On 21/07/17 01:36 PM, Werner Flamme wrote:
Hi,
this morning, my company's postmaster sent me an excerpt from the mail log stating that there is some software on one of my boxes that doesn't speak proper IMAP.
19-Jul-2017 22:38:33.49 tcp_local BS 0 rfc822; a1 LOGOUT 500 5.5.1 Unknown command "a1 LOGOUT" specified TCP|a.b.c.d|465|a.b.e.f|48270
It may be that the Ruby stuff is a sideline, an artefact from interpretation of the logs. It is unclear from the way you've presented the communication from the Postmaster whether he's telling you that there is an IMAP server running on your machine or if there is an IMAP client. As far as I recall Postfix is only about SMTP.

The 'fuser' program (RTFM) can identify what programs are making use of network sockets. There is also 'socklist'. An IMAP server will listen on port 143. An IMAP client, such as Thunderbird in my case, accesses port 143 on a remote machine:

# socklist | grep 143
type   port   inode uid   pid  fd name
tcp     143   27363   0  1478  37 dovecot
tcp     143  201937 477 28599   7 imap
tcp   40406  204085 501  3794 143 thunderbird-bin
tcp     143  203248 477 28609   7 imap
tcp     143  201956 477 28602   7 imap

# grep 477 /etc/passwd
dovenull:x:477:475:User for Dovecot login:/var/run/dovecot:/bin/false

# fuser -n tcp -u -v 143
                     USER        PID ACCESS COMMAND
143/tcp:             root       1478 F.... (root)dovecot
                     anton     28602 F.... (anton)imap
                     anton     28609 F.... (anton)imap

I'm also running Postscript, which is listening on port 25:

# fuser -n tcp -u -v 25
                     USER        PID ACCESS COMMAND
25/tcp:              root       1687 F.... (root)master

Once again, please do clarify what your Postmaster actually means. Also, please note that Postfix and Dovecot, and I should think any legitimate mail server, have their own log files. HOWEVER, if there is a trojan or a rogue or undocumented or 'custom' service, be it a listener or a client, there is no guarantee that the coder included or activated calls to syslog. That is why I suggest looking at the actual ports in use and other information under /proc rather than the log files.

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
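The port-to-process mapping the reply recommends, read straight from the kernel's tables under /proc rather than from any daemon's log. This is an added example, not part of the thread; it assumes a Linux /proc layout, and the sample /proc/net/tcp text is constructed (it reuses the socket inodes and uid 477 from the socklist output above).

```shell
#!/bin/sh
# Map a TCP port to its socket inode, owning uid and process using /proc/net/tcp
# and /proc/<pid>/fd, i.e. the kernel's own view rather than a service's syslog.
# Constructed sample of /proc/net/tcp (inodes and uid 477 mirror the socklist
# output quoted in the post; the rest is made up for this example).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 27363 1 0000000000000000 100 0 0 10 0
   1: 0100007F:008F 0100007F:9DD6 01 00000000:00000000 00:00000000 00000000   477        0 201937 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18734 1 0000000000000000 100 0 0 10 0'

# Decimal port -> the 4-digit upper-case hex used in the local_address column.
port_to_hex() {
    printf '%04X' "$1"
}

# Read /proc/net/tcp (or tcp6) text on stdin and print "state inode uid" for
# every socket whose local port is $1. State 0A is LISTEN, 01 is ESTABLISHED.
sockets_on_port() {
    hex=$(port_to_hex "$1")
    awk -v want="$hex" 'NR > 1 && substr($2, length($2) - 3) == want { print $4, $10, $8 }'
}

# Find which PID(s) hold the socket with inode $1 by scanning /proc/*/fd links.
# Needs root to read other users' fd directories; prints "pid cmdline".
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
}

# Usage: sh portowner.sh PORT   (runs against the live kernel tables)
if [ "$#" -gt 0 ]; then
    for table in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$table" ] || continue
        sockets_on_port "$1" < "$table" | while read -r st inode uid; do
            printf '%s port %s state %s uid %s inode %s\n' "$table" "$1" "$st" "$uid" "$inode"
            pid_for_inode "$inode"
        done
    done
fi
```

A service that never logs still shows up here, because the socket inode and the fd link exist whether or not the program calls syslog.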