October 2020 Zeta Alliance Weekly Call Summaries


Post by rleiker » Wed Oct 07, 2020 8:39 pm

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

October 6, 2020

Basecamp’s Email Service ‘Hey’ and Suggestions For Zimbra
Mark S. asked if anyone has tried out Basecamp’s new email service, called Hey. He said it is a re-imagination of how email should work from the developers of Basecamp, and while it does not allow for importing existing email, it allows aggregating email from other services, and is designed around Basecamp’s unique view of how they think teams should be using email. Mark provided this URL, which reviews the new service: https://www.inc.com/jason-aten/email-is ... etter.html . He asked if there were any lessons Zimbra could learn from it. John E. said that the Basecamp email service is targeted at very specific use cases and does not support any third-party email client apps. He also did not feel it was designed for most organizations as it does not implement many commonly used organizational email features. He added that Zimbra is continuing to grow and is trying to service a broad variety of clients. But, there is probably nothing stopping someone from building a client that targets a similar niche purpose, such as the Hey service, while using Zimbra on the back end. Mark S. said that Hey claims they are double encrypting each mail blob, so that a help desk person can still access a mailbox to assist with a support issue, while still preserving the mailbox owner’s privacy. He also mentioned that the service blocks all tracking pixels embedded in an email by default. He described their screener feature which places any email from new senders you have not corresponded with before into a separate folder, apart from the Inbox. John E. commented that a key feature is the ability to search email and called into question if Hey is actually encrypting the search indexes or keeping those as plain-text on disk.

Overzealous Auto-Fill Feature In Chrome
Noah P. shared that he has two customers, who have domain administrator rights in Zimbra, report that after they log in to the Zimbra Administration Console, then double click on a mailbox to make a modification, followed by clicking on the Forwarding tab, that they are finding that the password field for the mailbox is being auto-filled with the domain admin’s own Zimbra password. He said it has been observed to occur only in Chrome, and he suspects it may be an auto-fill feature issue in Chrome that may be misinterpreting the email address field in the Forwarding tab & the password field in the General tab as the Zimbra login page. Cine suggested it could also be caused by a password manager app, as some password managers, such as Dashlane, are known to disable the auto-fill feature in web browsers. No one on the call was able to confirm encountering the same issue.

Experiences With 8.8.15 Patch 14
Marc G. said his organization is preparing to install 8.8.15 Patch 14 and asked if anyone has experienced any issues so far, or if there were any special concerns he should be aware of. Mark S. and Randy L. both confirmed they have had Patch 14 installed for about 4 days and have experienced no issues with it.


Randy Leiker
Skyway Networks, LLC



Re: October 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker » Wed Oct 14, 2020 4:07 am

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

October 13, 2020

New Time For the Zeta Alliance Weekly Calls
Marc G. proposed taking a vote to continue the recurring weekly Zeta Alliance calls on Tuesdays, but starting with the call for November 3, 2020, to change the time to 9:30 am America/Los Angeles (Pacific). A vote was taken on the call and the newly proposed time was accepted by all in attendance. The new call time will make it easier for everyone in Europe to attend, since the calls will start earlier in the evening, while still allowing the calls to take place during daytime business hours in the United States. The new call time is equivalent to:

  • America/New York (Eastern) 12:30 pm
  • Europe/Amsterdam (Central) 6:30 pm

Due to occasional differences for a couple of weeks each year in the start and end dates of Daylight Savings Time in the United States and Summer Time in Europe, everyone will use the America/Los Angeles (Pacific) time zone, in case of conflicts, to determine the start time of each week’s Zeta Alliance call. The next Daylight Savings Time change in the America/Los Angeles (Pacific) time zone takes place on November 1, 2020. This page ( https://en.wikipedia.org/wiki/Daylight_ ... ted_States ) provides guidance on the start and end dates for Daylight Savings Time in the America/Los Angeles (Pacific) time zone.

Making It Easier For Vendors and Developers To Integrate With Zimbra
Marc G. cited an example of one of his customers that is using a calendar product that has been integrated with Office 365 and Gmail, but not Zimbra. He asked for ideas from those on the call about how Synacor can make it easier for both software vendors and independent developers to integrate their apps with Zimbra, as they often do currently with Office 365 and Gmail. He suggested that if Zimbra could provide an application programming interface (API) compatible with Microsoft Graph ( https://docs.microsoft.com/en-us/graph/overview ), it may be easier to get new software vendors and developers onboard to integrate with Zimbra, since they could theoretically re-use their existing Office 365 integration for an easy integration with Zimbra. John E. said a business case would need to be made for this in order to allocate resources to such an effort within Synacor, and that it could prove difficult to engineer a work-alike API to Microsoft Graph in Zimbra, since Graph is a proprietary API subject to unexpected changes that also relies heavily on Microsoft-only services that would need to be referenced directly. Randy L. suggested that perhaps Zimbra Professional Services could more actively promote their ability to assist vendors and developers with product integration when a Zimbra customer does not have the in-house development resources to do so themselves.

John E. said a common complaint is that Zimbra 8.8’s API is based around the SOAP standard, while much of the world has moved on to other integration techniques. He added that Zimbra 9 has a new GraphQL API ( https://graphql.org/ ) available that makes integrations similar to Microsoft Graph possible, and that the Modern UI in Zimbra 9 is built on GraphQL. Barry D. said that a JavaScript library supporting GraphQL is available at: https://github.com/Zimbra/zm-api-js-client and he has written a how-to at: https://blog.zimbra.com/2020/08/zimbra- ... -a-zimlet/ . He added that with the development of the Modern UI in Zimbra 9, a new authentication mechanism utilizing JWT ( https://jwt.io/ ) was added, that replaces the Zimbra AUTH_TOKEN. The JWT support provides the foundation for rich security configurations, and impersonations, in a standard way. Barry D. also suggested taking a look at https://github.com/Zimbra/zimbra-zimlet-tags .

New Zimlet For Creating And Using Email Templates
Barry D. shared a Zimlet that can be used for creating and using email templates: https://github.com/Zimbra/zimbra-zimlet-email-templates . This Zimlet makes it easy for those who send many similar looking emails to convert those messages into templates, where placeholder values in the template can be replaced with the desired content before sending.

Updated Zimlet For Integrating Nextcloud With Zimbra 9
Barry D. announced that he has updated a Zimlet for integrating Nextcloud into Zimbra 9 that has been published to the Zimbra repos, but has not yet been documented in the Zimbra Administrator’s Guide.

Avoiding Backscatter Spam For External Anti-Spam Appliances
David M. said he is working on setting up a new anti-spam appliance, external to his Zimbra installation. His prior anti-spam appliance performed LDAP look-ups via Zimbra to determine whether or not the appliance should accept a message from a sender for delivery, which avoids issues with backscatter email ( https://en.wikipedia.org/wiki/Backscatter_(email) ). However, his new anti-spam appliance does not provide this LDAP look-up capability, so he has alternatively looked at using Postfix’s VRFY feature to check with Zimbra if a sender’s message should be accepted. He explained that the VRFY feature works well for regular Zimbra mailboxes, but does not work correctly for Zimbra email aliases. He has observed messages sent to email aliases being accepted by the anti-spam appliance, then by Zimbra, which are later rejected by Zimbra resulting in backscatter email. Noah P. said he had encountered the same issue in the past and recommended adjusting this setting in Zimbra: https://zimbra.github.io/zimbra-9/admin ... atter_spam . Marc G. commented that the way his organization worked around this issue was to stand up an independent LDAP server, external to Zimbra, which both Zimbra and his anti-spam system use for verifying recipient email addresses. He said given the preference, he would like to see a direct integration with Zimbra.

Mitigating Zero-Day Malware And Neutralizing Phishing Links Via Email
Marc G. said that a common issue his organization encounters is that email arrives in customer Inboxes that contains zero-day malware that cannot yet be detected by any anti-virus product. In those instances, his team investigates by uploading the suspect email attachments to VirusTotal ( https://en.wikipedia.org/wiki/VirusTotal ), and often finds that few, if any, anti-virus (AV) products detect the malware. But then, over time, AV products begin to detect the suspect file as malware, as updated malware definitions become available. He said he would like to see a means in Zimbra to either recall or delete messages found to be containing zero-day malware from customer Inboxes in an automated manner. However, this is likely to be tricky as it relates to privacy, since it may require some level of access to customer mailboxes.

Randy L. commented that all AV products are fundamentally flawed, since they operate on the model of trust everything by default, but block only select content, based on malware signatures that will always trail the release of new malware variants. This is as compared to the more effective deny by default approach (aka application white listing), where only approved content is allowed to pass. He explained that the way his organization mitigates the issue Marc described is by quarantining all email by default that contains any type of executable content, in addition to quarantining all Office files that contain macros. For emails containing either of these types of files, the original recipient of the message receives a notification that a file has been removed from the original email, but can be released from the quarantine, if the recipient trusts the sender and was expecting the message. All other messages containing attachments then continue on through normal AV checks using multiple AV products.

Noah P. suggested that for mitigating phishing links in emails, it would be interesting to do an integration with Zimbra for Cuckoo ( https://cuckoosandbox.org/ ) where a suspect link in an email could be opened safely by a recipient in a sandbox. He also referred to this blog article discussing a similar integration: https://blog.rootshell.be/2012/06/20/cu ... th-cuckoo/ . Randy L. commented that he thinks this is the basis of how the Proofpoint service works, where suspect links are rewritten in a received message, so clicked links are opened in either an ephemeral VM or container on a remote server, rather than the recipient’s local computer, and the recipient is instead viewing the suspect link through a VNC-like remote session, so their local computer remains safe.

Avoiding Business Email Compromise Security Incidents
Marc G. commented that one of his concerns is Business Email Compromise (BEC) ( https://www.fbi.gov/scams-and-safety/co ... compromise ). A BEC is a security incident where an attacker gains control over a Zimbra user’s mailbox, most often via a successful phishing attack. Randy L. commented that he has read security bulletins indicating that Office 365 accounts that lack two-factor authentication are being particularly hit hard as of late with these types of security incidents. In those cases, an attacker quietly maintains persistent access to a victim’s mailbox by setting up inbound and outbound filtering rules that automatically forward a copy of any messages sent or received from the victim’s email account to the attacker. This allows the attacker to observe the normal flow of email over a period of time. When the attacker sees a financial transaction being discussed, the attacker will then intervene by impersonating either the sender or recipient of a message, advising one of the parties to make a last minute change to the financial details, usually so a payment can be routed to a bank account under an attacker’s control, thereby completing the goal of a BEC. Many security teams are overlooking this type of intrusion into mailboxes, as suspicious filtering rules are normally not checked by most organizations during security audits or threat hunting. Marc G. commented that his organization has personally experienced at least one BEC incident where they were contacted by someone out-of-band (by phone) asking to verify the changed banking information for a payment transaction, thereby defeating the attack.


Randy Leiker
Skyway Networks, LLC
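The quarantine-by-default policy described in the summary above (hold anything executable and any Office file with macros, send the rest on to AV), sketched as an added example that is not code from the call participants or from Zimbra. It classifies attachments by content rather than file name; the signature list, the fail-closed handling of unreadable archives and the sample message are assumptions made for illustration, and nested archives are not inspected.

```python
import io
import zipfile
from email.message import EmailMessage

# File-type signatures checked on content, so a renamed file is still caught
EXEC_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF", b"#!": "script"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container

def classify(data):
    """Return a quarantine reason for attachment bytes, or None to continue to AV."""
    for magic, kind in EXEC_MAGIC.items():
        if data.startswith(magic):
            return f"executable content ({kind})"
    if data.startswith(OLE_MAGIC):
        # Deny by default: macros cannot be ruled out without parsing the container
        return "legacy Office file, macros not ruled out"
    if data.startswith(b"PK"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unreadable archive"   # assumption: fail closed
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "Office file with VBA macros"
    return None

def triage(msg):
    """Split attachments into (quarantined [(name, reason)], passed [name])."""
    quarantined, passed = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reason = classify(part.get_payload(decode=True) or b"")
        if reason:
            quarantined.append((name, reason))
        else:
            passed.append(name)
    return quarantined, passed

def build_sample():
    """Constructed message: harmless bytes that only carry the relevant signatures."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 invoice"
    msg.set_content("See attached.")
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("word/document.xml", "<doc/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    for data, name in ((b"MZ" + bytes(16), "invoice.pdf"),
                       (docm.getvalue(), "report.docx"),
                       (b"%PDF-1.4\n%%EOF\n", "terms.pdf")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

In the constructed sample, `invoice.pdf` and `report.docx` are held even though their names look benign, and only `terms.pdf` continues to the normal AV checks.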
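The BEC discussion above notes that mailbox filtering rules are rarely reviewed during audits or threat hunting. The following added example (not code from the post or from Zimbra) shows one way to run that review, assuming each mailbox's incoming and outgoing filter rules have been exported as Sieve (RFC 5228) text; it reports every `redirect` to an address outside the organization and whether the rule applies to all mail. `INTERNAL_DOMAINS`, the function names and the sample scripts are hypothetical.

```python
import re

INTERNAL_DOMAINS = {"example.com"}   # assumption: domains the organization owns
ALWAYS = ("true", "anyof ( true )", "allof ( true )")  # tests matching every message
# Sieve tokens: quoted strings, comments, punctuation, words and :tags
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|#[^\n]*|/\*.*?\*/|[{}()\[\],;]|[:\w.-]+', re.S)

def audit_script(mailbox, direction, sieve):
    """Return one finding per redirect to an address outside INTERNAL_DOMAINS."""
    toks = [t for t in TOKEN.findall(sieve) if not t.startswith(("#", "/*"))]
    findings, conds, pending = [], [], None
    for i, tok in enumerate(toks):
        word = tok.lower()
        if word in ("if", "elsif", "else"):
            pending = []                       # start collecting the test
        elif tok == "{":
            conds.append(" ".join(pending or []))
            pending = None
        elif tok == "}":
            if conds:
                conds.pop()
        elif pending is not None:
            pending.append(word)
        elif word == "redirect":
            # The address is the first string after optional tags such as :copy
            addr = next((t for t in toks[i + 1:] if t.startswith('"')), '""')[1:-1].lower()
            if addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                findings.append({"mailbox": mailbox, "direction": direction,
                                 "forward_to": addr,
                                 # no enclosing test, or only always-true tests
                                 "catch_all": all(c in ALWAYS for c in conds)})
    return findings

# Constructed sample data, not taken from a real system
SAMPLES = [
    ("alice@example.com", "incoming", '''require ["fileinto", "copy"];
# Newsletters
if anyof (header :contains ["list-id"] "news") { fileinto "Newsletters"; stop; }
# sync
if anyof (true) { redirect :copy "alice.backup@mailbox.example.net"; keep; }'''),
    ("bob@example.com", "incoming", '''# To assistant
if anyof (header :contains ["subject"] "invoice #12 {draft}") {
    redirect "carol@example.com"; keep;
}'''),
]

def audit_all(samples):
    """Audit every (mailbox, direction, script) tuple and merge the findings."""
    return [f for m, d, s in samples for f in audit_script(m, d, s)]
```

On the constructed samples only the catch-all external redirect in the first mailbox is reported; the internal redirect to a colleague is not.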

Re: October 2020 Zeta Alliance Weekly Call Summaries

Post by Robert1657 » Wed Oct 14, 2020 5:58 pm

Hi Barry

How do I download your Zimbra 9 Nextcloud plugin?
