Which variable is permitted

Each shell has it's own ideas of what are valid variable NAMEs, so you have to read the man page for the shell-of-the-moment to see what it thinks. Generally, things like com. It depends on the shell. I'm guessing you're using bash by default, in which case letters, numbers and underscores are allowed, but you can't start the variable name with a number.

As of Bash v. While most shell will not allow setting enviroment variables as mentioned in other answers , if you have need you can execute other programs with nonstandard enviroment variables using env 1.

For example, erasing all enviroment and setting Strange. Env:Var to value foo , and executing perl program that prints it:. Stack Overflow for Teams — Collaborate and share knowledge with a private group. Create a free Team What is Teams? Collectives on Stack Overflow. Learn more. Allowed characters in Linux environment variable names Ask Question. Asked 11 years, 6 months ago.

Active 2 years ago. Viewed 92k times. Christian Semrau Christian Semrau 8, 2 2 gold badges 29 29 silver badges 37 37 bronze badges.

Luckily, I found that the program is just as happy with a Java system property declared with a -D command line option , so it works now.

Obviously the program looks in both variable sets without telling me. But still I am curious about which environment variable names are allowed. AleksandrDubinsky I deleted it. This is similar but about alias definition not exactly environment variables stackoverflow.

Add a comment. Active Oldest Votes. Robert Gamble Robert Gamble Also, the "portable character set" pubs. This is exactly what I observe. Complete the policy:. Add any additional policy items you require. Change the ending from Deny. Click the Apply Access Policy.

The access policy is configured to extract an ACL from an AAA server and apply it when processing occurs on the access policy branch. To apply this access policy to network traffic, add the access profile to a virtual server.

To ensure that logging is configured to meet your requirements, verify the log settings for the access profile. This allows you to combine multiple objects in a dynamic ACL. Here an example shows the general steps to do this. The policy you are working with needs to have a Variable Assign agent. In the visual policy editor, create entries for session variables with the required ACL values in the Variable Assign agent.

For example:. When you click Continue. F5 ACL format. Specifies F5 ACL syntax and provides examples. This syntax applies to both static and dynamic ACLs. Specify an F5 ACL using this syntax. The syntax allows multiple ACLs in a single string along with comments. Comments are optional. They have no effect on the ACLs. A space as a comment. Vertical bar comments. Allows the specified traffic. Silently drops the packets. Specifying a logging option is optional.

Enables default logging for the ACL. Writes packet-level logs to the packet filter log file. Writes configuration logs to the configuration log file. Context specifies a protocol followed by addresses, networks, and ports for the ACL action. Its effect lasts until the end of the SMTP connection.

If used with no options set, no immediate delivery process is started. The benefit is that the hints database will be updated for the message being waiting for a specific host, and a later queue run will be able to send all such messages on a single connection. The control only applies to the current message, not to any subsequent ones that may be received in the same SMTP connection.

Setting it tells Exim that the current message is a submission from a local MUA. For example, it adds a Date: header line if one is not present. Chapter 48 describes the processing that Exim applies to messages.

It disables the fixups that are normally applied to locally-submitted messages. There is no check that From: corresponds to the actual sender. This control may be useful when a remotely-originated message is accepted, passed to some scanning program, and then re-submitted for delivery.

Note: This control applies only to the current message, not to any others that are being submitted at the same time using -bs or -bS. This control enables conversion of UTF-8 in message envelope addresses to a-label form. For details see section Each one is checked for valid syntax; X-ACL-Warn: is added to the front of any line that is not a valid header line. However, if an identical header line is requested more than once, only one copy is actually added to the message.

Header lines are not visible in string expansions of message headers until they are added to the message. If you want to do this, you can use ACL variables, as described in section Notice the difference between these two cases:.

In the first case, the header line is always added, whether or not the condition is true. In the second case, the header line is added only if the condition is true. All those that are encountered before a condition fails are honoured. Furthermore, only the last occurrence of message is honoured. This usage of message is now deprecated. By default, new header lines are added to a message at the end of the existing header lines.

However, you can specify that any particular header line should be added right at the start before all the Received: lines , immediately after the first block of Received: lines, or immediately before any line that is not a Received: or Resent-something: header. Header text cannot start with a colon, as there has to be a header name first. If you add more than one line at the start, or after the Received: block, they end up in reverse order.

Warning : This facility currently applies only to header lines that are added in an ACL. It does NOT work for header lines that are added in a system filter or in a router or transport. More than one header can be removed at the same time by using a colon separated list of header names. The header matching is case insensitive.

If multiple header lines match, all are removed. There is no harm in attempting to remove the same header twice nor in removing a non-existent header.

Header lines are not visible in string expansions until the DATA phase when it is received. If you want to do this, you should instead use ACL variables, as described in section In the first case, the header line is always removed, whether or not the condition is true.

In the second case, the header line is removed only if the condition is true. Warning : This facility currently applies only to header lines that are present during ACL processing. It does NOT remove header lines that are added in a system filter or in a router or transport. Some of the conditions listed in this section are available only when Exim is compiled with the content-scanning extension.

They are included here briefly for completeness. More detailed descriptions can be found in the discussion on content scanning in chapter Not all conditions are relevant in all circumstances. You can use the same condition with different parameters more than once in the same ACL statement.

The conditions are as follows:. The named or inline ACL is run. This means that further processing of the warn verb ceases, but processing of the ACL continues. Previous values of these variables are restored after the call returns. The name and values are expanded separately. Note that spaces in complex expansions which are used as arguments will act as argument separators.

ACLs may be nested up to 20 deep; the limit exists purely to catch runaway loops. This condition allows you to use different ACLs in different circumstances. If the SMTP connection is not authenticated, the condition is false. Otherwise, the name of the authenticator is tested against the list.

To test for authentication by any authenticator, you can set. This feature allows you to make up custom conditions. However, if the expansion is forced to fail, the condition is ignored.

The effect is to treat it as true, whether it is positive or negative. It causes the current MIME part to be decoded into a file. If all goes well, the condition is true. It is false only if there are problems such as a syntax error or a memory shortage. For more details, see chapter This condition checks for entries in DNS black lists. There are too many different variants of this condition to describe briefly here.

See sections This condition is relevant only after a RCPT command. It checks that the domain of the recipient address is in the domain list. If percent-hack processing is enabled, it is done before this test is done.

If the SMTP connection is not encrypted, the condition is false. Otherwise, the name of the cipher suite in use is tested against the list. To test for encryption without testing for any specific cipher suite s , set. This condition tests that the calling host matches the host list. If you have name lookups or wildcarded host names and IP addresses in the same host list, you should normally put the IP addresses first.

For example, you could have:. The lookup in this example uses the host name for its key. The reason for the problem with host names lies in the left-to-right way that Exim processes lists. It can test IP addresses without doing any DNS lookups, but when it reaches an item that requires a host name, it fails if it cannot find a host name to compare with the pattern.

If the above list is given in the opposite order, the accept statement fails for a host whose name cannot be found, even if its IP address is If you really do want to do the name check first, and still recognize the IP address even if the name lookup fails, you can rewrite the ACL like this:.

The default action on failing to find the host name is to assume that the host is not in the list, so the first accept statement fails. The second statement can then check the IP address. This allows you, for example, to set up a statement like this:. It checks that the local part of the recipient address is in the list. If percent-hack processing is enabled, it is done before this test.

This condition is available only when Exim is compiled with the content-scanning extension and only after a DATA command. It causes the incoming message to be scanned for viruses. It causes the current MIME part to be scanned for a match with any of the regular expressions. This condition can be used to limit the rate at which a user or host submits messages.

Details are given in section It checks the entire recipient address against a list of recipients. It causes the incoming message to be scanned for a match with any of the regular expressions.

This condition tests the domain of the sender of the message against the given domain list. This is an exception to the general rule for testing domain lists. Warning : It is a bad idea to use this condition on its own as a control on relaying, because sender addresses are easily, and commonly, forged.

This condition tests the sender of the message against the given list. To test for a bounce message, which has an empty sender, set. This condition is available only when Exim is compiled with the content-scanning extension. It causes the incoming message to be scanned by SpamAssassin. This condition is true in an SMTP session if the session is encrypted, and a certificate was received from the client, and the certificate was verified.

This condition checks whether the sending host the client is authorized to send email. Details of how this works are given in section This condition is relevant only in an ACL that is run after a message has been received. It checks all header names not the content to make sure there are no non-ASCII characters, also excluding control characters. It checks that there is a verifiable address in at least one of the Sender: , Reply-To: , or From: header lines.

However, an address that appears in one of these headers need not be an address that accepts bounce messages; only sender addresses in envelopes are required to accept bounces. Therefore, if you use the callout option on this check, you might want to arrange for a non-empty address in the MAIL command.

Details of address verification and the options are given later, starting at section You can combine this condition with the senders condition to restrict it to bounce messages only:. It checks the syntax of all header lines that can contain lists of addresses Sender: , From: , Reply-To: , To: , Cc: , and Bcc: , returning true if there are no problems. Note that this condition is a syntax check only. However, a common spamming ploy used to be to send syntactically invalid headers such as.

This condition checks that there are no blind bcc recipients in the message. Every envelope recipient must appear either in a To: header line or in a Cc: header line for this condition to be true. Local parts are checked case-sensitively; domains are checked case-insensitively. If Resent-To: or Resent-Cc: header lines exist, they are also checked.

If this is present then local parts are checked case-insensitively. There are, of course, many legitimate messages that make use of blind bcc recipients. This check should not be used on its own for blocking messages. It verifies the current recipient.

Details of address verification are given later, starting at section This applies even if the verification fails. This condition ensures that a verified host name has been looked up from the IP address of the client host. Verification ensures that the host name obtained from a reverse DNS lookup, or one of its aliases, does, when it is itself looked up in the DNS, yield the original IP address. If this is present and a DNS operation returns a temporary error, the verify condition succeeds.

If this condition is used for a locally generated message that is, when there is no client host involved , it always succeeds. Otherwise, the sender address is verified. This value can be used in subsequent conditions and modifiers in the same ACL statement. It does not persist after the end of the current statement.

If you want to preserve the value for longer, you can save it in an ACL variable. Details of verification are given later, starting at section Exim caches the result of sender verification, to avoid doing it more than once per message. This is a variation of the previous option, in which a modified address is verified as a sender. In its simplest form, the dnslists condition tests whether the calling host is on at least one of a number of DNS lists by looking up the inverted IP address in one or more DNS domains.

As soon as Exim finds an existing DNS record, processing of the list stops. If a DNS lookup times out or otherwise fails to give a decisive answer, Exim behaves as if the host does not match the list item, that is, as if the DNS record does not exist. If there are further items in the DNS list, they are processed.

This is usually the required action when dnslists is used with deny which is the most common usage , because it prevents a DNS failure from blocking mail. However, you can change this behaviour by putting one of the following special items in the list:. Testing the list of domains stops as soon as a match is found. If you want to warn for one list and block for another, you can use two different statements:. Exim does not share information between multiple incoming connections but your local name server cache should be active.

There are a number of DNS lists to choose from, some commercial, some free, or free for small deployments. However, you can specify another IP address by listing it after the domain name, introduced by a slash. This feature is not very helpful with explicit IP addresses; it is intended for use with IP addresses that are looked up, for example, the IP addresses of the MX hosts or nameservers of an email sender address.

For an example, see section There are some lists that are keyed on domain names rather than inverted IP addresses see, e. No reversing of components is used with these lists. You can change the name that is looked up in a DNS list by listing it after the domain name, introduced by a slash.

A single dnslists condition can contain entries for both names and IP addresses. The whole condition is true if either of the DNS lookups succeeds. The syntax described above for looking up explicitly-defined values either names or IP addresses in a DNS blacklist is a simplification. After the domain name for the DNS list, what follows the slash can in fact be a list of items. As with all lists in Exim, the default separator is a colon.

However, because this is a sublist within the list of DNS blacklist domains, it is necessary either to double the separators like this:. If it is not an IP address, no inversion occurs. Consider this condition:.

Once a DNS record has been found that matches a specific IP return address, if specified — see section A temporary error for the whole dnslists item occurs only if no other DNS lookup in this sublist succeeds. In other words, a successful lookup for any of the items in the sublist overrides a temporary error for a previous item.

The ability to supply a list of items after the slash is in some sense just a syntactic convenience. These two examples have the same effect:. However, when the data for the list is obtained from a lookup, the second form is usually much more convenient. Consider this example:. The inner dnsdb lookup produces a list of MX hosts and the outer dnsdb lookup finds the IP addresses for these hosts.

The result of expanding the condition might be something like this:. The original RBL just used the address Some DNS lists may return more than one address record; see section In simple cases, for example:. In more complicated cases, however, this is not true. For example, using a data lookup as described in section See section You can add an equals sign and an IP address after a dnslists domain name in order to restrict its action to DNS records with a matching right hand side.

Without this additional data, any address record is considered to be a match. For the moment, we assume that the DNS lookup returns just one record. More than one IP address may be given for checking, using a comma as a separator. These are alternatives — if any one of them matches, the dnslists condition is true. If you want to specify a constraining address list and also specify names or IP addresses to be looked up, the constraining address list must be specified first.

In other words, the listed addresses are used as bit masks. The comparison is true if all the bits in the mask are present in the address that is being tested. If you want to test whether one bit or another bit is present as opposed to both being present , you must use multiple values. You can supply a negative list of IP addresses as part of a dnslists condition. Note : This kind of negation is not the same as negation in a domain, host, or address list which is why the syntax is different.

If you are using just one list, the negation syntax does not gain you much. The previous example is precisely equivalent to. However, if you are using multiple lists, the negation syntax is clearer. Negation can also be used with a bitwise-and restriction. The dnslists condition with only be trus if a result is returned by the lookup which, anded with the restriction, is all zeroes. For example, consider the condition:. Is the condition true because at least one given value was found, or is it false because at least one of the found values was not listed?

And how does this affect negated conditions? For the example above, the condition is true because If the condition is changed to:. You would need to have:. If the DNS lookup yields both This happens when lists are merged and the IP address in the A record is used to distinguish them; unfortunately there is only one TXT record. One way round this is not to use merged lists, but that can be inefficient because it requires multiple DNS lookups where one would do in the vast majority of cases when the host of interest is not on any of the lists.

A less inefficient way of solving this problem is available. If two domain names, comma-separated, are given, the second is used first to do an initial check, making use of any IP value restrictions that are set.

If there is a match, the first domain is used, without any IP value restrictions, to get the TXT record. As a byproduct of this, there is also a check that the IP being tested is indeed on the first list. For the first blacklist item, this starts by doing a lookup in sbl-xbl. If there is a match, it then looks in sbl. If there is no match in sbl-xbl. The second blacklist item is processed similarly.

If you are interested in more than one merged list, the same list must be given several times, but because the results of the DNS lookups are cached, the DNS calls themselves are not repeated. In this case there is one lookup in dnsbl. Only if there is a match is one of the more specific lists consulted. If Exim is asked to do a dnslist lookup for an IPv6 address, it inverts it nibble by nibble. For example, the DNS entry. You can exclude IPv6 addresses from DNS lookups by making use of a suitable condition condition, as in this example:.

If an explicit key is being used for a DNS lookup and it may be an IPv6 address you should specify alternate list separators for both the outer DNS list name list and inner lookup keys list:. The ratelimit ACL condition can be used to measure and control the rate at which clients can send email. The syntax of the ratelimit condition is:. If the average client sending rate is less than m messages per time period p then the condition is false; otherwise it is true.

The parameter p is the smoothing time constant, in the form of an Exim time interval, for example, 8h for eight hours. The parameter m is the maximum number of messages that a client is permitted to send in each time interval.

It also specifies the number of messages permitted in a fast burst. Conversely, if m and p are both small, messages must be sent at an even rate. The script prints usage instructions when it is run with no arguments. By changing the key you can change how Exim identifies clients for the purpose of ratelimiting. Each ratelimit condition can have up to four options.

You can also control when Exim updates the recorded rate using a strict , leaky , or readonly option. The options are separated by a slash, like the other parameters. They may appear in any order. Internally, Exim appends the smoothing constant p onto the lookup key with any options that alter the meaning of the stored data.

You can follow the limit m in the configuration with K, M, or G to specify limits in kilobytes, megabytes, or gigabytes, respectively. Note that in either case the rate limiting engine will see a message with many recipients as a large high-speed burst.