Hi folks,
I have upgraded from ZCS 8.6 to ZCS 8.7 a few days ago. The services seem to start correctly and zimbra accepts and sends mails. A login via web interface works as well.
But: IMAP and POP3 are not working. I get an "unauthorized"-message from my client. The Log says: "An error occurred in mail zmauth: error occurs when reading lookup response from handler while in mail zmauth state"
Below I'll attach a lot of additional information, i.e., system configuration, log excerpts and configuration snippets.
I would be very grateful for helpful hints.
Thanks in advance,
Jens
--------------- Detailed configuration and log excerpts ---------------
Context:
=======
- Ubuntu 14.04
- x64
- Upgrade zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz -> zcs-8.7.0_GA_1659.UBUNTU14_64.20160628202701.tgz
- Both IPv4 and IPv6 are configured and activated
Log:
====
When I try to connect as usual, I get the following log-entries:
==> nginx.log <==
2016/09/07 12:51:16 [info] 16519#0: *142 client 132.176.93.58:57920 connected to 0.0.0.0:993
2016/09/07 12:51:16 [error] 16519#0: *142 An error occurred in mail zmauth: error occurs when reading lookup response from handler while in mail zmauth state, client: 132.176.93.58:57920, server: 0.0.0.0:993, login: "<username>@webart-factory.de"
==> trace_log.2016_09_07 <==
12:51:16.942:qtp1684106402-261 OPENED SslConnection@517d52cf{NEED_UNWRAP,eio=-1/-1,di=-1} -> HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,Open,in,out,-,-,0/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,Open,in,out,-,-,2/60000,SslConnection}{io=0/0,kio=0,kro=0}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]
12:51:16.942:qtp1684106402-261 OPENED HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,Open,in,out,-,-,1/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,Open,in,out,-,-,2/60000,SslConnection}{io=0/0,kio=0,kro=0}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]
12:51:16.942:qtp1684106402-261 CLOSED HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,0/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,0/60000,SslConnection}{io=1/0,kio=-1,kro=-1}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]
12:51:16.943:qtp1684106402-261 CLOSED SslConnection@517d52cf{NEED_WRAP,eio=256/-1,di=-1} -> HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,0/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,1/60000,SslConnection}{io=1/0,kio=-1,kro=-1}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]
Proxy-Check
==========
zimbra@mail:~$ grep zm_lookup_handlers /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup
zm_lookup_handlers http://84.39.96.233:7072/service/extension/nginx-lookup;
zimbra@mail:~$ zmprov gcf zimbraReverseProxyLookupTarget
zimbraReverseProxyLookupTarget: FALSE
zimbra@mail:~$ zmprov garpu
mail.webart-factory.de:7072/service/extension/nginx-lookup
zimbra@mail:~$ zmprov gacf | grep -i proxy
zimbraAdminProxyPort: 9071
zimbraImapProxyBindPort: 143
zimbraImapSSLProxyBindPort: 993
zimbraMailProxyMaxFails: 1
zimbraMailProxyPort: 0
zimbraMailProxyReconnectTimeout: 60
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 0
zimbraMtaCanonicalMaps: proxy:ldap:/opt/zimbra/conf/ldap-canonical.cf
zimbraMtaSmtpdProxyTimeout: 100s
zimbraMtaTransportMaps: proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
zimbraMtaVirtualAliasDomains: proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
zimbraMtaVirtualAliasMaps: proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
zimbraMtaVirtualMailboxDomains: proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
zimbraMtaVirtualMailboxMaps: proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAcceptMutex: on
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyAdminPortAttribute: zimbraAdminPort
zimbraReverseProxyAuthWaitInterval: 10s
zimbraReverseProxyAvailableLookupTargets: mail.webart-factory.de
zimbraReverseProxyCacheEntryTTL: 1h
zimbraReverseProxyCacheFetchTimeout: 3s
zimbraReverseProxyCacheReconnectInterval: 1m
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyConnectTimeout: 120000ms
zimbraReverseProxyDnsLookupInServerEnabled: TRUE
zimbraReverseProxyDomainNameAttribute: zimbraDomainName
zimbraReverseProxyDomainNameQuery: (&(zimbraVirtualIPAddress=${IPADDR})(objectClass=zimbraDomain))
zimbraReverseProxyExactServerVersionCheck: on
zimbraReverseProxyExternalRouteIncludeOriginalAuthusername: FALSE
zimbraReverseProxyGenConfigPerVirtualHostname: TRUE
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxyHttpPortAttribute: zimbraMailPort
zimbraReverseProxyHttpSSLPortAttribute: zimbraMailSSLPort
zimbraReverseProxyIPLoginLimit: 0
zimbraReverseProxyIPLoginLimitTime: 3600
zimbraReverseProxyImapEnabledCapability: ACL
zimbraReverseProxyImapEnabledCapability: BINARY
zimbraReverseProxyImapEnabledCapability: CATENATE
zimbraReverseProxyImapEnabledCapability: CHILDREN
zimbraReverseProxyImapEnabledCapability: CONDSTORE
zimbraReverseProxyImapEnabledCapability: ENABLE
zimbraReverseProxyImapEnabledCapability: ESEARCH
zimbraReverseProxyImapEnabledCapability: ESORT
zimbraReverseProxyImapEnabledCapability: I18NLEVEL=1
zimbraReverseProxyImapEnabledCapability: ID
zimbraReverseProxyImapEnabledCapability: IDLE
zimbraReverseProxyImapEnabledCapability: IMAP4rev1
zimbraReverseProxyImapEnabledCapability: LIST-EXTENDED
zimbraReverseProxyImapEnabledCapability: LIST-STATUS
zimbraReverseProxyImapEnabledCapability: LITERAL+
zimbraReverseProxyImapEnabledCapability: MULTIAPPEND
zimbraReverseProxyImapEnabledCapability: NAMESPACE
zimbraReverseProxyImapEnabledCapability: QRESYNC
zimbraReverseProxyImapEnabledCapability: QUOTA
zimbraReverseProxyImapEnabledCapability: RIGHTS=ektx
zimbraReverseProxyImapEnabledCapability: SASL-IR
zimbraReverseProxyImapEnabledCapability: SEARCHRES
zimbraReverseProxyImapEnabledCapability: SORT
zimbraReverseProxyImapEnabledCapability: THREAD=ORDEREDSUBJECT
zimbraReverseProxyImapEnabledCapability: UIDPLUS
zimbraReverseProxyImapEnabledCapability: UNSELECT
zimbraReverseProxyImapEnabledCapability: WITHIN
zimbraReverseProxyImapEnabledCapability: XLIST
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
zimbraReverseProxyImapPortAttribute: zimbraImapBindPort
zimbraReverseProxyImapSSLPortAttribute: zimbraImapSSLBindPort
zimbraReverseProxyImapSaslGssapiEnabled: FALSE
zimbraReverseProxyImapSaslPlainEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyInactivityTimeout: 1h
zimbraReverseProxyIpThrottleMsg: Login rejected from this IP
zimbraReverseProxyLogLevel: info
zimbraReverseProxyLookupTarget: FALSE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailHostAttribute: zimbraMailHost
zimbraReverseProxyMailHostQuery: (|(zimbraMailDeliveryAddress=${USER})(zimbraMailAlias=${USER})(zimbraId=${USER}))
zimbraReverseProxyMailImapEnabled: TRUE
zimbraReverseProxyMailImapsEnabled: TRUE
zimbraReverseProxyMailPop3Enabled: TRUE
zimbraReverseProxyMailPop3sEnabled: TRUE
zimbraReverseProxyPassErrors: TRUE
zimbraReverseProxyPop3EnabledCapability: EXPIRE 31 USER
zimbraReverseProxyPop3EnabledCapability: TOP
zimbraReverseProxyPop3EnabledCapability: UIDL
zimbraReverseProxyPop3EnabledCapability: USER
zimbraReverseProxyPop3EnabledCapability: XOIP
zimbraReverseProxyPop3ExposeVersionOnBanner: FALSE
zimbraReverseProxyPop3PortAttribute: zimbraPop3BindPort
zimbraReverseProxyPop3SSLPortAttribute: zimbraPop3SSLBindPort
zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
zimbraReverseProxyPop3SaslPlainEnabled: TRUE
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxyPortQuery: (&(zimbraServiceHostname=${MAILHOST})(objectClass=zimbraServer))
zimbraReverseProxyRouteLookupTimeout: 15s
zimbraReverseProxyRouteLookupTimeoutCache: 60s
zimbraReverseProxySNIEnabled: FALSE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
zimbraReverseProxySSLECDHCurve: prime256v1
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLSessionCacheSize: 10m
zimbraReverseProxySSLSessionTimeout: 10m
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraReverseProxySendImapId: TRUE
zimbraReverseProxySendPop3Xoip: TRUE
zimbraReverseProxyUpstreamConnectTimeout: 25
zimbraReverseProxyUpstreamLoginServers: mail.webart-factory.de
zimbraReverseProxyUpstreamPollingTimeout: 1h
zimbraReverseProxyUpstreamReadTimeout: 60s
zimbraReverseProxyUpstreamSendTimeout: 60s
zimbraReverseProxyUserLoginLimit: 0
zimbraReverseProxyUserLoginLimitTime: 3600
zimbraReverseProxyUserThrottleMsg: Login rejected for this user
zimbraReverseProxyWorkerConnections: 10240
zimbraReverseProxyWorkerProcesses: 4
zimbraReverseProxyXmppBoshEnabled: FALSE
zimbraReverseProxyXmppBoshLocalHttpBindURL: /http-bind
zimbraReverseProxyXmppBoshSSL: FALSE
zimbraReverseProxyXmppBoshTimeout: 90s
zimbraReverseProxyZmlookupCachingEnabled: TRUE
Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
Hi,
Did you get this sorted? I'm in the exact same situation, with an upgrade from 8.6 to 8.7.
Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
Ok, so I seem to have it working properly again (imap/pop3).
I edited the /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup file to show:
zm_lookup_handlers https://mail.yourservername.com:7072/service/extension/nginx-lookup;
Note the change from http to https and FQDN as opposed to the IP address.
Hope this helps you.
Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
Thanks for the tip on moving to https for the zm_lookup_handlers. At least that made the IMAP/POP authentication functional again. I have asked around on the #zimbra IRC channel for a more permanent solution, but so far I have not found any.
As this seems to affect multiple ZCS instances, I have created a bug report for this issue at https://bugzilla.zimbra.com/show_bug.cgi?id=106926.
Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
I have the same problem here. And unfortunately, the wrong config will be reenabled every time a zmcontrol start (or zmproxyctl start) is run, which is not so nice, as my server is stopped and restarted every night for backup purposes. :-/
I've now written a little Perl script that will fix nginx.conf.zmlookup and restart nginx afterwards. But that is not cool at all, of course.
Please fix that quickly!
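A check-and-fix step of the kind the posts above describe, as an added example that is not part of the original thread and is not the poster's Perl script. It assumes, as the trace_log in the first post suggests (SslConnection on port 7072), that the lookup listener expects TLS; the function names are hypothetical, and reloading nginx afterwards is left to the operator.

```shell
#!/bin/sh
# Added example, not from the thread. The directive is the one quoted in
# the posts; the function names are hypothetical.

# Print each active lookup handler URL that still uses plain http://.
plain_http_handlers() {
    # One directive may list several space-separated URLs before the ';'.
    sed -n 's/^[[:space:]]*zm_lookup_handlers[[:space:]]\{1,\}\(.*\);.*$/\1/p' "$1" |
        tr -s ' \t' '\n\n' | grep '^http://' || true
}

# Rewrite plain-http handlers to https in place, keeping a .bak copy.
# Returns 0 if the file was changed, 1 if it was already consistent,
# 2 if the file has no active zm_lookup_handlers directive.
fix_lookup_scheme() {
    conf=$1
    grep -q '^[[:space:]]*zm_lookup_handlers[[:space:]]' "$conf" || return 2
    [ -n "$(plain_http_handlers "$conf")" ] || return 1
    cp -p "$conf" "$conf.bak"
    # Only the active directive is touched; commented lines stay as they are.
    sed '/^[[:space:]]*zm_lookup_handlers[[:space:]]/s#http://#https://#g' \
        "$conf.bak" > "$conf"
    return 0
}

# Constructed sample: the regenerated directive from the first post plus a
# commented template line, to show that only the active line is rewritten.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# zm_lookup_handlers ${zmlookup.:handlers};
zm_lookup_handlers http://84.39.96.233:7072/service/extension/nginx-lookup;
EOF
    fix_lookup_scheme "$f" && cat "$f"
    rm -f "$f" "$f.bak"
}

# Run "sh thisfile demo" to see the rewritten sample.
[ "${1:-}" != demo ] || demo
```

Because the thread reports that the file is regenerated on each proxy start, the function is written to be idempotent: a second run on an already corrected file returns 1 and changes nothing.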
Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
In order to work around the proxy restart issue, I have simply edited the template config file. It now contains a hardcoded URL:
# zm_lookup_handlers ${zmlookup.:handlers};
zm_lookup_handlers https://127.0.1.1:7072/service/extension/nginx-lookup;
Not very nice either, but it will at least work until an upgrade of ZCS is installed.
Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
Same problem here, though I have some other information. I upgraded 2 Ubuntu 14 LTS boxes from 8.5 to 8.7.(1) going as 8.5->8.6->8.7.0->8.7.1 ... the first box has the issue described here, the second does not.
I compared basically any possible configuration, `zmprov gacf | grep -i proxy` only has the difference in the zimbraReverseProxyUpstreamLoginServers as expected, nothing else.
Anything else seems configured exactly the same. So
/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
But the working (2nd) box has https://, the first broken box has http:// - both using IPs not hostnames. As described, just changing the schema to https fixes it.
Then I found one difference which can matter: `zmprov -garpb`
On the working box, :8080 is referenced, on the broken box, 8443
This could make sense since, as 8443 is already https, the template does not configure upstream https, but on the first box, it's http (8080) so it configured https .. the question now is how that is different, since above I used https for both. Maybe somebody else can make something of this clue.
Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails
I know that this is an old issue, but I had the very same problem this week with the latest open source version of ZCS and I fixed it in the same way (zm_lookup_handler) but the fix made it impossible for me to validate for outgoing SMTP service from my Android email app. Before that, it had worked perfectly.
Any suggestions would be appreciated.
Thanks.
Sean McLinden