  #1 (permalink)  
Old 01-20-2012, 09:38 AM
Member
 
Posts: 13
Server Hijacked

Earlier today my Zimbra server was hijacked and messages were being sent out appearing to be from another domain. I've captured some of the messages in the hold queue.

If my user is me@mydomain.com can I stop my users from sending an email that appears to be from joedomain.com?

Why can my users send an email to appear as if it is coming from another domain?

Is there a way to find out how these messages were generated?

Do I need to fix something in my setup?

Thanks for your help.
  #2 (permalink)  
Old 01-20-2012, 09:45 AM
Zimbra Consultant & Moderator
 
Posts: 20,316

Quote:
Originally Posted by Kent17
Why can my users send an email to appear as if it is coming from another domain?
It's called a 'Persona' and it's a feature.

Quote:
Originally Posted by Kent17
Is there a way to find out how these messages were generated?
That would depend on what you mean by 'hijacked'; search the forums for the words "compromised account". If it's some form of rootkit then you'll have to check your server; if it's an infected PC then you'll have to check your LAN for the source.

Quote:
Originally Posted by Kent17
Do I need to fix something in my setup?
That would depend on what your problem actually is. If it's a hijacked account then you'll need to enforce strong passwords (look in the Admin UI for password settings).
__________________
Regards


Bill

Last edited by phoenix; 01-21-2012 at 05:58 AM..
  #3 (permalink)  
Old 01-20-2012, 10:46 AM
Member
 
Posts: 13

Thanks for the quick reply.

I will start searching about compromised accounts, and I've made some adjustments to our password policy. Hopefully that will help.

The 'Persona' feature, can this be disabled, and are there negatives that would come from disabling it?
  #4 (permalink)  
Old 01-20-2012, 12:48 PM
Member
 
Posts: 13

I believe the answer to my question is on this page

RestrictPostfixSenders - Zimbra :: Wiki

Thanks for your help.
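For the question of how the messages were generated, here is an added example (not part of the thread and not Zimbra's own code) that pairs each SASL login in the mail log with the envelope sender Postfix recorded for the same queue ID, and reports logins that sent mail as a foreign domain. The log lines are constructed in standard Postfix syslog format with short hexadecimal queue IDs, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in standard Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jan 20 08:12:01 mail postfix/smtpd[4121]: 3A1B2C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=me@mydomain.com
Jan 20 08:12:01 mail postfix/qmgr[2210]: 3A1B2C4D5E: from=<billing@joedomain.com>, size=2381, nrcpt=40 (queue active)
Jan 20 08:12:09 mail postfix/smtpd[4121]: 6F7A8B9C0D: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=me@mydomain.com
Jan 20 08:12:09 mail postfix/qmgr[2210]: 6F7A8B9C0D: from=<support@joedomain.com>, size=2377, nrcpt=40 (queue active)
Jan 20 08:15:30 mail postfix/smtpd[4188]: 9E8D7C6B5A: client=desk12[192.0.2.15], sasl_method=PLAIN, sasl_username=ann@mydomain.com
Jan 20 08:15:30 mail postfix/qmgr[2210]: 9E8D7C6B5A: from=<ann@mydomain.com>, size=912, nrcpt=1 (queue active)
"""

# smtpd logs the authenticated login; qmgr logs the envelope sender for the same queue ID.
AUTH_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=(\S+?), .*sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")

def find_sender_mismatches(log_text):
    """Return {login: [(queue_id, client, envelope_sender), ...]} for mail whose
    envelope sender domain differs from the authenticated login's domain."""
    auth = {}                      # queue ID -> (client, SASL login)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            auth[m.group(1)] = (m.group(2), m.group(3).lower())
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in auth:
            client, login = auth[m.group(1)]
            sender = m.group(2).lower()
            # An empty sender (<>) is a bounce, not a spoofed address; skip it.
            if sender and sender.rpartition("@")[2] != login.rpartition("@")[2]:
                hits[login].append((m.group(1), client, sender))
    return dict(hits)

if __name__ == "__main__":
    for login, msgs in find_sender_mismatches(SAMPLE_LOG).items():
        print(f"{login}: {len(msgs)} message(s) with a foreign sender domain")
        for qid, client, sender in msgs:
            print(f"  {qid} from={sender} client={client}")
```

A login that appears here with many messages from an unfamiliar client address is the account whose password should be reset first.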