April 2020 Zeta Alliance Weekly Call Summaries

Industry info, happenings near you, and new product integrations. Hosting an event? Invite people here.
User avatar
rleiker
Advanced member
Advanced member
Posts: 149
Joined: Tue Jan 07, 2020 8:23 pm
Location: Kansas City
Contact:

April 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders: April 7, 2020 Conference Call Summary

New Zimbra Connector for Outlook (ZCO) Released
John H. reported that version 9.0 of the ZCO has been released (https://www.zimbra.com/downloads/zimbra ... r-outlook/). It is compatible not only with Zimbra 9, but also with 8.8.15 and newer. The new ZCO version fixes all known issues described in the 8.8.15 Patch 8 release notes, pertaining to Outlook crashes or app hanging when performing searches or synchronization with a Zimbra server. John also reminded everyone that for any Outlook users who are running the ZCO version that was released with 8.8.15 Patch 2 (or earlier), that those Outlook users will need to manually update the ZCO since the ZCO auto-update feature was broken in ZCO versions that shipped with 8.8.15 Patch 2 and earlier.

How To Push Out ZCO 9.0 to Outlook Users From Zimbra 8.8.15
Randy L. asked about the proper steps to push out ZCO 9.0 to Outlook users from a Zimbra mailbox server running 8.8.15. John H. suggested referring to this Wiki article: https://wiki.zimbra.com/wiki/Zmupdatedownload . John E. suggested logging in to the Zimbra Administration console, then navigating to Tools and Migration > Client Upload, where new ZCO versions can be uploaded. Noah P. asked if uploading new ZCO versions using this Client Upload feature will update ZCO on all mailbox servers in a cluster. Mark S. reported finding a mention in the Zimbra Administration guide that indicated that the Client Upload feature only installs a new ZCO version on a single mailbox server, so the aforementioned Wiki article is likely to be a safer way to update the ZCO version for Zimbra clusters.

Zimbra 9 Release and Upgrading To Zimbra 9
Zimbra 9 became generally available as of April 7th. Randy L. asked if the recommended upgrade path from 8.8.x to 9.0 involves an in-place upgrade or a side-by-side migration. Those on the call said an in-place upgrade works fine, and a side-by-side migration is only required if upgrading to Zimbra 9.0 from a version earlier than 8.8.

Changes To Zimbra’s Open Source Policy
John E. explained that Zimbra 9 introduces a change to Synacor’s open source policy for Zimbra. Starting with Zimbra 9, a binary version of Zimbra 9 will no longer be released to the community and will instead only be made available to Zimbra Network Edition customers. There are currently no plans to release the source code for Zimbra 9 to the community. Zimbra 8.8.15 will remain open source for the community and continue to be supported for the remainder of its lifecycle through December, 31, 2024 (https://www.zimbra.com/support/support- ... lifecycle/). Version 8.8.15 will also continue to receive patches during this time frame. John E. described this new model for Zimbra 9 as “open core” where the open source products on which Zimbra is built will continue to be freely available, but the Zimbra 9 product itself will not be open source. Marc G. asked if Synacor’s plans involved introducing new features to Zimbra 8.8.15, or if the focus for introducing new features will shift exclusively to version 9. John E. said that he did not have the answer to this question. John also shared that starting with Zimbra 9, a source code license will be made available to customers who are licensing Zimbra Network Edition.

Reactions To Zimbra Open Source Policy Change
Noah P. said that part of his customer base values that Zimbra is open source and that it has been a marketing advantage over other proprietary email platforms. Marc G. said he felt this change will be hard for the open source community to support. John E. shared his personal opinion that Zimbra has struggled for several years to engage the open source community, as the ratio of people using Zimbra, compared to the number of people contributing back to Zimbra, has been very low. He said the biggest difference currently between Zimbra 8.8.15 and 9.0 is the addition of the new, Modern UI and welcomes feedback from Zimbra partners and the open source community on this policy change. Mark S. shared that many developers he has discussed it with have said that they have found it very difficult (if not impossible) to contribute to the Zimbra project in the past, mainly due to issues with an earlier version of the contributor’s agreement, which was finally updated a couple of years ago. Randy L. mentioned that another open source project, VyOS (https://www.vyos.io/community/), overcame issues with soliciting contributions back to their open source project by making binaries available to those who could demonstrate a meaningful contribution to the project in code or documentation work and suggested that such an approach might be something that Synacor should look at too. John E. invited Zimbra partners concerned about continued open source access to make a business case explaining how the loss of open source access would have a financial business impact for Synacor.

New Modern UI in Zimbra 9
In Zimbra 9, both the Classic UI (AJAX-based – same as found in 8.8.15) and the new Modern UI (React-based), are available. Marc G. asked for clarification about a comment in the Zimbra 9 release notes (https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0) that states the Modern UI is recommended to be set as the default UI. John H. said the Modern UI has been recommended as the default, so mailbox owners can begin acclimating to using the new user interface. The Modern UI does not yet have feature parity with the Classic UI but is expected to eventually. Noah P. asked if there was a road map available that lists the specific features not yet available in the Modern UI. John E. said a road map has been created but remains an internal document at Synacor. Marc G. said that he finds the Modern UI to be very clean, with a nice user experience, but said that it may be difficult for mailbox owners to switch immediately, as many users are likely to miss features not yet available in the Modern UI. John E. explained this is why Zimbra will continue to support the Classic UI as the Modern UI continues to work toward reaching feature parity.

Zimlets in Zimbra 9
Randy L. asked if the new Zimlets introduced in Zimbra 9 will be available for both the Classic UI and the Modern UI. John E. said that the new Zimlets are only available within the Modern UI. He also explained that existing Zimlets, written for use with Zimbra 8.8.x, will need to be ported to a new Zimlet framework used in Zimbra 9. Barry D. is currently working on a guide that will provide guidance to Zimlet authors on the details of the changes needed to upgrade and is anticipated to be published soon.

Security Incident at Email.it
Mark S. mentioned two articles that he read about an email service provider, Email.it:
Mark wondered if perhaps the security incident occurred due to a security hole an attacker discovered in Zimbra. No one on the call knew if the affected provider was using Zimbra, but everyone agreed upon the importance of prompt patching of Zimbra whenever security patches are released. Cine said that he thought the incident was probably related to another part of Email.it’s network that was compromised, rather than a Zimbra server.

Using the Zimbra Reporting Tool (ZRT) With Zimbra 9
Zimbra Business Service Providers (BSPs) are required to use the ZRT to report their software license usage to Synacor. The ZRT determines the type of license used for each mailbox, based on which features are enabled. Marc G. reported noticing in Zimbra 9 that certain features could not be disabled in the Modern UI (for example, the calendar), which could cause the ZRT to report inaccurate license usage for a mailbox user. He expressed concern that this will not only create licensing usage inaccuracies for BSPs, but also confusion for mailbox owners, when they see features available that would ordinarily not be included in the service to which they have subscribed. Marc pointed out that this may prevent many BSPs from rolling out the Modern UI to their customers. John E. said that a new ZRT is in development, combined with a new usage reporting portal web site, and was expected to be made available later in the year, but no further details are available at this time.
User avatar
jered
Advanced member
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 12:35 am
Location: Somerville, MA

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by jered »

John E. shared his personal opinion that Zimbra has struggled for several years to engage the open source community, as the ratio of people using Zimbra, compared to the number of people contributing back to Zimbra, has been very low.
This is an absurd statement -- it may be true, but it's not for lack of trying! I've submitted multiple bugfixes over the years and have never gotten a response from anyone at Zimbra. There may be poor engagement with the open source community, but it's only because Zimbra keeps slamming the door in our faces.
Martinwiertz
Advanced member
Advanced member
Posts: 85
Joined: Sat Sep 13, 2014 3:55 am
Location: The Netherlands
ZCS/ZD Version: V10 FOSS Intalio on Ubuntu20.04

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by Martinwiertz »

Thanks for the update! Usefull
User avatar
rleiker
Advanced member
Advanced member
Posts: 149
Joined: Tue Jan 07, 2020 8:23 pm
Location: Kansas City
Contact:

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker »

jered wrote:
John E. shared his personal opinion that Zimbra has struggled for several years to engage the open source community, as the ratio of people using Zimbra, compared to the number of people contributing back to Zimbra, has been very low.
This is an absurd statement -- it may be true, but it's not for lack of trying! I've submitted multiple bugfixes over the years and have never gotten a response from anyone at Zimbra. There may be poor engagement with the open source community, but it's only because Zimbra keeps slamming the door in our faces.
I am just the messenger, so I can only relay to the community what I have heard from Synacor. I can confirm that others have expressed the same comments about difficulty contributing to the Zimbra project in the past and challenges with getting a response to submitted bug fixes. Barry D., who is a regular attendee on our weekly conference calls, and who is now a Synacor employee, once suggested that he too has encountered this problem. He found a method for calling attention to his submitted bug fixes by sending private messages to one or two of the Zimbra developers who are active in the Zimbra open source repo. Barry's comment was from some time ago, so unfortunately I do not recall the specific Zimbra developer names he mentioned. I agree that it should be much easier to contribute back to the Zimbra repo.
User avatar
rleiker
Advanced member
Advanced member
Posts: 149
Joined: Tue Jan 07, 2020 8:23 pm
Location: Kansas City
Contact:

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker »

rleiker wrote: Zimlets in Zimbra 9
Randy L. asked if the new Zimlets introduced in Zimbra 9 will be available for both the Classic UI and the Modern UI. John E. said that the new Zimlets are only available within the Modern UI. He also explained that existing Zimlets, written for use with Zimbra 8.8.x, will need to be ported to a new Zimlet framework used in Zimbra 9. Barry D. is currently working on a guide that will provide guidance to Zimlet authors on the details of the changes needed to upgrade and is anticipated to be published soon.
Included below is a copy of Barry's follow-up message, originally sent to the Zeta Alliance mailing list, regarding the new Zimlet guide mentioned in the call summary notes:

--------------------------------------
Hello Zeta Alliance Community,

An extensive getting started guide on how to create Zimlets (for Zimbra 9) and Java extensions can be found at:

https://github.com/Zimbra/zm-extension-guide
https://github.com/Zimbra/zm-zimlet-guide

PDF versions of the guide can be found in the releases tab on Github.

Kind regards,

Barry de Graaff
Zeta Alliance
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community
User avatar
rleiker
Advanced member
Advanced member
Posts: 149
Joined: Tue Jan 07, 2020 8:23 pm
Location: Kansas City
Contact:

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders: April 14, 2020 Conference Call Summary

Zimbra Connect Network Configuration
Mark S. asked if it is possible to setup a STUN/TURN server that uses a private IP (RFC 1918) address (example: 192.168.0.2). When combined with split-horizon DNS, he proposed that a full-qualified domain name (FQDN) like turn.example.com could resolve to an address like 192.168.0.2 within the internal network, while resolving turn.example.com to a public IP address for all others on the Internet. Cine said that this should work as long as Zimbra Connect is provided with the FQDN (turn.example.com) via the “zxsuite connect iceServer add…” command, instead of the TURN server’s RFC 1918 private IP address, ensuring that Zimbra Connect advertises the FQDN to clients rather than the RFC 1918 IP address. Cine also explained that it is still recommended to run a TURN server on a public IP address whenever possible to avoid potential operational issues and that the most common issue reported to Zextras, related to Zimbra Connect, is restrictive firewalls that block WebSocket connections from client web browsers, required by Zimbra Connect to operate normally.

Zimbra 9 Demonstration
Barry D. & Cine demonstrated some key features of the new modern UI from a Zimbra 9 install to everyone on the conference call.

Updating Zimbra 8.x Zimlets to Zimbra 9
Barry D. reported that he has published new guides for developing and upgrading Zimbra 8.x Zimlets to Zimbra 9 Zimlets. The guides also include links that will benefit those new to Zimlet development with additional resources related to getting started with the React framework:
Low Bandwidth Devices And Zimbra 9’s Modern UI
Noah P. asked how clients with low bandwidth are handled in Zimbra 9 with the Modern UI. He said that in Zimbra 8.x, clients are normally presented with an option to switch to the Standard (HTML) version of the Zimbra Web Client when logging in, if needed. John E. said that a portion of the Modern UI can now be installed directly on a low-bandwidth device, allowing the device to still use the full set of features of the Modern UI, while minimizing bandwidth usage, but he did not elaborate on how this is implemented for end users.

Community Reactions To Synacor’s Closed Source Policy For Zimbra 9
Several on the call commented about initial reactions they have read from the Zimbra community regarding Synacor’s closed source policy change for Zimbra 9, both in the Zimbra forums, and elsewhere on the Internet. Marc G. said he felt that if Synacor employees would directly correspond with the community on the Zimbra forums that it would help answer many of the angry comments posted, while simultaneously correcting inaccurate information. John E. said there are politics involved for Synacor employees to directly participate in the Zimbra forums. He also said that he is concerned there is a lot of misunderstanding about Zimbra’s position on Synacor’s open source policy. He referred to a brief note at the bottom of the Zimbra 9 release notes (https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0) about Synacor’s plans for open source versions of Zimbra going forward, in addition to his comments from last week’s call (refer to the April 7th call summary for details).

Zimbra 9 Network Edition Servers With Expiring Licenses
Mark S. said that in licensed versions of Zimbra Network Edition version 8.8.15 and earlier, that if the license expires, Zimbra reverts back to an open source mode, effectively disabling the features normally included with the Network Edition version. He asked if this still works the same way for a Zimbra 9 installation. John E. confirmed that Zimbra 9 will revert to the equivalent of an open source version of 8.8.15. He said that in such an instance, it is his understanding that Zimbra 9 components will continue to receive updates.

Zimbra Connect’s 5 Simultaneous Video Stream Limit Per Call
Zimbra Connect allows a theoretically unlimited number of participants to join a call (aka Instant Meeting), but states in its documentation that it is recommended that no more than 5 callers’ video stream be enabled simultaneously, as the web browser performance of each caller noticeably suffers with more than 5 video streams. Marcelo asked if there was a plan at Zextras to find a means to increase the recommended limit of 5 simultaneous video streams per video call. Cine said that they are monitoring feedback they are receiving related to Zimbra Connect closely to see what is possible.

Broken Email Searches In Zimbra 9
Marcello reported observing that the email message search feature in the Zimbra Web Client, for both the Classic UI and Modern UI, appears to be broken after upgrading to Zimbra 9. John H. & John E. said that this is a known issue affecting some installations that is currently under investigation. So far, Zimbra Support has not been able to reproduce this issue yet and they are working with the reporters of the issue for more details.

Zimbra Connector For Outlook (ZCO) Version 9 Feedback
John H. reported that since ZCO version 9 was released, he has heard from few customers still experiencing crashes, as compared to customers running earlier ZCO versions. He said that the only issue that has emerged with ZCO version 9 relates to using non-Latin characters within the name of an Outlook profile (for example: an Outlook profile name containing Swedish characters) which has been shown to lead to a crash of the Outlook profile upon startup.

Zimbra Connect Requests For Enhancement (RFEs)
Marcello offered several RFEs to improve Zimbra Connect and asked for the recommended way to submit his suggestions. Cine said that submitting RFEs through Zimbra support is the preferred channel. Randy L. reported that many of his customers are making feature comparisons between Zimbra Connect and services such as Zoom, WebEx, and others. He asked if Zextras could share the vision of what Zimbra Connect (aka Zextras Team) is intended to be in the long term so he can ensure he is giving customers accurate information about the future road map. Cine said he could not comment on behalf of Zextras, but said that the Zextra development team is open to all new suggestions and has seen a large spike in RFEs very recently which they are working through as the road map for Zimbra Connect continues to evolve.

Open Drive and Zoom Zimlets in Zimbra 9
Andre A. said that he is having trouble using the Open Drive Zimlet in Zimbra 9, which results in the mailboxd service failing to start. He said that after disabling this Zimlet, the mailboxd service can then be started successfully. Cine said the Open Drive Zimlet is not compatible with Zimbra 9 and suggested opening a support case with Zimbra for additional assistance. Andre also reported that he is having an issue with the new Zoom Zimlet initializing correctly in Zimbra 9, related to an OAuth error. He said he will follow-up on this topic with a Zimbra Support case.
CSylvain
Posts: 13
Joined: Fri Dec 26, 2014 5:11 am

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by CSylvain »

For my part, I do not manage to make active the NG Modules, although the logs indicate this :

Code: Select all

INFO  [main] [] extensions - Network Modules NG started.
And that it is activated :

Code: Select all

zimbraNetworkAdminNGEnabled: TRUE
The modern interface is interesting, some things are missing such as the refresh button, support for (CTRL + A) to select all messages, and the French language which is incomplete, especially on the main folder tree. :(
User avatar
rleiker
Advanced member
Advanced member
Posts: 149
Joined: Tue Jan 07, 2020 8:23 pm
Location: Kansas City
Contact:

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders: April 21, 2020 Conference Call Summary

Reactions to Closed-Source Policy for Zimbra 9
Marc G. expressed his continued concerns about Synacor’s recent decision to change to a closed-source code policy starting with Zimbra 9. He asked everyone on the call if they thought it would be possible to organize the community to get behind a campaign to encourage Synacor to re-consider making Zimbra 9 open source. John H. suggested that Zimbra customers should contact their Synacor sales people to express their thoughts on this issue so they can be relayed to the decision makers at Synacor, but said the challenge is in how to present the argument to Synacor’s management in a meaningful way.

Mark S. asked if Synacor’s former open source policy for all Zimbra versions offsets the higher cost of Zimbra licensing, as compared to Microsoft Exchange’s lower licensing costs. Barry D. said that he personally finds the open source policy change unfortunate. Marc G. said that he feels that the open source policy is a very important part of the value proposition of Zimbra and that he feels that Synacor still has not succeeded in engaging the open source community because there are key requests that seem to have been mostly ignored. One example he cited was the long-promised replacement for Zimbra’s Bugzilla site, where the community was previously able to report product bugs and upvote bugs that were of high importance to fix. Cine said that he has always loved Zimbra’s capability to be extended and that he feels the new Modern UI in Zimbra 9 helps fulfill this need. He explained that he feels Zimbra’s ability to integrate with other products is priceless, as compared to be forcing to change your workflow to fit a vendor’s platform or ecosystem.

On-going Difficulties For Zimbra BSPs Selling Zimbra With Known Bugs
Marc G. said it is critically important that things simply work in Zimbra with as few bugs as possible, in order to keep Zimbra competitive with other products in the marketplace. He shared an illustrative story of a recent new Zimbra user who encountered a known bug in the Zimbra Connector for Outlook, which causes an Outlook profile to crash. The new user reacted to this bug by assuming that Zimbra was not ready for production-use, as the user had not earlier encountered a similar problem while using competing products. Randy L. agreed that his own customers have expressed similar statements when encountering known bugs in various Zimbra and Zextras features and said that he would like to see a renewed focus from Synacor and Zextras on quality assurance efforts with expanded testing of new versions and patches, with the understanding that this could come with the trade-off of delaying new product releases or features for a period of time (for example, 3-6 months). He said that preventing breakage in existing features is more important to Zimbra customer retention than introducing new product features. Agreeing with Marc G’s comments, he commented that when Zimbra customers encounter a bug with no published schedule or guidance for when the fix will be available, that customers tend to simply jump to another vendor’s product rather than waiting indefinitely for a bug fix.

Lorenzo, who was new to the Zeta Alliance conference call, introduced himself and expressed concerns about Zimbra licensing becoming too expensive as compared to other email platforms, along with concerns about the current feature set in Zimbra, and ongoing issues with known bugs.

Zimbra Connect Feedback
Gary C. shared an illustrative story where, as a Zimbra BSP, he tried to market Zimbra Connect to his customers and several reported that it was incomplete and not ready to replace other video calling services in the marketplace, which discouraged him from further marketing of the product. Cine encouraged everyone on the call to continue to report bugs and requests for enhancement (RFEs) via Zimbra Support and said that he personally considers Google Hangouts to be somewhat equivalent to Zimbra Connect at present, as compared to services like Zoom, Microsoft Teams, WebEx, etc. He also explained that both Zimbra & Zextras is listening to customer demand and that they are very willing to adapt Zimbra Connect’s features to fulfill customer needs.

Suggestions For Improving the Zimbra Bug Fix Process
Randy L. acknowledged he understands the challenges that existed with the deprecated Zimbra Bugzilla site and suggested that, as a simplified interim solution, Synacor should setup a process to automatically export, on a recurring basis, a one-page list of known bugs from Synacor’s internal Jira bug-tracking system that shows bugs the developers are currently working on, and those that are pending more information being gathered. He explained that this would offer Zimbra BSPs and the community insights into which bug fixes are most likely to appear in an upcoming patch. For Zimbra BSPs, this would also offer the ability to give their customers unofficial guidance on a timeline of when a fix for a bug is likely to appear, even if the bug was reported by another BSP or Zimbra community member. Very limited information about bug fixes included within a given patch, prior to release, is already visible to Zimbra Partners in the Channeltivity Portal, but it offers an incomplete picture of the overall status of all known bugs affecting the product. As it currently stands, the schedule for bug fixes operates mostly as a black box process, with Zimbra BSP customers reacting to the lack of a bug fix schedule by jumping to competing products resulting in both BSPs and Synacor losing those business opportunities. John H. said that there has been discussion internally at Synacor about how to make similar information available to the public.

Randy L. also suggested that Synacor begin sending out periodic surveys asking Zimbra BSPs for feedback about top product issues, so the input can be used for setting priorities by Zimbra Product Management. Barry D. pointed out that the range of feedback is likely to be very diverse and may be difficult to group into meaningful priorities. Randy said that if that occurs, Synacor could tally the top 10-15 most frequently mentioned issues from the first survey, and send out a second follow-up survey asking Zimbra BSPs to place a number next to each of the 10-15 top reported issues to indicate priority. John H. said that he is meeting soon with an internal committee at Synacor to determine how to share out information related to priorities and the time frame in which they will be addressed, and he will mention these suggestions. Randy suggested that transparency and explanation of methods used to determine priorities should be disclosed at least to Zimbra BSPs, if not with the Zimbra community, to keep criticism of the process to a minimum.

HubSpot Personas at Synacor
Mark S. commented that Zimbra uses HubSpot, a marketing tool that requires users to document descriptions of target customers, like Zimbra BSPs, VARs, and end users, as it applies to Synacor’s business. He asked Barry D., a Synacor employee, if he had seen any of these customer descriptions in Zimbra’s HubSpot (Barry had not), and so Mark wondered if, instead of directly approaching Synacor to reconsider their decision to discontinue rolling Open Source binaries for Zimbra 9, or taking three development sprints to do not much more than refactoring, that a better option would be to encourage Zimbra to use the HubSpot Personas feature more broadly within the organization, to help Synacor employees at every level keep customers' challenges in the forefront as they carry out their job responsibilities. Mark described three examples:

Sales
While demonstrating 2-factor authentication in Zimbra for a long-standing customer, the customer asked why a QR code was unavailable that could be scanned to provision the Zimbra email account on the customer’s mobile device, like many other email platforms offer. The customer pointed out this feature is available via a Zimlet in the Open Source version of Zimbra, but is not available in the Zimbra Network Edition.

Customer and Zimbra BSP Ease of Use
While planning to retire a mailbox server in a multi-server farm, Mark opened a Zimbra sup-port case to ask how to move Zimbra Connect Spaces from one mailbox server to anoth-er. He learned that this feature does not exist and is not planned for development, but there is an undocumented variable setting to prevent Zimbra Connect Spaces from being created on a mailbox server. However, after that variable is set on a Zimbra mailbox server to be re-tired, customers have no other option but to destroy and then manually re-create their Zimbra Connect Spaces to "move" them to another server, resulting in no data being retained from their original Spaces.

Security
Zimbra Partners have access to the Channeltivity Portal, which has a section on upcoming patches, typically listing the specific fixes to be included within a patch a week or two before the scheduled release date. 8.8.15 Patch 8 included a security fix that prevents customers in a multi-tenant Zimbra installation from accessing the global address list (GAL) of other server tenants. But Channeltivity had no advance mention of this vulnerability, resulting in Partners learning of this security issue from the patch’s Release Notes, when the patch was released to the public, with no opportunity to plan to remediate the vulnerability in advance.

Mark S. said that if HubSpot Personas were more broadly used within Synacor, the likelihood of these three examples happening would have been significantly reduced. Everyone on the call agreed that advance disclosure of the security issue could have been handled better, so Zimbra BSPs had more time to plan for quickly patching the issue, once the patch was re-leased. Mark was encouraged to bring up the suggestion of HubSpot Personas with his Zimbra Sales contact.
User avatar
jeastman
Zimbra Employee
Zimbra Employee
Posts: 82
Joined: Tue Mar 29, 2016 1:36 pm

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by jeastman »

rleiker wrote: John H. suggested that Zimbra customers should contact their Synacor sales people to express their thoughts on this issue so they can be relayed to the decision makers at Synacor, but said the challenge is in how to present the argument to Synacor’s management in a meaningful way.
I am more than happy to accept such feedback from anyone willing to share. While my focus is on Zimbra Partners in North America, please feel free to contact me if you are having difficulty discussing this with the sales team in your region.
John Eastman
User avatar
rleiker
Advanced member
Advanced member
Posts: 149
Joined: Tue Jan 07, 2020 8:23 pm
Location: Kansas City
Contact:

Re: April 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker »

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders: April 28, 2020 Conference Call Summary

Zimbra Partner Notifications Related To Security Vulnerabilities
Barry D. reported a follow-up to a topic on last week’s call related to creating a process where Zimbra Partners could receive advance notifications about security vulnerabilities prior to the vulnerabilities being publicly announced, so as to allow Partners additional time to mitigate and prepare for patching their Zimbra installations. Barry said he initiated a discussion internally within Synacor about this topic and hopes to have additional news to share soon.

Consulting Opportunity
Barry D. asked if anyone was interested in doing a consulting job for a Zimbra customer, related to configuring 2-factor authentication within Zimbra. Mark S. said he would be willing to assist.

Zimbra Bug Management
Barry D. reported that he is having continuing internal discussions within Synacor about how Zimbra bugs are currently being handled and hopes to have more news to share about this topic soon.

Barry and the Zimbra Forums
Barry D. announced that he will soon be much more active in the Zimbra Forums as an additional Synacor employee resource for both the Zimbra community and partners. He also plans to do some unspecified forum clean-up too. Marc G. welcomed Barry’s announcement and felt he would be a valued resource in the forums.

Invalidating Zimbra Login Sessions
Mark S. said one of his customers recently discovered that when invalidating all sessions for a logged in user from the Zimbra Administration Console that it does not also terminate existing Postfix SMTP sessions, such as may be needed during a spam outbreak, due to a compromised mailbox. Mark said that his customer was told by Zimbra Support to restart the Postfix MTA service to drop the existing SMTP sessions that were being abused by an attacker. Noah P. confirmed he too has always had to restart the Zimbra Postfix service in order to drop existing SMTP sessions when responding to a compromised account. Mark S. reported that changing a mailbox’s status to locked is ineffective at stopping a spam outbreak, as existing SMTP sessions can continue to be abused. He suggested that the Zimbra Administration Console feature to invalidate all sessions for a logged in user should also drop all existing SMTP sessions in Postfix too, so the Zimbra MTA services do not need to be restarted.

Disabling SMTP Access
Mark S. reported that he recently discovered that while MAPI (Exchange), EWS, IMAP, and POP can be individually enabled/disabled for a Zimbra Class Of Service or mailbox, that there is no means to enable/disable SMTP access. The use case for disabling SMTP would be an instance where a mailbox owner solely relies on MAPI or EWS for sending/receiving email messages, which occurs using HTTPS or HTTP. Disabling all non-Exchange services can then be used as a risk mitigation technique for minimizing the potential attack surface.

Zimbra Customer Feedback About Zimbra 9’s Open Source Status
John W. said he received a letter from a customer expressing their dissatisfaction about the recently announced change in Zimbra’s open source policy, starting with Zimbra 9. John shared the customer’s letter with those on the call. The letter states that the customer was originally seeking an open source email platform, which led to selecting Zimbra. The customer also states in the letter that Zimbra’s open source policy is important, as it provides assurances that the customer would not be forced to switch to a different product, should something occur at a future date with Synacor’s business, or a discontinuation of the Zimbra product. The customer makes the business case that without an open source policy, the customer would not have purchased Zimbra licenses or continued to pay for Zimbra support services.

Those on the call mentioned reading similar statements about the policy change being discussed in the Zimbra Forums and on the Zeta Alliance mailing list. Cine and Barry D. commented they feel that Synacor could find a better way to communicate their intent related to this change to everyone in the Zimbra community and said the only statement released officially so far is found at the bottom of the Zimbra 9 release notes: https://wiki.zimbra.com/wiki/Zimbra_Rel ... ce_Edition

Marc G. wondered if perhaps the issue is less about Zimbra 9 being open source, and more related to clarity in the product’s direction, along with transparency related to ongoing bug fix efforts. Barry D. asked for everyone’s patience and said that Synacor is working on this to provide more clarity.
Post Reply