On Sat, 2014-06-21 at 20:57 -0700, Kaz Kylheku wrote:
> I know what the range 192.168 is; but what is the syntax of the log? The
> Exim reject logs vary in their structure. I have seen variations like:
>
>   H=X [Z]
>   H=(X) [Z]
>   H=X ([Y]) [Z]
>   H=([Y]) [Z]
>
> and possibly others. The address Z in square brackets is consistent.
> Between the H= and that, sometimes there are two tokens and sometimes
> only one, with various combinations of brackets or parentheses.

H= occurs twice. Once in receiving messages and once when sending messages.

Sending messages

  H= host_name [ip address]

-------------------------------

Receiving messages (examples from yesterday's log; all rejected by my defences)

When the HELO (or EHLO) is the same as the host name, the HELO is not shown.

  H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672

NO HOST_NAME

  H=[82.221.106.233]:53132

HELO DIFFERENT FROM HOST_NAME

  H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207

* Host_name not in brackets
* HELO different from host_name, HELO in round brackets ()
* IP address in square brackets []

> How can we parse all these variations?

You can 'play' with these in the ACLs.

> In the case of ([192.168.2.33]),
> if that is the HELO string, what came from the host? Just the numeric
> address, or with the square brackets? Or are the square brackets Exim's
> convention for logging IP addresses?

'192.168.2.33' is the HELO! All numeric. Note it is in round brackets and is shown because it is different from the host_name. Because the bogus HELO is an IP address it is also enclosed in square brackets.

> Do parentheses always denote the HELO information?

Round brackets yes - but shown only when it is different from the host_name.

> I'm guessing:
>
> H=X [Z] -- host gave no HELO; X is a reverse lookup from Z.

host_name = HELO. Yes, X is derived from Z.

> H=(X) [Z] -- X was given as HELO; but matches Z

Wrong - I think. HELO, if different from host_name, will be in round brackets. First entry on line is either host_name (if derived from IP address) or IP address; never HELO.

> H=X ([Y]) [Z] -- X was reversed from Z; host gave Y numeric IP as HELO

HELO (y) is different from host_name (x)

> H=X (Y) [Z] -- X was reversed from Z; host gave Y non-numeric item as
> HELO

Yes.

--
Regards,

Paul.
England, EU.

Centos, Exim, Apache, Libre Office.
Linux is the future. Micro$oft is the past.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
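
A parser for the H= layouts discussed in this thread, added here as an illustration; it is not part of the original messages and not Exim's own code. The function names, the regular expression and the last two sample fields (documentation-range addresses) are assumptions of this example. Tokens are labelled only by bracket type, as the reply describes: bare token is the host name, round brackets the HELO, square brackets the IP address.

```python
import re

# Layout per the thread: H=<host_name> (<HELO>) [<ip>]:<port>
# host_name, HELO and port are each optional; the bracketed address is the constant part.
H_FIELD = re.compile(
    r"(?:^|\s)H=\s?"
    r"(?:(?P<host>[^\s()\[\]]+)\s+)?"   # bare token: host name
    r"(?:\((?P<helo>[^()]*)\)\s+)?"     # round brackets: HELO/EHLO, sender-supplied
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\]"       # square brackets: connecting IP address
    r"(?::(?P<port>\d+))?"              # optional source port
)

def parse_h_field(line):
    """Return the H= components of one log line, or None if there is no H= field."""
    m = H_FIELD.search(line)
    if m is None:
        return None
    helo = m.group("helo")
    # A HELO that is itself an IP literal is logged as ([Y]); strip the inner brackets.
    literal = bool(helo) and helo.startswith("[") and helo.endswith("]")
    return {
        "host": m.group("host"),
        "helo": helo[1:-1] if literal else helo,
        "helo_is_ip_literal": literal,
        "ip": m.group("ip"),
        "port": int(m.group("port")) if m.group("port") else None,
    }

def shape(rec):
    """Name the variation in the thread's notation (X host, Y HELO, Z address)."""
    parts = ["X"] if rec["host"] else []
    if rec["helo"] is not None:
        parts.append("([Y])" if rec["helo_is_ip_literal"] else "(Y)")
    return "H=" + " ".join(parts + ["[Z]"])

# First three fields are the examples quoted in the message; the rest are constructed.
SAMPLES = [
    "H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672",
    "H=[82.221.106.233]:53132",
    "H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207",
    "H=([192.168.2.33]) [203.0.113.7]:4025",
    "H=mail.example.net ([192.168.2.33]) [203.0.113.7]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        rec = parse_h_field(s)
        print(shape(rec), rec)
```

The HELO value comes from the remote host, so treat it as untrusted text in whatever consumes the parsed record.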
