Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

Please note: this vulnerability is being reported as having existed and been actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.

Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries; it only updates the openssl package in /opt/zimbra. For example:
The steps to patch are the following:

(as root)
1) wget -updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh

[Generates the following output]
Downloading patched openssl
Validating patched openssl: success
Backing up old openssl: complete
Installing patched openssl: complete
OpenSSL patch process complete. Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart

(as user zimbra)
4) su - zimbra
5) zmcontrol restart
(as root)
2) cd /opt/zimbra
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart
4) tar xfz /tmp/openssl-NEWVERSION.tgz

(as user zimbra)
5) su - zimbra
6) zmcontrol restart
2. If running ZCS 8.0.7, check zmcontrol for the build number:

# su - zimbra
$ zmcontrol -v
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.

3. If running any version of Zimbra Collaboration, check if the libssl shared library is built with dtls1_heartbeat:

Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
dtls1_heartbeat
$

Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
$
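The manual check in step 3 above, wrapped into a small POSIX sh script as an added example (not part of the original patch notes). It takes the library path as an argument so it can be pointed at /opt/zimbra/openssl/lib/libssl.so on a real node or at a constructed sample file, and it falls back to a binary-safe grep when the strings utility is not installed; the function names and exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example: does a libssl shared object still carry the dtls1_heartbeat
# symbol? The page's check is "strings libssl.so | grep dtls1_heartbeat";
# this does the same, with a grep -a fallback when strings is unavailable.

# Returns 0 (true) when the symbol string is present, 1 when it is not.
libssl_has_heartbeat() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1" 2>/dev/null | grep -q 'dtls1_heartbeat'
    else
        # -a treats the binary as text so grep does not stop at NUL bytes
        grep -a -q 'dtls1_heartbeat' "$1" 2>/dev/null
    fi
}

# Prints a one-line verdict and returns:
#   0 = heartbeat symbol absent (patched build)
#   1 = heartbeat symbol present (still vulnerable)
#   2 = library not readable
report_libssl() {
    lib="$1"
    if [ ! -r "$lib" ]; then
        echo "missing: $lib is not readable"
        return 2
    fi
    if libssl_has_heartbeat "$lib"; then
        echo "VULNERABLE: $lib contains dtls1_heartbeat"
        return 1
    fi
    echo "not vulnerable: $lib has no dtls1_heartbeat"
    return 0
}

# Stand-alone usage: check the Zimbra-bundled library (path from the page),
# then the OS copy if one is passed on the command line.
if [ -n "$1" ]; then
    report_libssl "$1"
else
    report_libssl /opt/zimbra/openssl/lib/libssl.so
fi
```

Run it once against /opt/zimbra/openssl/lib/libssl.so and once against the OS-level libssl, since the patch notes stress that the Zimbra updater leaves the operating system's OpenSSL untouched.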
[zimbra@mx zimlets]$ zmzimletctl install $PWD/com_zextras_chat_open.zip
[] INFO: Installing Zimlet com_zextras_chat_open on this host.
[] ERROR: Zimlet com_zextras_chat_open has an invalid file path com_zextras_chat_open_de.properties
com.zimbra.cs.zimlet.ZimletException: Cannot deploy Zimlet com_zextras_chat_open. Error message: Invalid file path com_zextras_chat_open_de.properties
    at com.zimbra.cs.zimlet.ZimletException.CANNOT_DEPLOY(ZimletException.java:68)
    at com.zimbra.cs.zimlet.ZimletUtil.installZimletLocally(ZimletUtil.java:692)
    at com.zimbra.cs.zimlet.ZimletUtil.dispatch(ZimletUtil.java:1915)
    at com.zimbra.cs.zimlet.ZimletUtil.main(ZimletUtil.java:2007)
[] ERROR: Error
com.zimbra.cs.zimlet.ZimletException: Cannot deploy Zimlet com_zextras_chat_open. Error message: Invalid file path com_zextras_chat_open_de.properties
    at com.zimbra.cs.zimlet.ZimletException.CANNOT_DEPLOY(ZimletException.java:68)
    at com.zimbra.cs.zimlet.ZimletUtil.installZimletLocally(ZimletUtil.java:692)
    at com.zimbra.cs.zimlet.ZimletUtil.dispatch(ZimletUtil.java:1915)
    at com.zimbra.cs.zimlet.ZimletUtil.main(ZimletUtil.java:2007)
[zimbra@mx zimlets]$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[zimbra@mx zimlets]$ uname -a
Linux mx 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
A year and a half ago the (tiny) Yahoo! Calendar team embarked on a mission to build a new Calendar. We were interested in cracking the consumer market, where huge potential for growth and innovation lay. The problem was that the 10-year-old platform was falling apart and being held together by bungee cord and tape. Innovation on this platform would have been very challenging and would forever handicap our efforts going forward.
Zimbra Proxy is a high-performance reverse proxy service for passing IMAP[S]/POP[S]/HTTP[S] client requests to other internal ZCS services. This package is normally installed on the MTA server(s) or on its own independent server(s). When the zimbra-proxy package is installed, the proxy feature is enabled by default. Installing the Zimbra Proxy is highly recommended, and required if using a separate web application server.

Memcached is automatically selected when the zimbra-proxy is installed. At least one server must run zimbra-memcached when the proxy is in use. You can use a single memcached server with one or more Zimbra proxies. zimbra-memcached is required if using a separate web application server.

This package is installed on the zimbra-store server. Only one Zimbra-convertd package needs to be present in the Zimbra Collaboration environment. The default is to install one zimbra-convertd on each zimbra-store server. When Zimbra-Convertd is installed, the Zimbra-Apache package is also installed.

The following table lists the main directories created by the Zimbra installation packages. The directory organization is identical for any server in the Zimbra Collaboration, when installing under (parent) /opt/zimbra.
For systems that do not have external access to the Zimbra License server, you can use the Zimbra Support Portal to manually activate your license. Go to the Zimbra website at www.zimbra.com and click Support to display the Zimbra Technical Support page. Click the Zimbra Collaboration Support link to display the Zimbra Support Portal page. Enter your email and password to log in.

On the Zimbra website, go to Downloads to obtain a trial license from the Zimbra Downloads area. Contact Zimbra sales regarding a trial extended license, or to purchase a subscription license or perpetual license, by emailing sales@zimbra.com.
By default, the message store is located on each mailbox server under /opt/zimbra/store. Each mailbox has its own directory named after its internal mailbox ID. Mailbox IDs are unique per server, not system-wide.

The Data Store is a SQL database where internal mailbox IDs are linked with user accounts. All the message metadata, including tags, conversations, and pointers, indicates where the messages are stored in the file system. The SQL database files are located in /opt/zimbra/db.

The index and search technology is provided through Apache Lucene. Each email message and attachment is automatically indexed when the message arrives. An index file is associated with each account. Index files are located in /opt/zimbra/index.

For example, a web client server running the 'zimbra,zimbraAdmin' webapps serves the static UI content like html/css pages, and a mail server running the 'service' webapp serves all the SOAP requests. These servers are running in split mode.

A Zimbra Collaboration deployment consists of various third-party components with one or more mailbox servers. Each of the components may generate its own logging output. Local logs are in /opt/zimbra/log.
Use of auxiliary object classes in LDAP allows for an object class to be combined with an existing object class. For example, an entry with structural object class inetOrgPerson, and auxiliary object class zimbraAccount, would be an account. An entry with the structural object class zimbraServer would be a server in the Zimbra system that has one or more Zimbra packages installed.

Represents an account on the Zimbra mailbox server that can be logged into. Account entries are either administrators or user accounts. The object class name is zimbraAccount. This object class extends the zimbraMailRecipient object class. All accounts have the following properties:
- A name in the format of user@example.domain
- A unique ID that never changes and is never reused
- A set of attributes, some of which are user-modifiable (preferences) and others that are only configurable by administrators
All user accounts are associated with a domain, so a domain must be created before creating any accounts.

Defines a calendar resource such as conference rooms or equipment that can be selected for a meeting. A calendar resource is an account with additional attributes on the zimbraCalendarResource object class.
Supported authentication mechanisms are Internal, External LDAP, and External Active Directory. The authentication method type is set on a per-domain basis. If the zimbraAuthMech attribute is not set, the default is to use internal authentication.

The zimbraAuthLdapURL attribute ldap://ldapserver:port/ identifies the IP address or host name of the external directory server, and port is the port number. You can also use the fully qualified host name instead of the port number.

Set the domain attribute zimbraAuthKerberos5Realm to the Kerberos5 realm in which users in this domain are created in the Kerberos database. When users log in with an email password and the domain's zimbraAuthMech attribute is set to kerberos5, the server constructs the Kerberos5 principal as localpart-of-the-email@value-of-zimbraAuthKerberos5Realm and uses that to authenticate to the kerberos5 server.

LDAP attributes are mapped to GAL entry fields. For example, the LDAP attributes displayName and cn can be mapped to the GAL entry field fullName. The mapping is configured in the zimbraGalLdapAttrMap attribute.
If changes are required after the Zimbra Proxy is set up, modify the Zimbra LDAP attributes or localconfig values and run zmconfigd to generate the updated Zimbra Proxy configuration. The Zimbra proxy configuration file is in /opt/zimbra/conf/nginx.conf. The nginx.conf includes the main config, memcache config, mail config, and web config files.