It appears that they are using IMAP, not postfix, to access the mail.
Do you have webmail? Most webmail systems use IMAP, which will be a local connection from 127.0.0.1 from the webserver. You would need to correlate the time with your webserver logs.
postfix would show something like this...
Apr 28 09:30:20 www ipop3d[26412]: port 35550 service init from 127.0.0.1
Apr 28 09:30:31 www ipop3d[26412]: Auth user=david host=localhost.localdomain [127.0.0.1] nmsgs=26/26
Apr 28 09:30:39 www ipop3d[26412]: Logout user=david host=localhost.localdomain[127.0.0.1] nmsgs=26 ndele=0
which I am also accessing from localhost via a tunnel to ipop3d. If I were connecting to postfix directly over the internet, it would show that IP.
This connection would show in my secure connection logs something like this...
stunnel[24475]: Using 'ipop3d' as tcpwrapper service name
stunnel[24475]: Peer certificate location /usr/share/ssl/trusted
stunnel[24475]: ipop3d connected from 166.145.85.47:1156
stunnel[24475]: VERIFY OK: depth=0, /
It's possible that the IP could be spoofed, but that network should be blocked on that interface.
Filter through the virus crap on your web server logs and grep out the time needed if it's webmail.
So let's say I try webmail.
And here is an httpd/access_log showing access.
166.145.176.72 - - [28/Apr/2005:09:39:18 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=david*-session-0.547814828650193&action=listmessages_afterlogin HTTP/1.1" 200 3482
Here is a maillog showing an internal connection.
Apr 28 09:39:34 www ipop3d[26451]: port 35571 service init from 127.0.0.1
Apr 28 09:39:48 www ipop3d[26451]: Auth user=david host=localhost.localdomain [127.0.0.1] nmsgs=0/0
Apr 28 09:39:57 www ipop3d[26451]: Logout user=david host=localhost.localdomain[127.0.0.1] nmsgs=0 ndele=0
Just an example but I think it applies to your setup.
The user is logged in to the local machine and then gets mail from the server.
Last edited by DavidPhillips; 04-28-2005 at 10:36 PM.
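The correlation the post describes, carried out in code, as an added example that is not part of the original post or of any of the tools it names. It takes the quoted maillog and access_log lines plus a few constructed ones (a syslog-prefixed stunnel "connected from" line, a non-webmail hit, and a direct POP3 login from a non-loopback address, all hypothetical), and for every ipop3d Auth from 127.0.0.1 looks back within a time window for a webmail request carrying that user's Open WebMail session id, falling back to the most recent stunnel client. It assumes all three daemons log on the same host with synchronised clocks, that syslog lines lack a year and zone (both passed in; the -0500 offset is taken from the access_log line), and that the session id has the user*-session-... shape seen in the quoted request.

```python
"""Attribute loopback POP3/IMAP logins to the real client by correlating logs.

Added example, not code from the original post. Assumptions: web server,
stunnel and ipop3d log on one host with the same clock; syslog lines carry no
year or zone (supplied as parameters); Open WebMail session ids look like
user*-session-<random>, as in the quoted access_log line.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input, modelled on the lines quoted in the post.
# The second access_log line and the last two maillog lines are hypothetical.
ACCESS_LOG = """\
166.145.176.72 - - [28/Apr/2005:09:39:18 -0500] "GET /cgi-bin/openwebmail/openwebmail-main.pl?sessionid=david*-session-0.547814828650193&action=listmessages_afterlogin HTTP/1.1" 200 3482
10.0.0.5 - - [28/Apr/2005:09:39:20 -0500] "GET /index.html HTTP/1.1" 200 512
"""

MAILLOG = """\
Apr 28 09:30:19 www stunnel[24475]: ipop3d connected from 166.145.85.47:1156
Apr 28 09:30:20 www ipop3d[26412]: port 35550 service init from 127.0.0.1
Apr 28 09:30:31 www ipop3d[26412]: Auth user=david host=localhost.localdomain [127.0.0.1] nmsgs=26/26
Apr 28 09:39:34 www ipop3d[26451]: port 35571 service init from 127.0.0.1
Apr 28 09:39:48 www ipop3d[26451]: Auth user=david host=localhost.localdomain [127.0.0.1] nmsgs=0/0
Apr 28 09:41:02 www ipop3d[26470]: Auth user=alice host=dsl.example.net [198.51.100.7] nmsgs=3/3
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# ipop3d writes "host=NAME [IP]" on Auth and "host=NAME[IP]" on Logout; allow both.
AUTH_RE = re.compile(r"^Auth user=(?P<user>\S+) host=(?P<host>\S+?) ?\[(?P<ip>[^\]]+)\]")
STUNNEL_RE = re.compile(r"^ipop3d connected from (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
SESSION_RE = re.compile(r"sessionid=(?P<user>[^*&]+)\*-session-")


def parse_syslog(text, year, tz):
    """Yield (timestamp, program, message) for each syslog-style line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        yield ts, m["prog"], m["msg"]


def parse_webmail_hits(text):
    """Yield (timestamp, client_ip, session_user) for requests carrying a webmail session id."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        s = SESSION_RE.search(m["req"])
        if not s:
            continue
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"], s["user"]


def attribute_logins(access_log, maillog, year=2005,
                     tz=timezone(timedelta(hours=-5)), window=timedelta(seconds=60)):
    """For each ipop3d Auth, return how and from where the user really connected."""
    hits = list(parse_webmail_hits(access_log))
    tunnels, auths = [], []
    for ts, prog, msg in parse_syslog(maillog, year, tz):
        if prog == "stunnel" and (s := STUNNEL_RE.match(msg)):
            tunnels.append((ts, s["ip"]))
        elif prog == "ipop3d" and (a := AUTH_RE.match(msg)):
            auths.append((ts, a["user"], a["ip"]))

    def latest_before(events, ts, pred):
        # Most recent event in (ts - window, ts] satisfying pred, else None.
        cands = [e for e in events if pred(e) and timedelta(0) <= ts - e[0] <= window]
        return max(cands, key=lambda e: e[0]) if cands else None

    results = []
    for ts, user, ip in auths:
        if not ipaddress.ip_address(ip).is_loopback:
            results.append({"time": ts, "user": user, "via": "direct", "client": ip})
        elif hit := latest_before(hits, ts, lambda e: e[2] == user):
            results.append({"time": ts, "user": user, "via": "webmail", "client": hit[1]})
        elif tun := latest_before(tunnels, ts, lambda e: True):
            results.append({"time": ts, "user": user, "via": "stunnel", "client": tun[1]})
        else:
            results.append({"time": ts, "user": user, "via": "unknown", "client": None})
    return results


if __name__ == "__main__":
    for r in attribute_logins(ACCESS_LOG, MAILLOG):
        print(f"{r['time']:%b %d %H:%M:%S} {r['user']:<8} via {r['via']:<8} client {r['client']}")
```

The window is deliberately short: the webmail front end opens its POP3/IMAP session within seconds of the request, and a wide window on a busy server would let an unrelated login from the same user be blamed on the wrong browser. The stunnel fallback is weaker than the webmail match because stunnel's "connected from" line carries no username, so it is only trusted when no webmail hit explains the login.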