ZCS 8.8.15 considered harmful

Ask questions about your setup or get help installing ZCS server (ZD section below).
hsingh
Zimbra Employee
Zimbra Employee
Posts: 5
Joined: Tue Aug 02, 2016 1:40 pm

Re: ZCS 8.8.15 considered harmful

Postby hsingh » Wed Aug 07, 2019 4:13 pm

Nix67 wrote:Hello Hsingh,

Thanks for your reply. Im going to give it a try in a lab version of the Zimbra I had the issue with and will report to let you know if it worked.
I dont know exactly when I will do so but hopefully, still this Week.

Also, can you perhaps explain me what is attribute is for?

Thanks

Florian


Hello Florian,

Once we enable zimbraCsrfTokenCheckEnabled then mailboxd will check CSRF tokens for the accounts.
It's a security feature which prevents hijacking of cookies by an attacker.

You can check the details of CSRF related vulnerabilities over here - "CWE-352" - https://cwe.mitre.org/data/definitions/352.html
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Thanks,
Heera


User avatar
L. Mark Stone
Elite member
Elite member
Posts: 1994
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition
Contact:

Re: ZCS 8.8.15 considered harmful

Postby L. Mark Stone » Wed Aug 07, 2019 11:18 pm

phoenix wrote:
L. Mark Stone wrote:Zimbra X and Zimbra 8.8.15 are two different products for two different markets. Zimbra X is for the Service Provider market: telecoms, ISPs etc. whereas 8.8.15 is for the commercial market: companies that want to know and control where their email data lives.
Where, exactly, has Synacor provided any information about the continued existence of the current on-site deployment of the current ZCS version - their silence in these forums is stunning, extremely disappointing and a missed opportunity.


Bill,

8.8.15 is covered under General Support until the end of 2022. Coverage for each of 8.6 and 8.7.11 were extended, so you've got more than three years of a known, already-released on-premises product in 8.8.15 you can count on. On today's earnings call, Himesh specifically stated there will be a version of Zimbra X for the commercial market.

I may be misinterpreting your post, but have you seen anything that leads you to believe Zimbra will stop providing a product that can be deployed on-premises? Because certainly from all my interactions as a Partner with Zimbra staff, the Partner briefings, webinars etc., my impression is that Synacor is definitely pivoting to their software segment (CloudID and Zimbra) as a priority over high-scale, low-margin portal business.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
phoenix
Ambassador
Ambassador
Posts: 26244
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS 8.8.15 considered harmful

Postby phoenix » Thu Aug 08, 2019 6:23 am

I understand the support cycle and know the dates specified but there is never any feedback about the current on-premises deployment being continued. As I've mentioned many times, the lack of involvement in these forums shows utter contempt for the users and their problems.

What is a "Zimbra X for the commercial market" and what exactly does that mean for the users in these forums? As usual, no information for the many users that visit these forums and spend their time helping others- that's my point.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
BradC
Posts: 25
Joined: Tue May 03, 2016 1:39 am

Re: ZCS 8.8.15 considered harmful

Postby BradC » Thu Aug 08, 2019 12:26 pm

phoenix wrote:I understand the support cycle and know the dates specified but there is never any feedback about the current on-premises deployment being continued. As I've mentioned many times, the lack of involvement in these forums shows utter contempt for the users and their problems.

What is a "Zimbra X for the commercial market" and what exactly does that mean for the users in these forums? As usual, no information for the many users that visit these forums and spend their time helping others- that's my point.


Agree with everything you've said. Each time Zimbra gets footballed to the next company, the communication and participation just gets another notch worse.

I did note this on the beta page though "Based on Zimbra’s open source project ensuring security and allowing for full source code review", so one might (perhaps rashly) make the assumption there will remain some form of OSE Zimbra edition.
phoenix
Ambassador
Ambassador
Posts: 26244
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS 8.8.15 considered harmful

Postby phoenix » Thu Aug 08, 2019 3:15 pm

BradC wrote:I did note this on the beta page though "Based on Zimbra’s open source project ensuring security and allowing for full source code review", so one might (perhaps rashly) make the assumption there will remain some form of OSE Zimbra edition.
Yes, I've also seen that and that requires someone build a version that works but I haven't seen anyone do that recently. I guess that would be a possibility sometime in the future but I don't know if anyone has considered taking the plunge - I couldn't possibly do that as I don't have the experience. :(
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
User avatar
quanah
Zimbra Alumni
Zimbra Alumni
Posts: 1666
Joined: Fri Sep 12, 2014 10:33 pm
Contact:

Re: ZCS 8.8.15 considered harmful

Postby quanah » Fri Aug 09, 2019 3:00 pm

phoenix wrote:
BradC wrote:I did note this on the beta page though "Based on Zimbra’s open source project ensuring security and allowing for full source code review", so one might (perhaps rashly) make the assumption there will remain some form of OSE Zimbra edition.
Yes, I've also seen that and that requires someone build a version that works but I haven't seen anyone do that recently. I guess that would be a possibility sometime in the future but I don't know if anyone has considered taking the plunge - I couldn't possibly do that as I don't have the experience. :(


From what I understand, there has been discussion about a possible on-prem replacement that is not Zimbra X, but there's been zero work done on it at this time, and whether or not it will ever manifest is anyone's guess.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
Silverino44
Posts: 1
Joined: Sat Aug 10, 2019 3:40 am

Re: ZCS 8.8.15 considered harmful

Postby Silverino44 » Sat Aug 10, 2019 6:49 am

hsingh wrote:Hello All,

We have a workaround for this, please enable zimbraCsrfTokenCheckEnabled by running below commands and restart mailbox paris cdg car serviceservice:

Code: Select all

su - zimbra
zmprov mcf zimbraCsrfTokenCheckEnabled TRUE
zmmailboxdctl restart

Hello, I used the code that you gave but until now, it does not work
snowymoountain
Advanced member
Advanced member
Posts: 62
Joined: Thu Aug 02, 2018 4:24 pm

Re: ZCS 8.8.15 considered harmful

Postby snowymoountain » Sat Aug 10, 2019 8:33 am

Oh Dear,

So I take it from the lack of Zimbra employees response here the Opensource Zimbra is to be canned, thats a shame, I was just ramping up to a few thousand users, having moved users from various other systems, even thinking of tempting back some Gmail users.

I am so tired of the constant cloud push by companies always making things so much more expensive.

It looks like I'll be moving to another opensource project.... in the next few years.
phoenix
Ambassador
Ambassador
Posts: 26244
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS 8.8.15 considered harmful

Postby phoenix » Sat Aug 10, 2019 8:45 am

snowymoountain wrote:So I take it from the lack of Zimbra employees response here the Opensource Zimbra is to be canned, thats a shame, I was just ramping up to a few thousand users, having moved users from various other systems, even thinking of tempting back some Gmail users.
You can't read anything into the lack of response from Zimbra employees, they hardly ever post in these forums and only to answer (some) users posts.

I would agree with your sentiments but I'd hold off making any big decio sions about ZCS, the current version is supported for a good few year and that gives you and others plenty of time to plan a possible move to another product. Don't forget the old adage: act in haste, repent at leisure. :) I won't hold my breath but give Zimbra some time and they may actually recognise what a great product and user base they have here. You can guess from that I'm an optimist but I'm also a pragmatist and will be looking at other products for a possible move in a few years time.

[EDIT]BTW, Zimbra X is a different product than the 'classic' on-premises version and aimed at different markets, you're not the only one that hates 'the cloud' and I wouldn't touch it with a barge pole. Who knows what tomorrow will bring.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
snowymoountain
Advanced member
Advanced member
Posts: 62
Joined: Thu Aug 02, 2018 4:24 pm

Re: ZCS 8.8.15 considered harmful

Postby snowymoountain » Sat Aug 10, 2019 9:24 am

I'm not going o act now but obviously i'll make plans, I've forked out a fair amount on zextras who have an ongoing agreement with Zimbra so their whole opensource business would be finished if the opensource product was srapped.

That said there are a few other good choices that more than fit the space.

Its not that I hate the cloud its that for many its a security requirement to host in our own datacentre.

Likely there must be millions using the base product who would just switch to something else in a flash if the opensource product got canned.

Cloud is great but I'm not convinced in an increasingly fragmented world with cyber attacks and new cold wars arising that basing your services in an amophous cloud is the way most will want to go.

I foresee massive attacks on cloud services causing outages as the norm in the near future.

Return to “Installation and Upgrade”

Who is online

Users browsing this forum: No registered users and 10 guests