Zimbra Releases/9.0.0/P13

Zimbra Collaboration Kepler 9.0.0 Patch 13 GA Release

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation section for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

Security Fixes

Summary CVE-ID CVSS Score Zimbra Rating Fix Patch Version
Heap-based buffer overflow vulnerabilities in PHP < 7.3.10 CVE-2019-9641 CVE-2019-9640 9.8 Critical 9.0.0 P13
Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities. CVE-2019-0211 CVE-2019-0217 7.8 High 9.0.0 P13
Spamassasin vulnerability in versions < 3.4.5. CVE-2020-1946 9.8 Critical 9.0.0 P13

What's New

Critical SpamAssassin Security Fix


In Apache SpamAssassin version < 3.4.5, critical security vulnerability related to malicious rule configuration (.cf) files was detected. This issue has been fixed.

Note: Fixed above issue in updated Patch version today dated Apr 08, 2021 which was reported on the first version of 9.0.0 Patch 13.

Customers who have already deployed 9.0.0 Patch 13 can fix the issue on MTA node by following the below patch installation steps:

Redhat

  • As root, install the packages:
yum check-update
yum install zimbra-mta-patch
  • As zimbra user, restart zimbra services:
su - zimbra
zmcontrol restart

Ubuntu

  • As root, install the packages:
apt-get update
apt-get install zimbra-mta-patch
  • As zimbra user, restart zimbra services:
su - zimbra
zmcontrol restart


NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.


Zimbra Video Server (BETA)

  • The Video Server (BETA) is a WebRTC stream aggregator that improves Zimbra Connect's performance by merging and decoding/re-encoding all streams in a meeting. Refer to the admin guide for instructions on installing the Video Server on the systems.

We are nearing the end of our extensive QA cycle for these package upgrades. Watch for the GA announcement in an upcoming patch release.


Announcing GA


The following packages are now GA:

  • OpenSSL 1.1.1h support for TLS 1.3.
  • OpenSSL 1.1.1h with FIPS module support.
  • Postfix 3.5.6 support for TLSv1.3
  • Nginx 1.19.0 support for TLSv1.3


Enabling TLS 1.3

The administrator will have to execute separate steps for enabling TLS 1.3 on Zimbra Proxy (Nginx) and Zimbra Mailstore.

Execute the following steps on Zimbra Proxy (Nginx)

Execute these commands as zimbra user

  • View the existing zimbraReverseProxySSLProtocols:
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
  • Add TLSv1.3 to existing zimbraReverseProxySSLProtocols.
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
  • Verify TLSv1.3 is added to zimbraReverseProxySSLProtocols.
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3
  • View existing cipher's in zimbraReverseProxySSLCiphers.
$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
  • Add TLSv1.3 cipher TLS_AES_256_GCM_SHA384 to existing zimbraReverseProxySSLCiphers.
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
  • Restart Zimbra Proxy service:
$ zmproxyctl restart 

Execute the following steps on Zimbra Mailstore

Execute these commands as zimbra user

  • Get your current mailboxd_java_options:
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true

Add the TLSv1.3 to https.protocols and tls.client.protocols:

$ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true'
  • Restart Zimbra Mailbox service:
$ zmmailboxdctl restart

FIPS Support

FIPS support is now available with OpenSSL 1.1.1h version. After upgrading the OpenSSL package on the Zimbra server, please refer to the below guide for enabling FIPS as per your Operating System:


Set below configurations on your Zimbra Server after FIPS is enabled on your Operating System:

Execute these commands as zimbra user

$ postconf -e "lmtp_tls_fingerprint_digest = sha256"
  • Restart Zimbra services:
$ zmcontrol restart

Deprecation of Zimbra Server on Ubuntu 14.04, Oracle Linux 6 and CentOS/RHEL 6

With a number of supported operating systems entering the end of life, Zimbra will deprecate all Zimbra versions for Ubuntu 14.04, CentOS 6, Redhat 6 and Oracle 6 as of July 31, 2021. At this date, there will no longer be any patch release for 8.8.15 and 9.0.0 on these operating systems.

  • Ubuntu 14.04 end of life occurred on April 30, 2019
  • CentOS and RHEL 6 end of life occurred on November 30, 2020
  • Oracle 6 End of life occurred on October 2020

After July 31, 2021, Zimbra Support will provide best-effort support for the last patch release on the listed operating systems. However, any known or existing bugs will not be addressed and Zimbra Support encourages all customers to follow our recommended upgrade path to a supported OS version at your earliest convenience to ensure no interruption in your support services.

For more information about the direction Zimbra is taking with supporting future operating systems please check our blog.

For questions or guidance with upgrading your operating system please open a support case and our Support team is here to assist you.

Zimbra OpenSSL 1.1.1h compatibility issues with some kernel versions (4.8 and 4.9)


On Ubuntu-14 and CentOS/RHEL-6 with few kernel versions like (4.8, 4.9), the Zimbra Proxy and LDAP services failed to start due to compatibility issues with OpenSSL 1.1.1h. The issue has been fixed.
Note: Fixed above issue in updated Patch version today dated Apr 02, 2021 which was reported on the first version of 9.0.0 Patch 13.

Impacted deployments can fix the issue by following the patch installation steps again.


Web UX - Modern

  • Two factor authentication is now supported with reset-password flow. Reset-Password Success-screen proposed to "Sign In" and, if 2FA is enabled, the user will be prompted to enter code.
  • When the user hovers over the account name at the right-hand top corner, information such as *Account name*, *Send as name* and *Email address* gets displayed. Hovering over the Settings also displays a tooltip *Settings and more*.
  • Earlier, the folder hierarchy did not give the user a visual notification for unread messages in a sub-folder, when the sub-folder is not currently visible in the hierarchy (i. e. the sub-folder’s parent folder is collapsed). This issue has been fixed now. The parent folder or folders in the hierarchy are bolded in such a scenario. Highlighting on current folder and hover has also been improved.
  • Earlier, when logging into Modern UI, the environment variable *Zimbra_Domain* was used to load the user's attributes. This will now be done using *virtualHostName* attribute. *Zimbra_Domain* will be present for backward compatibility which will be deprecated in future releases.

Platform

  • Upgraded OpenSSL from 1.0.2t to 1.1.1h and added FIPS support.

Zimbra Docs

  • New version of Docs Server is available and can be found on the Network Edition Downloads page.

Fixed Issues

Web UX - Modern

  • In the Modern UI the user is now able to select a Timezone when creating events in the calendar.
  • In some cases, when a user receives a message with an attachment, the attachment was not getting displayed due to a missing content-deposition header. The issue has been fixed and the attachment gets correctly displayed.

Platform

  • When using DKIM Signing with TLS1.3 beta packages, opendkim service was crashing. The issue has been resolved.
  • The SSL freelist can be exploited in the current version of zimbra-openssl which has been fixed with the upgraded Openssl version 1.1.1g
  • Zimbra Proxy now supports and is enabled with http2 protocol capabilities.
  • Intermittently, there were memory corruption issues encountered during IMAP/POP3 connections. The issue has been fixed now.
  • When synchronizing shared calendar via CalDAV, if the '+' character is present in the event then the sync failed. The issue has been fixed.
  • postfix-logwatch was not able to generate the report. Upgrading postfix-logwatch from 1.40.01 to 1.40.03 fixed the issue.
  • When zimbraReverseProxyStrictServerNameEnabled is set to TRUE, the Zimbra Proxy service failed to start. The issue has been fixed.
    Note:: Fixed above issue in updated Patch version today dated Mar 31, 2021 which was reported on the first version of 9.0.0 Patch 13.

ZCO

  • When a user has a signature and sends a message using Apple Mail with attachments, the signature is also sent as an attachment and is not a part of the message body. This issue is due to a bug in the Apple Mail client.

NG Auth

  • Added more information to the log when an invalid credential is used.

NG Backup

  • Fixed an issue with the command zxsuite core getnotification when a host was specified with --host
  • Fixed a bug of pending RealTime Scanner operations were not properly cleared out from the operation queue by the doStopAllOperations command.
  • Anomaly and error management logic in the Coherency Check has been improved.
  • Missing Blob log lines have been made more specific

NG Mobile

  • After a mailboxd failure or restard under heavy load, several partial blobs were leftover in the cache.
  • Fixed an issue that would cause all-day calendar events created or accepted on mobile to be moved to the day before if the device is Samsung or using an older eas version
  • It is now possible to filter devices via RegEx through a dedicated ABQ command set.

Zimbra Connect

  • Fonts now honor the small-normal-large-very large value of the display font size option for the instant messaging features
  • Edited messages, either in 1:1 conversations, groups, spaces, or channels, are not resend if the content has not been changed
  • Channel names now have the character # in front of their name
  • Instant messages longer than 4096 characters are now truncated and no longer stay in the queue

Zimbra Docs

  • Fixed a bug that caused a 50 concurrent documents limit on the server's side
  • Docs no longer sets itself in idle/standby remaining ready to accept user interaction
  • Due to some missing icons, the sidebar in Docs appeared broken.

Zimbra Network Modules NG

  • Fixed an issue with the command zxsuite core getnotification when a host was specified with --host

HSM

  • Fixed a bug that caused mailbox moves to hang due to drive indexing being running on the same mailbox.


Known Issues

  • Please note that the Reject common passwords option in the Admin Console at Home -> Manage -> Accounts -> account_name -> Advanced -> Password section, is currently not supported. In case it is selected, the administrator will encounter an error and will not be able to save the changes. Hence the administrator is advised to not select this option. It will be supported in a future version.


Patch Installation

Please refer to the steps below to install 9.0.0 Patch 13 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.
  • Only files or Zimlets associated with installed packages will be installed from the patch.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
  • Important! Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation section to install the packages in its order.

9.0.0 Patch 13 Packages

The package lineup for this release is:

PackageName Version PackageName Version

zimbra-patch                               ->     9.0.0.1617362714.p13-2
zimbra-proxy-patch                         ->     9.0.0.1617362714.p13-1
zimbra-mta-patch                           ->     9.0.0.1617770243.p13-1
zimbra-common-core-jar                     ->     9.0.0.1616698890-1
zimbra-openldap-server                     ->     2.4.49-1zimbra8.8b4
zimbra-ldap-components                     ->     1.0.8-1zimbra8.8b1
zimbra-mbox-webclient-war                  ->     9.0.0.1615897257-1
zimbra-mbox-admin-console-war              ->     9.0.0.1615896919-1
zimbra-common-mbox-conf-attrs              ->     9.0.0.1602835824-1
zimbra-common-core-libs                    ->     9.0.0.1591936175-1
zimbra-zco                                 ->     9.0.0.1893.1615886147-1
zimbra-modern-ui                           ->     4.6.0.1616136586-1
zimbra-zimlet-install-pwa                  ->     4.0.0.1606479635-1
zimbra-zimlet-set-default-client           ->     4.1.0.1610520500-1
zimbra-zimlet-date                         ->     4.0.0.1606496021-1
zimbra-zimlet-additional-signature-setting ->     4.1.0.1610521399-1
zimbra-zimlet-calendar-subscription        ->     4.0.0.1606479804-1
zimbra-zimlet-sideloader                   ->     5.0.0.1606717050-1
zimbra-modern-zimlets                      ->     4.6.0.1616136586-1
zimbra-zimlet-restore-contacts             ->     4.1.0.1610520308-1
zimbra-network-modules-ng                  ->     7.0.12.1613663193-1
zimbra-drive-ng                            ->     4.0.10.1611239513-1
zimbra-drive-modern                        ->     1.0.10.1611239513-1
zimbra-connect                             ->     2.0.12.1613662694-1
zimbra-connect-modern                      ->     1.0.11.1611239355-1
zimbra-docs                                ->     4.0.4.1611239023-1
zimbra-docs-modern                         ->     1.0.4.1606409421-1
zimbra-zimlet-auth                         ->     1.0.1.1615572388-1
zimbra-zimlet-zoom                         ->     6.2.1.1614964917-1
zimbra-zimlet-slack                        ->     5.4.0.1614964917-1
zimbra-zimlet-dropbox                      ->     5.1.4.1614964917-1
zimbra-zimlet-onedrive                     ->     5.2.3.1614964917-1
zimbra-zimlet-google-drive                 ->     5.2.2.1614964917-1
zimbra-zimlet-jitsi                        ->     3.2.2.1614964917-1
zimbra-zimlet-video-call-preferences       ->     2.0.1.1614964917-1
zimbra-zimlet-nextcloud                    ->     1.0.5.1616645738-1
zimbra-zimlet-voice-message                ->     1.0.3.1611114827-1
zimbra-zimlet-classic-unsupportedbrowser   ->     1.0.0.1591045240-1
zimbra-zimlet-email-templates              ->     2.0.0.1606716802-1
zimbra-zimlet-signature-template           ->     1.0.0.1609841753-1
zimbra-chat                                ->     4.0.1.1594306412-1

Redhat

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees there is a new zimbra-patch package in the patch repository:
yum clean metadata
yum check-update
  • On mailstore node, install the following packages:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then ask yum to update available packages:
yum update
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
yum install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

yum install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then install the package:
yum install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
yum install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install the package:
yum install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, install the package:
yum install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
yum install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
yum install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
yum install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
yum install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages

Uninstall zimbra-talk on mailstore node

In case of upgrade from version 8.8.15, uninstall zimbra-talk from mailstore node since it replaces with zimbra-connect. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
yum remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs and zimbra-drive-ng on mailstore node

yum install zimbra-network-modules-ng
yum install zimbra-connect
yum install zimbra-zimlet-auth
yum install zimbra-docs
yum install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Zimbra Additional Zimlets

Note: - You can install the packages of your choice from the below list.

Install/Upgrade zimbra-zimlet-slack, zimbra-zimlet-zoom, zimbra-zimlet-dropbox, zimbra-zimlet-google-drive, zimbra-zimlet-onedrive, zimbra-zimlet-jitsi, zimbra-zimlet-video-call-preferences, zimbra-zimlet-nextcloud, zimbra-zimlet-voice-message, zimbra-zimlet-sideloader, zimbra-zimlet-user-sessions-management on mailstore node

yum install zimbra-zimlet-slack
yum install zimbra-zimlet-zoom
yum install zimbra-zimlet-dropbox
yum install zimbra-zimlet-google-drive
yum install zimbra-zimlet-onedrive
yum install zimbra-zimlet-jitsi
yum install zimbra-zimlet-video-call-preferences
yum install zimbra-zimlet-nextcloud
yum install zimbra-zimlet-voice-message
yum install zimbra-zimlet-sideloader
yum install zimbra-zimlet-user-sessions-management
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Ubuntu

Installing zimbra packages with system package upgrades

  • As root, check for updates so the server checks there is a new zimbra-patch package in the patch repository:
apt-get update
  • On mailstore node, install the following packages:
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
  • Then update available packages:
apt-get upgrade
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Installing zimbra packages individually

Upgrade OpenLDAP on LDAP node

  • As root, install the package:
apt-get install zimbra-ldap-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Install/Upgrade zimbra-proxy-patch on Proxy node

  • As root, install package
apt-get install zimbra-proxy-patch
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart
zmmemcachedctl restart

Install/Upgrade snmp if it is installed on Proxy node

apt-get install zimbra-snmp-components
  • Restart proxy as zimbra user:
su - zimbra
zmproxyctl restart

Install/Upgrade zimbra-mta-components on MTA node

  • As root, install package
apt-get install zimbra-mta-components
  • If dnscache is installed, upgrade the package before restarting the services:
apt-get install zimbra-dnscache-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-mta-patch on MTA node

  • As root, install package
apt-get install zimbra-mta-patch
  • Restart amavisd as zimbra user:
su - zimbra
zmamavisdctl restart

Install/Upgrade zimbra-patch on mailstore node

  • As root, check for updates and install package:
apt-get update
apt-get install zimbra-common-core-jar zimbra-common-core-libs zimbra-mbox-store-libs
apt-get install zimbra-patch
  • If apache is installed, upgrade the package before restarting the services:
apt-get install zimbra-apache-components
  • If spell is installed, upgrade the package before restarting the services:
apt-get install zimbra-spell-components
  • If snmp is installed, upgrade the package before restarting the services:
apt-get install zimbra-snmp-components
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Installing NG packages

Uninstall zimbra-talk on mailstore node

In case of upgrade from version 8.8.15, uninstall zimbra-talk from mailstore node since it replaces with zimbra-connect. Hence, it is important to remove zimbra-talk before installing zimbra-connect.

  • As root, uninstall the package zimbra-talk:
apt-get remove zimbra-talk

Install/Upgrade zimbra-network-modules-ng, zimbra-connect, zimbra-zimlet-auth, zimbra-docs, zimbra-drive-ng on mailstore node

  • As root, check for updates and install packages:
apt-get update
apt-get install zimbra-network-modules-ng
apt-get install zimbra-connect
apt-get install zimbra-zimlet-auth
apt-get install zimbra-docs
apt-get install zimbra-drive-ng
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart


Zimbra Additional Zimlets

Note: - You can install the packages of your choice from the below list.

Install/Upgrade zimbra-zimlet-slack, zimbra-zimlet-zoom, zimbra-zimlet-dropbox, zimbra-zimlet-google-drive, zimbra-zimlet-onedrive, zimbra-zimlet-jitsi, zimbra-zimlet-video-call-preferences, zimbra-zimlet-nextcloud, zimbra-zimlet-voice-message, zimbra-zimlet-sideloader, zimbra-zimlet-user-sessions-management on mailstore node

apt-get install zimbra-zimlet-slack
apt-get install zimbra-zimlet-zoom
apt-get install zimbra-zimlet-dropbox
apt-get install zimbra-zimlet-google-drive
apt-get install zimbra-zimlet-onedrive
apt-get install zimbra-zimlet-jitsi
apt-get install zimbra-zimlet-video-call-preferences
apt-get install zimbra-zimlet-nextcloud
apt-get install zimbra-zimlet-voice-message
apt-get install zimbra-zimlet-sideloader
apt-get install zimbra-zimlet-user-sessions-management
  • Restart Zimbra mailbox service as zimbra user:
su - zimbra
zmmailboxdctl restart

Upgraded 3rd Party Packages

  • OpenSSL and Postfix TLS 1.3 Packages

The packages for RHEL6, RHEL7, UBUNTU14, UBUNTU16, UBUNTU18 are:

Package Name      Version
zimbra-openssl : 1.1.1h-1zimbra8.7b4
zimbra-postfix : 3.5.6-1zimbra8.7b3
zimbra-nginx : 1.19.0-1zimbra8.8b3
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b2
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.49-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.102.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b2
zimbra-perl-net-http : 6.09-1zimbra8.7b3
zimbra-perl-libwww : 6.13-1zimbra8.7b3
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b3
zimbra-perl-xml-parser : 2.44-1zimbra8.7b3
zimbra-perl-soap-lite : 1.19-1zimbra8.7b3
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b3
zimbra-perl-xml-simple : 2.25-1zimbra8.7b2
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b3
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b4
zimbra-perl-innotop : 1.9.1-1zimbra8.7b3
zimbra-httpd : 2.4.46-1zimbra8.7b3
zimbra-php : 7.3.25-1zimbra8.7b3
zimbra-postfix-logwatch : 1.40.03-1zimbra8.7b1
zimbra-perl : 1.0.5-1zimbra8.7b1
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.4-1zimbra8.8b1
zimbra-spell-components : 2.0.4-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.12-1zimbra8.8b1
zimbra-core-components : 3.0.4-1zimbra8.8b1
zimbra-proxy-components : 1.0.8-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.8-1zimbra8.8b1
zimbra-mbox-store-libs : 9.0.0.1615887345-1
  • OpenSSL and Postfix TLS 1.3 Packages

The GA packages for RHEL8 are:

Package Name      Version
zimbra-openssl : 1.1.1h-1zimbra8.7b4
zimbra-postfix : 3.5.6-1zimbra8.7b3
zimbra-nginx : 1.19.0-1zimbra8.8b3
zimbra-mariadb : 10.1.25-1zimbra8.7b3
zimbra-heimdal : 1.5.3-1zimbra8.7b3
zimbra-curl : 7.49.1-1zimbra8.7b3
zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2
zimbra-unbound : 1.11.0-1zimbra8.7b2
zimbra-apr-util : 1.6.1-1zimbra8.7b2
zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4
zimbra-net-snmp : 5.8-1zimbra8.7b3
zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3
zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2
zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3
zimbra-openldap : 2.4.49-1zimbra8.8b4
zimbra-opendkim : 2.10.3-1zimbra8.7b5
zimbra-clamav : 0.102.2-1zimbra8.8b3
zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b3
zimbra-perl-net-http : 6.09-1zimbra8.7b4
zimbra-perl-libwww : 6.13-1zimbra8.7b4
zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b4
zimbra-perl-xml-parser : 2.44-1zimbra8.7b4
zimbra-perl-soap-lite : 1.19-1zimbra8.7b4
zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b4
zimbra-perl-xml-simple : 2.25-1zimbra8.7b3
zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3
zimbra-perl-mail-spamassassin : 3.4.5-1zimbra8.8b4
zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b5
zimbra-perl-innotop : 1.9.1-1zimbra8.7b4
zimbra-httpd : 2.4.46-1zimbra8.7b3
zimbra-php : 7.3.25-1zimbra8.7b3
zimbra-perl : 1.0.6-1zimbra8.7b1
zimbra-dnscache-components : 1.0.2-1zimbra8.7b1
zimbra-apache-components : 2.0.4-1zimbra8.8b1
zimbra-spell-components : 2.0.4-1zimbra8.8b1
zimbra-snmp-components : 1.0.3-1zimbra8.7b1
zimbra-mta-components : 1.0.12-1zimbra8.8b1
zimbra-core-components : 3.0.4-1zimbra8.8b1
zimbra-proxy-components : 1.0.8-1zimbra8.8b1
zimbra-store-components : 1.0.3-1zimbra8.7b1
zimbra-ldap-components : 1.0.8-1zimbra8.8b1
zimbra-mbox-store-libs : 9.0.0.1615887345-1

The updated GA packages are:

Package            Old-Version    New-Version
postfix              3.1.1          3.5.6
openssl              1.0.2t         1.1.1h
nginx                1.7.1          1.19.0
postfix-logwatch     1.40.01        1.40.03
io-socket-ssl	     2.020          2.068
xml-simple           2.20           2.25
crypt-openssl-rsa    0.28           0.31
net-snmp             5.7.3          5.8
dbd-mysql            4.033          4.050
apr-util             1.5.4          1.6.1
unbound              1.5.9          1.11.0
net-ssleay           1.72           1.88
  • Nginx TLS 1.3 Packages

The GA packages for RHEL6, RHEL7, RHEL8, UBUNTU14, UBUNTU16, UBUNTU18 are:

PackageName                                       Version
zimbra-nginx                               ->     1.19.0-1zimbra8.8b3
zimbra-proxy-components                    ->     1.0.8-1zimbra8.8b1
zimbra-proxy-patch                         ->     9.0.0.1616043862.p13-1

Jira Summary

Jira Tickets fixed in 9.0.0 Patch 13

ZCS-10378 Remote getnotification fix
ZCS-10377 Docs document limit bugfix
ZCS-10376 Docs idle/standby removal
ZCS-10375 Docs Sidebar View bugfix
ZCS-10373 Instant messaging interface font
ZCS-10372 Edit message behavior improvement
ZCS-10371 Added # character to channels
ZCS-10370 Messages longer than 4096 handling
ZCS-10367 Mailbox Move concurrency issue fixed
ZCS-10365 HSM cache improvements
ZCS-10364 Eas 2.5 and Samsung allday calendar item fix
ZCS-10363 Added regex filtering to ABQ
ZCS-10362 Coherency Check logic improvement
ZCS-10361 doStopAllOperation realtime scanner queue bugfix
ZCS-10360 Coherency Check logic improvement
ZCS-10359 Missing Blob logging improvement
ZCS-10358 Improved logging
ZCS-10312 Remove unnecessary end points in HTML client
ZCS-10199 Verify zimbra docs server installation
ZCS-10126 Support 2FA and forgot password at the same time. | Classic
ZCS-10060 Add FIPS support in OpenSSL 1.1.1h
ZBUG-2175 [Crash] When zimbraReverseProxyStrictServerNameEnabled is set to TRUE (default), the proxy will fail to start.
ZBUG-2173 CVE-2020-1946 - SpamAssassin vulnerability
ZBUG-2148 [Crash] Patch 20 breaks (nginx, LDAP, and Jetty SSL) on kernels 4.8+
ZBUG-2140 opendkim is crashing with TLS1.3 beta packages
ZBUG-2121 [Security] DoS Attack on nginx exploiting flaw in SSL Freelist
ZBUG-2099 Nginx: Enable http_v2 in conf file.
ZBUG-2098 Nginx: memory leak (legacy issue)
ZBUG-1969 Update PHP version to 7.3.23 or later.
ZBUG-1967 Problem synchronizing shared calendar via caldav when a '+' character is present on the EVENT
ZBUG-1940 Modern UI: Unable to change timezone while creating a calendar invite.
ZBUG-1798 postfix-logwatch not generating report
ZBUG-1361 HTML signature configured in Apple Mail shows as attachment in Outlook with ZCO
ZBUG-1312 Upgrade to Apache version 2.4.41 or later
PREAPPS-5932 Parsing issue with base64 email in modern UI
PREAPPS-5885 Removing the Zimbra_Domain related conditions and depencies from modern UI
PREAPPS-5827 Fit & Finish: Add tooltips to account and Settings icon in header and update Settings hover
PREAPPS-5503 Folder should be turned bold to indicate unread messages
Jump to: navigation, search