Hello,

I have Zimbra 7.1.14 on Ubuntu 8.0.4.
Today I got 6200 mails in the queue. I think it was an attack.

I searched the log and found that they log in with root:
Jun 9 09:46:49 mail postfix/smtpd[30918]: 93750F88002: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[30920]: 9754DF88004: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[30919]: 97DDAF88013: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[30916]: 9904EF88014: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[29346]: A83D4F88015: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:50 mail postfix/smtpd[30915]: 3DD56F88016: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:50 mail postfix/smtpd[30917]: E8CFEF88017: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root

I don't have any root Zimbra account. All authentication is done against Active Directory and there is no root account.

The Linux root account has a very strong password. I will change it as a precaution.
I have a strong fail2ban: 3 bad attempts and a block for 8 hours.

Am I alone with this style of attack?

Thanks
Sebastien BERGER
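
As an added example (not part of the original post): Postfix writes a `client=..., sasl_method=..., sasl_username=...` line with a queue ID when it accepts a message from a session that has already authenticated, so a tally of these lines per username and client IP shows which credential is feeding the queue. The function names, the threshold and window, the year passed to the parser and the last sample line are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# smtpd line logged when a message from a SASL-authenticated client is queued
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"(?P<qid>[0-9A-F]+):\s+client=[^\[]+\[(?P<ip>[^\]]+)\],\s+"
    r"sasl_method=\S+,\s+sasl_username=(?P<user>\S+)"
)

def parse(lines, year=2000):
    """Yield (timestamp, user, ip, queue_id). Syslog omits the year, so `year` is assumed."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"], m["qid"]

def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, ip): peak messages queued within `window`} for pairs reaching `threshold`."""
    times = defaultdict(list)
    for ts, user, ip, _ in parse(lines):
        times[(user, ip)].append(ts)
    bursts = {}
    for key, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts

# First five lines are copied from the post; the last one is constructed for contrast.
SAMPLE = """\
Jun 9 09:46:49 mail postfix/smtpd[30918]: 93750F88002: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[30920]: 9754DF88004: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[30919]: 97DDAF88013: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[30916]: 9904EF88014: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:46:49 mail postfix/smtpd[29346]: A83D4F88015: client=unknown[120.141.234.170], sasl_method=LOGIN, sasl_username=root
Jun 9 09:47:10 mail postfix/smtpd[29350]: B12C3F88020: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
""".splitlines()

if __name__ == "__main__":
    for (user, ip), count in find_bursts(SAMPLE).items():
        print(f"{user} from {ip}: {count} messages queued within 60s")
```

Because these lines record accepted messages rather than rejected logins, they sit outside what a fail2ban rule keyed on authentication failures counts.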