Digging Into Exim Mail Logs With Exigrep

Reading Time: 3 minutes

Perhaps a particular domain on your cPanel server has stopped receiving e-mail. Or, an address on your domain is able to receive e-mail, except from your supplier. Maybe you can receive e-mail just fine, but are receiving error message bounce-backs from Yahoo. How are you going to get the fine-grained information you need to figure out just what is going on?

The answers you seek can be found in exim’s logs.

Getting Started

Once you have sshed into your cPanel server, you will need to cd into the directory where exim keeps its logs. Exim puts all of its logs into the following directory:

[root@host / ]% cd /var/log

Exim maintains three logfiles:

/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog

exim_mainlog: This logs tracks every single mail transaction that your server handles. This is the go-to log when troubleshooting all e-mail delivery problems.

exim_rejectlog: This log only logs delivery rejections. While this can be useful, this is not the first log file you will want to search when troubleshooting a mail problem. For example, if mail is getting through on the server, but your mail client is silently failing to download mail, this log will not help you.

exim_paniclog: This log contains has information regarding the exim program itself, and not mail transactions. For this reason, it is not suitable for most mail troubleshooting.

Using Exigrep

As you can imagine, on a server sending and receiving a lot of mail, exim’s log files can get large fast. While normally one would use the grep command to find lines in a file matching a search string, that does not work as well with exim’s logs. One single mail transaction will span multiple lines in the file, and not every line will have the search string you are looking for. The exigrep command works around this problem by finding your search string in transactions, and then helpfully gathering every log entry into separate, complete transactions.

exigrep is run just like grep; simply pass it the search string and the filename of the log file you are searching in:


[root@host /var/log/ ]% exigrep "input_string" exim_mainlog

A typical result will look something like this:

2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= maillinglist@domain.com H=mailhost.domain.com [208.42.54.2]:51792 I=[67.215.162.175]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 id=384a86a39e83be0d9b3a94d1feb3119f@domain.com T="Daily Science Maillinglist: Chameleon" from for user@example.com
2010-09-13 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
2010-09-13 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s

Reading exigrep Output

The most basic thing to check for when reading exigrep output is the word “Completed” on the last line. If it says “Completed”, then the e-mail in question has been delivered. If you do not see the word “Completed” you will likely see an error, which is a good starting place for tracking down your delivery failures.

These are a parts of the transaction that are also important:

  • Timestamp: the beginning of each line has the date and time that a specific step of the mail transaction occurred.
  • from and to: as you can see in the second entry of the example (as indicated with the second timestamp), one line of every transaction shows both who the e-mail is from, and who the e-mail is being sent to
  • Transaction ID: each transaction gets its own unique identification string; in the above example, that string is 1Ov4tU-0000Nz-Rm.

Hopefully, understanding the basics of a successful transaction in cPanel’s exim_mainlog will give you a sound basis for starting to troubleshoot thornier exim issues. If you are having trouble making out a particular transaction on your Liquid Web server, do not hesitate to contact Liquid Web’s Heroic Support to find out more. Further articles on this topic will dig more deeply into more complex exigrep queries, as well as transaction results for e-mails that have not been delivered.

Avatar for Patrick Hawkins

About the Author: Patrick Hawkins

Patrick Hawkins is a former Test Engineer and Managed WordPress admin with Liquid Web

Latest Articles

Blocking IP or whitelisting IP addresses with UFW

Read Article

CentOS Linux 7 end of life migrations

Read Article

Use ChatGPT to diagnose and resolve server issues

Read Article

What is SDDC VMware?

Read Article

Best authentication practices for email senders

Read Article