Quick question about logging

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri Mar 11 18:13:32 CET 2011

> Jim,
> > Running 2.6.4 with Zimbra.
> > I've noticed sometimes there are two sets of IP addresses logged:
> > 
> > Mar 10 17:22:55 mymail amavis[25723]: (25723-14) Passed SPAMMY,
> > [] [] ...
> > 
> > Can someone tell me where these are pulled from?
> > (Which part of the message header.)
> This is coming from a default log template, it inserts macros %a and %e,
> if nonempty. According to README.customize:
>   a  original SMTP session client IP address (info from XFORWARD)
>   e  best guess of the originator IP address collected from the Received
>       trace

In other words, the first address is the immediate SMTP client's address
from which it connected to your MX, and is passed from Postfix to amavisd
through its XFORWARD extension SMTP command. So this is the last hop,
the information is guaranteed to be correct.

The second address is obtained by parsing trace fields in a mail header
section, bottom-up, skipping private IP addresses. So this is possibly
the end-user's IP address from which he connected to *his* MSA.
There is no guarantee that this information is correct, the header could
be faked or trimmed/obfuscated.
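
The bottom-up Received scan described in the message above, as an added sketch that is not part of the original post and is not amavisd's own code. The function name, the private-range list and the sample headers are assumptions constructed for illustration; the second sample shows why the header-derived address carries no guarantee.

```python
import email
import ipaddress
import re

# Ranges skipped as "private" in this sketch (assumption: RFC 1918, loopback,
# link-local, IPv6 ULA); amavisd's own list may differ.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def best_guess_originator(raw_message):
    """First non-private IP found scanning Received fields bottom-up, or None."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    for field in reversed(received):              # bottom field = oldest hop
        # Only the "from" clause names the client; drop everything after "by".
        from_clause = re.split(r"\sby\s", field, maxsplit=1)[0]
        for text in BRACKETED_IP.findall(from_clause):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:                    # bracketed text was not an IP
                continue
            if not any(ip in net for net in PRIVATE_NETS):
                return str(ip)
    return None

# Constructed sample headers (documentation addresses stand in for public IPs).
GENUINE = (
    "Received: from msa.example.org (msa.example.org [198.51.100.7])\n"
    "\tby mx.example.com (Postfix); Thu, 10 Mar 2011 17:22:50 +0100\n"
    "Received: from home-gw (cust.example.net [203.0.113.25])\n"
    "\tby msa.example.org; Thu, 10 Mar 2011 17:22:48 +0100\n"
    "Received: from laptop.lan ([192.168.1.50])\n"
    "\tby home-gw; Thu, 10 Mar 2011 17:22:47 +0100\n"
)
# Same message with one extra trace field that no relay on the path wrote.
UNVERIFIED = GENUINE + (
    "Received: from unknown ([192.0.2.99])\n"
    "\tby nowhere.invalid; Thu, 10 Mar 2011 17:00:00 +0100\n")
BODY = "Subject: test\n\nhello\n"

if __name__ == "__main__":
    print(best_guess_originator(GENUINE + BODY))     # 203.0.113.25
    print(best_guess_originator(UNVERIFIED + BODY))  # 192.0.2.99
```

In both samples the XFORWARD-supplied client address would be 198.51.100.7, the only hop the receiving MX observed itself; only the header-derived value changes.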


