Like any other mail server’s Zimbra too is prone to SMTP brutforce attacks. Hackers around the world try to login to the SMTP servers with the most commonly used email ID’s like info, support etc… with random passwords. Once they are able to crack the actual passwords of the accounts, they will start sending SPAM emails from the server which affects the reputation of your domain and IP address.

There is a way to get notified whenever somebody tried to login to the server with incorrect passwords, this service is called Zmauditswatch

Follow the below steps to enable the same on your Zimbra server

Note: All the below commands should be run from Zimbra user only.

1. Setup the notification email, all the brutforce alerts will be sent to this email ID

zmlocalconfig -e [email protected]

2. Now configure the brutforce thresholds

zmlocalconfig -e zimbra_swatch_ipacct_threshold=20
zmlocalconfig -e zimbra_swatch_acct_threshold=30
zmlocalconfig -e zimbra_swatch_ip_threshold=40
zmlocalconfig -e zimbra_swatch_total_threshold=80
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600

3. Start the Zmauditswatch service

zmauditswatchctl start

That’s it … once the above configurations are done, you will start receiving notifications whenever there is a brutforce on the server.