On 22.06.2014 16:35, Always Learning wrote:
> On Sat, 2014-06-21 at 20:57 -0700, Kaz Kylheku wrote:
>
>> I know what the range 192.168 is; but what is the syntax of the log?
>> The Exim reject logs vary in their structure. I have seen variations like:
>>
>> H=X [Z]
>> H=(X) [Z]
>> H=X ([Y]) [Z]
>> H=([Y]) [Z]
>>
>> and possibly others. The address Z in square brackets is consistent.
>> Between the H= and that, sometimes there are two tokens and sometimes
>> only one, with various combinations of brackets or parentheses.
>
> H= occurs twice. Once in receiving messages and once when sending
> messages.
>
> Sending messages
> H= host_name [ip address]
> -------------------------------
> Receiving messages (examples from yesterday's log; all rejected by my
> defences)
>
> When the HELO (or EHLO) is the same as the host name, the HELO is not
> shown.
> H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672
>
> NO HOST_NAME
> H=[82.221.106.233]:53132
>
> HELO DIFFERENT FROM HOST_NAME
> H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207
>
> * Host_name not in brackets
> * HELO different from host_name, HELO in round brackets ()
> * IP address in square brackets []
>
>> How can we parse all these variations?
>
> You can 'play' with these in the ACLs.
Thanks for all the hints.
I don't need this to reject the connections with ACLs; that works fine.
I'm scanning the textual logs themselves in real time to additionally
ban IP addresses from connecting.
The detailed H= info isn't critical, but it would be nice to parse
properly.
---
By the way, doh, of course the way to test this stuff empirically is
to just run exim -bh.
We can use this to show that sending mail without HELO is perfectly
possible. (I seem to recall seeing an option to reject connections that
bypass HELO.)
# exim4 -bh 10.20.30.40
**** SMTP testing session as if from host 10.20.30.40
[ snip ]
220 kylheku.com ESMTP Exim 4.69 Sun, 22 Jun 2014 18:30:19 -0700
MAIL from: spammer@???
>>> using ACL "acl_check_mail"
>>> processing "accept"
>>> accept: condition test succeeded
250 OK
RCPT to: kaz@???
>>> using ACL "acl_check_rcpt"
[ snip ]
LOG: H=[10.20.30.40] F=<spammer@???> rejected RCPT
kaz@???: host lookup failed (failed to find host name from IP
address)
So, since no HELO was given, and the IP address didn't resolve to a host
name, there is nothing between the H= token and the [IP].
Here is what it looks like if I use an IP which does resolve, but no
HELO:
LOG: H=sea09s02-in-f19.1e100.net [173.194.33.51] F=<foo@???>
rejected RCPT nonexistent@???: Unrouteable address
And if I do supply a HELO and use the exact string
"sea09s02-in-f19.1e100.net", I get the same log.
So it looks like we are both right: if the HELO matches the reversed
host name, then the parenthesized HELO string is not shown. If there is
no HELO, then that string is also not shown; we cannot tell from H=
information in the reject log line whether or not a HELO had been given.
That's fine.
Cheers.
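An added example, not code from either poster, that parses the H= field in all the shapes quoted in this thread (host, optional parenthesised HELO, the mandatory [ip], optional :port) and tallies rejected connections per IP the way a log-driven banning script would. The sample log lines are constructed from the H= forms and addresses shown above, with the e-mail addresses replaced by placeholders.

```python
import re
from collections import Counter

# Matches the H= field of an Exim reject-log line in the shapes quoted in
# the thread: H=host [ip], H=(helo) [ip], H=host (helo) [ip], H=([lit]) [ip]
# and H=[ip], each optionally followed by :port. Only the [ip] is mandatory;
# the HELO is absent both when none was given and when it equals the host.
H_FIELD = re.compile(
    r"\bH="
    r"(?:(?P<host>[^\s(\[]+) )?"      # reverse-DNS name (absent if lookup failed)
    r"(?:\((?P<helo>[^)]*)\) )?"       # HELO/EHLO, shown only if it differs from host
    r"\[(?P<ip>[^\]]+)\]"              # connecting IP address, always present
    r"(?::(?P<port>\d+))?"             # source port, present on newer Exim versions
)

def parse_h_field(line):
    """Return {host, helo, ip, port} (None where absent), or None if no H= field."""
    m = H_FIELD.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"]) if d["port"] else None
    return d

def rejected_ips(lines, threshold=1):
    """Count 'rejected' log lines per connecting IP; return those at/over threshold."""
    counts = Counter()
    for line in lines:
        if " rejected " not in line:
            continue
        h = parse_h_field(line)
        if h:
            counts[h["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines built from the H= shapes quoted in the thread.
SAMPLE_LOG = [
    "2014-06-22 18:30:19 H=[10.20.30.40] F=<spammer@example.invalid> rejected RCPT kaz@example.invalid: host lookup failed",
    "2014-06-22 18:31:02 H=sea09s02-in-f19.1e100.net [173.194.33.51] F=<foo@example.invalid> rejected RCPT nonexistent@example.invalid: Unrouteable address",
    "2014-06-22 18:32:10 H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207 rejected connection in \"connect\" ACL",
    "2014-06-22 18:33:45 H=([82.221.106.233]) [82.221.106.233]:53132 rejected connection in \"connect\" ACL",
    "2014-06-22 18:34:00 H=[10.20.30.40] F=<spammer@example.invalid> rejected RCPT kaz@example.invalid: host lookup failed",
]
```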