LinuxQuestions.org
Old 11-20-2003, 12:00 AM   #1
uros678
LQ Newbie
 
Registered: Nov 2003
Posts: 19

Rep: Reputation: 0
Question mail log entry -- meaning??


Hi! I have this in my /var/log/maillog file on a Qube3 box (if that helps)...


Nov 20 04:30:02 qube sendmail[25387]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 20 04:30:04 qube imapd[25398]: imap service init from 127.0.0.1
Nov 20 04:30:05 qube imapd[25398]: Logout user=??? host=localhost [127.0.0.1]
Nov 20 04:45:01 qube sendmail[26186]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 20 04:45:03 qube imapd[26205]: imap service init from 127.0.0.1
Nov 20 04:45:03 qube imapd[26205]: Logout user=??? host=localhost [127.0.0.1]
Nov 20 05:00:01 qube sendmail[26996]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA


I don't have any experience on Linux servers so I don't know what it means... please help.


Thanks for your answers...


Best regards,

Uros
 
Old 11-20-2003, 07:31 PM   #2
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
I would say that something connected locally to your imap server. If you have some webmail setup or know of something that would be using imap then maybe that's it. Are you using imap? If not, shut it down. If you are, compare the log to one when you use the imap server to check your mail.


It's possible that someone may be spoofing the 127.0.0.1 ip address and connecting from outside.

Last edited by DavidPhillips; 11-20-2003 at 07:32 PM.
 
Old 04-28-2005, 12:22 PM   #3
carlosuribe
LQ Newbie
 
Registered: Apr 2005
Location: Colombia
Posts: 2

Rep: Reputation: 0
identifying ip address

Is there any way to know the ip address from which a web user accesses his mail in postfix? In the log only this appears:

Apr 25 14:15:08 wmailsrvr imapd[24484]: Authenticated user=peter host=localhost [127.0.0.1]

Apr 25 14:15:08 wmailsrvr imapd[24484]: Logout user=peter host=localhost [127.0.0.1]

This user is on my own lan, and I don't know who it is... Is there any log file where the address is registered? Is there any way to log this address?

Thanks
 
Old 04-28-2005, 09:43 PM   #4
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
It appears that they are using imap not postfix to access the mail.

Do you have webmail? Most webmail systems use imap which will be a local connection 127.0.0.1 from the webserver. You would need to correlate the time with your webserver logs.


postfix would show something like this...

Apr 28 09:30:20 www ipop3d[26412]: port 35550 service init from 127.0.0.1
Apr 28 09:30:31 www ipop3d[26412]: Auth user=david host=localhost.localdomain [127.0.0.1] nmsgs=26/26
Apr 28 09:30:39 www ipop3d[26412]: Logout user=david host=localhost.localdomain[127.0.0.1] nmsgs=26 ndele=0


which I am also accessing from localhost via a tunnel to ipop3d, but if I were connecting to postfix directly over the internet it would show that ip.


This connection would show in my secure connection logs something like this...

stunnel[24475]: Using 'ipop3d' as tcpwrapper service name
stunnel[24475]: Peer certificate location /usr/share/ssl/trusted
stunnel[24475]: ipop3d connected from 166.145.85.47:1156
stunnel[24475]: VERIFY OK: depth=0, /


It's possible that the ip could be spoofed but that network should be blocked on that interface.


Filter through the virus crap on your web server logs and grep out the time needed if it's webmail.


So let's say I try webmail,

And here is an httpd/access_log showing access.


166.145.176.72 - - [28/Apr/2005:09:39:18 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=david*-session-0.547814828650193&action=listmessages_afterlogin HTTP/1.1" 200 3482

here is a maillog showing an internal connection.

Apr 28 09:39:34 www ipop3d[26451]: port 35571 service init from 127.0.0.1
Apr 28 09:39:48 www ipop3d[26451]: Auth user=david host=localhost.localdomain [127.0.0.1] nmsgs=0/0
Apr 28 09:39:57 www ipop3d[26451]: Logout user=david host=localhost.localdomain[127.0.0.1] nmsgs=0 ndele=0


Just an example but I think it applies to your setup.

The user is logged in to the local machine and then gets mail from the server.

Last edited by DavidPhillips; 04-28-2005 at 10:36 PM.
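
Added example (not part of the original thread or any poster's code): the time correlation described in post #4, matching loopback imapd/ipop3d logins against webmail requests in the web server's access_log to recover the real client address. The function names, the 60-second window and the "webmail" path filter are assumptions; the sample input is the log lines quoted in the post, and both logs are assumed to use the same local clock.

```python
import re
from datetime import datetime

# Sample input: the maillog and access_log lines quoted in post #4.
MAILLOG = """\
Apr 28 09:39:34 www ipop3d[26451]: port 35571 service init from 127.0.0.1
Apr 28 09:39:48 www ipop3d[26451]: Auth user=david host=localhost.localdomain [127.0.0.1] nmsgs=0/0
Apr 28 09:39:57 www ipop3d[26451]: Logout user=david host=localhost.localdomain[127.0.0.1] nmsgs=0 ndele=0
"""
ACCESS_LOG = """\
166.145.176.72 - - [28/Apr/2005:09:39:18 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=david*-session-0.547814828650193&action=listmessages_afterlogin HTTP/1.1" 200 3482
"""

# Successful logins whose peer is the loopback address (i.e. the webmail front end).
AUTH_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (?:imapd|ipop3d)\[\d+\]: "
    r"Auth(?:enticated)? user=(\S+) host=\S+ ?\[127\.0\.0\.1\]")
# Common Log Format: client IP, timestamp (zone dropped), request path.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]*\] "(?:GET|POST) (\S+)')

def loopback_logins(maillog, year):
    """Yield (time, user); syslog lines carry no year, so the caller supplies it."""
    for line in maillog.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def web_requests(access_log, path_hint="webmail"):
    """Yield (time, client_ip, url) for requests whose path contains path_hint."""
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and path_hint in m.group(3):
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(3)

def correlate(maillog, access_log, year, window=60):
    """Return (time, user, [client IPs]) for each loopback login."""
    reqs = list(web_requests(access_log))
    out = []
    for when, user in loopback_logins(maillog, year):
        near = [(ip, url) for t, ip, url in reqs
                if abs((when - t).total_seconds()) <= window]
        # The sample URL carries the login name in sessionid; assume that holds
        # and prefer those hits, falling back to every request in the window.
        named = [ip for ip, url in near if f"sessionid={user}" in url]
        out.append((when, user, sorted(set(named or [ip for ip, _ in near]))))
    return out

if __name__ == "__main__":
    for when, user, ips in correlate(MAILLOG, ACCESS_LOG, 2005):
        print(when, user, ips or "no web request in window")
```

An empty IP list for a loopback login means nothing in the access_log matched within the window, which points at some other local client (a cron job, a tunnel such as the stunnel case above) rather than webmail.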
 
  


All times are GMT -5. The time now is 09:40 PM.
