
Thread: Zimbra 8.0.2 major security hole?

  1. #1
    ditto, Intermediate Member (joined Sep 2008)

    Zimbra 8.0.2 major security hole?

    I think I might have discovered a security hole in Zimbra 8.0.2 but I'm not sure how to validate it...

    When a user is set to global admin, spammers seem to be able to relay spam using zmpost WITHOUT a password. The logs show sasl_method=LOGIN successes but I don't think auth is really happening. I've tried changing the password to a strong 20+ character password that has never been used before and literally seconds later spammers are still using the account. There is no way they could brute force it that fast. If I change the password back to the original and disable the global admin on the account it completely stops. I see spammers attempting to use the account repeatedly but auth fails and locks the account at that point. Some details on my setup:

    My mail server sits behind a firewall on a private IP and I forward ports 25/143/587/993 to it only. Webmail is forwarded via apache's proxypass.
    I require TLS auth to relay mail. The accounts in question use unique strong passwords that exist only for email and are NOT being used for other web accounts.
    My admin interface is only available locally, not to the general internet.
    I've run zimbra for ~6 years like this with absolutely no issues until upgrading to 8.0.2. It's happened twice since then. Both times it took a few days after adding global admin to a user before spammers found the accounts and started using them. I currently have one global admin set up on a dedicated account with a fake internal-only domain. That should be a lot harder for them to figure out, but I and everyone else are in no way safe if this is in fact going on.

    Has anyone else seen this? Any ideas how this might be happening if it's not an exploit? Ideas on how to debug this without allowing spammers to relay mail through me and watching?

  2. #2
    uxbod, Moderator (joined Nov 2006, UK)

    Could you post an excerpt from mailboxd.log so we can see what is happening please?

  3. #3
    ditto, Intermediate Member (joined Sep 2008)

    Do you mean mailbox.log? I don't have a mailboxd.log.

    Here is one example of what I see in my logs. Identifying info has been replaced.

    mailbox.log (I use my external LDAP server and auth fails):

    2013-02-11 16:01:23,369 WARN [qtp1758906091-30430:https://192.168.0.11:7071/service/admin/soap/] [name=myadmin@mydomain.com;ip=192.168.0.11;] account - ldap auth for domain mydomain.com failed, fall back to zimbra default auth mechanism
    com.zimbra.cs.account.AccountServiceException$AuthFailedServiceException: authentication failed for [myadmin@mydomain.com]
    ExceptionId:qtp1758906091-30430:https://192.168.0.11:7071/service/ad...7fc02faa03907a
    Code:account.AUTH_FAILED

    /var/log/maillog.log (You can see the message being sent!):

    Feb 11 16:01:23 mail postfix/smtpd[18129]: BA5C6123355: client=host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196], sasl_method=LOGIN, sasl_username=myadmin@mydomain.com
    Feb 11 16:01:24 mail postfix/cleanup[16987]: BA5C6123355: message-id=<CHILKAT-MID-00000024-0054-0045-0041-004d00002400@s2003.giordano.locale>
    Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: from=<myadmin@mydomain.com>, size=3427, nrcpt=1 (queue active)
    Feb 11 16:01:24 mail postfix/smtpd[18350]: connect from localhost[127.0.0.1]
    Feb 11 16:01:24 mail postfix/smtpd[18350]: 79A9E12335C: client=localhost[127.0.0.1]
    Feb 11 16:01:24 mail postfix/cleanup[16987]: 79A9E12335C: message-id=<CHILKAT-MID-00000024-0054-0045-0041-004d00002400@s2003.giordano.locale>
    Feb 11 16:01:24 mail postfix/smtpd[18350]: disconnect from localhost[127.0.0.1]
    Feb 11 16:01:24 mail postfix/qmgr[6586]: 79A9E12335C: from=<myadmin@mydomain.com>, size=3885, nrcpt=1 (queue active)
    Feb 11 16:01:24 mail postfix/smtp[16988]: BA5C6123355: to=<batacke@comcast.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.98, delays=0.84/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10029): 250 2.0.0 Ok: queued as 79A9E12335C)
    Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: removed
    Feb 11 16:01:24 mail postfix/smtpd[18129]: disconnect from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]

    /var/log/zimbra.log (more detail):

    Feb 11 16:01:21 mail postfix/smtpd[18129]: connect from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]
    Feb 11 16:01:21 mail postfix/smtpd[18129]: Anonymous TLS connection established from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    Feb 11 16:01:22 mail saslauthd[6597]: zmauth: authenticating against elected url 'https://mail.internaldomain:7071/service/admin/soap/' ...
    Feb 11 16:01:23 mail zmconfigd[5909]: Fetching All configs
    Feb 11 16:01:23 mail zmconfigd[5909]: All configs fetched in 0.03 seconds
    Feb 11 16:01:23 mail saslauthd[6597]: zmpost: url='https://mail.internaldomain:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="292307"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_b38989b768e2c04155f8c84a21dd6ce39701b57a_69643d33363a34616437666665342d626138302d343235662d613033302d6632373035323064323631383b6578703d31333a313336303738393238333337313b76763d313a313b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>serenity</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Feb 11 16:01:23 mail saslauthd[6597]: auth_zimbra: myadmin@mydomain.com auth OK
    Feb 11 16:01:23 mail postfix/smtpd[18129]: NOQUEUE: filter: RCPT from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]: <myadmin@mydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<myadmin@mydomain.com> to=<batacke@comcast.net> proto=ESMTP helo=<s2003.giordano.locale>
    Feb 11 16:01:23 mail postfix/smtpd[18129]: BA5C6123355: client=host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196], sasl_method=LOGIN, sasl_username=myadmin@mydomain.com
    Feb 11 16:01:24 mail zmconfigd[5909]: Watchdog: service antivirus status is OK.
    Feb 11 16:01:24 mail zmconfigd[5909]: All rewrite threads completed in 0.00 sec
    Feb 11 16:01:24 mail zmconfigd[5909]: All restarts completed in 0.00 sec
    Feb 11 16:01:24 mail postfix/cleanup[16987]: BA5C6123355: message-id=<CHILKAT-MID-00000024-0054-0045-0041-004d00002400@s2003.giordano.locale>
    Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: from=<myadmin@mydomain.com>, size=3427, nrcpt=1 (queue active)
    Feb 11 16:01:24 mail amavis[1135]: (01135-14) ESMTP:[127.0.0.1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20130211T085440-01135-r3MPZO4L: <myadmin@mydomain.com> -> <batacke@comcast.net> Received: from mail.internaldomain ([127.0.0.1]) by localhost (mail.internaldomain [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <batacke@comcast.net>; Mon, 11 Feb 2013 16:01:24 -0500 (EST)
    Feb 11 16:01:24 mail amavis[1135]: (01135-14) Checking: nCmEud-lmNKQ ORIGINATING [82.107.99.196] <myadmin@mydomain.com> -> <batacke@comcast.net>
    Feb 11 16:01:24 mail postfix/smtpd[18350]: connect from localhost[127.0.0.1]
    Feb 11 16:01:24 mail postfix/smtpd[18350]: 79A9E12335C: client=localhost[127.0.0.1]
    Feb 11 16:01:24 mail postfix/cleanup[16987]: 79A9E12335C: message-id=<CHILKAT-MID-00000024-0054-0045-0041-004d00002400@s2003.giordano.locale>
    Feb 11 16:01:24 mail opendkim[6606]: 79A9E12335C: no signing table match for 'myadmin@mydomain.com'
    Feb 11 16:01:24 mail postfix/smtpd[18350]: disconnect from localhost[127.0.0.1]
    Feb 11 16:01:24 mail postfix/qmgr[6586]: 79A9E12335C: from=<myadmin@mydomain.com>, size=3885, nrcpt=1 (queue active)
    Feb 11 16:01:24 mail amavis[1135]: (01135-14) FWD from <myadmin@mydomain.com> -> <batacke@comcast.net>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10029): 250 2.0.0 Ok: queued as 79A9E12335C
    Feb 11 16:01:24 mail amavis[1135]: (01135-14) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [82.107.99.196]:2138 [82.107.99.196] <myadmin@mydomain.com> -> <batacke@comcast.net>, Queue-ID: BA5C6123355, Message-ID: <CHILKAT-MID-00000024-0054-0045-0041-004d00002400@s2003.giordano.locale>, mail_id: nCmEud-lmNKQ, Hits: -, size: 3426, queued_as: 79A9E12335C, 136 ms
    Feb 11 16:01:24 mail postfix/smtp[16988]: BA5C6123355: to=<batacke@comcast.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.98, delays=0.84/0/0/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10029): 250 2.0.0 Ok: queued as 79A9E12335C)
    Feb 11 16:01:24 mail postfix/qmgr[6586]: BA5C6123355: removed
    Feb 11 16:01:24 mail amavis[910]: (00910-06) ESMTP:[127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20130211T111056-00910-QlML1sjL: <mydomain@myadmin.com> -> <batacke@comcast.net> SIZE=3885 BODY=7BIT Received: from mail.internaldomain ([127.0.0.1]) by localhost (mail.internaldomain [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <batacke@comcast.net>; Mon, 11 Feb 2013 16:01:24 -0500 (EST)
    Feb 11 16:01:24 mail amavis[910]: (00910-06) Checking: vXBO6Cqw32Oa MYNETS [127.0.0.1] <myadmin@mydomain.com> -> <batacke@comcast.net>
    Feb 11 16:01:24 mail postfix/smtpd[18129]: disconnect from host196-99-static.107-82-b.business.telecomitalia.it[82.107.99.196]
    Feb 11 16:01:25 mail postfix/smtpd[16992]: connect from localhost[127.0.0.1]
    Feb 11 16:01:25 mail postfix/smtpd[16992]: 6AE46123355: client=localhost[127.0.0.1]
    Feb 11 16:01:25 mail postfix/cleanup[16987]: 6AE46123355: message-id=<CHILKAT-MID-00000024-0054-0045-0041-004d00002400@s2003.giordano.locale>
    Feb 11 16:01:25 mail postfix/smtpd[16992]: disconnect from localhost[127.0.0.1]
    Feb 11 16:01:25 mail postfix/qmgr[6586]: 6AE46123355: from=<myamin@mydomain.com>, size=4275, nrcpt=1 (queue active)
    Feb 11 16:01:25 mail amavis[910]: (00910-06) FWD from <myadmin@mydomain.com> -> <batacke@comcast.net>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6AE46123355
    Feb 11 16:01:25 mail amavis[910]: (00910-06) Passed CLEAN {RelayedOutbound}, MYNETS LOCAL [127.0.0.1]:43166 [82.107.99.196] <myadmin@mydomain.com> -> <batacke@comcast.net>, Queue-ID: 79A9E12335C, Message-ID: <CHILKAT-MID-00000024-0054-0045-0041-004d...iordano.locale>, mail_id: vXBO6Cqw32Oa, Hits: -1.45, size: 3850, queued_as: 6AE46123355, 898 ms
    Feb 11 16:01:25 mail postfix/smtp[18352]: 79A9E12335C: to=<batacke@comcast.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.95, delays=0.05/0/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6AE46123355)
    Feb 11 16:01:25 mail postfix/qmgr[6586]: 79A9E12335C: removed
    Feb 11 16:01:26 mail postfix/smtp[18355]: 6AE46123355: to=<batacke@comcast.net>, relay=fakerelay.com[1.2.3.4]:25, delay=0.68, delays=0.01/0.01/0.14/0.53, dsn=2.0.0, status=sent (250 OK BE/3A-27917-72C59115)
    Feb 11 16:01:26 mail postfix/qmgr[6586]: 6AE46123355: removed

  4. #4
    liverpoolfcfan, Outstanding Member (joined Oct 2009, Dublin, IRELAND)

    Is it possible that this is the issue? "account - ldap auth for domain mydomain.com failed, fall back to zimbra default auth mechanism"

    Is it possible that the fallback to zimbra auth is accepting no password as none has been set up locally for the users? Can you disable the local zimbra fallback for authentication?

  5. #5
    ditto, Intermediate Member (joined Sep 2008)

    I have no local users except the dedicated admin account; it's all my external LDAP. Also in the webui "If fail, fall back to local password management" is disabled for the domain. Is there some value I can check from the CLI to see if that's actually doing anything?

  6. #6
    speno, Senior Member (joined Apr 2010)

    It sounds like mail.log, which is generated from postfix. So you should be able to test this yourself directly by telnetting to postfix and issuing the commands for authentication to verify the issue you think you see.

    I've seen spammers keep their SMTP connections open such that even if you lock a Zimbra account (or change the password), the spam continues to flow as the connection has already been authenticated. Restarting postfix in that case will stop it. That could also be happening in this case.

  7. #7
    liverpoolfcfan, Outstanding Member (joined Oct 2009, Dublin, IRELAND)

    I found this KB article over on the VMware site. It seems we now have to search 2 sites to keep up to date ... ugh!

    Basically it says that for admins, fallback is always in place, regardless of the fallback configuration setting. It would suggest that if your spammer found the originally configured local password for any admin (or none was configured) then they could authenticate. This is exactly the theory I had suggested earlier.

    VMware KB: Zimbra user can authenticate with an incorrect external LDAP or AD password

  8. #8
    speno, Senior Member (joined Apr 2010)

    security patches

    There's now a patch kit for 8.0.2 and 7.2.2 that is marked as a security fix. No details are given and the bugzilla page is protected. I have no idea if this fixes the issue described here or not.

    Network Edition Downloads: Enterprise Messaging and Collaboration Software by Zimbra

  9. #9
    ditto, Intermediate Member (joined Sep 2008)

    Quote Originally Posted by liverpoolfcfan:
    I found this KB article over on the VMware site. It seems we now have to search 2 sites to keep up to date ... ugh!

    Basically it says that for admins, fallback is always in place, regardless of the fallback configuration setting. It would suggest that if your spammer found the originally configured local password for any admin (or none was configured) then they could authenticate. This is exactly the theory I had suggested earlier.

    VMware KB: Zimbra user can authenticate with an incorrect external LDAP or AD password

    That definitely appears to be what's going on. I re-enabled global admin on my user and was able to send mail using the regular password AND an old password for my dedicated admin account! My current dedicated admin account password did not work and neither did a blank password or no auth at all. I've *never* set a local password for my external auth admin. So it seems like it copies that from whatever local admin you happen to use to set it up at that time and never updates it.

    I can't think of a single good reason why zimbraAuthFallbackToLocal should ever be ignored for admin accounts. You can't lock yourself out as it's super simple to add a local admin account if/when needed. There's also no way that I can tell to maintain the local password without using the CLI either. Am I missing something here?
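One way to catch the pattern this thread describes in the logs, as an added example that is not from the thread, the KB article or Zimbra itself: it correlates the mailbox.log WARN line ("ldap auth ... failed, fall back to zimbra default auth mechanism") with a postfix smtpd line granting SMTP AUTH to the same account from a non-private IP within a short window. The sample log lines are constructed from the excerpts in post #3; the regexes, the 30-second window and the private-IP filter are my assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the thread's excerpts; not the poster's real logs.
MAILBOX_LOG = """\
2013-02-11 16:01:23,369 WARN [qtp1758906091-30430:https://192.168.0.11:7071/service/admin/soap/] [name=myadmin@mydomain.com;ip=192.168.0.11;] account - ldap auth for domain mydomain.com failed, fall back to zimbra default auth mechanism
"""
ZIMBRA_LOG = """\
Feb 11 16:01:23 mail postfix/smtpd[18129]: BA5C6123355: client=host196.example.net[82.107.99.196], sasl_method=LOGIN, sasl_username=myadmin@mydomain.com
Feb 11 16:07:41 mail postfix/smtpd[18200]: 1A2B3C4D5E6: client=laptop.lan[192.168.0.50], sasl_method=LOGIN, sasl_username=alice@mydomain.com
Feb 11 17:30:02 mail postfix/smtpd[18300]: 6F7A8B9C0D1: client=vps.example.org[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@mydomain.com
"""

# mailbox.log: external LDAP auth failed and Zimbra fell back to the local password.
FALLBACK_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ WARN .*\[name=([^;\]]+);.*"
    r"ldap auth for domain \S+ failed, fall back to zimbra default auth")
# zimbra.log / maillog: postfix accepted SASL AUTH for the account from a client IP.
SASL_RE = re.compile(
    r"^(\w{3} {1,2}\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[([\d.]+)\], sasl_method=(\w+), sasl_username=(\S+)")


def fallback_events(mailbox_log):
    """(timestamp, account) for each LDAP failure that fell back to the local password."""
    out = []
    for line in mailbox_log.splitlines():
        m = FALLBACK_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return out


def suspicious_logins(zimbra_log, fallbacks, year, window=timedelta(seconds=30)):
    """SASL logins from non-private IPs granted within `window` of a fallback event."""
    hits = []
    for line in zimbra_log.splitlines():
        m = SASL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip, method, user = m.group(2), m.group(3), m.group(4)
        if ipaddress.ip_address(ip).is_private:
            continue  # LAN clients are not the concern in this thread
        if any(u == user and abs(ts - fts) <= window for fts, u in fallbacks):
            hits.append({"time": ts.isoformat(), "account": user, "ip": ip, "method": method})
    return hits


if __name__ == "__main__":
    for hit in suspicious_logins(ZIMBRA_LOG, fallback_events(MAILBOX_LOG), 2013):
        print("SMTP AUTH granted via local-password fallback:", hit)
```

Run against the real files, the same correlation points at every admin account whose SMTP logins are being accepted by the local password rather than by the external LDAP directory.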
