I have had a security issue on my Zimbra server for some time now and I cannot get rid of it. I asked the same question on the Zimbra forums, but got no response from the community.
Here's the situation:
On our Zimbra server we have 300+ mail accounts. It is ZCS 8.0.9 right now on a fairly secured Linux server. Only secure protocols are allowed, with proper commercial SSL certificates, and all ports are firewalled except those needed for POP3S, IMAP+SSL and SMTP+SSL/TLS. Port 25 is closed, because we have a separate spam filtering cluster, so the Zimbra server is actually hidden behind that spam filtering cluster for communication via port 25 in both directions, incoming and outgoing. The server is patched regularly, with RKHUNTER run after each update. Nothing else runs on the server, just ZCS. SSH and Zimbra Admin login are only allowed from my secured location, which is isolated from the rest of the internet.
The password policy is very strict: long passwords with upper and lower case letters, numbers and special symbols are a MUST. Upon account setup users get instructions via mail and the password via SMS, which they must change. We do not hold any list or database of users' passwords. Unsecured password transfer is not supported, only via an SSL/TLS channel.
So, I can say it is a pretty secure and stable setup.
But my clients get their account passwords hacked from time to time; even my password was exposed a few months ago. The hacked accounts are not all from the same company, and do not even use the same ISP to connect to the internet.
I checked every password breach and can confirm that SPAMMERS indeed authenticated with the hacked account password directly to the ZCS server. And most of the breached passwords were highly secure ones, not a single weak password.
How do hackers manage to get in?
Any idea how to pinpoint the leak?
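One place to start on the "pinpoint the leak" question, as an added example that is not part of the original post and not a Zimbra tool: the script below groups successful logins from a Zimbra audit log by account and by source address, so that a single IP working several mailboxes, or an account suddenly logging in from an address it never used before, stands out. The line layout the regex expects is an assumption about how ZCS 8.x writes `cmd=Auth` entries to `/opt/zimbra/log/audit.log` and should be checked against a real line from the server; the log lines embedded in the block are constructed samples using documentation IP ranges.

```python
"""Triage successful logins in a Zimbra audit log by account and source IP."""
import re
from collections import defaultdict

# ASSUMPTION: approximate layout of auth lines in /opt/zimbra/log/audit.log
# on ZCS 8.x. Compare with a real line from your server before relying on it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\w+\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+security - cmd=Auth;\s*"
    r"account=(?P<account>[^;]+);(?P<rest>.*)$"
)
IP_RE = re.compile(r"(?:^|;)ip=([^;]+)")
PROTO_RE = re.compile(r"protocol=([^;]+);")

# Constructed sample lines (not real traffic): one address logs in to three
# different mailboxes within seconds, and fails on a fourth.
SAMPLE_LOG = """\
2015-03-09 08:01:10,120 INFO  [ImapSSLServer-7] [ip=198.51.100.10;] security - cmd=Auth; account=alice@example.com; protocol=imap;
2015-03-09 08:05:42,003 INFO  [Pop3SSLServer-2] [ip=198.51.100.10;] security - cmd=Auth; account=alice@example.com; protocol=pop3;
2015-03-09 09:12:00,511 INFO  [ImapSSLServer-9] [ip=203.0.113.77;] security - cmd=Auth; account=alice@example.com; protocol=imap;
2015-03-09 09:12:03,900 INFO  [ImapSSLServer-9] [ip=203.0.113.77;] security - cmd=Auth; account=bob@example.com; protocol=imap;
2015-03-09 09:12:05,120 INFO  [ImapSSLServer-9] [ip=203.0.113.77;] security - cmd=Auth; account=carol@example.com; protocol=imap;
2015-03-09 09:13:00,000 WARN  [ImapSSLServer-9] [ip=203.0.113.77;] security - cmd=Auth; account=dave@example.com; protocol=imap; error=authentication failed for [dave@example.com], invalid password;
2015-03-09 10:00:00,000 INFO  [ImapSSLServer-3] [ip=192.0.2.44;] security - cmd=Auth; account=bob@example.com; protocol=imap;
2015-03-09 10:30:00,000 INFO  [ImapSSLServer-3] [ip=192.0.2.44;] security - cmd=Auth; account=bob@example.com; protocol=imap;
"""


def parse_auth_events(text):
    """Return one dict per cmd=Auth line: ts, ip, account, proto, ok."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth line, or a layout this regex does not know
        ip = IP_RE.search(m.group("ctx"))
        proto = PROTO_RE.search(m.group("rest"))
        events.append({
            "ts": m.group("ts"),
            "ip": ip.group(1) if ip else "?",
            "account": m.group("account").strip().lower(),
            "proto": proto.group(1) if proto else "?",
            "ok": "error=" not in m.group("rest"),  # failed auths carry error=
        })
    return events


def baseline_ips(events, cutoff):
    """Source IPs each account used successfully before `cutoff` (ISO timestamp)."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:  # ISO timestamps sort as strings
            seen[e["account"]].add(e["ip"])
    return seen


def shared_sources(events, min_accounts=3):
    """IPs that logged in successfully to at least `min_accounts` mailboxes.

    One address working several unrelated accounts is the usual footprint of a
    spam bot replaying stolen credentials, whatever the source of the theft."""
    by_ip = defaultdict(set)
    for e in events:
        if e["ok"]:
            by_ip[e["ip"]].add(e["account"])
    return {ip: sorted(accts) for ip, accts in by_ip.items()
            if len(accts) >= min_accounts}


def new_ip_logins(events, cutoff):
    """Successful logins at or after `cutoff` from an IP the account had not
    used before `cutoff`; the time of the first such login per account is the
    earliest moment that account's password was known to be in other hands."""
    known = baseline_ips(events, cutoff)
    hits = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] >= cutoff and e["ip"] not in known[e["account"]]:
            hits[e["account"]].add(e["ip"])
    return {acct: sorted(ips) for acct, ips in hits.items()}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/opt/zimbra/log/audit.log").read() and
    # pick a cutoff a few days before the first reported compromise.
    evs = parse_auth_events(SAMPLE_LOG)
    print("addresses that reached several mailboxes:", shared_sources(evs))
    print("accounts seen from a new address:",
          new_ip_logins(evs, "2015-03-09 09:00:00"))
```

With a baseline of only a few hours, as in the sample, nearly every login counts as "new", so run it over weeks of rotated audit logs so that each user's normal addresses are in the baseline first. The output does not say where the passwords leaked, but it gives a list of exactly which accounts were replayed, from where and when, which is what you need before asking the affected users what they have in common (same mail client, same device, same phishing mail).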