Zimbra Releases/10.0.5

Zimbra Collaboration Daffodil 10.0.5 Patch Release

Release Date: October 19, 2023

Check out the Security Fixes, What's New, Fixed Issues, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

IMPORTANT: Instructions to update Zimbra's onlyoffice repository for installing zimbra-onlyoffice package.

Please note that there is no change in the onlyoffice package. Add Zimbra's onlyoffice repository to the server before Zimbra Daffodil v10 installation/upgrade. These repos will be included by default in upcoming Zimbra Daffodil version.


You must add your local repository to your RHEL/CentOS Configuration :



$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
name=Zimbra Onlyoffice RPM Repository


$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
name=Zimbra Onlyoffice RPM Repository
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins



$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra


$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
apt-get update

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that, TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with strong TLS configuration for increased security. Please follow instructions in Cipher-suites-wiki to set correct ciphers as per current versions of openssl, nginx and postfix.
  • From this patch going forward Zimbra OpenSSL will be configured to work with FIPS compliance enabled by default. You do not need to take any action, unless you run into issues, you can switch to the non-FIPS provider as follows:
  • Run the below commands to Enable/Disable FIPS providers on all servers.

Disable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-source.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-source.cnf openssl.cnf
Verify that, FIPS provider is disabled: Run below command and verify fips provider is not listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Enable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-fips.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-fips.cnf openssl.cnf
Verify that, FIPS provider is enabled: Run below command and verify fips provider is listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Deprecation of Zimbra Server on Ubuntu 18.04

Ubuntu 18.04 End of life occurred on May 31, 2023. Zimbra will deprecate Daffodil (v10) support for Ubuntu 18.04 as of November 30, 2023. At this date, there will no longer be any patch release for Zimbra Daffofil (v10) on Ubuntu 18.04 operating system. We encourage all our new customer's to use Ubuntu 20.04 for all their new installations.

After November 30, 2023, Zimbra Support will provide best-effort support for the last patch release on the Ubuntu 18.04 operating system. However, any known or existing bugs will not be addressed and Zimbra Support encourages all customers to follow our recommended upgrade path to a supported OS version at your earliest convenience to ensure no interruption in your support services.

We will be soon providing support for Ubuntu 22.04 operating system on the upcoming Daffodil version.

For questions or guidance with upgrading your operating system please open a support case and our Support team is here to assist you.

Security Fixes

Summary CVE-ID CVSS Score
A security related issue has been fixed to prevent javascript injection through help files. CVE-2007-1280 TBD
A security related issue has been fixed which impacted one of the third party libraries being used in Admin User Inferface. CVE-2020-7746 High
An XSS vulnerability was observed when a PDF containing malicious Javascript code was uploaded in Briefcase. CVE-2023-45207 TBD
Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now be access help documentation at the URL - https://www.zimbra.com/documentation/. CVE-2023-45206 TBD

Migration Support for Daffodil v10

This patch release provides migration support to enable the customers running 8.8.15 or 9.0.0 version with NG modules, to migrate to Daffodil v10:

Key Highlights:

  • Single Node or Multi Node: Whether your setup is a Single Node or Multi Node configuration, the Migration Support covers both types of setups.
  • NG HSM Migration:
    • Provides support to migrate the setups using NG HSM - Internal and External volumes.
    • Supports migrating the following External S3 providers - Amazon S3, Ceph, EMC, NetApp StorageGrid, Scality.
    • For setups using S3 providers, with or without Centralized Storage, the migration supports a blobless migration process.


  • The documentation covers both Single-Node and Multi-Node migration scenarios. Please refer to the Migration Resources section at https://www.zimbra.com/product/documentation/.
  • We recommend that you carefully review the migration documentation, plan your migration schedule, and engage with our support team if you encounter any challenges during the process.

Zimbra Connect/Chat:

  • Please note that the migration support for NG Connect / Chat modules is not included in this release. Please contact our Sales or Support team for more guidance on this.

For any further queries, please reach out to our support team. 

What's New

Zimbra Web Client (ZWC)

  • A security related issue has been fixed to prevent account takeover by stealing user cookies.

Fixed Issues

Zimbra Collaboration

  • When installing Zimrba, the following OS packages will get installed as Zimbra dependencies - rsyslog, net-tools, libcap2-bin. ZBUG-2931
  • A new local config attribute zimbra_enable_dnssec has been added to control the DNSSEC validation feature. The default value is true. If set to false, the DNSSEC validation will be disabled. ZBUG-2929
  • With this patch release onwards, support for Unified Storage has been added for the Storage Management feature. Unified Storage allows better data management by storing the data from multiple mailbox servers under the same directory structure in a single S3 bucket. Please refer to admin guide for more details.

Classic Web App

  • Appointments were displayed an hour earlier in the calendar when the timezone was set to some of the CST timezone like Guadalajara. ZBUG-3414
  • America/Mexico_City events were scheduled one hour before the time those events are supposed to happen, when the events were sent from non-zimbra external calendar services. ZBUG-3395
  • Hyperlink on images in emails did not work when using "Conversation View" ZBUG-3322
  • In the Classic UI webmail when used with the Chrome browser, the print preview and actual print would appear on the next page following the email details. ZBUG-3198

Admin Web Console

  • On every refresh, the queue length value in the admin console was added, which resulted in impacting the performance. ZBUG-1571

Modern Web App


  • Modern Web App did not display the "Show Original" option in right-click context menu. ZBUG-3442
  • The read/unread flag was incorrectly displayed in the right click context menu. ZBUG-3436
  • Full day events were displayed as spanning multiple days when the event involved change of Day Light Savings e.g. last Sunday of March/October in Germany. ZBUG-3422
  • Sharing calendar using 'Modern UI' with the permission 'view free/busy times only' ended up sharing calendar with 'view' permission. ZBUG-3345

Zimbra Connector for Outlook

  • When setting up ZCO for the first time, if no password is specified, an empty Outlook profile is created. When Outlook is opened again, the user just needs to provide his password to proceed. Earlier, the user had to specify the server and username again. ZBUG-3472
  • For a shared contact folder, modification done to the "Display As" field through Web Client will be reflected in ZCO. ZBUG-1421

Things to Know Before Upgrading

Important Upgrade Instructions for Daffodil v10 version older than build 10.0.0_GA_4452

If you are currently using the Beta version build of Daffodil v10 (10.0.0_GA_4452), please follow these upgrade instructions:

  • Upgrade to the latest GA Version build 10.0.0_GA_4518: It is crucial to first upgrade to the latest GA version before proceeding with any further updates. This latest GA release includes essential updates, including modifications to the database schema and various other feature improvements.
  • Upgrade to 10.0.5 Patch: Once you have successfully upgraded to the latest GA version build 10.0.0_GA_4518, you can proceed with the upgrade to the 10.0.5 patch. This patch release addresses specific issues and introduces further enhancements.

By following this upgrade path, you ensure that your system is properly updated, incorporating the necessary database schema changes and other critical updates introduced in the latest GA build.

Please review the following information to decide if Zimbra Daffodil (v10) is suitable for you.

  • Zimbra Touch Client, Zimbra Mobile Client, and Zimbra HTML (Standard) Client are no longer a part of Zimbra starting from Version 9.0.0.
  • A Zimbra Network Edition license is required to use Zimbra Daffodil (v10).
  • The customizations implemented for SAML and SPNEGO will be overridden during an upgrade. It is recommended to backup these configurations before upgrading the server.
  • In case of rolling upgrades, if some mailstore nodes are upgraded to zimbra-10 and some mailstore nodes are on Zimbra 9.0.x or Zimbra 8.8.15 then, zimbraReverseProxyUpstreamLoginServers should only contain the list of Zimbra 10.0.0 mailboxes. If this is not followed then in some cases, users on zimbra-10 mailstore nodes will not be able to see Modern Web App after login.
  • Zimbra (v10) continues to support two versions of Zimbra Web Client -- Modern and Classic.
    • To know more about the highlights of the Modern Web App, please refer to Introducing the Modern Web Application
    • The Classic Web App offers the same functionality as the Advanced Web Client in Zimbra version 8.8.15.
    • Existing customized themes, logo branding changes, and crontab changes are incompatible with, and hence do not reflect in the Modern Web App. Branding needs to be re-configured to work with the Modern Web App. The Modern Web App does not currently support themes. Please refer to the Customizing Modern Web App section of Admin Guide for more information related to configuration.
    • Zimlets are supported on both the Web Clients.
    • Zimlets that work with the Classic Web App are incompatible with the Modern Web App. And due to technology changes, there is no way to migrate the Zimlets from the Classic Web App to the Modern Web App or vice-versa.
  • For Non-NG setups, recommendations when using mailbox move (through zmmboxmove utility) on Rolling-Upgrade environment:
    • Always take full backup *before* doing zmmboxmove.
    • If using Storage Management with primary and secondary storage as Internal, then set zimbraMailboxMoveSkipBlobs and zimbraMailboxMoveSkipHsmBlobs attributes to FALSE before doing zmmboxmove.
    • Always recommended to run HSM and move blobs to current primary/secondary volumes in case of multiple primary/secondary volumes present in the system before doing zmmboxmove.
    • zmmboxmove command should be run from Zimbra (v10) mailbox server.

After you review the tasks in this section, please go to Upgrade Instructions.

Known Issues

Zimbra Collaboration

  • On a NG based rolling-upgrade setup, when either sharer or sharee is not moved to zimbra-10 server and the drive data is imported through the NG Migration utility, the drive files sharing information is not available. Hence, the shared files are not available after the import.

Workaround - Before importing the Drive data for the users, move the sharee and sharer from NG server to zimbra-10 server.

  • When upgrading to Zimbra 10 using the rolling upgrade mechanism, if a user on Zimbra 10 shares a Briefcase file with a user on Zimbra 9, then while UI will display a 'Permission denied' error to the user on Zimbra 10, the user on Zimbra 9 still ends up receiving an email that the file has been shared. Even though the mail is received by the Zimbra 9 user, they will not be able to access the file, as the file sharing feature is not available in Zimbra 9.
  • During Rolling Upgrade to Zimbra 10, a user on Zimbra 9 may share a Briefcase folder with a Zimbra 10 user. However, since files were not shared with Zimbra 10 user, the files within the shared folder are not accessible to the Zimbra 10 users.
  • During Rolling Upgrade to Zimbra 10 from Zimbra 9/8.x having NG modules installed, when a Zimbra 9/8.x user creates new files from Briefcase, it results in a error "TypeError: g is null".
  • During Rolling Upgrade to Zimbra 10, a user on Zimbra 10 may share a file with a Zimbra 9 user. However, Zimbra 9 user will not be able to access the file from the shared URL.
  • Zimbra inheritance is followed when setting LDAP attributes. When using Backup & Restore->Message recovery settings from Admin UI, if the value of zimbraDumpsterEnabled attribute is FALSE at COS level and TRUE at Domain level, then the value at COS level will be considered. So the issue here is- adding Domains in the message recovery settings will have no impact on message recovery if the COS level attribute is set to its default value FALSE.
  • Backup and Restore - When mail-store server is restored after moving some of its accounts to another mail store, then old mail data like blobs, metadata, etc. of the accounts which have been moved to another mail store, will also get restored. The workaround is to - execute the restore with --ignoreRedoErrors OR with -rf options like zmrestore -a all --ignoreRedoErrors.
  • When user clicks on a file in Briefcase, a preview is displayed for the supported file formats. User can also edit these files in a separate window. The changes take a long time to be reflected in the preview, and sometimes user might need to click on the file multiple times to view the changes.
  • When editing documents from Briefcase, the documents are opened in a separate browser window in which users can edit the document. However, the updated contents are not reflected in the Briefcase file, unless the separate browser window is not closed by the user.
  • User is not able to search files in the "Files shared with me" folder, within Briefcase.
  • Re-sending a file share for a Briefcase document throws the error, "A network service error has occurred".

Admin Web Console

  • In Admin UI, if two users are assigned the Administrator privilege followed by "Assign default domain administrator views and rights", there is an error displayed for the second user, and the request is not completed. This happens due to a caching issue, and flushing the cache of the mail-store resolves this issue.

Mobile Sync

  • On iOS Native App, if the Mail, Calendar, and Contacts folders are shared with the user, the shares are not displayed on the App.Similarly, for Windows Outlook and Windows Native Contacts App, if the Contacts folder is shared with the user, the shares are not displayed on the App.

Workaround - The user will have to reconfigure his account on the device to get the shares mounted on the device.

  • Exchange ActiveSync protocol currently does not support Read-Only permission sharing. It is recommended not to enable Sharing for the users having shares with Read-Only permission.
  • In a Rolling-upgrade environment, if a zimbra-9 user shares a calendar with zimbra-10 user, the events are not synced.

Workaround - For the Rolling-Upgrade environment involving the NG mailbox server, due to technical differences between the NG Mobile feature and Zimbra (v10) Mobile Sync feature, it is recommended to use Sharing feature after moving all the accounts to zimbra-10 mailbox server.

  • For Windows Mail App, the Sent folder emails are not displayed after blocking and unblocking the user.

Workaround - The user can remove and reconfigure the account on the app.

  • When using iOS Outlook App, Out of Office settings are not synced to the user's account in Web App.
  • When the organizer and attendee use the Outlook app, if the organizer cancels an instance from a recurring meeting, the same is not reflected on the attendee's calendar.

Backup Restore

  • When using backup and restore to move data from source 9.x NG server to destination 10.x server, if both the source and destination, primary volumes are 'External', and zimbraBackupSkipBlobs is set to True, then emails moved secondary volume throw 'Missing Blob for item' error.
  • When an account is restored using backup data from NG external secondary volume, the account is displaying garbled data for emails on the destination server.
  • When we schedule backup using zmschedulebackup command, backup is getting scheduled in crontab and LDAP attributes are updated with appropriate values.


  • On the NG server, if you are using OpenIO as an external volume to store your Primary/Secondary data and do an in-place upgrade to Patch 10.0.5, then the emails present on the OpenIO store appear garbled. Currently, no workaround is available for this issue and our engineering team is working on it.


The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                      -> 
zimbra-mta-patch                                  -> 
zimbra-proxy-patch                                -> 
zimbra-ldap-patch                                 -> 
zimbra-os-requirements                            ->  1.0.3-1zimbra8.7b1 
zimbra-core-components                            ->  4.0.1-1zimbra10.0b1 
zimbra-ldap-components                            ->  3.0.1-1zimbra10.0b1 
zimbra-common-core-jar                            -> 
zimbra-timezone-data                              -> 
zimbra-mbox-admin-console-war                     -> 
zimbra-mbox-webclient-war                         -> 
zimbra-modules-porter                             ->
zimbra-restore-ngbackup                           -> 
zimbra-onlyoffice                                 ->  1.0.1693479465-1 
zimbra-help                                       -> 
zimbra-zco                                        -> 
zimbra-modern-ui                                  -> 
zimbra-modern-zimlets                             ->

Patch Installation

Please refer to below link to install 10.0.5 patch :

Patch Installation

Jump to: navigation, search