[SOLVED] Admin Policy Blocking --- Invalid local domain. How to interpret?

cnmoore · 03-10-2011, 11:31 AM

My logwatch daily report frequently has a section like this:

Code:

-------------------- EXIM Begin ------------------------


 --- Queue Runners ---

 --- Refused Relays 3 times

 --- Admin Policy Blocking ---
  Invalid local domain
    2011-03-09 04:50:18 :
    2011-03-09 04:50:18 :
    2011-03-09 04:50:18 :
    2011-03-09 04:50:18 :
etc.

I understand what local domain is, but what was someone trying to do? and which log if any would have the details?

I'm just curious.

business_kid · 03-10-2011, 01:15 PM

I think it means that exim has rejected (outgoing?) mail because it didn't come from the local domain.

Exim will take mail from port 25 (or whatever port it is) and post it on for you. Mail appeared on port 25 and exim refused it, because it wasn't incoming, and wasn't outgoing. Someone tried to relay through your box.

cnmoore · 03-10-2011, 01:56 PM

Actually I just found this in the EXIM main log for that time (2011-03-09 04:50:18)

Code:

2011-03-09 04:50:18 1PxGyA-0004LC-Hl <= swicom@spywareinfoforum.info U=apache P=local S=929 T="SWI Webform" from <swicom@spywareinfoforum.info> for cfo@spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LC-Hl remote host address is the local host: spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LC-Hl == cfo@spywareinfoforum.info R=lookuphost defer (-1): remote host address is the local host
2011-03-09 04:50:18 1PxGyA-0004LC-Hl ** cfo@spywareinfoforum.info: retry timeout exceeded
2011-03-09 04:50:18 1PxGyA-0004LE-JC <= <> R=1PxGyA-0004LC-Hl U=mail P=local S=1803 T="Mail delivery failed: returning message to sender" from <> for swicom@spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LC-Hl Completed
2011-03-09 04:50:18 1PxGyA-0004LE-JC remote host address is the local host: spywareinfoforum.info
2011-03-09 04:50:18 1PxGyA-0004LE-JC == swicom@spywareinfoforum.info R=lookuphost defer (-1): remote host address is the local host
2011-03-09 04:50:18 1PxGyA-0004LE-JC ** swicom@spywareinfoforum.info: retry timeout exceeded
2011-03-09 04:50:18 1PxGyA-0004LE-JC swicom@spywareinfoforum.info: error ignored
2011-03-09 04:50:18 1PxGyA-0004LE-JC Completed

So that tells us what the event was. There is just that one sequence but I guess the retries acccount for the large number of 'Invalid local domain' items in the logwatch report (there were around 20 of them, all for the same timestamp).

Someone browsing old domain spywareinfoforum.info was trying to send mail to a mail box in that domain. New mystery! There shouldn't be any 'send email' buttons there - must investigate.

Thanks very much for taking an interest!