[Users] Disallow users to authenticate with smtp / hardening Zimbra
Naisiew Yeak
yeak at md.com.my
Mon May 27 10:50:08 CEST 2019
Hi All,

Due to heavy attacks on Zimbra servers, I wonder if you all could consider
designing the login process so that Zimbra's password becomes a passcode
instead. What I mean is this: if the user accidentally leaks the password to
a hacker, the hacker cannot use it to log in directly on Zimbra to use the
services.

How can this be done? Normally we use a login portal that accepts the real
password. Then you click a button that has a pre-auth URL to jump into
Zimbra. In this case the real password isn't at Zimbra. To allow
smtp/pop/imap and other access at Zimbra, the login portal can have a
function to assign a passcode to Zimbra. This passcode is the real password
that actually logs in to Zimbra. Because this passcode is randomly
generated with a length of 16 or 32, the user cannot tell a hacker about
it. It is used to configure their devices only. This concept is similar to
a 2FA App Password except that it only takes one passcode.

To further improve the idea, we could build this login portal right into
Zimbra. Let's say Zimbra's LDAP password (userPassword) is the real
password for you to log in to do password management only. Next you create
another field (can reuse zimbraAppSpecificPassword) to actually store the
password used by pop3/imap/smtp. This can be a standard crypt-based
password. The services will be modified to refer to this
zimbraAppSpecificPassword instead of userPassword. By doing so you split
the password usage out by service. Note: what is described is the concept.

What do you think of this idea?

Thanks.

On Mon, May 27, 2019 at 3:53 PM Barry de Graaff <info at barrydegraaff.tk>
wrote:
> yeah, the smtp gateway is the best solution... but it is a lot
> of overhead.
>
> Kind regards,
>
> Barry de Graaff
> Zeta Alliance
> Co-founder & Developer
> zetalliance.org | github.com/Zimbra-Community
>
> Signal: +31 617 220 227
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>
> ----- Original Message -----
> From: "Truong Anh Tuan" <tuanta at iwayvietnam.com>
> To: users at lists.zetalliance.org
> Sent: Monday, 27 May, 2019 09:36:38
> Subject: Re: [Users] Disallow users to authenticate with smtp / hardening
> Zimbra
>
> On 5/25/19 4:49 PM, Barry de Graaff wrote:
> > Hello All,
> >
> > I have set up a hardened Zimbra server, that is, I firewalled
> > pop/imap/http so that it is not available.
> >
> > Port 443 can only be reached via a VPN.
> >
> > So far so good,
> >
> > I am still seeing a bot-net trying to authenticate by using
> > username/password combos
> > on the smtp port though. So I set up a fail2ban-like script to ban IPs
> > that are doing that.
> >
> > Please tell me if I am wrong, but if they succeed in getting the smtp
> > credentials for an account,
> > they can send out spam and do some spoofing, but they cannot get the
> > users data right? As that
> > cannot be fetched over smtp? Even without spamming, one can use the
> > response from Zimbra
> > to find out valid username/password combos. Which is bad, but not a big
> > deal, because of the VPN.
> >
> > Other than using an smtp relay, what can I do to prevent user-accounts
> > being used to auth on
> > smtp? I do not really need the feature on this server, but I cannot
> > disable the port, cause then no
> > more mail could be delivered right?
> >
> > Any suggestions? I still have 465/tcp 587/tcp and 25 opened for smtp.
>
> Hi Barry et al,
>
> In this case, I think it's best to block SMTP ports (465, 587 & 25) as
> you did with IMAP/POP/HTTP (all behind VPN).
>
> For receiving emails from outside (other email systems), you can deploy
> a separate SMTP gateway.
> I have done it this way for almost all our systems with Postfix, plus
> ASSP/MailScanner for another level of spam/virus filtering.
>
> --
> Kind Regards,
> Truong Anh Tuan
> iWay Founder & CEO
> M: 0903237001
> P: (04)3537-8684
> E: tuanta at iwayvietnam.com
>
>
--
Naisiew Yeak
+60 12 5067818
*Zimbra • Linux • Security*
My Directory Sdn Bhd
E-2-22, IOI Boulevard, Jalan Kenari 5, Bandar Puchong Jaya
47170 Puchong, Selangor, Malaysia.
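
The credential split proposed in this message, as an added sketch that is not part of the original post and not Zimbra code: the portal password only manages the account, and a random passcode is the only secret the mail protocols accept. The `Account` class, the function names and the choice of PBKDF2 for the stored hash are assumptions of this example; only `userPassword` and `zimbraAppSpecificPassword` come from the message.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
SALT_LEN = 16

def new_passcode(length=32):
    """Random passcode for device configuration (16 or 32 chars in the post)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_secret(secret, salt=None):
    """Salted PBKDF2-SHA256, stored as salt || digest. PBKDF2 is this example's
    choice; the post only asks for a 'standard crypt based password'."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
    return salt + digest

def check_secret(secret, stored):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_secret(secret, stored[:SALT_LEN]), stored)

class Account:
    """Hypothetical in-memory stand-in for one LDAP entry."""
    def __init__(self, portal_password):
        self.user_password = hash_secret(portal_password)  # userPassword
        self.app_password = None              # zimbraAppSpecificPassword

def issue_passcode(account, portal_password, length=32):
    """Portal action: the real password is required to (re)issue a passcode.
    Re-issuing overwrites the old hash, which revokes the old passcode."""
    if not check_secret(portal_password, account.user_password):
        raise PermissionError("portal login failed")
    passcode = new_passcode(length)
    account.app_password = hash_secret(passcode)
    return passcode  # shown once, then entered into the mail client

def service_login(account, presented):
    """smtp/pop3/imap path: consults only the passcode field, so a leaked
    portal password is useless here."""
    if account.app_password is None:
        return False
    return check_secret(presented, account.app_password)
```
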