Exim
Reading the Mainlog
| <= | Incoming mail, sender may be local or remote |
| => | Outgoing mail, sender may be local or remote |
| == | Message delivery deferred |
| ** | Message delivery failure |
| A | authenticator name (and optional id) |
| C | SMTP confirmation on delivery |
| C | command list for “no mail in SMTP session” |
| CV | certificate verification status |
| D | duration of “no mail in SMTP session” |
| DN | distinguished name from peer certificate |
| DT | on => lines: time taken for a delivery |
| F | sender address (on delivery lines) |
| H | host name and IP address |
| I | local interface used |
| id | message id for incoming message |
| P | on <= lines: protocol used |
| P | on => and ** lines: return path |
| QT | on => lines: time spent on queue so far |
| QT | on “Completed” lines: time spent on queue |
| R | on <= lines: reference for local bounce |
| R | on => ** and == lines: router name |
| S | size of message |
| ST | shadow transport name |
| T | on <= lines: message subject (topic) |
| T | on => ** and == lines: transport name |
| U | local user or RFC 1413 identity |
| X | TLS cipher suite |
Find failed login IPs in the mainlog
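# Collect the failed logins for one account (">>" appends to the file)
grep "535 Incorrect authentication data (set_id=user@example.com)" /var/log/exim_mainlog >> /home/temp/failed_email_login.txt
# 7th field from the end is [ip]:port; strip brackets and port, then de-duplicate
rev /home/temp/failed_email_login.txt | cut -d' ' -f7 | rev | cut -d'[' -f2 | cut -d']' -f1 | sort -u > baduserips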
If they are suspect, block them in CSF
for each in $(cat baduserips); do echo "$each # manually blocked for ticket blah" >> /etc/csf/csf.deny; done
csf -ra
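A more layout-tolerant version of the extraction above, as an added example that is not part of the original page: the one-liner picks the address by counting fields from the end of the line, so it depends on the exact line layout, while this counts 535 failures per client IP with or without an I=[...] field. The function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Log lines below are constructed
# (documentation IP ranges); function names are this example's own.

# failed_auth_ips LOGFILE [MIN_FAILURES] [SET_ID]
# Prints "count ip" for each client IP with at least MIN_FAILURES failed
# SMTP AUTH attempts (535), optionally only for one attempted login name.
failed_auth_ips() {
    log=$1; min=${2:-1}; id=${3:-}
    awk -v min="$min" -v id="$id" '
        / 535 Incorrect authentication data/ {
            if (id != "" && index($0, "(set_id=" id ")") == 0) next
            # Parse only the text before the 535 reply, so nothing inside
            # set_id=... can be mistaken for an address.
            head = substr($0, 1, index($0, " 535 Incorrect") - 1)
            # Drop the local interface field, present on some setups.
            gsub(/I=\[[^]]*\](:[0-9]+)?/, "", head)
            # The client address is the last [..] left; an earlier one can
            # be an address literal sent as the HELO name.
            ip = ""
            while (match(head, /\[[0-9A-Fa-f:.]+\]/)) {
                ip = substr(head, RSTART + 1, RLENGTH - 2)
                head = substr(head, RSTART + RLENGTH)
            }
            if (ip != "") count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$log" | sort -k1,1nr -k2,2
}

# Constructed sample input covering the line shapes handled above.
sample_mainlog() {
    cat <<'EOF'
2024-05-01 10:00:01 dovecot_login authenticator failed for (mail.example.net) [203.0.113.7]:51234 I=[192.0.2.10]:587: 535 Incorrect authentication data (set_id=user@example.com)
2024-05-01 10:00:05 dovecot_login authenticator failed for ([10.0.0.5]) [203.0.113.7]:51240 I=[192.0.2.10]:587: 535 Incorrect authentication data (set_id=user@example.com)
2024-05-01 10:00:09 dovecot_plain authenticator failed for H=(User) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@example.com)
2024-05-01 10:01:00 dovecot_login authenticator failed for (pc) [198.51.100.23]:40000 I=[192.0.2.10]:465: 535 Incorrect authentication data (set_id=user@example.com)
2024-05-01 10:02:00 1sABCD-0001aB-2C <= user@example.com H=(pc) [198.51.100.23]:40001 P=esmtpa A=dovecot_login:user@example.com S=1234
EOF
}

# Demo: IPs with two or more failures in the sample.
tmp=$(mktemp) && sample_mainlog > "$tmp" && failed_auth_ips "$tmp" 2
rm -f "$tmp"
```

The count column makes it easier to judge which addresses are suspect before any of them go into csf.deny.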
SpamFu
List Queue
exim -bp
List Queue in Random Order (for when the queue is backed up)
exim -bpr
View Message Headers
If P=esmtpa, the message was submitted over authenticated SMTP, so it's from a user account. If P=local, it was submitted locally on the server, so it's from a script.
exim -Mvh $messageid
View message body
exim -Mvb $messageid
View Message Logs
exim -Mvl $messageid
Add a recipient to a particular message
exim -Mar $messageid $address
List Exim PIDs and what they are doing
exiwhat
Stop Exim from killing the server on cPanel
touch /etc/eximdisable
Check origin of a suspicious message
After analyzing headers with exim -Mvh described above:
grep -B3 $messageid /var/log/exim_mainlog | grep cwd
Check auth_id for all messages in the queue
for i in $(exim -bp | awk '{print $3}');do echo $i; exim -Mvh $i | grep auth_id; done
Remove all e-mail from a domain in the queue
exiqgrep -i -f exampledomain | xargs exim -Mrm
Remove mail from a domain except for a few select e-mail addresses
exiqgrep -if domain.com | grep -v user1@domain.com | grep -v user2@domain.com | grep -v user3@domain.com | xargs exim -Mrm
Miscellaneous commands
Check version
exim -bV
Links
http://www.exim.org/exim-html-current/doc/html/spec_html/ - official docs
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html - official log file reference.
http://bradthemad.org/tech/notes/exim_cheatsheet.php
http://techinterplay.com/remove-mails-exim-queue-sender.html