Page 3 of 3 (results 21 to 30 of 30)

Thread: zimbra mail hacked

  #21 pasco (Active Member; joined Jun 2008; St. Gallen, Switzerland; 25 posts)

    Do you need more/other info?

    I would be very relieved if I could find the source of the problem. I don't know where/how to search.

    I just see a lot of spam mails in my mail queue, sent from localhost?! Even though I closed all e-mail accounts. How can this be possible?

    Thanks so much in advance.

  #22 Mike Scholes (Advanced Member; joined Dec 2007; 238 posts)

    Check your client machines; a machine infected with malware may well be sending out spam via your server. Does your Zimbra server relay for internal clients? You could use tcpdump and watch port 25 to see what's going on. Shut down all client machines, tcpdump the server, and see if it's still happening.

  #23 jholder (Former Zimbran; joined Oct 2005; Thatcher, AZ; 5,606 posts)

    Mark is right. This is a common problem for small companies because the admins don't put the Zimbra server on a different subnet.

    The Zimbra server must be on a different subnet than the Windows machines. The way "mynetworks" works is that anyone on that subnet is not auth'd. If a client on that subnet is infected, it will spam like crazy.

    Also, make sure you don't have a DHCP-served address on the server, because by design you will get the same subnet as the clients.

    All the best,
    john

  #24 pasco (Active Member; joined Jun 2008; St. Gallen, Switzerland; 25 posts)

    I run the Zimbra server in a DMZ with a 255.255.255.240 subnet. There are only the Zimbra server and a Windows server in this subnet. Yesterday I shut down the Windows server, but I still got all those spam e-mails in the mail queue on the Zimbra server.

    The Zimbra server also has a static IP address.

    Thanks a lot for your much-appreciated hints. I can still check what tcpdump will show, but only tomorrow, because I'm stuck in bed with the flu for now...

  #25 pasco (Active Member; joined Jun 2008; St. Gallen, Switzerland; 25 posts)

    OK. I tried this now:

    I shut down Postfix with the following command:

    Code:
    /opt/zimbra/bin/postfix stop
    Then I did a

    Code:
    tcpdump -p port 25 -X
    I got a lot of these:

    Code:
    18:47:00.967025 IP <my.server.domain>.smtp > <my.internal.router.IP>.35556: R 0:0(0) ack 1416549322 win 0
            0x0000:  4500 0028 0000 4000 4006 3773 c0a8 c10a  E..(..@.@.7s....
            0x0010:  c0a8 c101 0019 8ae4 0000 0000 546e d3ca  ............Tn..
            0x0020:  5014 0000 f93c 0000                      P....<..
    18:47:02.813531 IP <my.internal.router.IP>.35557 > <my.server.domain>.smtp: S 1427397831:1427397831(0) win 32767 <mss 16396>
            0x0000:  4500 002c 5a8f 4000 4006 dcdf c0a8 c101  E..,Z.@.@.......
            0x0010:  c0a8 c10a 8ae5 0019 5514 5cc7 0000 0000  ........U.\.....
            0x0020:  6002 7fff 9d97 0000 0204 400c 0000       `.........@...
    If I try to start Postfix with the following command:

    Code:
    /opt/zimbra/bin/postfix start
    I get:

    Code:
    postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.4.7.5z/conf/main.cf
    postfix/postfix-script: starting the Postfix mail system
    but zmcontrol status shows me:

    Code:
    antispam                Running
    antivirus               Running
    ldap                    Running
    logger                  Running
    mailbox                 Running
    mta                     Running
    snmp                    Running
    spell                   Running
    stats                   Running
    and there is no other service running on port 25.

    Then I ran:

    Code:
    postfix set-permissions
    and Postfix starts without errors.

    Postfix is relaying only for 127.0.0.1 and my DMZ subnet.

    Now I have an idea. My router has SPAMd installed, which means it's an open relay that passes e-mails straight to my Zimbra box. So if SPAMd doesn't work correctly and passes the spam mails through to the Zimbra box, to Zimbra it looks as if they come from a client (my router) in the trusted network... hmm...

    Is there a possibility to forbid local clients / clients from the trusted network to relay, or to make it so that no client without username/password can relay through Zimbra?
    Last edited by pasco; 01-14-2009 at 11:30 AM. Reason: Additional Information
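    Added example (not from the thread): a small Python script that does what the tcpdump step above does by eye, reading capture lines in the legacy tcpdump text format shown in this post and counting which source addresses keep opening connections to port 25 and which peers the server is resetting. With every legitimate client shut down, the top talker is the host injecting mail. The sample capture is constructed; two of its addresses are the ones that decode from the hex dump in the post (c0a8 c10a = 192.168.193.10, c0a8 c101 = 192.168.193.1), and the third is invented for illustration.

```python
import re
from collections import Counter

# Constructed sample in the legacy tcpdump text format used in the post above.
# 192.168.193.10 is the Zimbra box and 192.168.193.1 the router, as decoded from
# the hex dump (c0a8c10a / c0a8c101); 192.168.193.5 is an invented extra host.
SAMPLE_CAPTURE = """\
18:47:00.967025 IP 192.168.193.10.smtp > 192.168.193.1.35556: R 0:0(0) ack 1416549322 win 0
        0x0000:  4500 0028 0000 4000 4006 3773 c0a8 c10a  E..(..@.@.7s....
18:47:02.813531 IP 192.168.193.1.35557 > 192.168.193.10.smtp: S 1427397831:1427397831(0) win 32767 <mss 16396>
        0x0000:  4500 002c 5a8f 4000 4006 dcdf c0a8 c101  E..,Z.@.@.......
18:47:02.813600 IP 192.168.193.1.35558 > 192.168.193.10.smtp: S 1427397900:1427397900(0) win 32767 <mss 16396>
18:47:03.100000 IP 192.168.193.5.40001 > 192.168.193.10.smtp: S 11:11(0) win 5840 <mss 1460>
18:47:03.200000 IP 192.168.193.10.smtp > 192.168.193.5.40001: S 22:22(0) ack 12 win 5792 <mss 1460>
"""

# One TCP summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>".
# Hex-dump continuation lines start with whitespace and therefore do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPF.]+) (?P<rest>.*)$"
)

# tcpdump prints the service name unless run with -nn, so accept both spellings.
SMTP_PORTS = {"smtp", "25"}


def parse_summary_lines(capture):
    """Yield the parsed fields of every TCP summary line in the capture text."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def count_smtp_syns(capture):
    """Count pure SYNs (flag S, no 'ack') aimed at the SMTP port, per source IP.
    A SYN-ACK from the server has 'ack' in its tail and is not counted."""
    attempts = Counter()
    for pkt in parse_summary_lines(capture):
        if pkt["dport"] not in SMTP_PORTS:
            continue
        if pkt["flags"] == "S" and "ack" not in pkt["rest"].split():
            attempts[pkt["src"]] += 1
    return attempts


def count_server_resets(capture, server_ip):
    """Count RSTs the server sent from its SMTP port, per peer. Peers that keep
    getting reset while Postfix is stopped are still trying to hand over mail."""
    resets = Counter()
    for pkt in parse_summary_lines(capture):
        if (pkt["src"] == server_ip and pkt["sport"] in SMTP_PORTS
                and "R" in pkt["flags"]):
            resets[pkt["dst"]] += 1
    return resets


def top_talker(capture):
    """Source IP with the most connection attempts to port 25, or None."""
    syns = count_smtp_syns(capture)
    return syns.most_common(1)[0][0] if syns else None


if __name__ == "__main__":
    print("SYNs to port 25 per source:", dict(count_smtp_syns(SAMPLE_CAPTURE)))
    print("RSTs from server per peer:",
          dict(count_server_resets(SAMPLE_CAPTURE, "192.168.193.10")))
    print("Top talker:", top_talker(SAMPLE_CAPTURE))
```

    To run it against a real capture, feed it the text of `tcpdump -nn port 25` saved to a file (the `-nn` keeps addresses and ports numeric, so the port shows up as `25` rather than `smtp`). Newer tcpdump releases print `Flags [S]` instead of a bare `S`, so the pattern would need a small adjustment there.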

  #26 LMStone (Moderator; joined Sep 2006; 477 Congress Street | Portland, ME 04101; 1,366 posts)

    Quote Originally Posted by pasco:
        Postfix is relaying only for 127.0.0.1 and my DMZ subnet.
    What other machines are on your DMZ subnet?

    Perhaps you've got a borked server on your DMZ relaying through your Zimbra box?

    Hope that helps,
    Mark

  #27 pasco (Active Member; joined Jun 2008; St. Gallen, Switzerland; 25 posts)

    On the DMZ subnet there are the following three machines:

    1. Router
    2. Zimbra box
    3. Windows server (which I shut down, and still I got those spam floods)

    So I think the problem is a plug-in on my router (SPAMd) which acts as an open-relay SMTP server and passes the mails directly to Zimbra. That way it looks to Zimbra/Postfix as if the mail comes from the trusted network, as my router's DMZ interface must also be in the same subnet as the Zimbra box, as a matter of fact, I guess.

  #28 LMStone (Moderator; joined Sep 2006; 477 Congress Street | Portland, ME 04101; 1,366 posts)

    Quote Originally Posted by pasco:
        On the DMZ subnet there are the following three machines:

        1. Router
        2. Zimbra box
        3. Windows server (which I shut down, and still I got those spam floods)

        So I think the problem is a plug-in on my router (SPAMd) which acts as an open-relay SMTP server and passes the mails directly to Zimbra. That way it looks to Zimbra/Postfix as if the mail comes from the trusted network, as my router's DMZ interface must also be in the same subnet as the Zimbra box, as a matter of fact, I guess.
    Not really a DMZ if there is a router connecting it to other networks...

    Sounds like you need a real firewall between the router and the rest of that DMZ? Temporarily, just change the Trusted Networks parameter on Zimbra to include just the /32 IP of the Windows box and the 127. address pool, eliminating the router's DMZ IP.

    Hope that helps,
    Mark

  #29 pasco (Active Member; joined Jun 2008; St. Gallen, Switzerland; 25 posts)

    Quote Originally Posted by LMStone:
        Not really a DMZ if there is a router connecting it to other networks...

        Sounds like you need a real firewall between the router and the rest of that DMZ? Temporarily, just change the Trusted Networks parameter on Zimbra to include just the /32 IP of the Windows box and the 127. address pool, eliminating the router's DMZ IP.

        Hope that helps,
        Mark
    No no, it's a real DMZ :-). The router connects only to the DMZ for this subnet, and there's no way to connect from the DMZ to other subnets managed by this router.

    But the problem is found now - THANK YOU ALL very much! It was a very stupid little mistake which nearly drove me crazy. If only I had read the documentation of this router plug-in (IPCop - Copfilter add-on) more carefully... Exactly this kind of situation is described in there, as I have found out by now...

    So if I want to use the router's spam-filter plug-in, I need to restrict relaying to the Zimbra box only. I can do this by defining the Zimbra box's network interface as a /32 network, if I understand you correctly.

    I also found this in the Zimbra wiki: ZimbraMtaMyNetworks - Zimbra :: Wiki

    Code:
    zmprov modifyServer zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.130.10/32'
    postfix reload
    Right? And there will be no disadvantage in doing that other than that each client, including the local clients, needs to auth. Actually, that's exactly what I want - perfect! Thanks a lot!

    p@sco
    Last edited by pasco; 01-15-2009 at 06:11 AM.

  #30 pasco (Active Member; joined Jun 2008; St. Gallen, Switzerland; 25 posts)

    I still have a little problem:

    Code:
    zimbra@zimbra:~$ postconf mynetworks
    gives me:

    Code:
    mynetworks = 127.0.0.0/8 192.168.193.0/28
    even though I previously did:

    Code:
    zmprov modifyServer zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 192.168.193.10/32'
    postfix reload
    and even though I get:

    Code:
    zmprov getServer zimbra.whn.ch | grep zimbraMtaMyNetworks
    zimbraMtaMyNetworks: 127.0.0.0/8 192.168.193.10/32
    And my Zimbra box is still relaying mails from 192.168.193.1 (and from the whole subnet, I guess) and not only from 192.168.193.10. What am I doing wrong? Why do my changes not get written to the Postfix value 'mynetworks'?

    Thanks
    p@sco
    Last edited by pasco; 01-15-2009 at 07:50 AM.
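    Added example, not from the thread and not Zimbra's or Postfix's own code: a Python model of the relay decision that posts #23, #28, #29 and #30 are about. It walks the usual smtpd_recipient_restrictions order (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) for a client address against a mynetworks value, and runs the router's address 192.168.193.1 from post #30 against both the stale value postconf still reports and the tightened /32 value set with zmprov, so the effect of the change is visible without touching a server. The local domain example.com, the recipient domains and the Windows server's address are constructed.

```python
import ipaddress

# The two mynetworks strings quoted in post #30: what postconf still reported,
# and what was set with zmprov.
MYNETWORKS_STALE = "127.0.0.0/8 192.168.193.0/28"
MYNETWORKS_FIXED = "127.0.0.0/8 192.168.193.10/32"

LOCAL_DOMAINS = {"example.com"}   # domains this MTA is the final destination for (constructed)
ROUTER_IP = "192.168.193.1"       # the host that was feeding spam into Zimbra
ZIMBRA_IP = "192.168.193.10"
DMZ_HOSTS = {                     # the three machines listed in post #27
    ROUTER_IP: "router (IPCop/Copfilter)",
    ZIMBRA_IP: "zimbra box",
    "192.168.193.2": "windows server (address constructed)",
}


def parse_mynetworks(value):
    """Split a Postfix 'mynetworks' string into network objects. A bare address
    without a prefix length is a single host, which is how Postfix treats it."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def in_mynetworks(client_ip, networks):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def relay_decision(client_ip, rcpt_domain, networks, sasl_authenticated=False,
                   local_domains=LOCAL_DOMAINS):
    """Model of 'permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination' for one RCPT TO. Returns (accepted, reason).
    The first matching rule wins, which is why an over-wide mynetworks lets an
    unauthenticated host relay to any destination."""
    if in_mynetworks(client_ip, networks):
        return True, "permit_mynetworks"
    if sasl_authenticated:
        return True, "permit_sasl_authenticated"
    if rcpt_domain.lower() in local_domains:
        return True, "local destination"
    return False, "reject_unauth_destination (Relay access denied)"


def unauthenticated_relayers(networks_value, hosts):
    """Which of the given hosts may relay without SASL under this mynetworks value."""
    nets = parse_mynetworks(networks_value)
    return sorted(ip for ip in hosts if in_mynetworks(ip, nets))


def show(networks_value):
    nets = parse_mynetworks(networks_value)
    print(f"mynetworks = {networks_value}")
    cases = [
        (ROUTER_IP, "victim.example", False),   # spam relayed by the router plug-in
        (ROUTER_IP, "victim.example", True),    # same host, but SASL-authenticated
        ("203.0.113.7", "example.com", False),  # inbound mail for a local domain
        ("127.0.0.1", "victim.example", False), # the MTA's own loopback
    ]
    for ip, dom, auth in cases:
        ok, why = relay_decision(ip, dom, nets, sasl_authenticated=auth)
        verdict = "ACCEPT" if ok else "REJECT"
        print(f"  {ip:>15} -> {dom:<15} auth={str(auth):<5} {verdict} ({why})")
    print("  may relay without auth:",
          ", ".join(DMZ_HOSTS[ip] for ip in unauthenticated_relayers(networks_value, DMZ_HOSTS)))


if __name__ == "__main__":
    show(MYNETWORKS_STALE)
    show(MYNETWORKS_FIXED)
```

    With the /28 still in effect, every host on the DMZ subnet, the router included, is accepted under permit_mynetworks before authentication is ever consulted; with the /32, only the Zimbra box itself and loopback get that shortcut, and everyone else either authenticates or is limited to delivering into the local domains. The model does not answer why the zmprov value had not reached main.cf at the time of post #30; it only shows what each value implies once it is in effect.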
