Note that SOAP auth with the zimbra account by itself isn't a sign for an attacker on your system. Some Carbonio cronjobs use this, too, see crontab -e as zextras and compare the times with the occurrence of SOAP auths as zimbra. In my case, this explained daily zimbra auths at 2:15, 22:00 and 23:45. Plus, the cmbackup script I'm running uses this authentication for several auths starting at 1:30 on my server. Moreover, during the upgrade process today and probably for the recommended LDAP backup, too, there were several auths today.
However, I had accesses I'm not sure about shortly after 3am at Jan 1st, 3rd, 5th, and 9th that are so regular that I'm wondering if that isn't some cronjob, too, and irregular accesses on Jan 5th at 1:44 and 11:41, on Jan 7th at 12:46, and on Jan 9th on 3:52. Plus, PreAuth keys had been set for all my domains, and I can't remember having set those myself.
Otherwise, I haven't yet found any irregular activity, so I hope that the hackers that seem to have visited my server have just paved the way for future campaigns and now won't be able to do anything as I have deleted the PreAuth keys and changed the LDAP account password.
I'd be happy if somebody could tell me what the attacker theoretically could have done with the access they had so I can have a look if really everything is in order.
Plus, PreAuth keys had been set for all my domains, and I can't remember having set those myself.
Otherwise, I haven't yet found any irregular activity, so I hope that the hackers that seem to have visited my server have just paved the way for future campaigns and now won't be able to do anything as I have deleted the PreAuth keys and changed the LDAP account password.
I'd be happy if somebody could tell me what the attacker theoretically could have done with the access they had so I can have a look if really everything is in order.
What does zimbraPreAuthKey look like?
What does it look like if there are no PreAuth keys? Only "# name" and the domain name?
Thanks for the help
//Sigtrap
@sigtrap Yes, if there are none set, there's only the #name and the domain name. In my case, long hex keys were also shown.
Another note: I also had to change the LDAP password in /etc/carbonio/carbonio-prometheus-openldap-exporter/carbonio-prometheus-openldap-exporter.yml in order not to get error messages in the logs. The system itself ran without problems, though.
Hi @zottel,
Note that SOAP auth with the zimbra account by itself isn't a sign for an attacker on your system. Some Carbonio cronjobs use this, too, see crontab -e as zextras and compare the times with the occurrence of SOAP auths as zimbra. In my case, this explained daily zimbra auths at 2:15, 22:00 and 23:45.
...
You are correct that provisioning commands executed from the CLI typically use the zimbra account for authentication. However, in such cases, the originating IP address (ip or oip) logged in the audit.log should correspond to localhost or an internal IP address (e.g., one within your trusted network range).
If you notice any Auth commands using the zimbra account with an external or unexpected IP address, it indicates a potential unauthorized access or misuse.
Best regards,
Luca
Hello everyone,
The Zextras crew is delighted to present Carbonio Community Edition 25.3.0 with various improvements and new features.
Features to highlight:
Enhanced Virtual Room Management
Managing virtual rooms is now more intuitive and efficient with several usability improvements. Users can seamlessly interact with more moderators and active participants, while enhanced icons for Join, Rejoin, and Start actions provide better clarity. A new "More Options" menu allows quick access to Copy Link, Edit Details, and Delete Room functions. Additionally, users can now edit room names and modify member lists through a refined update process.
Quick Access to Appointment Details from Reminders
Users can now open appointments directly from reminders, making it easier to review important details such as the agenda, links, and references. The reminder pop-up includes an expandable section for quick access to appointment notes, along with a direct link to open the full appointment. This enhancement improves efficiency by reducing navigation steps and ensuring users have the information they need immediately.
Easier Email Communication with Meeting Participants
Users can now send emails to all attendees directly from the meeting details screen, eliminating the need to manually copy and paste email addresses. When composing an email, the "To" field is automatically populated with all participants, and the subject line is pre-filled with the meeting title.
Support for Folders in Contact Groups
The Contact Groups feature is enhanced to allow users to create and manage contact groups within their personal accounts, offering greater flexibility and usability. Users can now organize contact groups into folders, edit or delete them. This update caters to power users and those in organizations like small municipalities or schools, where managing multiple groups is essential.
Enhanced Email Deletion Behavior in Search Results
When deleting an email from the search results, the email now automatically updates to reflect the deletion, either by being removed from the list or marked as trashed, without requiring the user to manually refresh or modify the search parameters. This ensures a smoother, more intuitive user experience when interacting with emails in search results.
Enhance "Active Participants" and "Other Moderators" Layout in Virtual Rooms
This update aims to improve the visual presentation of active participants and moderators in the virtual room card. The goal is to make this information more visually impactful and easier to use, enhancing the overall user experience.
Notify Users of Reactions on Their Messages
This feature will notify users when others react to their messages by displaying a badge on the message, providing a clear indication of new interactions and keeping them up to date on engagement with their messages.
Allow Users to Modify, Add, or Remove Message Reactions
This feature enables users to easily change a previously applied emoji reaction by selecting a different one. Additionally, users can add their reaction to an existing one by clicking on the emoji bubble, providing a quick and intuitive way to interact. Users can also remove their reactions by clicking on the bubble element, allowing them to undo their actions with ease.
Allow Users to Choose from All Available Reactions
This feature allows users to select any available reaction from the system, beyond just the default ones. Users will have access to a broader range of emojis to express their feelings and reactions in messages, enhancing customization and interaction.
and many more improvements!
Check out the full changelog to know the whole list.
How to upgrade
To upgrade your Carbonio CE, follow the simple instructions in the official Carbonio CE Upgrade Documentation.
We are grateful for your honest and useful feedback; it is a key factor in our success. We are open to any ideas, comments, or proposals for improving our services, and we eagerly await hearing from you.
For more information read the Carbonio CE documentation.
Subscribe to this thread to stay informed of future releases.
Cheers!
Hi guy,
I am trying to enable the cbpolicyd feature following the instructions here:
https://community.zextras.com/restricting-sending-and-receiving-emails-for-users-in-carbonio-community-edition-carbonio-ce/
However, when I restart the service, I encounter the following error:
Additionally, I don't see any .log file being created for this service.
I would appreciate any help. Thank you!