[exim] Logging IPv4 port numbers

Author: Richard Clayton
Date:  
To: exim-users
Subject: [exim] Logging IPv4 port numbers
This is something I raised a while back... and maybe #4.75 is the time
to finally sort it out?

Within days the last /8 IPv4 address blocks will be passed to the RIRs
(there's a little cascade at the end: there are presently 7 blocks
remaining, there will soon be 0), and so the RIRs will consequently run
out of blocks to allocate around September/October or so.

This is widely expected to mean a rise in the usage of various types of
"carrier grade NAT" (as is already widely used for cellphone access to
the Internet).

This in turn means that if you are logging IPv4 addresses for security
purposes it is necessary to record not just the IPv4 address and a
reliable timestamp BUT ALSO the source port number for the connection.
Without the source port it will not be possible for the ISP of the
sender to trace which account (possibly out of a thousand or so) was
using the IPv4 address at the relevant time.

This is of course important for exim because on many occasions we use
the IPv4 addresses in connection logs and in Received header fields to
pass to other parties to request that they deal with abuse (or indeed
just to help them debug problems).

So source port numbers need to be added to exim's logging... this may
of course break some tools and log processing systems, so obviously
there needs to be option(s) to turn this on and off, but I would argue
that there was a strong case for immediately enabling this new
functionality by default -- because to do otherwise will be to start to
significantly degrade the community's ability to trace email :(

Looking at the code base, there is already some code for including port
numbers in host_build_sender_fullhost() but they will only make it into
the logging in limited circumstances.

For more reading, some chatty articles expanding on the above:

<http://www.lightbluetouchpaper.org/2010/01/12/extending-the-requirements-for-traceability/>

and an Internet-Draft which is a bit more formal about what exim should
be considering doing:

<http://tools.ietf.org/html/draft-ietf-intarea-server-logging-recommendations-02>

- -- 
Dr Richard Clayton                         <richard.clayton@???>
                                  tel: 01223 763570, mobile: 07887 794090
                    Computer Laboratory, University of Cambridge, CB3 0FD
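The traceability argument in the post above, worked through as an added example (not code from Richard Clayton or from the exim project): a small Python script that parses a mail-server log line with and without a source port and looks it up against a constructed carrier-grade-NAT translation table. The log lines and the CGN table are constructed sample data; the `[ip]:port` host field format is an assumption loosely modelled on exim's bracketed-address convention, not the exact output of any exim log selector.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed CGN translation records (assumption: this is what an ISP
# behind a carrier-grade NAT would keep), one per subscriber session:
# (public_ip, port_low, port_high, session_start, session_end, subscriber)
CGN_LOG = [
    ("203.0.113.5", 1024, 32767, "2011-02-01 09:00:00", "2011-02-01 12:00:00", "acct-1041"),
    ("203.0.113.5", 32768, 65535, "2011-02-01 10:00:00", "2011-02-01 11:00:00", "acct-2207"),
    ("203.0.113.5", 32768, 65535, "2011-02-01 08:00:00", "2011-02-01 09:59:59", "acct-3315"),
]

# Constructed MTA log lines. The "<= sender H=(helo) [ip] ..." shape is an
# assumption loosely modelled on exim's bracketed host field; the message id
# is made up.
LOG_WITHOUT_PORT = ("2011-02-01 10:15:03 1PkQzN-0001Aa-7x <= sender@example.org "
                    "H=(mail.example.org) [203.0.113.5] P=esmtp S=2048")
LOG_WITH_PORT = ("2011-02-01 10:15:03 1PkQzN-0001Aa-7x <= sender@example.org "
                 "H=(mail.example.org) [203.0.113.5]:40123 P=esmtp S=2048")

# Timestamp at the start of the line, then the first bracketed IPv4 address,
# optionally followed by ":port".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\](?::(?P<port>\d{1,5}))?"
)


def parse_log_line(line):
    """Extract timestamp, remote IPv4 address and (if logged) source port."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("no timestamp/host field found: " + line)
    port = int(m.group("port")) if m.group("port") else None
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT),
            "ip": m.group("ip"), "port": port}


def trace_subscriber(cgn_log, ip, ts, port=None):
    """Return every subscriber who could have used (ip, port) at time ts.

    Without a port the lookup can only narrow by address and time, so every
    subscriber sharing the public address at that moment is a candidate.
    """
    hits = []
    for pub_ip, lo, hi, start, end, subscriber in cgn_log:
        if pub_ip != ip:
            continue
        if not (datetime.strptime(start, TS_FMT) <= ts <= datetime.strptime(end, TS_FMT)):
            continue
        if port is not None and not (lo <= port <= hi):
            continue
        hits.append(subscriber)
    return hits


def trace_from_line(cgn_log, line):
    """Parse a log line and look its connection up in the CGN table."""
    rec = parse_log_line(line)
    return trace_subscriber(cgn_log, rec["ip"], rec["ts"], rec["port"])


if __name__ == "__main__":
    for line in (LOG_WITHOUT_PORT, LOG_WITH_PORT):
        print(line)
        print("  candidate subscribers:", trace_from_line(CGN_LOG, line))
```

With the constructed data the line that lacks a port resolves to two subscribers who shared 203.0.113.5 at 10:15:03, while the line that carries the port resolves to exactly one; a reliable timestamp is needed in both cases because the same port range is reassigned to a different subscriber earlier in the day.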