Thursday, November 11, 2010

EXIM (MTA), its service and administration

What is EXIM?

Exim is an open source mail transfer agent (MTA), which is a program responsible for receiving, routing, and delivering e-mail messages. MTAs receive e-mail messages and recipient addresses from local users and remote hosts, perform alias creation and forwarding functions, and deliver the messages to their destinations.

Exim was developed at the University of Cambridge for use on Unix systems connected to the Internet.

Three logs are available for Exim. They are:

-->The main Exim log file (exim_mainlog) records the arrival of each message, as well as each delivery, in a single logical line.
-->The reject log file (exim_rejectlog) records information about messages and addresses that are rejected based on policy.
-->The Exim panic log (exim_paniclog) is only used when Exim suffers a disastrous error (most often related to syntax errors in the log files).

Exim configuration files and important directories
/etc/exim.conf
/var/log/exim_mainlog
/var/log/exim_rejectlog
/var/log/exim_paniclog
/etc/valiases/
/etc/vfilters/
/home//.forward
 

Message-IDs
The message-IDs are mixed-case alphanumeric and take the form XXXXXX-YYYYYY-ZZ. Exim uses these message-IDs to refer to messages in the queue.

Files in /var/spool/exim/msglog contain logging information for each message and are named the same as the message-id.

Files in /var/spool/exim/input are named after the message-id, plus a suffix denoting whether it is the envelope header (-H) or message data (-D).


Commands to handle Exim

Print a count of messages in the queue:

root@localhost# exim -bpc

Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient):

root@localhost# exim -bp

Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):

root@localhost# exim -bp | exiqsumm

Print what Exim is doing right now:

root@localhost# exiwhat

Test how Exim will route a given address:

root@localhost# exim -bt alias@localdomain.com
user@thishost.com
    <-- alias@localdomain.com
  router = localuser, transport = local_delivery

root@localhost# exim -bt user@thishost.com
user@thishost.com
  router = localuser, transport = local_delivery

root@localhost# exim -bt user@remotehost.com
router = lookuphost, transport = remote_smtp
  host mail.remotehost.com [1.2.3.4] MX=0

Run a pretend SMTP transaction from the command line, as if it were coming from the given IP address. This will display Exim's checks, ACLs, and filters as they are applied. The message will NOT actually be delivered.

root@localhost# exim -bh 192.168.11.22

-->Display all of Exim's configuration settings:

root@localhost# exim -bP
Searching the queue with exiqgrep

Exim includes a utility that is quite handy for grepping through the queue, called exiqgrep.
First, various flags control which messages are matched. These can be combined to come up with a very particular search.

Use -f to search the queue for messages from a specific sender:

root@localhost# exiqgrep -f [luser]@domain

Use -r to search the queue for messages for a specific recipient/domain:

root@localhost# exiqgrep -r [luser]@domain

Use -o to print messages older than the specified number of seconds. For example, messages older than 1 day:

root@localhost# exiqgrep -o 86400 [...]

Use -y to print messages that are younger than the specified number of seconds. For example, messages less than an hour old:

root@localhost# exiqgrep -y 3600 [...]

Use -s to match the size of a message. For example, 700-799 bytes:

root@localhost# exiqgrep -s '^7..$' [...]

Use -z to match only frozen messages, or -x to match only unfrozen messages.

There are also a few flags that control the display of the output.

Use -i to print just the message-id of each message matched by one of the above searches:

root@localhost# exiqgrep -i [ -r | -f ] ...

Use -c to print a count of messages matching one of the above searches:

root@localhost# exiqgrep -c ...

Managing the queue

The main Exim binary (/usr/sbin/exim) is used with various flags to make things happen to messages in the queue. Most of these require one or more message-IDs to be specified on the command line, which is where `exiqgrep -i` as described above really comes in handy.

Start a queue run:

root@localhost# exim -q -v

-->Start a queue run for just local deliveries:

root@localhost# exim -ql -v

-->Remove a message from the queue:

root@localhost# exim -Mrm <message-id> [ <message-id> ... ]

-->Freeze a message:

root@localhost# exim -Mf <message-id> [ <message-id> ... ]

-->Thaw a message:

root@localhost# exim -Mt <message-id> [ <message-id> ... ]

-->Deliver a message:

root@localhost# exim -M <message-id> [ <message-id> ... ]

-->Force a message to fail and bounce as "cancelled by administrator":

root@localhost# exim -Mg <message-id> [ <message-id> ... ]

-->Remove all frozen messages:

root@localhost# exiqgrep -z -i | xargs exim -Mrm


-->Remove all messages older than five days (86400 * 5 = 432000 seconds):

root@localhost# exiqgrep -o 432000 -i | xargs exim -Mrm

-->Freeze all queued mail from a given sender:

root@localhost# exiqgrep -i -f luser@example.tld | xargs exim -Mf

-->View a message's headers:

root@localhost# exim -Mvh <message-id>

-->View a message's body:

root@localhost# exim -Mvb <message-id>

-->View a message's logs:

root@localhost# exim -Mvl <message-id>

-->Add a recipient to a message:

root@localhost# exim -Mar <message-id> <address> [ <address> ... ]

-->Edit the sender of a message:

root@localhost# exim -Mes <message-id> <address>

If the mail queue holds more than 10000 messages, clients may be unable to send mail; you may need to clear out frozen messages.

exim -bpru | grep frozen | wc -l   - This lists the number of frozen messages.

exim -bpru | grep frozen | awk '{print $3}' | xargs exim -Mrm   - Removes the frozen messages.

Check the mail queue properly and observe which account is sending the mass mail, then run the following command to delete that account's mail.

Example:
grep -lr account@yourdomain.com /var/spool/exim/input/* | xargs rm -rf

-->Do the following to delete mail from a particular domain:

grep -lr domainname.com /var/spool/exim/input/* | xargs rm -rf

Note that these two commands delete spool files directly, and grep may match only one of a message's -H/-D pair; handing message-ids to exim -Mrm, as in the body-string example further down, removes both halves cleanly.

The exigrep utility (not to be confused with exiqgrep) is used to search an exim log for a string or pattern. exigrep will search the entire content of a log entry, not just particular fields.

-->One can search for messages sent from a particular IP address:

root@localhost# exigrep '<= .* \[12.34.56.78\] ' /path/to/exim_log

Search for messages sent to a particular IP address:

root@localhost# exigrep '=> .* \[12.34.56.78\]' /path/to/exim_log

This example searches for outgoing messages, which have the "=>" symbol, sent to "user@domain.tld". The pipe to grep for the "<=" symbol will match only the lines with information on the sender: the From address, the sender's IP address, the message size, the message ID, and the subject line if you have enabled logging the subject. Such a search is useful because the desired information is not on the same log line as the string being searched for.

root@localhost# exigrep '=> .*user@domain.tld' /path/to/exim_log | fgrep '<='
 
Generate and display Exim stats from a logfile:

root@localhost# eximstats /path/to/exim_mainlog

Same as above, with less verbose output:

root@localhost# eximstats -ne -nr -nt /path/to/exim_mainlog

Same as above, for one particular day:

root@localhost# fgrep YYYY-MM-DD /path/to/exim_mainlog | eximstats

-->To delete all queued messages containing a certain string in the body:

root@localhost# grep -lr 'a certain string' /var/spool/exim/input/ | \
sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | xargs exim -Mrm
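As an added example (not from the original post), the sed expression above wrapped into a shell function that turns grep -l hits on the spool directory into unique message-ids for exim -Mrm, rather than deleting the -H/-D files with rm as in the account and domain examples earlier; the spool paths and message-ids used here are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): turn grep -l hits on the spool
# directory into unique Exim message-ids for "exim -Mrm", instead of deleting
# the -H/-D files with rm. The spool paths and message-ids below are constructed.

# Each queued message is stored as <msgid>-H (envelope and headers) and
# <msgid>-D (body). grep -l may match one or both of the pair, so the ids are
# deduplicated; names that are not spool files are dropped.
spool_msgids() {
    sed -n -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/p' | sort -u
}

# Number of distinct messages in a list of spool paths.
spool_msgcount() {
    spool_msgids | wc -l | tr -d ' '
}

# Constructed sample of what "grep -lr user@example.com /var/spool/exim/input/*"
# might print, including a stray non-spool file that must be ignored.
SAMPLE_PATHS='/var/spool/exim/input/1PGxyz-0001Ab-Cd-H
/var/spool/exim/input/1PGxyz-0001Ab-Cd-D
/var/spool/exim/input/1PGz12-0003Ef-Gh-D
/var/spool/exim/input/README'

# Dry run over the sample, ids space-separated on one line. The live form is:
#   grep -lr 'a certain string' /var/spool/exim/input/ | spool_msgids | xargs exim -Mrm
sample_ids() {
    printf '%s\n' "$SAMPLE_PATHS" | spool_msgids | tr '\n' ' ' | sed 's/ $//'
}

sample_ids; echo
```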
   
Exim Tweaks

1.) Stop group mailing from the server.

Please add following lines in /etc/exim.conf

recipients_max = 10
recipients_max_reject = true

2.) To receive root's mail

Create a .forward file in /root containing your email address.
 
3.) Disable Attachment Blocking

To disable the executable-attachment blocking that many cPanel servers do by default, but provide no per-domain controls for, add the following block to the beginning of the /etc/antivirus.exim file:

if $header_to: matches "example\.com|example2\.com"
then
finish
endif

4.) Exim Extended Logging
 
Exim extended logging adds valuable logging information to your exim_mainlog file, so that you can determine where messages are coming from, who is sending them, and, if you are seeing mail leave as the user nobody, from which directory on your server that mail originates.

Here is an example:

2003-06-27 14:06:18 cwd=/home/usersite/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:18 19W0QE-0001Nr-1b nobody@yourserversname.com from env-from rewritten as ""usersite.com" " by rule 1

The message above tells me where the message came from, who sent it from my server, the user and the path it was called from. It also tells me how it was called and what it was renamed to before leaving my server.

The message below tells me an incoming message arrived with the subject line "Naked Newsreaders? OH YEAH!". Very helpful in determining spam! You will see many other messages in exim_mainlog that you didn't see before. Great for debugging your message logs and catching spammers!

E.g.: 19W0bO-0001cY-Ej <= jessica@stripdownnews.com H=(one) [128.121.247.84]:52087 I=[64.246.38.122]:25 P=smtp S=2387 T="Naked Newsreaders? OH YEAH!" from jessica@stripdownnews.com
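As an added example (not from the original post), a small awk-based summary of the two kinds of extended-logging line shown above: sendmail invocations per working directory (the cwd= lines that +arguments produces) and incoming messages per remote IP (the "<=" lines). The log lines it runs over are constructed samples using documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): summarise extended-logging lines
# to find which web directory local "nobody" mail is injected from, and which
# remote hosts are sending the most. All log lines below are constructed
# samples in the format shown above (RFC 5737 documentation addresses).

SAMPLE_LOG='2003-06-27 14:06:18 cwd=/home/usersite/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:18 19W0QE-0001Nr-1b nobody@yourserversname.com from env-from rewritten as ""usersite.com" " by rule 1
2003-06-27 14:06:19 cwd=/home/othersite/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:20 cwd=/home/usersite/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:21 cwd=/home/usersite/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2003-06-27 14:06:22 19W0bO-0001cY-Ej <= sender@example.net H=(one) [192.0.2.10]:52087 I=[198.51.100.5]:25 P=smtp S=2387 T="Hello there" from sender@example.net
2003-06-27 14:06:25 19W0bP-0001cZ-Fk <= other@example.org H=[192.0.2.10]:52090 I=[198.51.100.5]:25 P=smtp S=1200 T="Second" from other@example.org'

# sendmail invocations per working directory (needs +arguments in
# log_selector). Output: "count directory", busiest first.
cwd_counts() {
    awk '/ cwd=.* args: .*sendmail/ {
             for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) n[substr($i, 5)]++
         }
         END { for (d in n) print n[d], d }' | sort -rn
}

# Incoming SMTP messages per remote host IP, taken from the H= part of "<="
# lines; the I= field is our own interface and is skipped. Output: "count ip".
remote_ip_counts() {
    awk '/ <= / {
             for (i = 1; i <= NF; i++)
                 if ($i !~ /^I=/ && $i ~ /\[[0-9.]+\]:[0-9]+$/) {
                     match($i, /\[[0-9.]+\]/)
                     n[substr($i, RSTART + 1, RLENGTH - 2)]++
                     break
                 }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Helpers over the constructed sample; on a live server pipe the real log in:
#   cwd_counts < /var/log/exim_mainlog
top_cwd() { printf '%s\n' "$SAMPLE_LOG" | cwd_counts | head -n 1; }
top_ip()  { printf '%s\n' "$SAMPLE_LOG" | remote_ip_counts | head -n 1; }

top_cwd
top_ip
```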

Let's begin!
Note to MailScanner users: you must also do this to exim_config, so repeat these steps for both: exim.conf and exim_outgoing.conf

1) Open exim.conf:
pico /etc/exim.conf

2) Find this (Ctrl + W to search): hostlist auth_relay_hosts = *

#######################################
# Runtime configuration file for Exim #
#######################################

3) After hostlist auth_relay_hosts = *, add the following:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

4) The final result should look like this

hostlist auth_relay_hosts = *

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

#######################################
# Runtime configuration file for Exim #
#######################################

5) Save and restart Exim. DONE!
Ctrl + X, then Y
/etc/init.d/exim restart

Now tail your log and watch the show!
tail -f /var/log/exim_mainlog

WARNING CPANEL USERS:
cPanel/WHM updates will override these changes. You can prevent cPanel from deleting your changes by doing the following:

chattr +i /etc/exim.conf

5.) If server load is high due to Exim

Execute on that server:

netstat -n | grep :25

You will see a bunch of connections with outgoing port 25.

ps auxww | grep -v httpd | grep -v root | grep -v mysql

You will see a bunch of processes (usually perl) executed by one user. As it takes some time to connect to a remote system and send a message, those scripts hang around in memory and are easy to observe.

In Tweak Settings, enable:

-->Prevent "nobody" from sending mail
-->The maximum number of mails that can be sent out by a domain - 100
-->Track the origin of messages sent through the mail server by adding the X-Source headers (Exim 4.34+)

You can set up Exim so that all users have the same quota. Here is the way to give all system users the same quota (this goes in the transport section of the config file):

quota = 10M
quota_is_inclusive = false

If you'd like system users to have separate quotas, you can do it like this:

quota = ${lookup{$local_part}lsearch*{/etc/exim/quotafile}{$value}{10M}}

The contents of the quotafile would look something like this:

user1 10M
user2 35M
* 20M

To bounce mail immediately because of a quota violation, the following needs to be entered into the config file (this goes in the retry configuration section, above the all-errors rule):

* quota

6.) There is one local server some ISP has, and it was down for several days; the mails were all bounced, and now Exim doesn't accept any mail for this ISP server. Any mail sent to it generates "Retry time not reached for any host after a long failure period". How do I get rid of this problem?

This could be because your Exim databases are tainted with bad information. Try the following:

/usr/sbin/exim_tidydb -t 1d /var/spool/exim retry > /dev/null
/usr/sbin/exim_tidydb -t 1d /var/spool/exim reject > /dev/null
/usr/sbin/exim_tidydb -t 1d /var/spool/exim wait-remote_smtp > /dev/null

You may have to touch some files in order for the above to work with cPanel's install of Exim 4; simply complete the following:

touch /var/spool/exim/db/wait-remote_smtp.lockfile
touch /var/spool/exim/db/retry.lockfile
chown mailnull.mail /var/spool/exim/db/*
chmod 640 /var/spool/exim/db/*

You may want to cron the exim_tidydb commands to execute once a day. After you've executed those commands via the command line, clean out your queue with:

exim -v -qff &

7.) Limit the attachment size which Exim will accept from users. At times we have users sending 50MB attachments (I believe I have had this several times).
This should work fine:

message_size_limit = 10M
return_size_limit = 10K


Hope it will be helpful for you.

Kishore


