JesusS.

Basic Exim commands


View all messages in the exim queue:
Code:
exim -bp
View only undelivered messages in the exim queue:
Code:
exim -bpu
View the number of messages in the exim queue:
Code:
exim -bpc
Viewing information about a message

The -M flag for exim by itself tells exim to attempt to deliver the specified message IDs. However, when used with the flags below, it is a useful tool for viewing information about the message.

View the headers of an individual message:
Code:
exim -Mvh <exim-ID>
View the body of an individual message:
Code:
exim -Mvb <exim-ID>
View both the headers and body of a message:
Code:
exim -Mvc <exim-ID>
Test if messages to an address will be delivered locally, or routed remotely:
Code:
exim -bt <address>
This is determined by the files /etc/remotedomains and /etc/localdomains. If a domain is present in localdomains, exim will automatically attempt routing the domain to a local mailbox. If it's not in localdomains, then it will check /etc/remotedomains and then attempt delivering to the MX host.

Exigrep
If you want to view log entries related to a transaction, you can use the exigrep command to do so. It will not only search for the pattern you give it, but it will also return related transactions.

Code:
exigrep <pattern> <log-file> <log-file> ...
Exiqsumm
Exiqsumm is a rather simple utility that outputs the number of messages and the age of the newest and oldest messages per domain in the following format:

Code:
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------
 
    2   109KB      9h      5h  cent6-64.cptechs.com
---------------------------------------------------------------
    2   109KB      9h      5h  TOTAL
To invoke it, you must pipe the output of exim -bp or exim -bpu to it:

Code:
exim -bp | exiqsumm
Exiqgrep
Exiqgrep is a standalone utility that allows you to search for specific information from the exim queue without having to use pipes. From its man page, the available flags are:

Code:
-f <regexp>
Match sender address (field is "< >" wrapped)
-r <regexp>
Match recipient address
-s <regexp>
Match against the site field from long output
-y <seconds>
Message younger than
-o <seconds>
Message older than
-z
Frozen messages only (exclude non-frozen)
-x
Non-frozen messages only (exclude frozen)
-c
Display match count
-l
Long Format [Default]
-i
Message IDs only
-b
Brief Format
-R
So in order to check the exim queue for messages originating from a particular sender address, you'd use:

Code:
exiqgrep -f <sender-address>
You can also check for messages destined for a certain recipient:

Code:
exiqgrep -r <recipient-address>
Or just return a list of Exim ID's:

Code:
exiqgrep -i
Eximstats
Eximstats is yet another useful utility, which will gather hourly statistics for you. It's quite handy for tracking which times you have the most mail traffic:

Code:
eximstats -nr /var/log/exim_mainlog
eximstats -bydomain /var/log/exim_mainlog
eximstats -byhost /var/log/exim_mainlog
Sample Output:
Code:
[~]# eximstats -bydomain /var/log/exim_mainlog

Exim statistics from 2014-12-22 00:53:36 to 2014-12-23 08:00:02

Grand total summary
-------------------
                                                                  At least one address
  TOTAL               Volume   Messages Addresses   Domains      Delayed       Failed
  Received             901KB         36                   1       0  0.0%      6 16.7%
  Delivered             56KB         30        30         1

Deliveries by transport
-----------------------
                      Volume    Messages
  remote_smtp           56KB          30

Messages received per hour (each dot is 1 message)
--------------------------------------------------

00-01      2 ..
01-02      2 ..
02-03      0
03-04      2 ..
04-05      0
05-06      0
06-07      0
07-08      0
08-09      2 ..
09-10      0
10-11      0
11-12      0
12-13      0
13-14      0
14-15      0
15-16      0
16-17      0
17-18      0
18-19     26 ..........................
19-20      2 ..
20-21      0
21-22      0
22-23      0
23-24      0

Deliveries per hour (each dot is 1 delivery)
--------------------------------------------

00-01      0
01-02      2 ..
02-03      0
03-04      0
04-05      0
05-06      0
06-07      0
07-08      0
08-09      0
09-10      0
10-11      0
11-12      0
12-13      0
13-14      0
14-15      0
15-16      0
16-17      0
17-18      0
18-19     26 ..........................
19-20      2 ..
20-21      0
21-22      0
22-23      0
23-24      0

Time spent on the queue: all messages
-------------------------------------
Under   1m       33  94.3%   94.3%
Over    1d        2   5.7%  100.0%


Time spent on the queue: messages with at least one remote delivery
-------------------------------------------------------------------
Under   1m       30 100.0%  100.0%


No relayed messages
-------------------
Top 50 sending domains by message count
---------------------------------------
  Messages      Bytes    Average   Sending domain
        36      901KB       25KB   localdomain

Top 50 sending domains by volume
--------------------------------
  Messages      Bytes    Average   Sending domain
        36      901KB       25KB   localdomain
Top 50 local senders by message count
-------------------------------------
  Messages      Bytes    Average   Local sender
        32      685KB       21KB   root
         3      214KB       71KB   mailnull
         1       1522       1522   mailman

Top 50 local senders by volume
------------------------------
  Messages      Bytes    Average   Local sender
        32      685KB       21KB   root
         3      214KB       71KB   mailnull
         1       1522       1522   mailman

Top 50 domain destinations by message count
-------------------------------------------
  Messages  Addresses      Bytes    Average   Domain destination
        30         30       56KB       1911   cpanel.net

Top 50 domain destinations by volume
------------------------------------
  Messages  Addresses      Bytes    Average   Domain destination
        30         30       56KB       1911   cpanel.net

List of errors
--------------
    1 <address> R=fail_remote_domains:
        The mail server could not deliver mail to <address>.
        The account or domain may not exist, they may be blacklisted,
        or missing the proper dns entries.

    7 <address> R=fail_remote_domains: The
        mail server could not deliver mail to <address>.
        The account or domain may not exist, they may be blacklisted,
        or missing the proper dns entries.

Errors encountered: 8
---------------------
You can find more flags in the eximstats(8) man page.

Manipulating messages in the queue

Remove messages from the queue:
Code:
exim -Mrm <exim-ID> <exim-ID> ...
Thaw frozen messages:
Code:
exim -Mt <exim-ID> <exim-ID> ...
Attempt delivery of messages:
Code:
exim -M <exim-ID> <exim-ID> ...
One-liners for managing Exim:

Process and attempt delivery of all unfrozen messages in the queue:
Code:
exim -q -v
Clearing the Exim Queue
Clearing a moderate queue with exim -Mrm
This command takes the current exim queue in its entirety, extracts the exim message IDs, and passes them to exim -Mrm, which is the command for removing messages from the queue.

Code:
exim -bp | exiqgrep -i | xargs exim -Mrm
Clearing an extremely large exim queue

This one-liner stops exim, kills all remaining exim processes, cleans out the mail queue and mail DB at the file level, then starts exim:

Code:
touch /etc/eximdisable; echo Stopping Exim...; service exim stop; sleep 10; killall exim; sleep 5; killall -9 exim; echo Clearing out the Exim spool...; find /var/spool/exim/{db,input,msglog} -type f -delete; echo Starting Exim...; rm -f /etc/eximdisable; /scripts/restartsrv_exim; echo Done.;
Source: Cpanel Exim How To Clear The Mail Queue | Server Sitters

Investigating large amounts of mail

Find amount of emails sent per login:

Code:
grep -oP  "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t
When there's an extraordinarily large amount of SMTP-authenticated mail concentrated within 1 to 5 email accounts, this is usually indicative of a password compromise. It would be advisable to change the affected email account's password, as well as the cPanel user's for good measure.
In cases where the queue is extremely large, this may be of better use:

Code:
grep auth_id /var/spool/exim/input/*/*
Find amount of emails sent per CWD:

When there aren't many SMTP Authenticated emails, it's usually a script that is sending messages out. It could be something as innocuous as a Tell-A-Friend script that is unprotected against automation, or it could be a compromised script, usually as a result of an unpatched or outdated CMS or plugin. You'll want to analyze the timestamps in the affected directory, though sometimes the headers will tell you the filename of the script.

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
Note: Extended logging should be enabled in exim for best results.

Print out all headers in the exim queue
Only do this on small to moderately sized queues. Otherwise you'll end up with a high load.

Code:
for i in $(exiqgrep -i); do exim -Mvh "$i"; done

Miscellaneous

Fix eximstats db
Code:
mysqlcheck -r --use-frm eximstats
You would typically do this when the Mail Delivery Reports in WHM are not returning any results.

Recreate eximstats db:
Code:
/usr/local/cpanel/bin/updateeximstats
Smart hosts / SMTP Relay:
If you're seeing errors like this in the exim logs, and you cannot telnet to any mail servers on port 25, the service provider may be blocking the connection. One common example is GoDaddy, which has its own SMTP Relay servers that must be added to exim as smart hosts:

Code:
retry time not reached for any host after a long failure period
Connection timed out
retry timeout exceeded
GoDaddy has a set of instructions for configuring this:
http://support.godaddy.com/help/art...r-on-your-linux-server-using-cpanel?locale=en

Our own documentation, however, may be more reliable:
http://documentation.cpanel.net/display/1144Docs/Exim+Mail#EximMail-Smarthostsupport

Exim logging / log_selector:
You can change the logging settings, or log_selector, in WHM >> Service Configuration >> Exim Configuration Manager >> Advanced Editor >> Config
This option can be used to reduce or increase the number of things that Exim writes to its log files. Its argument is made up of names preceded by plus or minus characters. For example:
Code:
+arguments -retry_defer
A list of possible names and what they control is given in the chapter on logging, in section 51.15 of the exim documentation (chapter 51, Log files).

Note that cPanel will always enable these mandatory options in your configuration.
Code:
+incoming_port +smtp_connection +all_parents
The following default options will also be enabled except when you specify a negative form.
Code:
-retry_defer +subject +arguments +received_recipients
This is the default setting set by cPanel:
Code:
+incoming_port +smtp_connection +all_parents -retry_defer +subject +arguments +received_recipients
The following is the recommended setting for extended logging:

Code:
+address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
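
The per-login and per-CWD counts from "Investigating large amounts of mail", as an added example that is not part of the original post: it counts only arrival lines, ignores anything inside the Subject field (which the sender controls and which the grep one-liner would also match), and lists sources at or above a threshold. The function names, the threshold, the sample log lines and the exclusion of /var/spool/exim are assumptions of this example; it expects the log layout shown, with the message ID in the third field.

```shell
#!/bin/sh
# Added example, not from the original post. Log lines below are constructed.
sample_log() {
cat <<'EOF'
2014-12-22 18:01:10 1Y3AAA-0000aa-01 <= bob@example.com H=(pc) [203.0.113.5]:50111 P=esmtpa A=dovecot_login:bob@example.com S=1400 T="hello" for a@example.net
2014-12-22 18:01:11 1Y3AAB-0000aa-02 <= bob@example.com H=(pc) [203.0.113.5]:50112 P=esmtpa A=dovecot_plain:bob@example.com S=1400 T="hello" for b@example.net
2014-12-22 18:01:12 1Y3AAC-0000aa-03 <= bob@example.com H=(pc) [203.0.113.5]:50113 P=esmtpa A=dovecot_login:bob@example.com S=1400 T="hello" for c@example.net
2014-12-22 18:01:13 1Y3AAD-0000aa-04 <= amy@example.com H=(pc) [198.51.100.7]:40001 P=esmtpa A=dovecot_login:amy@example.com S=900 T="minutes" for d@example.net
2014-12-22 18:02:00 cwd=/home/acct/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2014-12-22 18:02:00 1Y3AAE-0000aa-05 <= acct@host.example.com U=acct P=local S=700 T="see A=dovecot_login:bob@example.com now" for e@example.net
2014-12-22 18:02:01 cwd=/home/acct/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2014-12-22 18:02:01 1Y3AAF-0000aa-06 <= acct@host.example.com U=acct P=local S=700 T="win" for f@example.net
2014-12-22 18:02:05 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF
}

# Messages accepted per SMTP AUTH login. Only "<=" (arrival) lines count, and
# scanning stops at T=" because the Subject text is chosen by the sender.
auth_counts() {
  awk '$4 == "<=" {
    for (i = 6; i <= NF; i++) {
      if ($i ~ /^T="/) break
      if ($i ~ /^A=dovecot_(login|plain):/) {
        id = $i; sub(/^A=[^:]+:/, "", id); n[id]++; break
      }
    }
  } END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2,2
}

# Exim invocations per working directory (needs +arguments in log_selector).
# Skipping the spool directory (queue runs) is an assumption of this example.
cwd_counts() {
  awk '$3 ~ /^cwd=/ && $3 !~ /^cwd=\/var\/spool\/exim/ {
    d = $3; sub(/^cwd=/, "", d); n[d]++
  } END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2,2
}

# usage: suspects LOGFILE THRESHOLD -> "auth|cwd <source> <count>" lines
suspects() {
  auth_counts "$1" | awk -v t="$2" '$1 >= t { print "auth", $2, $1 }'
  cwd_counts  "$1" | awk -v t="$2" '$1 >= t { print "cwd", $2, $1 }'
}

log=${1:-$(mktemp)}
[ -s "$log" ] || sample_log > "$log"
suspects "$log" "${2:-2}"
```

Run it as `sh script.sh /var/log/exim_mainlog 500` to list every login or directory with at least 500 entries; with no arguments it runs against the constructed sample.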