attacks via SOAP calls on server external ip

[leenewton]

Hi guys, hoping someone can point me in the right direction. I'm seeing log entries like the following appear in /opt/zimba/log/mailbox.log

2012-02-08 15:54:46,005 INFO [btpool0-95://mail.server.com:7071/service/admin/soap/] [name=lee@server.com;ip=xx.xx.xx.xx;] SoapEngine - handler exception: authentication failed for postmaster, invalid password

Where xx.xx.xx.xx is the external ip of my zimbra server. It's my understanding, log entries from btpool are originated from zimbra's http interface. What confuses me is how the external ip of the server is getting in there. If this was a regular request via the zimbra admin web interface I would expect to see the remote ip address of the client. I see no evidence of intrusion on my server and these requests are circumventing apf firewall rules which restrict all access from beyond the external ip to a handful of remote addresses I've granted access to the zimbra web admin interface.

What am I missing, how are these requests being formed?

[phoenix]

Hi guys, hoping someone can point me in the right direction.

The right direction for (or to) what?

'm seeing log entries like the following appear in /opt/zimba/log/mailbox.log

2012-02-08 15:54:46,005 INFO [btpool0-95://mail.server.com:7071/service/admin/soap/] [name=lee@server.com;ip=xx.xx.xx.xx;] SoapEngine - handler exception: authentication failed for postmaster, invalid password

I guess you've implemented strong passwords?

Where xx.xx.xx.xx is the external ip of my zimbra server. It's my understanding, log entries from btpool are originated from zimbra's http interface.

That would be https for the Admin UI although I guess you've also enabled https for the Web UI as well (you should)?

What confuses me is how the external ip of the server is getting in there. If this was a regular request via the zimbra admin web interface I would expect to see the remote ip address of the client. I see no evidence of intrusion on my server and these requests are circumventing apf firewall rules which restrict all access from beyond the external ip to a handful of remote addresses I've granted access to the zimbra web admin interface.

You should really use a VPN to access the Admin UI from outside your LAN.

What am I missing, how are these requests being formed?

I guess they're being formed by something that's attempting to get into your server. Is your server on a LAN or just a public IP?

You should also update your forum profile with the output of the following command:

Code:

zmcontrol -v

[det]

i encounter it too.

for the same admin account. i get 2 diff. logs. how is the first log possible? why is it showing the mail server IP instead of the remote IP? there are multiple differences in the logs like:

- /service/admin/soap/AuthRequest vs /service/admin/soap
- ip of the zimbra server vs remote ip from where the zimbra server is being access from


2012-03-21 06:00:08,305 WARN [btpool0-475://mail.thedomain.com.sg:7071/service/admin/soap/] [name=postmaster@thedomain.com.sg;ip=zimbra_mail_se rver_ip;] security - cmd=Auth; account=postmaster@thedomain.com.sg; protocol=soap; error=authentication failed for postmaster, invalid password;

2012-03-22 11:13:39,002 WARN [btpool0-543://mail.thedomain.com.sg:7071/service/admin/soap/AuthRequest] [name=user2@thedomain.com.sg;ip=remote_ip;ua=Zimbra WebClient - FF3.0 (Mac);] security - cmd=AdminAuth; account=user2; error=authentication failed for user2;

[ivan78]

What am I missing, how are these requests being formed?

Had the same problem.
After some digging I found that these log entries are caused by SMTP authentication.

Steps to reproduce:

Code:

ivan@nsk-eclipse:~> echo test_user | base64
dGVzdF91c2VyCg==

ivan@nsk-eclipse:~> telnet mail 25
ehlo test
auth login
dGVzdF91c2VyCg==
dGVzdF91c2VyCg==
quit
ivan@nsk-eclipse:~>

Code:

root@mail:~# grep test_user /opt/zimbra/log/mailbox.log 
2012-10-31 05:05:00,625 INFO  [btpool0-975://mail.propertyminder.com:7071/service/admin/soap/] [ip=10.0.1.11;] SoapEngine - handler exception: authentication failed for [test_user], account not found

root@mail:~# grep SASL /var/log/maillog | tail -1
Oct 31 05:05:00 mail postfix/smtpd[13571]: warning: unknown[192.168.77.62]: SASL login authentication failed: authentication failure

Bug report related to this problem: Bug 44120 - IP Address in server logs shows server ip on failed logins