[Users] April 28, 2020 Zeta Alliance Conference Call Summary
Randy Leiker
randy at skywaynetworks.com
Tue Apr 28 23:21:29 CEST 2020
Hello Zeta Alliance Community,
Here is a summary of this week’s conference call. A few brief reminders:
* Conference calls are every Tuesday and open to all using either the FreeConferenceCall.com VoIP app or via a dial-in number: https://www.freeconferencecall.com/wall/zetalliance
* Each week’s call agenda can be found at: https://docs.google.com/document/d/1uUUDJpwp2CAylU6lxtbEdVcUX_qSbciyes6gLTWw2fY/edit
* A copy of each week’s summary is also posted to the Zimbra Forums:
  * February 2020: https://forums.zimbra.org/viewtopic.php?f=9&t=67726
  * March 2020: http://forums.zimbra.com/viewtopic.php?f=9&t=67855
  * April 2020: https://forums.zimbra.org/viewtopic.php?f=9&t=68073
* Constructive feedback on these call summaries is always welcome.
April 28, 2020 Conference Call Summary
Zimbra Partner Notifications Related To Security Vulnerabilities
Barry D. reported a follow-up to a topic on last week’s call related to creating a process where Zimbra Partners could receive advance notifications about security vulnerabilities prior to the vulnerabilities being publicly announced, so as to allow Partners additional time to mitigate and prepare for patching their Zimbra installations. Barry said he initiated a discussion internally within Synacor about this topic and hopes to have additional news to share soon.
Consulting Opportunity
Barry D. asked if anyone was interested in doing a consulting job for a Zimbra customer, related to configuring 2-factor authentication within Zimbra. Mark S. said he would be willing to assist.
Zimbra Bug Management
Barry D. reported that he is having continuing internal discussions within Synacor about how Zimbra bugs are currently being handled and hopes to have more news to share about this topic soon.
Barry and the Zimbra Forums
Barry D. announced that he will soon be much more active in the Zimbra Forums as an additional Synacor employee resource for both the Zimbra community and partners. He also plans to do some unspecified forum clean-up. Marc G. welcomed Barry’s announcement and felt he would be a valued resource in the forums.
Invalidating Zimbra Login Sessions
Mark S. said one of his customers recently discovered that invalidating all sessions for a logged-in user from the Zimbra Administration Console does not also terminate existing Postfix SMTP sessions, as may be needed during a spam outbreak due to a compromised mailbox. Mark said that his customer was told by Zimbra Support to restart the Postfix MTA service to drop the existing SMTP sessions that were being abused by an attacker. Noah P. confirmed he too has always had to restart the Zimbra Postfix service in order to drop existing SMTP sessions when responding to a compromised account. Mark S. reported that changing a mailbox’s status to locked is ineffective at stopping a spam outbreak, as existing SMTP sessions can continue to be abused. He suggested that the Zimbra Administration Console feature to invalidate all sessions for a logged-in user should also drop all existing SMTP sessions in Postfix, so the Zimbra MTA services do not need to be restarted.
Disabling SMTP Access
Mark S. reported that he recently discovered that while MAPI (Exchange), EWS, IMAP, and POP can be individually enabled/disabled for a Zimbra Class Of Service or mailbox, there is no means to enable/disable SMTP access. The use case for disabling SMTP would be an instance where a mailbox owner solely relies on MAPI or EWS for sending/receiving email messages, which occurs using HTTPS or HTTP. Disabling all non-Exchange services can then be used as a risk mitigation technique for minimizing the potential attack surface.
Zimbra Customer Feedback About Zimbra 9’s Open Source Status
John W. said he received a letter from a customer expressing their dissatisfaction about the recently announced change in Zimbra’s open source policy, starting with Zimbra 9. John shared the customer’s letter with those on the call. The letter states that the customer was originally seeking an open source email platform, which led to selecting Zimbra. The customer also states in the letter that Zimbra’s open source policy is important, as it provides assurances that the customer would not be forced to switch to a different product, should something occur at a future date with Synacor’s business, or a discontinuation of the Zimbra product. The customer makes the business case that without an open source policy, the customer would not have purchased Zimbra licenses or continued to pay for Zimbra support services.
Those on the call mentioned reading similar statements about the policy change being discussed in the Zimbra Forums and on the Zeta Alliance mailing list. Cine and Barry D. commented they feel that Synacor could find a better way to communicate their intent related to this change to everyone in the Zimbra community and said the only statement released officially so far is found at the bottom of the Zimbra 9 release notes: https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0#Open_Source_Edition
Marc G. wondered if perhaps the issue is less about Zimbra 9 being open source, and more related to clarity in the product’s direction, along with transparency related to ongoing bug fix efforts. Barry D. asked for everyone’s patience and said that Synacor is working on this to provide more clarity.
Randy Leiker ( randy at skywaynetworks.com )
Skyway Networks, LLC