High Exim queue volume is not just a performance issue. It can indicate account compromise, malicious scripts, destination rejection, or IP reputation problems.
This workflow is inspection-first, deletion-second.
0) Conceptual failure that breaks queue operations
Incorrect command pattern:
exim -Mvh silvana@domain.com
-Mvh, -Mvb, and -Mrm require a Message-ID, not an email address. Use exiqgrep to map address -> queue IDs:
- recipient:
exiqgrep -i -r silvana@domain.com
- sender:
exiqgrep -i -f silvana@domain.com
-i is critical for ID-only output in automation pipelines.
1) Initial triage
exim -bp
exim -bp | exiqsumm
exim -bpc
Frozen messages:
exiqgrep -z -i
2) ID-level forensic inspection
exim -Mvh MESSAGE_ID
exim -Mvb MESSAGE_ID
exim -Mvl MESSAGE_ID
Validate sender identity, route, retention reason, and repetition pattern.
3) Selective cleanup patterns
By sender:
exiqgrep -i -f 'user@domain.com' | xargs -r exim -Mrm
By recipient:
exiqgrep -i -r 'target@otherdomain.com' | xargs -r exim -Mrm
Frozen only:
exiqgrep -z -i | xargs -r exim -Mrm
Force queue run:
exim -qff
Age-based cleanup (older than 7 days):
exiqgrep -i -o 604800 | xargs -r exim -Mrm
Emergency full purge (only after strict validation):
exiqgrep -i | xargs -r exim -Mrm
Pre-check summary by domain:
exim -bp | exiqsumm
4) Common incident patterns
- compromised WordPress plugin abusing mail()
- leaked SMTP credentials
- RBL rejection loops
- DNS failures causing permanent defers
Useful log pivots:
grep -i "cwd=/home" /var/log/exim_mainlog | tail -n 200
grep -i "A=dovecot_login" /var/log/exim_mainlog | tail -n 200
grep -i "rejected\|blacklist\|spam" /var/log/exim_mainlog | tail -n 200
grep 'silvana@domain.com' /var/log/exim_mainlog | tail -n 20
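The first two pivots return raw lines. To see which script directory or which login is responsible for the volume, rank them. This is an added example, not part of the original post: the function names and the sample log lines are constructed, and it assumes the usual Exim main log layout where cwd= and A=dovecot_login:USER appear as whitespace-separated fields.

```shell
#!/bin/sh
# Added example: rank mail sources in an Exim main log (inspection only, deletes nothing).
# On a live server, pass /var/log/exim_mainlog instead of the constructed sample.

# Count local submissions per working directory (cwd=/home/...).
top_cwd() {
  awk '{ for (i = 1; i <= NF; i++)
           if ($i ~ /^cwd=\/home/) n[substr($i, 5)]++ }
       END { for (d in n) print n[d], d }' "$1" | sort -k1,1nr -k2
}

# Count accepted messages ("<=") per authenticated login.
top_auth() {
  awk '/ <= / { for (i = 1; i <= NF; i++)
                  if ($i ~ /^A=dovecot_login:/) n[substr($i, 17)]++ }
       END { for (u in n) print n[u], u }' "$1" | sort -k1,1nr -k2
}

# Constructed sample log lines (not taken from a real server).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
2024-05-01 10:00:01 cwd=/home/acct1/public_html/wp-content/plugins/formx 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 cwd=/home/acct1/public_html/wp-content/plugins/formx 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 cwd=/home/acct1/public_html/wp-content/plugins/formx 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:05 cwd=/var/spool/exim 4 args: /usr/sbin/exim -q
2024-05-01 10:01:00 1sAAAA-0001ab-2C <= info@example.com H=(pc) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:info@example.com S=2210
2024-05-01 10:01:05 1sAAAB-0001ac-3D <= info@example.com H=(pc) [203.0.113.5]:51240 P=esmtpsa A=dovecot_login:info@example.com S=2198
2024-05-01 10:01:09 1sAAAC-0001ad-4E <= bob@example.org H=(laptop) [198.51.100.7]:40022 P=esmtpsa A=dovecot_login:bob@example.org S=901
EOF

echo "== submissions per script directory =="
top_cwd "$sample"
echo "== accepted messages per authenticated login =="
top_auth "$sample"
```

A directory or login that dominates the ranking is the one to inspect at ID level (section 2) before any selective cleanup.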
5) Recurrence prevention in WHM
- global hourly sending cap per domain
- per-account hourly relay cap
- credential rotation + MFA
- malware scan of web roots and user cronjobs
6) Acceptance checklist
- queue returns to baseline
- no abnormal regrowth in 24h
- abuse source blocked
- sending limits enforced
- IP reputation monitored in RBLs
Effective Exim queue handling is a process, not a single delete command. Forensic triage plus selective actions keeps legitimate mail flow intact.
This post is licensed under CC BY-NC.