On 24/07/17 06:03 AM, Werner Flamme wrote:
> There is no Dovecot on these hosts. And I already looked into /var/log/mail and found no entries at that time, as I wrote in OP.
You are making what might be an unwarranted assumption. Quite apart from mail.err, mail.log, mail.warn, there may be something in messages. It may be that journald is doing the relevant logging. It may be that a Thunderbird or Firefox process is responsible.
HOWEVER if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog.
That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.
> Of course, I can use something like "lsof -i:25" to find out that my postfix master process is listening here, but how would I find a sending script with this method? Which port should I look at?
In fact 'lsof' will list everything for you. You'll need a 'smart eyeball' method to scan and discard the known stuff, what Marcus Ranum called 'artificial ignorance', progressive 'grep -v' to cut out things you can be sure aren't the problem. As you say, Postfix is port 25. Obviously that's not the one. It won't be a UDP or a UNIX Domain socket either :-)
You might also try the 'fuser' command, as in
    # fuser tcp/imap
RTFM for details about other parameters.
> I only know the destination host and port (465). The sending port (in OP "48270") changes in every log entry.
> If it was postfix that causes this error, I do not know why not all the world complains about postfix using IMAP commands in an SMTP dialogue. It is about the last piece of software I'd suspect of that. Besides, postfix makes nice log entries, and there are none at this time.
-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
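An added example, not part of the original message: one way to apply the /proc approach suggested above to the question of which process is connecting out to port 465. It parses the IPv4 table in /proc/net/tcp and maps each matching socket inode to a PID through /proc/<pid>/fd. The sample rows and addresses are constructed, and IPv6 sockets (listed in /proc/net/tcp6) are not covered.

```python
import os, socket, struct

# Constructed sample in /proc/net/tcp layout (not taken from the thread's hosts).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0
   1: 0A0200C0:BC8E 196433C6:01D1 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0 20 4 30 10 -1
"""

def _endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (IPv4, little-endian address) to (ip, port)."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_tcp_table(text):
    """Return one dict per socket row of a /proc/net/tcp style table."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": _endpoint(f[1]), "remote": _endpoint(f[2]),
                     "state": f[3], "uid": int(f[7]), "inode": f[9]})
    return rows

def clients_of(rows, remote_port):
    """Sockets whose remote side is remote_port, e.g. 465 in the thread."""
    return [r for r in rows if r["remote"][1] == remote_port]

def owners(inode, proc="/proc"):
    """Map a socket inode to (pid, cmdline) via the /proc/<pid>/fd symlinks."""
    found = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                if os.readlink(f"{proc}/{pid}/fd/{fd}") == f"socket:[{inode}]":
                    with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                        cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
                    found.append((int(pid), cmd.strip()))
                    break
        except OSError:
            continue  # process exited, or fd table not readable without root
    return found

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for row in clients_of(parse_tcp_table(fh.read()), 465):
            print(row["local"], "->", row["remote"], "uid", row["uid"], owners(row["inode"]))
```

A short-lived connection can be gone before a single run sees it, so this needs to be run repeatedly (as root, to read other users' fd tables) around the times the remote log entries appear.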