On 22.06.2014 16:35, Always Learning wrote:
On Sat, 2014-06-21 at 20:57 -0700, Kaz Kylheku wrote:

I know what the range 192.168 is; but what is the syntax of the log? The
Exim reject logs vary in their structure. I have seen variations like:

   H=X [Z]
   H=(X) [Z]
   H=X ([Y]) [Z]
   H=([Y]) [Z]

and possibly others. The address Z in square brackets is consistent.
Between the H= and that, sometimes there are two tokens and sometimes
only one, with various combinations of brackets or parentheses.

H= occurs twice. Once in receiving messages and once when sending
messages.

Sending messages
H= host_name [ip address]
-------------------------------
Receiving messages (examples from yesterday's log; all rejected by my
defences)

When the HELO (or EHLO) is the same as the host name, the HELO is not
shown.
H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672

NO HOST_NAME
H=[82.221.106.233]:53132

HELO DIFFERENT FROM HOST_NAME
H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207

* Host_name not in brackets
* HELO different from host_name, HELO in round brackets ()
* IP address in square brackets []

How can we parse all these variations?

You can 'play' with these in the ACLs.

Thanks for all the hints.

I don't need this to reject the connections with ACLs; that works fine.

I'm scanning the textual logs themselves in real-time to additionally ban IP addresses from connecting.

The detailed H= info isn't critical, but it would be nice to parse properly.

---

By the way, doh, of course the way to test this stuff empirically is
to just run exim -bh.

We can use this to show that sending mail without HELO is perfectly possible. (I seem to recall seeing an option to reject connections that bypass HELO.)

  # exim4 -bh 10.20.30.40

  **** SMTP testing session as if from host 10.20.30.40

  [ snip ]

  220 kylheku.com ESMTP Exim 4.69 Sun, 22 Jun 2014 18:30:19 -0700
  MAIL from: [email protected]
  >>> using ACL "acl_check_mail"
  >>> processing "accept"
  >>> accept: condition test succeeded
  250 OK
  RCPT to: [email protected]
  >>> using ACL "acl_check_rcpt"

  [ snip ]

LOG: H=[10.20.30.40] F=<[email protected]> rejected RCPT [email protected]: host lookup failed (failed to find host name from IP address)

So, since no HELO was given, and the IP address didn't resolve to a host name, there is nothing between the H= token and the [IP].

Here is what it looks like if I use an IP which does resolve, but no HELO:

LOG: H=sea09s02-in-f19.1e100.net [173.194.33.51] F=<[email protected]> rejected RCPT [email protected]: Unrouteable address

And if I do supply a HELO and use the exact string "sea09s02-in-f19.1e100.net", I get the same log.

So it looks like we are both right: if the HELO matches the reversed host name, then the parenthesized HELO string is not shown. If there is no HELO, then that string is also not shown; we cannot tell from H= information in the reject log line whether or not a HELO had been given.

That's fine.

Cheers.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
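An added example for the parsing question raised in this thread (it is not code from the thread, from Exim, or from either poster): a Python parser for the H= field that handles all the shapes listed above, `H=host [ip]`, `H=(helo) [ip]`, `H=host (helo) [ip]`, `H=([literal]) [ip]` and `H=[ip]`, each with or without the trailing `:port`, and tallies rejects per peer IP the way a log-driven banning script would. It goes slightly beyond the thread in accepting an IPv6 literal in the brackets and the `LOG: H=...` lines printed by `exim -bh`. Assumptions, stated in the code as well: the HELO token contains no `)`, the host token contains no whitespace or brackets, and the sample log lines are constructed for this example (the H= fragments are the ones quoted in the thread; timestamps, addresses and reject messages are made up).

```python
"""Parse the H= field of Exim reject-log lines and tally rejects per peer IP.

Added example for the exim-users thread; not code from the thread or from Exim.
Shapes handled (each with an optional :port after the closing bracket):

    H=host [ip]   H=(helo) [ip]   H=host (helo) [ip]   H=([lit]) [ip]   H=[ip]
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the HELO token contains no ')' and the host token contains no
# whitespace, '(' or '['. The bracketed IP is the one token Exim always emits.
H_FIELD = re.compile(
    r"\bH="
    r"(?:(?P<host>[^\s(\[]+)\s+)?"   # reverse-DNS name; absent when lookup failed
    r"(?:\((?P<helo>[^)]*)\)\s+)?"   # HELO/EHLO; shown only when it differs from host
    r"\[(?P<ip>[^\]]+)\]"            # peer address, IPv4 or IPv6, always present
    r"(?::(?P<port>\d+))?"           # source port (incoming_port log selector)
)
SENDER = re.compile(r"\bF=<(?P<sender>[^>]*)>")
REASON = re.compile(r"\brejected\s+(?P<what>[^:]+):\s*(?P<reason>.*)$")


@dataclass(frozen=True)
class RejectEntry:
    ip: str
    host: Optional[str]    # None for the H=[ip] form (no reverse DNS)
    helo: Optional[str]    # None when no HELO was sent OR it equalled host;
                           # the log line cannot distinguish the two cases
    port: Optional[int]
    sender: Optional[str]
    what: Optional[str]    # e.g. "RCPT <nobody@example.net>"
    reason: Optional[str]


def parse_h_field(text: str) -> Optional[Tuple[Optional[str], Optional[str], str, Optional[int]]]:
    """Return (host, helo, ip, port) for the first H= field in text, or None."""
    m = H_FIELD.search(text)
    if m is None:
        return None
    port = m.group("port")
    return m.group("host"), m.group("helo"), m.group("ip"), int(port) if port else None


def parse_reject_line(line: str) -> Optional[RejectEntry]:
    """Parse one reject-log line; a timestamp or 'LOG:' prefix is ignored."""
    h = parse_h_field(line)
    if h is None:
        return None
    host, helo, ip, port = h
    s = SENDER.search(line)
    r = REASON.search(line)
    return RejectEntry(
        ip=ip, host=host, helo=helo, port=port,
        sender=s.group("sender") if s else None,
        what=r.group("what").strip() if r else None,
        reason=r.group("reason").strip() if r else None,
    )


def ban_candidates(lines: List[str], threshold: int = 3) -> List[str]:
    """IPs with at least `threshold` rejects, suitable for a firewall ban list.

    Keyed on the bracketed IP only: the host is a DNS artefact and the HELO is
    chosen by the remote client, so neither is a safe key to ban on.
    """
    counts = Counter()
    for line in lines:
        entry = parse_reject_line(line)
        if entry is not None:
            counts[entry.ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log: the H= fragments are the thread's own examples; the
# timestamps, addresses and reject texts are made up for this example.
SAMPLE_LOG = [
    "2014-06-21 10:01:02 H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672 "
    "F=<spam@example.org> rejected RCPT <nobody@example.net>: relay not permitted",
    "2014-06-21 10:02:17 H=[82.221.106.233]:53132 F=<a@example.org> rejected RCPT "
    "<nobody@example.net>: host lookup failed (failed to find host name from IP address)",
    "2014-06-21 10:02:18 H=[82.221.106.233]:53140 F=<b@example.org> rejected RCPT "
    "<nobody@example.net>: host lookup failed (failed to find host name from IP address)",
    "2014-06-21 10:02:19 H=[82.221.106.233]:53151 F=<c@example.org> rejected RCPT "
    "<nobody@example.net>: host lookup failed (failed to find host name from IP address)",
    "2014-06-21 10:05:44 H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207 "
    "F=<d@example.org> rejected RCPT <nobody@example.net>: Unrouteable address",
    "2014-06-21 10:07:00 H=(mail.example.com) [192.0.2.5] F=<e@example.org> "
    "rejected RCPT <nobody@example.net>: HELO name does not resolve",
    "2014-06-21 10:07:30 H=([192.0.2.5]) [192.0.2.5] F=<> "
    "rejected RCPT <nobody@example.net>: HELO is an address literal",
    "2014-06-21 10:09:05 H=[2001:db8::1]:25 F=<f@example.org> "
    "rejected RCPT <nobody@example.net>: relay not permitted",
    "2014-06-21 10:08:00 SMTP connection from [203.0.113.9] lost",   # no H= field
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_reject_line(line))
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

The regex deliberately anchors on the one token Exim always writes, the square-bracketed address, and treats the host and parenthesised HELO as optional prefixes; that is what lets a single expression cover all the variants. Note that `helo` is `None` both when no HELO was sent and when it matched the reverse name, exactly the ambiguity the -bh experiment above demonstrates, so a scanner must not treat "no HELO in the log" as "no HELO was given".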
