. +.LP The file should contain lines of the form - +. +.LP .br user: some...@isp.com .br otheruser: someonee...@anotherisp.com - +. +.LP This way emails from user will appear to be from some...@isp.com to the outside world. Technically, the from, reply\-to, and sender addresses, along with the envelope sender, are rewritten for users that appear to be in the local domain. - +. +.LP .SH /etc/exim4/local_host_blacklist .I [exim host list] is an optional file containing a list of IP addresses, networks and 
@@ -95,12 +100,15 @@ convenience, as an additional method to blocked, an explicit whitelist is read in from /etc/exim4/host_local_deny_exceptions. Entries in the whitelist override corresponding blacklist entries. - +. +.LP In the blacklist, the trick is to read a line break as "or" if it follows a positive item, and as "and" if it follows a negative item. - +. +.LP For example, a /etc/exim4/local_host_blacklist - +. +.LP .br 192.168.10.0/24 .br @@ -109,17 +117,20 @@ For example, a /etc/exim4/local_host_bla 172.16.10.0/24 .br 10.0.0.0/8 - +. +.LP Exim just evaluates left to right (or up-down in the file listing context), so you don't get the same kind of operator binding as in a programming language. - +. +.LP .SH /etc/exim4/host_local_deny_exceptions .I [exim host list] contains a list of IP addresses, networks and host names whose messages will be accepted despite the address is also listed in /etc/exim4/local_host_blacklist, overriding a blacklisting. - +. +.LP .SH /etc/exim4/local_sender_blacklist .I [exim address list] is an optional files containing a list of envelope senders whose @@ -130,12 +141,15 @@ addresses from being blacklisted. For co method to whitelist addresses from being blocked, an explicit whitelist is read in from /etc/exim4/sender_local_deny_exceptions. Entries in the whitelist override corresponding blacklist entries. - +. +.LP In the blacklist, the trick is to read a line break as "or" if it follows a positive item, and as "and" if it follows a negative item. - +. +.LP For example, a /etc/exim4/local_sender_blacklist - +. +.LP .br domain1.example .br 
@@ -144,30 +158,35 @@ domain1.example domain2.example .br domain3.example - +. +.LP Exim just evaluates left to right (or up-down in the file listing context), so you don't get the same kind of operator binding as in a programming language. - +. +.LP .SH /etc/exim4/sender_local_deny_exceptions .I [exim address list] is an optional file containing a list of envelope senders whose messages will be accepted despite the address being also listed in /etc/exim4/local_sender_blacklist, overriding a blacklisting. - +. +.LP .SH /etc/exim4/local_sender_callout .I [exim address list] is an optional file containing a list of envelope senders whose messages are subject to sender verification with a callout. This is a full exim4 address list, and all available features can be used. - +. +.LP .SH /etc/exim4/local_rcpt_callout .I [exim address list] is an optional file containing a list of envelope recipients for which incoming messages are subject to recipient verification with a callout. This is a full exim4 address list, and all available features can be used. - +. +.LP .SH /etc/exim4/local_domain_dnsbl_whitelist .I [exim address list] is an optional file containing a list of envelope senders whose @@ -176,7 +195,8 @@ is a full exim4 address list, and all av This feature is intended to be used in case of a domain-based DNSBL being too heavy handed, for example listing entire top-level domains for their registry policies. - +. +.LP .SH /etc/exim4/hubbed_hosts .I [exim domain list] is an optional file containing a list of route_data records which can @@ -185,10 +205,12 @@ particularly useful for mail hubs which domain in the DNS but are not final destination of the messages, passing them on to a host which is not publicly reachable, or to temporarily fix mail routing in case of broken DNS setups. - +. +.LP The file should contain key-value pairs of domain pattern and route data of the form - +. +.LP .br domain: host-list options .br 
@@ -197,79 +219,98 @@ dict.ref.example: mail\-1.ref.example:m foo.example: internal.mail.example.com .br bar.example: 192.168.183.3 - +. +.LP which will cause mail for foo.example to be sent to the host internal.mail.example (IP address derived from A record only), and mail to bar.example to be sent to 192.168.183.3. - +. +.LP See spec.txt chapter 20.3 through 20.7 for a more detailed explanation of host list format and available options. - +. +.LP .SH /etc/exim4/passwd contains account and password data for SMTP authentication when the local exim is SMTP server and clients authenticate to the local exim. - +. +.LP The file should contain lines of the form - +. +.LP .br username:crypted-password:clear-password - +. +.LP crypted-password is the crypt(3)-created hash of your password. You can, for example, use the mkpasswd program from the whois package to create a crypted password. It is recommended to use a modern hash algorithm, see mkpasswd \-\-method=help. Consider not using crypt or MD5. - +. +.LP clear-password is only necessary if you want to offer CRAM-MD5 authentication. If you don't plan on doing so, the third column can be omitted completely. - +. +.LP This file must be readable for the Debian\-exim user and should not be readable for others. Recommended file mode is root:Debian\-exim 640. - +. +.LP .SH /etc/exim4/passwd.client contains account and password data for SMTP authentication when exim is authenticating as a client to some remote server. - +. +.LP The file should contain lines of the form - +. +.LP .br target.mail.server.example:login-user-name:password - +. +.LP which will cause exim to use login-user-name and password when sending messages to a server with the canonical host name target.mail.server.example. Please note that this does not configure the mail server to send to (this is determined in Debconf), but only creates the correlation between host name and authentication credentials to avoid exposing passwords to the wrong host. - +. 
+.LP Please note that target.mail.server.example is currently the value that exim can read from reverse DNS: It first follows the host name of the target system until it finds an IP address, and then looks up the reverse DNS for that IP address to use the outcome of this query (or the IP address itself should the query fail) as index into /etc/exim4/passwd.client. - +. +.LP This goes inevitably wrong if the host name of the mail server is a CNAME (a DNS alias), or the reverse lookup does not fit the forward one. - +. +.LP Currently, you need to manually lookup all reverse DNS names for all IP addresses that your SMTP server host name points to, for example by using the host command. If the SMTP smarthost alias expands to multiple IPs, you need to have multiple lines for all the hosts. When your ISP changes the alias, you will need to manually fix that. - +. +.LP You may minimize this trouble by using a wild card entry or regular expressions, thus reducing the risk of divulging the password to the wrong SMTP server while reducing the number of necessary lines. For a deeper discussion, see the Debian BTS #244724. - +. +.LP password is your SMTP password in clear text. If you do not know about your SMTP password, you can try using your POP3 password as a first guess. - +. +.LP This file must be readable for the Debian\-exim user and should not be readable for others. Recommended file mode is root:Debian\-exim 640. - +. +.LP .br # example for CONFDIR/passwd.client .br 
@@ -293,72 +334,87 @@ mail.server.example:user:password .br ^smtp[0\-9]*\\.mail\\.server\\.example:user:password .br - +. +.LP .SH /etc/exim4/exim.crt contains the certificate that exim uses to initiate TLS connections. This is public information and can be world readable. /usr/share/doc/exim4\-base/examples/exim\-gencert can be used to generate a private key and self-signed certificate. - +. +.LP .SH /etc/exim4/exim.key contains the private key belonging to the certificate in exim.crt. This file's contents must be kept secret and should have mode root:Debian\-exim 640. /usr/share/doc/exim4\-base/examples/exim\-gencert can be used to generate a private key and self-signed certificate. - +. +.LP .SH BUGS Plenty. Please report them through the Debian BTS - +. +.LP This manual page needs a major re-work. If somebody knows better groff than us and has more experience in writing manual pages, any patches would be greatly appreciated. - +. +.LP .SH NOTES .SS Unresolvable items in host lists - -Adding or keeping items in the abovementioned host lists which are not +. +.LP +Adding or keeping items in the abovementioned host lists which are not resolvable by DNS has severe consequences. - -e.g. if resolving a +. +.LP +e.g. if resolving a .B hostname in local_host_blacklist returns a temporary error (DNS timeout) exim will not be able to check whether a connecting host is part of the list. -Exim will therefore return a temporary SMTP error for +Exim will therefore return a temporary SMTP error for .I every connecting host. - +. +.LP On the other hand if there is a permanent error in resolving a name in the host list (the record was removed from DNS) exim behaves as if the host does not match the list. e.g. a local_host_blacklist consisting of - +. +.LP notresolvable.example.com:rejectme.example.com - +. +.LP is equivalent to an empty one. 
- Exim tries to match the IP-address of the connecting host to notresolvable.example.com, resolving this IP by DNS fails, exim behaves as if the connecting host does not match the list. List processing stops at this point! - -Starting the list with the special pattern +ignore_unknown as a +. +.LP +Starting the list with the special pattern +ignore_unknown as a safeguard against this behavior is strongly recommended if hostnames are used in hostlists. - -See Exim specification Chapter +. +.LP +See Exim specification Chapter .I Domain, host, address, and local part lists , section .I Behaviour when an IP address or name cannot be found. <http://www.exim.org/exim\-html\-current/doc/html/spec_html/ch\-domain_host_address_and_local_part_lists.html> - +. +.LP .SH SEE ALSO .br .BR exim (8), .br -.BR update\-exim4.conf(8), +.BR update\-exim4.conf (8), .br -.BR /usr/share/doc/exim4\-base/, +.BR /usr/share/doc/exim4\-base/ , .br and for general notes and details about interaction with debconf -.BR /usr/share/doc/exim4\-base/README.Debian.gz - +.B /usr/share/doc/exim4\-base/README.Debian.gz +. +.LP .SH AUTHOR Marc Haber <mh+debian-packa...@zugschlus.de> with help from Ross Boylan. - +. +.LP ### -- System Information: Debian Release: bookworm/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 5.18.5-1 (SMP w/2 CPU threads; PREEMPT) Kernel taint flags: TAINT_WARN Locale: LANG=is_IS.iso88591, LC_CTYPE=is_IS.iso88591 (charmap=ISO-8859-1), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages exim4-config depends on: ii adduser 3.121 ii debconf [debconf-2.0] 1.5.79 Versions of packages exim4-config recommends: ii ca-certificates 20211016 exim4-config suggests no packages. 
-- Configuration Files:
/etc/email-addresses changed [not included]
/etc/exim4/exim4.conf.template changed [not included]
/etc/exim4/passwd.client [Errno 13] Permission denied: '/etc/exim4/passwd.client'

-- debconf information excluded
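
Review bot: In the hunk at @@ -65,25 +65,30 @@, the `.LP` added directly before `.SH /etc/exim4/local_host_blacklist` is redundant, because `.SH` already breaks the line and starts a new section. Replacing the blank line with the lone `.` (or simply deleting it) is enough to silence the "blank line in input" style warning. The same applies wherever the later hunks add `.LP` immediately before an `.SH` or right after the `.SS` line.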
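
Review bot: At the end of the hunk at @@ -197,79 +219,98 @@, the added `.LP` is followed by the existing `.br` in front of `# example for CONFDIR/passwd.client`, and since `.LP` already breaks the line that `.br` no longer does anything. Consider dropping it, along with the other `.br` requests that now directly follow an added `.LP` (for instance before `username:crypted-password:clear-password`), or setting these literal example lines in a `.nf`/`.fi` block so the file formats for the credential files are shown verbatim.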
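
Review bot: In the hunk at @@ -293,72 +334,87 @@, the blank line between `is equivalent to an empty one.` and `Exim tries to match the IP-address of the connecting host` is removed but, as the hunk reads here, no `.` / `.LP` pair is added in its place, unlike the other blank lines this patch touches. That would run the explanation of why list processing stops into the preceding sentence in the rendered page; add `.LP` there if the paragraph break is meant to stay.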