Zimbra IPV6 pop/imap Dont Work[SOLVED]

[JDunphy]

Looked at your 'netstat -nltp|grep -w tcp6' output again now that I have a working environment. I really expected to see nginx bound to a tcp6 socket in dual stack with centos 7 - which is what you have been asking all along.

Any chance you have a nginx running that is bound to ipv4 from a previous start/stop cycle? It seems weird that its only bound to the ipv4 socket (ie. tcp LISTEN) after your zmcontrol restart... but other services are shown as (tcp6 LISTEN). Almost like nginx isn't restarting, or has the correct listen statement in its nginx/includes files or was compiled without ipv6 support.

Did you check /opt/zimbra/log/nginx.log ... Mine shows both ipv4 and ipv6 addresses. It also show the starts as it is bounced.

Code: Select all

strings /opt/zimbra/common/sbin/nginx |grep with-ipv6
configure arguments: --prefix=/opt/zimbra/common --with-cc-opt='-g -I/opt/zimbra/common/include' --with-ld-opt='-Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib' --with-debug --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_upstream_zmauth_module --with-http_zm_sso_module --with-http_spdy_module --with-mail --with-mail-sasl --with-mail_ssl_module --error-log-path=/opt/zimbra/log/nginx.log --http-log-path=/opt/zimbra/log/nginx.access.log --http-client-body-temp-path=/opt/zimbra/data/tmp/nginx/client --http-proxy-temp-path=/opt/zimbra/data/tmp/nginx/proxy --http-fastcgi-temp-path=/opt/zimbra/data/tmp/nginx/fastcgi --without-http_scgi_module --without-http_uwsgi_module --add-module=modules/nviennot-nginx-tcp-keepalive

[Carlos A. P. Cunha]

Language seems to be a barrier so I just did what you did and it worked.

Here are my steps:

Code: Select all

zmprov ms `zmhostname` zimbraIPMode both
/opt/zimbra/libexec/zmiptool
zmcontrol restart

Now I wanted to verify what nginx was doing...

Code: Select all

cd /opt/zimbra/conf/nginx/includes
cat *pop3* *imap* |grep ipv6
    listen                  [::]:110 ipv6only=off;
    listen                  [::]:995 ipv6only=off;
    listen                  [::]:143 ipv6only=off;
    listen                  [::]:993 ipv6only=off;

Good... That is what I wanted.

Next... what did netstat report:

Code: Select all

netstat -na | egrep '(110|995|993|143)'
tcp        0      0 :::7110                     :::*                        LISTEN      
tcp        0      0 :::7143                     :::*                        LISTEN      
tcp        0      0 :::110                      :::*                        LISTEN      
tcp        0      0 :::143                      :::*                        LISTEN      
tcp        0      0 :::7993                     :::*                        LISTEN      
tcp        0      0 :::7995                     :::*                        LISTEN      
tcp        0      0 :::993                      :::*                        LISTEN      
tcp        0      0 :::995                      :::*                        LISTEN 

Finally, a test from a remote machine:

Code: Select all

openssl s_client -crlf -connect '[dddd:3333::f03c:91ff:fea1:740d]:993'
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
....
....
---
* OK IMAP4rev1 proxy server ready

I then repeated this with my ipv4 address with the same result. It worked.

The only thing I had to do was provide access via my firewall for ipv6 so my remote client could connect. I don't normally run ipv6 so this has been a good exercise to see what is involved.

Hope this helps.

Hello !

Result of your netstat:

Code: Select all

Netstat -na | Egrep '(110 | 995 | 993 | 143)' | head -n 10
Tcp 0 0 0.0.0.0:1010 0.0.0.0
Tcp 0 0 0.0.0.0:143 0.0.0.0
Tcp 0 0 0.0.0.0:993 0.0.0.0
Tcp 0 0 0.0.0.0:995 0.0.0.0
--- more information below, but are internal ips.

-------------------------------------

Code: Select all

cd / opt / zimbra / conf / nginx / includes
cat * pop3 * * imap * | grep ipv6
     #listen [::]: 110 ipv6only = off;
     #listen [::]: 995 ipv6only = off;
     #listen [::]: 143 ipv6only = off;
     #listen [::]: 993 ipv6only = off;

-------------------------------------

Test with openssl: (local)

Code: Select all

Openssl s_client -crlf -connect '[dddd: <MY-IPV6>]: 993'
Socket: Network is unreachable
Connect: errno = 101

Is your version of Zimbra also 8.7.1?

Thanks

[Carlos A. P. Cunha]

Looked at your 'netstat -nltp|grep -w tcp6' output again now that I have a working environment. I really expected to see nginx bound to a tcp6 socket in dual stack with centos 7 - which is what you have been asking all along.

Any chance you have a nginx running that is bound to ipv4 from a previous start/stop cycle? It seems weird that its only bound to the ipv4 socket (ie. tcp LISTEN) after your zmcontrol restart... but other services are shown as (tcp6 LISTEN). Almost like nginx isn't restarting, or has the correct listen statement in its nginx/includes files or was compiled without ipv6 support.

Did you check /opt/zimbra/log/nginx.log ... Mine shows both ipv4 and ipv6 addresses. It also show the starts as it is bounced.

Code: Select all

strings /opt/zimbra/common/sbin/nginx |grep with-ipv6
configure arguments: --prefix=/opt/zimbra/common --with-cc-opt='-g -I/opt/zimbra/common/include' --with-ld-opt='-Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib' --with-debug --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_upstream_zmauth_module --with-http_zm_sso_module --with-http_spdy_module --with-mail --with-mail-sasl --with-mail_ssl_module --error-log-path=/opt/zimbra/log/nginx.log --http-log-path=/opt/zimbra/log/nginx.access.log --http-client-body-temp-path=/opt/zimbra/data/tmp/nginx/client --http-proxy-temp-path=/opt/zimbra/data/tmp/nginx/proxy --http-fastcgi-temp-path=/opt/zimbra/data/tmp/nginx/fastcgi --without-http_scgi_module --without-http_uwsgi_module --add-module=modules/nviennot-nginx-tcp-keepalive

Hello!

My result:

Code: Select all

strings /opt/zimbra/common/sbin/nginx |grep with-ipv6
configure arguments: --prefix=/opt/zimbra/common --with-cc-opt='-g -I/opt/zimbra/common/include' --with-ld-opt='-Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib' --with-debug --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_upstream_zmauth_module --with-http_zm_sso_module --with-http_spdy_module --with-mail --with-mail-sasl --with-mail_ssl_module --error-log-path=/opt/zimbra/log/nginx.log --http-log-path=/opt/zimbra/log/nginx.access.log --http-client-body-temp-path=/opt/zimbra/data/tmp/nginx/client --http-proxy-temp-path=/opt/zimbra/data/tmp/nginx/proxy --http-fastcgi-temp-path=/opt/zimbra/data/tmp/nginx/fastcgi --without-http_scgi_module --without-http_uwsgi_module --add-module=modules/nviennot-nginx-tcp-keepalive

Thanks

[JDunphy]

Is your version of Zimbra also 8.7.1?

Thanks

Yes, I am running 8.7.1 on centos 6. On centos 6, netstat reports ipv6 sockets like this:

Code: Select all

netstat -na | egrep '(110|995|993|143)'
tcp        0      0 :::7110                     :::*                        LISTEN  

On Centos 7, they are reported as tcp6

Code: Select all

netstat -na | egrep '(110|995|993|143)'
tcp6        0      0 :::7110                     :::*                        LISTEN  

... everything else looks the same. The key is the ::: notation in front. For ipv4, its just 0.0.0.0:995

Anyway... it is clear from your netstat and grep of nginx that you don't have nginx configured to run ipv6 because the ipv6 listen statements are commented out.

That is odd, because:

Code: Select all

zmprov ms `zmhostname` zimbraIPMode both
/opt/zimbra/libexec/zmiptool
zmcontrol restart

Did all the work for me and configured nginx with ipv6 listen statements.

It looks like you didn't configure proxy for pop3/imap. Do this.

Code: Select all

zmprov gs `zmhostname` | grep 110
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110

If you don't see ProxyBindPort, Do you remember running this command?

Code: Select all

/opt/zimbra/libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`

I'll refer you to this link for more information:

Ref: https://wiki.zimbra.com/wiki/Enabling_Z ... ng_servers

[Carlos A. P. Cunha]

Hello!
Result:

Code: Select all

zmprov gs `zmhostname` | grep 110
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110

My installation was done from scratch without migration, so the proxy has already been configured in the installation.

Code: Select all

 netstat -nltd | egrep '(110|995|993|143)'
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN     
tcp6       0      0 :::7993                 :::*                    LISTEN     
tcp6       0      0 :::7995                 :::*                    LISTEN     
tcp6       0      0 :::7110                 :::*                    LISTEN     
tcp6       0      0 :::7143                 :::*                    LISTEN    

[JDunphy]

Thats good. So the question is why is this happening for you?

Code: Select all

cd /opt/zimbra/conf/nginx/includes
cat *pop3* *imap* | grep ipv6
     #listen [::]: 110 ipv6only = off;
     #listen [::]: 995 ipv6only = off;
     #listen [::]: 143 ipv6only = off;
     #listen [::]: 993 ipv6only = off;

Until you get those switched from

Code: Select all

listen 110
to
listen [::]: 110 ipv6only = off;

You will not have ipv6 for those services. So why is the big question here????

[Carlos A. P. Cunha]

Thats good. So the question is why is this happening for you?

Code: Select all

cd /opt/zimbra/conf/nginx/includes
cat *pop3* *imap* | grep ipv6
     #listen [::]: 110 ipv6only = off;
     #listen [::]: 995 ipv6only = off;
     #listen [::]: 143 ipv6only = off;
     #listen [::]: 993 ipv6only = off;

Until you get those switched from

Code: Select all

listen 110
to
listen [::]: 110 ipv6only = off;

You will not have ipv6 for those services. So why is the big question here????

Hello

After changing the 4 files as you reported, and restarting the services, imap / pop are functional in ipv6, as well as the compatibility issue of socket ipv6 (accept ipv4)

More data follows:

Code: Select all

grep  ipv6 *pop3* *imap*
nginx.conf.mail.pop3.default:    listen                  [::]:110 ipv6only=off;
nginx.conf.mail.pop3s.default:    listen              [::]:995 ipv6only=off;
nginx.conf.mail.imap.default:    listen                  [::]:143 ipv6only=off;
nginx.conf.mail.imaps.default:    listen                  [::]:993 ipv6only=off;

Netstat

Code: Select all

Conexões Internet Ativas (sem os servidores)
Proto Recv-Q Send-Q Endereço Local          Endereço Remoto         Estado      PID/Program name    
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               OUÇA       461/amavisd (ch1-av 
tcp        0      0 0.0.0.0:587             0.0.0.0:*               OUÇA       23392/master        
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               OUÇA       22744/memcached     
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               OUÇA       23037/clamd         
tcp        0      0 127.0.0.1:10032         0.0.0.0:*               OUÇA       461/amavisd (ch1-av 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               OUÇA       22762/nginx: master 
tcp        0      0 0.0.0.0:465             0.0.0.0:*               OUÇA       23392/master        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               OUÇA       785/sshd            
tcp        0      0 0.0.0.0:25              0.0.0.0:*               OUÇA       23392/master        
tcp        0      0 0.0.0.0:443             0.0.0.0:*               OUÇA       22762/nginx: master 
tcp        0      0 127.0.0.1:23232         0.0.0.0:*               OUÇA       22787/perl          
tcp        0      0 127.0.0.1:23233         0.0.0.0:*               OUÇA       22789/perl          
tcp        0      0 200.225.114.146:389     0.0.0.0:*               OUÇA       20204/slapd         
tcp        0      0 127.0.0.1:10663         0.0.0.0:*               OUÇA       21644/zmlogger: zmr 
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               OUÇA       461/amavisd (ch1-av 
tcp6       0      0 ::1:10026               :::*                    OUÇA       461/amavisd (ch1-av 
tcp6       0      0 ::1:7306                :::*                    OUÇA       21632/mysqld        
tcp6       0      0 ::1:10027               :::*                    OUÇA       23392/master        
tcp6       0      0 :::587                  :::*                    OUÇA       23392/master        
tcp6       0      0 :::11211                :::*                    OUÇA       22744/memcached     
tcp6       0      0 ::1:10028               :::*                    OUÇA       23392/master        
tcp6       0      0 ::1:10029               :::*                    OUÇA       23392/master        
tcp6       0      0 ::1:10030               :::*                    OUÇA       23392/master        
tcp6       0      0 ::1:3310                :::*                    OUÇA       23037/clamd         
tcp6       0      0 :::110                  :::*                    OUÇA       22762/nginx: master 
tcp6       0      0 :::143                  :::*                    OUÇA       22762/nginx: master 
tcp6       0      0 ::1:10032               :::*                    OUÇA       461/amavisd (ch1-av 
tcp6       0      0 127.0.0.1:8080          :::*                    OUÇA       21735/java          
tcp6       0      0 :::465                  :::*                    OUÇA       23392/master        
tcp6       0      0 ::1:8465                :::*                    OUÇA       23058/opendkim      
tcp6       0      0 :::7025                 :::*                    OUÇA       21735/java          
tcp6       0      0 :::22                   :::*                    OUÇA       785/sshd            
tcp6       0      0 :::25                   :::*                    OUÇA       23392/master        
tcp6       0      0 :::7993                 :::*                    OUÇA       21735/java       
tcp6       0      0 :::7995                 :::*                    OUÇA       21735/java          
tcp6       0      0 :::8443                 :::*                    OUÇA       21735/java          
tcp6       0      0 :::7071                 :::*                    OUÇA       21735/java          
tcp6       0      0 :::7072                 :::*                    OUÇA       21735/java          
tcp6       0      0 :::993                  :::*                    OUÇA       22762/nginx: master 
tcp6       0      0 :::7073                 :::*                    OUÇA       21735/java          
tcp6       0      0 :::995                  :::*                    OUÇA       22762/nginx: master 
tcp6       0      0 ::1:7171                :::*                    OUÇA       20224/java          
tcp6       0      0 :::7780                 :::*                    OUÇA       23157/httpd         
tcp6       0      0 MY-IPV6			  :::*                    OUÇA       20204/slapd         
tcp6       0      0 :::7110                 :::*                    OUÇA       21735/java          
tcp6       0      0 :::7143                 :::*                    OUÇA       21735/java          
tcp6       0      0 ::1:10024               :::*                    OUÇA       461/amavisd (ch1-av 
tcp6       0      0 ::1:10025               :::*                    OUÇA       869/smtpd   

Thank you very much for your attention.

[Carlos A. P. Cunha]

Hello!
JDunphy Anything else about it?
I do not know what happened, but now it's 100%.
I'll give the topic as resolved.

Thanks for the help again.

[JDunphy]

I don't have anything else to add. I tried tracing it a little further but gave up with the Holidays approaching. The nginx template keys off of core.ipboth.enable which appears to provide the correct listen statement based on zimbraIPMode. The zmconfigd stuff perhaps keys off of that and builds the correct nginx files. In your case, it failed to build nginx configuration files correctly even though 'both' was defined.

Given that you did a clean/new centos 7 install, it's sad 8.7.1 failed out of the gate.

If you have a support contract, I would encourage you to work through them to see if they can add more information or add a bug report. I didn't find anything in the bug database so don't know if this is a well known issue. In any event, you can reproduce the problem if/when someone wants to drill deeper and fix why those nginx configuration files were built incorrectly when zimbraIPMode = both.

Glad you have it working.

[syaifudin_jw]

Hi there,
i have this problem too, after reading your comment and try and error, i have success to find where the correct file to edit as you said.
file in directory /opt/zimbra/conf/nginx/templates/ , i have replace this "${vip}:${mail.pop3.port} ipv6only=off;" with this "[::]:${mail.pop3.port} ipv6only=off;".
hope this can help any one where have error in server like us