
Thread: SMTP SSL error


  1. #1
    Join Date
    Nov 2005
    Location
    London
    Posts
    19
    Rep Power
    9

    Question SMTP SSL error

    Firstly, this is a great project - I have been looking for a solution like this for a while. I hope to use zimbra as the messaging platform component in a community toolset package I am building.

    I've got the whole kit running on a dev server (FC3) inside a firewall. I have http access, users can logon via HTTP and send / receive email no problem. Remote clients (I'm using iMail) can connect with IMAP/S and read write their folders. All good.

    I am trying to use Zimbra as SMTP server for remote clients. I am getting an SSL failure when clients connect.

    Code:
    Nov  8 17:10:11 mx postfix/smtpd[6234]: connect from MY IP
    Nov  8 17:10:11 mx postfix/smtpd[6234]: setting up TLS connection from MY IP
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:before/accept initialization
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (11 bytes => -1 (0xFFFFFFFF))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv2/v3 read client hello A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (11 bytes => 11 (0xB))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0000 16 03 01 00 57 01 00 00|53 03 01                 ....W... S..
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6EB] (81 bytes => -1 (0xFFFFFFFF))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client hello B
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client hello B
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6EB] (81 bytes => 81 (0x51))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0000 43 70 db f3 ef 31 79 9f|40 4a f7 6b db d0 1b 81  Cp...1y. @J.k....
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0010 71 e9 31 3c 02 e2 c9 7e|4d 1a d9 ec ba f0 21 e5  q.1<...~ M.....!.
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0020 00 00 2c 00 05 00 04 00|0a ff 83 00 09 ff 82 00  ..,..... ........
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0030 03 00 08 00 06 ff 80 00|01 00 16 00 15 00 14 00  ........ ........
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0040 13 00 12 00 11 00 18 00|1b 00 1a 00 17 00 19 01  ........ ........
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 0050 - <SPACES/NULLS>
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 read client hello B
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write server hello A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write certificate A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 write server done A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: write to 088B5090 [088CD808] (684 bytes => 684 (0x2AC))
    
    some data is exchanged....
    
    Nov  8 17:10:11 mx postfix/smtpd[6234]: 02a9 - <SPACES/NULLS>
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:SSLv3 flush data
    Nov  8 17:10:11 mx postfix/smtpd[6234]: read from 088B5090 [088BF6E0] (5 bytes => -1 (0xFFFFFFFF))
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept:error in SSLv3 read client certificate A
    Nov  8 17:10:11 mx postfix/smtpd[6234]: SSL_accept error from MY IP: -1
    Nov  8 17:10:11 mx postfix/smtpd[6234]: lost connection after STARTTLS MY IP
    Nov  8 17:10:11 mx postfix/smtpd[6234]: disconnect from MY IP
    I've been digging around the forums... for example yes, I am using the full user@server.com to connect. I've plans for multiple domains so I edited with the zmsaslauthdctl.

    I think that the issue is that my certificate is for localhost.localdomain. I've tried to recreate my certs, but the script still gets localhost.localdomain from running hostname --fqdn. Maybe I should take that out?

    Anyway - what thoughts do people have?

    /rob

  2. #2
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default cert hostname

    That's almost certainly the problem. You can either edit the zmcreatecert script, and rebuild the certs - or set your hostname differently, then rerun the scripts...

  3. #3
    Join Date
    Nov 2005
    Location
    London
    Posts
    19
    Rep Power
    9

    Default

    [zimbra@mx bin]$ hostname --fqdn
    localhost.localdomain

    [zimbra@mx bin]$ hostname
    mx.networkassociations.org.uk

    hummmm....I'll take off the --fqdn and see what happens.

    Thanks for your input!

  4. #4
    Join Date
    Nov 2005
    Location
    London
    Posts
    19
    Rep Power
    9

    Default hostname --fqdn

    I removed --fqdn from zmcreatecert and a cert mx.networkassociations.org.uk was created.

    I figured I'd need to do the same to zmcertinstall. Which I have done.

    now to zmcertinstall.....

    Code:
    [zimbra@mx bin]$ zmcertinstall
    ** Importing server cert
    
    /opt/zimbra/bin/zmcertinstall: line 74: [: =: unary operator expected
    cp: missing destination file
    Try `cp --help' for more information.
    [zimbra@mx bin]$ zmcertinstall mail
    ** Importing server cert
    
    cp: missing destination file
    Try `cp --help' for more information.
    [zimbra@mx bin]$
    I get an error on line 74 of zmcertinstall which is the line beginning keytool in
    Code:
    importCert() {
    
        echo "** Importing server cert"
        echo
    
        if [ $APP = "mailbox" ]; then
            keytool -import -alias tomcat -keystore ${TOMCAT}/keystore \
                -trustcacerts -file ${CERTFILE} -storepass zimbra
        else
            cp -f $CERTFILE ${CONF}/smtpd.crt
            cp -f $KEYFILE ${CONF}/smtpd.key
        fi
    
    }
    Last edited by robroadie; 11-08-2005 at 09:48 AM.
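
The `[: =: unary operator expected` message in the post above is what the unquoted `[ $APP = "mailbox" ]` test produces when `zmcertinstall` is run with no argument, and because `if` treats that error as false, the `else` branch with `cp` runs anyway. An added example, not part of the thread and not Zimbra's code, that reproduces this and shows a quoted, validated variant; the function names, return codes and `.new` staging files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a stand-in for the importCert logic quoted above, not Zimbra's
# script. Function names and return codes are choices made for this example.

# The unquoted test from the post. Status 0 = equal, 1 = not equal,
# >1 = test(1) could not parse its arguments (the case when APP is empty).
unquoted_test() {
    APP=$1
    [ $APP = "mailbox" ] 2>/dev/null
}

# Accept only the two component names used in the thread.
check_app() {
    case "$1" in
        mailbox|mta) return 0 ;;
        *) echo "expected 'mailbox' or 'mta', got '$1'" >&2; return 64 ;;
    esac
}

# Copy certificate and key into CONFDIR as a pair. Every input is checked
# before anything is written, so an empty variable cannot reach cp.
install_mta_pair() {
    cert=$1 key=$2 conf=$3
    for f in "$cert" "$key"; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "missing input: '$f'" >&2; return 66; }
    done
    [ -d "$conf" ] || { echo "no such directory: '$conf'" >&2; return 66; }
    cp -f -- "$cert" "$conf/smtpd.crt.new" &&
    cp -f -- "$key"  "$conf/smtpd.key.new" &&
    chmod 600 "$conf/smtpd.key.new" &&
    mv -f -- "$conf/smtpd.crt.new" "$conf/smtpd.crt" &&
    mv -f -- "$conf/smtpd.key.new" "$conf/smtpd.key"
}

# Show the three outcomes of the unquoted test: match, no match, parse error.
for arg in mailbox mail ""; do
    unquoted_test "$arg"; echo "APP='$arg' -> unquoted test status $?"
done
```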

  5. #5
    Join Date
    Nov 2005
    Location
    London
    Posts
    19
    Rep Power
    9

    Default

    ok - this time I'll type the right command ;-)
    Code:
    [zimbra@mx bin]$ zmcertinstall mailbox
    ** Importing server cert
    
    keytool error: java.lang.Exception: Failed to establish chain from reply
    [zimbra@mx bin]$

  6. #6
    Join Date
    Nov 2005
    Location
    London
    Posts
    19
    Rep Power
    9

    Default

    previously.....before I tried to recreate a host key the data exchanged between the server and the client referenced localhost.localdomain

    Code:
    Nov  8 17:44:05 mx postfix/smtpd[6234]: 0150 30 1c 06 03 55 04 03 13|15 6c 6f 63 61 6c 68 6f  0...U... .localho
    Nov  8 17:44:05 mx postfix/smtpd[6234]: 0160 73 74 2e 6c 6f 63 61 6c|64 6f 6d 61 69 6e 30 81  st.local domain0.
    Nov  8 17:44:05 mx postfix/smtpd[6234]: 0170 9f 30 0d 06 09 2a 86 48|86 f7 0d 01 01 01 05 00  .0...*.H ........
    now I see mx.networkassociations.org.uk in the exchange.....

    Code:
    Nov  8 17:54:14 mx postfix/smtpd[23043]: 00c0 62 72 61 31 26 30 24 06|03 55 04 03 13 1d 6d 78  bra1&0$. .U....mx
    Nov  8 17:54:14 mx postfix/smtpd[23043]: 00d0 2e 6e 65 74 77 6f 72 6b|61 73 73 6f 63 69 61 74  .network associat
    Nov  8 17:54:14 mx postfix/smtpd[23043]: 00e0 69 6f 6e 73 2e 6f 72 67|2e 75 6b 30 1e 17 0d 30  ions.org .uk0...0

  7. #7
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default Fun with certificates

    The problem here is that your keystore has the old my_ca alias in it, and you want to recreate that.

    keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    Should show a my_ca alias and a tomcat alias. Delete them both:

    keytool -delete -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra -alias my_ca

    keytool -delete -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra -alias tomcat

    Then re-run the zmcreatecert and zmcertinstall commands.

  8. #8
    Join Date
    Nov 2005
    Location
    London
    Posts
    19
    Rep Power
    9

    Default

    Quote Originally Posted by marcmac
    The problem here is that your keystore has the old my_ca alias in it, and you want to recreate that.
    keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    Should show a my_ca alias and a tomcat alias. Delete them both:
    done. but it only displayed 1 entry - tomcat

    Quote Originally Posted by marcmac
    Then re-run the zmcreatecert and zmcertinstall commands.
    right......
    Code:
    [zimbra@mx bin]$ zmcertinstall mta
    ** Importing server cert
    cp: missing destination file
    Try `cp --help' for more information.
    [zimbra@mx bin]$ whoami
    zimbra
    [zimbra@mx bin]$ keytool -list -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    tomcat, 08-Nov-2005, keyEntry,
    Certificate fingerprint (MD5):  printed....
    [zimbra@mx bin]$

  9. #9
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default I lied

    Wrong keystore for the ca - that's in /opt/zimbra/java/jre/lib/security/cacerts...

    keytool -list -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

    keytool -delete -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias my_ca

  10. #10
    Join Date
    Nov 2005
    Location
    London
    Posts
    19
    Rep Power
    9

    Default

    Quote Originally Posted by marcmac
    Wrong keystore for the ca - that's in /opt/zimbra/java/jre/lib/security/cacerts...

    keytool -list -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

    keytool -delete -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -alias my_ca
    this is where I'm at.....

    Code:
    Nov  8 19:02:12 mx zimbramon[18688]: 18688:info: start app postfix 
    Nov  8 19:02:12 mx zimbramon[18688]: 18688:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused 
    Nov  8 19:02:12 mx zimbramon[18688]: 18688:info: Starting child postfix: (20051108190212) 
    Nov  8 19:02:26 mx postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.3/conf/main.cf
    Nov  8 19:02:26 mx postfix/postfix-script: starting the Postfix mail system
    Nov  8 19:02:26 mx zimbramon[18688]: 18688:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused 
    Nov  8 19:02:26 mx postfix/master[20096]: daemon started -- version 2.2.3, configuration /opt/zimbra/postfix-2.2.3/conf
    Nov  8 19:02:28 mx postfix/smtpd[20099]: initializing the server-side TLS engine
    Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
    Nov  8 19:02:28 mx postfix/smtpd[20099]: warning: TLS library problem: 20099:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
    Nov  8 19:02:28 mx postfix/smtpd[20099]: cannot load RSA certificate and key data
    Nov  8 19:02:28 mx postfix/smtpd[20099]: connect from mx.networkassociations.org.uk[127.0.0.1]
    Nov  8 19:02:28 mx zimbramon[18688]: 18688:info: Doing startup 
    Nov  8 19:02:28 mx postfix/smtpd[20099]: disconnect from mx.networkassociations.org.uk[127.0.0.1]
    Nov  8 19:02:29 mx zimbramon[20103]: 20103:info: Zimbra Monitor startup: 20103 
    Nov  8 19:02:29 mx zimbramon[20103]: 20103:info: Process 6227 not found - removing /opt/zimbra/zimbramon/FIFO/zm.pid 
    Nov  8 19:02:29 mx zimbramon[20117]: 20117:info: Status monitor startup 
    Nov  8 19:02:29 mx zimbramon[20118]: 20118:info: Creating soap server on port 7777 
    Nov  8 19:02:41 mx postfix/smtpd[20099]: connect from mx.networkassociations.org.uk[127.0.0.1]
    Nov  8 19:02:41 mx postfix/smtpd[20099]: disconnect from mx.networkassociations.org.uk[127.0.0.1]
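
The `X509_check_private_key:key values mismatch` line in the log above means the certificate and the private key that Postfix loaded do not belong to the same key pair. An added example, not from the thread or from Zimbra's scripts, of checking a certificate/key pair before restarting Postfix; it assumes the `openssl` command-line tool, and the throwaway files and the hostname `mx.example.test` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): does a certificate belong to a key?

# 0 = same public key, 1 = different keys, 2 = a file could not be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build constructed test material in directory $1: new.key and new.crt belong
# together, old.key is an unrelated key such as one left from an earlier run.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mx.example.test" \
        -keyout "$1/new.key" -out "$1/new.crt" 2>/dev/null &&
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
}

# report CERT KEY: print one line and return the status of the check.
report() {
    cert_matches_key "$1" "$2"; rc=$?
    case $rc in
        0) echo "OK: $1 matches $2" ;;
        1) echo "MISMATCH: $1 was not issued for $2" ;;
        *) echo "ERROR: cannot read $1 or $2" ;;
    esac
    return $rc
}

# Demonstration on the constructed files: one matching pair, one mismatch.
dir=$(mktemp -d) && make_fixture "$dir" && {
    report "$dir/new.crt" "$dir/new.key"
    report "$dir/new.crt" "$dir/old.key"
}
rm -rf "$dir"
```

On the server in the thread, the same check would be pointed at the `smtpd.crt` and `smtpd.key` files under `/opt/zimbra/conf`.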
