how to block ip or domain name on zimbra server

sbdcunha
Posts: 17
Joined: Sat Sep 13, 2014 3:26 am

how to block ip or domain name on zimbra server

Postby sbdcunha » Wed Feb 01, 2017 7:07 pm

Dear all,

I have a Zimbra server 8.5 OSE running with no issues. Many times we face issues with our mail server being used for sending spam emails, especially from IPs in Nigeria.
It happens at any time. If it happens during my work hours I normally block the IP on our firewall, but during off hours and at night I'm not aware of it.
I have MailWatch running, so by monitoring this I get the source IP and block it.

I feel this is due to a user's password being compromised.

I am allowing only my local private IPs in my MTA trusted networks, and also 127.0.0.1.

Is there any way I can avoid this?
I would really appreciate your kind help and advice.

Attached is a screenshot of my MailWatch.

Regards,

Simon


phoenix
Ambassador
Posts: 26160
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: how to block ip or domain name on zimbra server

Postby phoenix » Wed Feb 01, 2017 7:48 pm

If your server is used for sending spam then I'd suggest you might be acting as an open relay or you have an infected machine on your LAN. You might want to take a look at fail2ban and/or postscreen plus some RBLs to stop their connections. You haven't really given much information about what you're currently doing to stop spammers.

Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
ben1967
Advanced member
Posts: 94
Joined: Sat Sep 13, 2014 1:58 am

Re: how to block ip or domain name on zimbra server

Postby ben1967 » Tue Feb 07, 2017 5:27 am

Dear phoenix,

I appreciate your reply and am very sorry for the delay in replying.
I don't think the server is an open relay since the MTA trusted networks are 127.0.0.0/8 and 192.168.0.0/16.
There could be an infected PC with a virus or trojan, or a script running, but it's really difficult to tell since there is no clue about the IP in MailWatch;
it only shows the public IP, as seen in MailWatch and the attachment I sent.
I have Zimbra 8.5.1 and Postfix 2.1.1.
I saw a post where postscreen can be enabled on the above Zimbra version:
viewtopic.php?t=55746
Is it wise to enable postscreen?

Regarding blocking of spammers, I just have a Cisco firewall and MailWatch, which I feel are both not effective on spam.
I had suggested Barracuda or Norton Brightmail to our management, but cost is an issue.
I would appreciate it if you could suggest a cheaper solution.

Thanks, and I appreciate your kind advice.

It has now been about 9 days with no problem, but it does happen suddenly.
ben1967
Advanced member
Posts: 94
Joined: Sat Sep 13, 2014 1:58 am

Re: how to block ip or domain name on zimbra server

Postby ben1967 » Tue Feb 07, 2017 5:44 am

Dear phoenix,

I just forgot to mention that I also use policy web and have enabled quotas.
Also, I just looked at fail2ban and it seems a better option.
Just one more query:
does fail2ban have to be on the Zimbra server only?
And is there any risk involved, since this is an online production-critical mail server?
I have backups but just wanted to be sure of the risk.

Thanks and regards,

Simon
vavai
Advanced member
Posts: 154
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia

Re: how to block ip or domain name on zimbra server

Postby vavai » Tue Feb 07, 2017 5:03 pm

Hi,
ben1967 wrote:Dear phoenix,

I just forgot to mention that I also use policy web and have enabled quotas.
Also, I just looked at fail2ban and it seems a better option.
Just one more query:
does fail2ban have to be on the Zimbra server only?
And is there any risk involved, since this is an online production-critical mail server?
I have backups but just wanted to be sure of the risk.

Thanks and regards,

Simon


Fail2ban is used to gather information and prevent the possibility of incorrect guesses of user name and password (also by using some parameters such as SASL, incorrect login, etc.).

Spam comes from many sources, but you can try the following tips:

1. Enforce strong passwords for all users.
2. Educate users to ignore any untrusted information received by email, or to contact the administrator if they have any doubt about the information.
3. Limit your trusted network to your IP only (/32) and enforce users to only use SSL for IMAP, POP3, SMTP and web access, with SMTP-AUTH enabled.
4. Close all other non-SSL ports from outside.
5. Use an anti-spam appliance (either physical or virtual), as there are plenty of spam appliance alternatives. MailScanner, Mailborder, Proxmox Mail Gateway and some others are such examples, quite good as an additional spam filter with minimal budget.
ben1967
Advanced member
Posts: 94
Joined: Sat Sep 13, 2014 1:58 am

Re: how to block ip or domain name on zimbra server

Postby ben1967 » Wed Feb 08, 2017 5:15 am

Dear Phoenix,
Thanks for your immediate and wise reply.
I really appreciate it.
I missed mentioning to you that I am using MailScanner as a mail gateway, and it's doing a good job.
I will try to enforce the points you mentioned.
BTW, I just wanted to ask you: can fail2ban safely be installed on Zimbra server 8.5.1?

Thanks and regards,
God bless you.

Simon
vavai
Advanced member
Posts: 154
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia

Re: how to block ip or domain name on zimbra server

Postby vavai » Wed Feb 08, 2017 5:23 am

Hi,
ben1967 wrote:Dear Phoenix,
Thanks for your immediate and wise reply.
I really appreciate it.
I missed mentioning to you that I am using MailScanner as a mail gateway, and it's doing a good job.
I will try to enforce the points you mentioned.
BTW, I just wanted to ask you: can fail2ban safely be installed on Zimbra server 8.5.1?

Thanks and regards,
God bless you.

Simon


Fail2ban is installed outside of the Zimbra configuration. The worst case is that legitimate IPs are blacklisted by Fail2ban, but it doesn't hurt the Zimbra services/configuration itself.
ben1967
Advanced member
Posts: 94
Joined: Sat Sep 13, 2014 1:58 am

Re: how to block ip or domain name on zimbra server

Postby ben1967 » Wed Feb 08, 2017 5:31 am

Dear vavai,

I appreciate and thank you for your immediate reply.

Regards,

Simon
sbdcunha
Posts: 17
Joined: Sat Sep 13, 2014 3:26 am

Re: how to block ip or domain name on zimbra server

Postby sbdcunha » Tue Feb 21, 2017 8:47 am

Dear guys,
sorry once again, and I apologize.

I had a similar attack yesterday. I have attached 2 snapshots of MailWatch.
Let me explain.
Our domain is kilaw.edu.kw.
"spam" is the main page of MailWatch;
"capture" is the details.
Now in the details I see outside IPs, that is 45.101221.96 and 172.18.12.206; 127.0.0.1 is the mail gateway server where I have MailScanner and MailWatch running, and 192.168.100.31 is my Zimbra server.
The mail gateway server IP is 192.168.100.34, but it is shown as localhost 127.0.0.1 in MailWatch.
The two IPs, 192.168.100.31 and 192.168.100.34, are statically NATed on the firewall to a public IP.
Also, I see that the "from" user is ekpenspelltemple@solution4u.com.

I am confused and wondering how this user was able to send mail.
As mentioned below, only my local networks are allowed, and the Zimbra web login GUI is allowed, but the spam is not from a user logging into the Zimbra GUI.
I'm confused.
I would appreciate it if someone could help me track this and help me with some troubleshooting tips.
I am thinking of fail2ban, but this does not seem like a password guess or web login.
If a password is compromised, is there any way I could track the user?
If such things happen during my office time, as I do monitor, I can quickly block the sender IP with no issues, but when things happen during off times it's a real issue.
Right now we are banned from Gmail.
Now everything is fine, but this can happen anytime.
Also, I would really appreciate it if someone could recommend a solution (free or commercial) where in such cases the IP is automatically banned.
Once again I do appreciate your kind help, as I feel lost.


Regards,

Simon
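As an added example (not from anyone in this thread), the following Python script addresses the question of tracking the compromised user: it reads Postfix smtpd log lines for SASL-authenticated submissions, ignores the MTA trusted networks named above, and flags accounts that authenticate from many distinct external IPs or send unusually many messages, which is the usual signature of a stolen password rather than an open relay. The log lines are constructed; the domain example.edu, the thresholds and the log location are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# MTA trusted networks mentioned in the thread; hosts inside them are not suspects.
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.0.0/16")]

# Matches Postfix smtpd lines like "client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=u@d"
SASL_RE = re.compile(r"client=\S+?\[(?P<ip>[0-9.]+)\].*?sasl_username=(?P<user>\S+)")

def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def parse_sasl_logins(lines):
    """Return {sasl_user: {source_ip: message_count}} for untrusted source IPs only."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SASL_RE.search(line)
        if m and not is_trusted(m.group("ip")):
            per_user[m.group("user").rstrip(",")][m.group("ip")] += 1
    return per_user

def flag_suspicious(per_user, max_ips=3, max_msgs=50):
    """Accounts sending from >= max_ips distinct external IPs or >= max_msgs messages."""
    flagged = {}
    for user, ips in per_user.items():
        reasons = []
        if len(ips) >= max_ips:
            reasons.append(f"{len(ips)} distinct external IPs")
        if sum(ips.values()) >= max_msgs:
            reasons.append(f"{sum(ips.values())} messages")
        if reasons:
            flagged[user] = reasons
    return flagged

# Constructed sample log lines (documentation IPs, example.edu); not real traffic.
SAMPLE_LOG = [
    "Feb 21 02:14:03 mail postfix/smtpd[2231]: 7D4C1A0: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=victim@example.edu",
    "Feb 21 02:14:09 mail postfix/smtpd[2231]: 7D4C1A1: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=victim@example.edu",
    "Feb 21 02:15:40 mail postfix/smtpd[2240]: 7D4C1B7: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=victim@example.edu",
    "Feb 21 02:16:02 mail postfix/smtpd[2240]: 7D4C1B8: client=unknown[198.51.100.201], sasl_method=PLAIN, sasl_username=victim@example.edu",
    "Feb 21 08:01:11 mail postfix/smtpd[2302]: 7D4D002: client=lan-pc[192.168.100.31], sasl_method=LOGIN, sasl_username=jdoe@example.edu",
    "Feb 21 08:05:55 mail postfix/smtpd[2302]: 7D4D010: client=home-dsl[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe@example.edu",
    "Feb 21 08:06:00 mail postfix/smtpd[2302]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: authentication failure",
]

if __name__ == "__main__":
    # Assumption: on a Zimbra host the same lines are in /var/log/zimbra.log; feed that file instead.
    for user, reasons in flag_suspicious(parse_sasl_logins(SAMPLE_LOG)).items():
        print(f"{user}: {'; '.join(reasons)}")
```

A flagged account is the one whose password to change and whose sessions to revoke; the source IPs it lists are what a firewall or fail2ban rule would then block.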
