On 04/10/2024 19:04, Johnnie W Adams via Exim-users wrote:
The SIEM claims that ports 587 and 465 are generating traffic on a high-numbered port.
Urghh. Ports don't generate traffic. Sockets are endpoints for traffic, TCP-using sockets have connections which each have two ports, a local and a remote - and was initiated from one of those two. A TCP connection has packets flowing in both directions (in general).

What does this SIEM actually mean, in its claim?

On logging: Exim itself is reliable in my experience. A configuration that does (or not) log certain classes of info might trip up your assumptions. External factors such as (syslog...) logging to an overburdened destination, or log-rotation errors, can result in lossage.

--
Cheers,
Jeremy
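The point above about a TCP connection having two ports and one initiating end, as an added example that is not part of the original message: it groups constructed packet records into connections and reports which end sent the SYN, so a record reading "from port 587 to a high-numbered port" can be recognised when it is only one direction of a client connection. The record layout, addresses (documentation ranges) and function names are assumptions for illustration.

```python
from collections import defaultdict

SERVICE_PORTS = {465, 587}  # the two ports named in the SIEM claim

# Constructed sample packets: (src, sport, dst, dport, tcp_flags)
PACKETS = [
    ("198.51.100.7", 51234, "192.0.2.10", 587, "S"),    # client SYN
    ("192.0.2.10", 587, "198.51.100.7", 51234, "SA"),   # server SYN-ACK
    ("198.51.100.7", 51234, "192.0.2.10", 587, "A"),
    ("192.0.2.10", 587, "198.51.100.7", 51234, "PA"),   # server data, "587 -> high port"
    ("192.0.2.10", 465, "203.0.113.9", 40022, "PA"),    # mid-connection, SYN not captured
]

def connection_key(src, sport, dst, dport):
    """Return the same key for both directions of one TCP connection."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def summarize(packets):
    """Group packets into connections and report which endpoint initiated each."""
    conns = defaultdict(lambda: {"initiator": None, "packets": 0})
    for src, sport, dst, dport, flags in packets:
        conn = conns[connection_key(src, sport, dst, dport)]
        conn["packets"] += 1
        if "S" in flags and "A" not in flags:  # a bare SYN marks the initiating end
            conn["initiator"] = (src, sport)
    report = {}
    for key, conn in conns.items():
        init = conn["initiator"]
        if init is None:
            role = "unknown initiator (no SYN seen)"
        else:
            responder = key[0] if key[1] == init else key[1]
            if responder[1] in SERVICE_PORTS:
                role = "inbound to service port %d" % responder[1]
            elif init[1] in SERVICE_PORTS:
                role = "initiated from source port %d" % init[1]
            else:
                role = "no service port as responder"
        report[key] = (role, conn["packets"])
    return report

if __name__ == "__main__":
    for key, (role, count) in summarize(PACKETS).items():
        print(key, role, count)
```

Without the SYN (or an equivalent direction field in the SIEM record), the second constructed connection cannot be attributed to either end, which is the ambiguity in the SIEM's wording.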