Diplomatic Mail and Open Databases: Iranian Government Infrastructure Exposed | Intercept Cell
Passive reconnaissance of Iranian government internet-facing infrastructure reveals systemic security failures across civilian, diplomatic, and IT organizations. The Ministry of Foreign Affairs
Using only passive data sources (Shodan InternetDB, Certificate Transparency logs, and DNS resolution), we mapped the externally visible attack surface of Iranian government infrastructure. No packets were sent to any Iranian system; every finding comes from pre-indexed public data. What we found is a government whose civilian digital infrastructure is critically exposed while its military networks have retreated entirely behind the national firewall.

The most significant finding is the mail server for Iran's **Ministry of Foreign Affairs** at 109[.]201[.]11[.]102. Shodan records the hostname as cp.mfa.gov.ir; the "cp" prefix suggests a cPanel control panel on the same host that processes diplomatic email. The server runs **Exim 4.98** and exposes five ports: SMTP (25), SMTPS (465), Submission (587), IMAPS (993), and mDNS (5353). mDNS is a link-local service-discovery protocol and has no reason to be reachable from the Internet at all. Its TLS certificate is **self-signed**. Shodan's InternetDB reports three high-severity CVEs:

This is the server that handles communications between Iran's embassies worldwide and the Foreign Ministry in Tehran. Three apparently unpatched vulnerabilities, one enabling remote code execution via buffer overflow and another allowing SQL injection without authentication, sit on the system that processes diplomatic cables. One caveat applies: InternetDB attributes CVEs by matching the advertised version banner, so a vendor or distribution backport could leave the banner at 4.98 while the bug itself is fixed. These should be read as probable rather than confirmed exposure until checked against the actual build.

The self-signed certificate is a weakness in its own right. Because it chains to no trusted root, every embassy mail client (and every peer server negotiating TLS with it) must either pin that exact certificate or be configured to skip validation. In the common second case, an adversary positioned between an embassy and Tehran can present its own certificate and terminate the TLS session without triggering any warning, because there is no trust chain for the substitution to break. On ports 25 and 587, where TLS is negotiated via STARTTLS, the same adversary can also strip the STARTTLS offer and force cleartext unless the client is configured to require encryption.

A /24 network block associated with Iranian government IT services contains **35 hosts** with notable security issues. The highlights:
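The passive workflow described above (pull the InternetDB record, harvest hostnames from CT logs, triage what comes back) can be reproduced with nothing but the standard library. The script below is an added example for this article, not the Intercept Cell tooling. It assumes the public InternetDB endpoint at `https://internetdb.shodan.io/{ip}` (which returns `ip`, `ports`, `hostnames`, `cpes`, `tags` and `vulns`) and the crt.sh JSON export; the scoring weights and the sample records are constructed for illustration, and the three CVE strings in the sample are placeholders rather than the identifiers the article refers to.

```python
# Added example (not the article author's tooling): triage a Shodan InternetDB
# record and flatten crt.sh JSON into hostnames, using pre-indexed data only.
# All sample records below are constructed for illustration.
import json
import urllib.request
from dataclasses import dataclass, field

INTERNETDB_URL = "https://internetdb.shodan.io/{ip}"        # unauthenticated JSON
CRTSH_URL = "https://crt.sh/?q=%25.{domain}&output=json"     # %25 is a URL-encoded '%'

# Mail roles by TCP port. mDNS (5353) is link-local service discovery and should
# never be reachable from the Internet, so it is flagged separately.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 993: "imaps",
              110: "pop3", 995: "pop3s", 143: "imap"}
ODD_PORTS = {5353: "mdns"}
PANEL_PREFIXES = ("cp.", "cpanel.", "whm.", "plesk.", "webmin.")


@dataclass
class Finding:
    ip: str
    hostnames: list
    roles: list          # mail roles inferred from open ports
    odd_ports: list      # ports that make no sense on an Internet-facing host
    panel_hosts: list    # hostnames that look like admin/control-panel endpoints
    cves: list           # InternetDB 'vulns' (banner-matched, see notes)
    score: int           # arbitrary triage weight, assumption of this example
    notes: list = field(default_factory=list)


def fetch_internetdb(ip: str) -> dict:
    """Pull the pre-indexed record from Shodan; nothing is sent to the target."""
    with urllib.request.urlopen(INTERNETDB_URL.format(ip=ip), timeout=10) as resp:
        return json.load(resp)


def fetch_crtsh(domain: str) -> list:
    """Pull Certificate Transparency entries for *.domain from crt.sh."""
    with urllib.request.urlopen(CRTSH_URL.format(domain=domain), timeout=30) as resp:
        return json.load(resp)


def triage(record: dict) -> Finding:
    ports = sorted(record.get("ports", []))
    hostnames = sorted(record.get("hostnames", []))
    roles = [MAIL_PORTS[p] for p in ports if p in MAIL_PORTS]
    odd = [p for p in ports if p in ODD_PORTS]
    panels = [h for h in hostnames if h.lower().startswith(PANEL_PREFIXES)]
    cves = sorted(record.get("vulns", []))
    notes = []
    if cves:
        # InternetDB derives 'vulns' from the advertised version (the cpes list);
        # a distro backport can leave the banner old while the bug is fixed, so
        # treat these as likely, not confirmed, until the build is checked.
        cpes = record.get("cpes") or ["(no cpe)"]
        notes.append("CVEs are banner-matched from " + ", ".join(cpes))
    if panels and roles:
        notes.append("control panel and mail service share one host")
    if odd:
        notes.append("unexpected ports: " +
                     ", ".join("%d/%s" % (p, ODD_PORTS[p]) for p in odd))
    score = 3 * len(cves) + 2 * len(odd) + 2 * len(panels) + (1 if roles else 0)
    return Finding(record.get("ip", ""), hostnames, roles, odd, panels, cves, score, notes)


def hostnames_from_crtsh(entries: list) -> list:
    """Flatten crt.sh rows into a unique, sorted hostname list. name_value holds
    newline-separated SANs; common_name is not always among them."""
    names = set()
    for e in entries:
        names.update(n.strip().lower() for n in e.get("name_value", "").split("\n")
                     if n.strip())
        if e.get("common_name"):
            names.add(e["common_name"].strip().lower())
    return sorted(names)


# Constructed sample in InternetDB's shape. IP, hostname, ports and Exim version
# are the article's; the three CVE strings are placeholders, not the real IDs.
SAMPLE_RECORD = {
    "ip": "109.201.11.102",
    "hostnames": ["cp.mfa.gov.ir"],
    "ports": [25, 465, 587, 993, 5353],
    "cpes": ["cpe:/a:exim:exim:4.98"],
    "tags": [],
    "vulns": ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"],
}

# Constructed crt.sh-style rows under a neutral domain.
SAMPLE_CT = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.example.gov",
     "name_value": "mail.example.gov\nwebmail.example.gov"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.gov",
     "name_value": "example.gov\nwww.example.gov\nmail.example.gov"},
]

if __name__ == "__main__":
    f = triage(SAMPLE_RECORD)
    print(f"{f.ip} roles={f.roles} odd={f.odd_ports} panels={f.panel_hosts} "
          f"cves={len(f.cves)} score={f.score}")
    for n in f.notes:
        print("  note:", n)
    print("CT hostnames:", hostnames_from_crtsh(SAMPLE_CT))
```

Swap `SAMPLE_RECORD` for `fetch_internetdb("109.201.11.102")` and `SAMPLE_CT` for `fetch_crtsh("mfa.gov.ir")` to run it live; both calls go to the indexing services, not to the target, which preserves the passive-only property the article relies on. The triage deliberately keeps the banner-matched CVE list separate from anything it asserts as confirmed.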