I found these lines in mainlog:

2012-02-13 16:25:53 1Rwxmr-0003tG-09 <= [email protected] H=(User) [4.79.231.188] P=esmtpa A=login S=1695
2012-02-13 16:25:54 1Rwxmr-0003tG-09 => [email protected] R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.65.27]
2012-02-13 16:25:54 1Rwxmr-0003tG-09 Completed

I think this is relaying. There is the string A=login. Do you mean this is the user name? But I mean, we do not have a user named "login".

Raba

---------------- Original message -----------------
From: "Oliver Heesakkers" [email protected]
To: [email protected]
Date: Tue, 14 Feb 2012 19:51:12 +0100
-------------------------------------------------
> On Tue 14 Feb 2012 15:43:00 Ralph Ballier wrote:
>> Hello,
>>
>> one of my servers with exim 4.77 seems to be an open relay, but I mean I had
>> configured all right. I use smtp authentication and suppose that hackers
>> had found out the username and password of a legal user. Is it possible to
>> log all information flowing from mail client to server? I hope to get
>> the username which gives access to the server.
>>
>> Or do you mean there is another reason for open relay?
>>
>> Raba
>
> The login name and authorisation _is_ logged in the standard configuration
> (the string preceded with 'A='). Also in standard configuration your box
> would not be an open relay.
>
> If no 'A=' string is present in the log for the outgoing mail, you might want
> to check if there is a 'U=' string which would signify that a user is
> submitting these mails locally (website, compromised local user).
>
> Some snippets from your log would help us greatly in any further investigation.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
