How To: Read An Exim Maillog

Posted on by Patrick Hawkins
Reading Time: 2 minutes

One of the best tools you can use when tracking down e-mail problems is mail logs. On Liquid Web’s cPanel servers, we have turned on all of exim’s logging capabilities. Full logging means that there is a lot going on, and trying to decipher the logs can be cryptic at first. Let’s take a look at how they are composed.

Note: this article assumes that you have found the mail transaction you are looking for using exigrep.

Getting Started

First, it is a good idea to get to know the following symbols:
<= =>

At least one of these symbols will be on nearly every line of exim’s mainlog. Other abbreviations in the log will change their meaning based on which of these symbols is on that line. These abbreviations consist of one or two letters.

The meaning for the symbols and abbreviations can be found at the exim manual.

Reading a Successful Transaction

Let’s start picking apart a successful transaction. Here is the transaction from that previous exigrep article, with numbers at the beginning of each line that are not in the original logfile:

1: 2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm []:51792 I=[]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2: 2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= []:51792 I=[]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 T="Daily Science Maillinglist: Chameleon" from for
3: 2010-09-13 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
4: 2010-09-13 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s

The Beginning of the Line

Each line starts with the date and time. Immediately following is the message’s process ID number (PID):


and then exim’s internal message ID:


The exigrep tool uses this ID to pull all log lines for this file out of the mainlog; on a busy mailserver, log lines from the same e-mail may be spread out across the logfile.

The First Line

The next item on the first line starts with “H=”. This specifies the hostname of the server that the mail originates from. Next (in square brackets) is the IP address of that server, followed by the port number. “I=” looks similar, but is describing your mailserver. A warning follows: Spamassassin believes that this message is not spam.

The Second Line

The second line almost starts the same (with H and I), but before that the “<=” symbol is used. This indicates that this line is describing the arrival of the message on your mailserver. Immediately after this symbol is the e-mail address that this mail is being sent from. After H and I, the “P” abbreviation designates the protocol being used (here esmtps). Note that this only means this because it is on a “<=” line; if this were a “=>” line it would indicate the return path of the message.

The X tells us the particular cipher suite that is used; this is usually not something you would be looking for when troubleshooting a mail issue. CV refers to certification verification status, and S is the size of the message.

Next, “id” refers to the message id that was created by the sending server and sent as one of the mail headers. T (for topic) is the subject of the e-mail. The line ends with “for”, letting us know just who the message is for.

The Third and Fourth Lines

The third line is just as easy to decipher using the exim manual. Parsing the next two lines of the mail transaction are left as an exercise to the reader. When doing so, note that the third line has the “=>” symbol; abbreviations on the line may mean something different than they did in previous lines.

Avatar for Patrick Hawkins

About the Author: Patrick Hawkins

Patrick Hawkins is a former Test Engineer and Managed WordPress admin with Liquid Web

Latest Articles

Controlling PHP settings with a custom php.ini file

Read Article

How to install Puppet Server on Linux (AlmaLinux)

Read Article

Email security best practices for using SPF, DKIM, and DMARC

Read Article

Linux dos2unix command syntax — removing hidden Windows characters from files

Read Article

Change cPanel password from WebHost Manager (WHM)

Read Article