[exim] Spurious DNS lookups during inbound mail processing ?

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Mike Tubby
Dátum:  
Címzett: exim users
Tárgy: [exim] Spurious DNS lookups during inbound mail processing ?
All,

I've been meaning to ask about this for over a year and not got round to
it ...

On my email relays (Exim 4.93 compiled from source, Devuan Beowulf,
64-bit Intel) I frequently see messages:

    no IP address found for host <spurious name>

Where 'spurious name' is one of two or three names that re-appear:

    localhost.localdomain
    sungardps.com
    bazar2.conectiva.com.br

Example:

2020-04-27 19:05:34 no host name found for IP address 103.74.71.78
2020-04-27 19:05:34 CONNECT: New connection from 103.74.71.78:48147 ->
195.171.43.32:25
2020-04-27 19:05:34 CONNECT: Reject: 103.74.71.78 according to:
zen.spamhaus.org : 127.0.0.11, 127.0.0.3, 127.0.0.4
2020-04-27 19:05:34 H=[103.74.71.78] rejected connection in "connect" ACL
2020-04-27 19:05:44 CONNECT: New connection from 192.64.238.20:12146 ->
195.171.43.32:25
2020-04-27 19:05:44 CONNECT: Accepting connection from: 192.64.238.20 -
not blocked by any RBL
2020-04-27 19:05:44 HELO: Accepted HELO/EHLO mx-wowcher-e.sailthru.com
from remote host: 192.64.238.20 (mx-wowcher-e.sailthru.com)
2020-04-27 19:05:44 MAIL: SPF Result=pass (bounce.wowcher.co.uk /
mx-wowcher-e.sailthru.com [192.64.238.20])
2020-04-27 19:05:44 H=mx-wowcher-e.sailthru.com [192.64.238.20] Warning:
MAIL: TLS-STATUS Sender domain=bounce.wowcher.co.uk
Host=mx-wowcher-e.sailthru.com [192.64.238.20] NOT using TLS
2020-04-27 19:05:44 no IP address found for host localhost.localdomain
(during SMTP connection from mx-wowcher-e.sailthru.com [192.64.238.20])
2020-04-27 19:05:44 no IP address found for host sungardps.com (during
SMTP connection from mx-wowcher-e.sailthru.com [192.64.238.20])
2020-04-27 19:05:44 no IP address found for host bazar2.conectiva.com.br
(during SMTP connection from mx-wowcher-e.sailthru.com [192.64.238.20])
2020-04-27 19:05:44 RCPT: SPF Result2=pass (bounce.wowcher.co.uk /
mx-wowcher-e.sailthru.com [192.64.238.20])
2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM START:
domain=bounce.wowcher.co.uk possible_signer=e.wowcher.co.uk status=pass
2020-04-27 19:05:46 1jT88X-0003Qr-G5 no IP address found for host
localhost.localdomain
2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM DEFAULT:
domain=bounce.wowcher.co.uk - message accepted (at end of ACL)
2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM START:
domain=bounce.wowcher.co.uk possible_signer=info@??? status=pass
2020-04-27 19:05:46 1jT88X-0003Qr-G5 no IP address found for host
localhost.localdomain
2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM DEFAULT:
domain=bounce.wowcher.co.uk - message accepted (at end of ACL)
2020-04-27 19:05:46 1jT88X-0003Qr-G5 MIME: Type=multipart/alternative
Size=164
2020-04-27 19:05:46 1jT88X-0003Qr-G5 MIME: Type=text/plain Size=57
2020-04-27 19:05:46 1jT88X-0003Qr-G5 MIME: Type=text/html Size=99
2020-04-27 19:05:46 1jT88X-0003Qr-G5 CONTENT: Start ACL with scan profile: 1
2020-04-27 19:05:46 1jT88X-0003Qr-G5 no IP address found for host
sungardps.com
2020-04-27 19:05:46 1jT88X-0003Qr-G5 no IP address found for host
bazar2.conectiva.com.br
2020-04-27 19:05:46 1jT88X-0003Qr-G5 no IP address found for host
localhost.localdomain
2020-04-27 19:05:46 1jT88X-0003Qr-G5 CONTENT: SPAM: Enabled in scan
profile (will test, reject at 8.0)
2020-04-27 19:05:47 1jT88X-0003Qr-G5 CONTENT: SPAM Score: -4.0 (----)
2020-04-27 19:05:47 1jT88X-0003Qr-G5 no IP address found for host
sungardps.com
2020-04-27 19:05:47 1jT88X-0003Qr-G5 no IP address found for host
bazar2.conectiva.com.br
2020-04-27 19:05:47 1jT88X-0003Qr-G5 no IP address found for host
sungardps.com
2020-04-27 19:05:47 1jT88X-0003Qr-G5 no IP address found for host
bazar2.conectiva.com.br
2020-04-27 19:05:47 1jT88X-0003Qr-G5 no IP address found for host
sungardps.com
2020-04-27 19:05:47 1jT88X-0003Qr-G5 no IP address found for host
bazar2.conectiva.com.br
2020-04-27 19:05:47 1jT88X-0003Qr-G5 CONTENT: ClamAV: Enabled in scan
profile (will test)
2020-04-27 19:05:47 1jT88X-0003Qr-G5 CONTENT: Added custom header:
X-Scan-Signature: d26d2954eec841500d5f8f8788d3c9ad
2020-04-27 19:05:47 1jT88X-0003Qr-G5 CONTENT: Checks completed, content
accepted
2020-04-27 19:05:47 1jT88X-0003Qr-G5 <=
delivery_20200427140443.20144495.139304@???
H=mx-wowcher-e.sailthru.com [192.64.238.20] P=esmtp S=171124
DKIM=e.wowcher.co.uk id=202
2020-04-27 19:05:47 1jT88X-0003Qr-G5 => redacted@???
R=inbound_route T=remote_smtp H=post.thorcom.com
[2a00:2381:19c6:2000::1300] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes
2020-04-27 19:05:47 1jT88X-0003Qr-G5 Completed


The rest of the log entries staring with a capital word like CONNECT:
HELO: MAIL: RCPT: MIME: and CONTENT: are my production level logging.

I don't understand where the spurious names are coming from but they
appear persistent across re-starts of Exim

Any ideas?


Mike