SOLVED How to get decent exim mainlog with all information?

rhm.geerts

I want to see how mail is delivered. I'm used to look into the exim_mainlog for this.
Normally I see traffic like this with also part of the title of the email:

Code:
2021-06-27 09:12:33 1lxOxx-0008TV-HF <= [email protected] H=r64.p44.neolane.net [172.82.233.64] P=esmtp S=80480 DKIM=news.douglas.nl [email protected] T="World Fragrance Day: alleen vandaag 25% korting* op alle geuren en geursets" from <[email protected]> for [email protected]
etc.
and last line like this:
Code:
256-GCM-SHA384:256 CV=yes C="250 2.0.0 Ok: queued as0b1ff653-d717-11eb-b4d2-00505699f653"
2021-06-27 09:12:34 1lxOxx-0008TV-HF Completed
I already changed the log_selector to +all but nothing changed.
The Exim log in cPanel only gives me connections like this:
Code:
2021-06-29 16:27:41.716 [20040] 1lyEiA-0005D6-1t SMTP connection outbound 1624976861 1lyEiA-0005D6-1t customerdomain.nl [email protected]
2021-06-29 16:27:41.942 [20040] 1lyEiA-0005D6-1t => user <[email protected]> F=<[email protected]> P=<bounce-xxxxxxxxxxxx.xxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxx> R=virtual_user T=dovecot_virtual_delivery S=42149 C="250 2.0.0 <[email protected]> XXnrLt0t22BQTgAA84uWjQ Saved" QT=3.883s DT=0.161s
So I don't see any title from the email. This is incoming mail, for outgoing mail I don't see "queued for delivery" or "completed" or anything.
How can I fix this so I can see all in my exim maillog?
 

andrew.n

The "Mail Queue" in WHM GUI wouldn't show what you want? It can also be fetched with:

exim -bp

via SSH.
 

cPRex

Hey there! You should see all of those entries in the log by default. Here is a root login notification from CSF from my personal server, so that is an outbound message (which is also currently blocked by ATT/Yahoo, so my host is investigating that)

Code:
2021-06-29 09:12:20 1lyDXI-00060A-DX <= [email protected] U=root P=local S=598 T="lfd on host.domain.com: WHM/cPanel root access alert from 1.2.3.4 (US/United States/hou-2.n" for root
2021-06-29 09:12:20 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lyDXI-00060A-DX
2021-06-29 09:12:20 1lyDXI-00060A-DX Sender identification U=root D=-system- S=root
2021-06-29 09:12:21 1lyDXI-00060A-DX ** [email protected] <[email protected]> R=lookuphost T=remote_smtp H=ff-ip4-mx-vip2.prodigy.net [144.160.159.22]: SMTP error from remote mail server after MAIL FROM:<[email protected]>: 553 5.3.0 flpd593 DNSBL:RBL 521< 1.2.3.4 >_is_blocked.For assistance forward this error to [email protected]
2021-06-29 09:12:21 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1lyDXI-00060A-DX
2021-06-29 09:12:21 1lyDXI-00060A-DX Completed
I always recommend searching for the full mail ID, in this case 1lyDXI-00060A-DX, to see everything in the logs about the message.
 

rhm.geerts

> The "Mail Queue" in WHM GUI wouldn't show what you want? It can also be fetched with:

No, because I'm not looking to display a mail queue, hence the exim -bp command won't help either.
I'm looking for the mail traffic logs which should appear in the exim logs, like in the example given.

@cPRex Well... I certainly can't find any titles like in my example of the log.
I found some "queued mail for delivery" and "completed" but nothing like:
T="World Fragrance Day: alleen vandaag 25% korting* op alle geuren ....etc." which I can see on DA servers in the Exim logs, so it should be possible.

> I always recommend searching for the full mail ID

Then you already have to know the mail ID to look for. I'd rather search titles, which works way faster because they are easier to find.
Next to that, I wouldn't know how to get a mail ID when I'm trying to investigate what happens to certain mail which is sent through our system; then I search for the sending email address.
When I see the titles of the mail, I can verify that I'm looking at the correct mail.

I know there's a mail tracking system in the users options, but I should be able to do the same via the exim logs too.
 

cPRex

If you wanted to search by subject, I would do this, using the email above as my example:

Code:
# grep "root access" /var/log/exim_mainlog
2021-06-29 09:12:20 1lyDXI-00060A-DX <= [email protected] U=root P=local S=598 T="lfd on host.hattmonkey.com: WHM/cPanel root access alert from 1.2.3.4 (US/United States/hou-2.n" for root
That first search will get you the mail ID, and then you can use that to perform a second search:

Code:
grep 1lyDXI-00060A-DX /var/log/exim_mainlog
and that will get you the full mail transaction.

If you have the "exigrep" command installed, which most cPanel machines should, you can do this and that will show you the full transaction in one step:

Code:
exigrep 1lyDXI-00060A-DX /var/log/exim_mainlog
 

rhm.geerts

Yes, but that is rather devious. It must be possible to get part of the subject in the logs, correct?
I work a lot faster on the DA exim logs with nano and the search function: no mail ID needed, no need to look or search for it.
 

cPRex

In my example that was the subject of the message. Here is one where the subject is more obvious:

Code:
2021-06-29 13:16:40 1lyHLi-0003jH-6d <= [email protected] H=mail-lj1-f171.google.com [209.85.208.171]:39557 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4286 [email protected]l.com T="Subject line test" for [email protected]
The "T=" section is the subject of the message.

You would be able to open the /var/log/exim_mainlog file just the same on a cPanel machine with nano.
 
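As an added example that is not from this thread, the shell script below automates the two-step search cPRex describes (a subject match to find the mail ID, then every line for that ID, which is what exigrep does in one step) and only treats T="..." on the "<=" arrival line as the subject, so T=remote_smtp or T=dovecot_virtual_delivery on delivery lines never match. It also accepts the "[pid]" field that log_selector +all adds to each line. The sample log, function names and example.com addresses are my own constructions; on a real cPanel host point LOG at /var/log/exim_mainlog.

```shell
#!/bin/sh
# Added example, not code from the thread. Subjects only appear as T="..." on
# the "<=" arrival line; T=remote_smtp / T=dovecot_virtual_delivery on "=>" and
# "**" lines name the transport and are skipped. With log_selector +all every
# line carries a "[pid]" field after the timestamp, which shifts the ID column.

exim_ids_for_subject() {
    # $1 = substring of the subject, $2 = log file -> unique message IDs
    grep -F -- "$1" "$2" | awk '
        index($0, "T=\"") {
            # with +pid the ID is field 4 and the arrow field 5, otherwise 3 and 4
            if ($3 ~ /^\[/) { id = $4; arrow = $5 } else { id = $3; arrow = $4 }
            if (arrow == "<=") print id
        }' | sort -u
}

exim_transaction() {
    # $1 = message ID, $2 = log file -> every line that mentions the ID
    grep -F -- "$1" "$2"
}

exim_search_subject() {
    # Both steps at once: the full transaction of each ID whose subject matches $1
    for id in $(exim_ids_for_subject "$1" "$2"); do
        exim_transaction "$id" "$2"
        echo
    done
}

write_sample_log() {
    # Constructed sample log in both formats seen in this thread (IDs from the thread)
    cat > "$1" <<'EOF'
2021-06-29 13:16:40 1lyHLi-0003jH-6d <= sender@example.com H=mail.example.net [192.0.2.10] P=esmtps S=4286 T="Subject line test" for user@example.com
2021-06-29 13:16:40 1lyHLi-0003jH-6d => user <user@example.com> R=virtual_user T=dovecot_virtual_delivery S=4300
2021-06-29 13:16:40 1lyHLi-0003jH-6d Completed
2021-06-29 16:27:41.716 [20040] 1lyDXI-00060A-DX <= root@host.example.com U=root P=local S=598 T="WHM/cPanel root access alert" for root
2021-06-29 16:27:41.942 [20040] 1lyDXI-00060A-DX ** root@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]: 553 5.3.0 blocked
2021-06-29 16:27:41.950 [20040] 1lyDXI-00060A-DX Completed
EOF
}

# Stand-alone demo on the constructed sample; use LOG=/var/log/exim_mainlog for real data
LOG=$(mktemp)
write_sample_log "$LOG"
exim_search_subject "root access" "$LOG"
rm -f "$LOG"
```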

rhm.geerts

Ah yes, found it now. At first I encountered several T=dkim_remote_smtp but further on there indeed were the T="some subject" so I have to search for T=" instead of T=.
That explains it for me.

I know I can use nano on this server too, but it was just the subject. Something else must be going on then. The customer which I'm investigating is sending and stating the mail is going out. When tailing the exim mainlog, I only saw connections made from this customer, so I thought the mail and subject were not displayed, and on the first few searches I encountered that T=DKIM stuff which got me confused.
So it must probably be that their Exchange server says their mail is sent, but our cPanel server did not receive it. Sending from webmail on their account works fine, so probably something is wrong with their Exchange server then.

At least now I'm able to search further to see what's going wrong with this customer.

You can put this one on fixed.
Thank you!