Anton Aylward [24.07.2017 13:13]:
On 24/07/17 06:03 AM, Werner Flamme wrote:
There is no Dovecot on these hosts. And I already looked into /var/log/mail and found no entries at that time, as I wrote in OP.
You are making what might be an unwarranted assumption. Quite apart from mail.err, mail.log, mail.warn, there may be something in messages. It may be that journald is doing the relevant logging. It may be that a Thunderbird or Firefox process is responsible.
The host in question is a server. There is nothing like a Thunderbird installed on it. Of course, nonsense files like mail.err, mail.log, mail.warn are empty. I only look at /var/log/mail - I need to collect all data to a connection, and the mail.prio files do not have those.
HOWEVER if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog.
That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.
Of course, I can use something like "lsof -i:25" to find out that my postfix master process is listening here, but how would I find a sending script with this method? Which port should I look at?
In fact 'lsof' will list everything for you. You'll need a 'smart eyeball' method to scan and discard the known stuff, what Marcus Ranum called 'artificial ignorance', progressive 'grep -v' to cut out things you can be sure aren't the problem.
I think there is no need for a grep. "lsof -i @internalMX:465" should suffice according to the man page. Or "lsof -i @127.0.0.1:11125", since this is an stunnel to the internalMX host. But neither command produces any output, though stunnel is running and connects localhost:11125 with internalMX:465 :-\ And how often should I run lsof to catch the event? Any second, until I accidentally catch the victim? :)
As you say. Postfix is port 25. Obviously that's not the one. It won't be a UDP or a UNIX Domain socket either :-)
You might also try the 'fuser' command, as in
# fuser tcp/imap
RTFM for details about other parameters.
Well, "man fuser" tells me that "fuser telnet/tcp" "shows all processes at the (local) TELNET port." Very nice feature. Again the question: which port should I look at? Only servers use constant ports, since this is needed for incoming connections. A sending process uses any port it can claim. Postfix does not send via port 25, it listens for incoming connections there.

# LANG=C fuser -v smtp/tcp
                     USER        PID ACCESS COMMAND
smtp/tcp:            root       8185 F.... master

Nice, here I see postfix listening on incoming connections.

Werner
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
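The open question in the thread is how to catch a sending process that only holds an ephemeral client port for a moment, when a one-shot lsof or fuser shows nothing. The following is an added example, not something posted by either participant: a small POSIX shell helper that polls the socket table and records the PID and command of anything connected to a given peer port (here the local stunnel endpoint 11125, or 465 on the internal MX). It assumes iproute2 `ss` with `-p` (process info, root needed to see other users' sockets) and `-H` (no header; on an older `ss` replace `ss -Htnp` with `ss -tnp | tail -n +2`). The sample `ss` lines, the peer address 10.0.0.9 and the PIDs are constructed for the demonstration.

```shell
#!/bin/sh
# Find the process behind outbound TCP connections to a given peer port.
# Added example; not from the original thread. Assumes iproute2 `ss -Htnp`.

# extract_senders PORT
#   Reads `ss -Htnp`-style lines on stdin and prints "PID COMMAND PEER" for
#   every connection whose peer port equals PORT. Column layout of ss -Htnp:
#   State Recv-Q Send-Q Local:Port Peer:Port users:(("cmd",pid=N,fd=M))
extract_senders() {
    awk -v port="$1" '
    {
        peer = $5
        n = split(peer, a, ":")          # last field is the port, also for [::1]:port
        if (a[n] != port) next
        pid = "?"; cmd = "?"
        if (match($0, /pid=[0-9]+/))
            pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /users:\(\("[^"]*"/))
            cmd = substr($0, RSTART + 9, RLENGTH - 10)
        print pid, cmd, peer
    }'
}

# watch_port PORT [INTERVAL] [LOGFILE]
#   Polls the live socket table and appends a timestamped line per hit.
#   Polling can miss connections shorter than INTERVAL; keep it small.
watch_port() {
    port="$1"; interval="${2:-0.2}"; logfile="${3:-/tmp/outbound-watch.log}"
    while :; do
        ss -Htnp 2>/dev/null | extract_senders "$port" |
        while read -r pid cmd peer; do
            printf '%s pid=%s cmd=%s peer=%s\n' "$(date '+%F %T')" "$pid" "$cmd" "$peer" >> "$logfile"
        done
        sleep "$interval"
    done
}

# Constructed sample of `ss -Htnp` output (hypothetical hosts, PIDs and commands).
SAMPLE='ESTAB 0 0 127.0.0.1:41234 127.0.0.1:11125 users:(("sendmail",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:55512 10.0.0.9:465 users:(("stunnel",pid=1111,fd=7))
ESTAB 0 0 10.0.0.5:22 10.0.0.7:50001 users:(("sshd",pid=900,fd=4))'

# Offline demonstration on the sample; pass "watch PORT" to poll the real host.
if [ "${1:-}" = "watch" ] && [ -n "${2:-}" ]; then
    watch_port "$2"
else
    echo "clients of 127.0.0.1:11125 in sample:"
    printf '%s\n' "$SAMPLE" | extract_senders 11125
fi
```

Run as root with `sh watch.sh watch 11125` and leave it running over the window in which the unexplained mail appears; the log then names the client process (and, through the stunnel hop, the same script can be pointed at 465 to confirm the tunnel side). If connections turn out to be shorter than the polling interval, a kernel-side hook such as the audit subsystem on the connect() syscall is the reliable alternative to polling.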