Exim Mail IP address and TCP Dump IP address are different

cvanderbeek

PartnerNOC
Nov 3, 2003
This was interesting. I sent a test message from the command line while running a tcpdump in another session on the box. The mail command indicates it's connecting out with the .198 address but the .194 is the only thing that was captured by the dump.

[email protected] [/etc/openvpn]# mail -vs "tcpdump test" [email protected]
asfasf
.
Cc:
LOG: MAIN
<= [email protected] U=root P=local S=373
[email protected] [/etc/openvpn]# delivering 1QKaNS-0007tK-OF
Connecting to mx-0.xxxxx.net [xxx.xxx.xxx.xxx]:25 from xxx.xxx.xxx.198 ... connected
SMTP<< 220 dm0206.xxx.xxx.net ESMTP EON-INBOUND
SMTP>> EHLO mx1.xxx.com
SMTP<< 250-dm0206.mta.xxx.net
250-PIPELINING
250-SIZE 50000000
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN
250-STARTTLS
250 8BITMIME
SMTP>> STARTTLS
SMTP<< 220 Ready to start TLS
SMTP>> EHLO mx1.xxx.com
SMTP<< 250-dm0206.mta.xxx.net
250-PIPELINING
250-SIZE 50000000
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN
250 8BITMIME
SMTP>> MAIL FROM: SIZE=1407
SMTP>> RCPT TO:
SMTP>> DATA
SMTP<< 250 Sender okay
SMTP<< 250 Recipient okay
SMTP<< 354 Ready
SMTP>> writing message and terminating "."
SMTP<< 250 Thanks, queued as [email protected]
SMTP>> QUIT
LOG: MAIN
=> [email protected] R=lookuphost T=remote_smtp H=mx-0.xxx.net [xxx.xxx.xxx.xxx] X=TLSv1:EDH-RSA-DES-CBC3-SHA:168
LOG: MAIN
Completed
[email protected] [~]# tcpdump -nnvv -i any dst xxx.xxx.xxx.xxx and dst port 25
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
13:12:47.073379 IP (tos 0x0, ttl 64, id 17350, offset 0, flags [DF], proto: TCP (6), length: 60) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: S, cksum 0x812f (correct), 824606813:824606813(0) win 5840
13:12:47.117729 IP (tos 0x0, ttl 64, id 17351, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x333c (correct), 824606814:824606814(0) ack 3100429139 win 46
13:12:47.162359 IP (tos 0x0, ttl 64, id 17352, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x32b4 (correct), 0:0(0) ack 48 win 46
13:12:47.162627 IP (tos 0x0, ttl 64, id 17353, offset 0, flags [DF], proto: TCP (6), length: 74) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P, cksum 0xe0e2 (correct), 0:22(22) ack 48 win 46
13:12:47.208042 IP (tos 0x0, ttl 64, id 17354, offset 0, flags [DF], proto: TCP (6), length: 62) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P, cksum 0xef4e (correct), 22:32(10) ack 178 win 54
13:12:47.254475 IP (tos 0x0, ttl 64, id 17355, offset 0, flags [DF], proto: TCP (6), length: 173) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 32:153(121) ack 202 win 54
13:12:47.304305 IP (tos 0x0, ttl 64, id 17356, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x24e0 (correct), 153:153(0) ack 3098 win 100
13:12:47.349030 IP (tos 0x0, ttl 64, id 17357, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1cae (correct), 153:153(0) ack 5061 win 145
13:12:47.358425 IP (tos 0x0, ttl 64, id 17358, offset 0, flags [DF], proto: TCP (6), length: 210) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 153:311(158) ack 5061 win 145
13:12:47.444674 IP (tos 0x0, ttl 64, id 17359, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1b71 (correct), 311:311(0) ack 5067 win 145
xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1ac5 (correct), 311:311(0) ack 5112 win 145
13:12:47.489021 IP (tos 0x0, ttl 64, id 17361, offset 0, flags [DF], proto: TCP (6), length: 105) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 311:364(53) ack 5112 win 145
13:12:47.533481 IP (tos 0x0, ttl 64, id 17362, offset 0, flags [DF], proto: TCP (6), length: 169) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 364:481(117) ack 5261 win 168
13:12:47.617663 IP (tos 0x0, ttl 64, id 17363, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1868 (correct), 481:481(0) ack 5306 win 168
13:12:47.661997 IP (tos 0x0, ttl 64, id 17364, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x178e (correct), 481:481(0) ack 5396 win 168
13:12:47.662327 IP (tos 0x0, ttl 64, id 17365, offset 0, flags [DF], proto: TCP (6), length: 777) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 481:1206(725) ack 5396 win 168
13:12:47.811866 IP (tos 0x0, ttl 64, id 17366, offset 0, flags [DF], proto: TCP (6), length: 89) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 1206:1243(37) ack 5481 win 168
13:12:47.811987 IP (tos 0x0, ttl 64, id 17367, offset 0, flags [DF], proto: TCP (6), length: 81) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 1243:1272(29) ack 5481 win 168
13:12:47.812377 IP (tos 0x0, ttl 64, id 17368, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: F, cksum 0x12f9 (correct), 1272:1272(0) ack 5481 win 168

19 packets captured
20 packets received by filter
0 packets dropped by kernel
When performing the same test on my test box the IP shown by the mail command matches that of the tcpdump and is the one configured for use by that sending domain.

Any suggestions?
cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
Do you have any prerouting rules set up for iptables to force SMTP traffic on port 25 to the .194 IP? That's the main reason I could see this happening. Otherwise, a gateway IP in /etc/mailips being used such as *: x.x.x.194 for any domain without a dedicated IP comes to mind.
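One way to check both mechanisms named in the reply, as an added example that is not part of the thread: it parses a constructed /etc/mailips and a constructed `iptables-save -t nat` rule (the 192.0.2.x addresses are placeholders, not the poster's) and names which one accounts for the address tcpdump saw. It inspects the nat table's POSTROUTING chain because that is where the kernel rewrites the source address of outgoing packets, after Exim has already chosen and logged its own bind address in the `-v` output.

```python
import shlex

# Constructed samples (added example, not from the thread; 192.0.2.x are placeholders).
# /etc/mailips: "domain: IP" lines, "*" being the fallback for domains with no entry.
MAILIPS_SAMPLE = """\
example.com: 192.0.2.198
*: 192.0.2.194
"""
# One rule as `iptables-save -t nat` prints it: SNAT for outgoing TCP/25 (constructed).
NAT_SAMPLE = "-A POSTROUTING -p tcp -m tcp --dport 25 -j SNAT --to-source 192.0.2.194\n"

def parse_mailips(text):
    """Map domain (or '*') to IP from /etc/mailips text; comments and blanks are skipped."""
    mapping = {}
    for line in text.splitlines():
        key, sep, ip = line.split("#", 1)[0].partition(":")  # split on the first ':' only
        if sep and key.strip():
            mapping[key.strip()] = ip.strip()
    return mapping

def mailips_lookup(mapping, domain):
    """Address Exim binds for `domain`: its own entry, else the '*' entry, else None."""
    return mapping.get(domain, mapping.get("*"))

def _arg(toks, flag):
    """Token following `flag` in a tokenised iptables-save rule, or None if absent."""
    i = toks.index(flag) + 1 if flag in toks else 0
    return toks[i] if 0 < i < len(toks) else None

def nat_source_rewrites(text, dport=25):
    """--to-source addresses of nat POSTROUTING SNAT rules matching TCP `dport`."""
    hits = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", "POSTROUTING"] or _arg(toks, "--dport") != str(dport):
            continue
        if _arg(toks, "-j") == "SNAT" and _arg(toks, "--to-source"):
            hits.append(_arg(toks, "--to-source"))  # applied after Exim picked its bind address
    return hits

def diagnose(expected_ip, wire_ip, domain, mailips_text=MAILIPS_SAMPLE, nat_text=NAT_SAMPLE):
    """Name what explains seeing `wire_ip` on the wire when `expected_ip` was expected for `domain`."""
    if expected_ip == wire_ip:
        return "match"
    if wire_ip in nat_source_rewrites(nat_text):
        return "snat"      # kernel rewrote the source; Exim's -v output never sees this
    if mailips_lookup(parse_mailips(mailips_text), domain) == wire_ip:
        return "mailips"   # Exim itself bound the gateway address from /etc/mailips
    return "unknown"
```

On a live box the same functions can be fed the real file contents and the output of `iptables-save -t nat` instead of the constructed samples.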