Mission Critical Email

Zimbra Hosting Terms and Conditions

Last Updated 18 October 2024

Thanks for using our Zimbra Hosting offering, comprised of Zimbra pay-as-you-go Network Edition Professional License(s) supplied under Zimbra’s Business Service Provider (“BSP”) Partner program and per-mailbox hosting of your Zimbra mailboxes on a multi-tenant or bespoke Zimbra virtual server environment maintained by Mission Critical Email LLC (“MCE”) on public cloud infrastructure provided by Amazon Web Services, Microsoft Azure, Oracle Cloud, or other hosting provider selected by MCE for your mailboxes (the “Zimbra Hosting Services”).

By using our Zimbra Hosting Services, you are agreeing to these terms. Please read them carefully. If you do not agree with these terms, do not use our Zimbra Hosting Services.

Responsibility Boundaries

Unless stated otherwise herein or within an Order for Zimbra Hosting Services, MCE (and the cloud hosting provider(s) with whom it contracts for infrastructure as a service) is responsible for the maintenance and administration of the virtual server hosting, networking, network security and access policies, and Zimbra software. Your Project Manager(s) are responsible for the end-user accessible portions of the Zimbra Hosting Service, including mailbox provisioning and deprovisioning, end user password management and end user device management. You are also responsible for any tasks MCE requires of you in order to make the Zimbra Hosting Services function as intended, for example by making changes to public DNS A, TXT and MX records, or not using insecure or unsupported methods to access Zimbra.

Using our Zimbra Hosting Services

You must follow any policies made available to you within the Zimbra Hosting Services.

Don’t misuse our Zimbra Hosting Services. For example, don’t interfere with our Zimbra Hosting Services or try to access them using a method other than the interface and the instructions that we and/or Zimbra provide. You may use our Zimbra Hosting Services only as permitted by law, including applicable export and re-export control laws and regulations. We may suspend or stop providing our Zimbra Hosting Services to you if you do not comply with our terms or policies or if we are investigating suspected misconduct.

Using our Zimbra Hosting Services does not give you ownership of any intellectual property rights in our Zimbra Hosting Services or the content you access. You may not use content from our Zimbra Hosting Services unless you obtain permission from its owner or are otherwise permitted by law. These terms do not grant you the right to use any branding or logos used in our Zimbra Hosting Services. Don’t remove, obscure, or alter any legal notices displayed in or along with our Zimbra Hosting Services.

Our Zimbra Hosting Services display some content that is neither yours nor MCE’s. This content is the sole responsibility of the entity that makes it available. We do not review or analyze content except to improve the Zimbra Hosting Services, for example by examining emails with a view towards improving anti-spam filtering.

In connection with your use of the Zimbra Hosting Services, we may send you service announcements, administrative messages, and other information.

Some of our Zimbra Hosting Services are available on mobile devices. Do not use such Zimbra Hosting Services in a way that distracts you and prevents you from obeying traffic or safety laws.

To reduce the possibility of your email domain being blacklisted as a spam source and potentially negatively impacting the Zimbra Hosting Services, within 30 days of your initial use of our Zimbra Hosting Services, you will collaborate with MCE to deploy DKIM, SPF and DMARC records in public DNS, using DKIM keys generated by Zimbra. Your SPF record must contain the “hard fail” attribute (“-all”) and your DMARC record must: (a) cover 100 percent of your mail volume; (b) contain at least a “quarantine” policy (“p=quarantine”), though a “reject” policy (“p=reject”) is recommended; (c) contain valid audit and forensic report email addresses whose mailbox contents are routinely reviewed (we recommend subscribing to a service like Dmarcian.com to ingest these reports and present your data in a convenient dashboard); and (d) ideally, use “strict” instead of “relaxed” alignment.
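
An added example (not part of these terms and not MCE's or Zimbra's code): the Python below checks SPF and DMARC TXT record strings against requirements (a) through (d) in the paragraph above. The sample records and the example.com / example.net names are constructed, and the check cannot tell whether the report mailboxes are actually reviewed.

```python
"""Check SPF and DMARC TXT record strings against the requirements stated above."""

# Constructed sample records (not real customer data).
SPF_WEAK = "v=spf1 include:_spf.example.net ~all"
SPF_OK = "v=spf1 include:_spf.example.net -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
DMARC_OK = ("v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; "
            "ruf=mailto:dmarc-ruf@example.com; adkim=s; aspf=s")


def check_spf(record):
    """Return a list of problems; an empty list means hard fail is in place."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    # The "all" mechanism may carry a qualifier: + (pass), - (fail), ~ (softfail), ? (neutral).
    all_terms = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ['no "all" mechanism; "-all" is required']
    if all_terms[-1] != "-all":
        return [f'"{all_terms[-1]}" is not hard fail; "-all" is required']
    return []


def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _mailto_ok(value):
    """True if value is a non-empty comma-separated list of mailto: URIs."""
    uris = [u.strip() for u in value.split(",") if u.strip()]
    return bool(uris) and all(
        u.lower().startswith("mailto:") and "@" in u[7:] for u in uris)


def check_dmarc(record):
    """Return (problems, advisories): hard requirements vs. recommendations."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"], []
    problems, advisories = [], []
    if tags.get("pct", "100") != "100":            # (a) pct defaults to 100
        problems.append(f"pct={tags['pct']} covers less than 100 percent of mail")
    policy = tags.get("p", "").lower()              # (b) quarantine at minimum
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or '<missing>'}; need quarantine or reject")
    elif policy == "quarantine":
        advisories.append("p=reject is recommended")
    for tag in ("rua", "ruf"):                      # (c) audit and forensic reports
        if not _mailto_ok(tags.get(tag, "")):
            problems.append(f"{tag} missing or not a mailto: address")
    for tag in ("adkim", "aspf"):                   # (d) alignment defaults to relaxed
        if tags.get(tag, "r").lower() != "s":
            advisories.append(f"{tag} is relaxed; strict ({tag}=s) is preferred")
    return problems, advisories


if __name__ == "__main__":
    for spf in (SPF_WEAK, SPF_OK):
        print(spf, "->", check_spf(spf) or "OK")
    for dmarc in (DMARC_WEAK, DMARC_OK):
        print(dmarc, "->", check_dmarc(dmarc))
```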

Your Zimbra Mailbox Password and Mailbox Access

To protect your Zimbra Mailbox, keep your password confidential. You are responsible for the activity that happens on or through your Zimbra Mailbox. Try not to reuse your Zimbra Mailbox password on third-party applications. We may periodically ask you to reset your Zimbra Mailbox password; until you do, you may not have access to your Zimbra Mailbox. Your Zimbra Mailbox password must meet certain security requirements, which requirements will generally be based on guidelines published by The National Institute of Standards and Technology.

Your contract with us designates one or more Project Managers. Only Project Managers have the authority to change end-user Zimbra Mailbox Passwords and to ask for our assistance in doing so.

We do not record nor store your Zimbra Mailbox password. If your Zimbra Mailbox password becomes known to us, for example as part of a technical support request, we and/or your Project Manager will require you to use Zimbra’s built-in method for changing it the next time you attempt to log in.

We cannot “recover” your Zimbra Mailbox Password; the Zimbra software itself makes this impossible. If you lose your Zimbra Mailbox Password, your Project Manager will reset it for you, and then you will use Zimbra’s built-in method for changing it the next time you attempt to log in.

We require that passwords have a minimum length of 16 characters and not contain commonly-used passwords; we recommend passwords contain a mix of upper- and lower-case characters and numerals. We do not presently force Customers to rotate their passwords periodically.

Most of our Zimbra Mailboxes offer Two-Factor Authentication (“2FA”). The use of 2FA is considered to enhance security but requires a third-party application such as Google Authenticator to function. We strongly recommend you enable 2FA, and that you keep safe (and handy) a copy of your one-time use authorization codes (generated when you enable 2FA).  Accounts used by Project Managers for Zimbra Delegated Admin Console access are required to have 2FA configured as a condition for Delegated Admin Console access.

We employ various automated techniques which may block your access to your Zimbra Mailbox, for example in the event that an unusually large number of emails is sent or received, or after a certain number of failed login attempts. If your access to your Zimbra Mailbox is blocked, inexplicably or otherwise, please contact your Project Manager(s); MCE cannot provide end-user support for any reason except at the direction of a Project Manager.

If you use a mobile or other ActiveSync device to access your mailbox, and we observe that the device has not connected in more than a month, we may remove that device from being able to sync with your mailbox.  If you later choose to put that device back in service, you can reconfigure access to your mailbox on the device and begin to sync again.

Privacy Policy

Our policy is not to share Zimbra Mailbox contents with third parties ever, except that we may be required by Zimbra and/or its parent company Synacor to provide content for example in furtherance of a technical support issue. We have also seen that service providers like us are sometimes subject to demands (e.g. under the Patriot Act) that would require us to share Zimbra Mailbox contents and other system information. In the latter case, MCE will only share such content if there is a legal and binding court order requiring such sharing, and MCE will notify you as soon as possible within the confines of that court order.

Information We Collect

The Zimbra software stores your Zimbra Mailbox contents, and in conjunction with the Linux operating system on which the Zimbra software is installed, also stores log files and other data which documents access and usage of your Zimbra Mailbox. Given our system-level maintenance, monitoring and administrative responsibilities, you grant us access to your Zimbra Mailbox contents as necessary to carry out such responsibilities.

Acceptable Use Policy

You agree not to, and not to allow third parties or your end users to, use the Zimbra Hosting Services:

  • to generate or facilitate unsolicited bulk commercial email;
  • to send emails with more than 50 recipients;
  • to violate, or encourage the violation of, the legal rights of others;
  • for any unlawful, invasive, infringing, defamatory, or fraudulent purpose;
  • to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature;
  • to interfere with the use of the Zimbra Hosting Services, or the equipment used to provide the Zimbra Hosting Services, by customers, authorized resellers, or other authorized users;
  • to alter, disable, interfere with or circumvent any aspect of the Zimbra Hosting Services;
  • to test or reverse-engineer the Zimbra Hosting Services in order to find limitations, vulnerabilities or evade filtering capabilities;
  • to resell Zimbra Hosting Services or parts thereof as added into a commercial product offered to third parties, except as part of a separate Reseller Agreement with MCE;
  • to use Distribution Lists as an off-domain forwarding mechanism to personal and/or non-commercial domains (e.g. gmail.com, yahoo.com, outlook.com, aol.com, mac.com, me.com, hotmail.com etc.). You are welcome to use personal Contact Groups for this function instead;
  • to use per-account Forwarding to another email account you control off-Zimbra when that other account can be configured to “pull” email from Zimbra;
  • to perform email verification, testing or similar services (we authorize you to send emails only to recipients whose email address you already know);
  • to record audio or video communications without consent if such consent is required by applicable laws and regulations (You are solely responsible for ensuring compliance with all applicable laws and regulations in the relevant jurisdiction(s));
  • to configure the Zimbra Hosting Services to forward email to an external email address, for example, to forward your Zimbra Hosting Services email to your Gmail account.  You may however configure your external account to fetch email from your Zimbra Hosting Services email account.

To endeavor to ensure compliance with these policies and protect the Zimbra Hosting Service from being blacklisted, we register your DKIM-enabled domain(s) with various providers’ Complaint Feedback Loop Service (the “CFLs”).  The CFLs send reports to postmaster@yourdomain.com, which we review regularly.  Should you or we observe complaints from one or more CFLs, you agree to collaborate with us to take steps necessary to stop your user(s) activities which generate such complaints. Your failure to comply with this Acceptable Use Policy may result in suspension or termination, or both, of the Zimbra Hosting Services.

Mailbox Storage Quotas

Each Zimbra mailbox we supply has a configured storage quota. The contents of all folders within Zimbra (email, Contacts, Calendars, Briefcase, Tasks, etc.) count towards the quota. Within the Zimbra web interface a progress bar represents your percentage consumption of your quota so you can manage your content prior to your mailbox reaching its maximum quota. Once the quota is reached, no new inbound emails will be delivered to your mailbox.

Mailbox Anti-Virus, Anti-Spam and Anti-Malware Protection

We configure the Zimbra Hosting Service to leverage the anti-virus, anti-spam and anti-malware protections bundled with the Zimbra software.  Prior to accepting any email for analysis, the system is configured to evaluate the sending server’s IP address, the sender and the sending domain of each email; we block access to the system from IPs, senders and domains deemed dangerous or risky.

All emails accepted for spam analysis are given a numerical spam score that ranks the likelihood of the email being spam. Emails with a very high spam score that the system deems to be assuredly spam, as well as emails that contain well-known malware and viruses, are deleted immediately with no end user notification. Emails with spam scores above an acceptable threshold will have their Subject lines modified to indicate the possibility that the email is spam; these emails may be delivered either to the end user’s Inbox or to a special folder just for incoming spam. Legitimate email may from time to time be identified as spam, and spam email may not be identified as such. End users should review the contents of their spam folder periodically, and use care when deciding whether to open suspicious emails, whether marked as possible spam or not.

Mailbox and System Backups and Routine Maintenance

We keep Zimbra-generated mailbox and system backups for a minimum of 14 days.

No software is perfect and all online services suffer occasional disruptions and outages. Periodically, updates, bug fixes and security patches are released by Synacor for the Zimbra software; by the operating system vendor for various operating system components on which Zimbra depends, and by the infrastructure hosting provider. In some cases, the application of these updates, bug fixes and security patches may generate an end user perceived service interruption typically of less than a few minutes, for example when a mailbox server is rebooted or when the Zimbra services are required to be restarted. We will use reasonable commercial efforts to apply service-impacting updates and bug fixes after 11:00pm and before 5:00am Eastern time. Security updates and patches may be applied at any time.

In the event of an outage, you may not be able to retrieve your content or data that you’ve stored. We recommend that you regularly backup your content and data that you store on the Zimbra Hosting Services.

Modifying and Terminating our Zimbra Hosting Services

We are constantly changing and improving our Zimbra Hosting Services. We (and/or Zimbra and their parent company Synacor) may add or remove functionalities or features, and we may suspend or stop a Zimbra Hosting Service attribute or element altogether.

You can stop using our Zimbra Hosting Services at any time subject to your Hosting Order, although we’ll be sorry to see you go. MCE may also stop providing Zimbra Hosting Services to you, or add or create new limits to our Zimbra Hosting Services at any time.

We believe that you own your data and preserving your access to such data is important. If we discontinue a Zimbra Hosting Service, where reasonably possible, we will give you reasonable advance notice and a chance to get information out of that Zimbra Hosting Service.

At the conclusion of the Term in your Hosting Order, we destroy all of your domains, mailboxes and mailbox data irretrievably. You may export the entirety of your Zimbra mailbox data at any time during the Term using the Zimbra export function shipped within the Zimbra web interface.

Minimums and Payments

Unless indicated otherwise by our Hosting Order, we require monthly payments via a credit card we keep on file in our QuickBooks Online system, for a minimum of ten 50GB-quota mailboxes. We will endeavor to inform you by email should a credit card charge fail to be processed (typically because the card has expired or been cancelled). It is your responsibility to maintain a valid credit card on file with us. Repeated failed charges against a credit card on file will result in suspension of your access to the Zimbra Hosting Services, and may result in our terminating our Hosting Order with you. Customers who do not have a credit card on file but whose payment history in our judgement is delinquent will be required to maintain a valid credit card on file with us; the agreement to do so is deemed to be a mutually agreed modification to the original Hosting Order. Email domains, and the mailboxes therein, belonging to customers with a delinquent payment history who fail to respond to requests for payment on a timely basis will be placed in Locked status until the past due amounts are satisfied. (When Locked, a mailbox will continue to receive email but users will be blocked from logging in, sending email, etc.) Such customers will be transitioned to a pay-in-advance model, which will be deemed to be a mutually agreed modification to the original Hosting Order.

Our Warranties and Disclaimers

We provide our Zimbra Hosting Services using a commercially reasonable level of skill and care and we hope that you will enjoy using them. But there are certain things that we don’t promise about our Zimbra Hosting Services.

OTHER THAN AS EXPRESSLY SET OUT IN THESE TERMS OR ADDITIONAL TERMS, NEITHER MCE NOR ITS SUPPLIERS OR AFFILIATES MAKE ANY SPECIFIC PROMISES ABOUT THE ZIMBRA HOSTING SERVICES. FOR EXAMPLE, WE DON’T MAKE ANY COMMITMENTS ABOUT THE CONTENT WITHIN THE ZIMBRA HOSTING SERVICES, THE SPECIFIC FUNCTIONS OF THE ZIMBRA HOSTING SERVICES, OR THEIR RELIABILITY, AVAILABILITY, OR ABILITY TO MEET YOUR NEEDS. WE PROVIDE THE ZIMBRA HOSTING SERVICES “AS IS”.

SOME JURISDICTIONS PROVIDE FOR CERTAIN WARRANTIES, LIKE THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. TO THE EXTENT PERMITTED BY LAW, WE EXCLUDE ALL WARRANTIES.

Liability for our Zimbra Hosting Services

WHEN PERMITTED BY LAW, MCE, AND MCE’S SUPPLIERS AND AFFILIATES, WILL NOT BE RESPONSIBLE FOR LOST PROFITS, REVENUES, OR DATA, FINANCIAL LOSSES OR INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES. TO THE EXTENT PERMITTED BY LAW, THE TOTAL LIABILITY OF MCE, AND ITS SUPPLIERS AND AFFILIATES, FOR ANY CLAIMS UNDER THESE TERMS, INCLUDING FOR ANY IMPLIED WARRANTIES, IS LIMITED TO THE AMOUNT YOU PAID US TO USE THE ZIMBRA HOSTING SERVICES (OR, IF WE CHOOSE, TO SUPPLYING YOU THE ZIMBRA HOSTING SERVICES AGAIN). IN ALL CASES, MCE, AND ITS SUPPLIERS AND AFFILIATES, WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE THAT IS NOT REASONABLY FORESEEABLE.

Business Uses of Our Zimbra Hosting Services

If you are using our Zimbra Hosting Services on behalf of a business, that business accepts these terms and agrees to notify all of its end users of the relevant portions of these Terms of Service. It will hold harmless and indemnify MCE and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Zimbra Hosting Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys’ fees.

About these Terms

We may modify these terms or any additional terms that apply to a Service to, for example, reflect changes to the law or changes to our Zimbra Hosting Services. We will notify you as soon as practicable when we intend to do so or have done so and we will provide you with the modified and additional terms with the notification. Changes will not apply retroactively and will become effective no sooner than fourteen days after notification. However, changes addressing new functions for the Zimbra Hosting Service or changes made for legal reasons will be effective immediately. If you do not agree to the modified or additional terms, you should discontinue your use of the Zimbra Hosting Services.

If there is a conflict between these terms and the additional terms, the additional terms will control for that conflict.

These terms control the relationship between MCE and you. They do not create any third party beneficiary rights.

If you do not comply with these terms, and we don’t take action right away, this doesn’t mean that we are giving up any rights that we may have (such as taking action in the future).

If it turns out that a particular term is not enforceable, this will not affect any other terms.

The laws of the State of Maine, U.S.A. will apply to any disputes arising out of or relating to these terms or the Zimbra Hosting Services. All claims arising out of or relating to these terms or the Zimbra Hosting Services will be litigated exclusively in the federal or state courts of Cumberland County, Maine, U.S.A., and you and MCE consent to personal jurisdiction in those courts.

–end–

Updated 28 October 2020 with minor clarifications to the Mailbox and System Backups and Routine Maintenance section and a recommendation that customers back up their own data.
Updated 3 May 2021 to clarify the restrictions regarding the use of Distribution Lists as a Forwarding mechanism and Forwarding in general.
Updated 9 September 2022 to clarify that we block certain senders, IP addresses and sending domains before accepting their email for analysis.
Updated 30 January 2023 to restrict forwarding to external email accounts.
Updated 10 February 2024 to prohibit email verification and similar services.
Updated 26 February 2024 to clarify explicitly that 2FA is required for Delegated Admin Console access.
Updated 7 March 2024 to clarify explicitly needed settings for SPF and DMARC records.
Updated 7 June 2024 to clarify DMARC policy requirements, payment method, billing minimums and access in the event of non-payment.
Updated 4 July 2024 to clarify steps when a customer will be required to keep a valid credit card on file due to a history of delinquent payments.
Updated 18 October 2024 to increase minimum password length from 14 to 16 characters and to prevent using common passwords.