Zimbra Forums

This is a forum for Zimbra admins, i.e. for people managing mailservers. If you use a provider's e-mail service, then you should ask them...

Assuming webmail: check /opt/zimbra/log/mailbox.log.<date> for "GetMsgRequest" on your account.

Thanks Mark, for this wealth of insightful information!

We are using Scality object storage, but that seems unrelated. See support case number 01915369.

We haven't had any issues anymore since running a zimbrastore.jar rebuild with ZBUG-1375 reverted.

For 10.1.17, Zimbra is preparing a change where the Trash folder will have configurable higher quota (like 110%) instead of unlimited: https://github.com/Zimbra/zm-mailbox/pull/1785.

Mark,

There were no actual changes for proxy, MTA and LDS components, only a zimbra-*-patch version bump and a zmfixperms update for Ubuntu 24 support (on all components).

It's a different story with e.g. nginx, which is heavily patched (adding Zimbra modules for the zmauth and route handler functionality), so this one is more complicated to upgrade. For nginx we do backport individual upstream fixes and functionality, but still using Zimbra's 3rd party packages build...

It was faster to patch the 3.5.1 source with the 3.5.5 CVE commits instead of auditing through the zimbra customizations to verify all the zimbra patches are compatible with 3.5.5. There are no Zimbra customizations, Zimbra isn't patching OpenSSL (and never has). Just change the version number and ...

They are neglecting all their 3rd party components, unless someone pushes them really hard to upgrade (once).

Not just openssl, also nginx, postfix, openldap, jetty, tons of java libraries, ...

Why don't you just update version.def OPENSSL_VERSION to 3.5.5 then? That's what we are now running.

That being said, I don't think the openssl CMS vulnerability is applicable to Zimbra.