October 2020 Zeta Alliance Weekly Call Summaries


October 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker » Wed Oct 07, 2020 8:39 pm

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

October 6, 2020

Basecamp’s Email Service ‘Hey’ and Suggestions For Zimbra
Mark S. asked if anyone has tried out Basecamp’s new email service, called Hey. He said it is a re-imagination of how email should work from the developers of Basecamp, and while it does not allow for importing existing email, it allows aggregating email from other services, and is designed around Basecamp’s unique view of how they think teams should be using email. Mark provided this URL, which reviews the new service: https://www.inc.com/jason-aten/email-is ... etter.html . He asked if there were any lessons Zimbra could learn from it. John E. said that the Basecamp email service is targeted at very specific use cases and does not support any third-party email client apps. He also did not feel it was designed for most organizations as it does not implement many commonly used organizational email features. He added that Zimbra is continuing to grow and is trying to service a broad variety of clients. But, there is probably nothing stopping someone from building a client that targets a similar niche purpose, such as the Hey service, while using Zimbra on the back end. Mark S. said that Hey claims they are double encrypting each mail blob, so that a help desk person can still access a mailbox to assist with a support issue, while still preserving the mailbox owner’s privacy. He also mentioned that the service blocks all tracking pixels embedded in an email by default. He described their screener feature which places any email from new senders you have not corresponded with before into a separate folder, apart from the Inbox. John E. commented that a key feature is the ability to search email and called into question if Hey is actually encrypting the search indexes or keeping those as plain-text on disk.

Overzealous Auto-Fill Feature In Chrome
Noah P. shared that he has two customers, who have domain administrator rights in Zimbra, report that after they log in to the Zimbra Administration Console, then double-click on a mailbox to make a modification, followed by clicking on the Forwarding tab, that they are finding that the password field for the mailbox is being auto-filled with the domain admin’s own Zimbra password. He said it has been observed to occur only in Chrome, and he suspects it may be an auto-fill feature issue in Chrome that may be misinterpreting the email address field in the Forwarding tab & the password field in the General tab as the Zimbra login page. Cine suggested it could also be caused by a password manager app, as some password managers, such as Dashlane, are known to disable the auto-fill feature in web browsers. No one on the call was able to confirm encountering the same issue.

Experiences With 8.8.15 Patch 14
Marc G. said his organization is preparing to install 8.8.15 Patch 14 and asked if anyone has experienced any issues so far, or if there were any special concerns he should be aware of. Mark S. and Randy L. both confirmed they have had Patch 14 installed for about 4 days and have experienced no issues with it.


Randy Leiker
Skyway Networks, LLC



Re: October 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker » Wed Oct 14, 2020 4:07 am

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

October 13, 2020

New Time For the Zeta Alliance Weekly Calls
Marc G. proposed taking a vote to continue the recurring weekly Zeta Alliance calls on Tuesdays, but starting with the call for November 3, 2020, to change the time to 9:30 am America/Los Angeles (Pacific). A vote was taken on the call and the newly proposed time was accepted by all in attendance. The new call time will make it easier for everyone in Europe to attend, since the calls will start earlier in the evening, while still allowing the calls to take place during daytime business hours in the United States. The new call time is equivalent to:

  • America/New York (Eastern) 12:30 pm
  • Europe/Amsterdam (Central) 6:30 pm

Due to occasional differences for a couple of weeks each year in the start and end dates of Daylight Savings Time in the United States and Summer Time in Europe, everyone will use the America/Los Angeles (Pacific) time zone, in case of conflicts, to determine the start time of each week’s Zeta Alliance call. The next Daylight Savings Time change in the America/Los Angeles (Pacific) time zone takes place on November 1, 2020. This page ( https://en.wikipedia.org/wiki/Daylight_ ... ted_States ) provides guidance on the start and end dates for Daylight Savings Time in the America/Los Angeles (Pacific) time zone.

Making It Easier For Vendors and Developers To Integrate With Zimbra
Marc G. cited an example of one of his customers that is using a calendar product that has been integrated with Office 365 and Gmail, but not Zimbra. He asked for ideas from those on the call about how Synacor can make it easier for both software vendors and independent developers to integrate their apps with Zimbra, as they often do currently with Office 365 and Gmail. He suggested that if Zimbra could provide an application programming interface (API) compatible with Microsoft Graph ( https://docs.microsoft.com/en-us/graph/overview ), it may be easier to get new software vendors and developers on board to integrate with Zimbra, since they could theoretically re-use their existing Office 365 integration for an easy integration with Zimbra. John E. said a business case would need to be made for this in order to allocate resources to such an effort within Synacor, and that it could prove difficult to engineer a work-alike API to Microsoft Graph in Zimbra, since Graph is a proprietary API subject to unexpected changes that also relies heavily on Microsoft-only services that would need to be referenced directly. Randy L. suggested that perhaps Zimbra Professional Services could more actively promote their ability to assist vendors and developers with product integration when a Zimbra customer does not have the in-house development resources to do so themselves.

John E. said a common complaint is that Zimbra 8.8’s API is based around the SOAP standard, while much of the world has moved on to other integration techniques. He added that Zimbra 9 has a new GraphQL API ( https://graphql.org/ ) available that makes integrations similar to Microsoft Graph possible, and that the Modern UI in Zimbra 9 is built on GraphQL. Barry D. said that a JavaScript library supporting GraphQL is available at: https://github.com/Zimbra/zm-api-js-client and he has written a how-to at: https://blog.zimbra.com/2020/08/zimbra- ... -a-zimlet/ . He added that with the development of the Modern UI in Zimbra 9, a new authentication mechanism utilizing JWT ( https://jwt.io/ ) was added, that replaces the Zimbra AUTH_TOKEN. The JWT support provides the foundation for rich security configurations, and impersonations, in a standard way. Barry D. also suggested taking a look at https://github.com/Zimbra/zimbra-zimlet-tags .

New Zimlet For Creating And Using Email Templates
Barry D. shared a Zimlet that can be used for creating and using email templates: https://github.com/Zimbra/zimbra-zimlet-email-templates . This Zimlet makes it easy for those who send many similar looking emails to convert those messages into templates, where placeholder values in the template can be replaced with the desired content before sending.

Updated Zimlet For Integrating Nextcloud With Zimbra 9
Barry D. announced that he has updated a Zimlet for integrating Nextcloud into Zimbra 9 that has been published to the Zimbra repos, but has not yet been documented in the Zimbra Administrator’s Guide.

Avoiding Backscatter Spam For External Anti-Spam Appliances
David M. said he is working on setting up a new anti-spam appliance, external to his Zimbra installation. His prior anti-spam appliance performed LDAP look-ups via Zimbra to determine whether or not the appliance should accept a message from a sender for delivery, which avoids issues with backscatter email ( https://en.wikipedia.org/wiki/Backscatter_(email) ). However, his new anti-spam appliance does not provide this LDAP look-up capability, so he has alternatively looked at using Postfix’s VRFY feature to check with Zimbra if a sender’s message should be accepted. He explained that the VRFY feature works well for regular Zimbra mailboxes, but does not work correctly for Zimbra email aliases. He has observed messages sent to email aliases being accepted by the anti-spam appliance, then by Zimbra, which are later rejected by Zimbra resulting in backscatter email. Noah P. said he had encountered the same issue in the past and recommended adjusting this setting in Zimbra: https://zimbra.github.io/zimbra-9/admin ... atter_spam . Marc G. commented that the way his organization worked around this issue was to stand up an independent LDAP server, external to Zimbra, which both Zimbra and his anti-spam system use for verifying recipient email addresses. He said given the preference, he would like to see a direct integration with Zimbra.

Mitigating Zero-Day Malware And Neutralizing Phishing Links Via Email
Marc G. said that a common issue his organization encounters is that email arrives in customer Inboxes that contain zero-day malware that cannot yet be detected by any anti-virus product. In those instances, his team investigates by uploading the suspect email attachments to VirusTotal ( https://en.wikipedia.org/wiki/VirusTotal ), and often finds that few, if any anti-virus (AV) products detect the malware. But then, over time, AV products begin to detect the suspect file as malware, as updated malware definitions become available. He said he would like to see a means in Zimbra to either recall or delete messages found to be containing zero-day malware from customer Inboxes in an automated manner. However, this is likely to be tricky as it relates to privacy, since it may require some level of access to customer mailboxes.

Randy L. commented that all AV products are fundamentally flawed, since they operate on the model of trust everything by default, but block only select content, based on malware signatures that will always trail the release of new malware variants. This is as compared to the more effective deny by default approach (aka application white listing), where only approved content is allowed to pass. He explained that the way his organization mitigates the issue Marc described is by quarantining all email by default that contains any type of executable content, in addition to quarantining all Office files that contain macros. For emails containing either of these types of files, the original recipient of the message receives a notification that a file has been removed from the original email, but can be released from the quarantine, if the recipient trusts the sender and was expecting the message. All other messages containing attachments then continue on through normal AV checks using multiple AV products.

Noah P. suggested that for mitigating phishing links in emails, it would be interesting to do an integration with Zimbra for Cuckoo ( https://cuckoosandbox.org/ ) where a suspect link in an email could be opened safely by a recipient in a sandbox. He also referred to this blog article discussing a similar integration: https://blog.rootshell.be/2012/06/20/cu ... th-cuckoo/ . Randy L. commented that he thinks this is the basis of how the Proofpoint service works, where suspect links are rewritten in a received message, so clicked links are opened in either an ephemeral VM or container on a remote server, rather than the recipient’s local computer, and the recipient is instead viewing the suspect link through a VNC-like remote session, so their local computer remains safe.

Avoiding Business Email Compromise Security Incidents
Marc G. commented that one of his concerns is Business Email Compromise (BEC) ( https://www.fbi.gov/scams-and-safety/co ... compromise ). A BEC is a security incident where an attacker gains control over a Zimbra user’s mailbox, most often via a successful phishing attack. Randy L. commented that he has read security bulletins indicating that Office 365 accounts that lack two-factor authentication are being particularly hit hard as of late with these types of security incidents. In those cases, an attacker quietly maintains persistent access to a victim’s mailbox by setting up inbound and outbound filtering rules that automatically forward a copy of any messages sent or received from the victim’s email account to the attacker. This allows the attacker to observe the normal flow of email over a period of time. When the attacker sees a financial transaction being discussed, the attacker will then intervene by impersonating either the sender or recipient of a message, advising one of the parties to make a last minute change to the financial details, usually so a payment can be routed to a bank account under an attacker’s control, thereby completing the goal of a BEC. Many security teams are overlooking this type of intrusion into mailboxes, as suspicious filtering rules are normally not checked by most organizations during security audits or threat hunting. Marc G. commented that his organization has personally experienced at least one BEC incident where they were contacted by someone out-of-band (by phone) asking to verify the changed banking information for a payment transaction, thereby defeating the attack.


Randy Leiker
Skyway Networks, LLC
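
The deny-by-default attachment policy described in the October 13 summary above (quarantine executable content and Office files with macros, pass everything else on to AV), as an added Python example that is not from the call or from Zimbra. The extension list, the legacy-OLE heuristic and the sample message are assumptions constructed for illustration; recipient notification and release are not modeled.

```python
import io
import zipfile
from email.message import EmailMessage

EXEC_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE and Linux ELF file headers
# Assumption: an illustrative extension list, not a complete one.
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".msi"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def has_ooxml_macros(data):
    """OOXML files are zips; macro-enabled ones carry a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename, data):
    """Return the quarantine reason for one attachment, or None to pass it on."""
    name = (filename or "").lower()
    # Check content as well as name, so a renamed executable is still caught.
    if data.startswith(EXEC_MAGIC) or any(name.endswith(e) for e in EXEC_EXTS):
        return "executable content"
    if has_ooxml_macros(data):
        return "Office file with macros"
    # Heuristic: legacy OLE files name their VBA stream in UTF-16LE.
    if data.startswith(OLE_MAGIC) and "_VBA_PROJECT".encode("utf-16-le") in data:
        return "Office file with macros"
    return None


def apply_policy(msg):
    """Split a message's attachments into (quarantined, passed_to_av)."""
    quarantined, passed = [], []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify(part.get_filename(), data)
        if reason:
            quarantined.append((part.get_filename(), reason))
        else:
            passed.append(part.get_filename())
    return quarantined, passed


def build_sample():
    """Constructed message whose attachments are harmless placeholders."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.net", "b@example.com", "Files"
    msg.set_content("See attached.")
    for name, data in [
        ("report.pdf", b"%PDF-1.4 placeholder"),
        ("invoice.pdf", b"MZ" + b"\x00" * 62),  # PE header behind a .pdf name
        ("notes.docm", docm.getvalue()),
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    held, passed = apply_policy(build_sample())
    print("quarantined:", held)
    print("passed to AV:", passed)
```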
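
The BEC passage above notes that forwarding filter rules are normally not checked during audits or threat hunting. This added Python example (not from the call or from Zimbra's code) scans per-mailbox filter scripts for Sieve `redirect` actions that target outside domains. It assumes the rules have been exported as Sieve text with a comment line naming each rule; the mailboxes, domains and scripts are constructed.

```python
import re

# Sieve (RFC 5228) redirect action, allowing tagged arguments such as :copy.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"', re.IGNORECASE)


def is_internal(domain, internal_domains):
    """True if domain equals, or is a subdomain of, an internal domain."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_sieve(mailbox, script, internal_domains):
    """Return one finding per redirect action that targets an outside domain."""
    findings = []
    rule = "(unnamed)"
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            # Assumption: a comment line names the rule that follows it.
            rule = line.lstrip("#").strip() or rule
            continue
        for match in REDIRECT_RE.finditer(line):
            target = match.group(2).strip().lower()
            domain = target.rpartition("@")[2]
            if not is_internal(domain, internal_domains):
                findings.append({"mailbox": mailbox, "rule": rule,
                                 "line": lineno, "target": target})
    return findings


def audit_mailboxes(scripts, internal_domains):
    """scripts maps a mailbox address to its exported Sieve text."""
    findings = []
    for mailbox in sorted(scripts):
        findings.extend(audit_sieve(mailbox, scripts[mailbox], internal_domains))
    return findings


# Constructed sample data (not from the original post).
INTERNAL_DOMAINS = {"example.com"}
SAMPLE_SCRIPTS = {
    "alice@example.com": '''require ["fileinto", "copy"];
# Newsletters
if header :contains "list-id" "news" {
    fileinto "Newsletters";
}
# .
if true {
    redirect :copy "collector@mail.example.net";
}
''',
    "bob@example.com": '''# Send invoices to the finance team
if header :contains "subject" "invoice" {
    redirect "finance@corp.example.com";
}
''',
}

if __name__ == "__main__":
    for f in audit_mailboxes(SAMPLE_SCRIPTS, INTERNAL_DOMAINS):
        print("{mailbox}: rule {rule!r} line {line} forwards to {target}".format(**f))
```

Only the catch-all rule in the first mailbox is reported; the second mailbox redirects to a subdomain of an internal domain and is not flagged.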

Re: October 2020 Zeta Alliance Weekly Call Summaries

Post by Robert1657 » Wed Oct 14, 2020 5:58 pm

Hi Barry

How do I download your Zimbra 9 Nextcloud plugin?

Re: October 2020 Zeta Alliance Weekly Call Summaries

Post by rleiker » Wed Oct 21, 2020 6:06 pm

Hello Zimbra Community,

Here is a summary of this week’s conference call. A few brief reminders:

October 20, 2020

Ubuntu 18.04 & Zimbra End-Of-Life Date Mismatch
Mark S. shared that Ubuntu 18.04 is scheduled to go end-of-life in April 2023, while the end-of-life date for general support of Zimbra 8.8.15 and 9.0 for Ubuntu 18.04 is scheduled for December 2023 ( https://www.zimbra.com/support/support- ... lifecycle/ ). He asked if Synacor has plans to release Zimbra binaries for Ubuntu 20.04 or 22.04 before Ubuntu 18.04 goes end-of-life. John H. said he already has an internal support request from July on this same question and that he flagged it for discussion in an upcoming internal Synacor meeting that occurs every 2 weeks.

Microsoft Dynamics CRM Becoming A Web-Only Service In Microsoft 365
Noah P. said that a few of his clients are using Microsoft Dynamics CRM with Outlook on their Windows desktop with Zimbra. Microsoft recently announced plans to discontinue support of the desktop version of Dynamics CRM, making it a web-only service available exclusively through Microsoft 365. While his client can continue running the deprecated Dynamics CRM product on their desktop with Zimbra, they are concerned that if Dynamics breaks for any reason in the future, the client would be forced to move their email from Zimbra to Office 365.

Experiences Running CentOS 8 With Zimbra
Noah P. said that his company is phasing out CentOS 6.x servers and evaluating if they should set their new standard to using CentOS 7.x or 8 servers. He asked if anyone had experiences to share related to running Zimbra on CentOS 8.x. Mark S. said that he is only aware of one issue affecting one of his customers running Zimbra on CentOS 8, where the Swatch service built-in to Zimbra repeatedly fails, requiring a manual restart daily and to re-run the zmsyslogsetup utility. If not restarted, this results in log rotation issues in Zimbra. This issue has been reported to Zimbra as ZBUG-1843 and was originally targeted to be fixed in Zimbra 8.8.15 Patch 15 and 9.0 Patch 8, but Mark thinks this fix may be bumped to Patch 16 and Patch 9, respectively, as there is no mention of it being included in the release notes for Patch 15 and Patch 8.

How-To Enable Logging For Chats In Zimbra
David M. asked about how to enable logging in Zimbra for the Chat feature in Zimbra Connect so that one of his clients can receive a log of all chat sessions conducted for mailboxes in their domain, as he could not find any clear instructions in the Zimbra or Zextras documentation. Cine suggested using a Zimbra CLI command similar to “zxsuite connect getproperty” to check which properties can be set for Zimbra Connect, as one of the properties may allow for enabling logging of all chats. If available, it should produce a log with a file name similar to zxchat.log or connect.log.

Follow-Up: Avoiding Backscatter Spam Topic From October 13th Call
David M. shared that following the advice received on the October 13th Zeta Alliance call related to avoiding backscatter spam issues with an external anti-spam appliance ( http://forums.zimbra.org/viewtopic.php? ... 7a#p299380 ), he was able to successfully implement Postfix’s VRFY feature to check if a sender’s message was sent to a valid destination email alias on his Zimbra cluster.

Follow-Up: Time Zone Confirmation For The New Zeta Alliance Call Schedule
Marc G. asked for confirmation if the America/Los Angeles (Pacific) time zone will be used by all, in case of conflict between Daylight Savings Time in the United States and Summer Time in Europe, as discussed in the October 13th Zeta Alliance call ( http://forums.zimbra.org/viewtopic.php? ... 7a#p299380 ). It was confirmed that the America/Los Angeles (Pacific) time zone will indeed be used, in the event of a conflict. Cine commented that he will coordinate with Barry D. on updating this page ( https://www.freeconferencecall.com/wall/zetalliance ) with the updated weekly call time.

Follow-Up: Updates On ActiveSync Issues Affecting Apple iOS Devices
Noah P. asked if anyone knew of updates on the open support cases related to the ActiveSync issues affecting iOS devices, as discussed on earlier Zeta Alliance calls. Mark S. said that there is no significant news to share yet, and that he has the impression that the root issue is buried somewhere deep in the Zimbra/Zextras code base, as it is still under investigation. To work around the issue, Mark explained that he has set up his phone to use Exchange/ActiveSync for syncing his calendar and contacts, but not email. This is combined with an IMAP account for syncing folders and email-only to his iPhone. He also reported that when he uses Apple Siri to call someone, it does not always work consistently, and if he then opens the Address Book on his phone to manually look up a contact, the Address Book app will sometimes crash. He said that he does not think it is an email-specific issue, but rather an ActiveSync implementation issue. John Holder, with Zimbra Support, suggested to Mark that Apple iOS devices seem to be fussier about getting a complete folder list from Zimbra before performing any data synchronization from those folders. If a complete folder list is not received within a very limited amount of time from Zimbra, then the iOS devices reset the connection and appear to request the same full folder list repeatedly, thereby preventing any data from synchronizing with the phone.

Marc G. said that he has an issue on his iPhone when using Exchange/ActiveSync with Zimbra, in that the read/unread flag on messages does not always work consistently, as the number of unread messages per folder fails to consistently update. Mark S. commented that he feels if Synacor would consider releasing a Zimbra-branded app that customers could install on their phones/tablets, it would effectively sidestep many of the issues that arise in attempting to use Microsoft’s Exchange/ActiveSync protocol. John E. said a set of native apps for Zimbra Cloud is coming out very soon, and he thinks they will eventually make their way into the on-premises version of Zimbra too.

Follow-Up: Making It Easier For Vendors/Developers To Integrate With Zimbra
As a follow-up to one of the October 13th Zeta Alliance call topics, Marc G. asked why Zimbra cannot offer a work-alike service to Microsoft GraphQL, so that vendors integrating with Office 365 can more easily integrate with Zimbra. John E. said that his understanding of GraphQL is that it is a transversible service where everything is referenced by name, with dependencies on multiple Microsoft-specific services, and re-creating this in Zimbra would be a significant challenge. Mark S. commented that there is a legal battle between Oracle and Google ( https://en.wikipedia.org/wiki/Google_LL ... ica%2C_Inc. ) related to the use of copyrights in Application Programming Interfaces (APIs). John E. said he thinks offering a work-alike service in Zimbra for GraphQL is a deeper issue, beyond copyright concerns.

Marc G. asked, as it relates to the fundamentals of synchronizing calendar data from another vendor’s product API, is it a big ask to implement this in Zimbra. John E. felt it would be a straightforward project, but just requires proper business case justification at Synacor to allocate the developer resources, and that it could be implemented through either middleware or server-side code. Noah P. commented that any product vendor developing an integration with an email system will look at the largest 1-3 vendors, then will stop doing additional implementations beyond that point, as the software vendor typically runs out of time or budget resources. Noah felt that Google and Microsoft may be getting more preference from product vendors for integrations, since many consumers have received Google and Microsoft services for free in schools. John E. said from his personal experiences, many kids do not always like those free services and the Google/Microsoft approach can sometimes backfire.

Randy L. said that as a developer, he finds that Zimbra lacks a centralized portal for developers looking to get started with doing integration projects with Zimbra. As an example, he referenced the dedicated portals set up by merchant account providers for developers doing e-commerce integrations with shopping carts with examples like: https://developer.paypal.com/home/ and https://developer.authorize.net/ . Many of these merchant account providers have gone to great lengths to create step-by-step guides with lots of hand-holding for developers, significantly lowering the barrier to entry. Noah P. said that the closest equivalent he knows of for Zimbra is located at: https://wiki.zimbra.com/wiki/Zimlet_Dev ... troduction . John E. said he could not agree more and that this is one of Barry D.’s responsibilities at Synacor, which he has been starting to work on by creating new Zimlet development how-to posts on the Zimbra blog, as the beginning of a process to aggregate this information together into a single future portal for developers.


Randy Leiker
Skyway Networks, LLC
