<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><style xmlns="" type="text/css">
div.added { background-color: #ffff99; }
div.deleted { text-decoration: line-through;
background-color: #FF7F7F; }
div.changed { background-color: #99ff99; }
div.off { }
span.added { background-color: #ffff99; }
span.deleted { text-decoration: line-through;
background-color: #FF7F7F; }
span.changed { background-color: #99ff99; }
span.off { }
pre.literallayout {
background-color: #E8E8D0;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
div[class=changed] pre.literallayout {
background-color: #99ff99;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
div.literallayout {
background-color: #E8E8D0;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
div[class=changed] div.literallayout {
background-color: #99ff99;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
</style><title>43. System-wide message filtering</title><meta name="generator" content="DocBook XSL Stylesheets V1.72.0" /><link rel="start" href="index.html" title="Specification of the Exim Mail Transfer Agent" /><link rel="up" href="index.html" title="Specification of the Exim Mail Transfer Agent" /><link rel="prev" href="ch42.html" title="42. Adding a local scan function to Exim" /><link rel="next" href="ch44.html" title="44. Message processing" /></head><body><div class="navheader">
<table width="100%" summary="Navigation header"><tr><td width="20%" align="left"><a accesskey="p" href="ch42.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ch44.html">Next</a></td></tr></table></div>
<div class="chapter" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h2 class="title"><a href="index.html#toc0374" id="CHAPsystemfilter">43. System-wide message filtering</a></h2></div>
</div>
</div>
<p>
<a id="IIDsysfil1" class="indexterm"></a>
<a id="IIDsysfil2" class="indexterm"></a>
<a id="IIDsysfil3" class="indexterm"></a>
The previous chapters (on ACLs and the local scan function) describe checks
that can be applied to messages before they are accepted by a host. There is
also a mechanism for checking messages once they have been received, but before
they are delivered. This is called the <span class="emphasis"><em>system filter</em></span>.
</p>
<p>
The system filter operates in a similar manner to users’ filter files, but it
is run just once per message (however many recipients the message has).
It should not normally be used as a substitute for routing, because <span><strong class="option">deliver</strong></span>
commands in a system router provide new envelope recipient addresses.
The system filter must be an Exim filter. It cannot be a Sieve filter.
</p>
<p>
The system filter is run at the start of a delivery attempt, before any routing
is done. If a message fails to be completely delivered at the first attempt,
the system filter is run again at the start of every retry.
If you want your filter to do something only once per message, you can make use
of the <span><strong class="option">first_delivery</strong></span> condition in an <span><strong class="option">if</strong></span> command in the filter to
prevent it happening on retries.
</p>
<p>
<a id="id640317" class="indexterm"></a>
<a id="id640329" class="indexterm"></a>
<span class="bold"><strong>Warning</strong></span>: Because the system filter runs just once, variables that are
specific to individual recipient addresses, such as <em class="varname">$local_part</em> and
<em class="varname">$domain</em>, are not set, and the “<span class="quote">personal</span>” condition is not meaningful. If
you want to run a centrally-specified filter for each recipient address
independently, you can do so by setting up a suitable <span><strong class="command">redirect</strong></span> router, as
described in section <a href="ch43.html#SECTperaddfil" title="43.8 Per-address filtering">43.8</a> below.
</p>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0375" id="SECID212">43.1 Specifying a system filter</a></h3></div>
</div>
</div>
<p>
<a id="id640386" class="indexterm"></a>
<a id="id640400" class="indexterm"></a>
The name of the file that contains the system filter must be specified by
setting <span><strong class="option">system_filter</strong></span>. If you want the filter to run under a uid and gid
other than root, you must also set <span><strong class="option">system_filter_user</strong></span> and
<span><strong class="option">system_filter_group</strong></span> as appropriate. For example:
</p>
<pre class="literallayout">system_filter = /etc/mail/exim.filter
system_filter_user = exim
</pre><p>
If a system filter generates any deliveries directly to files or pipes (via the
<span><strong class="option">save</strong></span> or <span><strong class="option">pipe</strong></span> commands), transports to handle these deliveries must be
specified by setting <span><strong class="option">system_filter_file_transport</strong></span> and
<span><strong class="option">system_filter_pipe_transport</strong></span>, respectively. Similarly,
<span><strong class="option">system_filter_reply_transport</strong></span> must be set to handle any messages generated
by the <span><strong class="option">reply</strong></span> command.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0376" id="SECID213">43.2 Testing a system filter</a></h3></div>
</div>
</div>
<p>
You can run simple tests of a system filter in the same way as for a user
filter, but you should use <span><strong class="option">-bF</strong></span> rather than <span><strong class="option">-bf</strong></span>, so that features that
are permitted only in system filters are recognized.
</p>
<p>
If you want to test the combined effect of a system filter and a user filter,
you can use both <span><strong class="option">-bF</strong></span> and <span><strong class="option">-bf</strong></span> on the same command line.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0377" id="SECID214">43.3 Contents of a system filter</a></h3></div>
</div>
</div>
<p>
The language used to specify system filters is the same as for users’ filter
files. It is described in the separate end-user document <span class="emphasis"><em>Exim’s interface to
mail filtering</em></span>. However, there are some additional features that are
available only in system filters; these are described in subsequent sections.
If they are encountered in a user’s filter file or when testing with <span><strong class="option">-bf</strong></span>,
they cause errors.
</p>
<p>
<a id="id640542" class="indexterm"></a>
There are two special conditions which, though available in users’ filter
files, are designed for use in system filters. The condition <span><strong class="option">first_delivery</strong></span>
is true only for the first attempt at delivering a message, and
<span><strong class="option">manually_thawed</strong></span> is true only if the message has been frozen, and
subsequently thawed by an admin user. An explicit forced delivery counts as a
manual thaw, but thawing as a result of the <span><strong class="option">auto_thaw</strong></span> setting does not.
</p>
<p>
<span class="bold"><strong>Warning</strong></span>: If a system filter uses the <span><strong class="option">first_delivery</strong></span> condition to
specify an “<span class="quote">unseen</span>” (non-significant) delivery, and that delivery does not
succeed, it will not be tried again.
If you want Exim to retry an unseen delivery until it succeeds, you should
arrange to set it up every time the filter runs.
</p>
<p>
When a system filter finishes running, the values of the variables <em class="varname">$n0</em> –
<em class="varname">$n9</em> are copied into <em class="varname">$sn0</em> – <em class="varname">$sn9</em> and are thereby made available to
users’ filter files. Thus a system filter can, for example, set up “<span class="quote">scores</span>”
to which users’ filter files can refer.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0378" id="SECID215">43.4 Additional variable for system filters</a></h3></div>
</div>
</div>
<p>
<a id="id640636" class="indexterm"></a>
The expansion variable <em class="varname">$recipients</em>, containing a list of all the recipients
of the message (separated by commas and white space), is available in system
filters. It is not available in users’ filters for privacy reasons.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0379" id="SECID216">43.5 Defer, freeze, and fail commands for system filters</a></h3></div>
</div>
</div>
<p>
<a id="id640672" class="indexterm"></a>
<a id="id640682" class="indexterm"></a>
<a id="id640697" class="indexterm"></a>
<a id="id640711" class="indexterm"></a>
<a id="id640727" class="indexterm"></a>
<a id="id640740" class="indexterm"></a>
There are three extra commands (<span><strong class="option">defer</strong></span>, <span><strong class="option">freeze</strong></span> and <span><strong class="option">fail</strong></span>) which are
always available in system filters, but are not normally enabled in users’
filters. (See the <span><strong class="option">allow_defer</strong></span>, <span><strong class="option">allow_freeze</strong></span> and <span><strong class="option">allow_fail</strong></span> options
for the <span><strong class="command">redirect</strong></span> router.) These commands can optionally be followed by the
word <span><strong class="option">text</strong></span> and a string containing an error message, for example:
</p>
<pre class="literallayout">fail text "this message looks like spam to me"
</pre><p>
The keyword <span><strong class="option">text</strong></span> is optional if the next character is a double quote.
</p>
<p>
The <span><strong class="option">defer</strong></span> command defers delivery of the original recipients of the
message. The <span><strong class="option">fail</strong></span> command causes all the original recipients to be failed,
and a bounce message to be created. The <span><strong class="option">freeze</strong></span> command suspends all
delivery attempts for the original recipients. In all cases, any new deliveries
that are specified by the filter are attempted as normal after the filter has
run.
</p>
<p>
The <span><strong class="option">freeze</strong></span> command is ignored if the message has been manually unfrozen and
not manually frozen since. This means that automatic freezing by a system
filter can be used as a way of checking out suspicious messages. If a message
is found to be all right, manually unfreezing it allows it to be delivered.
</p>
<p>
<a id="id640845" class="indexterm"></a>
<a id="id640861" class="indexterm"></a>
The text given with a fail command is used as part of the bounce message as
well as being written to the log. If the message is quite long, this can fill
up a lot of log space when such failures are common. To reduce the size of the
log message, Exim interprets the text in a special way if it starts with the
two characters <code class="literal"><<</code> and contains <code class="literal">>></code> later. The text between these two
strings is written to the log, and the rest of the text is used in the bounce
message. For example:
</p>
<pre class="literallayout">fail "<<filter test 1>>Your message is rejected \
because it contains attachments that we are \
not prepared to receive."
</pre><p>
<a id="id640912" class="indexterm"></a>
Take great care with the <span><strong class="option">fail</strong></span> command when basing the decision to fail on
the contents of the message, because the bounce message will of course include
the contents of the original message and will therefore trigger the <span><strong class="option">fail</strong></span>
command again (causing a mail loop) unless steps are taken to prevent this.
Testing the <span><strong class="option">error_message</strong></span> condition is one way to prevent this. You could
use, for example
</p>
<pre class="literallayout">if $message_body contains "this is spam" and not error_message
then fail text "spam is not wanted here" endif
</pre><p>
though of course that might let through unwanted bounce messages. The
alternative is clever checking of the body and/or headers to detect bounces
generated by the filter.
</p>
<p>
The interpretation of a system filter file ceases after a
<span><strong class="option">defer</strong></span>,
<span><strong class="option">freeze</strong></span>, or <span><strong class="option">fail</strong></span> command is obeyed. However, any deliveries that were
set up earlier in the filter file are honoured, so you can use a sequence such
as
</p>
<pre class="literallayout">mail ...
freeze
</pre><p>
to send a specified message when the system filter is freezing (or deferring or
failing) a message. The normal deliveries for the message do not, of course,
take place.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0380" id="SECTaddremheasys">43.6 Adding and removing headers in a system filter</a></h3></div>
</div>
</div>
<p>
<a id="id641008" class="indexterm"></a>
<a id="id641022" class="indexterm"></a>
<a id="id641036" class="indexterm"></a>
Two filter commands that are available only in system filters are:
</p>
<pre class="literallayout">headers add <string>
headers remove <string>
</pre><p>
The argument for the <span><strong class="option">headers add</strong></span> is a string that is expanded and then
added to the end of the message’s headers. It is the responsibility of the
filter maintainer to make sure it conforms to RFC 2822 syntax. Leading white
space is ignored, and if the string is otherwise empty, or if the expansion is
forced to fail, the command has no effect.
</p>
<p>
You can use “<span class="quote">\n</span>” within the string, followed by white space, to specify
continued header lines. More than one header may be added in one command by
including “<span class="quote">\n</span>” within the string without any following white space. For
example:
</p>
<pre class="literallayout">headers add "X-header-1: ....\n \
continuation of X-header-1 ...\n\
X-header-2: ...."
</pre><p>
Note that the header line continuation white space after the first newline must
be placed before the backslash that continues the input string, because white
space after input continuations is ignored.
</p>
<p>
The argument for <span><strong class="option">headers remove</strong></span> is a colon-separated list of header names.
This command applies only to those headers that are stored with the message;
those that are added at delivery time (such as <span class="emphasis"><em>Envelope-To:</em></span> and
<span class="emphasis"><em>Return-Path:</em></span>) cannot be removed by this means. If there is more than one
header with the same name, they are all removed.
</p>
<p>
The <span><strong class="option">headers</strong></span> command in a system filter makes an immediate change to the set
of header lines that was received with the message (with possible additions
from ACL processing). Subsequent commands in the system filter operate on the
modified set, which also forms the basis for subsequent message delivery.
Unless further modified during routing or transporting, this set of headers is
used for all recipients of the message.
</p>
<p>
During routing and transporting, the variables that refer to the contents of
header lines refer only to those lines that are in this set. Thus, header lines
that are added by a system filter are visible to users’ filter files and to all
routers and transports. This contrasts with the manipulation of header lines by
routers and transports, which is not immediate, but which instead is saved up
until the message is actually being written (see section
<a href="ch44.html#SECTheadersaddrem" title="44.17 Adding and removing header lines in routers and transports">44.17</a>).
</p>
<p>
If the message is not delivered at the first attempt, header lines that were
added by the system filter are stored with the message, and so are still
present at the next delivery attempt. Header lines that were removed are still
present, but marked “<span class="quote">deleted</span>” so that they are not transported with the
message. For this reason, it is usual to make the <span><strong class="option">headers</strong></span> command
conditional on <span><strong class="option">first_delivery</strong></span> so that the set of header lines is not
modified more than once.
</p>
<p>
Because header modification in a system filter acts immediately, you have to
use an indirect approach if you want to modify the contents of a header line.
For example:
</p>
<pre class="literallayout">headers add "Old-Subject: $h_subject:"
headers remove "Subject"
headers add "Subject: new subject (was: $h_old-subject:)"
headers remove "Old-Subject"
</pre></div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0381" id="SECID217">43.7 Setting an errors address in a system filter</a></h3></div>
</div>
</div>
<p>
<a id="id641192" class="indexterm"></a>
In a system filter, if a <span><strong class="option">deliver</strong></span> command is followed by
</p>
<pre class="literallayout">errors_to <some address>
</pre><p>
in order to change the envelope sender (and hence the error reporting) for that
delivery, any address may be specified. (In a user filter, only the current
user’s address can be set.) For example, if some mail is being monitored, you
might use
</p>
<pre class="literallayout">unseen deliver monitor@spying.example errors_to root@local.example
</pre><p>
to take a copy which would not be sent back to the normal error reporting
address if its delivery failed.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0382" id="SECTperaddfil">43.8 Per-address filtering</a></h3></div>
</div>
</div>
<p>
<a id="id641253" class="indexterm"></a>
<a id="id641264" class="indexterm"></a>
In contrast to the system filter, which is run just once per message for each
delivery attempt, it is also possible to set up a system-wide filtering
operation that runs once for each recipient address. In this case, variables
such as <em class="varname">$local_part</em> and <em class="varname">$domain</em> can be used, and indeed, the choice of
filter file could be made dependent on them. This is an example of a router
which implements such a filter:
</p>
<pre class="literallayout">central_filter:
check_local_user
driver = redirect
domains = +local_domains
file = /central/filters/$local_part
no_verify
allow_filter
allow_freeze
</pre><p>
The filter is run in a separate process under its own uid. Therefore, either
<span><strong class="option">check_local_user</strong></span> must be set (as above), in which case the filter is run as
the local user, or the <span><strong class="option">user</strong></span> option must be used to specify which user to
use. If both are set, <span><strong class="option">user</strong></span> overrides.
</p>
<p>
Care should be taken to ensure that none of the commands in the filter file
specify a significant delivery if the message is to go on to be delivered to
its intended recipient. The router will not then claim to have dealt with the
address, so it will be passed on to subsequent routers to be delivered in the
normal way.
<a id="id641328" class="indexterm"></a>
<a id="id641340" class="indexterm"></a>
<a id="id641353" class="indexterm"></a>
</p>
</div>
</div>
<div class="navfooter">
<table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch42.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ch44.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div>
</body></html>
