On Wed, Oct 5, 2016 at 11:52 AM, James Gibbard <thisbodydrop@???>
wrote:
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html
>
>
> "queue_time: The amount of time the message has been in the queue on
> the local host is logged as QT=<time> on delivery (=>) lines, for
> example, QT=3m45s. The clock starts when Exim starts to receive the
> message, so it includes reception time as well as the delivery time
> for the current address. This means that it may be longer than the
> difference between the arrival and delivery log line times, because
> the arrival log line is not written until the message has been
> successfully received."
>
>
This is why it's a good idea to check logs for when the connection started.
Back when I first implemented rate limiting for a service, one part of
Lena's wonderful advice was to add a "warning" to the mainlog as well,
which looks something like this:

    2016-10-05 09:14:25 +0000 [2432] Rate: 1.0/1h ID(ausername) jan@??? (432.customer.isp.example[127.4.3.2]) -> james@???

This will show up with "exigrep senderaddress /var/log/exim4/mainlog".
I've also turned on rather explicit logging, so that I can see when an IP
address first connected, and thereby connect the dots with the sending
attempt:

    log_selector = +address_rewrite +deliver_time +delivery_size \
                   +incoming_interface +incoming_port +outgoing_port \
                   +pid +queue_time +queue_time_overall \
                   +received_recipients +received_sender +rejected_header \
                   +return_path_on_delivery +sender_on_delivery \
                   +smtp_confirmation +smtp_connection \
                   +smtp_incomplete_transaction +smtp_no_mail \
                   +smtp_protocol_error +smtp_syntax_error \
                   +subject +tls_peerdn +tls_sni

Here's the relevant config from the acl_check_rcpt section:

    warn ratelimit = 0 / 1h / strict
         logwrite = :main: \
                    Rate: $sender_rate/$sender_rate_period \
                    $message_id \
                    ID($authenticated_id) $sender_address ($sender_host_name[$sender_host_address]) \
                    -> $local_part@$domain

--
Jan
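
Added example, not part of the original message: one way to "connect the dots" described above is to join each "Rate:" line to the connection-start line with the same pid, which +pid and +smtp_connection make possible. The sample log lines, the example.org/example.net addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample mainlog lines, shaped like the logwrite output above
# with +pid and +smtp_connection enabled. Not taken from a real server.
SAMPLE_LOG = """\
2016-10-05 09:14:20 +0000 [2432] SMTP connection from [127.4.3.2]:51234 I=[127.0.0.1]:587 (TCP/IP connection count = 1)
2016-10-05 09:14:25 +0000 [2432] Rate: 1.0/1h  ID(ausername) jan@example.org (432.customer.isp.example[127.4.3.2]) -> james@example.net
2016-10-05 09:14:26 +0000 [2432] Rate: 2.0/1h  ID(ausername) jan@example.org (432.customer.isp.example[127.4.3.2]) -> bob@example.net
2016-10-05 09:14:30 +0000 [2432] SMTP connection from 432.customer.isp.example [127.4.3.2]:51234 I=[127.0.0.1]:587 closed by QUIT
2016-10-05 09:20:01 +0000 [2501] SMTP connection from [127.9.9.9]:40000 I=[127.0.0.1]:587 (TCP/IP connection count = 1)
2016-10-05 09:20:03 +0000 [2501] Rate: 1.0/1h  ID(other) eve@example.org ([127.9.9.9]) -> x@example.net
"""

# Timestamp, optional timezone offset, then the [pid] added by +pid.
PREFIX = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: [+-]\d{4})? \[(?P<pid>\d+)\] "
# Only connection *start* lines carry the connection count suffix.
CONN_RE = re.compile(PREFIX + r"SMTP connection from (?P<peer>.*) \(TCP/IP connection count = \d+\)$")
# $message_id is empty at RCPT time and $sender_host_name may be empty too.
RATE_RE = re.compile(
    PREFIX + r"Rate: (?P<rate>[\d.]+)/(?P<period>\S+)\s+(?:(?P<msgid>\S+)\s+)?"
    r"ID\((?P<auth>[^)]*)\) (?P<sender>\S*) "
    r"\((?P<host>[^\[\s]*)\[(?P<ip>[^\]]+)\]\) -> (?P<rcpt>\S+)$")

def correlate(log_text):
    """Return one record per Rate: line, joined by pid to its connection start."""
    conn_start = {}  # pid -> timestamp of the latest connection (pids get reused)
    records = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conn_start[m["pid"]] = m["ts"]
            continue
        m = RATE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rate"] = float(rec["rate"])
            rec["connected_at"] = conn_start.get(m["pid"])
            records.append(rec)
    return records

def peak_rate_by_sender(records):
    """Highest logged rate per authenticated id, falling back to the client IP."""
    peaks = defaultdict(float)
    for r in records:
        key = r["auth"] or r["ip"]
        peaks[key] = max(peaks[key], r["rate"])
    return dict(peaks)
```

Feed it the mainlog contents as a single string, in log order, so that a reused pid is matched to its most recent connection line.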