How To: Read An Exim Maillog

One of the best tools you can use when tracking down e-mail problems is mail logs. On Liquid Web’s cPanel servers, we have turned on all of exim’s logging capabilities. Full logging means that there is a lot going on, and trying to decipher the logs can be cryptic at first. Let’s take a look at how they are composed.

Note: this article assumes that you have found the mail transaction you are looking for using exigrep.

Getting Started

First, it is a good idea to get to know the following symbols:

At least one of these symbols will be on nearly every line of exim’s mainlog. Other abbreviations in the log will change their meaning based on which of these symbols is on that line. These abbreviations consist of one or two letters.

The meaning for the symbols and abbreviations can be found at the exim manual.

Reading a Successful Transaction

Let’s start picking apart a successful transaction. Here is the transaction from that previous exigrep article, with numbers at the beginning of each line that are not in the original logfile:

1: 2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm []:51792 I=[]:25 Warning: "SpamAssassin as theuser detected message as NOT spam (0.0)"
2: 2010-09-13 05:00:13 [1487] 1Ov4tU-0000Nz-Rm <= []:51792 I=[]:25 P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=21778 T="Daily Science Maillinglist: Chameleon" from for
3: 2010-09-13 05:00:14 [1534] 1Ov4tU-0000Nz-Rm => user F= P= R=virtual_user T=virtual_userdelivery S=21902 QT=6s DT=0s
4: 2010-09-13 05:00:15 [1534] 1Ov4tU-0000Nz-Rm Completed QT=7s

The Beginning of the Line

Each line starts with the date and time. Immediately following is exim’s internal message ID:


in the example above. The exigrep tool uses this ID to pull all log lines for this file out of the mainlog; on a busy mailserver, log lines from the same e-mail may be spread out across the logfile.

The First Line

The next item on the first line starts with “H=”. This specifies the hostname of the server that the mail originates from. Next (in square brackets) is the IP address of that server, followed by the port number. “I=” looks similar, but is describing your mailserver. A warning follows: Spamassassin believes that this message is not spam.

The Second Line

The second line almost starts the same (with H and I), but before that the “<=” symbol is used. This indicates that this line is describing the arrival of the message on your mailserver. Immediately after this symbol is the e-mail address that this mail is being sent from.

After H and I, the “P” abbreviation designates the protocol being used (here esmtps). Note that this only means this because it is on a “<=” line; if this were a “=>” line it would indicate the return path of the message.

The X tells us the particular cipher suite that is used; this is usually not something you would be looking for when troubleshooting a mail issue. CV refers to certification verification status, and S is the size of the message.

Next, “id” refers to the message id that was created by the sending server and sent as one of the mail headers. T (for topic) is the subject of the e-mail. The line ends with “for”, letting us know just who the message is for.

The Third and Fourth Lines

The third line is just as easy to decipher using the exim manual. Parsing the next two lines of the mail transaction are left as an exercise to the reader. When doing so, note that the third line has the “=>” symbol; abbreviations on the line may mean something different than they did in previous lines.

Future articles will show some mail transactions that did not end as successfully as this one.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s