This is a timely reminder to anyone still using Zimbra 8.x.x that it reaches EOL at the end of next month. There is no official open release of later versions despite much being covered by open source licenses. If you have not already moved off Zimbra you need to, ASAP, do one of the following:
1. Pay for Zimbra and upgrade that way.
2. Try to compile up a later version yourself…
3. Migrate to one of the forks that sprang up (most of them are dead though; Zextras/Carbonio is still going, but last time I looked the system requirements were a bit daft for what little functionality I actually need)
4. Migrate to something else entirely.
My needs have changed a lot over the years. I no longer run company email for DayJob¹, and for the server I ran for myself, family & friends, I've jammed together a mail server³ from standard parts.
I still have Zimbra running behind a firewall (those who need access do so via SSH tunnel) for archive access, in case anything didn't transfer cleanly to the new arrangement and for things I didn't bother transferring.
----
[1] since we've grown we have infrastructure/support people who look after that instead of muggins here doing everything, and we've long since² moved over to O365
[2] at least one buy-out ago
[3] the number of actual users⁴ is down to me and three others, and we barely used features beyond mail in the end
At that scale, a Synology NAS running MailPlus can be very cost-effective. It comes with five mailboxes. Buy two, activate MailPlus High Availability — which also pools the mailbox licenses — and you're set for 10 mailboxes over the +/- 8 years they'll actively support the device. With the rest of their software suite it can tick all the boxes, though the lack of a MAPI/EAS implementation is a miss.
9.0 onwards never had a “community edition” release, so people self-hosting that rather than paying for licensing for “network edition” have stuck at 8.x. Note that there are two downloads for 8.8.15 on the linked page, one of which is marked “open source”. Anyone who is still there has been getting security updates, but that stops being the case once 8.8.15 hits EOL.
It feels like they waited a long time to post an advisory for an exploit that was being actively used by threat actors, more than a week after they pushed a fix to their repositories. Why not give customers a heads up prior? At least give your users a fighting chance.
> The patch for the vulnerability was pushed to Github on July 5. Another actor exploited the vulnerability for a full two weeks beginning on July 11 before the official patch became available on July 25.
What's the point of a responsible disclosure embargo policy when the enterprise software developer alerts threat actors of the precise vuln three full weeks before they even begin to patch their customers' systems?
Right? Let's see some Hex Color Injection or Retina Inversion or Bytecode Reversal attacks. I want to see a flatline riding a black chrome shark into my browser. Enough of this "XSS" this and "Server-Side Request Forgery" that stuff.
Is there very much a use case for using AI to X-ray a site and find all this bullshit in an automated fashion? The opposite seems so unreliable and unfashionable...