[Users] Disallow users to authenticate with smtp / hardening Zimbra

Barry de Graaff info at barrydegraaff.tk
Mon May 27 09:53:32 CEST 2019 

yeah, the smtp gateway is the best solution... but it is a lot
of overhead.

Kind regards, 

Barry de Graaff
Zeta Alliance 
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community

Signal: +31 617 220 227
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0

----- Original Message -----
From: "Truong Anh Tuan" <tuanta at iwayvietnam.com>
To: users at lists.zetalliance.org
Sent: Monday, 27 May, 2019 09:36:38
Subject: Re: [Users] Disallow users to authenticate with smtp / hardening Zimbra

On 5/25/19 4:49 PM, Barry de Graaff wrote:
> Hello All,
> 
> I have set-up a hardened Zimbra server, that is, I firewalled
> pop/imap/http so that is not available.
> 
> Port 443 can only be reached via a VPN. 
> 
> So far so good,
> 
> I am still seeing a bot-net trying to authenticate by using
> username/password combos
> on the smtp port though. So I set up a fail2ban like script to ban ip's
> that are doing that.
> 
> Please tell me if I am wrong, but if they succeed in getting the smtp
> credentials for an account,
> they can send out spam and do some spoofing, but they cannot get the
> users data right? As that
> cannot be fetched over smtp? Even without spamming, one can use the
> response from Zimbra
> to find out valid username/password combos. Which is bad, but not a big
> deal, because the VPN.
> 
> Other than using an smtp relay, what can I do to prevent user-accounts
> being used to auth on
> smtp? I do not really need the feature on this server, but I cannot
> disable the port, cause then no
> more mail could be delivered right?
> 
> Any suggestions? I still have 465/tcp 587/tcp and 25 opened for smtp.

Hi Barry et al,

In this case, I think it's best to block SMTP ports (465, 587 & 25) as
you did with IMAP/POP/HTTP (all behind VPN)

For receiving emails from outside (other email systems), you can deploy
a separated SMTP gateway.
I have done this way for almost our systems with Postfix, plus
ASSP/MailScanner for another level of spam/virus filtering.

-- 
Kind Regards,
Truong Anh Tuan
iWay Founder & CEO
M: 0903237001
P: (04)3537-8684
E: tuanta at iwayvietnam.com

More information about the Users mailing list