Exim Log
Being a techie, reading the manual is something of a rarity. The Exim Specification, however, is one thing I do read. Just occasionally I find the need to make some notes. Being on the terse side, Exim's logging is occasionally hard to fathom. Having discovered my notes on this subject are somewhat out of date I've updated them...
Log Flags
| Flag | Meaning |
| --- | --- |
| <= | message arrival |
| => | normal message delivery |
| -> | additional address in same delivery |
| *> | delivery suppressed by -N |
| ** | delivery failed; address bounced |
| == | delivery deferred; temporary problem |
Fields
| Field | Meaning |
| --- | --- |
| A | authenticator name (and optional id) |
| C | SMTP confirmation on delivery |
| CV | certificate verification status |
| DN | distinguished name from peer certificate |
| DT | time taken for a delivery |
| F | sender address (on delivery lines) |
| H | host name and IP address |
| I | local interface used |
| id | message id for incoming message |
| P | on <= lines: protocol used; on => lines: return path |
| QT | time spent on queue |
| R | on <= lines: reference for local bounce; on => lines: router name |
| S | size of message |
| ST | shadow transport name |
| T | on <= lines: message subject (topic); on => lines: transport name |
| U | local user or RFC 1413 identity |
| X | TLS cipher suite |
Message Reception
2002-10-31 08:57:53 16ZCW1-0005MB-00 <= kryten@dwarf.fict.example
H=mailer.fict.example [192.168.123.123]:9767
I=[82.148.225.15]:25 U=exim
P=smtp S=5678 id=<incoming message id>
X=TLSv1:DES-CBC3-SHA:168 CV=no
T="Rimmer Directive #271"
- 2002-10-31 08:57:53
  - date and time
- 16ZCW1-0005MB-00
  - message ID
- kryten@dwarf.fict.example
  - envelope sender address
  - a bounce message is shown with the sender address "<>"
  - if locally generated, 'R=<message id>' is a reference to the message that caused the bounce
- H=mailer.fict.example [192.168.123.123]:9767
  - host name, IP address, port
  - omitted for locally generated messages
  - the number given in square brackets is the IP address of the sending host
  - if there is a single, unparenthesized host name in the H field it has been verified to correspond to the IP address (see the host_lookup option)
  - if the name is in parentheses, it was the name quoted by the remote host in the SMTP HELO or EHLO command, and has not been verified
  - if verification yields a different name to that given for HELO or EHLO, the verified name appears first, followed by the HELO or EHLO name in parentheses
  - only the final address in square brackets can be relied on
- I=[82.148.225.15]:25
  - incoming_interface & incoming_port
- U=exim
  - local user or RFC 1413 identity (ident lookups not implemented)
- P=smtp
  - protocol for incoming message
- X=TLSv1:DES-CBC3-SHA:168
  - TLS cipher suite
- CV=no
  - certificate verification status
- S=5678
  - size of message
- id=<incoming message id>
  - incoming message id
- T="Rimmer Directive #271"
  - message subject (topic)
  - "No chance you metal bastard"
Message Delivery
There are two formats. The first is for remote deliveries:
2002-10-31 08:59:13 16ZCW1-0005MB-00 => marv <marv@hitch.fict.example>
R=localuser T=remote_smtp S=1234
H=mailer.fict.example [192.168.123.123]
C="250 2.0.0 i1G0Bjif055100 Message accepted for delivery"
QT=6s DT=0s
The second is for local deliveries:
2002-10-31 09:00:10 16ZCW1-0005MB-00 => monk@holistic.fict.example
R=dnslookup T=local_delivery S=1234
QT=10s DT=4s
For ordinary local deliveries, the original address is given in angle brackets after the final delivery address, which might be a pipe or a file. If intermediate address(es) exist between the original and the final address, the last of these is given in parentheses after the final address. The R and T fields record the router and transport that were used to process the address.
- generation of a reply message by a filter file gets logged as a "delivery" to the addressee, preceded by ">"
- second and subsequent addresses are flagged with "->" instead of "=>"
- When two or more messages are delivered down a single SMTP connection, an asterisk follows the IP address in the "[-=]>" lines
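The following is an added example, not part of the original notes and not Exim's own code: a small Python parser for the line formats described above. It recognises the six flags, splits the KEY=value fields (keeping H= intact even though its value contains spaces), and decomposes the H field into the verified name, the unverified HELO/EHLO name in parentheses, the IP address in square brackets, the port, and the trailing asterisk that marks a shared SMTP connection. The log lines are constructed for the example and follow the layout on this page, with one message id and host names assumed.

```python
import re

# Flag meanings from the "Log Flags" table above.
FLAGS = {
    "<=": "message arrival",
    "=>": "normal message delivery",
    "->": "additional address in same delivery",
    "*>": "delivery suppressed by -N",
    "**": "delivery failed; address bounced",
    "==": "delivery deferred; temporary problem",
}

# Constructed sample lines (not from a real server); a reception line, a
# local delivery and a second address delivered down the same SMTP connection.
SAMPLE_LOG = """\
2002-10-31 08:57:53 16ZCW1-0005MB-00 <= kryten@dwarf.fict.example H=mailer.fict.example (starbug.fict.example) [192.168.123.123]:9767 I=[82.148.225.15]:25 P=smtp X=TLSv1:DES-CBC3-SHA:168 CV=no S=5678 id=<271@dwarf.fict.example> T="Rimmer Directive #271"
2002-10-31 08:59:13 16ZCW1-0005MB-00 => marv <marv@hitch.fict.example> R=localuser T=local_delivery S=1234 QT=6s DT=0s
2002-10-31 09:00:10 16ZCW1-0005MB-00 -> monk@holistic.fict.example R=dnslookup T=remote_smtp H=holistic.fict.example [192.168.234.234]* C="250 2.0.0 Message accepted for delivery" QT=10s DT=4s
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<msgid>[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+) "
    r"(?P<flag><=|=>|->|\*>|\*\*|==) (?P<rest>.*)$"
)

# A field value is either a double-quoted string or a run of space-separated
# tokens none of which looks like the start of the next KEY= field. That is
# what keeps "name (helo) [ip]:port" together as the single value of H.
FIELD_RE = re.compile(
    r'(?P<key>[A-Za-z]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+(?: (?![A-Za-z]+=)\S+)*)'
)

HOST_RE = re.compile(
    r"^(?:(?P<verified>[^\s(\[]+) )?"  # unparenthesized name: verified via lookup
    r"(?:\((?P<helo>[^)]*)\) )?"       # parenthesized name: HELO/EHLO, unverified
    r"\[(?P<ip>[^\]]+)\]"              # IP address: the only part to rely on
    r"(?::(?P<port>\d+))?"
    r"(?P<multi>\*)?$"                 # '*': several messages on one SMTP connection
)


def parse_host(value):
    """Split an H= value into its verified, unverified and reliable parts."""
    m = HOST_RE.match(value)
    if not m:
        return {"raw": value}
    return {
        "verified": m.group("verified"),
        "helo": m.group("helo"),
        "ip": m.group("ip"),
        "port": int(m.group("port")) if m.group("port") else None,
        "multi": m.group("multi") is not None,
    }


def parse_line(line):
    """Parse one main-log line; returns None for lines without a flag."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    first = re.search(r"(?:^| )[A-Za-z]+=", rest)
    address = rest[: first.start()].strip() if first else rest.strip()
    fields = {}
    for f in FIELD_RE.finditer(rest[first.start():] if first else ""):
        val = f.group("val")
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[f.group("key")] = val
    return {
        "time": m.group("ts"),
        "msgid": m.group("msgid"),
        "flag": m.group("flag"),
        "meaning": FLAGS[m.group("flag")],
        "address": address,
        "fields": fields,
        "host": parse_host(fields["H"]) if "H" in fields else None,
        # X= only says the session was encrypted; CV=yes is what says the
        # peer certificate actually verified.
        "tls_peer_verified": fields.get("CV") == "yes",
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(entry["msgid"], entry["flag"], entry["meaning"], entry["host"])
```

The `host` dictionary makes the trust boundary explicit: `ip` is what the connection actually came from, `verified` is what a reverse-and-forward lookup confirmed, and `helo` is whatever the peer chose to say. Anything that feeds log data into allow-lists or alerting should key on `ip`, never on `helo`.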
Greppage
Using grep(1) to pull info from logfiles is useful. But it is mildly annoying as multiple log lines refer to individual mails. The exigrep utility is a Perl script that searches one or more main log files for entries that match a given pattern. When it finds a match, it extracts all the log entries for the relevant message, not just those that match the pattern. Thus, exigrep can extract complete log entries for a given message, or all mail for a given user, or for a given host, for example.
The usage is:
exigrep [-l] [-t<n>] <pattern> [<log file>] ...
The -t argument specifies a number of seconds. It adds an additional condition for message selection. Messages that are complete are shown only if they spent more than <n> seconds on the queue.
The -l flag means "literal", that is, treat all characters in the pattern as standing for themselves. Otherwise the pattern must be a Perl regular expression. The pattern match is case-insensitive. If no file names are given on the command line, the standard input is read.
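As an added example (not part of the original notes and not the real exigrep script), here is the core of what exigrep does, in Python: group every main-log line by message id, select the messages with at least one line matching the pattern, and return all of each selected message's lines. The -l behaviour is modelled with `re.escape`, and the -t behaviour is approximated by measuring from a message's first log line to its "Completed" line; that approximation is an assumption of this example. The log excerpt is constructed, with two interleaved messages.

```python
import re
from datetime import datetime

# Constructed sample excerpt (not from a real server): two messages whose
# lines interleave, as they do on a busy host.
SAMPLE_LOG = """\
2002-10-31 08:57:53 16ZCW1-0005MB-00 <= kryten@dwarf.fict.example H=mailer.fict.example [192.168.123.123] P=smtp S=5678
2002-10-31 08:57:55 16ZCW2-0005MC-00 <= holly@dwarf.fict.example H=(red.dwarf) [10.0.0.7] P=smtp S=321
2002-10-31 08:57:56 16ZCW2-0005MC-00 => lister@hitch.fict.example R=dnslookup T=remote_smtp H=hitch.fict.example [192.168.1.2]
2002-10-31 08:57:56 16ZCW2-0005MC-00 Completed
2002-10-31 08:59:13 16ZCW1-0005MB-00 => marv <marv@hitch.fict.example> R=localuser T=local_delivery
2002-10-31 09:00:10 16ZCW1-0005MB-00 Completed
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+) (.*)$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def group_by_message(lines):
    """Collect every log line for each message id, in order of first appearance."""
    groups = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # daemon and startup lines carry no message id
        groups.setdefault(m.group(2), []).append(line)
    return groups


def queue_seconds(entry_lines):
    """Seconds from the first log line to 'Completed'; None if not yet complete."""
    first = datetime.strptime(LINE_RE.match(entry_lines[0]).group(1), TIME_FMT)
    for line in entry_lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "Completed":
            return (datetime.strptime(m.group(1), TIME_FMT) - first).total_seconds()
    return None


def exigrep(text, pattern, literal=False, min_queue_seconds=None):
    """Return [(msgid, [all lines of that message]), ...] for matching messages."""
    rx = re.compile(re.escape(pattern) if literal else pattern, re.IGNORECASE)
    selected = []
    for msgid, entry in group_by_message(text.splitlines()).items():
        if not any(rx.search(line) for line in entry):
            continue
        if min_queue_seconds is not None:
            qt = queue_seconds(entry)
            # -t only shows complete messages that sat longer than the threshold
            if qt is None or qt <= min_queue_seconds:
                continue
        selected.append((msgid, entry))
    return selected


if __name__ == "__main__":
    for msgid, lines in exigrep(SAMPLE_LOG, "marv"):
        print("\n".join(lines))
```

The literal flag matters more than it looks: a pattern such as `[192.168.123.123]` read as a regular expression is a character class that matches any single digit or dot, so without -l it selects every message in the log rather than the one host.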