In this article we are going to go over how to quickly review the entire mail log for your VPS or dedicated server in order to find delivery failures that are occurring.
Email delivery failures can happen for a large number of reasons. For a more in-depth explanation of these types of issues, you can check out my article on why does email bounce?
In order to follow the steps below you’ll need root access to your server.
Locating email delivery failed messages
- Log in to your server via SSH as the root user.
- Run the following command to get a sorted report of the users with the highest amounts of delivery failures:
grep "for .*@.*" /var/log/exim_mainlog | grep "<= <>" | awk -F"T=" '{print $2}' |
awk '{print $NF,$0}' | awk -F" for" '{print $1}' | sort | uniq -c | sort -n
Code breakdown:
- grep "for .*@.*" /var/log/exim_mainlog
  Locate lines in the Exim mail log that include any variation of "for [email protected]".
- grep "<= <>"
  Locate lines that are being sent from a null sender, which indicates a bounce back.
- awk -F"T=" '{print $2}'
  Use the awk command with the field separator set to T=, which is the subject line in the mail log, then only print the 2nd column of data ($2).
- awk '{print $NF,$0}' | awk -F" for" '{print $1}'
  Use awk to print $NF, which is the very last column and holds the email address, followed by the whole line. Then run awk again with the field separator set to " for" and print out only the 1st column of data ($1); this strips the email user off of the end of the line.
- sort | uniq -c | sort -n
  Sort all of the data by the email users, then uniquely count them, and finally sort those counts from lowest to highest.
This will give you back data looking like this:
573 [email protected] "Mail delivery failed: returning message to sender
663 [email protected] "Mail delivery failed: returning message to sender
871 [email protected] "Mail delivery failed: returning message to sender
1282 [email protected] "Mail delivery failed: returning message to sender
Investigate cause of delivery failures
Now that you know one user in particular [email protected] had the most delivery errors, you can use the steps below to investigate the cause of these problems.
- Run the following command to find the latest delivery failure:
grep "Mail delivery failed:" /var/log/exim_mainlog | grep [email protected] | tail -1
This should give you back the full line from the Exim mail log that contains that error:
2013-01-16 14:45:34 1TvYvW-0006AC-ER <= <> R=1TvYvW-00069r-Au U=mailnull P=local S=2012 T="Mail delivery failed: returning message to sender" for [email protected]
- Copy the message ID following R=, so in this case it would be 1TvYvW-00069r-Au
- Using the message ID you copied, run the following command:
exigrep -I -l 1TvYvW-00069r-Au /var/log/exim_mainlog
This will display the full message transaction for the message that bounced:
2013-01-16 14:45:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TvYvW-00069r-Au
2013-01-16 14:45:34 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1TvYvW-00069r-Au
2013-01-16 14:45:34 1TvYvW-00069r-Au <= [email protected] H=localhost (secure103.inmotionhosting.com) [127.0.0.1]:40726 P=esmtpa A=courier_login:[email protected] S=1172 [email protected] T="Test" for [email protected]
2013-01-16 14:45:34 1TvYvW-00069r-Au ** [email protected] R=virtual_aliases: No Such User Here"
2013-01-16 14:45:34 1TvYvW-00069r-Au Completed
2013-01-16 14:45:34 1TvYvW-0006AC-ER <= <> R=1TvYvW-00069r-Au U=mailnull P=local S=2012 T="Mail delivery failed: returning message to sender" for [email protected]
2013-01-16 14:45:34 1TvYvW-0006AC-ER => help <[email protected]> R=virtual_user T=virtual_userdelivery
2013-01-16 14:45:34 1TvYvW-0006AC-ER Completed
So in this case we can see the reason the message bounced was ** [email protected] R=virtual_aliases: No Such User Here. Basically, [email protected] had tried to send a message to an email address that didn’t exist, so it bounced.
- You can repeat the same steps to investigate other bounces that user has been generating. Or an alternative method would be to directly look at the user’s mail with the following command:
grep "Mail delivery failed" /home/userna5/mail/example.com/help/{cur,new} -R
This gives back something like:
/home/userna5/mail/example.com/help/cur/1358366803.H952383P10133.ecbiz103.inmotionhosting.com,S=2120:2,:Subject: Mail delivery failed: returning message to sender
/home/userna5/mail/example.com/help/cur/1358366759.H640077P7532.ecbiz103.inmotionhosting.com,S=2115:2,:Subject: Mail delivery failed: returning message to sender
/home/userna5/mail/example.com/help/cur/1358365534.H479296P23705.ecbiz103.inmotionhosting.com,S=2107:2,:Subject: Mail delivery failed: returning message to sender
/home/userna5/mail/example.com/help/cur/1358366776.H336048P8578.ecbiz103.inmotionhosting.com,S=2123:2,:Subject: Mail delivery failed: returning message to sender
You can then read one of the bounce backs for further details with this command:
less /home/userna5/mail/example.com/help/cur/1358366776.H336048P8578.ecbiz103.inmotionhosting.com,S=2123:2,
When you’re done looking at the file, you can hit q to quit and get back to the command line.
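The manual steps above (find the bounce line, copy the ID after R=, look up the ** failure for that ID) can also be done in one pass over the log. The script below is an added example, not part of the original article; the function names, the sample addresses and the second message ID are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: pair each bounce in an Exim main log with the sender,
# failed recipient and failure text of the message that caused it.

# Constructed sample log modeled on the transaction shown above.
sample_log() {
cat <<'EOF'
2013-01-16 14:45:34 1TvYvW-00069r-Au <= help@example.com H=localhost [127.0.0.1]:40726 P=esmtpa S=1172 T="Test" for nobody@example.net
2013-01-16 14:45:34 1TvYvW-00069r-Au ** nobody@example.net R=virtual_aliases: No Such User Here
2013-01-16 14:45:34 1TvYvW-0006AC-ER <= <> R=1TvYvW-00069r-Au U=mailnull P=local S=2012 T="Mail delivery failed: returning message to sender" for help@example.com
2013-01-16 14:45:34 1TvYvW-0006AC-ER => help <help@example.com> R=virtual_user T=virtual_userdelivery
2013-01-16 15:02:10 1TvZBa-0006Zz-Qx <= sales@example.com H=localhost [127.0.0.1]:40811 P=esmtpa S=900 T="Hi" for ok@example.net
2013-01-16 15:02:11 1TvZBa-0006Zz-Qx => ok@example.net R=dnslookup T=remote_smtp
EOF
}

# bounce_report [LOGFILE]: one line per failed recipient of a bounced message.
# Reads the given file, or stdin when no file is given.
bounce_report() {
  awk '
    # Normal arrival: remember the envelope sender for this message ID.
    $4 == "<=" && $5 != "<>" { sender[$3] = $5 }
    # Permanent failure: remember the recipient and the router/reason text.
    $4 == "**" {
      reason = $0
      sub(/^[^*]*\*\* +[^ ]+ */, "", reason)
      n = ++fails[$3]
      rcpt[$3, n] = $5
      why[$3, n] = reason
    }
    # Bounce arrival: null sender, R= holds the ID of the message that failed.
    $4 == "<=" && $5 == "<>" && $6 ~ /^R=/ { bounced[++b] = substr($6, 3) }
    END {
      for (i = 1; i <= b; i++) {
        id = bounced[i]
        for (j = 1; j <= fails[id]; j++)
          printf "from:%s bounced:%s reason:%s\n", sender[id], rcpt[id, j], why[id, j]
      }
    }
  ' "$@"
}

# Demo on the sample; on a server run: bounce_report /var/log/exim_mainlog
sample_log | bounce_report
```

Piping the result through sort | uniq -c | sort -n gives the same kind of ranked report as the first command, but grouped by the address that failed and the reason.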
You should now understand how to locate users on your server that are generating a large amount of delivery failures, and also how to investigate those bounces to see the root cause of those issues.
I am looking for a way to identify the emails that are bouncing, not the accounts sending the message.
Is there a one-liner like that which would show bouncing emails?
For example a result returned like:
from:[email protected] sent and bounced: [email protected]
Thanks!
I’ve found a dozen messages not sent because of a “No user here” error.
I’ve fixed it by creating the user; but can I somehow resend the messages?
The messages were generated by a web-page contact form on the same domain, practically I see the errors on the WHM Mail Delivery Status; but I’m not sure how to resend them.
P.S. The messages are 1-2 days old.
Thanks for your time, and help.
Mr. Byte
Hello Mr. Byte,
Thank you for your question. If the form was sending the emails from PHP, it is possible there is a copy of the message on the server. If that is the case, you may be able to view them by logging into Webmail with your cPanel username and password.
If the contact form was attempting to send from the email account that was not created, then it most likely failed before hitting the server, and there will be no log available.
If you have any further questions, feel free to post them below.
Thank you,
-John-Paul