Reading and Understanding the exim_mainlog
At cPanel, we get a variety of tickets asking about different types of mail errors. I've been working on an Exim guide that will help you determine just what might be the cause of the errors you're receiving.
Exim, what a topic. For some, setting up Exim's configuration and troubleshooting it, or simply reading its logs, can seem as daunting as setting up custom Apache configurations with SSL reverse proxies on a high availability load balancer. Thankfully that's not the case. Exim is not terribly difficult to read or understand, and there is rather good documentation. Exim is one of the most widely used MTAs (Mail Transfer Agents) in use today. With a few tweaks to the configuration you will soon be a wizard at reading and understanding what the Exim log contains. By modifying the Exim configuration, we will be able to produce a much more verbose log. This leads to an easier and faster way to determine exactly what is going on with the server's MTA.
SECTIONS:
- /A/ Enabling Verbose Logging
- A/1 Modifying the log_selector
- A/2 Logging Options
- A/3 Configuration Files
- A/4 Log Entry Example
- /B/ Available Commands
- B/1 Available commands under exim
- B/2 Command examples
- B/3 Other commands under exim
- /C/ Error Messages and Possible Solutions
- C/1 Main entries found in exim_mainlog
- C/2 Successful messages sent and received
- C/3 Other exim configuration files and folder structure
- C/4 Types of Errors
- C/4.1 Failed 421 - Temporary Failures
- C/4.1.1 Example 1 - Temporarily deferred
- C/4.1.2 Example 2 - Rate limited
- C/4.1.3 Example 3 - Permanently deferred
- C/4.2 Failed 450 - Service timeout
- C/4.2.1 Example 1 - Client Host Rejected
- C/4.2.2 Example 2 - Client's Host is trying too much
- C/4.3 Failed 451 - Temporary Local Problem
- C/4.3.1 Example 1 - Client's Host is unable to send
- C/4.3.2 Example 2 - Could not complete sender verify
- C/4.4 Failed 452 - Temporary Failures
- C/4.4.1 Example 1 - Domain Size limit exceeded
- C/4.5 Failed 550 - Hard Failures
- C/4.5.1 Example 1 - 550 Verification
- C/4.5.2 Example 2 - Invalid A, AAAA, MX, or other DNS record
- C/4.5.3 Example 3 - Mail Rejected 550 errors
- C/4.5.4 Example 4 - Mail Authentication 550 error
- C/4.5.5 Example 5 - Bad HELO Record
- C/4.5.6 Example 6 - Mail Delivery Failure
- C/4.6 Failed 553 - Authentication errors
- C/4.6.1 Example 1 - Your domain does not exist
- C/4.6.2 Example 2 - Unable to verify address
- C/4.7 Failed 554 - Rejected due to spam content
- C/4.7.1 Example 1 - Reject
- /D/ SpamBox & SpamAssassin log entries
- D/1 SpamBox
- D/1.1 Example 1 - Mail flagged as spam is forwarded
- D/2 SpamAssassin
- D/2.1 Example 2 - Allowed email
- D/2.2 Example 3 - Flagged email
- /E/ Conclusion
/A/ Modifying Exim to Enable Verbose Logging
A/1 Modifying the log_selector
The first thing we need to do is get better output from our log. By default, Exim is not set to log every piece of information. To change this, log in to your WHM interface and navigate to Home » Service Configuration » Exim Configuration Manager » Advanced Editor. Find the section "log_selector" and replace it with one of the following.
Code:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Code:
log_selector = +all
A/2 Logging Options:
[container]
address_rewrite | This applies both to global rewrites and per-transport rewrites, but not to rewrites in filters run as an unprivileged user (because such users cannot access the log). |
all_parents | Normally only the original and final addresses are logged on delivery lines; with this selector, intermediate parents are given in parentheses between them. |
arguments | This causes Exim to write the arguments with which it was called to the main log, preceded by the current working directory. This is a debugging feature,  added to make it easier to find out how certain MUAs call /usr/sbin/sendmail. The logging does not happen if Exim has given up root privilege because it was called with the -C or -D options. Arguments that are empty or that contain white space are quoted. Non-printing characters are shown as escape sequences. This facility cannot log unrecognized arguments, because the arguments are checked before the configuration file is read. The only way to log such cases is to interpose a script such as util/logargs.sh between the caller and Exim. |
connection_reject | A log entry is written whenever an incoming SMTP connection is rejected, for whatever reason. |
delay_delivery | A log entry is written whenever a delivery process is not started for an incoming message because the load is too high or too many messages were received on one connection. Logging does not occur if no delivery process is started because queue_only is set or -odq was used. |
delivery_size | For each delivery, the size of message delivered is added to the “=>” line, tagged with S=. |
dnslist_defer | A log entry is written if an attempt to look up a host in a DNS black list suffers a temporary error. |
incoming_interface | The interface on which a message was received is added to the “<=” line as an IP address in square brackets, tagged by I= and followed by a colon and the port number. The local interface and port are also added to other SMTP log lines, for example “SMTP connection from”, and to rejection lines. |
incoming_port | The remote port number from which a message was received is added to log entries and Received:header lines, following the IP address in square brackets, and separated from it by a colon. This is implemented by changing the value that is put in the $sender_fullhost and $sender_rcvhost variables. Recording the remote port number has become more important with the widening use of NAT (see RFC 2505). |
lost_incoming_connection | A log line is written when an incoming SMTP connection is unexpectedly dropped. |
queue_run | The start and end of every queue run are logged. |
received_sender | The unrewritten original sender of a message is added to the end of the log line that records the message’s arrival, after the word “from” (before the recipients if received_recipients is also set). |
rejected_header | If a message’s header has been received at the time a rejection is written to the reject log, the complete header is added to the log. Header logging can be turned off individually for messages that are rejected by the local_scan() function (see section 44.2). |
received_recipients | The recipients of a message are listed in the main log as soon as the message is received. The list appears at the end of the log line that is written when a message is received, preceded by the word “for”. The addresses are listed after they have been qualified, but before any rewriting has taken place. Recipients that were discarded by an ACL for MAIL or RCPT do not appear in the list. |
retry_defer | A log line is written if a delivery is deferred because a retry time has not yet been reached. However, this “retry time not reached” message is always omitted from individual message logs after the first delivery attempt |
sender_on_delivery | The message’s sender address is added to every delivery and bounce line, tagged by F= (for “from”). This is the original sender that was received with the message; it is not necessarily the same as the outgoing return path |
size_reject | A log line is written whenever a message is rejected because it is too big. |
skip_delivery | A log line is written whenever a message is skipped during a queue run because it is frozen or because another process is already delivering it. The message that is written is “spool file is locked”. |
smtp_confirmation | The response to the final “.” in the SMTP or LMTP dialogue for outgoing messages is added to delivery log lines in the form C=<text>. A number of MTAs (including Exim) return an identifying string in this response. |
smtp_connection | A log line is written whenever an SMTP connection is established or closed, unless the connection is from a host that matches hosts_connection_nolog. (In contrast, lost_incoming_connection applies only when the closure is unexpected.) This applies to connections from local processes that use -bs as well as to TCP/IP connections. If a connection is dropped in the middle of a message, a log line is always written, whether or not this selector is set, but otherwise nothing is written at the start and end of connections unless this selector is enabled. For TCP/IP connections to an Exim daemon, the current number of connections is included in the log message for each new connection, but note that the count is reset if the daemon is restarted. Also, because connections are closed (and the closure is logged) in subprocesses, the count may not include connections that have been closed but whose termination the daemon has not yet noticed. Thus, while it is possible to match up the opening and closing of connections in the log, the value of the logged counts may not be entirely accurate. |
smtp_protocol_error | A log line is written for every SMTP protocol error encountered. Exim does not have perfect detection of all protocol errors because of transmission delays and the use of pipelining. |
smtp_syntax_error | A log line is written for every SMTP syntax error encountered. An unrecognized command is treated as a syntax error. For an external connection, the host identity is given; for an internal connection using -bs the sender identification (normally the calling user) is given. |
subject | The subject of the message is added to the arrival log line, preceded by “T=” (T for “topic”, since S is already used for “size”). Any MIME “words” in the subject are decoded. The print_topbitchars option specifies whether characters with values greater than 127 should be logged unchanged, or whether they should be rendered as escape sequences. |
tls_cipher | When a message is sent or received over an encrypted connection, the cipher suite used is added to the log line, preceded by X=. |
tls_peerdn | When a message is sent or received over an encrypted connection, and a certificate is supplied by the remote host, the peer DN is added to the log line, preceded by DN=. |
A/3 Configuration Files:
The configuration files for exim can be found in the following location:
[container]
Configuration (main) | /etc/exim.conf | Main configuration file used by Exim |
Configuration (local) | /etc/exim.conf.local | This is the same file that the Advanced Editor for Exim in WHM uses |
" | /etc/exim.conf.dist | Exim configuration template used to build exim.conf |
" | /etc/exim.conf.localopts | This is the same file that the Basic Editor for Exim in WHM uses |
Configuration (mailman-related) | exim.conf.mailman2.dist | Template used to build the mailman configuration |
A/4 Log entry Example:
Once you have the logging portion taken care of, we need to actually look at our log. The Exim log is at /var/log/exim_mainlog; the following is done from the command line.
Code:
# head /var/log/exim_mainlog
2014-08-10 03:27:11 pid 1014: SIGHUP received: re-exec daemon
2014-08-10 03:27:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q1h
2014-08-10 03:27:15 exim 4.82 daemon started: pid=1014, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
2014-08-10 03:27:15 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
/B/ Exim Commands via the command line
B/1 Available commands under exim:
Exim has a couple of utilities to help search through the queue and logs, those are:
[container]
52.2 | exiqgrep | Obtains a queue listing (as exim -bp does) and then greps the output to select messages that match the given criteria. |
52.4 | exigrep | exigrep [-t<n>] [-I] [-l] [-v] <pattern> [<log file>] ... Searches the main log with Exim's own grep: it finds the messages whose log entries match the pattern and then prints every log line belonging to those messages, rather than only the matching lines as standard grep would. |
exiqgrep selection options:
- -f Match the sender address using a case-insensitive search. The field that is tested is enclosed in angle brackets, so you can test for bounce messages with exiqgrep -f '^<>$'
- -r Match a recipient address using a case-insensitive search. The field that is tested is not enclosed in angle brackets.
- -s Match against the size field.
- -y Match messages that are younger than the given time.
- -o Match messages that are older than the given time.
- -z Match only frozen messages.
- -x Match only non-frozen messages.
exiqgrep output options:
- -c Display only the count of matching messages.
- -l Long format: display the full message information as output by Exim. This is the default.
- -i Display message ids only.
- -b Brief format: one line per message.
- -R Display messages in reverse order.
- -a Include delivered recipients in the queue listing.
- -h Output a list of options.
B/2 Command examples:
The easiest command to remember, in my opinion, is exiwhat, which shows what Exim is currently doing.
Code:
-bash-4.1# exiwhat
27589 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
Code:
-bash-4.1# exiqgrep [email protected]*
71h 6.7K 1XFRvF-0000Mz-B8 <>
[email protected]
71h 12K 1XFRvF-0000NF-NK <>
[email protected]
Code:
-bash-4.1# exigrep [email protected] /var/log/exim_mainlog
2014-08-10 10:52:01 1XGVPd-000707-4Y <= [email protected] H=localhost (10.5.40.204) [127.0.0.1]:39668 P=esmtpa A=dovecot_login:[email protected] S=748 [email protected] T="Llamas are awesome" for [email protected]
2014-08-10 10:52:01 1XGVPd-000707-4Y => aaron <[email protected]> R=virtual_user T=virtual_userdelivery
2014-08-10 10:52:01 1XGVPd-000707-4Y Completed
B/3 Other commands under exim:
[container]
exim -bpc | Print a total count of messages in the queue |
exim -bp | Print a listing of the queued messages, including time in queue, size, message id, sender, and recipients |
exim -bp |exiqsumm | Print a summary of the mail queue grouped by domain (see the output below) |
exim -bt [email protected] | Test how an address is routed through Exim |
exim -bh <ip> | Run a pretend SMTP transaction from the CLI as if it came from <ip>. The purpose of this is to check Exim's ACLs and filters. |
exim -q -v | Start a queue run |
exim -ql -v | Start a queue run for local deliveries only |
exim -Mrm <message-id> [ <message-id> ... ] | Remove a message from the queue |
exim -Mvb <message-id> | View the body of a message |
exim -Mvh <message-id> | View the header of a message |
exim -Mvc <message-id> | View the complete message (headers and body) |
Code:
-bash-4.1# exim -bp | exiqsumm
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
    7    39KB     71h     71h  nt10598.os.cpanel.vm
    3    19KB     14h     78m  nt12664.product.cpanel.vm
---------------------------------------------------------------
   10    58KB     71h     78m  TOTAL
There are additional commands for looking at the queue, but exigrep and exiqgrep are the main utilities for reading the log. You can see the rest of the utilities Exim ships with in its official documentation.
You can also view additional commands and examples for Exim in our Exim cheat sheet created by cPanelJesus, cPanel Exim Quick Reference.
*Exim runs under the user mailnull, so you will commonly see U=mailnull in the Exim log.
/C/ Error Messages and Possible Solutions:
C/1 Main entries found in exim_mainlog:
Reading exim_mainlog can be daunting, especially with so much information being logged. The main log records the arrival of each message and each delivery as a single line per event.
Let's take a look at a few entries in an exim_mainlog; Exim's main log is read from left to right.
The first thing to determine when looking at an entry is what happened to the message. Let's take a quick look at the breakdown of those entries.
[container]
<= | Indicates the arrival of a message to Exim for handling |
=> | Shows a normal message delivery |
-> | Additional address for the same delivery, i.e. an Email forwarder. |
>> | Cutthrough delivery: the message was passed on while it was still being received. The cutthrough_delivery option requests this; it is usable in the RCPT ACL and is valid only for single-recipient mails forwarded from one SMTP connection to another. If a recipient-verify callout connection is requested in the same ACL it is held open and used for the data; otherwise one is made after the ACL completes. |
*> | delivery suppressed by -N |
** | delivery failed; address bounced |
== | delivery deferred; temporary problem |
<> | An empty envelope sender. A bounce message is shown with the sender address "<>", and if it is locally generated, this is followed by an item of the form R=<message id>, the id of the message that bounced. |
You will also find entries like the below table in the main log such as:
[container]
R= | On a bounce's "<=" line (sender "<>"), R=<message id> is the id of the message that caused the bounce. On a delivery line, R= names the router that handled the address, for example R=lookuphost or R=virtual_user. |
T= | On a delivery line, the transport used to deliver the message. Example: T=remote_smtp T=local_delivery |
H= | The sending host: its name from reverse DNS, the name it gave in HELO/EHLO in parentheses, and its IP address and port in square brackets. Examples: H=localhost (10.5.40.204) [127.0.0.1]:39753 or H=mail.fictional.example [192.168.123.123] |
U= | The local user that submitted a locally generated message; bounces generated by Exim itself show U=mailnull. |
I= | The local interface (IP address) on which the message was received, followed by a colon and the port number. |
P= | On an arrival ("<=") line, the protocol by which the message was received, for example P=esmtpa (ESMTP with SMTP AUTH), P=esmtps (ESMTP over TLS) or P=local. On delivery and bounce lines, when the return_path_on_delivery log selector is set, P= is the return path being transmitted with the message; it is omitted if no delivery actually happens, for example if routing fails, or if delivery is to /dev/null or to :blackhole:. |
A= | If A= is present, then SMTP AUTH was used for the delivery. |
S= | Is the delivery size of the message |
M8S= | 8bitmime: This causes Exim to log any 8BITMIME status of received messages, which may help in tracking down interoperability issues with ancient MTAs that are not 8bit clean. This is added to the “<=” line, tagged with M8S= and a value of 0, 7 or 8, corresponding to "not given", 7BIT and 8BITMIME respectively. |
ID= | Represents the incoming message ID |
T= | On an arrival line, the subject of the message (T for "topic", since S= is already used for the size) |
from | From whom the mail was received |
for | Who the email is for |
C/2 Successful messages sent and received:
Let's take a quick look at a successfully sent message in the exim_mainlog.
Code:
2014-08-10 11:18:35 [28107] 1XGVpL-0007JL-14 <= [email protected] H=localhost (10.5.40.204) [127.0.0.1]:39753 I=[127.0.0.1]:25 P=esmtpa A=dovecot_login:[email protected] S=662 M8S=0 [email protected] T="what if you had a llama" from <[email protected]> for [email protected]
Code:
1) 2014-08-10 11:18:35 (date and time the entry was written)
2) 1XGVpL-0007JL-14 (Exim message id; every line for this message carries it)
3) <= (flag: the message arrived for handling)
4) [email protected] (envelope sender)
5) H=localhost (10.5.40.204) [127.0.0.1]:39753 (sending host: DNS name, HELO name, IP address and remote port)
5.1) H=mail.fictional.example [192.168.123.123] U=exim (an alternative form of the host field, here followed by the U= local user tag)
6) I=[127.0.0.1]:25 (local interface and port the message was received on)
7) P=esmtpa (protocol: ESMTP with SMTP AUTH)
8) A=dovecot_login:[email protected] (authenticator used and the authenticated id)
9) S=662 (message size in bytes)
10) M8S=0 (8BITMIME status; 0 means not given)
11) [email protected] (the Message-ID header)
12) T="what if you had a llama" (subject)
13) from <[email protected]> (unrewritten original sender, logged because received_sender is set)
14) for [email protected] (recipients after qualification, logged because received_recipients is set)
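To make the breakdown above mechanical, here is a small parser for these main-log lines, written for this article as an added example (it is not part of the original page or of cPanel's tooling): it splits a line into timestamp, message id, flag, address and the tagged fields, then groups each message's lines to report whether it completed, bounced or was deferred. The log lines it runs on are constructed to match the formats shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines modelled on the entries shown on this page (not taken from a real server).
SAMPLE_LOG = r"""
2014-08-10 11:18:35 [28107] 1XGVpL-0007JL-14 <= alice@example.test H=localhost (10.5.40.204) [127.0.0.1]:39753 I=[127.0.0.1]:25 P=esmtpa A=dovecot_login:alice@example.test S=662 M8S=0 id=abc123@example.test T="what if you had a llama" from <alice@example.test> for bob@example.test
2014-08-10 11:18:35 1XGVpL-0007JL-14 => bob <bob@example.test> R=virtual_user T=virtual_userdelivery
2014-08-10 11:18:35 1XGVpL-0007JL-14 Completed
2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull P=local S=1951 T="Mail delivery failed: returning message to sender" for carol@example.test
2014-09-24 12:59:49 1XWqqy-00028x-FK == dave@remote.test R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<dave@remote.test>: host mail.remote.test [192.0.2.10]: 451 Temporary local problem - please try later
"""

# Timestamp, optional [pid], message id, optional "flag address", then the tagged fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?: \[(?P<pid>\d+)\])?"
    r" (?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"
    r"(?: (?P<flag><=|=>|->|>>|\*>|\*\*|==) (?P<address>\S+(?: <[^>]*>)?))?"
    r"(?P<rest>.*)$"
)
# KEY=value: either a quoted value (T="subject") or a bare token optionally followed by the
# " (helo name)" and " [ip]:port" parts that the H= field carries.
TAG_RE = re.compile(
    r'(?:^|(?<= ))(?P<key>[A-Za-z0-9]+)='
    r'(?P<val>"(?:[^"\\]|\\.)*"|[^ ]+(?: \([^)]*\))?(?: \[[^\]]*\](?::\d+)?)?)'
)
QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')

@dataclass
class LogLine:
    ts: str
    pid: Optional[str]
    msgid: str
    flag: Optional[str]                 # <=, =>, ->, >>, *>, **, == or None ("Completed" etc.)
    address: Optional[str]
    tags: Dict[str, str] = field(default_factory=dict)
    sender: Optional[str] = None        # "from <...>": the unrewritten original sender
    recipients: List[str] = field(default_factory=list)
    text: str = ""

def _unquote(val: str) -> str:
    if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
        return re.sub(r"\\(.)", r"\1", val[1:-1])   # Exim escapes embedded quotes as \"
    return val

def parse_tags(rest: str) -> Dict[str, str]:
    return {m.group("key"): _unquote(m.group("val")) for m in TAG_RE.finditer(rest)}

def parse_line(line: str) -> Optional[LogLine]:
    """Parse one main-log line; None for lines without a message id (daemon start, SIGHUP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    sender, recipients = None, []
    if m.group("flag") == "<=":
        blanked = QUOTED_RE.sub('""', rest)   # hide the quoted subject so a "for" inside it is ignored
        frm = re.search(r"(?:^| )from <([^>]*)>", blanked)
        fr = re.search(r"(?:^| )for (.+)$", blanked)
        sender = frm.group(1) if frm else None
        recipients = fr.group(1).split() if fr else []
    return LogLine(ts=m.group("ts"), pid=m.group("pid"), msgid=m.group("msgid"),
                   flag=m.group("flag"), address=m.group("address"), tags=parse_tags(rest),
                   sender=sender, recipients=recipients, text=rest.strip())

def summarize(log_text: str) -> Dict[str, dict]:
    """Group lines by message id and work out what happened to each message."""
    msgs: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        ln = parse_line(raw)
        if ln is None:
            continue
        m = msgs.setdefault(ln.msgid, {"sender": None, "recipients": [], "subject": None,
                                       "deliveries": [], "status": "in progress"})
        if ln.flag == "<=":
            m["sender"] = ln.sender or ln.address       # "<>" here marks a bounce message
            m["recipients"] = ln.recipients
            m["subject"] = ln.tags.get("T")             # T= is the subject on arrival lines
        elif ln.flag is not None:
            # on delivery lines R= is the router and T= the transport
            m["deliveries"].append((ln.flag, ln.address, ln.tags.get("R"), ln.tags.get("T")))
            if ln.flag == "**":
                m["status"] = "bounced"
            elif ln.flag == "==" and m["status"] == "in progress":
                m["status"] = "deferred"
        elif ln.text == "Completed":
            m["status"] = "completed"
    return msgs

if __name__ == "__main__":
    for mid, info in summarize(SAMPLE_LOG).items():
        print(mid, info["status"], info["sender"], "->", info["recipients"], repr(info["subject"]))
        for d in info["deliveries"]:
            print("   ", *d)
```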
C/3 Other exim configuration files and folder structure:
[container]
/etc/mailhelo | Configures the HELO name Exim uses when sending from each domain. Records should be represented as: addon-or-subdomain.com: maindomain.com |
/etc/mailips | Specifies the IP addresses from which Exim should send email for each domain. |
/etc/mail_reverse_dns | Specifies the hostnames (reverse DNS) associated with the IP addresses from which Exim should send email. |
/etc/remotedomains | Lists domains whose mail is delivered to a remote (Internet) address rather than locally. |
/etc/localdomains | Lists domains whose mail is delivered to a local address on this server. |
dig mx <domain> | Query DNS for a domain and return its MX records only |
If all of those are valid and pointing to the correct location, the next step is to verify that the mailbox truly exists. Check the mail folder in the user's home directory.
A user's email is stored in /home/user/mail/<domain>/<emailuser>/...
Below is a sample directory structure of an email account:
/home/username/mail (mail folder)
/home/username/etc (configuration files)
/home/username/mail/domain.com (domain)
    admin (email user)
        maildirsize (quota/usage summary, expendable)
        cur (default inbox for read email)
        new (default inbox for unread email)
        Drafts (sample folder)
            cur (read email)
            new (unread email)
C/4 Types of Errors:
C/4.1 Failed 421 - Temporary Failures:
C/4.1.1 Example 1 - Temporarily deferred
There has been a temporary issue; try sending the email again in 72 hours. This is usually a temporary ban by the network you're trying to contact.
Code:
2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=6601: host mta5.am0.yahoodns.net [66.196.118.240]: 421 4.7.0 [GL01] Message from (184.171.253.133) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html
C/4.1.2 Example 2 - Rate limited
Too many emails have been sent to this network and there is a temporary block preventing further emails from being received. As in example 1, give it some time to clear and try again in 72 hours.
Code:
2014-09-12 08:01:12 1XSLn4-003Fa1-OX SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.66.27]: 421-4.7.0 [77.69.28.195 15] Our system has detected an unusual rate of\n421-4.7.0 unsolicited mail originating from your IP address. To protect our\n421-4.7.0 users from spam, mail sent from your IP address has been temporarily\n421-4.7.0 rate limited. Please visit\n421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk\n421 4.7.0 Email Senders Guidelines. q4si1448293wij.85 - gsmtp
C/4.1.3 Example 3 - Permanently deferred
The email will not be delivered because the network has blocked you. Do not try to resend the emails; instead, contact the host you are trying to send the mail to.
Code:
2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1811: host mta7.am0.yahoodns.net [66.66.66.66]: 421 4.7.1 [TS03] All messages from 5.196.113.212 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
C/4.2 Failed 450 - Service timeout:
C/4.2.1 Example 1 - Client Host Rejected
Code:
TO:<[email protected]>: host mx.someaddress.com [20.20.20.20]: 450 4.7.1 Client host rejected: cannot find your hostname, [20.20.20.20] 2014-09-21 16:06:05 1XUKFa-0003bb-EM ** [email protected]>: retry timeout exceeded
C/4.2.2 Example 2 - Client's Host is trying too much
Code:
2014-10-10 10:25:01 1XcKLM-003IGU-Fr SMTP error from remote mail server after RCPT TO:<[email protected]>: host pro-mail-mx-002.bol.com [20.20.20.20]: 450 4.7.1 Service unavai$
C/4.3 Failed 451 - Temporary Local Problem:
A 451 is usually a temporary failure, and trying again in just a few minutes usually allows the message to send. Here are a few examples.
C/4.3.1 Example 1 - Client's Host is unable to send
Code:
2014-09-24 12:59:49 1XWqqy-00028x-FK == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]systems.com>: host gylsystems.com [69.69.69.69]: 451 Temporary local problem - please try later
C/4.3.2 Example 2 - Could not complete sender verify
Code:
2014-11-24 11:25:33 H=localhost (mail.fictional.example) [::1]:49956 sender verify defer for <[email protected]>: require_files: error for /home/aaron/etc/domain.com: Permission denied
2014-11-24 11:25:33 H=localhost (srv-hs1.netsons.net) [::1]:49956 F=<[email protected]> A=dovecot_login:[email protected] temporarily rejected RCPT <[email protected]>: Could not complete sender verify
C/4.4 Failed 452 - Temporary Failures:
C/4.4.1 Example 1 - Domain Size limit exceeded
Code:
2014-09-13 11:37:53 1XSdCz-00049U-5A == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.fictional.example [10.5.40.204]: 452 <[email protected]> Domain size limit exceeded
C/4.5 Failed 550 - Hard Failures:
A 550 is easily one of the most common errors that occurs. So what does it mean? A 550 error code means that your SMTP server isn't able to deliver the sent email to the user. It could be because the mailbox does not exist, because of a misconfiguration, or because of a DNS issue.
C/4.5.1 Example 1 - 550 Verification
In this example, we have a failed message with a 550-verification error:
Code:
2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** [email protected] R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.domain.com [10.5.40.204]: 550-Verification for <[email protected]>\n550-The mail server could not deliver mail to [email protected] The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.\n550 Sender verify failed
Things to check: first, check the files on the server (see the configuration files and folder structure above) and make sure the email is pointing to the correct location.
C/4.5.2 Example 2 - Invalid A, AAAA, MX, or other DNS record
Code:
SMTP error from remote mail server after RCPT TO:: host mail.fictional.example[10.5.40.204]: 550-Sender has no A, AAAA, or MX DNS records. mail.fictional.example\n550 l mail.fictional.example
Verify that the zone file in /etc/named has the correct information. If it appears correct, run named-checkzone domain.com domain.com.db to verify that named is able to load the zone.
C/4.5.3 Example 3 - Mail Rejected 550 errors
Code:
Diagnostic-Code: X-Postfix; host mail1.domain.com [10.5.40.204] said: 550 5.7.1 Message rejected due to content restrictions (in reply to end of DATA command)
When you see an error such as 550 5.7.1
C/4.5.4 Example 4 - Mail Authentication 550 error
Code:
Final-Recipient: rfc822;[email protected]
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client.
550-mail.fictional.example [10.5.40.204]:58133 is not permitted to relay 550 through this server without authentication.
C/4.5.5 Example 5 - Bad HELO Record
Code:
"DHE-RSA-AES256-SHA:256: SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1834: host mail.fictional.example [10.5.40.204..212]: 550 "REJECTED - Bad HELO - Host impersonating [mail.fictional2.example]"
If the client has a lot of IPs, you can check the reverse DNS of every host address with this one-liner:
Code:
ifconfig | grep "inet addr:[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | awk '{print $2}' | sed 's/addr://' | xargs -i host {}
C/4.5.6 Example 6 - Mail Delivery Failure
Code:
2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull P=localS=1951 T="Mail delivery failed: returning message to sender" for [email protected]
A bounce back can come from an invalid address, or the receiving server may have blocked your connection. Check the folder structure template above and verify that the domain exists if possible; also verify that the domain isn't blacklisted in an RBL with a tool such as mxtoolbox or dnsstuff.com.
C/4.6 Failed 553 - Authentication errors:
C/4.6.1 Example 1 - Your domain does not exist
Code:
SMTP error from remote mail server after MAIL FROM:<[email protected]>: host mail.fictional.example [10.5.40.204]: 553 sorry, your domain does not exists.
C/4.6.2 Example 2 - Unable to verify address
Code:
2014-11-26 10:26:32 1XtYro-004Ecv-65 ** [email protected] R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1604: host mail.fictional.example [10.5.40.204]: 553 <[email protected]> unable to verify address
Verify that SMTP authentication has been enabled.
C/4.7 Failed 554 - Rejected due to spam content:
C/4.7.1 Example 1 - Reject
Code:
[15:03:30 hosts5 root /var/log]cPs# grep 1XeRdP-0006JC-FO exim_mainlog
2014-10-15 12:41:11 1XeRdP-0006JC-FO <= <> R=1XeRdF-0006HI-EY U=mailnull P=local S=5445 T="Mail delivery failed: returning message to sender" for [email protected]
2014-10-15 12:41:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XeRdP-0006JC-FO
2014-10-15 12:42:12 1XeRdP-0006JC-FO ** [email protected] R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.fictional.example [10.5.40.204]: 554 rejected due to spam content
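The remote-side errors throughout C/4 share one shape in the log: "SMTP error from remote mail server after <command>: host <name> [<ip>]: <code> ...". The following added example (not from the original page or from cPanel) extracts the command, host, reply code and enhanced status code from such lines, tells 4xx deferrals from 5xx bounces, flags the "permanently deferred" 421 case, and counts errors per remote host; the sample lines are constructed after the examples in this section.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lines modelled on the 4xx/5xx examples in this section (hosts and addresses are made up).
SAMPLE_ERRORS = r"""
2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM:<alice@example.test> SIZE=6601: host mta5.example.net [203.0.113.5]: 421 4.7.0 [GL01] Message from (198.51.100.7) temporarily deferred - 4.16.50. Please refer to https://postmaster.example.net/errors
2014-09-12 08:01:12 1XSLn4-003Fa1-OX SMTP error from remote mail server after end of data: host smtp-in.example.org [203.0.113.27]: 421-4.7.0 [198.51.100.7 15] Our system has detected an unusual rate of\n421-4.7.0 unsolicited mail originating from your IP address.\n421 4.7.0 Please visit https://postmaster.example.org/bulk
2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM:<alice@example.test> SIZE=1811: host mta7.example.net [203.0.113.6]: 421 4.7.1 [TS03] All messages from 198.51.100.7 will be permanently deferred; Retrying will NOT succeed. See https://postmaster.example.net/421-ts03
2014-09-24 12:59:49 1XWqqy-00028x-FK == dave@remote.test R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<dave@remote.test>: host mail.remote.test [192.0.2.10]: 451 Temporary local problem - please try later
2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** bob@other.test R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:<bob@other.test>: host mail.other.test [192.0.2.20]: 550-Verification for <bob@other.test>\n550 Sender verify failed
2014-10-15 12:42:12 1XeRdP-0006JC-FO ** eve@other.test R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.other.test [192.0.2.20]: 554 rejected due to spam content
"""

LINE_START_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?:\[\d+\] )?"
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"
)
# "after <stage>: host <name> [<ip>]: <code><space or dash>[<enhanced status> ]<text>"
# A dash after the code means the remote reply had more lines; Exim joins them with a literal "\n".
SMTP_ERR_RE = re.compile(
    r"SMTP error from remote mail server after (?P<stage>.+?): "
    r"host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3})[ -](?:(?P<esc>\d\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)$"
)

# RFC 5321 meanings, illustrated with the situations this section shows for each code.
MEANINGS = {
    "421": "service not available: the remote network is deferring or rate limiting you",
    "450": "mailbox unavailable for now, e.g. client host rejected because it has no hostname",
    "451": "temporary local problem on the remote side",
    "452": "insufficient storage, e.g. domain size limit exceeded",
    "550": "hard failure: recipient, domain, DNS, relay or policy problem",
    "553": "mailbox name not allowed, e.g. unable to verify address",
    "554": "transaction failed, e.g. rejected due to spam content",
}

def stage_to_command(stage: str) -> str:
    """Map Exim's 'after ...' wording to the SMTP command the remote side rejected."""
    if stage.startswith("MAIL FROM"):
        return "MAIL FROM"
    if stage.startswith("RCPT TO"):
        return "RCPT TO"
    if stage == "end of data":
        return "DATA"   # rejected after the final "." of the message body
    return stage

@dataclass
class SmtpError:
    msgid: Optional[str]
    command: str
    host: str
    ip: str
    code: str
    enhanced: Optional[str]   # RFC 3463 enhanced status code such as 4.7.0, if the remote sent one
    text: str

    @property
    def permanent(self) -> bool:
        return self.code.startswith("5")

    @property
    def meaning(self) -> str:
        return MEANINGS.get(self.code, "reply code not covered here")

    @property
    def outcome(self) -> str:
        if self.permanent:
            return "bounced (**): Exim gives up and returns the message to the sender"
        if "retrying will not succeed" in self.text.lower():
            return "deferred (==), but the remote side says retrying will not help: contact that host"
        return "deferred (==): Exim retries until its retry timeout is exceeded"

def parse_smtp_error(line: str) -> Optional[SmtpError]:
    m = SMTP_ERR_RE.search(line)
    if not m:
        return None
    start = LINE_START_RE.match(line)
    return SmtpError(msgid=start.group("msgid") if start else None,
                     command=stage_to_command(m.group("stage")),
                     host=m.group("host"), ip=m.group("ip"), code=m.group("code"),
                     enhanced=m.group("esc"), text=m.group("text"))

def summarize_errors(log_text: str) -> Tuple[List[SmtpError], Counter]:
    """Parse every remote SMTP error in the log and count them by (reply code, remote host)."""
    errors = [e for e in (parse_smtp_error(l) for l in log_text.splitlines()) if e]
    return errors, Counter((e.code, e.host) for e in errors)

if __name__ == "__main__":
    errors, counts = summarize_errors(SAMPLE_ERRORS)
    for e in errors:
        print(f"{e.msgid} {e.command} -> {e.host} [{e.ip}] {e.code} {e.enhanced or '-'}: {e.meaning}; {e.outcome}")
    for (code, host), n in sorted(counts.items()):
        print(f"{n:3d} x {code} from {host}")
```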
/D/ SpamBox & SpamAssassin log entries
Both SpamBox and SpamAssassin are used to prevent unwanted mail: SpamAssassin is responsible for scoring and flagging emails, while SpamBox automatically moves email that SpamAssassin has flagged into the spam folder. Here are a few examples of what an allowed email looks like as well as an email that has been flagged as spam.
D/1 SpamBox:
D/1.1 Example 1 - Mail flagged as spam is forwarded:
In this example, SpamAssassin flags the email as spam and SpamBox delivers it to the spam folder configured inside the user's cPanel account (note the virtual_user_spam router and virtual_userdelivery_spam transport on the delivery line).
Code:
2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.fictional.example [10.5.40.204]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
2014-10-01 15:12:26 1XZKdg-0001g3-JS <=10.5.40.204 H=mail.fictional.example [10.5.40.204]:4779 P=esmtp S=491878 [email protected] T="Payment confirmation: 7037487121" for [email protected]
2014-10-01 15:12:26 1XZKdg-0001g3-JS => aaron <[email protected]> R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
2014-10-01 15:30:35 1XZKvG-0002HW-ML H=(12-12-12-12.domain.net) [10.5.40.204]:65376 Warning: "SpamAssassin as marka22 detected message as spam (7.2)"
2014-10-01 15:30:35 1XZKvG-0002HW-ML <= [email protected] H=(12-12-12-12.domain.net) [10.5.40.204]:65376 P=esmtp S=519381 [email protected] T="Payment confirmation: 7037487121" for [email protected]
2014-10-01 15:30:35 1XZKvG-0002HW-ML => mark <[email protected]> R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:30:35 1XZKvG-0002HW-ML Completed
D/2 SpamAssassin:
D/2.1 Example 2 - Allowed email:
In our second example, SpamAssassin scans the email and allows it through; the two Warning lines show the virus scan result and the (negative) spam score.
Code:
2014-09-10 13:06:55 1XRlM6-003yMv-KG H=mail.fictional.example [10.5.40.204]:46793 Warning: Message has been scanned: no virus or other harmful content was found
2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.fictional.example[10.5.40.204]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
2014-09-10 13:06:56 1XRlM6-003yMv-KG <= [email protected] H=mail.fictional.example [10.5.40.204]:46793 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:[email protected] S=18635 T="14\" plates" for [email protected]
2014-09-10 13:06:56 1XRlM6-003yMv-KG SMTP connection outbound 1410368816 1XRlM6-003yMv-KG domain.com [email protected]
2014-09-10 13:07:22 1XRlM6-003yMv-KG => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=mail.fictional.example [10.5.40.204] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 OK id=1XRlMC-0006w5-F4"
2014-09-10 13:07:22 1XRlM6-003yMv-KG Completed
Code:
Warning: Message has been scanned: no virus or other harmful content was found
SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)
D/2.2 Example 3 - Flagged email:
In our last example, the email is not allowed through and is marked as spam by SpamAssassin: "SpamAssassin as sfgthib detected message as spam (998.0)"
Code:
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: "SpamAssassin as sfgthib detected message as spam (998.0)"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: Message has been scanned: no virus or other harmful content was found
2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= [email protected] H=mail.fictional.example [10.5.40.204]:42603 P=esmtps X=TLSv1:RC4-SHA:128 S=3411 [email protected]l.com T="test" for [email protected]
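As an added example (not part of the original page or of cPanel's tooling), the script below joins each message's SpamAssassin Warning lines with its arrival and delivery lines, so you can see the score, whether SpamBox filed the message via the *_spam router and transport, and which spam-flagged messages still reached an inbox; the log lines are constructed after the entries in this section.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed lines modelled on the SpamBox / SpamAssassin entries in this section (made-up hosts and users).
SAMPLE_SPAM_LOG = r"""
2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.sender.test [203.0.113.40]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
2014-10-01 15:12:26 1XZKdg-0001g3-JS <= billing@sender.test H=mail.sender.test [203.0.113.40]:4779 P=esmtp S=491878 id=7037487121@sender.test T="Payment confirmation: 7037487121" for mark@example.test
2014-10-01 15:12:26 1XZKdg-0001g3-JS => mark <mark@example.test> R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
2014-09-10 13:06:55 1XRlM6-003yMv-KG H=mail.example.test [198.51.100.2]:46793 Warning: Message has been scanned: no virus or other harmful content was found
2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.example.test [198.51.100.2]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
2014-09-10 13:06:56 1XRlM6-003yMv-KG <= alice@example.test H=mail.example.test [198.51.100.2]:46793 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@example.test S=18635 T="14\" plates" for bob@remote.test
2014-09-10 13:07:22 1XRlM6-003yMv-KG => bob@remote.test R=dkim_lookuphost T=dkim_remote_smtp H=mail.remote.test [192.0.2.10] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 OK id=1XRlMC-0006w5-F4"
2014-09-10 13:07:22 1XRlM6-003yMv-KG Completed
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-relay.example.org [198.51.100.68]:42603 Warning: "SpamAssassin as carol detected message as spam (998.0)"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= sender@example.org H=mail-relay.example.org [198.51.100.68]:42603 P=esmtps X=TLSv1:RC4-SHA:128 S=3411 id=x1@example.org T="test" for carol@example.test
2014-11-06 09:14:13 1XmNp0-0005Qp-MR => carol <carol@example.test> R=virtual_user T=virtual_userdelivery
2014-11-06 09:14:13 1XmNp0-0005Qp-MR Completed
"""

LINE_RE = re.compile(r"^\S+ \S+ (?:\[\d+\] )?(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})(?P<rest>.*)$")
SA_RE = re.compile(
    r'Warning: "SpamAssassin as (?P<user>\S+) detected (?P<outgoing>OUTGOING smtp )?message as '
    r'(?P<not>NOT )?spam \((?P<score>-?\d+(?:\.\d+)?)\)"'
)
VIRUS_RE = re.compile(r"Warning: Message has been scanned: no virus")
ARRIVAL_RE = re.compile(r"^ <= (?P<sender>\S+)")
SUBJECT_RE = re.compile(r' T="((?:[^"\\]|\\.)*)"')
DELIVERY_RE = re.compile(r"^ (?:=>|->) (?P<addr>\S+(?: <[^>]*>)?).*? R=(?P<router>\S+) T=(?P<transport>\S+)")

@dataclass
class SpamVerdict:
    msgid: str
    user: Optional[str] = None          # account SpamAssassin ran as ("SpamAssassin as <user>")
    score: Optional[float] = None
    is_spam: Optional[bool] = None
    outgoing: bool = False              # "OUTGOING smtp message": scanned by the outgoing scanner
    virus_scanned: bool = False
    sender: Optional[str] = None
    subject: Optional[str] = None
    delivered_to: List[str] = field(default_factory=list)
    spambox: bool = False               # delivered by a *_spam router/transport, i.e. SpamBox filed it

def spam_report(log_text: str) -> Dict[str, SpamVerdict]:
    """Join each message's SpamAssassin warnings with its arrival and delivery lines."""
    report: Dict[str, SpamVerdict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        v = report.setdefault(m.group("msgid"), SpamVerdict(m.group("msgid")))
        rest = m.group("rest")
        sa = SA_RE.search(rest)
        if sa:
            v.user, v.score = sa.group("user"), float(sa.group("score"))
            v.is_spam = sa.group("not") is None
            v.outgoing = sa.group("outgoing") is not None
        if VIRUS_RE.search(rest):
            v.virus_scanned = True
        arr = ARRIVAL_RE.match(rest)
        if arr:
            v.sender = arr.group("sender")
            subj = SUBJECT_RE.search(rest)
            v.subject = re.sub(r"\\(.)", r"\1", subj.group(1)) if subj else None   # undo \" escaping
        dlv = DELIVERY_RE.match(rest)
        if dlv:
            v.delivered_to.append(dlv.group("addr"))
            if dlv.group("router").endswith("_spam") or dlv.group("transport").endswith("_spam"):
                v.spambox = True
    return report

def flagged_but_not_quarantined(report: Dict[str, SpamVerdict]) -> List[str]:
    """Incoming messages SpamAssassin marked as spam that were still delivered normally (SpamBox off)."""
    return [v.msgid for v in report.values()
            if v.is_spam and v.delivered_to and not v.spambox and not v.outgoing]

if __name__ == "__main__":
    rep = spam_report(SAMPLE_SPAM_LOG)
    for v in rep.values():
        verdict = "spam" if v.is_spam else "not spam"
        print(f"{v.msgid} {verdict} ({v.score}) as {v.user} from {v.sender} {v.subject!r} -> {v.delivered_to} spambox={v.spambox}")
    print("flagged but delivered to inbox:", flagged_but_not_quarantined(rep))
```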
/E/ Conclusion:
Now that you've had a chance to get your feet wet with the Exim configuration and logging, I hope this article provides the resources you need to review exim_mainlog to check for spam, or to confirm that an email was sent or received. Sometimes reading this log can be confusing and not make a lot of sense. With Exim's more verbose logging, the commands built around Exim and the additional utilities written for it, you should be able to review the log in detail and determine whether there is an issue with the mail transport agent. You can find further documentation on Exim and its logs directly from Exim at Documentation for Exim.
If you have any comments or feedback, please feel free to use the Discussion tab.
*Resource will be edited as new information is found
Revised 2015-01-28