On Fri, 4 Oct 2024, Johnnie W Adams via Exim-users wrote:
> Hi, folks, I'm trying to interpret some results from an SIEM regarding our Exim servers and am having difficulty. The SIEM claims that ports 587 and 465 are generating traffic on a high-numbered port. I think it's seeing artifacts from failed authentications and, in about two-thirds of the cases, I can line the authentication attempts up with that traffic.
SIEM = Security information and event management? This SIEM is reporting traffic from ports 587 and 465 on your server to high ports on remote machines? I assume there is matching traffic in the opposite direction?
> That leaves the other third, which show no sign of authentications in the logs. I'm grasping at straws here, I suppose, but I'm wondering: How reliable is exim logging on a not-very-busy machine? Pretty reliable, I figure, but these results make me wonder.
I would expect exim logging to be reliable on a not-very-busy machine. Is there any sort of firewall in front of exim? If a firewall rejects the traffic, it would never reach exim or the exim logs.

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
##   exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
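The "lining up" described in the thread, as an added example that is not part of the original posts and is not Exim's or the SIEM's own tooling: it indexes Exim mainlog lines by the peer address in square brackets, reads a SIEM flow export, and for each flow looks for an Exim entry from the same remote IP within a time window. Flows with no Exim record at all are the ones to check against a firewall, fail2ban or rate-limit rule that rejected the connection before Exim ever logged it. The log lines, the CSV layout, the window size and the column names are all constructed for this example.

```python
import csv
import io
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Exim mainlog lines carry the peer address in square brackets, e.g. "[203.0.113.5]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed Exim mainlog excerpt for this example (not from the original thread).
EXIM_MAINLOG = """\
2024-10-04 10:15:32 login authenticator failed for (client) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2024-10-04 10:16:05 plain authenticator failed for (client) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
2024-10-04 10:22:48 SMTP connection from [203.0.113.5] lost while reading message data
"""

# Constructed SIEM flow export: server-side port, remote address, remote ephemeral port.
# The column names are an assumption; adjust them to the real export.
SIEM_FLOWS = """\
ts,server_port,remote_ip,remote_port
2024-10-04 10:15:31,587,203.0.113.5,51234
2024-10-04 10:16:04,465,198.51.100.7,40022
2024-10-04 10:18:40,587,192.0.2.33,55010
2024-10-04 10:22:47,587,203.0.113.5,51301
"""


def parse_exim_log(text):
    """Index Exim log lines by peer IP: {ip: [(timestamp, line), ...]}."""
    index = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:19], TS_FMT)  # leading "YYYY-MM-DD HH:MM:SS"
        m = IP_RE.search(line)
        if m:
            index.setdefault(m.group(1), []).append((ts, line))
    return index


def parse_flows(text):
    """Read the SIEM CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(row["ts"], TS_FMT),
            "server_port": int(row["server_port"]),
            "remote_ip": row["remote_ip"],
            "remote_port": int(row["remote_port"]),
        })
    return rows


def correlate(flows, exim_index, window_seconds=60):
    """Pair each flow with the nearest Exim entry for the same peer IP inside the window."""
    window = timedelta(seconds=window_seconds)
    results = []
    for flow in flows:
        best = None
        for ts, line in exim_index.get(flow["remote_ip"], []):
            delta = abs(ts - flow["ts"])
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, line)
        results.append({"flow": flow, "exim_line": best[1] if best else None})
    return results


def summarize(results):
    """Count matched vs. unmatched flows and list the IPs Exim never logged."""
    unmatched = [r for r in results if r["exim_line"] is None]
    return {
        "matched": len(results) - len(unmatched),
        "unmatched": len(unmatched),
        "unmatched_ips": sorted({r["flow"]["remote_ip"] for r in unmatched}),
    }


if __name__ == "__main__":
    res = correlate(parse_flows(SIEM_FLOWS), parse_exim_log(EXIM_MAINLOG))
    for r in res:
        f = r["flow"]
        tag = ("exim: " + r["exim_line"]) if r["exim_line"] else \
            "NO EXIM RECORD (check firewall / fail2ban / rejection before logging)"
        print(f"{f['ts']} :{f['server_port']} -> {f['remote_ip']}:{f['remote_port']}  {tag}")
    print(summarize(res))
```

On the constructed data three flows pair with an Exim line and one (from 192.0.2.33) has no Exim record, which is the "other third" case from the thread; on real data, widen the window to cover clock skew between the SIEM sensor and the mail host before treating a flow as unexplained.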