Why is Cyrus user running imap and pop3 events?

Discussion in 'General' started by torontob, Aug 7, 2010.

  1. torontob

    Hi Everyone,

    I have a security concern. I do not use this Elastix server for IMAP/POP3. Other than getting mail on the root, it's not being used as a mail server at all.

    But I see many attempts by the user Cyrus in /var/log/secure and /var/log/messages:

    Aug 5 20:38:28 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    Aug 5 20:38:29 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
    Aug 5 20:38:38 elastix su: pam_unix(su-l:session): session opened for user asterisk by (uid=0)
    Aug 5 20:38:38 elastix su: pam_unix(su-l:session): session closed for user asterisk

    What is really going on and what does the user Cyrus do? How can I disable it totally without any ramifications?

    Thanks
     
  2. dicko

    chkconfig postfix off
    chkconfig cyrus-imapd off

    service postfix stop
    service cyrus-imapd stop


    if you don't want to see them in your logs.
    However, "mail" to root then might or might not work depending on how it was sent.
     
  3. torontob

    Thanks for the input Dicko.

    This is an Elastix system. Of course I don't want any troubles on the system. But the security logs regarding Cyrus concern me. So, I would turn them off, provided I know for sure that system functions such as sending mail to root are not tampered with.

    Any firm feedback?

    Thanks
     
  4. dicko

    They are nothing to worry about, just the daemons doing their normal thing. If you are concerned about security/access from outside, and still want to have errors delivered by email on the box itself, I suggest you comment out (or perhaps just change the port of) the inet line in

    /etc/postfix/master.cf

    leave in the 127.0.0.1:25 (localhost)

    and issue a

    postfix reload
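
An added example, not part of any post in the thread: a small Python triage of `pam_unix` session lines like those quoted in the first post, separating sessions opened through local identity-switching services (`runuser`, `su`) from sessions opened by any other PAM service. The `sshd` sample line, the `LOCAL_SWITCH` set and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the four lines quoted in the thread plus one
# hypothetical sshd line (not from the thread) for contrast.
SAMPLE = """\
Aug 5 20:38:28 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
Aug 5 20:38:29 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
Aug 5 20:38:38 elastix su: pam_unix(su-l:session): session opened for user asterisk by (uid=0)
Aug 5 20:38:38 elastix su: pam_unix(su-l:session): session closed for user asterisk
Aug 5 20:40:02 elastix sshd[4242]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""

OPENED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<prog>[\w.-]+)(?:\[\d+\])?:\s"
    r"pam_unix\((?P<svc>[\w-]+):session\): session opened for user "
    r"(?P<user>\S+) by (?P<by>\S*)\(uid=(?P<uid>\d+)\)"
)

# PAM services that are local identity switches, not network login
# services. Assumption of this example: adjust the set for your host.
LOCAL_SWITCH = {"runuser", "runuser-l", "su", "su-l"}

def classify(line):
    """Return a dict for a 'session opened' line, or None for anything else."""
    m = OPENED.match(line)
    if not m:
        return None
    # "by (uid=0)" alone proves nothing: sshd also runs as root.
    # The PAM service name is what separates the two cases.
    local = m["svc"] in LOCAL_SWITCH and m["uid"] == "0"
    kind = "local-root-switch" if local else "review"
    return {"user": m["user"], "service": m["svc"], "kind": kind}

def triage(text):
    """Classify every line and count events per (kind, service, user)."""
    events = [e for e in map(classify, text.splitlines()) if e]
    summary = Counter((e["kind"], e["service"], e["user"]) for e in events)
    return events, summary

if __name__ == "__main__":
    for (kind, svc, user), n in sorted(triage(SAMPLE)[1].items()):
        print(f"{kind:18} {svc:10} {user:10} x{n}")
```

To run it against a real log, pass the file contents to `triage()` instead of `SAMPLE`.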
     
