What is /var/spool/exim_incoming/msglog?

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,772
326
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
This directory has 116,016 files in it. I know it relates to mailscanner, but can someone tell me:

a) why they are being generated
b) if I need them

Because

a) If there is no good reason, let's make them stop being generated
b) I'll delete them if I do not need them.

I imagine that some of you with really busy servers have a lot more files in there than I do...

See below:

[email protected] [/var/spool/exim_incoming/msglog]# ls -al | more
total 116016
drwxr-x--- 2 mailnull mail 696320 Sep 11 18:04 ./
drwxr-x--- 5 mailnull mail 4096 Jul 24 08:34 ../
-rw-r----- 1 mailnull mail 116 Jul 27 05:27 19gg0e-0002xN-VU
-rw-r----- 1 mailnull mail 116 Jul 27 04:13 19ggUA-0003qX-1s
-rw-r----- 1 mailnull mail 116 Jul 27 05:25 19ghm0-0007pU-Ls
-rw-r----- 1 mailnull mail 116 Jul 27 05:35 19ghvg-0007zP-Gr


kuklovod

Member
Sep 9, 2003
5
0
151
It's the messages that could not be delivered for one reason or another. Basically, your undelivered mail queue. If it's too high, you probably have misconfigured exim.conf.

For example, try changing the following values:

# how long to leave bounce errors on the queue (default few days)
ignore_bounce_errors_after = 0s

# how long to wait before removing frozen messages from queue, default 7d = 1 week
timeout_frozen_after = 2d

You could also add, for some better performance:

deliver_queue_load_max = 3
remote_max_parallel = 5

And you should check which messages you have in your queue. If it's mostly Sobig.F virus (possible) and your server is trying to send replies to every forged address, you should add this, replacing your current check_message rule:

check_message:
  require verify = header_sender
  drop    condition = \
            ${if match{$message_body} \
              {(Please s|S)ee the attached file for details} \
              {yes}{no}}
          condition = ${if >{$message_size}{98000}{yes}{no}}
          condition = \
            ${if eq{$header_X-MailScanner:}{Found to be clean} \
              {yes}{no}}
          message = "Sobig.F discarded"

  accept

Hope it helps somewhat (definitely reduced our queue from 1000+ to 1-2 messages at one time).


GOT

I changed mailscanner so that notifies are not sent, so I really have nothing in my exim queue right now.

But I do have 116,000+ messages in this directory. I really do not think that exim is still trying to deliver these things as some of them are well over a month old.

Additionally, these are not actual email, but, rather, they look almost like log snippets:

2003-09-07 19:36:44 Received from [email protected] H=(EDWARDS) [207.191.34.70] P=esmtp S=102663

and

2003-09-09 10:36:57 Received from [email protected] H=(200-101-232-005.fnsce7004.dsl.brasiltelecom.net.br) [200.101.232.5] P=smtp S=8579 [email protected]

One line in each file and it contains this type of entry.


kuklovod

Oops, my bad. Was thinking about the queue since my messagelog contains only the log for messages which are on queue, but yours obviously logs all previous mails, too, so you must have preserve_message_logs turned on.

Straight from the horse's mouth:
In addition to the four main log files, Exim writes a log file for each message that it handles. The names of these per-message logs are the message ids, and they are kept in the msglog sub-directory of the spool directory. A single line is written to the message log for each delivery attempt for each address. It records either a successful delivery, or the reason (temporary or permanent) for failure. If the log level is 5 or higher, `retry time not reached' messages are also written to individual message logs. If the log level is 4 or less, they are suppressed after the first delivery attempt.

When a local part is expanded by aliasing or a forwarding file, a line is written to the message log when all its child deliveries are completed. SMTP connection failures for each remote host are also logged here. The log is deleted when processing of the message is complete, unless preserve_message_logs is set, but this should be used only with great care because they can fill up your disc very quickly.
 

GOT

Do you see this line in your exim.conf? It's not in mine at all.

Thank you so much for finding that info for me! Now all I have to do is figure out where in exim.conf it goes! :)


Noldar

Well-Known Member
Jun 26, 2002
64
0
156
Ponchatoula, LA
Add this to your exim.conf. It can be entered into the first block in the exim config editor in WHM.
Code:
# turn off writing of logs to /var/spool/exim_incoming/msglog/
no_message_logs
Richard
 

Silverado

Well-Known Member
Mar 19, 2003
153
0
166
Backyard - Poolside
Originally posted by Noldar
Add this to your exim.conf. It can be entered into the first block in the exim config editor in WHM.
Code:
# turn off writing of logs to /var/spool/exim_incoming/msglog/
no_message_logs
Richard
Regarding this setting, I am curious if it will not process any logs in the overall /var/log (examples)
maillog
messages
exim_mainlog
exim_paniclog... etc. etc.

Do you know if this is what that setting is supposed to do?
Great thread....
 

GOT

I can report that after doing this, there are no new files in my msglog folder, and all the normal logs relating to mail still look good.

Thanks a ton!
 

Website Rob

Well-Known Member
Mar 23, 2002
1,501
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
GotHosting, can you provide what you are running?

My Servers show no such directory as: exim_incoming

I'm using:

WHM 8.5.4 cPanel 8.5.4-E97
RedHat 9
 

GOT

I do not think you'll have that directory unless you are running mailscanner.

I am running the same version of cpanel as you are under redhat 7.3.
 

Website Rob

Thanks -- and you are correct. I do not use MailScanner and didn't realize the problem was directly related to it. Good thread for future problems though, if I ever do use it. :)
 

equens

Well-Known Member
Feb 8, 2002
283
5
318
My /var/spool/exim_incoming/msglog has 6.0G !!! Can I delete these files?
 

webignition

Well-Known Member
Jan 22, 2005
1,876
1
166
equens said:
My /var/spool/exim_incoming/msglog has 6.0G !!! Can I delete these files?
On the other hand, my /var/spool/exim_incoming/msglog contains about 3MB, which seems quite nice for the moment.

Would anyone know if MailScanner clears old files from this directory periodically, or would it build up over time and surprise me one day?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,437
33
473
Go on, have a guess
It looks like the exim cleanup routine is not working in exim_incoming, although it should as the coding is there. I'm going to look into it further and probably put a workaround in the daily cronjob associated with our MailScanner package to keep it tidy. If you're not interested in the msglog facility, you can switch it off by adding the following to the first textarea in the advanced mode exim config editor:

no_message_logs
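
A sketch of the kind of daily cleanup mentioned in the post above, added here as an example; it is not part of the thread and is not chirpy's or MailScanner's code. The function names, the age threshold passed in, and the sixth-character layout used for split spool directories are assumptions.

```shell
#!/bin/sh
# Added example: list (or delete) stale per-message logs under an Exim spool.
# Usage: prune_msglog SPOOL_DIR MIN_AGE_DAYS [--delete]
# A log is stale when it is older than MIN_AGE_DAYS and no matching
# input/<id>-H header file exists, i.e. the message has left the queue.
prune_msglog() {
    spool=$1 days=$2 mode=${3:-}
    [ -d "$spool/msglog" ] || { echo "no msglog directory under $spool" >&2; return 2; }
    case $days in
        ''|*[!0-9]*) echo "MIN_AGE_DAYS must be a whole number" >&2; return 2 ;;
    esac
    # find (not ls or rm *) copes with 100,000+ entries without hitting ARG_MAX
    find "$spool/msglog" -type f -mtime +"$days" | while IFS= read -r f; do
        id=${f##*/}
        # Only touch names shaped like message ids (e.g. 19gg0e-0002xN-VU)
        case $id in
            *[!0-9A-Za-z-]*) continue ;;
            ?*-?*-?*) ;;
            *) continue ;;
        esac
        # Assumption: with split_spool_directory the subdirectory is the
        # sixth character of the id; check both layouts.
        sub=$(printf '%s' "$id" | cut -c6)
        if [ -e "$spool/input/$id-H" ] || [ -e "$spool/input/$sub/$id-H" ]; then
            continue    # still queued: Exim may yet append to this log
        fi
        if [ "$mode" = "--delete" ]; then rm -f -- "$f"; fi
        printf '%s\n' "$id"
    done
}

# Constructed demo spool (not real data): two old logs, one still queued,
# plus one fresh log. Prints the path of the temporary spool directory.
make_demo_spool() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/msglog" "$d/input"
    for id in 19gg0e-0002xN-VU 19ggUA-0003qX-1s 19ghm0-0007pU-Ls; do
        echo "2003-07-27 05:27:00 Received from <> P=esmtp S=116" > "$d/msglog/$id"
    done
    touch -t 200307270527 "$d/msglog/19gg0e-0002xN-VU" "$d/msglog/19ggUA-0003qX-1s"
    : > "$d/input/19ggUA-0003qX-1s-H"    # this message is still on the queue
    printf '%s\n' "$d"
}
```

Without `--delete` the function only prints the ids it would remove, so the list can be reviewed first.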
 

webignition

I don't think I'm interested in the msglog facility, but then I can't say for sure because I'm not 100% sure what uses it.

I assume that the database 'mailscanner' is used by Mailwatch to produce its nice looking lists and stats, and of course there's always the contents of /var/log/ to take a look through when needed.

What then is the purpose of the contents of /var/spool/exim_incoming/msglog? I have a strong feeling that it's of no use to me, but there's no harm in asking.