I was checking the mail logs and observed an ip adddress successfully accessing a mailbox. There was no tls used by the user..just looked like a normal in the clear imap connection.

I contacted the end user to see if they were aware of using any other networks and they can assure thay have not. I have traced the IP address to a satellite provider who I have sent an email to..

The system is using postfix and cyrus. Relay has been locked down but I am concerned about the imap which can use imaps as well but I have left imap port open as well. I suppose I should block 143. I initially allowed this due to pda access which did not have tls functionality.

In this case what is the best thing to do?

Regards

Simple. Provide your users (and yourself) clarity.

You could start by auditing the machine for (unauth'ed) access (see the CERT Intruder Detection Checklist for a handy list of pointers), then verify the integrity of the machine. Post any findings if you want a second opinion.

Sure, some will say that that's over the top and way too much hassle for something that "clearly does not constitute a compromise". Unfortunately that's a lazy and short-sighted point of view. Running GNU/Linux is all about performance, protecting assets and providing services in a continuous, stable and secure way. You want to keep it that way. You want to ascertain you alone control the system and correct things where necessary.