Exim Commands

This is a page with a lot of useful Exim commands. It's a work in progress, so bear with me.


The following gives you an hourly count of log lines for mail accepted from authenticated users of a domain on a given date (set DOMAIN and DATE first). It collects the message IDs of messages accepted with A=fixed... or A=courier_login... for that domain, pulls every log line for those IDs (arrival, deliveries, completion) except the harmless "retry time not reached" deferrals, and counts those lines by hour. The message ID is taken as the field just before the "<=" arrival marker, so it works whether or not the log also records the process ID. Mail handed to the local sendmail binary by scripts has no A= field and is not included.


DOMAIN=''; DATE='2011-11-03'
o1=$(for i in $(sudo grep "$DOMAIN" /var/log/exim_mainlog | grep "$DATE" | grep -E "A=fixed|A=courier_login" | awk '{for (i = 1; i <= NF; i++) if ($i == "<=") print $(i - 1)}' | sort -u); do sudo grep "$i" /var/log/exim_mainlog; done | grep -v "retry time not reached for any host")
o2=$(echo "$o1" | awk '{print $2}' | cut -d: -f1 | sort | uniq -c)
echo " COUNT HOUR"; echo "$o2"
unset o1 o2 DOMAIN DATE


The following will show you how many emails have been sent per email address for the specified domain (set DOMAIN first). It only counts submissions that authenticated through the courier_login authenticator; if the server logs dovecot_login instead, change the name in both places.


sudo grep "$DOMAIN" /var/log/exim_mainlog | grep courier_login | awk -F"courier_login:" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n


And the following will show you how many emails have been sent, per authenticated account, from ALL domains since the log was last rotated (the number is a message count, not a count of unique emails):


sudo grep "A=courier_login" /var/log/exim_mainlog | awk -F"A=courier_login:" '{print $2}' | cut -f1 -d' ' | sort | uniq -c | sort -n | awk '{print $1, "emails sent by", $2}'


Delete mail in queue from a certain user (sender address). Replace user@domain and keep the closing '>': exim -bp prints the sender in angle brackets on the first line of each queue entry, where $3 is the message ID, while recipient lines carry the bare address and no ID. Run the exim -bp | grep part on its own first to review what is about to be deleted (exiqgrep -i -f 'user@domain' prints the same IDs without the grep guesswork).

for i in $(exim -bp | grep 'user@domain>' | awk '{print $3}'); do exim -Mrm "$i"; done



Is a form being exploited and sending spam? Where is it? Exim logs the working directory (cwd=) of messages handed to it on the command line, which is how PHP's mail() delivers, so a script directory with a high count points at the form being abused. Enter the cPanel user to restrict the listing to that account's paths:

echo -n "What cpanel user: "; read p; sudo grep cwd= /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | grep "$p"
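As an added example (not from the original page), the three log checks above, plus the message-ID lookup the hourly count relies on, as small shell functions run over constructed exim_mainlog lines. The sample log, account names, message IDs and addresses are all made up; the functions read the log on stdin, so on a real box you would feed them sudo cat /var/log/exim_mainlog. They go slightly beyond the one-liners: the authenticated account is taken from whatever name follows "A=" (so dovecot_login is covered as well as courier_login), and the message ID is taken as the field right before the "<=" marker instead of a fixed column.

```sh
#!/bin/sh
# Added example: exim_mainlog triage helpers. Not from the original page.
# Every function reads log lines on stdin, e.g.  sudo cat /var/log/exim_mainlog | sent_per_account

# Constructed sample log: made-up message IDs and accounts, RFC 5737 addresses.
sample_log() {
cat <<'EOF'
2011-11-03 08:51:12 1RMhaL-0003tx-Kv <= alice@example.com H=(home) [203.0.113.5] P=esmtpa A=courier_login:alice@example.com S=1420 T="Invoice"
2011-11-03 08:51:13 1RMhaL-0003tx-Kv => bob@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.25]
2011-11-03 08:51:13 1RMhaL-0003tx-Kv Completed
2011-11-03 09:02:01 1RMhbX-0003ty-1A <= mallory@example.com H=(unknown) [198.51.100.7] P=esmtpa A=courier_login:mallory@example.com S=2048 T="Cheap pills"
2011-11-03 09:02:02 1RMhbY-0003tz-2B <= mallory@example.com H=(unknown) [198.51.100.7] P=esmtpa A=courier_login:mallory@example.com S=2048 T="Cheap pills"
2011-11-03 09:02:02 1RMhbY-0003tz-2B == victim@example.net R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2011-11-03 10:15:40 1RMhcZ-0003ua-3C <= mallory@example.com H=(unknown) [198.51.100.7] P=esmtpa A=dovecot_login:mallory@example.com S=2048 T="Cheap pills"
2011-11-03 10:20:00 cwd=/home/user1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2011-11-03 10:20:00 1RMhdA-0003ub-4D <= user1@server.example.com U=user1 P=local S=900 T="Contact form"
2011-11-03 10:21:00 cwd=/home/user1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2011-11-03 10:21:00 1RMhdB-0003uc-5E <= user1@server.example.com U=user1 P=local S=900 T="Contact form"
2011-11-03 10:25:00 cwd=/var/spool/cron 3 args: /usr/sbin/sendmail -FCronDaemon -i root
2011-11-03 10:25:00 1RMhdC-0003ud-6F <= root@server.example.com U=root P=local S=300 T="Cron job"
EOF
}

# Messages per authenticated account. One "<=" line per accepted message; the
# account is whatever follows "A=<authenticator>:", so the authenticator name does not matter.
sent_per_account() {
    awk '
        / <= / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^A=[^:]+:/) { sub(/^A=[^:]+:/, "", $i); n[$i]++ }
        }
        END { for (a in n) printf "%d %s\n", n[a], a }
    ' | sort -n
}

# Hourly count of messages accepted from one account (HH taken from the time field, $2).
hourly_for_account() {
    awk -v acct="$1" '
        / <= / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^A=[^:]+:/ && substr($i, index($i, ":") + 1) == acct)
                    h[substr($2, 1, 2)]++
        }
        END { for (x in h) printf "%d %s\n", h[x], x }
    ' | sort -k2
}

# Message IDs accepted from one account. The ID is the field immediately before
# the "<=" marker, which holds whether or not the log also records a [pid] column.
ids_for_account() {
    awk -v acct="$1" '
        / <= / {
            id = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "<=") id = $(i - 1)
                if ($i ~ /^A=[^:]+:/ && substr($i, index($i, ":") + 1) == acct) print id
            }
        }'
}

# Working directories of command-line (PHP mail(), cron) submissions, /var/spool
# paths dropped. A script directory with a high count is the suspect form.
cwd_sources() {
    awk '
        /cwd=/ {
            d = $0; sub(/.*cwd=/, "", d); sub(/ .*/, "", d)
            if (d !~ /^\/var\/spool/) c[d]++
        }
        END { for (d in c) printf "%d %s\n", c[d], d }
    ' | sort -n
}

echo "== messages per account";  sample_log | sent_per_account
echo "== hourly for mallory";    sample_log | hourly_for_account mallory@example.com
echo "== message IDs for mallory"; sample_log | ids_for_account mallory@example.com
echo "== cwd= sources";          sample_log | cwd_sources
```

The hourly function counts arrivals only (one per message), so it is not inflated by delivery and retry lines the way a grep of every line for the message IDs would be; use ids_for_account when you do want to pull the full history of each message.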



Is there a file that sends mail via PHP's mail()? This lists every .php file under the current directory containing the string "mail(" (it also matches other names ending in mail(, and misses calls hidden behind variable function names or obfuscation):

find . -type f -name '*.php' -exec grep -l "mail(" {} +



Which user has how many connections to IMAP? The brackets in the pattern stop grep from matching its own process:

ps -ef | grep '[i]map' | awk '{print $1}' | sort | uniq -c | sort -g -k 1 | tail



Can the user receive but not send, even though all settings are correct? Check the permissions of the per-domain shadow file (/home/USER/etc/DOMAIN/shadow, which holds the mail account password hashes). Log in to the server, switch to the user and run this:

find /home/$(whoami)/etc -type f -name shadow -exec chmod 644 {} \;

Bear in mind that 644 leaves those hashes readable by every local user on the box; 640 owned by the user with group mail is the usual cPanel setting and is enough for the mail services, so prefer it where it works.



Can the customer not even log in to webmail? Are they being brute forced? This shows the number of failed logins per IP (courier imapd/pop3d lines in the log carry the client as ip=[::ffff:A.B.C.D] in the ninth field):

sudo grep FAILED /var/log/maillog | awk '{print $9}' | sort -n | uniq -c | sort -n | tail -7


The following is better, but you may need more permissions to run it. It shows the number of failed logins, the IP doing the failing, and how many different users that IP tried to log into. Only IPs with more than 99 failures are listed (change the 99 to taste), and the list is written to a file called IPS in the current directory:

awk -F"ffff:" '/FAILED/ {IP[$NF]++;} END { for (host in IP) print IP[host]" "host }' /var/log/maillog | awk '{ if ($1 > 99) print $0 }' | sort -nk1 | sed 's#]##' > IPS
for IP in $(awk '{print $2}' IPS); do
    echo -n "$(awk -v ip="$IP" '$2 == ip' IPS)"
    echo -n " - Failed users: "
    grep -F "$IP]" /var/log/maillog | awk -F"user=" '/FAILED/ {print $2}' | cut -d, -f1 | sort -u | wc -l
done

Matching "$IP]" (the address followed by its closing bracket) keeps 198.51.100.7 from also counting lines for 198.51.100.70. It will show something like this, with the address between the count and the dash:

135 <ip> - Failed users: 3
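As an added example (not from the original page), the same brute-force check done in one awk pass as a function, run over constructed courier-style maillog lines. The log lines, accounts and addresses are made up; the function reads the log on stdin, so on a real box it would take /var/log/maillog. It only strips the ::ffff: IPv4-mapped prefix, so a plain IPv6 client is reported as-is rather than mangled, and the threshold is a parameter instead of a hard-coded 99. Dovecot logs a different format and would need its own field handling.

```sh
#!/bin/sh
# Added example: failed IMAP/POP3 logins per source IP from a courier-style
# /var/log/maillog, plus how many distinct accounts each IP tried. Not from the original page.

# Constructed sample: made-up accounts, RFC 5737 / RFC 3849 addresses.
sample_maillog() {
cat <<'EOF'
Nov  3 08:51:00 server imapd: LOGIN FAILED, user=alice@example.com, ip=[::ffff:198.51.100.7]
Nov  3 08:51:01 server imapd: LOGIN FAILED, user=bob@example.com, ip=[::ffff:198.51.100.7]
Nov  3 08:51:02 server imapd: LOGIN FAILED, user=carol@example.com, ip=[::ffff:198.51.100.7]
Nov  3 08:51:03 server imapd: LOGIN FAILED, user=alice@example.com, ip=[::ffff:198.51.100.7]
Nov  3 08:52:00 server pop3d: LOGIN FAILED, user=dave@example.com, ip=[::ffff:203.0.113.9]
Nov  3 08:53:00 server imapd: LOGIN, user=alice@example.com, ip=[::ffff:203.0.113.10], protocol=IMAP
Nov  3 08:54:00 server imapd: LOGIN FAILED, user=alice@example.com, ip=[2001:db8::1]
EOF
}

# Usage: failed_logins_by_ip [MIN]
# Reports every IP with at least MIN failed logins (default 1), highest count first,
# in the same "COUNT IP - Failed users: N" shape as the one-liner above.
failed_logins_by_ip() {
    awk -v min="${1:-1}" '
        /LOGIN FAILED/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ip=\[/) {
                    ip = $i
                    sub(/^ip=\[/, "", ip)      # drop the "ip=[" prefix
                    sub(/^::ffff:/, "", ip)     # IPv4-mapped form -> plain IPv4
                    sub(/[]],?$/, "", ip)       # drop the closing bracket (and trailing comma)
                }
                if ($i ~ /^user=/) { user = $i; sub(/^user=/, "", user); sub(/,$/, "", user) }
            }
            if (ip == "") next
            fails[ip]++
            # count each (ip, user) pair once to get distinct users per IP
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%d %s - Failed users: %d\n", fails[ip], ip, users[ip]
        }
    ' | sort -rn
}

echo "== IPs with 2 or more failures"; sample_maillog | failed_logins_by_ip 2
echo "== everything";                  sample_maillog | failed_logins_by_ip
```

A single IP failing against many different accounts is the password-spraying pattern; a single IP failing many times against one account is a straight brute force of that user. Both show up in the "Failed users" column.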


The following command summarises the queue by recipient domain (message count, volume, oldest and newest age for each domain):

exim -bp | /usr/sbin/exiqsumm



The following command will show you how many messages are in the queue per sender address. NF>1 keeps only the first line of each queue entry (age, size, message ID, sender) and drops the indented recipient lines:

exim -bp | awk 'NF>1{print $4}' | sort | uniq -c | sort -nk1


When was the outgoing mail IP last changed? /etc/mailips is cPanel's map of domains to sending IPs, so its modification time tells you. Run this:

ls -lah /etc/mailips

That will return something like this:

user@server[~]# ls -lah /etc/mailips
-rw-r----- 1 root mail 19 Oct 3 08:51 /etc/mailips

Force delivery of one message

exim -M messageID


Force another queue run, ignoring retry times

exim -qf


Force another queue run that also thaws the frozen messages and retries them

exim -qff


View the log for the message

exim -Mvl messageID



View the body of the message

exim -Mvb messageID



View the header of the message

exim -Mvh messageID



Remove a message from the queue without generating a bounce

exim -Mrm messageID



Give up on a message and fail it, which bounces it back to the sender

exim -Mg messageID



How many frozen mails are in the queue (exim -bpr is exim -bp without the sorting, which is quicker on a big queue; exiqgrep -z -c gives the same count directly)

exim -bpr | grep frozen | wc -l



Deleting frozen messages

exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm



To find out, how many messages are there in the mail queue:

exim -bpc



To push the queued email for a certain domain (every message with a recipient address containing the given string), frozen messages included:

exim -v -Rff domain



To check the mails in the queue:

exim -bp


To check how many emails are in the queue from a given sender, run the following (replace user@domain):

exim -bp | grep 'user@domain>'

Make sure the '>' is in there: exim -bp prints the sender in angle brackets on the first line of each queue entry, while the recipient lines below it carry the bare address. Without the '>' the grep also hits recipient lines and mixes the to and from results. Pipe through wc -l for just the number.
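As an added example (not from the original page), the queue-listing tricks used above (deleting a sender's mail, counting by sender, listing frozen messages, matching the sender field by its angle brackets) as shell functions that parse exim -bp output instead of grepping it. The queue listing below is constructed, with made-up message IDs and addresses; on a real box the functions read exim -bp on stdin. The removal step only prints the exim -Mrm commands so they can be reviewed before being piped into sh.

```sh
#!/bin/sh
# Added example: parse "exim -bp" output with awk. Not from the original page.
# Functions read the queue listing on stdin:   exim -bp | queue_by_sender
#
# exim -bp prints, per message, a header line "age size id <sender>" (with
# "*** frozen ***" appended when frozen), one indented line per recipient, and a
# blank line. A bounce message has the empty sender <>.

# Constructed sample listing: made-up IDs and addresses.
sample_queue() {
cat <<'EOF'
25m  1.2K 1RMhaL-0003tx-Kv <alice@example.com>
          bob@example.org

 3h  2.0K 1RMhbX-0003ty-1A <mallory@example.com> *** frozen ***
          victim1@example.net
          victim2@example.net

 2h  2.0K 1RMhbY-0003tz-2B <mallory@example.com>
          victim3@example.net

 1h   900 1RMhdA-0003ub-4D <> *** frozen ***
          user1@example.com

EOF
}

# Queued messages per sender: header lines have four or more fields, recipient
# lines only one, so NF > 1 selects the headers and $4 is the <sender>.
queue_by_sender() {
    awk 'NF > 1 { print $4 }' | sort | uniq -c | sort -n
}

# Message IDs whose sender is exactly ADDR. Comparing the whole "<addr>" field
# avoids substring matches (a grep for alice@example.com> also hits <malice@example.com>).
queue_ids_for_sender() {
    awk -v want="<$1>" 'NF > 1 && $4 == want { print $3 }'
}

# Message IDs of frozen messages, matched on the literal marker rather than the
# bare word "frozen" so an address containing that word cannot sneak in.
frozen_ids() {
    awk 'NF > 1 && /\*\*\* frozen \*\*\*/ { print $3 }'
}

# Turn a list of IDs into exim -Mrm commands to review; pipe into sh when satisfied.
removal_commands() {
    sed 's/^/exim -Mrm /'
}

echo "== queued messages per sender";                sample_queue | queue_by_sender
echo "== commands to drop everything from mallory";  sample_queue | queue_ids_for_sender mallory@example.com | removal_commands
echo "== frozen message IDs";                        sample_queue | frozen_ids
```

On a live server the same pipeline is exim -bp | queue_ids_for_sender user@domain | removal_commands | sh, which is the reviewed form of the one-liner earlier on this page.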