[Resolved]Strange Behavior On An HTML Email (solved w/workaround)

[guitardood]

Hello,
We're running a Zimbra server, Release 8.8.15.GA.3829.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.15_P2 on Ubuntu 16.04.6 LTS.

I have a strange problem with an email that a user sent. It was created with various fonts and colors, generating an HTML format email. The person sent the email, however, the recipients who are also using Zimbra, as well as the archived copy in the user's Sent items displays the message as missing a large portion of the text content. If I use the "Show Original", all the text is there, but through Zimbra's web client, the text is missing. I've saved the original as an EML file and opened it in my native mail program and all of the email's contents is there and displays. Unfortunately, it is an internal email and I cannot share it's exact contents.

I realize the difficulty in troubleshooting something without seeing it, but has anyone seen this type of behavior and possible have some kind of fix or workaround?

Any help greatly appreciated!!

Best,
Chuck

Update: Temporarily solved with a workaround:

Code: Select all

zmlocalconfig -e zimbra_use_owasp_html_sanitizer = false
zmmailboxdctl restart

[JDunphy]

Sounds like it could be css/display ... see this thread to see if that is it. viewtopic.php?f=15&t=66613 With recent patches, there is suppose to be a method to allow us to work around this problem. This is the text that showed up in many of the recent release notes for various patches.

What's New
ZCS Make CSS display attribute configurable in OWASP. This will let customers to have better control over the HTML rendering elements.

I think ZCS 8.8.15 saw this new feature in patch 1?? .... ZCS 8.7.11 saw it with patch 14.

Support has no solution to this new feature and my ticket has been open for a few weeks awaiting an answer. My guess from looking at the source is it might be tied to ....
/opt/zimbra/conf/owasp_policy.xml . At this point, there is no Zimbra documentation that I can find to explain how customers can have better control over Zimbra disabling css/display...

Reference from Release Notes taken from 8.7.11P13:

Known Issues
In order to prevent XSS attacks hence providing better security, new defanger implementation eliminates the display attribute from html emails, the rendering of such html messages on Webclient will be affected. Here are the known rendering impacts:
Owasp removes css "display" attribute from html tags and affects HTML body content layout in mail reading pane.

[andrey.ivanov]

The solution is generally disabling the new OWASP validation framework:

Code: Select all

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=false
zmmailboxdctl restart  

[guitardood]

Sounds like it could be css/display ... see this thread to see if that is it. viewtopic.php?f=15&t=66613 With recent patches, there is suppose to be a method to allow us to work around this problem. This is the text that showed up in many of the recent release notes for various patches.

What's New
ZCS Make CSS display attribute configurable in OWASP. This will let customers to have better control over the HTML rendering elements.

I think ZCS 8.8.15 saw this new feature in patch 1?? .... ZCS 8.7.11 saw it with patch 14.

Support has no solution to this new feature and my ticket has been open for a few weeks awaiting an answer. My guess from looking at the source is it might be tied to ....
/opt/zimbra/conf/owasp_policy.xml . At this point, there is no Zimbra documentation that I can find to explain how customers can have better control over Zimbra disabling css/display...

Reference from Release Notes taken from 8.7.11P13:

Known Issues
In order to prevent XSS attacks hence providing better security, new defanger implementation eliminates the display attribute from html emails, the rendering of such html messages on Webclient will be affected. Here are the known rendering impacts:
Owasp removes css "display" attribute from html tags and affects HTML body content layout in mail reading pane.

Thanks JDunphy, I think this was the issue. (see below workaround)

The solution is generally disabling the new OWASP validation framework:

Code: Select all

zmlocalconfig -e zimbra_use_owasp_html_sanitizer=false
zmmailboxdctl restart  

Thanks Andrey, the workaround resolved the issue.

Appreciate all the help!!

Best,
Chuck

[phoenix]

Please mark this thread as [Resolved], you can do that by editing your first post and the thread title.

[guitardood]

I've marked this thread as "solved w/ workaround", because it's not really solved. It is simply disabling a feature.

The real problem seems to be HTML formatted email generated by Zimbra's web client. With my particular problem, the user created an HTML formatted email, which apparently was sent successfully. However, when the user went to their sent items, the email had large portions missing. Since changing the flag noted above, the user is now able to see their complete message in Sent Items.

Unfortunately, the story doesn't end there. Today, a different user, again sending an HTML formatted message, had the body of the email stripped on the recipient's side (non-Zimbra).

Is this some kind of bug in the HTML being generated by Zimbra's email editor?

Best,
Chuck