Hi,
I can see some long-running sessions from lsof;
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sendmail 4979 root 4u IPv4 8555 TCP localhost.localdomain:smtp (LISTEN)
omsmtpd 25302 root 4u IPv4 1466169 TCP mail:smtp (LISTEN)
omsmtpd 25302 root 5u IPv4 1466170 TCP mail.myserver.co.uk:smtp (LISTEN)
omsmtpd 25302 root 6u IPv4 36190383 TCP mail.myserver.co.uk:smtp->2-232-70-62.ip211.fastwebnet.it:4323 (ESTABLISHED) (for over an hour, since I checked!)
omsmtpd 25302 root 7u IPv4 36200908 TCP mail.myserver.co.uk:smtp->77-223-156-90.netdirekt.com.tr:oem-agent (ESTABLISHED) (for over an hour, since I checked!)
now, the office is closed (it's the weekend, and a bank holiday!) - the only users will be some blackberry users so I'm keen to see what the two bottom connections are for - as they've been up and running constantly. Is there any way to identify what these connections are - which account is being accessed, alternatively I guess it'd just be good practise to change all the email passwords!