TitusI wrote: quanah wrote: TitusI wrote:
I'm using fail2ban. I want to underline that the IP address of the client who made the login attempts is not correct (it's my server's public IP), and this is a problem.
Please explain what you mean when you write that it is an attack against postfix; I see port 7071 in the log.
How can I understand if my Zimbra is using DSPAM or SpamAssassin or both together?
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.
I hope this explanation helps.
Following your suggestion on the other thread and reading the suggested resource, I've mitigated the SPAM problem:
RES:antispam_enable_rule_updates = false
RES:antispam_enable_restarts = false
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
But I would like to know who is doing the job: DSPAM or SpamAssassin?
ps aux|grep -i spam
gave 0 output
Amavis does. I suggest you read up on https://wiki.zimbra.com/wiki/Anti-spam_Strategies. However, none of this applies to the case of someone who has hacked one of your users and is using your server to send out spam. For that, you need to monitor the postfix logs in /var/log/zimbra.log and find the spammer and the user they've hacked, and then fix things from there.
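
Added example, not part of the original thread: one way to do the log review suggested in the last reply, by counting authenticated submissions per `sasl_username` in the Postfix smtpd lines, which also carry the real client IP that the port 7071 SOAP auth entries do not show. The log lines are constructed samples, and the function names and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Postfix smtpd logs one line per authenticated message:
#   <queue-id>: client=<host>[<ip>], sasl_method=<m>, sasl_username=<user>
SASL_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=[\w-]+, sasl_username=(?P<user>\S+)"
)

# Constructed sample lines (documentation IP ranges, made-up accounts).
# For real use, iterate over open("/var/log/zimbra.log") instead.
SAMPLE_LOG = """\
Oct  3 10:00:01 mail postfix/smtpd[2101]: 3F2A1C0001: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Oct  3 10:00:02 mail postfix/smtpd[2101]: 3F2A1C0002: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Oct  3 10:00:03 mail postfix/submission/smtpd[2200]: 3F2A1C0003: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=alice@example.com
Oct  3 10:00:04 mail postfix/smtpd[2102]: 3F2A1C0004: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=alice@example.com
Oct  3 10:00:05 mail postfix/smtpd[2102]: 3F2A1C0005: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=alice@example.com
Oct  3 10:05:00 mail postfix/submission/smtpd[2201]: 3F2A1C0006: client=office.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  3 11:30:00 mail postfix/submission/smtpd[2202]: 3F2A1C0007: client=office.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  3 11:30:01 mail postfix/smtpd[2101]: connect from unknown[203.0.113.5]
"""

def summarize(lines):
    """Return {sasl_username: {"messages": n, "ips": set of client IPs}}."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in lines:
        m = SASL_RE.search(line)
        if m is None:
            continue  # not an authenticated-submission line
        entry = stats[m["user"]]
        entry["messages"] += 1
        entry["ips"].add(m["ip"])
    return dict(stats)

def suspects(stats, max_messages=3, max_ips=2):
    """Accounts over either threshold (assumed values; tune per site)."""
    return sorted(
        user for user, s in stats.items()
        if s["messages"] > max_messages or len(s["ips"]) > max_ips
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for user in suspects(stats):
        s = stats[user]
        print(user, s["messages"], "messages from", sorted(s["ips"]))
```

An account flagged this way is a candidate for a password reset and a closer look at the listed client IPs, which are also the addresses a fail2ban filter would need to match on.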