I am not 100% sure; however, I suspect my email server has been compromised. I am using Kolab.

I previously only logged inbound connections to my fw; however, I have just tested logging outbound connections and I see multiple repeated connections to a few IPs on port 25. The prime contender is 69.172.201.153, which a Google search reveals is associated with ransomware: https://ransomwaretracker.abuse.ch/ip/69.172.201.153/

I have checked the /var/log/mail.log file and can see the items being sent. An example from the log is:

    Oct 22 08:41:36 mail imaps[18070]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits reused) no authentication
    Oct 22 08:41:36 mail imaps[18070]: client id: "name" "Roundcube/Kolab" "version" "1.2.3"
    Oct 22 08:41:36 mail imaps[18070]: login: localhost [127.0.0.1] firstnamen...@mydomain.com PLAIN+TLS User logged in SESSIONID=<mail-18070-1508622096-1-863093564849054597>
    Oct 22 08:41:36 mail imaps[18070]: USAGE firstname.lastn...@mydomain.com user: 0.012000 sys: 0.004000
    Oct 22 08:41:37 mail postfix/smtp[18131]: 3E56FAD620: to=<mgnbl...@arebetter.com>, relay=arebetter.com[68.178.213.61]:25, delay=3342, delays=3297/0.07/45/0, dsn=4.4.2, status=deferred (lost connection with arebetter.com[68.178.213.61] while receiving the initial server greeting)

Open relay? I have tested and my server is not an open relay.

I have turned off all inbound connections for the time being; however, the emails are still being sent.

My questions are:

a) Does this indicate my server is compromised?
b) How can this happen?
c) What is initiating the sending of these emails?
d) How do I stop it sending?

Thanks
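An added triage script for the kind of mail.log excerpt quoted above (example code, not from the original post, Kolab or Postfix): it tallies postfix/smtp delivery attempts per relay IP, flags relays that appear on a watch list, joins each flagged queue id back to the postfix/smtpd, pickup and qmgr lines that record how that message entered the queue and as which sender or SASL user, and lists IMAP logins that arrived over loopback together with the client name the session announced. The watch list holds only the IP the post looked up on abuse.ch; the sample log is constructed in the same format as the excerpt, with invented addresses and queue ids, and includes a local-pickup submission purely so the script can show the two submission paths side by side.

```python
"""Triage a Postfix/Cyrus mail.log: where is the server trying to deliver, how
did each suspect message enter the queue, and which IMAP logins surround it.
Added example, not code from the original post. Sample data is constructed."""
import re
import sys
from collections import Counter

# The IP the post looked up on ransomwaretracker.abuse.ch; a real run would load
# a feed or block list here instead of a one-element set.
WATCHLIST = {"69.172.201.153"}

# Constructed sample in the same format as the post's excerpt. The two relay IPs
# are the ones the post names; every address, pid and queue id is invented.
SAMPLE_LOG = """\
Oct 22 08:41:36 mail imaps[18070]: client id: "name" "Roundcube/Kolab" "version" "1.2.3"
Oct 22 08:41:36 mail imaps[18070]: login: localhost [127.0.0.1] user@mydomain.com PLAIN+TLS User logged in SESSIONID=<mail-18070-1508622096-1-1>
Oct 22 08:41:37 mail postfix/smtpd[18120]: 3E56FAD620: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=user@mydomain.com
Oct 22 08:41:37 mail postfix/qmgr[1201]: 3E56FAD620: from=<user@mydomain.com>, size=2048, nrcpt=1 (queue active)
Oct 22 08:41:37 mail postfix/smtp[18131]: 3E56FAD620: to=<alice@arebetter.com>, relay=arebetter.com[68.178.213.61]:25, delay=3342, delays=3297/0.07/45/0, dsn=4.4.2, status=deferred (lost connection with arebetter.com[68.178.213.61] while receiving the initial server greeting)
Oct 22 08:42:01 mail postfix/pickup[1199]: 4A11BAD631: uid=33 from=<www-data>
Oct 22 08:42:01 mail postfix/qmgr[1201]: 4A11BAD631: from=<www-data@mail.mydomain.com>, size=900, nrcpt=2 (queue active)
Oct 22 08:42:02 mail postfix/smtp[18140]: 4A11BAD631: to=<bob@example.net>, relay=mx.example.net[69.172.201.153]:25, delay=1.2, delays=0.5/0.01/0.5/0.2, dsn=2.0.0, status=sent (250 OK)
Oct 22 08:42:02 mail postfix/smtp[18140]: 4A11BAD631: to=<carol@example.net>, relay=mx.example.net[69.172.201.153]:25, delay=1.3, delays=0.5/0.01/0.6/0.2, dsn=2.0.0, status=sent (250 OK)
Oct 22 08:43:10 mail postfix/smtp[18152]: 5C33DAD640: to=<dave@arebetter.com>, relay=none, delay=0.1, delays=0.1/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to arebetter.com[68.178.213.61]:25: Connection refused)
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SMTP_RE = re.compile(PREFIX + r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
                     r"relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)")
ORIGIN_RE = re.compile(PREFIX + r"postfix/(?P<prog>smtpd|pickup|qmgr)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
RELAY_RE = re.compile(r"^(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+$")
LOGIN_RE = re.compile(PREFIX + r"imaps\[(?P<pid>\d+)\]: login: \S+ \[(?P<ip>[^\]]+)\] "
                      r"(?P<user>\S+) (?P<mech>\S+) User logged in")
CLIENT_RE = re.compile(r'imaps\[(?P<pid>\d+)\]: client id: "name" "(?P<client>[^"]+)"')
KV_RE = re.compile(r"(?P<k>sasl_username|client|from|uid)=<?(?P<v>[^,<>\s]+)")


def parse_deliveries(text):
    """One dict per postfix/smtp delivery attempt; relay split into host and IP."""
    out = []
    for line in text.splitlines():
        m = SMTP_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        r = RELAY_RE.match(d["relay"])  # relay=none carries no host[ip]:port
        d["relay_host"], d["relay_ip"] = (r["host"], r["ip"]) if r else (None, None)
        out.append(d)
    return out


def parse_origins(text):
    """Queue id -> how the message entered Postfix. Only smtp lines carry the relay
    IP; the submitting client, SASL user and envelope sender sit on the smtpd,
    pickup and qmgr lines that share the same queue id."""
    origins = {}
    for line in text.splitlines():
        m = ORIGIN_RE.match(line)
        if not m:
            continue
        entry = origins.setdefault(m["qid"], {"via": set()})
        entry["via"].add(m["prog"])
        for kv in KV_RE.finditer(m["rest"]):
            entry[kv["k"]] = kv["v"]
    return origins


def parse_logins(text):
    """IMAP logins joined to the client id announced earlier by the same imaps pid."""
    clients, logins = {}, []
    for line in text.splitlines():
        c = CLIENT_RE.search(line)
        if c:
            clients[c["pid"]] = c["client"]
            continue
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["client"] = clients.get(d["pid"])
            logins.append(d)
    return logins


def triage(text, watchlist=WATCHLIST):
    deliveries, origins = parse_deliveries(text), parse_origins(text)
    by_ip = Counter(d["relay_ip"] for d in deliveries if d["relay_ip"])
    suspect = []  # every attempt toward a watch-listed relay, with its submission path
    for d in deliveries:
        if d["relay_ip"] in watchlist:
            o = origins.get(d["qid"], {})
            suspect.append({"qid": d["qid"], "rcpt": d["rcpt"], "relay_ip": d["relay_ip"],
                            "from": o.get("from"), "sasl_username": o.get("sasl_username"),
                            "via": sorted(o.get("via", ()))})
    return {
        "attempts": len(deliveries),
        "by_relay_ip": dict(by_ip),
        "by_status": dict(Counter(d["status"] for d in deliveries)),
        "flagged_relay_ips": sorted(ip for ip in by_ip if ip in watchlist),
        "suspect_submissions": suspect,
        # loopback logins: in the post's excerpt these come from Roundcube on the same host
        "local_imap_logins": [(l["user"], l["client"], l["mech"])
                              for l in parse_logins(text) if l["ip"] == "127.0.0.1"],
    }


if __name__ == "__main__":
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in triage(log_text).items():
        print(f"{key}: {value}")
```

Run it as `python3 mail_triage.py /var/log/mail.log` (the file name is an assumption) to get the real tallies; with no argument it runs on the constructed sample. Two caveats: a long-lived imapd process serves many sessions, so the client-id join is only to the most recent announcement from that pid, and the queue id is what ties the excerpt's single postfix/smtp line to the smtpd or pickup line that shows who submitted the message, so `grep 3E56FAD620 /var/log/mail.log` on the real log is the first thing to pull.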