Re: [Exim] Exim logging getting fooled by some Windows firew…

Author: Philip Hazel
Date:  
To: John Henders
CC: exim-users
Subject: Re: [Exim] Exim logging getting fooled by some Windows firewall.
On 17 Jul 2000, John Henders wrote:

> In the course of looking through my log files I discovered some log
> lines which are falsely recording an IP address of 127.0.0.1. The lines
> in question look like this.
>
> 2000-07-16 05:22:07 13DnQr-0000Dw-00 <= foo@???
> H=localhost (family2) [127.0.0.1] P=smtp S=3384
> id=001101bfef1e$e94f2a00$2100a8c0@family2
>
> 2000-07-16 05:51:41 13DntU-0000xc-00 <= bar@???
> H=localhost (nn) [127.0.0.1] P=smtp S=1361
> id=015401bfef23$b6cf5c80$14f4dc83@nn
>
> In both cases the actual username has been changed by me. Everything
> else in the line is as it appears in the logs. As some of the other
> messages had some information that showed the users were on cable modems
> and using Outlook or Outlook Express I'm suspecting that this is coming
> from a masquerading program for Windows that allows multiple machines to
> share an IP address, but my understanding from the docs is that the IP
> address logged in square brackets came from a lookup on the incoming
> connection.


That is correct. The accept() function that the daemon calls to accept
an incoming call sets up a sockaddr structure which contains the IP
address of the caller. In the case of an inetd call, Exim calls
getpeername() to get the sockaddr.

> The chapter on logging in 48.3 says this is the only field
> that can be relied on.


Clearly over-optimistic!

I don't think there is anything that can be done in Exim about this. The
OS is telling it that is where the call came from; as far as I know
there is no way it can find out any more information.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
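
Added example, not part of the original message and not Exim source code: a small C program showing the two ways described above of obtaining the caller's address, accept() for a daemon and getpeername() for an inherited socket. The helper name `peer_addrs`, the loopback listener and the local client are assumptions made for the illustration; the point is that both calls return only the address of the socket's immediate peer.

```c
/* Added example, not Exim source: the only caller address a TCP server
   gets is the one the OS reports for the socket's immediate peer. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: connect a local client to a loopback listener, then
   read the peer address via accept() (daemon case) and via getpeername()
   (inetd case). Returns 0 on success, -1 on any socket error. */
int peer_addrs(char *via_accept, char *via_getpeername, socklen_t len)
{
    struct sockaddr_in srv = {0}, p1 = {0}, p2 = {0};
    socklen_t slen = sizeof srv, l1 = sizeof p1, l2 = sizeof p2;
    int rc = -1, conn = -1;
    int lsn = socket(AF_INET, SOCK_STREAM, 0);
    int cli = socket(AF_INET, SOCK_STREAM, 0);
    if (lsn < 0 || cli < 0) goto out;
    srv.sin_family = AF_INET;               /* port 0: kernel picks one */
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lsn, (struct sockaddr *)&srv, sizeof srv) < 0 ||
        listen(lsn, 1) < 0 ||
        getsockname(lsn, (struct sockaddr *)&srv, &slen) < 0) goto out;
    /* Constructed client: stands in for any process on the same host. */
    if (connect(cli, (struct sockaddr *)&srv, sizeof srv) < 0) goto out;
    /* Daemon case: accept() fills in the caller's sockaddr. */
    conn = accept(lsn, (struct sockaddr *)&p1, &l1);
    if (conn < 0) goto out;
    /* inetd case: the socket is inherited, so ask with getpeername(). */
    if (getpeername(conn, (struct sockaddr *)&p2, &l2) < 0) goto out;
    if (inet_ntop(AF_INET, &p1.sin_addr, via_accept, len) &&
        inet_ntop(AF_INET, &p2.sin_addr, via_getpeername, len)) rc = 0;
out:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (lsn >= 0) close(lsn);
    return rc;
}

int main(void)
{
    char a[INET_ADDRSTRLEN], g[INET_ADDRSTRLEN];
    if (peer_addrs(a, g, sizeof a) != 0) return 1;
    printf("accept(): [%s]  getpeername(): [%s]  %s\n", a, g,
           strcmp(a, g) == 0 ? "(same)" : "(differ)");
    return 0;
}
```

Both calls report 127.0.0.1 here because the connecting socket is on the same host; the server has no further source for the address of whoever is behind that socket.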