Zimbra 8.8.15 NE sending license and server data to zextras

BradC
Outstanding Member
Posts: 268
Joined: Tue May 03, 2016 1:39 am

Zimbra 8.8.15 NE sending license and server data to zextras

Post by BradC »

G'day all,

I thought I'd take a look at the new stuff available in Zimbra 9, so I grabbed a new demo license and spun up an 8.8.15 VM to experiment with, planning to do an in-place upgrade to 9.

We have an isolated network hooked up to a dummy "internet" where we safely trial software and "IoT" hardware to see what it does, and I also use it for testing stuff like this so I'm not likely to accidentally leak any data out to the world.

Imagine my surprise when I find the newly installed Zimbra server sending off E-mails to "license@updates.zextras.com" with the contents of the license, and information on the status of the machine (number of accounts, backup accounts). It appears to do this (although not consistently) after machine reboots or zmcontrol restart events also, so it's not just on first install. I'll leave it up for a few days to see if it's periodic.

Anyone else having NE instances sending off data? You can find the e-mails listed in the daily mail reports also. Is this just because it's a trial license?

I don't know how I feel about Zimbra sending off data without my permission. I didn't find it mentioned in any of the license readme(s).

Sanitised E-mail below :


{
  "vendor" : "zextras",
  "zimbra_version" : "8.8.15",
  "name" : "XXXX.XXXXXXXXXX.XXX",
  "version" : "3.0.6",
  "type" : "network_modules",
  "email_version" : 2,
  "license" : {
    "ArchivingAccountsLimit" : "50",
    "ZXDesktopAccountsLimit" : "50",
    "LicenseId" : "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
    "MobileSyncEnabled" : "true",
    "ZXAccountsLimit" : "50",
    "VoiceAccountsLimit" : "50",
    "SMIMEAccountsLimit" : "50",
    "CrossMailboxSearchEnabled" : "true",
    "IssuedToName" : "XXXXXXXXXX",
    "ZSSAccountsLimit" : "50",
    "MAPIConnectorAccountsLimit" : "50",
    "ValidFrom" : "XXXXXXXXXXXXZ",
    "TouchClientsAccountsLimit" : "50",
    "TwoFactorAuthAccountsLimit" : "50",
    "HierarchicalStorageManagementEnabled" : "true",
    "AttachmentConversionEnabled" : "true",
    "ZTalkAccountsLimit" : "50",
    "MobileSyncAccountsLimit" : "50",
    "AccountsLimit" : "50",
    "AttachmentIndexingAccountsLimit" : "50",
    "ZXWebAccountsLimit" : "50",
    "ValidUntil" : "XXXXXXXXXXXXZ",
    "BackupEnabled" : "true",
    "ISyncAccountsLimit" : "50",
    "IssuedOn" : "XXXXXXXXXXXXXXXZ",
    "IssuedToEmail" : "XXXXXXXXXXX@XXXXXXXXXX.XXX",
    "InstallType" : "trial",
    "EwsAccountsLimit" : "50",
    "ResellerName" : ""
  },
  "localServerId" : "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "active" : true,
  "infrastructure" : {
    "servers" : [ {
      "commit" : "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
      "name" : "XXXX.XXXXXXXXXXX.XXX",
      "id" : "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
    } ],
    "numAccounts" : XX,
    "numBackups" : XX,
    "numTalks" : 0,
    "AcKnowledge47" : XXXXXXXXXX
  }
}
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Last edited by BradC on Sat Apr 18, 2020 2:15 am, edited 1 time in total.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra 8.8.15 NE sending license e-mails to zextras

Post by phoenix »

BradC wrote: I don't know how I feel about Zimbra sending off data without my permission.
I don't care what the reason is, as far as I'm concerned no company should submit data to some unknown destination without user consent or explanation and it should not be mandatory to accept that happening. This is disgraceful behaviour - just my 2p worth.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
BradC
Outstanding Member
Posts: 268
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra 8.8.15 NE sending license e-mails to zextras

Post by BradC »

phoenix wrote:
BradC wrote: I don't know how I feel about Zimbra sending off data without my permission.
I don't care what the reason is, as far as I'm concerned no company should submit data to some unknown destination without user consent or explanation and it should not be mandatory to accept that happening. This is disgraceful behaviour - just my 2p worth.
I had a much closer look and it's coming from the zextras licensing module (in zimbra-network-modules-ng). Looking at how it's built, I suspect it's doing it on zextras installs on Zimbra OSE also. I wonder if Zimbra know modules they are supplying as part of an NE install send data to zextras?
BradC
Outstanding Member
Posts: 268
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra 8.8.15 NE sending license e-mails to zextras

Post by BradC »

So I thought I'd look even closer. I probably shouldn't have.

On server start, the zextras modules immediately do an "update check" to https://updates.zextras.com. If it succeeds it sets a flag which inhibits the generation of the license update e-mail for 30 days. If it fails, the first license e-mail goes out 60 minutes after the server starts. It then periodically attempts to do its "update check". If those fail for 30 days it sends the next license e-mail.

The thing is, the information sent in the license e-mail is only a *subset* of the data being sent on each "update check". Turns out the update check contains a large JSON structure with even more data about the server. I've pulled apart and sanitised a request below.

Examination of the binary indicates it is likely shared between the NE code and the zextras modules for OSE, so anyone running a recent NE or the modules on OSE is going to be seeing this data sent off every "update check". If I hadn't isolated the machine from the network, I'd never have seen the license e-mail and got the curiosity to look a bit deeper. Whoops.


{"version":"3.0.6",
"vendor":"zextras",
"type":"network_modules",
"fullZimbraVersion":"8.8.15_GA_3918 20200303013125 20200303-0157 NETWORK",
"zimbraVersion":"8.8.15",
"zimbraVersionType":"Network",
"platform":"@@BUILD_PLATFORM@@",
"buildDate":"20200303-0157",
"buildHost":"zre-ubuntu18-64.eng.zimbra.com.com",
"buildNum":"3918",
"hostname":"aaaa.aaaaaaaa.aa",
"localServerId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"dateStart":XXXXXXXXXXXX,
"dateEnd":XXXXXXXXXXXXXX,
"domains":[{"name":"aaaa.aaaaaaaaaa.aaa","type":"N"},{"name":"bbbb.bbbbbbbbbb.bbb","type":"N"},{"name":"ccc.cccccccccc.ccc","type":"N"},{"name":"dddd.dddddddddd.ddd","type":"N"}],
"licenseType":"trial - Network Edition",
"license":"{\"ArchivingAccountsLimit\":\"50\",
\"ZXDesktopAccountsLimit\":\"50\",
\"LicenseId\":\"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXX\",
\"MobileSyncEnabled\":\"true\",
\"ZXAccountsLimit\":\"50\",
\"VoiceAccountsLimit\":\"50\",
\"SMIMEAccountsLimit\":\"50\",
\"CrossMailboxSearchEnabled\":\"true\",
\"IssuedToName\":\"XXXXXXXXXXXXXXXX\",
\"ZSSAccountsLimit\":\"50\",
\"MAPIConnectorAccountsLimit\":\"50\",
\"ValidFrom\":\"XXXXXXXXXXXXXXZ\",
\"TouchClientsAccountsLimit\":\"50\",
\"TwoFactorAuthAccountsLimit\":\"50\",
\"HierarchicalStorageManagementEnabled\":\"true\",
\"AttachmentConversionEnabled\":\"true\",
\"ZTalkAccountsLimit\":\"50\",
\"MobileSyncAccountsLimit\":\"50\",
\"AccountsLimit\":\"50\",
\"AttachmentIndexingAccountsLimit\":\"50\",
\"ZXWebAccountsLimit\":\"50\",
\"ValidUntil\":\"XXXXXXXXXXXXXXXZ\",
\"BackupEnabled\":\"true\",
\"ISyncAccountsLimit\":\"50\",
\"IssuedOn\":\"XXXXXXXXXXXXXXXZ\",
\"IssuedToEmail\":\"XXXX@XXXXXXXXXX.XXX\",
\"InstallType\":\"trial\",
\"EwsAccountsLimit\":\"50\",
\"ResellerName\":\"\"}",
"servers":[{"commit":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","name":"aaaa.aaaaaaaaaa.aa","id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"}
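An added example, not part of the original post and not Zimbra or Zextras code: one way to inventory which fields in a request of this shape identify the operator, including the license document that is serialised as a string inside the outer JSON. The sample body, its values and the `IDENTIFYING_KEYS` selection are assumptions constructed for the illustration.

```python
import json

# Constructed sample shaped like the sanitised request above (placeholder values only).
SAMPLE_BODY = json.dumps({
    "version": "3.0.6",
    "vendor": "zextras",
    "hostname": "mail.example.test",
    "localServerId": "00000000-0000-0000-0000-000000000001",
    "domains": [{"name": "example.test", "type": "N"},
                {"name": "corp.example.test", "type": "N"}],
    "licenseType": "trial - Network Edition",
    # As in the post, the license is a JSON document serialised into a string.
    "license": json.dumps({"LicenseId": "00000000-0000-0000-0000-000000000002",
                           "IssuedToName": "Example Org",
                           "IssuedToEmail": "admin@example.test",
                           "AccountsLimit": "50"}),
    "servers": [{"commit": "0" * 40, "name": "mail.example.test",
                 "id": "00000000-0000-0000-0000-000000000001"}],
})

# Keys this example treats as identifying the operator (an assumption of the example).
IDENTIFYING_KEYS = {"hostname", "name", "localServerId", "id",
                    "LicenseId", "IssuedToName", "IssuedToEmail"}

def walk(node, path=""):
    """Yield (path, value) for each leaf, descending into strings that hold JSON."""
    if isinstance(node, str) and node.lstrip().startswith(("{", "[")):
        try:
            node = json.loads(node)
        except ValueError:
            pass  # not JSON after all; treat as an ordinary string
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def identifying_fields(body):
    """Map path -> value for every non-empty identifying field in a request body."""
    found = {}
    for path, value in walk(json.loads(body)):
        if path.rsplit(".", 1)[-1] in IDENTIFYING_KEYS and value not in ("", None):
            found[path] = value
    return found

if __name__ == "__main__":
    for path, value in identifying_fields(SAMPLE_BODY).items():
        print(f"{path:28} {value}")
```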
BradC
Outstanding Member
Posts: 268
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra 8.8.15 NE sending license and server data to zextras

Post by BradC »

I checked the EULA. Clauses 11.4. Data Privacy and 11.6. Privacy Policy would allow the collection of data. 11.6 explicitly calls out ZeXtras : "Use of any information collected by Synacor’s licensors shall be governed by such licensor’s privacy policy, such as Synacor’s licensor, Zextras, whose privacy policy is found at https://www.zextras.com/privacy-legal/"

Interestingly the second EULA is attributed to "the Autonomy group" and all the links go 404 to HPE Networking.
Does anyone know who the Autonomy group is now and why their EULA is still in the Zimbra package? Actually, I've been unable to turn up any link between Zimbra and Autonomy, so clues gratefully received.

This is a fun one "10. MARKETING, PUBLICITY AND BRANDING. Licensee agrees that Autonomy may use Licensee's name to identify Licensee as an Autonomy customer. Licensee agrees to place the Autonomy brand logo (e.g.,"Powered by Autonomy") on Licensee's World Wide Web site, intranet or equivalent site, as applicable, in reasonable proximity to any area thereof which provides functionality related to Licensee's Use of the Software. Each party's use of the other party's trademarks and logos will be in accordance with such other party's policies in effect from time to time."

Oh, and I found another method the license data is being exfiltrated to ZeXtras. They must *really* want to make sure Zimbra is paying for every installation. Most of these are also applicable to the ZeXtras modules on Zimbra OSE (or FOSS or whatever it's called this week).

I'll stop now.
JDunphy
Outstanding Member
Posts: 901
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Zimbra 8.8.15 NE sending license and server data to zextras

Post by JDunphy »

Confirmed... One of our NE servers began doing this (From our logs, I see May 5 and now June 5). License data is probably fine but I would rather they did that at time of install or activation ... but the moment they take other information gathered because they are inside my server via a package update and then use my private key to sign from my domain and issue an SMTP HELO using my servers name on their behalf seems like we are going to have a problem.
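An added example, not part of the original posts: a log check an admin could run to list delivery attempts to the address named in this thread and tie each one back to the envelope sender through the Postfix queue ID. The log lines are constructed samples in standard Postfix syslog format; the hostnames, queue IDs and sender address are placeholders.

```python
import re

TARGET_DOMAIN = "updates.zextras.com"  # recipient domain named in this thread

# Constructed sample lines in Postfix syslog format (not real logs).
SAMPLE_LOG = """\
May  5 02:10:10 mail postfix/qmgr[1200]: 3F2A1C0D11: from=<admin@example.test>, size=2298, nrcpt=1 (queue active)
May  5 02:10:11 mail postfix/smtp[2211]: 3F2A1C0D11: to=<license@updates.zextras.com>, relay=none, delay=0.2, status=deferred (connect timed out)
May  5 02:11:40 mail postfix/smtp[2214]: 7B9E0041AA: to=<user@example.test>, relay=mx.example.test[192.0.2.10]:25, delay=1.1, status=sent (250 ok)
Jun  5 02:10:08 mail postfix/qmgr[1200]: 9C4D77E210: from=<admin@example.test>, size=2301, nrcpt=1 (queue active)
Jun  5 02:10:09 mail postfix/smtp[4410]: 9C4D77E210: to=<license@updates.zextras.com>, relay=none, delay=0.3, status=deferred (connect timed out)
"""

# Common syslog prefix: date, time, host, postfix service[pid], queue ID.
PREFIX = (r"^(?P<date>\w{3}\s+\d{1,2}) [\d:]{8} \S+ "
          r"postfix/[\w/-]+\[\d+\]: (?P<qid>[0-9A-F]+): ")
FROM_RE = re.compile(PREFIX + r"from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(PREFIX + r"to=<(?P<rcpt>[^>]+)>.*?\bstatus=(?P<status>\w+)")

def vendor_deliveries(log_text, domain=TARGET_DOMAIN):
    """Return one record per delivery attempt to `domain`, with its envelope sender."""
    lines = log_text.splitlines()
    # First pass: remember the envelope sender logged for each queue ID.
    senders = {}
    for line in lines:
        m = FROM_RE.match(line)
        if m:
            senders[m["qid"]] = m["sender"]
    # Second pass: keep only deliveries whose recipient is at the target domain.
    hits = []
    for line in lines:
        m = TO_RE.match(line)
        if m and m["rcpt"].lower().rpartition("@")[2] == domain:
            hits.append({
                "date": " ".join(m["date"].split()),
                "qid": m["qid"],
                "rcpt": m["rcpt"],
                "sender": senders.get(m["qid"], "unknown"),
                "status": m["status"],
            })
    return hits

if __name__ == "__main__":
    for hit in vendor_deliveries(SAMPLE_LOG):
        print(hit)
```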
BradC
Outstanding Member
Posts: 268
Joined: Tue May 03, 2016 1:39 am

Re: Zimbra 8.8.15 NE sending license and server data to zextras

Post by BradC »

Wait till you step up to Zimbra 9 and it "kicks up a gear".