Here are two sample mail server log entries.
**************************************************************
1995-10-31 08:59:13 0tACW1-0005MB-00 => marv
  D=localuser T=local_delivery
1995-10-31 09:00:10 0tACW1-0005MB-00 => monk@holistic.fict.book
  R=lookuphost T=smtp H=holistic.fict.book [234.234.234.234]
**************************************************************
Here is how to read the different fields.
1) The H and U fields identify the remote host and record the RFC 1413 identity of the user that sent the message, if one was received.
2) The number given in square brackets is the IP address of the sending host.
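3) Misconfigured hosts (and mail forgers) sometimes put an IP address, with or without brackets, in the HELO or EHLO command, which produces entries like the two shown below. Only the final address in square brackets can be relied on. For locally generated messages, the U field contains the login name of the caller of Exim.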
***************************
H=(10.21.32.43) [123.99.8.34]
H=([10.21.32.43]) [123.99.8.34]
***************************
4) The P field specifies the protocol used to receive the message. It is set to `asmtp' for messages received from hosts that have authenticated themselves using the SMTP AUTH command.
5) For such messages there is an additional item, A=, followed by the name of the authenticator that was used. If an authenticated identification was set up by the authenticator's server_set_id option, this is logged too, separated by a colon from the authenticator name.
6) The size of the received message is given by the S field. When the message is delivered, headers may get removed or added, so the size of delivered copies of the message may not correspond with this value (and indeed may be different to each other).
7) If the log_subject option is on, the subject of the message is added to the log line, preceded by `T=' (T for `topic', since S is already used for `size').
8) A delivery error message is shown with the sender address `<>', and if it is a locally-generated error message, this is normally followed by an item of the form
R=
which is a reference to the local identification of the message that caused the error message to be sent.
9) If a shadow transport was run after a successful local delivery, the log line for the successful delivery has an item added on the end, of the form
ST=
10) '>' FIELD: The generation of a reply message by a filter file gets logged as a `delivery' to the addressee, preceded by `>'. The D and T items record the director and transport. For remote deliveries, the router, transport, and host are recorded.
11) CC FIELD: When more than one address is included in a single delivery (for example, two SMTP RCPT commands in one transaction) then the second and subsequent addresses are flagged with `->' instead of `=>'. When two or more messages are delivered down a single SMTP connection, an asterisk follows the IP address in the log lines for the second and subsequent messages.
12) '*>' FIELD: When the -N debugging option is used to prevent delivery from actually occurring, log entries are flagged with `*>' instead of `=>'.
13) '**' FIELD: If a delivery fails, a line of the following form is logged:
-----------------------------------------------------------------------------------
1995-12-19 16:20:23 0tRiQz-0002Q5-00 ** jim@trek99.film
  : unknown mail domain
-----------------------------------------------------------------------------------
This is followed (eventually) by a line giving the address to which the delivery error has been sent.
14) -N FIELD: The -N option has been used to suppress the delivery failure report.
15) `*>' FIELD: If a delivery does not actually take place because the -N option has been used to suppress it, an apparently normal delivery line is written to the log, except that `=>' is replaced by `*>'.
16) Completed FIELD:
A line of the form
-------------------------------------------------------------------------
1995-10-31 09:00:11 0tACW1-0005MB-00 Completed
--------------------------------------------------------------------------
is written to the main log when a message is about to be removed from the spool at the end of its processing.
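As an added example (not part of the original post and not code from Exim), the Python below parses main-log lines using the field notes above and picks out arrivals whose H field carries an IP literal that differs from the final bracketed address. The `<=` arrival lines, the message ids other than the post's own, the addresses and the authenticator name `plain` are constructed; it assumes IPv4 addresses and field values without spaces.

```python
import re

# Flags from the field notes above, plus "<=" (Exim's message-arrival flag).
FLAGS = {"<=": "received", "=>": "delivered", "->": "extra address", ">": "filter reply",
         "*>": "not delivered (-N)", "**": "failed", "Completed": "completed"}
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) ?(.*)$")
BRACKET_IP = re.compile(r"^\[([0-9.]+)\]\*?$")   # "[1.2.3.4]" or "[1.2.3.4]*"
HELO_IP = re.compile(r"^\(\[?([0-9.]+)\]?\)$")   # "(1.2.3.4)" or "([1.2.3.4])"

def parse(line):
    """Split one main-log line into event, address, K=V fields and peer IP."""
    m = LINE.match(line.strip())
    if not m or m.group(3) not in FLAGS:
        return None
    when, msgid, flag, rest = m.groups()
    tokens = rest.split()
    rec = {"time": when, "id": msgid, "event": FLAGS[flag], "fields": {},
           "address": tokens[0] if tokens else None, "ip": None}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        ip = BRACKET_IP.match(tok)
        if ip:    # overwrite each time: only the final bracketed address counts
            rec["ip"] = ip.group(1)
        elif sep and key.isalpha() and key.isupper():
            rec["fields"][key] = val
    return rec

def helo_ip_mismatch(rec):
    """True if the H field is an IP literal that differs from the real peer IP."""
    m = HELO_IP.match(rec["fields"].get("H", ""))
    return bool(m) and m.group(1) != rec["ip"]

def authenticated_as(rec):
    """(authenticator, id) for asmtp arrivals; id is None if none was logged."""
    f = rec["fields"]
    name, _, ident = f.get("A", "").partition(":")
    return (name, ident or None) if f.get("P") == "asmtp" and name else None

def forged_helo_ids(lines):
    """Message ids of lines whose HELO IP literal is not the connecting address."""
    return [r["id"] for r in map(parse, lines) if r and helo_ip_mismatch(r)]

# Constructed input, except the "=>" and "Completed" lines, which are the post's.
SAMPLE = [
    "1995-10-31 08:58:20 0tACX2-0005MC-00 <= x@forged.example H=([10.21.32.43]) [123.99.8.34] P=smtp S=901",
    "1995-10-31 08:58:40 0tACX3-0005MD-00 <= y@auth.example H=client.example [192.0.2.7] P=asmtp A=plain:yuser S=1200",
    "1995-10-31 09:00:10 0tACW1-0005MB-00 => monk@holistic.fict.book R=lookuphost T=smtp H=holistic.fict.book [234.234.234.234]",
    "1995-10-31 09:00:11 0tACW1-0005MB-00 Completed",
]
```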
That's all.
For further details please view the following link.
http://www.exim.org/exim-html-3.20/doc/html/spec_51.html