    Malicious Logins To Zimbra Mail Server

    IT Discussion
    • anthonyhA
      anthonyh @dafyre
      last edited by

      @dafyre said in Malicious Logins To Zimbra Mail Server:

      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

      @anthonyh said in Malicious Logins To Zimbra Mail Server:

      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

      @dafyre said in Malicious Logins To Zimbra Mail Server:

      I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

      Does that solve anything? Same issues.

      One less attack vector I suppose. They could still hammer the web interface.

      Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.

      I fully agree with this. Shut down and blocked at the site's Firewall.

      Done and done. POP3 was disabled eons ago. IMAP/IMAPS officially is no longer available externally. Only the following ports are allowed inbound from the outside:

      25
      443
      465
      587

      Although, do I need 465/587? All MTA to MTA should be through 25, right?

      • scottalanmillerS
        scottalanmiller @anthonyh
        last edited by

        @anthonyh said in Malicious Logins To Zimbra Mail Server:

        Although, do I need 465/587? All MTA to MTA should be through 25, right?

        Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.

        • anthonyhA
          anthonyh @scottalanmiller
          last edited by

          @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

          Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.

          Ok. Now the only ports open inbound from the outside are 25 and 443. 😄

          • S
            StorageNinja Vendor @scottalanmiller
            last edited by

            @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

            Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.

            I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (so your firewall rules don't allow port 25 from the world to the actual mail back end).

            • anthonyhA
              anthonyh @StorageNinja
              last edited by

              @storageninja said in Malicious Logins To Zimbra Mail Server:

              I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (so your firewall rules don't allow port 25 from the world to the actual mail back end).

              Hmm. Something to think about I suppose. Though I want to make sure I balance security vs complexity.

              • scottalanmillerS
                scottalanmiller @StorageNinja
                last edited by

                @storageninja said in Malicious Logins To Zimbra Mail Server:

                I'm a bigger fan of having an external service or device (that can mailbag) do your filtering, and then you only accept SMTP with TLS from that service (so your firewall rules don't allow port 25 from the world to the actual mail back end).

                Yup, agreed. You never really want to accept email directly yourself (on your email server, at least).

                • scottalanmillerS
                  scottalanmiller @anthonyh
                  last edited by

                  @anthonyh said in Malicious Logins To Zimbra Mail Server:

                  Hmm. Something to think about I suppose. Though I want to make sure I balance security vs complexity.

                  Not really complex at all. It's generally considered a minimum component for running email. The Email Laundry would be a good place to start. They are here in the community and do exactly this.

                  • anthonyhA
                    anthonyh @scottalanmiller
                    last edited by

                    @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                    Yup, agreed. You never really want to accept email directly yourself (on your email server, at least).

                    What about doing a Zimbra multi-server install and installing the MTA on one VM and the rest of the services on another VM?

                    • black3dynamiteB
                      black3dynamite @anthonyh
                      last edited by

                      @anthonyh said in Malicious Logins To Zimbra Mail Server:

                      One less attack vector I suppose. They could still hammer the web interface.

                      You could always set up a reverse proxy server in front of the web interface. I don't think I have any websites, big or small, that aren't behind a web proxy server.

                      • scottalanmillerS
                        scottalanmiller @anthonyh
                        last edited by

                        @anthonyh said in Malicious Logins To Zimbra Mail Server:

                        What about doing a Zimbra multi-server install and installing the MTA on one VM and the rest of the services on another VM?

                        Not a bad idea, but doesn't provide you with enterprise mailbagging. It would in no way eliminate the best practice of having an HA hosted mailbagging system.

                        • DashrenderD
                          Dashrender
                          last edited by

                          I use AppRiver to filter all of my incoming email. Only allow external access via port 25 from them.

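As an added example (not code from any poster in this thread), the following models the inbound policy the discussion converges on: 443 open to anyone, port 25 accepted only from the external filtering/mailbagging service, and every other port (POP3, IMAP, submission) dropped. The filtering-service address ranges and the connection-record format are constructed placeholders; substitute the published ranges of whichever service you actually relay through.

```python
"""Inbound edge policy for a mail server behind an external filtering service.
Renders an equivalent nftables ruleset and lets you evaluate sample
connection records against the same policy (placeholders throughout)."""
import ipaddress
from typing import Iterable, List

# Constructed placeholder ranges (RFC 5737 documentation space); replace with
# the filtering service's published egress ranges.
FILTER_SERVICE_RANGES = ("192.0.2.0/24", "198.51.100.0/24")

PUBLIC_PORTS = {443}       # webmail / ActiveSync over HTTPS, any source
RELAY_ONLY_PORTS = {25}    # MTA-to-MTA, filtering service only
# 110/143/465/587/993/995 are intentionally absent: they fall through to drop.


def is_allowed(dst_port: int, src_ip: str,
               filter_ranges: Iterable[str] = FILTER_SERVICE_RANGES) -> bool:
    """Return True if an inbound TCP connection should be accepted."""
    if dst_port in PUBLIC_PORTS:
        return True
    if dst_port in RELAY_ONLY_PORTS:
        src = ipaddress.ip_address(src_ip)
        return any(src in ipaddress.ip_network(r) for r in filter_ranges)
    return False


def render_nft_ruleset(filter_ranges: Iterable[str] = FILTER_SERVICE_RANGES) -> str:
    """Render the same policy as an nftables ruleset (inet family, default drop)."""
    ranges = ", ".join(filter_ranges)
    public = ", ".join(str(p) for p in sorted(PUBLIC_PORTS))
    relay = ", ".join(str(p) for p in sorted(RELAY_ONLY_PORTS))
    return f"""table inet mail_edge {{
    set relay_sources {{
        type ipv4_addr
        flags interval
        elements = {{ {ranges} }}
    }}
    chain input {{
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport {{ {public} }} accept
        ip saddr @relay_sources tcp dport {{ {relay} }} accept
        # POP3/IMAP/submission ports are not listed, so they hit the drop policy
    }}
}}
"""


def refused_connections(records: Iterable[str]) -> List[str]:
    """Given constructed 'src=IP dport=N' records, return those the policy
    refuses; these are the connections that were reaching a login prompt
    before the firewall was tightened."""
    refused = []
    for rec in records:
        fields = dict(kv.split("=", 1) for kv in rec.split())
        if not is_allowed(int(fields["dport"]), fields["src"]):
            refused.append(rec)
    return refused


if __name__ == "__main__":
    # Constructed sample records, not real traffic.
    sample = [
        "src=203.0.113.7 dport=993",   # external IMAPS attempt: refused
        "src=203.0.113.7 dport=25",    # direct SMTP bypassing the filter: refused
        "src=192.0.2.10 dport=25",     # relay from the filtering service: accepted
        "src=203.0.113.9 dport=443",   # webmail: accepted
    ]
    print(render_nft_ruleset())
    print("refused:", refused_connections(sample))
```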
                          • anthonyhA
                            anthonyh @scottalanmiller
                            last edited by

                            @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                            Not a bad idea, but doesn't provide you with enterprise mailbagging. It would in no way eliminate the best practice of having an HA hosted mailbagging system.

                            Right. After I replied I realized what you meant by not accepting mail directly yourself... ha.

                            I have been considering diving into a multi-server deployment at some point. I've been considering putting the mailbox service on its own hosts for performance reasons, but maybe instead I can organize services by publicly facing/not publicly facing and do two VMs that way.

                            In no way does this help in the scenario of the OP, though. 😄

                            • scottalanmillerS
                              scottalanmiller @anthonyh
                              last edited by

                              @anthonyh said in Malicious Logins To Zimbra Mail Server:

                              I have been considering diving into a multi-server deployment at some point. I've been considering putting the mailbox service on its own hosts for performance reasons, but maybe instead I can organize services by publicly facing/not publicly facing and do two VMs that way.

                              Just go to a larger VM in most cases. Separating them rarely will speed it up until you are going to lots of separate hardware.

                              • S
                                StorageNinja Vendor @scottalanmiller
                                last edited by StorageNinja

                                @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                Just go to a larger VM in most cases. Separating them rarely will speed it up until you are going to lots of separate hardware.

                                I've seen a single VM handle 5000 users just fine (With Exchange). For Zimbra I can't imagine what the point of separating them out is unless it has functionality similar to DAG.

                                Also to be blunt, why on earth are you manually reading the logs for this stuff? This is a colossal waste of manpower. For security auditing, you should...

                                1. Outsource this. There are a lot of great SOC/IDS systems.
                                2. Have IDS / layer 7 devices and a reverse proxy manage a lot of this for you. (You shouldn't need to be tweaking brute force detection on different systems.)
                                3. If you care about security, stop running your own email server. Pay someone who has dedicated SOC teams, patch management teams, massive spends on layer 7 inspection devices, etc.
                                4. If you work for a F500 you might have an internal SOC, but if you do this you basically are dedicated to this.
                                5. Invest in internal security (microsegmentation and security inspection). Most of your DC traffic (~70%) is east-west, and focusing on the external means you're likely missing the real attacks, as the control channel will be encrypted and tough to find on the stuff coming in north-south.

                                When I worked in consulting, people who were wasting time chasing down hits on their firewall were generally the people looking for a new job a bit later.

                                • scottalanmillerS
                                  scottalanmiller @StorageNinja
                                  last edited by

                                  @storageninja said in Malicious Logins To Zimbra Mail Server:

                                  I've seen a single VM handle 5000 users just fine (With Exchange). For Zimbra I can't imagine what the point of separating them out is unless it has functionality similar to DAG.

                                  Right, many thousands of users from a single VM would make sense. Just give it more cores and more RAM until it can handle what is needed. Splitting out to another VM would only be useful if you are also adding more physical resources between the two as well, like one is on one server and one is on another and each have dedicated CPUs. Otherwise, the network connection between them just presents an extra, and unnecessary, bottleneck.

                                  • anthonyhA
                                    anthonyh @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                    Right, many thousands of users from a single VM would make sense. Just give it more cores and more RAM until it can handle what is needed. Splitting out to another VM would only be useful if you are also adding more physical resources between the two as well, like one is on one server and one is on another and each have dedicated CPUs. Otherwise, the network connection between them just presents an extra, and unnecessary, bottleneck.

                                    In my specific case, I have a cluster of hosts I could potentially spread the multi-server deployment across.

                                    • scottalanmillerS
                                      scottalanmiller @anthonyh
                                      last edited by

                                      @anthonyh said in Malicious Logins To Zimbra Mail Server:

                                      In my specific case, I have a cluster of hosts I could potentially spread the multi-server deployment across.

                                      Still is only beneficial if the bottlenecks you have are addressed from doing so. Are you unable to give enough CPU or RAM from a single VM to meet the needs of the system? That's the only case that more VMs would be beneficial. Spreading out amongst physical hosts just creates network bottlenecks and OS overhead, otherwise.

                                      • anthonyhA
                                        anthonyh @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

                                        Still is only beneficial if the bottlenecks you have are addressed from doing so. Are you unable to give enough CPU or RAM from a single VM to meet the needs of the system? That's the only case that more VMs would be beneficial. Spreading out amongst physical hosts just creates network bottlenecks and OS overhead, otherwise.

                                        Understood.

                                        • scottalanmillerS
                                          scottalanmiller
                                          last edited by

                                          This is a completely different discussion to the OP, but basically what we are talking about now is scaling horizontally for an application that can likely scale, for all intents and purposes, vertically indefinitely. Spreading out the application increases risk, as well, because each component not only has to be up and working, but each one has to manage to talk to the others. So we add bottlenecks, and we add risk to do the horizontal growth.

                                          Horizontal growth is only useful when you outgrow your vertical growth potential. Whenever possible, you want to grow vertically. It is far more effective and simpler.

                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            With SSDs and big RAM and crazy amounts of CPU, I bet you could get 20K or more users on a single Zimbra instance. Of course, at those sizes, you get into scary places with having 20K users in a single failure domain. That's why you start looking at other options when you get big. But for pure performance, I bet you could do that no problem.
