On Sat, 2014-06-21 at 20:57 -0700, Kaz Kylheku wrote:
> I know what the range 192.168 is; but what is the syntax of the log? The
> Exim reject logs vary in their structure. I have seen variations like:
>
> H=X [Z]
> H=(X) [Z]
> H=X ([Y]) [Z]
> H=([Y]) [Z]
>
> and possibly others. The address Z in square brackets is consistent.
> Between the H= and that, sometimes there are two tokens and sometimes
> only one, with various combinations of brackets or parentheses.
H= occurs twice: once when receiving messages and once when sending
messages.
Sending messages
H= host_name [ip address]
-------------------------------
Receiving messages (examples from yesterday's log; all rejected by my
defences)
When the HELO (or EHLO) is the same as the host name, the HELO is not
shown.
H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672
NO HOST_NAME
H=[82.221.106.233]:53132
HELO DIFFERENT FROM HOST_NAME
H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207
* Host_name not in brackets
* HELO different from host_name, HELO in round brackets ()
* IP address in square brackets []
> How can we parse all these variations?
You can 'play' with these in the ACLs.
> In the case of ([192.168.2.33]),
> if that is the HELO string, what came from the host? Just the numeric
> address, or with the square brackets? Or are the square brackets Exim's
> convention for logging IP addresses?
'192.168.2.33' is the HELO! All numeric. Note it is in round brackets
and is shown because it is different from the host_name. Because the
bogus HELO is an IP address it is also enclosed in square brackets.
> Do parentheses always denote the HELO information?
Round brackets yes - but shown only when it is different from the
host_name.
> I'm guessing:
>
> H=X [Z] -- host gave no HELO; X is a reverse lookup from Z.
host_name = HELO. Yes, X is derived from Z.
> H=(X) [Z] -- X was given as HELO; but matches Z
Wrong - I think. HELO, if different from host_name will be in round
brackets. First entry on line is either host_name (if derived from IP
address) or IP address; never HELO.
> H=X ([Y]) [Z] -- X was reversed from Z; host gave Y numeric IP as HELO
HELO (y) is different from host_name (x).
> H=X (Y) [Z] -- X was reversed from Z; host gave Y non-numeric item as
> HELO
Yes.
--
Regards,
Paul.
England, EU.
Centos, Exim, Apache, Libre Office.
Linux is the future. Micro$oft is the past.
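An added example, not part of the thread: a small Python parser for the H= variants Paul lists above (host_name optional, HELO in round brackets only when it differs from host_name and itself in square brackets when it is an IP literal, then the peer IP in square brackets with an optional :port). The sample fields are the three quoted in the message plus one constructed line for the ([Y]) form using a documentation IP as a placeholder.

```python
import re
from typing import Optional

# Layout of the H= field as described in the reply:
#   H=host_name (helo) [ip]:port
# host_name is absent when there is no reverse DNS name; (helo) is shown only
# when it differs from host_name and is written ([a.b.c.d]) for an IP literal.
H_FIELD = re.compile(
    r"H="
    r"(?:(?P<host>[^\s\[\]()]+)\s+)?"   # host_name, absent without rDNS
    r"(?:\((?P<helo>[^)]*)\)\s+)?"      # HELO, only when != host_name
    r"\[(?P<ip>[^\]]+)\]"               # sending IP, always present
    r"(?::(?P<port>\d+))?"              # optional source port
)


def parse_h_field(line: str) -> Optional[dict]:
    """Return the parts of the first H= field in a log line, or None."""
    m = H_FIELD.search(line)
    if not m:
        return None
    host, helo, ip, port = m.group("host", "helo", "ip", "port")
    helo_is_ip_literal = helo is not None and helo.startswith("[") and helo.endswith("]")
    if helo_is_ip_literal:
        helo = helo[1:-1]                # strip Exim's [] around an IP-literal HELO
    return {
        "host_name": host,               # None when Exim logged no name
        "helo": helo if helo is not None else host,  # omitted HELO == host_name
        "helo_shown": helo is not None,
        "helo_is_ip_literal": helo_is_ip_literal,
        "ip": ip,
        "port": int(port) if port else None,
    }


# Sample fields: three from the message, the last one constructed.
SAMPLES = [
    "H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672",
    "H=[82.221.106.233]:53132",
    "H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207",
    "H=([192.168.2.33]) [203.0.113.5]",   # constructed ([Y]) [Z] example
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", parse_h_field(s))
```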