[SOLVED] After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Ask questions about your setup or get help installing ZCS server (ZD section below).
baena
Posts: 6
Joined: Fri Jul 22, 2016 3:47 am

[SOLVED] After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Postby baena » Fri Jul 22, 2016 4:41 am

I upgraded v8.6 -> 8.7.0_GA 1659.UBUNTU14_64.20160628202701

No errors during the upgrade.

After the upgrade,

Admin UI is up
WebMail UI is up
inbound mail is relivered/received
outbound mail works, from both WebMail & from attached desktop clients

There' no more IMAP access from any clients.

My client's Thunderbird.

IMAP login never completes. All I see in Tbird is "Sending login information ..."

There's no error in Zimbra's mailbox.log or zimbra.log.

All accounts are configured as they always were:

Code: Select all

IMAP:993
SSL/TLS
Normal Password


I've also tried

Code: Select all

IMAP:143
StartTLS
Normal Password


No change in behavior.

Same no-login problem with my usual Android clients that were working prior to the upgrade.


Current zmprov imap configs are

Code: Select all

zmprov gs `zmhostname` | grep -i imap
   zimbraAdminImapImportNumThreads: 20
   zimbraImapBindOnStartup: TRUE
   zimbraImapBindPort: 7143
   zimbraImapCleartextLoginEnabled: TRUE
   zimbraImapDisplayMailFoldersOnly: TRUE
   zimbraImapExposeVersionOnBanner: FALSE
   zimbraImapInactiveSessionCacheMaxDiskSize: 10737418240
   zimbraImapMaxConnections: 200
   zimbraImapMaxRequestSize: 10240
   zimbraImapNumThreads: 500
   zimbraImapProxyBindPort: 143
   zimbraImapSSLBindOnStartup: TRUE
   zimbraImapSSLBindPort: 7993
   zimbraImapSSLProxyBindPort: 993
   zimbraImapSSLServerEnabled: TRUE
   zimbraImapSaslGssapiEnabled: FALSE
   zimbraImapServerEnabled: TRUE
   zimbraImapShutdownGraceSeconds: 10
   zimbraReverseProxyImapEnabledCapability: ACL
   zimbraReverseProxyImapEnabledCapability: BINARY
   zimbraReverseProxyImapEnabledCapability: CATENATE
   zimbraReverseProxyImapEnabledCapability: CHILDREN
   zimbraReverseProxyImapEnabledCapability: CONDSTORE
   zimbraReverseProxyImapEnabledCapability: ENABLE
   zimbraReverseProxyImapEnabledCapability: ESEARCH
   zimbraReverseProxyImapEnabledCapability: ESORT
   zimbraReverseProxyImapEnabledCapability: I18NLEVEL=1
   zimbraReverseProxyImapEnabledCapability: ID
   zimbraReverseProxyImapEnabledCapability: IDLE
   zimbraReverseProxyImapEnabledCapability: IMAP4rev1
   zimbraReverseProxyImapEnabledCapability: LIST-EXTENDED
   zimbraReverseProxyImapEnabledCapability: LIST-STATUS
   zimbraReverseProxyImapEnabledCapability: LITERAL+
   zimbraReverseProxyImapEnabledCapability: MULTIAPPEND
   zimbraReverseProxyImapEnabledCapability: NAMESPACE
   zimbraReverseProxyImapEnabledCapability: QRESYNC
   zimbraReverseProxyImapEnabledCapability: QUOTA
   zimbraReverseProxyImapEnabledCapability: RIGHTS=ektx
   zimbraReverseProxyImapEnabledCapability: SASL-IR
   zimbraReverseProxyImapEnabledCapability: SEARCHRES
   zimbraReverseProxyImapEnabledCapability: SORT
   zimbraReverseProxyImapEnabledCapability: THREAD=ORDEREDSUBJECT
   zimbraReverseProxyImapEnabledCapability: UIDPLUS
   zimbraReverseProxyImapEnabledCapability: UNSELECT
   zimbraReverseProxyImapEnabledCapability: WITHIN
   zimbraReverseProxyImapEnabledCapability: XLIST
   zimbraReverseProxyImapExposeVersionOnBanner: FALSE
   zimbraReverseProxyImapSaslGssapiEnabled: FALSE
   zimbraReverseProxyImapSaslPlainEnabled: TRUE
   zimbraReverseProxyImapStartTlsMode: off
   zimbraReverseProxyMailImapEnabled: TRUE
   zimbraReverseProxyMailImapsEnabled: TRUE
   zimbraStatThreadNamePrefix: ImapSSLServer
   zimbraStatThreadNamePrefix: ImapServer


I've seen some other IMAP issues showing up already. Nothing so far exactly the same.

Is this a known issue?

What additional debug info is helpful?
Last edited by baena on Fri Jul 22, 2016 5:42 pm, edited 1 time in total.


User avatar
tonster
Zimbra Employee
Zimbra Employee
Posts: 312
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Postby tonster » Fri Jul 22, 2016 5:53 am

What errors or messages are notable in the logs?
baena
Posts: 6
Joined: Fri Jul 22, 2016 3:47 am

Re: After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Postby baena » Fri Jul 22, 2016 6:16 am

tonster wrote:What errors or messages are notable in the logs?


Like I mentioned above

There's no error in Zimbra's mailbox.log or zimbra.log.


That's with the Imap proxy in place.

As a test, I disabled the IMAP proxy with

Code: Select all

zmprov ms `zmhostname` zimbraImapBindPort         '143'
zmprov ms `zmhostname` zimbraImapSSLBindPort      '993'
zmprov ms `zmhostname` zimbraPop3BindPort         '110'
zmprov ms `zmhostname` zimbraPop3SSLBindPort      '995'

zmprov ms `zmhostname` zimbraImapProxyBindPort    '7143'
zmprov ms `zmhostname` zimbraImapSSLProxyBindPort '7993'
zmprov ms `zmhostname` zimbraPop3ProxyBindPort    '7110'
zmprov ms `zmhostname` zimbraPop3SSLProxyBindPort '7995'

zmprov ms `zmhostname` zimbraImapSSLServerEnabled          TRUE
zmprov ms `zmhostname` zimbraImapServerEnabled             TRUE
zmprov ms `zmhostname` zimbraImapSaslGssapiEnabled         FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailEnabled       FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapEnabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapsEnabled  FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3Enabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3sEnabled  FALSE

zmprov ms `zmhostname` zimbraReverseProxyMailEnabled       FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapEnabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailImapsEnabled  FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3Enabled   FALSE
zmprov ms `zmhostname` zimbraReverseProxyMailPOP3sEnabled  FALSE


restarted

Code: Select all

zmproxyctl restart


Now on a `telnet` to the ImapSSL port (no proxy), the connection's immediately closed

Code: Select all

telnet ##.##.##.14 993
   Trying ##.##.##.14...
   Connected to ##.##.##.14.
   Escape character is '^]'.
   Connection closed by foreign host.


I see in mailbox log

Code: Select all

==> mailbox.log <==
2016-07-21 23:04:32,092 WARN  [NioProcessor-3] [] DefaultExceptionMonitor - Unexpected exception.
org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreAdd(): ssl:ZimbraSslFilter in (0x00000086: nio socket, server, /##.##.##.22:35162 => /##.##.##.14:993)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:279)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.addLast(DefaultIoFilterChain.java:174)
        at org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder.buildFilterChain(DefaultIoFilterChainBuilder.java:452)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.addNow(AbstractPollingIoProcessor.java:530)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.handleNewSessions(AbstractPollingIoProcessor.java:503)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:68)
        at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1133)
        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: TLSv1.1, TLSv1.2
        at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:187)
        at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84)
        at sun.security.ssl.ProtocolList.<init>(ProtocolList.java:52)
        at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2081)
        at org.apache.mina.filter.ssl.SslHandler.init(SslHandler.java:170)
        at org.apache.mina.filter.ssl.SslFilter.onPreAdd(SslFilter.java:417)
        at org.apache.mina.core.filterchain.DefaultIoFilterChain.register(DefaultIoFilterChain.java:277)
        ... 10 more


and in config

Code: Select all

zmprov -l gs `zmhostname` | grep TLSv
   zimbraMailboxdSSLProtocols: TLSv1.1, TLSv1.2
   zimbraReverseProxySSLProtocols: TLSv1
   zimbraReverseProxySSLProtocols: TLSv1.1
   zimbraReverseProxySSLProtocols: TLSv1.2


a telnet to imap is fine

Code: Select all

telnet ##.##.##.14 143
   Trying ##.##.##.14...
   Connected to ##.##.##.14.
   Escape character is '^]'.
   * OK mx.example.com Zimbra IMAP4rev1 server ready


This

Code: Select all

Caused by: java.lang.IllegalArgumentException: TLSv1.1, TLSv1.2


looks like an obvious problem. Possibly happens when the proxy's in place, but my logging's not setup right to see it in that case.
baena
Posts: 6
Joined: Fri Jul 22, 2016 3:47 am

Re: After 8.6. -> 8.7 upgrade, all desktop/mobile clients fail IMAP login.

Postby baena » Fri Jul 22, 2016 2:55 pm

( :?: On a SINGLE server, is it required or recommended to access IMAP via proxy? Or to disable the proxy for IMAP and access directly? )

Starting with the reported error

Code: Select all

Caused by: java.lang.IllegalArgumentException: TLSv1.1, TLSv1.2


and the config result

Code: Select all

zmprov gs `zmhostname` zimbraMailboxdSSLProtocols
   zimbraMailboxdSSLProtocols: TLSv1.1, TLSv1.2


the defaults are

Code: Select all

zmprov desc -a zimbraMailboxdSSLProtocols
   zimbraMailboxdSSLProtocols
       List of SSL/TLS protocols (as documented by SunJSSE Provider Protocols
       and used in setEnabledProtocols) to be enabled in Jetty for HTTPS,
       IMAPS, POP3S, and STARTTLS (including LMTP)

                  type : string
                 value :
              callback :
             immutable : false
           cardinality : multi
            requiredIn :
            optionalIn : server,globalConfig
                 flags : serverInherited
              defaults : TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello
                   min :
                   max :
                    id : 1657
       requiresRestart : mailbox
                 since : 8.6.0
       deprecatedSince :


resetting to defaults

Code: Select all

zmprov ms `hostname` zimbraMailboxdSSLProtocols ''
zmprov mcf           zimbraMailboxdSSLProtocols ''
zmprov mcf  zimbraMailboxdSSLProtocols 'TLSv1'
zmprov mcf +zimbraMailboxdSSLProtocols 'TLSv1.1'
zmprov mcf +zimbraMailboxdSSLProtocols 'TLSv1.2'
zmprov mcf +zimbraMailboxdSSLProtocols 'SSLv2Hello'
zmprov gcf  zimbraMailboxdSSLProtocols
   zimbraMailboxdSSLProtocols: TLSv1
   zimbraMailboxdSSLProtocols: TLSv1.1
   zimbraMailboxdSSLProtocols: TLSv1.2
   zimbraMailboxdSSLProtocols: SSLv2Hello


then

Code: Select all

zmproxyctl restart
zmmailboxdctl restart


client connections are now working again -- to non-proxy port 993

Return to “Installation and Upgrade”

Who is online

Users browsing this forum: No registered users and 7 guests