How to get decent exim mainlog with all information?
I want to see how mail is delivered. I'm used to look into the exim_mainlog for this.
Normally I see traffic like this with also part of the title of the email:
etc. and last line like this:
I already changed the log_selector to +all but nothing changed. The Exim log in cPanel only gives me connections like this:
So I don't see any title from the email. This is incoming mail, for outgoing mail I don't see "queued for delivery" or "completed" or anything. How can I fix this so I can see all in my exim maillog?
2021-06-27 09:12:33 1lxOxx-0008TV-HF <= bounce@news.douglas.nl H=r64.p44.neolane.net [172.82.233.64] P=esmtp S=80480 DKIM=news.douglas.nl id=NM6328A60ED269A427Bdouglas_mkt_prod1@news.douglas.nl T="World Fragrance Day: alleen vandaag 25% korting* op alle geuren en geursets" from for mycustomer@customerdomain.nletc. and last line like this:
256-GCM-SHA384:256 CV=yes C="250 2.0.0 Ok: queued as0b1ff653-d717-11eb-b4d2-00505699f653"
2021-06-27 09:12:34 1lxOxx-0008TV-HF CompletedI already changed the log_selector to +all but nothing changed. The Exim log in cPanel only gives me connections like this:
2021-06-29 16:27:41.716 [20040] 1lyEiA-0005D6-1t SMTP connection outbound 1624976861 1lyEiA-0005D6-1t customerdomain.nl someuser@gmail.com
2021-06-29 16:27:41.942 [20040] 1lyEiA-0005D6-1t => user F= P= R=virtual_user T=dovecot_virtual_delivery S=42149 C="250 2.0.0 XXnrLt0t22B
QTgAA84uWjQ Saved" QT=3.883s DT=0.161sSo I don't see any title from the email. This is incoming mail, for outgoing mail I don't see "queued for delivery" or "completed" or anything. How can I fix this so I can see all in my exim maillog?
-
The "Mail Queue" in WHM GUI wouldn't show what you want? It can also be fetched with: exim -bp via SSH. 0 -
Hey there! You should see all of those entries in the log by default. Here is a root login notification from CSF from my personal server, so that is an outbound message (which is also currently blocked by ATT/Yahoo, so my host is investigating that) 2021-06-29 09:12:20 1lyDXI-00060A-DX <= root@host.domain.com U=root P=local S=598 T="lfd on host.domain.com: WHM/cPanel root access alert from 1.2.3.4 (US/United States/hou-2.n" for root 2021-06-29 09:12:20 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lyDXI-00060A-DX 2021-06-29 09:12:20 1lyDXI-00060A-DX Sender identification U=root D=-system- S=root 2021-06-29 09:12:21 1lyDXI-00060A-DX ** email@address.net R=lookuphost T=remote_smtp H=ff-ip4-mx-vip2.prodigy.net [144.160.159.22]: SMTP error from remote mail server after MAIL FROM:: 553 5.3.0 flpd593 DNSBL:RBL 521< 1.2.3.4 >_is_blocked.For assistance forward this error to abuse_rbl@abuse-att.net 2021-06-29 09:12:21 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1lyDXI-00060A-DX 2021-06-29 09:12:21 1lyDXI-00060A-DX Completed
I always recommend searching for the full mail ID, in this case 1lyDXI-00060A-DX, to see everything in the logs about the message.0 -
The "Mail Queue" in WHM GUI wouldn't show what you want? It can also be fetched with:
No because i'm not looking to display a mailqueue, hence the exim -bp command won't be helping either. I'm looking for the mail traffic logs which should appear in the exim logs. Like in the example given. @cPRex Well... I certainly can't find any titles like in my example of the log. I found some "queued mail for delivery" and "completed" but nothing like: T="World Fragrance Day: alleen vandaag 25% korting* op alle geuren ....etc." which I can see on DA servers in the Exim logs, so it should be possible.I always recommend searching for the full mail ID
Then you already have to know the mail ID to look for. I rather search titels which works way faster because they are easier to find. Next to that, I wouldn't know how to get a mail ID when I'm trying to investigate what happens to certain mail which is send through our system, then I search for the sending email address. When I see the titles of the mail, I can verify that I'm looking at the correct mail. I know there's a mail tracking system in the users options, but I should be able to do the same via the exim logs too.0 -
If you wanted to search by subject, I would do this, using the email above as my example: # grep "root access" /var/log/exim_mainlog 2021-06-29 09:12:20 1lyDXI-00060A-DX <= root@host.domain.com U=root P=local S=598 T="lfd on host.hattmonkey.com: WHM/cPanel root access alert from 1.2.3.4 (US/United States/hou-2.n" for root
That first search will get you the mail ID, and then you can use that to perform a second search:grep 1lyDXI-00060A-DX /var/log/exim_mainlog
and that will get you the full mail transaction. If you have the "exigrep" command installed, which most cPanel machines should, you can do this and that will show you the full transaction in one step:exigrep 1lyDXI-00060A-DX /var/log/exim_mainlog0 -
Yes but that is a rather devious. It must be possible to get part of the subject in the logs, correct? I work a lot faster on the DA exim logs with nano and the search function, no mailID needed, no need to look or search for it. 0 -
In my example that was the subject of the message. Here is one where the subject is more obvious: 2021-06-29 13:16:40 1lyHLi-0003jH-6d <= username@gmail.com H=mail-lj1-f171.google.com [209.85.208.171]:39557 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4286 id=CALewxqarMtpB1ag+hTmUhsy8gp166p5fyY-zJPF2E95Pyk+oWg@mail.gmail.com T="Subject line test" for cptest@domain.com
The "T=" section is the subject of the message. You would be able to open the /var/log/exim_mainlog file just the same on a cPanel machine with nano.0 -
Ah yes, found it now. At first I encountered several T=dkim_remote_smtp but further on there indeed were the T="some subject" so I have to search for T=" instead of T=. That explains it for me. I know I can use nano on this server too, but it was just the subject. Something else must be going on then. The customer which I'm investigating, is sending and stating the mail is going out. When tailling the exim mainlog, I only seen connections made from this customer, so I thought the mail and subject were not displayed and on the first few searches I encountered that T=DKIM stuff which got me confused. So it probably must be their exchange server says their mail is send, but our cPanel server did not receive it. Sending from webmail on their account works fine so probably something wrong with their exchange server then. At least now I'm able to search further to see what's going wrong with this customer. You can put this one on fixed. Thank you! 0 -
I'm glad that helped clear things up! I would expect to see something about the connection getting to your server, but if that isn't happening they'll need to investigate things on the Exchange side. 0
Please sign in to leave a comment.
Comments
8 comments