Hi Mark, thank you for your reply.
The Zimbra version is 8.6. I am not running a proxy. The mail server is behind a firewall.
The firewall is a pfSense machine, x.x.x.1.
Zimbra is on another machine, x.x.x.12.
On pfSense there is a 1:1 NAT to translate the public IP to the Zimbra server.
I added the local IP of the firewall and mail server as you suggested:
zmprov mcf +zimbraMailTrustedIP x.x.x.1
zmprov mcf +zimbraMailTrustedIP x.x.x.12
I restarted zmmailboxdctl but nothing changed.
In the log I always see a long list of "connect from fw.mydomain.xxx[x.x.x.1]":
Code:
Oct 14 19:10:05 mail postfix/smtpd[9002]: connect from fw.mydomain.xxx[x.x.x.1]
Oct 14 19:10:10 mail saslauthd[3840]: zmauth: authenticating against elected url 'https://mail.mydomain.xxx:7071/service/admin/soap/' ...
Oct 14 19:10:10 mail saslauthd[3840]: zmpost: url='https://mail.mydomain.xxx:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [schuftp2@mydomain.xxx]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp2054798982-171:https://x.x.x.12:7071/service/admin/soap/:1539537010737:34f5ae85e0482ba2</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
Oct 14 19:10:10 mail saslauthd[3840]: auth_zimbra: schuftp2@mydomain.xxx auth failed: authentication failed for [schuftp2@mydomain.xxx]
Oct 14 19:10:10 mail saslauthd[3840]: do_auth : auth failure: [user=schuftp2@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct 14 19:10:10 mail postfix/smtpd[9002]: warning: fw.mydomain.xxx[x.x.x.1]: SASL LOGIN authentication failed: authentication failure
Oct 14 19:10:11 mail postfix/smtpd[9002]: disconnect from fw.mydomain.xxx[x.x.x.1]
The hackers discovered one mail account name and sent an email to it pretending a breach.
I cannot figure it out!!
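The log excerpt above shows the two lines a defender can key on: the postfix/smtpd "SASL LOGIN authentication failed" warning (which carries the client hostname and IP) and the saslauthd "do_auth : auth failure" line (which carries the user name). The following script is an added example, not code from the post or from Zimbra; it parses lines of that shape and aggregates failures per client IP, per user and per SASL mechanism, then flags the case seen in this thread, where every connection is logged as coming from the firewall's internal address, so a per-IP count no longer identifies the real sender. The sample lines are constructed from the entries quoted in the post, and the x.x.x.1 / x.x.x.12 addresses are the post's own placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the postfix/saslauthd lines quoted in the post.
# Two failed LOGIN attempts for the same user, both logged against the firewall IP.
SAMPLE_LOG = """\
Oct 14 19:10:05 mail postfix/smtpd[9002]: connect from fw.mydomain.xxx[x.x.x.1]
Oct 14 19:10:10 mail saslauthd[3840]: do_auth : auth failure: [user=schuftp2@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct 14 19:10:10 mail postfix/smtpd[9002]: warning: fw.mydomain.xxx[x.x.x.1]: SASL LOGIN authentication failed: authentication failure
Oct 14 19:10:11 mail postfix/smtpd[9002]: disconnect from fw.mydomain.xxx[x.x.x.1]
Oct 14 19:10:15 mail postfix/smtpd[9002]: connect from fw.mydomain.xxx[x.x.x.1]
Oct 14 19:10:20 mail saslauthd[3840]: do_auth : auth failure: [user=schuftp2@mydomain.xxx] [service=smtp] [realm=mydomain.xxx] [mech=zimbra] [reason=Unknown]
Oct 14 19:10:20 mail postfix/smtpd[9002]: warning: fw.mydomain.xxx[x.x.x.1]: SASL LOGIN authentication failed: authentication failure
Oct 14 19:10:21 mail postfix/smtpd[9002]: disconnect from fw.mydomain.xxx[x.x.x.1]
"""

# postfix/smtpd SASL warning: "<host>[<ip>]: SASL <MECH> authentication failed"
SMTPD_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)
# saslauthd failure line: the only place the attempted user name appears
SASLAUTHD_FAIL_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]+)\]"
)


def parse_sasl_failures(log_text):
    """Count SASL authentication failures by client IP, by user and by mechanism.

    Returns a tuple of three Counters: (by_ip, by_user, by_mech).
    """
    by_ip, by_user, by_mech = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = SMTPD_FAIL_RE.search(line)
        if m:
            by_ip[m.group("ip")] += 1
            by_mech[m.group("mech")] += 1
            continue
        m = SASLAUTHD_FAIL_RE.search(line)
        if m:
            by_user[m.group("user")] += 1
    return by_ip, by_user, by_mech


def masked_sources(by_ip, nat_ips, threshold=1):
    """Return the NAT/firewall addresses that account for at least `threshold` failures.

    When the logged client IP is the firewall itself (as in the post), the count
    cannot be attributed to a real sender, and banning that IP would cut off
    every client behind the NAT. Such IPs must be excluded from per-IP blocking
    and the real source must be recovered elsewhere (firewall logs or a
    proxy-aware setup) before rate limiting is meaningful.
    """
    return sorted(ip for ip, n in by_ip.items() if n >= threshold and ip in nat_ips)


def report(log_text, nat_ips):
    """Build a small summary dict suitable for alerting or a dashboard."""
    by_ip, by_user, by_mech = parse_sasl_failures(log_text)
    return {
        "failures_by_ip": dict(by_ip),
        "failures_by_user": dict(by_user),
        "failures_by_mech": dict(by_mech),
        "masked_sources": masked_sources(by_ip, nat_ips),
    }


if __name__ == "__main__":
    # "x.x.x.1" is the firewall address from the post; treat it as a NAT device.
    print(report(SAMPLE_LOG, nat_ips={"x.x.x.1"}))
```

Run it against `/var/log/zimbra.log` (or wherever postfix and saslauthd write on the box) by reading the file into `report()`; the `failures_by_user` counter is the useful signal in a NAT setup like this one, since every attempt shows the same client IP while the targeted account names stay distinguishable.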