whats new in zimbra collaboration 8.7.x

1

What’s New

March 2017Contains proprietary and confidential information owned by Synacor, Inc. © / 2016 Synacor, Inc.

ZIMBRA 8.7.X

2

TODAY’S DISCUSSION

Server Features • Zimbra Package Repository• Postscreen• SSL SNI for HTTPS

Security ImprovementsTwo-Factor Authentication

EWS ImprovementsUnified CommunicationsOther notable enhancementsZimbra Desktop 7.2.8Q&A

3

ISSUES RESOLVED SINCE ZIMBRA 8.0

1854

2832

970

2284

0

500

1000

1500

2000

2500

3000

8.0 8.5 8.6 8.7

BugFix

4

BACKEND FEATURES

5

ZIMBRA PACKAGE REPOSITORY

Zimbra 8.7+ now uses a package repository for the majority of 3rd party libraries• Smaller installer size• Zimbra can push rapid updates to 3rd

party packages without having to release a patch, ideal for security updates

• Customers can update 3rd party packages to latest version without having to apply patch

• Will be expanding this concept to the rest of the product over time 0 200 400 600 800 1000 1200

InstallerSizeinMB

8.6

8.7

6

ZIMBRA PACKAGE REPOSITORY

7

POSTSCREEN

• Pre-screening process for clients that implements tests to reduce the load on the SMTPD process• By keeping spambots away, Postscreen leaves more SMTP server processes

available for legitimate clients, and delays the onset of server overload conditions

• Zimbra Collaboration Postscreen maintains a temporary white-list for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, Postscreen hands off the connection immediately to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.

8

ZIMBRA ARCHITECTURE W/O POSTSCREEN

9

ZIMBRA ARCHITECTURE WITH POSTSCREEN

10

POSTSCREEN RESOURCES

Whitepaper Technical Wiki

11

SSL SNI ARCHITECTURE

12

SSL SERVER NAME IDENTIFICATION (SNI) FOR HTTPS

• Zimbra SSL Server Name Indication (SNI) allows the proxy server to submit various certificates in the same IPv4 address and TCP port number, which allows multiple domains (HTTPS) to be served at the same IP address without having to use the same certificate.

• Zimbra SSL SNI is excellent for service providers who service numerous domains.

13

SSL SNI RESOURCES


14

SECURITY IMPROVEMENTS

15

SECURITY INFORMATION

• As always, it is highly recommended that you revisit settings after upgrading to ensure that values are set as expected/desired in your environment and security settings meet your requirements. • https://wiki.zimbra.com/wiki/Security/Collab/87• https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

• PEN Test – Netragard's final report available (20160613-Netragard-Report-ZCS-8.7-final.pdf )

16

TWO-FACTOR AUTHENTICATION

• Time-based one-time passcode (TOTP) security layer

• App-specific passwords for support across all clients

• Reduces successful user ID theft, fraud, and phishing attacks

• COS, Domain, and User feature• Admins can require use

17

DEMO

18

TWO-FACTOR AUTHENTICATION RESOURCES


19

MISCELLANEOUS SECURITY IMPROVEMENTS

8.7 SSL Related Changes • SSLv3 disabled (OpenJDK, OpenSSL) • Default 2048b DH Parameters (OpenSSL)• Removed RC4 cipher• Enabled Nginx SSL Session Cache (resumption) • zmlookup via HTTPS (default port 7072)• HTTPS SNI Support (zimbraReverseProxySNIEnabled)

8.7 Security Other • saslauthd on port 7073 (SMTP auth vs. ZWC, etc.) • multi-domain enhancements• many third party package updates

20

EXCHANGE WEB SERVICES (EWS)

21

EWS ENHANCEMENTS IN 8.7

Bug95132Signed/EncryptedEmailsappearasnormalinMacOutlook

Bug95988Calendar.appviaEWSsetupdoesn’tworkwithZCSCalendar

Bug98235SupportforOffice2016,OutlookforMac

55fixedBugsforEWSin8.7

22

UNIFIED COMMUNICATIONS

23

UNIFIED COMMUNICATIONS – PRESENCE

24

UNIFIED COMMUNICATIONS — VOICEMAIL

25

UNIFIED COMMUNICATIONS — MAKING A CALL

26

8.7 MISCELLANEOUS IMPROVEMENTS

27

Bug101582SupportforOffice2016withZimbraConnector,ZCO

Bug97334/97335AccessibilityforCalendarandContactsonWebClient

Bug97773Upgradetopostfix3.0series

Bug96261AddlocalizationforLao[Lo]

Bug101192Disablelinkswithinspam

Bug95484SupportforIE12

28

8.7.1 MISCELLANEOUS IMPROVEMENTS

29

Bug103683AddsupportforUbuntu16.04LTS

Bug105134Outlook2016MacEWSexpandingdistributionlistcrashesOutlook

Bug105945,105942,107024and106204SolveddifferentBugswhichpreventedtorunasuccessfulUpdate/UpgradetoZCS8.7

Bug1061628.7requiresbriefcasetobepublicifimageisinsidesignature

30


31

Bug104578PaginationsupportforSyncGalRequest

Bug104127Maillistviewisnotrefreshedwhendeletingmailsinmessageview

Bug107106Convertd failedafterupgradeto8.7.1from8.7.0

Bug107153Imagewithinsignatureisbrokeninreply/forwardwindow

32


33

Bug107623EWSsyncbrokenwhenSOAPresponseislarge

Bug101023zimbraHelpAdvancedURL,zimbraHelpStandardURL andzimbraHelpAdminURL doesnotwork

Bug106379"/opt/zimbra/libexec/zmfixperms --verbose--extended"changing/opt/zimbra/common/sbinpermissiontozimbra:zimbraBug107058

Fix"Unescaped leftbraceinregexisdeprecated,passedthroughinregex;markedby<-- HEREinm/\${<-- HEREzimbra_home}/at/opt/zimbra/libexec/zmupgrade.pm"forUBUNUTU16

34


35

Bug106811XXE[CWE-611]

Bug104278WhileprintingmailsfromZWCinIEandFirefox,wordwrappingissplittingwordsbetweentwolines.

Bug107635oo_linux_install_path isnotsetinfreshinstallation

36


37

Bug81415NewS/MIMEZimletTechnicalPreview,noJavaapplet

AdminGuideinGitHubWearemovingourDocumentationtoASCIIDoconGitHub,whereyoucangraborimproveit

Bug107583and106285- 8.7.2calendarmonthviewbrokenformultipledayspanningeventsand- HorizontalscrollbarworksincorrectlyinCalendar

Bug107058Printissue:text getscutonrightwhenprintingmailsusingIE

38


39

Bug107797StartingZimbraCollaboration8.7.6,ZimbraincludesafreeandGPLv2ChatproductembeddedinsideZimbra

Bug107798StartingZimbraCollaboration8.7.6,ZimbraincludesafreeandGPLv2OwnCloud/NextCloud productembeddedinsideZimbra

EphemeralbackendZCS8.7.6releaseincludesabetareleaseofamajorchangeinZimbraarchitecturethatallowsenablingprotectionagainstCSRFandcookie-reuseattackswithoutincreasingloadonLDAP

SecurityfixesImproperlimitationoffilepaths[CWE-22]Improperhandlingofprivileges[CWE-280]

40


41

Bug107824Allcontextmenuoptionsstoppedworkingafterdeletingtrashedappointmentandtryingtotakeactionfromusercalendar'sappointment

Bug107825WeeklyRecurringMeetingnotgettingsyncedinOutlook2016

Bug106438Caldav SharedCalendarSyncnotworkingcorrectlyonlatestmacversions

42


43

Featureimprovements- AddedfullworkingSearchfeature:- Smartcaseinsensitivequeryparsing- Previewandmostoperationsavailable- AddedNewFolder buttoninMoveDialog- AddedZimbraDriveiconandbrowsertabtitle- Addedsomecheckstopreventillegalactions

Bug107449EWS:ResolveNameshouldreturnallthecontactinformation

Bug107946WS:MapallattributesreturnedinADsearchresulttoContactinResolveName response

Bug107891Upgradefrom877to878failedduetoldap schemaviolation

Bug107899Upgradefrom850to878failingforRHEL6

early release

44


45

ZCO8.7.10hasbeenreleasedUpto11Bugsfixedforthisversion

Bug107584Nodataunder"Download"directoryafterfreshinstallationorupgrade


46


47

Bug107979S/MIMEcertificatenotseeninContactProperties

Bug102930EWSSharing- Handlesyncofsharedfoldersonremotenode


48

ZIMBRA DESKTOP v7.2.8

49

ZIMBRA DESKTOP 7.2.8

Two factor authenticationStarting in Zimbra Desktop 7.2.8, we support it natively on our Desktop. Requires ZCS 8.7 and NE

Password LockIf a user enables this feature, access to Zimbra Desktop becomes password protected, and the user needs to enter a Zimbra account password.

Auto ArchiveUsing this feature, old emails are archived locally, to local folders, and these emails are deleted from the server automatically. A really handy option to keep our Mailboxes at the minimum weight at the Server level.

Support for Traditional Chinese (Taiwan) LanguageFor all the Taiwanese speakers we have good news! Now Zimbra Desktop 7.2.8 and above supports Traditional Chinese (Taiwan). 歡迎光臨

50


Two factor authenticationWe introduced Zimbra Collaboration 2FA since v8.7, and starting in Zimbra Desktop 7.2.8, we support it natively on our Desktop client as well. The first step is to configure 2FA on the Web Client.

Zimbra Two-Factor authentication requires an upgrade of your Network Edition License Key, which is free of charge if you have a valid License. Contact your regional sales manager

Then when you try to add an account protected already with Zimbra 2FA, or if you had one already added on Zimbra Desktop and configure 2FA later, the Zimbra Desktop will prompt you for a Code from one of the TOTP applications.

Once you add a valid 2FA code from a TOTP application, you will be able to see all of your accounts and launch the Desktop

51


Password LockStarting with Zimbra Desktop 7.2.8, the end user can protect Zimbra Desktop with a password. You will find this new feature in Preferences > All accounts > General > Enable Password Lock

Once enabled, you will see a new lock icon on the top bar. You can click on that icon or just close Zimbra Desktop to be prompted for your Zimbra Desktop main account password.

This is the window that will prompt you for the main account password. This is a really useful way to protect your Zimbra Desktop content, preventing it from being read by another user who might have physical access to the computer.

After a successful login, you will see a banner message on the top bar saying Password Verified

52


Auto archiveUsing this feature, old emails are archived locally, to local folders, and these emails are deleted from the server automatically. A really handy option to keep our Mailboxes at the minimum weight at the Server level.

53

Q&AThank you!

whats new in zimbra collaboration 8.7.x

Software