Zimbra 9 - FOSS

jeastman
Zimbra Employee
Posts: 86
Joined: Tue Mar 29, 2016 1:36 pm

Re: Zimbra 9 - FOSS

Post by jeastman »

Hi Jim,

If you identify something missing or would like to include additional documentation, please feel free to open a pull request on the package git repository. I'd like to make sure we address anything which might help folks out. There are a number of places where documentation is missing or could be improved and it is not always obvious where those things are. Projects like the build system are pretty much automated on our end or so routine for our internal team that omissions often go unnoticed unless they are pointed out.
The community could share rules and/or Zimbra could monetize vetted and trusted rules as part of a nightly update, similarly to how SA rules are updated. That would provide another layer to safeguard against active attacks against Zimbra before patches are released or tested, and help those stuck on older versions before they can upgrade to supported releases.
I really like the idea of sharing rules and would like to discuss how we might support that. I would rather see something which is community driven, optional and pulled rather than pushed. We have too many folks using the product in "unique" situations where routinely pulling in updated rules would break things more often than fix things. There are two possibilities which immediately come to mind (completely open to other options as well):

1. Establish a section on the wiki for documenting such rules (less actionable but more descriptive)
2. Create a git repository where rules could be submitted via pull request (allows for pull request review and ensuring the contents of the repository are vetted). Could also include cron-type scripts people could utilize to automatically pull the scripts if desired.

I would lean towards the second option, but would appreciate any thoughts or feedback.
John Eastman
JDunphy
Outstanding Member
Posts: 897
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Zimbra 9 - FOSS

Post by JDunphy »

jeastman wrote: Fri Apr 21, 2023 1:22 pm
If you identify something missing or would like to include additional documentation, please feel free to open a pull request on the package git repository. I'd like to make sure we address anything which might help folks out. There are a number of places where documentation is missing or could be improved and it is not always obvious where those things are. Projects like the build system are pretty much automated on our end or so routine for our internal team that omissions often go unnoticed unless they are pointed out.
Hi John,

I am not sure what the correct documentation should be. If I had typed make then the default would have worked and the getsrc would have happened. My issue is I typed in literally what was documented and it failed. I assumed it was like so much other documentation I have attempted on building Zimbra and moved on immediately to a custom solution with no investigation. I won't do that again. I doubled back only when Ian and you chimed in. In any event, I have investigated this 3 different ways to see how easy it would be to add. I use a sed script here to make a small change to the spec file and/or Makefile so I don't have to install the complete RPM for options 2 and 3.
1. Use parts of the spec file and a download of the nginx.tar with wget to build a dynamic ModSecurity 3 connector module (my 1st method and easiest).
2. Update the Zimbra spec file to build the ModSecurity 3 connector inside the Zimbra nginx tree and associated RPM, plus updates to the Makefile to install it.
3. Update the Zimbra spec file to build a statically compiled ModSecurity 3 connector and associated Zimbra nginx RPM.
The biggest problem is that this ModSecurity connector for nginx requires a modsecurity library, so in addition to the ngx_http_modsecurity_module.so there is libmodsecurity.so.3 => /usr/local/modsecurity/lib/libmodsecurity.so.3 (0x00007f44d8468000) ... That is probably too much to expect from Zimbra and many admins that might want to try it.

Not to mention, replacing one's nginx with this RPM probably isn't desirable given the risks of introducing any change to a production environment. I am leaning toward a single bash script I use to build the environment to build, install, initialize it, patch nginx includes/template files and pull/update rules. One script handles all aspects, with documentation on how to turn it off/on.

Ideally, Zimbra would include modsecurity 3 connector in their installs but not enabled or included in the nginx conf files (option 2 above without the Makefile update). Just the connector and the library. Without that basic support, I am not sure there would be enough interest for a trusted vetted space for rules. Another benefit to selling it for future enhancement is it would/could give Zimbra and admins an additional tool laying dormant that could be used in the future for possible quick security bug fixes.
jeastman wrote: Fri Apr 21, 2023 1:22 pm
I really like the idea of sharing rules and would like to discuss how we might support that. I would rather see something which is community driven, optional and pulled rather than pushed. We have too many folks using the product in "unique" situations where routinely pulling in updated rules would break things more often than fix things. There are two possibilities which immediately come to mind (completely open to other options as well):

1. Establish a section on the wiki for documenting such rules (less actionable but more descriptive)
2. Create a git repository where rules could be submitted via pull request (allows for pull request review and ensuring the contents of the repository are vetted). Could also include cron-type scripts people could utilize to automatically pull the scripts if desired.

I would lean towards the second option, but would appreciate any thoughts or feedback.
I like the second option given the trusted/vetted nature of rules, but I also have a wiki entry that explains the process, build, and how to write rules, given there is a lot to wrap one's head around on its capability and how to go about it. Given the prevalent use of fail2ban I have seen in these forums and Zimbra certified wikis, I am planning about a dozen rules to handle an attack in real-time and feed fail2ban or ipsets. That should also be the least intrusive, with no FPs, and should be at least on par for performance with using if statements in nginx conf files, which was done for the memcache security bug. Another use is to document what is being done to the proxy, as significantly enhanced logging can be enabled, especially for POST, given we can view both directions of requests and responses. Lastly, modified OWASP core rule sets could be enabled, which have substantial protections against various current exploits and bots. I view this as a trust exercise where you start with the 1st or 2nd capabilities before you might enable the core rules or a variation of the rules.

It's getting a little off topic so I'll wrap it up and report that it's fairly easy to build ModSecurity 3 into Zimbra given the current state of repositories found on GitHub.

Ref: https://codebots.com/application-securi ... s-of-owasp

Jim
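As an added illustration of the fail2ban/ipset feeding Jim describes (this is not code from the thread, from Zimbra, or from Jim's script), the Python below parses the "Access denied" entries the ModSecurity 3 nginx connector writes to the nginx error log, counts denials per client IP within a findtime window the way a fail2ban jail does, and renders the ipset add lines that a ban action would run. The log lines are constructed samples, and the rule ids, file paths, set name and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a blocking decision logged by the ModSecurity 3 nginx connector:
# timestamp, [client IP], "Access denied", then [id "..."] and [msg "..."] tags.
DENY_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'\[client (?P<ip>[0-9a-fA-F.:]+)\] ModSecurity: Access denied.*?'
    r'\[id "(?P<rule_id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\]'
)

# Constructed sample error.log entries (not real traffic); rule ids are assumed.
# The last line is a "Warning" from an audit-only rule and must not count.
SAMPLE_LOG = """\
2023/04/21 10:00:01 [error] 1001#1001: *7 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Rx'" [file "/opt/zimbra/conf/modsec/zimbra.conf"] [line "12"] [id "100001"] [msg "Zimbra probe"] [uri "/a"], client: 203.0.113.5
2023/04/21 10:00:02 [error] 1001#1001: *8 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched ... [id "100001"] [msg "Zimbra probe"] [uri "/b"], client: 203.0.113.5
2023/04/21 10:00:03 [error] 1001#1001: *9 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Matched ... [id "100002"] [msg "Zimbra probe"] [uri "/c"], client: 203.0.113.5
2023/04/21 10:00:04 [error] 1001#1001: *10 [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Matched ... [id "100001"] [msg "Zimbra probe"] [uri "/d"], client: 198.51.100.9
2023/04/21 10:05:00 [error] 1001#1001: *11 [client 203.0.113.5] ModSecurity: Warning. Matched ... [id "100003"] [msg "audit only"] [uri "/e"], client: 203.0.113.5
"""

def parse_denials(log_text):
    """Yield (timestamp, ip, rule_id, msg) for every blocking decision in the log."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                   m["ip"], m["rule_id"], m["msg"])

def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style jail: an IP is banned once it has maxretry denials inside findtime.
    Returns {ip: timestamp of the denial that triggered the ban}."""
    hits = defaultdict(list)
    banned = {}
    for ts, ip, _rule_id, _msg in parse_denials(log_text):
        hits[ip] = [t for t in hits[ip] if ts - t <= findtime] + [ts]
        if len(hits[ip]) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

def ipset_commands(banned, setname="zimbra_modsec", timeout=3600):
    """Render the ipset add lines a ban action would run (set name is an assumption)."""
    return [f"ipset add {setname} {ip} timeout {timeout} -exist" for ip in sorted(banned)]
```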
zgokan
Advanced member
Posts: 172
Joined: Sun Apr 17, 2016 8:58 am

Re: Zimbra 9 - FOSS

Post by zgokan »

Tomek Makiela wrote: Mon Dec 13, 2021 1:25 pm
Hi all!

For all Zimbra Open Source fans, we have prepared Zimbra 9 FOSS edition with the newest patch 21!
Patches depend on the zimbra-patch package, whose newest version is available only for Zimbra 9 NE. So, we've created our own that is cleaned of all Zimbra Network Edition components.
We also made some small changes in the Zimbra build process to make the process of Zimbra 9 FOSS installation possible. Details here: https://github.com/INTALIO/zimbra9FOSS

If you don't want to recompile Zimbra by yourself, you can use our compiled and ready-to-install version of Zimbra 9 FOSS (download available at https://www.zintalio.com site).
For now, we have a version for Ubuntu 18.04 LTS. Next distros available soon.

Regards
Tomek
Hello
I'm using your version at work. I didn't get the latest patches. Your repositories are not working. Will this problem be solved?

Code:

Release 9.0.0.INTALIO.20211230.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 9.0.0_P24.

error:

Code:

Reading state information... Done
175 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch https://repo.zimbra.com/apt/87/dists/bionic/InRelease  Could not connect to repo.zimbra.com:443 (13.225.78.112), connection timed out Could not connect to repo.zimbra.com:443 (13.225.78.79), connection timed out Could not connect to repo.zimbra.com:443 (13.225.78.11), connection timed out Could not connect to repo.zimbra.com:443 (13.225.78.6), connection timed out
W: Failed to fetch https://repo.zimbra.com/apt/90/dists/bionic/InRelease  Unable to connect to repo.zimbra.com:https:
W: Failed to fetch https://repo.zintalio.com/apt/90/dists/bionic/InRelease  Could not connect to repo.zintalio.com:443 (83.18.137.211), connection timed out
W: Failed to fetch https://repo.zimbra.com/apt/90-ne/dists/bionic/InRelease  Unable to connect to repo.zimbra.com:https:
W: Some index files failed to download. They have been ignored, or old ones used instead
Tomek Makiela
Posts: 14
Joined: Tue Dec 03, 2013 3:57 am
Location: Poznan, Poland
ZCS/ZD Version: ZCS 9.0.0 Network Edition

Re: Zimbra 9 - FOSS

Post by Tomek Makiela »

Hi.

It looks like your Zimbra server can't connect to the repo because outgoing connections to port 443 on our repo server are being blocked.
Check your firewall settings on the Zimbra server or network.

Regards,
Tomek
Tomek Makiela
INTALIO - Zimbra VAR, BSP Partner
https://www.intalio.pl
https://intalioservices.com
mkr
Posts: 21
Joined: Fri Mar 10, 2017 11:00 am
Location: India
ZCS/ZD Version: 8.8.15

Re: Zimbra 9 - FOSS

Post by mkr »

Hi @ianw1974
You did a great thing by placing the tar.gz file of Zimbra Daffodil 10.0.1, up to date as of 1/6/23.
Until now, in 8.8.15, we used to update patches with yum update whenever Zimbra patches came out.

If, say, a new patch Zimbra Daffodil 10.0.2 is announced next month, how can I apply this patch?
ianw1974
Outstanding Member
Posts: 233
Joined: Sat Sep 13, 2014 12:45 am
Location: UK and Poland

Re: Zimbra 9 - FOSS

Post by ianw1974 »

If yum update doesn't pull in patches from Zimbra repos to patch 9 or 10, then you have a couple of options:

1. Wait until I make a release, usually I release once a quarter - like how Zimbra used to release their package updates on their site for download.
2. If there is a critical security release, I will most likely build earlier than the quarterly build.

If that doesn't suit you and you cannot wait, you can use the script from my repository to build yourself a package. This is why I also created and released my build script to make it extremely easy for everyone to be able to build for themselves.
mkr
Posts: 21
Joined: Fri Mar 10, 2017 11:00 am
Location: India
ZCS/ZD Version: 8.8.15

Re: Zimbra 9 - FOSS

Post by mkr »

Hi Ian
This means I have to install Zimbra with the complete build for each patch which you release every quarter, which is not possible.
I have to apply only the patch, not the complete build. Pls give me a solution. Has Zimbra prevented Zimbra patches from yum update for Zimbra 10?
ianw1974
Outstanding Member
Posts: 233
Joined: Sat Sep 13, 2014 12:45 am
Location: UK and Poland

Re: Zimbra 9 - FOSS

Post by ianw1974 »

As I said, if Zimbra doesn't release patch updates to their repo, then how else do you expect it to be? I'm a single person that makes package releases based on Zimbra's build process.

Remember also, that I believe pre Zimbra 8.x there wasn't even a Zimbra repo for ad hoc patch updates. Everyone had to download the new release and run the installer to upgrade. That's how it was. So the question is, does Zimbra still release patch updates to their repos for 9 and 10? If not, then you just have to accept the situation as it is.

I do not have the time, money, infrastructure to be providing servers and repositories. If it is inconvenient for you, then you can always pay Zimbra and use their Network Edition where you are guaranteed access to quick fixes in that way.
mkr
Posts: 21
Joined: Fri Mar 10, 2017 11:00 am
Location: India
ZCS/ZD Version: 8.8.15

Re: Zimbra 9 - FOSS

Post by mkr »

Hi ianw1974
Understood. Thanks for reply and your contribution to builds.
I have one query. Deploying a new build over the old one upgrades the system. Does it affect data?
I have 2 cases:
1. Upgrade from 8.7 to 8.8.15
2. Patch from 8.8.15 P39 to P40.
In the first case I have to migrate data and in the second case I don't.
So when you release a new build, what steps do I need to take? Or just run the installer?
ianw1974
Outstanding Member
Posts: 233
Joined: Sat Sep 13, 2014 12:45 am
Location: UK and Poland

Re: Zimbra 9 - FOSS

Post by ianw1974 »

I believe upgrade from 8.7 to 8.8 is possible. I never migrated at this point. Whether that has changed now or not I cannot tell you. You can ask separate questions about that on this forum.

As for upgrades from the package, you run the install.sh script and it will detect you have Zimbra installed and upgrade it. Here are parameters from the script:

Code:

root@~#:/install.sh --help
./install.sh [-r <dir> -l <file> -a <file> -u -s -c type -x -h] [defaultsfile]

-h|--help               Usage
-l|--license <file>     License file to install.
-a|--activation <file>  License activation file to install. [Upgrades only]
-r|--restore <dir>      Restore contents of <dir> to localconfig
-s|--softwareonly       Software only installation.
-u|--uninstall          Uninstall ZCS
-x|--skipspacecheck     Skip filesystem capacity checks.
--beta-support          Allows installer to upgrade Network Edition Betas.
--platform-override     Allows installer to continue on an unknown OS.
--skip-activation-check Allows installer to continue if license activation checks fail.
--skip-upgrade-check    Allows installer to skip upgrade validation checks.
--skip-ng-check         Allows installer to upgrade by removing NG modules and related data.
--force-upgrade         Force upgrade to be set to YES. Used if there is package installation failure for remote packages.
[defaultsfile]          File containing default install values.
As you can see, no parameter is required to initiate an upgrade. Obviously you should ensure system backups or a VM snapshot before upgrading in case anything goes wrong. That is outside of my or anyone else's responsibilities since I only provide the packages for download.