Why is Cyrus user running imap and pop3 events?

torontob

#1
Hi Everyone,

I have a security concern. I do not use this Elastix server for IMAP/POP3. Other than getting mail on the root, it's not being used as a mail server at all.

But I see many attempts of the user Cyrus in /var/log/secure and /var/log/messages:

Aug 5 20:38:28 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
Aug 5 20:38:29 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
Aug 5 20:38:38 elastix su: pam_unix(su-l:session): session opened for user asterisk by (uid=0)
Aug 5 20:38:38 elastix su: pam_unix(su-l:session): session closed for user asterisk

What is really going on and what does the user Cyrus do? How do I disable it totally without any ramifications?

Thanks
 

dicko

#2
chkconfig postfix off
chkconfig cyrus-imapd off

service postfix stop
service cyrus-imapd stop


If you don't want to see them in your logs.
However, "mail" to root then might or might not work, depending on how it was sent.
 

torontob

#3
Thanks for the input Dicko.

This is an Elastix system. Of course I don't want any troubles on the system. But the security logs regarding Cyrus concern me. So, I would turn them off, provided I know for sure that system functions such as sending mail to root are not tampered with.

Any firm feedback?

Thanks
 

dicko

#5
They are nothing to worry about, just the daemons doing their normal thing. If you are concerned about security/access from outside, and still want to have errors delivered by email on the box itself, I suggest you comment out (or perhaps just change the port of) the inet line in

/etc/postfix/master.cf

Leave in the 127.0.0.1:25 (localhost)

and issue a

postfix reload
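
Added example, not part of the posts above and not Elastix or Postfix code: a small Python check that reads text in master.cf format and reports, for each inet listener, whether it binds to loopback, as a way to verify the change suggested in post #5. The sample file content, the function names and the 192.0.2.10 address are constructed for illustration; an entry with no host part binds to whatever inet_interfaces in main.cf specifies, so it is reported separately rather than as exposed.

```python
import ipaddress

# Constructed sample in master.cf format (not taken from the thread).
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
[::1]:2525 inet n       -       n       -       -       smtpd
192.0.2.10:587 inet n   -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
"""


def classify_bind(service):
    """Classify the first field of an inet entry by where it listens."""
    host, sep, _port = service.rpartition(":")
    if not sep:
        # Bare port or service name: Postfix binds to inet_interfaces (main.cf).
        return "inet_interfaces"
    host = host.strip("[]")  # IPv6 literals are written as [addr]:port
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved-name"  # hostname: resolve it before trusting it
    return "loopback" if ip.is_loopback else "network"


def audit_inet_listeners(text):
    """Return (service, command, scope) for every active inet entry."""
    findings = []
    for line in text.splitlines():
        # Skip blanks, comments, and continuation lines (leading whitespace).
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "inet":
            findings.append((fields[0], fields[7], classify_bind(fields[0])))
    return findings


if __name__ == "__main__":
    for service, command, scope in audit_inet_listeners(SAMPLE_MASTER_CF):
        print(f"{service:<18} {command:<8} {scope}")
```

Entries reported as "network" or "inet_interfaces" are the ones to review; for the latter, check the inet_interfaces setting in main.cf.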
 
