I found this lines in mainlog:
2012-02-13 16:25:53 1Rwxmr-0003tG-09 <= havicker@??? H=(User) [4.79.231.188] P=esmtpa A=login S=1695
2012-02-13 16:25:54 1Rwxmr-0003tG-09 => 23vbennett@??? R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.65.27]
2012-02-13 16:25:54 1Rwxmr-0003tG-09 Completed
I think, this is relaying.
There is the string A=login
Do you mean, this is the user name? But I mean, we have not a user named "login".
Raba
----------------ursprüngliche Nachricht-----------------
Von: "Oliver Heesakkers" exim4@???
An: exim-users@???
Datum: Tue, 14 Feb 2012 19:51:12 +0100
-------------------------------------------------
> Op di 14 feb 2012 15:43:00 schreef Ralph Ballier:
>> Hello,
>>
>> one of my server with exim 4.77 seems to be an open relay, but I mean I had
>> configured all right. I use smtp authentication and suppose, that hackers
>> had found out username and password of a legal user. Is it possible to
>> logging all information floating from mail client to server? I hope to get
>> the username which give access to the server.
>>
>> Or do you mean, there is an other reason for open relay?
>>
>> Raba
>
> The login name and authorisation _is_ logged in the standard configuration
> (the string preceded with 'A='). Also in standard configuration your box would
> not be an open relay.
>
> If no 'A=' string is present in the log for the outgoing mail, you might want
> to check is there is a 'U=' string which would signify that a user is
> submitting these mails locally (website, compromised local user).
>
> Some snippets from you log would help us greatly in any further investigation.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
>
--
Systemsignatur