[Users] Disallow users to authenticate with smtp / hardening Zimbra

[Manuel Garbin]

Hi Barry, 
with smtp credential they can't take user information if there are no imap/pop3/soap opened , they can only send email. 
If you don't really need auth feature disable it ( zmprov ms <server> zimbraMtaSmtpSaslAuthEnable no ) , block with firewall 587 and 465 . 



Da: "Barry de Graaff" <info at barrydegraaff.tk> 
A: "users at lists.zetalliance.org" <users at lists.zetalliance.org> 
Inviato: Sabato, 25 maggio 2019 11:49:01 
Oggetto: [Users] Disallow users to authenticate with smtp / hardening Zimbra 

Hello All, 

I have set-up a hardened Zimbra server, that is, I firewalled pop/imap/http so that is not available. 

Port 443 can only be reached via a VPN. 

So far so good, 

I am still seeing a bot-net trying to authenticate by using username/password combos 
on the smtp port though. So I set up a fail2ban like script to ban ip's that are doing that. 

Please tell me if I am wrong, but if they succeed in getting the smtp credentials for an account, 
they can send out spam and do some spoofing, but they cannot get the users data right? As that 
cannot be fetched over smtp? Even without spamming, one can use the response from Zimbra 
to find out valid username/password combos. Which is bad, but not a big deal, because the VPN. 

Other than using an smtp relay, what can I do to prevent user-accounts being used to auth on 
smtp? I do not really need the feature on this server, but I cannot disable the port, cause then no 
more mail could be delivered right? 

Any suggestions? I still have 465/tcp 587/tcp and 25 opened for smtp. 

Kind regards, 

Barry de Graaff 
Zeta Alliance 
Co-founder & Developer 
zetalliance.org | github.com/Zimbra-Community 

Signal: +31 617 220 227 
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20190525/9075f50d/attachment.html>