Thread: Relays & TLS/SPA

  1. #1
    Join Date
    May 2006
    Location
    Flyover USA (aka SW Iowa)
    Posts
    10
    Rep Power
    9

    Relays & TLS/SPA

    Hello -

    Have followed several of the threads here about relays (and relay denied issues), use of TLS (and an apparent issue in the zmmta.cf between Outlook SPA and Thunderbird), and SPA issues. Unfortunately I'm still missing something which may be relatively obvious.

    My status: a happy, working Zimbra system with web functionality working properly (still working on the third party cert, but that's another matter). However, Outlook clients aren't working with SPA and SSL. When the client is set to use SPA, "outgoing server requires authentication", "use same settings as my incoming server", and under Advanced, "The server requires an encrypted connection (SSL)" - I get errors that SMTP rejects my username & password and that POP3 does not support SPA.

    Backing off SPA on the Outlook client, POP3 works under SSL but SMTP still rejects the username.

    If I back off of SMTP Auth on the Outlook client, all works fine (presumably under SSL since those are still specified in the client) - except the MTA now rejects any outside-domain email since my client isn't authenticated.

    On the Global settings, both these are enabled:
    Enable Authentication: YES
    TLS authentication only: YES (if unchecked, then SMTP SSL fails on Outlook)

    I did try the hack to zmmta.cf (placing a ! in front of the smtpd_tls_auth_only) and it caused all SSL/TLS to fail from Outlook.

    Any suggestions would be appreciated, especially those that enable SMTP Auth and SPA if possible under Zimbra. I've also tried using a relay host but it is an old SMTP (non-SSL) host and when I set to use it as the relay, the messages fail due to it rejecting a SSL session (which must just get forwarded or redirected from the Zimbra server).

    Thanks -

    Jamie

  2. #2
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19


    What if you try with auth on but turn off:

    under Advanced, "The server requires an encrypted connection (SSL)"

    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3
    Join Date
    May 2006
    Location
    Flyover USA (aka SW Iowa)
    Posts
    10
    Rep Power
    9


    Quote Originally Posted by KevinH
    What if you try with auth on but turn off:

    under Advanced, "The server requires an encrypted connection (SSL)"

    SMTP sending works but relay fails (access denied) when:
    - Auth required = YES
    - SSL connection required for SMTP = NO
    - SPA = NO

    For grins, I tried:
    - Auth required = YES
    - SSL connection required for SMTP = NO
    - SPA = YES

    And it rejects the SMTP session as follows:

    Task 'mail.(servername).com - Receiving' reported error (0x800CCC18) : 'Your e-mail server rejected your login with Secure Password Authentication. Verify your account properties. Under Tools, click E-mail accounts.'

    I'm guessing that relay must be failing above in the first example as it isn't truly logging in - no?

    Jamie

  4. #4
    Join Date
    May 2006
    Location
    Flyover USA (aka SW Iowa)
    Posts
    10
    Rep Power
    9

    zmprov gs data

    in case it's relevant...

    cn: (servername removed)
    objectClass: zimbraServer
    zimbraAdminPort: 7071
    zimbraFileUploadMaxSize: 10485760
    zimbraId: 0de1a716-d529-41d6-b739-89207c3d189d
    zimbraImapBindOnStartup: TRUE
    zimbraImapBindPort: 143
    zimbraImapCleartextLoginEnabled: FALSE
    zimbraImapNumThreads: 200
    zimbraImapProxyBindPort: 143
    zimbraImapSSLBindOnStartup: TRUE
    zimbraImapSSLBindPort: 993
    zimbraImapSSLProxyBindPort: 993
    zimbraImapSSLServerEnabled: TRUE
    zimbraImapServerEnabled: FALSE
    zimbraLmtpBindOnStartup: FALSE
    zimbraLmtpBindPort: 7025
    zimbraLmtpNumThreads: 20
    zimbraMailMode: https
    zimbraMailPort: 80
    zimbraMailSSLPort: 443
    zimbraMessageCacheSize: 1671168
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: mail2.(fqdn removed).com
    zimbraMtaAuthURL: http://mail2.(fqdn removed).com:80/service/soap/
    zimbraMtaDnsLookupsEnabled: TRUE
    zimbraMtaTlsAuthOnly: TRUE
    zimbraPop3BindOnStartup: TRUE
    zimbraPop3BindPort: 110
    zimbraPop3CleartextLoginEnabled: FALSE
    zimbraPop3NumThreads: 20
    zimbraPop3ProxyBindPort: 110
    zimbraPop3SSLBindOnStartup: TRUE
    zimbraPop3SSLBindPort: 995
    zimbraPop3SSLProxyBindPort: 995
    zimbraPop3SSLServerEnabled: TRUE
    zimbraPop3ServerEnabled: FALSE
    zimbraRedoLogArchiveDir: redolog/archive
    zimbraRedoLogDeleteOnRollover: TRUE
    zimbraRedoLogEnabled: TRUE
    zimbraRedoLogFsyncIntervalMS: 10
    zimbraRedoLogLogPath: redolog/redo.log
    zimbraRedoLogRolloverFileSizeKB: 102400
    zimbraRemoteManagementCommand: /opt/zimbra/libexec/zmrcd
    zimbraRemoteManagementPort: 22
    zimbraRemoteManagementPrivateKeyPath: /opt/zimbra/.ssh/zimbra_identity
    zimbraRemoteManagementUser: zimbra
    zimbraServiceEnabled: antivirus
    zimbraServiceEnabled: antispam
    zimbraServiceEnabled: logger
    zimbraServiceEnabled: mailbox
    zimbraServiceEnabled: mta
    zimbraServiceEnabled: snmp
    zimbraServiceEnabled: ldap
    zimbraServiceEnabled: spell
    zimbraServiceHostname: mail2.(fqdn removed).com
    zimbraServiceInstalled: antivirus
    zimbraServiceInstalled: antispam
    zimbraServiceInstalled: logger
    zimbraServiceInstalled: imapproxy
    zimbraServiceInstalled: mailbox
    zimbraServiceInstalled: mta
    zimbraServiceInstalled: snmp
    zimbraServiceInstalled: ldap
    zimbraServiceInstalled: spell
    zimbraSmtpHostname: mail2.(fqdn removed).com
    zimbraSmtpPort: 25
    zimbraSmtpSendPartial: FALSE
    zimbraSmtpTimeout: 60
    zimbraSpellCheckURL: http://mail2.(fqdn removed).com:7780/aspell.php
    zimbraSshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACBAJIhkdV2bro73PYW8zFZuwtVI29Qr2rZK++sAnShnK0bJQwEio2ZQRSguFtb3d8WDokBgC13S42zJUoaxep4w4TWOODjffFAIljU9HqIR5m11ek4kTM5M//8mqwcpUgjl186Acw/I91BH3bTBwnw0IkNPTb2zxTHm1O1b8WQixNJAAAAFQDW63e1QW6k2WrBSfViKVh8HejzoQAAAIANghtBa02m/n5VdQwqhIamLH9QItYY06KJP1R7CIgEO5xPevmeEPd7duf0xZ/8d32lV+gvC3i1FThn9LmzhGX7iYD+nlAHIx6iuMEwjHXxIwiUZ2Ab6cfjcmEP3oJCrNNCpkIY5B4szq/WemCrRe+KfAc1FO5R1KWl/82TiaZZGwAAAIBmCiwKPrPTGH2i6nGGFcdHYW2UulY89Wm7XENzxFNYTwqqCp25zuy8Xpar8nqQWCpdH+QGX8BQxs4LSGhGnYVdxqwnjzQ/ZoakHoZ7ne0vTYF6/6YzKekJ/sSQUH9smBhF3LAhkmIq76sZKjs2VhSjbJJht+BG607vhmDV5wLOyQ== mail2.(fqdn removed).com
    zimbraTableMaintenanceGrowthFactor: 10
    zimbraTableMaintenanceMaxRows: 1000000
    zimbraTableMaintenanceMinRows: 10000
    zimbraTableMaintenanceOperation: ANALYZE
    zimbraVirusDefinitionsUpdateFrequency: 2h


    Jamie

  5. #5
    Join Date
    Nov 2005
    Posts
    518
    Rep Power
    11


    The mailmode doesn't match the authurl:

    zimbraMailMode: https
    ...
    zimbraMtaAuthHost: mail2.(fqdn removed).com
    zimbraMtaAuthURL: http://mail2.(fqdn removed).com:80/service/soap/

    You can fix this by running this:

    zmprov ms mail2.(fqdn removed).com zimbraMtaAuthHost mail2.(fqdn removed).com

    FYI, I don't think SPA is supported.

  6. #6
    Join Date
    May 2006
    Location
    Flyover USA (aka SW Iowa)
    Posts
    10
    Rep Power
    9


    Quote Originally Posted by bobby
    The mailmode doesn't match the authurl:
    You can fix this by running this:
    zmprov ms mail2.(fqdn removed).com zimbraMtaAuthHost mail2.(fqdn removed).com
    FYI, I don't think SPA is supported.

    Indeed that fixes the relaying issue. I'm curious - did the previous configuration result in an unauthorized SMTP session, hence the lack of relaying (e.g. no different than an external MTA sending to one of my domains which accepts local destinations but prohibits relaying)?

    I did try the SPA option after resolving the relaying issue - still no go. I thought I had read that some in the forums had gotten it working but may have been incorrect in assuming that! As long as the SMTP session is encrypted under SSL, I'm happy.

    Thanks again!

    Jamie

  7. #7
    Join Date
    May 2006
    Location
    Flyover USA (aka SW Iowa)
    Posts
    10
    Rep Power
    9

    1 down, 2 to go...

    Update: Outlook works great with the above settings.

    Outlook Express and Thunderbird both report SSL problems on port 25:

    The server does not support a SSL connection. Account: 'mail2.(mydomain).com', Server: 'mail2.(mydomain).com', Protocol: SMTP, Server Response: '250 8BITMIME', Port: 25, Secure(SSL): Yes, Server Error: 250, Error Number: 0x800CCC7D

    I looked at the zimbra log and it was complaining about "name or verification failed" from the OE and Thunderbird clients. However, it processes Outlook clients just fine w/ SMTP auth under SSL.

    Jun 5 12:25:03 mail2 postfix/smtpd[25244]: warning: x.x.x.x: hostname ip-x-x-x-x.mydomain.net verification failed: Name or service not known
    Jun 5 12:25:03 mail2 postfix/smtpd[25244]: connect from unknown[x.x.x.x]
    Jun 5 12:25:03 mail2 postfix/smtpd[25244]: lost connection after EHLO from unknown[x.x.x.x]
    Jun 5 12:25:03 mail2 postfix/smtpd[25244]: disconnect from unknown[x.x.x.x]

    I've tried both OE and Thunderbird with SSL on port 25 (and 465, which TBird wants to default to for SSL), and have also tried TLS which refuses to work. Global settings are still:

    enable auth: YES
    TLS auth only: YES
    protocol checks
    reject_invalid_hostname: YES
    (all remainders are NO right now)

    Jamie
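The four postfix/smtpd lines in the post above show the whole session: a reverse-DNS warning, connect, "lost connection after EHLO", disconnect, matching the client-side error that quotes a plaintext "250 8BITMIME" reply while "Secure(SSL): Yes" was set. When several clients are involved it helps to sort sessions by the stage at which they were dropped rather than read them one by one. The script below is an added example and is not from this thread or from Zimbra; the log lines in it are constructed to look like the ones posted (placeholder IPs and hostnames), and the regexes match the postfix smtpd message formats visible on this page. It groups lines per smtpd process into sessions, records the stage after which each connection was lost, and reports clients that repeatedly drop straight after EHLO, together with whether their hostname verification failed. It does not diagnose the cause; it only isolates the pattern so the right clients and settings can be looked at.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the postfix/smtpd lines quoted in this thread.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jun 5 12:25:03 mail2 postfix/smtpd[25244]: warning: 192.0.2.10: hostname ip-192-0-2-10.example.net verification failed: Name or service not known
Jun 5 12:25:03 mail2 postfix/smtpd[25244]: connect from unknown[192.0.2.10]
Jun 5 12:25:03 mail2 postfix/smtpd[25244]: lost connection after EHLO from unknown[192.0.2.10]
Jun 5 12:25:03 mail2 postfix/smtpd[25244]: disconnect from unknown[192.0.2.10]
Jun 5 12:26:41 mail2 postfix/smtpd[25260]: connect from client.example.org[198.51.100.7]
Jun 5 12:26:41 mail2 postfix/smtpd[25260]: lost connection after STARTTLS from client.example.org[198.51.100.7]
Jun 5 12:26:41 mail2 postfix/smtpd[25260]: disconnect from client.example.org[198.51.100.7]
Jun 5 12:27:02 mail2 postfix/smtpd[25271]: connect from unknown[192.0.2.10]
Jun 5 12:27:02 mail2 postfix/smtpd[25271]: lost connection after EHLO from unknown[192.0.2.10]
Jun 5 12:27:02 mail2 postfix/smtpd[25271]: disconnect from unknown[192.0.2.10]
"""

# syslog prefix: "Mon  D HH:MM:SS host postfix/smtpd[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CLIENT_RE = re.compile(r'from (?P<name>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]')
LOST_RE = re.compile(r'^lost connection after (?P<stage>\S+) from')
VERIFY_RE = re.compile(r'^warning: (?P<ip>[0-9a-fA-F.:]+): hostname (?P<name>\S+) verification failed')


def parse_sessions(log_text):
    """Group smtpd lines by process id into sessions.

    A 'connect from' line opens a session for that pid, the next 'disconnect from'
    for the same pid closes it. Each session records the client IP, the name postfix
    logged for it, the stage after which the connection was lost (or None), and
    whether a hostname verification warning was seen for that IP.
    """
    sessions = []
    open_by_pid = {}
    rdns_failed = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group('pid'), m.group('msg')
        v = VERIFY_RE.match(msg)
        if v:
            rdns_failed.add(v.group('ip'))
            continue
        c = CLIENT_RE.search(msg)
        if not c:
            continue
        ip, name = c.group('ip'), c.group('name')
        if msg.startswith('connect from'):
            open_by_pid[pid] = {'pid': pid, 'ip': ip, 'name': name,
                                'ts': m.group('ts'), 'dropped_after': None}
        elif msg.startswith('lost connection after'):
            s = open_by_pid.get(pid)
            if s:
                s['dropped_after'] = LOST_RE.match(msg).group('stage')
        elif msg.startswith('disconnect from'):
            s = open_by_pid.pop(pid, None)
            if s:
                s['rdns_failed'] = ip in rdns_failed
                sessions.append(s)
    return sessions


def ehlo_drop_report(log_text, threshold=2):
    """Per client IP, count sessions that were lost right after EHLO.

    A client that hangs up as soon as it has read the EHLO reply never reaches
    STARTTLS or AUTH, so these sessions look different from TLS or login failures.
    Returns {ip: {'sessions', 'ehlo_drops', 'rdns_failed'}} for IPs with at least
    `threshold` such drops.
    """
    per_ip = defaultdict(lambda: {'sessions': 0, 'ehlo_drops': 0, 'rdns_failed': False})
    for s in parse_sessions(log_text):
        e = per_ip[s['ip']]
        e['sessions'] += 1
        if s['dropped_after'] == 'EHLO':
            e['ehlo_drops'] += 1
        e['rdns_failed'] = e['rdns_failed'] or s['rdns_failed']
    return {ip: e for ip, e in per_ip.items() if e['ehlo_drops'] >= threshold}


if __name__ == '__main__':
    for ip, e in ehlo_drop_report(SAMPLE_LOG).items():
        print(f"{ip}: {e['ehlo_drops']}/{e['sessions']} sessions dropped after EHLO, "
              f"rDNS failed={e['rdns_failed']}")
```

Run it against `/var/log/zimbra.log` by passing the file contents instead of `SAMPLE_LOG`. Sessions lost after STARTTLS or AUTH are kept in `parse_sessions` but excluded from the report, so the two kinds of failure stay separate.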

  8. #8
    Join Date
    May 2006
    Location
    Flyover USA (aka SW Iowa)
    Posts
    10
    Rep Power
    9

    MailMode & Auth

    Researching some previous forum posts, I see a reference to MailMode needing to be http - not https. When I run the following, I'm seeing https in both MailMode and Auth:

    [zimbra@mail2 etc]$ zmprov gs mail2.mydomain.com | grep MailMode
    zimbraMailMode: https
    [zimbra@mail2 etc]$ zmprov gs mail2.mydomain.com | grep Auth
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: mail2.mydomain.com
    zimbraMtaAuthURL: https://mail2.mydomain.com:443/service/soap/

    I've changed saslauthd.conf, stopped and started, and messed around with that but it seems like the wrong path (plus the REWRITE specification in zmmta.cf wipes it out). Do I need to use zmprov to change this variable?

    I did use zmprov to change zimbraMtaMyNetworks to allow relaying for non-auth'ed SMTP as a temporary workaround, but it'd be nice to see OE and Thunderbird clients work as well as Outlook.

    Jamie
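Post #5 spotted the problem in post #4 by eye: zimbraMailMode was https while zimbraMtaAuthURL pointed at http on port 80, and the fix was to re-set zimbraMtaAuthHost with `zmprov ms`; post #8 shows the listing after that, with https in both. The check below is an added example, not code from this thread or from Zimbra, that does the same comparison over `zmprov gs` output so it can be repeated after any change. The two listings in it are constructed excerpts of the before and after states shown in this thread, with placeholder hostnames. It assumes that zimbraMailMode http means the SOAP auth URL should use http on zimbraMailPort and https means https on zimbraMailSSLPort; the other mail modes (mixed, both, redirect) are flagged for manual review rather than guessed at.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpts of `zmprov gs <server>` output, modelled on posts #4 and #8.
BEFORE = """\
zimbraMailMode: https
zimbraMailPort: 80
zimbraMailSSLPort: 443
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail2.example.com
zimbraMtaAuthURL: http://mail2.example.com:80/service/soap/
zimbraMtaTlsAuthOnly: TRUE
"""

AFTER = """\
zimbraMailMode: https
zimbraMailPort: 80
zimbraMailSSLPort: 443
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail2.example.com
zimbraMtaAuthURL: https://mail2.example.com:443/service/soap/
zimbraMtaTlsAuthOnly: TRUE
"""


def parse_zmprov(text):
    """Turn 'attr: value' lines into a dict.

    Attributes that repeat (zimbraServiceEnabled, zimbraServiceInstalled) become lists.
    """
    attrs = {}
    for line in text.splitlines():
        m = re.match(r'^(\w+):\s*(.*)$', line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key in attrs:
            cur = attrs[key]
            attrs[key] = cur + [value] if isinstance(cur, list) else [cur, value]
        else:
            attrs[key] = value
    return attrs


def check_mta_auth(attrs):
    """Return a list of findings about the MTA auth settings; empty means consistent."""
    findings = []
    mode = attrs.get('zimbraMailMode')
    host = attrs.get('zimbraMtaAuthHost')
    url = urlsplit(attrs.get('zimbraMtaAuthURL', ''))

    # Assumption (see lead-in): http mode -> http URL, https mode -> https URL.
    want_scheme = {'http': 'http', 'https': 'https'}.get(mode)
    if want_scheme is None:
        findings.append(f"zimbraMailMode={mode!r} is not http/https: review zimbraMtaAuthURL by hand")
    elif url.scheme != want_scheme:
        findings.append(f"scheme mismatch: zimbraMailMode={mode} but zimbraMtaAuthURL uses {url.scheme}://")

    # The URL port should be the web port that matches its own scheme.
    port_attr = {'http': 'zimbraMailPort', 'https': 'zimbraMailSSLPort'}.get(url.scheme)
    want_port = attrs.get(port_attr) if port_attr else None
    if want_port and url.port is not None and str(url.port) != want_port:
        findings.append(f"port mismatch: URL port {url.port} but {port_attr}={want_port}")

    if host and url.hostname != host:
        findings.append(f"host mismatch: zimbraMtaAuthHost={host} but URL host is {url.hostname}")
    if attrs.get('zimbraMtaAuthEnabled') != 'TRUE':
        findings.append("zimbraMtaAuthEnabled is not TRUE: SMTP AUTH is off")
    return findings


def fix_command(attrs, server):
    """The remedy given in post #5: re-set zimbraMtaAuthHost so the auth URL is regenerated."""
    return f"zmprov ms {server} zimbraMtaAuthHost {attrs['zimbraMtaAuthHost']}"


if __name__ == '__main__':
    for label, listing in (('before', BEFORE), ('after', AFTER)):
        attrs = parse_zmprov(listing)
        problems = check_mta_auth(attrs)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
        if problems:
            print("  suggested:", fix_command(attrs, attrs['zimbraMtaAuthHost']))
```

On a live server, feed it `zmprov gs $(zmhostname)` output; the same parser also handles the full listing from post #4, including the repeated zimbraServiceEnabled lines.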
