As some of you might already know, ZCS 7 is vulnerable to user enumeration attacks.
In short:
It's possible - without any prior authentication - to probe whether a certain user exists via SOAP calls.
ZCS will tell you whether that user exists, and for an existing one it also tells you the internal UID,
which is also used for auth token generation (so the cleartext of the HMAC-encrypted auth tokens
is easily predictable).
In general, all requests should be denied for unauthenticated users (except the login, of course ;-)).
Needless to mention that this is a serious security problem, but Zimbra upstream has scheduled
this bug for Zimbra 9 (probably released in several years), so we need at least some mitigation.
Does anyone have an idea how to solve this problem?
One option would be forking the source and fixing it there on our own, dropping NE completely,
but I'd like to explore other options first, before we're going that step.
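One mitigation shape the post asks for is a gate in front of the SOAP endpoint that rejects every request lacking an auth token, except the login call. The following is an added example, not code from the original post or from Zimbra: it assumes Zimbra's SOAP envelope layout (SOAP 1.2 envelope, `urn:zimbra` context with an `authToken` element in the header, `AuthRequest` in `urn:zimbraAccount` as the login request); `SomeRequest` and the sample envelopes are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: Zimbra speaks SOAP 1.2, but SOAP 1.1 envelopes are accepted too.
SOAP_ENVS = ("http://www.w3.org/2003/05/soap-envelope",
             "http://schemas.xmlsoap.org/soap/envelope/")
NS_ZIMBRA = "urn:zimbra"
# The only request an unauthenticated client may send: the login itself.
LOGIN_REQUESTS = {("urn:zimbraAccount", "AuthRequest")}


def classify_soap(envelope_xml: str) -> str:
    """Return 'allow' for the login request or any request carrying a
    non-empty auth token (the server still validates it), else 'deny'.
    Malformed or unexpected XML is denied: fail closed."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return "deny"
    env = next((e for e in SOAP_ENVS if root.tag == f"{{{e}}}Envelope"), None)
    if env is None:
        return "deny"
    body = root.find(f"{{{env}}}Body")
    if body is None or len(body) == 0:
        return "deny"
    # Clark notation "{ns}local" -> (ns, local) for the first body element.
    ns, _, local = body[0].tag[1:].partition("}")
    if (ns, local) in LOGIN_REQUESTS:
        return "allow"
    token = root.find(f"{{{env}}}Header/{{{NS_ZIMBRA}}}context/{{{NS_ZIMBRA}}}authToken")
    if token is not None and token.text and token.text.strip():
        return "allow"
    return "deny"


# Constructed sample envelopes (not captured traffic).
LOGIN_SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body><AuthRequest xmlns="urn:zimbraAccount"><account by="name">user@example.com</account>
<password>secret</password></AuthRequest></soap:Body></soap:Envelope>"""
ANON_SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Body><SomeRequest xmlns="urn:zimbraAccount"/></soap:Body></soap:Envelope>"""
AUTHED_SAMPLE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header><context xmlns="urn:zimbra"><authToken>0_placeholder_token</authToken></context></soap:Header>
<soap:Body><SomeRequest xmlns="urn:zimbraAccount"/></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    for name, doc in (("login", LOGIN_SAMPLE), ("anonymous", ANON_SAMPLE), ("authed", AUTHED_SAMPLE)):
        print(f"{name}: {classify_soap(doc)}")
```

Deploying this as a proxy filter still leaves the SOAP login error messages themselves to be checked for the same account-existence leak, which the gate above does not address.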