Ken,
> Many entries in my maillog show the client's IP address twice. In most
> cases it is the same, but in some cases the IP addresses differ as
> follows. The domains and IP addresses have been munged to protect the
> innocent:
>
> Dec 10 13:10:24 maildrop amavis[2805]: (02805-01) Passed CLEAN,
> [204.29.186.233] [70.79.44.125] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,
>
> Using the "un-munged" log entry, the IP addresses both correlate with
> the sender domain.
> ...why each log entry shows two IP addresses and why they sometimes
> differ.
The default log template includes macros %a and %e in its report.
README.customize tells:
a original SMTP session client IP address (empty if unknown,
e.g. no XFORWARD)
e best guess of the originator IP address collected from
the Received trace
So the first reported address is the IP address of a client
which directly connected to your MTA, i.e. the last SMTP hop.
It is the information as provided by Postfix in its XFORWARD
smtp command.
The second address is parsed from a header. Searching through
'Received' header fields bottom up, it is the first non-private
IP address found.
When mail is delivered directly from a MUA to your MTA, both
addressess match (assuming the Received headers fields are
parseable and valid). On multi-hop mail they usually differ.
Mark
-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
