Account name different from email address

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Zuser
Posts: 12
Joined: Wed Sep 14, 2016 3:54 pm
ZCS/ZD Version: 8.8.x

Re: Account name different from email address

Postby Zuser » Wed Dec 19, 2018 4:11 pm

We have the same issue: various mailboxes are being attacked on the IMAP port (993) via a slow dictionary attack: 2-3 connections per minute from unique IPs, so fail2ban can't do anything about it.

We can't do packet inspection on a border router since the traffic is encrypted and although we could firewall the IMAP port this prevents some users outside the corporate network/VPN from connecting.

2FA is not an option either since outside of web access and Outlook with ZCO no (mobile) client that I know of supports the relevant 2FA standards. You can still enable 2FA for the particular mailbox in Zimbra and define a passcode for Applications (clients which don't support 2FA protocol), but this simply means replacing the password with a 16 character one, which in itself doesn't exclude the possibility of a successful attack and could actually be a downgrade if you are already using random longer passwords.

Nor does this stop mailboxes from being locked out when DosFilter thresholds are reached.

A solution for us would be a mechanism which prevents specific mailboxes from logging in via IMAP or filtering on incoming IP address for specific credentials only but I haven't found such an option yet (postscreen maybe?). See also https://serverfault.com/questions/94168 ... gle-mailbo

More relevant to the discussion regarding aliases: originally we also had the additional problem of having an old domain name aliased to a newer domain name, which meant that due to https://bugzilla.zimbra.com/show_bug.cgi?id=54838 attacks could continue as before.

We skirted at least that issue by deleting the domain alias and making it a local domain with forwarding (see https://wiki.zimbra.com/wiki/Managing_D ... Forwarding):
(IIRC I deleted the alias and recreated as local domain from the web UI, probably could do both via CLI commands too)

Code: Select all

$ zmprov md oldexample.com zimbraMailCatchAllAddress @oldexample.com
$ zmprov md oldexample.com zimbraMailCatchAllForwardingAddress @newexample.com
$ zmprov md oldexample.com zimbraMailTransport lmtp:yourmailhost.newexample.com


This means mail addressed at user@oldexample.com still arrives but you can no longer log in with user@oldexample.com, only with user@newexample.com. Outgoing mail will of course have newexample.com all over the headers so as soon as attackers get a hold of your new domain address the problem starts again.


Kordian
Posts: 15
Joined: Wed Oct 24, 2018 5:04 pm

Re: Account name different from email address

Postby Kordian » Wed Dec 19, 2018 7:52 pm

Thank you!
So it is still a "temporary" solution. But still "good" to know I am not alone with my problem.
I noticed attackers "scan" for usernames.
So having the possibility of specifying usernames different from email would be great.
OscarZarrus
Posts: 3
Joined: Sun Dec 29, 2019 3:29 pm

Re: Account name different from email address

Postby OscarZarrus » Sun Dec 29, 2019 3:52 pm

Same here.

The attacks are always the same.
They target a known account, and attempt logging in with a single ip, at intervals of 3-4 per minute. A tempted - a unique ip.
Many from Asia. All day. Everyday.
Impossible to stop them.
I set up a massive password reset with a script.
Mandatory, 16 min char, upper and lower case letters, numbers, special characters, and I sent the temporary password with an SMS gateway.

Since these troublemakers have nothing to do in life, they have a lot of time. And slowly, they find the password.


I came to this post, because I also have no other solution than access with "username / nickname" instead of the email address.
I understand that it is not possible.

I have activated the automatic account lockout, the only solution to avoid logging in. But the blocking also happens for the real user and I'm obliged to unlock the account from time to time or increase tolerance on working days.

I can't allow access with ip whitelist, because many have LTE connection (iOS, Android), with dynamic IP.

I'm thinking of creating a smartphone token systems.

It's a nightmare

Best
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2082
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

Re: Account name different from email address

Postby L. Mark Stone » Sun Dec 29, 2019 5:04 pm

OscarZarrus wrote:Same here.

The attacks are always the same.
They target a known account, and attempt logging in with a single ip, at intervals of 3-4 per minute. A tempted - a unique ip.
Many from Asia. All day. Everyday.
Impossible to stop them.
I set up a massive password reset with a script.
Mandatory, 16 min char, upper and lower case letters, numbers, special characters, and I sent the temporary password with an SMS gateway.

Since these troublemakers have nothing to do in life, they have a lot of time. And slowly, they find the password.


I came to this post, because I also have no other solution than access with "username / nickname" instead of the email address.
I understand that it is not possible.

I have activated the automatic account lockout, the only solution to avoid logging in. But the blocking also happens for the real user and I'm obliged to unlock the account from time to time or increase tolerance on working days.

I can't allow access with ip whitelist, because many have LTE connection (iOS, Android), with dynamic IP.

I'm thinking of creating a smartphone token systems.

It's a nightmare

Best


This is why we strongly encourage customers to use 2FA.

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2082
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

Re: Account name different from email address

Postby L. Mark Stone » Sun Dec 29, 2019 5:06 pm

OscarZarrus wrote:Same here.

The attacks are always the same.
They target a known account, and attempt logging in with a single ip, at intervals of 3-4 per minute. A tempted - a unique ip.
Many from Asia. All day. Everyday.
Impossible to stop them.
I set up a massive password reset with a script.
Mandatory, 16 min char, upper and lower case letters, numbers, special characters, and I sent the temporary password with an SMS gateway.

Since these troublemakers have nothing to do in life, they have a lot of time. And slowly, they find the password.


I came to this post, because I also have no other solution than access with "username / nickname" instead of the email address.
I understand that it is not possible.

I have activated the automatic account lockout, the only solution to avoid logging in. But the blocking also happens for the real user and I'm obliged to unlock the account from time to time or increase tolerance on working days.

I can't allow access with ip whitelist, because many have LTE connection (iOS, Android), with dynamic IP.

I'm thinking of creating a smartphone token systems.

It's a nightmare

Best


This is another reason why we encourage customers strongly to use 2FA.

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
OscarZarrus
Posts: 3
Joined: Sun Dec 29, 2019 3:29 pm

Re: Account name different from email address

Postby OscarZarrus » Sun Dec 29, 2019 7:46 pm

Kordian
Posts: 15
Joined: Wed Oct 24, 2018 5:04 pm

Re: Account name different from email address

Postby Kordian » Mon Dec 30, 2019 8:16 am

Of course you can use it as soon as you transfer one billion dollar on an account of one very poor guy that struggles to get his daily meal :-).
OscarZarrus
Posts: 3
Joined: Sun Dec 29, 2019 3:29 pm

Re: Account name different from email address

Postby OscarZarrus » Fri Jan 03, 2020 9:30 am

Incredible!

Since WebMail uses PrivacyIDEA 2FA right now, hackers attack mailbox via ImapSSLServer, where, although long and complex, the password does not change.


A little bad. An half nightmare

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 8 guests