Reading and Understanding Exim's exim_mainlog
At cPanel, we get a variety of tickets asking about different types of mail errors. This guide will help you determine the cause of the email errors you're receiving.
Exim is one of the most widely used MTAs (Mail Transfer Agents) today. With a few tweaks to its configuration you will soon be a wizard at reading and understanding the data in the Exim log. By modifying the Exim configuration we can produce more verbose output in the log, which gives an easier-to-read and faster way to determine exactly what is going on with the server.
Modifying Exim to Enable Verbose Logging
Modifying the log_selector
The first thing we need to do is get better output from our log. By default, Exim is not set to log every piece of information it handles. To adjust this, log in to the WHM interface, navigate to the "Exim Configuration Manager" page and choose the "Advanced Editor" tab. Find the "log_selector" section and replace it with one of the following.
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Or, we can be lazy and just use:
log_selector = +all
Regardless of which you choose, here's what each option means:
Logging options:
address_rewrite
This applies both to global rewrites and per-transport rewrites, but not to rewrites in filters run as an unprivileged user (because such users cannot access the log).
all_parents
Normally only the original and final addresses are logged on delivery lines; with this selector, intermediate parents are given in parentheses between them.
arguments
This causes Exim to write the arguments with which it was called to the main log, preceded by the current working directory. This is a debugging feature, added to make it easier to find out how certain MUAs call /usr/sbin/sendmail. The logging does not happen if Exim has given up root privilege because it was called with the -C or -D options. Arguments that are empty or that contain white space are quoted. Non-printing characters are shown as escape sequences. This facility cannot log unrecognized arguments, because the arguments are checked before the configuration file is read. The only way to log such cases is to interpose a script such as util/logargs.sh between the caller and Exim.
connection_reject
A log entry is written whenever an incoming SMTP connection is rejected, for whatever reason.
delay_delivery
A log entry is written whenever a delivery process is not started for an incoming message because the load is too high or too many messages were received on one connection. Logging does not occur if no delivery process is started because queue_only is set or -odq was used.
delivery_size
For each delivery, the size of message delivered is added to the "=>" line, tagged with S=.
dnslist_defer
A log entry is written if an attempt to look up a host in a DNS black list suffers a temporary error.
incoming_interface
The interface on which a message was received is added to the "<=" line as an IP address in square brackets, tagged by I= and followed by a colon and the port number. The local interface and port are also added to other SMTP log lines, for example "SMTP connection from", and to rejection lines.
incoming_port
The remote port number from which a message was received is added to log entries and Received: header lines, following the IP address in square brackets, and separated from it by a colon. This is implemented by changing the value that is put in the $sender_fullhost and $sender_rcvhost variables. Recording the remote port number has become more important with the widening use of NAT (see RFC 2505).
lost_incoming_connection
A log line is written when an incoming SMTP connection is unexpectedly dropped.
queue_run
The start and end of every queue run are logged.
received_sender
The unrewritten original sender of a message is added to the end of the log line that records the message's arrival, after the word "from" (before the recipients if received_recipients is also set).
rejected_header
If a message’s header has been received at the time a rejection is written to the reject log, the complete header is added to the log. Header logging can be turned off individually for messages that are rejected by the local_scan() function (see section 44.2).
received_recipients
The recipients of a message are listed in the main log as soon as the message is received. The list appears at the end of the log line that is written when a message is received, preceded by the word "for". The addresses are listed after they have been qualified, but before any rewriting has taken place. Recipients that were discarded by an ACL for MAIL or RCPT do not appear in the list.
retry_defer
A log line is written if a delivery is deferred because a retry time has not yet been reached. However, this "retry time not reached" message is always omitted from individual message logs after the first delivery attempt.
sender_on_delivery
The message's sender address is added to every delivery and bounce line, tagged by F= (for "from"). This is the original sender that was received with the message; it is not necessarily the same as the outgoing return path.
size_reject
A log line is written whenever a message is rejected because it is too big.
skip_delivery
A log line is written whenever a message is skipped during a queue run because it is frozen or because another process is already delivering it. The message that is written is "spool file is locked".
smtp_confirmation
The response to the final "." in the SMTP or LMTP dialogue for outgoing messages is added to delivery log lines in the form C=. A number of MTAs (including Exim) return an identifying string in this response.
smtp_connection
A log line is written whenever an SMTP connection is established or closed, unless the connection is from a host that matches hosts_connection_nolog. (In contrast, lost_incoming_connection applies only when the closure is unexpected.) This applies to connections from local processes that use -bs as well as to TCP/IP connections. If a connection is dropped in the middle of a message, a log line is always written, whether or not this selector is set, but otherwise nothing is written at the start and end of connections unless this selector is enabled. For TCP/IP connections to an Exim daemon, the current number of connections is included in the log message for each new connection, but note that the count is reset if the daemon is restarted. Also, because connections are closed (and the closure is logged) in subprocesses, the count may not include connections that have been closed but whose termination the daemon has not yet noticed. Thus, while it is possible to match up the opening and closing of connections in the log, the value of the logged counts may not be entirely accurate.
smtp_protocol_error
A log line is written for every SMTP syntax error encountered. An unrecognized command is treated as a syntax error. For an external connection, the host identity is given; for an internal connection using -bs the sender identification (normally the calling user) is given.
smtp_syntax_error
A log line is written for every SMTP syntax error encountered. An unrecognized command is treated as a syntax error. For an external connection, the host identity is given; for an internal connection using -bs the sender identification (normally the calling user) is given.
subject
The subject of the message is added to the arrival log line, preceded by "T=" (T for "topic", since S is already used for "size"). Any MIME "words" in the subject are decoded. The print_topbitchars option specifies whether characters with values greater than 127 should be logged unchanged, or whether they should be rendered as escape sequences.
tls_cipher
When a message is sent or received over an encrypted connection, the cipher suite used is added to the log line, preceded by X=.
tls_peerdn
When a message is sent or received over an encrypted connection, and a certificate is supplied by the remote host, the peer DN is added to the log line, preceded by DN=.
Configuration Files
The configuration files for Exim can be found in the following locations:

| Exim | File | Description |
| --- | --- | --- |
| Configuration (main) | /etc/exim.conf | Main configuration file used by Exim |
| Configuration (local) | /etc/exim.conf.local | This is the same file that the Advanced Editor for Exim in WHM uses |
| Configuration (local) | /etc/exim.conf.dist | Exim configuration template used to build the exim conf |
| Configuration (local) | /etc/exim.conf.localopts | This is the same file that the Basic Editor for Exim in WHM uses |
| Configuration (mailman-related) | exim.conf.mailman2.dist | Template used to build the mailman configuration |
Log Entry Example
Once you have the logging portion taken care of, we need to actually look at our log. You can find the Exim log in /var/log/exim_mainlog; the rest of this section is done from the command line.
# head /var/log/exim_mainlog
2014-08-10 03:27:11 pid 1014: SIGHUP received: re-exec daemon
2014-08-10 03:27:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q1h
2014-08-10 03:27:15 exim 4.82 daemon started: pid=1014, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
2014-08-10 03:27:15 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
Before we dive into what the log is actually logging and what each piece of it means, let's take a look at some of the commands that are commonly used.
Exim Commands via the command line
Command Examples
The easiest command to remember, in my opinion, is exiwhat; it tells you what Exim is currently doing.
-bash-4.1# exiwhat
27589 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
Two companion tools make searching easier: exiqgrep looks through the mail queue, while exigrep looks through the log in exim_mainlog. In this case I searched for "aaron@" using exiqgrep, and it returned two messages.
-bash-4.1# exiqgrep aaron@*
71h 6.7K 1XFRvF-0000Mz-B8 <> root@nt10598.os.cpanel.vm
71h 12K 1XFRvF-0000NF-NK <> root@nt10598.os.cpanel.vm
Here I used exigrep to search the log file instead of exiqgrep.
-bash-4.1# exigrep aaron@ /var/log/exim_mainlog
2014-08-10 10:52:01 1XGVPd-000707-4Y <= aaron@domains.com H=localhost (10.5.40.204) [127.0.0.1]:39668 P=esmtpa A=dovecot_login:aaron@domains.com S=748 id=c828fa59721d8646a0fa75cbf8db9ba3@domain.com T="Llamas are awesome" for aaron@domain.com
2014-08-10 10:52:01 1XGVPd-000707-4Y => aaron R=virtual_user T=virtual_userdelivery
2014-08-10 10:52:01 1XGVPd-000707-4Y Completed
We can also use a few other commands from the exim command line to help read some of the messages. The next set of commands we will look at will be built into exim directly:
| Command | Description |
| --- | --- |
| exim -bpc | Print a total count of messages in the queue |
| exim -bp | Print a listing of the messages including time in queue, size, message-ID, sender, and recipient |
| exim -bp \| exiqsumm | Print a summary of the Exim mail queue (sample output below) |
| exim -bt user@domain.com | Test how an email address is routed through Exim |
| exim -bh | Run a pretend SMTP transaction from the CLI, in order to check Exim's ACLs and filters |
| exim -q -v | Start a queue run |
| exim -ql -v | Start a queue run for local mail only |
| exim -Mrm [ ... ] | Remove a message from the queue |
| exim -Mvb | View the body of a message |
| exim -Mvh | View the header of a message |
| exim -Mvc | View the whole message, headers and body |

-bash-4.1# exim -bp | exiqsumm
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
    7    39KB     71h     71h  nt10598.os.cpanel.vm
    3    19KB     14h     78m  nt12664.product.cpanel.vm
---------------------------------------------------------------
   10    58KB     71h     78m  TOTAL
There are additional commands for looking at the queue, but exigrep and exiqgrep are the main utilities for reading the log and the queue. You can see the rest of the utilities Exim ships with in the official documentation. You can also view some additional commands and examples for Exim in our cheat sheet at cPanel Exim Quick Reference.
Note: Exim runs under the user mailnull, so you will commonly see U=mailnull in the Exim log.
Error Messages and Possible Solutions
Main entries found in exim_mainlog: Reading the exim_mainlog can be daunting, especially with so much information being logged. The main log records the arrival of each message and each delivery in a single line for each case. Exim's main log is read from left to right. The first thing to do when looking at a log entry is to determine what happened to the message. Let's take a quick look at the breakdown of those entries.
| Flag | Meaning |
| --- | --- |
| <= | Indicates the arrival of a message (incoming mail) |
| => | Shows a normal message delivery (outgoing mail) |
| -> | Additional address for the same delivery, e.g. an email forwarder |
| >> | Cut-through delivery. The cutthrough option requests that delivery be attempted while the message is still being received. It is usable in the RCPT ACL and valid only for single-recipient mail forwarded from one SMTP connection to another. If a recipient-verify callout connection is requested in the same ACL it is held open and used for the data; otherwise one is made after the ACL completes. |
| *> | Delivery suppressed by -N |
| ** | Delivery failed; address bounced |
| == | Delivery deferred; temporary problem |
| <> | The sender address of a bounce message. From the Exim manual: a bounce message is shown with the sender address "<>", and if it is locally generated, this is followed by an item of the form R= giving the ID of the message that caused the bounce. |
You will also find items like the following in main log entries:

| Item | Meaning |
| --- | --- |
| R= | The address immediately following "<=" is the envelope sender address. A bounce message is shown with the sender address "<>", and if it is locally generated, this is followed by an item of the form R= giving the ID of the message that caused the bounce. On delivery lines (=>, **, ==) R= names the router that handled the address, for example R=virtual_user or R=lookuphost in the examples below. |
| T= | The transport used to transmit the message. Example: T=remote_smtp, T=local_delivery |
| H= | The host involved: the remote host a message was received from, or the host it was delivered to. Example: H=localhost (10.5.40.204) [127.0.0.1]:39753, or H=mail.fictional.example [192.168.123.123] for a remote host |
| U= | The local user that handed the message to Exim, for example U=mailnull or U=exim (see the note above). |
| I= | The local interface on which the mail was received, followed by a colon and the port number. |
| P= | On "<=" lines, the protocol by which the message was received (P=esmtpa and P=local in the examples below). With return_path_on_delivery enabled, the return path that is being transmitted with the message is included in delivery and bounce lines using the tag P=; this is omitted if no delivery actually happens, for example if routing fails, or if delivery is to /dev/null or to :blackhole:. |
| A= | If A= is present, SMTP AUTH was used; the value names the authenticator and the authenticated user, e.g. A=dovecot_login:aaron@domain.com. |
| S= | The size of the message delivered. |
| M8S= | 8bitmime: this causes Exim to log any 8BITMIME status of received messages, which may help in tracking down interoperability issues with ancient MTAs that are not 8bit clean. It is added to the "<=" line, tagged with M8S= and a value of 0, 7 or 8, corresponding to "not given", 7BIT and 8BITMIME respectively. |
| id= | The Message-ID header of the incoming message. |
| T= | On "<=" lines, the subject of the message (T for "topic"; see the subject log selector above). |
| from | From whom the mail was received (the original sender). |
| for | Who the email is for (the recipients). |
Successful messages sent and received
Let's take a quick look at a successfully sent message in the exim_mainlog.
2014-08-10 11:18:35 [28107] 1XGVpL-0007JL-14 <= aaron@domain.com H=localhost (10.5.40.204) [127.0.0.1]:39753 I=[127.0.0.1]:25 P=esmtpa A=dovecot_login:aaron@domain.com S=662 M8S=0 id=d2b648f00f1a1b0813c483d552778dc6@domain.com T="what if you had a llama" from for aaron@domain.com
2014-08-10 11:18:35 1XGVpL-0007JL-14
This is a standard sent and received message with no errors. Let's break the entry down, item by item, to get a better understanding of a typical log entry:
1) 2014-08-10 11:18:35 (timestamp)
2) 1XGVpL-0007JL-14 (message ID)
3) <= (flag: message arrival)
4) aaron@domain.com (envelope sender)
5) H=localhost (10.5.40.204) [127.0.0.1]:39753 (host the message was received from)
5.1) H=mail.fictional.example [192.168.123.123] U=exim (the same item for a message received from a remote host, with the submitting user)
6) I=[127.0.0.1]:25 (local interface and port)
7) P=esmtpa (protocol)
8) A=dovecot_login:aaron@domain.com (authenticator and authenticated user)
9) S=662 (size)
10) M8S=0 (8BITMIME status)
11) id=d2b648f00f1a1b0813c483d552778dc6@domain.com (Message-ID header)
12) T="what if you had a llama" (subject)
13) from (original sender, logged by received_sender)
14) for aaron@domain.com (recipients, logged by received_recipients)
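To make the breakdown above mechanical, here is an added example (not cPanel's or Exim's own code) that parses exim_mainlog lines into the timestamp, message ID, flag, tagged fields and the from/for items. The sample lines are adapted from this article, with the sender written as Exim logs it, inside angle brackets.

```python
"""Parse exim_mainlog entries into their parts (added example for this article,
not cPanel's or Exim's own code).

It recognises the timestamp, the optional [pid], the message ID, the flag
(<=, =>, ->, >>, *>, **, ==), the tagged fields (H=, P=, A=, S=, T=, ...) and
the trailing "from"/"for" items described in the tables above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_HEAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?: \[(?P<pid>\d+)\])?"                                        # [28107] when the pid is logged
    r"(?: (?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}))?"  # 1XGVpL-0007JL-14
    r"(?: (?P<flag><=|=>|->|>>|\*>|\*\*|==))?"
    r"(?: (?P<rest>.*))?$"
)
# Quoted values such as T="what if you had a llama" (\" escapes allowed inside).
_QUOTED = re.compile(r'(?P<key>[A-Za-z0-9]{1,4})="(?P<val>(?:[^"\\]|\\.)*)"')
# Free text after the tags: "T=remote_smtp defer (-44): SMTP error ..." or "H=... Warning: ...".
_MESSAGE = re.compile(r"(?: (?P<status>Warning|defer \(-?\d+\)))?: (?P<msg>\S.*)$")
# A space that starts the next tag ("H=", "S=", ...) or the "from"/"for" items.
_BOUNDARY = re.compile(r" (?=[A-Za-z0-9]{1,4}=|for |from )")


@dataclass
class LogEntry:
    timestamp: str
    message_id: Optional[str] = None
    flag: Optional[str] = None
    address: Optional[str] = None      # envelope sender on "<=", recipient on "=>", "**", "=="
    tags: Dict[str, str] = field(default_factory=dict)
    sender: Optional[str] = None       # "from <...>" (received_sender)
    recipients: List[str] = field(default_factory=list)  # "for ..." (received_recipients)
    status: Optional[str] = None       # "Warning" or "defer (-44)"
    message: Optional[str] = None      # e.g. the remote SMTP error text, or "Completed"
    pid: Optional[int] = None


def parse_line(line: str) -> LogEntry:
    """Parse one exim_mainlog line; raises ValueError if it has no timestamp."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError("not an exim_mainlog line: %r" % line)
    e = LogEntry(timestamp=m["ts"], message_id=m["msgid"], flag=m["flag"],
                 pid=int(m["pid"]) if m["pid"] else None)
    rest = m["rest"] or ""

    # 1. Take quoted values out first, so a ": " or " for " inside a subject is
    #    not mistaken for the message separator or the recipient list below.
    def grab(q):
        e.tags[q["key"]] = q["val"].replace('\\"', '"')
        return ""
    rest = _QUOTED.sub(grab, rest)

    # 2. Split off the free-text message that follows the tags.
    mm = _MESSAGE.search(rest)
    if mm:
        e.status, e.message = mm["status"], mm["msg"]
        rest = rest[:mm.start()]

    # 3. After a flag, the first item is the address the line is about; the
    #    remaining items are KEY=value tags and the "from"/"for" lists.
    chunks = [c.strip() for c in _BOUNDARY.split(rest) if c.strip()]
    if e.flag and chunks and "=" not in chunks[0].split(" ", 1)[0]:
        e.address = chunks.pop(0)
    for c in chunks:
        if c.startswith("for "):
            e.recipients = c[4:].split()
        elif c == "from" or c.startswith("from "):
            e.sender = c[5:].strip().strip("<>") or None
        elif "=" in c:
            key, _, val = c.partition("=")
            e.tags[key] = val.strip()
        else:
            e.message = e.message or c   # e.g. "Completed"
    return e


# Sample lines adapted from this article (the sender is shown as Exim logs it, in <>).
SAMPLE_ARRIVAL = ('2014-08-10 11:18:35 [28107] 1XGVpL-0007JL-14 <= aaron@domain.com '
                  'H=localhost (10.5.40.204) [127.0.0.1]:39753 I=[127.0.0.1]:25 P=esmtpa '
                  'A=dovecot_login:aaron@domain.com S=662 M8S=0 '
                  'id=d2b648f00f1a1b0813c483d552778dc6@domain.com T="what if you had a llama" '
                  'from <aaron@domain.com> for aaron@domain.com')
SAMPLE_DEFER = ('2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost '
                'T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: '
                'host gylsystems.com [69.69.69.69]: 451 Temporary local problem - please try later')
SAMPLE_COMPLETED = '2014-08-10 11:18:35 1XGVpL-0007JL-14 Completed'

if __name__ == "__main__":
    for sample in (SAMPLE_ARRIVAL, SAMPLE_DEFER, SAMPLE_COMPLETED):
        print(parse_line(sample))
```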
Other Exim configuration files and their folder structure:

| File | Purpose |
| --- | --- |
| /etc/mailhelo | The configuration file for Exim's HELO command. Records should be written as: addonor.subdomain.com: maindomain.com |
| /etc/mailips | Specifies the IP addresses from which Exim should send email. |
| /etc/mail_reverse_dns | Specifies the domains that are associated with the IP addresses from which Exim should send email. |
| /etc/remotedomains | Domains listed here have their email sent out to a remote internet address. |
| /etc/localdomains | Domains listed here have their email delivered to a local address. |
| dig mx | Dig a domain and pull MX records only (a command, not a file). |
If all of those are valid and pointing to the correct location, the next step is to verify that the mailbox truly exists. Check the mail folder in the user's home directory: a user's email is stored under /home/user/mail/, in one directory per domain and one per email account, as in the sample structure below:
/home/username/mail (mail folder)
/home/username/etc (configuration files)
/home/username/mail/domain.com (domain)
  admin (email user)
    maildirsize (quota/usage summary, expendable)
    cur (default inbox for read email)
    new (default folder for unread email)
    Drafts (sample folder)
      - cur (read email)
      - new (unread email)
Types of Errors
Failed 421 - Temporary Failures
Example 1 - Temporarily deferred
There has been a temporary issue; try sending the email again in 72 hours. This is usually a temporary ban by the network you're trying to contact.
2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM: SIZE=6601: host mta5.am0.yahoodns.net [66.196.118.240]: 421 4.7.0 [GL01] Message from (184.171.253.133) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html
Example 2 - Rate limited
Too many emails have been sent out to this network and there is a temporary block preventing emails from being received. Like example 1, give it some time to clear out and try again in 72 hours.
2014-09-12 08:01:12 1XSLn4-003Fa1-OX SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.66.27]: 421-4.7.0 [77.69.28.195 15] Our system has detected an unusual rate of\n421-4.7.0 unsolicited mail originating from your IP address. To protect our\n421-4.7.0 users from spam, mail sent from your IP address has been temporarily\n421-4.7.0 rate limited. Please visit\n421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk\n421 4.7.0 Email Senders Guidelines. q4si1448293wij.85 - gsmtp
Example 3 - Permanently deferred
The email will not be delivered since you have been blocked by the network, do not try to resend the emails, instead, contact the host you are trying to send the mail to.
2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM: SIZE=1811: host mta7.am0.yahoodns.net [66.66.66.66]: 421 4.7.1 [TS03] All messages from 5.196.113.212 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Regardless of which 421 error you receive, you should check whether the sending IP is listed on an RBL; nearly all 421 errors mean that the mail service you are trying to reach has blocked your mail from being received on their network. Please understand this means the main issue is not with your server per se, but with the host or network you are trying to reach. This usually can just be waited out, but in some cases you will need to contact the host of the email network you are sending to.
Failed 450 - Service timeout
Example 1 - Client Host Rejected
TO:: host mx.someaddress.com [20.20.20.20]: 450 4.7.1 Client host rejected: cannot find your hostname, [20.20.20.20]
2014-09-21 16:06:05 1XUKFa-0003bb-EM ** someone@someaddress>: retry timeout exceeded
Verify that the PTR record and the actual hostname are set up.
Example 2 - Client host is sending too much
2014-10-10 10:25:01 1XcKLM-003IGU-Fr SMTP error from remote mail server after RCPT TO:: host pro-mail-mx-002.bol.com [20.20.20.20]: 450 4.7.1 Service unavai$
The client is trying to send too many emails and there is a temporary rejection from the network. Allow 72 hours for this to clear up and then try to send the mail again.
Failed 451 - Temporary Local Problem
Usually, 451 is a temporary failure and trying again in just a few minutes allows the mail to send. Here are a few other suggestions.
Example 1 - Client host is unable to send
2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host gylsystems.com [69.69.69.69]: 451 Temporary local problem - please try later
The server was missing an entry for its hostname in /etc/localdomains. Once this was added, the error no longer recurred.
Example 2 - Could not complete sender verify
2014-11-24 11:25:33 H=localhost (mail.fictional.example) [::1]:49956 sender verify defer for : require_files: error for /home/aaron/etc/domain.com: Permission denied
2014-11-24 11:25:33 H=localhost (srv-hs1.netsons.net) [::1]:49956 F= A=dovecot_login:aaron@domain.com temporarily rejected RCPT : Could not complete sender verify
Verify that the permissions of the folders are correct, and that there are valid reverse records for the domain. In this case permissions were set to 750 on the user's home folder instead of 711.
Failed 452 - Temporary Failures
Example 1 - Domain Size limit exceeded
2014-09-13 11:37:53 1XSdCz-00049U-5A == aaron@domain.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host mail.fictional.example [10.5.40.204]: 452 Domain size limit exceeded
Verify that the permissions of the folders are correct. In this case permissions were set to 750 on the user's home folder instead of 711.
Example 2 - Domain Size limit exceeded
2014-09-13 11:37:53 1XSdCz-00049U-5A == aaron@domain.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host mail.fictional.example [10.5.40.204]: 452 Domain size limit exceeded
This failure comes from a security scanner, i.e. firewall packet inspection, a security application, or a virus scanner on the local mail server. This error usually comes from the receiving server.
Failed 550 - Hard Failures
A 550 is easily one of the most common errors that occur. So what does it mean? A 550 error code means that your SMTP server isn't able to deliver the sent email to the user. It could be because the mailbox does not exist, because of a misconfiguration, or because of a DNS issue.
Example 1 - 550 Verification
In this example, we have a failed message with a 550-verification error:
2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:: host mail.domain.com [10.5.40.204]: 550-Verification for \n550-The mail server could not deliver mail to garfield@domain.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.\n550 Sender verify failed
The file /etc/remotedomains was modified to point domain.com to an IP that does not exist on the server, or to an IP that hosts this domain; this caused the email failure because no address in /etc/remotedomains was resolvable for that domain. Things to check: first, check the files on the server and make sure the email is pointing to the correct location.
Example 2 - Invalid A, AAAA, MX, or other DNS record
SMTP error from remote mail server after RCPT TO:: host mail.fictional.example[10.5.40.204]: 550-Sender has no A, AAAA, or MX DNS records. mail.fictional.example\n550 l mail.fictional.example
Verify the zone file in /etc/named has the correct information. If it appears correct, you can run named-checkzone domain.com domain.com.db to verify that named is able to load the zone.
Example 3 - Mail Rejected 550 errors
Diagnostic-Code: X-Postfix; host mail1.domain.com [10.5.40.204] said: 550 5.7.1 Message rejected due to content restrictions (in reply to end of DATA command)
When you see an error such as 550 5.7.1 "Message rejected due to content restrictions", it tells us the rejection is due to an attachment included with the email. This could be because of the content included or the attachment size. First remove the attachments and try to send your email again. Double check that the email attachments and the signatures added to the body contain nothing which may be restricted.
Example 4 - Mail Authentication 550 error
Final-Recipient: rfc822;aaron@domain.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client. 550-mail.fictional.example [10.5.40.204]:58133 is not permitted to relay 550 through this server without authentication.
Since 550s have a number of different meanings and a number of solutions, if users are getting an authentication 550 error you should check whether the domain is configured to use the local mail exchanger on the server. This may be causing the email to be rejected for your domain.
Example 5 - Bad HELO Record
"DHE-RSA-AES256-SHA:256: SMTP error from remote mail server after MAIL FROM: SIZE=1834: host mail.fictional.example [10.5.40.204..212]: 550 "REJECTED - Bad HELO - Host impersonating [mail.fictional2.example]"
Since HELO records are the same as PTR records, we want to check the host of the IP. We should also check /etc/mailhelo and /etc/mailips on the server. If the client has a lot of IPs, you can check every host address with this one-liner:
ifconfig | grep "inet addr:[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | awk '{print $2}' | sed 's/addr://' | xargs -I {} host {}
Example 6 - Mail Delivery Failure
2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull P=local S=1951 T="Mail delivery failed: returning message to sender" for aaron@domain.com
In this example, we received a delivery-failure message from the server after the message in example 1 failed to send. A bounce can come from an invalid address, or the receiving server may have blocked your connection. Check the folder structure template above and verify the domain exists if possible; also verify that the domain isn't blacklisted in an RBL with a tool such as mxtoolbox or dnsstuff.com.
Failed 553 - Authentication errors
Example 1 - Your domain does not exist
SMTP error from remote mail server after MAIL FROM:: host mail.fictional.example [10.5.40.204]: 553 sorry, your domain does not exists.
Verify there are no ACLs in place dropping connectivity from local domains. SSP should show any changes made to the Exim config. Verify the domain name is valid, that /etc/localdomains and /etc/remotedomains are set, and that the mailbox name exists.
Example 2 - Unable to verify address
2014-11-26 10:26:32 1XtYro-004Ecv-65 ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM: SIZE=1604: host mail.fictional.example [10.5.40.204]: 553 unable to verify address
Verify that SMTP authentication has been enabled.
Failed 554 - rejected due to spam content:
Example 1 - Reject
[15:03:30 hosts5 root /var/log]cPs# grep 1XeRdP-0006JC-FO exim_mainlog
2014-10-15 12:41:11 1XeRdP-0006JC-FO <= <> R=1XeRdF-0006HI-EY U=mailnull P=local S=5445 T="Mail delivery failed: returning message to sender" for aaron@domain.com
2014-10-15 12:41:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XeRdP-0006JC-FO
2014-10-15 12:42:12 1XeRdP-0006JC-FO ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.fictional.example [10.5.40.204]: 554 rejected due to spam content
This means you need to check the content of the mail body. Some text or images may be flagged as spam. Verify the content is not spam-like or suspicious and try again.
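As an added example (not cPanel's or Exim's tooling), the following script triages the remote 4xx/5xx errors covered in this section: it extracts the remote host, SMTP phase and reply code from deferred (==) and failed (**) lines, classifies the code, and attaches the guidance from the examples above. The sample log lines are taken (one shortened) from this section; the guidance strings summarize this article, not Exim documentation.

```python
"""Triage "SMTP error from remote mail server" entries in exim_mainlog.

Added example for this article, not cPanel's or Exim's own tooling: it pulls
the remote host, the SMTP phase and the reply code out of each deferred (==)
or failed (**) line, classifies 4xx as temporary and 5xx as permanent, and
counts which remote hosts are refusing mail, which is what separates "wait it
out" from "fix this server" in the cases above."""
import re
from collections import Counter
from typing import Dict, Iterable, List

_MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
_SMTP_ERR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>" + _MSGID + r")"
    r"(?: (?P<flag>==|\*\*) (?P<address>\S+))?"            # absent on message-level lines
    r".*?SMTP error from remote mail server after (?P<phase>.+?): "
    r"host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<code>\d{3})(?:[ -](?P<text>.*))?$"
)

# What the examples in this section say each reply code usually means.
GUIDANCE = {
    "421": "remote network is deferring or rate limiting your IP: check RBL listings, wait, then retry",
    "450": "client host rejected or throttled: verify the PTR record and hostname, allow time to clear",
    "451": "temporary problem: retry shortly; if the remote host is your own server, check /etc/localdomains",
    "452": "domain size limit exceeded on the receiving side",
    "550": "hard failure: mailbox, DNS, HELO, authentication or content rejection (see the 550 examples)",
    "553": "sender address or domain could not be verified: check SMTP auth, /etc/localdomains and /etc/remotedomains",
    "554": "rejected as spam content: review the message body",
}


def classify(code: str, text: str) -> str:
    """4xx means Exim will retry (logged as ==), 5xx means it bounces (logged as **),
    except the 421 [TS03] case above, where the remote says retrying will not succeed."""
    if code == "421" and "permanently deferred" in text.lower():
        return "permanent"
    if code.startswith("4"):
        return "temporary"
    if code.startswith("5"):
        return "permanent"
    return "unknown"


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One record per remote SMTP error found in the given log lines."""
    rows = []
    for line in lines:
        m = _SMTP_ERR.match(line.strip())
        if not m:
            continue
        text = m["text"] or ""
        rows.append({
            "msgid": m["msgid"], "address": m["address"] or "", "host": m["host"],
            "ip": m["ip"], "phase": m["phase"], "code": m["code"],
            "kind": classify(m["code"], text),
            "guidance": GUIDANCE.get(m["code"], "no guidance for this code in the article"),
        })
    return rows


def hosts_by_code(rows: List[Dict[str, str]]) -> Counter:
    """Count (remote host, reply code) pairs: one host refusing many messages
    points at a block or RBL listing of this server, not at one bad address."""
    return Counter((r["host"], r["code"]) for r in rows)


# Sample entries taken from the examples in this section (a raw string keeps the "\n"
# that Exim writes for multi-line remote responses as literal characters).
SAMPLE_LOG = r"""
2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM: SIZE=6601: host mta5.am0.yahoodns.net [66.196.118.240]: 421 4.7.0 [GL01] Message from (184.171.253.133) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html
2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM: SIZE=1811: host mta7.am0.yahoodns.net [66.66.66.66]: 421 4.7.1 [TS03] All messages from 5.196.113.212 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host gylsystems.com [69.69.69.69]: 451 Temporary local problem - please try later
2014-09-13 11:37:53 1XSdCz-00049U-5A == aaron@domain.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host mail.fictional.example [10.5.40.204]: 452 Domain size limit exceeded
2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:: host mail.domain.com [10.5.40.204]: 550-Verification for \n550-The mail server could not deliver mail to garfield@domain.com.\n550 Sender verify failed
2014-10-15 12:42:12 1XeRdP-0006JC-FO ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.fictional.example [10.5.40.204]: 554 rejected due to spam content
""".strip().splitlines()

if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(r["msgid"], r["host"], r["code"], r["kind"], "-", r["guidance"])
    print(hosts_by_code(rows))
```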
SpamBox & SpamAssassin log entries
Both SpamBox and SpamAssassin are used to prevent unwanted mail: SpamAssassin is responsible for flagging the emails, and SpamBox automatically moves email that SpamAssassin has flagged into the spam folder. Here are a few examples of what a whitelisted email looks like, as well as an email that has been flagged as spam.
SpamBox:
Example 1 - Mail flagged as spam is forwarded
In this example, SpamAssassin is flagging our email as spam and forwarding it to the spam folder configured for SpamBox inside the user's cPanel account.
2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.fictional.example [10.5.40.204]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
2014-10-01 15:12:26 1XZKdg-0001g3-JS <=10.5.40.204 H=mail.fictional.example[10.5.40.204]:4779 P=esmtp S=491878 id=dos45yx4zbmri7f@domain.com T="Payment confirmation: 7037487121" for aaron@domain.net
2014-10-01 15:12:26 1XZKdg-0001g3-JS => aaron R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
2014-10-01 15:30:35 1XZKvG-0002HW-ML H=(12-12-12-12.domain.net [10.5.40.204]:65376 Warning: "SpamAssassin as marka22 detected message as spam (7.2)"
2014-10-01 15:30:35 1XZKvG-0002HW-ML <= item@something.net H=(12-12-12-12.domain.net [10.5.40.204]:65376 P=esmtp S=519381 id=dos45yx4zbmri7f@domain.com T="Payment confirmation: 7037487121" for mark@domain.com
2014-10-01 15:30:35 1XZKvG-0002HW-ML => mark R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:30:35 1XZKvG-0002HW-ML Completed
SpamAssassin:
Example 2 - Allowed email
In our second example, the email is allowed through: SpamAssassin scans the email and lets it pass.
2014-09-10 13:06:55 1XRlM6-003yMv-KG H=mail.fictional.example [10.5.40.204]:46793 Warning: Message has been scanned: no virus or other harmful content was found
2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.fictional.example [10.5.40.204]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
2014-09-10 13:06:56 1XRlM6-003yMv-KG <= bob@bob.com H=mail.fictional.example [10.5.40.204]:46793 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:aaron@domain.com S=18635 T="14\" plates" for live@somedomain.com
2014-09-10 13:06:56 1XRlM6-003yMv-KG SMTP connection outbound 1410368816 1XRlM6-003yMv-KG domain.com live@somedomain.com
2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@somedomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mail.fictional.example [10.5.40.204] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 OK id=1XRlMC-0006w5-F4"
2014-09-10 13:07:22 1XRlM6-003yMv-KG Completed
What we can see from this log is that SpamAssassin has scanned the message that arrived from H=mail.fictional.example [10.5.40.204]:46793 and found it not to be spam:
Warning: Message has been scanned: no virus or other harmful content was found
SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)
Example 3 - Flagged email
In our last example, the email is not allowed through and is marked as spam by SpamAssassin: "SpamAssassin as sfgthib detected message as spam (998.0)"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: "SpamAssassin as sfgthib detected message as spam (998.0)"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: Message has been scanned: no virus or other harmful content was found
2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= cpaneltest@gmail.com H=mail.fictional.example [10.5.40.204]:42603 P=esmtps X=TLSv1:RC4-SHA:128 S=3411 id=CAPtYmmQYRDb38yTmnA_ULZVjnKVOdtu6yw-HapGmjBCAk6rYYw@mail.gmail.com T="test" for aaron@domain.com
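As an added example (not cPanel's or SpamAssassin's code), this script correlates the SpamAssassin warnings in the three examples above with the delivery lines for the same message ID, so you can see the score, whether the message was outgoing, and whether a flagged message was actually routed through the SpamBox router (virtual_user_spam). The last sample delivery line is constructed to show a flagged message that SpamBox did not divert.

```python
"""Correlate SpamAssassin warnings with the delivery lines for the same message.

Added example for this article, not cPanel's or SpamAssassin's code. It reads
the Warning: "SpamAssassin as <user> detected ... (<score>)" lines and the
"=>" delivery lines, joins them by message ID, and reports which messages
SpamAssassin flagged as spam but which were not delivered through the SpamBox
router (virtual_user_spam / virtual_userdelivery_spam)."""
import re
from typing import Dict, Iterable, List

_MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
_VERDICT = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>" + _MSGID + r") .*Warning: "
    r'"SpamAssassin as (?P<user>\S+) detected (?:(?P<outgoing>OUTGOING) smtp )?'
    r'message as (?P<notspam>NOT )?spam \((?P<score>-?\d+(?:\.\d+)?)\)"'
)
_DELIVERY = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>" + _MSGID + r") => (?P<addr>\S+) "
    r"R=(?P<router>\S+) T=(?P<transport>\S+)"
)


def correlate(lines: Iterable[str]) -> Dict[str, dict]:
    """Map message ID -> SpamAssassin verdict plus the (address, router, transport)
    of every delivery line logged for that message."""
    out: Dict[str, dict] = {}
    for line in lines:
        line = line.strip()
        m = _VERDICT.match(line)
        if m:
            out.setdefault(m["msgid"], {"deliveries": []}).update(
                user=m["user"], score=float(m["score"]),
                spam=m["notspam"] is None, outgoing=m["outgoing"] is not None)
            continue
        m = _DELIVERY.match(line)
        if m:
            out.setdefault(m["msgid"], {"deliveries": []})["deliveries"].append(
                (m["addr"], m["router"], m["transport"]))
    return out


def not_quarantined(verdicts: Dict[str, dict]) -> List[str]:
    """Message IDs flagged as spam that were delivered, but not via a *_spam router,
    i.e. they landed in the inbox: SpamBox is not enabled for that account."""
    ids = []
    for msgid, v in verdicts.items():
        routers = [router for _, router, _ in v["deliveries"]]
        if v.get("spam") and routers and not all(r.endswith("_spam") for r in routers):
            ids.append(msgid)
    return sorted(ids)


# Sample lines taken from the examples above; the last delivery line is
# constructed to show a flagged message that SpamBox did not divert.
SAMPLE_LOG = r"""
2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.fictional.example [10.5.40.204]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
2014-10-01 15:12:26 1XZKdg-0001g3-JS => aaron R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.fictional.example [10.5.40.204]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@somedomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mail.fictional.example [10.5.40.204] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 OK id=1XRlMC-0006w5-F4"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: "SpamAssassin as sfgthib detected message as spam (998.0)"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR => aaron R=virtual_user T=virtual_userdelivery
""".strip().splitlines()

if __name__ == "__main__":
    verdicts = correlate(SAMPLE_LOG)
    for msgid, v in verdicts.items():
        print(msgid, v)
    print("flagged but delivered to the inbox:", not_quarantined(verdicts))
```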
These are just examples, and your log may look different. If you have any question on these, please feel free to ask, or open a ticket so we can look into it.
Conclusion
Now that you've had a chance to get your feet wet with the Exim configuration and logging, I hope this article provides the resources you need to review the exim_mainlog to check for spam, or to confirm that an email was sent or received. Sometimes reading this log can be confusing and not make a lot of sense. With Exim allowing more verbose logging, as well as the commands built into Exim and the additional utilities built for it, you should be able to review the log in detail to determine whether there is an issue with the mail transport agent. You can find further documentation on Exim and its logs at Documentation for Exim. If you have any comments or feedback, please feel free to leave them below.
Hi Aaron. Thank you for the share. It will surely come handy to technicians who investigate the email/exim issues.
Wonderful !!!! That is the only word I could think of :) Thank you !!!!
Nice job on this manual! I've stickied this thread in our "E-mail Discussions" forum.
Awesome write up. - Removed by Moderator -
Excellent and very useful post.
This is an excellent post. Thanks a lot for this @AaronH. I just have one doubt regarding "*> delivery suppressed by -N" What does that mean?
Hello, this is documented at "52. Log files", "11. Fake deliveries": If a delivery does not actually take place because the -N option has been used to suppress it, a normal delivery line is written to the log, except that "=>" is replaced by "*>".
-N This is a debugging option that inhibits delivery of a message at the transport level. It implies at least -d1. Exim goes through many of the motions of delivery -- it just doesn't actually transport the message, but instead behaves as if it had successfully done so. However, it does not make any updates to the retry database, and the log entries for deliveries are flagged with `*>' rather than `=>'. Because -N discards any message to which it applies, only root or the Exim user are allowed to use it with -bd, -q, -R or -M. In other words, an ordinary user can use it only when supplying an incoming message to which it will apply. Although transportation never fails when -N is set, an address may be deferred because of a configuration problem on a transport, or a routing or directing problem. Once -N has been used for a delivery attempt, it sticks to the message, and applies to any subsequent delivery attempts that may happen for that message.
Thanks!
In my maillog I see the entry
pop3(user+company.com): Disconnected: Logged out top=2/4756 retr=964/72080684 del=0/482 size=36031344 bytes=9474/72105440
I found this definition: bytes = number of bytes sent to client as a result of RETR command, but what is before and after the / in bytes=9474/72105440? Could this be my problem with excessive pop3 bandwidth?
Sorry to post here but I'm not sure how to easily contact you.
In your article https://support.cpanel.net/hc/en-us/articles/360063199813-How-to-clear-out-the-archives-for-Mailman step 7 says:
/user/local/cpanel/scripts/update_mailman_cache
but it should be "/usr/.." instead of "/user/..". I was just copy pasting and didn't notice why it wasn't working.
albertorivera - thanks for pointing that out - I'll fix this now!