Hello, all. We are brand new to Zimbra and like what we see but are having a bear of a time getting it right (about to start our seventh installation). It did look like all was right until we changed the certificates used from the default, self generated certs to a cert issued by our internal PKI. We did this using the export CSR / import cert functionality of the administration web interface. The first thing we noticed was our external LDAP authentication broke unless we turned off SSL. After rebooting the zimbra vserver a couple of times, we suddenly noticed that the one secondary domain we created disappeared!
We have an admittedly moderately complex environment. We have a main server running everything (except Anti-SPAM on the MTA) and another Zimbra server functioning as the Internet MTA in the DMZ. These are both running as vservers on CentOS 5.3 using kernel 188.8.131.52 and vserver 2.3.x. We have enabled loopback remapping and disabled Single IP Special Casing. We are using CentOS Directory Server 8.0 as the main ldap directory but have not replaced the provided openldap directory for Zimbra as we were concerned with forward compatibilty. Instead, we simply use external authentication and a combined GAL. We are running Zimbra GA16.
The logs seem infuriatingly clean but we do notice there are several stacktraces in /opt/zimbra/log.
A packet trace of the failed LDAP communication surprised us in that it showed the LDAP server rejecting the Zimbra certificate and not the other way around. We do not yet know why (in fact the CA cert was copied from the one used by the LDAP server) and were surprised that Zimbra was furnishing its cert. I would have expected it would be requesting the LDAP server cert simply to encrypt traffic.
Unfortunately, I don't have time to troubleshoot this as we are behind on this project. I am about to destroy and rebuild the entire set up as I do know there were some errors we made along the way (a typo in the reverse lookup for the main zimbra server, a missing MX record for the secondary domain, and installing a second logger on the Internet MTA). Not tracking this down may jump up to bite us later!
I thought I would flag it to the list in case anyone has seem anything similar. I find losing a domain and its resources rather disconcerting!
Thanks - so far very impressed if we could just get it working - John