Exim
Latest revision as of 07:57, December 14, 2023
Reading the Mainlog

| Tag | Meaning |
| <=  | Incoming mail, sender may be local or remote |
| =>  | Outgoing mail, sender may be local or remote |
| ==  | Message delivery deferred |
| **  | Message delivery failure |
| A   | authenticator name (and optional id) |
| C   | SMTP confirmation on delivery |
|     | command list for “no mail in SMTP session” |
| CV  | certificate verification status |
| D   | duration of “no mail in SMTP session” |
| DN  | distinguished name from peer certificate |
| DT  | on => lines: time taken for a delivery |
| F   | sender address (on delivery lines) |
| H   | host name and IP address |
| I   | local interface used |
| id  | message id for incoming message |
| P   | on <= lines: protocol used |
|     | on => and ** lines: return path |
| QT  | on => lines: time spent on queue so far |
|     | on “Completed” lines: time spent on queue |
| R   | on <= lines: reference for local bounce |
|     | on => ** and == lines: router name |
| S   | size of message |
| ST  | shadow transport name |
| T   | on <= lines: message subject (topic) |
|     | on => ** and == lines: transport name |
| U   | local user or RFC 1413 identity |
| X   | TLS cipher suite |
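The function below is an added example, not part of this wiki page or of Exim itself: it turns the flag and tag fields listed in the table into tab-separated columns with awk, so a mainlog can be filtered by tag (P=local versus P=esmtpa, a particular H= host, a cipher in X=) without counting whitespace-separated fields by hand. The function name and the sample log lines are my own; the message IDs, hosts and addresses in the sample are made up.

```shell
#!/bin/sh
# Parse Exim mainlog delivery lines into tab-separated fields.
# Output columns: message id, flag (<= => -> >> *> ** ==), address, then every
# tag as key=value in the order it appears on the line. Lines without a delivery
# flag ("Completed", "authenticator failed", ...) are skipped.
exim_log_fields() {
  awk '
  BEGIN {
    want["<="] = 1; want["=>"] = 1; want["->"] = 1; want[">>"] = 1
    want["*>"] = 1; want["**"] = 1; want["=="] = 1
  }
  ($4 in want) {
    id = $3; flag = $4; addr = $5
    out = ""; key = ""; val = ""; inq = 0
    for (i = 6; i <= NF; i++) {
      tok = $i
      if (inq) {                                  # inside a quoted value such as T="..." or C="..."
        val = val " " tok
        if (tok ~ /"$/) inq = 0
        continue
      }
      c = substr(tok, 1, 1)
      if (key != "" && (c == "[" || c == "(")) {  # "[ip]" / "(helo name)" belong to the previous tag (H=)
        val = val " " tok
        continue
      }
      if (tok ~ /^[A-Za-z]+=/) {                  # start of a new tag
        if (key != "") out = out "\t" key "=" val
        eq = index(tok, "=")
        key = substr(tok, 1, eq - 1); val = substr(tok, eq + 1)
        if (val ~ /^"/ && val !~ /^".*"$/) inq = 1
        continue
      }
      break                                       # free text (defer/error reason) ends the tag list
    }
    if (key != "") out = out "\t" key "=" val
    print id "\t" flag "\t" addr out
  }' "$@"
}

# Constructed sample log (not from a real server); IDs, hosts and addresses are made up.
SAMPLE_MAINLOG=$(cat <<'EOF'
2023-12-14 07:01:02 1rDxyz-0001aB-2C <= sender@example.com H=(client.example.net) [192.0.2.10] P=esmtpa A=dovecot_login:sender@example.com S=2345 id=abc@example.com T="Hello there"
2023-12-14 07:01:03 1rDxyz-0001aB-2C => recipient@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK id=xyz" QT=1s DT=1s
2023-12-14 07:01:03 1rDxyz-0001aB-2C Completed QT=1s
2023-12-14 07:02:10 1rDxyz-0001aC-3D <= root@localhost U=root P=local S=512
2023-12-14 07:02:11 1rDxyz-0001aC-3D == bob@example.org R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host
2023-12-14 07:03:00 1rDxyz-0001aD-4E ** nobody@invalid.example R=dnslookup: Unrouteable address
EOF
)

# Show only incoming (<=) messages with their protocol and authenticator tags.
# On a live server the same filter is:  exim_log_fields /var/log/exim_mainlog | awk -F'\t' '$2=="<="'
printf '%s\n' "$SAMPLE_MAINLOG" | exim_log_fields | awk -F'\t' '$2 == "<="'
```

Because every tag becomes its own column, a local-injection hunt is a one-liner on the output (`awk -F'\t' '$2=="<=" && /\tP=local/'`), and the same parse serves `=>` lines when you want to see which deliveries went out without TLS (no X= column).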
Find failed login IPs in the mainlog
grep "535 Incorrect authentication data (set_id=user@example.com)" /var/log/exim_mainlog >> /home/temp/failed_email_login.txt
rev /home/temp/failed_email_login.txt | cut -d' ' -f7 | rev | cut -d'[' -f2 | cut -d']' -f1 | sort -u > baduserips
If they are suspect, block them in CSF
for each in $(cat baduserips); do echo "$each # manually blocked for ticket blah" >> /etc/csf/csf.deny; done
csf -ra
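The script below is an added example and not from this wiki page: it does the same job as the grep/cut/sort pipeline above but pulls the client IP out of the first "[...]" in the line rather than relying on a fixed field position (which shifts with the authenticator name and with whether a hostname is logged), counts attempts and distinct account names per IP, and writes csf.deny candidate lines to review before they are appended to /etc/csf/csf.deny. The function names and the sample log lines are my own; the IPs and accounts in the sample are made up.

```shell
#!/bin/sh
# Count failed SMTP AUTH attempts per client IP in an Exim mainlog.
# Reads log lines on stdin; prints "attempts<TAB>ip<TAB>distinct-accounts",
# most attempts first, for IPs at or above the threshold given as $1 (default 1).
failed_auth_ips() {
  awk -v min="${1:-1}" '
  /authenticator failed for/ && /535 Incorrect authentication data/ {
    if (!match($0, /\[[0-9A-Fa-f.:]+\]/)) next      # first [ip] on the line, IPv4 or IPv6
    ip = substr($0, RSTART + 1, RLENGTH - 2)
    n[ip]++
    if (match($0, /set_id=[^)]*/)) {                # the account name that was tried
      acct = substr($0, RSTART + 7, RLENGTH - 7)
      if (!((ip, acct) in seen)) { seen[ip, acct] = 1; accts[ip]++ }
    }
  }
  END { for (ip in n) if (n[ip] >= min) printf "%d\t%s\t%d\n", n[ip], ip, accts[ip] }' | sort -rn
}

# Turn that report into csf.deny lines (IP plus a comment). Write them to a staging
# file, review, then append to /etc/csf/csf.deny and run csf -ra as the page describes.
csf_deny_entries() {        # $1 = ticket/comment text; reads the report on stdin
  awk -F'\t' -v why="$1" '{ printf "%s # %s: %d failed logins, %d accounts\n", $2, why, $1, $3 }'
}

# Constructed sample (not from a real server): one IP hammering two accounts, one
# single failure, and an unrelated <= line that must not be counted.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
2023-12-14 07:05:01 dovecot_login authenticator failed for (User) [203.0.113.7]:51234: 535 Incorrect authentication data (set_id=user@example.com)
2023-12-14 07:05:04 dovecot_login authenticator failed for (User) [203.0.113.7]:51240: 535 Incorrect authentication data (set_id=user@example.com)
2023-12-14 07:05:09 dovecot_plain authenticator failed for (User) [203.0.113.7]:51251: 535 Incorrect authentication data (set_id=admin@example.com)
2023-12-14 07:06:30 dovecot_login authenticator failed for ([198.51.100.23]) [198.51.100.23]:40010: 535 Incorrect authentication data (set_id=bob@example.com)
2023-12-14 07:07:00 1rDxyz-0001aB-2C <= user@example.com H=(client.example.net) [192.0.2.10] P=esmtpa A=dovecot_login:user@example.com S=2345
EOF
)

# IPs with at least 2 failures, as csf.deny candidates. On a live server:
#   failed_auth_ips 10 < /var/log/exim_mainlog | csf_deny_entries "ticket 1234" > /root/csf_deny_candidates
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_auth_ips 2 | csf_deny_entries "ticket-1234"
```

The distinct-accounts column is what separates a single forgotten password (one account, many tries) from password spraying across mailboxes (many accounts from one IP), which is the case that deserves the block.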
SpamFu
List Queue
exim -bp
List Queue in Random Order (for when the queue is backed up)
exim -bpr
View Message Headers
If P=esmtpa, the message was submitted over SMTP with authentication, i.e. from a user account (its password may be compromised). If P=local, it was injected locally on the server, i.e. from a script.
exim -Mvh $messageid
View message body
exim -Mvb $messageid
View Message Logs
exim -Mvl $messageid
Add a recipient to a particular message
exim -Mar $messageid recipient@example.com
(-Mar takes the message id followed by one or more addresses to add.)
List Exim PIDs and what they are doing
exiwhat
Stop Exim from killing the server on cPanel
touch /etc/eximdisable
Check origin of a suspicious message
After analyzing headers with exim -Mvh described above:
grep -B3 $messageid /var/log/exim_mainlog | grep cwd
Check auth_id for all messages in the queue
for i in $(exim -bp | awk '{print $3}'); do echo "$i"; exim -Mvh "$i" | grep auth_id; done
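The functions below are an added example, not from this wiki page or from Exim: they cover the three checks above in one pass (the P=esmtpa/P=local distinction, the auth_id of a queued message, and the pointer to the mainlog cwd line for local injections) by reading the spool header that exim -Mvh prints and classifying the message's origin. The function names are my own, and the two spool headers are constructed samples with made-up IDs and addresses, laid out the way the spool header file is written (envelope sender in angle brackets, then -option lines such as -received_protocol and -auth_id).

```shell
#!/bin/sh
# Classify where a message came from using its spool header (what "exim -Mvh $id" prints).
# Reads the header on stdin; prints protocol, auth_id, envelope sender and a verdict, tab-separated.
classify_spool_header() {
  awk '
  /^<.*>$/ && sender == ""   { sender = substr($0, 2, length($0) - 2) }  # envelope sender line
  $1 == "-received_protocol" { proto = $2 }   # esmtpa/esmtpsa = SMTP AUTH; local = injected on the host
  $1 == "-auth_id"           { auth = $2 }    # the account that authenticated
  $1 == "-ident"             { ident = $2 }   # for local messages: the login that ran the injecting process
  $1 == "-host_address"      { host = $2 }
  END {
    if ((proto == "esmtpa" || proto == "esmtpsa") && auth != "")
      verdict = "authenticated submission by " auth " (reset the password if this traffic is unexpected)"
    else if (proto == "local")
      verdict = "local injection by " ident " (script or cron job; find its cwd in the mainlog)"
    else
      verdict = "unauthenticated " proto " from " host
    printf "%s\t%s\t%s\t%s\n", proto, (auth == "" ? "-" : auth), sender, verdict
  }'
}

# Run the classification over every message in the queue (live system; not exercised below).
queue_origin_report() {
  exiqgrep -i | while read -r id; do
    printf '%s\t' "$id"
    exim -Mvh "$id" | classify_spool_header
  done
}

# Constructed sample headers (not from a real spool): one authenticated SMTP submission,
# one message injected locally by the "nobody" user (typical for a web script).
SAMPLE_HDR_AUTH=$(cat <<'EOF'
1rDxyz-0001aB-2C-H
mailnull 47 12
<sender@example.com>
1702540862 0
-ident mailnull
-received_protocol esmtpa
-body_linecount 5
-max_received_linelength 40
-auth_id sender@example.com
-auth_sender sender@example.com
-host_address 192.0.2.10.54321
-host_name client.example.net
XX
1
recipient@example.org

021  Subject: Hello there
EOF
)

SAMPLE_HDR_LOCAL=$(cat <<'EOF'
1rDxyz-0001aC-3D-H
nobody 99 99
<nobody@host.example.com>
1702540930 0
-ident nobody
-received_protocol local
-body_linecount 3
-max_received_linelength 30
-local
XX
1
bob@example.org

021  Subject: Hello again
EOF
)

printf '%s\n' "$SAMPLE_HDR_AUTH" | classify_spool_header
printf '%s\n' "$SAMPLE_HDR_LOCAL" | classify_spool_header
```

For a queue full of spam, `queue_origin_report | cut -f1,5 | sort | uniq -c -f1` collapses the output to "how many messages per verdict", which tells you at a glance whether you are dealing with one stolen mailbox password or a script on the box; for the latter, the cwd line the page greps out of the mainlog names the directory the script ran from.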
Remove all e-mail from a domain in the queue
exiqgrep -i -f exampledomain | xargs -r exim -Mrm
(exiqgrep ignores a bare argument and, without -f or -r, matches every message in the queue, so the domain must be given as a sender pattern with -f; use -r instead to select by recipient domain.)
Remove mail from a domain except for a few select e-mail addresses
exiqgrep -i -f 'domain\.com' | while read -r id; do
    exim -Mvh "$id" | grep -qxE '<(user1|user2|user3)@domain\.com>' || exim -Mrm "$id"
done
(exiqgrep -i prints only message ids, so piping it through grep -v with e-mail addresses filters nothing; the exceptions have to be checked against each message's envelope sender, which exim -Mvh prints on its own line in angle brackets.)
Miscellaneous commands
Check version
exim -bV
Links
http://www.exim.org/exim-html-current/doc/html/spec_html/ - official docs
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html - official log file reference
http://bradthemad.org/tech/notes/exim_cheatsheet.php
http://techinterplay.com/remove-mails-exim-queue-sender.html