April 2021 Zeta Alliance Weekly Call Summaries


April 2021 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

April 6, 2021

Mailboxd Java Options
Mark S. said that in the 8.8.15 Patch 20 release notes ( https://wiki.zimbra.com/wiki/Zimbra_Rel ... _Mailstore ), he noticed a recommendation to use the Java parameter: “-Djavax.net.debug=ssl,handshake,data” and he wanted to know if using this option would significantly increase the size of his logs in Zimbra. [Editor Note: the release notes page has since been revised to omit this Java parameter.] John E. said it should not hurt and can be helpful in determining that things are working correctly. He said that in the event the Java parameters do not work, it will present itself as a certificate failure upon startup.

Revised 8.8.15 Patch 20 and 9.0 Patch 13 Releases
John H. said there were two issues that arose with 8.8.15 P20 and 9.0 P13 after their initial release on March 30th that required a revised build of each on April 2nd. The first issue related to an incompatibility with kernel versions 4.8 and 4.9 with OpenSSL 1.1.1h in Red Hat 6 and Ubuntu 14 ( https://wiki.zimbra.com/wiki/Zimbra_Rel ... and_4.9.29 ). The symptoms of this issue are discussed in this Forum thread: http://forums.zimbra.org/viewtopic.php? ... e3bba8c87a .

The second issue was related to Zimbra installations running a dual stack (IPv4 and IPv6) configuration, where the Zimbra IPv4 interface can be incorrectly disabled, as described in this Forum thread: viewtopic.php?f=13&t=69412 . [Editor Note: a third revised version of 8.8.15 P20 and 9.0 P13 was released on April 8th to address a security vulnerability in SpamAssassin 3.4.4, discussed in the March 30th Zeta Alliance Call: viewtopic.php?f=9&t=69488#p301185 ].

Follow-Up: Zimbra Support For Ubuntu 16.04 LTS
To follow-up on the Zeta Alliance March 30th call related to the topic of Zimbra support for Ubuntu 16.04 LTS, John H. confirmed that there are no plans to end Ubuntu 16.04 LTS support for the foreseeable future.

Zimbra Video Server
Mark S. asked if anyone knew of the timeline for when the Zimbra Video Server is anticipated to leave beta and become generally available. No one on the call had an update to share.

HTTP/2.0 Support In Zimbra
Randy L. said that he noticed HTTP/2.0 support had been introduced with the new Nginx version that is included with 8.8.15 Patch 20 and 9.0 Patch 13. He asked if HTTP/2 support is now supported end-to-end from the Zimbra Nginx proxy to the mailbox server. John H. said that HTTP/2 support is currently only supported on the Nginx front-end and not yet supported on the mailbox server back-end. End-to-end support for HTTP/2 is still being reviewed to ensure that no security risks will be introduced.

ClamAV Security Vulnerabilities In Zimbra
Randy L. shared that the ClamAV 102.2 version included in the recently released 8.8.15 Patch 20 and 9.0 Patch 13 has four security vulnerabilities:
The first three vulnerabilities can be exploited simply by sending a carefully crafted email attachment within an email to a Zimbra server configured to perform ClamAV scanning of inbound or outbound email. The fourth vulnerability requires an attacker to have local shell access to a Zimbra server where ClamAV is installed to exploit, making the first three vulnerabilities of greater concern for Zimbra administrators. Randy L. said he opened a support case with Zimbra and was assigned ZBUG-2193. The status of this bug can be monitored from the Zimbra Support Portal bug look-up tool.

NextCloud, ownCloud, and OnlyOffice Integrations With Zimbra
Marc S. asked for thoughts on using NextCloud or ownCloud with Zimbra. Randy L. said his personal preference is NextCloud and feels that many choose either NextCloud or ownCloud based on personal preferences and their history with each respective product. Marc G. asked if anyone is using OnlyOffice with NextCloud. Randy L. said that a few years ago, he tried to negotiate a deal to use OnlyOffice for an integration with Zimbra and NextCloud, but found that OnlyOffice lacked a service provider orientated licensing program, where instead they were offering traditional software licensing terms making it a non-starter for use in a service provider environment. He added that since then, Zimbra Docs has progressed forward, and knows that at one point, Barry D. had a working Zimlet for integrating OnlyOffice with Zimbra, but was unsure of the current status of the Zimlet. John E. said that in Zimbra Cloud, an OnlyOffice integration is currently available. [Editor Note: Barry D. confirmed on April 21st via the Zeta Alliance mailing list that the OnlyOffice integration ( https://github.com/Zimbra-Community/owncloud-zimlet ) in the Nextcloud Zimlet for Classic UI was confirmed as still working as recently as April 2021. He said the same instance of OnlyOffice can be used with the Zimlet as well as with Nextcloud.]


Randy Leiker
Skyway Networks, LLC
Last edited by rleiker on Wed Apr 21, 2021 8:12 pm, edited 1 time in total.

Re: April 2021 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

April 13, 2021

Slow SmartScan After Installation of 8.8.15 Patch 20
Mark S. said that after installing 8.8.15 P20, he observed that SmartScans on his Zimbra servers had slowed. Matthew F. said that he also installed P20, but has not seen any performance impact on SmartScans so far.

Failing LDAP Backups After Installation of 8.8.15 Patch 20
Mark S. said that after he installed 8.8.15 P20, he noticed that LDAP backups performed from his Zimbra mailbox server had unexpectedly stopped. Upon investigation, he found that the Zextras SmartScan was trying to use an incorrect LDAP root password to perform the backups. In an attempt to fix it, Zimbra Support recommended that Mark manually edit the “ldap_root_password” value in the /opt/zimbra/conf/localconfig.xml file on his mailbox server, but this did not fix the issue. He added that he did not restart the mailboxd service after making the change. Randy L. said he had the same issue back in December 2018 with Zimbra 8.8.10, where he was seeing emailed warnings from incomplete SmartScans with the error message: “DoBackupLDAP backup path: /path-to-backups/ldap_03_12_18#00_01_00.tar.gz warning: [ldap.example.com] invalid credentials”. Randy said the solution at the time was to confirm that the passwords for each of the following zmlocalconfig values were set the same on all Zimbra servers in the cluster:
  • ldap_amavis_password
  • ldap_bes_searcher_password
  • ldap_nginx_password
  • ldap_postfix_password
  • ldap_replication_password
  • ldap_root_password
  • zimbra_ldap_password
Followed by manually editing the “ldap_root_password” value in the /opt/zimbra/conf/localconfig.xml file on the servers hosting the Zimbra mailboxd services, then performing a “zmcontrol restart” to put the change into effect.

Performing Raw Restores In Zimbra
Mark S. commented that he was recently performing a Raw Restore ( https://zimbra.github.io/zimbra-9/admin ... aw-restore ) on one of his Zimbra servers, and encountered some trouble until he realized that both the source and destination servers needed to be on the same version and patch level for this feature to work. Matthew F. said when performing Raw Restores in the past, he has been successful with guaranteeing the source and destination servers have the same version and patch level by cloning the Zimbra repo, when rebuilding a new server, as the target of the restore. This allows him to ensure the restore runs the exact version as the old server from which the backup was originally performed on.

Zimbra Forum Missing TLS Redirect and Mismatched Certificate Name Issues
Randy L. said he opened Zimbra Support case # 01172173 related to some misconfigurations of the web server hosting the Zimbra Forum. If a visitor to the Forum enters “forums.zimbra.org” in their browser address bar, uses a bookmark, or clicks a search engine result, they are not automatically redirected to a TLS session. This remains true if a Forum user clicks the “Login” link, exposing each affected Forum user’s login information in plain-text on the Internet.

A second issue relates to an SSL certificate name mismatch for the Forum. The web site is currently configured to respond to requests for the host names “forums.zimbra.org” and “forums.zimbra.com”. However, the site is only configured with a wildcard SSL certificate that matches *.zimbra.org host names. So, if a visitor reaches the site via https://forums.zimbra.com, this will cause all web browsers to display a security warning related to the mismatched SSL certificate name.

Randy said that both issues can be fixed with some trivial web server configuration changes such as a URL rewrite for redirecting non-TLS sessions to TLS, and adding an additional subject alternative name to the SSL certificate for forum.zimbra.com, or just redirecting visitors from forums.zimbra.com to forums.zimbra.org.

Follow-Up: ClamAV Vulnerabilities In Zimbra 8.8.15 P20 and 9.0 P13
To follow-up on the April 6th Zeta Alliance call, Randy L. shared another vulnerability that affects the ClamAV 102.2 version recently released with 8.8.15 Patch 20 and 9.0 Patch 13:
This vulnerability can be exploited when an attacker sends a carefully crafted email attachment to a Zimbra server containing a PDF file that is configured to scan inbound or outbound email with ClamAV. Zimbra will need to upgrade to a minimum of ClamAV 102.4 to address the 4 ClamAV vulnerabilities discussed in the April 6th Zeta Alliance call, or preferably upgrade to a minimum of ClamAV 103.2 to address CVE-2021-1404, allowing for all 5 known vulnerabilities to be patched.

New Zimbra Android and iOS Apps
John E. said that a new Android app for Zimbra has been released in the Google Play store ( https://play.google.com/store/apps/deta ... n_US&gl=US ). The iOS Zimbra app is not yet available for downloads pending Apple’s review of the app. Mark S. asked if the apps will require Zimbra 8.8.15 or 9.0. John E. & John H. said they are told it is designed for use with Zimbra 9, but they were not sure if this is accurate. Randy L. asked if it is a replacement for using Exchange ActiveSync with native device apps, for synchronizing email, contacts, and calendars. John E. confirmed that it is and that there will be continued development to keep the apps current with the latest Zimbra features. He added that after discussing the road map for the apps with the Zimbra product team, the focus is currently on the email features, to be followed by focusing on contacts, calendars, and then incorporating Zimbra add-ons like Chat, etc.

Marc G. asked about Zimbra partner branding opportunities for the apps. John E. said there will likely not be partner branding, but he suggested partners reaching out to their contacts at Zimbra to discuss. Marc G. said that he has observed other software vendors offering branding options for their apps by charging a monthly fee to grant partners access to an app’s source code, allowing a partner to build a branded version and submit it to the app stores. John E. said a similar option was discussed with the Zimbra product team, and while the Zimbra 9 Modern UI code is available for partner review, it is not currently available for licensed derivative works. Noah P. said that he would be ok with the Synacor branded apps, but at a minimum he would like to see a capability included allowing partners to add specific links in the app, such as to a partner’s support portal rather than the general Zimbra support site.

New Zimbra Desktop App
John E. said that a limited group of beta testers have been playing with a desktop app version of Zimbra (a successor to the previously deprecated Zimbra Desktop app), and he encouraged people to reach out to him with feedback. Mark S. said that it is an Electron app ( https://www.electronjs.org/ ). John E. said that the app is designed so the same code can be used for the Zimbra Web Client, mobile apps, and desktop app. It is not just a wrapper of the Zimbra Web Client, but rather the desktop app has a significant number of things that have been done to allow it to work in offline mode. Mark S. asked if Zimbra customers using virtual hosts will have the ability to do branding in the desktop app. John E. said that he will bring this request to the Zimbra product team.


Randy Leiker
Skyway Networks, LLC
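
The two Forum web server issues described in the post above (no redirect from plain HTTP to TLS, and a wildcard certificate that does not cover every host name the site answers for) can be re-checked after a configuration change with a small audit script. This is an added example, not part of the original post; the sample replies and the "/login" path are constructed placeholders, and the two probe helpers are only for use against sites you administer.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit


def wildcard_match(pattern, host):
    """RFC 6125-style match: "*" may only replace the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def redirect_is_tls(status, location, allowed_hosts):
    """True if a plain-HTTP reply redirects to https:// on an expected host."""
    target = urlsplit(location or "")
    return (status in (301, 302, 307, 308) and target.scheme == "https"
            and target.hostname in allowed_hosts)


def audit(http_replies, https_hosts, cert_dns_names, allowed_hosts):
    """http_replies: {(host, path): (status, Location)} seen on port 80."""
    findings = []
    for (host, path), (status, location) in sorted(http_replies.items()):
        if not redirect_is_tls(status, location, allowed_hosts):
            findings.append(f"http://{host}{path} answered {status} with no HTTPS redirect")
    for host in https_hosts:
        if not any(wildcard_match(name, host) for name in cert_dns_names):
            findings.append(f"https://{host} is not covered by the certificate names")
    return findings


def probe_http(host, path="/", timeout=5):
    """Live helper: one GET on port 80, redirects not followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        reply = conn.getresponse()
        return reply.status, reply.getheader("Location", "")
    finally:
        conn.close()


def probe_cert_names(host, timeout=5):
    """Live helper: DNS names in the served certificate (chain verified, name not)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in audit() instead
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
    return [value for kind, value in san if kind == "DNS"]


# Constructed sample matching the behaviour described in the post.
# "/login" is a placeholder path, not the Forum's real login URL.
SAMPLE_REPLIES = {("forums.zimbra.org", "/"): (200, ""),
                  ("forums.zimbra.org", "/login"): (200, "")}
SAMPLE_FINDINGS = audit(SAMPLE_REPLIES,
                        ["forums.zimbra.org", "forums.zimbra.com"],
                        ["*.zimbra.org"], {"forums.zimbra.org"})

if __name__ == "__main__":
    print("\n".join(SAMPLE_FINDINGS))
```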
ZCS/ZD Version: 8.8.15 P19

Re: April 2021 Zeta Alliance Weekly Call Summaries

Post by DavidMerrill »

rleiker wrote:
Failing LDAP Backups After Installation of 8.8.15 Patch 20
Mark S. said that after he installed 8.8.15 P20, he noticed that LDAP backups performed from his Zimbra mailbox server had unexpectedly stopped. Upon investigation, he found that the Zextras SmartScan was trying to use an incorrect LDAP root password to perform the backups.

I've run into a similar error on the LDAP backups, in my case I seem to be getting an LDAP backup (there's a tar.gz on disk) but I'm seeing the following warning:

    Warnings: Unable to backup LDAP config schema: missing ldap_root_password in localconfig

The LDAP root password was empty in:

    /opt/zimbra/conf/localconfig.xml

and a:

    zmlocalconfig -s | grep -i assword | grep -i ldap

also had an empty entry for the LDAP root password.

I've made the required changes and will do a service restart later & report in.
___________________________________
David Merrill - Zimbra Practice Lead
OTELCO Zimbra Hosting, Licensing and Professional Services
Zeta Alliance
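
The cluster-wide check described in the April 13 summary (the seven LDAP password keys set the same on every server) and the empty "ldap_root_password" case reported in the reply above can both be found from saved `zmlocalconfig -s` output without ever printing a password. This is an added example, not code from either poster or from Zimbra; it assumes the "key = value" line format that `zmlocalconfig -s` prints, and the host names and secrets below are constructed.

```python
# The seven keys listed in the April 13 call summary.
LDAP_KEYS = (
    "ldap_amavis_password", "ldap_bes_searcher_password", "ldap_nginx_password",
    "ldap_postfix_password", "ldap_replication_password", "ldap_root_password",
    "zimbra_ldap_password",
)


def parse_localconfig(text):
    """Parse `zmlocalconfig -s` output ("key = value" per line) into a dict."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # split on the first "=" only
        if sep:
            values[key.strip()] = value.strip()
    return values


def audit_cluster(outputs):
    """outputs: {hostname: `zmlocalconfig -s` text gathered on that host}.

    Returns findings as (key, problem, hosts). Values are compared in memory
    and never returned, so the report is safe to paste into a ticket.
    """
    parsed = {host: parse_localconfig(text) for host, text in outputs.items()}
    findings = []
    for key in LDAP_KEYS:
        hosts_by_value = {}
        empty = []
        for host in sorted(parsed):
            value = parsed[host].get(key, "")
            if value:
                hosts_by_value.setdefault(value, []).append(host)
            else:
                empty.append(host)  # missing or blank, as in the reply above
        if empty:
            findings.append((key, "empty", empty))
        if len(hosts_by_value) > 1:
            # Largest group first; each inner list is hosts that agree.
            groups = sorted(hosts_by_value.values(), key=lambda g: (-len(g), g))
            findings.append((key, "mismatch", groups))
    return findings


def _sample(**overrides):
    """Build constructed `zmlocalconfig -s` style text for one host."""
    values = {key: "constructed-secret-A" for key in LDAP_KEYS}
    values.update(overrides)
    return "\n".join(f"{key} = {value}" for key, value in values.items())


# Constructed three-server cluster: one blank root password, one stale value.
SAMPLE = {
    "ldap1.example.com": _sample(),
    "mbox1.example.com": _sample(ldap_root_password=""),
    "mta1.example.com": _sample(ldap_postfix_password="constructed-secret-B"),
}

if __name__ == "__main__":
    for key, problem, hosts in audit_cluster(SAMPLE):
        print(f"{key}: {problem}: {hosts}")
```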

Re: April 2021 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

April 20, 2021

Zextras Version In Upcoming 8.8.15 Patch 21 and 9.0 Patch 14
Mark S. asked if the upcoming 8.8.15 Patch 21 and 9.0 Patch 14 will have the latest Zextras version included, 3.1.10 ( https://docs.zextras.com/zextras-suite- ... ite_3_1_10 ), or will it be one version prior, 3.1.9 ( https://docs.zextras.com/zextras-suite- ... uite_3_1_9 ). John H. said he believes that each Zimbra patch will always include the immediate prior version of the latest Zextras release, as there is not enough time to do regression testing of the latest Zextras version during a given month’s patch. This suggests that Zextras 3.1.9 will be included in 8.8.15 P21 and 9.0 P14. John H. added that Zextras 3.1.10 is anticipated to be included in 8.8.15 P22 and 9.0 P15.

Follow-Up: Slow SmartScan After Installation of 8.8.15 Patch 20
To follow-up on this April 13th Zeta Alliance call topic, Mark S. said that what he thought was a slow SmartScan issue after installing 8.8.15 P20, was not an issue after all, and was simply due to SmartScan performing a process similar to a deep scan. After it finished, backups returned to their normal performance level. Matthew F. said he looked up his SmartScan notification emails from Zimbra following the recent P20 installation, but did not see any deep scans occurring. Mark S. said that it may not be a deep scan necessarily, but appeared to be going through every mailbox (15 million objects), and was running for 3+ hours, when it normally takes about 5 minutes to complete a SmartScan process.

Cost Savings When Using Zimbra Centralized Storage With AWS S3
Mark S. presented storage cost/performance graphs from his AWS account showing the results after his roll out of the Centralized Storage feature to his Zimbra servers. He said that after setting up Centralized Storage, he was able to move much of his mailbox data to AWS’ S3 Intelligent-Tiering storage class ( https://aws.amazon.com/s3/storage-classes/ ), which is less than half the price of the Standard Storage class, providing a significant cost savings in his environment. He added that he has an HSM policy set up that moves mail items older than a few days to the Intelligent-Tiering class, and his customers have reported no adverse performance impacts with this new configuration. Matthew F. asked if Mark set this up for his Zimbra backups too. Matthew said that if a deep SmartScan was run following the installation of a given Zimbra patch, he was wondering if that would affect the ability to keep mailbox data in the lower cost Intelligent-Tiering class. Mark S. said that he is using the same storage classes for his backups and that he has not observed any adverse effects on the storage classes and cost savings. He did however say that he has noticed that backups seem to take a longer amount of time to run, probably due to the process of zipping up the individual mail blobs, then uploading those files to S3. He explained that he opened a support case with AWS asking about rate limiting with the storage services he is using, and that Support took a close look at what Mark has been doing, and said that he is nowhere near the rate limits that AWS applies to their customers’ hosted instances. Mark S. said he is hoping that future versions of Zextras can make more improvements in storage throughput when using S3 storage.

FIPS Support in Zimbra 9.0 Patch 13 Causes Postfix Crash
Mark S. shared a post in the Zimbra Forum ( viewtopic.php?f=13&t=69499 ) discussing an issue in Zimbra 9.0 P13 where the Zimbra MTA (Postfix) SMTP process can crash when configured to use the new FIPS mode introduced in Patch 13. He suggested to John H. that the release notes for 8.8.15 and 9.0 should be updated to advise Zimbra administrators of the setting that needs to be set to avoid this issue. John H. said he is working on it and hopes to have it updated soon.


Randy Leiker
Skyway Networks, LLC

Re: April 2021 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

April 27, 2021

Sharing Individual Files From The Zimbra Briefcase
Noah P. said that he uses the Zimbra Briefcase often and that he has a client that wants to start using it to share documents with meeting attendees outside of the client’s email domain. He said he knows that a Briefcase share can be created from the folder level, but asked, is there a means to share a specific document from within a folder, rather than a whole folder? John H. confirmed that shares can only be created at the folder level.

Zimbra Cloud and Cloud Storage Providers
Marc G. said he was trying out Zimbra Cloud and that when he connects his Dropbox and OneDrive storage to his Zimbra Cloud account, he could not find a place in the Zimbra Cloud UI where he can access these connected storage accounts. He said he found things in Zimbra Cloud to be responsive and thought the administration features were well designed for the use cases they are intended to serve. John E. said that one of the tabs in Zimbra Cloud called Cloud Storage currently just provides instructions on how to use outside cloud storage, but he has suggested to the Zimbra product team that it should do more, making it easier for end users to access their external storage accounts. It was suggested that the instructions for accessing outside cloud storage accounts may be contained in one of the automated welcome emails sent by Zimbra Cloud.

Experiences with 8.8.15 Patch 21 and 9.0 Patch 14
Mark S. asked if anyone on the call had installed 8.8.15 P21 or 9.0 P14 yet. Randy L. said he installed P21 last night, and so far, all appeared to be working smoothly. Mark also asked if Randy had enabled TLS 1.3. Randy L. said he enabled it back when he installed 8.8.15 P20, and was also happy to see HTTP/2.0 support for the Zimbra Web Client added at the same time in P20 to help accelerate Web Client performance.

Noteworthy Improvements in 8.8.15 Patch 21 and 9.0 Patch 14
Marc G. asked if there were any urgent reasons to install 8.8.15 P21 or 9.0 P14. Randy L. said the most significant reason to install either patch sooner than later is that it includes an updated version of ClamAV, version 103.2, which provides patches for 5 ClamAV vulnerabilities, four of which have high CVSS scores of 7.5 out of 10, discussed in the earlier April 6th and April 13th Zeta Alliance calls. The patches also include a fix for a vulnerability in OpenSSL with a CVSS score of 5.9. Mark S. said an additional reason to install either new Zimbra patch is that it includes a fix for purging expired backup data stored in S3 volumes, discussed in the March 2nd and March 9th Zeta Alliance calls.

Updated Zextras Road Map
Randy L. said while browsing Forum postings on the Zextras site, he came across a link to an updated Zextras road map for 2021: https://community.zextras.com/zextras-suite-roadmap/ . Mark S. commented that the road map shows the Video Server as complete in Zextras 3.1.8, but 8.8.15 P21 and 9.0 P14 (which both include Zextras 3.1.9) still show the Video Server as beta. John H. said he noticed this too and will bring it up for discussion on the next call with the Zextras & Zimbra development teams.


Randy Leiker
Skyway Networks, LLC