Zimbra

higeon · #1 (**permalink**) 06-29-2009, 01:12 AM

Hi, all
Anyone help!
How to Restrict it?

the zimbra.log is here:

Jun 29 04:02:56 mail postfix/smtpd[17503]: connect from unknown[86.60.97.105]
Jun 29 04:03:45 mail postfix/smtpd[17503]: E4EBB47001B5: client=unknown[86.60.97.105]
Jun 29 04:03:47 mail postfix/qmgr[2703]: 77BA64700255: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: AF718470024B: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 01141470019C: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 0D52D47002A0: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2717A47001C6: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2A6D34700222: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2C0794700252: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2930D4700207: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 26C3847001BB: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2A4864700215: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2A05B4700221: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2D41347002CD: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 270C6470019A: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2C2CB470024E: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2743447001BE: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 26CFC47001B0: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2BA4A4700240: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2E54F47002A9: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)
Jun 29 04:03:47 mail postfix/qmgr[2703]: 2FA5447002D0: from=<ccsb@coffeyville.edu>, size=1180, nrcpt=10 (queue active)

phoenix · #2 (**permalink**) 06-29-2009, 01:18 AM

Tell us some details about your Zimbra set-up, start with the putting the output of the following command in your forum profile (don't post in this thread):

Code:

zmcontrol -v

When did this problem start? Why do you think it's your system sending spam rather than NDR Spam that you're receiving? Which account is sending the spam? Have you checked to see if that really is the case? Is the 'compromised' account a local or remote user? Have you checked to see if you're acting as an open relay (search the web for sites that will check that)? Are all the machines on your LAN clean, have they been checked for viruses or bots recently?

Do you also have a strong password pilocy for your Zimbra user accounts?

uxbod · #3 (**permalink**) 06-29-2009, 01:22 AM

Welcome to the forums

What do you have specified for your trusted networks in the MTA tab of the Admin GUI ? have you checked whether you server is a open relay using something like Mail relay testing ?

higeon · #4 (**permalink**) 06-29-2009, 01:29 AM

[zimbra@mail ~]$ zmcontrol -v
Release 5.0.14_GA_2850.RHEL5_20090303142201 CentOS5 FOSS edition

[zimbra@mail ~]$ zmprov gs `zmhostname` | grep zimbraMtaMyNetworks
zimbraMtaMyNetworks: 127.0.0.0/8 172.16.10.0/24 192.168.0.0/16

higeon · #5 (**permalink**) 06-29-2009, 01:52 AM

Mail relay testing by Mail relay testing

Mail relay testing
Connecting to 203.179.82.186 for anonymous test ...
......
......
......
Relay test result
All tests performed, no relays accepted.

uxbod · #6 (**permalink**) 06-29-2009, 01:56 AM

Check /opt/zimbra/log/audit.log for that IP address and see if one of your accounts has been compromised.

higeon · #7 (**permalink**) 06-29-2009, 02:16 AM

I cannot find the IP address 86.60.97.105
but found a lot of logs such as:

2009-06-29 04:48:00,775 INFO [btpool0-125] [name=data@newcon.co.jp;ip=127.0.0.1;] security - cmd=Auth; account=data@newcon.co.jp; protocol=soap;

I think the account compromised is data@newcon.co.jp.
But why the IP is 127.0.0.1?

uxbod · #8 (**permalink**) 06-29-2009, 02:21 AM

Do you have SSH or Telnet to your server open to the Internet ? I would recommend that you also check your server for r00tkits etc to ensure it has not been hacked.

higeon · #9 (**permalink**) 06-29-2009, 02:37 AM

Yes, I can SSH to the server.
How check it?

uxbod · #10 (**permalink**) 06-29-2009, 02:43 AM

chkrootkit -- locally checks for signs of a rootkit also check /var/log/secure for any successful connections from IP addresses you do not know.

Zimbra

Downloads

Product Information

Toolbox

Why Join?