Thank you all for ideas and thoughts. Let me just add some maybe critical points and answer the open questions.
Yes, I am on ESX all the time. The old (2 weeks old) ZCS 8.0.9 on Ubuntu 12.04 is also on ESX, shut down and getting older every day.
Regarding TLS 1.0 and 1.1 on new ZCS 8.8.6 + Patch I think I have both of them ENABLED. SSL Labs shows it should be supported by all clients, back to XP w/ SP3 and Android 2.3.7. That covers pretty much all clients I have.
Regarding blacklists and account lockouts...maybe it's just a coincidence, but dealing with 10000 queue length every few days due to some account breach, and each time a different client. Well, this never happened to me in the past 6 or 7 years using any previous Zimbra server. But it still could be a coincidence.
Regarding Fail2ban...I did not like the idea of having an additional firewall on the ZCS box beside the existing pfSense/OPNsense firewall. So I quit installing fail2ban, because of lack of knowledge to make it work in conjunction with the pfSense/OPNsense firewall. I would like my firewall to ban offending IPs for the entire server "cluster", not just for the Zimbra server.
Besides, when I was last dealing with a compromised account yesterday, I had some 100/minute failed login attempts via Zimbra Webmail by some malicious scripts (obviously...who else could type so fast?). How to deal with those, as ZCS reveals its own IP in logs?
When going to 8.8.6 + patch I did NOT select any new features, like new IMAP, Chat or Zimbra drive.
BUT I HAD A LOT OF PROBLEMS injecting memcached and nginx into the new 8.8.6. Previous 8.0.9 did not have any of those, and when I upgraded, those two simply did not start. Tried many different methods, so I do not remember which method worked, but it took me a few hours to bring those two up and running.
Maybe I broke something during the process, very likely.
ANOTHER possible problem was migration of config, because the old ZCS 8.0.9 was directly opened to the internet and had a public IP on the NIC adapter, while the new server I migrated to is now behind a firewall, having a LAN IP. Of course, I configured split DNS on the firewall and adjusted settings accordingly, but still there might be something somewhere inside, causing troubles.
Regarding repositories...this is what's in use:
/etc/apt/sources.list:deb http://si.archive.ubuntu.com/ubuntu/ trusty main restricted
/etc/apt/sources.list:deb-src http://si.archive.ubuntu.com/ubuntu/ trusty main restricted
/etc/apt/sources.list:deb http://si.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
/etc/apt/sources.list:deb-src http://si.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
/etc/apt/sources.list:deb http://si.archive.ubuntu.com/ubuntu/ trusty universe
/etc/apt/sources.list:deb-src http://si.archive.ubuntu.com/ubuntu/ trusty universe
/etc/apt/sources.list:deb http://si.archive.ubuntu.com/ubuntu/ trusty-updates universe
/etc/apt/sources.list:deb-src http://si.archive.ubuntu.com/ubuntu/ trusty-updates universe
/etc/apt/sources.list:deb http://si.archive.ubuntu.com/ubuntu/ trusty multiverse
/etc/apt/sources.list:deb-src http://si.archive.ubuntu.com/ubuntu/ trusty multiverse
/etc/apt/sources.list:deb http://si.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
/etc/apt/sources.list:deb-src http://si.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
/etc/apt/sources.list:deb http://si.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
/etc/apt/sources.list:deb-src http://si.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
/etc/apt/sources.list:deb http://security.ubuntu.com/ubuntu trusty-security main restricted
/etc/apt/sources.list:deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted
/etc/apt/sources.list:deb http://security.ubuntu.com/ubuntu trusty-security universe
/etc/apt/sources.list:deb-src http://security.ubuntu.com/ubuntu trusty-security universe
/etc/apt/sources.list:deb http://security.ubuntu.com/ubuntu trusty-security multiverse
/etc/apt/sources.list:deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse
/etc/apt/sources.list.d/zimbra.list:deb [arch=amd64] https://repo.zimbra.com/apt/87 trusty zimbra
/etc/apt/sources.list.d/zimbra.list:deb-src [arch=amd64] https://repo.zimbra.com/apt/87 trusty zimbra
I also just now updated the existing Ubuntu 14.04 to latest, reinstalled ZCS 8.8.6 and re-patched it.
Wait until tomorrow and see what we've got.
BTW...one fail during re-install:
zimlets
com_sol1_chromefix...failed. This may impact system functionality.