We can't do packet inspection on a border router since the traffic is encrypted, and although we could firewall the IMAP port, this prevents some users outside the corporate network/VPN from connecting.
2FA is not an option either since, outside of web access and Outlook with ZCO, no (mobile) client that I know of supports the relevant 2FA standards. You can still enable 2FA for the particular mailbox in Zimbra and define a passcode for Applications (clients which don't support the 2FA protocol), but this simply means replacing the password with a 16-character one, which in itself doesn't exclude the possibility of a successful attack and could actually be a downgrade if you are already using longer random passwords.
Nor does this stop mailboxes from being locked out when DosFilter thresholds are reached.
A solution for us would be a mechanism which prevents specific mailboxes from logging in via IMAP, or filtering on incoming IP address for specific credentials only, but I haven't found such an option yet (postscreen maybe?). See also https://serverfault.com/questions/94168 ... gle-mailbo
More relevant to the discussion regarding aliases: originally we also had the additional problem of having an old domain name aliased to a newer domain name, which meant that due to https://bugzilla.zimbra.com/show_bug.cgi?id=54838 attacks could continue as before.
We skirted at least that issue by deleting the domain alias and making it a local domain with forwarding (see https://wiki.zimbra.com/wiki/Managing_D ... Forwarding):
(IIRC I deleted the alias and recreated it as a local domain from the web UI; you could probably do both via CLI commands too)
$ zmprov md oldexample.com zimbraMailCatchAllAddress @oldexample.com
$ zmprov md oldexample.com zimbraMailCatchAllForwardingAddress @newexample.com
$ zmprov md oldexample.com zimbraMailTransport lmtp:yourmailhost.newexample.com
This means mail addressed to email@example.com still arrives, but you can no longer log in with firstname.lastname@example.org, only with email@example.com. Outgoing mail will of course have newexample.com all over the headers, so as soon as attackers get hold of your new domain address the problem starts again.
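Since blocking IMAP or enforcing 2FA is ruled out above, the remaining lever is to see which mailboxes are being hammered (and would trip DosFilter lockouts) before that happens. The following is an added example, not code from the original post or from Zimbra itself: a small Python script that parses `audit.log`-style "security - cmd=Auth" entries, keeps only the failed ones, and flags accounts that either exceed a failure threshold or are being tried from many distinct source addresses (a pattern a per-IP threshold alone would miss). The sample log lines are constructed for this example and only modelled on the Zimbra audit format; field names, hosts, IPs and accounts are assumptions, so check the regex against your own log before relying on it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on Zimbra audit.log "security" entries.
# Hosts, IPs and accounts are made up; "oip" is the originating client IP
# when the connection arrived via the proxy, "ip" the direct peer otherwise.
SAMPLE_AUDIT_LOG = """\
2024-05-01 08:00:01,100 INFO  [ImapServer-3] [ip=10.0.0.5;oip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-05-01 08:00:02,101 INFO  [ImapServer-3] [ip=10.0.0.5;oip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-05-01 08:00:03,102 INFO  [ImapServer-4] [ip=10.0.0.5;oip=203.0.113.9;] security - cmd=Auth; account=Alice@example.com; protocol=imap; error=authentication failed for [Alice@example.com], invalid password;
2024-05-01 08:00:04,103 INFO  [ImapServer-4] [ip=10.0.0.5;oip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-05-01 08:00:05,104 INFO  [ImapServer-5] [ip=10.0.0.5;oip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-05-01 08:00:06,105 INFO  [ImapServer-5] [ip=10.0.0.5;oip=203.0.113.9;] security - cmd=Auth; account=alice@example.com; protocol=imap; error=authentication failed for [alice@example.com], invalid password;
2024-05-01 08:01:00,200 INFO  [ImapServer-6] [ip=198.51.100.7;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2024-05-01 08:01:30,201 INFO  [ImapServer-6] [ip=198.51.100.8;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2024-05-01 08:02:00,202 INFO  [ImapServer-7] [ip=198.51.100.9;] security - cmd=Auth; account=bob@example.com; protocol=imap; error=authentication failed for [bob@example.com], invalid password;
2024-05-01 08:03:00,300 INFO  [ImapServer-7] [ip=192.0.2.44;] security - cmd=Auth; account=carol@example.com; protocol=imap; error=authentication failed for [carol@example.com], invalid password;
2024-05-01 08:03:05,301 INFO  [ImapServer-8] [ip=192.0.2.44;] security - cmd=Auth; account=carol@example.com; protocol=imap;
2024-05-01 08:04:00,400 INFO  [qtp-12] [ip=10.0.0.5;oip=192.0.2.80;] security - cmd=Auth; account=dave@example.com; protocol=soap;
2024-05-01 08:04:01,401 INFO  [ImapServer-8] [ip=192.0.2.44;] imap - some unrelated IMAP log line
"""

# Assumed layout of the security line; adjust if your audit.log differs.
LINE_RE = re.compile(
    r"\[ip=(?P<ip>[^;\]]+);(?:oip=(?P<oip>[^;\]]+);)?[^\]]*\] security - cmd=Auth; "
    r"account=(?P<account>[^;]+); protocol=(?P<proto>\w+);(?P<rest>.*)$"
)


def parse_failed_auths(text):
    """Return (account, source_ip, protocol) for every failed Auth entry.

    A successful Auth line carries no 'error=' field, so its absence is
    what distinguishes success from failure here. Accounts are lowercased
    so case variants of the same login are counted together.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or "error=" not in m.group("rest"):
            continue
        source = m.group("oip") or m.group("ip")  # prefer the real client address
        events.append((m.group("account").strip().lower(), source, m.group("proto")))
    return events


def summarize(events, per_account_threshold=5, distinct_ip_threshold=3):
    """Aggregate failures per account and per source IP and flag suspects.

    An account is flagged when its failures reach per_account_threshold
    (it is about to hit a lockout) or when attempts come from at least
    distinct_ip_threshold different addresses (distributed guessing that
    stays under any per-IP limit).
    """
    per_account = Counter(acct for acct, _, _ in events)
    per_ip = Counter(ip for _, ip, _ in events)
    ips_per_account = defaultdict(set)
    for acct, ip, _ in events:
        ips_per_account[acct].add(ip)

    flagged = {}
    for acct, failures in per_account.items():
        distinct = len(ips_per_account[acct])
        if failures >= per_account_threshold or distinct >= distinct_ip_threshold:
            flagged[acct] = {"failures": failures, "distinct_ips": distinct}
    return {"per_account": dict(per_account), "per_ip": dict(per_ip), "flagged": flagged}


if __name__ == "__main__":
    report = summarize(parse_failed_auths(SAMPLE_AUDIT_LOG))
    for acct, info in sorted(report["flagged"].items()):
        print(f"{acct}: {info['failures']} failures from {info['distinct_ips']} address(es)")
```

Run it as-is to see the two flagged accounts in the constructed sample; in practice you would feed it the real `audit.log` (or a `tail -f` of it) and use the flagged list to decide which mailboxes need a forced password change or a temporary block at the proxy, rather than waiting for DosFilter to lock the user out.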