My company is relatively new to Zimbra - just installed onto our production servers on Aug 4th of 2007. Per the installation instructions, the install exists on a box with nothing else running besides the instance of Zimbra - no other application server, DB instance, etc.; the server is dedicated to Zimbra.
Somehow today a few hundred emails were sent from - none other than - my wife's email account. When she told me, I didn't believe her at first; I had assumed that someone sent SPAM with a reply-to as her email address (spoofing her email address), so I went and looked at her account. Sure enough, the email is in the "Sent" folder and every recipient is now part of her "Emailed Contacts".
The server does have IPTables running as a firewall with ports 22, 80, 443, 25, 110, 143, 993, 995, 7071 opened - besides that, the default rule is deny. The Zimbra install is a relatively straightforward install following the installation instructions.
Her password is, in my mind, a good password; utilizing a combination of uppercase, lowercase, alpha, and numerics. Not to mention the SPAM which was sent was the typical Phishing SPAM; here is the start of the email:
<sample of email sent>
TUNG TRADING LLC (TTL).
# 12 Taichi Avenue,
Tung Trading LLC(TTL),
Tung Trading LLC is a Trading Company; which deals with the distribution
and Marking of Steel and other Steel products around the Globe.
</sample of email sent>
We are a very small company in the Midwest with only local customers. We only have a total of 50 customers using Zimbra. So to say someone "targeted" us is unlikely; however, you never know.
I also noticed that the X-Originating-IP address *IS* the address of my server. And to reiterate, this is a very new server and new IP address for my company.
(1) Can someone help me understand what I should research. It would appear that someone actually sent this message from my wife's account, especially since all of the emailed recipients are now in her "Emailed Contact List". Thus, from the best of my knowledge they would have had to use the web client to send the message; am I mistaken?
(2) Are there any known vulnerabilities to Zimbra which I have failed to learn about during all of my test installs, Wiki readings, and forum readings?
Ultimately, I am really concerned about this and really at a loss as to where to start looking.
I found this in the maillog, which looks as if the email WAS sent via my server:
Aug 23 10:01:08 postfix/smtpd: connect from <MY-SERVERNAME-HERE>
Aug 23 10:01:08 postfix/smtpd: 228E038CC4DF: client=<MY-SERVERNAME-HERE>
Aug 23 10:01:09 postfix/cleanup: 228E038CC4DF: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
Aug 23 10:01:09 postfix/qmgr: 228E038CC4DF: from=<USERNAME-HERE>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:09 postfix/smtpd: disconnect from <MY-SERVERNAME-HERE>
Aug 23 10:01:11 postfix/smtpd: connect from localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/smtpd: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/smtpd: connect from localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/cleanup: 2822638CC4EB: message-id=<9660788.17891187881267810.JavaMail.root@<MY-SERVERNAME-HERE>>
Aug 23 10:01:13 postfix/qmgr: 2822638CC4EB: from=<USERNAME-HERE>, size=4747, nrcpt=50 (queue active)
Aug 23 10:01:13 postfix/smtpd: disconnect from localhost.localdomain[127.0.0.1]
This looks really bad, any help is greatly appreciated.
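As an added example (not from the original poster), here is a small Python script that walks postfix maillog lines of the shape quoted above, ties the smtpd client, the cleanup message-id and the qmgr recipient count together per queue id, and flags submissions with an unusually large nrcpt. It counts each message-id once, because after the content filter hands the message back via 127.0.0.1 it gets a second queue id but keeps the original message-id. The hostnames and addresses in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted maillog (placeholder names).
SAMPLE_LOG = """\
Aug 23 10:01:08 postfix/smtpd: 228E038CC4DF: client=mail.example.test
Aug 23 10:01:09 postfix/cleanup: 228E038CC4DF: message-id=<9660788.1.JavaMail.root@mail.example.test>
Aug 23 10:01:09 postfix/qmgr: 228E038CC4DF: from=<alice@example.test>, size=4108, nrcpt=503 (queue active)
Aug 23 10:01:12 postfix/smtpd: 2822638CC4EB: client=localhost.localdomain[127.0.0.1]
Aug 23 10:01:12 postfix/cleanup: 2822638CC4EB: message-id=<9660788.1.JavaMail.root@mail.example.test>
Aug 23 10:01:13 postfix/qmgr: 2822638CC4EB: from=<alice@example.test>, size=4747, nrcpt=50 (queue active)
Aug 23 10:05:00 postfix/smtpd: 3AB1C38CC4FF: client=localhost.localdomain[127.0.0.1]
Aug 23 10:05:00 postfix/cleanup: 3AB1C38CC4FF: message-id=<1.2.JavaMail.root@mail.example.test>
Aug 23 10:05:01 postfix/qmgr: 3AB1C38CC4FF: from=<bob@example.test>, size=900, nrcpt=2 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd: (\w+): client=(\S+)")
MSGID_RE = re.compile(r"postfix/cleanup: (\w+): message-id=(<[^>]*>)")
QMGR_RE = re.compile(r"postfix/qmgr: (\w+): from=<([^>]*)>, size=(\d+), nrcpt=(\d+)")

def parse_maillog(text):
    """Per queue id: submitting client, message-id, envelope sender, size, nrcpt."""
    msgs = defaultdict(dict)          # insertion order == log order
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs[m.group(1)]["client"] = m.group(2)
        elif m := MSGID_RE.search(line):
            msgs[m.group(1)]["message_id"] = m.group(2)
        elif m := QMGR_RE.search(line):
            qid, sender, size, nrcpt = m.groups()
            msgs[qid].update(sender=sender, size=int(size), nrcpt=int(nrcpt))
    return dict(msgs)

def flag_bulk_submissions(msgs, threshold=100):
    """Return (queue_id, sender, client, nrcpt) for first-seen messages whose
    recipient count reaches the threshold; re-injected copies (same
    message-id, new queue id from 127.0.0.1) are not counted a second time."""
    seen, hits = set(), []
    for qid, info in msgs.items():
        mid = info.get("message_id")
        if mid in seen:
            continue
        seen.add(mid)
        if info.get("nrcpt", 0) >= threshold:
            hits.append((qid, info["sender"], info.get("client", "?"), info["nrcpt"]))
    return hits

if __name__ == "__main__":
    for hit in flag_bulk_submissions(parse_maillog(SAMPLE_LOG)):
        print("bulk submission: queue=%s from=%s client=%s nrcpt=%d" % hit)
```

Run it against the real `/var/log/maillog` by reading the file into `parse_maillog`; the client field of a flagged hit shows whether the submission came in through the server's own hostname (the web client/JavaMail path) or from elsewhere.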