
Thread: [SOLVED] NE Migration: SMTP AUTH Failure


  1. #1
    Join Date
    Apr 2006
    Posts
    29
    Rep Power
    9

    Default [SOLVED] NE Migration: SMTP AUTH Failure

    Following a migration from the Open Source Edition to the Network Edition I ran into a few problems. Currently some SOAP operations fail but my biggest problem is that SMTP AUTH is failing. I demonstrated the problem to Zimbra Support this morning and they are investigating.. but as we get closer to Monday morning can anyone offer any suggestions to help?

    As I'm seeing other problems with SOAP could this be a SOAP communication problem rather than a SASL problem?

    I have looked over the SMTP AUTH Wiki entry as well as the forum but it looks like everything should be fine for me.

    Here's the log entry (below) plus some supporting info. Can anyone help? (Note that TLS secure communication on its own works fine; the only error is when sending outgoing emails using SMTP AUTH.)

    thanks - Mark

    Sep 29 09:37:14 www postfix/smtpd[32292]: connect from unknown[x.x.x.x]
    Sep 29 09:37:15 www postfix/smtpd[32292]: setting up TLS connection from unknown[x.x.x.x]
    Sep 29 09:37:17 www postfix/smtpd[32292]: TLS connection established from unknown[x.x.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication failure: no secret in database
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL CRAM-MD5 authentication failed
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www last message repeated 4 times
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication failure: Password verification failed
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 29 09:37:24 www last message repeated 5 times
    Sep 29 09:37:24 www postfix/smtpd[32292]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed

    [zimbra@www log]$ zmprov -l gs mail.mydomain.com | grep Auth

    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: mail.mydomain.com
    zimbraMtaAuthURL: https://mail.mydomain.com/service/soap/
    zimbraMtaTlsAuthOnly: TRUE

    [zimbra@www conf]$ grep sasl main.cf

    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, permit
    smtpd_sasl_auth_enable = yes
    smtp_sasl_security_options =

  2. #2
    Join Date
    Apr 2006
    Posts
    29
    Rep Power
    9

    Default

    A little about the migration....

    SMTP AUTH was working fine prior to the migration. After the migration (following the WIKI entry for Zimbra 4.5.6 that I was using), SMTP AUTH failed. I also lost all the Admin Extensions for the NE edition.

    I upgraded NE to 4.5.7 and this reintroduced the Admin extensions and correctly accepted my license key. However SMTP AUTH was still a problem.

    An example of the SOAP error is when I go into NE Mail Queues in the ADMIN UI and this generates an error. Note that my mail server is mail.mydomain.com but my domain is mydomain.com. Is it correct that the Zimbra user here (who doesn't exist as a mail account) is constructed from zimbra@ (mail server hostname), or should it be zimbra@ (my domain)? If it's the latter, how do I change this... the Zimbra account is not a normal mail account.

    Message: system failure: exception during auth {RemoteManager: mail.mydomain.com->zimbra@mail.mydomain.com:22}
    Error code: service.FAILURE
    Method: ZmCsfeCommand.prototype.invoke
    Details:soap:Receiver

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    You don't mention whether you've set this:
    Code:
    $ zmprov gs zimbra.domain.com | grep Mode
    zimbraMailMode: mixed
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Also the zimbraMtaAuthURL doesn't match this with the port number 443 in there:

    Code:
    zimbraMtaAuthURL: https://zimbra.domain.com:443/service/soap/
    Regards


    Bill



  5. #5
    Join Date
    Apr 2006
    Posts
    29
    Rep Power
    9

    Default

    Hi Bill,

    I should have said that the mode is mixed and I had seen a posting where 443 in the URL seemed usual. However HTTPS implies 443 so I discounted this early on. Just in case, I tried adding 443 to the URL below but I receive a message that this URL can not be modified:

    $ zmprov ms mail.mydomain.com zimbraMtaAuthURL https//mail.mydomain.com:443/service/soap/
    ERROR: service.INVALID_REQUEST (invalid request: zimbraMtaAuthURL is immutable)

    I think the URL is good though.. the question is whether anything is listening on it...

    Mark

  6. #6
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by markpr View Post
    I think the URL is good though.. the question is whether anything is listening on it...
    The question then follows: can you telnet to mail.mydomain.com 443 and get any response? I see you've answered the support case so I'll leave you with that rather than have two of us asking you questions.
    Regards


    Bill



  7. #7
    Join Date
    Apr 2006
    Posts
    29
    Rep Power
    9

    Default

    Just a recap of how things look on the system:

    1) SASLAUTHD sees the Zimbra authentication mechanism as being available:

    $ /opt/zimbra/cyrus-sasl-2.1.22.3/sbin/saslauthd -v
    saslauthd 2.1.22
    authentication mechanisms: getpwent kerberos5 pam rimap shadow zimbra

    2) SASLAUTHD is running with the Zimbra authentication mechanism active

    zimbra 23499 1 0 09:07 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.22.3/sbin/saslauthd -r -a zimbra

    3) saslauthd configuration looks good:

    $ more /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/etc/saslauthd.conf
    zimbra_url: https://mail.mydomain.com/service/soap/
    zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
    zimbra_cert_check: off

    4) postfix configuration looks good:

    $ more /opt/zimbra/cyrus-sasl/lib/sasl2/smtpd.conf
    #
    log_level: 7
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
    saslauthd_path: /opt/zimbra/cyrus-sasl/state/mux

    (note that I increased the log level to 7 and uncommented the saslauthd_path but neither helped)

    5) From the logs we know that postfix is accepting the SMTP AUTH request and handing this off to SASL for authentication. We can also see that SASL tries 3 authentication mechanisms (CRAM-MD5, PLAIN and LOGIN).

    This is one thing that makes me believe that the postfix configuration file (smtpd.conf in #4) is not being used... increased logging doesn't help, the commented saslauthd_path and the attempt at an undocumented authentication method CRAM-MD5. I think that Zimbra is built to use a different method to configure postfix for saslauthd... and that this smtpd.conf is a hold-over from an earlier version of Zimbra.


    The help I need is to understand the "Zimbra" authentication method that is configured for saslauthd. I can't troubleshoot too far without help on this...

    What may help is also to understand where postfix is getting the smtp.conf for saslauthd so that I can turn up debugging to level 7 and see what else may be going on....

    thanks

    Mark

    BTW here's the logs again

    Oct 1 09:41:26 www postfix/smtpd[5139]: TLS connection established from unknown[x.x.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Oct 1 09:41:26 www postfix/smtpd[5139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Oct 1 09:41:26 www postfix/smtpd[5139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Oct 1 09:41:26 www postfix/smtpd[5139]: warning: SASL authentication failure: no secret in database
    Oct 1 09:41:26 www postfix/smtpd[5139]: warning: unknown[x.x.x.x]: SASL CRAM-MD5 authentication failed
    Oct 1 09:41:26 www postfix/smtpd[5139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Oct 1 09:41:26 www last message repeated 4 times
    Oct 1 09:41:26 www postfix/smtpd[5139]: warning: SASL authentication failure: Password verification failed
    Oct 1 09:41:26 www postfix/smtpd[5139]: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed
    Oct 1 09:41:27 www postfix/smtpd[5139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Oct 1 09:41:27 www last message repeated 5 times
    Oct 1 09:41:27 www postfix/smtpd[5139]: warning: unknown[x.x.x.x]: SASL LOGIN authentication failed
    Oct 1 09:41:32 www postfix/smtpd[5139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Oct 1 09:41:32 www last message repeated 2 times

  8. #8
    Join Date
    Apr 2006
    Posts
    29
    Rep Power
    9

    Default

    This problem is resolved (thanks all)

    SMTP AUTH follows this path:

    postfix => hands off to cyrus-sasl => uses the SOAP TOMCAT URL => retrieves credentials data from ZIMBRA LDAP.

    The problem was that postfix "master" was linking against the Operating System version of libsasl. You could see this with an ldd on /opt/zimbra/postfix/libexec/master.

    The workaround was to perform this action:

    cp /etc/ld.so.conf.d/zimbra.ld.conf /etc/ld.so.conf.d/azimbra.ld.conf
    ldconfig /etc/ld.so.conf.d/azimbra.ld.conf

    An ldd on master would then show the correct Zimbra libraries being used.

    This problem occurs in RH (64bit) 5 with Zimbra 4.5.6 and 4.5.7

    Mark
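
The ldd check described in post #8 (which libsasl the postfix master binary resolves to) can be scripted. This is an added example, not part of the original thread or of Zimbra's tooling; the sample ldd output, its library paths and the function names are constructed for illustration.

```shell
# Added example: decide from ldd output whether a binary picks up libsasl2
# from the Zimbra tree or from the operating system.

ZIMBRA_PREFIX="/opt/zimbra"   # prefix taken from the paths shown in the thread

# Constructed sample ldd output (library paths and addresses are illustrative).
LDD_BEFORE='    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b0000200000)'
LDD_AFTER='    libsasl2.so.2 => /opt/zimbra/cyrus-sasl-2.1.22.3/lib/libsasl2.so.2 (0x00002b0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b0000200000)'

# Read ldd output on stdin and print the path libsasl2 resolves to.
# Prints "not" for an unresolved library ("libsasl2.so.2 => not found")
# and nothing when the binary does not reference libsasl2 at all.
sasl_lib_path() {
    awk '$1 ~ /^libsasl2\.so/ && $2 == "=>" { print $3; exit }'
}

# Classify ldd output passed as $1: zimbra, system, missing or not-linked.
classify_sasl_linkage() {
    _path=$(printf '%s\n' "$1" | sasl_lib_path)
    case "$_path" in
        "")                 echo "not-linked" ;;
        not)                echo "missing" ;;
        "$ZIMBRA_PREFIX"/*) echo "zimbra" ;;
        *)                  echo "system" ;;   # OS copy: the failure case in this thread
    esac
}

# On a live host, pass the real output instead of the samples:
#   classify_sasl_linkage "$(ldd /opt/zimbra/postfix/libexec/master)"
echo "before workaround: $(classify_sasl_linkage "$LDD_BEFORE")"
echo "after workaround:  $(classify_sasl_linkage "$LDD_AFTER")"
```

A result of `system` matches the symptom in the logs above: the OS libsasl falls back to /etc/sasldb2 instead of handing the request to saslauthd.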

  9. #9
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    the usual marking as [solved]
