
Thread: attacks via SOAP calls on server external ip

  1. #11
    phoenix is offline Zimbra Consultant & Moderator


    Quote, originally posted by th13fp45s:
        So there's no way to know the origin from this failed authentication?

    No, I didn't say that. You should find the IP address of the failed login attempt in your audit.log and mailbox.log - I see them listed in the logs on my server.



  2. #12


    No, in all logs we just see the localhost IP:

    2014-02-07 14:21:12,804 WARN [qtp1097575009-258848:] [;oip=;ua=zclient/8.0.6_GA_5922;] security - cmd=Auth;; protocol=soap; error=authentication failed for [sic], LDAP error: - unable to ldap authenticate: invalid credentials;
    This is the bug!

  3. #13


    I once had this problem too.
    In my case some user was using a mobile client (BlackBerry, iPhone, etc.), but yours may be different. For BlackBerry the log indicates the BlackBerry IP; for iPhone and others the IP that appears in the log is localhost or
    In my case the user was always complaining that his account kept getting locked. This happened because he had already changed the password but forgot to update it on the mobile. Ask the user if he/she is using a mobile client and try to update the password.
    Sorry for my English.
    Hope that helps.
    Samuel sappa

  4. #14


    This happened to me yesterday. The solution is to look in /var/log/zimbra.log, and check the log entries surrounding the 'authentication failed' line. An example from my server:

    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: warning: hostname null.null.null does not resolve to address Name or service not known
    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: connect from unknown[]
    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: Anonymous TLS connection established from unknown[]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    Feb 9 11:39:30 mx saslauthd[17382]: zmauth: authenticating against elected url '' ...
    Feb 9 11:39:30 mx saslauthd[17382]: zmpost: url='' returned buffer->data='<soap:Envelope xmlns:soap=""><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for []</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp514441508-358:</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
    Feb 9 11:39:30 mx saslauthd[17382]: auth_zimbra: auth failed: authentication failed for []
    Feb 9 11:39:30 mx saslauthd[17382]: do_auth : auth failure: [] [service=smtp] [] [mech=zimbra] [reason=Unknown]
    Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: warning: unknown[]: SASL LOGIN authentication failed: authentication failure
    Feb 9 11:39:31 mx postfix/submission/smtpd[17931]: lost connection after RSET from unknown[]
    Feb 9 11:39:31 mx postfix/submission/smtpd[17931]: disconnect from unknown[]

    The offending IP address was It was trying to guess username/password once/minute, had been running 1.5 days before it happened on a valid username and got that account locked.

    If you have a very busy server you might have more than one 'connect from' entry at the same time as the 'authentication failed'. In that case, note the 'connect' IPs, then find another 'authentication failed' entry and check the 'connect' IPs around it for a match.

    My solution was to block that IP address with iptables.
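
The correlation described in post #14 (collect the 'connect from' IPs around each 'authentication failed' entry, then look for the IP common to all of them), as an added Python example that is not part of the original thread. The log lines, usernames and documentation-range IPs are constructed, and the function names and the 2-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the /var/log/zimbra.log layout quoted in post #14.
# IPs are documentation-range placeholders, not addresses from the thread.
SAMPLE_LOG = """\
Feb 9 11:39:30 mx postfix/submission/smtpd[17931]: connect from unknown[203.0.113.45]
Feb 9 11:39:30 mx postfix/smtpd[17940]: connect from mail.example.net[198.51.100.7]
Feb 9 11:39:30 mx saslauthd[17382]: auth_zimbra: auth failed: authentication failed for [alice]
Feb 9 11:39:31 mx postfix/submission/smtpd[17931]: disconnect from unknown[203.0.113.45]
Feb 9 11:40:30 mx postfix/submission/smtpd[17955]: connect from unknown[203.0.113.45]
Feb 9 11:40:30 mx postfix/smtpd[17960]: connect from mx.example.org[192.0.2.10]
Feb 9 11:40:31 mx saslauthd[17382]: auth_zimbra: auth failed: authentication failed for [bob]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w/.-]+)\[\d+\]: (.*)$")
CONNECT = re.compile(r"^connect from \S*\[([0-9a-fA-F.:]+)\]")
FAILURE = "auth_zimbra: auth failed"  # one such saslauthd line per failed login

def connect_ips_near_failures(log_text, window=timedelta(seconds=2)):
    """For each auth failure, return the set of client IPs that connected nearby."""
    connects, failures = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # syslog omits the year; 2000 is an arbitrary leap year so Feb 29 parses
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        prog, msg = m.group(2), m.group(3)
        c = CONNECT.match(msg)
        if prog.startswith("postfix/") and c:
            connects.append((when, c.group(1)))
        elif prog == "saslauthd" and msg.startswith(FAILURE):
            failures.append(when)
    return [{ip for t, ip in connects if abs(t - f) <= window} for f in failures]

def common_suspects(log_text):
    """IPs that connected around every failure: the match post #14 looks for."""
    near = connect_ips_near_failures(log_text)
    return set.intersection(*near) if near else set()

if __name__ == "__main__":
    print(sorted(common_suspects(SAMPLE_LOG)))
```

On a busy server each failure has several candidate IPs; only the address present around every failure survives the intersection.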
