hMailServer Logs

VadaDosa
New user
Posts: 15
Joined: 2019-04-14 06:03

hMailServer Logs

Post by VadaDosa » 2019-05-13 00:19

Hi,

I have enabled all logs (Application, SMTP, POP3, IMAP, TCP/IP, Debug, Awstats) on hMailServer.
The file "hMailserver_yyyy-MM-DD.log" has columnised entries like below.

"IMAPD" 4520 43844 "2019-05-12 15:43:49.806" "yyy.yyy.yyy.yyy" "SENT: * OK IMAPrev1"
"IMAPD" 4520 43844 "2019-05-12 15:43:49.916" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00001 CAPABILITY"
"IMAPD" 4520 43844 "2019-05-12 15:43:49.916" "yyy.yyy.yyy.yyy" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL NAMESPACE RIGHTS=texk[nl]WIR00001 OK CAPABILITY completed"
"IMAPD" 4520 43844 "2019-05-12 15:43:50.041" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00002 AUTHENTICATE PLAIN"
"IMAPD" 4520 43844 "2019-05-12 15:43:50.041" "yyy.yyy.yyy.yyy" "SENT: WIR00002 NO Unsupported authentication mechanism."
"IMAPD" 4488 43844 "2019-05-12 15:43:50.166" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00003 LOGIN "zzzzz@somedomain.com" ***"
"IMAPD" 4488 43844 "2019-05-12 15:43:50.197" "yyy.yyy.yyy.yyy" "SENT: WIR00003 OK LOGIN completed"
"IMAPD" 4520 43844 "2019-05-12 15:43:50.322" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00004 CAPABILITY"
"IMAPD" 4520 43844 "2019-05-12 15:43:50.322" "yyy.yyy.yyy.yyy" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL NAMESPACE RIGHTS=texk[nl]WIR00004 OK CAPABILITY completed"
"IMAPD" 4520 43844 "2019-05-12 15:43:50.494" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00005 LIST "" "%""
"IMAPD" 4520 43844 "2019-05-12 15:43:50.494" "yyy.yyy.yyy.yyy" "SENT: * LIST (\HasNoChildren) "." "INBOX"[nl]* LIST (\HasNoChildren) "." "Sent Items"[nl]* LIST (\HasNoChildren) "." "Deleted Items"[nl]* LIST (\HasNoChildren) "." "Drafts"[nl]* LIST (\HasNoChildren) "." "Junk E-mail"[nl]WIR00005 OK LIST completed"
"IMAPD" 4520 43844 "2019-05-12 15:43:50.619" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00006 LIST "" "%.%""
"IMAPD" 4520 43844 "2019-05-12 15:43:50.619" "yyy.yyy.yyy.yyy" "SENT: WIR00006 OK LIST completed"
"IMAPD" 4488 43844 "2019-05-12 15:43:50.744" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00007 LIST "" "%.%.%""
"IMAPD" 4488 43844 "2019-05-12 15:43:50.744" "yyy.yyy.yyy.yyy" "SENT: WIR00007 OK LIST completed"
"IMAPD" 4488 43844 "2019-05-12 15:43:50.900" "yyy.yyy.yyy.yyy" "RECEIVED: WIR00008 SELECT "INBOX""
"IMAPD" 4488 43844 "2019-05-12 15:43:50.900" "yyy.yyy.yyy.yyy" "SENT: * 0 EXISTS[nl]* 0 RECENT[nl]* FLAGS (\Deleted \Seen \Draft \Answered \Flagged)[nl]* OK [UIDVALIDITY 1554414928] current uidvalidity[nl]* OK [UIDNEXT 2] next uid[nl]* OK [PERMANENTFLAGS (\Deleted \Seen \Draft \Answered \Flagged)] limited[nl]WIR00008 OK [READ-WRITE] SELECT completed"

"SMTPD" 4520 42785 "2019-05-12 00:08:59.264" "yyy.yyy.yyy.yyy" "SENT: 220 mail.alwaysfastersite.com ESMTP"
"SMTPD" 4516 42785 "2019-05-12 00:08:59.326" "yyy.yyy.yyy.yyy" "RECEIVED: EHLO User"
"SMTPD" 4516 42785 "2019-05-12 00:08:59.326" "yyy.yyy.yyy.yyy" "SENT: 250-mail.alwaysfastersite.com[nl]250-SIZE 2048000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 4520 42785 "2019-05-12 00:08:59.389" "yyy.yyy.yyy.yyy" "RECEIVED: AUTH LOGIN"
"SMTPD" 4520 42785 "2019-05-12 00:08:59.389" "yyy.yyy.yyy.yyy" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4516 42785 "2019-05-12 00:08:59.451" "yyy.yyy.yyy.yyy" "RECEIVED: aGVsbG8="
"SMTPD" 4516 42785 "2019-05-12 00:08:59.451" "yyy.yyy.yyy.yyy" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4520 42785 "2019-05-12 00:08:59.498" "yyy.yyy.yyy.yyy" "RECEIVED: ***"
"SMTPD" 4520 42785 "2019-05-12 00:08:59.529" "yyy.yyy.yyy.yyy" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 4516 42785 "2019-05-12 00:08:59.576" "yyy.yyy.yyy.yyy" "RECEIVED: QUIT"
"SMTPD" 4516 42785 "2019-05-12 00:08:59.592" "yyy.yyy.yyy.yyy" "SENT: 221 goodbye"

The IP addresses for the above and many other IMAPD and SMTPD conversations are not familiar. Those are devices from out of the country. I do not know how they are getting here.
Does it mean my hMailServer is compromised and acting like an open relay? :roll:

I am updating firewall rules to block unwanted IPs. I am not sure if my assumption above, identifying the above IPs as unwanted, is correct. Am I missing anything here? Should I block all these unfamiliar IPs on the firewall? What are the consequences? :?:

mattg
Moderator
Posts: 20123
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer Logs

Post by mattg » 2019-05-13 01:11

IMAP is a protocol for READING messages

Clearly the IMAP user has logged in (you have redacted the user name)
That IP may be the mobile phone network if the user has their smart phone set to read mail, or it could be any other mail client.
IMAP access doesn't mean that you are an open relay - just that someone is reading mail on your server


SMTP
The SMTP logs you show, show a FAILED attempt to log in to your server
I have dozens of these each day
As long as you have strong passwords this is just a normal part of running a mailserver
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
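
An added example, not part of either post and not hMailServer code: a small Python triage script that groups log lines in the layout quoted above into conversations and reports, per conversation, the source IP, the IMAP login name and whether authentication succeeded or failed. It assumes the third column identifies the conversation (it stays constant across each conversation in the quoted sample), uses SMTP reply 235 as the success counterpart to the 535 shown in the thread, and runs on constructed sample lines with documentation IP addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout quoted in the thread; 192.0.2.x and
# 198.51.100.x are documentation addresses, not values from the post.
SAMPLE = r'''
"IMAPD" 4520 43844 "2019-05-12 15:43:50.041" "192.0.2.10" "SENT: WIR00002 NO Unsupported authentication mechanism."
"IMAPD" 4488 43844 "2019-05-12 15:43:50.166" "192.0.2.10" "RECEIVED: WIR00003 LOGIN "user@example.com" ***"
"IMAPD" 4488 43844 "2019-05-12 15:43:50.197" "192.0.2.10" "SENT: WIR00003 OK LOGIN completed"
"SMTPD" 4520 42785 "2019-05-12 00:08:59.389" "198.51.100.7" "RECEIVED: AUTH LOGIN"
"SMTPD" 4520 42785 "2019-05-12 00:08:59.529" "198.51.100.7" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 4516 42785 "2019-05-12 00:08:59.592" "198.51.100.7" "SENT: 221 goodbye"
'''

# The message column can contain unescaped quotes (see the LOGIN line), so
# csv/shlex splitting breaks; anchor on the five leading columns and take
# everything up to the final quote as the message. \s+ accepts tabs or spaces.
LINE = re.compile(r'^"(\w+)"\s+(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"(.*)"$')
IMAP_LOGIN = re.compile(r'^RECEIVED: \S+ LOGIN "?([^" ]+)"? ')
IMAP_OK = re.compile(r'^SENT: \S+ OK LOGIN completed')

def summarize(text):
    """Return {(service, session): {"ip", "user", "auth"}} for each conversation."""
    sessions = defaultdict(lambda: {"ip": None, "user": None, "auth": "none"})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line in another layout
        service, _thread, session, _ts, ip, msg = m.groups()
        s = sessions[(service, session)]  # assumption: column 3 is the session id
        s["ip"] = ip
        if service == "IMAPD":
            if (u := IMAP_LOGIN.match(msg)):
                s["user"] = u.group(1)
            elif IMAP_OK.match(msg):
                s["auth"] = "ok"
        elif service == "SMTPD":
            if msg.startswith("SENT: 235"):    # standard SMTP AUTH success reply
                s["auth"] = "ok"
            elif msg.startswith("SENT: 535"):  # failure reply shown in the thread
                s["auth"] = "failed"
    return dict(sessions)

def failed_by_ip(sessions):
    """Count conversations per source IP whose last auth result was a failure."""
    return Counter(s["ip"] for s in sessions.values() if s["auth"] == "failed")
```

Sorting `failed_by_ip(summarize(log_text))` by count separates sources that fail repeatedly from the occasional mistyped password, and the `"ok"` conversations list which accounts are being read from which addresses.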
