Digging Into Exim Mail Logs With Exigrep
Perhaps a particular domain on your cPanel server has stopped receiving e-mail. Or, an address on your domain is able to receive e-mail, except from your supplier. Maybe you can receive e-mail just fine, but are receiving error message bounce-backs from Yahoo. How are you going to get the fine-grained information you need to figure out just what is going on?
The answers you seek can be found in exim’s logs.
[[email protected] / ]% cd /var/log
Exim maintains three logfiles:
exim_mainlog: This logs tracks every single mail transaction that your server handles. This is the go-to log when troubleshooting all e-mail delivery problems.
exim_rejectlog: This log only logs delivery rejections. While this can be useful, this is not the first log file you will want to search when troubleshooting a mail problem. For example, if mail is getting through on the server, but your mail client is silently failing to download mail, this log will not help you.
exim_paniclog: This log contains has information regarding the exim program itself, and not mail transactions. For this reason, it is not suitable for most mail troubleshooting.
As you can imagine, on a server sending and receiving a lot of mail, exim’s log files can get large fast. While normally one would use the grep command to find lines in a file matching a search string, that does not work as well with exim’s logs. One single mail transaction will span multiple lines in the file, and not every line will have the search string you are looking for. The exigrep command works around this problem by finding your search string in transactions, and then helpfully gathering every log entry into separate, complete transactions.
[[email protected] /var/log/ ]% exigrep "input_string" exim_mainlog
A typical result will look something like this:
2010-09-13 05:00:13  1Ov4tU-0000Nz-Rm H=mailhost.domain.com [188.8.131.52]:51792 I=[184.108.40.206]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2010-09-13 05:00:13  1Ov4tU-0000Nz-Rm <= [email protected] H=mailhost.domain.com [220.127.116.11]:51792 I=[18.104.22.168]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 [email protected] T="Daily Science Maillinglist: Chameleon" from for [email protected]
2010-09-13 05:00:14  1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2010-09-13 05:00:15  1Ov4tU-0000Nz-Rm Completed QT=7s
Reading exigrep Output
The most basic thing to check for when reading exigrep output is the word “Completed” on the last line. If it says “Completed”, then the e-mail in question has been delivered. If you do not see the word “Completed” you will likely see an error, which is a good starting place for tracking down your delivery failures.
These are a parts of the transaction that are also important:
- Timestamp: the beginning of each line has the date and time that a specific step of the mail transaction occurred.
- from and to: as you can see in the second entry of the example (as indicated with the second timestamp), one line of every transaction shows both who the e-mail is from, and who the e-mail is being sent to
- Transaction ID: each transaction gets its own unique identification string; in the above example, that string is 1Ov4tU-0000Nz-Rm.
Hopefully, understanding the basics of a successful transaction in cPanel’s exim_mainlog will give you a sound basis for starting to troubleshoot thornier exim issues. If you are having trouble making out a particular transaction on your sxi.io Web server, do not hesitate to contact sxi.io Web’s Heroic Support to find out more. Further articles on this topic will dig more deeply into more complex exigrep queries, as well as transaction results for e-mails that have not been delivered.