Re: [exim] Meaning of addresses in rejectlog

Author: Kaz Kylheku
Date:  
To: Always Learning
CC: Exim
Subject: Re: [exim] Meaning of addresses in rejectlog
On 22.06.2014 16:35, Always Learning wrote:
> On Sat, 2014-06-21 at 20:57 -0700, Kaz Kylheku wrote:
>
>> I know what the range 192.168 is; but what is the syntax of the log?
>> The
>> Exim reject logs vary in their structure. I have seen variations like:
>>
>>    H=X [Z]
>>    H=(X) [Z]
>>    H=X ([Y]) [Z]
>>    H=([Y]) [Z]
>>
>> and possibly others. The address Z in square brackets is consistent.
>> Between the H= and that, sometimes there are two tokens and sometimes
>> only one, with various combinations of brackets or parentheses.
>
> H= occurs twice. Once in receiving messages and once when sending
> messages.
>
> Sending messages
> H= host_name [ip address]
> -------------------------------
> Receiving messages (examples from yesterday's log; all rejected by my
> defences)
>
> When the HELO (or EHLO) is the same as the host name, the HELO is not
> shown.
> H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672
>
> NO HOST_NAME
> H=[82.221.106.233]:53132
>
> HELO DIFFERENT FROM HOST_NAME
> H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207
>
> * Host_name not in brackets
> * HELO different from host_name, HELO in round brackets ()
> * IP address in square brackets []
>
>> How can we parse all these variations?
>
> You can 'play' with these in the ACLs.


Thanks for all the hints.

I don't need this to reject the connections with ACLs; that works fine.

I'm scanning the textual logs themselves in real-time to additionally
ban IP addresses from connecting.

The detailed H= info isn't critical, but it would be nice to parse
properly.

---

By the way, doh, of course the way to test this stuff empirically is
to just run exim -bh.

We can use this to show that sending mail without HELO is perfectly
possible. (I seem to recall seeing an option to reject connections that
bypass HELO.)

# exim4 -bh 10.20.30.40

**** SMTP testing session as if from host 10.20.30.40

[ snip ]

220 kylheku.com ESMTP Exim 4.69 Sun, 22 Jun 2014 18:30:19 -0700
MAIL from: spammer@???
>>> using ACL "acl_check_mail"
>>> processing "accept"
>>> accept: condition test succeeded
250 OK
RCPT to: kaz@???
>>> using ACL "acl_check_rcpt"

[ snip ]

LOG: H=[10.20.30.40] F=<spammer@???> rejected RCPT
kaz@???: host lookup failed (failed to find host name from IP
address)

So, since no HELO was given, and the IP address didn't resolve to a host
name, there is nothing between the H= token and the [IP].

Here is what it looks like if I use an IP which does resolve, but no
HELO:

LOG: H=sea09s02-in-f19.1e100.net [173.194.33.51] F=<foo@???>
rejected RCPT nonexistent@???: Unrouteable address

And if I do supply a HELO and use the exact string
"sea09s02-in-f19.1e100.net", I get the same log.

So it looks like we are both right: if the HELO matches the reversed
host name, then the parenthesized HELO string is not shown. If there is
no HELO, then that string is also not shown; we cannot tell from H=
information in the reject log line whether or not a HELO had been given.

That's fine.

Cheers.
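As an added example (not code from the thread, from Exim, or from either poster), here is a Python parser for every H= shape the thread lists, including the port-suffixed lines and the `[Z]`-only case, with an IP validation step before an address goes into a ban list. The host names and addresses are the ones quoted in the thread; the remaining sample lines are constructed and marked as such.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# H= is: optional reverse-DNS host, optional "(helo)", then "[ip]" and an optional
# ":port". The host token may not start with "(" or "[", so every shape in the
# thread ("H=X [Z]", "H=(X) [Z]", "H=X ([Y]) [Z]", "H=([Y]) [Z]", "H=[Z]:port") fits.
H_FIELD = re.compile(
    r"\bH="
    r"(?:(?P<host>[^\s(\[]\S*)\s+)?"  # X in "H=X [Z]" / "H=X ([Y]) [Z]"
    r"(?:\((?P<helo>[^)]*)\)\s+)?"    # (X) or ([Y]); absent if no HELO or HELO == host
    r"\[(?P<ip>[^\]]+)\]"             # the consistent [Z]
    r"(?::(?P<port>\d+))?"            # optional client port (present in some thread lines)
)

class HostInfo(NamedTuple):
    host: Optional[str]
    helo: Optional[str]  # None both when no HELO was sent and when it matched host
    ip: str
    port: Optional[int]

def parse_h_field(line: str) -> Optional[HostInfo]:
    """Parse the H= field of one Exim log line; None if absent or malformed."""
    m = H_FIELD.search(line)
    if not m:
        return None
    try:  # validate before the value goes anywhere near a firewall rule
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return HostInfo(m.group("host"), m.group("helo"), ip, port)

def reject_ips(lines: List[str]) -> List[str]:
    """Deduplicated client IPs from rejection lines, in first-seen order."""
    found = (parse_h_field(l) for l in lines if "rejected" in l)
    return list(dict.fromkeys(info.ip for info in found if info))

# Constructed sample: the first two are the LOG lines quoted in the thread; the
# rest reuse the H= shapes it lists (the last one is malformed on purpose).
SAMPLE_LINES = [
    "LOG: H=[10.20.30.40] F=<spammer@???> rejected RCPT kaz@???: host lookup failed",
    "LOG: H=sea09s02-in-f19.1e100.net [173.194.33.51] F=<foo@???> rejected RCPT nonexistent@???: Unrouteable address",
    "LOG: H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207 F=<a@???> rejected RCPT b@???",
    "LOG: H=([192.0.2.9]) [192.0.2.9] F=<a@???> rejected RCPT b@???",
    "LOG: H=[10.20.30.40] F=<spammer@???> rejected RCPT c@???",
    "LOG: H=[not-an-ip]:25 F=<a@???> rejected RCPT b@???",
]
```

Because Exim omits the parenthesised string both when no HELO was sent and when it equals the reverse-DNS name, `helo` is `None` in both cases and cannot distinguish them, exactly as the thread concludes.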