Thread: Anonymous access to LDAP server? security flaw?

  1. #1

    Anonymous access to LDAP server? security flaw?

    My friend ran a security audit on my machine and was able to produce the following without any passwords:

    Please note that the results below represent only the first 5 entries that could be extracted from the server.

    RESULT:
    ou: people
    objectClass: organizationalRole
    cn: people
    zimbraMailTransport: lmtp:mail.MYDOMAIN.com:7025
    zimbraMailDeliveryAddress: admin@mail.MYDOMAIN.com
    sn: admin
    zimbraId: e1BLAHc6-BLAH-BLAH-BLAH-3eaBLAH9b41
    zimbraMailStatus: enabled
    uid: admin
    objectClass: organizationalPerson
    objectClass: zimbraAccount
    objectClass: amavisAccount
    cn: admin
    zimbraMailHost: mail.MYDOMAIN.com
    mail: admin@mail.MYDOMAIN.com
    mail: root@mail.MYDOMAIN.com
    mail: postmaster@mail.MYDOMAIN.com
    zimbraMailAlias: root@mail.MYDOMAIN.com
    zimbraMailAlias: postmaster@mail.MYDOMAIN.com
    zimbraMailForwardingAddress: MYUSERACCOUNT@MYDOMAIN.com
    ou: people
    objectClass: organizationalRole
    cn: people
    ou: people
    objectClass: organizationalRole
    cn: people

  2. #2

    Nope.
    We allow anonymous binding to the LDAP server for address book reasons.
    Most LDAP servers allow this type of activity, including RedHat Directory Server and Apple Open Directory.

    Cheers!
    john

  3. #3
    So how do I prevent people from leeching email addresses for spamming?

  4. #4

    Anonymous bind mechanism is enabled by default, but can be disabled by specifying "disallow bind_anon" in slapd.conf.in.

    I'm not sure of the impact on your server.

    As far as SPAM, I don't think it's realistic that you will get SPAM, as it hasn't been an issue for many e-mail providers including us.

  5. #5
    Quote Originally Posted by jholder
    Anonymous bind mechanism is enabled by default, but can be disabled by specifying "disallow bind_anon" in slapd.conf.in.

    I'm not sure of the impact on your server.

    As far as SPAM, I don't think it's realistic that you will get SPAM, as it hasn't been an issue for many e-mail providers including us.

    I've just been informed by our engineering team that if you disable anonymous bind, you will break postfix's LDAP lookups.

    There is a bug that we're trying to fix for 5.0 that will remove the need for anon bind: http://bugzilla.zimbra.com/show_bug.cgi?id=15378

    john

  6. #6

    A better solution would be to simply block access to port 389 either by external firewall, or iptables.

    john
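    One way to put john's suggestion into practice, as an added example that is not part of this thread or of Zimbra: a small POSIX sh function that emits iptables rules allowing TCP/389 only from loopback (so postfix's LDAP lookups on the same host keep working) and from trusted networks you pass in, and dropping everything else. The CIDR ranges in the usage are constructed placeholders; in a multi-server Zimbra deployment the other Zimbra hosts must be in the trusted list.

```sh
#!/bin/sh
# Added example (not from the thread): restrict Zimbra's LDAP port to
# loopback plus a list of trusted source networks.
LDAP_PORT=389

ldap_firewall_rules() {
    # $@ : trusted source networks in CIDR notation (assumed internal ranges).
    # Emits the iptables commands instead of running them so the set can be
    # reviewed first; on the server, pipe the output to 'sh' as root to apply.
    printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$LDAP_PORT"
    for net in "$@"; do
        case "$net" in
            */*) ;;   # looks like CIDR notation, accept
            *) echo "ldap_firewall_rules: '$net' is not CIDR notation" >&2
               return 1 ;;
        esac
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' \
            "$net" "$LDAP_PORT"
    done
    # Anything else reaching the LDAP port (e.g. the Internet) is dropped,
    # so anonymous binds from outside are no longer possible.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$LDAP_PORT"
}

# Usage with constructed placeholder networks: review, then apply with
#   ldap_firewall_rules 10.0.0.0/8 192.168.1.0/24 | sh
ldap_firewall_rules 10.0.0.0/8 192.168.1.0/24
```

    After applying, `iptables -S INPUT` should list the ACCEPT rules before the DROP; order matters because iptables matches the first rule that fits.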
