Re: [exim] Understanding flow of exim log files

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Understanding flow of exim log files
Chip <jeffschips@???> (Fr 08 Jun 2012 19:11:39 CEST):
> Below is a snippet of a log file which has raised my suspicion. The
> names and identities of the innocent (and not so innocent) have been
> obscured. I am trying to understand the *flow* of the traffic and what
> actually happened.
>
> Any help on the flow and what messages were delivered, where, would be
> greatly appreciated.


Obscuring logs is mostly a bad idea, since it prevents helpful people
from checking e.g. MX records of related domains, or prevents from doing
some tests against the mentioned servers.

And not linebreaking the logs is helpful too. (I re-unbroke the lines).

2012-06-08 12:51:36 SMTP connection from [77.248.xx.xxx]:63305 (TCP/IP connection count = 1)
2012-06-08 12:51:37 H=(wzhfmiaqb) [77.248.xx.xxx]:63305 rejected MAIL <lakenxxxxxx@???>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2012-06-08 12:51:37 SMTP connection from (wzhfmiaqb) [77.248.xx.xxx]:63305 closed by DROP in ACL

So far the connection was rejected by the logging host. If an invalid
HELO should lead to such drastic action?? How do you accept mails for
postmaster@…?

2012-06-08 12:51:42 SMTP connection from [124.12.xx.xxx]:60909 (TCP/IP connection count = 1)
2012-06-08 12:51:48 1Sd2Pb-0007mS-He <= dawnxxx@??? H=124-12-xx-xxx.dynamic.xxx.xxx.tw (pa91lxxx.com) [124.12.xx.xxx]:60909 P=smtp S=982 id=30v18f98p29-09887224-926q7p37@lkcttldr T="This is It & " for bluey@???
2012-06-08 12:51:48 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Sd2Pb-0007mS-He
2012-06-08 12:51:48 1Sd2Pb-0007mS-He check_mail_permissions could not determine the sender domain [message_exim_id=1Sd2Pb-0007mS-He sender_host_address=124.12.xxx.xxx recipients_count=1]

check_mail_permissions … never have seen it. Probably cpanel? But it
doesn't seem like a reason for rejecting the mail, because the the exim
spool id appears on the next lines again, until exim logs the
"Completed" line. This ("Completed") is a strong indication that the
"transaction" is done. The => lines are a strong indication for a
successful delivery to the local mailbox and for the remote delivery.

2012-06-08 12:51:48 1Sd2Pb-0007mS-He => bluey <bluey@???> P=<dawnxxx@???> R=virtual_user T=virtual_userdelivery
2012-06-08 12:51:49 1Sd2Pb-0007mS-He => jeffxxx@??? <bluey@???> P=<dawnxxx@???> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.77.27] X=TLSv1:RC4-SHA:128
2012-06-08 12:51:49 1Sd2Pb-0007mS-He Completed
2012-06-08 12:51:50 SMTP connection from 124.12.xx.xxx (pa91lxxx.com) [124.12.xx.xxx]:60909 closed by QUIT

After all, this second connection lead to two mail deliveries, one local
and one remote. It does not look unusual, except the fact of the
rejection at the MAIL command already.

--
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B