[Users] April 13, 2021 Zeta Alliance Conference Call Summary

Randy Leiker randy at skywaynetworks.com
Wed Apr 21 21:59:07 CEST 2021

Hello Zeta Alliance Community, 

Here is a summary of this week’s conference call. A few brief reminders: 

    * Conference calls are every Tuesday and open to all using either the FreeConferenceCall.com VoIP app or via a dial-in number: https://www.freeconferencecall.com/wall/zetalliance 
    * Each week’s call agenda can be found at: https://drive.google.com/drive/folders/1xDyBJFjnfZYxuXJHiDzsXjjMuGGtIl7J 
    * A copy of each week’s summary is also posted to the Zimbra Forums: 
        * All Prior Months: https://forums.zimbra.org/viewforum.php?f=9 
        * March 2021 : https://forums.zimbra.org/viewtopic.php?f=9&t=69488 
        * April 2021 : https://forums.zimbra.org/viewtopic.php?f=9&t=69507 
    * Constructive feedback on these call summaries is always welcome. 

April 13, 2021 

Slow SmartScan After Installation of 8.8.15 Patch 20 
Mark S. said that after installing 8.8.15 P20, he observed that SmartScans on his Zimbra servers had slowed. Matthew F. said that he also installed P20, but has not seen any performance impact on SmartScans so far. 

Failing LDAP Backups After Installation of 8.8.15 Patch 20 
Mark S. said that after he installed 8.8.15 P20, he noticed that LDAP backups performed from his Zimbra mailbox server had unexpectedly stopped. Upon investigation, he found that the Zextras SmartScan was trying to use an incorrect LDAP root password to perform the backups. In an attempt to fix it, Zimbra Support recommended that Mark manually edit the “ldap_root_password” value in the /opt/zimbra/conf/localconfig.xml file on his mailbox server, but this did not fix the issue. He added that he did not restart the mailboxd service after making the change. Randy L. said he had the same issue back in December 2018 with Zimbra 8.8.10, where he was seeing emailed warnings from incomplete SmartScans with the error message: “DoBackupLDAP backup path: /path-to-backups/ldap_03_12_18#00_01_00.tar.gz warning: [ldap.example.com] invalid credentials”. Randy said the solution at the time was to confirm that the passwords for each of the following zmlocalconfig values were set the same on all Zimbra servers in the cluster: 

    * ldap_amavis_password 
    * ldap_bes_searcher_password 
    * ldap_nginx_password 
    * ldap_postfix_password 
    * ldap_replication_password 
    * ldap_root_password 
    * zimbra_ldap_password 

This was followed by manually editing the “ldap_root_password” value in the /opt/zimbra/conf/localconfig.xml file on the servers hosting the Zimbra mailboxd service, then performing a “zmcontrol restart” to put the change into effect. 
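The consistency check Randy describes is easy to get wrong by eye, and pasting seven passwords per server into a ticket is its own problem. The script below is an added example for this summary (not Zimbra's own tooling): it takes the "key = value" output of zmlocalconfig -s from each server, reports which of the seven keys disagree across hosts using short SHA-256 fingerprints instead of the plaintext values, and names the hosts that are out of step with the rest. The hostnames and password values in SAMPLE_OUTPUTS are constructed for illustration.

```python
"""Cross-check that the LDAP-related zmlocalconfig passwords agree on every
Zimbra server in a cluster, without echoing the passwords themselves.

Added example for this call summary; not Zimbra's own code. It assumes you
have already collected, from each server (e.g. over ssh as the zimbra user),
the default "key = value" output of:

    zmlocalconfig -s ldap_amavis_password ldap_bes_searcher_password \
        ldap_nginx_password ldap_postfix_password ldap_replication_password \
        ldap_root_password zimbra_ldap_password

SAMPLE_OUTPUTS below is constructed for illustration; hosts and values are
not real.
"""
import hashlib
import re
from collections import Counter

# The seven keys named in the call summary.
LDAP_PASSWORD_KEYS = (
    "ldap_amavis_password",
    "ldap_bes_searcher_password",
    "ldap_nginx_password",
    "ldap_postfix_password",
    "ldap_replication_password",
    "ldap_root_password",
    "zimbra_ldap_password",
)

_KV = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$")


def parse_zmlocalconfig(text):
    """Parse 'key = value' lines; blank or unparseable lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            out[m.group("key")] = m.group("value")
    return out


def fingerprint(secret):
    """Short SHA-256 prefix: enough to see which hosts differ, without
    putting a plaintext password into a ticket or chat transcript."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_mismatches(outputs, keys=LDAP_PASSWORD_KEYS):
    """Return {key: {host: fingerprint or 'MISSING'}} for every key whose
    value is absent on some host or differs between hosts."""
    parsed = {host: parse_zmlocalconfig(text) for host, text in outputs.items()}
    report = {}
    for key in keys:
        per_host = {host: cfg.get(key) for host, cfg in parsed.items()}
        if len(set(per_host.values())) > 1:
            report[key] = {
                host: fingerprint(v) if v is not None else "MISSING"
                for host, v in per_host.items()
            }
    return report


def odd_hosts(outputs, key):
    """Hosts whose value for `key` differs from the value most hosts share.
    With no strict majority (e.g. two hosts that disagree) every host is
    returned; confirm the right value against the LDAP master by hand."""
    values = {h: parse_zmlocalconfig(t).get(key) for h, t in outputs.items()}
    counts = Counter(v for v in values.values() if v is not None)
    if not counts:
        return sorted(values)
    majority, n = counts.most_common(1)[0]
    if n * 2 <= len(values):
        return sorted(values)
    return sorted(h for h, v in values.items() if v != majority)


# Constructed sample: mbox2 still carries a stale ldap_root_password.
_COMMON = """\
ldap_amavis_password = amavis-Qk7
ldap_bes_searcher_password = bes-3Zp
ldap_nginx_password = nginx-Ld9
ldap_postfix_password = postfix-Vt2
ldap_replication_password = repl-Hx5
zimbra_ldap_password = zimbra-Rc4
"""
SAMPLE_OUTPUTS = {
    "ldap1.example.com": _COMMON + "ldap_root_password = root-Mw8\n",
    "mbox1.example.com": _COMMON + "ldap_root_password = root-Mw8\n",
    "mbox2.example.com": _COMMON + "ldap_root_password = root-OLD1\n",
}

if __name__ == "__main__":
    for key, hosts in find_mismatches(SAMPLE_OUTPUTS).items():
        print(key, hosts, "fix on:", odd_hosts(SAMPLE_OUTPUTS, key))
```

Treat the majority value as a hint only: the value that matters is the one the LDAP master's slapd actually accepts, so verify there before copying it elsewhere. On the hosts that are out of step, zmlocalconfig -e ldap_root_password=<value> is the command-line equivalent of the manual localconfig.xml edit, and, as the summary notes, nothing picks the change up until zmcontrol restart.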

Performing Raw Restores In Zimbra 
Mark S. commented that he was recently performing a Raw Restore ( https://zimbra.github.io/zimbra-9/adminguide.html#raw-restore ) on one of his Zimbra servers, and encountered some trouble until he realized that both the source and destination servers need to be on the same version and patch level for this feature to work. Matthew F. said that when performing Raw Restores in the past, he has successfully guaranteed that the source and destination servers have the same version and patch level by cloning the Zimbra repo when rebuilding the new server that is the target of the restore. This allows him to ensure the restore runs on the exact version as the old server from which the backup was originally taken. 

Zimbra Forum Missing TLS Redirect and Mismatched Certificate Name Issues 
Randy L. said he opened Zimbra Support case # 01172173 related to some misconfigurations of the web server hosting the Zimbra Forum. If a visitor to the Forum enters “forums.zimbra.org” in their browser address bar, uses a bookmark, or clicks a search engine result, they are not automatically redirected to a TLS session. This remains true if a Forum user clicks the “Login” link, exposing each affected Forum user’s login information in plain text on the Internet. 

A second issue relates to an SSL certificate name mismatch for the Forum. The web site is currently configured to respond to requests for the host names “forums.zimbra.org” and “forums.zimbra.com”. However, the site is only configured with a wildcard SSL certificate that matches *.zimbra.org host names. So, if a visitor reaches the site via https://forums.zimbra.com, this will cause all web browsers to display a security warning related to the mismatched SSL certificate name. 

Randy said that both issues can be fixed with some trivial web server configuration changes such as a URL rewrite for redirecting non-TLS sessions to TLS, and adding an additional subject alternative name to the SSL certificate for forums.zimbra.com, or just redirecting visitors from forums.zimbra.com to forums.zimbra.org. 
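The name-mismatch half of this is a question of which names a certificate's subject alternative names actually cover, and wildcard entries are narrower than people expect. The code below is an added example written for this summary, not the Forum's web server configuration or anything from Zimbra: it implements the wildcard matching rule browsers apply and runs it over a constructed SAN list that mirrors the situation described (a *.zimbra.org wildcard behind both forums.zimbra.org and forums.zimbra.com). The real Forum certificate was not inspected; live_sans() is included for pulling the SANs a server really presents, and is not called by the self-check.

```python
"""Decide whether a name a web site answers on is covered by the dNSName
subject alternative names in the certificate it serves, using the wildcard
rule browsers apply (RFC 6125 section 6.4.3): '*' may only be the entire
left-most label, it matches exactly one label, and a bare '*.tld' is refused.

Added example for this call summary, not the Forum's web server code. The
FORUM_SANS / FORUM_NAMES values below are constructed to mirror the situation
described in the summary; they are not taken from the real certificate.
"""
import socket
import ssl


def _labels(name):
    """Normalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.lower().rstrip(".").split(".")


def san_matches(pattern, hostname):
    """True if a single dNSName SAN entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    # Wildcard: only a whole '*' first label, with at least two labels after
    # it, so '*.org' and 'f*.zimbra.org' are both rejected.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    # One label only: '*.zimbra.org' covers forums.zimbra.org but neither
    # zimbra.org itself nor a.forums.zimbra.org.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def covered(hostname, sans):
    return any(san_matches(s, hostname) for s in sans)


def mismatched_hosts(served_names, sans):
    """Names the site answers on that would trigger a browser warning."""
    return [n for n in served_names if not covered(n, sans)]


def live_sans(host, port=443):
    """Fetch the dNSName SANs a server actually presents (network access;
    not run by the self-check). Chain validation stays on, but hostname
    checking is turned off so a mismatched certificate can still be read
    and then judged with covered() instead of raising immediately."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed sample mirroring the summary: wildcard for .org only, while the
# site also answers for the .com name.
FORUM_SANS = ["zimbra.org", "*.zimbra.org"]
FORUM_NAMES = ["forums.zimbra.org", "forums.zimbra.com"]

if __name__ == "__main__":
    print("names that will warn:", mismatched_hosts(FORUM_NAMES, FORUM_SANS))
    print("after adding the SAN:",
          mismatched_hosts(FORUM_NAMES, FORUM_SANS + ["forums.zimbra.com"]))
```

Either remedy the summary mentions clears the list: add forums.zimbra.com as a SAN, or stop serving content on that name and issue a redirect to forums.zimbra.org (the redirect has to be over a certificate that already covers forums.zimbra.com, or the warning simply moves to the redirect). For the plaintext half, once port 80 redirects to HTTPS, adding a Strict-Transport-Security header on the HTTPS responses stops returning browsers from making that first unencrypted request at all.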

Follow-Up: ClamAV Vulnerabilities In Zimbra 8.8.15 P20 and 9.0 P13 
To follow up on the April 6th Zeta Alliance call, Randy L. shared another vulnerability that affects the ClamAV 0.102.2 version recently released with 8.8.15 Patch 20 and 9.0 Patch 13: 

    * CVE-2021-1404 ( https://nvd.nist.gov/vuln/detail/CVE-2021-1404 ): CVSS Score 7.5 

This vulnerability can be exploited when an attacker sends an email with a carefully crafted PDF attachment to a Zimbra server that is configured to scan inbound or outbound email with ClamAV. Zimbra will need to upgrade to a minimum of ClamAV 0.102.4 to address the 4 ClamAV vulnerabilities discussed in the April 6th Zeta Alliance call, or preferably upgrade to a minimum of ClamAV 0.103.2 to address CVE-2021-1404 as well, allowing all 5 known vulnerabilities to be patched. 

New Zimbra Android and iOS Apps 
John E. said that a new Android app for Zimbra has been released in the Google Play store ( https://play.google.com/store/apps/details?id=com.zimbra.modernapp&hl=en_US&gl=US ). The iOS Zimbra app is not yet available for download pending Apple’s review of the app. Mark S. asked if the apps will require Zimbra 8.8.15 or 9.0. John E. & John H. said they are told it is designed for use with Zimbra 9, but they were not sure if this is accurate. Randy L. asked if it is a replacement for using Exchange ActiveSync with native device apps for synchronizing email, contacts, and calendars. John E. confirmed that it is and that there will be continued development to keep the apps current with the latest Zimbra features. He added that after discussing the road map for the apps with the Zimbra product team, the focus is currently on the email features, to be followed by a focus on contacts, calendars, and then incorporating Zimbra add-ons like Chat, etc. 

Marc G. asked about Zimbra partner branding opportunities for the apps. John E. said there will likely not be partner branding, but he suggested that partners reach out to their contacts at Zimbra to discuss. Marc G. said that he has observed other software vendors offering branding options for their apps by charging a monthly fee to grant partners access to an app’s source code, allowing a partner to build a branded version and submit it to the app stores. John E. said a similar option was discussed with the Zimbra product team, and while the Zimbra 9 Modern UI code is available for partner review, it is not currently available for licensed derivative works. Noah P. said that he would be ok with the Synacor-branded apps, but at a minimum he would like to see a capability included allowing partners to add specific links in the app, such as to a partner’s support portal rather than the general Zimbra support site. 

New Zimbra Desktop App 
John E. said that a limited group of beta testers have been playing with a desktop app version of Zimbra (a successor to the previously deprecated Zimbra Desktop app), and he encouraged people to reach out to him with feedback. Mark S. said that it is an Electron app ( https://www.electronjs.org/ ). John E. said that the app is designed so the same code can be used for the Zimbra Web Client, mobile apps, and desktop app. It is not just a wrapper of the Zimbra Web Client; rather, a significant amount of work has gone into the desktop app to allow it to work in offline mode. Mark S. asked if Zimbra customers using virtual hosts will have the ability to do branding in the desktop app. John E. said that he will bring this request to the Zimbra product team. 

Randy Leiker ( randy at skywaynetworks.com ) 
Skyway Networks, LLC 