Understanding and Reading an Exim Maillog

Reading an Exim log can be confusing or complicated at first; however, understanding the log line flags and the summary fields will help you understand your email server platform.

Log line flags:
<= Indicates the arrival of a message for incoming mail

=> Shows a normal message delivery for outgoing mail

-> Additional address for the same delivery, i.e. an Email forwarder.

>> cutthrough is a router precondition. This option requests that delivery be attempted while the item is being received. It is usable in the RCPT ACL and valid only for single-recipient mails forwarded from one SMTP connection to another. If a recipient-verify callout connection is requested in the same ACL, it is held open and used for the data; otherwise one is made after the ACL completes.

*> delivery suppressed by -N

** delivery failed; address bounced

== delivery deferred; temporary problem

<> From the Exim manual: a bounce message is shown with the sender address “<>”, and if it is locally generated, this is followed by an item of the form R=<message id>

Summary fields:

R=

The address immediately following “<=” is the envelope sender address. A bounce message is shown with the sender address “<>”, and if it is locally generated, this is followed by an item of the form R=<message id>

T=

The relay used to transmit the message. Examples: T=remote_smtp, T=local_delivery

H=

Represents the host. Examples: H=localhost (10.5.40.204) [127.0.0.1]:39753 and H=mail.fictional.example [192.168.123.123]. Examples of the next two fields: U=exim and I=[127.0.0.1]:25

U=

The MTA used.

I=

Followed by a colon and the port number, the I= is the local interface on which the mail was received.

P=

This is the return_path_on_delivery: The return path that is being transmitted with the message is included in delivery and bounce lines, using the tag P=. This is omitted if no delivery actually happens, for example, if routing fails, or if delivery is to /dev/null or to :blackhole:.

A=

If A= is present, then SMTP AUTH was used for the delivery.

S=

The delivery size of the message.

M8S=

8bitmime: This causes Exim to log any 8BITMIME status of received messages, which may help in tracking down interoperability issues with ancient MTAs that are not 8bit clean. This is added to the “<=” line, tagged with M8S= and a value of 0, 7 or 8, corresponding to "not given", 7BIT and 8BITMIME respectively.

ID=

Represents the incoming message ID

T=

Topic / Subject

from

From whom the mail was received

for

Who the email is for

Example:

root@cloud100# exigrep 1f4iwT-0001k8-SP /var/log/exim_mainlog
Line 1: 2018-04-03 07:33:28 1f4iwT-0001k8-SP <= sales@softcarecs.com H=cloud100.samnetworks.in ([127.0.0.1]) [177.72.175.222]:2680 I=[74.220.215.211]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_plain:sales@softcarecs.com S=1095 id=e18441e866d1b2e02603aca40574716d@softcarecs.com T="Reading an Exim Maillog" from <sales@softcarecs.com> for info@softcarecs.com
Line 2: 2018-04-03 07:33:28 1f4iwT-0001k8-SP no immediate delivery: more than 30 messages received in one connection
Line 3: 2018-04-03 07:50:59 1f4iwT-0001k8-SP => /dev/null <info@softcarecs.com> F=<sales@softcarecs.com> R=fightspamESO T=**bypassed** S=0
Line 4: 2018-04-03 07:50:59 1f4iwT-0001k8-SP Completed

Let's cut this log into pieces so we can see what the Exim log is telling us:

Line 1:
2018-04-03 07:33:28 [date & time Exim began handling the email]
1f4iwT-0001k8-SP [Exim ID created by Exim before it starts sending]
<= sales@softcarecs.com [email started by]

H=cloud100.samnetworks.in ([127.0.0.1]) [177.72.175.222]:2680 [connection from local ISP/smtp]
I=[74.220.215.211]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no [Interface used to send email, such as SMTP, with IP, port & SSL details]
A=dovecot_plain:sales@softcarecs.com [Authenticator Dovecot]
S=1095 [email size in bytes]
id=e18441e866d1b2e02603aca40574716d@softcarecs.com [message id]
T="Reading an Exim Maillog" [Email subject]
from <sales@softcarecs.com> [Email From]
for info@softcarecs.com [Email To]

Line 2:
2018-04-03 07:33:28 1f4iwT-0001k8-SP no immediate delivery: more than 30 messages received in one connection
Exim received more than 30 emails within a single connection using Dovecot auth, so Exim is going to wait before delivering it.

Line 3: 1f4iwT-0001k8-SP => /dev/null <info@softcarecs.com> F=<sales@softcarecs.com> R=fightspamESO T=**bypassed** S=0

R=fightspamESO and T=**bypassed** are local cPanel filters to stop spam emails from being sent and bounce emails from coming back to the local user.

Line 4: Completed [meaning Exim is done handling that email ID; it does not always mean that the email was sent successfully.]
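
The walk-through above can be automated. The following Python parser is an added example, not part of the original article or of Exim: it splits main-log lines into flag, address and KEY= fields and groups the lines for one message ID, as exigrep returns them. The names parse_line and summarize are hypothetical, and the default timestamp format shown in the example (no timezone or pid) is assumed.

```python
import re

# Flags from the "Log line flags" list above.
FLAGS = {"<=": "arrival", "=>": "delivery", "->": "additional address",
         ">>": "cutthrough", "*>": "suppressed by -N",
         "**": "failed", "==": "deferred"}
# Timestamp, message id (6-6-2 in the example; ranges admit longer ids), rest.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w{6}-\w{6,11}-\w{2,4}) (.*)$")
QUOTED = r'"(?:[^"\\]|\\.)*"'
FIELD_RE = re.compile(r"(?:^| )(\w+)=(" + QUOTED + r"|\S+)")

def parse_line(line):
    """Split one main-log line into timestamp, id, flag, address and KEY= fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(ts=m[1], id=m[2], text=m[3], flag=None, address=None, ip=None, fields={})
    if m[3][:2] in FLAGS and m[3][2:3] == " ":
        rec["flag"] = m[3][:2]
        rec["address"], _, tail = m[3][3:].partition(" ")
        # Subject and recipients are sender-controlled. Mask the quoted subject,
        # then stop at " for " so neither can be read as a KEY= field.
        masked = re.sub(QUOTED, lambda q: "_" * len(q.group()), tail)
        end = (masked + " for ").find(" for ")
        for k, v in FIELD_RE.findall(tail[:end]):
            rec["fields"].setdefault(k, v[1:-1] if v[:1] == '"' else v)
        # The bracketed address after the H= names is the connecting IP.
        ip = re.search(r"(?:^| )H=(?:.*? )?\[([0-9A-Fa-f.:]+)\]", masked[:end])
        rec["ip"] = ip.group(1) if ip else None
    return rec

def summarize(lines):
    """Reduce the lines for one message id (e.g. exigrep output) to key facts."""
    out = dict(arrival=None, deliveries=[], notes=[])
    for rec in filter(None, map(parse_line, lines)):
        if rec["flag"] == "<=":
            out["arrival"] = rec
        elif rec["flag"]:
            out["deliveries"].append((FLAGS[rec["flag"]], rec["address"]))
        elif rec["text"] != "Completed":
            out["notes"].append(rec["text"])
    return out

# The four log lines from the example on this page, without the "Line N:" labels.
SAMPLE = """2018-04-03 07:33:28 1f4iwT-0001k8-SP <= sales@softcarecs.com H=cloud100.samnetworks.in ([127.0.0.1]) [177.72.175.222]:2680 I=[74.220.215.211]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_plain:sales@softcarecs.com S=1095 id=e18441e866d1b2e02603aca40574716d@softcarecs.com T="Reading an Exim Maillog" from <sales@softcarecs.com> for info@softcarecs.com
2018-04-03 07:33:28 1f4iwT-0001k8-SP no immediate delivery: more than 30 messages received in one connection
2018-04-03 07:50:59 1f4iwT-0001k8-SP => /dev/null <info@softcarecs.com> F=<sales@softcarecs.com> R=fightspamESO T=**bypassed** S=0
2018-04-03 07:50:59 1f4iwT-0001k8-SP Completed""".splitlines()
print(summarize(SAMPLE))
```

Read together, the A= value and the connecting IP on the arrival line show which account authenticated and from where, and the /dev/null delivery shows the message was discarded rather than sent.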
