At this point Zimbra was working perfectly except for the weaker ciphers (e.g. tested in/outbound mail, web access, IMAPS via proxy). I then went to adjust settings via zmprov, and I think I messed something up.
Everything works EXCEPT IMAP Proxy (nginx) with SSL.
If I try to connect to port 993, the IMAP client times out after sending the username. If I connect directly to port 7993, everything works great. I'm trying to find out what is wrong.
Some tests:
(server name/certificate replaced with variables)
```
$ openssl s_client -connect ${myserverfqdn}:993
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=${myserverfqdn}
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
${lots_of_text}
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=${myserverfqdn}
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6110 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES128-SHA
Session-ID: 5FDDFCD5438C1CEBA958110DFEF936A483C3332DF7FE6D711A649E71FFEEE644
Session-ID-ctx:
Master-Key: DC422F02D7BBA87DC4081C7BC3F22A8BA318DACE102825CC33D183FDC3AC3A6A07CDC2A568D8CDFBC336353EAC214E0B
Key-Arg : None
Start Time: 1489333158
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAP4rev1 proxy server ready
```
Logs from /opt/zimbra/log/nginx.log (username/domain edited)
```
2017/03/12 10:47:00 [info] 27028#0: *282 client 192.168.75.62:34394 connected to 192.168.75.87:993
2017/03/12 10:47:00 [info] 27028#0: *282 peer closed connection in SSL handshake while SSL handshaking to lookup handler, client: 192.168.75.62:34394, server: 192.168.75.87:993, login: "${myusername}@${mydomain.net}"
```
```
65699840[123f163a0]: ImapThreadMainLoop entering [this=1c941c00]
-1233550400[1001260b0]: 1c941c00:${myserverfqdn}:NA:SetupWithUrl: clearing IMAP_CONNECTION_IS_OPEN
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:ProcessCurrentURL: entering
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:ProcessCurrentURL:imap://${myusername}%40${mydomain.net}@${myserverfqdn}:993/select%3E/INBOX: = currentUrl
65699840[123f163a0]: ReadNextLine [stream=23d89150 nb=35 needmore=0]
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:CreateNewLineFromSocket: * OK IMAP4rev1 proxy server ready
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:SendData: 1 capability
65699840[123f163a0]: ReadNextLine [stream=23d89150 nb=273 needmore=0]
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:CreateNewLineFromSocket: * CAPABILITY ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE IMAP4rev1 LIST-EXTENDED LITERAL+ MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN LIST-STATUS XLIST AUTH=PLAIN
65699840[123f163a0]: ReadNextLine [stream=23d89150 nb=16 needmore=0]
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:CreateNewLineFromSocket: 1 OK completed
65699840[123f163a0]: try to log in
65699840[123f163a0]: IMAP auth: server caps 0x10e0c7725, pref 0x1006, failed 0x0, avail caps 0x1004
65699840[123f163a0]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000,
LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
65699840[123f163a0]: trying auth method 0x1000
65699840[123f163a0]: got new password
65699840[123f163a0]: IMAP: trying auth method 0x1000
65699840[123f163a0]: PLAIN auth
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:SendData: 2 authenticate plain
65699840[123f163a0]: ReadNextLine [stream=23d89150 nb=4 needmore=0]
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:CreateNewLineFromSocket: +
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:SendData: Logging suppressed for this command (it probably contained authentication information)
-1233550400[1001260b0]: proposed url = INBOX folder for connection has To Wait = TRUE can run = FALSE
-1233550400[1001260b0]: queuing url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
-1233550400[1001260b0]: considering playing queued url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
-1233550400[1001260b0]: creating protocol instance to play queued url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
-1233550400[1001260b0]: proposed url = INBOX folder for connection has To Wait = TRUE can run = FALSE
-1233550400[1001260b0]: failed creating protocol instance to play queued url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
-1233550400[1001260b0]: proposed url = INBOX folder for connection has To Wait = TRUE can run = FALSE
-1233550400[1001260b0]: queuing url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
-1233550400[1001260b0]: considering playing queued url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
-1233550400[1001260b0]: creating protocol instance to play queued url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
-1233550400[1001260b0]: proposed url = INBOX folder for connection has To Wait = TRUE can run = FALSE
-1233550400[1001260b0]: failed creating protocol instance to play queued url:imap://${myusername}@${mydomain}@${myservefqdn}:993/select>/INBOX
65699840[123f163a0]: ReadNextLine [stream=23d89150 nb=0 needmore=1]
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:CreateNewLineFromSocket: clearing IMAP_CONNECTION_IS_OPEN - rv = 804b0010
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:TellThreadToDie: close socket connection
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:CreateNewLineFromSocket: (null)
65699840[123f163a0]: authlogin failed
65699840[123f163a0]: marking auth method 0x1000 failed
65699840[123f163a0]: IMAP auth: server caps 0x10e0c7725, pref 0x1006, failed 0x1000, avail caps 0x4
65699840[123f163a0]: (GSSAPI = 0x1000000, CRAM = 0x20000, NTLM = 0x100000, MSN = 0x200000, PLAIN = 0x1000,
LOGIN = 0x2, old-style IMAP login = 0x4, auth external IMAP login = 0x20000000, OAUTH2 = 0x800000000)
65699840[123f163a0]: trying auth method 0x4
65699840[123f163a0]: login failed entirely
65699840[123f163a0]: 1c941c00:${myserverfqdn}:NA:ProcessCurrentURL: aborting queued urls
65699840[123f163a0]: ImapThreadMainLoop leaving [this=1c941c00]
```
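The two logs in the post point at different legs of the connection: the client-facing TLS handshake on 993 and the IMAP greeting both succeed, and nginx only fails while doing its own TLS handshake to the lookup handler after the login has been received. The script below is an added triage example (not Zimbra code and not the poster's) that makes that reading mechanical: it parses nginx proxy log lines of the shape shown above, attributes each error to the client leg or to a named upstream, and decodes the client's "IMAP auth: server caps ..." bitmask using the legend the client itself prints. The sample log lines are constructed from the post with the username and domain replaced by placeholder values; the regexes assume only the line formats visible here.

```python
"""Triage helpers for a Zimbra nginx proxy log and a mail client's IMAP auth log.

Added example, not project code. Assumes the nginx log line format shown in
/opt/zimbra/log/nginx.log above and the client's own auth-capability legend.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed from the post; user/domain are placeholders, not real values.
NGINX_LOG = """\
2017/03/12 10:47:00 [info] 27028#0: *282 client 192.168.75.62:34394 connected to 192.168.75.87:993
2017/03/12 10:47:00 [info] 27028#0: *282 peer closed connection in SSL handshake while SSL handshaking to lookup handler, client: 192.168.75.62:34394, server: 192.168.75.87:993, login: "user@example.net"
"""

# Two "IMAP auth" lines from the client log above, before and after the failed attempt.
AUTH_BEFORE = "IMAP auth: server caps 0x10e0c7725, pref 0x1006, failed 0x0, avail caps 0x1004"
AUTH_AFTER = "IMAP auth: server caps 0x10e0c7725, pref 0x1006, failed 0x1000, avail caps 0x4"

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*)$"
)


@dataclass
class ProxyEvent:
    conn: int
    kind: str            # "connect", "error" or "other"
    leg: str             # "client" (MUA<->nginx) or "upstream:<name>" (nginx<->backend)
    login: Optional[str]  # login name nginx had already received, if logged
    msg: str


def classify(msg: str) -> Tuple[str, str]:
    """Map a log message to (kind, leg). Upstream name comes from the message itself."""
    if msg.startswith("client ") and " connected to " in msg:
        return "connect", "client"
    m = re.search(r"while SSL handshaking to ([^,]+)", msg)
    if m:
        return "error", "upstream:" + m.group(1).strip()
    if "while SSL handshaking" in msg:
        return "error", "client"
    return "other", "unknown"


def parse_nginx_log(text: str) -> List[ProxyEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the proxy's log format
        kind, leg = classify(m.group("msg"))
        lm = re.search(r'login: "([^"]*)"', m.group("msg"))
        events.append(ProxyEvent(int(m.group("conn")), kind, leg,
                                 lm.group(1) if lm else None, m.group("msg")))
    return events


def diagnose(events: List[ProxyEvent]) -> Dict[int, Tuple[str, str]]:
    """Per connection id: ("UPSTREAM_TLS", upstream name), ("CLIENT_TLS", "") or ("NO_ERROR", "")."""
    verdicts: Dict[int, Tuple[str, str]] = {}
    for ev in events:
        verdicts.setdefault(ev.conn, ("NO_ERROR", ""))
        if ev.kind != "error":
            continue
        if ev.leg.startswith("upstream:"):
            # A login name on the error line means the client-facing TLS
            # handshake and the IMAP login exchange had already completed.
            verdicts[ev.conn] = ("UPSTREAM_TLS", ev.leg.split(":", 1)[1])
        elif ev.leg == "client":
            verdicts[ev.conn] = ("CLIENT_TLS", "")
    return verdicts


# Legend exactly as the client prints it in its own log.
AUTH_BITS = {
    "GSSAPI": 0x1000000, "CRAM": 0x20000, "NTLM": 0x100000, "MSN": 0x200000,
    "PLAIN": 0x1000, "LOGIN": 0x2, "old-style IMAP login": 0x4,
    "auth external IMAP login": 0x20000000, "OAUTH2": 0x800000000,
}
CAPS_RE = re.compile(
    r"IMAP auth: server caps (0x[0-9a-fA-F]+), pref (0x[0-9a-fA-F]+), "
    r"failed (0x[0-9a-fA-F]+), avail caps (0x[0-9a-fA-F]+)"
)


def names_for(mask: int) -> List[str]:
    """Named auth methods present in a capability mask, lowest bit first.
    Bits outside the legend (other server capabilities) are ignored."""
    return [n for n, b in sorted(AUTH_BITS.items(), key=lambda kv: kv[1]) if mask & b]


def decode_auth_caps(line: str) -> Dict[str, List[str]]:
    m = CAPS_RE.search(line)
    if not m:
        raise ValueError("not an 'IMAP auth: server caps' line")
    fields = zip(("server", "pref", "failed", "avail"), (int(x, 16) for x in m.groups()))
    return {name: names_for(mask) for name, mask in fields}


if __name__ == "__main__":
    for conn, (code, detail) in diagnose(parse_nginx_log(NGINX_LOG)).items():
        print(f"connection {conn}: {code} {detail}")
    print("before:", decode_auth_caps(AUTH_BEFORE))
    print("after: ", decode_auth_caps(AUTH_AFTER))
```

Run on the sample, the proxy verdict for connection 282 is `UPSTREAM_TLS lookup handler`, and the decoded masks show the client first had PLAIN and old-style login available, marked PLAIN failed after the proxy dropped the socket, and then had only old-style login left, which it never got to use. That narrows the change to look for to the TLS settings on the proxy's connection to the lookup handler rather than to the client-facing listener.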