Don't let the look scare you, it's all the same stuff. Just use CTRL + F like always. You got this!

E-Mail / Exim

Exim is an open source mail transfer agent (MTA), which is a program responsible for receiving, routing, and delivering e-mail messages (this type of program is sometimes referred to as an "internet mailer", or a "mail server program").

 Important

You must perform the first procedure below, Point your domain to your hosting account, before you add DNS records by using any of the other procedures in this article.

After you make all of these changes at Hostgator, your domain will be set up to work with Microsoft services.

 Note

Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see Find and fix issues after adding your domain or DNS records.

Point your domain to your hosting account

 Important

You must perform this procedure before you perform any of the other procedures in this article.

Follow these steps to associate your domain and hosting accounts.

  1. To get started, go to your domain management page at Hostgator. You'll be prompted to log in.

  2. Select Domains on the left.

  3. On the Manage Domains page, select the domain you want to update.

  4. On the pop-out menu on the left, select Name Servers.

  5. On the Name Servers page for your domain, in the Automatically point this domain to my hosting account drop-down list, choose the hosting account that is associated with your domain.

  6. Select Save Name Servers.

Add a TXT record for verification

 Important

Before you perform this procedure, you must first perform the procedure in the first section of this article, Point your domain to your hosting account.

Before you use your domain with Microsoft, we have to make sure that you own it. Your ability to log in to your account at your domain registrar and create the DNS record proves to Microsoft that you own the domain.

 Note

This record is used only to verify that you own your domain; it doesn't affect anything else. You can delete it later, if you like.

  1. To get started, go to your cPanel page at Hostgator. You'll be prompted to log in first.

    (Each hosted account at Hostgator is assigned a unique cPanel address. Your cPanel address should look like this: https://YourSiteAddress:secure-port-number. The sign-up email you received from Hostgator will specify that address, and a cPanel link is also available on the Hosting page.)

     Important

    To have a cPanel associated with your domain, you need a hosting account with Hostgator. To get started with Microsoft, you can either purchase a hosting account from Hostgator or redelegate your nameservers to point to Microsoft.

  2. On the Control Panel page, in the Domains area, select Advanced Zone Editor.

  3. On the Advanced Zone Editor page, in the Add a Record area, in the boxes for the new record, type or copy and paste the values from the following table.

    (Choose the Type value from the drop-down list.)

    TABLE 1

    Name:      domain_name.  (for example, fourthcoffee.com.)  This value MUST end with a period (.)
    TTL:       1
    Type:      TXT
    TXT Data:  MS=msXXXXXXXX

    Note: This is an example. Use your specific Destination or Points to Address value here, from the table shown in the Microsoft admin center.
  4. Select Add Record.

  5. Wait a few minutes before you continue, so that the record you just created can update across the Internet.

Now that you've added the record at your domain registrar's site, you'll go back to Microsoft and request the record.

When Microsoft finds the correct TXT record, your domain is verified.

  1. In the admin center, go to the Settings > Domains page.

  2. On the Domains page, select the domain that you are verifying.

  3. On the Setup page, select Start setup.

  4. On the Verify domain page, select Verify.

 Note

Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see Find and fix issues after adding your domain or DNS records.

Add an MX record so email for your domain will come to Microsoft

 Important

Before you perform this procedure, you must first perform the procedure in the first section of this article, Point your domain to your hosting account.

  1. To get started, go to your cPanel page at Hostgator. You'll be prompted to log in first.

    (Each hosted account at Hostgator is assigned a unique cPanel address. Your cPanel address should look like this: https://YourSiteAddress:secure-port-number. The sign-up email you received from Hostgator will specify that address, and a cPanel link is also available on the Hosting page.)

     Important

    To have a cPanel associated with your domain, you need a hosting account with Hostgator. To get started with Microsoft, you can either purchase a hosting account from Hostgator or redelegate your nameservers to point to Microsoft.

  2. On the Control Panel page, in the Email area, select MX Entry.

  3. In the Email Routing area, select Remote Mail Exchanger.

  4. Select Change.

  5. In the Add a New Record area, in the boxes for the new record, type or copy and paste the values from the following table.

    TABLE 2

    Priority:     0  (for more information about priority, see What is MX priority?)
    Destination:  <domain-key>.mail.protection.outlook.com

    Note: Get your <domain-key> from your Microsoft account.
  6. Select Add New Record.

  7. If there are any other MX records in the MX Records section, remove each of them.

Add the six CNAME records that are required for Microsoft

 Important

Before you perform this procedure, you must first perform the procedure in the first section of this article, Point your domain to your hosting account.

  1. To get started, go to your cPanel page at Hostgator. You'll be prompted to log in first.

    (Each hosted account at Hostgator is assigned a unique cPanel address. Your cPanel address should look like this: https://YourSiteAddress:secure-port-number. The sign-up email you received from Hostgator will specify that address, and a cPanel link is also available on the Hosting page.)

     Important

    To have a cPanel associated with your domain, you need a hosting account with Hostgator. To get started with Microsoft, you can either purchase a hosting account from Hostgator or redelegate your nameservers to point to Microsoft.

  2. On the Control Panel page, in the Domains area, select Advanced Zone Editor.

  3. Add the first of the six CNAME records.

    On the Advanced Zone Editor page, in the Add a Record area, in the boxes for the new record, type or copy and paste the values from the first row in the following table.

    (Choose the Type value from the drop-down list.)

    TABLE 3

    Every Name value MUST end with a period (.); domain_name stands for your own domain, for example autodiscover.fourthcoffee.com. for the first row.

    Name                                 TTL   Type   Target
    autodiscover.domain_name.            3600  CNAME  autodiscover.outlook.com
    sip.domain_name.                     3600  CNAME  sipdir.online.lync.com
    lyncdiscover.domain_name.            3600  CNAME  webdir.online.lync.com
    enterpriseregistration.domain_name.  3600  CNAME  enterpriseregistration.windows.net
    enterpriseenrollment.domain_name.    3600  CNAME  enterpriseenrollment-s.manage.microsoft.com
  4. Select Add Record.

  5. Add each of the other five CNAME records.

    In the Add a Record section, create a record by using the values from the next row in the table, and then again select Add Record to complete that record.

    Repeat this process until you have created all six CNAME records.

Add a TXT record for SPF to help prevent email spam

 Important

You cannot have more than one TXT record for SPF for a domain. If your domain has more than one SPF record, you'll get email errors, as well as delivery and spam classification issues. If you already have an SPF record for your domain, don't create a new one for Microsoft. Instead, add the required Microsoft values to the current record so that you have a single SPF record that includes both sets of values. Need examples? Check out these External Domain Name System records for Microsoft. To validate your SPF record, you can use one of these SPF validation tools.

 Important

Before you perform this procedure, you must first perform the procedure in the first section of this article, Point your domain to your hosting account.

  1. To get started, go to your cPanel page at Hostgator. You'll be prompted to log in first.

    (Each hosted account at Hostgator is assigned a unique cPanel address. Your cPanel address should look like this: https://YourSiteAddress:secure-port-number. The sign-up email you received from Hostgator will specify that address, and a cPanel link is also available on the Hosting page.)

     Important

    To have a cPanel associated with your domain, you need a hosting account with Hostgator. To get started with Microsoft, you can either purchase a hosting account from Hostgator or redelegate your nameservers to point to Microsoft.

  2. On the Control Panel page, in the Domains area, select Advanced Zone Editor.

  3. On the Advanced Zone Editor page, in the Add a Record area, in the boxes for the new record, type or copy and paste the values from the following table.

    (Choose the Type value from the drop-down list.)

    TABLE 4

    Name:      domain_name.  (for example, fourthcoffee.com.)  This value MUST end with a period (.)
    TTL:       3600
    Type:      TXT
    TXT Data:  v=spf1 include:spf.protection.outlook.com -all

    Note: We recommend copying and pasting this entry, so that all of the spacing stays correct.
  4. Select Add Record.

Add the two SRV records that are required for Microsoft

 Important

Before you perform this procedure, you must first perform the procedure in the first section of this article, Point your domain to your hosting account.

  1. To get started, go to your cPanel page at Hostgator. You'll be prompted to log in first.

    (Each hosted account at Hostgator is assigned a unique cPanel address. Your cPanel address should look like this: https://YourSiteAddress:secure-port-number. The sign-up email you received from Hostgator will specify that address, and a cPanel link is also available on the Hosting page.)

     Important

    To have a cPanel associated with your domain, you need a hosting account with Hostgator. To get started with Microsoft, you can either purchase a hosting account from Hostgator or redelegate your nameservers to point to Microsoft.

  2. On the Control Panel page, in the Domains area, select Advanced Zone Editor.

  3. Add the first of the two SRV records.

    On the Advanced Zone Editor page, in the Add a Record area, in the boxes for the new record, type or copy and paste the values from the first row in the following table.

    (Choose the Type value from the drop-down list.)

    TABLE 5

    Every Name value MUST end with a period (.); domain_name stands for your own domain, for example _sip._tls.fourthcoffee.com. for the first row.

    Name                                 TTL   Type  Priority  Weight  Port  Target
    _sip._tls.domain_name.               3600  SRV   100       1       443   sipdir.online.lync.com
    _sipfederationtls._tcp.domain_name.  3600  SRV   100       1       5061  sipfed.online.lync.com
  4. Select Add Record.

  5. Add the other SRV record.

    In the Add a Record section, create a record by using the values from the next row in the table, and then again select Add Record to complete that record.

 Note

Typically it takes about 15 minutes for DNS changes to take effect. However, it can occasionally take longer for a change you've made to update across the Internet's DNS system. If you're having trouble with mail flow or other issues after adding DNS records, see Find and fix issues after adding your domain or DNS records.
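Once the records above have had time to propagate, it pays to check the whole set in one go rather than eyeballing the zone editor, and the one mistake the SPF section warns about (two SPF records) is easy to make by hand. The script below is an added example and is not code from the original page, from Microsoft or from Hostgator. It takes a snapshot of the zone as a plain dict (what you would assemble from dig output) and lists what is missing or stale; merge_spf() folds the Microsoft include into an SPF record you already have instead of adding a second one. The domain key "fourthcoffee-com" and every record in SAMPLE_ZONE are constructed for illustration; use the values from your own Microsoft admin center.

```python
"""Offline check of the DNS records the procedures above ask you to create.

Added example, not code from the original page, Microsoft or Hostgator.
The domain key and SAMPLE_ZONE below are constructed for illustration.
"""
import re

MS_INCLUDE = "include:spf.protection.outlook.com"
ALL_RE = re.compile(r"[+\-~?]?all", re.IGNORECASE)  # the terminating SPF mechanism


def _norm(name):
    return name.lower().rstrip(".")


def expected_records(domain, domain_key):
    """Tables 2, 3 and 5 above; the verification TXT (Table 1) may be deleted later."""
    d = _norm(domain)
    return {
        "MX": f"{domain_key}.mail.protection.outlook.com",
        "CNAME": {f"autodiscover.{d}": "autodiscover.outlook.com",
                  f"sip.{d}": "sipdir.online.lync.com",
                  f"lyncdiscover.{d}": "webdir.online.lync.com",
                  f"enterpriseregistration.{d}": "enterpriseregistration.windows.net",
                  f"enterpriseenrollment.{d}": "enterpriseenrollment-s.manage.microsoft.com"},
        "SRV": {f"_sip._tls.{d}": (100, 1, 443, "sipdir.online.lync.com"),
                f"_sipfederationtls._tcp.{d}": (100, 1, 5061, "sipfed.online.lync.com")},
    }


def merge_spf(existing, include=MS_INCLUDE):
    """Add `include` to an existing SPF record (or build a new one), keeping "all" last."""
    terms = existing.split()
    if not terms:
        return f"v=spf1 {include} -all"
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + existing)
    if include in terms:
        return existing
    for i, t in enumerate(terms):
        if ALL_RE.fullmatch(t):
            return " ".join(terms[:i] + [include] + terms[i:])
    return " ".join(terms + [include, "-all"])


def check_zone(zone, domain, domain_key):
    """zone: {name: [(type, value), ...]}; returns a list of problems (empty = all good).

    Values are MX (priority, target), SRV (priority, weight, port, target), else a string.
    """
    z = {_norm(n): rrs for n, rrs in zone.items()}
    d, exp, problems = _norm(domain), expected_records(domain, domain_key), []
    apex = z.get(d, [])

    # MX: the Microsoft host must be there and nothing else may remain (MX step 7).
    mx = [(v[0], _norm(v[1])) for rt, v in apex if rt == "MX"]
    if exp["MX"] not in [t for _, t in mx]:
        problems.append(f"MX for {d} does not point to {exp['MX']}")
    problems += [f"stale MX {t} (priority {p}) should be removed" for p, t in mx if t != exp["MX"]]

    # SPF: exactly one v=spf1 TXT, containing the Microsoft include, ending in an "all".
    spf = [v for rt, v in apex if rt == "TXT" and v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"{d} has {len(spf)} SPF records; there must be exactly one")
    for rec in spf:
        if MS_INCLUDE not in rec.split():
            problems.append(f"SPF record lacks {MS_INCLUDE}: {rec}")
        if not ALL_RE.fullmatch(rec.split()[-1]):
            problems.append(f"SPF record must end with an 'all' mechanism: {rec}")

    for name, target in exp["CNAME"].items():
        got = [_norm(v) for rt, v in z.get(name, []) if rt == "CNAME"]
        if target not in got:
            problems.append(f"CNAME {name} -> {target} missing (found {got or 'nothing'})")
    for name, want in exp["SRV"].items():
        got = [(v[0], v[1], v[2], _norm(v[3])) for rt, v in z.get(name, []) if rt == "SRV"]
        if want not in got:
            problems.append(f"SRV {name} {' '.join(map(str, want))} missing")
    return problems


SAMPLE_ZONE = {  # constructed: the old provider's MX is still there and SPF is not merged yet
    "fourthcoffee.com.": [("MX", (0, "fourthcoffee-com.mail.protection.outlook.com.")),
                          ("MX", (10, "mail.fourthcoffee.com.")),
                          ("TXT", "v=spf1 a mx -all"), ("TXT", "MS=ms12345678")],
    "autodiscover.fourthcoffee.com.": [("CNAME", "autodiscover.outlook.com.")],
    "sip.fourthcoffee.com.": [("CNAME", "sipdir.online.lync.com.")],
    "lyncdiscover.fourthcoffee.com.": [("CNAME", "webdir.online.lync.com.")],
    "enterpriseregistration.fourthcoffee.com.": [("CNAME", "enterpriseregistration.windows.net.")],
    "enterpriseenrollment.fourthcoffee.com.": [("CNAME", "enterpriseenrollment-s.manage.microsoft.com.")],
    "_sip._tls.fourthcoffee.com.": [("SRV", (100, 1, 443, "sipdir.online.lync.com."))],
    "_sipfederationtls._tcp.fourthcoffee.com.": [("SRV", (100, 1, 5061, "sipfed.online.lync.com."))],
}

if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE, "fourthcoffee.com", "fourthcoffee-com"):
        print("PROBLEM:", p)
    print("merged SPF:", merge_spf("v=spf1 a mx -all"))
```

Run against SAMPLE_ZONE it reports the leftover MX and the SPF record that still lacks the Microsoft include; names and targets are compared case-insensitively and with or without the trailing period, so a record typed with the period the zone editor requires compares equal to what dig prints.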

Reading and Understanding the Exim Log

Every line of the main log (/var/log/exim_mainlog on cPanel servers) starts with a date and time. Lines about a particular message then carry the message ID, followed by one of these flags:

<=   Arrival of a message (accepted by Exim, from a remote server or from a local process)

=>   Normal message delivery

->   Additional address for the same delivery, i.e. an email forwarder

>>   Cutthrough delivery (the message was passed straight on to the next host while it was still being received)

*>   Delivery suppressed by -N

**   Delivery failed; address bounced

==   Delivery deferred; temporary problem

<>   For "<>", from the Exim manual: the address immediately following "<=" is the envelope sender address. A bounce message is shown with the sender address "<>", and if it is locally generated, this is followed by an item of the form
     R=<message id>
     naming the message that caused the bounce.

You will also find tagged entries like the following in the main log:

R=
On a "<=" line for a locally generated bounce, R=<message id> is the message that caused the bounce (see "<>" above). On "=>", "**" and "==" lines, R= is the name of the router that handled the address, for example R=dkim_lookuphost.

T=
On delivery lines, the transport used to deliver the message. Example:
T=remote_smtp
T=local_delivery
On "<=" lines, T="..." is the Subject of the message (logged when the subject log selector is enabled, as it is on cPanel servers).

H=
The host the message came from (or, on "=>" lines, was handed to): host name, the name it gave in HELO/EHLO in parentheses, and its IP address and port in square brackets. Examples:
H=localhost (10.5.40.204) [127.0.0.1]:39753
H=mail.fictional.example [192.168.123.123] U=exim

U=
The local user (or RFC 1413 ident) that submitted the message, for example U=exim in the second H= example above.

I=
The local interface on which the mail was received, followed by a colon and the port number, for example I=[127.0.0.1]:25.

P=
On a "<=" line, the protocol by which the message was received, for example P=esmtpa (ESMTP with SMTP AUTH) or P=local (handed to Exim locally, e.g. via sendmail). On delivery and bounce lines it is the return_path_on_delivery item: the return path that is being transmitted with the message, logged when that log selector is set. This is omitted if no delivery actually happens, for example, if routing fails, or if delivery is to /dev/null or to :blackhole:.

A=
If A= is present, SMTP AUTH was used. The value is the authenticator name and, after a colon, the identity that authenticated, for example A=courier_login:test@domain.com.

S=
The size of the message in bytes.

M8S=
8bitmime: this causes Exim to log any 8BITMIME status of received messages, which may help in tracking down interoperability issues with ancient MTAs that are not 8bit clean. It is added to the "<=" line, tagged with M8S= and a value of 0, 7 or 8, corresponding to "not given", 7BIT and 8BITMIME respectively.

id=
The incoming message's Message-ID header.

for
On "<=" lines, the envelope recipient(s) the message is addressed to (logged when the received_recipients log selector is set). The envelope sender is the address right after "<=".

Reading a Successful Transaction

Let's start picking apart a successful transaction. Below is the main log for a message that was delivered successfully (IP addresses have been masked with ***):

2013-03-10 15:52:00 SMTP connection from [127.0.0.1]:35405 (TCP/IP connection count = 1)
2013-03-10 15:52:00 SMTP connection identification H=localhost A=127.0.0.1 P=35405 U=USER ID=1195 S=USER B=identify_local_connection
2013-03-10 15:52:00 1UEcvA-0004yA-9K <= test@domain.com H=localhost.localdomain ([***.***.***.***]) [127.0.0.1]:35405 P=esmtpa A=courier_login:test@domain.com S=805 id=f008291981178ae1333d69e68cd2e676.squirrel@***.* **.***.***T="Test email from support department to yahoo.com" for supp0rt_test@reciever.com
2013-03-10 15:52:00 SMTP connection from localhost.localdomain ([***.***.***.***]) [127.0.0.1]:35405 closed by QUIT
2013-03-10 15:52:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UEcvA-0004yA-9K
2013-03-10 15:52:00 1UEcvA-0004yA-9K SMTP connection outbound 1362909120 1UEcvA-0004yA-9K domain.com supp0rt_test@reciever.com
2013-03-10 15:52:01 1UEcvA-0004yA-9K => supp0rt_test@reciever.com R=dkim_lookuphost T=dkim_remote_smtp H=mta5.am0.yahoodns.net [***.***.***.***]
2013-03-10 15:52:01 1UEcvA-0004yA-9K Completed

Line 1:

An SMTP connection was opened to Exim from [127.0.0.1]:35405. The source is the server itself (127.0.0.1), which is what you see for outgoing mail submitted by webmail or a local script; for inbound mail it is the remote server's IP. "TCP/IP connection count = 1" is the number of SMTP connections open at that moment.

Line 2:

A cPanel-specific "SMTP connection identification" line (B=identify_local_connection) that ties the loopback connection back to the local account that opened it (U= and ID=). Note that on this line A= and P= are the client's IP address and source port (compare port 35405 on line 1), not the authenticator and protocol tags described above.

Line 3:

The message was accepted. The message ID (1UEcvA-0004yA-9K) follows the timestamp, and "<=" means Exim received the message; here it is outgoing mail from the local account test@domain.com. H= is the host it came from (localhost.localdomain, with its HELO name and IP), P=esmtpa shows it arrived over ESMTP with SMTP authentication, and A=courier_login:test@domain.com names the authenticator and the mailbox that logged in. S=805 is the size in bytes, id= is the Message-ID header (the "squirrel" part shows it was composed in SquirrelMail webmail), T= is the subject, and "for" gives the recipient, supp0rt_test@reciever.com.

Line 4:

The SMTP connection from the email client was closed by QUIT.

Line 5:

Exim started a delivery process for the queued message (exim -Mc <message-id>) from its spool directory, /var/spool/exim, where the message sits while it waits for delivery.

Line 6:

An outbound SMTP connection is opened to the recipient's mail server (connection establishment).

Line 7:

"=>" is the delivery: the recipient address, the router that handled it (R=dkim_lookuphost), the transport used (T=dkim_remote_smtp, cPanel's DKIM-signing remote SMTP transport) and H=, the remote mail server that accepted the message (mta5.am0.yahoodns.net, one of Yahoo's MX hosts).

Line 8:

Completed means every delivery for this message is finished and it has been removed from the queue.
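Reading these lines by eye works for one message; for a busy server you want the same fields pulled out by a script. The parser below is an added example and is not code from the original page or from the Exim project. It turns each flagged line into the flag, address and tags described in the legend above (H= with its HELO name, IP and port; a quoted T="..." subject kept as one value; the "for" recipients; free text such as a defer reason kept as a note) and then groups the lines by message ID into one summary per message. SAMPLE_LOG is constructed to mirror the transaction above, with documentation IPs in place of the masked ones, plus a second message that is deferred, bounced and answered by a locally generated bounce ("<= <> R=..."); the dkim_* router and transport names are cPanel's, as in the page's own extract.

```python
"""Parse Exim main-log lines into the flag and tag fields described above.

Added example, not code from the original page or from the Exim project.
SAMPLE_LOG is constructed (documentation IPs, cPanel-style router/transport names).
"""
import re

FLAGS = {"<=": "arrived", "=>": "delivered", "->": "extra address", ">>": "cutthrough",
         "*>": "suppressed (-N)", "**": "bounced", "==": "deferred"}
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<flag><=|=>|->|>>|\*>|\*\*|==) (?P<addr>\S+)(?P<rest>.*)$")
COMPLETED_RE = re.compile(r"^\S+ \S+ (?P<id>\S{6}-\S{6}-\S\S) Completed$")
TOKEN_RE = re.compile(r'(?:[A-Za-z0-9]+=)?"(?:[^"\\]|\\.)*"|\S+')  # T="a b c" is one token
TAG_RE = re.compile(r"([A-Za-z0-9]+)=(.*)", re.S)

SAMPLE_LOG = [  # constructed
    '2013-03-10 15:52:00 SMTP connection from [127.0.0.1]:35405 (TCP/IP connection count = 1)',
    '2013-03-10 15:52:00 1UEcvA-0004yA-9K <= test@domain.com H=localhost.localdomain (203.0.113.5) '
    '[127.0.0.1]:35405 P=esmtpa A=courier_login:test@domain.com S=805 id=f008@203.0.113.5 '
    'T="Test email from support department to yahoo.com" for supp0rt_test@reciever.com',
    '2013-03-10 15:52:01 1UEcvA-0004yA-9K => supp0rt_test@reciever.com R=dkim_lookuphost '
    'T=dkim_remote_smtp H=mta5.am0.yahoodns.net [198.51.100.7]',
    '2013-03-10 15:52:01 1UEcvA-0004yA-9K Completed',
    '2013-03-10 16:05:00 1UEd7k-00051c-Ab <= alice@domain.com H=localhost.localdomain (203.0.113.5) '
    '[127.0.0.1]:35901 P=esmtpa A=courier_login:alice@domain.com S=1402 id=abc@203.0.113.5 '
    'T="Quarterly report for finance" for bob@example.org',
    '2013-03-10 16:05:02 1UEd7k-00051c-Ab == bob@example.org R=dkim_lookuphost T=dkim_remote_smtp '
    'defer (-44): SMTP error from remote mail server after RCPT TO:<bob@example.org>: '
    'host mx.example.org [198.51.100.9]: 451 4.7.1 try later',
    '2013-03-12 16:05:02 1UEd7k-00051c-Ab ** bob@example.org R=dkim_lookuphost T=dkim_remote_smtp: '
    'retry timeout exceeded',
    '2013-03-12 16:05:02 1UEe9q-0007Zz-Qr <= <> R=1UEd7k-00051c-Ab U=mailnull P=local S=2710 '
    'T="Mail delivery failed: returning message to sender" for alice@domain.com',
    '2013-03-12 16:05:02 1UEd7k-00051c-Ab Completed',
]


def parse_line(line):
    """One flagged line (<=, =>, ==, ...) -> dict; None for connection/queue-runner lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "id": m["id"], "flag": m["flag"], "event": FLAGS[m["flag"]],
           "address": m["addr"], "tags": {}, "recipients": [], "note": ""}
    tokens, note, i = TOKEN_RE.findall(m["rest"]), [], 0
    while i < len(tokens):
        tok, kv = tokens[i], TAG_RE.fullmatch(tokens[i])
        if tok == "for":                        # envelope recipients close a "<=" line
            rec["recipients"] = tokens[i + 1:]
            break
        if not kv:
            note.append(tok)                    # free text, e.g. "defer (-44): SMTP error ..."
        elif kv[1] == "H":                      # H=host (helo-name) [ip]:port
            host = {"host": kv[2]}
            if i + 1 < len(tokens) and tokens[i + 1].startswith("("):
                i += 1
                host["helo"] = tokens[i].strip("()")
            if i + 1 < len(tokens) and tokens[i + 1].startswith("["):
                i += 1
                ip, _, port = tokens[i].partition("]:")
                host["ip"], host["port"] = ip.strip("[]"), int(port) if port else None
            rec["tags"]["H"] = host
        elif kv[2].startswith('"'):
            rec["tags"][kv[1]] = kv[2].strip('"')   # quoted subject
        else:
            rec["tags"][kv[1]] = kv[2].rstrip(":")  # "T=remote_smtp: retry timeout exceeded"
        i += 1
    rec["note"] = " ".join(note)
    return rec


def _new(mid):
    return {"id": mid, "sender": None, "recipients": [], "auth": None, "protocol": None,
            "subject": None, "size": None, "bounce_of": None, "deliveries": [], "completed": False}


def summarize(lines):
    """Group the lines by message ID: one record per message, the way a human reads the log."""
    msgs = {}
    for line in lines:
        done = COMPLETED_RE.match(line)
        if done:
            msgs.setdefault(done["id"], _new(done["id"]))["completed"] = True
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        msg, t = msgs.setdefault(rec["id"], _new(rec["id"])), rec["tags"]
        if rec["flag"] == "<=":
            msg.update(sender=rec["address"], recipients=rec["recipients"], auth=t.get("A"),
                       protocol=t.get("P"), subject=t.get("T"),
                       size=int(t["S"]) if "S" in t else None,
                       bounce_of=t.get("R") if rec["address"] == "<>" else None)
        else:
            msg["deliveries"].append({"event": rec["event"], "address": rec["address"],
                                      "router": t.get("R"), "transport": t.get("T"),
                                      "host": t.get("H", {}).get("host"), "note": rec["note"]})
    return msgs


if __name__ == "__main__":
    for msg in summarize(SAMPLE_LOG).values():
        print(msg["id"], msg["sender"] or "<>", "->", msg["recipients"],
              [d["event"] for d in msg["deliveries"]], "completed" if msg["completed"] else "queued")
```

Two details are worth noticing: T= means the transport on delivery lines but the subject on "<=" lines, so the meaning is decided by the flag, and "for" is only honoured as a whole token, so a subject that happens to contain the word "for" (as in the second sample message) is not mistaken for the recipient list.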

Managing the Mail Queue

To print a list of the messages in the queue, enter:

exim -bp

Start a Queue Run

exim -q -v

Start a Queue Run for Local Deliveries

exim -ql -v

Freeze A Single message in the queue

exim -Mf <message-id>

Thaw a Message to send

exim -Mt <message-id>

Deliver a message, whether it's frozen or not, whether the retry time has been reached or not:

exim -M <message-id>

Deliver a message, but only if the retry time has been reached

exim -Mc <message-id>

Force a message to fail and bounce as "cancelled by administrator"

exim -Mg <message-id>

Search the queue for messages from a specific sender. Note that the -f and -r arguments are Perl regular expressions, not plain strings: escape the dots (user@example\.com) or you will also match look-alike addresses.

exiqgrep -f [luser]@domain

Search the queue for messages for a specific recipient/domain

exiqgrep -r [luser]@domain

Print messages older than the specified number of seconds. For example, messages older than 1 day

exiqgrep -o 86400

Print messages that are younger than the specified number of seconds. For example, messages less than an hour old

exiqgrep -y 3600

View a message's headers

exim -Mvh <message-id>

View a message's body

exim -Mvb <message-id>

View a message's log

exim -Mvl <message-id>

Add a recipient to a message

exim -Mar <message-id> <address>

Edit the sender of a message

exim -Mes <message-id> <address>

To remove all messages from the queue, enter:

exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

OR a slightly cleaner command (exiqgrep runs exim -bp itself, so nothing is piped into it):

exiqgrep -i | xargs exim -Mrm

Delete email for a particular user from the mail server queue

exiqgrep -i -r email@domain.com | xargs exim -Mrm

Delete mail older than X seconds

(Below is 5 days: 86400 seconds in a day x 5 days = 432000)

exiqgrep -i -o 432000 | xargs exim -Mrm

Remove ALL frozen messages from the queue

exiqgrep -iz | xargs exim -Mrm

Delete all messages that are from sender@example.com. exim -Mrm takes the message IDs as arguments, not on standard input, so the IDs have to go through xargs:

exiqgrep -i -f sender@example.com | xargs exim -Mrm

You can add -v to the exim command in order to get more verbose output:

exiqgrep -i -f sender@example.com | xargs exim -v -Mrm

You can do it a slightly different way where you generate a bounce message for each item. This emphasizes to the end user how much harm their compromised mailbox has been causing:

exiqgrep -i -f sender@example.com | xargs exim -Mg
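The one-liners above all start from the same place, the exim -bp listing, and the shape of that listing is what the awk regex and exiqgrep rely on. As an added example (not code from the original page or from Exim), the script below parses a constructed listing in that format (age, size, message ID and envelope sender on the first line, "*** frozen ***" at the end of it when frozen, then one recipient per line with "D" marking ones already delivered) and then selects message IDs the way exiqgrep's -f, -r, -o, -y and -z do, counts senders like the "top 5 senders" pipeline further down, and builds the exim -Mrm argument list without running it, so you can look at what would be removed first.

```python
"""Parse `exim -bp` output and pick message IDs the way the one-liners above do.

Added example, not code from the original page or from Exim.
QUEUE_LISTING is constructed in the format exim -bp prints.
"""
import re
from collections import Counter

QUEUE_LISTING = """\
 3h  1.2K 1UEcvA-0004yA-9K <spammer@domain.com>
          victim1@example.org
          victim2@example.org

25m  4.1K 1UEd7k-00051c-Ab <alice@domain.com>
        D bob@example.org
          carol@example.org

 2d   13K 1UEe9q-0007Zz-Qr <> *** frozen ***
          alice@domain.com

1d2h  980 1UEf1a-00089x-Zz <spammer@domain.com>
          victim3@example.org
"""

HEADER_RE = re.compile(
    r"^\s*(?P<age>\S+)\s+(?P<size>\S+)\s+(?P<id>\S{6}-\S{6}-\S\S)\s+"
    r"(?:\((?P<login>[^)]*)\)\s+)?<(?P<sender>[^>]*)>(?P<frozen>\s+\*\*\* frozen \*\*\*)?\s*$")
RCPT_RE = re.compile(r"^\s+(?P<done>D\s+)?(?P<addr>\S+)\s*$")
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def age_seconds(text):
    """'1d2h' -> 93600; exim prints time on queue in w/d/h/m/s units."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text))


def size_bytes(text):
    m = re.fullmatch(r"([\d.]+)([KMG]?)", text)
    return int(float(m[1]) * {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[m[2]])


def parse_queue(text):
    """exim -bp output -> list of messages; a bounce has sender '' (printed as <>)."""
    msgs, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"id": h["id"], "age": age_seconds(h["age"]), "size": size_bytes(h["size"]),
                   "sender": h["sender"], "frozen": bool(h["frozen"]), "recipients": []}
            msgs.append(cur)
        elif cur is not None and line.strip():
            r = RCPT_RE.match(line)
            cur["recipients"].append((r["addr"], bool(r["done"])))
    return msgs


def select_ids(msgs, sender=None, recipient=None, older_than=None, younger_than=None, frozen=None):
    """Like exiqgrep -i: -f/-r are regexes, -o/-y are ages in seconds, -z is frozen only."""
    out = []
    for m in msgs:
        if sender and not re.search(sender, m["sender"]):
            continue
        if recipient and not any(re.search(recipient, a) for a, _ in m["recipients"]):
            continue
        if older_than is not None and m["age"] < older_than:
            continue
        if younger_than is not None and m["age"] >= younger_than:
            continue
        if frozen is not None and m["frozen"] != frozen:
            continue
        out.append(m["id"])
    return out


def top_senders(msgs, n=5):
    """Same answer as: exim -bpr | grep -Eo "<[^ ]*@[^ ]*>" | sort | uniq -c | sort -nr | head -n"""
    return Counter(m["sender"] for m in msgs if m["sender"]).most_common(n)


def removal_command(ids):
    """argv for the deletion; review the list, then run it (e.g. with subprocess.run)."""
    return ["exim", "-Mrm", *ids]


if __name__ == "__main__":
    queue = parse_queue(QUEUE_LISTING)
    print("top senders:", top_senders(queue))
    print("frozen:", removal_command(select_ids(queue, frozen=True)))
    print("older than a day:", select_ids(queue, older_than=86400))
```

The age test mirrors exiqgrep's: -o keeps messages at least that many seconds old, -y keeps ones younger than that, so 1d2h counts as older than 86400 and 25m as younger than 3600.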

SPAM

One Liners for dealing with spam on servers using exim.

Locating Spam & Beginning Troubleshooting:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Find top 5 senders ("head -5" Change to add more or less) by email address

exim -bpr | grep -Eo "<[^ ]*@[^ ]*>" | sort | uniq -c | sort -nr | head -5

Most common subjects by count (this relies on the subject being logged on "<=" lines as T="...", which needs the subject log selector; cPanel enables it, stock Exim does not)

awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n | tail -3

Number of emails coming from scripts

sed -ne "s|$(date +%F).*cwd=\(/home[^ ]*\).*$|\1|p" /var/log/exim_mainlog | sort | uniq -c | awk '{printf "%05d %s\n",$1,$2}' | sort | tail -3

You should get back something like this

15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data

We can see /home/userna5/public_html/data by far has more deliveries coming in than any others.
Now we can run the following command to see what scripts are located in that directory

ls -lahtr /home/userna5/public_html/data

In thise case we got back

drwxr-xr-x 17 userna5 userna5 4.0K Oct 20 10:25 ../
-rw-r--r-- 1 userna5 userna5 5.6K Oct 20 11:27 sitefile.php
-rw-r--r-- 1 userna5 userna5 5.6K Oct 20 11:27 sitefile2.php
-rw-r--r-- 1 userna5 userna5 5.6K Oct 20 11:27 mailer.php
-rw-r--r-- 1 userna5 userna5 5.6K Oct 20 11:27 sitefile3.php
-rw-r--r-- 1 userna5 userna5 5.6K Oct 20 11:27 sitefile4.php
drwxr-xr-x 2 userna5 userna5 4.0K Oct 20 11:27 ./

Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command

grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get something back like this

2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
7860 123.123.123.123

We can see the IP address *123.123.123.123* was using our mailer script QUITE a bit. This typically indicates malicious activity.

If you find a malicious IP address sending a large volume of mail from a script, you'll probably want to go ahead and block them at your server's firewall so that they can't try to connect again.

This can be accomplished with the following command

apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"

For iptables use

iptables -I INPUT -s IP-ADDRESS -j DROP

Replace IP-ADDRESS with the actual IP address that you want to block completely. The above rule drops all packets coming from that IP to all server ports. -I inserts the rule at the top of the INPUT chain; with -A it would be appended after any existing ACCEPT rules and might never be reached. The rule lives only in memory, so save it (iptables-save, or your firewall manager's configuration) if it has to survive a reboot.
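The steps above (count deliveries per working directory, find the script, count hits per client on that script, decide who to block) are the same triage every time, so here they are as one script. This is an added example, not code from the original page. MAINLOG is a constructed excerpt of the cwd= lines cPanel's Exim writes when a script calls /usr/sbin/sendmail, and ACCESS_LOG is constructed Apache combined-format output. Two things differ from the one-liners: the request path is matched on the request line only, so a referer or user agent that mentions mailer.php does not count as a hit, and the queue runner's own cwd (/var/spool/exim) is skipped the way the grep -v does. The 80% threshold for suggesting a block is an assumption of this example, not an Exim or cPanel setting, and the iptables rule is returned as an argument list for you to review, not executed.

```python
"""Which directory is sending, and which client is driving the script: a triage of the logs above.

Added example, not code from the original page. MAINLOG and ACCESS_LOG are constructed.
"""
import re
from collections import Counter

MAINLOG = """\
2013-10-20 11:27:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2013-10-20 11:27:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VXnAb-0001Qp-5f
2013-10-20 11:27:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2013-10-20 11:27:02 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2013-10-20 11:27:03 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2013-10-20 11:27:04 cwd=/home/userna5/public_html/about-us 3 args: /usr/sbin/sendmail -t -i
2013-10-19 23:59:59 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
"""

ACCESS_LOG = """\
203.0.113.10 - - [20/Oct/2013:11:27:01 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "python-requests/2.2"
198.51.100.4 - - [20/Oct/2013:11:27:01 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Oct/2013:11:27:02 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "python-requests/2.2"
203.0.113.10 - - [20/Oct/2013:11:27:03 -0500] "POST /data/mailer.php?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.2"
198.51.100.4 - - [20/Oct/2013:11:27:04 -0500] "GET /contact.html HTTP/1.1" 200 900 "http://example.com/data/mailer.php" "Mozilla/5.0"
203.0.113.10 - - [20/Oct/2013:11:27:05 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "python-requests/2.2"
198.51.100.4 - - [20/Oct/2013:11:27:06 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

CWD_RE = re.compile(r"^(?P<day>\d{4}-\d\d-\d\d) \S+ cwd=(?P<cwd>\S+) ")
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def script_dirs(mainlog, day=None):
    """Deliveries per working directory, like: grep cwd ... | grep -v /var/spool | ... | uniq -c

    day='YYYY-MM-DD' restricts the count to one day, like the sed $(date +%F) version.
    """
    counts = Counter()
    for line in mainlog.splitlines():
        m = CWD_RE.match(line)
        if not m or m["cwd"].startswith("/var/spool"):   # queue runner, not a script
            continue
        if day and m["day"] != day:
            continue
        counts[m["cwd"]] += 1
    return counts


def script_hits(access_log, script):
    """Requests per client IP whose request path (query string ignored) ends in /script."""
    counts = Counter()
    for line in access_log.splitlines():
        m = REQ_RE.match(line)
        if m and m["path"].split("?")[0].endswith("/" + script):
            counts[m["ip"]] += 1
    return counts


def triage(mainlog, access_log, script, day=None, ratio=0.8):
    """Busiest sending directory, busiest client of `script`, and a block rule to consider.

    'block' is set (as argv, not run) when one IP made at least `ratio` of the hits;
    the 0.8 default is an assumption of this example.
    """
    dirs, hits = script_dirs(mainlog, day), script_hits(access_log, script)
    top_dir, top_dir_n = dirs.most_common(1)[0] if dirs else (None, 0)
    top_ip, top_ip_n = hits.most_common(1)[0] if hits else (None, 0)
    total = sum(hits.values())
    result = {"top_dir": top_dir, "top_dir_hits": top_dir_n,
              "top_ip": top_ip, "top_ip_hits": top_ip_n, "block": None}
    if top_ip and top_ip_n / total >= ratio:
        result["block"] = ["iptables", "-I", "INPUT", "-s", top_ip, "-j", "DROP"]
    return result


if __name__ == "__main__":
    print(triage(MAINLOG, ACCESS_LOG, "mailer.php", day="2013-10-20"))
```

On the constructed logs, /home/userna5/public_html/data is the busiest directory and 203.0.113.10 made four of the five real requests to mailer.php (the referer-only line is not counted), so the rule for that address is suggested; the page's grep would have credited 198.51.100.4 with two hits.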
