I am running exim 4.69 on a CentOS 4 machine with cPanel. This
morning, I noticed the queue had quite a few emails that were from an
unknown sender so I became concerned. It appears, from looking at the
exim logs, that the sender was authenticating as the "admin" unix user.
Here is an example of one of these log entries:
2008-08-14 02:33:49 1KTWP7-00073v-2J <= [1]uffice@??? H=rrcs-67-79-255-138.sw.biz.rr.com (User) [67.79.255.138] P=esmtpa A=fixed_login:admin S=2110
Obviously, I am concerned that I have experienced a security breach
with an unauthorized user sending mail through my exim server. The
admin user account on this machine has never been used or accessed by
an authorized user and I have checked the /var/log/secure* logs to
verify that nobody has recently logged onto the machine as the admin
user. So, I am baffled as to how someone could successfully send
authenticated mail as user = admin without knowing the admin password.
So, does anybody on this list have any insight as to what might be
going on here?
Also, how can I disable exim's SMTP services for unix user accounts
such as admin?
Thanks,
Gordon
References
1. mailto:uffice@bancaperta.it
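An added example, not part of Gordon's post and not exim's own code: a small Python parser for exim main-log arrival lines of the shape shown above. It splits out the H= host and client IP, the P= protocol and the A=authenticator:user field, and then reports SMTP AUTH submissions by users who are not on an expected list, grouped by client IP, which is the check done by hand in the post. The sample log lines are constructed (the host, IP, protocol and A= field of the first entry are copied from the post; the sender address is a placeholder), and the regular expressions are assumptions about the main-log layout, not a full exim log grammar.

```python
import re
from collections import defaultdict

# An exim main-log arrival line (message received) looks like:
#   <timestamp> <message-id> <= <sender> H=<host> (<helo>) [<ip>] P=<proto> A=<authenticator>:<user> S=<size>
# The regexes below are assumptions fitted to that layout; delivery lines ("=>") are skipped.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
HOST_RE = re.compile(r"H=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\]")
FIELD_RE = re.compile(r"(?:^|\s)(?P<key>[A-Z])=(?P<val>\S+)")

# Constructed sample log: two authenticated sends as "admin" from the host seen in the
# post, one legitimate authenticated send, one unauthenticated inbound message, one delivery line.
SAMPLE_LOG = """\
2008-08-14 02:33:49 1KTWP7-00073v-2J <= sender@example.invalid H=rrcs-67-79-255-138.sw.biz.rr.com (User) [67.79.255.138] P=esmtpa A=fixed_login:admin S=2110
2008-08-14 02:35:12 1KTWQT-00074a-1X <= alice@example.invalid H=laptop.example.invalid (laptop) [192.0.2.10] P=esmtpa A=fixed_login:alice S=1840
2008-08-14 02:40:01 1KTWVB-00075c-0Q <= bob@example.invalid H=mx.example.invalid [198.51.100.7] P=esmtp S=3021
2008-08-14 02:41:30 1KTWWe-00076d-3P <= sender@example.invalid H=rrcs-67-79-255-138.sw.biz.rr.com (User) [67.79.255.138] P=esmtpa A=fixed_login:admin S=2098
2008-08-14 02:50:07 1KTX5D-00077e-4R => bob@example.invalid R=dnslookup T=remote_smtp H=mx.example.invalid [198.51.100.7]
"""


def parse_arrival(line):
    """Parse one arrival ("<=") line into a dict, or return None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": m["ts"], "id": m["id"], "sender": m["sender"],
        "host": None, "ip": None, "proto": None,
        "authenticator": None, "auth_user": None, "size": None,
    }
    rest = m["rest"]
    hm = HOST_RE.search(rest)
    if hm:
        rec["host"], rec["ip"] = hm["host"], hm["ip"]
    for fm in FIELD_RE.finditer(rest):
        key, val = fm["key"], fm["val"]
        if key == "P":
            rec["proto"] = val
        elif key == "A":
            # A=<authenticator>:<authenticated user>; the user part is what the post is worried about
            auth, _, user = val.partition(":")
            rec["authenticator"] = auth
            rec["auth_user"] = user or None
        elif key == "S":
            rec["size"] = int(val)
    return rec


def authenticated_sends(lines, expected_users):
    """Return arrival records that used SMTP AUTH as a user outside expected_users."""
    hits = []
    for line in lines:
        rec = parse_arrival(line)
        if rec and rec["auth_user"] and rec["auth_user"] not in expected_users:
            hits.append(rec)
    return hits


def summarize(records):
    """Per authenticated user: number of messages and the set of client IPs they came from."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in records:
        summary[r["auth_user"]]["count"] += 1
        summary[r["auth_user"]]["ips"].add(r["ip"])
    return dict(summary)


if __name__ == "__main__":
    # "alice" is the only account expected to submit mail with SMTP AUTH in this sample
    found = authenticated_sends(SAMPLE_LOG.splitlines(), expected_users={"alice"})
    for user, info in summarize(found).items():
        print(f"{user}: {info['count']} message(s) from {sorted(info['ips'])}")
```

The parser expects one log entry per line; the entry quoted in the post was wrapped by the mail client, so a copied-out line has to be rejoined before it will match. Running the script against a real `/var/log/exim_mainlog` means reading the file instead of `SAMPLE_LOG` and filling `expected_users` with the accounts that are actually meant to relay through the server.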