7071 is not open to the outside. The attempts are targeting an e-mail address that is not zimbra admin. I had several thousand attempts over 30 minutes, so this is an automated attack.
I have a stateful firewall in front of this box. The only ports I have open are:
* 25 and 587 for SMTP (587 is forwarded to 25)
* 143 and 993 for IMAP
* 110 and 995 for POP
* 80 and 443 for HTTP
I tried using the web UI and Zimbra Desktop and they both provide the correct source IP and ua=zclient or ua=Yahoo! Zimbra Desktop. When I log in as a zimbra admin the ua=ZimbraWebClient. Evidently there is a scenario when the ip is recorded as the ip of the box and the ua does not get logged for soap requests.
Under what scenario is the IP address set as the local server address and the ua not recorded in the log for soap requests? Is the ua set by the client for a soap authentication request?
Thanks for your help.
==================================
Zimbra Mail Login: 2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=65.12.278.236;ua=zclient/5.0.7_GA_2444.UBUNTU6;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz, account lockout;
Zimbra Admin Login: 2008-08-13 20:07:07,776 WARN [btpool0-9] [ip=65.12.278.236;ua=ZimbraWebClient - FF3.0 (Win);] security - cmd=Auth; account=abc@xxx.mydomain.com; protocol=soap; error=authentication failed for admin@xxx.mydomain.com, invalid password;
Zimbra Desktop Login: 2008-08-13 19:54:36,878 WARN [btpool0-9] [ip=65.12.278.236;ua=Yahoo! Zimbra Desktop/0.90_1251_Windows;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz@mydomain.com, account lockout;
Hack Request: 2008-08-13 06:57:57,655 INFO [btpool0-0] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; error=account lockout due to too many failed logins;
2008-08-13 06:58:03,725 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for admin, account lockout;
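
An added example, not part of the original post: a small parser for the audit-log lines quoted above that counts failed Auth events whose logged source is the server itself and which carry no ua field. The function names are hypothetical, and 10.10.1.2 is assumed to be the mail server's own address, as the post implies.

```python
import re
from collections import Counter

# Sample lines copied from the post above, with the poster's labels removed.
SAMPLE = """\
2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=65.12.278.236;ua=zclient/5.0.7_GA_2444.UBUNTU6;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz, account lockout;
2008-08-13 20:07:07,776 WARN [btpool0-9] [ip=65.12.278.236;ua=ZimbraWebClient - FF3.0 (Win);] security - cmd=Auth; account=abc@xxx.mydomain.com; protocol=soap; error=authentication failed for admin@xxx.mydomain.com, invalid password;
2008-08-13 06:57:57,655 INFO [btpool0-0] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; error=account lockout due to too many failed logins;
2008-08-13 06:58:03,725 WARN [btpool0-7] [ip=10.10.1.2;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for admin, account lockout;
"""

# timestamp, level, [thread], [context pairs], then the "security -" body pairs
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<thread>[^\]]+)\] \[(?P<ctx>[^\]]*)\] security - (?P<body>.*)"
)

def parse_pairs(text):
    """Split 'k=v;k=v;' into a dict; values may contain spaces but not ';'."""
    out = {}
    for part in text.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            out[key] = value
    return out

def parse_line(line):
    """Return one audit event as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"ts": m["ts"], "level": m["level"]}
    event.update(parse_pairs(m["ctx"]))
    event.update(parse_pairs(m["body"]))
    return event

def local_source_failures(lines, server_ip):
    """Count Auth errors per account logged with the server's own ip and no ua."""
    hits = Counter()
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("cmd") != "Auth" or "error" not in ev:
            continue
        src = ev.get("ip") or ev.get("oip")  # both key names appear in the post
        if src == server_ip and "ua" not in ev:
            hits[ev["account"]] += 1
    return hits

if __name__ == "__main__":
    print(local_source_failures(SAMPLE.splitlines(), "10.10.1.2"))
```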