nicks-domain.com

Exim Commands

This is a page with a lot of useful Exim commands. It's a work in progress, so bear with me.

The following gives you an hourly count of mail sent for a domain on a given day; set DOMAIN and DATE at the start of the command.

DOMAIN='somedomain.com'; DATE='2011-11-03'
o1=$(for i in $(sudo grep "$DOMAIN" /var/log/exim_mainlog | grep "$DATE" | egrep "A=fixed|A=courier_login" | awk '{print $4}' | sort | uniq); do sudo grep "$i" /var/log/exim_mainlog; done | grep -v "retry time not reached for any host")
o2=$(echo "$o1" | awk '{print $2}' | cut -d: -f1 | sort | uniq -c)
echo " COUNT HOUR"; echo "$o2"
unset DOMAIN DATE o1 o2

The following will show you how many emails have been sent per email address for the specified domain.

sudo grep somedomain.com /var/log/exim_mainlog | grep courier_login | awk -F"courier_login:" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

And the following will show you how many emails have been sent from ALL domains since the beginning of the log.

sudo grep "A=courier_login" /var/log/exim_mainlog | awk -F"A=courier_login:" '{print $2}' | cut -f1 -d' ' | sort | uniq -c | sort -n | awk '{print $1, " unique emails sent by ", $2}'

Delete mail in queue from a certain user:

for i in $(exim -bp | grep user@domain.com | grep -e - | grep @ | awk '{print $3}'); do exim -Mrm $i; done

Is a form being exploited and sending spam? Where is it? The following asks for a cPanel username and lists the directories (cwd=) that mail was sent from under that user, with a count for each:

echo -n "What cpanel user: "; read p; sudo grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | grep "$p"

Is there a file that sends mail via PHP's mail() function?

find ./ -name \*.php -exec grep -l "mail(" {} \;

How many IMAP connections does each user have? (The bracket in the grep pattern stops the grep process itself from being counted.)

ps -ef | grep '[i]map' | awk '{print $1}' | sort | uniq -c | sort -g -k1 | tail

Can the user receive but not send, even though all settings are correct? Check that the shadow file has the correct permissions. Log in to the server, switch to the user and run this:

find /home/$(whoami)/etc -type f -name shadow -exec chmod 644 {} \;

Can the customer not even log in to webmail? Are they being brute forced? This will show the number of failed logins per IP:

sudo grep FAILED /var/log/maillog |awk '{print $9}' |sort -n|uniq -c |sort -n |tail -7

The following is better, but you may need more permissions to run it. It shows the number of failed logins, the IP doing the failing, and how many different users it tried to log in as:

awk -F"ffff:" '/FAILED/ {IP[$NF]++} END {for (host in IP) print IP[host]" "host}' /var/log/maillog | awk '$1 > 99' | sort -nk1 | sed 's#]##' > IPS
for IP in $(awk '{print $2}' IPS); do
    echo -n "$(grep "$IP" IPS)"
    echo -n " - Failed users: "
    grep "$IP" /var/log/maillog | awk -F"user=" '/FAILED/ {print $2}' | cut -d, -f1 | sort | uniq | wc -l
done

It will show something like:

135 50.75.12.41 - Failed users: 3
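The same summary as a one-pass script, added here as an example and not part of the original page. It assumes the Courier-style maillog lines the commands above parse (LOGIN FAILED, user=..., ip=[::ffff:...]), takes the threshold as an argument instead of the hard-coded 99, and runs against constructed sample lines so it can be tried without root.

```shell
#!/bin/sh
# Added example, not from the original page: a one-pass version of the
# failed-login summary above. It parses Courier-style maillog lines
# (LOGIN FAILED, user=..., ip=[::ffff:...]) and reports, per source IP, the
# number of failures and the number of distinct usernames tried from it.

# Constructed sample maillog lines (hostname, users and IPs are made up).
SAMPLE_MAILLOG='Nov  3 08:51:02 server imapd: LOGIN FAILED, user=alice@somedomain.com, ip=[::ffff:50.75.12.41]
Nov  3 08:51:05 server imapd: LOGIN FAILED, user=bob@somedomain.com, ip=[::ffff:50.75.12.41]
Nov  3 08:51:09 server imapd: LOGIN FAILED, user=alice@somedomain.com, ip=[::ffff:50.75.12.41]
Nov  3 08:51:12 server pop3d: LOGIN FAILED, user=carol@somedomain.com, ip=[::ffff:50.75.12.41]
Nov  3 08:52:00 server imapd: LOGIN, user=alice@somedomain.com, ip=[::ffff:10.0.0.5], protocol=IMAP
Nov  3 08:52:30 server imapd: LOGIN FAILED, user=alice@somedomain.com, ip=[::ffff:10.0.0.5]
Nov  3 08:53:00 server imapd: LOGIN FAILED, user=dave@somedomain.com, ip=[::ffff:203.0.113.9]
Nov  3 08:53:01 server imapd: LOGIN FAILED, user=dave@somedomain.com, ip=[::ffff:203.0.113.9]'

# failed_login_summary THRESHOLD  (reads maillog lines on stdin)
# Prints "FAILURES IP USERS" for each IP with at least THRESHOLD failures,
# lowest count first. THRESHOLD defaults to 100, like the page's "> 99".
failed_login_summary() {
    awk -v min="${1:-100}" '
        /LOGIN FAILED/ {
            user = ""; ip = ""
            # user=... and ip=[...] are comma-terminated key=value fields
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/) { user = $i; sub(/^user=/, "", user); sub(/,$/, "", user) }
                if ($i ~ /^ip=\[/) {
                    ip = $i; sub(/^ip=\[/, "", ip); sub(/,$/, "", ip)
                    sub(/\]$/, "", ip); sub(/^::ffff:/, "", ip)   # strip IPv4-mapped prefix
                }
            }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print fails[ip], ip, users[ip]
        }' | sort -n -k1,1
}

# Demo: flag any IP with 2 or more failures in the sample.
# Prints:
#   2 203.0.113.9 1
#   4 50.75.12.41 3
printf '%s\n' "$SAMPLE_MAILLOG" | failed_login_summary 2
```

On a real server, replace the demo line with `failed_login_summary 100 < /var/log/maillog`.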

The following command will show you all the emails in the queue, grouped by domain.

exim -bp | /usr/sbin/exiqsumm

The following command will show you all the emails in the queue, grouped by sending email account.

exim -bp | awk 'NF>1 {print $4}' | sort | uniq -c | sort -nk1

When was the mail IP last changed? Run this:

ls -lah /etc/mailips

That will return something like this:

user@server[~]# ls -lah /etc/mailips
-rw-r----- 1 root mail 19 Oct 3 08:51 /etc/mailips

Force delivery of one message

exim -M messageID

Force another queue run

exim -qf

Force another queue run that also attempts to deliver the frozen messages

exim -qff

View the log for the message

exim -Mvl messageID

View the body of the message

exim -Mvb messageID

View the header of the message

exim -Mvh messageID

Remove message without sending any error message

exim -Mrm messageID

Give up on a message and fail it, which bounces it to the sender

exim -Mg messageID

How many frozen messages are in the queue

exim -bpr | grep frozen | wc -l

Deleting frozen messages

exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

To find out how many messages are in the mail queue:

exim -bpc

To push queued email for a certain domain:

exim -v -Rff domain.com

To check the mails in the queue:

exim -bp

To check to see how many emails are in queue for domain.com, run the following:

exim -bp | grep 'domain.com>'

Make sure the '>' is included, because that character only appears in the sender field. Without it you will match both the to and the from addresses.