[Security] Network exposure audit and traffic verification via packet capture #317

@maneeshaxyz

Description

Perform a network-level audit of the mail stack deployment to verify:

  • exposed services
  • transport security (TLS enforcement)
  • authentication surfaces
  • unexpected or anomalous traffic patterns

This task uses packet capture (tcpdump/Wireshark) combined with service inspection to validate the runtime behavior of the system from a network perspective.

Motivation

The current system includes multiple network-facing components (Postfix, IMAP server, SASL, etc.).

While configuration may appear correct, the actual runtime behavior must be verified at the packet level to ensure:

  • no plaintext credential leakage
  • correct TLS enforcement
  • no unintended service exposure
  • no anomalous inbound/outbound traffic

Scope

1. Service Exposure Audit

  • Identify all listening ports
  • Validate expected vs actual exposed services
  • Confirm no unintended public bindings

2. Packet Capture Setup

  • Establish remote capture via SSH + tcpdump
  • Capture live traffic:
    • IMAP (143 / 993)
    • SMTP (25 / 587 / 465)
  • Save sample .pcap files for analysis

3. Traffic Analysis

  • Verify:
    • TLS usage vs plaintext
    • authentication flows
    • IMAP command patterns (relevant for Gmail issue)
  • Inspect for:
    • credential leakage
    • abnormal connection patterns
    • repeated failed auth attempts

4. TLS Verification

  • Validate STARTTLS / TLS enforcement
  • Inspect handshake and cipher suites

5. SSH Hardening Review

  • Confirm:
    • key-based auth only
    • root login policy
    • firewall restrictions

6. Firewall Validation

  • Verify inbound rules match required ports only
  • Confirm no unintended open ports
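The six scope items above form one procedure, so here is one added example that walks through them end to end. It is not code from this issue or from the project: the exposure, plaintext-auth and sshd checks are pure text functions that run offline against constructed samples embedded in the script (not real captures), while the capture and TLS helpers wrap ssh, tcpdump, tshark and openssl and are only defined, not invoked. The host name ops@mail.example.org and the allow-list of ports are placeholders.

```shell
#!/bin/sh
# Added example (not the issue's or the project's own code): POSIX sh walk-through
# of Scope items 1-6. Pure checks run offline on the constructed samples below;
# the network helpers (ssh/tcpdump/tshark/openssl) are defined but not called.

# --- 1 & 6. Service exposure / firewall: flag every non-loopback listener whose
# port is not on the allow-list. $1 = output of `ss -Hltn` (Recv-Q/Send-Q columns
# included), $2 = space-separated allowed ports. Returns 1 if anything is flagged.
audit_listeners() {
    allowed=" $2 "
    status=0
    while read -r _state _recvq _sendq laddr _peer; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in 127.*|"[::1]") continue ;; esac   # loopback is not public
        case "$allowed" in
            *" $port "*) ;;
            *) printf 'UNEXPECTED listener %s port %s\n' "$addr" "$port"; status=1 ;;
        esac
    done <<EOF
$1
EOF
    return $status
}

# --- 2. Remote capture over SSH. The BPF filter restricts the capture to the
# mail ports, so the SSH session carrying the stream never captures itself
# (a filterless `-i any` would). -U flushes per packet so the local file is
# readable while the capture is still running. $1 = user@host, $2 = out.pcap
remote_capture() {
    ssh "$1" "sudo tcpdump -i any -s 0 -U -w - \
        'port 25 or port 465 or port 587 or port 143 or port 993'" > "$2"
}

# --- 3. Traffic analysis: render one TCP stream of the capture as text and
# scan it. Anything still readable after a STARTTLS exchange means TLS never
# started. $1 = .pcap, $2 = tcp stream index (0 for the first connection).
scan_capture_stream() {
    tshark -r "$1" -q -z "follow,tcp,ascii,$2" | scan_for_plaintext_auth
}

# Scan a plaintext rendering of an IMAP or SMTP session (stdin) for credentials
# sent in the clear and for servers that offer authentication before TLS.
scan_for_plaintext_auth() {
    status=0
    cr=$(printf '\r')
    while read -r line; do
        line=${line%"$cr"}
        case "$line" in
            "* OK [CAPABILITY"*)      # IMAP greeting: ssl=required shows LOGINDISABLED
                case "$line" in *LOGINDISABLED*) ;; *)
                    echo "WARN: IMAP greeting lacks LOGINDISABLED (plaintext LOGIN accepted before STARTTLS)"
                    status=1 ;;
                esac ;;
            "250-AUTH "*|"250 AUTH "*)   # EHLO reply readable => AUTH offered pre-TLS
                echo "WARN: SMTP advertises AUTH before STARTTLS (set smtpd_tls_auth_only = yes)"
                status=1 ;;
        esac
        if printf '%s\n' "$line" | grep -Eiq '^[^ ]+ (login|authenticate) |^auth (plain|login)'; then
            # report only tag and verb so the finding itself does not carry the secret
            echo "PLAINTEXT AUTH: $(printf '%s\n' "$line" | cut -d' ' -f1-2) ..."
            status=1
        fi
    done
    return $status
}

# --- 4. TLS verification from the client side: negotiated protocol, cipher and
# chain verification. $1 = host:port; pass "-starttls imap" or "-starttls smtp"
# for 143/587, nothing for the implicit-TLS ports 993/465.
check_tls() {
    target=$1; shift
    openssl s_client -connect "$target" "$@" </dev/null 2>/dev/null \
        | grep -E '^ *(Protocol|Cipher|Verify return code)'
}

# --- 5. SSH hardening review on the effective config (`sshd -T`, lowercase keys,
# via stdin). Keyboard-interactive auth should be off too; its key name varies
# by OpenSSH version (challengeresponse... vs kbdinteractive...), so check it by eye.
check_sshd_config() {
    cfg=$(cat)
    status=0
    for want in "passwordauthentication no" "pubkeyauthentication yes"; do
        printf '%s\n' "$cfg" | grep -qx "$want" \
            || { echo "sshd: expected '$want'"; status=1; }
    done
    printf '%s\n' "$cfg" | grep -Eqx 'permitrootlogin (no|prohibit-password)' \
        || { echo "sshd: permitrootlogin must be 'no' or 'prohibit-password'"; status=1; }
    return $status
}

# --- Constructed samples (not real output or captures) so the checks run offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 0.0.0.0:587 0.0.0.0:*
LISTEN 0 100 [::]:993 [::]:*
LISTEN 0 100 127.0.0.1:143 0.0.0.0:*
LISTEN 0 100 0.0.0.0:143 0.0.0.0:*'
SAMPLE_IMAP_BAD='* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready
a1 LOGIN alice hunter2
a1 OK Logged in'
SAMPLE_IMAP_GOOD='* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready
a1 STARTTLS
a1 OK Begin TLS negotiation now.'
SAMPLE_SSHD='passwordauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password'

audit_listeners "$SAMPLE_SS" "22 25 587 993" || echo "=> exposure check FAILED"
printf '%s\n' "$SAMPLE_IMAP_BAD" | scan_for_plaintext_auth || echo "=> plaintext auth FAILED"
printf '%s\n' "$SAMPLE_IMAP_GOOD" | scan_for_plaintext_auth && echo "=> IMAP STARTTLS sample OK"
printf '%s\n' "$SAMPLE_SSHD" | check_sshd_config && echo "=> sshd policy OK"
```

On the real host the same functions are fed live data: `ssh ops@mail.example.org ss -Hltn | { in=$(cat); audit_listeners "$in" "22 25 587 993"; }`, `remote_capture ops@mail.example.org imap.pcap` while a client logs in, then `scan_capture_stream imap.pcap 0`, `check_tls mail.example.org:143 -starttls imap`, and `ssh ops@mail.example.org sudo sshd -T | check_sshd_config`. The loopback exception in audit_listeners is deliberate: a plaintext IMAP listener on 127.0.0.1 for a local webmail client is not a public exposure, whereas the same port on 0.0.0.0 is, and the sample above flags exactly that case.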

Deliverables

  • Documented list of exposed services and ports
  • Sample packet captures (.pcap)
  • Summary of findings:
    • plaintext vs encrypted traffic
    • authentication behavior
    • anomalies (if any)
  • Recommended remediation actions (if issues found)

Acceptance Criteria

  • All externally exposed ports are identified and documented
  • Packet capture successfully performed and validated
  • No plaintext credentials observed in network traffic
  • TLS enforced for all authentication flows
  • No unexpected services exposed publicly
  • Findings documented with clear remediation steps

Notes

  • Prefer SSH-based capture (ssh host 'sudo tcpdump -i any -U -w - <mail-port filter>' > file.pcap) for remote analysis; always give a port filter, since an unfiltered capture on -i any would also capture the SSH session carrying it
  • Avoid relying solely on configuration—validate actual wire behavior
  • This task also supports debugging IMAP client behavior (e.g., Gmail read-state issue)

Metadata

Labels

  • security: Tasks related to the security of the system.