
Reading and Understanding the exim main_log

Discussion in 'E-mail Discussions' started by cPanelAaronH, Dec 31, 2014.

    Reading and Understanding the exim_mainlog


    At cPanel, we get a variety of tickets asking about different types of mail errors. I've been working on an Exim guide that will help you determine just what might be the cause of the errors you're receiving.

    Exim, what a topic. For some, setting up Exim's configuration and troubleshooting, as well as simply reading the logs, could be as daunting as setting up custom configurations for Apache with SSL reverse proxies on a high-availability load balancer. Thankfully, that’s not the case. Exim is not terribly difficult to read or understand, plus there is rather great documentation. Exim is one of the most widely used MTAs (Mail Transfer Agents) today. With a few tweaks to the configuration you will soon be a wizard at reading and understanding what the Exim log contains. By modifying the Exim configuration, we will be able to produce much more verbose log output. This will lead to an easier-to-read and faster method to determine just what exactly is going on with the server's MTA.

    SECTIONS:

    • /A/ Enabling Verbose Logging
      • A/1 Modifying the log_selector
      • A/2 Logging Options
      • A/3 Configuration Files

    • /B/ Available Commands
      • B/1 Available commands under exim:
      • B/2 Command examples:
      • B/3 Other Commands under exim:

    • /C/ Error Messages and Possible Solutions
      • C/1 Log delivery entries found in exim_mainlog:
      • C/2 Successful messages sent and received:
      • C/3 Other exim configuration files and folder structure:
      • C/4 Types of Errors:
        • Failed 421 - Temporary Failures:
          • C/4.1.1 Example 1 - Temporarily deferred
          • C/4.1.2 Example 2 - Rate limited
          • C/4.1.3 Example 3 - Permanently deferred
        • Failed 450 - Service timeout:
          • C/4.2.1 Example 1 - Client Host Rejected
          • C/4.2.2 Example 2 - Clients Host is trying too much
        • Failed 451 - Temporary Local Problem:
          • C/4.3.1 Example 1 - Clients Host is unable to send
          • C/4.3.2 Example 2 - Could not complete sender verify
        • Failed 452 - Temporary Failures:
          • C/4.4.1 Example 1 - Domain Size limit exceeded
        • Failed 550 - Hard Failures:
          • C/4.5.1 Example 1 - 550 Verification
          • C/4.5.2 Example 2 - Invalid A, AAAA, MX, or other DNS record
          • C/4.5.3 Example 3 - Mail Rejected 550 errors
          • C/4.5.4 Example 4 - Mail Authentication 550 error
          • C/4.5.5 Example 5 - Bad HELO Record
          • C/4.5.6 Example 6 - Mail Delivery Failure
        • Failed 553 - Authentication errors:
          • C/4.6.1 Example 1 - Your domain does not exists
          • C/4.6.2 Example 2 - Unable to verify address
        • Failed 554 - rejected due to spam content:
          • C/4.7.1 Example 1 - Reject

    • /D/ SpamBox & SpamAssassin log entries
      • D/1 SpamBox:
        • C/5.1.1 Example 1 - Mail flagged as spam is forwarded:
      • D/2 SpamAssassin:
        • C/5.1.1 Example 1 - Allowed email:
        • C/5.1.1 Example 3 - Flagged email:
    • Conclusion



    /A/ Modifying Exim to Enable Verbose Logging

    A/1 Modifying the log_selector

    The first thing we need to do is to get better output from our log. By default, Exim is not set to log every piece of information. To change this, we first need to log in to the WHM interface and navigate to Home » Service Configuration » Exim Configuration Manager » Advanced Editor. Find the section "log_selector" and replace it with one of the following.

    Code:
    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
    
    Or, we can be lazy and just use:

    Code:
    log_selector = +all
    
    Regardless of which you choose, here's what each option means.

    A/2 Logging Options:
    address_rewrite This applies both to global rewrites and per-transport rewrites, but not to rewrites in filters run as an unprivileged user (because such users cannot access the log).
    all_parents Normally only the original and final addresses are logged on delivery lines; with this selector, intermediate parents are given in parentheses between them.
    arguments This causes Exim to write the arguments with which it was called to the main log, preceded by the current working directory. This is a debugging feature, added to make it easier to find out how certain MUAs call /usr/sbin/sendmail. The logging does not happen if Exim has given up root privilege because it was called with the -C or -D options. Arguments that are empty or that contain white space are quoted. Non-printing characters are shown as escape sequences. This facility cannot log unrecognized arguments, because the arguments are checked before the configuration file is read. The only way to log such cases is to interpose a script such as util/logargs.sh between the caller and Exim.
    connection_reject A log entry is written whenever an incoming SMTP connection is rejected, for whatever reason.
    delay_delivery A log entry is written whenever a delivery process is not started for an incoming message because the load is too high or too many messages were received on one connection. Logging does not occur if no delivery process is started because queue_only is set or -odq was used.
    delivery_size For each delivery, the size of message delivered is added to the “=>” line, tagged with S=.
    dnslist_defer A log entry is written if an attempt to look up a host in a DNS black list suffers a temporary error.
    incoming_interface The interface on which a message was received is added to the “<=” line as an IP address in square brackets, tagged by I= and followed by a colon and the port number. The local interface and port are also added to other SMTP log lines, for example “SMTP connection from”, and to rejection lines.
    incoming_port The remote port number from which a message was received is added to log entries and Received: header lines, following the IP address in square brackets, and separated from it by a colon. This is implemented by changing the value that is put in the $sender_fullhost and $sender_rcvhost variables. Recording the remote port number has become more important with the widening use of NAT (see RFC 2505).
    lost_incoming_connection A log line is written when an incoming SMTP connection is unexpectedly dropped.
    queue_run The start and end of every queue run are logged.
    received_sender The unrewritten original sender of a message is added to the end of the log line that records the message’s arrival, after the word “from” (before the recipients if received_recipients is also set).
    rejected_header If a message’s header has been received at the time a rejection is written to the reject log, the complete header is added to the log. Header logging can be turned off individually for messages that are rejected by the local_scan() function (see section 44.2).
    received_recipients The recipients of a message are listed in the main log as soon as the message is received. The list appears at the end of the log line that is written when a message is received, preceded by the word “for”. The addresses are listed after they have been qualified, but before any rewriting has taken place. Recipients that were discarded by an ACL for MAIL or RCPT do not appear in the list.
    retry_defer A log line is written if a delivery is deferred because a retry time has not yet been reached. However, this “retry time not reached” message is always omitted from individual message logs after the first delivery attempt.
    sender_on_delivery The message’s sender address is added to every delivery and bounce line, tagged by F= (for “from”). This is the original sender that was received with the message; it is not necessarily the same as the outgoing return path.
    size_reject A log line is written whenever a message is rejected because it is too big.
    skip_delivery A log line is written whenever a message is skipped during a queue run because it is frozen or because another process is already delivering it. The message that is written is “spool file is locked”.
    smtp_confirmation The response to the final “.” in the SMTP or LMTP dialogue for outgoing messages is added to delivery log lines in the form C=<text>. A number of MTAs (including Exim) return an identifying string in this response.
    smtp_connection A log line is written whenever an SMTP connection is established or closed, unless the connection is from a host that matches hosts_connection_nolog. (In contrast, lost_incoming_connection applies only when the closure is unexpected.) This applies to connections from local processes that use -bs as well as to TCP/IP connections. If a connection is dropped in the middle of a message, a log line is always written, whether or not this selector is set, but otherwise nothing is written at the start and end of connections unless this selector is enabled. For TCP/IP connections to an Exim daemon, the current number of connections is included in the log message for each new connection, but note that the count is reset if the daemon is restarted. Also, because connections are closed (and the closure is logged) in subprocesses, the count may not include connections that have been closed but whose termination the daemon has not yet noticed. Thus, while it is possible to match up the opening and closing of connections in the log, the value of the logged counts may not be entirely accurate.
    smtp_protocol_error A log line is written for every SMTP syntax error encountered. An unrecognized command is treated as a syntax error. For an external connection, the host identity is given; for an internal connection using -bs the sender identification (normally the calling user) is given.
    smtp_syntax_error A log line is written for every SMTP syntax error encountered. An unrecognized command is treated as a syntax error. For an external connection, the host identity is given; for an internal connection using -bs the sender identification (normally the calling user) is given.
    subject The subject of the message is added to the arrival log line, preceded by “T=” (T for “topic”, since S is already used for “size”). Any MIME “words” in the subject are decoded. The print_topbitchars option specifies whether characters with values greater than 127 should be logged unchanged, or whether they should be rendered as escape sequences.
    tls_cipher When a message is sent or received over an encrypted connection, the cipher suite used is added to the log line, preceded by X=.
    tls_peerdn When a message is sent or received over an encrypted connection, and a certificate is supplied by the remote host, the peer DN is added to the log line, preceded by DN=.

    A/3 Configuration Files:

    The configuration files for Exim can be found in the following locations:
    Exim Configuration (main): /etc/exim.conf - Main configuration file used by Exim
    Configuration (local): /etc/exim.conf.local - This is the same file that the Advanced Editor for Exim in WHM uses
    Configuration (local): /etc/exim.conf.dist - Exim configuration template used to build the exim conf
    Configuration (local): /etc/exim.conf.localopts - This is the same file that the Basic Editor for Exim in WHM uses
    Configuration (mailman-related): exim.conf.mailman2.dist - Template used to build the mailman configuration

    A/4 Log entry Example:

    Once you have the logging portion taken care of, we need to actually look at our log. You can find the Exim log in /var/log/exim_mainlog; this will be done from the command line.
    Code:
    # head /var/log/exim_mainlog
    2014-08-10 03:27:11 pid 1014: SIGHUP received: re-exec daemon
    2014-08-10 03:27:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q1h
    2014-08-10 03:27:15 exim 4.82 daemon started: pid=1014, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
    2014-08-10 03:27:15 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
    
    Before we dive into what the log is actually logging and what each piece of it means, let's take a look at some of the commands that are commonly used.

    /B/ Exim Commands via the command line

    B/1 Available commands under exim:

    Exim has a couple of utilities to help search through the queue and logs, those are:

    52.2 exiqgrep: obtains a queue listing, and then greps the output to select messages that match given criteria.
    The following selection options are available:
      -f Match the sender address using a case-insensitive search. The field that is tested is enclosed in angle brackets, so you can test for bounce messages with exiqgrep -f '^<>$'
      -r Match a recipient address using a case-insensitive search. The field that is tested is not enclosed in angle brackets.
      -s Match against the size field.
      -y Match messages that are younger than the given time.
      -o Match messages that are older than the given time.
      -z Match only frozen messages.
      -x Match only non-frozen messages.
    The following options control the format of the output:
      -c Display only the count of matching messages.
      -l Long format – display the full message information as output by Exim. This is the default.
      -i Display message ids only.
      -b Brief format – one line per message.
      -R Display messages in reverse order.
      -a Include delivered recipients in queue listing.
      -h Output a list of options.
    52.4 exigrep: exigrep [-t<n>] [-I] [-l] [-v] <pattern> [<log file>] ... grep the queue using Exim's specific grep rather than standard grep


    B/2 Command examples:

    The easiest to remember command, in my opinion, is exiwhat; this lets you know what Exim is currently doing.

    Code:
    -bash-4.1# exiwhat
    27589 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
    
    With exigrep, you can search the mail log more easily. In this case I searched for "aaron@" using exiqgrep, which looks through the main queue, while exigrep looks through the log in the exim_mainlog. In this case, it returned two messages.

    Code:
    -bash-4.1# exiqgrep aaron@*
    71h  6.7K 1XFRvF-0000Mz-B8 <>
          root@nt10598.os.cpanel.vm
    
    71h   12K 1XFRvF-0000NF-NK <>
          root@nt10598.os.cpanel.vm
    
    Here we can see I used exigrep to search the log file instead of exiqgrep.

    Code:
    -bash-4.1# exigrep aaron@ /var/log/exim_mainlog
    2014-08-10 10:52:01 1XGVPd-000707-4Y <= aaron@domains.com H=localhost (10.5.40.204) [127.0.0.1]:39668 P=esmtpa A=dovecot_login:aaron@domains.com S=748 id=c828fa59721d8646a0fa75cbf8db9ba3@domain.com T="Llamas are awesome" for aaron@domain.com
    2014-08-10 10:52:01 1XGVPd-000707-4Y => aaron <aaron@domain.com> R=virtual_user T=virtual_userdelivery
    2014-08-10 10:52:01 1XGVPd-000707-4Y Completed
    
    We can also use a few other commands from the exim command line to help read some of the messages. The next set of commands we will look at will be built into exim directly:
    exim -bpc Print a total count of messages in the queue
    exim -bp Print a listing of the messages including time queue, size, message-ID, sender, and recipient
    exim -bp | exiqsumm Prints a summary of the exim mail queue.
    Code:
    -bash-4.1# exim -bp | exiqsumm
    Count  Volume  Oldest  Newest  Domain
    -----  ------  ------  ------  ------
        7    39KB     71h     71h  nt10598.os.cpanel.vm
        3    19KB     14h     78m  nt12664.product.cpanel.vm
    ---------------------------------------------------------------
       10    58KB     71h     78m  TOTAL
    
    exim -bt user@domain.com This will test how an email is routed through exim
    exim -bh <ip> Run a pretend SMTP transaction from the CLI. The purpose of this is to check Exim's ACLs and filters.
    exim -q -v Start a queue run
    exim -ql -v Start a queue run for local mail only
    exim -Mrm <message-id> [ <message-id> ... ] Remove a message from the queue
    exim -Mvb <message-id> View the body of a message
    exim -Mvh <message-id> View the header of a message
    exim -Mvc <message-id> Provides the whole email and body

    There are additional commands for looking at the queue, but these two are the main utilities for reading the log. You can see the rest of the utilities exim uses in their official documentation.

    You can also view some additional commands and examples for Exim in our Exim cheat sheet created by cPanelJesus: cPanel Exim Quick Reference.

    *Exim runs under the user mailnull, you will commonly see U=mailnull in the exim log.

    /C/ Error Messages and Possible Solutions:

    C/1 Main entries found in exim_mainlog:

    Reading the Exim main log can be daunting, especially with so much information being logged. The main log records the arrival of each message and each delivery in a single line for each case.
    Let's take a look at some examples of a few entries in an exim_mainlog. Exim's main log is read from left to right.

    The first thing to do when looking at a log entry is to determine what happened to the message. Let's take a quick look at the breakdown of those entries.

    <= Indicates the arrival of a message for incoming mail
    => Shows a normal message delivery for outgoing mail
    -> Additional address for the same delivery, i.e. an Email forwarder.
    >> cutthrough is a router precondition. This option requests delivery be attempted while the item is being received. It is usable in the RCPT ACL and valid only for single-recipient mails forwarded from one SMTP connection to another. If a recipient-verify callout connection is requested in the same ACL it is held open and used for the data, otherwise one is made after the ACL completes.
    *> delivery suppressed by -N
    ** delivery failed; address bounced
    == delivery deferred; temporary problem
    <> Additionally, you will often find "<>". From the Exim manual: a bounce message is shown with the sender address “<>”, and if it is locally generated, this is followed by an item of the form R=<message id>.

    You will also find entries in the main log such as those in the table below:

    R= The address immediately following “<=” is the envelope sender address. A bounce message is shown with the sender address “<>”, and if it is locally generated, this is followed by an item of the form R=<message id>
    T= The relay used to transmit the message. Example: T=remote_smtp T=local_delivery
    H= Represents the host. Examples: H=localhost (10.5.40.204) [127.0.0.1]:39753, H=mail.fictional.example [192.168.123.123] U=exim, I=[127.0.0.1]:25
    U= The MTA used.
    I= Followed by a colon and the port number, the I= is the local interface on which the mail was received.
    P= This is the return_path_on_delivery: The return path that is being transmitted with the message is included in delivery and bounce lines, using the tag P=. This is omitted if no delivery actually happens, for example, if routing fails, or if delivery is to /dev/null or to :blackhole:.
    A= If A= is present, then SMTP AUTH was used for the delivery.
    S= Is the delivery size of the message
    M8S= 8bitmime: This causes Exim to log any 8BITMIME status of received messages, which may help in tracking down interoperability issues with ancient MTAs that are not 8bit clean. This is added to the “<=” line, tagged with M8S= and a value of 0, 7 or 8, corresponding to "not given", 7BIT and 8BITMIME respectively.
    id= Represents the incoming message ID
    T= Topic
    from From whom the mail was received
    for Who the email is for


    C/2 Successful messages sent and received:

    Let's take a quick look at a successfully sent message in the exim_mainlog.

    Code:
    2014-08-10 11:18:35 [28107] 1XGVpL-0007JL-14 <= aaron@domain.com H=localhost (10.5.40.204) [127.0.0.1]:39753 I=[127.0.0.1]:25 P=esmtpa A=dovecot_login:aaron@domain.com S=662 M8S=0 id=d2b648f00f1a1b0813c483d552778dc6@domain.com T="what if you had a llama" from <aaron@domain.com> for aaron@domain.com
    2014-08-10 11:18:35 1XGVpL-0007JL-14
    
    This is a standard sent and received message with no errors. Let's take a look at the entry to get a better understanding of a typical log entry.

    Code:
    1) 2014-08-10 11:18:35
    2) 1XGVpL-0007JL-14
    3) <=
    4) aaron@domain.com
    5) H=localhost (10.5.40.204) [127.0.0.1]:39753
        5.1) H=mail.fictional.example [192.168.123.123] U=exim
    6) I=[127.0.0.1]:25
    7) P=esmtpa
    8) A=dovecot_login:aaron@domain.com
    9) S=662
    10) M8S=0
    11) id=d2b648f00f1a1b0813c483d552778dc6@domain.com
    12) T="what if you had a llama"
    13) from <aaron@domain.com>
    14) for aaron@domain.com
    
    C/3 Other exim configuration files and folder structure:

    /etc/mailhelo This file is the configuration file for Exim's HELO command. Records should be represented as: addonor.subdomain.com: maindomain.com
    /etc/mailips This file specifies the IP addresses from which Exim should send email.
    /etc/mail_reverse_dns This file specifies the domains that are associated with the IP addresses from which Exim should send email.
    /etc/remotedomains Sends out an email to an internet address.
    /etc/localdomains Sends out an email to a local address.
    dig mx <domain> Dig a domain and pull MX records only

    If all of those are valid and pointing to the correct location, the next step is to verify the mailbox truly exists. You want to check the mail folder in the user's home directory.

    A user’s email is stored in /home/user/mail/<domain>/<emailuser>/…

    Below is a sample directory structure of an email account:
    /home/username/mail (mail folder)
    /home/username/etc (configuration files)
    /domain.com (domain)
    admin (email user)
    maildirsize (quota/usage summary, expendable)
    cur (default inbox for read email)
    new (default email for unread email)
    Drafts ( sample folder )
    - cur (read email)
    - new (unread email)

    C/4 Types of Errors:

    C/4.1 Failed 421 - Temporary Failures:

    C/4.1.1 Example 1 - Temporarily deferred

    There has been a temporary issue, please try sending the email again in 72 hours. This is usually a temporary ban by the network you're trying to contact.

    Code:
    2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM:<someone@someaddress.com> SIZE=6601: host mta5.am0.yahoodns.net [66.196.118.240]: 421 4.7.0 [GL01] Message from (184.171.253.133) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html
    
    C/4.1.2 Example 2 - Rate limited

    Too many emails have been sent out to this network and there is a temporary block preventing emails from being received. Like example 1, give it some time to clear out and try again in 72 hours.

    Code:
    2014-09-12 08:01:12 1XSLn4-003Fa1-OX SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.66.27]: 421-4.7.0 [77.69.28.195 15] Our system has detected an unusual rate of\n421-4.7.0 unsolicited mail originating from your IP address. To protect our\n421-4.7.0 users from spam, mail sent from your IP address has been temporarily\n421-4.7.0 rate limited. Please visit\n421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk\n421 4.7.0 Email Senders Guidelines. q4si1448293wij.85 - gsmtp
    
    C/4.1.3 Example 3 - Permanently deferred

    The email will not be delivered since you have been blocked by the network. Do not try to resend the emails; instead, contact the host you are trying to send the mail to.

    Code:
    2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM:<someone@someaddress.com> SIZE=1811: host mta7.am0.yahoodns.net [66.66.66.66]: 421 4.7.1 [TS03] All messages from 5.196.113.212 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
    
    Regardless of the 421 error that you receive, you should be checking if the user is on an RBL. Nearly all 421 errors mean that the mail service you are trying to reach has blocked your email from being received on their network. Please understand this means the main issue is not with your server per se, but an issue with the host or network you are trying to reach. This usually can just be waited out, but in some cases you will need to contact the host of the email network you are sending to.

    C/4.2 Failed 450 - Service timeout:

    C/4.2.1 Example 1 - Client Host Rejected

    Code:
    TO:<someone@someaddress>: host mx.someaddress.com [20.20.20.20]: 450 4.7.1 Client host rejected: cannot find your hostname, [20.20.20.20]
    2014-09-21 16:06:05 1XUKFa-0003bb-EM ** someone@someaddress>: retry timeout exceeded
    
    Verify the PTR record and the actual hostname are set up.

    C/4.2.2 Example 2 - Clients Host is trying too much

    Code:
    2014-10-10 10:25:01 1XcKLM-003IGU-Fr SMTP error from remote mail server after RCPT TO:<ma@bol.com>: host pro-mail-mx-002.bol.com [20.20.20.20]: 450 4.7.1 Service unavai$
    
    The client is trying to send too many emails and there is a temporary rejection from the network. Allow 72 hours for this to clear up and then try to send the mail again.

    C/4.3 Failed 451 - Temporary Local Problem:

    Usually, 451 is a temporary failure, and trying again in just a few minutes usually allows it to send. Here are a few other suggestions.

    C/4.3.1 Example 1 - Clients Host is unable to send


    Code:
    2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost
    T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT
    TO:<test@gylsystems.com>: host gylsystems.com [69.69.69.69]: 451
    Temporary local problem - please try later
    
    The server was missing an entry for its hostname in /etc/localdomains. Once this was added, you will no longer see the error recur.

    C/4.3.2 Example 2 - Could not complete sender verify

    Code:
    2014-11-24 11:25:33 H=localhost (mail.fictional.example) [::1]:49956 sender verify defer for <aaron@domain.com>: require_files: error for /home/aaron/etc/domain.com: Permission denied
    2014-11-24 11:25:33 H=localhost (srv-hs1.netsons.net) [::1]:49956 F=<aaron@domain.com> A=dovecot_login:aaron@domain.com temporarily rejected RCPT <test@pleasecheck.net>: Could not complete sender verify
    
    Verify that the permissions of the folders are correct, and that there is a valid reverse record for the domain. In this case permissions were set to 750 on the user's home folder instead of 711.

    C/4.4 Failed 452 - Temporary Failures:

    C/4.4.1 Example 1 - Domain Size limit exceeded

    Code:
    2014-09-13 11:37:53 1XSdCz-00049U-5A ==aaron@domain.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<aaron@domain.com>: host mail.fictional.example [10.5.40.204]: 452 <aron@domain.com> Domain size limit exceeded
    
    Verify that the permissions of the folders are correct. In this case permissions were set to 750 on the user's home folder instead of 711.

    C/4.4.2 Example 2 - Domain Size limit exceeded

    Code:
    2014-09-13 11:37:53 1XSdCz-00049U-5A == aaron@domain.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<aaron@domain.com>: host mail.fictional.example [10.5.40.204]: 452 <aaron@domain.com> Domain size limit exceeded
    
    This failure is from a security scanner, i.e. firewall packet inspection, a security application, or a virus scanner on the local mail server. This error is usually from the receiving server.

    C/4.5 Failed 550 - Hard Failures:

    A 550 is easily one of the most common errors that occur. So what does it mean? A 550 error code means that your SMTP server isn't able to deliver the sent email to the user. It could be because their mailbox does not exist, or it could be from a misconfiguration or a DNS issue.

    C/4.5.1 Example 1 - 550 Verification

    In this example, we have a failed message with a 550-verification error:

    Code:
    2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:<aaron@domain.com>: host mail.domain.com [10.5.40.204]: 550-Verification for <garfield@domain.com>\n550-The mail server could not deliver mail to garfield@domain.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.\n550 Sender verify failed
    
    The file /etc/remotedomains was modified to point domain.com to an IP that does not exist on the server or an IP that hosts this domain. This caused an email failure because no address in /etc/remotedomains was resolvable for that domain.

    Things to check: First things we should check are the files on the server and make sure the email is pointing to the correct location.

    C/4.5.2 Example 2 - Invalid A, AAAA, MX, or other DNS record

    Code:
    SMTP error from remote mail server after RCPT TO:: host mail.fictional.example[10.5.40.204]: 550-Sender has no A, AAAA, or MX DNS records. mail.fictional.example\n550 l mail.fictional.example
    
    Verify the zone file in /etc/named for the correct information. If it appears correct, you can run named-checkzone domain.com domain.com.db to verify if named is able to load the zone.
    
    C/4.5.3 Example 3 - Mail Rejected 550 errors

    Code:
    Diagnostic-Code: X-Postfix; host mail1.domain.com [10.5.40.204] said: 550 5.7.1 Message rejected due to content restrictions (in reply to end of DATA command)
    
    When you see an error such as 550 5.7.1 "Message rejected due to content restrictions", this tells us it is due to an attachment that is included with the email. This could be from the content included, or the attachment size. First remove the attachments and try to send your email again. Double check that the email attachments and signatures added to the body contain nothing which may be restricted.

    C/4.5.4 Example 4 - Mail Authentication 550 error

    Code:
    Final-Recipient: rfc822;aaron@domain.com
    Action: failed
    Status: 5.5.0
    Diagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client.
    550-mail.fictional.example [10.5.40.204]:58133 is not permitted to relay 550 through this server without authentication.
    
    Since 550s have a number of different meanings and a number of solutions, if users are getting an Authentication 550 error, you should check whether the domain is configured to use the local email exchange on the server. This may have been causing the email to be rejected for your domain.

    C/4.5.5 Example 5 - Bad HELO Record

    Code:
    "DHE-RSA-AES256-SHA:256: SMTP error from remote mail server after MAIL FROM:<aaron@domain.com> SIZE=1834: host mail.fictional.example [10.5.40.204..212]: 550 "REJECTED - Bad HELO - Host impersonating [mail.fictional2.example]"
    
    Since HELO records are the same as PTR records we want to check the host of the IP. We should also check to verify the /etc/mailhelo, and /etc/mailip of the server.

    If the client has a lot of IPs, you can check every host address with this one liner:
    ifconfig | grep "inet addr:[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | awk '{print $2}' | sed 's/addr://' | xargs -I {} host {}

    C/4.5.6 Example 6 - Mail Delivery Failure


    Code:
    2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull P=local S=1951 T="Mail delivery failed: returning message to sender" for aaron@domain.com
    
    In this example, we received a reply failed message from the server after example 1 failed to send successfully.
    A bounce back can be from an invalid address, or the receiving server may have blocked your connection. Check the folder structure template above and verify the domain exists if possible. Also verify that the domain isn't blacklisted in an RBL with a tool such as mxtoolbox or dnsstuff.com.

    C/4.6 Failed 553 - Authentication errors:

    C/4.6.1 Example 1 - Your domain does not exists

    Code:
    SMTP error from remote mail server after MAIL FROM:<aaron@domain.com>: host mail.fictional.example [10.5.40.204]: 553 sorry, your domain does not exists.
    
    Verify there are no ACLs in place dropping connectivity from local domains. SSP should show any changes made to the exim config. Verify the domain name is valid, that /etc/localdomains and /etc/remotedomains are set, and that the mailbox name does exist.

    C/4.6.2 Example 2 - Unable to verify address

    Code:
    2014-11-26 10:26:32 1XtYro-004Ecv-65 ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM:<aaron@domain.com> SIZE=1604: host mail.fictional.example [10.5.40.204]: 553 <aaron@domain.com> unable to verify address
    
    Verify that SMTP authentication has been enabled.
    
    C/4.7 Failed 554 - rejected due to spam content:

    C/4.7.1 Example 1 - Reject

    Code:
    [15:03:30 hosts5 root /var/log]cPs# grep 1XeRdP-0006JC-FO exim_mainlog
    2014-10-15 12:41:11 1XeRdP-0006JC-FO <= <> R=1XeRdF-0006HI-EY U=mailnull P=local S=5445 T="Mail delivery failed: returning message to sender" for aaron@domain.com
    2014-10-15 12:41:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XeRdP-0006JC-FO
    2014-10-15 12:42:12 1XeRdP-0006JC-FO ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.fictional.example [10.5.40.204]: 554 rejected due to spam content
    
    This means you need to check the content of the mail body. Some text or images may be flagged as spam. Verify the content is not spam-like or suspicious and try again.


    /D/ SpamBox & SpamAssassin log entries

    Both SpamBox and SpamAssassin are used to prevent unwanted mail. While SpamAssassin is responsible for flagging the emails, SpamBox is used to automatically move email that has been flagged by SpamAssassin to the spam folder. Here are a few examples of what a whitelisted email would look like, as well as an email that has been flagged as spam.

    D/1 SpamBox:

    D/5.1.1 Example 1 - Mail flagged as spam is forwarded:

    In this example, SpamAssassin flags our email as spam and forwards it to the spam folder configured for SpamBox inside the user's cPanel account.

    Code:
    2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.fictional.example [10.5.40.204]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
    2014-10-01 15:12:26 1XZKdg-0001g3-JS <=10.5.40.204 H=mail.fictional.example[10.5.40.204]:4779 P=esmtp S=491878 id=dos45yx4zbmri7f@domain.com T="Payment confirmation: 7037487121" for aaron@domain.net [
    2014-10-01 15:12:26 1XZKdg-0001g3-JS => aaron  <aaron@domain.net [> R=virtual_user_spam T=virtual_userdelivery_spam
    2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
    2014-10-01 15:30:35 1XZKvG-0002HW-ML H=(12-12-12-12.domain.net [10.5.40.204]:65376 Warning: "SpamAssassin as marka22 detected message as spam (7.2)"
    2014-10-01 15:30:35 1XZKvG-0002HW-ML <= item@something.net H=(12-12-12-12.domain.net [10.5.40.204]:65376 P=esmtp S=519381 id=dos45yx4zbmri7f@domain.com T="Payment confirmation: 7037487121" for mark@domain.com
    2014-10-01 15:30:35 1XZKvG-0002HW-ML => mark <mark@domain.net [> R=virtual_user_spam T=virtual_userdelivery_spam
    2014-10-01 15:30:35 1XZKvG-0002HW-ML Completed
    
    D/1 SpamAssassin:

    D/5.1.2 Example 2 - Allowed email:

    In our second example, SpamAssassin scans the email and allows it through.

    Code:
    2014-09-10 13:06:55 1XRlM6-003yMv-KG H=mail.fictional.example [10.5.40.204]:46793 Warning: Message has been scanned: no virus or other harmful content was found
    2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.fictional.example[10.5.40.204]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
    2014-09-10 13:06:56 1XRlM6-003yMv-KG <= bob@bob.com H=mail.fictional.example [10.5.40.204]:46793 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:aaron@domain.com S=18635 T="14\" plates" for live@somedomain.com
    2014-09-10 13:06:56 1XRlM6-003yMv-KG SMTP connection outbound 1410368816 1XRlM6-003yMv-KG domain.com live@somedomain.com
    2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@somedomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mail.fictional.example [10.5.40.204] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 OK id=1XRlMC-0006w5-F4"
    2014-09-10 13:07:22 1XRlM6-003yMv-KG Completed
    
    What we can see from this log is that SpamAssassin with the PID of 46793 has scanned our email with the following message and found it to not be spam:
    Code:
    Warning: Message has been scanned: no virus or other harmful content was found
    SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)
    
    D/5.1.3 Example 3 - Flagged email:

    In our last example, the email is not allowed through and is marked as spam through SpamAssassin. "SpamAssassin as sfgthib detected message as spam (998.0)"

    Code:
    2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: "SpamAssassin as sfgthib detected message as spam (998.0)"
    2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: Message has been scanned: no virus or other harmful content was found
    2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= cpaneltest@gmail.com H=mail.fictional.example [10.5.40.204]:42603 P=esmtps X=TLSv1:RC4-SHA:128 S=3411 id=CAPtYmmQYRDb38yTmnA_ULZVjnKVOdtu6yw-HapGmjBCAk6rYYw@mail.gmail.com T="test" for aaron@domain.com
    
    These are just examples, and your log may look different. If you have any questions on these, please feel free to ask, or open a ticket so we can look into it.

    D/ Conclusion:

    Now that you've had a chance to get your feet wet with the exim configuration and logging, I hope this article will provide the necessary resources to review the exim mail_log log to check for spam, or to confirm that an email was sent or received. Sometimes reading this log can be confusing and not make a lot of sense. With exim allowing more verbose logging, as well as specific commands built around exim and additional utilities built for exim, you should be able to review the log in detail to determine if there is an issue with the mail transport agent. You can find further documentation on Exim and Exim's logs through Exim directly at Documentation for Exim.

    If you have any comments or feedback, please feel free to leave them or message me directly.

    *Post will be edited as new information is found

    Revised 2015-01-28
     
    #1 cPanelAaronH, Dec 31, 2014
    Last edited by a moderator: Apr 23, 2015
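
Added example (not part of the original post and not cPanel's own tooling): a small Python parser that groups exim_mainlog lines by message ID and extracts the SpamAssassin verdict and score, the router and transport of a delivery, and the remote 5xx reply on a `**` failure, as walked through in the sections above. The sample lines are constructed from the entries quoted in the post; the function names and the `_spam` router-suffix check are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the exim_mainlog entries quoted in the post.
SAMPLE_LOG = """\
2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.fictional.example [10.5.40.204]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
2014-10-01 15:12:26 1XZKdg-0001g3-JS => aaron <aaron@domain.net> R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.fictional.example [10.5.40.204]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@somedomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mail.fictional.example [10.5.40.204] C="250 OK id=1XRlMC-0006w5-F4"
2014-10-15 12:42:12 1XeRdP-0006JC-FO ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.fictional.example [10.5.40.204]: 554 rejected due to spam content
2014-11-26 10:26:32 1XtYro-004Ecv-65 ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM:<aaron@domain.com> SIZE=1604: host mail.fictional.example [10.5.40.204]: 553 <aaron@domain.com> unable to verify address
"""

# Timestamp, then the message ID in the 6-6-2 form seen in the post's logs.
ENTRY = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\w{6}-\w{6}-\w{2}) (.*)$')
SPAM = re.compile(r'SpamAssassin as (\S+) detected (?:OUTGOING smtp )?'
                  r'message as (NOT spam|spam) \((-?\d+(?:\.\d+)?)\)')
DELIVERED = re.compile(r'^=> .*?\bR=(\S+) T=(\S+)')
BOUNCED = re.compile(r'^\*\* (\S+) .*: host (\S+) \[([^\]]+)\]: (\d{3})[ -](.*)$')


def summarize(log_text):
    """Group lines by message ID; record verdict, routing and remote rejection."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # lines without a message ID (cwd=..., daemon notices)
        msg_id, rest = m.groups()
        info = msgs[msg_id]
        if (s := SPAM.search(rest)):
            info["scanned_as"], info["is_spam"] = s.group(1), s.group(2) == "spam"
            info["score"] = float(s.group(3))
        elif (d := DELIVERED.match(rest)):
            info["router"], info["transport"] = d.groups()
        elif (b := BOUNCED.match(rest)):
            info["failed_rcpt"], info["remote_host"] = b.group(1), b.group(2)
            info["smtp_code"], info["smtp_text"] = int(b.group(4)), b.group(5)
    return dict(msgs)


def filed_as_spam(info):
    """True when the message was flagged and a router ending in _spam took it."""
    return info.get("is_spam", False) and info.get("router", "").endswith("_spam")


if __name__ == "__main__":
    for msg_id, info in summarize(SAMPLE_LOG).items():
        print(msg_id, filed_as_spam(info), info)
```

Pass the contents of a real log to `summarize()` instead of `SAMPLE_LOG` to get the same per-message view that `grep <message-id> exim_mainlog` gives by hand.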
  2. MilesWeb

    MilesWeb Well-Known Member
    PartnerNOC

    Hi Aaron. Thank you for the share. It will surely come in handy to technicians who investigate the email/exim issues.
     
  3. furquan

    furquan Well-Known Member

    Wonderful !!!!


    That is the only word I could think of :)

    Thank you !!!!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. sahostking

    sahostking Well-Known Member

    Awesome write-up.

    - Removed by Moderator -
     
    #5 sahostking, Apr 22, 2015
    Last edited by a moderator: Apr 23, 2015
  6. MarkDalton

    MarkDalton Active Member

    Excellent and very useful post.
     
  7. YanOri

    YanOri Registered

    This is an excellent post. Thanks a lot for this @AaronH.
    I just have one doubt regarding "*> delivery suppressed by -N"
    What does that mean?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is documented at:

    52. Log files

    Thanks!
     
  9. dlsweb

    dlsweb Member

    In my maillog I see the entry
    pop3(user+company.com): Disconnected: Logged out top=2/4756 retr=964/72080684 del=0/482 size=36031344 bytes=9474/72105440

    I found this definition- bytes = number of bytes sent to client as a result of RETR command
    but what is before and after the / in bytes=9474/72105440 ?
    Could this be my problem with excessive pop3 bandwidth?
     