[Users] February 2, 2021 Zeta Alliance Conference Call Summary

Barry de Graaff info at barrydegraaff.nl
Tue Apr 13 08:26:45 CEST 2021


In reply on the topic Zimbra and SELinux,

I have run Zimbra on SELinux in Enforced mode on CentOS 7 for years 
without any issues. But I have since moved on to Ubuntu...

However, if you look at how Zimbra runs using `ps auxZ` and the file 
permissions using `ls -halZ`, you will notice that Zimbra runs in 
/unconfined/ mode. This means that Zimbra is not protected by any 
SELinux policy, and Zimbra can do whatever it wants; even if SELinux is in 
enforced mode, it will not do anything!

In practice this means that if you enable SELinux you get some 
protection against security issues in packages and software that are 
installed and provided via the distribution. For example sshd? Needless 
to say, most attack vectors will not be covered this way. So this 
means you will need to install security updates and patches as soon as 
they are available.

The next question from a sysadmin perspective would be: is it worth it 
to enable SELinux? This will depend largely on whether you run other software on 
the Zimbra server as well (which you should not) and whether you can afford 
down-time if SELinux causes something to stop working unintentionally. It 
is a hard question to answer, and it almost does not matter. Many more 
things make more sense, like installing a host firewall, checking what 
processes listen on what ports, disabling ssh password authentication, 
disabling smtp authentication on port 25, installing fail2ban, installing 
monitoring on failed imap and other logins, having a lock-out policy 
etc... etc.... having a centralized logging server. Having rate limiting...

So if Zimbra gets implemented with a real SELinux policy (or if you are 
crazy enough to define one) then enabling it will bring more security. 
For now it will only bring minimal added security, but it comes with a 
small chance of SELinux breaking Zimbra.

one more thing...

I have noticed that during updates of CentOS (and Fedora), the 
maintainers seem to have a hard time keeping SELinux going. I have seen 
all sorts of scripts being fired to set/reset new permissions to deal 
with changes in SELinux. These scripts can take a LONG time to complete 
as they iterate through all files and folders. If you have a large 
number of files/folders on your system this can become an annoyance and 
cause the system to slow down, or take a long time to boot the system. 
Also, updates in SELinux and its policies can and *will break custom 
policies* that a sysadmin should define if running software that is not 
provided by the distro.

This and the fact that there are almost no documented cases on the 
Internet where SELinux actually prevented a bad thing from happening 
made me decide to disable it on servers with custom software. In most 
other cases I just left it on enforced.

If someone else has any thoughts on this, I'd like to hear it!


Regards, Barry
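The check Barry describes above (reading the SELinux domain out of `ps auxZ` and spotting processes that run unconfined) can be scripted so it runs as a monitoring check. The script below is an added example and is not from the mailing-list post or from the Zimbra project; it parses `ps -eZ`-style output (LABEL PID TTY TIME CMD) and reports every process whose domain type is `unconfined_t` or `unconfined_service_t`, the two domains enforcing mode does not restrict. The sample output embedded at the bottom is constructed, and the labels shown for the Zimbra `java` and `master` processes are assumed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: list processes running in an
# unconfined SELinux domain, i.e. processes that enforcing mode does not confine.
# Input is `ps -eZ`-style output (LABEL PID TTY TIME CMD) on stdin, so the
# functions work on a live `ps -eZ` as well as on a saved copy.

# Print "PID domain-type command" for each unconfined process.
unconfined_procs() {
    awk '
        $1 == "LABEL" { next }                      # skip the ps header row
        {
            n = split($1, ctx, ":")                 # seuser:role:type:level...
            if (n >= 3 && (ctx[3] == "unconfined_t" || ctx[3] == "unconfined_service_t"))
                print $2, ctx[3], $5
        }'
}

# Return status 1 when any unconfined process is present, so the function can
# be called from cron or a monitoring agent and alert on its exit code.
check_confinement() {
    found=$(unconfined_procs)
    if [ -n "$found" ]; then
        printf 'unconfined processes (SELinux policy does not apply to them):\n%s\n' "$found"
        return 1
    fi
    echo "all listed processes run in a confined domain"
    return 0
}

# Constructed sample in `ps -eZ` format. The java (mailboxd) and master
# (Zimbra's Postfix) labels are assumptions for illustration, not real data.
SAMPLE_PS='LABEL PID TTY TIME CMD
system_u:system_r:init_t:s0 1 ? 00:00:03 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ? 00:00:01 sshd
system_u:system_r:unconfined_service_t:s0 1440 ? 00:12:07 java
system_u:system_r:unconfined_service_t:s0 1502 ? 00:00:04 master
system_u:system_r:crond_t:s0-s0:c0.c1023 901 ? 00:00:00 crond'

# On a live host:  ps -eZ | check_confinement
printf '%s\n' "$SAMPLE_PS" | check_confinement || echo "check exit status: $?"
```

Only the type field of the context is inspected, so the check is independent of the SELinux user and MLS range; extend the comparison if a local policy places trusted daemons in other permissive or unconfined domains.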



On 4/12/21 10:08 PM, Randy Leiker wrote:
> Hello Zeta Alliance Community,
>
> Here is a summary of this week’s conference call.  A few brief reminders:
>
>   * Conference calls are every Tuesday and open to all using either
>     the FreeConferenceCall.com VoIP app or via a dial-in number:
>     https://www.freeconferencecall.com/wall/zetalliance
>   * Each week’s call agenda can be found at:
>     https://drive.google.com/drive/folders/1xDyBJFjnfZYxuXJHiDzsXjjMuGGtIl7J
>   * A copy of each week’s summary is also posted to the Zimbra Forums:
>       o All Prior Months: https://forums.zimbra.org/viewforum.php?f=9
>       o January 2021: https://forums.zimbra.org/viewtopic.php?f=9&t=69121
>       o February 2021: https://forums.zimbra.org/viewtopic.php?f=9&t=69470
>   * Constructive feedback on these call summaries is always welcome.
>
>
> February 2, 2021
>
> *Using Centralized Storage In Zimbra*
> Mark S. asked if anyone has implemented the Centralized Storage 
> (https://zimbra.github.io/adminguide/latest/#centralized-storage) 
> feature in Zimbra?  This allows for storing mailboxes from multiple 
> Zimbra mail stores within the same directory structure on an S3 
> storage volume (AWS S3, Ceph, etc.).  Cine commented that Centralized 
> Storage speeds up mailbox moves between Zimbra mailbox servers 
> considerably.  John E. added that when using object storage 
> (Centralized Storage), it uses a single name space for blob storage, 
> that during a mailbox move, will then move only the mailbox meta data, 
> so few mailbox blobs move at all.  Mark S. asked if he has a single 
> AWS S3 bucket with two name spaces, where all of his mailboxes are 
> stored, and he performs a mailbox move, are mailbox blobs still 
> moving?  Cine said in that instance, yes, all mailbox blobs will still 
> need to be moved between name spaces, but if he switches to using 
> Centralized Storage under a single name space in his AWS bucket, then 
> most mailbox blobs will not need to be moved – only the meta data.  
> Noah P. asked if he has a primary Zimbra mailbox server volume 
> on-site, and a secondary volume on an AWS S3 bucket, does Centralized 
> Storage still work?  Cine confirmed it does.  Mark S. asked if using a 
> Zimbra HSM policy that moves email older than 4 weeks to a secondary 
> volume, when using Centralized Storage, would this mean that only the 
> most recent 4 weeks of mailbox blobs move? Cine confirmed this is 
> correct and that customers he has worked with who use an aggressive 
> HSM policy of keeping only 3-7 days of email in their primary volume 
> on-site with all older items moved to a secondary volume, when 
> combined with Centralized Storage, mailbox moves are very fast.
>
> *Zimbra Disaster Recovery (DR) Restores*
> Mark S. asked, when restoring a Zimbra mailbox server that has 
> suddenly failed in a DR situation, what is the recommended way to do a 
> restore?  Cine suggested using the Zextras Raw Restore feature 
> (https://zimbra.github.io/adminguide/latest/#raw-restore), which is 
> designed for DR use only.  Mark S. asked if he has two mailbox 
> servers, Server 1 and Server 2, and Server 1 fails, should he build 
> Server 3 as the replacement using the raw restore feature, and if so, 
> does the Raw Restore feature also update the Zimbra mailbox transport 
> setting for each mailbox from the failed server, so the Zimbra MTAs 
> (Postfix) knows the new location of each mailbox?  Cine said that it 
> is not necessary to create a new server name, as the failed server 
> name can be re-used.  Cine suggested referring to the Raw Restore 
> documentation section that discusses “Running A Raw Restore” and 
> “Usage Scenarios”.  Mark S. commented that he is trying to save money 
> on storage at AWS by putting as much on S3 storage as he can, but this 
> has the consequence of also shortening his Recovery Point Objective 
> during a DR incident.
>
> *Migrating Mailboxes From Exchange To Zimbra*
> Marc G. said he has a customer doing a migration from Microsoft 
> Exchange to Zimbra and asked for suggestions on the best mailbox 
> migration tool to use.  Mark S. suggested taking a look at BitTitan 
> (https://www.bittitan.com/).  He added 
> that BitTitan supports bi-directional transfers that can migrate 
> email, contacts, calendars, etc.  It also works well for migrating 
> Office 365 tenants between accounts, since it is aware of things like 
> Microsoft Teams.  This helps in scenarios where a parent company is 
> spinning off a subsidiary company in to their own Office 365 account.
>
> *Zimbra and SELinux*
> Matthew F. said he is building new Zimbra servers and wondered if 
> there has been any changes to earlier recommendations to avoid running 
> Zimbra with SELinux in enforcing mode.  Mark S. said he disables 
> SELinux on his Zimbra servers and Randy L. said he runs SELinux in 
> permissive mode on his Zimbra servers.
>
> *Obtaining Status Updates For a Bugzilla Pull Request*
> Cine asked for suggestions on the best option to request a status 
> update of a Bugzilla pull request for the Zimbra Open Source Edition.  
> John H. said that bug updates are only available through the Zimbra 
> Support Portal at present.  Mark S. commented that open source Zimbra 
> users can buy support, so they can then gain access to the Support 
> Portal.  He also commented that when he sees Zimbra Forum users post 
> issues that he knows affect Zimbra Network Edition, he has opened 
> support cases in the past referencing those Forum posts.  Cine said he 
> has a friend that has found a memory leak bug in the Nginx version 
> included in Zimbra, and has submitted a pull request to fix it.  John 
> H. suggested that Cine’s friend take a look at the beta version of 
> Nginx which jumps from Nginx 1.18 to 1.9.  John E. suggested that if 
> Cine’s friend posts comments in the pull request, this may also help 
> draw more attention to it. John H. added that for anyone willing to 
> install the beta version of Nginx and OpenSSL, Zimbra is willing to 
> provide support.  If installing the beta version, he suggested opening 
> a support case to give Zimbra Support a heads up and mention John 
> Hurley’s name.  Nginx has only two bugs that need to be resolved 
> before it comes out of beta: ZBUG-2098 and ZBUG-2099, related to an 
> issue with an HTTP/2 configuration file, and a second issue related to 
> some buggy code that causes Nginx to crash.
>
> *Zimbra Suite Plus Road Map*
> Mark S. asked if anyone had heard about updates for the Zimbra Suite 
> Plus road map.  He said he has a prospective customer interested in 
> Zimbra Suite Plus since they want basic mailboxes with mobile sync 
> support.  The customer is also interested in Zimbra Connect, but there 
> does not seem to be a way to add it to Zimbra Suite Plus.  No one had 
> any updates to share and Cine said that it is correct that Zimbra 
> Connect is not currently available with Zimbra Suite Plus.
>
>
> Randy Leiker (randy at skywaynetworks.com )
> Skyway Networks, LLC
>