It has come to our attention that in some cases postconf settings are not retained when updating to the latest patch (9.0.0.P34, 8.8.15.P41, 10.0.2).
Make sure to re-apply any customizations, including TLS cipher configurations you had previously configured using the postconf command.
In addition, the latest patch also enabled OpenSSL in FIPS mode, more details on that in an upcoming blog. For now we advise you to review the https://wiki.zimbra.com/wiki/Cipher_suites wiki and update your configuration.
Confirmed – I had to redo postconf settings.
We always do the following when we update the Zimbra MTA to find possible modified (or lost) configurations:
$ tar cf – /opt/zimbra/conf /opt/zimbra/common/conf | gzip > conf-before-update.tar.gz
do the update
$ tar cf – /opt/zimbra/conf /opt/zimbra/common/conf | gzip > conf-after-update.tar.gz
$ diff <(zcat conf-before-update.tar.gz | tar tfv – | grep -v '^d' | sort | tr -s ' ' | cut -d ' ' -f1,2,3,6) <(zcat conf-after-update.tar.gz | tar tfv – | grep -v '^d' | sort | tr -s ' ' | cut -d ' ' -f1,2,3,6)
That’s a great idea. This should be something Zimbra does “automagically”, or at least put up as a technical wiki article/post/recommendation.
We will implement this in the future, however sometimes with newer versions of Postfix and other dependencies a reset to default settings will still be needed.