Exim Mail Logs
General Information
The exim mail logs are located in: /var/log/
The three main mail logs are:
- /var/log/exim_mainlog
- /var/log/exim_paniclog
- /var/log/exim_rejectlog
exim_mainlog - tracks every mail transaction handled by the server.
exim_rejectlog - logs only delivery rejections. This log is of limited usage.
exim_paniclog - contains info on the exim program and does not log mail transaction data.
Searching through the exim mail logs using exigrep
The exigrep command works by locating your search string in transactions, and then gathering every log entry into separate, complete transactions.
exigrep "input_string" /var/log/exim_mainlog
The input string can be anything from an email address, a domain name, a Mail ID, or even an IP Address. So, for example, if you were wanting to search for any email sent to/from the email address [email protected] in your server's exim_mainlog, you would use the following command:
<syntaxhighlight lang="bash">exigrep [email protected] /var/log/exim_mainlog</syntaxhighlight>
If the results of your search are quite large, you can output them to a file if you like. In order to do this, all you need to do is add an > to the end of your command followed by the file you're wanting to output the results of your search to. Here is an example command:
<syntaxhighlight lang="bash">exigrep [email protected] /var/log/exim_mainlog > /home/email_log_file.txt</syntaxhighlight>
Note: if the file you're outputting your search results to does not exist, it will be created when the command is executed.
The above command will output the results of the search to the file /home/email_log_file.txt on the server. This makes it easier to review the results of the search because that file can be opened in a text editor (nano, vi, etc.) to review. You can also provide that file to others that do not have access to your server's mail logs.
Interpreting the exim_mainlog
A typical mail log of a successful email delivery will look similar to the following:
<syntaxhighlight lang="bash">2012-12-15 09:35:11 1Tjspb-0006c6-DD <= [email protected] H=c-69-245-103-30.hsd1.mi.comcast.net ([10.1.10.13]) [83.83.83.83]:63316 P=esmtpa A=courier_login:[email protected] S=645 [email protected] T="Test Message" for [email protected] 2012-12-15 09:35:11 1Tjspb-0006c6-DD => emailaddress2 <[email protected]> R=virtual_user T=virtual_userdelivery 2012-12-15 09:35:11 1Tjspb-0006c6-DD Completed</syntaxhighlight>
<= :: indicates the sending email address. In the above example, the email address [email protected] is the sending email address because it is next to the <= symbol.
A=courier_login :: indicates which email address was logged into and sent the email. In the above example, the email address [email protected] was logged into and sent the email. If you do not see this line in your log, this means that a script was responsible for sending the email or the email was not sent from your server.
T= :: indicates the subject of the email. The subject of the above example email is: Test Message
=> :: indicates the recipient email address(es). In the above example, the only recipient email address is [email protected].
Completed :: indicates that the email was successfully delivered to the recipient email address' email server.
Other things you may see in your logs
== :: indicates a temporary error condition in which the email will be placed in the sending mail server's queue and attempt to be delivered at a later time. Here's an example:
<syntaxhighlight lang="bash">2012-12-09 04:05:43 1ThcpT-00180S-IA == [email protected] R=localuser T=local_delivery defer (122): Disk quota exceeded: mailbox is full</syntaxhighlight>
** :: indicates a message will not be retried. Here's an example:
<syntaxhighlight lang="bash">2012-12-09 04:05:43 1ThcpT-00180S-IA ** [email protected]: retry timeout exceeded</syntaxhighlight>