Hubbry Logo
search
logo
Exim avatar
Exim
Exim
current hub
E

Exim

logo
Community Hub0 Subscribers
Read side by side
Exim
View on Wikipedia
from Wikipedia
Exim Internet Mailer
Original authorPhilip Hazel
DeveloperThe Exim Maintainers
Initial release1995; 30 years ago (1995)
Stable release
4.99[1] Edit this on Wikidata / 28 October 2025
Repository
Written inC
Operating systemUnix-like
PlatformCross-platform
TypeMail transfer agent
LicenseGPL-2.0-or-later[2]
Websitewww.exim.org Edit this at Wikidata

Exim is a mail transfer agent (MTA) used on Unix-like operating systems. Exim is a free software distributed under the terms of the GNU General Public License, and it aims to be a general and flexible mailer with extensive facilities for checking incoming e-mail.

Exim has been ported to most Unix-like systems, as well as to Microsoft Windows using the Cygwin emulation layer. Exim 4 is currently the default MTA on Debian Linux systems.[3]

Many Exim installations exist, especially within Internet service providers[4] and universities in the United Kingdom. Exim is also widely used with the GNU Mailman mailing list manager, and cPanel.

In March 2023 a study performed by E-Soft, Inc.,[5] approximated that 59% of the publicly reachable mail-servers on the Internet ran Exim.

Origin

[edit]

The first version of Exim was written in 1995 by Philip Hazel for use in the University of Cambridge Computing Service’s e-mail systems. The name initially stood for EXperimental Internet Mailer.[6] It was originally based on an older MTA, Smail-3, but it has since diverged from Smail-3 in its design and philosophy.[7][8]

Design model

[edit]

Exim, like Smail, still follows the Sendmail design model, where a single binary controls all the facilities of the MTA. Exim has well-defined stages during which it gains or loses privileges.[9]

Exim's security has had a number of serious security problems diagnosed over the years.[10] Since the redesigned version 4 was released there have been four remote code execution flaws and one conceptual flaw concerning how much trust it is appropriate to place in the run-time user; the latter was fixed in a security lockdown in revision 4.73, one of the very rare occasions when Exim has broken backwards compatibility with working configurations.

Configuration

[edit]

Exim is highly configurable and therefore has features that are lacking in other MTAs. It has always had substantial facilities for mail policy controls, providing facilities for the administrator to control who may send or relay mail through the system. In version 4.x this has matured to an Access Control List based system allowing very detailed and flexible controls. The integration of a framework for content scanning, which allowed for easier integration of anti-virus and anti-spam measures, happened in the 4.x releases. This made Exim very suitable for enforcing diverse mail policies.

The configuration is done through a (typically single) configuration file, which must include the main section with generic settings and variables, as well as the following optional sections:

  • the access control list (ACL) section which defines behaviour during the SMTP sessions,
  • the routers section which includes a number of processing elements which operate on addresses (the delivery logic), each tried in turn,
  • the transports section which includes processing elements which transmit actual messages to destinations,
  • the retry section where policy on retrying messages that fail to get delivered at the first attempt is defined,
  • the rewrite section, defining if and how the mail system will rewrite addresses on incoming e-mails
  • the authenticators' section with settings for SMTP AUTH, a rule per auth mechanism.

The configuration file permits inclusion of other files, which leads to two different configuration styles.

Configuration styles

[edit]

There are two main schools of configuration style for Exim. The native school keeps the Exim configuration in one file and external files are only used as data sources; this is strongly influenced by Philip Hazel's preferences and notes on performance as the configuration file is re-read at every exec, which happens post-fork for receiving inbound connections and at delivery.

The second commonly encountered style is the Debian style which is designed to make it easier to have an installed application automatically provide mail integration support without having the administrator edit configuration files. There are a couple of variants of this and Debian provide documentation of their approach as part of the packages. In these approaches, a debconf configuration file is used to build the Exim configuration file, together with templates and directories with configuration fragments. The meta-config is tuned with macros which have names starting DC_. When the supervisor for exim is invoked it re-processes the configuration files producing a single-file configuration that the exim binary uses.

Because the Debian approach diverges significantly from the Exim one it is common to find a lack of support for the Debian approach on the regular Exim mailing-lists, with people advised [11][12] to ask Debian questions on the Debian-managed mailing-list. The Ubuntu packaging [13] still advises users to use the Debian mailing-list.

Documentation

[edit]

Exim has extensive and exhaustive documentation; if a feature or some behaviour is not documented then this is classed as a bug. The documentation consists of The Exim Specification and two ancillary files: the experimental specification for features that might disappear and "NewStuff", which tracks very recent changes that might not have been fully integrated into the main specification. The Exim Specification is available in multiple formats, including online in HTML and in plain-text for fast searching. The document preparation system ensures that the plain-text format is highly usable.

Performance

[edit]

Exim has been deployed in busy environments, often handling thousands of emails per hour efficiently. Exim is designed to deliver email immediately, without queueing. However, its queue processing performance is comparatively poor when queues are large (which happens rarely on typical low-traffic sites but can happen regularly on high-traffic sites).

Unlike qmail, Postfix, and ZMailer, Exim does not have a central queue manager (i.e. an equivalent of qmail-send, qmgr, or scheduler). There is thus no centralized load balancing of queue processing (leading to disproportionate amounts of time being spent on processing the same queue entries repeatedly). System-wide remote transport concurrency is unlimited by default (leading to a "thundering herd problem" when multiple messages addressed to a single domain are submitted at once) but can be limited by the configuration. In Philip Hazel's own words:[14]

"The bottom line is that Exim does not perform particularly well in environments where the queue regularly gets very large. It was never designed for this; deliveries from the queue were always intended to be 'exceptions' rather than the norm."

In 1997, Hazel replaced Exim's POSIX regular expression library written by Henry Spencer with a new library he developed called PCRE (Perl Compatible Regular Expressions). Perl regular expressions are much more powerful than POSIX and other common regular expressions, and PCRE has become popular in applications other than Exim. In 2021 (after the 4.95 release) Exim transitioned to PCRE2.

Updates

[edit]

Historically, Exim used a peculiar version numbering scheme where the first decimal digit is updated only whenever the main documentation is fully up to date; until that time, changes were accumulated in the file NewStuff. For this reason, a 0.01 version change can signify important changes, not necessarily fully documented.[15] In 2005, changes to Exim's version numbering were on the table of discussion.[16]

In more recent times, the document preparation system for Exim has been overhauled and changes are much more likely to just go immediately into The Exim Specification. The 4.70 release just followed on naturally from 4.69 and the 4.6x releases had up-to-date documentation.

Philip Hazel retired from the University of Cambridge in 2007 and maintenance of Exim transitioned to a team of maintainers. Exim continues to be maintained actively, with frequent releases.

See also

[edit]

References

[edit]

Bibliography

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Exim

View on Grokipedia
from Grokipedia
Exim is a free and open-source message transfer agent (MTA) designed for Unix-like operating systems, enabling the routing, delivery, and reception of email messages via the Simple Mail Transfer Protocol (SMTP).[1] Originally developed to handle mail on Internet-connected systems, it serves as a flexible alternative to other MTAs like Sendmail, with capabilities for local and remote message processing, including delivery to mailboxes, pipes, or aliases.[2] As of November 2025, the current stable version is 4.99, licensed under the GNU General Public License.[1] Exim's development began in 1995 at the University of Cambridge Computing Service, where Philip Hazel created it from scratch as a replacement for older MTAs such as Smail, aiming for greater flexibility in mail routing and enhanced security checks.[3] The first public release occurred in June 1996, following initial internal use starting in November 1995, and it quickly gained adoption, becoming the default MTA in Debian Linux distributions from version 2.1 in 1999.[4] Hazel maintained the project as a solo effort initially, incorporating volunteer contributions over time, until his retirement in 2007; development has continued under community stewardship hosted by the University of Cambridge.[3] Key to Exim's popularity are its highly configurable architecture, which uses a single configuration file for defining routing rules, access controls, and transport options, and its support for advanced features like access control lists (ACLs) for verifying senders and recipients, integration with databases for lookups, and content scanning for spam and virus detection.[2] It excels in scalability for high-volume environments, such as those in universities and Internet service providers, while offering robust performance through queue management and retry mechanisms for undeliverable messages.[5] Exim also includes built-in support for modern email standards, including authentication protocols like SMTP AUTH and encryption via TLS.[6]

History and Development

Origin and Initial Release

Exim's development began in 1995 under the leadership of Philip Hazel at the University of Cambridge Computing Service, where it was created as a successor to Smail 3 to serve as the primary mail transfer agent (MTA) for the institution's email systems.[7] Hazel, drawing from his experience with Smail 3's lightweight design and user interface, wrote Exim from scratch in C to provide enhanced functionality while maintaining simplicity and efficiency for Unix-like operating systems connected to the Internet.[7] This initiative addressed the growing demands of academic computing environments, where reliable and rapid email delivery was essential, with most messages at Cambridge being processed almost immediately.[7] The initial release, Exim 1.0, occurred at the end of 1995 for internal use, with the first public release following in June 1996. It emphasized flexibility in configuration to overcome the complexities associated with Sendmail, the dominant MTA at the time.[3] Unlike Sendmail, which often required recompiling the binary for site-specific customizations such as routing rules, Exim introduced a runtime configuration file approach that allowed administrators to modify behavior dynamically without rebuilding the software. This design choice stemmed from the need for a highly configurable MTA capable of handling intricate routing scenarios—such as domain-specific policies and address verification—through textual directives, making it more accessible for system administrators in diverse network setups.[8] Early adoption was driven by its deployment within Cambridge's infrastructure, where it quickly proved effective for high-volume email handling.[7] A significant milestone came with the release of Exim 4.00 in May 2000, which subsequently became the default MTA in Debian distributions with Debian 3.0 in July 2002, replacing earlier versions and solidifying its role in Linux ecosystems due to its debconf-integrated configuration framework.[9] This integration facilitated easier setup and maintenance, contributing to widespread use among Internet service providers and educational institutions.[9]

Evolution and Version History

Exim's development transitioned significantly following the retirement of its primary author, Philip Hazel, from the University of Cambridge Computing Service in September 2007, after which a volunteer maintenance team was established to ensure continued support and evolution of the software.[4] This team, comprising contributors from the Exim user community, has since handled releases, security patches, and feature enhancements, maintaining Exim's open-source status under the GNU General Public License. The major version 4.00, released in 2000, marked a substantial redesign from earlier iterations, introducing Access Control Lists (ACLs) to enable flexible policy enforcement on incoming and outgoing mail, replacing the more rigid director and transport mechanisms of prior versions.[10] Subsequent releases built on this foundation; for instance, version 4.80, issued in May 2012 with a security update in October, added native support for DomainKeys Identified Mail (DKIM) verification and signing, enhancing email authentication capabilities amid rising spam concerns.[11][12] Exim's responsiveness to security threats has been a hallmark of its evolution, exemplified by the handling of critical vulnerabilities. In 2019, the project promptly addressed CVE-2019-10149, a remote code execution flaw affecting versions 4.87 to 4.91 due to improper recipient address validation in the deliver_message() function, which allowed attackers to execute arbitrary commands as root after maintaining a long-lived connection.[13] This incident underscored the maintainers' commitment to rapid patching, with Exim 4.92 released shortly thereafter to mitigate the risk. Further, version 4.97, released on November 4, 2023, incorporated fixes for multiple zero-day vulnerabilities disclosed earlier that year, including remote code execution issues in the SMTP AUTH handling (CVE-2023-42115) and format string vulnerabilities (CVE-2023-42116, CVE-2023-42117), ensuring robustness against exploitation attempts on exposed servers.[14][15] Exim's enduring popularity is evidenced by its widespread adoption, with a March 2023 study by E-Soft, Inc., estimating that approximately 59% of publicly reachable mail servers on the Internet utilized Exim, highlighting its reliability and ease of configuration in diverse environments.[16] The most recent stable release, 4.99 on October 28, 2025, focused on stability and modernization, delivering bug fixes for issues like out-of-bounds reads and crashes, alongside TLS enhancements such as support for SRV records to specify TLS availability per draft standards, and new options for early TLS banners.[17] Ongoing development by the volunteer team continues to emphasize security, performance, and integration with contemporary email protocols, ensuring Exim remains a viable MTA for Unix-like systems into 2025 and beyond.

Design and Architecture

Core Design Principles

Exim employs a single-process model for message delivery, where each invocation of the Exim binary handles the reception, routing, and delivery of messages in a unified manner, without relying on multiple specialized daemons for different phases of mail processing.[18] This design emphasizes runtime configurability, allowing administrators to modify behavior through a single text-based configuration file that can be updated without recompiling the software, enabling flexible adaptation to diverse mail environments.[18] Unlike queue-manager architectures, Exim lacks a central queue manager process; instead, it manages deferred messages via periodic queue runs, which scan the spool directory at scheduled intervals to attempt redelivery based on retry rules.[18] In contrast to systems like Postfix, which utilize a dedicated central queue manager to orchestrate mail flow across modular components for enhanced scalability under high loads, Exim's single-process approach prioritizes simplicity and direct control, potentially at the cost of concurrent processing efficiency but with greater ease in scripting custom logic.[18][19] Central to Exim's principles are its expansion variables and string expansion syntax, which facilitate dynamic routing by substituting contextual data—such as sender details or host information—into configuration directives at runtime, allowing for conditional logic in address handling without hard-coded paths.[18] Additionally, the system focuses on policy enforcement during SMTP sessions through access control lists (ACLs), which apply granular rules at key protocol stages to validate senders, control relaying, and mitigate abuse, ensuring robust security within the delivery process.[18] Exim builds on the simplicity of its predecessor, Smail 3, by adopting core ideas like straightforward routing interfaces and batch SMTP handling while introducing entirely new code to incorporate advanced rewriting and routing capabilities, transforming it into a more powerful yet still scriptable mail transfer agent.[18] The configuration file plays a pivotal role in realizing these principles, serving as the primary mechanism for defining expansions, ACLs, and routing logic.[18]

Internal Components and Processing

Exim's internal architecture relies on modular components known as routers and transports, which form the core of its message handling pipeline. Routers are responsible for interpreting recipient addresses and determining the appropriate delivery path, either by assigning the address to a transport for immediate action or by generating additional addresses through mechanisms like aliasing or forwarding.[10] These routers operate sequentially during the delivery phase, with each one evaluated in configuration-defined order until a match is found, allowing for flexible decision-making based on domain, local part, or other criteria.[10] Transports execute the actual delivery of messages once routed, supporting a variety of methods such as writing to local files via the appendfile transport, piping to external commands with the pipe transport, or sending to remote hosts using SMTP through the smtp transport.[10] In earlier versions of Exim, a separate category called directors handled local deliveries, but since Exim 4, these functions have been integrated into the unified router framework, simplifying the overall structure while maintaining backward compatibility through configuration options.[20] For retry scenarios, transports are invoked again after deferrals, guided by retry rules that specify intervals and conditions for reattempting failed deliveries, ensuring persistent handling without dedicated "retransports" as a distinct component.[10] The message processing flow begins with reception, where incoming mail arrives either via SMTP over TCP/IP or through local submission interfaces, triggering the creation of spool files containing the message envelope, headers, and body.[10] Address rewriting may occur during this phase to normalize or expand recipients, followed by content scanning integrated via Access Control Lists (ACLs), which perform checks at key SMTP stages such as after RCPT TO and at the end of the DATA phase to enforce policies like spam detection or authentication requirements.[10] If delivery succeeds, the transport handles the final disposition; otherwise, the message is queued for later attempts. Queue management centers on the spool directory, typically located at /var/spool/exim, where undelivered messages are stored in subdirectories like input/ for organization and performance.[21] A dedicated queue runner process, invoked periodically via the exim -q command or as a daemon, scans the queue to retry deferred messages according to configured retry rules, freezing persistently failing ones and optionally discarding them after a timeout to prevent indefinite backlog.[10] This pipeline enables efficient, asynchronous processing, with local deliveries handled sequentially and remote ones in parallel up to a configurable limit.[10]

Configuration

File Structure and Syntax

Exim's primary configuration file, typically named exim.conf, serves as the central runtime configuration for the mail transfer agent and is compiled into the Exim binary via the CONFIGURE_FILE setting. This file supports optional inclusions using directives such as .include <filename> for mandatory files or .include_if_exists <filename> for optional ones, allowing nested includes with absolute or relative paths to modularize the configuration. On Debian-based systems, the configuration file is commonly located at /etc/exim4/exim4.conf.[22][9] The configuration file consists of global options and macro definitions, followed by optional sections separated by lines containing the word "begin" followed by the section name. These sections can appear in any order and include the Access Control Lists (ACLs) for SMTP processing, routers for address resolution and routing, transports for message delivery mechanisms, retry rules for handling delivery failures, and authenticators for SMTP authentication. Global options and macro definitions precede these sections, while rewrite rules may follow.[22] Syntax in the configuration file employs macro definitions in uppercase, such as NAME = value, which can be redefined with == and are expanded before processing begins. Option settings use the format name = value, including list types like domainlist for domains or hostlist for hosts, with boolean options toggled via prefixes like no_ or explicit true/false values. String expansions, enclosed in ${...}, enable dynamic content generation using variables such as $local_part for the recipient's local part, supporting conditionals, lookups, and operators as detailed in the specification.[22] Error handling in Exim involves logging to three primary files: the main log for deliveries and receipts, the reject log for policy denials, and the panic log for critical errors, with content controlled by the log_selector option to enable categories like +acl or +tls. Debugging is facilitated by the -d command-line option, which outputs verbose details to stderr for categories such as acl, expand, or route, restricted to administrators to prevent sensitive data exposure; additional flags like -dd limit debugging in subprocesses. Syntax errors trigger entries in the panic log and a non-zero exit code upon configuration loading.[23][24]

Styles and Customization Options

Exim offers two primary configuration styles to accommodate different administrative preferences and system requirements. The native style employs a single monolithic configuration file, typically named configure or exim.conf, which encompasses all global options, access control lists (ACLs), routers, transports, and other components in one cohesive document. This approach, provided by default in the Exim source distribution as src/configure.default, suits environments where simplicity and direct editing are prioritized.[25] In contrast, the Debian packaging of Exim introduces a split-file style, organizing the configuration into multiple modular files within the /etc/exim4/conf.d/ directory, such as separate files for main options, ACLs, routers, and transports. These files are automatically concatenated in alphanumeric order by the update-exim4.conf script, which generates the final runtime configuration in /var/lib/exim4/config.autogenerated based on debconf settings from /etc/exim4/update-exim4.conf.conf. This split style facilitates easier management and updates on Debian-based systems without overwriting custom changes.[26] Customization in Exim is achieved through flexible techniques that allow administrators to tailor behavior dynamically. Lookup tables enable integration with external data sources, such as LDAP for directory queries or SQL databases for user authentication and alias resolution; for instance, expansions like ${lookup ldap{user=$local_part}} or ${lookup sql{SELECT ...}} can retrieve values on demand during message processing. Conditional expansions further enhance adaptability by evaluating runtime conditions, using operators like ${if eq{$domain}{example.com}{yes}{no}} to branch logic based on variables, headers, or lookup results, thereby supporting scenario-specific routing or filtering. Additionally, runtime interfaces such as the exim -bP command allow querying expanded configuration variables without restarting the server, aiding in debugging and verification; for example, exim -bP configure displays the full expanded configuration.[27][28][24] For advanced customization, Exim supports dynamic module loading, enabling extensions like lookup types (e.g., SQLite or MySQL) and authentication drivers to be loaded at runtime without recompiling the binary, provided the platform allows it and appropriate build options such as LOOKUP_<type>=2 are set. This feature reduces binary size and dependencies, loading modules from a specified directory like /usr/lib/exim4/modules only when needed.[29] Best practices for large-scale deployments emphasize modular configurations to improve maintainability and scalability. The split-file approach is particularly recommended for sites with high traffic or complex needs, as it allows isolated updates to components like ACLs without risking the entire setup; custom files can be added (e.g., 40_custom-acls) and processed via update-exim4.conf followed by a service restart. For basic anti-spam setups, administrators can customize ACLs to deny messages based on DNS blacklists, such as by adding deny dnslists = zen.spamhaus.org in the connect or rcpt ACL sections, or integrate SpamAssassin via content scanning with expansions like ${if >{$spam_score_int}{50}{reject}{accept}} to score and filter incoming mail. These techniques balance security with performance, ensuring configurations remain robust across distributed environments.[26][30]

Features and Capabilities

Security and Policy Controls

Exim employs Access Control Lists (ACLs) to enforce granular policies during SMTP sessions, allowing administrators to accept, deny, or defer connections based on various criteria. For instance, ACLs can deny messages from sender IP addresses listed in DNS blacklists using the dnslists condition, such as deny dnslists = spamhaus.example, or accept only from trusted hosts via accept hosts = +local_networks. HELO checks are performed in the acl_smtp_helo phase, where the verify = helo condition validates the client's HELO/EHLO name against DNS records to prevent spoofing. Content inspection occurs in the acl_smtp_data phase, employing the regex condition to match patterns indicative of spam, like deny regex = ^Subject:.*viagra, thereby mitigating abuse at the protocol level.[30] SMTP authentication in Exim supports multiple mechanisms through the SASL framework, including CRAM-MD5 for challenge-response verification without transmitting plaintext passwords, as defined in the cram_md5 authenticator. Configuration involves specifying authenticators in the runtime file, such as cram_md5: driver = cram_md5 with server_secret for credential storage, and enabling via acl_smtp_auth. To enhance security, authentication can be restricted to TLS-encrypted sessions using conditions like ${if eq{$tls_in_cipher}{}{no}{yes}} in server_advertise_condition, ensuring encrypted transmission of credentials over opportunistic or mandatory TLS. Exim also integrates with external SASL libraries like Cyrus SASL when compiled with AUTH_CYRUS_SASL=yes.[31] Exim has faced notable vulnerabilities. One such issue is CVE-2019-10149, a remote code execution flaw affecting versions 4.87 to 4.91 due to improper validation of recipient addresses in the deliver_message() function, leading to remote command execution and root privilege escalation. This issue, disclosed in June 2019, allowed unauthenticated attackers to execute arbitrary commands via crafted emails. Mitigations include upgrading to version 4.92 or later, where the vulnerability is patched, alongside built-in features like rate limiting in ACLs—configured as ratelimit = 100 / 1h / strict to curb excessive connections—and sandboxing through privilege separation, where Exim drops root privileges early in processing to limit exploit impact.[32][13][30] More recently, CVE-2024-39929, disclosed in July 2024, affects Exim versions through 4.97.1 and involves misparsing of multiline RFC 2231 header filenames, allowing remote attackers to bypass the $mime_filename extension-blocking protection mechanism and deliver malicious attachments. Mitigation requires upgrading to version 4.98 or later. Additionally, CVE-2025-26794, disclosed in February 2025, is a remote SQL injection vulnerability in Exim 4.98 before 4.98.1 when SQLite hints and ETRN serialization are enabled, potentially allowing unauthorized database access. It is addressed in version 4.98.1 and later.[33][34] To combat email abuse, Exim provides native support for DKIM verification, enabled by default when compiled with TLS support, which checks incoming signatures in the acl_smtp_dkim phase and logs results like "DKIM verification succeeded" for auditing. DMARC integration requires the libopendmarc library and configuration options such as dmarc_tld_file for organizational domain identification, allowing policy enforcement in the DATA ACL based on dmarc_status—for example, rejecting messages with reject dmarc_status = reject. Additionally, the content scanning extension, activated via WITH_CONTENT_SCAN at compile time, offers hooks for anti-abuse tools: the malware condition interfaces with ClamAV using av_scanner = clamd:127.0.0.1 3310, while the spam condition calls SpamAssassin via spamd_address = 127.0.0.1 783, enabling rejection of infected or spammy content during MIME processing in acl_smtp_mime.[35][36]

Integration with External Tools

Exim provides robust hooks for content scanning through its Access Control Lists (ACLs), enabling integration with external antivirus and spam filtering tools via the malware and spam conditions in the acl_smtp_data ACL.[36] For antivirus scanning, Exim interfaces with ClamAV by connecting to its clamd daemon over TCP or Unix sockets, specified via the av_scanner option, such as av_scanner = clamd:/var/run/clamav/clamd.ctl.[36] This requires compiling Exim with the WITH_CONTENT_SCAN flag and running the ClamAV daemon; upon detection, variables like $malware_name capture details for logging or rejection.[36] Similarly, spam filtering integrates with SpamAssassin through the spam condition, which queries the spamd daemon via the spamd_address option, for example spamd_address = 127.0.0.1 783, returning scores in $spam_score for threshold-based actions.[36] These integrations often employ pipe transports to pass messages to the tools, processing temporary spool files during the DATA phase of SMTP.[36] Database integrations in Exim support dynamic lookups for virtual domains and user validation using query-style mechanisms in routers and ACLs.[27] For MySQL, lookups use SQL queries like ${lookup mysql{SELECT mailbox FROM users WHERE email='${quote_mysql:$local_part@$domain}'}, configured with mysql_servers to specify hosts, databases, users, and passwords, such as mysql_servers = localhost/maildb/eximuser/secret.[27] PostgreSQL follows a similar pattern with ${lookup pgsql{SELECT home FROM users WHERE email='${quote_pgsql:$local_part@$domain}'}} and the pgsql_servers option, enabling efficient validation of recipient addresses against virtual user tables.[27] LDAP integration employs URL-based queries, for instance ${lookup ldap{ldap:///ou=people,o=example?mail?sub?(mail=${quote_ldap:$local_part@$domain})}, with ldap_default_servers defining server connections, often for directory-based authentication and domain mapping in enterprise environments.[27] External scripting capabilities extend Exim's flexibility through embedded Perl support and callouts to external programs.[37] To enable embedded Perl, Exim is compiled with EXIM_PERL = perl.o in the Local/Makefile, requiring Perl 5.004 or later, and initialized via the perl_startup option to load subroutines from a file like /etc/exim.pl.[37] These subroutines are invoked in string expansions as ${perl{myfunc}{arg1}}, allowing custom verification logic, such as checking against external data sources, with access to Exim variables via Exim::expand_string().[37] For broader external interactions, the ${run} expansion executes programs during ACL processing, e.g., ${run{/usr/local/bin/verify $local_part}}, capturing output for conditions, while pipe transports route messages to custom scripts for advanced verification.[30] In common self-hosted setups, Exim integrates with Dovecot for local delivery using the LMTP transport, which pipes messages over Unix sockets or TCP as defined by RFC 2033, configured via options like command = /usr/lib/dovecot/deliver -f $sender_address -d $local_part.[38] This enables Dovecot to handle final delivery and Sieve filtering after Exim's routing. Exim is also frequently paired with Roundcube as a webmail interface, where Roundcube submits outgoing mail via Exim's SMTP port and retrieves messages through Dovecot's IMAP, forming a complete open-source email stack without direct API coupling.[39][40]

Performance and Comparisons

Efficiency and Benchmarks

Exim exhibits strong performance in email delivery, particularly for immediate transactions, with reported throughputs reaching up to 100,000 messages per hour on modest hardware configurations such as standard Unix servers with limited CPU and memory resources. This capability stems from its efficient single-process daemon model, which handles SMTP sessions with low latency by multiplexing connections within a single process and forking only for delivery tasks when necessary.[41] Empirical benchmarks from 2023 evaluations demonstrate Exim's advantages in scalability, enabling better handling of peak traffic without significant resource spikes. For queue management, Exim processes thousands of messages per hour without requiring a separate queue runner process, leveraging its built-in periodic scanning and delivery mechanisms to maintain steady throughput even during bursts. These results position Exim as particularly effective for environments with variable email volumes.[42][43] Key factors enhancing Exim's efficiency include the minimal computational overhead associated with its string expansion features, which allow flexible routing and filtering without introducing substantial delays, and built-in optimizations like DNS caching to avoid repeated network queries during message routing. The caching mechanism, for instance, stores recent DNS resolutions in memory, reducing average lookup times by orders of magnitude in high-volume scenarios.[44] In usage contexts, Exim proves ideal for low-to-medium volume servers, such as those in web hosting or small enterprise setups, where its balance of performance and configurability shines. As of July 2024, a survey indicated that Exim powers approximately 59% of publicly reachable mail transfer agents, reflecting its reliability and efficiency in real-world deployments across diverse infrastructures.[16]

Limitations and Optimizations

Exim exhibits limitations in scalability when handling very large mail queues, such as those exceeding one million messages, primarily due to the absence of a central queue manager and reliance on sequential directory scans for processing.[45][42] This design can lead to bottlenecks under high load, as each queue runner process individually scans the entire spool directory, potentially causing delays in delivery and increased I/O overhead.[24] To mitigate these issues, administrators can implement optimizations such as running multiple queue runners at regular intervals, for example, using the -q1h option to perform queue scans hourly, which distributes the workload over time and reduces contention.[24] Enabling the split_spool_directory option divides the spool into subdirectories based on message identifiers, improving file system performance by minimizing directory entry lookups in large queues.[46] Additionally, external utilities like exiqgrep allow for selective querying and management of queue messages without full scans, facilitating targeted interventions such as removing problematic entries.[47] In comparisons with other MTAs, Exim tends to be slower than Postfix in scenarios with high queue volumes due to Postfix's parallel queue processing via a dedicated manager, though Exim offers greater configuration flexibility for custom routing and filtering.[42] Historical resource exhaustion vulnerabilities, such as those enabling privilege escalation through failed privilege drops under load in versions prior to 4.76, have been addressed in subsequent releases to prevent excessive process forking and system overload.[48] Further tuning involves adjusting log selectors to minimize verbosity, such as disabling non-essential entries via the log_selector option, which reduces CPU and disk I/O load from excessive logging during peak operations.[23] Disabling unused features in the configuration, like unnecessary ACL checks or transports, also lowers overall resource consumption by streamlining message processing paths.[46]

Documentation and Community

Official Resources

The primary official documentation for Exim is the Exim Specification, a comprehensive reference manual that details all configuration options, features, and operational behaviors for the current release. Updated with each version, the specification for Exim 4.99, released on October 27, 2025, serves as the authoritative guide covering routers, transports, ACLs, and command-line interfaces, available in HTML, PDF, and other formats on the official website.[2][18] The official Exim website at exim.org provides central access to resources, including the downloads section at downloads.exim.org for source distributions in tar.xz, tar.gz, and tar.bz2 formats, signed with PGP keys from the Exim Maintainers. Mailing lists hosted at lists.exim.org facilitate communication: exim-users for general user discussions, exim-dev for development and bug reports, and exim-announce for low-volume release notifications, with archives searchable via the website. Bug reports are submitted through bugs.exim.org or email to [email protected].[1][49][8] Exim includes built-in administrative tools accessible via command-line options, such as -bt for testing address routing without actual delivery—accepting recipient addresses as arguments and returning codes indicating success (0), partial resolution (1), or failure (2)—and -M for forcing delivery of specified messages by ID, thawing frozen messages and bypassing retry rules, restricted to administrators unless configured otherwise. The source distribution features a contrib directory containing sample configuration files, scripts, and utilities contributed by maintainers for common setups like authentication and filtering.[24] Release notes and changelogs are provided in the distribution's doc directory, with ChangeLog detailing all modifications, deprecations, and new features per version, and NewStuff summarizing major updates since the previous release to aid upgrades.[8]

Support and Maintenance

Exim benefits from a dedicated open-source community that has supported its development and usage since its inception. The primary venue for user discussions and problem-solving is the exim-users mailing list, which has been active since 1996 and serves as a forum for administrators to share configurations, troubleshoot issues, and exchange best practices.[50] Complementing this, the exim-announce list, operational since 1999, provides official updates on releases and security advisories, while the exim-dev list facilitates contributions to the codebase.[50] Key maintenance responsibilities have been handled by Heiko Schlittermann since at least the early 2010s, with formal recognition of his role in project governance by 2022.[51] Bug reports and feature requests for Exim are managed through a dedicated Bugzilla instance at bugs.exim.org, where developers and users collaborate to identify, prioritize, and resolve issues.[52] This system has facilitated the addressing of numerous vulnerabilities and enhancements over the years, ensuring ongoing stability for deployments.[18] Exim is readily available through major Linux distributions, serving as the default mail transfer agent in Debian and Ubuntu systems, where it can be installed via standard package managers like apt.[26][53] For Red Hat-based distributions such as CentOS Stream, AlmaLinux, or RHEL, where Postfix is the default, Exim packages are provided by third-party repositories like EPEL, allowing users to adopt it as an alternative MTA.[54] As a volunteer-driven project under the GNU General Public License, Exim's maintenance emphasizes incremental updates and security hardening rather than architectural overhauls.[1] In 2025, efforts continue to focus on timely security patches, as evidenced by releases addressing critical vulnerabilities like CVE-2025-26794, with no indications of major rewrites in the near term.[55] The project's sustainability relies on community contributions, with ongoing support through mailing lists and the Bugzilla tracker to adapt to evolving email standards and threats.[1]

References

  1. Exim Internet Mailer
  2. Specification of the Exim Mail Transfer Agent
  3. How free software hijacked Philip Hazel's life - LWN.net
  4. Exim: a case study in sustainability - OSS Watch
  5. 1. Introduction - Exim: The Mail Transfer Agent [Book] - O'Reilly
  6. Exim - Mailrelay
  7. Exim Overview
  8. 1. Introduction
  9. Exim 4 for Debian - Chiark.greenend.org.uk
  10. Chapter 3 - How Exim receives and delivers mail
  11. [exim-announce] Exim 4.80.1 Security Release
  12. https://nvd.nist.gov/vuln/detail/CVE-2012-5671
  13. NVD - CVE-2019-10149
  14. [exim] Exim 4.97 released
  15. Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog
  16. Critical Exim bug bypasses security filters on 1.5 million mail servers
  17. [exim-announce] Exim 4.99 Released
  18. [PDF] Specification of the Exim Mail Transfer Agent
  19. Postfix Architecture Overview
  20. 6.2.5 Router for Exim 4 - GNU.org
  21. 57. Format of spool files - Exim Internet Mailer
  22. Chapter 6 - The Exim runtime configuration file
  23. 53. Log files - Exim Internet Mailer
  24. 5. The Exim command line
  25. 7. The default configuration file - Exim Internet Mailer
  26. Exim - Debian Wiki
  27. Chapter 9 - File and database lookups - Exim Internet Mailer
  28. 11. String expansions - Exim Internet Mailer
  29. 4. Building and installing Exim - Exim Internet Mailer
  30. Access Control Lists (ACLs) are defined in a ... - Exim Internet Mailer
  31. 33. SMTP authentication - Exim Internet Mailer
  32. None
  33. 58. DKIM, SPF, SRS and DMARC - Exim Internet Mailer
  34. 45. Content scanning at ACL time - Exim Internet Mailer
  35. 12. Embedded Perl - Exim Internet Mailer
  36. 28. The lmtp transport
  37. Exim - ArchWiki
  38. 10 Best Self-Hosted Email Server Platforms to Use in 2025 - RunCloud
  39. Re: [exim] What's the performance benchmark of Exim4?
  40. Postfix vs Sendmail vs Exim - Choosing MTA - Mailtrap
  41. 30. The smtp transport - Exim Internet Mailer
  42. New Exim Vulnerability Exposes Servers to DoS Attacks, RCE Risks
  43. Exim | Linagora
  44. Chapter 14 - Main configuration - Exim Internet Mailer
  45. 54. Exim utilities - Exim Internet Mailer
  46. CVE-2011-0017 Exim: privilege escalation - Red Hat Bugzilla
  47. https://downloads.exim.org/
  48. Mailing lists for Exim
  49. Legal - Exim Internet Mailer
  50. Exim Mail Transport Agent - source, testsuite and documentation
  51. Install and configure Exim4 - Ubuntu Server documentation
  52. 4.12.2. Exim | Migration Planning Guide | Red Hat Enterprise Linux | 6
  53. Exim - CVE-2025-26794: upcoming security release
User Avatar
No comments yet.