Thread: SOAP invalid password attempts

  1. #1
    jdz

    Hi,

    I use zimbra 7.2.0_GA_2669 on RHEL5_64.
    I have a mailbox that keeps getting locked due to repeated (WEB?) invalid password attempts...
    When we use imap, everything is fine (until the account gets locked).
    So I suspect some bad guy trying to brute force the password on the web interface (or a zimbra service using an old password?)...
    The problem is that I am unable to find his IP in the logs.

    Here's an example (1.2.3.4 is my zimbra server IP, and a.b.com its fqdn):

    Code:
      audit.log:
      2013-01-10 13:18:15,256 WARN  [btpool0-151://a.b.com:7071/service/admin/soap/] [name=me@example.com;ip=1.2.3.4;] security - cmd=Auth; account=me@example.com; protocol=soap; error=authentication failed for [me@example.com], invalid password;
      
      mailbox.log:
      2013-01-10 13:18:15,210 INFO  [btpool0-151://a.b.com:7071/service/admin/soap/] [ip=1.2.3.4;] soap - AuthRequest
      2013-01-10 13:18:15,256 INFO  [btpool0-151://a.b.com:7071/service/admin/soap/] [name=me@example.com;ip=1.2.3.4;] SoapEngine - handler exception: authentication failed for [me@example.com], invalid password
    
      access_log.2013-01-10:
      nothing at or close to the given time.
    So, I get successful IMAP connections mixed with failed "SOAP" connections... until the account gets locked.
    And I can only find my IPs/fqdn in the logs...
    Any idea where I can find the real IP behind the "SOAP" connection attempts?
    Thx.

    Regards,
    JD

  2. #2
    Aron-1

    Having this same issue.

    Trying to puzzle out the zmsoap syntax to try and either change the client mailbox password to match the ldap, or to at least see if I can't get it to break in such a way that it points back at what caused it in the first place.

    Client can login on the web, but SOAP fires 6-7 attempts with a bad password that eventually locks his account.

  3. #3
    jdz

    After reading other threads, it seems like these self "SOAP" connections appear with failed SMTP connections...

  4. #4
    Aron-1

    Originally posted by jdz:
      After reading other threads, it seems like these self "SOAP" connections appear with failed SMTP connections...

    Not sure. Since having these issues, I've migrated to a new server, upgraded the OS, and done at least three updates. Somewhere along the way, the problem disappeared.

    It very well could have been a mobile device that the user was logged into, changed passwords, and didn't bother updating the password on that one device. This would explain why there really weren't any errors showing up. Just a bad password attempt...
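Added example, not part of the thread or of Zimbra's own tooling: a Python parser for the audit.log failure format quoted in the first post that counts failed Auth attempts per account, source and endpoint, and marks sources that are the server's own address, where the real client has to be looked for in the logs of the local service that relayed the login. The sample lines are constructed from the quoted format; the `oip=` (originating IP) handling and the `/service/soap/` endpoint are assumptions that do not appear in the thread.

```python
import re
from collections import Counter

# Shape of the audit.log failure line quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+WARN\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+security - (?P<fields>.*)$"
)

def kv(text):
    """Split 'a=b; c=d;' into a dict, ignoring empty trailing parts."""
    out = {}
    for part in text.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            out[key] = value
    return out

def parse_failure(line):
    """Return account/ip/endpoint for a failed Auth line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx, fields = kv(m["ctx"]), kv(m["fields"])
    if fields.get("cmd") != "Auth" or "error" not in fields:
        return None
    return {
        "account": fields.get("account", ctx.get("name", "?")),
        # Assumption: prefer oip= when a proxy recorded the originating IP.
        "ip": ctx.get("oip") or ctx.get("ip", "?"),
        "endpoint": m["thread"].partition("://")[2],
    }

def summarize(lines, server_ips):
    """Count failures per (account, ip, endpoint); flag server-local sources."""
    hits = (parse_failure(l) for l in lines)
    counts = Counter((f["account"], f["ip"], f["endpoint"]) for f in hits if f)
    return [{"account": a, "ip": ip, "endpoint": ep, "failures": n,
             "local_origin": ip in server_ips}
            for (a, ip, ep), n in counts.most_common()]

# Constructed sample lines, modelled on the one in the first post.
T = ("2013-01-10 13:18:{s},256 WARN  [btpool0-15{n}://a.b.com{ep}] "
     "[name=me@example.com;ip={ip};] security - cmd=Auth; account=me@example.com; "
     "protocol=soap; error=authentication failed for [me@example.com], invalid password;")
SAMPLE = [T.format(s=s, n=1, ep=":7071/service/admin/soap/", ip="1.2.3.4") for s in (15, 16, 17)]
SAMPLE.append(T.format(s=20, n=2, ep="/service/soap/", ip="203.0.113.7"))

if __name__ == "__main__":
    for row in summarize(SAMPLE, {"1.2.3.4"}):
        print(row)
```

Rows with `local_origin` set and an endpoint on the admin SOAP port match the pattern in the thread, where the logged IP is the Zimbra server itself.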
