Here is a summary of this week’s conference call. A few brief reminders:
- Conference calls are every Tuesday and open to all using either the FreeConferenceCall.com VoIP app or via a dial-in number: https://www.freeconferencecall.com/wall/zetalliance
- Each week’s call agenda can be found at: https://drive.google.com/drive/folders/1xDyBJFjnfZYxuXJHiDzsXjjMuGGtIl7J
- Constructive feedback on these call summaries is always welcome.
April 6, 2021
Mailboxd Java Options
Mark S. said that in the 8.8.15 Patch 20 release notes ( https://wiki.zimbra.com/wiki/Zimbra_Rel ... _Mailstore ), he noticed a recommendation to use the Java parameter: “-Djavax.net.debug=ssl,handshake,data” and he wanted to know if using this option would significantly increase the size of his logs in Zimbra. [Editor Note: the release notes page has since been revised to omit this Java parameter.] John E. said it should not hurt and can be helpful in determining that things are working correctly. He said that in the event the Java parameters do not work, it will present itself as a certificate failure upon startup.
Revised 8.8.15 Patch 20 and 9.0 Patch 13 Releases
John H. said there were two issues that arose with 8.8.15 P20 and 9.0 P13 after their initial release on March 30th that required a revised build of each on April 2nd. The first issue related to an incompatibility with kernel versions 4.8 and 4.9 with OpenSSL 1.1.1h in Red Hat 6 and Ubuntu 14 ( https://wiki.zimbra.com/wiki/Zimbra_Rel ... and_4.9.29 ). The symptoms of this issue are discussed in this Forum thread: http://forums.zimbra.org/viewtopic.php? ... e3bba8c87a .
The second issue was related to Zimbra installations running a dual stack (IPv4 and IPv6) configuration, where the Zimbra IPv4 interface can be incorrectly disabled, as described in this Forum thread: viewtopic.php?f=13&t=69412 . [Editor Note: a third revised version of 8.8.15 P20 and 9.0 P13 was released on April 8th to address a security vulnerability in SpamAssassin 3.4.4, discussed in the March 30th Zeta Alliance Call: viewtopic.php?f=9&t=69488#p301185 ].
Follow-Up: Zimbra Support For Ubuntu 16.04 LTS
To follow up on the Zeta Alliance March 30th call related to the topic of Zimbra support for Ubuntu 16.04 LTS, John H. confirmed that there are no plans to end Ubuntu 16.04 LTS support for the foreseeable future.
Zimbra Video Server
Mark S. asked if anyone knew of the timeline for when the Zimbra Video Server is anticipated to leave beta and become generally available. No one on the call had an update to share.
HTTP/2.0 Support In Zimbra
Randy L. said that he noticed HTTP/2.0 support had been introduced with the new Nginx version that is included with 8.8.15 Patch 20 and 9.0 Patch 13. He asked if HTTP/2 is now supported end-to-end from the Zimbra Nginx proxy to the mailbox server. John H. said that HTTP/2 is currently supported only on the Nginx front-end and not yet on the mailbox server back-end. End-to-end support for HTTP/2 is still being reviewed to ensure that no security risks will be introduced.
ClamAV Security Vulnerabilities In Zimbra
Randy L. shared that the ClamAV 102.2 version included in the recently released 8.8.15 Patch 20 and 9.0 Patch 13 has four security vulnerabilities:
- CVE-2020-3327 ( https://nvd.nist.gov/vuln/detail/CVE-2020-3327 ): CVSS Score 7.5
- CVE-2020-3341 ( https://nvd.nist.gov/vuln/detail/CVE-2020-3341 ): CVSS Score 7.5
- CVE-2020-3481 ( https://nvd.nist.gov/vuln/detail/CVE-2020-3481 ): CVSS Score 7.5
- CVE-2020-3350 ( https://nvd.nist.gov/vuln/detail/CVE-2020-3350 ): CVSS Score 6.3
The first three vulnerabilities can be exploited simply by sending a carefully crafted email attachment within an email to a Zimbra server configured to perform ClamAV scanning of inbound or outbound email. The fourth vulnerability requires an attacker to have local shell access to a Zimbra server where ClamAV is installed to exploit, making the first three vulnerabilities of greater concern for Zimbra administrators. Randy L. said he opened a support case with Zimbra and was assigned ZBUG-2193. The status of this bug can be monitored from the Zimbra Support Portal bug look-up tool.
NextCloud, ownCloud, and OnlyOffice Integrations With Zimbra
Marc S. asked for thoughts on using NextCloud or ownCloud with Zimbra. Randy L. said his personal preference is NextCloud and feels that many choose either NextCloud or ownCloud based on personal preferences and their history with each respective product. Marc G. asked if anyone is using OnlyOffice with NextCloud. Randy L. said that a few years ago, he tried to negotiate a deal to use OnlyOffice for an integration with Zimbra and NextCloud, but found that OnlyOffice lacked a service provider oriented licensing program and was instead offering traditional software licensing terms, making it a non-starter for use in a service provider environment. He added that since then, Zimbra Docs has progressed, and that he knows that at one point, Barry D. had a working Zimlet for integrating OnlyOffice with Zimbra, but was unsure of the current status of the Zimlet. John E. said that in Zimbra Cloud, an OnlyOffice integration is currently available. [Editor Note: Barry D. confirmed on April 21st via the Zeta Alliance mailing list that the OnlyOffice integration ( https://github.com/Zimbra-Community/owncloud-zimlet ) in the Nextcloud Zimlet for Classic UI was still working as recently as April 2021. He said the same instance of OnlyOffice can be used with the Zimlet as well as with Nextcloud.]
Skyway Networks, LLC