Since the queue holds a huge number of emails, we first need to find the top senders. A one-liner such as the following does this:
exim -bp | grep "<" | awk -F "<" '{print $2}' | awk -F ">" '{print $1}' | sort | uniq -c | sort -n
We grep the envelope-from address (<anyuser@anydomain.com>) out of the exim queue listing, extract it with awk, then count and sort the senders.
Example:
Step 1:
root@cloud100# exim -bp | grep "<" | awk -F "<" '{print $2}' | awk -F ">" '{print $1}' | sort | uniq -c | sort -n
8452 sales@softcarecs.com
Step 2:
Let's pick a single message ID and see why it's in the queue.
root@cloud100# exim -bp | grep sales@softcarecs.com | head -2
7m 1.1K 1f3N89-004H0b-SK <sales@softcarecs.com>
7m 1016 1f3N89-004GD4-Sb <sales@softcarecs.com>
Then,
root@cloud100# exigrep 1f3N89-004H0b-SK /var/log/exim_mainlog
+++ 1f3N89-004H0b-SK has not completed +++
2018-04-03 08:41:50 1f3N89-004H0b-SK <= sales@softcarecs.com H=([127.0.0.1]) [213.252.164.247]:2561 I=[74.220.207.195]:587 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_plain:sales@softcarecs.com S=1118 id=0B77E456-0AC5-9242-1FE5-0B0CA9F118AC@softcarecs.com T="Feeling disgruntled?" from <sales@softcarecs.com> for thomaswain@hotmail.com
2018-04-03 08:41:50 1f3N89-004H0b-SK no immediate delivery: more than 30 messages received in one connection
2018-04-03 08:42:08 1f3N89-004H0b-SK == thomaswain@hotmail.com routing defer (-51): retry time not reached
Judging by the email subject, this looks like spam. Check the message body and decide whether to remove the messages from the queue or change the account's password.
You may find an exim message body that looks like this:
T3VyIGdyb3VuZC1icmVha2luZyBpbXBvdGVuY2UgcGlsbHMgd2VyZSBidWlsdCBvbiBvdmVyIDMyIHllYXJzJyB3b3J0aCBvZiBtZWRp
Y2FsIGtub3dsZWRnZS4gSWYgeW91IHdhbnQgeW91ciBlcmVjdGlsZSBkaXNmdW5jdGlvbiBzdXBwbGVtZW50IHRvIGJlIHJlcHV0YW
JsZSBhbmQgdHJpZWQtYW5kLXRydWUsIGxvb2sgbm8gZnVydGhlci4NClVzZSB0aGUgVVJMIG92ZXIgaGVyZSBhbmQgZ28gdGhyb3
VnaCBhbGwgdGhlIHJlYWwgcmV2aWV3cywgYWxsIGNsaW5pY2FsIHJlc2VhcmNoIGRhdGEgeW91IG5lZWQuDQoNCmh0dHA6Ly93d3
cuY2lzZWR1Y2F0aW9uLm9yZy9ldmVudHNfY2FsZW5kYXIuaW5jLnBocD9lbVZ1YkhWclpVQjVZV2h2Ynk1amIyMD0NCg==
This is a base64-encoded email message; you can decode it at: https://www.base64decode.net/
After decoding, it looks like:
Our ground-breaking impotence pills were built on over 32 years' worth of medical knowledge. If you want your erectile disfunction supplement to be reputable and tried-and-true, look no further.
Use the URL over here and go through all the real reviews, all clinical research data you need.
http://www.ssssssss.org/events_calendar.inc.php?emVubHVrZUB5YWhvby5jb20=
Note: This procedure covers ordinary email queues generated by clients authenticating through dovecot, not by server-side scripts. It may not work for every email queue issue; you need to find script-based or malware-based spamming manually. Please follow your corporate procedure when suspending an account, removing emails, or changing passwords.
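The "<=" line in the exigrep output above records both the authenticated account (A=dovecot_plain:...) and the client address, so the main log can be summarised per account and source IP to see which login is feeding the queue. The script below is an added example, not part of the original post; it assumes the log layout of the sample line above, and the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the main-log layout of the sample line above:
# date, time, message ID, "<=", envelope sender, then key=value fields.

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
2018-04-03 08:41:50 1aaaaa-000001-AA <= sales@example.com H=([127.0.0.1]) [192.0.2.10]:2561 I=[198.51.100.5]:587 P=esmtpsa A=dovecot_plain:sales@example.com S=1118 T="x A=dovecot_plain:fake@example.com" for a@example.net
2018-04-03 08:41:51 1aaaaa-000002-AA <= sales@example.com H=([127.0.0.1]) [192.0.2.10]:2561 I=[198.51.100.5]:587 P=esmtpsa A=dovecot_plain:sales@example.com S=1016 T="hi" for b@example.net
2018-04-03 08:41:52 1aaaaa-000003-AA <= sales@example.com H=([127.0.0.1]) [192.0.2.10]:2562 I=[198.51.100.5]:587 P=esmtpsa A=dovecot_login:sales@example.com S=1016 T="hi" for c@example.net
2018-04-03 08:42:08 1aaaaa-000001-AA == a@example.net routing defer (-51): retry time not reached
2018-04-03 08:43:00 1aaaaa-000004-AA <= info@example.com H=(pc) [192.0.2.77]:4000 I=[198.51.100.5]:587 P=esmtpsa A=dovecot_plain:info@example.com S=900 T="report" for d@example.net
2018-04-03 08:44:00 1aaaaa-000005-AA <= web@example.com U=web P=local S=700 T="form" for e@example.net
EOF
}

# Print "count account client_ip" for dovecot-authenticated submissions,
# busiest first. Locally generated mail (P=local) has no A= field and is
# skipped, matching the scope stated in the note above.
auth_senders() {
    awk '
    $4 == "<=" {                       # "<=" marks a message Exim accepted
        acct = ""; ip = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^T="/) break     # subject is sender-controlled: stop parsing
            if ($i ~ /^A=dovecot_[a-z]+:/) {
                acct = $i; sub(/^A=dovecot_[a-z]+:/, "", acct)
            } else if (ip == "" && $i ~ /^\[[0-9a-fA-F.:]+\]:[0-9]+$/) {
                ip = $i; sub(/^\[/, "", ip); sub(/\]:[0-9]+$/, "", ip)
            }
        }
        if (acct != "") count[acct " " ip]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

sample_log | auth_senders
```

On a live server the same function can read the log directly, for example auth_senders < /var/log/exim_mainlog.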