Difference between revisions of "Zimbra Releases/9.0.0/P25"

 
Line 86: Line 86:
 
== Platform ==
 
== Platform ==
 
* A new attribute '''zimbra_gal_fallback_ldap_search_enabled''' has been introduced to control the AutoComplete request being sent to LDAP server. The default value of the attribute is TRUE. If we have a galsync account, the autocomplete request would be served from the galsync account. In case galsync account is not present, the autocomplete requests will be then served from LDAP server.
 
* A new attribute '''zimbra_gal_fallback_ldap_search_enabled''' has been introduced to control the AutoComplete request being sent to LDAP server. The default value of the attribute is TRUE. If we have a galsync account, the autocomplete request would be served from the galsync account. In case galsync account is not present, the autocomplete requests will be then served from LDAP server.
* Support to add a warning for messages arriving from the external domain is now available. Introduced two new localconfig attributes:
+
* Support to add a warning for messages arriving from the external domain is now available. Introduced two new localconfig attributes.
 
** zimbra_external_email_warning_enabled - Attribute to enable/disable the feature. Default is disabled.
 
** zimbra_external_email_warning_enabled - Attribute to enable/disable the feature. Default is disabled.
 
** zimbra_external_email_warning_message - Attribute the message to be displayed for external emails.
 
** zimbra_external_email_warning_message - Attribute the message to be displayed for external emails.
 +
For more information on how to setup the feature, please refer to [https://zimbra.github.io/zimbra-9/adminguide.html#_message_banner_for_mails_from_external_domains Admin Guide] section.
 
* To promote better password security, a new feature has been introduced to restrict users from using their names in the password when changing or resetting it. The feature is controlled by a local config attribute '''allow_username_within_password'''. The default value is true. When set to false, users won't be allowed to specify their username in the password when changing or resetting it.
 
* To promote better password security, a new feature has been introduced to restrict users from using their names in the password when changing or resetting it. The feature is controlled by a local config attribute '''allow_username_within_password'''. The default value is true. When set to false, users won't be allowed to specify their username in the password when changing or resetting it.
  

Latest revision as of 15:05, 27 June 2022

Zimbra Collaboration Kepler 9.0.0 Patch 25 GA Release

Check out the Security Fixes, What's New. Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues


NOTICE: Clear to proceed with patch upgrade

As of this time, we have addressed the previously identified issues with the patch release, and recommend customers proceed with this upgrade. As always, we recommend following best practices during patch upgrades (including taking backups of key data and config). We apologize for this unfortunate event.


Change in upgrade process for 9.0.0 Patch 25

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release.

We have also introduced a new package zimbra-ldap-patch to be installed only on the LDAP node.

Please refer to the Patch Installation section to install the packages in its order.

Changes required for SSO setup before patch upgrade

Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary CVE-ID CVSS Score Zimbra Rating Fix Patch Version
Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. CVE-2022-0778 7.5 Low 9.0.0 P25
Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. CVE-2021-28165 7.5 Low 9.0.0 P25
Upgraded mina-core to version 2.1.6 CVE-2019-0231 7.5 Low 9.0.0 P25
Fixed an issue with Zimbra Classic WebApp where input sanitization was required in displaying attachment data. TBD TBD Medium 9.0.0 P25
  • Vulnerability in RARLAB UnRAR before 6.12 has been identified CVE-2022-30333 and has a score of 7.5 - HIGH. Zimbra has made configuration changes to use the 7zip package instead of unrar. Customers are requested to remove the unrar package (if installed) and use 7zip instead.


What's New

NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.

Rocky Linux 8 Support (Beta)

We are nearing the end of our extensive QA cycle for this major upgrade. Watch for the GA announcement in an upcoming patch release.

Package Upgrade

  • Log4j package has been upgraded to version 2.17.1 which includes CVE-2021-44228, CVE-2021-45105, CVE-2019-17571 fixes. As communicated in earlier patch releases, Zimbra was not impacted by any of these security issues since Zimbra was using an older version of Log4j. Please refer to wiki for changes in the logging options.
  • OpenJDK package has been upgraded to version 17.0.2
  • SpamAssassin package has been upgraded to version 3.4.6.
  • ClamAV package has been upgraded to version 0.103.3.
  • OpenSSL has been upgraded to version 1.1.1n.
  • Jetty has been upgraded to version 9.4.46.
  • Mina-core has been upgraded to version 2.1.6

Platform

  • A new attribute zimbra_gal_fallback_ldap_search_enabled has been introduced to control the AutoComplete request being sent to LDAP server. The default value of the attribute is TRUE. If we have a galsync account, the autocomplete request would be served from the galsync account. In case galsync account is not present, the autocomplete requests will be then served from LDAP server.
  • Support to add a warning for messages arriving from the external domain is now available. Introduced two new localconfig attributes.
    • zimbra_external_email_warning_enabled - Attribute to enable/disable the feature. Default is disabled.
    • zimbra_external_email_warning_message - Attribute the message to be displayed for external emails.

For more information on how to setup the feature, please refer to Admin Guide section.

  • To promote better password security, a new feature has been introduced to restrict users from using their names in the password when changing or resetting it. The feature is controlled by a local config attribute allow_username_within_password. The default value is true. When set to false, users won't be allowed to specify their username in the password when changing or resetting it.

Web UX - Modern

  • If the Admin has disabled a new attribute for handling better password security allow_username_within_password, it will restrict users from not using their names when resetting or changing the password.
  • Zimlets now support all the languages which are supported by Modern Web App.
  • When hovering over the folder, additional information will be displayed:
    • For Mail folders - # of messages, # of unread, size.
    • For Trash - # of items, size.
    • For Calendar - # of appointment.
    • For Contacts - # of contacts.

Contacts

  • For a user, If the attribute zimbraFeatureAntispamEnabled is set to FALSE, then all the spam-related options will appear disabled.
  • If the Tasks feature is disabled for a user, it will not get displayed in the Calendar tab.

Mail

  • User-friendly error messages have been added for the following errors received from the server:
    • SEND_ABORTED_ADDRESS_FAILURE - "Could not send message due to invalid or blocked address(es)“
    • SEND_FAILURE - “Could not send message"

Web UX - Admin

  • In Admin Console, Department and Office field has been added for user accounts at Account -> Contact information. These fields are used when viewing the organizational structure of the user.
  • Administrator defined Sieve scripts can now be configured in the Admin Console on a per domain or CoS basis. Previously this was CLI only functionality.


Fixed Issues

Platform

  • In the previous patch, SameSite cookie support was added to enhance security and protect against increasingly commonplace Cross Site Request Forgery ("CSRF") attacks. The default value of the local config variable zimbra_same_site_cookie was set to Strict. For a few of our customers, under certain conditions, it caused pre-auth and webmail login failures. From this patch onwards, the default value of the local config variable zimbra_same_site_cookie has been set to None
    • For customers who want to use the SameSite cookie, the following is the guidance:
      • If using Pre-auth for logins or Zimbra proxy in both http, https or both modes, and the zimbraPublicServiceHostname attribute is not set, please set it by following the instructions:
        • Check the Zimbra Proxy mode. As a zimbra user, execute these commands:
          • For cos - zmprov gc cos_name zimbraReverseProxyMailMode
          • For server - zmprov gs server_name zimbraReverseProxyMailMode
        • Check if the Public Service hostname is set on global and domain levels:
          •  zmprov gcf cos_name zimbraPublicServiceHostname
          •  zmprov gd domain_name zimbraPublicServiceHostname
        • Set Public Service hostname. Zimbra recommends setting it on the global level:
          •  zmprov mcf zimbraPublicServiceHostname webmail_login_domain_name
      • After making the above changes, the local config variable zimbra_same_site_cookie may be reset first to Lax (for testing) and then to Strict to obtain the highest level of protection available.  As a zimbra user, you can run the following command
        • To set it to Lax:
          •  zmlocalconfig -e zimbra_same_site_cookie=Lax
        • To set it to Strict:
          •  zmlocalconfig -e zimbra_same_site_cookie=Strict 
        • Restart services:
          •  zmcontrol restart
  • Zimbra's DNS cache service now supports DNSSEC validation.
  • When generating CSR, the preview appeared blank. The issue has been fixed.
  • When the user shares the root level folder with another user and sets zimbraPrefSharedAddrBookAutoCompleteEnabled to TRUE, autocomplete request failed for sharee. The issue has been fixed.
  • Changes made to the zimbraAmavisOutboundDisclaimersOnly attribute did not take effect after restarting the MTA service. The issue has been fixed.
  • When the user enabled 2FA for his account, it was still possible to bypass it and list the Briefcase contents. The issue has been fixed.
  • If the user has added an external IMAP account and creates or edits a Draft, it was not getting synced to the external account. The issue has been fixed.
  • In a multi-node environment, a user has "sendAs" delegation rights of the user situated on another node, if he tries to send an XML file as an attachment, it gets corrupted. The issue has been fixed.
  • When using EWS, if the user had a Common Name (CN) and Display Name(DN) set, the CN was always used when sending a meeting request. The issue has been fixed. If DN and CN are set, then use DN will be used as the Organizer name. If DN is not set and CN is set, then CN will be used as Organizer's name.
  • If an account has multiple aliases, they were not getting displayed in autocomplete when composing a message. The issue has been fixed.
  • Corrected the description of zimbraFeatureMailForwardingInFiltersEnabled attribute from enable end-user mail forwarding to enable end-user mail redirecting.
  • The JDK version 13 contains a bug wherein under certain random conditions (depending on load/memory), the JVM may crash. The issue has been fixed by upgrading the JDK to version 17.

Web UX - Modern

  • Corrected folder name n the tooltip message when moving the message to the Spam folder.
  • If a customer has a shared folder in his Mail tab, sorting the emails was not working correctly. The issue has been fixed.
  • When copy pasting the email address from excel into the composer, the email address was not converted to the contact or email id. The issue has been fixed.
  • After forwarding a message, HTML code was displayed in the headers of the forwarded message. The issue has been fixed.
  • When composing a message in plain text mode, users were unable to add the signatures. The issue has been fixed.
  • Users could set mail forwarding to themselves by going to Settings > Accounts -> Access your mail anywhere. To correct the behavior, users are no more allowed to specify the same address as their logged in email address. An appropriate error message is displayed if the user tries to do that.
  • If the user has any shared email folder and performs a search, matching emails from the shared folder were not returned in the search results. The issue has been fixed.
  • When hovering over the :mailto link in the message, the link appeared duplicated. The issue has been fixed.
  • When composing a message, the tab is updated with the subject of the message. After reloading the Modern Web App, the tab appeared blank. The issue has been fixed.

Web UX - Classic

  • In the previous patch, the default search folder was set to the shared contact folder instead of the Inbox. The issue has been fixed.
  • Fixed a regression bug that prevented SAML SP initiated log out from working correctly.
  • In the Tasks tab, If the user sets Subject as a default sort, it was not maintained after visiting other tabs or reloading the UI. The issue has been fixed.
  • Corrected date format for the Portuguese language.

HSM

  • Now the doMailboxMove operation skips non-local accounts to avoid issues caused by running the command on the wrong server.
  • To make the new volume creation experience simpler for the admins, bucket creation has been split by the volume creation commands. Admins can now create a new bucket and then pass its UUID to the volume creation command.

NG Auth

  • Fixed a bug that made the mobile apps able to bypass the Zimbra Network 2FA.

NG Backup

  • To make the external restore operation more reliable and avoid errors, now the mailboxes quota is removed during the restore operation. The quota is set back once the operation completes successfully.
  • Fixed a bug that prevented the doItemSearch command to work properly. Now the command returns the results according to the given filters.

NG Mobile

  • ABQ API has been reworked to fix a bug that prevented the set command from working with devices not already present in the list.
  • A new abq_enabled_at_startup attribute has been added to the configuration to avoid the ABQ feature being loaded at the server startup if not used to save the server’s resources.

NG Modules

  • Firebase-token-renewer-service has been completely removed.
  • Fixed a bug that prevented the right-click from working properly on contacts and calendars folders using Internet Explorer 11 when com_zextras_client zimlet is enabled.

Zimbra Connect

  • Fixed a bug that caused a room to disappear when moved between the servers.
  • Now using the internal mode, the resources are kept after the user close the call. The result is that the tab keep the red-dot on the browser’s tab
  • Fixed the issue - if user manually opens the minichat, it works, but if the setting is set to automatically open the minichat for each message, it’s not working automatically.

Zimbra Docs

  • In Modern Web App, now the users will always be navigated back to the Drive tab on closing a Docs document.


Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation section to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


Patch Installation

Please refer to the steps below to install 9.0.0 Patch 25 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
  • Only files or Zimlets associated with installed packages will be installed from the patch.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
  • Important! Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in its order.

9.0.0 Patch 25 Packages

The package lineup for this release is:

PackageName Version

zimbra-patch                               ->     9.0.0.1655472168.p25-2
zimbra-proxy-patch                         ->     9.0.0.1655472168.p25-1
zimbra-proxy-components                    ->     1.0.10-1zimbra8.8b1
zimbra-mta-patch                           ->     9.0.0.1655472168.p25-1
zimbra-mta-components                      ->     1.0.15-1zimbra8.8b1
zimbra-common-core-jar                     ->     9.0.0.1655457955-1
zimbra-ldap-patch                          ->     9.0.0.1655472168.p25-1
zimbra-nginx                               ->     1.20.0-1zimbra8.8b3
zimbra-httpd  				   ->     2.4.53-1zimbra8.7b3
zimbra-spell-components                    ->     2.0.8-1zimbra8.8b1
zimbra-apache-components 		   ->     2.0.7-1zimbra8.8b1
zimbra-lmdb-lib                            ->     2.4.59-1zimbra8.8b5
zimbra-lmdb-dbg                            ->     2.4.59-1zimbra8.8b5
zimbra-lmdb                                ->     2.4.59-1zimbra8.8b5
zimbra-openldap-lib		           ->	  2.4.59-1zimbra8.8b5
zimbra-openldap-client		           ->	  2.4.59-1zimbra8.8b5
zimbra-openldap-server                     ->     2.4.59-1zimbra8.8b4
zimbra-openjdk-cacerts			   ->	  1.0.8-1zimbra8.7b1
zimbra-openjdk			   	   ->	  17.0.2-1zimbra8.8b1
zimbra-ldap-components                     ->     2.0.6-1zimbra8.8b1
zimbra-core-components                     ->     3.0.12-1zimbra8.8b1
zimbra-clamav                              ->	  0.103.3-1zimbra8.8b3
zimbra-clamav-libs                         ->     0.103.3-1zimbra8.8b3
zimbra-openssl                             ->     1.1.1n-1zimbra8.7b4
zimbra-openssl-libs                        ->     1.1.1n-1zimbra8.7b4
zimbra-postfix-logwatch                    ->     1.40.03-1zimbra8.7b1
zimbra-timezone-data                       ->     3.0.0.1646993320-1
zimbra-mbox-store-libs                     ->     9.0.0.1654854341-1
zimbra-mbox-war                            ->     9.0.0.1655457955-1
zimbra-mbox-webclient-war                  ->     9.0.0.1654769864-1
zimbra-mbox-admin-console-war              ->     9.0.0.1653031579-1
zimbra-common-mbox-conf-attrs              ->     9.0.0.1652767366-1
zimbra-common-core-libs                    ->     9.0.0.1654854341-1
zimbra-mbox-ews-service     		   ->     9.0.0.1654977318-1
zimbra-zco                                 ->     9.0.0.1919.1647347914-1
zimbra-php                                 ->     7.4.27-1zimbra8.7b3
zimbra-modern-ui                           ->     4.25.0.1653056413-1
zimbra-modern-zimlets                      ->     4.25.0.1653056413-1
zimbra-network-modules-ng                  ->     7.0.25.1652960112-1
zimbra-drive-ng                            ->     4.0.13.1637855796-1
zimbra-drive-modern                        ->     1.0.13.1637855796-1
zimbra-connect                             ->     2.0.21.1635424388-1
zimbra-connect-modern                      ->     1.0.21.1635424388-1
zimbra-docs                                ->     4.0.6.1616090633-1
zimbra-docs-modern                         ->     1.0.6.1632998065-1
zimbra-chat                                ->     4.0.2.1654677981-1
zimbra-zimlet-auth                         ->     1.0.4.1652971904-1
zimbra-zimlet-install-pwa                  ->     6.1.1.1652766350-1
zimbra-zimlet-emptysubject		   ->     2.1.1.1652766350-1
zimbra-zimlet-set-default-client           ->     8.1.1.1652766350-1
zimbra-zimlet-document-editor              ->     6.0.1.1631795284-1
zimbra-zimlet-date                         ->     6.1.1.1652766350-1
zimbra-zimlet-additional-signature-setting ->     6.1.1.1652766350-1
zimbra-zimlet-calendar-subscription        ->     6.2.0.1652766350-1
zimbra-zimlet-sideloader                   ->     7.1.1.1652766350-1
zimbra-zimlet-briefcase-edit-lool          ->     2.2.1.1652766350-1
zimbra-zimlet-org-chart                    ->     2.1.1.1652766350-1
zimbra-zimlet-zulip-chat                   ->     7.0.2.1641892590-1
zimbra-zimlet-ads                          ->     8.2.1.1652766350-1
zimbra-zimlet-user-sessions-management	   ->	  8.1.1.1652766350-1
zimbra-zimlet-user-feedback                ->     6.1.1.1652766350-1
zimbra-zimlet-privacy-protector            ->     4.1.1.1652766350-1
zimbra-zimlet-duplicate-contacts           ->     5.1.1.1652766350-1
zimbra-zimlet-secure-mail		   ->	  1.2.1.1652766350-1
zimbra-zimlet-web-search		   ->	  4.1.1.1652766350-1
zimbra-zimlet-restore-contacts             ->     6.1.1.1652766350-1
zimbra-zimlet-zoom                         ->     7.0.0.1621610655-1
zimbra-zimlet-slack                        ->     5.5.0.1621610655-1
zimbra-zimlet-dropbox                      ->     6.0.0.1621610655-1
zimbra-zimlet-onedrive                     ->     6.0.0.1621610655-1
zimbra-zimlet-google-drive                 ->     6.0.0.1621610655-1
zimbra-zimlet-jitsi                        ->     3.3.1.1621610655-1
zimbra-zimlet-video-call-preferences       ->     2.1.0.1621610655-1
zimbra-zimlet-nextcloud                    ->     1.0.7.1641799022-1
zimbra-zimlet-webex	                   ->     1.0.1.1629957793-1
zimbra-zimlet-voice-message                ->     1.0.3.1611114827-1
zimbra-zimlet-classic-unsupportedbrowser   ->     3.1.1.1652766350-1
zimbra-zimlet-email-templates              ->     2.0.0.1630308426-1
zimbra-zimlet-signature-template           ->     1.0.0.1609841753-1

Redhat

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees there is a new zimbra-patch package in the patch repository:
yum clean metadata
yum check-update
  • On mailstore node, install the following packages:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then ask yum to update available packages:
yum update
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
yum install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

yum install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
yum install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
yum install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, install the package:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
yum install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
yum install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
yum install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages

Uninstall zimbra-talk on mailstore node

In case of upgrade from version 8.8.15, uninstall zimbra-talk from mailstore node since it replaces with zimbra-connect. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
yum remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs and zimbra-drive-ng on mailstore node

yum install zimbra-network-modules-ng
yum install zimbra-connect
yum install zimbra-zimlet-auth
yum install zimbra-docs
yum install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Zimbra Additional Zimlets

Note: - You can install the packages of your choice from the below list.

Install/Upgrade zimbra-zimlet-slack, zimbra-zimlet-zoom, zimbra-zimlet-dropbox, zimbra-zimlet-google-drive, zimbra-zimlet-onedrive, zimbra-zimlet-jitsi, zimbra-zimlet-video-call-preferences, zimbra-zimlet-nextcloud, zimbra-zimlet-voice-message, zimbra-zimlet-sideloader, zimbra-zimlet-user-sessions-management on mailstore node

yum install zimbra-zimlet-slack
yum install zimbra-zimlet-zoom
yum install zimbra-zimlet-dropbox
yum install zimbra-zimlet-google-drive
yum install zimbra-zimlet-onedrive
yum install zimbra-zimlet-jitsi
yum install zimbra-zimlet-video-call-preferences
yum install zimbra-zimlet-nextcloud
yum install zimbra-zimlet-voice-message
yum install zimbra-zimlet-sideloader
yum install zimbra-zimlet-user-sessions-management
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Ubuntu

Installing zimbra packages with system package upgrades

  • As root, check for updates so the server checks there is a new zimbra-patch package in the patch repository:
apt-get update
  • On mailstore node, install the following packages:
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then update available packages:
apt-get upgrade
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing zimbra packages individually

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
apt-get install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install package
apt-get install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

apt-get install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, install package
apt-get install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
apt-get install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install package
apt-get install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, check for updates and install package:
apt-get update
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
apt-get install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
apt-get install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
apt-get install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages

Uninstall zimbra-talk on mailstore node

In case of upgrade from version 8.8.15, uninstall zimbra-talk from mailstore node since it replaces with zimbra-connect. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
apt-get remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs, zimbra-drive-ng on mailstore node

  • As root, check for updates and install packages:
apt-get update
apt-get install zimbra-network-modules-ng
apt-get install zimbra-connect
apt-get install zimbra-zimlet-auth
apt-get install zimbra-docs
apt-get install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart


Zimbra Additional Zimlets

Note: - You can install the packages of your choice from the below list.

Install/Upgrade zimbra-zimlet-slack, zimbra-zimlet-zoom, zimbra-zimlet-dropbox, zimbra-zimlet-google-drive, zimbra-zimlet-onedrive, zimbra-zimlet-jitsi, zimbra-zimlet-video-call-preferences, zimbra-zimlet-nextcloud, zimbra-zimlet-voice-message, zimbra-zimlet-sideloader, zimbra-zimlet-user-sessions-management on mailstore node

apt-get install zimbra-zimlet-slack
apt-get install zimbra-zimlet-zoom
apt-get install zimbra-zimlet-dropbox
apt-get install zimbra-zimlet-google-drive
apt-get install zimbra-zimlet-onedrive
apt-get install zimbra-zimlet-jitsi
apt-get install zimbra-zimlet-video-call-preferences
apt-get install zimbra-zimlet-nextcloud
apt-get install zimbra-zimlet-voice-message
apt-get install zimbra-zimlet-sideloader
apt-get install zimbra-zimlet-user-sessions-management
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Upgraded 3rd Party Packages

  • OpenSSL and Postfix TLS 1.3 Packages

The packages for RHEL7, UBUNTU16, UBUNTU18 are:

Package Name      Version
zimbra-openssl : 1.1.1n-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b2
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.49-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav :  0.103.3-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b2
zimbra-perl-net-http : 6.09-1zimbra8.7b3
zimbra-perl-libwww : 6.13-1zimbra8.7b3
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b3
zimbra-perl-xml-parser : 2.44-1zimbra8.7b3
zimbra-perl-soap-lite : 1.19-1zimbra8.7b3
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b3
zimbra-perl-xml-simple : 2.25-1zimbra8.7b2
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b3
zimbra-httpd : 2.4.53-1zimbra8.7b3
zimbra-php : 7.4.27-1zimbra8.7b3
zimbra-aspell-ca : 2.1.5.1-1zimbra8.8b1
zimbra-postfix-logwatch : 1.40.03-1zimbra8.7b1
zimbra-perl : 1.0.5-1zimbra8.7b1
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.7-1zimbra8.8b1
zimbra-spell-components : 2.0.8-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components :  3.0.12-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 2.0.6-1zimbra8.8b1
  • OpenSSL and Postfix TLS 1.3 Packages

The GA packages for RHEL8 and UBUNTU20 are:

Package Name      Version
zimbra-openssl : 1.1.1n-1zimbra8.7b4
zimbra-postfix : 3.6.1-1zimbra8.7b3
zimbra-nginx : 1.20.0-1zimbra8.8b2
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b3
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.49-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav :  0.103.3-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b3
zimbra-perl-net-http : 6.09-1zimbra8.7b4
zimbra-perl-libwww : 6.13-1zimbra8.7b4
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b4
zimbra-perl-xml-parser : 2.44-1zimbra8.7b4
zimbra-perl-soap-lite : 1.19-1zimbra8.7b4
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b4
zimbra-perl-xml-simple : 2.25-1zimbra8.7b3
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b4
zimbra-httpd : 2.4.53-1zimbra8.7b3
zimbra-php : 7.4.27-1zimbra8.7b3
zimbra-perl : 1.0.6-1zimbra8.7b1
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.7-1zimbra8.8b1
zimbra-spell-components : 2.0.9-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.14-1zimbra8.8b1
zimbra-core-components :  3.0.12-1zimbra8.8b1
zimbra-proxy-components : 1.0.9-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 2.0.6-1zimbra8.8b1
zimbra-mbox-store-libs : 9.0.0.1647230016-1

The updated GA packages are:

Package            Old-Version    New-Version
postfix              3.5.6          3.6.1
openssl              1.1.1l         1.1.1n
openldap             2.4.49         2.4.59
nginx                1.19.0         1.20.0
postfix-logwatch     1.40.01        1.40.03
io-socket-ssl	     2.020          2.068
xml-simple           2.20           2.25
crypt-openssl-rsa    0.28           0.31
net-snmp             5.7.3          5.8
dbd-mysql            4.033          4.050
apr-util             1.5.4          1.6.1
unbound              1.5.9          1.11.0
net-ssleay           1.72           1.88
PHP                  7.3.25         7.4.27
httpd                2.4.51         2.4.53
  • Nginx TLS 1.3 Packages

The GA packages for RHEL7, RHEL8, UBUNTU16, UBUNTU18, UBUNTU20 are:

PackageName                                       Version
zimbra-nginx                               ->     1.20.0-1zimbra8.8b2
zimbra-proxy-patch                         ->     9.0.0.1655472168.p25-1
zimbra-proxy-components                    ->     1.0.9-1zimbra8.8b1

Jira Summary

Jira Tickets fixed in 9.0.0 Patch 25

ZCS-11416 Move room fixed
ZCS-11415 Red dot of camera is kept after meetings on internal mode
ZCS-11414 Minichat are not opening on Suite
ZCS-11412 Firebase-token-renewer-service has been completely removed
ZCS-11411 Mailbox move skips non-local accounts
ZCS-11410 Splitted volumes and buckets creation
ZCS-11409 ABQ set commands fixed
ZCS-11408 ABQ disabled at startup
ZCS-11407 Right-click on contact and calendar folders fixed for IE11
ZCS-11405 External restore operation quota override
ZCS-11404 doItemSearch command fixed
ZCS-11403 Zimbra Network 2FA honoured by mobile apps
ZCS-11349 Toggle off direct searches for autocomplete and galsync against Zimbra LDAP
ZCS-11344 Set the default value zimbra_same_site_cookie to Empty
ZCS-11116 Update Java JRE Version
ZCS-11096 Implementation - milter to add a warning message when a email came from outside our organisation
ZCS-11040 Zextras NG Docs | Back to Drive folder on closing a document
ZCS-10969 Add "Department" field in org chart
ZCS-10678 Server Side work to Force users not to use username in the password
ZCS-1426 Support for new sieve features on zimbra's browser clients and admin console
ZBUG-2807 Attacker got access to user's email.
ZBUG-2772 [Security] Vulnerability in Unrar leading to Pre-Auth RCE in Zimbra
ZBUG-2762 In Webclient the search bar is set to search in a shared contact folder instead of a inbox folder
ZBUG-2738 Create a hash of the key in Nginx instead of raw value
ZBUG-2734 webmail login not work when proxy set to accept both http and https request.
ZBUG-2732 View mail admin feature no longer working in latest patch ZCS 9 P24
ZBUG-2723 dnscache service does not support DNSSEC validation
ZBUG-2720 Spam folder called "Junk" in toast message
ZBUG-2718 Sorting issue - 01309590
ZBUG-2713 Zimbra OpenSSL needs to update to 1.1.1n for CVE-2022-0778
ZBUG-2701 Modern UI - Paste address list from xls or txt file in the mail composer in to field not working in modern theme.
ZBUG-2681 Html, body { overflow:visible; height:auto.... is visible when forwarding a mail and without adding text in Modern UI
ZBUG-2679 Signature is not added in plain text mode composed mail
ZBUG-2666 No information for CSR review operation from ZimbraWebAdmin
ZBUG-2633 DoS Zimbra is vulnerable to CVE-2021-28165- Jetty pins when large TLS packet is sent
ZBUG-2627 (JDK-8228811) JVM/mailboxd can crash endlessly with JDK 13.0.1
ZBUG-2588 Autocomplete bug with "/" shares
ZBUG-2583 mina-core-2.0.4.jar is vulnerable; CVE-2019-0231, CVE-2019-0231
ZBUG-2578 CVE-2021-45105
ZBUG-2571 "RCE 0-day exploit vulnerability found in log4j "
ZBUG-2569 Attribute zimbraAmavisOutboundDisclaimersOnly does not work after restarting MTA service
ZBUG-2542 Users can set forwarding to their own account
ZBUG-2477 Upgrade ClamAV to latest version 0.103.3
ZBUG-2426 SAML SP-initiated logout does not work - zimbraWebClientLogoutURL (9.0.0)
ZBUG-2390 Briefcase content accessible without 2FA
ZBUG-2361 Modified Draft not synced to external imap account
ZBUG-2322 Task not getting sorted
ZBUG-2246 shared folder content cannot be searched using All mail search
ZBUG-2233 SA Version 3.4.5 issues
ZBUG-2207 Update Java JRE Version
ZBUG-2119 Xml attachment truncated if sent from account with "sendAs" delegation
ZBUG-2056 Mail to link not rendering properly in modern UI
ZBUG-1975 Portuguese, Date format showing wrong
ZBUG-1860 Wrong encoding of organizer with ios mail client
ZBUG-1838 Auto complete displaying single email address from matching account
ZBUG-1755 Modern UI: The tab label of the message composing page is empty after reloading entire Modern UI
ZBUG-1455 zimbraFeatureMailForwardingInFiltersEnabled, Attribute funtionality is wrong
ZBUG-1335 log4j-1.2.16.jar is vulnerable reported in CVE-2019-17571
ZBUG-2838 Log4j packages are not being updated to V2 for ldap servers in some instances
ZBUG-2837 zmconfigd failing on ldap node after updating to the latest patch
ZBUG-2835 /var/log/syslog filling after applying the patch 8.8.15 patch 32
ZBUG-2834 No INFO logs while redeploying the Zimlets after updated the ZCS v9.0.0 P25.
ZBUG-2831 SMTP authentication failure with 2FA application passcode
PREAPPS-6698 Modern UI - Users should not be allowed to use username in the password
PREAPPS-6651 All Zimlets should support languages that are supported by ModernUI
PREAPPS-6639 Display folder info on hover
PREAPPS-6617 Hide all spam related options when the spam feature is disabled
PREAPPS-6616 Hide task list from calendar when the task feature is disabled
PREAPPS-5342 User friendly error messages for 503 code
Jump to: navigation, search