
Thread: [SOLVED] Unable to send mail via SMTP+TLS+Auth

  1. #11

    If you do a new installation, the self-signed certificates will already be in place; there is no need to run through the self-signed cert wiki.

  2. #12

    I have installed 4.5.6, 4.5.7 and 4.5.9 and out-of-the-box (ie, using the certs that are generated during installation), none work with SMTP Auth over TLS on my Ubuntu 6.06 server. I've checked the AuthURL and other settings per this article and everything is in order.

    In answer to some earlier questions:
    • Yes, I am a network edition customer, but this is an open-source installation we use as part of our evaluation process in previewing and testing new releases. So support may not be available through the usual channels.
    • I need to regenerate the certificates to add some aliases that this server can be contacted on (two different host names on two different domains).

    I would really like to increase the verbosity in the postfix logs but I'm a little unsure of the best way to go about this in a persistent manner; any changes I've made get hosed when I restart zimbra or do "postfix reload".

    More info would certainly help shed some light on where the problem is.

  3. #13

    Still no cigar...

    After many hours of tcpdump, and trawling logs with SASL auth logging everything (cert exchange and cipher negotiation...everything) it appears the problem lies in the auth stage of the mail session. Immediately after the CRAM-MD5 exchange, Zimbra terminates the session. See attached session from the logs.

    I've verified the username and password are correct, and manually gone through an SSL mail session (TCP/465) and confirmed the same.

    I also found the /opt/zimbra/cyrus-sasl/sbin/testsaslauthd command so gave it a shot too, running as "zimbra":

    zimbra@node:~/cyrus-sasl/sbin$ ./testsaslauthd -u <myuser> -p <mypass>
    0: OK "Success."
    zimbra@node:~/cyrus-sasl/sbin$ ./testsaslauthd -u <myuser> -p <mypass> -r gray.net.au
    0: OK "Success."

    So SASL auth is working.

    Where to now??
    Last edited by Centurion; 11-21-2007 at 04:11 PM. Reason: Added testsaslauthd results

  4. #14

    The plot thickens

    Seems that zimbraMtaAuthURL isn't being hit during the authentication stage of the SMTP transaction. Watching our production (4.5.6) server I can see the relevant entries in the /opt/zimbra/tomcat/logs/access_log.2007-11-22 such as:

    10.10.100.25 - - [22/Nov/2007:13:56:59 +1100] "POST /service/soap/ HTTP/1.1" 200 475 "-" "-"

    (The production server's IP is 10.10.100.25) - this entry corresponds to a message I sent from same mail client I cannot use with our staging system.

    So watching tcpdump on loopback and port 443 confirms traffic for the authentication URL is going back and forth on production. However, we are NOT seeing this behaviour on the staging system.

    So it's looking like some weird loopback/IP/name resolution phunkiness.

    FWIW, this Ubuntu 6.06LTS server is using the default /etc/hosts file as constructed during installation:

    zimbra@node:~$ cat /etc/hosts
    127.0.0.1 localhost
    127.0.1.1 node.gray.net.au node

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

    /etc/nsswitch.conf resolves against files, then dns. Also /etc/resolv.conf is set up correctly to use the staging name server and domains.

    <Sigh>...I will keep people posted.

  5. #15

    TLS/SSL is not the problem....

    SMTP with Auth but without TLS/SSL results in the same error as my original post. This really shouldn't be so hard.

    Nov 22 15:41:37 node postfix/smtpd[19248]: connect from iceman.gray.net.au[10.0.0.4]
    Nov 22 15:41:37 node postfix/master[18484]: warning: process /opt/zimbra/postfix-2.2.9/libexec/smtpd pid 19248 killed by signal 11

    Again, no hits in tomcat's access log and no traffic over loopback on tcp/443.

    So this is looking more like a network problem than an SSL/TLS one. The question is, where the hell is postfix trying to authenticate?? I've checked the /opt/zimbra/cyrus-sasl/lib/sasl2/smtpd.conf file along with /opt/zimbra/cyrus-saslauthd.conf* and everything matches what is in LDAP.

    I'm starting to get really frustrated.

  6. #16
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by Centurion View Post
    FWIW, this Ubuntu 6.06LTS server is using the default /etc/hosts file as constructed during installation:

    zimbra@node:~$ cat /etc/hosts
    127.0.0.1 localhost
    127.0.1.1 node.gray.net.au node

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
    This hosts file is incorrect; the correct format should be:

    Code:
    127.0.0.1      localhost.localdomain  localhost
    10.10.100.25   node.gray.net.au       node
    Assuming that 10.10.100.25 is the IP of your zimbra server. I also assume you have correct DNS A & MX records pointing at the server IP address?

    You should also disable IPv6, SELinux and any firewall you have on this server.
    Regards,
    Bill

  7. #17

    Hi Phoenix - thanks for your input!

    Ok, fixed the hosts file with the correct IP for the FQDN (10.0.0.5):
    Code:
    127.0.0.1       localhost.localdomain   localhost
    10.0.0.5        node.gray.net.au        node
    Verified the DNS resolution:
    Code:
    >dig node.gray.net.au
    
    ; <<>> DiG 9.3.2 <<>> node.gray.net.au
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47522
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;node.gray.net.au.              IN      A
    
    ;; ANSWER SECTION:
    node.gray.net.au.       600     IN      A       10.0.0.5
    
    ;; AUTHORITY SECTION:
    gray.net.au.            600     IN      NS      ns1.gray.net.au.
    
    ;; ADDITIONAL SECTION:
    ns1.gray.net.au.        600     IN      A       10.0.0.40
    Which was returned from the DNS server as configured in /etc/resolv.conf.

    Disabled IPv6 (which broke DCC too along the way - need to recompile it)
    Code:
    >cat /etc/modprobe.d/blacklist-ipv6 
    # Never load IPv6 support
    blacklist       ipv6
    Rebooted to make sure IPv6 wasn't coming back, and removed IPv6 entries from /etc/hosts.

    Then retried the tests from Thunderbird and Apple Mail:
    Code:
    ==> /var/log/zimbra.log <==
    Nov 22 19:41:15 node postfix/smtpd[29593]: connect from iceman.gray.net.au[10.0.0.4]
    Nov 22 19:41:15 node postfix/smtpd[29593]: setting up TLS connection from iceman.gray.net.au[10.0.0.4]
    Nov 22 19:41:17 node postfix/smtpd[29593]: TLS connection established from iceman.gray.net.au[10.0.0.4]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Nov 22 19:41:24 node postfix/master[28946]: warning: process /opt/zimbra/postfix-2.2.9/libexec/smtpd pid 29593 killed by signal 11
    Nov 22 19:41:24 node postfix/master[28946]: warning: /opt/zimbra/postfix-2.2.9/libexec/smtpd: bad command startup -- throttling
    During this authenticated SMTP attempt, there was no activity on loopback or eth0 on port 443, and there was no auth request sent to tomcat.

    FWIW, here's the listening ports on the system:
    Code:
    >sudo netstat -tadlp | grep LIST
    tcp        0      0 *:imaps                 *:*                     LISTEN     28819/java          
    tcp        0      0 localhost.localdo:11553 *:*                     LISTEN     26193/MailWatch SQL 
    tcp        0      0 *:pop3s                 *:*                     LISTEN     28819/java          
    tcp        0      0 *:7780                  *:*                     LISTEN     28850/httpd         
    tcp        0      0 node.gray.net.au:ldap   *:*                     LISTEN     28305/slapd         
    tcp        0      0 localhost.localdo:10025 *:*                     LISTEN     28946/master        
    tcp        0      0 localhost.localdom:7306 *:*                     LISTEN     28693/mysqld        
    tcp        0      0 localhost.localdom:7307 *:*                     LISTEN     28550/mysqld        
    tcp        0      0 localhost.l:netbios-ssn *:*                     LISTEN     4076/smbd           
    tcp        0      0 node.gray.n:netbios-ssn *:*                     LISTEN     4076/smbd           
    tcp        0      0 *:pop3                  *:*                     LISTEN     28819/java          
    tcp        0      0 *:imap2                 *:*                     LISTEN     28819/java          
    tcp        0      0 *:10000                 *:*                     LISTEN     4268/perl           
    tcp        0      0 *:www                   *:*                     LISTEN     4243/apache2        
    tcp        0      0 *:7025                  *:*                     LISTEN     28819/java          
    tcp        0      0 *:ssmtp                 *:*                     LISTEN     28946/master        
    tcp        0      0 ns1.gray.net.au:domain  *:*                     LISTEN     3703/named          
    tcp        0      0 localhost.locald:domain *:*                     LISTEN     3703/named          
    tcp        0      0 shell.gray.net.au:ssh   *:*                     LISTEN     4097/sshd           
    tcp        0      0 node.gray.net.au:ssh    *:*                     LISTEN     4097/sshd           
    tcp        0      0 127.0.1.1:ssh           *:*                     LISTEN     4097/sshd           
    tcp        0      0 news.gray.net.au:nntp   *:*                     LISTEN     4154/xinetd         
    tcp        0      0 *:ipp                   *:*                     LISTEN     3735/cupsd          
    tcp        0      0 *:3128                  *:*                     LISTEN     4176/(squid)        
    tcp        0      0 *:smtp                  *:*                     LISTEN     28946/master        
    tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     3703/named          
    tcp        0      0 *:7035                  *:*                     LISTEN     28819/java          
    tcp        0      0 *:https                 *:*                     LISTEN     28819/java          
    tcp        0      0 localhost.:microsoft-ds *:*                     LISTEN     4076/smbd           
    tcp        0      0 node.gray.:microsoft-ds *:*                     LISTEN     4076/smbd           
    tcp        0      0 *:7071                  *:*                     LISTEN     28819/java
    I've just finished downloading 4.5.10_GA and I'll give that a shot.

  8. #18

    Upgraded, still no dice

    As per the title. I upgraded to 4.5.10_GA and still no good with SMTP auth. As I said in an earlier post, the (working) production system has a lot of tcp/443 traffic on loopback and you can see the hits on tomcat when SMTP auth is successful.

    This staging/test system is dead in the water as far as SMTP auth. There seems to be some sort of disconnect between Postfix and saslauthd, or maybe saslauthd and tomcat(?). As there is nothing in /var/log/zimbra.log from saslauthd I'm leaning towards something wrong between Postfix and saslauthd.

    Any other ideas??

  9. #19

    Fixed!!

    After pulling my hair out I decided to use "strace" and map out just what was happening with the system calls while Postfix was trying to carry out authenticated SMTP. What struck me was Postfix was reading sasl libraries from /usr/lib, not /opt/zimbra...(see attached traces). After further investigation it became obvious saslauthd wasn't loading correctly due to broken library paths. Zimbra runs cyrus-sasl 2.1.22.3 (Zimbra 4.5.10_GA) BUT Ubuntu 6.06LTS system libraries (under /usr/lib) use 2.1.19. This led to Zimbra's sasl loading a version of the libraries it wasn't linked against (same problem with postfix) and the link between Postfix and saslauthd was broken.

    The fix was painfully simple: re-order the library search path in /etc/ld.so.conf so the zimbra directories are searched first:

    Original /etc/ld.so.conf
    Code:
    /lib
    /usr/lib
    /usr/local/lib/opt/zimbra/lib
    /opt/zimbra/sleepycat/lib
    /opt/zimbra/openldap/lib
    /opt/zimbra/cyrus-sasl/lib
    Modified (working) /etc/ld.so.conf
    Code:
    /opt/zimbra/lib
    /opt/zimbra/sleepycat/lib
    /opt/zimbra/openldap/lib
    /opt/zimbra/cyrus-sasl/lib
    /lib
    /usr/lib
    /usr/local/lib
    After this modification, I simply refreshed the library cache with "sudo ldconfig" then restarted Zimbra. Sure enough SMTP+TLS+Auth works!

    This thread has highlighted some problems with the installer on Ubuntu 6.06LTS:
    1. The default /etc/hosts file is not "Zimbra friendly".
    2. IPv6 is enabled by default during Ubuntu installation - apparently this should be disabled for Zimbra to function correctly.
    3. The library search path is wrong, resulting in sasl auth failure. This needs to be set either globally (as I did) or specifically at run-time by the Zimbra start scripts.


    Should I raise bugs for these or do one of the Zimbra staff want to handle this?

    Either way, this is SOLVED! Unfortunately there was very little Zimbra support could do in this case unless they had direct access to the box I am using, however, I've tried to be as verbose and precise as possible during the fault-finding and resolution stages to allow them, and others, to adequately diagnose similar problems in future.

    BEWARE!!
    Changing the library search order as I have described here will very likely break other applications on the system that use libraries with the same names (eg, sasl2 etc). I ran into problems with Apache unable to load the Zimbra sasl libraries. I worked around it by manually exporting the correct "LD_LIBRARY_PATH=..." at the top of the /etc/init.d/apache2 script. Ideally, the Zimbra developers should use this technique (ie, "export LD_LIBRARY_PATH") in Zimbra's startup scripts to ensure the correct library path, rather than forcing admins to break the bundled OS packages (by fudging the /etc/ld.so.conf file) in order to gain proper functionality of Zimbra under Ubuntu 6.06LTS.
    Last edited by Centurion; 11-22-2007 at 07:26 PM. Reason: Added warning about modifying the ld.so.conf file.
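The mechanism behind this fix, as an added example that is not part of the thread: the dynamic linker takes the first directory in its search order that contains a given soname, so two same-named libsasl2.so.2 copies are chosen by order alone. The script builds a constructed layout under a temp directory (stand-ins for /usr/lib and /opt/zimbra/cyrus-sasl/lib, not the real paths), compares the two orderings, and checks a constructed ldd listing for SASL libraries resolved outside /opt/zimbra, which is the check the strace session above amounted to.

```shell
#!/bin/sh
# Added example (not from the thread). All paths below are constructed
# under a temp dir; nothing touches the real /etc/ld.so.conf.

# first_match CONF LIB: print the first directory listed in CONF that
# contains LIB, mirroring how ld.so/ldconfig pick among same-named libraries.
first_match() {
    conf="$1"; lib="$2"
    while IFS= read -r dir; do
        case "$dir" in ''|'#'*) continue ;; esac
        if [ -e "$dir/$lib" ]; then printf '%s\n' "$dir/$lib"; return 0; fi
    done < "$conf"
    return 1
}

# foreign_libs PREFIX PATTERN: read ldd output on stdin and print each
# library whose name matches PATTERN but was resolved outside PREFIX.
foreign_libs() {
    prefix="$1"; pattern="$2"
    awk -v p="$prefix" -v pat="$pattern" '
        $2 == "=>" && $1 ~ pat && index($3, p) != 1 { print $1 " -> " $3 }'
}

# Constructed layout: two libsasl2.so.2 copies, like Ubuntu 6.06's
# /usr/lib (2.1.19) beside Zimbra's /opt/zimbra/cyrus-sasl/lib (2.1.22).
root=$(mktemp -d)
mkdir -p "$root/usr/lib" "$root/opt/zimbra/cyrus-sasl/lib"
: > "$root/usr/lib/libsasl2.so.2"
: > "$root/opt/zimbra/cyrus-sasl/lib/libsasl2.so.2"
printf '%s\n' "$root/usr/lib" "$root/opt/zimbra/cyrus-sasl/lib" > "$root/ld.so.conf.orig"
printf '%s\n' "$root/opt/zimbra/cyrus-sasl/lib" "$root/usr/lib" > "$root/ld.so.conf.fixed"

ORIG_PICK=$(first_match "$root/ld.so.conf.orig" libsasl2.so.2)
FIXED_PICK=$(first_match "$root/ld.so.conf.fixed" libsasl2.so.2)
echo "original order picks: $ORIG_PICK"
echo "fixed order picks:    $FIXED_PICK"

# Constructed ldd output resembling a pre-fix smtpd: libsasl2 comes from
# /usr/lib while the OpenLDAP library is correctly taken from /opt/zimbra.
SAMPLE_LDD='libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00002b1e)
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00002b2f)
libldap-2.3.so.0 => /opt/zimbra/openldap/lib/libldap-2.3.so.0 (0x00002b40)'
FOREIGN=$(printf '%s\n' "$SAMPLE_LDD" | foreign_libs /opt/zimbra 'libsasl2')
echo "sasl libs resolved outside /opt/zimbra: $FOREIGN"
```

On a real host the same check is `ldd /opt/zimbra/postfix/libexec/smtpd | foreign_libs /opt/zimbra libsasl2`; an empty result after `ldconfig` confirms the reordered search path took effect.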

  10. #20

    Bug lodged for library path fix

    Logged a bug to get the installer and/or startup scripts to better handle the library search order: Bug ID 21940
