Brute force attack & SPAM configuration

TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Brute force attack & SPAM configuration

Post by TitusI »

Hi, I'm new to Zimbra but I have to manage a group of servers using:

Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
and
Release 8.0.5_GA_5839.RHEL6_64_20130910123908 RHEL6_64 FOSS edition.

I'm having trouble understanding the actual Zimbra configuration (I found the server screaming under a landslide of SPAM and brute force... so... I'm in some troubled water :| ).

First problem: I see a lot of brute force attacks using different user names against Server_public_ip:7071/service/admin/soap/ from...
Server_public_ip...

2016-04-15 16:56:10,611 WARN [qtp34688703-884:https://Server_public_ip:7071/service/admin/soap/] [name=user@domain.net;ip=Server_public_ip;] security - cmd=Auth; account=user@domain.net; protocol=soap; error=authentication failed for [mailbox63827@domain.net], invalid password;

access to Server_public_ip:7071/ is blocked from outside network

I've googled a lot and done these steps and restarted Zimbra:

zmlocalconfig zimbra_http_originating_ip_header
zimbra_http_originating_ip_header = X-Forwarded-For

zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP Server_public_ip

Nothing changed :(.

I've searched a lot in Bugzilla and the Zimbra forum; it seems to be an old, solved problem. I've made the suggested change but nothing happened.

Is this issue solved in some recent patch? Do you have some useful reference? Do you need other information?

Second: Is Zimbra filtering spam?? I think the answer is NO, but I want to share my config on the 8.6 machine:

#zmlocalconfig |grep -i spam
antispam_backup_retention = 0
antispam_enable_restarts = false
antispam_enable_rule_compilation = false
antispam_enable_rule_updates = false
antispam_mysql_data_directory = ${zimbra_home}/data/amavisd/mysql/data
antispam_mysql_directory = ${zimbra_home}/mta/mariadb
antispam_mysql_enabled = false
antispam_mysql_errlogfile = ${zimbra_home}/log/antispam-mysqld.log
antispam_mysql_host = 127.0.0.1
antispam_mysql_mycnf = ${zimbra_home}/conf/antispam-my.cnf
antispam_mysql_password = *
antispam_mysql_pidfile = ${zimbra_home}/data/amavisd/mysql/mysql.pid
antispam_mysql_port = 7308
antispam_mysql_root_password = *
antispam_mysql_socket = ${zimbra_home}/data/amavisd/mysql/mysql.sock
antispam_mysql_user = zimbra
zimbra_spam_report_queue_size = 100


/opt/zimbra/log/spamtrain.log is empty.
Is Zimbra using SpamAssassin or DSPAM?
antispam_mysql_enabled = false, so Zimbra is using a Berkeley DB?

Using the Zimbra administrator graphical interface everything seems to be ok (antispam, antivirus...)... but I don't believe it.

Any help is really appreciated. :D
Last edited by TitusI on Fri Apr 22, 2016 10:21 am, edited 1 time in total.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: Brute force attack

Post by quanah »

When someone connects to postfix to auth, it generates a SOAP auth request. So what is likely happening is someone is trying to brute force against postfix. If you use something like fail2ban to block IP addresses slamming postfix, your SOAP calls should go away. I.e., you're attempting to tackle the wrong problem.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Post by TitusI »

I'm using fail2ban; I want to underline that the IP address of the client who made the login attempts is not correct (it's my server public IP) and this is a problem.
Please explain what you mean when you write it is an attack against Postfix; I see port 7071 in the log.

How can I understand if my Zimbra is using DSPAM or SpamAssassin or both together? :?
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: Brute force attack

Post by quanah »

TitusI wrote: I'm using fail2ban; I want to underline that the IP address of the client who made the login attempts is not correct (it's my server public IP) and this is a problem.
Please explain what you mean when you write it is an attack against Postfix; I see port 7071 in the log.

How can I understand if my Zimbra is using DSPAM or SpamAssassin or both together? :?
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation helps.

Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Post by TitusI »

quanah wrote:
TitusI wrote: I'm using fail2ban; I want to underline that the IP address of the client who made the login attempts is not correct (it's my server public IP) and this is a problem.
Please explain what you mean when you write it is an attack against Postfix; I see port 7071 in the log.

How can I understand if my Zimbra is using DSPAM or SpamAssassin or both together? :?
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation helps.

Regards,
Quanah
Yes, it helps a lot in understanding the problem, but I pass audit.log to fail2ban, in which the reported IP is the one for 7071... (my server public IP), not the client of the connection on 465/587

2016-04-15 16:56:10,611 WARN [qtp34688703-884:https://Server_public_ip:7071/service/admin/soap/] [name=user@domain.net;ip=Server_public_ip;] security - cmd=Auth; account=user@domain.net; protocol=soap; error=authentication failed for [mailbox63827@domain.net], invalid password;

Where do I have to look in my logs for connections on 465/587?

Thank you! :)
horiachirculescu
Posts: 4
Joined: Mon Apr 18, 2016 9:14 am

Re: Brute force attack

Post by horiachirculescu »

Hello.

You should check postfix's log files (usually /var/log/mail)
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Post by TitusI »

Hi :)
horiachirculescu wrote:Hello.

You should check postfix's log files (usually /var/log/mail)
Thank you, I don't have /var/log/mail; I have /var/log/maillog. I use the standard Zimbra logs /opt/zimbra/audit.log, mailbox.log and /var/log/zimbra.log

My fail2ban jail for postfix is:

[postfix]
enabled  = true
filter   = postfix
action   = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
           sendmail-buffered[name=Postfix, dest=mymail@me]
logpath  = /var/log/zimbra.log
bantime  = -1
maxretry = 5

In zimbra.log I have a lot of hti->error='' for access to :7071/service/admin/soap/

:?
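Putting quanah's explanation into detection logic, as an added example that is not code from the thread, from Zimbra or from fail2ban: the two patterns below do what a fail2ban failregex would do for each log (a named group stands in for fail2ban's <HOST> tag), and the counting mirrors a jail's maxretry. The server address 203.0.113.10, the example.net accounts and every log line are constructed for the example; the audit.log lines follow the format quoted in the thread and the Postfix lines follow the standard smtpd "SASL ... authentication failed" warning.

```python
"""Which Zimbra log line names the attacker behind a failed SMTP AUTH?

Postfix verifies an SMTP AUTH password by making a SOAP Auth call to
mailboxd on port 7071. mailboxd's audit.log therefore records the MTA's
own address in ip=..., while the Postfix smtpd SASL warning written to
/var/log/zimbra.log records the connecting client. A ban has to be
driven by the latter.
"""
import re
from collections import Counter

# Hypothetical address of this mail server (constructed for the example).
SERVER_PUBLIC_IP = "203.0.113.10"

# mailboxd audit.log failed-Auth line, modelled on the one quoted in the thread.
AUDIT_RE = re.compile(
    r"\[name=[^;\]]*;ip=(?P<host>[^;\]]+);[^\]]*\] security - cmd=Auth; "
    r".*error=authentication failed"
)

# Postfix smtpd SASL failure as syslogged to /var/log/zimbra.log; the service
# label may be postfix/smtpd or a per-listener name such as postfix/smtps/smtpd.
SASL_RE = re.compile(
    r"postfix(?:/[\w-]+)*/smtpd\[\d+\]: warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL \w+ authentication failed"
)


def classify(line, server_ip=SERVER_PUBLIC_IP):
    """Return ('sasl' | 'audit', host) for a failed-login line, else None.

    An audit line whose ip= is the server itself is returned with host None:
    the SOAP request came from the MTA on behalf of an SMTP client, so the
    line cannot name the attacker, and banning that address would only cut
    the MTA off from its own mailboxd.
    """
    m = SASL_RE.search(line)
    if m:
        return "sasl", m.group("host")
    m = AUDIT_RE.search(line)
    if m:
        host = m.group("host")
        return "audit", None if host == server_ip else host
    return None


def failed_logins_by_client(lines, server_ip=SERVER_PUBLIC_IP):
    """Count attributable failures per client IP, plus the number of
    audit lines that carried only the server's own address."""
    counts, unattributable = Counter(), 0
    for line in lines:
        hit = classify(line, server_ip)
        if hit is None:
            continue
        _, host = hit
        if host is None:
            unattributable += 1
        else:
            counts[host] += 1
    return counts, unattributable


def ban_candidates(counts, maxretry=5):
    """Mirror a jail's maxretry: addresses with at least that many failures."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LINES = (
    # audit.log: SMTP AUTH relayed by the MTA, so ip= is the server itself
    ["2016-04-15 16:56:10,611 WARN  [qtp34688703-884:https://203.0.113.10:7071/service/admin/soap/] "
     "[name=user@example.net;ip=203.0.113.10;] security - cmd=Auth; account=user@example.net; "
     "protocol=soap; error=authentication failed for [mailbox63827@example.net], invalid password;"] * 5
    # audit.log: a direct webmail login failure does carry the client address
    + ["2016-04-15 17:01:02,001 WARN  [qtp34688703-901:https://203.0.113.10:443/service/soap/AuthRequest] "
       "[name=user@example.net;ip=192.0.2.5;ua=zclient/8.6.0_GA_1153;] security - cmd=Auth; "
       "account=user@example.net; protocol=soap; error=authentication failed for [user@example.net], invalid password;"] * 6
    # zimbra.log: the Postfix side of the same SMTP AUTH attempts names the client
    + ["Apr 15 16:56:10 mail postfix/smtpd[21474]: warning: unknown[198.51.100.7]: "
       "SASL LOGIN authentication failed: authentication failure"] * 5
    + ["Apr 15 16:58:30 mail postfix/smtps/smtpd[21480]: warning: unknown[198.51.100.8]: "
       "SASL PLAIN authentication failed: authentication failure"] * 2
    + ["Apr 15 16:59:00 mail postfix/smtpd[21474]: connect from unknown[198.51.100.8]"]
)

if __name__ == "__main__":
    counts, skipped = failed_logins_by_client(SAMPLE_LINES)
    print("audit.log lines that only named the server itself:", skipped)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} failures")
    print("ban at maxretry=5:", ban_candidates(counts))
```

Running it shows why a jail pointed at audit.log cannot catch these attempts: every SMTP AUTH failure there carries the server's own address and is skipped, while the same attempts in zimbra.log resolve to 198.51.100.7 and cross maxretry. The webmail failure from 192.0.2.5 is still attributable from audit.log, so the two logs complement each other rather than replace each other.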
horiachirculescu
Posts: 4
Joined: Mon Apr 18, 2016 9:14 am

Re: Brute force attack

Post by horiachirculescu »

You should block access to the admin console port (specified by zimbraAdminBindAddress, default 7071) to permit access only from trusted networks. You can change the firewall rules on your security gateway or you can use a firewall on your mail server(s) (e.g. iptables on Linux boxes).
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Post by TitusI »

horiachirculescu wrote: You should block access to the admin console port (specified by zimbraAdminBindAddress, default 7071) to permit access only from trusted networks. You can change the firewall rules on your security gateway or you can use a firewall on your mail server(s) (e.g. iptables on Linux boxes).
Access to the admin port is already locked.

My problem is my lack of knowledge of Zimbra's logic. I think that there is a logging problem (wrong host shown in audit.log) and two configuration problems: fail2ban is not working correctly and antispam is not working either (a lot of spam passes).

Any help in CHECKING (I could be wrong) and solving this issue is appreciated. :)
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack

Post by TitusI »

quanah wrote:
TitusI wrote: I'm using fail2ban; I want to underline that the IP address of the client who made the login attempts is not correct (it's my server public IP) and this is a problem.
Please explain what you mean when you write it is an attack against Postfix; I see port 7071 in the log.

How can I understand if my Zimbra is using DSPAM or SpamAssassin or both together? :?
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation helps.

Regards,
Quanah
Following your suggestion in another thread and reading the suggested resource, I've mitigated the SPAM problem:

test:
zmlocalconfig antispam_enable_rule_updates
RES:antispam_enable_rule_updates = false
zmlocalconfig antispam_enable_restarts
RES:antispam_enable_restarts = false

Setting:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
zmamavisdctl restart
zmmtactl restart

But I would like to know who is doing the job: DSPAM or SpamAssassin?
ps aux|grep -i spam
gave 0 output