Zimbra 10.1.X - License problems since the release of 10.1

[oetiker]

But is it causing issues for your users, or just headaches for the admins when deploying new licenses? Just to understand the (end-user) impact correctly...

The Warning look scary my License is valid checked with the support but sadly the installation does not think thats true...

Current Users=40 Licensed Users=0
Warning: The number of users on this system (40) exceeds the licensed number
(0). You may continue with the upgrade, but you will not be able to create
new users. Also, initialization of the Document feature will fail. If you
later wish to use the Documents feature you'll need to resolve the licensing
issues and then run a separate script available from support to initialize the
Documents feature.

[theZimbler]

Same for me...
sometimes the license code provided by the support team is not valid, sometimes the code is not activated/registered so it does not work...

On many cases the license daemon just stops because it likes to... IDK but this new license system is a mess and support is not doing much to solve the problems, we have a lot of open cases with the suport team regarding license problems and it ends on "bug" or just giving us information that contradicts the official documentation...

Can you list the bug numbers ... sometimes this gives some information.

Zimbra people told me to open up a new case with the bug number to reactivate the support doing something. Sometimes
the bug get a higher priority.

Sadly im still waiting for those bug numbers...

[theZimbler]

IIRC with an expired license on 8.x/9.0, users get pop-ups (in webmail) about the license being invalid, and you can no longer create new accounts.

What is the *user* experience with an expired or invalid license on Zimbra 10.1 ?

In my case, there is no specific behaviour detected, for example, in a single-server environment when the license expired we found that the users could use the webmail with the anoying "zimbra license is expired" pop-up, but in a multi-server environment with offline license activated and where the users mostly use the "modern" interface, they were completly unable to login to the webmail, and the users that use Outlook client with ZCO also were able to see their mails, but unable to send anything.

Once the license is re-activated again all this problems suddenly were resolved, but what mostly concers me is the fact that the license went expired just after an IP adress change or after updating the Zimbra CA certificates...

[oetiker]

Hi

The zmlicensectl startup script has been fixed. Zimbra has acknowledged that customers use non-standard SSH ports in their environments.

https://github.com/Zimbra/zm-core-utils ... ab378af569

Bug ZBUG-4668 remains open with no recent updates. According to Support Case #01758202, the fix will be included in the next patch release. This follows Zimbra's current pattern of fixing issues but holding the fixes until the next scheduled release.
This particular bug is critical as it prevents the license daemon from starting - a major, show-stopping issue. Despite its severity, customers must either wait another month for the official patch or implement their own workaround by manually patching the script.

From Zimbra Support:

We have been informed by our product team that this issue should be fixed in our next patch release.

Zimbra's behavior is completely incomprehensible. Not only did they launch a flawed new licensing system that significantly compromises overall stability and reliability, but they're also delaying bug fixes until the next release - which can take more than a month to arrive. This approach to handling critical issues is highly problematic.

[BradC]

Zimbra's behavior is completely incomprehensible. Not only did they launch a flawed new licensing system that significantly compromises overall stability and reliability, but they're also delaying bug fixes until the next release - which can take more than a month to arrive. This approach to handling critical issues is highly problematic.

It's like watching a trainwreck in slow motion. You know the likely outcome but you just can't look away.

[L. Mark Stone]

One other attribute of Online Activation is that it uses telnet. One security conscious customer blocks the use of telnet on their network, and that telnet is required for online activation is not presently documented anywhere that we could find. It took a Support Case to find this out.

The customer is now pursuing Offline Activation, but that requires turning off FIPS on the LDS server. Fortunately, they are not a government entity required to use FIPS everywhere.

Hope that helps,
Mark

[BradC]

One other attribute of Online Activation is that it uses telnet. One security conscious customer blocks the use of telnet on their network, and that telnet is required for online activation is not presently documented anywhere that we could find. It took a Support Case to find this out.

That's interesting. We blocked everything at the firewall. To get an activation it required :
license.zimbra.com port 443 TCP
my.nalpeiron.com port 80 TCP

As you'd expect with the port numbers the connection to license.zimbra.com was SSL and my.nalpeiron.com was unencrypted SOAP.

We didn't see any attempts to use telnet.

[L. Mark Stone]

One other attribute of Online Activation is that it uses telnet. One security conscious customer blocks the use of telnet on their network, and that telnet is required for online activation is not presently documented anywhere that we could find. It took a Support Case to find this out.

That's interesting. We blocked everything at the firewall. To get an activation it required :
license.zimbra.com port 443 TCP
my.nalpeiron.com port 80 TCP

As you'd expect with the port numbers the connection to license.zimbra.com was SSL and my.nalpeiron.com was unencrypted SOAP.

We didn't see any attempts to use telnet.

The customer I referenced does not allow any unencrypted connections on their network. They told me they saw the Zimbra activation engine try to open an outbound telnet connection in their firewall, which was blocked by policy. I took them at their word.

Even if the data being transported is otherwise useless, it's hard for me to support that anything should be transported over the open Internet unencrypted these days, especially when it's so easy to do good encryption.

[BradC]

The customer I referenced does not allow any unencrypted connections on their network. They told me they saw the Zimbra activation engine try to open an outbound telnet connection in their firewall, which was blocked by policy. I took them at their word.

I'm not arguing, just presenting what we saw when we tested. Perhaps if we'd blocked one or both of those we'd see it trying to use alternatives. Much like the Zextras "ng" modules had about 4 different ways of "phoning home" depending on what might have been blocked.

Even if the data being transported is otherwise useless, it's hard for me to support that anything should be transported over the open Internet unencrypted these days, especially when it's so easy to do good encryption.

This one is interesting. The transport for the nalpeiron server is "unencrypted", but in reality it's a plain text soap wrapper around massive encrypted/encoded blobs. Does the fact it uses port 80 and is essentially plaintext qualify it as "unencrypted" ?

Next time I spool up a test system I might have a play with impeding the LDS communication to see what fallback paths it might try and use.

I must say Zimbra hasn't really been transparent about how much(any?) of this actually works.

[rainer_d]

Were there really that many people out there gaming the system, using keygens or whatever that it had such a material impact on Zimbra's bottom line that it justified risking basically all of what goodwill is left?

I know we activated the same license very often - but that is because we run an identical "twin" of our production system as a test-system and we frequently roll that back because updates don't work on the first try (recently more often than not...).
We also had to roll back production updates then and now.

Currently, it seems I cannot "revoke" an activated offline license in the portal.