Weird Authentication Failures


Post by DuncanKinnear »

Hi there, we've had some weird authentication failures in the last 48 hours where we're not sure what's happening.

In the email we get about authentication failures, we have the following lines (over 500 in the last 24 hours):

(1) 2022-07-25 13:21:23,908 INFO [qtp649734728-86751:https:https://zimbra.mccarthy.co.nz:7073/service/admin/soap/] [name=duncan.kinnear@mccarthy.co.nz;ip=172.28.3.26;port=35320;] SoapEngine - handler exception: authentication failed for [duncan], invalid password
(2) 2022-07-25 13:21:27,302 INFO [qtp649734728-86755:https:https://zimbra.mccarthy.co.nz:7073/service/admin/soap/] [name=duncan.kinnear@mccarthy.co.nz;ip=172.28.3.26;port=35322;] SoapEngine - handler exception: authentication failed for [duncan], invalid password
(3) 2022-07-25 13:21:30,743 INFO [qtp649734728-86736:https:https://zimbra.mccarthy.co.nz:7073/service/admin/soap/] [name=duncan.kinnear@mccarthy.co.nz;ip=172.28.3.26;port=35324;] SoapEngine - handler exception: authentication failed for [duncan], invalid password
(4) 2022-07-25 13:21:34,102 INFO [qtp649734728-86736:https:https://zimbra.mccarthy.co.nz:7073/service/admin/soap/] [name=duncan.kinnear@mccarthy.co.nz;ip=172.28.3.26;port=35326;] SoapEngine - handler exception: authentication failed for [duncan], invalid password
(5) 2022-07-25 13:21:37,469 INFO [qtp649734728-86749:https:https://zimbra.mccarthy.co.nz:7073/service/admin/soap/] [name=duncan.kinnear@mccarthy.co.nz;ip=172.28.3.26;port=35328;] SoapEngine - handler exception: authentication failed for [duncan], account lockout
(6) 2022-07-25 13:21:40,947 INFO [qtp649734728-71947:https:https://zimbra.mccarthy.co.nz:7073/service/admin/soap/] [name=duncan.kinnear@mccarthy.co.nz;ip=172.28.3.26;port=35330;] SoapEngine - handler exception: authentication failed for [duncan], account lockout
(7) 2022-07-25 13:21:44,271 INFO [qtp649734728-86748:https:https://zimbra.mccarthy.co.nz:7073/service/admin/soap/] [name=duncan.kinnear@mccarthy.co.nz;ip=172.28.3.26;port=35332;] SoapEngine - handler exception: authentication failed for [duncan], account lockout

... etc.

The IP address in these messages is the internal LAN address of the Zimbra server itself, so the client is not outside our firewall.

About version is 8.7.0_GA_1659 (build 20160628192634)

What do these messages mean? Should we be worried? How do we stop it?

Thanks in advance.

Re: Weird Authentication Failures

Post by Ace Suares »

We see the same here. Also for non-existing accounts. I blocked 7073 and 7071 in the firewall just to be sure, but these authentications come from the inside (via webmail I suppose).
8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P34

Re: Weird Authentication Failures

Post by Ace Suares »

Dear all,

These entries in the log file look like they are standalone entries, but actually they are caused by a failed SASL login on postfix.

Oct 26 14:01:36 newz saslauthd[6623]: : auth failure: [user=xxxxxxxxxxxxx] [service=smtp] [realm=xxxx.org] [mech=zimbra] [reason=Unknown]
Oct 26 14:01:36 newz postfix/smtps/smtpd[21196]: warning: unknown[86.51.188.78]: SASL LOGIN authentication failed: authentication failure
--
Oct 26 14:01:42 newz saslauthd[6626]: : auth failure: [user=xxxxxxx] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Oct 26 14:01:42 newz postfix/smtps/smtpd[16521]: warning: 23-123-122-170.lightspeed.livnmi.sbcglobal.net[23.123.122.170]: SASL LOGIN authentication failed: authentication failure

These logins generate some activity on port 7073, which gets logged separately and makes it look like some unknown process is connecting to 7073 from the inside.

I found the answer in an old post: viewtopic.php?t=62032
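Added example, not from any poster in this thread: a Python sketch that ties each port-7073 failure in the mailbox log to the postfix/saslauthd failure that triggered it, so the real client IP can be read off. The log lines are constructed in the two formats quoted above (documentation IPs and example.org names); the 2-second matching window, the `year` parameter (syslog timestamps carry no year) and matching on the bracketed user name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in the thread (not real data).
MAILBOX_LOG = """\
2022-10-26 14:01:36,412 INFO [qtp1-100:https:https://mail.example.org:7073/service/admin/soap/] [name=alice@example.org;ip=10.0.0.5;port=35320;] SoapEngine - handler exception: authentication failed for [alice], invalid password
2022-10-26 14:01:42,118 INFO [qtp1-101:https:https://mail.example.org:7073/service/admin/soap/] [name=bob@example.org;ip=10.0.0.5;port=35322;] SoapEngine - handler exception: authentication failed for [bob], invalid password
2022-10-26 14:05:00,000 INFO [qtp1-102:https:https://mail.example.org:7073/service/admin/soap/] [name=carol@example.org;ip=10.0.0.5;port=35324;] SoapEngine - handler exception: authentication failed for [carol], invalid password
"""
MAIL_LOG = """\
Oct 26 14:01:36 mail saslauthd[6623]: : auth failure: [user=alice] [service=smtp] [realm=example.org] [mech=zimbra] [reason=Unknown]
Oct 26 14:01:36 mail postfix/smtps/smtpd[21196]: warning: unknown[203.0.113.78]: SASL LOGIN authentication failed: authentication failure
Oct 26 14:01:42 mail saslauthd[6626]: : auth failure: [user=bob] [service=smtp] [realm=] [mech=zimbra] [reason=Unknown]
Oct 26 14:01:42 mail postfix/smtps/smtpd[16521]: warning: host.example.net[198.51.100.170]: SASL LOGIN authentication failed: authentication failure
"""

# One pattern per log line type; each captures (timestamp, user or client IP).
SASL = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ saslauthd\[\d+\]: .*auth failure: \[user=([^\]]*)\]")
SMTPD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix/\S+\[\d+\]: warning: \S*\[([^\]]+)\]: SASL \w+ authentication failed")
SOAP = re.compile(r"^(\d{4}-\d\d-\d\d [\d:]{8}),\d+ .*:7073/service/admin/soap/\].*authentication failed for \[([^\]]+)\]")

def sasl_failures(mail_log, year):
    """Pair each saslauthd failure with the postfix warning that names the client IP."""
    out, pending = [], None
    for line in mail_log.splitlines():
        if m := SASL.match(line):
            pending = (datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2])
        elif (m := SMTPD.match(line)) and pending:
            out.append((*pending, m[2]))
            pending = None
    return out

def correlate(mailbox_log, mail_log, year, window=2):
    """Return (time, user, client_ip or None) for each port-7073 failure."""
    sasl = sasl_failures(mail_log, year)
    results = []
    for line in mailbox_log.splitlines():
        if not (m := SOAP.match(line)):
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
        user = m[2].split("@")[0]
        ip = next((c for t, u, c in sasl if u.split("@")[0] == user
                   and abs(ts - t) <= timedelta(seconds=window)), None)
        results.append((m[1], user, ip))
    return results

if __name__ == "__main__":
    for row in correlate(MAILBOX_LOG, MAIL_LOG, 2022):
        print(row)
```

A row whose client IP is `None` has no matching SMTP-side failure in the window and needs a separate look; rows with an IP give the address to feed into a rate limit or ban on the SMTP listener.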