Page 1 of 3

Account name different from email address

Posted: Mon Dec 17, 2018 10:14 am
by Kordian
Hello,
Is it possible to have an account name different from the email name/address within the free version of Zimbra Server?
I have an issue where my account is being attacked. The attackers (presumably software) find out my email address and use it as the user name for hacking. As long as the error is "password incorrect", the software continues with new passwords. As soon as it receives the message "user unknown", the software stops hacking.
Therefore it would be great to have the user name different from the email address.
Can it be done?
If not, would it be possible to have this option in the next version of Zimbra?
Thank you in advance for help!
Regards

Re: Account name different from email address

Posted: Mon Dec 17, 2018 10:26 am
by DualBoot
Hello,

As far as I know: no. In this case you should deactivate the SMTP verify command and add fail2ban-like software to block these attacks.

Regards,
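
What a fail2ban-style filter has to do with Zimbra's log, as an added example that is not part of the thread and not Zimbra's or fail2ban's own code: it reads audit-log lines, extracts the client IP, and counts authentication failures per source, separating the "invalid password" failures from the "account not found" ones (the two answers Kordian describes the attacking software reacting to). The sample lines are constructed here and only approximate the shape of /opt/zimbra/log/audit.log (the `oip=`/`ip=` fields and the error strings are assumptions to check against your own log); the threshold values are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed lines in the approximate shape of
# Zimbra's audit.log: SOAP/web logins carry "oip=", IMAP/POP logins carry "ip=".
SAMPLE_LOG=$(cat <<'EOF'
2018-12-17 10:14:01,101 INFO  [qtp1-12] [oip=203.0.113.5;ua=curl/7.61;] security - cmd=Auth; account=kordian@example.com; protocol=soap; error=authentication failed for [kordian@example.com], invalid password;
2018-12-17 10:14:02,105 INFO  [qtp1-13] [oip=203.0.113.5;ua=curl/7.61;] security - cmd=Auth; account=kordian@example.com; protocol=soap; error=authentication failed for [kordian@example.com], invalid password;
2018-12-17 10:14:03,110 INFO  [qtp1-14] [oip=203.0.113.5;ua=curl/7.61;] security - cmd=Auth; account=kordian@example.com; protocol=soap; error=authentication failed for [kordian@example.com], invalid password;
2018-12-17 10:14:04,120 INFO  [qtp1-15] [oip=203.0.113.5;ua=curl/7.61;] security - cmd=Auth; account=kordian@example.com; protocol=soap; error=authentication failed for [kordian@example.com], invalid password;
2018-12-17 10:14:05,130 INFO  [qtp1-16] [oip=203.0.113.5;ua=curl/7.61;] security - cmd=Auth; account=kordian@example.com; protocol=soap; error=authentication failed for [kordian@example.com], invalid password;
2018-12-17 10:14:06,140 INFO  [ImapServer-3] [ip=198.51.100.9;] security - cmd=Auth; account=admin@example.com; protocol=imap; error=authentication failed for [admin], account not found;
2018-12-17 10:14:07,150 INFO  [ImapServer-4] [ip=198.51.100.9;] security - cmd=Auth; account=test@example.com; protocol=imap; error=authentication failed for [test], account not found;
2018-12-17 10:14:08,160 INFO  [ImapServer-5] [ip=198.51.100.9;] security - cmd=Auth; account=kordian@example.com; protocol=imap; error=authentication failed for [kordian], invalid password;
2018-12-17 10:14:09,170 INFO  [qtp1-17] [oip=192.0.2.44;ua=zclient/8.8.9;] security - cmd=Auth; account=kordian@example.com; protocol=soap; error=authentication failed for [kordian@example.com], invalid password;
2018-12-17 10:14:10,180 INFO  [qtp1-18] [name=kordian@example.com;oip=192.0.2.44;ua=zclient/8.8.9;] security - cmd=Auth; account=kordian@example.com; protocol=soap;
EOF
)

# summarize_auth_failures: reads log text on stdin and prints one line per source IP:
#   "<ip> <failed logins> <distinct account names tried> <'account not found' replies>"
# sorted by failure count, highest first. A successful Auth line (no error=) is ignored.
summarize_auth_failures() {
    awk '
    /security - cmd=Auth;/ && /error=authentication failed/ {
        ip = ""
        if (match($0, /oip=[0-9.]+/))       ip = substr($0, RSTART + 4, RLENGTH - 4)
        else if (match($0, /\[ip=[0-9.]+/)) ip = substr($0, RSTART + 4, RLENGTH - 4)
        if (ip == "") next
        acct = ""
        if (match($0, /account=[^;]+/)) acct = substr($0, RSTART + 8, RLENGTH - 8)
        fails[ip]++
        if (!((ip SUBSEP acct) in seen)) { seen[ip SUBSEP acct] = 1; distinct[ip]++ }
        if ($0 ~ /account not found/) unknown[ip]++
    }
    END {
        for (ip in fails)
            printf "%s %d %d %d\n", ip, fails[ip], distinct[ip], unknown[ip] + 0
    }' | sort -k2,2nr -k1,1
}

# ban_candidates THRESHOLD: IPs with at least THRESHOLD failed logins (what a fail2ban
# jail would hand to the firewall).
ban_candidates() {
    summarize_auth_failures | awk -v t="$1" '$2 >= t { print $1 }'
}

# enumeration_sources THRESHOLD: IPs that tried at least THRESHOLD different account
# names, i.e. sources probing for which names exist rather than guessing one password.
enumeration_sources() {
    summarize_auth_failures | awk -v t="$1" '$3 >= t { print $1 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | summarize_auth_failures
```

The first IP is the single-account password guesser Kordian describes; the second is a name-probing source, visible only because the "account not found" replies are counted separately. On a real host the input is `tail -F /opt/zimbra/log/audit.log` and the output of `ban_candidates` feeds the firewall.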

Re: Account name different from email address

Posted: Mon Dec 17, 2018 10:34 am
by Kordian
Fail2ban is no good, as it adds IPs AFTER the attack. In 3 minutes a new attack takes place with a new IP, so this is no solution.
A real solution would be a username being different from the email address. Then the user name is known to me only; it is not propagated by any means, so such attacks would actually end here.

Re: Account name different from email address

Posted: Mon Dec 17, 2018 10:57 am
by phoenix
Kordian wrote:Fail2ban is no good, as it adds IPs AFTER the attack. In 3 minutes a new attack takes place with a new IP, so this is no solution.
A real solution would be a username being different from the email address. Then the user name is known to me only; it is not propagated by any means, so such attacks would actually end here.
The username can be different from the email address, but that wouldn't solve anything, as a username is always associated with a user's mailbox no matter which mail server you're using, so email sent to a specific email address will always end up in the user's account.

Re: Account name different from email address

Posted: Mon Dec 17, 2018 11:16 am
by Kordian
phoenix wrote:
Kordian wrote:Fail2ban is no good, as it adds IPs AFTER the attack. In 3 minutes a new attack takes place with a new IP, so this is no solution.
A real solution would be a username being different from the email address. Then the user name is known to me only; it is not propagated by any means, so such attacks would actually end here.
The username can be different from the email address, but that wouldn't solve anything, as a username is always associated with a user's mailbox no matter which mail server you're using, so email sent to a specific email address will always end up in the user's account.
It solves EVERYTHING, as it remains unknown to the public. The email address is distributed with every mail, or on your home page.
If you mean the username can be different, please provide the way to achieve it with Zimbra.
Thank you in advance!

Re: Account name different from email address

Posted: Mon Dec 17, 2018 11:22 am
by DualBoot
As Phoenix said, changing the mail address does not change anything unless you delete the old one.
When setting an alias, for example, you can still authenticate with both the account and the alias.

Regards,

Re: Account name different from email address

Posted: Mon Dec 17, 2018 11:26 am
by Kordian
DualBoot wrote:As Phoenix said, changing the mail address does not change anything unless you delete the old one.
When setting an alias, for example, you can still authenticate with both the account and the alias.

Regards,
I think you got it all wrong. Nobody is speaking here of changing the email address.
It is the user name that needs to be changed or be different from the email itself.

Re: Account name different from email address

Posted: Mon Dec 17, 2018 3:28 pm
by JDunphy
Kordian wrote:Thank you then for your comments from the "real world", as opposed to my "unreal" world, I suppose.
Coming back to my "unreal" world: Anybody else have some ideas?
I have another idea if the goal is to prevent account lockouts and reduce the attack surface. I thought this thread was interesting.
viewtopic.php?f=15&t=65051
The concept here is to put that IP address into a time-out or lock-out before they can trip the DoSFilter. Mark Stone gave some examples and I added a method using just the FW rules to automatically count connection attempts and put the IP address into a decaying timeout for that IP address. So provided you set these thresholds lower at the FW or fail2ban, that should provide some additional protection before DoSFilter locks out the account. It isn't ideal because in theory, an attacker could come at you with thousands of IP addresses and burn those while getting a few shots at guessing. 2FA or using a captcha would be a better solution at some point, which is similar to your unguessable user name idea.

Another idea I am currently exploring is using mod_security, which has a little bit of a learning curve, but version 3 would work pretty well with Zimbra's front-end nginx given version 3 mod_security isn't as Apache-dependent. With this tool, I can create custom rules including counting IP accesses for specific patterns and firing off counter measures... so in theory, I could look for the email addresses/username and block them from logging in at the Request Header/Request Body phase and stop them before DoSFilter saw the request... allowing only the account name to be used. Or even better, throw up a captcha or 2FA to stop further attacks from that IP until they authenticated correctly before removing the IP address from the collection of IPs these additional rules are firing against. From my reading, all this should be possible. I have no idea how that would scale, but it's another tool for the toolbag. Always trying to stay just a little bit ahead of the attacks. :-)

Other methods remove the attack surface completely... block all access at the firewall and allow only IP addresses from VPN access servers. I use that method for my own personal Zimbra server. That means you also need a primary MX that isn't your Zimbra server, so you can lock down every port except for the VPN access servers and the MXs in front of Zimbra from known IP addresses. And if this isn't paranoid enough, I also require a second factor... but hey, I don't have any dictionary attacks to worry about. LOL
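
The firewall-side "count connection attempts and put the IP into a decaying timeout" idea from the post above, as an added example that is neither the thread's nor Mark Stone's rules: it uses the iptables `recent` match, which keeps a per-source timestamp list in the kernel. The list name `zimbra_web`, the port and the window/hit-count values are choices made here, and the `show_rule` helper exists only so the rules can be printed instead of loaded (a dry run).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iptables with the xt_recent module.
# Set IPT=show_rule to print the rules instead of loading them.
IPT=${IPT:-iptables}
show_rule() { printf '%s\n' "$*"; }

# zimbra_ratelimit_rules PORT WINDOW_SECONDS HITS
# A source that opens HITS or more new TCP connections to PORT within WINDOW_SECONDS is
# dropped, and stays dropped while it keeps trying: --update refreshes the entry's
# timestamp on every matching packet, so the block only decays once the source has been
# quiet for WINDOW_SECONDS. Both rules are inserted (-I), so the DROP check ends up
# above the --set rule that records each new connection.
# Note: the module's default list depth is 20 entries per address, so keep HITS <= 20
# unless xt_recent is loaded with a larger ip_pkt_list_tot.
zimbra_ratelimit_rules() {
    port=$1; window=$2; hits=$3
    $IPT -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name zimbra_web --set
    $IPT -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name zimbra_web --update --seconds "$window" --hitcount "$hits" -j DROP
}

# tracked_sources: addresses currently in the list. The kernel exposes it under
# /proc/net/xt_recent/<name> with lines of the form "src=A.B.C.D ttl: ... last_seen: ...".
tracked_sources() {
    [ -r /proc/net/xt_recent/zimbra_web ] || return 0
    awk '{ sub(/^src=/, "", $1); print $1 }' /proc/net/xt_recent/zimbra_web
}

# Stand-alone: dry-run the rule set for HTTPS, 10 new connections per 60 seconds.
IPT=show_rule zimbra_ratelimit_rules 443 60 10
```

Two caveats a practitioner should keep in mind: this counts TCP connections, not logins, so a client that reuses one HTTPS keep-alive connection for many password guesses is invisible to it (that is the gap the post's mod_security idea fills), and, as the post says, an attacker spreading the attempts over many addresses stays under any per-address threshold.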

Re: Account name different from email address

Posted: Wed Dec 19, 2018 10:42 am
by DavidMerrill
This thread reminded me of this bugzilla bug I'm watching - https://bugzilla.zimbra.com/show_bug.cgi?id=54838

My take on this is that one would create the mailbox with some obfuscated name and then make an alias that would be their "real world" email address (what gets published). Finally, deny login via alias.

I suppose it only moves the problem down the line (e.g. if the user's phone/computer is compromised then the obfuscated name may become known), but it seems to me it would add enough difficulty to keep some nefarious activity at bay?
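
The first two steps of the procedure above (an unpublished login name, with the published address attached as an alias and used as the From address), as an added example that is not from the thread and not Zimbra's own tooling: the functions emit `zmprov` commands, which can then be piped into `zmprov` as the zimbra user. The account names and password are placeholders. The third step, refusing logins via the alias, is what the linked bug asks for and is not shown here; as DualBoot notes above, both names are accepted at login until that exists.

```shell
#!/bin/sh
# Added example, not from the thread. Emits zmprov commands; pipe the output into
# `zmprov` (run as the zimbra user) to apply them. Account names here are placeholders.

# hidden_login_cmds HIDDEN PUBLIC PASSWORD: new mailbox whose login name is HIDDEN,
# reachable by mail at PUBLIC, and sending with PUBLIC in the From header.
hidden_login_cmds() {
    hidden=$1; public=$2; password=$3
    printf 'ca %s %s\n' "$hidden" "$password"                      # createAccount
    printf 'aaa %s %s\n' "$hidden" "$public"                       # addAccountAlias
    printf 'ma %s zimbraPrefFromAddress %s\n' "$hidden" "$public"  # From: shows the alias
}

# hide_existing_login_cmds PUBLIC HIDDEN: an existing mailbox at PUBLIC is renamed to
# HIDDEN (renameAccount keeps the mailbox contents), then PUBLIC is re-added as an alias
# so mail still arrives and the From address stays the published one.
hide_existing_login_cmds() {
    public=$1; hidden=$2
    printf 'ra %s %s\n' "$public" "$hidden"                        # renameAccount
    printf 'aaa %s %s\n' "$hidden" "$public"
    printf 'ma %s zimbraPrefFromAddress %s\n' "$hidden" "$public"
}

# Stand-alone: print the command sequence (replace the trailing "cat" with "zmprov" to apply).
hidden_login_cmds x7q2m9k@example.com kordian@example.com 'change-me-before-use' | cat
```

Because the rename keeps the alias, `hide_existing_login_cmds` is the path for an account that is already under attack; the login name changes, the published address does not.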

Re: Account name different from email address

Posted: Wed Dec 19, 2018 1:25 pm
by Kordian
DavidMerrill wrote:This thread reminded me of this bugzilla bug I'm watching - https://bugzilla.zimbra.com/show_bug.cgi?id=54838

My take on this is that one would create the mailbox with some obfuscated name and then make an alias that would be their "real world" email address (what gets published). Finally, deny login via alias.

I suppose it only moves the problem down the line (e.g. if the user's phone/computer is compromised then the obfuscated name may become known), but it seems to me it would add enough difficulty to keep some nefarious activity at bay?
Thank you, that is exactly what I thought of.
My question is what happens when I send mails or answer incoming ones. Is it possible that this obfuscated name will still be hidden and only the "desired" email address will be sent inside all the info files that are automatically generated while sending?