My First Dive into Mail Logs on a Linux Server (Alma Linux 9 & CentOS 7)

Introduction: My Journey Begins
Hi there! I'm currently working in a technical support role where I help customers solve common hosting and email issues. More complex server-level problems are usually escalated to the admins, but I'm on a mission to bridge that gap.
Recently, I took my first deep dive into email logs and Exim on AlmaLinux 9 and CentOS 7. This blog documents the key things I learned over a few intensive days of self-practice, study, and diagnosis.
Module 1: Understanding the Mail Flow
In the first stage of my journey, I learned that:
Emails are sent using Exim (the Mail Transfer Agent, or MTA)
Emails are received and stored via Dovecot (the Mail Delivery Agent, or MDA)
Mail logs are stored in:
/var/log/exim_mainlog
/var/log/maillog
If you're dealing with cPanel/WHM, these locations are very relevant for mail delivery troubleshooting.
Module 2: Reading Mail Queues and Logs
Once I understood the agents, I started exploring logs and queues using:
exim -bp # Shows the mail queue
exiqgrep -r user@domain.com # Filter queue by recipient
exim -Mvl <messageID> # View headers
exim -Mvb <messageID> # View message body
To tail real-time email logs:
tail -f /var/log/exim_mainlog
This is where the magic happens!
Module 3: Learning Mail Storage Types - Maildir vs. mdbox
I explored the two major types of email storage formats:
Maildir: Stores each message as a separate file under new/, cur/, tmp/
mbox/mdbox: Stores all emails in a single file (or batched files)
In Maildir:
cur/ = emails that have been read
new/ = unread emails
tmp/ = temporary area before an email is saved fully
Module 4: Deciphering Real Logs
I reviewed real logs, like this one:
2025-07-28 01:25:58.055 SMTP connection from [80.94.95.229]:45090
no host name found for IP address
list matching forced to fail
What I Understood:
If the hostname for the sender IP can't be resolved, Exim forces the RBL checks to fail (an anti-spam measure)
MAIL in SMTP connection line missing = email was not sent fully
=> user@domain.com = email delivered to the user
=> /dev/null = email discarded (used for filtering)
R=virtual_user T=virtual_userdelivery = email successfully routed to a mailbox
Log structure revealed a lot:
Timestamps
SMTP connection info
Message delivery status
Filters in action
These gave me insight into what happens behind the scenes when an email is received or bounced.
Bonus: Diagnosing a Real Customer Case
From a real customer interaction, I traced an email's journey using its Exim ID. Here's a breakdown:
Found a delivery failure from an IP due to its hostname not being found
Used grep to match the Exim ID and trace the mail path
Realized it failed at the RBL (blacklist) checks
This helped me understand why the email failed, and what logs to check when debugging.
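Tracing a message by its Exim ID (the grep approach from the customer case above) and spotting the log patterns from Module 4 can be done in one small parser. This is an added example, not code from the original post: it groups constructed exim_mainlog lines by message ID and classifies each line as arrival (<=), delivery (=>), discard (=> /dev/null), failure (**) or a failed reverse-DNS check. The sample log lines, addresses and message IDs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/exim_mainlog lines (not taken from a real server).
SAMPLE_LOG = """\
2025-07-28 01:25:58.055 SMTP connection from [192.0.2.10]:45090 (TCP/IP connection count = 1)
2025-07-28 01:25:58.310 no host name found for IP address 192.0.2.10
2025-07-28 01:25:59.002 H=[192.0.2.10] rejected RCPT <user@domain.com>: list matching forced to fail
2025-07-28 01:26:03.120 1aBcDe-000123-Fg <= sender@example.net H=mail.example.net [198.51.100.7] P=esmtp S=2048
2025-07-28 01:26:04.001 1aBcDe-000123-Fg => user@domain.com R=virtual_user T=virtual_userdelivery
2025-07-28 01:27:10.500 1aBcDe-000124-Hj <= news@example.org H=lists.example.org [198.51.100.9] P=esmtp S=512
2025-07-28 01:27:10.900 1aBcDe-000124-Hj => /dev/null <user@domain.com> R=virtual_user_filter T=**bypassed**
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?"   # optional .mmm when milliseconds are logged
MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"  # Exim's 16-character message ID
LINE_RE = re.compile(r"^(?P<ts>" + TS + r") (?:(?P<id>" + MSG_ID + r") )?(?P<rest>.*)$")

def classify(rest):
    """Map the text after the message ID to the event types discussed in the post."""
    if rest.startswith("<= "):
        return "arrived"          # message accepted from a sender
    if rest.startswith("=> /dev/null"):
        return "discarded"        # a filter delivered the message to /dev/null
    if rest.startswith("=> "):
        return "delivered"        # R=router T=transport follow on the line
    if rest.startswith("** "):
        return "failed"           # permanent delivery failure (bounce)
    if "no host name found" in rest or "forced to fail" in rest:
        return "dns-check"        # reverse DNS failed, so the host-list check could not run
    return "other"

def trace(log_text):
    """Group log lines by Exim message ID; lines without an ID go under 'no-id'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["id"] or "no-id"].append((m["ts"], classify(m["rest"]), m["rest"]))
    return dict(events)

def status_of(events, msg_id):
    """Final outcome of one message: failed, discarded, delivered or unknown."""
    kinds = {e for _, e, _ in events.get(msg_id, [])}
    for k in ("failed", "discarded", "delivered"):
        if k in kinds:
            return k
    return "unknown"
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog and call status_of(trace(text), "<messageID>") for the ID you are chasing.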
About Me
I'm a technical support engineer working directly with customers. Curious and eager to learn, I'm focusing on server administration, especially around email systems, logs, security, and automation.
My goal: become the go-to person for diagnosing issues without escalating.
Useful Commands for Starters
exim -bp # Check mail queue
exiqgrep -r user@domain.com # Filter by recipient
exiqgrep -f sender@domain.com # Filter by sender
exim -Mvl <msg-id> # View headers
exim -Mvb <msg-id> # View body
exim -Mrm <msg-id> # Remove from queue
Final Thoughts
This is just the beginning of my path "off the box": diving deep into the core of Linux servers. Email logging may seem scary, but it's pure logic, and every log is a breadcrumb.
If you're like me and want to move from basic support to backend pro, just follow the logs.
If you found this helpful, follow me on LinkedIn and stay tuned for Part 2: Administering DNS in the Command Line.