[SOLVED] My zimbra server is under spamming attack.

[ght]

I think my server is under such attack mentioned below :
How can I prevent my server from crashing in a DOS attack??

there are about 400,000 mails in queue and mail server can not handle such huge mails and it is so slow and even local mails don't work.

How can I ban domains like msa.hinet.net , yahoo.com.tw , etc?

I entered zimbra administration website on port 7071, and go to the mail queue page, but I can not delete that huge mail with web interface and it says me :

Server error encountered Message: system failure: exception occurred performing queue action Error code: service.FAILURE Method: MailQueueActionRequest Details:soap:Receiver

please help me, I don't know how I can back to the normal state.

[n.bochev]

Log into the zimbra server as root and do :

cd /opt/zimbra/postfix/sbin
./postsuper -d ALL

That should do the trick deleting all emails in the queue.

[uxbod]

Remember that will delete everything including valid emails that are still in the queue

Do you have a secondary MX ? If so you could block access to port 25 externally which will give you time to clear the queue and work on how to stop this from happening again.

By any chance are you using catch-all accounts ? or are these emails targeted at valid addresses ? What RBLs do you have in place at the moment ?

[ght]

I've deleted all mails in queue. it is working now, but there are some problems in web-based interface, I can not modify my domain and change its status of one of my domains from Maintenance to Active (how Can I do this with command line?)
It is bad to say, but I have not any RBLs now, how can I run it?
Please give me straight forward directions, to don't let them attack me anymore.
It seems there is a problem in my firewall too, because it put his IP in the source IP that come from anywhere (It is fortigate 300A and maybe I should ask them how prevent this habit).
but for now, please give me directions about RBLs and activating domain via command line.
Thank you very much

[phoenix]

Improving Anti-spam system - Zimbra :: Wiki Search the forums for adding RBLs and using zmprov to change from maintenance mode.

[ght]

I've searched but I did not find something useful for activating a domain. I have three domains in my mail server, two of them is reachable by web-based interface for changing status but the third and most important domain, after one minutes give me this error:

Code:

Server error encountered Error code: BAD_JSON_RESPONSE Method: SearchDirectoryRequest

I found this post and it does not work for me too (even for an individual account).

Maintenance mode for all Accounts

If I delete the domain by zmprov and add it again, all mails will be deleted? is there anyway to active it in any config file, etc?

P.S. : I search in zimbra (zimbraAccountStatus=*active*) , and I found out all accounts in that domain I mentioned are Active, but when I want to login with them, I get this error: This account is currently in maintenance mode.
I think there is a difference between maintenance mode of a domain, and maintenance mode of an account, is that right?
Then how can I change mode for domain from command line, I didn't find any useful command for this page:
Managing Domains - Zimbra :: Wiki

FYI: my server is Ubuntu 8.04 and zimbra Release is 5.0.10_GA_2609.UBUNTU8 UBUNTU8 FOSS edition.

[raj]

Did you try the following:

su - zimbra
zmprov md yourdomain.com zimbraDomainStatus active

Raj

[ght]

WoW,thanks, That works.
I've checked my mail server with this link and it said me your server is an open relay.

Is there anyway to restrict it from open relaying? Is that spamming attack because fo being open relay?

I've added those servers of my network in mynetwork option of postfix, is that enough?

[raj]

Zimbra by default is NOT open relay..you must have done something which is making it "open relay".
can you please explain what you have done ?

Raj

[ght]

I didn't do anything before attack (just installed and was happy with it). but one day I saw there is about 400,000 mails in queue from Taiwanese website. I saw it from web-based interface.
I have not enable anti-spam engine too. but maybe it was because of trusted hosts. I added a range of IPs of my server zone that my firewall was in it too. I saw that many mails source IP is from Firewall. I think it replaces its IP by the main source and that makes problems. what you think?