Thread: SASL Auth fails for outgoing SMTP because of Unknown SSL Error?

  1. #1

    Hello all,
    I have recently upgraded my Zimbra Open Source server to the 7.x versions, and am having some issues.

    When I attempt to authenticate to the SMTP server to send outgoing mail, my credentials are rejected. The following appears in /var/log/zimbra.log:

    Code:
    Apr 27 00:45:08 hostname postfix/smtpd[6366]: Anonymous TLS connection established from unknown[**my.ip**]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
    Apr 27 00:45:08 hostname saslauthd[2976]: rel_accept_lock : released accept lock
    Apr 27 00:45:08 hostname saslauthd[2973]: get_accept_lock : acquired accept lock
    Apr 27 00:45:08 hostname saslauthd[2976]: zmauth: authenticating against elected url 'https://mail.hostname.com:7071/service/admin/soap/' ...
    Apr 27 00:45:08 hostname saslauthd[2976]: authentication against url 'https://mail.hostname.com:7071/service/admin/soap/' caused error 'curl_easy_perform: error(35): Unknown SSL protocol error in connection to mail.hostname.com:7071 '
    Apr 27 00:45:08 hostname saslauthd[2976]: url 'https://mail.hostname.com:7071/service/admin/soap/' will not be used for (at least) 600 seconds
    Apr 27 00:45:08 hostname saslauthd[2976]: Authentication cycle re-elected url https://mail.hostname.com:7071/service/admin/soap/, giving up ...
    Apr 27 00:45:08 hostname saslauthd[2976]: auth_zimbra: user@hostname.com auth failed: curl_easy_perform: error(35): Unknown SSL protocol error in connection to mail.hostname.com:7071
    Apr 27 00:45:08 hostname saslauthd[2976]: do_auth         : auth failure: [user=user@hostname.com] [service=smtp] [realm=hostname.com] [mech=zimbra] [reason=Unknown]
    Apr 27 00:45:08 hostname saslauthd[2976]: do_request      : response: NO
    Apr 27 00:45:08 hostname postfix/smtpd[6366]: warning: SASL authentication failure: Password verification failed
    Apr 27 00:45:08 hostname postfix/smtpd[6366]: warning: unknown[**my.ip**]: SASL PLAIN authentication failed: authentication failure

    It appears to me that curl is failing to connect to https://mail.hostname.com:7071 to complete the auth because of an SSL error. Is this because of my using a self-signed certificate? I have never had this issue before, and it seems to have coincided with the 7.x upgrade. Anyone else having a similar issue?
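
Added example, not part of the original post: a small triage script for the saslauthd lines shown above. It separates SMTP AUTH failures caused by the auth backend connection (a libcurl error code in the `auth_zimbra` line) from credential rejections, which postfix reports with the same "authentication failed" warning. The sample log is constructed from the excerpt above; the credential-rejection line shape, the address 192.0.2.10 and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt in the post; the second user's line is hypothetical.
SAMPLE_LOG = """\
Apr 27 00:45:08 hostname saslauthd[2976]: auth_zimbra: user@hostname.com auth failed: curl_easy_perform: error(35): Unknown SSL protocol error in connection to mail.hostname.com:7071
Apr 27 00:45:08 hostname saslauthd[2976]: do_auth         : auth failure: [user=user@hostname.com] [service=smtp] [realm=hostname.com] [mech=zimbra] [reason=Unknown]
Apr 27 00:45:08 hostname postfix/smtpd[6366]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Apr 27 00:47:31 hostname saslauthd[2977]: auth_zimbra: other@hostname.com auth failed: authentication failed for [other@hostname.com]
Apr 27 00:47:31 hostname postfix/smtpd[6370]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
"""

AUTH_FAIL = re.compile(
    r"saslauthd\[\d+\]: auth_zimbra: (?P<user>\S+) auth failed: (?P<detail>.*)$"
)
CURL_ERR = re.compile(r"curl_easy_perform: error\((?P<code>\d+)\)")

# libcurl result codes that point at the backend connection, not the password.
CURL_CODES = {
    6: "backend hostname did not resolve",
    7: "backend TCP connection failed",
    35: "TLS handshake with backend failed",
    60: "backend certificate not trusted by the configured CA",
}

def classify(log_text):
    """Return (user, kind, curl_code, reason) for every auth_zimbra failure."""
    results = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue  # postfix and do_auth lines carry no root cause
        c = CURL_ERR.search(m["detail"])
        if c:
            code = int(c["code"])
            reason = CURL_CODES.get(code, "other libcurl error")
            results.append((m["user"], "backend", code, reason))
        else:
            results.append((m["user"], "credentials", None, m["detail"].strip()))
    return results

def summary(results):
    """Count failures per kind, e.g. to keep backend outages out of brute-force alerts."""
    return Counter(kind for _, kind, _, _ in results)

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```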

  2. #2

    Still haven't found any solutions to this issue... since this is a smaller email system my users have been content to use the web interface for now, which has no authentication issues at all...

    It appears as though libcurl is not recognizing the validity of my certificate because it isn't being supplied with the correct CA certs. Where is this configured in Zimbra?

    If I use command-line curl to access https://mail.hostname.com:7071/service/admin/soap/ , it will fail. But if I use:
    curl --cacert /opt/zimbra/conf/ca/ca.pem -vv -3 https://mail.hostname.com:7071

    it works perfectly. How can I inform SASLAUTHD to use this ca cert?

  3. #3

    Okay, I think I've isolated the issue. It looks like a bug in the version of curl (and thus libcurl) in my installation:

    Code:
    CURL distributed with my system (Ubuntu 10.04)
    
    root@hostname:/# curl -vvv --cacert /opt/zimbra/conf/ca/ca.pem https://mail.hostname.com:7071
    * About to connect() to mail.hostname.com port 7071 (#0)
    *   Trying 206.221.217.246... connected
    * Connected to mail.hostname.com (206.221.217.246) port 7071 (#0)
    * successfully set certificate verify locations:
    *   CAfile: /opt/zimbra/conf/ca/ca.pem
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using DHE-RSA-AES256-SHA
    * Server certificate:
    *        subject: C=US; ST=TX; O=hostname; OU=Zimbra Collaboration Suite; CN=*.hostname.com
    *        start date: 2011-06-18 03:11:20 GMT
    *        expire date: 2021-06-15 03:11:20 GMT
    *        common name: *.hostname.com (matched)
    *        issuer: C=US; ST=N/A; L=N/A; O=Zimbra Collaboration Suite; OU=Zimbra Collaboration Suite; CN=mail.hostname.com
    *        SSL certificate verify ok.
    > GET / HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
    > Host: mail.hostname.com:7071
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    < Date: Sat, 18 Jun 2011 03:59:09 GMT
    < Expires: Tue, 24 Jan 2000 20:46:50 GMT
    < Cache-Control: no-store, no-cache, must-revalidate, max-age=0
    < Pragma: no-cache
    < Content-Type: text/html; charset=utf-8
    < Location: https://mail.hostname.com:7071/zimbraAdmin
    < Content-Length: 0
    <
    * Connection #0 to host mail.hostname.com left intact
    * Closing connection #0
    * SSLv3, TLS alert, Client hello (1):
    
    Works fine. Now, using the CURL included with zimbra:
    
    
    root@hostname:/# /opt/zimbra/curl/bin/curl -vvv --cacert /opt/zimbra/conf/ca/ca.pem https://mail.hostname.com:7071
    * About to connect() to mail.hostname.com port 7071 (#0)
    *   Trying 206.221.217.246... connected
    * Connected to mail.hostname.com (206.221.217.246) port 7071 (#0)
    * successfully set certificate verify locations:
    *   CAfile: /opt/zimbra/conf/ca/ca.pem
      CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * Unknown SSL protocol error in connection to mail.hostname.com:7071
    * Closing connection #0
    curl: (35) Unknown SSL protocol error in connection to mail.hostname.com:7071
    
    Immediate failure due to unknown protocol error?
    
    root@hostname:/# curl --version
    curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
    Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
    Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
    root@hostname:/# /opt/zimbra/curl/bin/curl --version
    curl 7.21.4 (x86_64-unknown-linux-gnu) libcurl/7.21.4 OpenSSL/1.0.0d zlib/1.2.3.3
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
    Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz

    As you can see, when I use the version of curl included with my OS, it has no issues connecting. But when I use the version of curl included with Zimbra... it immediately chokes and dies, claiming an unknown SSL error.

    I don't have a particularly exotic installation, standard settings all throughout, so I don't really understand how I could have what seems to be a bad version of curl but nobody else has reported the issue? The only difference between the two commands is the version of curl used, so I don't really understand what else could be the problem?

    Edit: Well, I guess OpenSSL could be the problem too...?
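
Added example, not part of the original post: a parser for `curl -v` traces like the two above that reports how far the TLS handshake got. The peer's chain is only checked against the CA bundle after the server's Certificate message (handshake type 11) arrives, so a trace that stops after Client hello failed before `--cacert` could play any part. The traces are constructed abbreviations of the output in the post; the function names are assumptions.

```python
import re

# Constructed samples, abbreviated from the two traces in the post.
TRACE_SYSTEM = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
*        SSL certificate verify ok.
"""
TRACE_ZIMBRA = """\
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to mail.hostname.com:7071
curl: (35) Unknown SSL protocol error in connection to mail.hostname.com:7071
"""

HANDSHAKE = re.compile(r"^\*\s+SSLv3, TLS handshake, (?P<name>.+?) \((?P<type>\d+)\):")
EXIT = re.compile(r"^curl: \((?P<code>\d+)\)")

def analyse(trace):
    """Summarise handshake progress from curl's verbose output."""
    seen, exit_code, verified = [], 0, False
    for raw in trace.splitlines():
        line = raw.strip()
        m = HANDSHAKE.match(line)
        if m:
            seen.append((int(m["type"]), m["name"]))
        elif "SSL certificate verify ok" in line:
            verified = True
        else:
            e = EXIT.match(line)
            if e:
                exit_code = int(e["code"])
    types = {t for t, _ in seen}
    return {
        "last_message": seen[-1] if seen else None,
        "server_replied": 2 in types,   # ServerHello seen
        "cert_received": 11 in types,   # server Certificate seen
        "verify_ok": verified,
        "exit_code": exit_code,
    }

def ca_bundle_could_matter(report):
    """True only if a certificate arrived and was not verified."""
    return report["cert_received"] and not report["verify_ok"]
```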

  4. #4

    Can you post the output of these commands?

    ls -l /opt/zimbra/cyrus-sasl/etc/
    cat /opt/zimbra/cyrus-sasl/etc/saslauthd.conf.in
