Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

jens.garstka
Posts: 1
Joined: Wed Sep 07, 2016 9:02 am

Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by jens.garstka »

Hi folks,

I have upgraded from ZCS 8.6 to ZCS 8.7 a few days ago. The services seem to start correctly and zimbra accepts and sends mails. A login via web interface works as well.

But: IMAP and POP3 are not working. I get an "unauthorized"-message from my client. The Log says: "An error occurred in mail zmauth: error occurs when reading lookup response from handler while in mail zmauth state"

Below I'll attach a lot of additional information, i.e., system configuration, log excerpts and configuration snippets.

I would be very grateful for helpful hints.

Thanks in advance,
Jens

--------------- Detailed configuration and log excerpts ---------------

Context:
=======

- Ubuntu 14.04
- x64
- Upgrade zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz -> zcs-8.7.0_GA_1659.UBUNTU14_64.20160628202701.tgz
- Both IPv4 and IPv6 are configured and activated

Log:
====

When I try to connect as usual, I get the following log-entries:

==> nginx.log <==
2016/09/07 12:51:16 [info] 16519#0: *142 client 132.176.93.58:57920 connected to 0.0.0.0:993
2016/09/07 12:51:16 [error] 16519#0: *142 An error occurred in mail zmauth: error occurs when reading lookup response from handler while in mail zmauth state, client: 132.176.93.58:57920, server: 0.0.0.0:993, login: "<username>@webart-factory.de"

==> trace_log.2016_09_07 <==
12:51:16.942:qtp1684106402-261 OPENED SslConnection@517d52cf{NEED_UNWRAP,eio=-1/-1,di=-1} -> HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,Open,in,out,-,-,0/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,Open,in,out,-,-,2/60000,SslConnection}{io=0/0,kio=0,kro=0}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]
12:51:16.942:qtp1684106402-261 OPENED HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,Open,in,out,-,-,1/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,Open,in,out,-,-,2/60000,SslConnection}{io=0/0,kio=0,kro=0}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]
12:51:16.942:qtp1684106402-261 CLOSED HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,0/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,0/60000,SslConnection}{io=1/0,kio=-1,kro=-1}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]
12:51:16.943:qtp1684106402-261 CLOSED SslConnection@517d52cf{NEED_WRAP,eio=256/-1,di=-1} -> HttpConnection@136928e4[DecryptedEndPoint@46f3307f{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,0/60000,HttpConnection}->SelectChannelEndPoint@435e3b36{/84.39.96.233:40599<->7072,CLOSED,ISHUT,OSHUT,-,-,1/60000,SslConnection}{io=1/0,kio=-1,kro=-1}][p=HttpParser{s=START,0 of 0},g=HttpGenerator@74c6341c{s=START},c=HttpChannelOverHttp@4f16eb61{r=0,c=false,a=IDLE,uri=null}]

Proxy-Check
==========

zimbra@mail:~$ grep zm_lookup_handlers /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup
zm_lookup_handlers http://84.39.96.233:7072/service/extension/nginx-lookup;

zimbra@mail:~$ zmprov gcf zimbraReverseProxyLookupTarget
zimbraReverseProxyLookupTarget: FALSE

zimbra@mail:~$ zmprov garpu
mail.webart-factory.de:7072/service/extension/nginx-lookup

zimbra@mail:~$ zmprov gacf | grep -i proxy
zimbraAdminProxyPort: 9071
zimbraImapProxyBindPort: 143
zimbraImapSSLProxyBindPort: 993
zimbraMailProxyMaxFails: 1
zimbraMailProxyPort: 0
zimbraMailProxyReconnectTimeout: 60
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 0
zimbraMtaCanonicalMaps: proxy:ldap:/opt/zimbra/conf/ldap-canonical.cf
zimbraMtaSmtpdProxyTimeout: 100s
zimbraMtaTransportMaps: proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
zimbraMtaVirtualAliasDomains: proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
zimbraMtaVirtualAliasMaps: proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
zimbraMtaVirtualMailboxDomains: proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
zimbraMtaVirtualMailboxMaps: proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAcceptMutex: on
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyAdminPortAttribute: zimbraAdminPort
zimbraReverseProxyAuthWaitInterval: 10s
zimbraReverseProxyAvailableLookupTargets: mail.webart-factory.de
zimbraReverseProxyCacheEntryTTL: 1h
zimbraReverseProxyCacheFetchTimeout: 3s
zimbraReverseProxyCacheReconnectInterval: 1m
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyConnectTimeout: 120000ms
zimbraReverseProxyDnsLookupInServerEnabled: TRUE
zimbraReverseProxyDomainNameAttribute: zimbraDomainName
zimbraReverseProxyDomainNameQuery: (&(zimbraVirtualIPAddress=${IPADDR})(objectClass=zimbraDomain))
zimbraReverseProxyExactServerVersionCheck: on
zimbraReverseProxyExternalRouteIncludeOriginalAuthusername: FALSE
zimbraReverseProxyGenConfigPerVirtualHostname: TRUE
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxyHttpPortAttribute: zimbraMailPort
zimbraReverseProxyHttpSSLPortAttribute: zimbraMailSSLPort
zimbraReverseProxyIPLoginLimit: 0
zimbraReverseProxyIPLoginLimitTime: 3600
zimbraReverseProxyImapEnabledCapability: ACL
zimbraReverseProxyImapEnabledCapability: BINARY
zimbraReverseProxyImapEnabledCapability: CATENATE
zimbraReverseProxyImapEnabledCapability: CHILDREN
zimbraReverseProxyImapEnabledCapability: CONDSTORE
zimbraReverseProxyImapEnabledCapability: ENABLE
zimbraReverseProxyImapEnabledCapability: ESEARCH
zimbraReverseProxyImapEnabledCapability: ESORT
zimbraReverseProxyImapEnabledCapability: I18NLEVEL=1
zimbraReverseProxyImapEnabledCapability: ID
zimbraReverseProxyImapEnabledCapability: IDLE
zimbraReverseProxyImapEnabledCapability: IMAP4rev1
zimbraReverseProxyImapEnabledCapability: LIST-EXTENDED
zimbraReverseProxyImapEnabledCapability: LIST-STATUS
zimbraReverseProxyImapEnabledCapability: LITERAL+
zimbraReverseProxyImapEnabledCapability: MULTIAPPEND
zimbraReverseProxyImapEnabledCapability: NAMESPACE
zimbraReverseProxyImapEnabledCapability: QRESYNC
zimbraReverseProxyImapEnabledCapability: QUOTA
zimbraReverseProxyImapEnabledCapability: RIGHTS=ektx
zimbraReverseProxyImapEnabledCapability: SASL-IR
zimbraReverseProxyImapEnabledCapability: SEARCHRES
zimbraReverseProxyImapEnabledCapability: SORT
zimbraReverseProxyImapEnabledCapability: THREAD=ORDEREDSUBJECT
zimbraReverseProxyImapEnabledCapability: UIDPLUS
zimbraReverseProxyImapEnabledCapability: UNSELECT
zimbraReverseProxyImapEnabledCapability: WITHIN
zimbraReverseProxyImapEnabledCapability: XLIST
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
zimbraReverseProxyImapPortAttribute: zimbraImapBindPort
zimbraReverseProxyImapSSLPortAttribute: zimbraImapSSLBindPort
zimbraReverseProxyImapSaslGssapiEnabled: FALSE
zimbraReverseProxyImapSaslPlainEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyInactivityTimeout: 1h
zimbraReverseProxyIpThrottleMsg: Login rejected from this IP
zimbraReverseProxyLogLevel: info
zimbraReverseProxyLookupTarget: FALSE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailHostAttribute: zimbraMailHost
zimbraReverseProxyMailHostQuery: (|(zimbraMailDeliveryAddress=${USER})(zimbraMailAlias=${USER})(zimbraId=${USER}))
zimbraReverseProxyMailImapEnabled: TRUE
zimbraReverseProxyMailImapsEnabled: TRUE
zimbraReverseProxyMailPop3Enabled: TRUE
zimbraReverseProxyMailPop3sEnabled: TRUE
zimbraReverseProxyPassErrors: TRUE
zimbraReverseProxyPop3EnabledCapability: EXPIRE 31 USER
zimbraReverseProxyPop3EnabledCapability: TOP
zimbraReverseProxyPop3EnabledCapability: UIDL
zimbraReverseProxyPop3EnabledCapability: USER
zimbraReverseProxyPop3EnabledCapability: XOIP
zimbraReverseProxyPop3ExposeVersionOnBanner: FALSE
zimbraReverseProxyPop3PortAttribute: zimbraPop3BindPort
zimbraReverseProxyPop3SSLPortAttribute: zimbraPop3SSLBindPort
zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
zimbraReverseProxyPop3SaslPlainEnabled: TRUE
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxyPortQuery: (&(zimbraServiceHostname=${MAILHOST})(objectClass=zimbraServer))
zimbraReverseProxyRouteLookupTimeout: 15s
zimbraReverseProxyRouteLookupTimeoutCache: 60s
zimbraReverseProxySNIEnabled: FALSE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
zimbraReverseProxySSLECDHCurve: prime256v1
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLSessionCacheSize: 10m
zimbraReverseProxySSLSessionTimeout: 10m
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraReverseProxySendImapId: TRUE
zimbraReverseProxySendPop3Xoip: TRUE
zimbraReverseProxyUpstreamConnectTimeout: 25
zimbraReverseProxyUpstreamLoginServers: mail.webart-factory.de
zimbraReverseProxyUpstreamPollingTimeout: 1h
zimbraReverseProxyUpstreamReadTimeout: 60s
zimbraReverseProxyUpstreamSendTimeout: 60s
zimbraReverseProxyUserLoginLimit: 0
zimbraReverseProxyUserLoginLimitTime: 3600
zimbraReverseProxyUserThrottleMsg: Login rejected for this user
zimbraReverseProxyWorkerConnections: 10240
zimbraReverseProxyWorkerProcesses: 4
zimbraReverseProxyXmppBoshEnabled: FALSE
zimbraReverseProxyXmppBoshLocalHttpBindURL: /http-bind
zimbraReverseProxyXmppBoshSSL: FALSE
zimbraReverseProxyXmppBoshTimeout: 90s
zimbraReverseProxyZmlookupCachingEnabled: TRUE
anzigo
Posts: 4
Joined: Thu Sep 22, 2016 1:54 am

Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by anzigo »

Hi,

Did you get this sorted? I'm in the exact same situation, with an upgrade from 8.6 to 8.7.
anzigo
Posts: 4
Joined: Thu Sep 22, 2016 1:54 am

Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by anzigo »

Ok, so I seem to have it working properly again (imap/pop3).

I edited the /opt/zimbra/conf/nginx/includes/nginx.conf.zmlookup file to show:

zm_lookup_handlers  https://mail.yourservername.com:7072/service/extension/nginx-lookup;
Note the change from http to https and FQDN as opposed to the IP address.

Hope this helps you.
wvrooy
Posts: 2
Joined: Sat Oct 08, 2016 10:35 am

Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by wvrooy »

Thanks for the tip on moving to https for the zm_lookup_handlers. At least that made the IMAP/POP authentication functional again. I have asked around on the #zimbra IRC channel for a more permanent solution, but so far I have not found any.

As this seems to affect multiple ZCS instances, I have created a bug report for this issue at https://bugzilla.zimbra.com/show_bug.cgi?id=106926.
zot
Posts: 19
Joined: Sat Sep 13, 2014 2:56 am

Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by zot »

I have the same problem here. And unfortunately, the wrong config will be reenabled every time a zmcontrol start (or zmproxyctl start) is run, which is not so nice, as my server is stopped and restarted every night for backup purposes. :-/

I've now written a little Perl script that will fix nginx.conf.zmlookup and restart nginx afterwards. But that is not cool at all, of course.

Please fix that quickly!
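
The workaround described in the post above (re-apply the http to https change to the regenerated nginx.conf.zmlookup, then restart nginx), as an added shell example; it is not zot's Perl script and not Zimbra code. The function names, exit codes and the constructed sample using the documentation address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example: idempotently switch zm_lookup_handlers from http:// to https://.
# fix_lookup_scheme FILE returns:
#   0 = file rewritten (backup kept as FILE.bak)
#   1 = directive already uses https, nothing changed
#   2 = no active zm_lookup_handlers directive found
#   3 = backup could not be written
fix_lookup_scheme() {
    conf=$1
    directive='^[[:space:]]*zm_lookup_handlers[[:space:]]'
    grep -Eq "$directive" "$conf" || return 2
    grep -Eq "$directive.*http://" "$conf" || return 1
    cp -p "$conf" "$conf.bak" || return 3
    # Touch only active directive lines; commented-out lines stay as they are.
    # Writing back with ">" keeps the original file's owner and mode.
    sed -E "/$directive/ s#http://#https://#g" "$conf.bak" > "$conf"
}

# Constructed sample config; the address is a documentation placeholder.
write_sample() {
    printf '%s\n' \
        '# zm_lookup_handlers  http://192.0.2.10:7072/service/extension/nginx-lookup;' \
        'zm_lookup_handlers  http://192.0.2.10:7072/service/extension/nginx-lookup;' \
        > "$1"
}

# With one argument, fix that file; otherwise demonstrate on the sample.
if [ "$#" -eq 1 ]; then
    target=$1
else
    target=$(mktemp)
    write_sample "$target"
fi
rc=0
fix_lookup_scheme "$target" || rc=$?
case $rc in
    0) echo "$target: switched to https, nginx must be restarted to load it" ;;
    1) echo "$target: already https, nothing to do" ;;
    2) echo "$target: no zm_lookup_handlers directive found" >&2 ;;
    *) echo "$target: could not write backup" >&2 ;;
esac
```

Exit code 0 means nginx still has to be restarted; as noted above, the file is regenerated on `zmcontrol start` or `zmproxyctl start`, so the check has to run after those.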
wvrooy
Posts: 2
Joined: Sat Oct 08, 2016 10:35 am

Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by wvrooy »

In order to work around the proxy restart issue, I have simply edited the template config file. It now contains a hardcoded URL:

    # zm_lookup_handlers  ${zmlookup.:handlers};
    zm_lookup_handlers  https://127.0.1.1:7072/service/extension/nginx-lookup;
Not very nice either, but it will at least work until an upgrade of ZCS is installed.
maYerxored
Posts: 1
Joined: Sun Nov 06, 2016 2:46 pm

Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by maYerxored »

Same problem here, though I have some other information. I upgraded 2 Ubuntu 14 LTS boxes from 8.5 to 8.7.(1) going as 8.5->8.6->8.7.0->8.7.1 ... the first box has the issue described here, the second does not.

I compared basically any possible configuration, `zmprov gacf | grep -i proxy` only has the difference in the zimbraReverseProxyUpstreamLoginServers as expected, nothing else.

Anything else seems configured exactly the same. So
/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`

But the working (2nd) box has https://, the first broken box has http:// - both using IPs, not hostnames. As described, just changing the schema to https fixes it.

Then I found one difference which can matter: `zmprov -garpb`

On the working box, :8080 is referenced, on the broken box, 8443

This could make sense since, as 8443 is already https, the template does not configure upstream https, but on the first box, it's http (8080) so it configured https ... the question now is how that is different, since above I used https for both. Maybe anybody else can make something of this clue.
smclinden
Posts: 24
Joined: Mon Aug 28, 2017 7:54 pm

Re: Upgrade ZCS 8.6 to 8.7: Authentication POP3/IMAP fails

Post by smclinden »

I know that this is an old issue, but I had the very same problem this week with the latest open source version of ZCS and I fixed it in the same way (zm_lookup_handler) but the fix made it impossible for me to validate for outgoing SMTP service from my Android email app. Before that, it had worked perfectly.

Any suggestions would be appreciated.

Thanks.

Sean McLinden