The Community Forums


Exim Mail IP address and TCP Dump IP address are different

Discussion in 'E-mail Discussions' started by cvanderbeek, May 12, 2011.

  1. cvanderbeek

    cvanderbeek Registered
    PartnerNOC

    This was interesting. I sent a test message from the command line while running a tcpdump in another session on the box. The mail command indicates it's connecting out with the .198 address but the .194 is the only thing that was captured by the dump.

    root@xxx [/etc/openvpn]# mail -vs "tcpdump test" xxxxxxxxx@mail.net
    asfasf
    .
    Cc:
    LOG: MAIN
    <= root@xxxx.xxxxx.com U=root P=local S=373
    root@xxx [/etc/openvpn]# delivering 1QKaNS-0007tK-OF
    Connecting to mx-0.xxxxx.net [xxx.xxx.xxx.xxx]:25 from xxx.xxx.xxx.198 ... connected
    SMTP<< 220 dm0206.xxx.xxx.net ESMTP EON-INBOUND
    SMTP>> EHLO mx1.xxx.com
    SMTP<< 250-dm0206.mta.xxx.net
    250-PIPELINING
    250-SIZE 50000000
    250-AUTH PLAIN LOGIN
    250-AUTH=LOGIN
    250-STARTTLS
    250 8BITMIME
    SMTP>> STARTTLS
    SMTP<< 220 Ready to start TLS
    SMTP>> EHLO mx1.xxx.com
    SMTP<< 250-dm0206.mta.xxx.net
    250-PIPELINING
    250-SIZE 50000000
    250-AUTH PLAIN LOGIN
    250-AUTH=LOGIN
    250 8BITMIME
    SMTP>> MAIL FROM: SIZE=1407
    SMTP>> RCPT TO:
    SMTP>> DATA
    SMTP<< 250 Sender okay
    SMTP<< 250 Recipient okay
    SMTP<< 354 Ready
    SMTP>> writing message and terminating "."
    SMTP<< 250 Thanks, queued as xxx.xxx.xxxx@xxx
    SMTP>> QUIT
    LOG: MAIN
    => xxx@xxx.net R=lookuphost T=remote_smtp H=mx-0.xxx.net [xxx.xxx.xxx.xxx] X=TLSv1:EDH-RSA-DES-CBC3-SHA:168
    LOG: MAIN
    Completed



    root@xxxxxx [~]# tcpdump -nnvv -i any dst xxx.xxx.xxx.xxx and dst port 25
    tcpdump: WARNING: Promiscuous mode not supported on the "any" device
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
    13:12:47.073379 IP (tos 0x0, ttl 64, id 17350, offset 0, flags [DF], proto: TCP (6), length: 60) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: S, cksum 0x812f (correct), 824606813:824606813(0) win 5840
    13:12:47.117729 IP (tos 0x0, ttl 64, id 17351, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x333c (correct), 824606814:824606814(0) ack 3100429139 win 46
    13:12:47.162359 IP (tos 0x0, ttl 64, id 17352, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x32b4 (correct), 0:0(0) ack 48 win 46
    13:12:47.162627 IP (tos 0x0, ttl 64, id 17353, offset 0, flags [DF], proto: TCP (6), length: 74) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P, cksum 0xe0e2 (correct), 0:22(22) ack 48 win 46
    13:12:47.208042 IP (tos 0x0, ttl 64, id 17354, offset 0, flags [DF], proto: TCP (6), length: 62) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P, cksum 0xef4e (correct), 22:32(10) ack 178 win 54
    13:12:47.254475 IP (tos 0x0, ttl 64, id 17355, offset 0, flags [DF], proto: TCP (6), length: 173) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 32:153(121) ack 202 win 54
    13:12:47.304305 IP (tos 0x0, ttl 64, id 17356, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x24e0 (correct), 153:153(0) ack 3098 win 100
    13:12:47.349030 IP (tos 0x0, ttl 64, id 17357, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1cae (correct), 153:153(0) ack 5061 win 145
    13:12:47.358425 IP (tos 0x0, ttl 64, id 17358, offset 0, flags [DF], proto: TCP (6), length: 210) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 153:311(158) ack 5061 win 145
    13:12:47.444674 IP (tos 0x0, ttl 64, id 17359, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1b71 (correct), 311:311(0) ack 5067 win 145
    xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1ac5 (correct), 311:311(0) ack 5112 win 145
    13:12:47.489021 IP (tos 0x0, ttl 64, id 17361, offset 0, flags [DF], proto: TCP (6), length: 105) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 311:364(53) ack 5112 win 145
    13:12:47.533481 IP (tos 0x0, ttl 64, id 17362, offset 0, flags [DF], proto: TCP (6), length: 169) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 364:481(117) ack 5261 win 168
    13:12:47.617663 IP (tos 0x0, ttl 64, id 17363, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x1868 (correct), 481:481(0) ack 5306 win 168
    13:12:47.661997 IP (tos 0x0, ttl 64, id 17364, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: ., cksum 0x178e (correct), 481:481(0) ack 5396 win 168
    13:12:47.662327 IP (tos 0x0, ttl 64, id 17365, offset 0, flags [DF], proto: TCP (6), length: 777) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 481:1206(725) ack 5396 win 168
    13:12:47.811866 IP (tos 0x0, ttl 64, id 17366, offset 0, flags [DF], proto: TCP (6), length: 89) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 1206:1243(37) ack 5481 win 168
    13:12:47.811987 IP (tos 0x0, ttl 64, id 17367, offset 0, flags [DF], proto: TCP (6), length: 81) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: P 1243:1272(29) ack 5481 win 168
    13:12:47.812377 IP (tos 0x0, ttl 64, id 17368, offset 0, flags [DF], proto: TCP (6), length: 52) xxx.xxx.xxx.194.48422 > 209.249.171.237.25: F, cksum 0x12f9 (correct), 1272:1272(0) ack 5481 win 168

    19 packets captured
    20 packets received by filter
    0 packets dropped by kernel


    When performing the same test on my test box the IP shown by the mail command matches that of the tcpdump and is the one configured for use by that sending domain.

    Any suggestions?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Do you have any prerouting rules set up for iptables to force SMTP traffic on port 25 to the .194 IP? That's the main reason I could see this happening. Otherwise, a gateway IP in /etc/mailips being used such as *: x.x.x.194 for any domain without a dedicated IP comes to mind.
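    A constructed diagnostic of the kind this thread calls for, added here and not taken from the thread or from cPanel: it compares the source IP Exim reports in its -v output with the source IP on the wire in the tcpdump lines, then checks the two explanations raised in the reply, a nat POSTROUTING SNAT/MASQUERADE rule on port 25 in iptables-save output (outbound source rewriting happens in POSTROUTING, which is also where a packet capture sees the rewritten address) and the /etc/mailips lookup done the way Exim's lsearch* does it (exact domain first, then the '*' default). All IP addresses, the domain name and the rule text are constructed samples.

```python
import re

# Constructed inputs modelled on the thread (not the poster's real data).
EXIM_DEBUG = "Connecting to mx-0.example.net [198.51.100.10]:25 from 203.0.113.198 ... connected"
TCPDUMP_LINES = """\
13:12:47.073379 IP (tos 0x0, ttl 64, id 17350, offset 0, flags [DF], proto: TCP (6), length: 60) 203.0.113.194.48422 > 198.51.100.10.25: S, cksum 0x812f (correct), 824606813:824606813(0) win 5840
13:12:47.117729 IP (tos 0x0, ttl 64, id 17351, offset 0, flags [DF], proto: TCP (6), length: 52) 203.0.113.194.48422 > 198.51.100.10.25: ., cksum 0x333c (correct), 824606814:824606814(0) ack 3100429139 win 46
"""
MAILIPS = "# constructed /etc/mailips\n*: 203.0.113.194\nexample.com: 203.0.113.198\n"
IPTABLES_SAVE = "-A POSTROUTING -p tcp -m tcp --dport 25 -j SNAT --to-source 203.0.113.194\n"

def exim_source_ip(line):
    # "Connecting to host [ip]:25 from <local ip> ... connected" in exim -v output
    m = re.search(r"\bfrom (\d+\.\d+\.\d+\.\d+)", line)
    return m.group(1) if m else None

def tcpdump_source_ips(text):
    # source address of each captured packet: ") <src>.<port> > <dst>.<port>:"
    return {m.group(1) for m in re.finditer(r"\) (\d+\.\d+\.\d+\.\d+)\.\d+ >", text)}

def mailips_lookup(text, domain):
    # mimic Exim's lsearch* on /etc/mailips: exact domain, then the '*' default
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            k, v = (s.strip() for s in line.split(":", 1))
            table[k] = v
    return table.get(domain) or table.get("*")

def snat_rules_for_port(text, port=25):
    # nat POSTROUTING rules that rewrite the source of traffic to this port
    return [l.strip() for l in text.splitlines()
            if "POSTROUTING" in l and f"--dport {port}" in l
            and ("SNAT" in l or "MASQUERADE" in l)]

def diagnose(exim_line, dump, mailips, ipt, sender_domain):
    want = exim_source_ip(exim_line)       # what Exim bound to
    seen = tcpdump_source_ips(dump)        # what left the box
    findings = []
    if want and seen and want not in seen:
        findings.append(f"mismatch: exim bound {want}, wire shows {sorted(seen)}")
        for rule in snat_rules_for_port(ipt):
            findings.append(f"nat rewrite: {rule}")
    gw = mailips_lookup(mailips, sender_domain)
    if gw and gw != want:
        findings.append(f"mailips: {sender_domain} -> {gw} (exim used {want})")
    return findings
```

    On a live box, feed it the real exim -v line, the tcpdump output, /etc/mailips and the output of iptables-save -t nat; a "nat rewrite" finding means the kernel, not Exim, chose the .194 address.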
     