Possible mail server breach
I was checking the mail logs and observed an IP address successfully accessing a mailbox. There was no TLS used by the user; it just looked like a normal in-the-clear IMAP connection.
I contacted the end user to see if they were aware of using any other networks and they assure me they have not. I have traced the IP address to a satellite provider, whom I have sent an email to. The system is using Postfix and Cyrus. Relay has been locked down, but I am concerned about IMAP, which can use IMAPS as well, though I have left the IMAP port open too. I suppose I should block 143. I initially allowed this due to PDA access which did not have TLS functionality. In this case, what is the best thing to do? Regards
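One way to confirm how widespread plaintext IMAP logins actually are before blocking 143 is to scan the Cyrus login lines for sessions that authenticated without a `+TLS` mechanism suffix. The script below is an added example, not code from the thread; the log lines it reads are constructed to resemble Cyrus `login:` syslog entries (hostnames and addresses are placeholders), so check the format against your own mail log before relying on the field positions.

```shell
#!/bin/sh
# Added example: find successful IMAP logins that did not use TLS.
# Cyrus logs the SASL mechanism after the username; when STARTTLS (or imaps)
# is in use the mechanism carries a "+TLS" suffix, e.g. "PLAIN+TLS" or
# "plaintext+TLS". Lines without that suffix authenticated in the clear.

# Constructed sample log (placeholder hosts/addresses, not real data).
SAMPLE_LOG='Mar  3 10:01:12 mx cyrus/imap[1201]: login: client.example.net [192.0.2.10] alice plaintext User logged in
Mar  3 10:02:45 mx cyrus/imaps[1210]: login: laptop.example.net [198.51.100.7] bob PLAIN+TLS User logged in
Mar  3 10:03:30 mx cyrus/imap[1215]: login: unknown [203.0.113.55] alice plaintext User logged in
Mar  3 10:04:02 mx cyrus/imap[1220]: login: phone.example.net [192.0.2.33] carol plaintext+TLS User logged in
Mar  3 10:05:11 mx cyrus/imap[1225]: badlogin: unknown [203.0.113.55] plaintext alice SASL(-13): authentication failure
Mar  3 10:06:40 mx cyrus/imap[1230]: login: unknown [203.0.113.55] bob plaintext User logged in'

# Print "ip user" for every successful login whose mechanism lacks "+TLS".
# Reads the file(s) given as arguments, or stdin when none are given.
plaintext_logins() {
    awk '
        / login: / && / User logged in/ {
            # field layout after the syslog prefix:
            #   login: <host> [<ip>] <user> <mechanism> User logged in
            for (i = 1; i <= NF; i++) if ($i == "login:") break
            ip = $(i + 2)
            ip = substr(ip, 2, length(ip) - 2)   # strip the surrounding [ ]
            user = $(i + 3)
            mech = $(i + 4)
            if (mech !~ /\+TLS$/) print ip, user
        }' "$@"
}

# Aggregate plaintext logins per source address, most frequent first,
# so a single unexpected address stands out from the usual PDA clients.
plaintext_by_ip() {
    plaintext_logins "$@" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Stand-alone run against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | plaintext_by_ip
```

Run it against the real log with `plaintext_by_ip /var/log/mail.log` (path assumed; adjust to where syslog writes Cyrus output). If the only plaintext logins are the known PDA clients, closing 143 at the firewall and keeping 993 is straightforward; if some clients can speak STARTTLS on 143 but not IMAPS, Cyrus's `allowplaintext: no` in imapd.conf refuses plaintext authentication until the session has negotiated TLS, which lets you keep 143 open without accepting cleartext credentials.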
Quote:
You could start by auditing the machine for (unauth'ed) access (see the CERT Intruder Detection Checklist for a handy list of pointers), then verify the integrity of the machine. Post any findings if you want a second opinion. Sure, some will say that that's over the top and way too much hassle for something that "clearly does not constitute a compromise". Unfortunately that's a lazy and short-sighted point of view. Running GNU/Linux is all about performance, protecting assets and providing services in a continuous, stable and secure way. You want to keep it that way. You want to ascertain you alone control the system and correct things where necessary.