Reading and Understanding the exim_mainlog
At cPanel, we get a variety of tickets asking about different types of mail errors. I've been working on an Exim guide that will help you determine just what might be the cause of the errors you're receiving.
Exim, what a topic. For some, setting up Exim's configuration and troubleshooting it, or even just reading the logs, can be as daunting as setting up custom configurations for Apache with SSL reverse proxies on a high-availability load balancer. Thankfully, that's not the case. Exim is not terribly difficult to read or understand, and its documentation is rather good. Exim is one of the most widely used MTAs (Mail Transfer Agents) today. With a few tweaks to the configuration you will soon be a wizard at reading and understanding what the Exim log contains. By modifying the Exim configuration, we can make the log output much more verbose. That makes it easier and faster to determine exactly what is going on with the server's MTA.
SECTIONS:
- /A/ Enabling Verbose Logging
- A/1 Modifying the log_selector
- A/2 Logging Options
- A/3 Configuration Files
- /B/ Available Commands
- B/1 Available commands under exim:
- B/2 Command examples:
- B/3 Other Commands under exim:
- /C/ Error Messages and Possible Solutions
- C/1 Log delivery entries found in exim_mainlog:
- C/2 Successful messages sent and received:
- C/3 Other exim configuration files and folder structure:
- C/4 Types of Errors:
- Failed 421 - Temporary Failures:
- C/4.1.1 Example 1 - Temporarily deferred
- C/4.1.2 Example 2 - Rate limited
- C/4.1.3 Example 3 - Permanently deferred
- Failed 450 - Service timeout:
- C/4.2.1 Example 1 - Client Host Rejected
- C/4.2.2 Example 2 - Client's Host is trying too much
- Failed 451 - Temporary Local Problem:
- C/4.3.1 Example 1 - Clients Host is unable to send
- C/4.3.2 Example 2 - Could not complete sender verify
- Failed 452 - Temporary Failures:
- C/4.4.1 Example 1 - Domain Size limit exceeded
- Failed 550 - Hard Failures:
- C/4.5.1 Example 1 - 550 Verification
- C/4.5.2 Example 2 - Invalid A, AAAA, MX, or other DNS record
- C/4.5.3 Example 3 - Mail Rejected 550 errors
- C/4.5.4 Example 4 - Mail Authentication 550 error
- C/4.5.5 Example 5 - Bad HELO Record
- C/4.5.6 Example 6 - Mail Delivery Failure
- Failed 553 - Authentication errors:
- C/4.6.1 Example 1 - Your domain does not exists
- C/4.6.2 Example 2 - Unable to verify address
- Failed 554 - rejected due to spam content:
- C/4.7.1 Example 1 - Reject
- /D/ SpamBox & SpamAssassin log entries
- D/1 SpamBox:
- C/5.1.1 Example 1 - Mail flagged as spam is forwarded:
- D/2 SpamAssassin:
- C/5.1.1 Example 1 - Allowed email:
- C/5.1.1 Example 3 - Flagged email:
- Conclusion
/A/ Modify Exim to Enable Verbose Logging
A/1 Modifying the log_selector
The first thing we need to do is get better output from our log. By default, Exim is not set to log every piece of information. To change this, log in to your WHM interface and navigate to Home » Service Configuration » Exim Configuration Manager » Advanced Editor. Find the section "log_selector" and replace it with one of the following.
Code:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
Or, we can be lazy and just use:
Code:
log_selector = +all
Regardless of which you choose, here's what each option means.
A/2 Logging Options:
address_rewrite |
This applies both to global rewrites and per-transport rewrites, but not to rewrites in filters run as an unprivileged user (because such users cannot access the log). |
all_parents |
Normally only the original and final addresses are logged on delivery lines; with this selector, intermediate parents are given in parentheses between them. |
arguments |
This causes Exim to write the arguments with which it was called to the main log, preceded by the current working directory. This is a debugging feature, added to make it easier to find out how certain MUAs call /usr/sbin/sendmail. The logging does not happen if Exim has given up root privilege because it was called with the -C or -D options. Arguments that are empty or that contain white space are quoted. Non-printing characters are shown as escape sequences. This facility cannot log unrecognized arguments, because the arguments are checked before the configuration file is read. The only way to log such cases is to interpose a script such as util/logargs.sh between the caller and Exim. |
connection_reject |
A log entry is written whenever an incoming SMTP connection is rejected, for whatever reason. |
delay_delivery |
A log entry is written whenever a delivery process is not started for an incoming message because the load is too high or too many messages were received on one connection. Logging does not occur if no delivery process is started because queue_only is set or -odq was used. |
delivery_size |
For each delivery, the size of message delivered is added to the => line, tagged with S=. |
dnslist_defer |
A log entry is written if an attempt to look up a host in a DNS black list suffers a temporary error. |
incoming_interface |
The interface on which a message was received is added to the <= line as an IP address in square brackets, tagged by I= and followed by a colon and the port number. The local interface and port are also added to other SMTP log lines, for example SMTP connection from, and to rejection lines. |
incoming_port |
The remote port number from which a message was received is added to log entries and Received: header lines, following the IP address in square brackets, and separated from it by a colon. This is implemented by changing the value that is put in the $sender_fullhost and $sender_rcvhost variables. Recording the remote port number has become more important with the widening use of NAT (see RFC 2505). |
lost_incoming_connection |
A log line is written when an incoming SMTP connection is unexpectedly dropped. |
queue_run |
The start and end of every queue run are logged. |
received_sender |
The unrewritten original sender of a message is added to the end of the log line that records the message's arrival, after the word from (before the recipients if received_recipients is also set). |
rejected_header |
If a message's header has been received at the time a rejection is written to the reject log, the complete header is added to the log. Header logging can be turned off individually for messages that are rejected by the local_scan() function (see section 44.2). |
received_recipients |
The recipients of a message are listed in the main log as soon as the message is received. The list appears at the end of the log line that is written when a message is received, preceded by the word for. The addresses are listed after they have been qualified, but before any rewriting has taken place. Recipients that were discarded by an ACL for MAIL or RCPT do not appear in the list. |
retry_defer |
A log line is written if a delivery is deferred because a retry time has not yet been reached. However, this "retry time not reached" message is always omitted from individual message logs after the first delivery attempt. |
sender_on_delivery |
The message's sender address is added to every delivery and bounce line, tagged by F= (for from). This is the original sender that was received with the message; it is not necessarily the same as the outgoing return path. |
size_reject |
A log line is written whenever a message is rejected because it is too big. |
skip_delivery |
A log line is written whenever a message is skipped during a queue run because it is frozen or because another process is already delivering it. The message that is written is "spool file is locked". |
smtp_confirmation |
The response to the final . in the SMTP or LMTP dialogue for outgoing messages is added to delivery log lines in the form C=<text>. A number of MTAs (including Exim) return an identifying string in this response. |
smtp_connection |
A log line is written whenever an SMTP connection is established or closed, unless the connection is from a host that matches hosts_connection_nolog. (In contrast, lost_incoming_connection applies only when the closure is unexpected.) This applies to connections from local processes that use -bs as well as to TCP/IP connections. If a connection is dropped in the middle of a message, a log line is always written, whether or not this selector is set, but otherwise nothing is written at the start and end of connections unless this selector is enabled.
For TCP/IP connections to an Exim daemon, the current number of connections is included in the log message for each new connection, but note that the count is reset if the daemon is restarted. Also, because connections are closed (and the closure is logged) in subprocesses, the count may not include connections that have been closed but whose termination the daemon has not yet noticed. Thus, while it is possible to match up the opening and closing of connections in the log, the value of the logged counts may not be entirely accurate. |
smtp_protocol_error |
A log line is written for every SMTP syntax error encountered. An unrecognized command is treated as a syntax error. For an external connection, the host identity is given; for an internal connection using -bs the sender identification (normally the calling user) is given. |
smtp_syntax_error |
A log line is written for every SMTP syntax error encountered. An unrecognized command is treated as a syntax error. For an external connection, the host identity is given; for an internal connection using -bs the sender identification (normally the calling user) is given. |
subject |
The subject of the message is added to the arrival log line, preceded by T= (T for topic, since S is already used for size). Any MIME words in the subject are decoded. The print_topbitchars option specifies whether characters with values greater than 127 should be logged unchanged, or whether they should be rendered as escape sequences. |
tls_cipher |
When a message is sent or received over an encrypted connection, the cipher suite used is added to the log line, preceded by X=. |
tls_peerdn |
When a message is sent or received over an encrypted connection, and a certificate is supplied by the remote host, the peer DN is added to the log line, preceded by DN=. |
A/3 Configuration Files:
The configuration files for exim can be found in the following location:
Exim |
Configuration (main) |
/etc/exim.conf |
Main configuration file used by Exim |
|
Configuration (local) |
/etc/exim.conf.local |
This is the same file that the Advanced Editor for Exim in WHM uses |
|
" |
/etc/exim.conf.dist |
Exim configuration template used to build the exim conf |
|
" |
/etc/exim.conf.localopts |
This is the same file that the Basic Editor for Exim in WHM uses. |
|
Configuration (mailman-related) |
exim.conf.mailman2.dist |
Template used to build the mailman configuration |
A/4 Log entry Example:
Once you have the logging portion taken care of, we need to actually look at our log. You can find the Exim log at /var/log/exim_mainlog; we will read it from the command line.
Code:
# head /var/log/exim_mainlog
2014-08-10 03:27:11 pid 1014: SIGHUP received: re-exec daemon
2014-08-10 03:27:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q1h
2014-08-10 03:27:15 exim 4.82 daemon started: pid=1014, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
2014-08-10 03:27:15 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
Before we dive into what the log is actually logging and what each piece of it means, let's take a look at some of the commands that are commonly used.
/B/ Exim Commands via the command line
B/1 Available commands under exim:
Exim has a couple of utilities to help search through the queue and logs. Those are:
52.2 |
exiqgrep |
Obtains a queue listing, and then greps the output to select messages that match given criteria. The following selection options are available:
-f Match the sender address using a case-insensitive search. The field that is tested is enclosed in angle brackets, so you can test for bounce messages with exiqgrep -f '^<>$'
-r Match a recipient address using a case-insensitive search. The field that is tested is not enclosed in angle brackets.
-s Match against the size field.
-y Match messages that are younger than the given time.
-o Match messages that are older than the given time.
-z Match only frozen messages.
-x Match only non-frozen messages.
The following options control the format of the output:
-c Display only the count of matching messages.
-l Long format: display the full message information as output by Exim. This is the default.
-i Display message ids only.
-b Brief format: one line per message.
-R Display messages in reverse order.
-a Include delivered recipients in queue listing.
-h, which outputs a list of options. |
52.4 |
exigrep |
exigrep [-t<n>] [-I] [-l] [-v] <pattern> [<log file>] ...
Greps the log using Exim's specific grep rather than standard grep |
B/2 Command examples:
The easiest command to remember, in my opinion, is exiwhat, which lets you know what Exim is currently doing.
Code:
-bash-4.1# exiwhat
27589 daemon: -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
With exigrep, you can search the mail log more easily. In this case I searched for "aaron@" using exiqgrep, which looks through the main queue, while exigrep looks through the log in exim_mainlog. In this case, it returned two messages.
Code:
-bash-4.1# exiqgrep aaron@*
71h 6.7K 1XFRvF-0000Mz-B8 <>
root@nt10598.os.cpanel.vm
71h 12K 1XFRvF-0000NF-NK <>
root@nt10598.os.cpanel.vm
Here we can see I used exigrep to search the log file instead of exiqgrep.
Code:
-bash-4.1# exigrep aaron@ /var/log/exim_mainlog
2014-08-10 10:52:01 1XGVPd-000707-4Y <= aaron@llammasarewaycool.net H=localhost (10.5.40.204) [127.0.0.1]:39668 P=esmtpa A=dovecot_login:aaron@llammasarewaycool.net S=748 id=c828fa59721d8646a0fa75cbf8db9ba3@llammasarewaycool.net T="Llamas are awesome" for aaron@domain.com
2014-08-10 10:52:01 1XGVPd-000707-4Y => aaron <aaron@domain.com> R=virtual_user T=virtual_userdelivery
2014-08-10 10:52:01 1XGVPd-000707-4Y Completed
We can also use a few other commands from the exim command line to help read some of the messages. The next set of commands we will look at will be built into exim directly:
exim -bpc |
Print a total count of messages in the queue |
exim -bp |
Print a listing of the messages including time queue, size, message-ID, sender, and recipient |
exim -bp | exiqsumm |
Prints a summary of the exim mail queue.
-bash-4.1# exim -bp | exiqsumm
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
7 39KB 71h 71h nt10598.os.cpanel.vm
3 19KB 14h 78m nt12664.product.cpanel.vm
---------------------------------------------------------------
10 58KB 71h 78m TOTAL |
exim -bt user@domain.com |
This will test how an email is routed through exim |
exim -bh <ip> |
Run a pretend SMTP transaction from the CLI. The purpose of this is to check Exim's ACLs and filters. |
exim -q -v |
Start a queue run |
exim -ql -v |
Start a queue run for local mail only |
exim -Mrm <message-id> [ <message-id> ... ] |
Remove a message from the queue |
exim -Mvb <message-id> |
View the body of a message |
exim -Mvh <message-id> |
View the header of a message |
exim -Mvc <message-id> |
Provides the whole email and body |
There are additional commands for looking at the queue, but these two are the main utilities for reading the log. You can see the rest of the utilities Exim uses in its official documentation.
You can also view some additional commands and examples for Exim in our Exim cheat sheet created by cPanelJesus, the cPanel Exim Quick Reference.
*Exim runs under the user mailnull, you will commonly see U=mailnull in the exim log.
/C/ Error Messages and Possible Solutions:
C/1 Main entries found in exim_mainlog:
Reading the Exim main log can be daunting, especially with so much information being logged. The main log records the arrival of each message and each delivery in a single line for each case.
Let's take a look at some examples of a few entries in an exim_mainlog; Exim's main log is read from left to right.
The first thing to do when looking at a log entry is to determine what happened to the message. Let's take a quick look at the breakdown of those entries.
<= |
Indicates the arrival of a message for incoming mail |
=> |
Shows a normal message delivery for outgoing mail |
-> |
Additional address for the same delivery, i.e. an Email forwarder. |
>> |
cutthrough is a router precondition
This option requests delivery be attempted while the item is being received. It is usable in the RCPT ACL and valid only for single-recipient mails forwarded from one SMTP connection to another. If a recipient-verify callout connection is requested in the same ACL it is held open and used for the data, otherwise one is made after the ACL completes. |
*> |
delivery suppressed by -N |
** |
delivery failed; address bounced |
== |
delivery deferred; temporary problem |
<> |
From the Exim manual: a bounce message is shown with the sender address <>, and if it is locally generated, this is followed by an item of the form
R=<message id> |
You will also find entries like the below table in the main log such as:
R= |
The address immediately following <= is the envelope sender address. A bounce message is shown with the sender address <>, and if it is locally generated, this is followed by an item of the form
R=<message id> |
T= |
The relay used to transmit the message.
Example:
T=remote_smtp
T=local_delivery |
H= |
Represents the host:
H=localhost (10.5.40.204) [127.0.0.1]:39753
H=mailer.fict.example [192.168.123.123] U=exim |
U= |
The MTA used. |
I= |
Followed by a colon and the port number, the I= is the local interface on which the mail was received. |
P= |
This is the return_path_on_delivery: The return path that is being transmitted with the message is included in delivery and bounce lines, using the tag P=. This is omitted if no delivery actually happens, for example, if routing fails, or if delivery is to /dev/null or to :blackhole:. |
A= |
If A= is present, then SMTP AUTH was used for the delivery. |
S= |
Is the delivery size of the message |
M8S= |
8bitmime: This causes Exim to log any 8BITMIME status of received messages, which may help in tracking down interoperability issues with ancient MTAs that are not 8bit clean. This is added to the <= line, tagged with M8S= and a value of 0, 7 or 8, corresponding to "not given", 7BIT and 8BITMIME respectively. |
ID= |
Represents the incoming message ID |
T= |
Topic |
from |
From whom the mail was received |
for |
Who the email is for |
C/2 Successful messages sent and received:
Let's take a quick look at a successfully sent message in the exim_mainlog.
Code:
2014-08-10 11:18:35 [28107] 1XGVpL-0007JL-14 <= aaron@llamasarewaycool.net H=localhost (10.5.40.204) [127.0.0.1]:39753 I=[127.0.0.1]:25 P=esmtpa A=dovecot_login:aaron@llamasarewaycool.net S=662 M8S=0 id=d2b648f00f1a1b0813c483d552778dc6@llamasarewaycool.net T="what if you had a llama" from <aaron@llamasarewaycool.net> for aaron@domain.com
2014-08-10 11:18:35 1XGVpL-0007JL-14
This is a standard sent and received message with no errors. Let's take a look at the entry to get a better understanding of a typical log entry.
Code:
1) 2014-08-10 11:18:35
2) 1XGVpL-0007JL-14
3) <=
4) aaron@llamasare.cool
5) H=localhost (10.5.40.204) [127.0.0.1]:39753
5.1) H=mailer.fict.example [192.168.123.123] U=exim
6) I=[127.0.0.1]:25
7) P=esmtpa
8) A=dovecot_login:aaron@llamasare.cool
9) S=662
10) M8S=0
11) id=d2b648f00f1a1b0813c483d552778dc6@llamasare.cool
12) T="what if you had a llama"
13) from <aaron@llamasare.cool>
14) for aaron@domain.com
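The field breakdown above can be turned into a small parser. The following is an added example, not part of the original guide or of Exim itself; the names parse_line and unquote and the keys of the returned dictionary are assumptions, and it assumes the 6-6-2 message ID layout shown in the sample lines. It also covers deferred and bounced lines, where free-text error detail follows the tagged fields.

```python
import re

FLAGS = {"<=", "=>", "->", ">>", "*>", "**", "=="}  # flags from the table above

# Assumption: the 6-6-2 message ID layout seen in this page's sample lines.
HEAD_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
    r'(?: \[(?P<pid>\d+)\])?'
    r'(?: (?P<msg_id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})(?= |$))?'
    r' ?(?P<rest>.*)$'
)
# A token is TAG="quoted text" (spaces allowed inside) or a run of non-spaces.
TOKEN_RE = re.compile(r'(?:[A-Za-z0-9]+=)?"(?:\\.|[^"\\])*"|\S+')
TAG_RE = re.compile(r'^([A-Z][A-Za-z0-9]{0,2}|id)=(.*)$')


def unquote(value):
    """Strip surrounding quotes and backslash escapes from a quoted value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_line(line):
    """Split one exim_mainlog line into its parts; None if it has no timestamp."""
    head = HEAD_RE.match(line.strip())
    if head is None:
        return None
    entry = {"timestamp": head["ts"], "pid": head["pid"], "msg_id": head["msg_id"],
             "flag": None, "address": None, "fields": {}, "sender": None,
             "recipients": [], "detail": None}
    tokens = TOKEN_RE.findall(head["rest"])
    if entry["msg_id"] is None or not tokens or tokens[0] not in FLAGS:
        entry["detail"] = head["rest"] or None    # e.g. "Completed", daemon notices
        return entry
    entry["flag"] = tokens[0]

    # The address runs up to the first TAG= token ("aaron <aaron@domain.com>").
    i, address = 1, []
    while i < len(tokens) and not TAG_RE.match(tokens[i]):
        address.append(tokens[i])
        i += 1
        if address[-1].endswith(":"):             # "** addr: retry timeout exceeded"
            address[-1] = address[-1][:-1]
            entry["detail"] = " ".join(tokens[i:])
            i = len(tokens)
    entry["address"] = " ".join(address)

    current = None
    while i < len(tokens):
        tok = tokens[i]
        tag = TAG_RE.match(tok)
        if tag:
            current, raw = tag.group(1), tag.group(2)
            if raw.endswith(":") and not raw.startswith('"'):
                entry["fields"][current] = raw[:-1]   # "T=remote_smtp: SMTP error ..."
                entry["detail"] = " ".join(tokens[i + 1:])
                break
            entry["fields"][current] = unquote(raw)
        elif tok == "from" and i + 1 < len(tokens) and tokens[i + 1].startswith("<"):
            entry["sender"] = tokens[i + 1].strip("<>")
            i += 1
        elif tok == "for":
            entry["recipients"] = tokens[i + 1:]
            break
        elif current == "H" and tok[0] in "([":   # helo name and [ip]:port belong to H=
            entry["fields"]["H"] += " " + tok
        else:                                     # free text, e.g. "defer (-44): ..."
            entry["detail"] = " ".join(tokens[i:])
            break
        i += 1
    return entry


# Sample lines copied from this page's examples.
SAMPLE_ARRIVAL = (
    '2014-08-10 11:18:35 [28107] 1XGVpL-0007JL-14 <= aaron@llamasarewaycool.net '
    'H=localhost (10.5.40.204) [127.0.0.1]:39753 I=[127.0.0.1]:25 P=esmtpa '
    'A=dovecot_login:aaron@llamasarewaycool.net S=662 M8S=0 '
    'id=d2b648f00f1a1b0813c483d552778dc6@llamasarewaycool.net '
    'T="what if you had a llama" from <aaron@llamasarewaycool.net> for aaron@domain.com')
SAMPLE_DEFER = (
    '2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost '
    'T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT '
    'TO:<test@gylsystems.com>: host gylsystems.com [69.69.69.69]: 451 '
    'Temporary local problem - please try later')
SAMPLE_BOUNCE = (
    '2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull '
    'P=local S=1951 T="Mail delivery failed: returning message to sender" '
    'for garfield@llamasare.cool')

if __name__ == "__main__":
    for sample in (SAMPLE_ARRIVAL, SAMPLE_DEFER, SAMPLE_BOUNCE):
        print(parse_line(sample))
```

On the bounce line, the R= field carries the ID of the message that failed, which is what you would pass to exigrep to find the original delivery attempt.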
C/3 Other exim configuration files and folder structure:
/etc/mailhelo |
This file is the configuration file for Exim's HELO command. Records should be represented as: addonor.subdomain.com: maindomain.com |
/etc/mailips |
This file specifies the IP addresses from which Exim should send email. |
/etc/mail_reverse_dns |
This file specifies the domains that are associated with the IP addresses from which Exim should send email. |
/etc/remotedomains |
Sends out an email to an internet address. |
/etc/localdomains |
Sends out an email to a local address. |
dig mx <domain> |
Dig a domain and pull MX records only |
If all of those are valid and pointing to the correct location, the next step is to verify that the mailbox truly exists. You want to check the mail folder in the user's home directory.
A user's email is stored in /home/user/mail/<domain>/<emailuser>/.
Below is a sample directory structure of an email account:
/home/username/mail (mail folder)
/home/username/etc (configuration files)
/domain.com (domain)
admin (email user)
maildirsize (quota/usage summary, expendable)
cur (default inbox for read email)
new (default email for unread email)
Drafts ( sample folder )
- cur (read email)
- new (unread email)
C/4 Types of Errors:
C/4.1 Failed 421 - Temporary Failures:
C/4.1.1 - Example 1 Temporarily deferred
There has been a temporary issue, please try sending the email again in 72 hours. This is usually a temporary ban by the network you're trying to contact.
Code:
2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM:<someone@someaddress.com> SIZE=6601: host mta5.am0.yahoodns.net [66.196.118.240]: 421 4.7.0 [GL01] Message from (184.171.253.133) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html
C/4.1.2 - Example 2 - Rate limited
Too many emails have been sent out to this network and there is a temporary block preventing emails from being received. Like example 1, give it some time to clear out and try again in 72 hours.
Code:
2014-09-12 08:01:12 1XSLn4-003Fa1-OX SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.66.27]: 421-4.7.0 [77.69.28.195 15] Our system has detected an unusual rate of\n421-4.7.0 unsolicited mail originating from your IP address. To protect our\n421-4.7.0 users from spam, mail sent from your IP address has been temporarily\n421-4.7.0 rate limited. Please visit\n421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk\n421 4.7.0 Email Senders Guidelines. q4si1448293wij.85 - gsmtp
C/4.1.3 - Example 3 - Permanently deferred
The email will not be delivered since you have been blocked by the network, do not try to resend the emails, instead, contact the host you are trying to send the mail to.
Code:
2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM:<someone@someaddress.com> SIZE=1811: host mta7.am0.yahoodns.net [66.66.66.66]: 421 4.7.1 [TS03] All messages from 5.196.113.212 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Regardless of the 421 error that you receive, you should check whether the user is on an RBL. Nearly all 421 errors mean that the mail service you are trying to reach has blocked your email from being received on their network. Please understand this means the main issue is not with your server per se, but with the host or network you are trying to reach. This can usually just be waited out, but in some cases you will need to contact the host of the email network you are sending to.
C/4.2 Failed 450 - Service timeout:
C/4.2.1 Example 1 - Client Host Rejected
Code:
TO:<someone@someaddress>: host mx.someaddress.com [20.20.20.20]: 450 4.7.1 Client host rejected: cannot find your hostname, [20.20.20.20]
2014-09-21 16:06:05 1XUKFa-0003bb-EM ** someone@someaddress>: retry timeout exceeded
Verify the PTR record and the actual hostname are set up.
C/4.2.2 Example 2 - Client's Host is trying too much
Code:
2014-10-10 10:25:01 1XcKLM-003IGU-Fr SMTP error from remote mail server after RCPT TO:<ma@bol.com>: host pro-mail-mx-002.bol.com [20.20.20.20]: 450 4.7.1 Service unavai$
The client is trying to send too many emails and there is a temporary rejection from the network. Allow 72 hours for this to clear up and then try to send the mail again.
C/4.3 Failed 451 - Temporary Local Problem:
Usually, 451 is a temporary failure and trying again in just a few minutes usually allows it to send. Here are a few other suggestions.
C/4.3.1 Example 1 - Clients Host is unable to send
Code:
2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost
T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT
TO:<test@gylsystems.com>: host gylsystems.com [69.69.69.69]: 451
Temporary local problem - please try later
The server was missing an entry for its hostname in /etc/localdomains. Once this is added, you will no longer see the error recur.
C/4.3.2 Example 2 - Could not complete sender verify
Code:
2014-11-24 11:25:33 H=localhost (srv-hs1.netsons.net) [::1]:49956 sender verify defer for <testcp@as-graphicdesign.net>: require_files: error for /home/bcivgkkq/etc/as-graphicdesign.net: Permission denied
2014-11-24 11:25:33 H=localhost (srv-hs1.netsons.net) [::1]:49956 F=<testcp@as-graphicdesign.net> A=dovecot_login:testcp@as-graphicdesign.net temporarily rejected RCPT <test@pleasecheck.net>: Could not complete sender verify
Verify that the permissions of the folders are correct, and that there is a valid reverse record for the domain. In this case permissions were set to 750 on the user's home folder instead of 711.
C/4.4 Failed 452 - Temporary Failures:
C/4.4.1 Example 1 - Domain Size limit exceeded
Code:
2014-09-13 11:37:53 1XSdCz-00049U-5A == juan.miranda@apuestasdecordoba.com.co R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<juan.miranda@apuestasdecordoba.com.co>: host mail54.safesecureweb.com [208.112.111.212]: 452 <juan.miranda@apuestasdecordoba.com.co> Domain size limit exceeded
Verify that the permissions of the folders are correct. In this case permissions were set to 750 on the user's home folder instead of 711.
C/4.4.2 Example 2 - Domain Size limit exceeded
Code:
2014-09-13 11:37:53 1XSdCz-00049U-5A == juan.miranda@apuestasdecordoba.com.co R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<juan.miranda@apuestasdecordoba.com.co>: host mail54.safesecureweb.com [208.112.111.212]: 452 <juan.miranda@apuestasdecordoba.com.co> Domain size limit exceeded
This failure is from a security scanner, i.e. firewall packet inspection, a security application, or a virus scanner on the local mail server. This error is usually from the receiving server.
C/4.5 Failed 550 - Hard Failures:
A 550 is easily one of the most common errors that occur. So what does it mean? A 550 error code means that your SMTP server isn't able to deliver the sent email to the user. It could be because the user's mailbox does not exist, or it could be from a misconfiguration or a DNS issue.
C/4.5.1 Example 1 - 550 Verification
In this example, we have a failed message with a 550-verification error:
Code:
2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** aaron@freaksavior.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:<aaron@freaksavior.com>: host mail.freaksavior.com [208.74.120.80]: 550-Verification for <garfield@llamasare.cool>\n550-The mail server could not deliver mail to garfield@llamasare.cool. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.\n550 Sender verify failed
The file /etc/remotedomains was modified to point llamasare.cool to an IP that does not exist on the server or an IP that hosts this domain. This caused an email failure because no address in /etc/remotedomains was resolvable for that domain.
Things to check: First things we should check are the files on the server and make sure the email is pointing to the correct location.
C/4.5.2 Example 2 - Invalid A, AAAA, MX, or other DNS record
Code:
SMTP error from remote mail server after RCPT TO:: host idk.megawut.co[41.41.41.41]: 550-Sender has no A, AAAA, or MX DNS records. lnxweb1.jhb.ms.co.za\n550 lnxweb1.jhb.ms.co.za
Verify the zone file in /etc/named for the correct information. If it appears correct, you can run named-checkzone domain.com domain.com.db to verify whether named is able to load the zone.
C/4.5.3 Example 3 - Mail Rejected 550 errors
Code:
Diagnostic-Code: X-Postfix; host mail1.domain.cog [15.15.15.15] said: 550 5.7.1 Message rejected due to content restrictions (in reply to end of DATA command)
When you see an error such as 550 5.7.1 "Message rejected due to content restrictions", this tells us it is due to an attachment that is included with the email. This could be from the content included, or the attachment size. First remove the attachments and try to send your email again. Double-check that the email attachments and signatures added to the body contain nothing which may be restricted.
C/4.5.4 Example 4 - Mail Authentication 550 error
Code:
Final-Recipient: rfc822;someuser@domain.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client.
550-ceaf004-com5q687.failmail.com [65.65.65.65]:58133 is not permitted to relay 550 through this server without authentication.
Since 550s have a number of different meanings and a number of solutions, if users are getting an authentication 550 error you should check whether the domain is configured to use the local email exchange on the server. This may have been causing the email to be rejected for your domain.
C/4.5.5 Example 5 - Bad HELO Record
Code:
"DHE-RSA-AES256-SHA:256: SMTP error from remote mail server after MAIL FROM:<user@domain.com> SIZE=1834: host anawesomeone.com [212.212.212..212]: 550 "REJECTED - Bad HELO - Host impersonating [anotherawesomedomain.com]"
Since HELO records are the same as PTR records we want to check the host of the IP. We should also verify /etc/mailhelo and /etc/mailips on the server.
If the client has a lot of IPs, you can check every host address with this one-liner:
ifconfig | grep "inet addr:[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | awk '{print $2}' | sed 's/addr://' | xargs -I {} host {}
C/4.5.6 Example 6 - Mail Delivery Failure
Code:
2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull P=local S=1951 T="Mail delivery failed: returning message to sender" for garfield@llamasare.cool
In this example, we received a delivery failure reply from the server after the message in example 1 failed to send successfully.
A bounceback can come from an invalid address, or the receiving server may have blocked your connection. Check the folder structure template above and verify the domain exists if possible; also verify that the domain isn't blacklisted in an RBL with a tool such as mxtoolbox or dnsstuff.com.
C/4.6 Failed 553 - Authentication errors:
C/4.6.1 Example 1 - Your domain does not exists
Code:
SMTP error from remote mail server after MAIL FROM:<toor@domain.com>: host mail.domain.com [19.19.19.19]: 553 sorry, your domain does not exists.
Verify there are no ACLs in place dropping connectivity from local domains. SSP should show any changes made to the Exim config. Verify the domain name is valid, that /etc/localdomains and /etc/remotedomains are set, and that the mailbox name does exist.
C/4.6.2 Example 2 - Unable to verify address
Code:
2014-11-26 10:26:32 1XtYro-004Ecv-65 ** honesting@ono.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM:<prueba@grupog.es> SIZE=1604: host mx.ono.com [62.42.230.22]: 553 <prueba@grupog.es> unable to verify address
Verify that SMTP authentication has been enabled.
C/4.7 Failed 554 - rejected due to spam content:
C/4.7.1 Example 1 - Reject
Code:
[15:03:30 hosts5 root /var/log]cPs# grep 1XeRdP-0006JC-FO exim_mainlog
2014-10-15 12:41:11 1XeRdP-0006JC-FO <= <> R=1XeRdF-0006HI-EY U=mailnull P=local S=5445 T="Mail delivery failed: returning message to sender" for somebody@awesomesauce.com
2014-10-15 12:41:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XeRdP-0006JC-FO
2014-10-15 12:42:12 1XeRdP-0006JC-FO ** somebody@awesomesauce.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mx02.lantanacom.com [20.20.20.20]: 554 rejected due to spam content
This means you need to check the content of the mail body. Some text or images may be flagged as spam. Verify the content is not spam-like or suspicious and try again.
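To triage the permanent failures (`**` lines) covered in this section, the following added example (not part of the original guide) groups them by SMTP reply code and by the SMTP stage at which the remote server refused the message. The function names are hypothetical and the sample lines are constructed from the entries above with placeholder hosts and addresses.

```shell
#!/bin/sh
# Constructed sample lines modelled on the entries above; hosts, addresses and
# the third message ID are placeholders, not values from a real server.
sample_failures() {
cat <<'EOF'
2014-11-26 10:26:32 1XtYro-004Ecv-65 ** rcpt@example.net R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM:<sender@example.org> SIZE=1604: host mx.example.net [192.0.2.22]: 553 <sender@example.org> unable to verify address
2014-10-15 12:42:12 1XeRdP-0006JC-FO ** somebody@example.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mx02.example.com [192.0.2.20]: 554 rejected due to spam content
2014-10-15 12:41:11 1XeRdP-0006JC-FO <= <> R=1XeRdF-0006HI-EY U=mailnull P=local S=5445 T="Mail delivery failed: returning message to sender" for somebody@example.com
2014-10-15 12:50:00 1XeRzz-0006ZZ-AA ** other@example.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mx02.example.com [192.0.2.20]: 554 rejected due to spam content
EOF
}

# failure_report (hypothetical name): one line per "**" entry that carries a
# remote SMTP error: "<code> <stage> <message-id> <recipient> <remote-host>"
failure_report() {
    awk '
    $4 == "**" && /SMTP error from remote mail server after / {
        code = "???"; stage = "unknown"; host = "-"
        # Reply code: the three digits right after "[ip]: "
        if (match($0, /\]: [2-5][0-9][0-9] /))
            code = substr($0, RSTART + 3, 3)
        # Stage: text between "server after " and the next colon
        if (match($0, /server after [^:]+/)) {
            stage = substr($0, RSTART + 13, RLENGTH - 13)
            gsub(/ /, "_", stage)
        }
        # Name of the remote host that issued the rejection
        if (match($0, /: host [^ ]+ \[/))
            host = substr($0, RSTART + 7, RLENGTH - 9)
        print code, stage, $3, $5, host
    }'
}

# failure_counts (hypothetical name): "<code> <stage> <count>", sorted.
failure_counts() {
    failure_report |
        awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' |
        LC_ALL=C sort
}

sample_failures | failure_report
sample_failures | failure_counts
```

On a live server, feed the functions from the log instead of the sample, for example `failure_counts < /var/log/exim_mainlog`.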
/D/ SpamBox & SpamAssassin log entries
Both SpamBox and SpamAssassin are used to prevent unwanted mail. SpamAssassin is responsible for flagging unwanted emails, while SpamBox automatically moves email that has been flagged by SpamAssassin to the spam folder. Here are a few examples of what a whitelisted email would look like, as well as an email that has been flagged as spam.
D/1 SpamBox:
D/5.1.1 Example 1 - Mail flagged as spam is forwarded:
In this example, SpamAssassin flags our email as spam and forwards it to the spam folder configured for SpamBox inside the user's cPanel account.
Code:
2014-10-01 15:12:26 1XZKdg-0001g3-JS H=12-12-12-12.domain.net [12.12.12.12]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
2014-10-01 15:12:26 1XZKdg-0001g3-JS <= item@something.net H=12-12-12-12.domain.net [12.12.12.12]:4779 P=esmtp S=491878 id=dos45yx4zbmri7f@something.net T="Payment confirmation: 7037487121" for mark@domain.net
2014-10-01 15:12:26 1XZKdg-0001g3-JS => mark <mark@domain.net> R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
2014-10-01 15:30:35 1XZKvG-0002HW-ML H=(12-12-12-12.domain.net [12.12.12.12]:65376 Warning: "SpamAssassin as marka22 detected message as spam (7.2)"
2014-10-01 15:30:35 1XZKvG-0002HW-ML <= item@something.net H=(12-12-12-12.domain.net [12.12.12.12]:65376 P=esmtp S=519381 id=dos45yx4zbmri7f@something.net T="Payment confirmation: 7037487121" for mark@arka-multimedia.co.uk
2014-10-01 15:30:35 1XZKvG-0002HW-ML => mark <mark@domain.net> R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:30:35 1XZKvG-0002HW-ML Completed
D/1 SpamAssassin:
D/5.1.2 Example 2 - Allowed email:
In our second example, SpamAssassin scans the email and allows it through.
Code:
2014-09-10 13:06:55 1XRlM6-003yMv-KG H=shbkpq40-1168112132.sdsl.bell.ca (BobPC) [15.15.15.15]:46793 Warning: Message has been scanned: no virus or other harmful content was found
2014-09-10 13:06:56 1XRlM6-003yMv-KG H=shbkpq40-1168112132.sdsl.bell.ca (BobPC) [15.15.15.15]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
2014-09-10 13:06:56 1XRlM6-003yMv-KG <= bob@bob.com H=shbkpq40-1168112132.sdsl.bell.ca (BobPC) [15.15.15.15]:46793 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:bob@bob.com S=18635 T="14\" plates" for live@somedomain.com
2014-09-10 13:06:56 1XRlM6-003yMv-KG SMTP connection outbound 1410368816 1XRlM6-003yMv-KG bob.com live@somedomain.com
2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@somedomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.spamexperts.com [108.59.11.79] X=TLSv1:DHE-RSA-AES256-SHA:256 C="250 OK id=1XRlMC-0006w5-F4"
2014-09-10 13:07:22 1XRlM6-003yMv-KG Completed
What we can see from this log is that SpamAssassin with the PID of 46793 has scanned our email with the following message and found it to not be spam:
Code:
Warning: Message has been scanned: no virus or other harmful content was found
SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)
D/5.1.3 Example 3 - Flagged email:
In our last example, the email is not allowed through and is marked as spam by SpamAssassin: "SpamAssassin as sfgthib detected message as spam (998.0)"
Code:
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [209.85.192.68]:42603 Warning: "SpamAssassin as sfgthib detected message as spam (998.0)"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [209.85.192.68]:42603 Warning: Message has been scanned: no virus or other harmful content was found
2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= cpaneltest@gmail.com H=mail-qg0-f68.google.com [209.85.192.68]:42603 P=esmtps X=TLSv1:RC4-SHA:128 S=3411 id=CAPtYmmQYRDb38yTmnA_ULZVjnKVOdtu6yw-HapGmjBCAk6rYYw@mail.gmail.com T="test" for cptest@cptest.local
These are just examples, and your log may look different. If you have any questions about these, please feel free to ask, or open a ticket so we can look into it.
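The three cases above can be pulled out of a log in one pass by joining each message's SpamAssassin warning to its delivery line on the message ID. This is an added example, not part of the original guide: the function names are hypothetical and the sample lines are constructed from the entries above with placeholder hosts and addresses.

```shell
#!/bin/sh
# Constructed sample lines modelled on the three examples above (placeholder
# hosts and addresses; the message IDs are reused only as labels).
sample_spamlog() {
cat <<'EOF'
2014-10-01 15:12:26 1XZKdg-0001g3-JS H=host.example.net [192.0.2.12]:4779 Warning: "SpamAssassin as marka22 detected message as spam (11.0)"
2014-10-01 15:12:26 1XZKdg-0001g3-JS <= item@example.net H=host.example.net [192.0.2.12]:4779 P=esmtp S=491878 T="Payment confirmation" for mark@example.org
2014-10-01 15:12:26 1XZKdg-0001g3-JS => mark <mark@example.org> R=virtual_user_spam T=virtual_userdelivery_spam
2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed
2014-09-10 13:06:56 1XRlM6-003yMv-KG H=client.example.com (BobPC) [192.0.2.15]:46793 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (-0.1)"
2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@example.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.com [192.0.2.79] C="250 OK id=1XRlMC-0006w5-F4"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail.example.com [192.0.2.68]:42603 Warning: "SpamAssassin as sfgthib detected message as spam (998.0)"
2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= sender@example.com H=mail.example.com [192.0.2.68]:42603 P=esmtps S=3411 T="test" for cptest@cptest.local
EOF
}

# spam_report (hypothetical name): "<message-id> <verdict> <score> <router>";
# router is "-" when the log holds no delivery line for that message.
spam_report() {
    awk '
    /SpamAssassin as [^ ]+ detected / {
        id = $3
        verdict[id] = ($0 ~ /as NOT spam \(/) ? "ham" : "spam"
        # Score: the number inside the closing parentheses of the warning
        if (match($0, /\(-?[0-9]+\.[0-9]+\)"$/))
            score[id] = substr($0, RSTART + 1, RLENGTH - 3)
        next
    }
    # Delivery lines carry the router that handled the message (R=...)
    $4 == "=>" || $4 == "->" {
        for (i = 5; i <= NF; i++)
            if ($i ~ /^R=/) router[$3] = substr($i, 3)
    }
    END {
        for (id in verdict)
            print id, verdict[id], score[id], ((id in router) ? router[id] : "-")
    }' | LC_ALL=C sort
}

# spambox_ids (hypothetical name): IDs flagged as spam AND delivered through a
# router whose name ends in "_spam" (virtual_user_spam in the entries above).
spambox_ids() {
    spam_report | awk '$2 == "spam" && $4 ~ /_spam$/ { print $1 }'
}

sample_spamlog | spam_report
```

A message that shows verdict `spam` with router `-` was flagged but has no delivery line in the portion of the log that was read, so grep for its ID to see what happened next.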
D/ Conclusion:
Now that you've had a chance to get your feet wet with the Exim configuration and logging, I hope this article provides the necessary resources to review the exim_mainlog to check for spam, or to confirm that an email was sent or received. Sometimes reading this log can be confusing and not make a lot of sense. With Exim allowing more verbose logging, as well as specific commands and additional utilities built around Exim, you should be able to review the log in detail to determine if there is an issue with the mail transport agent. You can find further documentation on Exim and Exim's logs through Exim directly at
Documentation for Exim
*Post will be edited as new information is found