Zimbra

VS-Francesco · #1 (**permalink**) 04-28-2011, 12:51 AM

Hi at all,
in those days spammers broke smtp authentication and they're sending a lot of spam from my mail server.
At first I notice a lot of auth of user admin:
zimbra.log

Code:

Apr 27 18:11:22 lnxgateda saslauthd[31646]: zmauth: authenticating against elected url 'https://mail.ciebspa.it:7071/service/admin/soap/' ...
Apr 27 18:11:22 lnxgateda saslauthd[31646]: zmpost: url='https://mail.xxxxxxxxxx.it:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="3403"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_f314449532eabd3a7b5c3266e7f1d9b618e0e30a_69643d33363a66613861303534392d306338652d343163302d626463632d3765303536623034613932633b6578703d31333a313330343039333438323531333b76763d313a303b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Apr 27 18:11:22 lnxgateda saslauthd[31646]: auth_zimbra: admin auth OK
Apr 27 18:11:23 lnxgateda postfix/smtpd[30107]: 080E429CC0E7: client=unknown[216.24.204.190], sasl_method=LOGIN, sasl_username=admin
Apr 27 18:11:32 lnxgateda postfix/cleanup[30185]: 080E429CC0E7: message-id=<20110427161123.080E429CC0E7@mail.xxxxxxxxx.it>
Apr 27 18:11:32 lnxgateda postfix/qmgr[7941]: 080E429CC0E7: from=<ememebercenter@ups.com>, size=6681, nrcpt=50 (queue active)
Apr 27 18:11:32 lnxgateda postfix/smtpd[30107]: disconnect from unknown[216.24.204.190]
Apr 27 18:11:32 lnxgateda amavis[32032]: (32032-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20110427T181132-32032: <ememebercenter@ups.com> -> <ljhill@aol.com>,<ljjjmarc@aol.com>,<ljlazard@aol.com>,<ljludy@aol.com>,<ljm0127@aol.com>,<ljmbsmlegal@aol.com>,<ljohnkj@aol.com>,<ljones1945@aol.com>,<ljonesdenise@aol.com>,<ljperez75@aol.com>,<ljrcwells@aol.com>,<ljs385@aol.com>,<ljones@boyshaven.org>,<ljhollenbeck@charter.net>,<ljr225@charter.net>,<ljhaley764@comcast.net>,<ljohn10557@comcast.net>,<ljmasil@cox.net>,<ljley@cs.com>,<ljschultz@dslextreme.com>,<ljoe19421@earthlink.com>,<ljkanofsky@gmail.com>,<ljnelson1989@gmail.com>,<ljpatron@gmail.com>,<ljkelly@granbury.com>,<ljgardner7@hotmail.com>,<ljl7joy@hotmail.com>,<ljlove21@hotmail.com>,<ljs510769@hotmail.com>,<ljs_designs@hotmail.com>,<ljredder@juno.com>,<l-j-scott@live.com>,<ljoesten@live.com>,<ljn0913@msn.com>,<ljohnson3@myway.com>,<ljmj@sumnet.tv>,<ljfuson71@yahoo.com>,<ljinjax@yahoo.com>,<ljlaa5@yahoo.com>,<ljmoore82@yahoo.com>,<ljnic22@yahoo....

So I changed the password, but they still " auth_zimbra: admin auth OK", so I deleted all the session of user admin (account-->right click on admin---> delete session) but they still send mail.
So I created other user, I gived it admin priviledges and I blocked old user admin.

How can I block this situation from the source?
Zimbra vers:
Release 7.0.1_GA_3105.RHEL5_64_20110304210645 CentOS5_64 FOSS edition.

Thank's at all!

phoenix · #2 (**permalink**) 04-28-2011, 02:25 AM

You should not, under any circumstances, have you Admin account accessible from any account external to your LAN (use a VPN). You should also enforce strong passwords, go to the COS in the Admin UI and look at the settings. There are also several threads in the forums if you'd like to search for them.