You are correct. Additionally, if someone visits http://forums.zimbra.com
, the forum will display in HTTP mode, but if changing the URL to https://forums.zimbra.com
, a visitor's browser will display a mismatched SSL certificate warning, since the wildcard certificate presented is for *.zimbra.org.
I have opened a support case with Zimbra to try and bring some attention to these two misconfigurations. It is a trivial configuration correction that is needed in the web server hosting the Forum to fix both the issue you pointed out, in addition to the needed forums.zimbra.com to forums.zimbra.org redirect. Without the redirect from HTTP to HTTPS mode, it can easily expose user's Forum logins to eavesdroppers.