Zimbra Releases/9.0.0/P38

Zimbra Collaboration Kepler 9.0.0 Patch 38 GA Release

Release Date: December 18, 2023

Check out the Security Fixes, What's New, Fixed Issues and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

Blank email issue on ZCO

After recent Microsoft updates (Version 2310, 2311), customers reported an intermittent issue that when sending a message from ZCO, it is delivered as a blank message to the recipient. The issue is not consistently reproducible and there are no definite steps to reproduce it. There have been no changes in the ZCO product that caused the issue, as we found this issue is not seen on Outlook versions not having the latest Microsoft patch. Our engineering team has also submitted a post on Microsoft forums asking for their immediate attention. We are also analyzing the issue and trying to find a root cause and feasible solution for the ZCO product. We will update as soon as we have an ETA on the fix.

For the customers facing the issue, the workaround is to downgrade their Outlook to the previous version.

Update: The issue has been fixed, and you can download the latest ZCO package at https://www.zimbra.com/product/addons/zimbra-connector-for-outlook-download/.

For customers who have installed the previous ZCO package 1938, please upgrade to the latest one on the mailstore node using the following commands:

Update: The issue for non-english locale has been fixed, and you can download the latest ZCO package at https://www.zimbra.com/product/addons/zimbra-connector-for-outlook-download/.

For customers who have installed the previous ZCO package 1938 or 1939, please upgrade to the latest one on the mailstore node using the following commands:

For Ubuntu:

apt-get update
apt-get install zimbra-zco

For RHEL/Centos/Rocky Linux:

yum clean metadata
yum check-update
yum install zimbra-zco

Zimbra Desktop installation issue on Intel-based Mac OS

The latest version of Zimbra Desktop application is currently not supported on Intel-based Mac OS and users may encounter an error upon attempting to launch it. The application functions as expected on Mac OS with the Apple M1 chip. Our team has identified the root cause and is actively working on a solution to extend support to Intel-based Mac OS systems. Updates will be provided once a solution is available. In the interim, the official recommendation for users having Intel-based Mac OS is to continue using the older version of Zimbra Desktop, or use the web client which remains accessible for all users.

Updates: The issue has been fixed and the latest Zimbra Desktop build for Mac can be downloaded from https://www.zimbra.com/zimbra-desktop-download/

NOTICE: OpenJDK cacert Package Upgrade

Please follow the instructions:

Install zimbra-core-components before the patch upgrade on the mailstore node.
apt-get install zimbra-core-components (For Ubuntu)
yum install zimbra-core-components (For RHEL/Centos/Rocky Linux)

While deploying zimlets, if the following error is encountered

Enabling Zimlet zimbra-zimlet-secure-mail
ERROR: zclient.IO_ERROR (invoke PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server:  localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to  requested target)
*** zimbra-zimlet-secure-mail Installation Completed. ***
*** Restart the mailbox service as zimbra user. Run ***

then, redeploy zimlets that are throwing error in the patch upgrade

zmzimletctl -l deploy <zimlet.zip file name>

Deprecation of Zimbra Server on Ubuntu 16.04

Ubuntu 16.04 End of life occurred on April 29, 2021. Zimbra will deprecate Kepler 9.0.0 support for Ubuntu 16.04 as of December 31, 2023. At this date, there will no longer be any patch release for Zimbra Kepler 9.0.0 on Ubuntu 16.04 operating system. We encourage all our new customer's to use Ubuntu 20.04 for all their new installations.

For questions or guidance with upgrading your operating system please open a support case and our Support team is here to assist you.

Change in upgrade process for 9.0.0 Patch 38

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation steps to install the packages in its order.

Changes required for SSO setup before patch upgrade

Before upgrade, if the zimbraVirtualHostName parameter is not set for the domains that are using SAML and SSO based login, please set by following the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary CVE-ID CVSS Score
OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. CVE-2023-21930 CVE-2022-21476 CVE-2022-21449 High
Fixed a vulnerability where an auth token was possible to be obtained . CVE-2023-48432 TBD
Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. TBD TBD
Modern UI was vulnerable to DOM-based Javascript injection. Security related issues have been fixed to prevent it. CVE-2023-50808 TBD

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

Migration to Daffodil v10

Support for migrating customers running the 9.0.0 version with NG modules has now been added to the Daffodil 10.0.6 Patch Release. Please refer to Daffodil 10.0.6 Release Notes for more details. Please make sure the server's are upgraded to latest 9.0.0 patch release before the migration.

What's New

Package Upgrade

  • The OpenJDK package has been upgraded from 17.0.2 to 17.0.8

Modern Web App


  • Distribution Lists are now available when choosing contacts in email via "Choose contacts" popup.
  • Users can select a mail and then select the newly added "Edit as new" option in Modern UI to create a new mail while retaining the recipients, subject and body of the mail.
  • A new Out Of Office configuration has been added in Modern UI. The users can use this option - "Send custom message to those not in my organization and address book", to send custom message to contacts who are not in user's organization and address book.
  • A separate "Trash" folder and context menu has been implemented for Calendar vertical in Modern UI.


  • Users who have the required permissions will be able expand a distribution list in Modern UI mail compose window.


  • Users can now select the members of a distribution list as receivers when composing an email.

Fixed Issues

Zimbra Collaboration

  • On a setup with a large number of accounts (in millions), an LDAP query executed for retrieving all accounts resulted in a timeout exception. A fix has been made to skip the LDAP query if the license issued is of unlimited accounts. ZBUG-3655
  • To improve logging, a new local config attribute zimbra_additional_logging has been introduced. The default value is set to FALSE. When TRUE, it will log the following events: ZBUG-3565
    • Login attempts of non-existing users in the case of Web Client, POP3, IMAP, SMTP, and ActiveSync are now logged in audit.log with client/source IP.
    • Login attempts of non-existing users in the case of POP3, IMAP, and ActiveSync are now in mailbox.log with client/source IP.
    • Login attempts of existing users in the case of ActiveSync are now logged in mailbox.log with client/source IP.
  • In some scenarios, the external message warning was not being appended in the email when received from Gmail. The issue has been fixed. ZBUG-3132

Classic Web App

  • Files with .p7s extension were restricted as attachments due to security concerns. However the security concern is only applicable when SMIME is enabled. Hence, .p7s files can now be added as attachments when SMIME is disabled. ZBUG-2370

Admin Web Console

  • "Reject common passwords" feature requires LDAP attributes which were not present in Zimbra 9, hence the feature checkbox has removed from the Admin Console, from the paths -> Home > Configure > Class of Service > cosName > Advanced > Password section and Home > Manage > Accounts > userAccount > Advanced > Password section. However the full feature continues to be available on Zimbra 10. ZBUG-2871

Known Issues

  • Clicking on Settings Icon after exporting contacts causes the user interface to freeze. To fix it, reload the page.
  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                      -> 
zimbra-mta-patch                                  -> 
zimbra-proxy-patch                                -> 
zimbra-ldap-patch                                 -> 
zimbra-openjdk-cacerts                            ->  1.0.10-1zimbra8.7b1 
zimbra-openjdk                                    ->  17.0.8-1zimbra8.8b1 
zimbra-core-components                            ->  3.0.22-1zimbra9.0b1 
zimbra-ldap-components                            ->  2.0.16-1zimbra9.0b1 
zimbra-zco                                        -> 
zimbra-mbox-webclient-war                         -> 
zimbra-mbox-admin-console-war                     -> 
zimbra-license-tools                              -> 
zimbra-common-core-jar                            -> 
zimbra-modern-ui                                  -> 
zimbra-modern-zimlets                             -> 
zimbra-zimlet-additional-signature-setting        -> 
zimbra-zimlet-ads                                 -> 
zimbra-zimlet-calendar-subscription               -> 
zimbra-zimlet-date                                -> 
zimbra-zimlet-duplicate-contacts                  -> 
zimbra-zimlet-emptysubject                        -> 
zimbra-zimlet-install-pwa                         -> 
zimbra-zimlet-org-chart                           -> 
zimbra-zimlet-privacy-protector                   -> 
zimbra-zimlet-restore-contacts                    -> 
zimbra-zimlet-secure-mail                         -> 
zimbra-zimlet-set-default-client                  -> 
zimbra-zimlet-sideloader                          -> 
zimbra-zimlet-user-feedback                       -> 
zimbra-zimlet-user-sessions-management            -> 
zimbra-zimlet-web-search                          -> 
zimbra-zimlet-briefcase-edit-lool                 -> 
zimbra-network-modules-ng                         ->

Patch Installation

Please refer to below link to install Kepler 9.0.0 Patch 38:

Patch Installation

Jump to: navigation, search