I was running the beta of zimbra on a internet facing server and last week it got hacked. It looks like only zimbra got hacked as apache and bind were untouched. When I deleted and reinstalled (without performing an actual uninstall) I got the following from the install output:
Setting defaults... MX: grey-area.mailhostingserver.com (220.127.116.11)
MX: grey-area.mailhostingserver.com (18.104.22.168)
Now, the first two interfaces were correct, as is 127 obviously. but the others were NOT mine, nor was the MX default correct. And I couldn't figure out where it was pulling this data from. But either way, i did an actual uninstall and reinstalled.
Now, it WAS the beta of 5, I believe. and I have since upgraded to the final and reinstalled and all is well. But now I worry about my mail server security.
Aside from fire walling the server (which I already have) what other steps can be taken to prevent this from happening again?
I'm not blaming zimbra for the hack, I'm certainly not a genius when it comes to this stuff anyway. But I'd like to take steps to make sure this doesn't happen again.