[Users] March 30, 2021 Zeta Alliance Conference Call Summary

Randy Leiker randy at skywaynetworks.com
Tue Apr 20 04:59:09 CEST 2021

Hello Zeta Alliance Community, 

Here is a summary of this week’s conference call. A few brief reminders: 

    * Conference calls are every Tuesday and open to all using either the FreeConferenceCall.com VoIP app or via a dial-in number: https://www.freeconferencecall.com/wall/zetalliance 
    * Each week’s call agenda can be found at: https://drive.google.com/drive/folders/1xDyBJFjnfZYxuXJHiDzsXjjMuGGtIl7J 
    * A copy of each week’s summary is also posted to the Zimbra Forums: 
        * All Prior Months: https://forums.zimbra.org/viewforum.php?f=9 
        * February 2021: https://forums.zimbra.org/viewtopic.php?f=9&t=69470 
        * March 2021: https://forums.zimbra.org/viewtopic.php?f=9&t=69488 
    * Constructive feedback on these call summaries is always welcome. 

March 30, 2021 

SpamAssassin Vulnerability Prior To Zimbra 8.8.15 P20 and Prior To 9.0 P13 
Randy L. shared news of a recently disclosed vulnerability in SpamAssassin 3.4.4 and prior that affects Zimbra 8.8.15 Patch 20 and 9.0 Patch 13 and prior. He said that the vulnerability has a CVSS score of 9.8 out of 10 and is known as CVE-2020-1946 ( https://nvd.nist.gov/vuln/detail/CVE-2020-1946 ). The vulnerability is fixed in SpamAssassin 3.4.5 and is a form of supply chain attack that can be exploited in a manner similar to the SolarWinds attack widely reported by the news media. It relies on an attacker inserting malicious code into a SpamAssassin rules (.cf) file on a repo; when victims download that file during routine rule updates, it can silently exploit each victim’s server with no indication that an attack has taken place. John E. suggested sending a message to security at zimbra.com. John H. said he will also bring this up in an internal meeting at Synacor to discuss the response plan. Randy L. said that given the high CVSS score of 9.8, he felt this would justify an out-of-band patch from Zimbra. [ Editor Note: revised builds of 8.8.15 Patch 20 and 9.0 Patch 13 were released on April 8, 2021 that fix this vulnerability by upgrading SpamAssassin to 3.4.5. Refer to the release notes of each respective patch for further details.] 

Zimbra Support For Ubuntu 16.04 LTS and 20.04 LTS 
Mark S. asked when Zimbra support for Ubuntu 16.04 LTS is expected to end. He explained that he has purchased extended support from Canonical for Ubuntu 16.04 LTS and was expecting to have a 1 year window to migrate to a newer Ubuntu version. Based on the observed Zimbra deprecation timeline for Ubuntu 14.04 LTS, he felt it now looked like he would instead be required to migrate by the end of Summer 2021. He explained that he wants to avoid needing to upgrade to Ubuntu 18.04 LTS within the next few months, then to 20.04 LTS immediately thereafter. He asked when Zimbra is anticipating officially announcing support for Ubuntu 20.04 LTS so as to best schedule his Ubuntu version upgrade. John H. said that Zimbra support for Ubuntu 20.04 LTS is on the road map for the first half of 2021, sometime before July, and added that he was unsure of the time frame for the end of Zimbra support for Ubuntu 16.04 LTS. John explained that Zimbra support for an Ubuntu LTS version is normally aligned with when standard support for an LTS version ends from Canonical, irrespective of any extended maintenance contracts that customers may separately purchase from Canonical. John added that it has been Zimbra’s standing policy to support an operating system while it has support from the OS vendor, up until support is only available through an optional extended support maintenance contract from the OS vendor. 

Splitting A Domain Between Zimbra and Office 365 
Gary C. said one of his business customers migrated their organization from Zimbra to Office 365, and there has been a vocal group of individuals within the organization hating it, and they are seeking to move back to Zimbra. He said he is looking for options to split email delivery for the customer’s domain name, so that a portion of the domain’s mailboxes can remain on Office 365, while the other portion returns to Zimbra. He said he has an external email gateway that allows for routing mail for some individuals to Zimbra and others to Office 365, which he can set up in Zimbra to be used as an SMTP smart host; however, he has concerns that inter-domain mail delivery between Zimbra and Office 365 will fail. 

Mark S. suggested changing the domain from authoritative to relay mode in Office 365 and leaving the DNS MX record for the domain pointing to Zimbra. He then recommended changing the zimbraMailTransport attribute setting for individual users in Zimbra, and deleting the mailboxes from Office 365 that are moving back to Zimbra. He also advised caution when using external email gateways (Barracuda, MailScanner, etc.) to avoid creating mail loops. 

Noah suggested this Wiki article ( https://wiki.zimbra.com/wiki/Split_Domain ). He said he has done something similar when splitting a domain between Zimbra and G Suite, by using the methods discussed in the Wiki article. He said the trick is that administration of both services (Zimbra and G Suite) needs to be managed very carefully to avoid mail loops. 

Matthew F. suggested that Gary should set up any distribution lists that his customer has in Office 365, since he has found that Zimbra ignores the zimbraMailTransport attribute for distribution lists, which can lead to mail routing issues. Marc G. asked, in terms of collaboration like sharing and free/busy, does splitting a domain make things rather messy? Mark S. confirmed that it does and did not know if the free/busy connector in Zimbra works with Office 365. John H. said he thinks there is a feature enhancement request open for the Zimbra free/busy connector to support Office 365. 

All Day Calendar Events Appearing On Wrong Day In the Zimbra Calendar 
Matthew F. asked if anyone has had a problem with all day calendar events being moved by 24 hours to the wrong day when using ActiveSync with a Zimbra mailbox. John H. said there was an old issue like this several patches ago. Matthew said he has 8.8.15 Patch 18 installed and did not see any mention in the release notes of a fix in P19. John H. said he thinks this issue was originally fixed back in P10. Matthew said that the issue does not seem to appear for all day calendar appointments created from a PC when Outlook is configured to use Exchange ActiveSync (EAS), but the issue does appear when a calendar appointment is created from an Android device using ActiveSync. John E. said this is a known issue, since Outlook is doing more than just ActiveSync, including some out-of-band stuff. He suggested using the Zimbra Connector for Outlook, and avoiding using EAS. John E. asked if Matthew was testing with a Samsung device, and if so, said that Samsung has created their own ActiveSync version which sometimes causes unexpected things to happen. Mark S. said there is a Microsoft KB article that discusses the differences between Exchange ActiveSync (EAS) and Exchange Web Services (EWS). He added that Microsoft considers EAS deprecated and that EWS is solely for use on mobile devices. 

Randy Leiker ( randy at skywaynetworks.com ) 
Skyway Networks, LLC 
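
Added example (not part of the original message or of Zimbra's tooling): a pre-cutover audit of the split-domain plan discussed above, flagging addresses that would loop, leftover Office 365 mailboxes, and distribution lists still defined in Zimbra. It assumes every address has a Zimbra account with a per-user zimbraMailTransport and that Office 365 in relay mode sends unknown recipients back to the MX (Zimbra); all addresses and hostnames are constructed sample data.

```python
# Added example: audit a Zimbra / Office 365 split-domain routing plan.
# Assumed model: MX points at Zimbra; Office 365 is in relay mode and hands
# recipients it has no mailbox for back to the MX. Sample data is constructed.

def audit(zimbra_transport, o365_mailboxes, zimbra_dlists=()):
    """Return {address: finding} for every address with a routing problem.

    zimbra_transport: address -> zimbraMailTransport value of the Zimbra account
    o365_mailboxes:   set of addresses that still have an Office 365 mailbox
    zimbra_dlists:    distribution lists defined in Zimbra
    """
    findings = {}
    for addr, transport in zimbra_transport.items():
        scheme = transport.split(":", 1)[0].lower()
        in_o365 = addr in o365_mailboxes
        if scheme == "smtp" and not in_o365:
            # Zimbra relays out, Office 365 has no mailbox and relays back.
            findings[addr] = "loop"
        elif scheme == "lmtp" and in_o365:
            # Mail sent from inside Office 365 lands in the leftover mailbox.
            findings[addr] = "stale-o365-mailbox"
        elif scheme not in ("lmtp", "smtp"):
            findings[addr] = "unknown-transport"
    for addr in set(o365_mailboxes) - set(zimbra_transport):
        # In this model Zimbra needs an account to relay for each address.
        findings[addr] = "no-zimbra-account"
    for dl in zimbra_dlists:
        # zimbraMailTransport is reported above as ignored for lists.
        findings[dl] = "dlist-in-zimbra"
    return findings

# Constructed sample plan: hostnames and addresses are placeholders.
SAMPLE_TRANSPORT = {
    "anna@example.com": "lmtp:mbox1.example.com:7025",   # back on Zimbra
    "ben@example.com": "smtp:gateway.example.com:25",    # stays on Office 365
    "cara@example.com": "smtp:gateway.example.com:25",   # O365 mailbox deleted
    "dev@example.com": "lmtp:mbox1.example.com:7025",    # O365 mailbox not deleted
}
SAMPLE_O365 = {"ben@example.com", "dev@example.com", "eve@example.com"}
SAMPLE_DLISTS = ["staff@example.com"]

if __name__ == "__main__":
    for addr, finding in sorted(audit(SAMPLE_TRANSPORT, SAMPLE_O365, SAMPLE_DLISTS).items()):
        print(f"{finding:20} {addr}")
```
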