Reading the Mainlog

Find failed login IPs in the mainlog

cat /var/log/exim_mainlog | grep "535 Incorrect authentication data (set_id=user@example.com)" >> /home/temp/failed_email_login.txt
cat /home/temp/failed_email_login.txt | rev | cut -d' ' -f7 | rev | sort -M | cut -d'[' -f2 | cut -d']' -f1 | uniq > baduserips

If they are suspect, block them in CSF

for each in $(cat baduserips); do echo "$each # manually blocked for ticket blah" >> /etc/csf/csf.deny; done
csf -ra

SpamFu

List Queue

exim -bp

List Queue in Random Order (for when the queue is backed up)

exim -bpr

View Message Headers

If P=esmtpa then it's from a user account. If P=local, it's from a script.

exim -Mvh $messageid

View message body

exim -Mvb $messageid

View Message Logs

exim -Mvl $messageid

Add a recipient to a particular message

exim -Mar $messageid

List Exim PIDs and what they are doing

exiwhat

Stop Exim from killing the server on cPanel

touch /etc/eximdisable

Check origin of a suspicious message

After analyzing headers with exim -Mvh described above:

grep -B3 $messageid /var/log/exim_mainlog | grep cwd

Check auth_id for all messages in the queue

for i in $(exim -bp | awk '{print $3}');do echo $i; exim -Mvh $i | grep auth_id; done

Remove all e-mail from a domain in the queue

exiqgrep -i exampledomain | xargs exim -Mrm

Remove mail from a domain except for a few select e-mail addresses

exiqgrep -if domain.com | grep -v user1@domain.com | grep -v user2@domain.com | grep -v user3@domain.com | xargs exim -Mrm

Miscellaneous commands

Check version

exim -bV

Links

http://www.exim.org/exim-html-current/doc/html/spec_html/ - official docs

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html -official log file reference.

http://bradthemad.org/tech/notes/exim_cheatsheet.php

http://techinterplay.com/remove-mails-exim-queue-sender.html