I have used Zimbra in the past, but stopped after my email account was hacked or simply found by someone out there by chance.
I found that in the past, the Desktop version was transmitting my data in plain text, which I can surely say that is why I got hacked.
Since Zimbra has changed ownership, can anyone tell me for certain if the newer versions are encrypted in it's data transmissions?
I want to use Zimbra again for my Yahoo mail accounts but am very reserved about trusting it unless I can be certain that it is secure.
Thank you for any help on the subject.
Is Zimbra Desktop Secure?
Is Zimbra Desktop Secure?
If your account is using POP3 or IMAP then your password will always be sent over clear text regardless of the client. You should be using secure POP3S or IMAPS which uses SSL to encrypt your data.
-
timlphillips
- Posts: 6
- Joined: Sat Sep 13, 2014 12:54 am
Is Zimbra Desktop Secure?
Thank you XEON. The thing is, that when I log into my Yahoo accounts through Yahoo, they are a secure transaction as there is the https page address header as well as the padlock icon during the login. What was happening with Zimbra was that when it was checking my mail, it was using a non-secure process to login to my accounts. Why? I don't know for sure as with any free program, there is very limited support to find out why or how. It is a POP3 account, but as I said, when I login to my Yahoo Mail accounts on Yahoo's mail login page, the login page is secure.
I was mainly trying to find out if any newer version of Zimbra actually uses an ssl process for logging in to these accounts.
I was mainly trying to find out if any newer version of Zimbra actually uses an ssl process for logging in to these accounts.
Is Zimbra Desktop Secure?
If your Zimbra admin was not smart enough to enable HTTPS logins, or an automatic redirect from HTTP to HTTPS, then you should be complaining to them, and not to the Zimbra devs.
All the tools are there to enable HTTPS logins with HTTP access to the Zimbra web client. And to even force all web traffic over an HTTPS connection (this is how our Zimbra NE server is configured).
Also, POP3 the protocol is a plain-text protocol. Period. No matter which client you use (Thunderbird, Outlook, Outlook Express, Pegasus Mail, The Bat!, etc). Which means, usernames and passwords are sent in plain-text. If you want it encrypted, you have to manually configured your e-mail client to use POP3S (aka POP3-over-SSL). And connect to a server that supports POP3S.
Same for IMAP4. The protocol itself is plain-text. Period. No matter which client you use (Thunderbird, Outlook, Outlook Express, Pegasus Mail, The Bat!, etc). Which means, usernames and passwords are send in plain-text. If you want an encrypted connection, then you need to manually configure the client to use IMAPS (aka IMAP-over-SSL). And connect to a server that supports IMAPS.
For the Zimbra Desktop, it's the same as every e-mail program out there: you have to manually configure it to use an encrypted channel. For example, the ZD supports HTTP or HTTPS connections to a Zimbra server; HTTPS connections to a GMail account; HTTPS connections to a Yahoo! account; POP3 or POP3S connections to a POP3 server; and IMAP or IMAPS connections to an IMAP server.
Don't blame the Zimbra devs if your Zimbra server (or client) is misconfigured.
The knobs are there to enable HTTPS, POP3S, and IMAPS connections.
All the tools are there to enable HTTPS logins with HTTP access to the Zimbra web client. And to even force all web traffic over an HTTPS connection (this is how our Zimbra NE server is configured).
Also, POP3 the protocol is a plain-text protocol. Period. No matter which client you use (Thunderbird, Outlook, Outlook Express, Pegasus Mail, The Bat!, etc). Which means, usernames and passwords are sent in plain-text. If you want it encrypted, you have to manually configured your e-mail client to use POP3S (aka POP3-over-SSL). And connect to a server that supports POP3S.
Same for IMAP4. The protocol itself is plain-text. Period. No matter which client you use (Thunderbird, Outlook, Outlook Express, Pegasus Mail, The Bat!, etc). Which means, usernames and passwords are send in plain-text. If you want an encrypted connection, then you need to manually configure the client to use IMAPS (aka IMAP-over-SSL). And connect to a server that supports IMAPS.
For the Zimbra Desktop, it's the same as every e-mail program out there: you have to manually configure it to use an encrypted channel. For example, the ZD supports HTTP or HTTPS connections to a Zimbra server; HTTPS connections to a GMail account; HTTPS connections to a Yahoo! account; POP3 or POP3S connections to a POP3 server; and IMAP or IMAPS connections to an IMAP server.
Don't blame the Zimbra devs if your Zimbra server (or client) is misconfigured.
The knobs are there to enable HTTPS, POP3S, and IMAPS connections. -
timlphillips
- Posts: 6
- Joined: Sat Sep 13, 2014 12:54 am
Is Zimbra Desktop Secure?
Thank you fcash for the information you have provided explaining the ins and outs of how the Zimbra Desktop can be configured. Although blunt and to the point as it was, please refer to my original post which simply expressed my concern and the simple question: Is Zimbra Desktop Secure?
Please also note that in no way did I attempt to place blame on anyone whatsoever. The blame is entirely mine for not exploring the configurations that Zimbra has available in it. You seem that you think I have stepped on someones toes. For that, I am sorry to have asked the simple question:
Is Zimbra Desktop Secure?
Thank you sir and forgive me for not being as experienced as you on this subject matter.
Please also note that in no way did I attempt to place blame on anyone whatsoever. The blame is entirely mine for not exploring the configurations that Zimbra has available in it. You seem that you think I have stepped on someones toes. For that, I am sorry to have asked the simple question:
Is Zimbra Desktop Secure?
Thank you sir and forgive me for not being as experienced as you on this subject matter.
Is Zimbra Desktop Secure?
[quote user="timlphillips"]Is Zimbra Desktop Secure?[/QUOTE]It is as secure as the connection to your mail server requires. If the mail server you connect to requires a secure connection then ZD will use that, if it doesn't require a secure connection then ZD will use that - the type of connection is determined by the server you're connected to and not Zimbra Desktop.
Is Zimbra Desktop Secure?
IOW, the client is as secure as the server it connects to.
Just like every other e-mail client out there.
Just like every other e-mail client out there.