Anton Aylward [22.07.2017 00:14]:
On 21/07/17 01:36 PM, Werner Flamme wrote:
Hi,
this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
It may be that the Ruby stuff is a sideline, an artefact from interpretation of the logs.
It is unclear from the way you've presented the communication from the Postmaster whether he's telling you that there is an IMAP server running on your machine or if there is an IMAP client.
Yes, you nailed it. My postmaster sent log excerpts from his SMTP logs. On my host, something wants to deliver mail to the central (internal) MX. Doing so, it suddenly uses an IMAP command.
As far as I recall Postfix is only about SMTP.
and LMTP, but "a1 LOGOUT" isn't an LMTP command either :)
Once again, please do clarify what your Postmaster actually means.
I tried, see above.
Also, please note that Postfix and Dovecot, and I should think any legitimate mail server, have their own log files.
There is no Dovecot on these hosts. And I already looked into /var/log/mail and found no entries at that time, as I wrote in OP.
HOWEVER if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog.
That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.
Of course, I can use something like "lsof -i:25" to find out that my postfix master process is listening here, but how would I find a sending script with this method? Which port should I look at? I only know the destination host and port (465). The sending port (in OP "48270") changes in every log entry. If it was postfix that causes this error, I do not know why not all the world complains about postfix using IMAP commands in an SMTP dialogue. It is about the last piece of software I'd suspect of that. Besides, postfix makes nice log entries, and there are none at this time.
Werner
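The /proc approach suggested in the thread, filtered on the one stable value (destination port 465) instead of the changing source port, as an added example that is not part of the original messages. The function names and the sample table are constructed for illustration; it covers IPv4 (/proc/net/tcp) only and assumes a little-endian host.

```python
import os, socket, struct, time

# Constructed sample in /proc/net/tcp layout: a listener on :25 and one
# outbound connection 10.0.0.10:48270 -> 10.0.0.20:465 (not real log data).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:BC8E 1400000A:01D1 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""

def hex_to_endpoint(field):
    """Decode 'AABBCCDD:PPPP' (address stored little-endian on x86/ARM)."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def connections_to_port(table_text, port=465):
    """Return sockets whose REMOTE port matches, with owning uid and inode."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        local, remote = hex_to_endpoint(f[1]), hex_to_endpoint(f[2])
        if remote[1] == port:
            hits.append({"local": local, "remote": remote,
                         "uid": int(f[7]), "inode": f[9]})
    return hits

def owners_of_inode(inode, proc="/proc"):
    """Map a socket inode to (pid, cmdline) by scanning /proc/<pid>/fd."""
    found, target = [], f"socket:[{inode}]"
    if not os.path.isdir(proc):
        return found
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            fd_dir = os.path.join(proc, pid, "fd")
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                    cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
                found.append((int(pid), cmd.strip()))
        except OSError:                           # process exited or no access
            continue
    return found

if __name__ == "__main__":
    for _ in range(300):                          # short-lived sockets: poll
        with open("/proc/net/tcp") as fh:
            for hit in connections_to_port(fh.read(), 465):
                print(hit, owners_of_inode(hit["inode"]))
        time.sleep(0.2)
```

Run it as root so that file descriptors of other users' processes are readable; the uid column still identifies the account when the process exits before the inode can be resolved.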