Zimbra 2-Factor Authentication and Zimbra Social on v8.7.6
We have good news and bad news for you – which would you like to hear first? Well, the good news is that Zimbra 2-Factor Authentication works well and is intuitive enough to deploy in your enterprise. The bad news is that we can’t say the same thing about Zimbra Social.
Zimbra 2-Factor Authentication (2FA)
Zimbra 2-Factor Authentication makes it way more difficult for an attacker to gain access to your emails through account hacking, as an additional passcode is introduced to authenticate the user. It takes both factors, password and token, to access email for an account with 2FA enabled. For their token, the user can choose any application that implements the Time-Based One-Time Password Algorithm (TOTP RFC-6238) such as the popular Android Authenticator. If the phone is protected by biometrics and the password is not written as a note on the phone somewhere, then the account is much less vulnerable than before 2FA.
Activation and configuration is easy enough and well explained in Zimbra’s blog. We tested it on Zimbra 8.7.6 GA Enterprise with several TOTP apps and it worked like a charm. 2FA is not included in the open source edition.
If a user forgets their phone and cannot login to their web client because they have no access to their second factor, it’s easy enough to disable 2FA for that user from the Admin Console and have the customer login using their password only. The 2FA configuration is not erased by disabling the feature so the user does not have to setup the OTP client and application passwords again. Given that they can only use the web client (no phone) and the web client session is valid until the next day, you can just re-enable their 2FA on the same call, no need to remember doing it the next day..
For apps that don’t support 2FA flow, there are the application passcodes. Remember that if you change the password, those codes need to also be re-generated.
The Zimbra Admin Console is not 2FA-enabled. At Syloé, we recommend restricting access to the Admin Console by allowing only access from known IP addresses and by adding a layer of web-authentication to the Admin Console page. This enables two layers of authentication but when the administrator loses their phone/token they can still get into the GUI. Of course, there’s always the CLI..
Zimbra Social Zimlet
There exist three different products that are all referred to as “Zimbra Social”. According to Telligent – “Telligent acquired Zimbra from VMWare in 2013 and rebranded the business from Telligent to Zimbra. The Telligent product line was subsequently rebranded as Zimbra Social” – an application focused on creating communities for marketing purposes. Ans yes this product can integrate with Zimbra ZCS – as per this article
However, this is not the Zimbra Social Zimlet that connects the user to their social media accounts such as facebook and twitter.
There are two Zimbra Social Zimlets. The former (version 3.5) comes integrated with the Zimbra Open Source edition 8.7.6 GA. We tried using this zimlet but to no avail. The facebook authentication is integrated with Facebook OAuth based on an unresolvable URL. The Enterprise edition of Zimbra ZCS 8.7.6GA does not include the Social Zimlet so we installed it with the same disappointing result.
Integration with Twitter did not work either and so we lost interest quickly. It seems that the VMWare employee who created the Facebook OAuth service for Zimbra moved on to pursue other interests and no-one picked up the ball when he left.
On the good side – going Zimbra 2-Factor Authentication is worth considering as email is business-critical for most companies and passwords are hacked easily enough these days. Zimbra ZCS does a good job making it easy to configure and manage per COS and per user.
On the bad side – do not bother with Zimbra Social Zimlet right now – it doesn’t work. Let’s hope someone picks up the ball and provides a working update soon.
Stay tuned for more news from Syloé – we are integrating our Nextcloud server with Zimbra Drive so will be providing a review on that in the next few weeks.