I think I might have discovered a security hole in Zimbra 8.0.2 but I'm not sure how to validate it...
When a user is set to global admin, spammers seem to be able to relay spam using zmpost WITHOUT a password. The logs show sasl_method=LOGIN successes, but I don't think auth is really happening. I've tried changing the password to a strong 20+ character password that has never been used before, and literally seconds later spammers are still using the account. There is no way they could brute force it that fast. If I change the password back to the original and disable the global admin on the account, it completely stops. I see spammers attempting to use the account repeatedly, but auth fails and locks the account at that point. Some details on my setup:
My mail server sits behind a firewall on a private IP and I forward ports 25/143/587/993 to it only. Webmail is forwarded via apache's proxypass.
I require TLS auth to relay mail. The accounts in question use unique strong passwords that exist only for email and are NOT being used for other web accounts.
My admin interface is only available locally, not to the general internet.
I've run zimbra for ~6 years like this with absolutely no issues until upgrading to 8.0.2. It's happened twice since then. Both times it took a few days after adding global admin to a user before spammers found the accounts and started using them. I currently have one global admin set up on a dedicated account with a fake internal-only domain. That should be a lot harder for them to figure out, but I and everyone else are in no way safe if this is in fact going on.
Has anyone else seen this? Any ideas how this might be happening if it's not an exploit? Ideas on how to debug this without allowing spammers to relay mail through me and watching?
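A defender-side way to triage logs like the ones described in the post, as an added example that is not part of the original thread or of Zimbra: it reads Postfix smtpd lines in the standard `client=... sasl_method=... sasl_username=...` format, summarizes which source IPs successfully authenticated as each account, flags accounts used from more IPs than one person plausibly would, and counts successes for an account after a given time (for instance, right after a password change). The sample log lines are constructed; the account names and IPs are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Postfix smtpd syslog format (not real logs from the thread).
SAMPLE_LOG = """\
Jan 10 02:14:01 mail postfix/smtpd[12345]: ABC123: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=admin@internal.example
Jan 10 02:14:03 mail postfix/smtpd[12345]: ABC124: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=admin@internal.example
Jan 10 02:14:05 mail postfix/smtpd[12346]: ABC125: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=admin@internal.example
Jan 10 02:15:00 mail postfix/smtpd[12347]: ABC126: client=laptop.lan[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 10 02:15:30 mail postfix/smtpd[12347]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

# Only lines that carry sasl_username= are successful authentications; failures use a different form.
AUTH_RE = re.compile(
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")


def parse_ts(text):
    """Parse a syslog-style timestamp (no year, so all values land in 1900; fine for ordering)."""
    m = TS_RE.match(text)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def parse_sasl_successes(text):
    """Yield (timestamp, ip, method, username) for every successful SASL auth line."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield parse_ts(line), m.group("ip"), m.group("method"), m.group("user")


def summarize(text):
    """Map username -> {'count': successes, 'ips': distinct client IPs, 'methods': SASL methods}."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "methods": set()})
    for _, ip, method, user in parse_sasl_successes(text):
        entry = summary[user]
        entry["count"] += 1
        entry["ips"].add(ip)
        entry["methods"].add(method)
    return dict(summary)


def suspicious_accounts(text, max_ips=2):
    """Accounts that authenticated from more distinct IPs than a single user plausibly would."""
    return sorted(user for user, e in summarize(text).items() if len(e["ips"]) > max_ips)


def logins_after(text, user, since):
    """Count successful auths for `user` at or after `since` (e.g. the moment the password was changed)."""
    cutoff = parse_ts(since)
    return sum(1 for ts, _, _, u in parse_sasl_successes(text) if u == user and ts >= cutoff)
```

Feed it `/var/log/zimbra.log` (or wherever Postfix logs on the box) and compare `logins_after` for the admin account against the time of a password change: continued successes from unknown IPs after the change are what the post describes.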