On 22.06.2014 16:35, Always Learning wrote:
> On Sat, 2014-06-21 at 20:57 -0700, Kaz Kylheku wrote:
>> I know what the range 192.168 is; but what is the syntax of the log? The
>> Exim reject logs vary in their structure. I have seen variations like:
>> H=X [Z]
>> H=(X) [Z]
>> H=X ([Y]) [Z]
>> H=([Y]) [Z]
>> and possibly others. The address Z in square brackets is consistent.
>> Between the H= and that, sometimes there are two tokens and sometimes
>> only one, with various combinations of brackets or parentheses.
> H= occurs twice. Once in receiving messages and once when sending
> messages.
> Sending messages
> H= host_name [ip address]
> -------------------------------
> Receiving messages (examples from yesterday's log; all rejected by my
> defences)
> When the HELO (or EHLO) is the same as the host name, the HELO is not
> shown.
> H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672
> NO HOST_NAME
> H=[82.221.106.233]:53132
> HELO DIFFERENT FROM HOST_NAME
> H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207
> * Host_name not in brackets
> * HELO different from host_name, HELO in round brackets ()
> * IP address in square brackets []
>> How can we parse all these variations?
> You can 'play' with these in the ACLs.
Thanks for all the hints.
I don't need this to reject the connections with ACLs; that works fine.
I'm scanning the textual logs themselves in real-time to additionally
ban IP addresses from connecting.
The detailed H= info isn't critical, but it would be nice to parse
properly.
---
By the way, doh, of course the way to test this stuff empirically is
to just run exim -bh.
We can use this to show that sending mail without HELO is perfectly
possible. (I seem to recall seeing an option to reject connections that
bypass HELO.)
# exim4 -bh 10.20.30.40
**** SMTP testing session as if from host 10.20.30.40
[ snip ]
220 kylheku.com ESMTP Exim 4.69 Sun, 22 Jun 2014 18:30:19 -0700
MAIL from: [email protected]
>>> using ACL "acl_check_mail"
>>> processing "accept"
>>> accept: condition test succeeded
250 OK
RCPT to: [email protected]
>>> using ACL "acl_check_rcpt"
[ snip ]
LOG: H=[10.20.30.40] F=<[email protected]> rejected RCPT [email protected]: host lookup failed (failed to find host name from IP address)
So, since no HELO was given, and the IP address didn't resolve to a host
name, there is nothing between the H= token and the [IP].
Here is what it looks like if I use an IP which does resolve, but no
HELO:
LOG: H=sea09s02-in-f19.1e100.net [173.194.33.51] F=<[email protected]> rejected RCPT [email protected]: Unrouteable address
And if I do supply a HELO and use the exact string
"sea09s02-in-f19.1e100.net", I get the same log.
So it looks like we are both right: if the HELO matches the reversed
host name, then the parenthesized HELO string is not shown. If there is
no HELO, then that string is also not shown; we cannot tell from H=
information in the reject log line whether or not a HELO had been given.
That's fine.
Cheers.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
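A parser covering every H= shape listed in this thread (host only, HELO only, host plus HELO, bare address, with or without :port), feeding the kind of real-time IP ban list Kaz describes; this is an added example, not code from the thread or from Exim. The sample log lines are constructed from the shapes quoted above, and the "rejected connection" wording, the example.net names and the private-range filtering policy are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple, Optional
# One pattern for every H= shape seen in the thread:
#   H=host [ip]  H=(helo) [ip]  H=host (helo) [ip]  H=([helo]) [ip]  H=[ip]
H_FIELD = re.compile(
    r"\bH="
    r"(?P<host>[^\s()\[\]]+)?"      # reverse-DNS name; absent when lookup failed
    r"\s*(?:\((?P<helo>[^)]*)\))?"  # HELO in round brackets; absent when == host
    r"\s*\[(?P<ip>[^\]]+)\]"        # the address in square brackets, always present
    r"(?::(?P<port>\d+))?"          # source port, when the log includes it
)

class HostInfo(NamedTuple):
    host: Optional[str]
    helo: Optional[str]
    ip: str
    port: Optional[int]

def parse_h_field(line: str) -> Optional[HostInfo]:
    """H= components of one Exim log line, or None when the line has none."""
    m = H_FIELD.search(line)
    if m is None:
        return None
    try:
        ipaddress.ip_address(m["ip"])  # anything that is not an address is junk
    except ValueError:
        return None
    return HostInfo(m["host"], m["helo"], m["ip"], int(m["port"]) if m["port"] else None)

def rejected_public_ips(lines):
    """Unique addresses from 'rejected' lines, minus private and loopback ranges."""
    found = []
    for line in lines:
        info = parse_h_field(line) if " rejected " in line else None
        if info is None or info.ip in found:
            continue
        addr = ipaddress.ip_address(info.ip)
        if not (addr.is_private or addr.is_loopback):
            found.append(info.ip)
    return found

# Constructed sample: the H= shapes quoted in the thread inside reject-style lines.
SAMPLE_LOG = [
    "2014-06-21 20:57:01 H=41.254.3.13.wimax.dynamic.ltt.ly [41.254.3.13]:51672 rejected connection",
    "2014-06-21 20:57:02 H=[82.221.106.233]:53132 rejected connection",
    "2014-06-21 20:57:03 H=87.69.22.53.cable.012.net.il (user-f886ea06f2) [87.69.22.53]:2207 rejected connection",
    "2014-06-21 20:57:04 H=[10.20.30.40] F=<sender@example.net> rejected RCPT x@example.net: host lookup failed",
    "2014-06-21 20:57:05 H=sea09s02-in-f19.1e100.net [173.194.33.51] F=<sender@example.net> accepted",
]
```

Because the HELO string is only logged when it differs from the reverse-resolved name, `helo` being None cannot distinguish "no HELO sent" from "HELO equal to host name", exactly as the thread concludes.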