cPanel Exim Reference
Basic Exim commands
View all messages in the exim queue:
exim -bp

View only undelivered messages in the exim queue:
exim -bpu

View the number of messages in the exim queue:
exim -bpc

Viewing information about a message
The -M flag for exim by itself tells exim to attempt to deliver the specified message IDs; however, when used with the flags below, it is a useful tool for viewing information about a message.

View the headers of an individual message:
exim -Mvh <message-id>

View the body of an individual message:
exim -Mvb <message-id>

View both the headers and body of a message:
exim -Mvc <message-id>

Test if messages to an address will be delivered locally, or routed remotely:
exim -bt <address>

This is determined by the files /etc/remotedomains and /etc/localdomains. If a domain is present in localdomains, exim will automatically attempt to route the domain to a local mailbox. If it's not in localdomains, exim will check /etc/remotedomains and then attempt delivery to the MX host.

Exigrep
If you want to view log entries related to a transaction, you can use the exigrep command to do so. It will not only search for the pattern you give it, but it will also return related transactions.
exigrep ...

Exiqsumm
Exiqsumm is a rather simple utility that outputs the number of messages and the age of the newest and oldest messages per domain in the following format:
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
2 109KB 9h 5h cent6-64.cptechs.com
---------------------------------------------------------------
2 109KB 9h 5h TOTAL

To invoke it, you must pipe the output of exim -bp or exim -bpu to it:
exim -bp | exiqsumm

Exiqgrep
Exiqgrep is a standalone utility that allows you to search for specific information from the exim queue without having to use pipes. From its man page, the available flags are:
-f  Match sender address (field is "< >" wrapped)
-r  Match recipient address
-s  Match against the site field from long output
-y  Message younger than
-o  Message older than
-z  Frozen messages only (exclude non-frozen)
-x  Non-frozen messages only (exclude frozen)
-c  Display match count
-l  Long Format [Default]
-i  Message IDs only
-b  Brief Format
-R

So in order to check the exim queue for messages originating from jsmith@domain.net, you'd use:
exiqgrep -f jsmith@domain.net

You can also check for messages destined for a certain recipient:
exiqgrep -r jsmith@domain.net

Or just return a list of Exim IDs:
exiqgrep -i

Eximstats
Eximstats is yet another useful utility, which will gather hourly statistics for you. It's quite handy for tracking the times at which you have the most mail traffic:
eximstats -nr /var/log/exim_mainlog
eximstats -bydomain /var/log/exim_mainlog
eximstats -byhost /var/log/exim_mainlog

Sample Output:
root@cent6-64 [~]# eximstats -bydomain /var/log/exim_mainlog
Exim statistics from 2014-12-22 00:53:36 to 2014-12-23 08:00:02
Grand total summary
-------------------
At least one address
TOTAL Volume Messages Addresses Domains Delayed Failed
Received 901KB 36 1 0 0.0% 6 16.7%
Delivered 56KB 30 30 1
Deliveries by transport
-----------------------
Volume Messages
remote_smtp 56KB 30
Messages received per hour (each dot is 1 message)
--------------------------------------------------
00-01 2 ..
01-02 2 ..
02-03 0
03-04 2 ..
04-05 0
05-06 0
06-07 0
07-08 0
08-09 2 ..
09-10 0
10-11 0
11-12 0
12-13 0
13-14 0
14-15 0
15-16 0
16-17 0
17-18 0
18-19 26 ..........................
19-20 2 ..
20-21 0
21-22 0
22-23 0
23-24 0
Deliveries per hour (each dot is 1 delivery)
--------------------------------------------
00-01 0
01-02 2 ..
02-03 0
03-04 0
04-05 0
05-06 0
06-07 0
07-08 0
08-09 0
09-10 0
10-11 0
11-12 0
12-13 0
13-14 0
14-15 0
15-16 0
16-17 0
17-18 0
18-19 26 ..........................
19-20 2 ..
20-21 0
21-22 0
22-23 0
23-24 0
Time spent on the queue: all messages
-------------------------------------
Under 1m 33 94.3% 94.3%
Over 1d 2 5.7% 100.0%
Time spent on the queue: messages with at least one remote delivery
-------------------------------------------------------------------
Under 1m 30 100.0% 100.0%
No relayed messages
-------------------
Top 50 sending domains by message count
---------------------------------------
Messages Bytes Average Sending domain
36 901KB 25KB localdomain
Top 50 sending domains by volume
--------------------------------
Messages Bytes Average Sending domain
36 901KB 25KB localdomain
Top 50 local senders by message count
-------------------------------------
Messages Bytes Average Local sender
32 685KB 21KB root
3 214KB 71KB mailnull
1 1522 1522 mailman
Top 50 local senders by volume
------------------------------
Messages Bytes Average Local sender
32 685KB 21KB root
3 214KB 71KB mailnull
1 1522 1522 mailman
Top 50 domain destinations by message count
-------------------------------------------
Messages Addresses Bytes Average Domain destination
30 30 56KB 1911 cpanel.net
Top 50 domain destinations by volume
------------------------------------
Messages Addresses Bytes Average Domain destination
30 30 56KB 1911 cpanel.net
List of errors
--------------
1 postmaster@cent6-64.cptechs.com R=fail_remote_domains:
The mail server could not deliver mail to postmaster@cent6-64.cptechs.com.
The account or domain may not exist, they may be blacklisted,
or missing the proper dns entries.
7 root@cent6-64.cptechs.com R=fail_remote_domains: The
mail server could not deliver mail to root@cent6-64.cptechs.com.
The account or domain may not exist, they may be blacklisted,
or missing the proper dns entries.
Errors encountered: 8
---------------------

You can find more flags in the man page at

Investigating large amounts of mail
Find amount of emails sent per login:
grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t
When an extraordinarily large amount of SMTP-authenticated mail is concentrated within 1 to 5 email accounts, this is usually indicative of a password compromise. It would be advisable to change the affected email account's password, as well as the cPanel user's for good measure. In cases where the queue is extremely large, this may be of better use:
grep auth_id /var/spool/exim/input/*/*

Find amount of emails sent per CWD:
When there aren't many SMTP-authenticated emails, it's usually a script that is sending messages out. It could be something as innocuous as a Tell-A-Friend script that is unprotected against automation, or it could be a compromised script, usually as a result of an unpatched or outdated CMS or plugin. You'll want to analyze the timestamps in the affected directory, though sometimes the headers will tell you the filename of the script.
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

Note: Extended logging should be enabled in exim for best results.

Print out all headers in the exim queue
Only do this on small to moderately sized queues; otherwise you'll end up with a high load.
for i in $(exiqgrep -i); do exim -Mvh "$i"; done

Miscellaneous
Fix eximstats db:
mysqlcheck -r --use-frm eximstats

You would typically do this when the Mail Delivery Reports in WHM is not returning any results.

Recreate eximstats db:
/usr/local/cpanel/bin/updateeximstats

Smart hosts / SMTP Relay:
If you're seeing errors like these in the exim logs, and you cannot telnet to any mail servers on port 25, the service provider may be blocking the connection. One common example is GoDaddy, which has its own SMTP relay servers that must be added to exim as smart hosts:
retry time not reached for any host after a long failure period
Connection timed out
retry timeout exceeded

GoDaddy has a set of instructions for configuring this:

Exim logging / log_selector:
You can change the logging settings, or log_selector, in WHM >> Service Configuration >> Exim Configuration Manager >> Advanced Editor >> Config. This option can be used to reduce or increase the number of things that Exim writes to its log files. Its argument is made up of names preceded by plus or minus characters. For example:
+arguments -retry_defer

A list of possible names and what they control is given in the chapter on logging, in section 51.15 of the exim documentation:
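
For the "Investigating large amounts of mail" section above: the per-login and per-CWD one-liners give totals for the whole log, while bucketing the same fields by hour shows when a burst started and which source caused it. This is an added example, not part of the original article; the function names exim_burst_report and sample_log, the threshold, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-hour burst report from an exim main log.
# Usage: exim_burst_report LOGFILE THRESHOLD   (LOGFILE may be "-" for stdin)
exim_burst_report() {
    awk -v limit="$2" '
    {
        hour = $1 " " substr($2, 1, 2)            # "YYYY-MM-DD HH"
        if ($3 ~ /^cwd=/) {                       # a script invoked sendmail/exim
            n[hour "\tcwd\t" substr($3, 5)]++
            next
        }
        if ($4 != "<=") next                      # count message arrivals only
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^A=dovecot_(login|plain):/) {   # SMTP-authenticated login
                who = $i
                sub(/^A=dovecot_(login|plain):/, "", who)
                n[hour "\tauth\t" who]++
            } else if ($i ~ /^U=/) {              # local (non-SMTP) submitter
                n[hour "\tlocal\t" substr($i, 3)]++
            }
        }
    }
    END {
        for (k in n) if (n[k] >= limit + 0) print n[k] "\t" k
    }' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed log lines for illustration (not from a real server).
sample_log() {
    for s in 01 02 03 04; do
        echo "2014-12-22 18:00:$s 1Y3aaa-000001-$s <= jsmith@domain.net H=(pc) [203.0.113.5] P=esmtpa A=dovecot_login:jsmith@domain.net S=2048"
    done
    for s in 11 12 13; do
        echo "2014-12-22 18:05:$s cwd=/home/exampleuser/public_html/form 3 args: /usr/sbin/sendmail -t -i"
        echo "2014-12-22 18:05:$s 1Y3bbb-000002-$s <= exampleuser@host.example U=exampleuser P=local S=900"
    done
    echo "2014-12-22 19:10:00 1Y3ccc-000003-00 <= jsmith@domain.net H=(pc) [203.0.113.5] P=esmtpa A=dovecot_plain:jsmith@domain.net S=512"
}

# Output columns (tab-separated): count, hour, kind (auth|cwd|local), source
sample_log | exim_burst_report - 3
```

On a live server, pass /var/log/exim_mainlog as the first argument and raise the threshold to whatever is abnormal for that host.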
Hi :), Very useful information. Thank you for sharing.
+1 Thank you.