ZCS 8.8.15 considered harmful

hsingh
Zimbra Employee
Posts: 5
Joined: Tue Aug 02, 2016 1:40 pm

Re: ZCS 8.8.15 considered harmful

Post by hsingh »

Nix67 wrote:Hello Hsingh,

Thanks for your reply. I'm going to give it a try in a lab version of the Zimbra I had the issue with and will report to let you know if it worked.
I don't know exactly when I will do so but hopefully, still this week.

Also, can you perhaps explain to me what this attribute is for?

Thanks

Florian
Hello Florian,

Once we enable zimbraCsrfTokenCheckEnabled then mailboxd will check CSRF tokens for the accounts.
It's a security feature which prevents hijacking of cookies by an attacker.

You can check the details of CSRF related vulnerabilities over here - "CWE-352" - https://cwe.mitre.org/data/definitions/352.html
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Thanks,
Heera
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: ZCS 8.8.15 considered harmful

Post by L. Mark Stone »

phoenix wrote:
L. Mark Stone wrote:Zimbra X and Zimbra 8.8.15 are two different products for two different markets. Zimbra X is for the Service Provider market: telecoms, ISPs etc. whereas 8.8.15 is for the commercial market: companies that want to know and control where their email data lives.
Where, exactly, has Synacor provided any information about the continued existence of the current on-site deployment of the current ZCS version - their silence in these forums is stunning, extremely disappointing and a missed opportunity.
Bill,

8.8.15 is covered under General Support until the end of 2022. Coverage for each of 8.6 and 8.7.11 was extended, so you've got more than three years of a known, already-released on-premises product in 8.8.15 you can count on. On today's earnings call, Himesh specifically stated there will be a version of Zimbra X for the commercial market.

I may be misinterpreting your post, but have you seen anything that leads you to believe Zimbra will stop providing a product that can be deployed on-premises? Because certainly from all my interactions as a Partner with Zimbra staff, the Partner briefings, webinars etc., my impression is that Synacor is definitely pivoting to their software segment (CloudID and Zimbra) as a priority over high-scale, low-margin portal business.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS 8.8.15 considered harmful

Post by phoenix »

I understand the support cycle and know the dates specified but there is never any feedback about the current on-premises deployment being continued. As I've mentioned many times, the lack of involvement in these forums shows utter contempt for the users and their problems.

What is a "Zimbra X for the commercial market" and what exactly does that mean for the users in these forums? As usual, no information for the many users that visit these forums and spend their time helping others - that's my point.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
BradC
Outstanding Member
Posts: 266
Joined: Tue May 03, 2016 1:39 am

Re: ZCS 8.8.15 considered harmful

Post by BradC »

phoenix wrote:I understand the support cycle and know the dates specified but there is never any feedback about the current on-premises deployment being continued. As I've mentioned many times, the lack of involvement in these forums shows utter contempt for the users and their problems.

What is a "Zimbra X for the commercial market" and what exactly does that mean for the users in these forums? As usual, no information for the many users that visit these forums and spend their time helping others - that's my point.
Agree with everything you've said. Each time Zimbra gets footballed to the next company, the communication and participation just gets another notch worse.

I did note this on the beta page though "Based on Zimbra’s open source project ensuring security and allowing for full source code review", so one might (perhaps rashly) make the assumption there will remain some form of OSE Zimbra edition.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS 8.8.15 considered harmful

Post by phoenix »

BradC wrote:I did note this on the beta page though "Based on Zimbra’s open source project ensuring security and allowing for full source code review", so one might (perhaps rashly) make the assumption there will remain some form of OSE Zimbra edition.
Yes, I've also seen that and that requires someone build a version that works but I haven't seen anyone do that recently. I guess that would be a possibility sometime in the future but I don't know if anyone has considered taking the plunge - I couldn't possibly do that as I don't have the experience. :(
Regards

Bill

quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: ZCS 8.8.15 considered harmful

Post by quanah »

phoenix wrote:
BradC wrote:I did note this on the beta page though "Based on Zimbra’s open source project ensuring security and allowing for full source code review", so one might (perhaps rashly) make the assumption there will remain some form of OSE Zimbra edition.
Yes, I've also seen that and that requires someone build a version that works but I haven't seen anyone do that recently. I guess that would be a possibility sometime in the future but I don't know if anyone has considered taking the plunge - I couldn't possibly do that as I don't have the experience. :(
From what I understand, there has been discussion about a possible on-prem replacement that is not Zimbra X, but there's been zero work done on it at this time, and whether or not it will ever manifest is anyone's guess.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
Silverino44
Posts: 1
Joined: Sat Aug 10, 2019 3:40 am

Re: ZCS 8.8.15 considered harmful

Post by Silverino44 »

hsingh wrote:Hello All,

We have a workaround for this, please enable zimbraCsrfTokenCheckEnabled by running below commands and restart mailbox service:

su - zimbra
zmprov mcf zimbraCsrfTokenCheckEnabled TRUE
zmmailboxdctl restart
Hello, I used the code that you gave but until now, it does not work.
snowymoountain
Advanced member
Posts: 111
Joined: Thu Aug 02, 2018 4:24 pm

Re: ZCS 8.8.15 considered harmful

Post by snowymoountain »

Oh Dear,

So I take it from the lack of Zimbra employees' response here the Opensource Zimbra is to be canned, that's a shame, I was just ramping up to a few thousand users, having moved users from various other systems, even thinking of tempting back some Gmail users.

I am so tired of the constant cloud push by companies always making things so much more expensive.

It looks like I'll be moving to another opensource project.... in the next few years.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS 8.8.15 considered harmful

Post by phoenix »

snowymoountain wrote:So I take it from the lack of Zimbra employees' response here the Opensource Zimbra is to be canned, that's a shame, I was just ramping up to a few thousand users, having moved users from various other systems, even thinking of tempting back some Gmail users.
You can't read anything into the lack of response from Zimbra employees, they hardly ever post in these forums and only to answer (some) users' posts.

I would agree with your sentiments but I'd hold off making any big decisions about ZCS, the current version is supported for a good few years and that gives you and others plenty of time to plan a possible move to another product. Don't forget the old adage: act in haste, repent at leisure. :) I won't hold my breath but give Zimbra some time and they may actually recognise what a great product and user base they have here. You can guess from that I'm an optimist but I'm also a pragmatist and will be looking at other products for a possible move in a few years' time.

[EDIT]BTW, Zimbra X is a different product than the 'classic' on-premises version and aimed at different markets, you're not the only one that hates 'the cloud' and I wouldn't touch it with a barge pole. Who knows what tomorrow will bring.
Regards

Bill

snowymoountain
Advanced member
Posts: 111
Joined: Thu Aug 02, 2018 4:24 pm

Re: ZCS 8.8.15 considered harmful

Post by snowymoountain »

I'm not going to act now but obviously I'll make plans, I've forked out a fair amount on zextras who have an ongoing agreement with Zimbra so their whole opensource business would be finished if the opensource product was scrapped.

That said there are a few other good choices that more than fit the space.

It's not that I hate the cloud, it's that for many it's a security requirement to host in our own datacentre.

Likely there must be millions using the base product who would just switch to something else in a flash if the opensource product got canned.

Cloud is great but I'm not convinced in an increasingly fragmented world with cyber attacks and new cold wars arising that basing your services in an amorphous cloud is the way most will want to go.

I foresee massive attacks on cloud services causing outages as the norm in the near future.