External user relaying mail: Look in msg-svr-base/log/mail.log_current for records with the logging entry code J (rejected relays). To turn on logging of remote IP addresses add the following line to the option.dat file:
Note that there is a slight performance trade-off when this feature is enabled.
Local address Remote address State 184.108.40.206.25 220.127.116.11.56035 32768 0 32768 0 CLOSE_WAIT 18.104.22.168.25 22.214.171.124.57390 8760 0 24820 0 ESTABLISHED 126.96.36.199.25 188.8.131.52.48508 33580 0 24820 0 TIME_WAIT
Note that you will first need to determine the appropriate number of SMTP connections and their states (ESTABLISHED, CLOSE_WAIT, etc.) for your system to determine if a particular reading is out of the ordinary.
If you find many connections staying in the SYN_RECEIVED state this might be caused by a broken network or a denial of service attack. In addition, the lifetime of an SMTP server process is limited. This is controlled by the MTA configuration variable MAX_LIFE_TIME in the dispatcher.cnf file. The default is 86,400 seconds (one day). Similarly, MAX_LIFE_CONNS specifies the maximum number of connections a server process can handle in its lifetime. If you find a particular SMTP server that has around for a long time you may wish to investigate.