Malicious Logins To Zimbra Mail Server
-
@storageninja said in Malicious Logins To Zimbra Mail Server:
- Disable unneeded and insecure protocols. IMAP and POP3 shouldn't be externally facing it's 2017...
Right, should be IMAP/S. But the issue remains.
-
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Edit: Easy way to test this is to block IMAP & POP at the firewall for a few hours and see who screams, lol.
-
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
-
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
-
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).
-
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
...(how long does it take them to switch from IMAP/POP to ActiveSync?).
I will be able to tell you soon.
-
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.
-
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).
What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.
-
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).
What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.
Didn't say anything about IMAP or POP3 over SSL / TLS. I don't know about you, but I like my login information encrypted when I'm broadcasting it for the world to see.
-
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).
What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.
Didn't say anything about IMAP or POP3 over SSL / TLS. I don't know about you, but I like my login information encrypted when I'm broadcasting it for the world to see.
Yes, but the assumption is that it is always over SSL. Web Interface is all that was mentioned, do we not assume HTTPS? If so, why in one case and not the other? And the broadcasting of creds isn't a factor here.
-
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).
What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.
Didn't say anything about IMAP or POP3 over SSL / TLS. I don't know about you, but I like my login information encrypted when I'm broadcasting it for the world to see.
Yes, but the assumption is that it is always over SSL. Web Interface is all that was mentioned, do we not assume HTTPS? If so, why in one case and not the other? And the broadcasting of creds isn't a factor here.
If it's not specifically stated, I try to assume nothing. Admittedly, I did assume HTTPS for the web site. If I see POP / IMAP, I immediately think clear text on port 110 or 143.
-
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.
I fully agree with this. Shut down and blocked at the site's Firewall.
-
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
Mainly it disables two old and insecure protocols. So no, it doesn't solve anything, but it makes things ever so slightly more difficult for the hackers (how long does it take them to switch from IMAP/POP to ActiveSync?).
What's insecure about them? IMAP/S is just as secure as ActiveSync or HTTPS. Identical, in fact. I'm not sure what about them makes people feel that they are insecure... the fragility of all four is the username / password. None of them vary in security.
Didn't say anything about IMAP or POP3 over SSL / TLS. I don't know about you, but I like my login information encrypted when I'm broadcasting it for the world to see.
Yes, but the assumption is that it is always over SSL. Web Interface is all that was mentioned, do we not assume HTTPS? If so, why in one case and not the other? And the broadcasting of creds isn't a factor here.
If it's not specifically stated, I try to assume nothing. Admittedly, I did assume HTTPS for the web site. If I see POP / IMAP, I immediately think clear text on port 110 or 143.
That's not been a standard for a long time, especially on Zimbra. We run Zimbra and only expose IMAP/S and HTTPS. Works really well. Since you have to open the ports manually, one assumes extra ones are not enabled.
-
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.
I fully agree with this. Shut down and blocked at the site's Firewall.
Done and done. POP3 was disabled eons ago. IMAP/IMAPS officially is no longer available externally. Only the following ports are allowed inbound from the outside:
25
443
465
587Although, do I need 465/587? All MTA to MTA should be through 25, right?
-
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.
I fully agree with this. Shut down and blocked at the site's Firewall.
Done and done. POP3 was disabled eons ago. IMAP/IMAPS officially is no longer available externally. Only the following ports are allowed inbound from the outside:
25
443
465
587Although, do I need 465/587? All MTA to MTA should be through 25, right?
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
-
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
@dafyre said in Malicious Logins To Zimbra Mail Server:
I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.
Does that solve anything? Same issues.
One less attack vector I suppose. They could still hammer the web interface.
Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.
I fully agree with this. Shut down and blocked at the site's Firewall.
Done and done. POP3 was disabled eons ago. IMAP/IMAPS officially is no longer available externally. Only the following ports are allowed inbound from the outside:
25
443
465
587Although, do I need 465/587? All MTA to MTA should be through 25, right?
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
Ok. Now the only ports open inbound from the outside are 25 and 443.
-
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (So your firewall rules don't allow port 25 from the world to the actually mail back end).
-
@storageninja said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (So your firewall rules don't allow port 25 from the world to the actually mail back end).
Hmm. Something to think about I suppose. Though I want to make sure I balance security vs complexity.
-
@storageninja said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (So your firewall rules don't allow port 25 from the world to the actually mail back end).
Yup, agreed. You never really want to be accept email directly yourself (on your email server, at least.)
-
@anthonyh said in Malicious Logins To Zimbra Mail Server:
@storageninja said in Malicious Logins To Zimbra Mail Server:
@scottalanmiller said in Malicious Logins To Zimbra Mail Server:
Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.
I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (So your firewall rules don't allow port 25 from the world to the actually mail back end).
Hmm. Something to think about I suppose. Though I want to make sure I balance security vs complexity.
Not really complex at all. It's generally considered a minimum component for running email. The Email Laundry would be a good place to start. They are here in the community and do exactly this.
