Finding SMTP auth IPs

ZCS/ZD Version: Release 8.8.11_GA_3737.RHEL7_64_201

Post by rsaeks »

We frequently have an issue of people attempting to send mail through our server by guessing user passwords. Eventually this causes an account to get locked out. I'm looking at using fail2ban (currently works fine with web-based attempted logins - blocks IP after 5 attempts) for SMTP requests and am doing some testing to try and find the source IP; however, I'm not having any luck in tracking down the source.

After testing an account, here is what I'm seeing:

From zimbra.log:

saslauthd[31634]: auth_zimbra: zmsupport auth failed: authentication failed for [zmsupport]

From audit.log:

WARN  [qtp509886383-1554:https://192.168.40.8:7071/service/admin/soap/] [name=zmsupport@glencoeschools.org;ip=192.168.40.8;] security - cmd=Auth; account=zmsupport@glencoeschools.org; protocol=soap; error=authentication failed for [zmsupport], invalid password;

From mailbox.log:

WARN [qtp509886383-1554:https://192.168.40.8:7071/service/admin/soap/] [name=zmsupport@glencoeschools.org;ip=192.168.40.8;] SoapEngine - handler exception: authentication failed for [zmsupport], invalid password

None of those have the source IP. Is there a different log file that would contain that information I'm not seeing?

Release 8.6.0_GA_1153.RHEL7_64_20141215151204 RHEL7_64 NETWORK edition, Patch 8.6.0_P7
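
A triage sketch for the log lines quoted in the post, added here as an example (not part of the original post and not Zimbra code): it pulls the account and the ip= field out of each failed-auth line and marks the IP as "self" when it equals the host in the endpoint URL on the same line, which is why none of the quoted lines gives fail2ban anything to block. The function names, verdict labels and the 203.0.113.7 line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The three log lines quoted in the post, verbatim.
POST_LINES = [
    "saslauthd[31634]: auth_zimbra: zmsupport auth failed: authentication failed for [zmsupport]",
    "WARN  [qtp509886383-1554:https://192.168.40.8:7071/service/admin/soap/] [name=zmsupport@glencoeschools.org;ip=192.168.40.8;] security - cmd=Auth; account=zmsupport@glencoeschools.org; protocol=soap; error=authentication failed for [zmsupport], invalid password;",
    "WARN [qtp509886383-1554:https://192.168.40.8:7071/service/admin/soap/] [name=zmsupport@glencoeschools.org;ip=192.168.40.8;] SoapEngine - handler exception: authentication failed for [zmsupport], invalid password",
]
# Constructed line (not from the post): same layout, different ip= value.
CONSTRUCTED = POST_LINES[1].replace("ip=192.168.40.8;", "ip=203.0.113.7;")

FAILED = re.compile(r"authentication failed for \[([^\]]+)\]")
CTX_IP = re.compile(r"\[name=[^;\]]*;ip=([^;\]]+);")
# Host part of the endpoint URL in the thread prefix (IPv4 or hostname only).
ENDPOINT = re.compile(r"://([^/:\s]+)(?::\d+)?/")

def classify(line):
    """Return (account, ip, verdict) for a failed-auth line, else None.

    verdict: "no-ip"     -> the line carries no ip= field at all
             "self"      -> ip= equals the endpoint host on the same line
             "candidate" -> ip= differs from the endpoint host
    """
    failed = FAILED.search(line)
    if not failed:
        return None
    account = failed.group(1)
    ctx = CTX_IP.search(line)
    if not ctx:
        return account, None, "no-ip"
    ip = ctx.group(1)
    endpoint = ENDPOINT.search(line)
    if endpoint and endpoint.group(1) == ip:
        return account, ip, "self"
    return account, ip, "candidate"

def summarize(lines):
    """Count verdicts, and failures per IP for lines worth acting on."""
    results = [r for r in map(classify, lines) if r]
    verdicts = Counter(v for _, _, v in results)
    per_ip = Counter(ip for _, ip, v in results if v == "candidate")
    return verdicts, per_ip

if __name__ == "__main__":
    for line in POST_LINES + [CONSTRUCTED]:
        print(classify(line))
    print(summarize(POST_LINES + [CONSTRUCTED]))
```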