Zimbra mail server compromised

I have had a security issue on my Zimbra server for some time now and I cannot get rid of it. I asked the same question on the Zimbra forums, but got no response from the community.

Here's the situation:
On our Zimbra server we have 300+ mail accounts. It is ZCS 8.0.9 right now, on a fairly secured Linux server. Only secure protocols are allowed, with proper commercial SSL certificates, and all ports are firewalled except those needed for POP3S, IMAP+SSL and SMTP+SSL/TLS. Port 25 is closed because we have a separate spam filtering cluster, so the Zimbra server is actually hidden behind that spam filtering cluster for communication via port 25 in both directions, incoming and outgoing. The server is patched regularly, with RKHUNTER run upon each update. Nothing else runs on the server, just ZCS. SSH and Zimbra Admin login are only allowed from my secured location, which is isolated from the rest of the internet.
The password policy is very strict: long passwords with upper and lower case letters, numbers and special symbols are a MUST. Upon account setup, users get instructions via mail and a password via SMS, which they must change. We do not hold any list or database of users' passwords. Unsecured password transfer is not supported, only via an SSL/TLS channel.
So, I can say it is a pretty secure and stable setup.

But my clients get account passwords hacked from time to time; even my password was exposed a few months ago. The hacked accounts are not all from the same company, and they do not even use the same ISP to connect to the internet.
I checked every password breach and can confirm that SPAMMERS indeed authenticated with the hacked account password directly to the ZCS server. And most of the breached passwords were highly secure ones, not a single weak password.

How do hackers manage to get in?
Any idea how to pinpoint the leak?
Andrej Pirman asked:
andreas (System Admin) Commented:
I am guessing your users are using the same password in other places on the internet, which then got hacked from there.

Some may have fallen for phishing and provided the passwords to the attackers themselves.

Some may have bad luck if they use a "secure" password like this: "P@ssw0rd."
which might fit your safety requirements but is still in the databases of crackers.

You see, there are various ways it could have got hacked WITHOUT you having a security hole in your server.
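The "P@ssw0rd." point above, as an added example that is not part of the original answer: a composition-only policy accepts a password that a dictionary check with simple substitution reversal rejects. The word list and substitution table are small constructed stand-ins for a real breached-password corpus.

```python
import re

# Constructed stand-in for a cracking wordlist (assumption, not a real corpus).
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Common character substitutions, undone before the dictionary lookup.
UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                        "3": "e", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw, min_len=8):
    """Composition-only policy: length, upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_guessable(pw):
    """True if the password is a common word plus decoration and substitutions."""
    # Drop leading/trailing digits and punctuation ("Welcome2024!" -> "Welcome").
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    # Lowercase and reverse the substitutions ("P@ssw0rd" -> "password").
    return core.lower().translate(UNLEET) in COMMON_BASE_WORDS


def assess(pw):
    """Apply the composition policy first, then the dictionary check."""
    if not meets_complexity(pw):
        return "rejected: fails composition rules"
    if is_guessable(pw):
        return "rejected: common word with substitutions"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd.", "Welcome2024!", "tK9#vLq2!xRm"):
        print(candidate, "->", assess(candidate))
```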

Andrej Pirman (Author) Commented:
Quite possible what you say.

So to bring it a step further, I will ask those compromised users to check their WEB BROWSERS and look for saved logins, because there's quite a possibility that the web site where they use the same password was compromised in the first place.

I have done a Google search for possible PHISHING sites which would mimic our Zimbra Webmail setup, but fortunately I found none.
andreas (System Admin) Commented:
Current phishings will not even try to mimic.

They frequently send a plain text e-mail to the user, to which they are requested to reply. Inside the e-mail is a questionnaire that they ask to be completed and then mailed back.

Many phishes are conducted without any WWW pages.

Saved browser passwords could also be a source for the attackers. But if the attacker can fetch the saved password from users' browsers, they can also sniff it via a keylogger while the password is entered. So saving the password is not a big deal, unless the machine gets stolen, so that others can access the saved browser passwords on the lost/stolen device.
Andrej Pirman (Author) Commented:
My post on the Zimbra forums about the same problem produced some quite useful answers, so if anybody is interested, feel free to read and implement the solution given here:

It's easy to implement and I've intercepted 1 hacking attempt already.

Andreas, I'll mark your question as the solution, even though it was not an actual solution but rather a debate on the subject. But I still appreciate your feedback.
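For the question's "how to pinpoint the leak", one server-side check is sketched here as an added example; it is not part of this thread and not the Zimbra forum solution referred to above. It flags accounts whose authenticated SMTP sessions come from several distinct client IPs within a short window, assuming Postfix-style `sasl_username` log lines; the sample lines, addresses, threshold and year are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd line recording an authenticated client (syslog prefix assumed).
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)$")

# Constructed sample log lines using documentation IP ranges.
SAMPLE = """\
Oct  3 02:14:07 mail postfix/smtpd[2211]: 4F1A220C1: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Oct  3 02:19:41 mail postfix/smtpd[2230]: 9B2C120C4: client=unknown[203.0.113.80], sasl_method=LOGIN, sasl_username=alice@example.com
Oct  3 02:31:02 mail postfix/smtpd[2244]: 1D3E420C9: client=unknown[192.0.2.55], sasl_method=PLAIN, sasl_username=alice@example.com
Oct  3 08:00:10 mail postfix/smtpd[3001]: 7A5F620D2: client=office.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  3 09:12:44 mail postfix/smtpd[3050]: 2C6A720D8: client=office.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  3 01:00:00 mail postfix/smtpd[1900]: 3E7B820E1: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=carol@example.com
Oct  3 07:00:00 mail postfix/smtpd[2900]: 5F8C920E7: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=carol@example.com
Oct  3 13:00:00 mail postfix/smtpd[3900]: 6A9DA20F3: client=unknown[203.0.113.4], sasl_method=PLAIN, sasl_username=carol@example.com
"""


def suspicious_accounts(log_text, window=timedelta(hours=1), min_ips=3, year=2024):
    """Map each account to the client IPs seen in its busiest window, if >= min_ips."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SASL_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["user"]].append((ts, m["ip"]))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        for start, _ in seen:
            ips = {ip for ts, ip in seen if start <= ts <= start + window}
            if len(ips) >= min_ips and len(ips) > len(flagged.get(user, ())):
                flagged[user] = sorted(ips)
    return flagged


if __name__ == "__main__":
    for user, ips in suspicious_accounts(SAMPLE).items():
        print(user, ips)
```

An account that legitimately roams between networks can trip this, so `min_ips` and `window` need tuning against normal traffic before alerts are acted on.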