Zimbra used to ship with an audit watching process (zmauditswatch) that could be configured to send an alert email to administrators when certain bad activity was noted in the logs, like repeated failed logins from a certain IP address, or for a particular mailbox.  The underlying software underwent some changes due to trademark claims by the Swatch watch company, and those changes broke Zimbra’s implementation of zmauditswatch starting in Zimbra 8.7.

It’s really handy to get notifications essentially in near-real time when a user is struggling to log in.  You can proactively reach out to the user to confirm if they are really having a problem, or if it is the start of a brute force attack by a bad actor.  Keep a history of these alerts and you’ll quickly learn (if you don’t already know) which of your users need a little more hand-holding than the others.

While Zimbra has not officially fixed this (yet), Zimbra Support guru Rick King (the “King”) took the initiative to propose a fix.  The fix works fine on Zimbra 8.7, and I’ve deployed the fix now on several 8.8 systems and can report it works well there too.

Here’s what you need to do to get this working for you…

First, you’ll need to install this on every mailbox server in your Zimbra farm.  On each mailbox server, become root and run the following commands:

root@webmail:~# cd /tmp
wget http://bugzilla-attach.zimbra.com/attachment.cgi?id=66723
mv attachment.cgi\?id\=66723 auditswatch
mv auditswatch /opt/zimbra/libexec/auditswatch
chown root:root /opt/zimbra/libexec/auditswatch
chmod 0755 /opt/zimbra/libexec/auditswatch
su - zimbra
zmlocalconfig -e zimbra_swatch_notice_user=zimbra-super-admin@your-company-domain.com
zmlocalconfig -e zimbra_swatch_ipacct_threshold=10
zmlocalconfig -e zimbra_swatch_acct_threshold=15
zmlocalconfig -e zimbra_swatch_ip_threshold=20
zmlocalconfig -e zimbra_swatch_total_threshold=60
zmlocalconfig -e zimbra_swatch_threshold_seconds=3600
touch /opt/zimbra/conf/auditswatchrc
touch /opt/zimbra/conf/auditswatchrc.in
zmauditswatchctl start

If you make the swatch_notice_user a distribution list of system administrators, that will keep everyone in the loop.

One problem is that this is a service, so ideally it should be configured to run via an operating system startup script.  The download link in the wiki for the startup script is broken, and the existing startup script in the wiki for Ubuntu 16.04 doesn’t work (for me).  So until you get that working, you’ll need to manually start zmauditswatch after each reboot.

The wiki explains meanings behind the localconfig values you are setting above, and there are two bug reports here and here that describe what’s broken in greater detail.

zmauditswatch is a handy tool; hopefully Zimbra will provide an official and more permanent fix in the near future.  In the interim, the next time you open a Support Case, if you are lucky enough to draw Mr. King to help you, please say thanks for his fix — and know your Support Case is being handled by a superstar!

Hope that helps,
L. Mark Stone
Mission Critical Email
17 May 2018

The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.