We ran an old Zimbra server for 4 years with no major problems. It was hacked last weekend. We were blacklisted.
I put a new opensource Zimbra server 6.0.4 GA together with CentOS 5.4.
We started falling off of blacklists and everything was looking great.
3 days later I started to see several spoofed messages, mainly to Yahoo.com and a few to other sites, from our server. This Friday we were called by someone who received one of these spoofed messages. We are from Kansas and she was from Florida.
They are coming from valid user accounts. Changing passwords does not fix the problem. 25, 80, 110, 143, 443, 993, 995 & 7071 are the only ports open to the WAN. When I put the new server together I used a different admin password. The messages are coming from 127.0.0.1. The Zimbra.log shows a warning of a possible open relay but sends the message.
If I disable the mail feature for the users, the problem goes away. We do not need this feature because almost everybody is using their own mail client and does not use the web client. I am just wondering how this is happening.