CVE-2019-9670 being actively exploited (Hacked Server)

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
egyptiantech
Posts: 6
Joined: Sat Sep 13, 2014 2:03 am

Re: CVE-2019-9670 being actively exploited

Post by egyptiantech »

I noticed that my FW caught the following trying to be uploaded as "/asdf/wl_41mx.zip" to my 8.6 server. The file was flagged as Unix.Packed.Coinminer-6856324-0(e03943dd5c5de98ca94043576aeb909c:999112) and was attempted twice over the course of about 8 hours by the same IP.
evelynharper
Posts: 1
Joined: Wed Jun 19, 2019 1:55 pm

Re: CVE-2019-9670 being actively exploited

Post by evelynharper »

You shouldn't. Unless you are looking for trouble.

Also by now they would have fixed the issue.

See, by the time the vulnerabilities of any software come to public view, most likely the developed of said software would have already started working on a fix. So afternoon to misuse a known vulnerability is not going to work other than in lab conditions.

Also if that know how to fix the issue, chances are they will catch you trying to use it. So stay away from any such exploitations
hisfran
Posts: 31
Joined: Tue Apr 29, 2014 2:10 pm

Re: CVE-2019-9670 being actively exploited

Post by hisfran »

Our Web Security vendor Sucuri is able to fend-off and clean similar attacks on web servers: https://blog.sucuri.net/2019/06/cryptom ... eator.html
I've never tried using their WAF service on a Zimbra server though.
edgar3 wrote:Hi!!, Thanks in advance!
I have a question... ¿Do you know if a WAF block's this attack-vulnerability?
SonicWALL, Watchguard, etc etc
indunil75
Advanced member
Advanced member
Posts: 97
Joined: Sat Sep 13, 2014 12:35 am

Re: CVE-2019-9670 being actively exploited

Post by indunil75 »

fladnar wrote:Is this vulnerabilty present in 8.7-8.8 version?. I'm in 8.6 and thinking of an upgrade.


zimbra-8-6-0-patch-13 includes fixes

https://blog.zimbra.com/2019/03/new-zim ... 0-patch-13
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13


it's better to use patch 14

https://files.zimbra.com/downloads/8.6. ... A_1242.tgz


NOTE: All supported releases of ZCS before 8.7.11p10 have an XXE vulnerability. Details to follow.

https://bugzilla.zimbra.com/show_bug.cgi?id=109129
https://bugzilla.zimbra.com/show_activity.cgi?id=109129
sergo77
Posts: 1
Joined: Tue Jul 02, 2019 5:54 am

Re: CVE-2019-9670 being actively exploited

Post by sergo77 »

Hi guys,
Can help me with Zimbra server how stay under attack?
Possible remotely access - for look details.
Some my top process now
sed -i -E /(XZimbra\.jsp)|(Ajax\.jsp)|(attachment_blocked\.jsp)|(Core)|(Debug\.jsp)|(static\.jsp)|(ppwd=)|(66\.04)/d /opt/zimbra/log/access_log.2019-04-20 /opt/zimbra/+
All work is stoped :((
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

sergo77 wrote:Hi guys,
Can help me with Zimbra server how stay under attack?
Possible remotely access - for look details.
The details on how to resolve this problem are all in this thread, have you read it and have you tried any of the solutions?

You should also, always, post give details of which Zimbra version is in use when postin g on these forums by giving the fFull output of the following command:

Code: Select all

zmcontrol -v
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
User avatar
MattPson
Posts: 4
Joined: Sun Apr 03, 2016 11:12 pm

Re: CVE-2019-9670 being actively exploited

Post by MattPson »

I feel the attacks are increasing in both cleverness and frequency. I keep on finding the bitcoinminer under different names regardless of attempting to remove all access points and shutting down processes. I have also patched my system and followed every suggestion in this thread to no avail.

Code: Select all

$ zmcontrol -v
Release 8.7.11.GA.1854.UBUNTU14.64 UBUNTU16_64 FOSS edition, Patch 8.7.11_P12.
Now, the latest attack removed the crontab for the zimbra user altogether (but that is probably a bug) and installed

Code: Select all

$ file /opt/zimbra/log/zmmailboxdmgr.out
/opt/zimbra/log/zmmailboxdmgr.out: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
Is anyone else seeing this? And more to the point, will an upgrade (really) keep me safe?

While the hack started off as quite polite that it "only" steals CPU power it now starting to affect the services on the server in question. :cry:
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

MattPson wrote:Is anyone else seeing this? And more to the point, will an upgrade (really) keep me safe?
If you have clean the server of all the 'hack' then I'd find it difficult to imagine how they're getting their payload on your server. A clean install should provide you with just that and a move to the new server (using ZeXtras Migration tool) should ensure that there's nothing there that shouldn't be there - my advice would be to try that and see how you get on.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
User avatar
MattPson
Posts: 4
Joined: Sun Apr 03, 2016 11:12 pm

Re: CVE-2019-9670 being actively exploited

Post by MattPson »

I spent quite some time last Friday to clean out my system, recreate the crontab, nuking /opt/zimbra/log, reapplying the latest patch etc. and it seems that it finally worked. No odd processes and rampant cpu loads for all weekend. Great success! :) Next up is to upgrade to 8.8 in the next few days.

But I do have another question. In my access.log I see many accesses from various ip-numbers that aren't mine with the URL:

Code: Select all

"POST https://mailserver.example.com:7073/service/admin/soap/ HTTP/1.1"
(where mailserver.example.com is my server)

I checked the firewall and port 7073 is blocked so how are these requests even reaching my server? I did a cURL towards the same URL to no avail from a server at work so it seems that the firewall is doing what it should. How can I stop these?
Toru
Posts: 7
Joined: Mon Jan 15, 2018 12:44 pm

Re: CVE-2019-9670 being actively exploited

Post by Toru »

Hi guys!

Thank a lot you all for great information!

The second time I cleaned my server from shit, and install the last patch. Now everything looks good along a few days. However, I have one problem.

Every night, process zmopendkimctl is broken. I know for sure that at 23:29:01 it works well, but at 23:31:01 it is broken.

Here is what I see at this time in the logs:

zimbra.log

Code: Select all

Jul  8 23:29:01 mail su: (to zimbra) root on none
Jul  8 23:29:54 mail zmconfigd[7124]: Fetching All configs
Jul  8 23:29:54 mail zmconfigd[7124]: All configs fetched in 0.07 seconds
Jul  8 23:30:01 mail su: (to zimbra) root on none
Jul  8 23:30:01 mail zimbramon[9894]: 9894:info: 2019-07-08 23:30:01, QUEUE: 0 0
Jul  8 23:30:03 mail zmconfigd[7124]: Watchdog: service antivirus status is OK.
Jul  8 23:30:04 mail zmconfigd[7124]: All rewrite threads completed in 0.40 sec
Jul  8 23:30:04 mail zmconfigd[7124]: All restarts completed in 0.00 sec
Jul  8 23:30:12 mail slapd[7104]: slap_queue_csn: queueing 0x5d423c0 20190708213012.567430Z#000000#000#000000
Jul  8 23:30:12 mail slapd[7104]: slap_graduate_commit_csn: removing 0x5d423c0 20190708213012.567430Z#000000#000#000000
Jul  8 23:30:12 mail slapd[7104]: slap_queue_csn: queueing 0x1641100 20190708213012.622513Z#000000#000#000000
Jul  8 23:30:12 mail slapd[7104]: slap_graduate_commit_csn: removing 0x1641100 20190708213012.622513Z#000000#000#000000
Jul  8 23:30:21 mail slapd[7104]: slap_queue_csn: queueing 0x5d43940 20190708213021.387471Z#000000#000#000000
Jul  8 23:30:21 mail slapd[7104]: slap_graduate_commit_csn: removing 0x5d43940 20190708213021.387471Z#000000#000#000000
Jul  8 23:30:21 mail slapd[7104]: slap_queue_csn: queueing 0x5d44480 20190708213021.970951Z#000000#000#000000
Jul  8 23:30:21 mail slapd[7104]: slap_graduate_commit_csn: removing 0x5d44480 20190708213021.970951Z#000000#000#000000
Jul  8 23:30:28 mail slapd[7104]: slap_queue_csn: queueing 0x5d42880 20190708213028.815416Z#000000#000#000000
Jul  8 23:30:28 mail slapd[7104]: slap_graduate_commit_csn: removing 0x5d42880 20190708213028.815416Z#000000#000#000000
Jul  8 23:30:31 mail postfix/postscreen[11198]: CONNECT from [111.222.111.70]:57584 to [111.222.111.70]:25
Jul  8 23:30:31 mail postfix/postscreen[11198]: WHITELISTED [111.222.111.70]:57584
Jul  8 23:30:31 mail postfix/smtpd[11199]: connect from maydomain.com[111.222.111.70]
Jul  8 23:30:31 mail postfix/smtpd[11199]: NOQUEUE: filter: RCPT from maydomain.com[111.222.111.70]: <admin@maydomain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<admin@maydomain.com> to=<admin@maydomain.com> proto=ESMTP helo=<localhost.localdomain>
Jul  8 23:30:31 mail postfix/smtpd[11199]: C41F2C02BED: client=maydomain.com[111.222.111.70]
Jul  8 23:30:31 mail postfix/cleanup[11202]: C41F2C02BED: message-id=<20190708213031.C41F2C02BUSER2@maydomain.com>
Jul  8 23:30:31 mail postfix/smtpd[11199]: disconnect from maydomain.com[111.222.111.70] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul  8 23:30:31 mail postfix/qmgr[10413]: C41F2C02BED: from=<admin@maydomain.com>, size=14774, nrcpt=1 (queue active)
Jul  8 23:30:31 mail amavis[9509]: (09509-02) ESMTP :10026 /opt/zimbra/data/amavisd/tmp/amavis-20190708T220837-09509-qunwrfV1: <admin@maydomain.com> -> <admin@maydomain.com> Received: from maydomain.com ([127.0.0.1]) by localhost (maydomain.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <admin@maydomain.com>; Mon,  8 Jul 2019 23:30:31 +0200 (CEST)
Jul  8 23:30:32 mail amavis[9509]: (09509-02) Checking: Cse-dl1i012u ORIGINATING/MYNETS [111.222.111.70] <admin@maydomain.com> -> <admin@maydomain.com>
Jul  8 23:30:32 mail postfix/dkimmilter/smtpd[11206]: connect from localhost[127.0.0.1]
Jul  8 23:30:32 mail postfix/dkimmilter/smtpd[11206]: warning: connect to Milter service inet:localhost:8465: Connection refused
Jul  8 23:30:32 mail postfix/dkimmilter/smtpd[11206]: NOQUEUE: milter-reject: CONNECT from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Jul  8 23:30:32 mail postfix/dkimmilter/smtpd[11206]: NOQUEUE: milter-reject: EHLO from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<localhost>
Jul  8 23:30:32 mail amavis[9509]: (09509-02) smtp resp to MAIL (pip): 451 4.7.1 Service unavailable - try again later
Jul  8 23:30:32 mail amavis[9509]: (09509-02) Negative SMTP resp. to DATA: 503 5.5.1 Error: need RCPT command
Jul  8 23:30:32 mail amavis[9509]: (09509-02) (!)Cse-dl1i012u FWD from <admin@maydomain.com> -> <admin@maydomain.com>, BODY=7BIT 451 4.7.1 from MTA(smtp:[127.0.0.1]:10030): 451 4.7.1 Service unavailable - try again later
Jul  8 23:30:32 mail postfix/dkimmilter/smtpd[11206]: NOQUEUE: milter-reject: MAIL from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; from=<admin@maydomain.com> proto=ESMTP helo=<localhost>
Jul  8 23:30:32 mail postfix/dkimmilter/smtpd[11206]: disconnect from localhost[127.0.0.1] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=3/6
Jul  8 23:30:32 mail amavis[9509]: (09509-02) Blocked MTA-BLOCKED {TempFailedInternal}, ORIGINATING/MYNETS LOCAL [111.222.111.70]:57584 [111.222.111.70] <admin@maydomain.com> -> <admin@maydomain.com>, Queue-ID: C41F2C02BED, Message-ID: <20190708213031.C41F2C02BUSER2@maydomain.com>, mail_id: Cse-dl1i012u, Hits: -, size: 14774, 234 ms
Jul  8 23:30:32 mail postfix/smtp[11203]: C41F2C02BED: to=<admin@maydomain.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.34, delays=0.06/0.02/0.06/0.21, dsn=4.7.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.7.1 id=09509-02 - Temporary MTA failure on relaying, from MTA(smtp:[127.0.0.1]:10030): 451 4.7.1 Service unavailable - try again later (in reply to end of DATA command))
Jul  8 23:30:33 mail slapd[7104]: slap_queue_csn: queueing 0x5d44540 20190708213033.055683Z#000000#000#000000
Jul  8 23:30:33 mail slapd[7104]: slap_graduate_commit_csn: removing 0x5d44540 20190708213033.055683Z#000000#000#000000
Jul  8 23:31:01 mail su: (to zimbra) root on none
Jul  8 23:31:04 mail zmconfigd[7124]: Fetching All configs
Jul  8 23:31:04 mail zmconfigd[7124]: All configs fetched in 0.07 seconds
Jul  8 23:31:08 mail zmconfigd[7124]: Service status change: maydomain.com opendkim changed from running to stopped
mailbox.log

Code: Select all

2019-07-08 23:29:06,118 INFO  [qtp127618319-703:https:https://maydomain.com/service/soap/CreateWaitSetRequest] [name=user1@mydomain.com;mid=14;ip=111.222.111.70;port=32788;ua=Zimbra Desktop/7.3.1_13063_Mac;] soap - CreateWaitSetRequest elapsed=0
2019-07-08 23:29:33,432 INFO  [Timer-Zimbra] [] session - WaitSet sweeper: 5 active WaitSets (5 accounts) - 5 sets with blocked callbacks
2019-07-08 23:29:35,024 INFO  [MailboxPurge] [name=user2@mydomain.com;mid=3;] purge - Purging messages.
2019-07-08 23:30:07,963 INFO  [qtp127618319-690:https:https://maydomain.com/service/soap/CreateWaitSetRequest] [name=user1@mydomain.com;mid=14;ip=111.222.111.70;port=32814;ua=Zimbra Desktop/7.3.1_13063_Mac;] soap - CreateWaitSetRequest elapsed=1
2019-07-08 23:30:12,625 INFO  [qtp127618319-594:https:https://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ua=zmprov/8.7.11_GA_3810;] soap - AuthReq
uest elapsed=66
2019-07-08 23:30:21,391 INFO  [qtp127618319-594:https:https://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ua=ZCS;] soap - AuthRequest elapsed=19
2019-07-08 23:30:21,882 WARN  [qtp127618319-715:https:https://localhost:7071/service/admin/soap/SyncGalAccountRequest] [name=galsync.liypjsy0u@maydomain.com;ana
me=zimbra;ua=ZCS;] ldap - unknown GAL op
2019-07-08 23:30:21,973 INFO  [qtp127618319-715:https:https://localhost:7071/service/admin/soap/SyncGalAccountRequest] [name=galsync.liypjsy0u@maydomain.com;ana
me=zimbra;ua=ZCS;] gal - GalGroup - flushCache: no cache entry for domain maydomain.com
2019-07-08 23:30:21,974 INFO  [qtp127618319-715:https:https://localhost:7071/service/admin/soap/SyncGalAccountRequest] [name=galsync.liypjsy0u@maydomain.com;ana
me=zimbra;ua=ZCS;] soap - SyncGalAccountRequest elapsed=506
2019-07-08 23:30:28,186 INFO  [qtp127618319-594:https:https://localhost:7071/service/admin/soap/GetAllServersRequest] [name=zimbra;ua=zmprov/8.7.11_GA_3810;] soap 
- GetAllServersRequest elapsed=5
2019-07-08 23:30:28,818 INFO  [qtp127618319-690:https:https://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ua=ZCS;] soap - AuthRequest elapsed=16
2019-07-08 23:30:29,094 WARN  [qtp127618319-716:https:https://localhost:7071/service/admin/soap/SyncGalAccountRequest] [name=galsync@mydomain_2.com;aname=
zimbra;ua=ZCS;] SoapEngine - handler exception
com.zimbra.cs.account.AccountServiceException: no such data source: InternalGAL
ExceptionId:qtp127618319-716:https:https://localhost:7071/service/admin/soap/SyncGalAccountRequest:1562621429026:2c30d3485d781a12
Code:account.NO_SUCH_DATA_SOURCE
        at com.zimbra.cs.account.AccountServiceException.NO_SUCH_DATA_SOURCE(AccountServiceException.java:263)
        at com.zimbra.cs.service.admin.SyncGalAccount.handle(SyncGalAccount.java:74)
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:607)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:460)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:273)
        at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:303)
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:213)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:821)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1685)
        at com.zimbra.cs.servlet.CsrfFilter.doFilter(CsrfFilter.java:175)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at com.zimbra.cs.servlet.RequestStringFilter.doFilter(RequestStringFilter.java:54)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:59)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at com.zimbra.cs.servlet.ETagHeaderFilter.doFilter(ETagHeaderFilter.java:47)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at com.zimbra.cs.servlet.ContextPathBasedThreadPoolBalancerFilter.doFilter(ContextPathBasedThreadPoolBalancerFilter.java:107)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:107)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at com.zimbra.cs.servlet.ZimbraInvalidLoginFilter.doFilter(ZimbraInvalidLoginFilter.java:117)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:473)
        at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:318)
        at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:288)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1158)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1090)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
        at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:318)
        at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:437)
        at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:84)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:119)
        at org.eclipse.jetty.server.Server.handle(Server.java:517)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:306)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:242)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:192)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:261)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
        at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:75)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:213)
        at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:147)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
        at java.lang.Thread.run(Thread.java:748)
2019-07-08 23:30:29,122 INFO  [qtp127618319-716:https:https://localhost:7071/service/admin/soap/SyncGalAccountRequest] [name=galsync@mydomain_2.com;aname=zimbra;ua=ZCS;] soap - SyncGalAccountRequest elapsed=135
2019-07-08 23:30:33,060 INFO  [qtp127618319-690:https:https://localhost:7071/service/admin/soap/AuthRequest] [name=zimbra;ua=ZCS;] soap - AuthRequest elapsed=9
2019-07-08 23:30:33,114 WARN  [qtp127618319-594:https:https://localhost:7071/service/admin/soap/SyncGalAccountRequest] [name=galsync@mydomain.com;aname=zimbra;ua=ZCS;] SoapEngine - handler exception
com.zimbra.cs.account.AccountServiceException: no such data source: InternalGAL

it's my zimbra version

Code: Select all

Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition, Patch 8.7.11_P12.

Using the information of logs I can not understand what exactly leads to failure. I will be happy with any ideas to understand the reason for the breaking of the process.
Post Reply