Zimbra Releases/10.0.6

Zimbra Collaboration Daffodil 10.0.6 Patch Release

Release Date: December 18, 2023

Check out the Security Fixes, What's New, Fixed Issues, Things to Know Before Upgrading and Known Issues sections for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

Blank email issue on ZCO

After recent Microsoft updates (Version 2310, 2311), customers reported an intermittent issue that when sending a message from ZCO, it is delivered as a blank message to the recipient. The issue is not consistently reproducible and there are no definite steps to reproduce it. There have been no changes in the ZCO product that caused the issue, as we found this issue is not seen on Outlook versions not having the latest Microsoft patch. Our engineering team has also submitted a post on Microsoft forums asking for their immediate attention. We are also analyzing the issue and trying to find a root cause and feasible solution for the ZCO product. We will update as soon as we have an ETA on the fix.

For the customers facing the issue, the workaround is to downgrade their Outlook to the previous version.


Update: The issue has been fixed, and you can download the latest ZCO package at https://www.zimbra.com/product/addons/zimbra-connector-for-outlook-download/.

For customers who have installed the previous ZCO package 1938, please upgrade to the latest one on the mailstore node using the following commands:


Update: The issue for non-english locale has been fixed, and you can download the latest ZCO package at https://www.zimbra.com/product/addons/zimbra-connector-for-outlook-download/.

For customers who have installed the previous ZCO package 1938 or 1939, please upgrade to the latest one on the mailstore node using the following commands:

For Ubuntu:

apt-get update
apt-get install zimbra-zco


For RHEL/Centos/Rocky Linux:

yum clean metadata
yum check-update
yum install zimbra-zco

Zimbra Desktop installation issue on Intel-based Mac OS

The latest version of Zimbra Desktop application is currently not supported on Intel-based Mac OS and users may encounter an error upon attempting to launch it. The application functions as expected on Mac OS with the Apple M1 chip. Our team has identified the root cause and is actively working on a solution to extend support to Intel-based Mac OS systems. Updates will be provided once a solution is available. In the interim, the official recommendation for users having Intel-based Mac OS is to continue using the older version of Zimbra Desktop, or use the web client which remains accessible for all users.

Updates: The issue has been fixed and the latest Zimbra Desktop build for Mac can be downloaded from https://www.zimbra.com/zimbra-desktop-download/

NOTICE: OpenJDK cacert Package Upgrade

Please follow the instructions:

Install zimbra-core-components before the patch upgrade on the mailstore node.
apt-get install zimbra-core-components (For Ubuntu)
yum install zimbra-core-components (For RHEL/Centos/Rocky Linux)

While deploying zimlets, if the following error is encountered

Enabling Zimlet zimbra-zimlet-secure-mail
ERROR: zclient.IO_ERROR (invoke PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server:  localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to  requested target)
*** zimbra-zimlet-secure-mail Installation Completed. ***
*** Restart the mailbox service as zimbra user. Run ***

then, redeploy zimlets that are throwing error in the patch upgrade

zmzimletctl -l deploy <zimlet.zip file name>

IMPORTANT: Instructions to update Zimbra's onlyoffice repository for installing zimbra-onlyoffice package.

Please note that there is no change in the onlyoffice package. Add Zimbra's onlyoffice repository to the server before Zimbra Daffodil v10 installation/upgrade. These repos will be included bydefault in upcoming Zimbra Daffodil version.

https://repo.zimbra.com/apt/onlyoffice
https://repo.zimbra.com/rpm/onlyoffice

You must add your local repository to your RHEL/CentOS Configuration :

Redhat

RHEL7

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel7
gpgcheck=1
enabled=1
EOF

RHEL8

$ cat > /etc/yum.repos.d/zimbra-onlyoffice.repo <<EOF
[zimbra-onlyoffice]
name=Zimbra Onlyoffice RPM Repository
baseurl=https://repo.zimbra.com/rpm/onlyoffice/rhel8
gpgcheck=1
enabled=1
EOF
rpm --import https://files.zimbra.com/downloads/security/public.key
yum --disablerepo=* --enablerepo=zimbra-onlyoffice clean metadata
yum check-update --disablerepo=* --enablerepo=zimbra-onlyoffice --noplugins


Ubuntu

UBUNTU18

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice bionic zimbra
EOF

UBUNTU20

$ cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/onlyoffice focal zimbra
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9BE6ED79
apt-get update

IMPORTANT: Zimbra OpenSSL with default FIPS Configuration

  • Please be advised that, TLS 1.2 is the minimum supported version if FIPS is being used with OpenSSL 3.0. We recommend using Zimbra with strong TLS configuration for increased security. Please follow instructions in Cipher-suites-wiki to set correct ciphers as per current versions of openssl, nginx and postfix.


  • From this patch going forward Zimbra OpenSSL will be configured to work with FIPS compliance enabled by default. You do not need to take any action, unless you run into issues, you can switch to the non-FIPS provider as follows:
  • Run below commands to Enable/Disable FIPS providers on all servers.

Disable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-source.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-source.cnf openssl.cnf
Verify that, FIPS provider is disabled: Run below command and verify fips provider is not listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Enable FIPS provider:

As root user run below commands
Take backup of openssl.cnf cd /opt/zimbra/common/etc/ssl cp openssl.cnf <backup-path>/openssl.cnf
Copy openssl-fips.cnf file cd /opt/zimbra/common/etc/ssl cp openssl-fips.cnf openssl.cnf
Verify that, FIPS provider is enabled: Run below command and verify fips provider is listed /opt/zimbra/common/bin/openssl list --providers
As zimbra user run below commands su - zimbra zmcontrol restart

Security Fixes

Summary CVE-ID CVSS Score
OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. [CVE-2023-21930 CVE-2022-21476 CVE-2022-21449 High
Fixed a vulnerability where an auth token was possible to be obtained. CVE-2023-48432 TBD
Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. TBD TBD
Modern UI was vulnerable to DOM-based Javascript injection. Security related issues have been fixed to prevent it. CVE-2023-50808 TBD


Migration Support for Daffodil v10

This patch release provides migration support to enable the customers running 8.8.15 or 9.0.0 version with NG modules, to migrate to Daffodil v10:

Key Highlights:

  • Single Node or Multi Node: Whether your setup is a Single Node or Multi Node configuration, the Migration Support covers both types of setups.
  • NG HSM Migration:
    • Provides support to migrate the setups using NG HSM - Internal and External volumes.
    • Supports migrating the following External S3 providers - Amazon S3, Ceph, EMC, NetApp StorageGrid, Scality.
    • For setups using S3 providers, with or without Centralized Storage, the migration supports a blobless migration process.

Documentation:

  • The documentation covers both Single-Node and Multi-Node migration scenarios. Please refer to the Migration Resources section at https://www.zimbra.com/product/documentation/.
  • We recommend that you carefully review the migration documentation, plan your migration schedule, and engage with our support team if you encounter any challenges during the process.

Zimbra Connect/Chat:

  • Please note that the migration support for NG Connect / Chat modules is not included in this release. Please contact our Sales or Support team for more guidance on this.

For any further queries, please reach out to our support team. 

What's New

Package Upgrade

  • The OpenJDK package has been upgraded from 17.0.2 to 17.0.8

Zimbra Collaboration

  • On an NG-based rolling-upgrade setup, when either sharer or sharee is not moved to the Zimbra-10 server and the drive data is imported through the NG Migration utility, the drive files sharing information was not available. The issue has been fixed and the shared files will now be available after the import.


Classic Web App

  • French translations have been updated in the Classic UI.

General

  • Distribution Lists are now available when choosing contacts in email via "Choose contacts" popup.
  • Users can select a mail and then select the newly added "Edit as new" option in Modern UI to create a new mail while retaining the recipients, subject and body of the mail.
  • A new Out Of Office configuration has been added in Modern UI. The users can use this option - "Send custom message to those not in my organization and address book", to send custom message to contacts who are not in user's organization and address book.
  • A separate "Trash" folder and context menu has been implemented for Calendar vertical in Modern UI.


Mail

  • Users who have the required permissions will be able expand a distribution list in Modern UI mail compose window.


Calendar

  • Users can now select the members of a distribution list as receivers when composing an email.


Zimbra Connector for Outlook

  • HTML signature with image created from ZCO is now synced to the Zimbra Web App.


Fixed Issues

Zimbra Collaboration

  • On a setup with a large number of accounts (in millions), an LDAP query executed for retrieving all accounts resulted in a timeout exception. A fix has been made to skip the LDAP query if the license issued is of unlimited accounts. ZBUG-3655
  • When composing a message, users can now attach a .p7m extension file. ZBUG-3621
  • To improve logging, a new local config attribute zimbra_additional_logging has been introduced. The default value is set to FALSE. When TRUE, it will log the following events: ZBUG-3565
    • Login attempts of non-existing users in the case of Web Client, POP3, IMAP, SMTP, and ActiveSync are now logged in audit.log with client/source IP.
    • Login attempts of non-existing users in the case of POP3, IMAP, and ActiveSync are now in mailbox.log with client/source IP.
    • Login attempts of existing users in the case of ActiveSync are now logged in mailbox.log with client/source IP.
  • In some scenarios, the external message warning was not being appended in the email when received from Gmail. The issue has been fixed. ZBUG-3132

Classic Web App

  • Files with .p7s extension were restricted as attachments due to security concerns. However the security concern is only applicable when SMIME is enabled. Hence, .p7s files can now be added as attachments when SMIME is disabled. ZBUG-2370

Zimbra Mobile

  • When deleting an appointment from mobile by the invitee, it resulted in deleting appointments for other invitees too. The issue has been fixed. ZBUG-3667


Things to Know Before Upgrading

Important Upgrade Instructions for Daffodil v10 version older than build 10.0.0_GA_4452

If you are currently using the Beta version build of Daffodil v10 (10.0.0_GA_4452), please follow these upgrade instructions:

  • Upgrade to the latest GA Version build 10.0.0_GA_4518: It is crucial to first upgrade to the latest GA version before proceeding with any further updates. This latest GA release includes essential updates, including modifications to the database schema and various other feature improvements.
  • Upgrade to 10.0.5 Patch: Once you have successfully upgraded to the latest GA version build 10.0.0_GA_4518, you can proceed with the upgrade to the 10.0.5 patch. This patch release addresses specific issues and introduces further enhancements.

By following this upgrade path, you ensure that your system is properly updated, incorporating the necessary database schema changes and other critical updates introduced in the latest GA build.

Please review the following information to decide if Zimbra Daffodil (v10) is suitable for you.

  • Zimbra Touch Client, Zimbra Mobile Client, and Zimbra HTML (Standard) Client are no longer a part of Zimbra starting from Version 9.0.0.
  • A Zimbra Network Edition license is required to use Zimbra Daffodil (v10).
  • The customizations implemented for SAML and SPNEGO will be overridden during an upgrade. It is recommended to backup these configurations before upgrading the server.
  • In case of rolling upgrades, if some mailstore nodes are upgraded to zimbra-10 and some mailstore nodes are on Zimbra 9.0.x or Zimbra 8.8.15 then, zimbraReverseProxyUpstreamLoginServers should only contain the list of Zimbra 10.0.0 mailboxes. If this is not followed then in some cases, users on zimbra-10 mailstore nodes will not be able to see Modern Web App after login.
  • Zimbra (v10) continues to support two versions of Zimbra Web Client -- Modern and Classic.
    • To know more about the highlights of the Modern Web App, please refer to Introducing the Modern Web Application
    • The Classic Web App offers the same functionality as the Advanced Web Client in Zimbra version 8.8.15.
    • Existing customized themes, logo branding changes, and crontab changes are incompatible with, and hence do not reflect in the Modern Web App. Branding needs to be re-configured to work with the Modern Web App. The Modern Web App does not currently support themes. Please refer to the Customizing Modern Web App section of Admin Guide for more information related to configuration.
    • Zimlets are supported on both the Web Clients.
    • Zimlets that work with the Classic Web App are incompatible with the Modern Web App. And due to technology changes, there is no way to migrate the Zimlets from the Classic Web App to the Modern Web App or vice-versa.
  • For Non-NG setups, recommendations when using mailbox move (through zmmboxmove utility) on Rolling-Upgrade environment:
    • Always take full backup *before* doing zmmboxmove.
    • If using Storage Management with primary and secondary storage as Internal, then set zimbraMailboxMoveSkipBlobs and zimbraMailboxMoveSkipHsmBlobs attributes to FALSE before doing zmmboxmove.
    • Always recommended to run HSM and move blobs to current primary/secondary volumes in case of multiple primary/secondary volumes present in the system before doing zmmboxmove.
    • zmmboxmove command should be run from Zimbra (v10) mailbox server.

After you review the tasks in this section, please go to Upgrade Instructions.


Known Issues

Zimbra Collaboration

  • On a NG based rolling-upgrade setup, when either sharer or sharee is not moved to zimbra-10 server and the drive data is imported through the NG Migration utility, the drive files sharing information is not available. Hence, the shared files are not available after the import.

Workaround - Before importing the Drive data for the users, move the sharee and sharer from NG server to zimbra-10 server.

  • When upgrading to Zimbra 10 using the rolling upgrade mechanism, if a user on Zimbra 10 shares a Briefcase file with a user on Zimbra 9, then while UI will display a 'Permission denied' error to the user on Zimbra 10, the user on Zimbra 9 still ends up receiving an email that the file has been shared. Even though the mail is received by the Zimbra 9 user, they will not be able to access the file, as the file sharing feature is not available in Zimbra 9.
  • During Rolling Upgrade to Zimbra 10, a user on Zimbra 9 may share a Briefcase folder with a Zimbra 10 user. However, since files were not shared with Zimbra 10 user, the files within the shared folder are not accessible to the Zimbra 10 users.
  • During Rolling Upgrade to Zimbra 10 from Zimbra 9/8.x having NG modules installed, when a Zimbra 9/8.x user creates new files from Briefcase, it results in a error "TypeError: g is null".
  • During Rolling Upgrade to Zimbra 10, a user on Zimbra 10 may share a file with a Zimbra 9 user. However, Zimbra 9 user will not be able to access the file from the shared URL.
  • Zimbra inheritance is followed when setting LDAP attributes. When using Backup & Restore->Message recovery settings from Admin UI, if the value of zimbraDumpsterEnabled attribute is FALSE at COS level and TRUE at Domain level, then the value at COS level will be considered. So the issue here is- adding Domains in the message recovery settings will have no impact on message recovery if the COS level attribute is set to its default value FALSE.
  • Backup and Restore - When mail-store server is restored after moving some of its accounts to another mail store, then old mail data like blobs, metadata, etc. of the accounts which have been moved to another mail store, will also get restored. The workaround is to - execute the restore with --ignoreRedoErrors OR with -rf options like zmrestore -a all --ignoreRedoErrors.
  • When user clicks on a file in Briefcase, a preview is displayed for the supported file formats. User can also edit these files in a separate window. The changes take a long time to be reflected in the preview, and sometimes user might need to click on the file multiple times to view the changes.
  • When editing documents from Briefcase, the documents are opened in a separate browser window in which users can edit the document. However, the updated contents are not reflected in the Briefcase file, unless the separate browser window is not closed by the user.
  • User is not able to search files in the "Files shared with me" folder, within Briefcase.
  • Re-sending a file share for a Briefcase document throws the error, "A network service error has occurred".

Admin Web Console

  • In Admin UI, if two users are assigned the Administrator privilege followed by "Assign default domain administrator views and rights", there is an error displayed for the second user, and the request is not completed. This happens due to a caching issue, and flushing the cache of the mail-store resolves this issue.

Mobile Sync

  • On iOS Native App, if the Mail, Calendar, and Contacts folders are shared with the user, the shares are not displayed on the App.Similarly, for Windows Outlook and Windows Native Contacts App, if the Contacts folder is shared with the user, the shares are not displayed on the App.

Workaround - The user will have to reconfigure his account on the device to get the shares mounted on the device.

  • Exchange ActiveSync protocol currently does not support Read-Only permission sharing. It is recommended not to enable Sharing for the users having shares with Read-Only permission.
  • In a Rolling-upgrade environment, if a zimbra-9 user shares a calendar with zimbra-10 user, the events are not synced.

Workaround - For the Rolling-Upgrade environment involving the NG mailbox server, due to technical differences between the NG Mobile feature and Zimbra (v10) Mobile Sync feature, it is recommended to use Sharing feature after moving all the accounts to zimbra-10 mailbox server.

  • For Windows Mail App, the Sent folder emails are not displayed after blocking and unblocking the user.

Workaround - The user can remove and reconfigure the account on the app.

  • When using iOS Outlook App, Out of Office settings are not synced to the user's account in Web App.
  • When the organizer and attendee use the Outlook app, if the organizer cancels an instance from a recurring meeting, the same is not reflected on the attendee's calendar.

Backup Restore

  • When using backup and restore to move data from source 9.x NG server to destination 10.x server, if both the source and destination, primary volumes are 'External', and zimbraBackupSkipBlobs is set to True, then emails moved secondary volume throw 'Missing Blob for item' error.
  • When an account is restored using backup data from NG external secondary volume, the account is displaying garbled data for emails on the destination server.
  • When we schedule backup using zmschedulebackup command, backup is getting scheduled in crontab and LDAP attributes are updated with appropriate values.

HSM

  • On the NG server, if you are using OpenIO as an external volume to store your Primary/Secondary data and do an in-place upgrade to Patch 10.0.5, then the emails present on the OpenIO store appear garbled. Currently, no workaround is available for this issue and our engineering team is working on it.

Packages

The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                      ->  10.0.6.1702555719-2 
zimbra-mta-patch                                  ->  10.0.6.1697713310-1 
zimbra-proxy-patch                                ->  10.0.6.1697713310-1 
zimbra-ldap-patch                                 ->  10.0.6.1697713310-1 
zimbra-openjdk-cacerts                            ->  1.0.10-1zimbra8.7b1 
zimbra-openjdk                                    ->  17.0.8-1zimbra8.8b1 
zimbra-core-components                            ->  4.0.2-1zimbra10.0b1 
zimbra-ldap-components                            ->  3.0.2-1zimbra10.0b1 
zimbra-zco                                        ->  9.0.0.1938.1701268058-1 
zimbra-mbox-webclient-war                         ->  10.0.6.1701417562-1 
zimbra-license-tools                              ->  10.0.6.1701325518-1 
zimbra-common-core-jar                            ->  10.0.6.1701334761-1 
zimbra-modules-porter                             ->  1.0.0.1701436866-1 
zimbra-modern-ui                                  ->  4.35.0.1701332224-1 
zimbra-modern-zimlets                             ->  4.35.0.1701332224-1 
zimbra-zimlet-additional-signature-setting        ->  9.1.0.1701364050-1 
zimbra-zimlet-ads                                 ->  9.2.0.1701364050-1 
zimbra-zimlet-calendar-subscription               ->  7.2.0.1701364050-1 
zimbra-zimlet-date                                ->  7.2.0.1701364050-1 
zimbra-zimlet-duplicate-contacts                  ->  6.3.0.1701364050-1 
zimbra-zimlet-emptysubject                        ->  3.2.0.1701364050-1 
zimbra-zimlet-install-pwa                         ->  7.2.0.1701364050-1 
zimbra-zimlet-org-chart                           ->  3.2.0.1701364050-1 
zimbra-zimlet-privacy-protector                   ->  5.3.0.1701364050-1 
zimbra-zimlet-restore-contacts                    ->  7.2.0.1701364050-1 
zimbra-zimlet-secure-mail                         ->  2.4.0.1701364050-1 
zimbra-zimlet-set-default-client                  ->  10.3.0.1701364050-1 
zimbra-zimlet-sideloader                          ->  8.2.0.1701364050-1 
zimbra-zimlet-user-feedback                       ->  7.2.0.1701364050-1 
zimbra-zimlet-user-sessions-management            ->  10.2.0.1701364050-1 
zimbra-zimlet-web-search                          ->  5.2.0.1701364050-1 
zimbra-zimlet-document-editor                     ->  11.2.0.1701364050-1


Patch Installation

Please refer to below link to install 10.0.6 patch :

Patch Installation

Jump to: navigation, search